Stylish design

4 Comments Written by Robert on April 10, 2008 – 10:22 am

Basic controls (which come with mod_access) allow some restrictions based on the IP address or domain name included in the request. The controls allow you to specify that:

A resource is generally available.

Access to the resource is prohibited for clients with addresses that fall in a specified range of IP addresses (or a specified domain), but access is permitted from everywhere else.

Or, more usefully, that access is prohibited except for clients whose IP addresses fall in a specified range or whose domain matches a specified domain. Controls are defined in the httpd.conf file using Directory, DirectoryMatch or File directives. These directives have the general form:

<Directory resource-location>
   control options
 </Directory>

A Directory directive will have the full pathname of the directory to which the controls apply. A DirectoryMatch, or File directive can use simple regular expressions to identify the resources. The control options include several that are described later; those that relate to access are Order, Allow and Deny. The Allow option is used to specify the IP range, or domain name, for those clients who are permitted access to a resource. The Deny option identifies those excluded. The Order option specifies how the checks are to apply. If the order is Deny, Allow then the default is that the resource is accessible; the client is checked against the Deny constraint and, if matched, will be blocked unless the client also matches the subsequent more specific Allow constraint. If the order is Allow, Deny then the resource is by default inaccessible; if the client matches the Allow constraint access will be permitted provided the client is not caught by a more closely targeted Deny constraint. The following examples illustrate constraints applied to the contents of directories (and their subdirectories). The examples assume that your Apache is installed in /local/ apache. The first example defines a restricted subdirectory that is only to be accessed by students and others who are logged into the domain bigcampus.edu:

<Directory “/local/apache/htdocs/onCampus”>
   Order deny, allow
   Deny from all
   Allow from .bigcampus.edu
 </Directory>

When checking such a constraint, Apache will do a reverse lookup on the IP address of the client to obtain its domain and then check whether this ends with .bigcampus.edu. A second rather similar example would be appropriate if you had a resource that was for some reason not to be available to clients in France:

<Directory /local/apache/htdocs/notForTheFrench>
   Order allow, deny
   Allow from all
   Deny from .fr
 </Directory>

(Such a constraint is not that far-fetched! French courts are trying to enforce French commercial laws on e-commerce transactions made by those residing in France; you might not want to bother with the need to employ French legal representation.) The standard httpd.conf file contains an example of a File directive:

<Files ~ “^\.ht”>
   Order allow, deny
   Deny from all
 </Files>

This has a regular expression match that defines all files that start with the sequence .ht; access to these files is globally prohibited.

Popularity: 27% [?]