docs/manual/mod/mod_access.html - httpd - Git at Google

 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
 <HTML>
 <HEAD>
 <TITLE>Apache module mod_access</TITLE>
 </HEAD>

 <!-- Background white, links blue (unvisited), navy (visited), red (active) -->
 <BODY
  BGCOLOR="#FFFFFF"
  TEXT="#000000"
  LINK="#0000FF"
  VLINK="#000080"
  ALINK="#FF0000"
 >
 <!--#include virtual="header.html" -->

 <H1 ALIGN="CENTER">Module mod_access</H1>
 <P>
 This module is contained in the <CODE>mod_access.c</CODE> file, and
 is compiled in by default. It provides access control based on client
 hostname or IP address.
 </P>

 <UL>
 <LI><A HREF="#allow">allow</A>
 <LI><A HREF="#allowfromenv">allow from env=</A>
 <LI><A HREF="#deny">deny</A>
 <LI><A HREF="#denyfromenv">deny from env=</A>
 <LI><A HREF="#order">order</A>
 </UL>
 <HR>


 <H2><A NAME="allow">allow directive</A></H2>
 <P>
 <!--%plaintext &lt;?INDEX {\tt allow} directive&gt; -->
 <A
  HREF="directive-dict.html#Syntax"
  REL="Help"
 ><STRONG>Syntax:</STRONG></A> allow from <EM>host host ...</EM><BR>
 <A
  HREF="directive-dict.html#Context"
  REL="Help"
 ><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
 <A
  HREF="directive-dict.html#Override"
  REL="Help"
 ><STRONG>Override:</STRONG></A> Limit<BR>
 <A
  HREF="directive-dict.html#Status"
  REL="Help"
 ><STRONG>Status:</STRONG></A> Base<BR>
 <A
  HREF="directive-dict.html#Module"
  REL="Help"
 ><STRONG>Module:</STRONG></A> mod_access
 </P>
 <P>
 The allow directive affects which hosts can access a given directory.
 <EM>Host</EM> is one of the following:
 </P>
 <DL>
 <DT><CODE>all</CODE>
 <DD>All hosts are allowed access
 <DT>A (partial) domain-name
 <DD>Hosts whose names match, or end in, this string are allowed access.
 <DT>A full IP address
 <DD>An IP address of a host allowed access
 <DT>A partial IP address
 <DD>The first 1 to 3 bytes of an IP address, for subnet restriction.
 <DT>A network/netmask pair (<STRONG>Apache 1.3 and later</STRONG>)
 <DD>A network a.b.c.d, and a netmask w.x.y.z.  For more fine-grained subnet
     restriction.  (<EM>i.e.</EM>, 10.1.0.0/255.255.0.0)
 <DT>A network/nnn CIDR specification (<STRONG>Apache 1.3 and later</STRONG>)
 <DD>Similar to the previous case, except the netmask consists of nnn
     high-order 1 bits.  (<EM>i.e.</EM>, 10.1.0.0/16 is the same as 10.1.0.0/255.255.0.0)
 </DL>
 <P>
 Example:
 </P>
 <BLOCKQUOTE><CODE>allow from .ncsa.uiuc.edu</CODE></BLOCKQUOTE>
 <P>
 All hosts in the specified domain are allowed access.
 </P>
 <P>
 Note that this compares whole components; <CODE>bar.edu</CODE>
 would not match <CODE>foobar.edu</CODE>.
 </P>
 <P>
 See also <A HREF="#deny">deny</A>, <A HREF="#order">order</A>, and
 <A HREF="mod_browser.html#browsermatch">BrowserMatch</A>.
 </P>

 <P>
 <A NAME="allowfromenv"><STRONG>Syntax:</STRONG> allow from
  env=<EM>variablename</EM></A><BR>
 <A
  HREF="directive-dict.html#Context"
  REL="Help"
 ><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
 <A
  HREF="directive-dict.html#Override"
  REL="Help"
 ><STRONG>Override:</STRONG></A> Limit<BR>
 <A
  HREF="directive-dict.html#Status"
  REL="Help"
 ><STRONG>Status:</STRONG></A> Base<BR>
 <A
  HREF="directive-dict.html#Module"
  REL="Help"
 ><STRONG>Module:</STRONG></A> mod_access<BR>
 <A
  HREF="directive-dict.html#Compatibility"
  REL="Help"
 ><STRONG>Compatibility:</STRONG></A> Apache 1.2 and above
 </P>
 <P>
 The allow from env directive controls access to a directory by the
 existence (or non-existence) of an environment variable.
 </P>
 <P>
 Example:
 </P>
 <BLOCKQUOTE><PRE>
 BrowserMatch ^KnockKnock/2.0 let_me_in
 &lt;Directory /docroot&gt;
     order deny,allow
     deny from all
     allow from env=let_me_in
 &lt;/Directory&gt;
 </PRE></BLOCKQUOTE>
 In this case browsers with the user-agent string <TT>KnockKnock/2.0</TT> will
 be allowed access, and all others will be denied.
 <P>
 See also <A HREF="#denyfromenv">deny from env</A>
 and <A HREF="#order">order</A>.
 </P>
 <HR>

