| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> |
| <HTML> |
| <HEAD> |
| <TITLE>Apache module mod_access</TITLE> |
| </HEAD> |
| |
| <!-- Background white, links blue (unvisited), navy (visited), red (active) --> |
| <BODY |
| BGCOLOR="#FFFFFF" |
| TEXT="#000000" |
| LINK="#0000FF" |
| VLINK="#000080" |
| ALINK="#FF0000" |
| > |
| <!--#include virtual="header.html" --> |
| |
| <H1 ALIGN="CENTER">Module mod_access</H1> |
| <P> |
| This module is contained in the <CODE>mod_access.c</CODE> file, and |
| is compiled in by default. It provides access control based on client |
| hostname or IP address. |
| </P> |
| |
| <UL> |
| <LI><A HREF="#allow">allow</A> |
| <LI><A HREF="#allowfromenv">allow from env=</A> |
| <LI><A HREF="#deny">deny</A> |
| <LI><A HREF="#denyfromenv">deny from env=</A> |
| <LI><A HREF="#order">order</A> |
| </UL> |
| <HR> |
| |
| |
| <H2><A NAME="allow">allow directive</A></H2> |
| <P> |
| <!--%plaintext <?INDEX {\tt allow} directive> --> |
| <A |
| HREF="directive-dict.html#Syntax" |
| REL="Help" |
| ><STRONG>Syntax:</STRONG></A> allow from <EM>host host ...</EM><BR> |
| <A |
| HREF="directive-dict.html#Context" |
| REL="Help" |
| ><STRONG>Context:</STRONG></A> directory, .htaccess<BR> |
| <A |
| HREF="directive-dict.html#Override" |
| REL="Help" |
| ><STRONG>Override:</STRONG></A> Limit<BR> |
| <A |
| HREF="directive-dict.html#Status" |
| REL="Help" |
| ><STRONG>Status:</STRONG></A> Base<BR> |
| <A |
| HREF="directive-dict.html#Module" |
| REL="Help" |
| ><STRONG>Module:</STRONG></A> mod_access |
| </P> |
| <P> |
| The allow directive affects which hosts can access a given directory. |
| <EM>Host</EM> is one of the following: |
| </P> |
| <DL> |
| <DT><CODE>all</CODE> |
| <DD>All hosts are allowed access |
| <DT>A (partial) domain-name |
| <DD>Hosts whose names match, or end in, this string are allowed access. |
| <DT>A full IP address |
| <DD>An IP address of a host allowed access |
| <DT>A partial IP address |
| <DD>The first 1 to 3 bytes of an IP address, for subnet restriction. |
| <DT>A network/netmask pair (<STRONG>Apache 1.3 and later</STRONG>) |
| <DD>A network a.b.c.d, and a netmask w.x.y.z. For more fine-grained subnet |
| restriction. (<EM>i.e.</EM>, 10.1.0.0/255.255.0.0) |
| <DT>A network/nnn CIDR specification (<STRONG>Apache 1.3 and later</STRONG>) |
| <DD>Similar to the previous case, except the netmask consists of nnn |
| high-order 1 bits. (<EM>i.e.</EM>, 10.1.0.0/16 is the same as 10.1.0.0/255.255.0.0) |
| </DL> |
| <P> |
| Example: |
| </P> |
| <BLOCKQUOTE><CODE>allow from .ncsa.uiuc.edu</CODE></BLOCKQUOTE> |
| <P> |
| All hosts in the specified domain are allowed access. |
| </P> |
| <P> |
| Note that this compares whole components; <CODE>bar.edu</CODE> |
| would not match <CODE>foobar.edu</CODE>. |
| </P> |
| <P> |
| See also <A HREF="#deny">deny</A>, <A HREF="#order">order</A>, and |
| <A HREF="mod_browser.html#browsermatch">BrowserMatch</A>. |
| </P> |
| |
| <P> |
| <A NAME="allowfromenv"><STRONG>Syntax:</STRONG> allow from |
| env=<EM>variablename</EM></A><BR> |
| <A |
| HREF="directive-dict.html#Context" |
| REL="Help" |
| ><STRONG>Context:</STRONG></A> directory, .htaccess<BR> |
| <A |
