|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head>
|
|
Packit |
90a5c9 |
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type" />
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
|
|
Packit |
90a5c9 |
This file is generated from xml source: DO NOT EDIT
|
|
Packit |
90a5c9 |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
|
|
Packit |
90a5c9 |
-->
|
|
Packit |
90a5c9 |
<title>mod_authz_host - Apache HTTP Server Version 2.4</title>
|
|
Packit |
90a5c9 |
<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
|
|
Packit |
90a5c9 |
<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
|
|
Packit |
90a5c9 |
<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="../style/css/prettify.css" />
|
|
Packit |
90a5c9 |
<script src="../style/scripts/prettify.min.js" type="text/javascript">
|
|
Packit |
90a5c9 |
</script>
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
<link href="../images/favicon.ico" rel="shortcut icon" /></head>
|
|
Packit |
90a5c9 |
<body>
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Modules | Directives | FAQ | Glossary | Sitemap
|
|
Packit |
90a5c9 |
Apache HTTP Server Version 2.4
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Apache > HTTP Server > Documentation > Version 2.4 > Modules
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Apache Module mod_authz_host
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Available Languages: en |
|
|
Packit |
90a5c9 |
fr
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
address)
|
|
Packit |
90a5c9 |
Status:Base
|
|
Packit |
90a5c9 |
Module Identifier:authz_host_module
|
|
Packit |
90a5c9 |
Source File:mod_authz_host.c
|
|
Packit |
90a5c9 |
Compatibility:The forward-dns provider was addded in 2.4.19
|
|
Packit |
90a5c9 |
Summary
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
The authorization providers implemented by mod_authz_host are
|
|
Packit |
90a5c9 |
registered using the Require
|
|
Packit |
90a5c9 |
directive. The directive can be referenced within a
|
|
Packit |
90a5c9 |
<Directory> ,
|
|
Packit |
90a5c9 |
<Files> ,
|
|
Packit |
90a5c9 |
or <Location> section
|
|
Packit |
90a5c9 |
as well as .htaccess
|
|
Packit |
90a5c9 |
files to control access to particular parts of the server.
|
|
Packit |
90a5c9 |
Access can be controlled based on the client hostname or IP address.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
In general, access restriction directives apply to all
|
|
Packit |
90a5c9 |
access methods (GET , PUT ,
|
|
Packit |
90a5c9 |
POST , etc). This is the desired behavior in most
|
|
Packit |
90a5c9 |
cases. However, it is possible to restrict some methods, while
|
|
Packit |
90a5c9 |
leaving other methods unrestricted, by enclosing the directives
|
|
Packit |
90a5c9 |
in a <Limit> section.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Topics
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
The Require Directives
|
|
Packit |
90a5c9 |
Directives
|
|
Packit |
90a5c9 |
This module provides no
|
|
Packit |
90a5c9 |
directives.
|
|
Packit |
90a5c9 |
Bugfix checklistSee also
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Authentication, Authorization,
|
|
Packit |
90a5c9 |
and Access Control
|
|
Packit |
90a5c9 |
Require
|
|
Packit |
90a5c9 |
Comments
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Apache's Require
|
|
Packit |
90a5c9 |
directive is used during the authorization phase to ensure that a user is allowed or
|
|
Packit |
90a5c9 |
denied access to a resource. mod_authz_host extends the
|
|
Packit |
90a5c9 |
authorization types with ip , host ,
|
|
Packit |
90a5c9 |
forward-dns and local .
|
|
Packit |
90a5c9 |
Other authorization types may also be
|
|
Packit |
90a5c9 |
used but may require that additional authorization modules be loaded.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
These authorization providers affect which hosts can
|
|
Packit |
90a5c9 |
access an area of the server. Access can be controlled by
|
|
Packit |
90a5c9 |
hostname, IP Address, or IP Address range.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Since v2.4.8, expressions are supported
|
|
Packit |
90a5c9 |
within the host require directives.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
The ip provider allows access to the server
|
|
Packit |
90a5c9 |
to be controlled based on the IP address of the remote client.
|
|
Packit |
90a5c9 |
When Require ip ip-address is specified,
|
|
Packit |
90a5c9 |
then the request is allowed access if the IP address matches.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
A full IP address:
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Require ip 10.1.2.3
|
|
Packit |
90a5c9 |
Require ip 192.168.1.104 192.168.1.205
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
An IP address of a host allowed access
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
A partial IP address:
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Require ip 10.1
|
|
Packit |
90a5c9 |
Require ip 10 172.20 192.168.2
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
The first 1 to 3 bytes of an IP address, for subnet
|
|
Packit |
90a5c9 |
restriction.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
A network/netmask pair:
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Require ip 10.1.0.0/255.255.0.0
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
A network a.b.c.d, and a netmask w.x.y.z. For more
|
|
Packit |
90a5c9 |
fine-grained subnet restriction.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
A network/nnn CIDR specification:
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Require ip 10.1.0.0/16
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Similar to the previous case, except the netmask consists of
|
|
Packit |
90a5c9 |
nnn high-order 1 bits.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Note that the last three examples above match exactly the
|
|
Packit |
90a5c9 |
same set of hosts.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
IPv6 addresses and IPv6 subnets can be specified as shown
|
|
Packit |
90a5c9 |
below:
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Require ip 2001:db8::a00:20ff:fea7:ccea
|
|
Packit |
90a5c9 |
Require ip 2001:db8:1:1::a
|
|
Packit |
90a5c9 |
Require ip 2001:db8:2:1::/64
|
|
Packit |
90a5c9 |
Require ip 2001:db8:3::/48
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Note: As the IP addresses are parsed on startup, expressions are
|
|
Packit |
90a5c9 |
not evaluated at request time.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
The host provider allows access to the server
|
|
Packit |
90a5c9 |
to be controlled based on the host name of the remote client.
