mod_access
mod_access lets you filter clients by IP address.
access.deny (action)
denies access by returning a 403 status code
access.deny;
access.check (action)
allows or denies access based on client IP address
access.check rules;
- rules
- A key value list mapping "access" and/or "deny" keys to a list of CIDR addresses or "all".
Checks the client IP address against the rules. Default is to deny all addresses. The most precise matching rule defines the result (“192.168.100.0/24” takes precedence over “192.168.0.0/16”; similar to routing tables); if the same CIDR is in both lists the second action is taken. “all” is a synonym for “0.0.0.0/0” and “::/0”, matching all IPv4 and IPv6 addresses.
Example: restrict access to local network
Limit access to clients from the local network. The deny rule isn’t strictly required, as the default is to deny anyway. The smaller CIDR strings for the local networks override the global deny rule.
setup {
module_load "mod_access";
}
access.check (
"allow" => ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
"deny" => ("all")
);
Example: restrict access to subnet with exception
Limit access to clients from “192.168.10.0/24”, but deny access to “192.168.10.1”. As “192.168.10.1” (equivalent to “192.168.10.1/32”) is a more precise match it overwrites the allow rule for the subnet “192.168.10.0/24” containing it.
setup {
module_load "mod_access";
}
access.check (
"allow" => ("192.168.10.0/24"),
"deny" => ("192.168.10.1")
);
access.redirect_url (option)
url to redirect to if access was denied (not implemented yet)
access.redirect_url url;
NOT IMPLEMENTED YET
access.log_blocked (option)
whether to log when access was denied (with log level "info")
access.log_blocked url;