Module mod_access_compat
Module mod_access_compat supports directives for the IBM® HTTP Server for i Web server.
Summary
The module mod_access_compat provides access control based on a client's hostname or IP address.
Directives
Allow
| Module: mod_access_compat | |
| Syntax: allow from all | env=[!]envvar | host [host ...] | |
| Default: none | |
| Context: directory, .htaccess | |
| Override: Limit | |
| Origin: Apache | |
| Example: allow from all | |
| Example: allow from env=go_away | |
| Example: allow from 10.10.10.10 .ibm.com | |
| Example: allow from 2001:db8::a00:20ff:fea7:ccea | |
| Example: allow from 2001:db8::a00:20ff:fea7:ccea/10 |
The Allow directive affects which hosts can access a given directory.
- Parameter: host
- If all, all hosts are allowed access.
- If full or partial domain-name, hosts whose names match or end in this string are allowed access.
- If full IP address, only IP address of a host are allowed access.
- If partial IP address, only the first 1 to 3 bytes of an IP address, for subnet restriction.
- If network/netmask, a network a.b.c.d. And a netmask w.x.y.z. Can be used for fine-grained subnet restriction (for example, 10.2.0.0/255.255.0.0).
- If network/nnn CIDR specification, it is similar to the previous case, except the netmask consists of nnn higher-order 1 bits (for example, 10.1.0.0/16 is the same as 10.1.0.0/255.255.0.0).
Note: This compares whole components, ibm.com® would not match QIBMibm.com.
The allow from env option controls access to a directory by the existence (or nonexistence) of an environment variable. For example:
BrowserMatch ^KnockKnock/2.0 let_me_in
<Directory /docroot>
order deny,allow
deny from all
allow from env=let_me_in
</Directory>In this case browsers with the user-agent string KnockKnock/2.0 will be allowed access, and all others will be denied.
Deny
| Module: mod_access_compat | |
| Syntax: deny from all | env=[!]envvar | host [host ...] | |
| Default: none | |
| Context: directory, .htaccess | |
| Override: Limit | |
| Origin: Apache | |
| Example: deny from env=go_away | |
| Example: deny from 10.10.10.10 .ibm.com |
The deny directive affects which hosts can access a given directory.
- Parameter: host
- If all, all hosts are denied access.
- If full or partial domain-name, hosts whose names match or end in this string are denied access.
- If full IP address, only IP address of a host are denied access.
- If partial IP address, only the first 1 to 3 bytes of an IP address, for subnet restriction.
- If network/netmask, a network a.b.c.d. And a net mask w.x.y.z. Can be used for fine-grained subnet restriction (for example, 10.2.0.0/255.255.0.0).
- If network/nnn CIDR specification, it is similar to the previous case, except the netmask consists of nnn higher-order 1 bits (for example, 10.1.0.0/16 is the same as 10.1.0.0/255.255.0.0).
Note: This compares whole components (ibm.com would not match QIBMibm.com).
The deny from env option controls access to a directory by the existence (or nonexistence) of an environment variable. For example:
BrowserMatch ^BadRobot/0.9 go_away
<Directory /docroot>
order allow,deny
allow from all
deny from env=go_away
</Directory>In this case browsers with the user-agent string BadRobot/0.9 will be denied access, and all others will be allowed.
Order
| Module: mod_access_compat | |
| Syntax: order ordering | |
| Default: order deny,allow | |
| Context: directory, .htaccess | |
| Override: Limit | |
| Origin: Modified | |
| Example: order deny,allow |
The order directive controls the order in which Allow and Deny directives are evaluated. .
- Parameter: ordering
- If deny,allow, the deny directives are evaluated before the allow directives (the initial state is OK).
- If allow,deny, the allow directives are evaluated before the deny directives (the initial state is FORBIDDEN).
- If mutual-failure, only those hosts which appear on the allow list and do not appear on the deny list are granted access (the initial state is irrelevant).
Keywords may only be separated by a comma; no whitespace is allowed between them. Note: that in all cases every allow and deny statement is evaluated, there is no "short-circuiting". For Example:
order deny,allow
deny from all
allow from .ibm.comIn this example, the first container's intent is to keep everyone out. The next container overrides for the appropriate subdirectory.
<Directory/>
Order deny,allow
deny from all
allow from none
</Directory>
Alias /root /bobtest/xyz/html
<Directory /bobtest/xyz/html/>
Order allow,deny
allow from all
Authtype Basic
AuthName "root and %%SYSTEM%%"
PasswdFile %%SYSTEM%%
Require valid-user
UserID %%SYSTEM%%
</Directory>Hosts in the ibm.com domain are allowed access; all other hosts are denied access.
Satisfy
| Module: mod_access_compat | |
| Syntax: Satisfy any | all | |
| Default: Satisfy all | |
| Context: directory, .htaccess | |
| Override: AuthConfig | |
| Origin: Modified | |
| Example: Satisfy any |
The Satisfy directive establishes access policy if both allow and require are used. The parameter can be either 'all' or 'any'. This directive is only useful if access to a particular area is being restricted by both username/password and client host address.
- Parameter: any | all
- In this case, the default behavior all requires that the client passes the address access restriction and enters a valid username and password.
- With the any option, the client will be granted access if they either pass the host restriction or enter a valid username and password. This can be used to password restrict an area, but to let clients from particular addresses in without prompting for a password.
The Require directive has to indicate Satisfy is not required every time AuthType is used, but if "Satisfy Any" is used, then you must also use Allow, Require, AuthType AuthName and PasswdFile in order for the Satisfy to work correctly. For example:
Order allow,deny
Allow from All
Satisfy Any
AuthType Basic
AuthName "Realm can go here"
PasswdFile %%SYSTEM%%
Require valid-user