 <H2><A NAME="deny">deny directive</A></H2>
 <P>
 <!--%plaintext &lt;?INDEX {\tt deny} directive&gt; -->
 <A
  HREF="directive-dict.html#Syntax"
  REL="Help"
 ><STRONG>Syntax:</STRONG></A> deny from <EM>host host ...</EM><BR>
 <A
  HREF="directive-dict.html#Context"
  REL="Help"
 ><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
 <A
  HREF="directive-dict.html#Override"
  REL="Help"
 ><STRONG>Override:</STRONG></A> Limit<BR>
 <A
  HREF="directive-dict.html#Status"
  REL="Help"
 ><STRONG>Status:</STRONG></A> Base<BR>
 <A
  HREF="directive-dict.html#Module"
  REL="Help"
 ><STRONG>Module:</STRONG></A> mod_access
 </P>
 <P>
 The deny directive affects which hosts can access a given directory.
 <EM>Host</EM> is one of the following:
 </P>
 <DL>
 <DT><CODE>all</CODE>
 <DD>all hosts are denied access
 <DT>A (partial) domain-name
 <DD>host whose name is, or ends in, this string are denied access.
 <DT>A full IP address
 <DD>An IP address of a host denied access
 <DT>A partial IP address
 <DD>The first 1 to 3 bytes of an IP address, for subnet restriction.
 <DT>A network/netmask pair (<STRONG>Apache 1.3 and later</STRONG>)
 <DD>A network a.b.c.d, and a netmask w.x.y.z.  For more fine-grained subnet
     restriction.  (<EM>i.e.</EM>, 10.1.0.0/255.255.0.0)
 <DT>A network/nnn CIDR specification (<STRONG>Apache 1.3 and later</STRONG>)
 <DD>Similar to the previous case, except the netmask consists of nnn
     high-order 1 bits.  (<EM>i.e.</EM>, 10.1.0.0/16 is the same as 10.1.0.0/255.255.0.0)
 </DL>
 <P>
 Example:
 </P>
 <BLOCKQUOTE><CODE>deny from 16</CODE></BLOCKQUOTE>
 <P>
 All hosts in the specified network are denied access.
 </P>
 <P>
 Note that this compares whole components; <CODE>bar.edu</CODE>
 would not match <CODE>foobar.edu</CODE>.
 </P>
 <P>
 See also <A HREF="#allow">allow</A> and <A HREF="#order">order</A>.
 </P>

 <P>
 <A NAME="denyfromenv"><STRONG>Syntax:</STRONG> deny from
  env=<EM>variablename</EM></A><BR>
 <A
  HREF="directive-dict.html#Context"
  REL="Help"
 ><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
 <A
  HREF="directive-dict.html#Override"
  REL="Help"
 ><STRONG>Override:</STRONG></A> Limit<BR>
 <A
  HREF="directive-dict.html#Status"
  REL="Help"
 ><STRONG>Status:</STRONG></A> Base<BR>
 <A
  HREF="directive-dict.html#Module"
  REL="Help"
 ><STRONG>Module:</STRONG></A> mod_access<BR>
 <A
  HREF="directive-dict.html#Compatibility"
  REL="Help"
 ><STRONG>Compatibility:</STRONG></A> Apache 1.2 and above
 </P>
 <P>
 The deny from env directive controls access to a directory by the
 existence (or non-existence) of an environment variable.
 </P>
 <P>
 Example:
 </P>
 <BLOCKQUOTE><PRE>
 BrowserMatch ^BadRobot/0.9 go_away
 &lt;Directory /docroot&gt;
     order allow,deny
     allow from all
     deny from env=go_away
 &lt;/Directory&gt;
 </PRE></BLOCKQUOTE>
 In this case browsers with the user-agent string <TT>BadRobot/0.9</TT> will
 be denied access, and all others will be allowed.

