Módulos | Directivas | Preguntas Frecuentes | Glosario | Mapa del sitio web

Versión 2.5 del Servidor HTTP Apache

<-
Apache > Servidor HTTP > Documentación > Versión 2.5 > How-To / Tutoriales

Control de Acceso

Idiomas disponibles:  en  |  es  |  fr 

El control de acceso, hace referencia a todos los medios que proporcionan una forma de controlar el acceso a cualquier recurso. Esta parte está separada de autenticación y autorización.

Consulte también

top

Módulos y Directivas relacionados

El control de acceso puede efectuarse mediante diferentes módulos. Los más importantes de éstos son mod_authz_core y mod_authz_host. También se habla en este documento de el control de acceso usando el módulo mod_rewrite.

top

Control de Acceso por host

Si lo que se quiere es restringir algunas zonas del sitio web, basándonos en la dirección del visitante, esto puede ser realizado de manera fácil con el módulo mod_authz_host.

La directiva Require proporciona una variedad de diferentes maneras de permitir o denegar el acceso a los recursos. Además puede ser usada junto con las directivas:RequireAll, RequireAny, y RequireNone, estos requerimientos pueden ser combinados de forma compleja y arbitraria, para cumplir cualquiera que sean tus políticas de acceso.

Las directivas Allow, Deny, y Order, proporcionadas por mod_access_compat, están obsoletas y serán quitadas en futuras versiones. Deberá evitar su uso, y también los tutoriales desactualizaos que recomienden su uso.

El uso de estas directivas es:

Require host address
Require ip ip.address

En la primera formaIn the first form, address is a fully qualified domain name (or a partial domain name); you may provide multiple addresses or domain names, if desired.

In the second form, ip.address is an IP address, a partial IP address, a network/netmask pair, or a network/nnn CIDR specification. Either IPv4 or IPv6 addresses may be used.

See the mod_authz_host documentation for further examples of this syntax.

You can insert not to negate a particular requirement. Note, that since a not is a negation of a value, it cannot be used by itself to allow or deny a request, as not true does not constitute false. Thus, to deny a visit using a negation, the block must have one element that evaluates as true or false. For example, if you have someone spamming your message board, and you want to keep them out, you could do the following:

<RequireAll>
    Require all granted
    Require not ip 10.252.46.165
</RequireAll>

Visitors coming from that address (10.252.46.165) will not be able to see the content covered by this directive. If, instead, you have a machine name, rather than an IP address, you can use that.

Require not host host.example.com

And, if you'd like to block access from an entire domain, you can specify just part of an address or domain name:

Require not ip 192.168.205
Require not host phishers.example.com moreidiots.example
Require not host gov

Use of the RequireAll, RequireAny, and RequireNone directives may be used to enforce more complex sets of requirements.

top

Access control by arbitrary variables

Using the <If>, you can allow or deny access based on arbitrary environment variables or request header values. For example, to deny access based on user-agent (the browser type) you might do the following:

<If "%{HTTP_USER_AGENT} == 'BadBot'">
    Require all denied
</If>

Using the Require expr syntax, this could also be written as:

Require expr %{HTTP_USER_AGENT} != 'BadBot'

Warning:

Access control by User-Agent is an unreliable technique, since the User-Agent header can be set to anything at all, at the whim of the end user.

See the expressions document for a further discussion of what expression syntaxes and variables are available to you.

top

Access control with mod_rewrite

The [F] RewriteRule flag causes a 403 Forbidden response to be sent. Using this, you can deny access to a resource based on arbitrary criteria.

For example, if you wish to block access to a resource between 8pm and 6am, you can do this using mod_rewrite.

RewriteEngine On
RewriteCond "%{TIME_HOUR}" ">=20" [OR]
RewriteCond "%{TIME_HOUR}" "<07"
RewriteRule "^/fridge"     "-"       [F]

This will return a 403 Forbidden response for any request after 8pm or before 7am. This technique can be used for any criteria that you wish to check. You can also redirect, or otherwise rewrite these requests, if that approach is preferred.

The <If> directive, added in 2.4, replaces many things that mod_rewrite has traditionally been used to do, and you should probably look there first before resorting to mod_rewrite.

top

More information

The expression engine gives you a great deal of power to do a variety of things based on arbitrary server variables, and you should consult that document for more detail.

Also, you should read the mod_authz_core documentation for examples of combining multiple access requirements and specifying how they interact.

See also the Authentication and Authorization howto.

Idiomas disponibles:  en  |  es  |  fr 

top

Comentarios

Notice:
This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our mailing lists.