Hack 96 Controlling Web-Server Access by Hostname or IP Address

It's easy as pie to get Apache serving something exciting, but at times, the joy of a running web server needs to be curbed by the stern eye of security. We'll take a quick look at how to enable hostname or IP access control, creating a set of acceptance or denial rules for content we want restricted.

While Apache can certainly handle authenticated access control, we're only going to touch on the location-based side of it for this hack (we get to usernames and passwords in our next one). To protect our Apache server, we're going to open httpd.conf [Hack #89] with our favorite text editorand modify (or define) the directory we want protected. In our example, we're going to protect the entire web server, so we'll look for our document root, which should look something like this:

<Directory "/Library/WebServer/Documents">   Options Indexes FollowSymLinks MultiViews   AllowOverride None   Order Allow,Deny   Allow from all </Directory>

Quite simply, the Order Allow,Deny and Allow from all lines are the magic that will stop outside visitors from perusing our site. Right now, as these lines stand, we're wide open to the public. This is what we're going to end up with:

<Directory "/Library/WebServer/Documents">   Options Includes FollowSymLinks MultiViews   AllowOverride None   Order Deny,Allow   Deny from all   Allow from gatesmcfaddenco.org </Directory>

See what we've done here? The first thing we did was flip our Order directive. This tells Apache to process all Deny rules first, and then all the remaining Allow rules. Likewise, our first Deny is from all, meaning no one can come knocking. If we denied everyone, of course, no one would be able to see our site, so we add an Allow rule for a domain of our choosing. We can also Allow and Deny by IP, such as Allow from 209.204.146. This will allow access to anyone from within that block, but no one from without.

Once you've made these changes, restart Apache (type sudo apache restart) and you'll be protected nicely from the outside world, serving up pages only to allowed sites.

96.1 See Also

• Apache's mod_access documentation (http://httpd.apache.org/docs/mod/mod_access.html)