mod_access.html revision 2724768e1047c3c6d547805ef7310837656daaf8
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<TITLE>Apache module mod_access</TITLE>
</HEAD>

<!-- Background white, links blue (unvisited), navy (visited), red (active) -->
<BODY
 BGCOLOR="#FFFFFF"
 TEXT="#000000"
 LINK="#0000FF"
 VLINK="#000080"
 ALINK="#FF0000"
>
<!--#include virtual="header.html" -->

<H1 ALIGN="CENTER">Module mod_access</h1>
<P>
This module is contained in the <code>mod_access.c</code> file, and
is compiled in by default. It provides access control based on client
hostname or IP address.
</P>

<UL>
<li><A HREF="#allow">allow</A>
<li><A HREF="#allowfromenv">allow from env=</A>
<li><A HREF="#deny">deny</A>
<li><A HREF="#denyfromenv">deny from env=</A>
<li><A HREF="#order">order</A>
</UL>
<hr>


<h2><A name="allow">allow directive</A></h2>
<P>
<!--%plaintext &lt;?INDEX {\tt allow} directive&gt; -->
<strong>Syntax:</strong> allow from <em>host host ...</em><br>
<Strong>Context:</strong> directory, .htaccess<br>
<Strong>Override:</strong> Limit<br>
<strong>Status:</strong> Base<br>
<strong>Module:</strong> mod_access
</p>
<P>
The allow directive affects which hosts can access a given directory.
<em>Host</em> is one of the following:
</P>
<dl>
<dt><code>all</code>
<dd>All hosts are allowed access
<dt>A (partial) domain-name
<dd>Hosts whose names match, or end in, this string are allowed access.
<dt>A full IP address
<dd>An IP address of a host allowed access
<dt>A partial IP address
<dd>The first 1 to 3 bytes of an IP address, for subnet restriction.
<dt>A network/netmask pair
<dd>A network a.b.c.d, and a netmask w.x.y.z. For more fine-grained subnet
 restriction. (e.g. 10.1.0.0/255.255.0.0)
<dt>A network/nnn CIDR specification
<dd>Similar to the previous case, except the netmask consists of nnn
 high-order 1 bits. (e.g. 10.1.0.0/16 is the same as 10.1.0.0/255.255.0.0)
</dl>
<P>
Example:
</P>
<blockquote><code>allow from .ncsa.uiuc.edu</code></blockquote>
<P>
All hosts in the specified domain are allowed access.
</p>
<P>
Note that this compares whole components; <code>bar.edu</code>
would not match <code>foobar.edu</code>.
</P>
<P>
See also <A HREF="#deny">deny</A>, <A HREF="#order">order</A>, and
<a href="mod_browser.html#browsermatch">BrowserMatch</a>.
</p>

<P>
<a name="allowfromenv"><strong>Syntax:</strong> allow from env=<em>variablename</em></a><br>
<Strong>Context:</strong> directory, .htaccess<br>
<Strong>Override:</strong> Limit<br>
<strong>Status:</strong> Base<br>
<strong>Module:</strong> mod_access<br>
<strong>Compatibility:</strong> Apache 1.2 and above
</p>
<P>
The allow from env directive controls access to a directory by the
existence (or non-existence) of an environment variable.
</P>
<P>
Example:
</P>
<blockquote><pre>
BrowserMatch ^KnockKnock/2.0 let_me_in
&lt;Directory /docroot&gt;
# deny,allow: the allow list is evaluated last, so the env match overrides "deny from all"
order deny,allow
deny from all
allow from env=let_me_in
&lt;/Directory&gt;
</pre></blockquote>
<P>
See also <A HREF="#denyfromenv">deny from env</A>
and <A HREF="#order">order</A>.
</p>
<hr>

<h2><A name="deny">deny directive</A></h2>
<P>
<!--%plaintext &lt;?INDEX {\tt deny} directive&gt; -->
<strong>Syntax:</strong> deny from <em>host host ...</em><br>
<Strong>Context:</strong> directory, .htaccess<br>
<Strong>Override:</strong> Limit<br>
<strong>Status:</strong> Base<br>
<strong>Module:</strong> mod_access
</p>
<P>
The deny directive affects which hosts can access a given directory.
<em>Host</em> is one of the following:
</P>
<dl>
<dt><code>all</code>
<dd>All hosts are denied access
<dt>A (partial) domain-name
<dd>Hosts whose names match, or end in, this string are denied access.
<dt>A full IP address
<dd>An IP address of a host denied access
<dt>A partial IP address
<dd>The first 1 to 3 bytes of an IP address, for subnet restriction.
<dt>A network/netmask pair
<dd>A network a.b.c.d, and a netmask w.x.y.z. For more fine-grained subnet
restriction. (e.g. 10.1.0.0/255.255.0.0)
<dt>A network/nnn CIDR specification
<dd>Similar to the previous case, except the netmask consists of nnn
high-order 1 bits. (e.g. 10.1.0.0/16 is the same as 10.1.0.0/255.255.0.0)
</dl>
<P>
Example:
</P>
<blockquote><code>deny from 16</code></blockquote>
<P>
All hosts in the specified network are denied access.
</p>
<P>
Note that this compares whole components; <code>bar.edu</code>
would not match <code>foobar.edu</code>.
</p>
<P>
See also <A HREF="#allow">allow</A> and <A HREF="#order">order</A>.
</p>
<P>
<a name="denyfromenv"><strong>Syntax:</strong> deny from env=<em>variablename</em></a><br>
<Strong>Context:</strong> directory, .htaccess<br>
<Strong>Override:</strong> Limit<br>
<strong>Status:</strong> Base<br>
<strong>Module:</strong> mod_access<br>
<strong>Compatibility:</strong> Apache 1.2 and above
</p>
<P>
The deny from env directive controls access to a directory by the
existence (or non-existence) of an environment variable.
</P>
<P>
Example:
</P>
<blockquote><pre>
BrowserMatch ^BadRobot/0.9 go_away
&lt;Directory /docroot&gt;
# allow,deny: the deny list is evaluated last, so the env match overrides "allow from all"
order allow,deny
allow from all
deny from env=go_away
&lt;/Directory&gt;
</pre></blockquote>
<P>
See also <A HREF="#allowfromenv">allow from env</A>
and <A HREF="#order">order</A>.
</p>
<hr>
<h2><A name="order">order directive</A></h2>
<P>
<!--%plaintext &lt;?INDEX {\tt order} directive&gt; -->
<strong>Syntax:</strong> order <em>ordering</em><br>
<strong>Default:</strong> <code>order deny,allow</code><br>
<strong>Context:</strong> directory, .htaccess<br>
<strong>Override:</strong> Limit<br>
<strong>Status:</strong> Base<br>
<strong>Module:</strong> mod_access
</p>
<P>
The order directive controls the order in which <A HREF="#allow">allow</A> and
<A HREF="#deny">deny</A> directives are evaluated. <em>Ordering</em> is one
of:
</P>
<dl>
<dt>deny,allow
<dd>The deny directives are evaluated before the allow directives. (The
initial state is OK.)
<dt>allow,deny
<dd>The allow directives are evaluated before the deny directives. (The
initial state is FORBIDDEN.)
<dt>mutual-failure
<dd>Only those hosts which appear on the allow list and do not appear
on the deny list are granted access. (The initial state is irrelevant.)
</dl>
<P>
Note that in all cases every <code>allow</code> and <code>deny</code>
statement is evaluated; there is no &quot;short-circuiting&quot;.
</P>
<p>
Example:
</P>
<blockquote><code>
order deny,allow<br>
deny from all<br>
allow from .ncsa.uiuc.edu<br>
</code></blockquote>
<P>
Hosts in the ncsa.uiuc.edu domain are allowed access; all other hosts are
denied access.
</P>
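<P>
The host matching and ordering rules described on this page, modelled in Python
as an added example (not Apache's code and not part of the original page). The
function names, the constructed sample clients and the IPv4-only handling are
assumptions made for the illustration.
</P>

```python
import ipaddress

def host_matches(spec, ip, hostname=None, env=()):
    """Model of one allow/deny host spec, per the rules on this page."""
    if spec == "all":
        return True
    if spec.startswith("env="):              # allow/deny from env=variablename
        return spec[4:] in env
    if "/" in spec:                          # network/netmask or network/nnn
        net = ipaddress.IPv4Network(spec, strict=False)
        return ipaddress.IPv4Address(ip) in net
    parts = spec.split(".")
    if all(p.isdigit() for p in parts):      # full or partial (1-3 byte) IP
        return ip.split(".")[:len(parts)] == parts
    if hostname is None:                     # domain spec, no resolved name
        return False
    host, dom = hostname.lower(), spec.lower()
    # Whole components only: bar.edu matches www.bar.edu, not foobar.edu.
    return host == dom or host.endswith(dom if dom.startswith(".") else "." + dom)

def access_allowed(order, allow, deny, ip, hostname=None, env=()):
    """Apply an order directive to the allow and deny lists for one client."""
    a = any(host_matches(s, ip, hostname, env) for s in allow)
    d = any(host_matches(s, ip, hostname, env) for s in deny)
    if order == "deny,allow":
        ok = True                            # initial state is OK
        ok = False if d else ok              # deny list is applied first
        ok = True if a else ok               # allow list is applied last
    elif order == "allow,deny":
        ok = False                           # initial state is FORBIDDEN
        ok = True if a else ok               # allow list is applied first
        ok = False if d else ok              # deny list is applied last
    elif order == "mutual-failure":
        ok = a and not d                     # on allow list, not on deny list
    else:
        raise ValueError("unknown ordering: " + order)
    return ok

# Constructed sample clients as (ip, hostname); addresses are documentation ranges.
INSIDE = ("192.0.2.7", "www.ncsa.uiuc.edu")
OUTSIDE = ("198.51.100.10", "host.example.org")

def demo():
    """Same two rules under each ordering: (INSIDE allowed, OUTSIDE allowed)."""
    rules = ([".ncsa.uiuc.edu"], ["all"])    # allow list, deny list
    return {order: (access_allowed(order, *rules, *INSIDE),
                    access_allowed(order, *rules, *OUTSIDE))
            for order in ("deny,allow", "allow,deny", "mutual-failure")}
```

<P>
With <code>allow,deny</code> or <code>mutual-failure</code> the same two rules
deny every client, because <code>deny from all</code> matches everyone and is
either applied last or counts against the client.
</P>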
<!--#include virtual="footer.html" -->
</BODY>
</HTML>