<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta name="generator" content="HTML Tidy, see www.w3.org" />

    <title>Apache module mod_access</title>
  </head>
  <!-- Background white, links blue (unvisited), navy (visited), red (active) -->

  <body bgcolor="#FFFFFF" text="#000000" link="#0000FF"
  vlink="#000080" alink="#FF0000">
    <div align="CENTER">
      <img src="../images/sub.gif" alt="[APACHE DOCUMENTATION]" />

      <h3>Apache HTTP Server Version 1.3</h3>
    </div>


    <h1 align="CENTER">Module mod_access</h1>

    <p>This module provides access control based on client
    hostname, IP address, or other characteristics of the client
    request.</p>

    <p><a href="module-dict.html#Status"
    rel="Help"><strong>Status:</strong></a> Base<br />
     <a href="module-dict.html#SourceFile"
    rel="Help"><strong>Source File:</strong></a> mod_access.c<br />
     <a href="module-dict.html#ModuleIdentifier"
    rel="Help"><strong>Module Identifier:</strong></a>
    access_module</p>

    <h2>Summary</h2>

    <p>The directives provided by mod_access are used in <code><a
    href="core.html#directory">&lt;Directory&gt;</a>, <a
    href="core.html#files">&lt;Files&gt;</a>,</code> and <code><a
    href="core.html#location">&lt;Location&gt;</a></code> sections
    as well as <code><a
    href="core.html#accessfilename">.htaccess</a></code> files to
    control access to particular parts of the server. Access can be
    controlled based on the client hostname, IP address, or other
    characteristics of the client request, as captured in <a
    href="../env.html">environment variables</a>. The
    <code>Allow</code> and <code>Deny</code> directives are used to
    specify which clients are or are not allowed access to the
    server, while the <code>Order</code> directive sets the default
    access state, and configures how the <code>Allow</code> and
    <code>Deny</code> directives interact with each other.</p>

    <p>Both host-based access restrictions and password-based
    authentication may be implemented simultaneously. In that case,
    the <a href="core.html#satisfy">Satisfy</a> directive is used
    to determine how the two sets of restrictions interact.</p>

    <p>In general, access restriction directives apply to all
    access methods (<code>GET</code>, <code>PUT</code>,
    <code>POST</code>, etc.). This is the desired behavior in most
    cases. However, it is possible to restrict some methods, while
    leaving other methods unrestricted, by enclosing the directives
    in a <a href="core.html#limit">&lt;Limit&gt;</a> section.</p>

    <h2>Directives</h2>

    <ul>
      <li><a href="#allow">Allow</a></li>

      <li><a href="#deny">Deny</a></li>

      <li><a href="#order">Order</a></li>
    </ul>

    <p>See also <a href="core.html#satisfy">Satisfy</a> and <a
    href="core.html#require">Require</a>.</p>
    <hr />

    <h2><a id="allow" name="allow">Allow</a> <a id="allowfromenv"
    name="allowfromenv">directive</a></h2>

    <p>
     <a href="directive-dict.html#Syntax"
    rel="Help"><strong>Syntax:</strong></a> Allow from
    all|<em>host</em>|env=<em>env-variable</em>
    [<em>host</em>|env=<em>env-variable</em>] ...<br />
     <a href="directive-dict.html#Context"
    rel="Help"><strong>Context:</strong></a> directory,
    .htaccess<br />
     <a href="directive-dict.html#Override"
    rel="Help"><strong>Override:</strong></a> Limit<br />
     <a href="directive-dict.html#Status"
    rel="Help"><strong>Status:</strong></a> Base<br />
     <a href="directive-dict.html#Module"
    rel="Help"><strong>Module:</strong></a> mod_access</p>

    <p>The <code>Allow</code> directive affects which hosts can
    access an area of the server. Access can be controlled by
    hostname, IP Address, IP Address range, or by other
    characteristics of the client request captured in environment
    variables.</p>

    <p>The first argument to this directive is always
    <code>from</code>. The subsequent arguments can take three
    different forms. If <code>Allow from all</code> is specified,
    then all hosts are allowed access, subject to the configuration
    of the <code>Deny</code> and <code>Order</code> directives as
    discussed below. To allow only particular hosts or groups of
    hosts to access the server, the <em>host</em> can be specified
    in any of the following formats:</p>

    <dl>
      <dt>A (partial) domain-name</dt>

      <dd>Example: <code>Allow from apache.org</code><br />
       Hosts whose names match, or end in, this string are allowed
      access. Only complete components are matched, so the above
      example will match <code>foo.apache.org</code> but it will
      not match <code>fooapache.org</code>. This configuration will
      cause the server to perform a double reverse DNS lookup on the
      client IP address, regardless of the setting of the <a
      href="core.html#hostnamelookups">HostnameLookups</a>
      directive.  It will do a reverse DNS lookup on the IP address to
      find the associated hostname, and then do a forward lookup on
      the hostname to ensure that it matches the original IP address.
      Only if the forward and reverse DNS are consistent and the
      hostname matches will access be allowed.</dd>

      <dt>A full IP address</dt>

      <dd>Example: <code>Allow from 10.1.2.3</code><br />
       An IP address of a host allowed access.</dd>

      <dt>A partial IP address</dt>

      <dd>Example: <code>Allow from 10.1</code><br />
       The first 1 to 3 bytes of an IP address, for subnet
      restriction.</dd>

      <dt>A network/netmask pair</dt>

      <dd>Example: <code>Allow from
      10.1.0.0/255.255.0.0</code><br />
       A network a.b.c.d, and a netmask w.x.y.z. For more
      fine-grained subnet restriction. (Apache 1.3 and later)</dd>

      <dt>A network/nnn CIDR specification</dt>

      <dd>Example: <code>Allow from 10.1.0.0/16</code><br />
       Similar to the previous case, except the netmask consists of
      nnn high-order 1 bits. (Apache 1.3 and later)</dd>
    </dl>

    <p>Note that the last three examples above match exactly the
    same set of hosts.</p>
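
    <p>The following Python model of the host formats listed above is
    an added example, not code from mod_access. It assumes the caller
    passes the hostname that survived the double reverse DNS lookup
    (or <code>None</code> if the lookups disagreed); the function
    names and sample addresses are constructed for illustration.</p>

```python
import ipaddress


def host_matches(spec, client_ip, client_host=None):
    """Model of the host formats listed above (added example).

    client_host is the name that survived the double reverse DNS
    lookup, or None when the forward and reverse lookups disagree.
    """
    ip = ipaddress.IPv4Address(client_ip)
    if spec == "all":
        return True
    if "/" in spec:
        # network/netmask pair or network/nnn CIDR specification
        return ip in ipaddress.IPv4Network(spec, strict=False)
    parts = spec.split(".")
    if all(p.isdigit() for p in parts):
        # full IP address (4 bytes) or partial IP address (1 to 3 bytes);
        # compared byte by byte, so "10.1" does not match 10.10.2.3
        return str(ip).split(".")[:len(parts)] == parts
    if client_host is None:
        return False  # inconsistent DNS: a name rule can never match
    host, domain = client_host.lower(), spec.lower()
    # only complete components match: foo.apache.org yes, fooapache.org no
    return host == domain or host.endswith("." + domain)


def same_host_set(specs, sample_ips):
    """True if every spec gives the same decision for every sample IP."""
    return all(
        len({host_matches(s, ip) for s in specs}) == 1 for ip in sample_ips
    )


# Constructed sample addresses around the 10.1.0.0/16 boundary.
SAMPLE_IPS = ["10.1.0.0", "10.1.2.3", "10.1.255.255",
              "10.2.0.1", "10.0.255.255", "192.0.2.7"]
# The three specifications the page says match the same set of hosts.
EQUIVALENT = ["10.1", "10.1.0.0/255.255.0.0", "10.1.0.0/16"]

if __name__ == "__main__":
    print("equivalent:", same_host_set(EQUIVALENT, SAMPLE_IPS))
    for name in ("foo.apache.org", "fooapache.org", None):
        print(name, host_matches("apache.org", "192.0.2.7", name))
```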

    <p>The third format of the arguments to the <code>Allow</code>
    directive allows access to the server to be controlled based on
    the existence of an <a href="../env.html">environment
    variable</a>. When <code>Allow from
    env=</code><em>env-variable</em> is specified, then the request
    is allowed access if the environment variable
    <em>env-variable</em> exists. The server provides the ability
    to set environment variables in a flexible way based on
    characteristics of the client request using the directives
    provided by <a href="mod_setenvif.html">mod_setenvif</a>.
    Therefore, this directive can be used to allow access based on
    such factors as the client's <code>User-Agent</code> (browser
    type), <code>Referer</code>, or other HTTP request header
    fields.</p>

    <p>Example:</p>

    <blockquote>
<pre>
SetEnvIf User-Agent ^KnockKnock/2\.0 let_me_in
&lt;Directory /docroot&gt;
    Order Deny,Allow
    Deny from all
    Allow from env=let_me_in
&lt;/Directory&gt;
</pre>
    </blockquote>

    <p>In this case, browsers with a user-agent string beginning
    with <tt>KnockKnock/2.0</tt> will be allowed access, and all
    others will be denied. Because the <code>User-Agent</code>
    header is supplied by the client, a rule of this kind filters on
    what the client claims and does not authenticate it.</p>

    <p>See also <a href="#deny">Deny</a>, <a
    href="#order">Order</a> and <a
    href="mod_setenvif.html#setenvif">SetEnvIf</a>.</p>
    <hr />

    <h2><a id="deny" name="deny">Deny</a> <a id="denyfromenv"
    name="denyfromenv">directive</a></h2>

    <p>
     <a href="directive-dict.html#Syntax"
    rel="Help"><strong>Syntax:</strong></a> Deny from
    all|<em>host</em>|env=<em>env-variable</em>
    [<em>host</em>|env=<em>env-variable</em>] ...<br />
     <a href="directive-dict.html#Context"
    rel="Help"><strong>Context:</strong></a> directory,
    .htaccess<br />
     <a href="directive-dict.html#Override"
    rel="Help"><strong>Override:</strong></a> Limit<br />
     <a href="directive-dict.html#Status"
    rel="Help"><strong>Status:</strong></a> Base<br />
     <a href="directive-dict.html#Module"
    rel="Help"><strong>Module:</strong></a> mod_access</p>

    <p>This directive allows access to the server to be restricted
    based on hostname, IP address, or environment variables. The
    arguments for the <code>Deny</code> directive are identical to
    the arguments for the <a href="#allow">Allow</a> directive.</p>

    <p>See also <a href="#allow">Allow</a>, <a
    href="#order">Order</a> and <a
    href="mod_setenvif.html#setenvif">SetEnvIf</a>.</p>
    <hr />

    <h2><a id="order" name="order">Order directive</a></h2>

    <p>
     <a href="directive-dict.html#Syntax"
    rel="Help"><strong>Syntax:</strong></a> Order
    <em>ordering</em><br />
     <a href="directive-dict.html#Default"
    rel="Help"><strong>Default:</strong></a> <code>Order
    Deny,Allow</code><br />
     <a href="directive-dict.html#Context"
    rel="Help"><strong>Context:</strong></a> directory,
    .htaccess<br />
     <a href="directive-dict.html#Override"
    rel="Help"><strong>Override:</strong></a> Limit<br />
     <a href="directive-dict.html#Status"
    rel="Help"><strong>Status:</strong></a> Base<br />
     <a href="directive-dict.html#Module"
    rel="Help"><strong>Module:</strong></a> mod_access</p>

    <p>The <code>Order</code> directive controls the default access
    state and the order in which <a href="#allow">Allow</a> and <a
    href="#deny">Deny</a> directives are evaluated.
    <em>Ordering</em> is one of</p>

    <dl>
      <dt>Deny,Allow</dt>

      <dd>The <code>Deny</code> directives are evaluated before the
      <code>Allow</code> directives. Access is allowed by default.
      Any client which does not match a <code>Deny</code> directive
      or does match an <code>Allow</code> directive will be allowed
      access to the server.</dd>

      <dt>Allow,Deny</dt>

      <dd>The <code>Allow</code> directives are evaluated before
      the <code>Deny</code> directives. Access is denied by
      default. Any client which does not match an
      <code>Allow</code> directive or does match a
      <code>Deny</code> directive will be denied access to the
      server.</dd>

      <dt>Mutual-failure</dt>

      <dd>Only those hosts which appear on the <code>Allow</code>
      list and do not appear on the <code>Deny</code> list are
      granted access. This ordering has the same effect as
      <code>Order Allow,Deny</code> and is deprecated in favor of
      that configuration.</dd>
    </dl>

    <p>Keywords may only be separated by a comma; no whitespace is
    allowed between them. Note that in all cases every
    <code>Allow</code> and <code>Deny</code> statement is
    evaluated.</p>

    <p>In the following example, all hosts in the apache.org domain
    are allowed access; all other hosts are denied access.</p>

    <blockquote>
      <code>Order Deny,Allow<br />
       Deny from all<br />
       Allow from apache.org<br />
      </code>
    </blockquote>

    <p>In the next example, all hosts in the apache.org domain are
    allowed access, except for the hosts in the
    foo.apache.org subdomain, which are denied access. All hosts not
    in the apache.org domain are denied access because the default
    state is to deny access to the server.</p>

    <blockquote>
      <code>Order Allow,Deny<br />
       Allow from apache.org<br />
       Deny from foo.apache.org<br />
      </code>
    </blockquote>

    <p>On the other hand, if the <code>Order</code> in the last
    example is changed to <code>Deny,Allow</code>, all hosts will
    be allowed access. This happens because, regardless of the
    actual ordering of the directives in the configuration file,
    the <code>Allow from apache.org</code> will be evaluated last
    and will override the <code>Deny from foo.apache.org</code>.
    All hosts not in the <code>apache.org</code> domain will also
    be allowed access because the default state will change to
    <em>allow</em>.</p>

    <p>The presence of an <code>Order</code> directive can affect
    access to a part of the server even in the absence of
    accompanying <code>Allow</code> and <code>Deny</code>
    directives because of its effect on the default access state.
    For example,</p>

    <blockquote>
      <code>&lt;Directory /www&gt;<br />
       &nbsp;&nbsp;Order Allow,Deny<br />
       &lt;/Directory&gt;</code>
    </blockquote>

    <p>will deny all access to the <code>/www</code> directory
    because the default access state will be set to
    <em>deny</em>.</p>
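
    <p>The Python model below is an added example, not code from
    mod_access. It evaluates the <code>Order</code> rules as this
    section states them and reports which clients change outcome when
    only the ordering is swapped. It handles domain-name rules only;
    the function names and the <code>example.com</code> client are
    constructed for illustration.</p>

```python
def name_match(spec, host):
    """'all', or a complete-component domain match as described for Allow."""
    return spec == "all" or host == spec or host.endswith("." + spec)


def allowed(order, allow, deny, host):
    """Decide access for `host` the way the Order text above describes."""
    key = order.lower()
    if key not in ("deny,allow", "allow,deny", "mutual-failure"):
        # keywords are comma-separated with no whitespace between them
        raise ValueError("invalid ordering: %r" % order)
    hit_allow = any(name_match(s, host) for s in allow)
    hit_deny = any(name_match(s, host) for s in deny)
    if key == "deny,allow":
        # default allow; Allow is evaluated last and overrides Deny
        return hit_allow or not hit_deny
    # Allow,Deny (and Mutual-failure): default deny; Deny overrides Allow
    return hit_allow and not hit_deny


def order_sensitive(allow, deny, hosts):
    """Hosts whose decision differs between the two orderings."""
    return [h for h in hosts
            if allowed("Deny,Allow", allow, deny, h)
            != allowed("Allow,Deny", allow, deny, h)]


# Constructed client names; example.com stands for any outside host.
HOSTS = ["www.apache.org", "bar.foo.apache.org", "example.com"]

if __name__ == "__main__":
    rules = (["apache.org"], ["foo.apache.org"])
    for order in ("Allow,Deny", "Deny,Allow"):
        print(order, {h: allowed(order, rules[0], rules[1], h) for h in HOSTS})
    print("changed by swapping Order:", order_sensitive(rules[0], rules[1], HOSTS))
    print("bare Order Allow,Deny:", allowed("Allow,Deny", [], [], "www.apache.org"))
```

    <p>Running <code>order_sensitive</code> over a rule set before
    changing its <code>Order</code> line lists the clients whose
    access would change.</p>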

    <p>The <code>Order</code> directive controls the order of
    access directive processing only within each phase of the
    server's configuration processing. This implies, for example,
    that an <code>Allow</code> or <code>Deny</code> directive
    occurring in a &lt;Location&gt; section will always be
    evaluated after an <code>Allow</code> or <code>Deny</code>
    directive occurring in a &lt;Directory&gt; section or
    <code>.htaccess</code> file, regardless of the setting of the
    <code>Order</code> directive. For details on the merging of
    configuration sections, see the documentation on <a
    href="../sections.html">How Directory, Location and Files
    sections work</a>.</p>

    <p>See also: <a href="#deny">Deny</a> and <a
    href="#allow">Allow</a>.</p>
  </body>
</html>