 <P>
 See also <A HREF="#allowfromenv">allow from env</A>
 and <A HREF="#order">order</A>.
 </P>
 <HR>

 <H2><A NAME="order">order directive</A></H2>
 <P>
 <!--%plaintext &lt;?INDEX {\tt order} directive&gt; -->
 <A
  HREF="directive-dict.html#Syntax"
  REL="Help"
 ><STRONG>Syntax:</STRONG></A> order <EM>ordering</EM><BR>
 <A
  HREF="directive-dict.html#Default"
  REL="Help"
 ><STRONG>Default:</STRONG></A> <CODE>order deny,allow</CODE><BR>
 <A
  HREF="directive-dict.html#Context"
  REL="Help"
 ><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
 <A
  HREF="directive-dict.html#Override"
  REL="Help"
 ><STRONG>Override:</STRONG></A> Limit<BR>
 <A
  HREF="directive-dict.html#Status"
  REL="Help"
 ><STRONG>Status:</STRONG></A> Base<BR>
 <A
  HREF="directive-dict.html#Module"
  REL="Help"
 ><STRONG>Module:</STRONG></A> mod_access
 </P>
 <P>
 The order directive controls the order in which <A HREF="#allow">allow</A> and
 <A HREF="#deny">deny</A> directives are evaluated. <EM>Ordering</EM> is one
 of
 </P>
 <DL>
 <DT>deny,allow
 <DD>the deny directives are evaluated before the allow directives.  (The
 initial state is OK.)
 <DT>allow,deny
 <DD>the allow directives are evaluated before the deny directives.  (The
 initial state is FORBIDDEN.)
 <DT>mutual-failure
 <DD>Only those hosts which appear on the allow list and do not appear
 on the deny list are granted access.  (The initial state is irrelevant.)
 </DL>
 <P>
 Keywords may only be separated by a comma; no whitespace is allowed between
 them.
 <STRONG>Note that in all cases every <CODE>allow</CODE> and <CODE>deny</CODE>
 statement is evaluated, there is no &quot;short-circuiting&quot;.</STRONG>
 </P>
 <P>
 Example:
 </P>
 <BLOCKQUOTE><CODE>
     order deny,allow<BR>
     deny from all<BR>
     allow from .ncsa.uiuc.edu<BR>
 </CODE></BLOCKQUOTE>
 <P>
 Hosts in the ncsa.uiuc.edu domain are allowed access; all other hosts are
 denied access.
 </P>
 <!--#include virtual="footer.html" -->
 </BODY>
 </HTML>
	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
	<HTML>
	<HEAD>
	<TITLE>Apache module mod_access</TITLE>
	</HEAD>

	<!-- Background white, links blue (unvisited), navy (visited), red (active) -->
	<BODY
	BGCOLOR="#FFFFFF"
	TEXT="#000000"
	LINK="#0000FF"
	VLINK="#000080"
	ALINK="#FF0000"
	>
	<!--#include virtual="header.html" -->

	<H1 ALIGN="CENTER">Module mod_access</H1>
	<P>
	This module is contained in the <CODE>mod_access.c</CODE> file, and
	is compiled in by default. It provides access control based on client
	hostname or IP address.
	</P>

	<UL>
	<LI><A HREF="#allow">allow</A>
	<LI><A HREF="#allowfromenv">allow from env=</A>
	<LI><A HREF="#deny">deny</A>
	<LI><A HREF="#denyfromenv">deny from env=</A>
	<LI><A HREF="#order">order</A>
	</UL>
	<HR>


