Apache Allow and Deny Replaced With Require

Allow and Deny are being replaced with Require from mod_authz_host.

100 views
d

By. Jacob

Edited: 2021-09-25 14:35

Future versions of Apache will use mod_authz_host instead of mod_access_compat; traditional Allow and Deny directives are going away, and in fact, this seems to have been the case for Apache2.4 all along, I just have not noticed it until now. No matter — better late than never :-)

It is technically possible to mix the old way of doing things with the new, but this is discouraged, because it may complicate things unnecessarily and lead to mistakes. Last I checked in Ubuntu, both modules were enabled after installing Apache2.4, hence why I have not really noticed this change until now.

We should now use the Require directive instead. I included a few examples below.

The wollowing allows access from everywhere:

Order allow,deny
Allow from all

The equivalent of:

Require all granted

And the following denies access from everywhere:

Order deny,allow
Deny from all

Is the equivalent of:

Require all denied

Note. Require can be used inside Directory and Location blocks.

For some reason, Directory does not seem to work for sub-directories of a root directory, but Location does.

Only allow access from IP

If you want to only allow access to a folder from a specific IP, then you probably want to use the Location directive for sub-directories.

To limit access to http://example.com/phpmyadmin/, to a specific IP, try something like this:

<Location "/phpmyadmin/">
  DirectoryIndex index.php
  Require ip 127.0.0.1
</location>

This will also restrict access to files and sub-directories in /phpmyadmin/ so that only the client with the 127.0.0.1 IP address is allowed. You should place this in your Virtual Host file, below Directory blocks (if any).

You can list multiple IPs by seperating them with a space character:

Require ip 127.0.0.1 127.0.0.2 127.0.0.3

This is very useful if you only use phpMyAdmin for development purposes, and only developers needs to have access.

Your IP Address is:

Only allow access from local IPs

A really cool option for use with Require is called local; when used, only clients on the same LAN will be able to access the configured resource. E.g.:

Require local

This includes:

  • 127.0.0.0/8
  • ::1
  • When the Client address is the same as the Server address.

Links

  1. Upgrading to 2.4 from 2.2 - apache.org
  2. Apache Module mod_authz_host - apache.org

Tell us what you think:

  1. Changing the default charset for the Apache HTTP server may be done by changing either the v-host .conf files or the charset.conf file. If you do not have access to these files, you can try .htaccess instead. Find out how in this tutorial.
  2. This article describes configuration issues caused by Apache mischievously picking a default VHOST without telling the user.
  3. How to enable Apache mod_php using a2enmod, and how to find out what the name of the module is.
  4. How to configure Apache with Multiple Vhost files in Linux.

More in: Apache