29.14. Restricting Access by Client Address

Apache can also be configured to limit access to a directory, URL location, or filename to certain client systems. The web server knows the IP address of every browser that connects to it and can use that address to determine whether or not the browser is allowed to request certain pages.

In some situations, the client's real IP address will not be available to the web server. If the client is accessing the web through a proxy server or a firewall doing NAT, then the IP address from which the request appears to originate will be that of the proxy or firewall system. There is a way to get the real address, but generally it is not a problem because all clients behind the proxy or firewall are usually treated the same from an access control point of view.

Apache determines whether a client is allowed access or not by checking its IP address and hostname against a list of rules. There are two types of rules: those that allow access and those that deny it. Depending on its configuration, the web server will either check all of the allow rules before the deny rules, or vice versa. The first one to match determines whether or not the client is denied, and no further rules are checked.

Most people who set up IP access control want to allow access from certain addresses and networks and deny everyone else. For example, you might want to give hosts on your company LAN access to your intranet, but prevent others on the Internet from accessing it. To set up this kind of access control, follow these steps:

1. On the module's main page, click on the icon for the virtual server under which you want IP access control to be enabled.

2. Click on the icon for the directory, URL location, or filename to which you want to restrict access. If one does not yet exist, follow the steps in Section 29.6 “Setting Per-Directory Options” earlier in this chapter to create it.

3. Click on the Access Control icon, which will bring you to the page shown in Figure 29.8.

4. Scroll down to the Restrict access table and change the Access checking order field to Allow then deny. This tells Apache that any request that is not specifically allowed by access control rules should be denied, and that all rules that allow access should be checked before rules that deny.

If the alternative Deny then allow option is chosen, requests that do not match any rule will be allowed and deny rules will be checked before allow rules.

The Mutual failure option has the same effect as Allow then deny and should not be used.

5. At first, this table will contain only one empty row for entering your first access control rule. Because you are going to allow only certain clients and block the rest, select Allow from the menu in the Action column.

The menu and field under the Condition column determine what kind of check is done to see if the client is allowed or not. The following are the available condition types:

All requests If chosen, all client requests will have the selected action performed.

Request from host If chosen, only clients whose hostname is the same as or ends with the text entered into the field next to it will have the action performed. Apache gets the hostname by performing a reverse DNS lookup on the client's IP address, which may not always work.

Request from IP If the client's IP address is exactly the same as the one entered into the field next to the menu, the selected action will be performed.

Request from partial IP If chosen, clients whose IP addresses start with the partial IP entered into the field next to the menu will have the selected action performed. For example, you could enter 192.168 to match all clients on that network.

Request from net/netmask If the client's IP address is within the network specified by the entered network address and netmask, the selected action will be performed. An example network specification would be 192.168.1.0/255.255.255.0.

Request from net/CIDR If the client's IP address is within the network specified by the entered network address and prefix bits, the selected action will be performed. 192.168.1.128/25 is an example of this kind of network specification.

If variable is set If this option is chosen, the selected action will only be performed if the environment variable whose name is entered into the adjacent field is set. Apache provides several ways to set variables based on request headers and browser types, which are too complex to cover here.

6. Click the Save button at the bottom of the form and, if there are no errors in your selections, you will be returned to the directory options page. To allow more than one client IP address or network, click on the Access Control icon again and fill another blank row in the Restrict access table. You can build up complex access control rulesets by adding many allow and deny rules.

7. When you are totally done, use the Apply Changes link on any page to make the restrictions active.

It is possible to combine both IP address restrictions and username/password access control for the same directory. This can be done in two ways—clients are either checked for any IP restrictions and then forced to enter a password or only prompted for a password if they do not pass the IP restrictions.

The mode that Apache uses is determined by the Clients must satisfy field on the access control form. If you set it to All access controls, then they must pass both password and IP checks. If Any access control is selected, however, a password will only be prompted for if the IP checks fail. This can be useful for granting access to a directory to everyone on your internal network and to people on the Internet who have a valid username and password.
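The combined configuration described in the last two paragraphs, as an added example that is not taken from the book or from Webmin: the IP rule from the earlier steps together with password authentication, with the Satisfy directive expressing the Clients must satisfy field. The directory path, network and password file location are assumptions.

```apacheconf
<Directory "/var/www/intranet">
    # IP restriction: only the assumed internal LAN is allowed.
    Order allow,deny
    Allow from 192.168.1.0/255.255.255.0

    # Password protection (assumed htpasswd file created with the
    # htpasswd command; any valid user is accepted).
    AuthType Basic
    AuthName "Intranet"
    AuthUserFile "/etc/apache2/intranet.htpasswd"
    Require valid-user

    # "All access controls": a client must be on the LAN AND present a
    # valid username and password. This is also the default when the
    # directive is omitted.
    #Satisfy All

    # "Any access control": LAN clients are admitted without a password;
    # clients failing the IP check are prompted for one instead.
    Satisfy Any
</Directory>
```

With Satisfy Any, the password prompt is only reached by clients the IP rules reject, so the credentials are exposed to exactly the less-trusted population; serving the directory over HTTPS keeps Basic authentication from sending them in cleartext. In Apache 2.4 the same two behaviours are written with the RequireAll and RequireAny containers from mod_authz_core rather than with Satisfy.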