| HREF="directive-dict.html#Override" |
| REL="Help" |
| ><STRONG>Override:</STRONG></A> Limit<BR> |
| <A |
| HREF="directive-dict.html#Status" |
| REL="Help" |
| ><STRONG>Status:</STRONG></A> Base<BR> |
| <A |
| HREF="directive-dict.html#Module" |
| REL="Help" |
| ><STRONG>Module:</STRONG></A> mod_access<BR> |
| <A |
| HREF="directive-dict.html#Compatibility" |
| REL="Help" |
| ><STRONG>Compatibility:</STRONG></A> Apache 1.2 and above |
| </P> |
| <P> |
| The allow from env directive controls access to a directory by the |
| existence (or non-existence) of an environment variable. |
| </P> |
| <P> |
| Example: |
| </P> |
| <BLOCKQUOTE><PRE> |
| BrowserMatch ^KnockKnock/2.0 let_me_in |
| <Directory /docroot> |
| order deny,allow |
| deny from all |
| allow from env=let_me_in |
| </Directory> |
| </PRE></BLOCKQUOTE> |
| In this case browsers with the user-agent string <TT>KnockKnock/2.0</TT> will |
| be allowed access, and all others will be denied. |
| <P> |
| See also <A HREF="#denyfromenv">deny from env</A> |
| and <A HREF="#order">order</A>. |
| </P> |
| <HR> |
| |
| <H2><A NAME="deny">deny directive</A></H2> |
| <P> |
| <!--%plaintext <?INDEX {\tt deny} directive> --> |
| <A |
| HREF="directive-dict.html#Syntax" |
| REL="Help" |
| ><STRONG>Syntax:</STRONG></A> deny from <EM>host host ...</EM><BR> |
| <A |
| HREF="directive-dict.html#Context" |
| REL="Help" |
| ><STRONG>Context:</STRONG></A> directory, .htaccess<BR> |
| <A |
| HREF="directive-dict.html#Override" |
| REL="Help" |
| ><STRONG>Override:</STRONG></A> Limit<BR> |
| <A |
| HREF="directive-dict.html#Status" |
| REL="Help" |
| ><STRONG>Status:</STRONG></A> Base<BR> |
| <A |
| HREF="directive-dict.html#Module" |
| REL="Help" |
| ><STRONG>Module:</STRONG></A> mod_access |
| </P> |
| <P> |
| The deny directive affects which hosts can access a given directory. |
| <EM>Host</EM> is one of the following: |
| </P> |
| <DL> |
| <DT><CODE>all</CODE> |
| <DD>all hosts are denied access |
| <DT>A (partial) domain-name |
| <DD>host whose name is, or ends in, this string are denied access. |
| <DT>A full IP address |
| <DD>An IP address of a host denied access |
| <DT>A partial IP address |
| <DD>The first 1 to 3 bytes of an IP address, for subnet restriction. |
| <DT>A network/netmask pair (<STRONG>Apache 1.3 and later</STRONG>) |
| <DD>A network a.b.c.d, and a netmask w.x.y.z. For more fine-grained subnet |
| restriction. (<EM>i.e.</EM>, 10.1.0.0/255.255.0.0) |
| <DT>A network/nnn CIDR specification (<STRONG>Apache 1.3 and later</STRONG>) |
| <DD>Similar to the previous case, except the netmask consists of nnn |
| high-order 1 bits. (<EM>i.e.</EM>, 10.1.0.0/16 is the same as 10.1.0.0/255.255.0.0) |
| </DL> |
| <P> |
| Example: |
| </P> |
| <BLOCKQUOTE><CODE>deny from 16</CODE></BLOCKQUOTE> |
| <P> |
| All hosts in the specified network are denied access. |
| </P> |
| <P> |
| Note that this compares whole components; <CODE>bar.edu</CODE> |
| would not match <CODE>foobar.edu</CODE>. |
| </P> |
| <P> |
| See also <A HREF="#allow">allow</A> and <A HREF="#order">order</A>. |
| </P> |
| |
| <P> |
| <A NAME="denyfromenv"><STRONG>Syntax:</STRONG> deny from |
| env=<EM>variablename</EM></A><BR> |
| <A |
| HREF="directive-dict.html#Context" |
