As ever, this functionality is provided by a module: authz_host_module, loaded from the library mod_authz_host.so (in versions of Apache before 2.2 this was access_module from the library mod_access.so).
This module offers us three commands: Allow, Deny and Order.
These restrictions need not cover the whole server, and typically don't. In any case, these are examples of commands that must be placed within a <Directory> block or in a delegated configuration file. If you want to cover the whole web server then the document root must be used for the <Directory> block.
The Order command takes one of two arguments: Deny,Allow and Allow,Deny. No whitespace is allowed around the comma. While it may look like a comma-delimited list it is not; it is just a pair of rather strange-looking arguments that have a comma as one of their characters.

If the argument is Deny,Allow (the default) then the initial state is that all access is allowed; then all the Deny statements are processed, and then they are overridden by the Allow statements.

If the argument is Allow,Deny then the initial state is that all access is prohibited; then all the Allow statements are processed, and then they are overridden by the Deny statements.
This is best illustrated with some examples.
```apache
LoadModule authz_host_module /usr/lib/apache2/mod_authz_host.so

<Directory /srv/www/WWW/bestiary>
    Order Allow,Deny
    Deny from trouble.csi.cam.ac.uk
    Allow from cam.ac.uk
    #Deny from csi.cam.ac.uk
</Directory>
```
Here is what happens when a request from trouble.csi.cam.ac.uk is processed.
Stage | Match? | State
---|---|---
Initial | | All requests refused.
Allow from cam.ac.uk | Rule matches. | Access is allowed.
Deny from trouble.csi.cam.ac.uk | Rule matches. | Access is denied.
Final | | Access is denied.
Note that the sequence in which the Allow and Deny commands appear is unimportant; their processing is entirely determined by the Order command.
The addresses given in the Allow and Deny statements can be specified in a variety of ways. The examples given are for the Allow command but are equally applicable to the Deny command.
Syntax summary: Options on the Allow command

Syntax | Effect
---|---
Allow from cam.ac.uk | Access is allowed from any host whose name ends with cam.ac.uk.
Allow from 131.111.11.148 | Access is allowed for requests originating from 131.111.11.148. Note that any request passing through a web proxy or cache will carry the address of the proxy or cache, not that of the original client.
Allow from 131.111 | Access is allowed for requests originating from IP addresses whose first two bytes are 131.111. Note that Cambridge has more networks than just this primary one.
Allow from 131.111.10.0/255.255.254.0 | Access is allowed from any IP address which, when masked by 255.255.254.0, gives 131.111.10.0.
Allow from 131.111.10.0/23 | Access is allowed from any IP address whose first 23 bits form the address 131.111.10.0.
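To make the two Order semantics and the address forms above concrete, here is an added Python model of the evaluation (example code, not from the page or from Apache's own mod_authz_host). It assumes the client's host name is already known, whereas Apache obtains it by a double-reverse DNS lookup of the client address; the client IP 131.111.11.148 is a constructed sample.

```python
import ipaddress

# Added example (not from the page or the Apache project): a model of how
# mod_authz_host evaluates Order/Allow/Deny. The host name is taken as input;
# real Apache derives it by a double-reverse DNS lookup of the client IP.

def matches(pattern, ip, host=""):
    """Does one 'from' argument match the client? Covers the forms in the
    text: partial host name, full IP, partial IP, net/mask and net/CIDR."""
    if pattern == "all":
        return True
    if "/" in pattern:  # 131.111.10.0/255.255.254.0 or 131.111.10.0/23
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(ip) in net
    if pattern.replace(".", "").isdigit():  # 131.111.11.148 or partial 131.111
        return ip == pattern or ip.startswith(pattern + ".")
    # Partial domain name: only whole components match (foo.cam.ac.uk matches,
    # notcam.ac.uk does not), as Apache does.
    return host == pattern or host.endswith("." + pattern)

def decide(order, rules, ip, host=""):
    """Apply the Order semantics to a list of (kind, pattern) rules.
    Returns (allowed, trace); trace lists each stage and the state after it."""
    first, second = order.split(",")     # no whitespace around the comma
    allowed = first == "Deny"            # Deny,Allow starts open; Allow,Deny starts closed
    trace = [("Initial", allowed)]
    for stage in (first, second):        # all of one kind, then all of the other
        for kind, pattern in rules:
            if kind == stage and matches(pattern, ip, host):
                allowed = kind == "Allow"  # the later stage overrides the earlier one
                trace.append((f"{kind} from {pattern}", allowed))
    trace.append(("Final", allowed))
    return allowed, trace

# The page's <Directory> block as rule tuples (their sequence is irrelevant).
PAGE_RULES = [("Deny", "trouble.csi.cam.ac.uk"), ("Allow", "cam.ac.uk")]
CLIENT_IP, CLIENT_HOST = "131.111.11.148", "trouble.csi.cam.ac.uk"  # constructed client

if __name__ == "__main__":
    for order in ("Allow,Deny", "Deny,Allow"):
        allowed, trace = decide(order, PAGE_RULES, CLIENT_IP, CLIENT_HOST)
        print(f"Order {order}:")
        for stage, state in trace:
            print(f"  {stage:<32} {'allowed' if state else 'denied'}")
```

Running it reproduces the page's table for Order Allow,Deny and shows that the same two rules under Order Deny,Allow let the request through, which is the point about Order deciding everything.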