Soon after I learned about mod_perl, I wanted to know how I could use it to secure my web site. Apache has a number of phases it progresses through as it serves web pages. Three of those phases are access control, authentication, and authorization. In this article, I’ll discuss each phase and demonstrate five examples of what they can do.
The access control phase is the first of the three authentication phases available in Apache. This phase allows you to restrict access to specific URLs based on criteria other than who the visitor is. This has traditionally been used to allow or deny access for certain hosts. However, with mod_perl you can restrict access to specific directories for any reason you like: time of day or week, phase of the moon, user agent, the referring page, and just about anything else you can envision.
The Apache::HostLimit module (Example 8-1) is a simple access control handler you can use to exclude particular hosts. For a more detailed explanation of handlers, read the mod_perl article in this book, or get Lincoln Stein and Doug MacEachern’s book Writing Apache Modules in Perl and C (O’Reilly).
To activate the access control handler, you need the following in your configuration file:
This tells Apache to invoke the Apache::HostLimit module during access control.
Example 8-1. Excluding particular hosts with Apache::HostLimit
1 package Apache::HostLimit; 2 3 use strict; ...