Whos There? Configuring Client IP/Domain Restrictions
After you've configured the access rights on a per-directory basis, using either the global access.conf or directory-specific access control files, you may decide that you want to allow or deny access on a per-site basis, as well. You may, for instance, only wish to allow connections from a particular domain, possibly for specific directories. You can do this additionally within the global access.conf file using additional entries within the <Limit> directive for a particular directory.
It's important to understand how the allow/deny directives are parsed within any given <Limit> statement. You have three options to specify parse order that give you the ability to override previous deny statements with allow statements, using the order statement
order deny, allow
Using this form lets you, for instance, deny from everywhere, then allow only from a specific domain(s) or host(s), perhaps like this:
<Limit GET> order deny,allow deny from all allow from .corp.adobe.com </Limit>
Likewise, you can override allow statements with deny statements to allow everyone and then deny a few specific domains or hosts like so:
<Limit GET> order allow,deny allow from all deny from .bozo.com </Limit>
You can also treat all connections as denied, unless the host appears in either an allow or deny statement, using the following order option:
<Limit GET> order mutual-failure allow from .metronet.com allow from 130.248 deny from .bozo.com </Limit>
This option is probably the safest, because it won't allow any connections from anywhere, unless they're specifically allowed.
Running our script again now gives the following:
Userid: nobody
Group: nogroup
Administrator is: wmiddlet@adobe.com
Running at port: 80
Access filename: .privaccess
User Directory: public_html
Global Types: text/html .shtml
Options for Directory: /usr/local/etc/httpd/cgi-bin
Options : None
AllowOverride : None
Limit:
Options for Directory: /usr/local/etc/httpd/htdocs/test1
Options : None
AllowOverride : None
Limit: GET POST
require = valid-user
Options for Directory: /usr/local/etc/httpd/htdocs
PerlHandler : main::handler
AddType : text/html .shtml
Options : Indexes SymLinksIfOwnerMatch IncludesNOEXEC
AllowOverride : AuthConfig FileInfo Indexes Limit
Limit: GET
deny = from .bozo.com
order = mutual-failure
allow = from .metronet.com
But note our <Limit> directive for DocumentRoot has not limited retrievals in /cgi-bin. Because the cgi-bin directory isn't beneath DocumentRoot, it's not affected by the <Limit> statement. You'll need to explicitly limit anything outside, or above, the directory where you place <Limit> statements if that is the intent.