	<H2><A NAME="allow">allow directive</A></H2>
	<P>
	<!--%plaintext <?INDEX {\tt allow} directive> -->
	<A
	HREF="directive-dict.html#Syntax"
	REL="Help"
	><STRONG>Syntax:</STRONG></A> allow from <EM>host host ...</EM><BR>
	<A
	HREF="directive-dict.html#Context"
	REL="Help"
	><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
	<A
	HREF="directive-dict.html#Override"
	REL="Help"
	><STRONG>Override:</STRONG></A> Limit<BR>
	<A
	HREF="directive-dict.html#Status"
	REL="Help"
	><STRONG>Status:</STRONG></A> Base<BR>
	<A
	HREF="directive-dict.html#Module"
	REL="Help"
	><STRONG>Module:</STRONG></A> mod_access
	</P>
	<P>
	The allow directive affects which hosts can access a given directory.
	<EM>Host</EM> is one of the following:
	</P>
	<DL>
	<DT><CODE>all</CODE>
	<DD>All hosts are allowed access
	<DT>A (partial) domain-name
	<DD>Hosts whose names match, or end in, this string are allowed access.
	<DT>A full IP address
	<DD>An IP address of a host allowed access
	<DT>A partial IP address
	<DD>The first 1 to 3 bytes of an IP address, for subnet restriction.
	<DT>A network/netmask pair (<STRONG>Apache 1.3 and later</STRONG>)
	<DD>A network a.b.c.d, and a netmask w.x.y.z. For more fine-grained subnet
	restriction. (<EM>i.e.</EM>, 10.1.0.0/255.255.0.0)
	<DT>A network/nnn CIDR specification (<STRONG>Apache 1.3 and later</STRONG>)
	<DD>Similar to the previous case, except the netmask consists of nnn
	high-order 1 bits. (<EM>i.e.</EM>, 10.1.0.0/16 is the same as 10.1.0.0/255.255.0.0)
	</DL>
	<P>
	Example:
	</P>
	<BLOCKQUOTE><CODE>allow from .ncsa.uiuc.edu</CODE></BLOCKQUOTE>
	<P>
	All hosts in the specified domain are allowed access.
	</P>
	<P>
	Note that this compares whole components; <CODE>bar.edu</CODE>
	would not match <CODE>foobar.edu</CODE>.
	</P>
	<P>
	See also <A HREF="#deny">deny</A>, <A HREF="#order">order</A>, and
	<A HREF="mod_browser.html#browsermatch">BrowserMatch</A>.
	</P>

	<P>
	<A NAME="allowfromenv"><STRONG>Syntax:</STRONG> allow from
	env=<EM>variablename</EM></A><BR>
	<A
	HREF="directive-dict.html#Context"
	REL="Help"
	><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
	<A
	HREF="directive-dict.html#Override"
	REL="Help"
	><STRONG>Override:</STRONG></A> Limit<BR>
	<A
	HREF="directive-dict.html#Status"
	REL="Help"
	><STRONG>Status:</STRONG></A> Base<BR>
	<A
	HREF="directive-dict.html#Module"
	REL="Help"
	><STRONG>Module:</STRONG></A> mod_access<BR>
	<A
	HREF="directive-dict.html#Compatibility"
	REL="Help"
	><STRONG>Compatibility:</STRONG></A> Apache 1.2 and above
	</P>
	<P>
	The allow from env directive controls access to a directory by the
	existence (or non-existence) of an environment variable.
	</P>
	<P>
	Example:
	</P>
	<BLOCKQUOTE><PRE>
	BrowserMatch ^KnockKnock/2.0 let_me_in
	<Directory /docroot>
	order deny,allow
	deny from all
	allow from env=let_me_in
	</Directory>
	</PRE></BLOCKQUOTE>
	In this case browsers with the user-agent string <TT>KnockKnock/2.0</TT> will
	be allowed access, and all others will be denied.
	<P>
	See also <A HREF="#denyfromenv">deny from env</A>
	and <A HREF="#order">order</A>.
	</P>
	<HR>

	<H2><A NAME="deny">deny directive</A></H2>
	<P>
	<!--%plaintext <?INDEX {\tt deny} directive> -->
	<A
	HREF="directive-dict.html#Syntax"
	REL="Help"
	><STRONG>Syntax:</STRONG></A> deny from <EM>host host ...</EM><BR>
	<A
	HREF="directive-dict.html#Context"
	REL="Help"
	><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
	<A
	HREF="directive-dict.html#Override"
	REL="Help"
	><STRONG>Override:</STRONG></A> Limit<BR>
	<A
	HREF="directive-dict.html#Status"
	REL="Help"
	><STRONG>Status:</STRONG></A> Base<BR>
	<A
	HREF="directive-dict.html#Module"
	REL="Help"
	><STRONG>Module:</STRONG></A> mod_access
	</P>
	<P>
	The deny directive affects which hosts can access a given directory.
	<EM>Host</EM> is one of the following:
	</P>
	<DL>
	<DT><CODE>all</CODE>
	<DD>all hosts are denied access
	<DT>A (partial) domain-name
	<DD>host whose name is, or ends in, this string are denied access.
	<DT>A full IP address
	<DD>An IP address of a host denied access
	<DT>A partial IP address
	<DD>The first 1 to 3 bytes of an IP address, for subnet restriction.
	<DT>A network/netmask pair (<STRONG>Apache 1.3 and later</STRONG>)
	<DD>A network a.b.c.d, and a netmask w.x.y.z. For more fine-grained subnet
	restriction. (<EM>i.e.</EM>, 10.1.0.0/255.255.0.0)
	<DT>A network/nnn CIDR specification (<STRONG>Apache 1.3 and later</STRONG>)
	<DD>Similar to the previous case, except the netmask consists of nnn
	high-order 1 bits. (<EM>i.e.</EM>, 10.1.0.0/16 is the same as 10.1.0.0/255.255.0.0)
	</DL>
	<P>
	Example:
	</P>
	<BLOCKQUOTE><CODE>deny from 16</CODE></BLOCKQUOTE>
	<P>
	All hosts in the specified network are denied access.
	</P>
	<P>
	Note that this compares whole components; <CODE>bar.edu</CODE>
	would not match <CODE>foobar.edu</CODE>.
	</P>
	<P>
	See also <A HREF="#allow">allow</A> and <A HREF="#order">order</A>.
	</P>

