211 lines
12 KiB
HTML
211 lines
12 KiB
HTML
|
<?xml version="1.0" encoding="UTF-8"?>
|
||
|
<!DOCTYPE html
|
||
|
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
||
|
<html lang="en-us" xml:lang="en-us">
|
||
|
<head>
|
||
|
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
|
||
|
<meta name="security" content="public" />
|
||
|
<meta name="Robots" content="index,follow" />
|
||
|
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
|
||
|
<meta name="DC.Type" content="topic" />
|
||
|
<meta name="DC.Title" content="Module mod_access" />
|
||
|
<meta name="copyright" content="(C) Copyright IBM Corporation 2002,2006" />
|
||
|
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2002,2006" />
|
||
|
<meta name="DC.Format" content="XHTML" />
|
||
|
<meta name="DC.Identifier" content="rzaiemod_access" />
|
||
|
<meta name="DC.Language" content="en-us" />
|
||
|
<!-- All rights reserved. Licensed Materials Property of IBM -->
|
||
|
<!-- US Government Users Restricted Rights -->
|
||
|
<!-- Use, duplication or disclosure restricted by -->
|
||
|
<!-- GSA ADP Schedule Contract with IBM Corp. -->
|
||
|
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
|
||
|
<link rel="stylesheet" type="text/css" href="./ic.css" />
|
||
|
<title>Module mod_access</title>
|
||
|
</head>
|
||
|
<body id="rzaiemod_access"><a name="rzaiemod_access"><!-- --></a>
|
||
|
<!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script>
|
||
|
<!--Java sync-link--><h1 class="topictitle1">Module mod_access</h1>
|
||
|
<div><div class="important"><span class="importanttitle">Important:</span> Information
|
||
|
for this topic supports the latest PTF levels for HTTP Server for i5/OS .
|
||
|
It is recommended that you install the latest PTFs to upgrade to the latest
|
||
|
level of the HTTP Server for i5/OS. Some of the topics documented here are
|
||
|
not available prior to this update. See <a href="http://www-03.ibm.com/servers/eserver/iseries/software/http/services/service.html" target="_blank">http://www.ibm.com/servers/eserver/iseries/software/http/services/service.htm</a> <img src="www.gif" alt="Link outside Information Center" /> for more information. </div>
|
||
|
<p><strong>Summary</strong></p>
|
||
|
<p>The module mod_access provides access control based on a client's hostname
|
||
|
or IP address.</p>
|
||
|
<p><strong>Directives</strong></p>
|
||
|
<ul><li><a href="#allow">Allow</a></li>
|
||
|
<li><a href="#deny">Deny</a></li>
|
||
|
<li><a href="#order">Order</a></li>
|
||
|
</ul>
|
||
|
</div>
|
||
|
<div class="hr" id="allow"><a name="allow"><!-- --></a><h2 class="topictitle2">Allow</h2>
|
||
|
<div>
|
||
|
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_access</td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: allow from <em>all | env=[!]envvar | host
|
||
|
[host ...]</em></td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: none</td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: <span id="allow__allow_context"><a name="allow__allow_context"><!-- --></a>directory, .htaccess</span></td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: Limit</td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: <span id="allow__allow_origin"><a name="allow__allow_origin"><!-- --></a>Apache</span></td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: allow from all</td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: allow from env=go_away</td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: allow from 10.10.10.10 .ibm.com</td>
|
||
|
</tr>
|
||
|
</tbody>
|
||
|
</table>
|
||
|
</div>
|
||
|
<p>The Allow directive affects which hosts can access a given directory.</p>
|
||
|
<dl class="block"><dt class="dlterm"><strong>Parameter</strong>: <em>host</em></dt>
|
||
|
<dd><ul><li>If <em>all</em>, all hosts are allowed access.</li>
|
||
|
<li>If <em>full</em> or <em>partial domain-name</em>, hosts whose names match
|
||
|
or end in this string are allowed access. </li>
|
||
|
<li>If <em>full IP address</em>, only IP address of a host are allowed access. </li>
|
||
|
<li>If <em>partial IP address</em>, only the first 1 to 3 bytes of an IP address,
|
||
|
for subnet restriction. </li>
|
||
|
<li>If<em> network/netmask</em>, a network a.b.c.d. And a netmask w.x.y.z. Can
|
||
|
be used for fine-grained subnet restriction (for example, 10.2.0.0/255.255.0.0).
