From: Rich Bowen Date: Fri, 19 Jun 2026 12:05:10 +0000 (+0000) Subject: docs: howto/access.xml editorial cleanup and examples X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=47fc6df4ffb2ec0d8d7dccf17aa22713c7e71645;p=thirdparty%2Fapache%2Fhttpd.git docs: howto/access.xml editorial cleanup and examples git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1935507 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/howto/access.xml b/docs/manual/howto/access.xml index 5861e124d9..1581e4d9ca 100644 --- a/docs/manual/howto/access.xml +++ b/docs/manual/howto/access.xml @@ -43,7 +43,7 @@
Access control by host

If you wish to restrict access to portions of your site based on the - host address of your visitors, this is most easily done using + host address of your visitors, use mod_authz_host.

@@ -67,10 +67,12 @@

The usage of these directives is:

- + + Require host address Require ip ip.address - + +

In the first form, address is a fully qualified domain name (or a partial domain name); you may provide multiple @@ -80,12 +82,29 @@ Require ip ip.address partial IP address, a network/netmask pair, or a network/nnn CIDR specification. Either IPv4 or IPv6 addresses may be used.

+Examples of IP address formats + +# Full IP address +Require ip 10.2.3.4 +# Partial IP address (matches any host in the 172.20.0.0/16 range) +Require ip 172.20 +# Network/netmask pair +Require ip 192.168.1.0/255.255.255.0 +# Network/CIDR specification +Require ip 192.168.1.0/24 +# IPv6 address +Require ip 2001:db8::a00:20ff:fea7:ccea +# IPv6 with CIDR +Require ip 2001:db8:1::/48 + + +

See the mod_authz_host documentation for further examples of this syntax.

You can insert not to negate a particular requirement. - Note, that since a not is a negation of a value, it cannot + Since a not is a negation of a value, it cannot be used by itself to allow or deny a request, as not true does not constitute false. Thus, to deny a visit using a negation, the block must have one element that evaluates as true or false. @@ -93,30 +112,36 @@ Require ip ip.address board, and you want to keep them out, you could do the following:

- + + <RequireAll> - Require all granted - Require not ip 10.252.46.165 +Require all granted +Require not ip 10.252.46.165 </RequireAll> - + +

Visitors coming from that address (10.252.46.165) will not be able to see the content covered by this directive. If, instead, you have a machine name, rather than an IP address, you can use that.

- + + Require not host host.example.com - + +

And, if you'd like to block access from an entire domain, - you can specify just part of an address or domain name:

+ you can specify part of an address or domain name:

- + + Require not ip 192.168.205 -Require not host phishers.example.com moreidiots.example +Require not host phishers.example.com badguys.example Require not host gov - + +

Use of the RequireAll, - + + <If "%{HTTP_USER_AGENT} == 'BadBot'"> - Require all denied +Require all denied </If> - + +

Using the Require expr syntax, this could also be written as:

- + + Require expr %{HTTP_USER_AGENT} != 'BadBot' - + + Warning:

Access control by User-Agent is an unreliable technique, @@ -170,12 +199,14 @@ Require expr %{HTTP_USER_AGENT} != 'BadBot'

For example, if you wish to block access to a resource between 8pm and 7am, you can do this using mod_rewrite.

- + + RewriteEngine On RewriteCond "%{TIME_HOUR}" ">=20" [OR] RewriteCond "%{TIME_HOUR}" "<07" RewriteRule "^/fridge" "-" [F] - + +

This will return a 403 Forbidden response for any request after 8pm or before 7am. This technique can be used for any criteria that you wish
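
Review bot: In the added "Examples of IP address formats" block (hunk -80,12 +82,29), the six `Require ip` lines are stacked in one listing with nothing saying they are alternatives. Someone who pastes the block as a unit gets every listed range allowed at once, because multiple `Require` directives outside a container are treated as if wrapped in `<RequireAny>`. Suggest adding a sentence before the listing that each line is a separate example of one format. Also note in the comments that `Require ip 192.168.1.0/255.255.255.0` and `Require ip 192.168.1.0/24` describe the same network, in the same way the partial-address comment already spells out its 172.20.0.0/16 equivalent.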
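
Review bot: The negation examples in hunk -93,30 +112,36 that follow the `<RequireAll>` block (`Require not host host.example.com`, and the three lines starting `Require not ip 192.168.205`) are shown on their own, which conflicts with the paragraph a few lines earlier in the same patch stating that a not "cannot be used by itself to allow or deny a request". Since these listings are being rewrapped anyway, either show each one inside `<RequireAll>` together with `Require all granted`, or add a sentence saying they replace the `Require not ip 10.252.46.165` line in the block above. As written, a reader copying the shorter listings gets a configuration the surrounding text says will not work.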
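
Review bot: The `<If "%{HTTP_USER_AGENT} == 'BadBot'">` hunk changes `Require all denied` from indented to flush-left, and the `<RequireAll>` hunk does the same to `Require all granted` and `Require not ip 10.252.46.165`. The commit message describes editorial cleanup and examples but does not mention this change, and the nesting of directives inside their container is harder to read without the indent. Suggest keeping the original indentation inside container directives, or stating in the commit message why the new wrapper needs the content flush-left. The `RewriteCond` listing in hunk -170,12 +199,14 is unaffected.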