Module mod_access

Important: Information for this topic supports the latest PTF levels for HTTP Server for i5/OS. It is recommended that you install the latest PTFs to upgrade to the latest level of the HTTP Server for i5/OS. Some of the topics documented here are not available prior to this update. See http://www.ibm.com/servers/eserver/iseries/software/http/services/service.htm for more information.

Summary

The module mod_access provides access control based on a client's hostname or IP address.

Directives

Allow

Module: mod_access
Syntax: allow from all | env=[!]envvar | host [host ...]
Default: none
Context: directory, .htaccess
Override: Limit
Origin: Apache
Example: allow from all
Example: allow from env=go_away
Example: allow from 10.10.10.10 .ibm.com

The Allow directive affects which hosts can access a given directory.

Parameter: host
  • If all, all hosts are allowed access.
  • If full or partial domain-name, hosts whose names match or end in this string are allowed access.
  • If full IP address, only the host with that IP address is allowed access.
  • If partial IP address, the first 1 to 3 bytes of an IP address are given, for subnet restriction.
  • If network/netmask, a network a.b.c.d and a netmask w.x.y.z can be used for fine-grained subnet restriction (for example, 10.2.0.0/255.255.0.0).
  • If network/nnn CIDR specification, it is similar to the previous case, except the netmask consists of nnn higher-order 1 bits (for example, 10.1.0.0/16 is the same as 10.1.0.0/255.255.0.0).
Note: This compares whole components (ibm.com would not match QIBMibm.com).

The allow from env option controls access to a directory by the existence (or nonexistence) of an environment variable. For example:

BrowserMatch ^KnockKnock/2.0 let_me_in
<Directory /docroot>
   order deny,allow
   deny from all
   allow from env=let_me_in
</Directory>

In this case browsers with the user-agent string KnockKnock/2.0 will be allowed access, and all others will be denied.

See also Deny, Order, and BrowserMatch.

Deny

Module: mod_access
Syntax: deny from all | env=[!]envvar | host [host ...]
Default: none
Context: directory, .htaccess
Override: Limit
Origin: Apache
Example: deny from env=go_away
Example: deny from 10.10.10.10 .ibm.com

The deny directive affects which hosts can access a given directory.

Parameter: host
  • If all, all hosts are denied access.
  • If full or partial domain-name, hosts whose names match or end in this string are denied access.
  • If full IP address, only the host with that IP address is denied access.
  • If partial IP address, the first 1 to 3 bytes of an IP address are given, for subnet restriction.
  • If network/netmask, a network a.b.c.d and a netmask w.x.y.z can be used for fine-grained subnet restriction (for example, 10.2.0.0/255.255.0.0).
  • If network/nnn CIDR specification, it is similar to the previous case, except the netmask consists of nnn higher-order 1 bits (for example, 10.1.0.0/16 is the same as 10.1.0.0/255.255.0.0).
Note: This compares whole components (ibm.com would not match QIBMibm.com).

The deny from env option controls access to a directory by the existence (or nonexistence) of an environment variable. For example:

BrowserMatch ^BadRobot/0.9 go_away
<Directory /docroot>
   order allow,deny
   allow from all
   deny from env=go_away
</Directory>

In this case browsers with the user-agent string BadRobot/0.9 will be denied access, and all others will be allowed.

See also Allow and Order.

Order

Module: mod_access
Syntax: order ordering
Default: order deny,allow
Context: directory, .htaccess
Override: Limit
Origin: Modified
Example: order deny,allow

The order directive controls the order in which Allow and Deny directives are evaluated.

Parameter: ordering
  • If deny,allow, the deny directives are evaluated before the allow directives (the initial state is OK).
  • If allow,deny, the allow directives are evaluated before the deny directives (the initial state is FORBIDDEN).
  • If mutual-failure, only those hosts which appear on the allow list and do not appear on the deny list are granted access (the initial state is irrelevant).

Keywords may only be separated by a comma; no whitespace is allowed between them. Note that in all cases every allow and deny statement is evaluated; there is no "short-circuiting". For example:

order deny,allow 
deny from all 
allow from .ibm.com

In the following example, the first container's intent is to keep everyone out. The next container overrides for the appropriate subdirectory.

<Directory />
   Order deny,allow
   deny from all
   allow from none
</Directory>

Alias /root /bobtest/xyz/html
<Directory /bobtest/xyz/html/>
   Order allow,deny
   allow from all
   Authtype Basic
   AuthName "root and %%SYSTEM%%"
   PasswdFile %%SYSTEM%%
   Require valid-user
   UserID %%SYSTEM%%
</Directory>

In the first example above (order deny,allow, deny from all, allow from .ibm.com), hosts in the ibm.com domain are allowed access; all other hosts are denied access.
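The following Python model is an added example, not code from HTTP Server or from this documentation. It evaluates the Allow, Deny and Order rules as this page describes them, so a rule set can be checked against sample clients before it is deployed. The function names, the IPv4-only matching and the sample clients are assumptions made for illustration.

```python
import ipaddress

def host_matches(spec, ip, name=None, env=()):
    """Return True if one 'from' argument matches the client (IPv4 only)."""
    if spec == "all":
        return True
    if spec.startswith("env="):                  # env=[!]envvar
        var = spec[4:]
        return var[1:] not in env if var.startswith("!") else var in env
    if "/" in spec:                              # network/netmask or network/nnn
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    if spec.replace(".", "").isdigit():          # full or partial IP address
        octets = spec.rstrip(".").split(".")
        return ip.split(".")[:len(octets)] == octets   # compare whole bytes
    if name is None:                             # domain spec needs a host name
        return False
    spec, name = spec.lower(), name.lower()
    suffix = spec if spec.startswith(".") else "." + spec
    return name == spec or name.endswith(suffix)  # whole components only

def check_access(order, allow, deny, ip, name=None, env=()):
    """Evaluate every allow and deny argument, then combine per 'order'."""
    allowed = any(host_matches(s, ip, name, env) for s in allow)
    denied = any(host_matches(s, ip, name, env) for s in deny)
    if order == "deny,allow":        # initial state OK, allow evaluated last
        return "OK" if allowed or not denied else "FORBIDDEN"
    if order in ("allow,deny", "mutual-failure"):   # deny has the last word
        return "OK" if allowed and not denied else "FORBIDDEN"
    raise ValueError("unknown ordering: " + order)

if __name__ == "__main__":
    # Constructed clients: (IP address, resolved host name)
    clients = [("10.1.2.3", "www.ibm.com"), ("192.0.2.7", "QIBMibm.com"),
               ("10.10.4.4", None)]
    for ip, name in clients:
        for order in ("deny,allow", "allow,deny"):
            result = check_access(order, [".ibm.com", "10.1"], ["all"], ip, name)
            print(ip, name, order, result)
```

With the same allow and deny lists, switching the ordering from deny,allow to allow,deny turns "deny from all" from a default that allow entries can override into a block that nothing overrides.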