{"id":527,"date":"2015-06-23T12:36:13","date_gmt":"2015-06-23T16:36:13","guid":{"rendered":"http:\/\/jaewon.hwang.info\/jaewon\/?p=527"},"modified":"2015-06-23T12:36:40","modified_gmt":"2015-06-23T16:36:40","slug":"apache-group-authorizations-based-on-host-name-or-ip-address","status":"publish","type":"post","link":"https:\/\/jaewon.hwang.info\/jaewon\/2015\/06\/apache-group-authorizations-based-on-host-name-or-ip-address\/","title":{"rendered":"Apache group authorizations based on host (name or IP address)"},"content":{"rendered":"

From http:\/\/httpd.apache.org\/docs\/trunk\/mod\/mod_authz_host.html<\/a><\/p>\n

<\/p>\n

<\/a>Require ip<\/h3>\n

The ip<\/code> provider allows access to the server to be controlled based on the IP address of the remote client. When Require ip ip-address<\/var><\/code> is specified, then the request is allowed access if the IP address matches.<\/p>\n

A full IP address:<\/p>\n

Require<\/span> ip <\/span>10.1<\/span>.<\/span>2.3<\/span>\r\nRequire<\/span> ip <\/span>192.168<\/span>.<\/span>1.104<\/span> 192.168<\/span>.<\/span>1.205<\/span><\/pre>\n
An IP address of a host allowed access<\/p>\n
A partial IP address:<\/p>\n
Require<\/span> ip <\/span>10.1<\/span>\r\nRequire<\/span> ip <\/span>10<\/span> 172.20<\/span> 192.168<\/span>.<\/span>2<\/span><\/pre>\n
The first 1 to 3 bytes of an IP address, for subnet restriction.<\/p>\n
A network\/netmask pair:<\/p>\n
Require<\/span> ip <\/span>10.1<\/span>.<\/span>0.0<\/span>\/<\/span>255.255<\/span>.<\/span>0.0<\/span><\/pre>\n
A network a.b.c.d, and a netmask w.x.y.z. For more fine-grained subnet restriction.<\/p>\n
A network\/nnn CIDR specification:<\/p>\n
Require<\/span> ip <\/span>10.1<\/span>.<\/span>0.0<\/span>\/<\/span>16<\/span><\/pre>\n
Similar to the previous case, except the netmask consists of nnn high-order 1 bits.<\/p>\n
Note that the last three examples above match exactly the same set of hosts.<\/p>\n
IPv6 addresses and IPv6 subnets can be specified as shown below:<\/p>\n
Require<\/span> ip <\/span>2001:db8::a00:20ff:fea7:ccea<\/span>\r\nRequire<\/span> ip <\/span>2001:db8::a00:20ff:fea7:ccea<\/span>\/<\/span>10<\/span><\/pre>\n
Note: As the IP addresses are parsed on startup, expressions are not evaluated at request time.<\/p>\n
<\/a>Require host<\/h3>\n
The host<\/code> provider allows access to the server to be controlled based on the host name of the remote client. When Require host host-name<\/var><\/code> is specified, then the request is allowed access if the host name matches.<\/p>\n
A (partial) domain-name<\/p>\n
Require<\/span> host example<\/span>.<\/span>org\r\n<\/span>Require<\/span> host <\/span>.<\/span>net example<\/span>.<\/span>edu<\/span><\/pre>\n
<\/a>Require local<\/h3>\n
The local<\/code> provider allows access to the server if any of the following conditions is true:<\/p>\n
    \n
  • the client address matches 127.0.0.0\/8<\/li>\n
  • the client address is ::1<\/li>\n
  • both the client and the server address of the connection are the same<\/li>\n<\/ul>\n
    This allows a convenient way to match connections that originate from the local host:<\/p>\n
    Require<\/span> local<\/span><\/pre>\n","protected":false},"excerpt":{"rendered":"
    From http:\/\/httpd.apache.org\/docs\/trunk\/mod\/mod_authz_host.html<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[16],"tags":[33],"class_list":["post-527","post","type-post","status-publish","format-standard","hentry","category-computer","tag-apache"],"_links":{"self":[{"href":"https:\/\/jaewon.hwang.info\/jaewon\/wp-json\/wp\/v2\/posts\/527","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jaewon.hwang.info\/jaewon\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jaewon.hwang.info\/jaewon\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jaewon.hwang.info\/jaewon\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jaewon.hwang.info\/jaewon\/wp-json\/wp\/v2\/comments?post=527"}],"version-history":[{"count":0,"href":"https:\/\/jaewon.hwang.info\/jaewon\/wp-json\/wp\/v2\/posts\/527\/revisions"}],"wp:attachment":[{"href":"https:\/\/jaewon.hwang.info\/jaewon\/wp-json\/wp\/v2\/media?parent=527"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jaewon.hwang.info\/jaewon\/wp-json\/wp\/v2\/categories?post=527"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jaewon.hwang.info\/jaewon\/wp-json\/wp\/v2\/tags?post=527"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
Hosts whose names match, or end in, this string are allowed access. Only complete components are matched, so the above example will match foo.example.org<\/code> but it will not match fooexample.org<\/code>. This configuration will cause Apache to perform a double reverse DNS lookup on the client IP address, regardless of the setting of the HostnameLookups<\/a><\/code> directive. It will do a reverse DNS lookup on the IP address to find the associated hostname, and then do a forward lookup on the hostname to assure that it matches the original IP address. Only if the forward and reverse DNS are consistent and the hostname matches will access be allowed.<\/p>\n