This article explains how to configure access permissions.
Setting access permissions (Require)
In Apache, access restrictions can be configured for every file used by the server. By using section containers and related settings, restrictions can be configured by directory or by file.
For section containers, see “Setting the Access Scope (Section Containers).”
For example, write the configuration as follows.
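<Directory "${SRVROOT}/htdocs">
# A negated Require is only valid inside <RequireAll>
<RequireAll>
Require all granted
Require not ip 10.252.46.165
</RequireAll>
</Directory>
Access restrictions are written with Require. Use all to allow every request (granted) or deny every request (denied), and use host or ip to allow or deny access for a specific host or IP address. A negated form (Require not ...) can only exclude clients, so it is written inside a <RequireAll> block together with a rule that grants access. Outside such a block, multiple Require lines are treated as alternatives (as in <RequireAny>), where a negated rule is not permitted.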
| Format | Meaning |
|---|---|
| Require all granted | Allow all access |
| Require all denied | Deny all access |
| Require ip IP-address | Allow the specified IP address |
| Require not ip IP-address | Deny the specified IP address |
| Require host host | Allow the specified host |
| Require not host host | Deny the specified host |
all
When all is specified, it applies to every access. Require all granted allows all access. Require all denied denies all access.
IP address
When an IP address is specified, only clients from that IP address can access it. For example, Require ip 192.168.1.1 allows access only from the IP address 192.168.1.1.
IP addresses can be written as follows.
192.168.1.2
192.168.1
192.168.1.0/255.255.255.0
192.168.1.0/24
The first line specifies an individual IP address. The second form corresponds to 192.168.1.0/24. The third and fourth forms use a netmask and target the addresses from 192.168.1.0 to 192.168.1.255.
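The following Python sketch is an added example, not code from the original article or from Apache. It normalizes the four IPv4 notations above into networks and evaluates a rule list as the body of one <RequireAll> block, so you can check which clients a rule set admits before deploying it. The function names and SAMPLE_RULES are assumptions made for this example, and only the all and ip requirement types are modeled.

```python
import ipaddress

def parse_require_ip(spec):
    """Convert one IPv4 `Require ip` argument into an ip_network."""
    if "/" not in spec:
        octets = spec.split(".")
        if not 1 <= len(octets) <= 4:
            raise ValueError(f"bad address: {spec!r}")
        # Partial address: the leading octets given select the whole range
        spec = ".".join(octets + ["0"] * (4 - len(octets))) + f"/{8 * len(octets)}"
    # strict=False masks off host bits; a leniency of this sketch
    return ipaddress.ip_network(spec, strict=False)

def matches(client, rule_words):
    """True if a non-negated `all ...` or `ip ...` requirement matches client."""
    kind, args = rule_words[0], rule_words[1:]
    if kind == "all" and args in (["granted"], ["denied"]):
        return args == ["granted"]
    if kind == "ip" and args:
        # Several addresses on one line are alternatives
        return any(client in parse_require_ip(a) for a in args)
    raise ValueError(f"unsupported requirement: {' '.join(rule_words)}")

def require_all(client_ip, rules):
    """Evaluate rules as the body of one <RequireAll> block."""
    client = ipaddress.ip_address(client_ip)
    succeeded = False
    for rule in rules:
        words = rule.split()
        if len(words) < 3 or words[0] != "Require":
            raise ValueError(f"not a Require line: {rule!r}")
        if words[1] == "not":
            if matches(client, words[2:]):
                return False      # a matching negated rule fails the block
        elif matches(client, words[1:]):
            succeeded = True
        else:
            return False          # a positive rule that does not match fails it
    return succeeded              # at least one positive rule must succeed

# Constructed sample: the two Require lines from the first example on this page
SAMPLE_RULES = ["Require all granted", "Require not ip 10.252.46.165"]

if __name__ == "__main__":
    for ip in ("10.252.46.165", "10.252.46.166", "192.168.1.77"):
        print(ip, require_all(ip, SAMPLE_RULES))
```

A block that contains only negated rules returns False here because nothing in it grants access.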
Host
A host or domain can be specified. Apache obtains the host name from the IP address of the client that accessed the server (a reverse DNS lookup). If the end of that host name matches the host or domain specified as the target, the rule matches.
Require host devkuma.com
For example, with the configuration above, access is allowed when the end of the host name obtained from the user’s IP address matches devkuma.com. Examples include host1.devkuma.com and www.sub.devkuma.com, where the trailing part matches.
Configuration priority
When access restrictions for a directory are configured with <Directory>, the specified directory and all subdirectories are targeted. If different access restrictions are configured for a subdirectory, the subdirectory configuration overrides the parent configuration.
Now look at the default settings in the httpd.conf file. The access restriction part is excerpted below.
<Directory />
AllowOverride none
Require all denied
</Directory>
<Directory "${SRVROOT}/htdocs">
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
<Files ".ht*">
Require all denied
</Files>
<Directory "${SRVROOT}/cgi-bin">
AllowOverride None
Options None
Require all granted
</Directory>
First, all access is denied for the root directory /. As explained earlier, directory permission settings include all subdirectories, so this root directory setting denies access to every file on the server's filesystem unless a more specific section allows it.
Next, all access is allowed for ${SRVROOT}/htdocs, the document root. Because the document root directory and its subdirectories are published externally, access must be allowed.
As described above, the setting for a subdirectory overrides the setting of its parent, so the “deny all” setting for the root directory is replaced with “allow all” for the document root and its subdirectories.
The cgi-bin directory also allows all access. This directory is where CGI and similar files are placed.
Using Files, all access is denied for every file matching the wildcard .ht*. This prevents files such as .htaccess from being accessed externally regardless of the directory where they are located. .htaccess is a special file for writing access restrictions and will be covered separately on another page.