|
||
|
</li>
|
||
|
<li>If <em>network/nnn CIDR specification</em>, it is similar to the previous
|
||
|
case, except the netmask consists of nnn higher-order 1 bits (for example,
|
||
|
10.1.0.0/16 is the same as 10.1.0.0/255.255.0.0).</li>
|
||
|
</ul>
|
||
|
<div class="note"><span class="notetitle">Note:</span> This compares whole components, ibm.com<sup>®</sup> would not match <em>QIBMibm.com</em>.</div>
|
||
|
</dd>
|
||
|
</dl>
|
||
|
<p>The allow from env option controls access to a directory by the existence
|
||
|
(or nonexistence) of an environment variable. For example: </p>
|
||
|
<pre class="block">BrowserMatch ^KnockKnock/2.0 let_me_in
|
||
|
<Directory /docroot>
|
||
|
order deny,allow
|
||
|
deny from all
|
||
|
allow from env=let_me_in
|
||
|
</Directory></pre>
|
||
|
<p>In this case browsers with the user-agent string KnockKnock/2.0 will be
|
||
|
allowed access, and all others will be denied.</p>
|
||
|
<p>See also <a href="#deny">Deny</a>, <a href="#order">Order</a>, and BrowserMatch.</p>
|
||
|
</div>
|
||
|
</div>
|
||
|
<div class="hr" id="deny"><a name="deny"><!-- --></a><h2 class="topictitle2">Deny</h2>
|
||
|
<div>
|
||
|
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_access</td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: deny from <em>all | env=[!]envvar | host
|
||
|
[host ...]</em></td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: none</td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: <span id="deny__deny_context"><a name="deny__deny_context"><!-- --></a>directory, .htaccess</span></td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: Limit</td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: <span id="deny__deny_origin"><a name="deny__deny_origin"><!-- --></a>Apache</span></td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: deny from env=go_away</td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: deny from 10.10.10.10 .ibm.com</td>
|
||
|
</tr>
|
||
|
</tbody>
|
||
|
</table>
|
||
|
</div>
|
||
|
<p>The deny directive affects which hosts can access a given directory.</p>
|
||
|
<dl class="block"><dt class="dlterm"><strong>Parameter</strong>: <em>host</em></dt>
|
||
|
<dd><ul><li>If <em>all</em>, all hosts are denied access. </li>
|
||
|
<li>If <em>full</em> or <em>partial domain-name</em>, hosts whose names match
|
||
|
or end in this string are denied access. </li>
|
||
|
<li>If <em>full IP address</em>, only IP address of a host are denied access. </li>
|
||
|
<li>If <em>partial IP address</em>, only the first 1 to 3 bytes of an IP address,
|
||
|
for subnet restriction. </li>
|
||
|
<li>If <em>network/netmask</em>, a network a.b.c.d. And a net mask w.x.y.z.
|
||
|
Can be used for fine-grained subnet restriction (for example, 10.2.0.0/255.255.0.0). </li>
|
||
|
<li>If <em>network/nnn CIDR specification</em>, it is similar to the previous
|
||
|
case, except the netmask consists of nnn higher-order 1 bits (for example,
|
||
|
10.1.0.0/16 is the same as 10.1.0.0/255.255.0.0).</li>
|
||
|
</ul>
|
||
|
<div class="note"><span class="notetitle">Note:</span> This compares whole components (ibm.com would not match <em>QIBMibm.com</em>). </div>
|
||
|
</dd>
|
||
|
</dl>
|
||
|
<p>The deny from env option controls access to a directory by the existence
|
||
|
(or nonexistence) of an environment variable. For example: </p>
|
||
|
<pre class="block">BrowserMatch ^BadRobot/0.9 go_away
|
||
|
<Directory /docroot>
|
||
|
order allow,deny
|
||
|
allow from all
|
||
|
deny from env=go_away
|
||
|
</Directory></pre>
|
||
|
<p>In this case browsers with the user-agent string BadRobot/0.9 will be denied
|
||
|
access, and all others will be allowed.</p>
|
||
|
<p>See also <a href="#allow">Allow</a> and <a href="#order">Order</a>. </p>
|
||
|
</div>
|
||
|
</div>
|
||
|
<div class="hr" id="order"><a name="order"><!-- --></a><h2 class="topictitle2">Order</h2>
|
||
|
<div>
|
||
|
<div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_access</td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: order <em>ordering</em></td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: order deny,allow</td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: <span id="order__order_context"><a name="order__order_context"><!-- --></a>directory, .htaccess</span></td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: Limit</td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: <span id="order__order_origin"><a name="order__order_origin"><!-- --></a>Modified</span></td>
|
||
|
</tr>
|
||
|
<tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: order deny,allow</td>
|
||
|
</tr>
|
||
|
</tbody>
|
||
|
</table>
|
||
|
</div>
|
||
|
<p>The order directive controls the order in which Allow and Deny directives
|
||
|
are evaluated. .</p>
|
||
|
<dl class="block"><dt class="dlterm"><strong>Parameter</strong>: <em>ordering</em></dt>
|
||
|
<dd><ul><li>If <em>deny,allow</em>, the deny directives are evaluated before the allow
|
||
|
directives (the initial state is OK).</li>
|
||
|
<li>If <em>allow,deny</em>, the allow directives are evaluated before the deny
|
||
|
directives (the initial state is FORBIDDEN).</li>
|
||
|
<li>If <em>mutual-failure</em>, only those hosts which appear on the allow list
|
||
|
and do not appear on the deny list are granted access (the initial state is
|
||
|
irrelevant). </li>
|
||
|
</ul>
|
||
|
</dd>
|
||
|
</dl>
|
||
|
<p>Keywords may only be separated by a comma; no whitespace is allowed between
|
||
|
them. Note: that in all cases every allow and deny statement is evaluated,
|
||
|
there is no "short-circuiting". For Example: </p>
|
||
|
<pre class="block">order deny,allow
|
||
|
deny from all
|
||
|
allow from .ibm.com</pre>
|
||
|
<p>In this example, the first container's intent is to keep everyone out.
|
||
|
The next container overrides for the appropriate subdirectory. </p>
|
||
|
<pre class="block"><Directory/>
|
||
|
Order deny,allow
|
||
|
deny from all
|
||
|
allow from none
|
||
|
</Directory>
|
||
|
|
||
|
Alias /root /bobtest/xyz/html
|
||
|
<Directory /bobtest/xyz/html/>
|
||
|
Order allow,deny
|
||
|
allow from all
|
||
|
Authtype Basic
|
||
|
AuthName "root and %%SYSTEM%%"
|
||
|
PasswdFile %%SYSTEM%%
|
||
|
Require valid-user
|
||
|
UserID %%SYSTEM%%
|
||
|
</Directory></pre>
|
||
|
<p>Hosts in the ibm.com domain
|
||
|
are allowed access; all other hosts are denied access.</p>
|
||
|
</div>
|
||
|
</div>
|
||
|
|
||
|
</body>
|
||
|
</html>
|