In general, access limitation directives apply to all access methods ( GET, PUT, POST, etc ). This is the desire behavior in most cases. however, it is potential to restrict some methods, while leaving other methods unrestricted, by enclosing the directives in a section. The authority providers implemented by mod_authz_host are registered using the Require directive. The directing can be referenced within a , , or section as well as .htaccess files to control access to particular parts of the server. Access can be controlled based on the client hostname or IP address.
Apache ‘s Require directing is used during the authority phase to ensure that a user is allowed or denied access to a resource. mod_authz_host extends the authority types with ip, host, forward-dns and local. early mandate types may besides be used but may require that extra authority modules be loaded .
These mandate providers affect which hosts can access an sphere of the server. Access can be controlled by hostname, IP Address, or IP Address range.

Since v2.4.8, expressions are supported within the host command directives .
The ip provider allows entree to the waiter to be controlled based on the IP address of the outside node. When Require ip ip-address is specified, then the request is allowed access if the IP address matches .
A full IP address :

Require ip 10.1.2.3
Require ip 192.168.1.104 192.168.1.205

An IP address of a host allowed access
A partial derivative IP address :

Require ip 10.1
Require ip 10 172.20 192.168.2

The first 1 to 3 bytes of an IP address, for subnet limitation .
A network/netmask pair :

Require ip 10.1.0.0/255.255.0.0

A network a.b.c.d, and a netmask w.x.y.z. For more powdered subnet limitation .
A network/nnn CIDR specification :

Require ip 10.1.0.0/16

similar to the former casing, except the netmask consists of nnn high-order 1 bits.

note that the last three examples above pit precisely the lapp set of hosts .
IPv6 addresses and IPv6 subnets can be specified as shown below :

Require ip 2001:db8::a00:20ff:fea7:ccea
Require ip 2001:db8:1:1::a
Require ip 2001:db8:2:1::/64
Require ip 2001:db8:3::/48

note : As the IP addresses are parsed on startup, expressions are not evaluated at request time .
The host supplier allows access to the server to be controlled based on the host name of the distant node. When Require host host-name is specified, then the request is allowed access if the host name matches .
A ( overtone ) domain-name

Require host example.org
Require host .net example.edu

Hosts whose names match, or end in, this drawstring are allowed access. lone complete components are matched, so the above exemplar will match foo.example.org but it will not match fooexample.org. This configuration will cause Apache to perform a double reverse DNS search on the client IP address, careless of the set of the HostnameLookups directive. It will do a turn back DNS search on the IP savoir-faire to find the consociate hostname, and then do a ahead search on the hostname to assure that it matches the original IP address. only if the forward and reverse DNS are coherent and the hostname matches will entree be allowed .
The forward-dns provider allows access to the waiter to be controlled based on simple host names. When Require forward-dns host-name is specified, all IP addresses corresponding to host-name are allowed access .
In contrast to the host supplier, this supplier does not rely on reverse DNS search : it merely queries the DNS for the host name and allows a node if its IP matches. As a consequence, it will alone work with host names, not domain names. however, as the reverse DNS is not used, it will work with clients which use a dynamic DNS avail .

Require forward-dns dynamic.example.org

A client the IP of which is resolved from the appoint dynamic.example.org will be granted entree .
The forward-dns provider was added in 2.4.19.

The local provider allows access to the server if any of the follow conditions is true :

  • the client address matches 127.0.0.0/8
  • the client address is ::1
  • both the client and the server address of the connection are
    the same

This allows a commodious direction to match connections that originate from the local server :

Require local

If you are proxying content to your server, you need to be aware that the customer address will be the address of your proxy server, not the address of the node, and sol using the Require directing in this context may not do what you mean. See mod_remoteip for one potential solution to this problem .

Leave a Reply

Your email address will not be published.