Apache Allow and Deny Replaced With Require

Allow and Deny are being replaced with Require from mod_authz_host.


By. Jacob

Edited: 2021-09-25 14:35

Future versions of Apache will use mod_authz_host instead of mod_access_compat; traditional Allow and Deny directives are going away. In fact, this seems to have been the case for Apache 2.4 all along; I just have not noticed it until now. No matter — better late than never :-)

It is technically possible to mix the old way of doing things with the new, but this is discouraged, because it may complicate things unnecessarily and lead to mistakes. Last I checked in Ubuntu, both modules were enabled after installing Apache 2.4, which is why I have not really noticed this change until now.

We should now use the Require directive instead. I included a few examples below.

The following allows access from everywhere:

Order allow,deny
Allow from all

Is the equivalent of:

Require all granted

And the following denies access from everywhere:

Order deny,allow
Deny from all

Is the equivalent of:

Require all denied

Note. Require can be used inside Directory and Location blocks.

For some reason, Directory does not seem to work for sub-directories of a root directory, but Location does.
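
An added example (not from the original article or the Apache project): a small Python check that scans Apache configuration text for legacy Order/Allow/Deny lines, suggests the Require equivalents shown above, and flags configuration that mixes both styles. The function names and the sample configuration are this example's own; the sample is constructed.

```python
import ipaddress
import re

LEGACY = re.compile(r"^\s*(Order|Allow|Deny)\b\s*(.*)$", re.IGNORECASE)
REQUIRE = re.compile(r"^\s*Require\b", re.IGNORECASE)

def is_ip(token):  # full IPv4/IPv6 address or CIDR range
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False

def suggest(directive, args):
    """Per-line Require equivalent for the simple cases, else None (manual review)."""
    d, words = directive.lower(), args.split()
    if d == "order":
        return "(remove: Require has no Order)"
    if len(words) < 2 or words[0].lower() != "from":
        return None
    targets = words[1:]
    if [t.lower() for t in targets] == ["all"]:
        return "Require all granted" if d == "allow" else "Require all denied"
    if d == "allow" and all(is_ip(t) for t in targets):
        return "Require ip " + " ".join(targets)
    return None  # hostnames, env= and "Deny from <ip>" need a hand-written rule

def audit(config_text):
    """Return (findings, mixed); findings are (line_no, legacy_line, suggestion)."""
    findings, has_require = [], False
    for no, line in enumerate(config_text.splitlines(), 1):
        # Both patterns anchor on the directive name, so "#" comments never match.
        has_require = has_require or bool(REQUIRE.match(line))
        m = LEGACY.match(line)
        if m:
            findings.append((no, line.strip(), suggest(m.group(1), m.group(2))))
    return findings, bool(findings) and has_require

# Constructed sample configuration (not from the article).
SAMPLE = """<Directory "/var/www/html">
    Order allow,deny
    Allow from all
    AllowOverride None
    Deny from example.org
    Require ip 127.0.0.1
</Directory>"""

if __name__ == "__main__":
    findings, mixed = audit(SAMPLE)
    print(*findings, f"mixes legacy and Require: {mixed}", sep="\n")
```

The suggestions are per line; where Order, Allow and Deny combine into a more involved policy, rewrite the whole block by hand and test it.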

Only allow access from IP

If you want to only allow access to a folder from a specific IP, then you probably want to use the Location directive for sub-directories.

To limit access to http://example.com/phpmyadmin/, to a specific IP, try something like this:

<Location "/phpmyadmin/">
  DirectoryIndex index.php
  Require ip 127.0.0.1
</Location>

This will also restrict access to files and sub-directories in /phpmyadmin/ so that only the client with the 127.0.0.1 IP address is allowed. You should place this in your Virtual Host file, below Directory blocks (if any).

You can list multiple IPs by separating them with a space character:

Require ip 127.0.0.1 127.0.0.2 127.0.0.3

This is very useful if you only use phpMyAdmin for development purposes, and only developers need to have access.

Only allow access from local IPs

A really cool option for use with Require is called local; when used, only clients connecting from the server itself (the local host) will be able to access the configured resource. E.g.:

Require local

This includes:

  • 127.0.0.0/8
  • ::1
  • When the Client address is the same as the Server address.

