mod_access

mod_access lets you filter clients by IP address.

access.deny (action)

denies access by returning a 403 status code

access.deny;

access.check (action)

allows or denies access based on client IP address

access.check rules;
rules
A key value list mapping "access" and/or "deny" keys to a list of CIDR addresses or "all".

Checks the client IP address agains the rules. Default is to deny all addresses. The most precise matching rule defines the result ("192.168.100.0/24" takes precedence over "192.168.0.0/16"; similar to routing tables); if the same CIDR is in both lists the second action is taken. "all" is a synonym for "0.0.0.0/0" and "::/0", matching all IPv4 and IPv6 addresses.

Example: restrict access to local network

Limit access to clients from the local network. The deny rule isn't strictly required, as the default is to deny anyway. The smaller CIDR strings for the local networks override the global deny rule.

setup {
	module_load "mod_access";
}

access.check (
	"allow" => ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
	"deny" => ("all")
);

Example: restrict access to subnet with exception

Limit access to clients from "192.168.10.0/24", but deny access to "192.168.10.1". As "192.168.10.1" (equivalent to "192.168.10.1/32") is a more precise match it overwrites the allow rule for the subnet "192.168.10.0/24" containing it.

setup {
	module_load "mod_access";
}

access.check (
	"allow" => ("192.168.10.0/24"),
	"deny" => ("192.168.10.1")
);

access.redirect_url (option)

url to redirect to if access was denied (not implemented yet)

access.redirect_url url;
Default value: not set

NOT IMPLEMENTED YET

access.log_blocked (option)

whether to log when access was denied (with log level "info")

access.log_blocked url;
Default value: false