httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject svn commit: r1070853 - in /httpd/httpd/trunk/docs/manual/howto: access.xml index.xml
Date Tue, 15 Feb 2011 11:54:28 GMT
Author: rbowen
Date: Tue Feb 15 11:54:27 2011
New Revision: 1070853

Copies the access control howto from the 2.2 docs. However, it's going
to need some work to be appropriate for trunk.


Added: httpd/httpd/trunk/docs/manual/howto/access.xml
--- httpd/httpd/trunk/docs/manual/howto/access.xml (added)
+++ httpd/httpd/trunk/docs/manual/howto/access.xml Tue Feb 15 11:54:27 2011
@@ -0,0 +1,188 @@
+<?xml version='1.0' encoding='UTF-8' ?>
+<!DOCTYPE manualpage SYSTEM "../style/manualpage.dtd">
+<?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
+<!-- $LastChangedRevision: 675570 $ -->
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements.  See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License.  You may obtain a copy of the License at
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ See the License for the specific language governing permissions and
+ limitations under the License.
+<manualpage metafile="access.xml.meta">
+<parentdocument href="./">How-To / Tutorials</parentdocument>
+<title>Access Control</title>
+    <p>Access control refers to any means of controlling access to any
+    resource. This is separate from <a
+    href="auth.html">authentication and authorization</a>.</p>
+<section id="related"><title>Related Modules and Directives</title>
+<p>Access control can be done by several different modules. The most
+important of these is <module>mod_authz_host</module>. Other modules
+discussed in this document include <module>mod_setenvif</module> and
+<section id="host"><title>Access control by host</title>
+    <p>
+    If you wish to restrict access to portions of your site based on the
+    host address of your visitors, this is most easily done using
+    <module>mod_authz_host</module>.
+    </p>
+    <p>The <directive module="mod_authz_host">Allow</directive> and
+    <directive module="mod_authz_host">Deny</directive> directives let
+    you allow and deny access based on the host name, or host
+    address, of the machine requesting a document. The
+    <directive module="mod_authz_host">Order</directive> directive goes
+    hand-in-hand with these two, and tells Apache in which order to
+    apply the filters.</p>
+    <p>The usage of these directives is:</p>
+    <example>
+      Allow from <var>address</var>
+    </example>
+    <p>where <var>address</var> is an IP address (or a partial IP
+    address) or a fully qualified domain name (or a partial domain
+    name); you may provide multiple addresses or domain names, if
+    desired.</p>
+    <p>For example, if you have someone spamming your message
+    board, and you want to keep them out, you could do the
+    following:</p>
+    <example>
+      Deny from
+    </example>
+    <p>Visitors coming from that address will not be able to see
+    the content covered by this directive. If, instead, you have a
+    machine name, rather than an IP address, you can use that.</p>
+    <example>
+      Deny from <var></var>
+    </example>
+    <p>And, if you'd like to block access from an entire domain,
+    you can specify just part of an address or domain name:</p>
+    <example>
+      Deny from <var>192.168.205</var><br />
+      Deny from <var></var> <var>moreidiots.example</var><br
+      Deny from ke
+    </example>
+    <p>Using <directive module="mod_authz_host">Order</directive> will
let you
+    be sure that you are actually restricting things to the group that you want
+    to let in, by combining a <directive
+    module="mod_authz_host">Deny</directive> and an <directive
+    module="mod_authz_host">Allow</directive> directive:</p>
+    <example>
+      Order deny,allow<br />
+      Deny from all<br />
+      Allow from <var></var>
+    </example>
+    <p>Listing just the <directive module="mod_authz_host">Allow</directive>
+    directive would not do what you want, because it will let folks from that
+    host in, in addition to letting everyone in. What you want is to let
+    <em>only</em> those folks in.</p>
+<section id="env"><title>Access control by environment variable</title>
+    <p>
+    <module>mod_authz_host</module>, in conjunction with
+    <module>mod_setenvif</module>, can be used to restrict access to
+    your website based on the value of arbitrary environment variables.
+    This is done with the <code>Allow from env=</code> and <code>Deny
+    from env=</code> syntax.
+    </p>
+    <example>
+    SetEnvIf User-Agent BadBot GoAway=1<br />
+    Order allow,deny<br />
+    Allow from all<br />
+    Deny from env=GoAway
+    </example>
+    <note><title>Warning:</title>
+    <p>Access control by <code>User-Agent</code> is an unreliable technique,
+    since the <code>User-Agent</code> header can be set to anything at all,
+    at the whim of the end user.</p>
+    </note>
+    <p>
+    In the above example, the environment variable <code>GoAway</code>
+    is set to <code>1</code> if the <code>User-Agent</code> matches
+    string <code>BadBot</code>. Then we deny access for any request when
+    this variable is set. This blocks that particular user agent from
+    the site.
+    </p>
+    <p>An environment variable test can be negated using the <code>=!</code>
+    syntax:</p>
+    <example><p>
+    Allow from env=!GoAway
+    </p></example>
+<section id="rewrite"><title>Access control with mod_rewrite</title>
+<p>The <code>[F]</code> <directive
+module="mod_rewrite">RewriteRule</directive> flag causes a 403 Forbidden
+response to be sent. Using this, you can deny access to a resource based
+on arbitrary criteria.</p>
+<p>For example, if you wish to block access to a resource between 8pm
+and 6am, you can do this using <module>mod_rewrite</module>.</p>
+RewriteEngine On<br />
+RewriteCond %{TIME_HOUR} &gt;20 [OR]<br />
+RewriteCond %{TIME_HOUR} &lt;07<br />
+RewriteRule ^/fridge - [F]
+<p>This will return a 403 Forbidden response for any request after 8pm
+or before 7am. This technique can be used for any criteria that you wish
+to check. You can also redirect, or otherwise rewrite these requests, if
+that approach is preferred.</p>
+<section id="moreinformation"><title>More information</title>
+    <p>You should also read the documentation for
+    <module>mod_auth_basic</module> and <module>mod_authz_host</module>
+    contain some more information about how this all works.
+    <module>mod_authn_alias</module> can also help in simplifying certain
+    authentication configurations.</p>
+    <p>See the <a href="auth.html">Authentication and Authorization</a>
+    howto.</p>

Modified: httpd/httpd/trunk/docs/manual/howto/index.xml
--- httpd/httpd/trunk/docs/manual/howto/index.xml (original)
+++ httpd/httpd/trunk/docs/manual/howto/index.xml Tue Feb 15 11:54:27 2011
@@ -41,6 +41,18 @@
+    <dl>
+      <dt>Access Control</dt>
+      <dd>
+        <p>Access control refers to the process of restricting, or
+        granting access to a resource based on arbitrary criteria. There
+        are a variety of different ways that this can be
+        accomplished.</p>
+        <p>See: <a href="access.html">Access Control</a></p>
+      </dd>
+    </dl>
       <dt>Dynamic Content with CGI</dt>

View raw message