1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
4 <TITLE>Apache module mod_access</TITLE>
7 <!-- Background white, links blue (unvisited), navy (visited), red (active) -->
15 <!--#include virtual="header.html" -->
17 <H1 ALIGN="CENTER">Module mod_access</H1>
19 This module is contained in the <CODE>mod_access.c</CODE> file, and
20 is compiled in by default. It provides access control based on client
21 hostname or IP address.
25 <LI><A HREF="#allow">allow</A>
26 <LI><A HREF="#allowfromenv">allow from env=</A>
27 <LI><A HREF="#deny">deny</A>
28 <LI><A HREF="#denyfromenv">deny from env=</A>
29 <LI><A HREF="#order">order</A>
34 <H2><A NAME="allow">allow directive</A></H2>
36 <!--%plaintext <?INDEX {\tt allow} directive> -->
38 HREF="directive-dict.html#Syntax"
40 ><STRONG>Syntax:</STRONG></A> allow from <EM>host host ...</EM><BR>
42 HREF="directive-dict.html#Context"
44 ><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
46 HREF="directive-dict.html#Override"
48 ><STRONG>Override:</STRONG></A> Limit<BR>
50 HREF="directive-dict.html#Status"
52 ><STRONG>Status:</STRONG></A> Base<BR>
54 HREF="directive-dict.html#Module"
56 ><STRONG>Module:</STRONG></A> mod_access
59 The allow directive affects which hosts can access a given directory.
60 <EM>Host</EM> is one of the following:
64 <DD>All hosts are allowed access
65 <DT>A (partial) domain-name
66 <DD>Hosts whose names match, or end in, this string are allowed access.
68 <DD>An IP address of a host allowed access
69 <DT>A partial IP address
70 <DD>The first 1 to 3 bytes of an IP address, for subnet restriction.
71 <DT>A network/netmask pair (<STRONG>Apache 1.3 and later</STRONG>)
72 <DD>A network a.b.c.d, and a netmask w.x.y.z. For more fine-grained subnet
73 restriction. (<EM>i.e.</EM>, 10.1.0.0/255.255.0.0)
74 <DT>A network/nnn CIDR specification (<STRONG>Apache 1.3 and later</STRONG>)
75 <DD>Similar to the previous case, except the netmask consists of nnn
76 high-order 1 bits. (<EM>i.e.</EM>, 10.1.0.0/16 is the same as 10.1.0.0/255.255.0.0)
81 <BLOCKQUOTE><CODE>allow from .ncsa.uiuc.edu</CODE></BLOCKQUOTE>
83 All hosts in the specified domain are allowed access.
86 Note that this compares whole components; <CODE>bar.edu</CODE>
87 would not match <CODE>foobar.edu</CODE>.
90 See also <A HREF="#deny">deny</A>, <A HREF="#order">order</A>, and
91 <A HREF="mod_browser.html#browsermatch">BrowserMatch</A>.
95 <A NAME="allowfromenv"><STRONG>Syntax:</STRONG> allow from
96 env=<EM>variablename</EM></A><BR>
98 HREF="directive-dict.html#Context"
100 ><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
102 HREF="directive-dict.html#Override"
104 ><STRONG>Override:</STRONG></A> Limit<BR>
106 HREF="directive-dict.html#Status"
108 ><STRONG>Status:</STRONG></A> Base<BR>
110 HREF="directive-dict.html#Module"
112 ><STRONG>Module:</STRONG></A> mod_access<BR>
114 HREF="directive-dict.html#Compatibility"
116 ><STRONG>Compatibility:</STRONG></A> Apache 1.2 and above
119 The allow from env directive controls access to a directory by the
120 existence (or non-existence) of an environment variable.
126 BrowserMatch ^KnockKnock/2.0 let_me_in
127 <Directory /docroot>
130 allow from env=let_me_in
133 In this case browsers with the user-agent string <TT>KnockKnock/2.0</TT> will
134 be allowed access, and all others will be denied.
136 See also <A HREF="#denyfromenv">deny from env</A>
137 and <A HREF="#order">order</A>.