	<P>
	<A NAME="denyfromenv"><STRONG>Syntax:</STRONG> deny from
	env=<EM>variablename</EM></A><BR>
	<A
	HREF="directive-dict.html#Context"
	REL="Help"
	><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
	<A
	HREF="directive-dict.html#Override"
	REL="Help"
	><STRONG>Override:</STRONG></A> Limit<BR>
	<A
	HREF="directive-dict.html#Status"
	REL="Help"
	><STRONG>Status:</STRONG></A> Base<BR>
	<A
	HREF="directive-dict.html#Module"
	REL="Help"
	><STRONG>Module:</STRONG></A> mod_access<BR>
	<A
	HREF="directive-dict.html#Compatibility"
	REL="Help"
	><STRONG>Compatibility:</STRONG></A> Apache 1.2 and above
	</P>
	<P>
	The deny from env directive controls access to a directory by the
	existence (or non-existence) of an environment variable.
	</P>
	<P>
	Example:
	</P>
	<BLOCKQUOTE><PRE>
	BrowserMatch ^BadRobot/0.9 go_away
	<Directory /docroot>
	order allow,deny
	allow from all
	deny from env=go_away
	</Directory>
	</PRE></BLOCKQUOTE>
	In this case browsers with the user-agent string <TT>BadRobot/0.9</TT> will
	be denied access, and all others will be allowed.

	<P>
	See also <A HREF="#allowfromenv">allow from env</A>
	and <A HREF="#order">order</A>.
	</P>
	<HR>

	<H2><A NAME="order">order directive</A></H2>
	<P>
	<!--%plaintext <?INDEX {\tt order} directive> -->
	<A
	HREF="directive-dict.html#Syntax"
	REL="Help"
	><STRONG>Syntax:</STRONG></A> order <EM>ordering</EM><BR>
	<A
	HREF="directive-dict.html#Default"
	REL="Help"
	><STRONG>Default:</STRONG></A> <CODE>order deny,allow</CODE><BR>
	<A
	HREF="directive-dict.html#Context"
	REL="Help"
	><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
	<A
	HREF="directive-dict.html#Override"
	REL="Help"
	><STRONG>Override:</STRONG></A> Limit<BR>
	<A
	HREF="directive-dict.html#Status"
	REL="Help"
	><STRONG>Status:</STRONG></A> Base<BR>
	<A
	HREF="directive-dict.html#Module"
	REL="Help"
	><STRONG>Module:</STRONG></A> mod_access
	</P>
	<P>
	The order directive controls the order in which <A HREF="#allow">allow</A> and
	<A HREF="#deny">deny</A> directives are evaluated. <EM>Ordering</EM> is one
	of
	</P>
	<DL>
	<DT>deny,allow
	<DD>the deny directives are evaluated before the allow directives. (The
	initial state is OK.)
	<DT>allow,deny
	<DD>the allow directives are evaluated before the deny directives. (The
	initial state is FORBIDDEN.)
	<DT>mutual-failure
	<DD>Only those hosts which appear on the allow list and do not appear
	on the deny list are granted access. (The initial state is irrelevant.)
	</DL>
	<P>
	Keywords may only be separated by a comma; no whitespace is allowed between
	them.
	<STRONG>Note that in all cases every <CODE>allow</CODE> and <CODE>deny</CODE>
	statement is evaluated, there is no "short-circuiting".</STRONG>
	</P>
	<P>
	Example:
	</P>
	<BLOCKQUOTE><CODE>
	order deny,allow<BR>
	deny from all<BR>
	allow from .ncsa.uiuc.edu<BR>
	</CODE></BLOCKQUOTE>
	<P>
	Hosts in the ncsa.uiuc.edu domain are allowed access; all other hosts are
	denied access.
	</P>
	<!--#include virtual="footer.html" -->
	</BODY>
	</HTML>