On Tue, Apr 24, 2001 at 12:35:33PM -0230, [EMAIL PROTECTED] wrote:
> Can I have a directory which I can block access to by a range of IPs or
> specific IPs?
>
> I read about this a few weeks ago but at the time it didn't mean much to
> me.

This isn't a mod_ssl specific feature (though somewhat security
related, I guess). It is built in to the Apache web server.

    <Directory /usr/home/foo>
        Order allow,deny
        Allow from 192.168.0.0/16
        Deny from all
    </Directory>

The 'Deny from all' above is redundant, since deny is the default
action if the IP doesn't match the allow statement.

The order of allow/deny is important. Whichever (allow or deny) is
last becomes the default action. For example, if the order directive
is:

    Order allow,deny

all access is denied by default. Only IP addresses matching the allow
directive will be allowed. This is useful for allowing access to
authorized clients based on their IP address while denying access to
everyone else.

If the order directive is:

    Order deny,allow

all access is allowed by default. Only IP addresses matching the deny
directive will be denied. This is useful for restricting access from
abusive clients based on their IP address. For more information on
this (including more examples), read the Apache Server documentation.

You can also limit what these IPs can do with the 'Limit' directive
(e.g., GET, PUT, POST, DELETE, etc.)

Note that restricting a directory by IP address isn't strong security
since IP addresses can be spoofed. For strong authentication, use
mod_ssl with client certificates.

Scott Wiersdorf
--
Scott Wiersdorf
[EMAIL PROTECTED]
http://www.ipartner.net/
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
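
Added example, not part of the original message: a simplified Python model of how Apache's Order, Allow and Deny directives combine, following the Apache 2.2 access-control documentation. It handles only IP/CIDR rules and "all"; the function names, policy labels and client addresses are constructed for illustration.

```python
import ipaddress

def matches(client, rules):
    """True if client matches any rule; a rule is 'all' or an IP/CIDR string."""
    addr = ipaddress.ip_address(client)
    return any(
        rule.lower() == "all" or addr in ipaddress.ip_network(rule, strict=False)
        for rule in rules
    )

def evaluate(order, allow, deny, client):
    """Return 'allow' or 'deny' for one client (simplified model, assumption)."""
    allowed = matches(client, allow)
    denied = matches(client, deny)
    key = order.replace(" ", "").lower()
    if key == "allow,deny":
        # Needs an Allow match and no Deny match; unmatched clients are denied.
        return "allow" if allowed and not denied else "deny"
    if key == "deny,allow":
        # Denied only if a Deny matches and no Allow overrides it;
        # unmatched clients are allowed.
        return "deny" if denied and not allowed else "allow"
    raise ValueError("unsupported Order value: %r" % order)

# Constructed sample policies: (label, order, allow rules, deny rules)
POLICIES = [
    ("allow-list via allow,deny", "allow,deny", ["192.168.0.0/16"], []),
    ("allow,deny plus Deny from all", "allow,deny", ["192.168.0.0/16"], ["all"]),
    ("block-list via deny,allow", "deny,allow", [], ["203.0.113.0/24"]),
    ("allow-list via deny,allow", "deny,allow", ["192.168.0.0/16"], ["all"]),
]
CLIENTS = ["192.168.4.7", "203.0.113.9", "198.51.100.1"]  # constructed addresses

def decision_table():
    """Map each policy label to {client: decision} for the sample clients."""
    return {
        label: {c: evaluate(order, allow, deny, c) for c in CLIENTS}
        for label, order, allow, deny in POLICIES
    }

if __name__ == "__main__":
    for label, row in decision_table().items():
        print(label, row)
```

In this model, as in the Apache 2.2 documentation, a matching Deny under `Order allow,deny` rejects the request even when an Allow also matches, so checking a policy against a few known client addresses before deploying it shows who is actually admitted.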