Modules |Directives |FAQ |Glossary |Sitemap
Apache HTTP Server Version 2.4
| Description: | Group authorizations based on host (name or IPaddress) |
|---|---|
| Status: | Base |
| Module Identifier: | authz_host_module |
| Source File: | mod_authz_host.c |
| Compatibility: | Theforward-dns provider was added in 2.4.19 |
The authorization providers implemented bymod_authz_host are registered using theRequire directive. The directive can be referenced within a<Directory>,<Files>, or<Location> section as well as.htaccess files to control access to particular parts of the server. Access can be controlled based on the client hostname or IP address.
In general, access restriction directives apply to all access methods (GET,PUT,POST, etc). This is the desired behavior in most cases. However, it is possible to restrict some methods, while leaving other methods unrestricted, by enclosing the directives in a<Limit> section.
This module provides no directives.
Apache'sRequire directive is used during the authorization phase to ensure that a user is allowed or denied access to a resource. mod_authz_host extends the authorization types withip,host,forward-dns andlocal. Other authorization types may also be used but may require that additional authorization modules be loaded.
These authorization providers affect which hosts can access an area of the server. Access can be controlled by hostname, IP Address, or IP Address range.
Since v2.4.8,expressions are supported within the host require directives.
Theip provider allows access to the server to be controlled based on the IP address of the remote client. WhenRequire ipip-address is specified, then the request is allowed access if the IP address matches.
A full IP address:
Require ip 10.1.2.3Require ip 192.168.1.104 192.168.1.205
An IP address of a host allowed access
A partial IP address:
Require ip 10.1Require ip 10 172.20 192.168.2
The first 1 to 3 bytes of an IP address, for subnet restriction.
A network/netmask pair:
Require ip 10.1.0.0/255.255.0.0
A network a.b.c.d, and a netmask w.x.y.z. For more fine-grained subnet restriction.
A network/nnn CIDR specification:
Require ip 10.1.0.0/16
Similar to the previous case, except the netmask consists of nnn high-order 1 bits.
Note that the last three examples above match exactly the same set of hosts.
IPv6 addresses and IPv6 subnets can be specified as shown below:
Require ip 2001:db8::a00:20ff:fea7:cceaRequire ip 2001:db8:1:1::aRequire ip 2001:db8:2:1::/64Require ip 2001:db8:3::/48
Note: As the IP addresses are parsed on startup, expressions are not evaluated at request time.
Thehost provider allows access to the server to be controlled based on the host name of the remote client. WhenRequire hosthost-name is specified, then the request is allowed access if the host name matches.
A (partial) domain-name
Require host example.orgRequire host .net example.edu
Hosts whose names match, or end in, this string are allowed access. Only complete components are matched, so the above example will matchfoo.example.org but it will not matchfooexample.org. This configuration will cause Apache to perform a double reverse DNS lookup on the client IP address, regardless of the setting of theHostnameLookups directive. It will do a reverse DNS lookup on the IP address to find the associated hostname, and then do a forward lookup on the hostname to assure that it matches the original IP address. Only if the forward and reverse DNS are consistent and the hostname matches will access be allowed.
Theforward-dns provider allows access to the server to be controlled based on simple host names. WhenRequire forward-dnshost-name is specified, all IP addresses corresponding tohost-name are allowed access.
In contrast to thehost provider, this provider does not rely on reverse DNS lookups: it simply queries the DNS for the host name and allows a client if its IP matches. As a consequence, it will only work with complete host names that can be resolved in DNS, not partial domain names. However, as the reverse DNS is not used, and DNS lookups occur at request processing time (instead of startup), it will work with clients which use a dynamic DNS service.
Require forward-dns dynamic.example.org
A client the IP of which is resolved from the namedynamic.example.org will be granted access.
Theforward-dns provider was added in 2.4.19.
Thelocal provider allows access to the server if any of the following conditions is true:
This allows a convenient way to match connections that originate from the local host:
Require local
If you are proxying content to your server, you need to be aware that the client address will be the address of your proxy server, not the address of the client, and so using theRequire directive in this context may not do what you mean. Seemod_remoteip for one possible solution to this problem.
Copyright 2025 The Apache Software Foundation.
Licensed under theApache License, Version 2.0.