|
|
Packit |
90a5c9 |
When Require host host-name is specified,
|
|
Packit |
90a5c9 |
then the request is allowed access if the host name matches.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
A (partial) domain-name
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Require host example.org
|
|
Packit |
90a5c9 |
Require host .net example.edu
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Hosts whose names match, or end in, this string are allowed
|
|
Packit |
90a5c9 |
access. Only complete components are matched, so the above
|
|
Packit |
90a5c9 |
example will match foo.example.org but it will not
|
|
Packit |
90a5c9 |
match fooexample.org . This configuration will cause
|
|
Packit |
90a5c9 |
Apache to perform a double reverse DNS lookup on the client IP
|
|
Packit |
90a5c9 |
address, regardless of the setting of the HostnameLookups directive. It will do
|
|
Packit |
90a5c9 |
a reverse DNS lookup on the IP address to find the associated
|
|
Packit |
90a5c9 |
hostname, and then do a forward lookup on the hostname to assure
|
|
Packit |
90a5c9 |
that it matches the original IP address. Only if the forward
|
|
Packit |
90a5c9 |
and reverse DNS are consistent and the hostname matches will
|
|
Packit |
90a5c9 |
access be allowed.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
The forward-dns provider allows access to the server
|
|
Packit |
90a5c9 |
to be controlled based on simple host names. When
|
|
Packit |
90a5c9 |
Require forward-dns host-name is specified,
|
|
Packit |
90a5c9 |
all IP addresses corresponding to host-name
|
|
Packit |
90a5c9 |
are allowed access.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
In contrast to the host provider, this provider does not
|
|
Packit |
90a5c9 |
rely on reverse DNS lookups: it simply queries the DNS for the host name
|
|
Packit |
90a5c9 |
and allows a client if its IP matches. As a consequence, it will only
|
|
Packit |
90a5c9 |
work with host names, not domain names. However, as the reverse DNS is
|
|
Packit |
90a5c9 |
not used, it will work with clients which use a dynamic DNS service.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Require forward-dns bla.example.org
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
A client the IP of which is resolved from the name
|
|
Packit |
90a5c9 |
bla.example.org will be granted access.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
The forward-dns provider was added in 2.4.19.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
The local provider allows access to the server if any
|
|
Packit |
90a5c9 |
of the following conditions is true:
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
the client address matches 127.0.0.0/8
|
|
Packit |
90a5c9 |
the client address is ::1
|
|
Packit |
90a5c9 |
both the client and the server address of the connection are
|
|
Packit |
90a5c9 |
the same
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
This allows a convenient way to match connections that originate from
|
|
Packit |
90a5c9 |
the local host:
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Require local
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
If you are proxying content to your server, you need to be aware
|
|
Packit |
90a5c9 |
that the client address will be the address of your proxy server,
|
|
Packit |
90a5c9 |
not the address of the client, and so using the Require
|
|
Packit |
90a5c9 |
directive in this context may not do what you mean. See
|
|
Packit |
90a5c9 |
mod_remoteip for one possible solution to this
|
|
Packit |
90a5c9 |
problem.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Available Languages: en |
|
|
Packit |
90a5c9 |
fr
|
|
Packit |
90a5c9 |
Notice:This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our mailing lists.
|
|
Packit |
90a5c9 |
<script type="text/javascript">
|
|
Packit |
90a5c9 |
var comments_shortname = 'httpd';
|
|
Packit |
90a5c9 |
var comments_identifier = 'http://httpd.apache.org/docs/2.4/mod/mod_authz_host.html';
|
|
Packit |
90a5c9 |
(function(w, d) {
|
|
Packit |
90a5c9 |
if (w.location.hostname.toLowerCase() == "httpd.apache.org") {
|
|
Packit |
90a5c9 |
d.write('
|
|
Packit |
90a5c9 |
var s = d.createElement('script');
|
|
Packit |
90a5c9 |
s.type = 'text/javascript';
|
|
Packit |
90a5c9 |
s.async = true;
|
|
Packit |
90a5c9 |
s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier;
|
|
Packit |
90a5c9 |
(d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else {
|
|
Packit |
90a5c9 |
d.write('
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
})(window, document);
|
|
Packit |
90a5c9 |
//--></script>
|
|
Packit |
90a5c9 |
Copyright 2018 The Apache Software Foundation. Licensed under the Apache License, Version 2.0.
|
|
Packit |
90a5c9 |
Modules | Directives | FAQ | Glossary | Sitemap <script type="text/javascript">
|
|
Packit |
90a5c9 |
if (typeof(prettyPrint) !== 'undefined') {
|
|
Packit |
90a5c9 |
prettyPrint();
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
//--></script>
|
|
Packit |
90a5c9 |
</body></html>
|