| REL="Help" |
| ><STRONG>Context:</STRONG></A> directory, .htaccess<BR> |
| <A |
| HREF="directive-dict.html#Override" |
| REL="Help" |
| ><STRONG>Override:</STRONG></A> Limit<BR> |
| <A |
| HREF="directive-dict.html#Status" |
| REL="Help" |
| ><STRONG>Status:</STRONG></A> Base<BR> |
| <A |
| HREF="directive-dict.html#Module" |
| REL="Help" |
| ><STRONG>Module:</STRONG></A> mod_access<BR> |
| <A |
| HREF="directive-dict.html#Compatibility" |
| REL="Help" |
| ><STRONG>Compatibility:</STRONG></A> Apache 1.2 and above |
| </P> |
| <P> |
| The deny from env directive controls access to a directory by the |
| existence (or non-existence) of an environment variable. |
| </P> |
| <P> |
| Example: |
| </P> |
| <BLOCKQUOTE><PRE> |
| BrowserMatch ^BadRobot/0.9 go_away |
| <Directory /docroot> |
| order allow,deny |
| allow from all |
| deny from env=go_away |
| </Directory> |
| </PRE></BLOCKQUOTE> |
| In this case browsers with the user-agent string <TT>BadRobot/0.9</TT> will |
| be denied access, and all others will be allowed. |
| |
| <P> |
| See also <A HREF="#allowfromenv">allow from env</A> |
| and <A HREF="#order">order</A>. |
| </P> |
| <HR> |
| |
| <H2><A NAME="order">order directive</A></H2> |
| <P> |
| <!--%plaintext <?INDEX {\tt order} directive> --> |
| <A |
| HREF="directive-dict.html#Syntax" |
| REL="Help" |
| ><STRONG>Syntax:</STRONG></A> order <EM>ordering</EM><BR> |
| <A |
| HREF="directive-dict.html#Default" |
| REL="Help" |
| ><STRONG>Default:</STRONG></A> <CODE>order deny,allow</CODE><BR> |
| <A |
| HREF="directive-dict.html#Context" |
| REL="Help" |
| ><STRONG>Context:</STRONG></A> directory, .htaccess<BR> |
| <A |
| HREF="directive-dict.html#Override" |
| REL="Help" |
| ><STRONG>Override:</STRONG></A> Limit<BR> |
| <A |
| HREF="directive-dict.html#Status" |
| REL="Help" |
| ><STRONG>Status:</STRONG></A> Base<BR> |
| <A |
| HREF="directive-dict.html#Module" |
| REL="Help" |
| ><STRONG>Module:</STRONG></A> mod_access |
| </P> |
| <P> |
| The order directive controls the order in which <A HREF="#allow">allow</A> and |
| <A HREF="#deny">deny</A> directives are evaluated. <EM>Ordering</EM> is one |
| of |
| </P> |
| <DL> |
| <DT>deny,allow |
| <DD>the deny directives are evaluated before the allow directives. (The |
| initial state is OK.) |
| <DT>allow,deny |
| <DD>the allow directives are evaluated before the deny directives. (The |
| initial state is FORBIDDEN.) |
| <DT>mutual-failure |
| <DD>Only those hosts which appear on the allow list and do not appear |
| on the deny list are granted access. (The initial state is irrelevant.) |
| </DL> |
| <P> |
| Keywords may only be separated by a comma; no whitespace is allowed between |
| them. |
| <STRONG>Note that in all cases every <CODE>allow</CODE> and <CODE>deny</CODE> |
| statement is evaluated, there is no "short-circuiting".</STRONG> |
| </P> |
| <P> |
| Example: |
| </P> |
| <BLOCKQUOTE><CODE> |
| order deny,allow<BR> |
| deny from all<BR> |
| allow from .ncsa.uiuc.edu<BR> |
| </CODE></BLOCKQUOTE> |
| <P> |
| Hosts in the ncsa.uiuc.edu domain are allowed access; all other hosts are |
| denied access. |
| </P> |
| <!--#include virtual="footer.html" --> |
| </BODY> |
| </HTML> |