<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
  <head>
    <meta name="generator" content="HTML Tidy, see www.w3.org" />

    <title>Apache module mod_access</title>
  </head>
  <!-- Background white, links blue (unvisited), navy (visited), red (active) -->

  <body bgcolor="#FFFFFF" text="#000000" link="#0000FF"
  vlink="#000080" alink="#FF0000">
    <div align="CENTER">
      <img src="../images/sub.gif" alt="[APACHE DOCUMENTATION]" />

      <h3>Apache HTTP Server Version 1.3</h3>
    </div>


    <h1 align="CENTER">Module mod_access</h1>

    <p>This module provides access control based on client
    hostname, IP address, or other characteristics of the client
    request.</p>

    <p><a href="module-dict.html#Status"
    rel="Help"><strong>Status:</strong></a> Base<br />
     <a href="module-dict.html#SourceFile"
    rel="Help"><strong>Source File:</strong></a> mod_access.c<br />
     <a href="module-dict.html#ModuleIdentifier"
    rel="Help"><strong>Module Identifier:</strong></a>
    access_module</p>

    <h2>Summary</h2>

    <p>The directives provided by mod_access are used in <code><a
    href="core.html#directory">&lt;Directory&gt;</a>, <a
    href="core.html#files">&lt;Files&gt;</a>,</code> and <code><a
    href="core.html#location">&lt;Location&gt;</a></code> sections
    as well as <code><a
    href="core.html#accessfilename">.htaccess</a></code> files to
    control access to particular parts of the server. Access can be
    controlled based on the client hostname, IP address, or other
    characteristics of the client request, as captured in <a
    href="../env.html">environment variables</a>.
    The <code>Allow</code> and <code>Deny</code> directives are used to
    specify which clients are or are not allowed access to the
    server, while the <code>Order</code> directive sets the default
    access state, and configures how the <code>Allow</code> and
    <code>Deny</code> directives interact with each other.</p>

    <p>Both host-based access restrictions and password-based
    authentication may be implemented simultaneously. In that case,
    the <a href="core.html#satisfy">Satisfy</a> directive is used
    to determine how the two sets of restrictions interact.</p>

    <p>In general, access restriction directives apply to all
    access methods (<code>GET</code>, <code>PUT</code>,
    <code>POST</code>, etc.). This is the desired behavior in most
    cases. However, it is possible to restrict some methods, while
    leaving other methods unrestricted, by enclosing the directives
    in a <a href="core.html#limit">&lt;Limit&gt;</a> section.</p>

    <h2>Directives</h2>

    <ul>
      <li><a href="#allow">Allow</a></li>

      <li><a href="#deny">Deny</a></li>

      <li><a href="#order">Order</a></li>
    </ul>

    <p>See also <a href="core.html#satisfy">Satisfy</a> and <a
    href="core.html#require">Require</a>.</p>
    <hr />

    <h2><a id="allow" name="allow">Allow</a> <a id="allowfromenv"
    name="allowfromenv">directive</a></h2>

    <p>
    <a href="directive-dict.html#Syntax"
    rel="Help"><strong>Syntax:</strong></a> Allow from
    all|<em>host</em>|env=<em>env-variable</em>
    [<em>host</em>|env=<em>env-variable</em>] ...<br />
     <a href="directive-dict.html#Context"
    rel="Help"><strong>Context:</strong></a> directory,
    .htaccess<br />
     <a href="directive-dict.html#Override"
    rel="Help"><strong>Override:</strong></a> Limit<br />
     <a href="directive-dict.html#Status"
    rel="Help"><strong>Status:</strong></a> Base<br />
     <a href="directive-dict.html#Module"
    rel="Help"><strong>Module:</strong></a> mod_access</p>

    <p>The
    <code>Allow</code> directive affects which hosts can
    access an area of the server. Access can be controlled by
    hostname, IP address, IP address range, or by other
    characteristics of the client request captured in environment
    variables.</p>

    <p>The first argument to this directive is always
    <code>from</code>. The subsequent arguments can take three
    different forms. If <code>Allow from all</code> is specified,
    then all hosts are allowed access, subject to the configuration
    of the <code>Deny</code> and <code>Order</code> directives as
    discussed below. To allow only particular hosts or groups of
    hosts to access the server, the <em>host</em> can be specified
    in any of the following formats:</p>

    <dl>
      <dt>A (partial) domain-name</dt>

      <dd>Example: <code>Allow from apache.org</code><br />
       Hosts whose names match, or end in, this string are allowed
      access. Only complete components are matched, so the above
      example will match <code>foo.apache.org</code> but it will
      not match <code>fooapache.org</code>. This configuration will
      cause the server to perform a double reverse DNS lookup on the
      client IP address, regardless of the setting of the <a
      href="core.html#hostnamelookups">HostnameLookups</a>
      directive. It will do a reverse DNS lookup on the IP address to
      find the associated hostname, and then do a forward lookup on
      the hostname to ensure that it matches the original IP address.
      Only if the forward and reverse DNS are consistent and the
      hostname matches will access be allowed.</dd>

      <dt>A full IP address</dt>

      <dd>Example: <code>Allow from 10.1.2.3</code><br />
       An IP address of a host allowed access.</dd>

      <dt>A partial IP address</dt>

      <dd>Example: <code>Allow from 10.1</code><br />
       The first 1 to 3 bytes of an IP address, for subnet
      restriction.</dd>

      <dt>A network/netmask pair</dt>

      <dd>Example: <code>Allow from
      10.1.0.0/255.255.0.0</code><br />
       A network a.b.c.d, and a netmask w.x.y.z. For more
      fine-grained subnet restriction. (Apache 1.3 and later)</dd>

      <dt>A network/nnn CIDR specification</dt>

      <dd>Example: <code>Allow from 10.1.0.0/16</code><br />
       Similar to the previous case, except the netmask consists of
      nnn high-order 1 bits. (Apache 1.3 and later)</dd>
    </dl>

    <p>Note that the last three examples above match exactly the
    same set of hosts.</p>

    <p>The third format of the arguments to the <code>Allow</code>
    directive allows access to the server to be controlled based on
    the existence of an <a href="../env.html">environment
    variable</a>. When <code>Allow from
    env=</code><em>env-variable</em> is specified, then the request
    is allowed access if the environment variable
    <em>env-variable</em> exists. The server provides the ability
    to set environment variables in a flexible way based on
    characteristics of the client request using the directives
    provided by <a href="mod_setenvif.html">mod_setenvif</a>.
    Therefore, this directive can be used to allow access based on
    such factors as the client's <code>User-Agent</code> (browser
    type), <code>Referer</code>, or other HTTP request header
    fields.</p>

    <p>Example:</p>

    <blockquote>
<pre>
SetEnvIf User-Agent ^KnockKnock/2\.0 let_me_in
&lt;Directory /docroot&gt;
    Order Deny,Allow
    Deny from all
    Allow from env=let_me_in
&lt;/Directory&gt;
</pre>
    </blockquote>

    <p>In this case, browsers with a user-agent string beginning
    with <tt>KnockKnock/2.0</tt> will be allowed access, and all
    others will be denied.</p>

    <p>See also <a href="#deny">Deny</a>, <a
    href="#order">Order</a> and <a
    href="mod_setenvif.html#setenvif">SetEnvIf</a>.</p>
    <hr />

    <h2><a id="deny" name="deny">Deny</a> <a id="denyfromenv"
    name="denyfromenv">directive</a></h2>

    <p>
    <a href="directive-dict.html#Syntax"
    rel="Help"><strong>Syntax:</strong></a> Deny from
    all|<em>host</em>|env=<em>env-variable</em>
    [<em>host</em>|env=<em>env-variable</em>] ...<br />
     <a href="directive-dict.html#Context"
    rel="Help"><strong>Context:</strong></a> directory,
    .htaccess<br />
     <a href="directive-dict.html#Override"
    rel="Help"><strong>Override:</strong></a> Limit<br />
     <a href="directive-dict.html#Status"
    rel="Help"><strong>Status:</strong></a> Base<br />
     <a href="directive-dict.html#Module"
    rel="Help"><strong>Module:</strong></a> mod_access</p>

    <p>This directive allows access to the server to be restricted
    based on hostname, IP address, or environment variables.
    The arguments for the <code>Deny</code> directive are identical to
    the arguments for the <a href="#allow">Allow</a> directive.</p>

    <p>See also <a href="#allow">Allow</a>, <a
    href="#order">Order</a> and <a
    href="mod_setenvif.html#setenvif">SetEnvIf</a>.</p>
    <hr />

    <h2><a id="order" name="order">Order directive</a></h2>

    <p>
    <a href="directive-dict.html#Syntax"
    rel="Help"><strong>Syntax:</strong></a> Order
    <em>ordering</em><br />
     <a href="directive-dict.html#Default"
    rel="Help"><strong>Default:</strong></a> <code>Order
    Deny,Allow</code><br />
     <a href="directive-dict.html#Context"
    rel="Help"><strong>Context:</strong></a> directory,
    .htaccess<br />
     <a href="directive-dict.html#Override"
    rel="Help"><strong>Override:</strong></a> Limit<br />
     <a href="directive-dict.html#Status"
    rel="Help"><strong>Status:</strong></a> Base<br />
     <a href="directive-dict.html#Module"
    rel="Help"><strong>Module:</strong></a> mod_access</p>

    <p>The <code>Order</code> directive controls the default access
    state and the order in which <a href="#allow">Allow</a> and <a
    href="#deny">Deny</a> directives are evaluated.
    <em>Ordering</em> is one of</p>

    <dl>
      <dt>Deny,Allow</dt>

      <dd>The <code>Deny</code> directives are evaluated before the
      <code>Allow</code> directives. Access is allowed by default.
      Any client which does not match a <code>Deny</code> directive
      or does match an <code>Allow</code> directive will be allowed
      access to the server.</dd>

      <dt>Allow,Deny</dt>

      <dd>The <code>Allow</code> directives are evaluated before
      the <code>Deny</code> directives. Access is denied by
      default.
      Any client which does not match an
      <code>Allow</code> directive or does match a
      <code>Deny</code> directive will be denied access to the
      server.</dd>

      <dt>Mutual-failure</dt>

      <dd>Only those hosts which appear on the <code>Allow</code>
      list and do not appear on the <code>Deny</code> list are
      granted access. This ordering has the same effect as
      <code>Order Allow,Deny</code> and is deprecated in favor of
      that configuration.</dd>
    </dl>

    <p>Keywords may only be separated by a comma; no whitespace is
    allowed between them. Note that in all cases every
    <code>Allow</code> and <code>Deny</code> statement is
    evaluated.</p>

    <p>In the following example, all hosts in the apache.org domain
    are allowed access; all other hosts are denied access.</p>

    <blockquote>
      <code>Order Deny,Allow<br />
       Deny from all<br />
       Allow from apache.org<br />
      </code>
    </blockquote>

    <p>In the next example, all hosts in the apache.org domain are
    allowed access, except for the hosts which are in the
    foo.apache.org subdomain, which are denied access. All hosts not
    in the apache.org domain are denied access because the default
    state is to deny access to the server.</p>

    <blockquote>
      <code>Order Allow,Deny<br />
       Allow from apache.org<br />
       Deny from foo.apache.org<br />
      </code>
    </blockquote>

    <p>On the other hand, if the <code>Order</code> in the last
    example is changed to <code>Deny,Allow</code>, all hosts will
    be allowed access. This happens because, regardless of the
    actual ordering of the directives in the configuration file,
    the <code>Allow from apache.org</code> will be evaluated last
    and will override the <code>Deny from foo.apache.org</code>.
    All hosts not in the <code>apache.org</code> domain will also
    be allowed access because the default state will change to
    <em>allow</em>.</p>

    <p>The presence of an <code>Order</code> directive can affect
    access to a part of the server even in the absence of
    accompanying <code>Allow</code> and <code>Deny</code>
    directives because of its effect on the default access state.
    For example,</p>

    <blockquote>
      <code>&lt;Directory /www&gt;<br />
       &nbsp;&nbsp;Order Allow,Deny<br />
       &lt;/Directory&gt;</code>
    </blockquote>

    <p>will deny all access to the <code>/www</code> directory
    because the default access state will be set to
    <em>deny</em>.</p>

    <p>The <code>Order</code> directive controls the order of
    access directive processing only within each phase of the
    server's configuration processing. This implies, for example,
    that an <code>Allow</code> or <code>Deny</code> directive
    occurring in a &lt;Location&gt; section will always be
    evaluated after an <code>Allow</code> or <code>Deny</code>
    directive occurring in a &lt;Directory&gt; section or
    <code>.htaccess</code> file, regardless of the setting of the
    <code>Order</code> directive. For details on the merging of
    configuration sections, see the documentation on <a
    href="../sections.html">How Directory, Location and Files
    sections work</a>.</p>

    <p>See also: <a href="#deny">Deny</a> and <a
    href="#allow">Allow</a>.</p>
    <hr />
  </body>
</html>
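The host formats and the Order evaluation rules documented above, as an added example that is not part of the Apache documentation or of mod_access itself: a Python model that evaluates the page's own Allow/Deny configurations under each ordering. The function names and the sample client addresses are constructed for illustration, `hostname` is assumed to be the name that already passed the double reverse DNS check, and `env=` arguments are not modelled.

```python
import ipaddress
import re


def host_matches(spec, ip, hostname=None):
    """True if one 'from' argument matches the client.

    hostname is assumed to be the client's name after a successful
    double reverse DNS lookup, or None if that lookup failed.
    """
    if spec == "all":
        return True
    addr = ipaddress.ip_address(ip)
    if "/" in spec:  # network/netmask pair or network/nnn CIDR
        return addr in ipaddress.ip_network(spec, strict=False)
    if re.fullmatch(r"\d+(\.\d+){0,3}", spec):  # full or partial IP address
        octets = spec.split(".")
        network = ".".join(octets + ["0"] * (4 - len(octets)))
        return addr in ipaddress.ip_network(f"{network}/{8 * len(octets)}")
    if hostname is None:  # a domain-name spec needs a verified hostname
        return False
    name, domain = hostname.lower(), spec.lower()
    # Only complete components match: foo.apache.org yes, fooapache.org no.
    return name == domain or name.endswith("." + domain)


def access_allowed(order, allow, deny, ip, hostname=None):
    """Apply the Order semantics to lists of Allow and Deny arguments."""
    allow_hit = any(host_matches(s, ip, hostname) for s in allow)
    deny_hit = any(host_matches(s, ip, hostname) for s in deny)
    if order == "Deny,Allow":  # default allow; Allow is evaluated last
        return allow_hit or not deny_hit
    if order in ("Allow,Deny", "Mutual-failure"):  # default deny; Deny wins
        return allow_hit and not deny_hit
    raise ValueError(f"unknown ordering: {order!r}")


if __name__ == "__main__":
    # Constructed clients (documentation address range), not real hosts.
    clients = [("192.0.2.10", "www.apache.org"),
               ("192.0.2.20", "bar.foo.apache.org"),
               ("192.0.2.30", "fooapache.org")]
    for order in ("Allow,Deny", "Deny,Allow"):
        for ip, name in clients:
            ok = access_allowed(order, ["apache.org"], ["foo.apache.org"], ip, name)
            print(f"Order {order:<10} {name:<20} {'allowed' if ok else 'denied'}")
```

Running it shows the same Allow/Deny pair denying `fooapache.org` under `Allow,Deny` and allowing it under `Deny,Allow`, which is the change in default state the Order section warns about.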