141 <H2><A NAME="deny">deny directive</A></H2>
143 <!--%plaintext <?INDEX {\tt deny} directive> -->
145 HREF="directive-dict.html#Syntax"
147 ><STRONG>Syntax:</STRONG></A> deny from <EM>host host ...</EM><BR>
149 HREF="directive-dict.html#Context"
151 ><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
153 HREF="directive-dict.html#Override"
155 ><STRONG>Override:</STRONG></A> Limit<BR>
157 HREF="directive-dict.html#Status"
159 ><STRONG>Status:</STRONG></A> Base<BR>
161 HREF="directive-dict.html#Module"
163 ><STRONG>Module:</STRONG></A> mod_access
166 The deny directive affects which hosts can access a given directory.
167 <EM>Host</EM> is one of the following:
171 <DD>all hosts are denied access
172 <DT>A (partial) domain-name
173 <DD>host whose name is, or ends in, this string are denied access.
174 <DT>A full IP address
175 <DD>An IP address of a host denied access
176 <DT>A partial IP address
177 <DD>The first 1 to 3 bytes of an IP address, for subnet restriction.
178 <DT>A network/netmask pair (<STRONG>Apache 1.3 and later</STRONG>)
179 <DD>A network a.b.c.d, and a netmask w.x.y.z. For more fine-grained subnet
180 restriction. (<EM>i.e.</EM>, 10.1.0.0/255.255.0.0)
181 <DT>A network/nnn CIDR specification (<STRONG>Apache 1.3 and later</STRONG>)
182 <DD>Similar to the previous case, except the netmask consists of nnn
183 high-order 1 bits. (<EM>i.e.</EM>, 10.1.0.0/16 is the same as 10.1.0.0/255.255.0.0)
188 <BLOCKQUOTE><CODE>deny from 16</CODE></BLOCKQUOTE>
190 All hosts in the specified network are denied access.
193 Note that this compares whole components; <CODE>bar.edu</CODE>
194 would not match <CODE>foobar.edu</CODE>.
197 See also <A HREF="#allow">allow</A> and <A HREF="#order">order</A>.
201 <A NAME="denyfromenv"><STRONG>Syntax:</STRONG> deny from
202 env=<EM>variablename</EM></A><BR>
204 HREF="directive-dict.html#Context"
206 ><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
208 HREF="directive-dict.html#Override"
210 ><STRONG>Override:</STRONG></A> Limit<BR>
212 HREF="directive-dict.html#Status"
214 ><STRONG>Status:</STRONG></A> Base<BR>
216 HREF="directive-dict.html#Module"
218 ><STRONG>Module:</STRONG></A> mod_access<BR>
220 HREF="directive-dict.html#Compatibility"
222 ><STRONG>Compatibility:</STRONG></A> Apache 1.2 and above
225 The deny from env directive controls access to a directory by the
226 existence (or non-existence) of an environment variable.
232 BrowserMatch ^BadRobot/0.9 go_away
233 <Directory /docroot>
236 deny from env=go_away
239 In this case browsers with the user-agent string <TT>BadRobot/0.9</TT> will
240 be denied access, and all others will be allowed.
243 See also <A HREF="#allowfromenv">allow from env</A>
244 and <A HREF="#order">order</A>.
248 <H2><A NAME="order">order directive</A></H2>
250 <!--%plaintext <?INDEX {\tt order} directive> -->
252 HREF="directive-dict.html#Syntax"
254 ><STRONG>Syntax:</STRONG></A> order <EM>ordering</EM><BR>
256 HREF="directive-dict.html#Default"
258 ><STRONG>Default:</STRONG></A> <CODE>order deny,allow</CODE><BR>
260 HREF="directive-dict.html#Context"
262 ><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
264 HREF="directive-dict.html#Override"
266 ><STRONG>Override:</STRONG></A> Limit<BR>
268 HREF="directive-dict.html#Status"
270 ><STRONG>Status:</STRONG></A> Base<BR>
272 HREF="directive-dict.html#Module"
274 ><STRONG>Module:</STRONG></A> mod_access
277 The order directive controls the order in which <A HREF="#allow">allow</A> and
278 <A HREF="#deny">deny</A> directives are evaluated. <EM>Ordering</EM> is one
283 <DD>the deny directives are evaluated before the allow directives. (The
284 initial state is OK.)
286 <DD>the allow directives are evaluated before the deny directives. (The
287 initial state is FORBIDDEN.)
289 <DD>Only those hosts which appear on the allow list and do not appear
290 on the deny list are granted access. (The initial state is irrelevant.)
293 <STRONG>Note that in all cases every <CODE>allow</CODE> and <CODE>deny</CODE>
294 statement is evaluated, there is no "short-circuiting".</STRONG>
302 allow from .ncsa.uiuc.edu<BR>
305 Hosts in the ncsa.uiuc.edu domain are allowed access; all other hosts are
308 <!--#include virtual="footer.html" -->