<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">

<HTML>

<HEAD>

<TITLE>Apache module mod_access</TITLE>

</HEAD>

<BODY

BGCOLOR="#FFFFFF"

TEXT="#000000"

LINK="#0000FF"

VLINK="#000080"

ALINK="#FF0000"

>

<H1 ALIGN="CENTER">Module mod_access</h1>

<P>

This module is contained in the <code>mod_access.c</code> file, and

is compiled in by default. It provides access control based on client

hostname or IP address.

</P>

<UL>

<li><A HREF="#allow">allow</A>

<li><A HREF="#allowfromenv">allow from env=</A>

<li><A HREF="#deny">deny</A>

<li><A HREF="#denyfromenv">deny from env=</A>

<li><A HREF="#order">order</A>

</UL>

<hr>

<h2><A name="allow">allow directive</A></h2>

<P>

<strong>Syntax:</strong> allow from <em>host host ...</em><br>

<Strong>Context:</strong> directory, .htaccess<br>

<Strong>Override:</strong> Limit<br>

<strong>Status:</strong> Base<br>

<strong>Module:</strong> mod_access

</p>

<P>

The allow directive affects which hosts can access a given directory.

<em>Host</em> is one of the following:

</P>

<dl>

<dt><code>all</code>

<dd>All hosts are allowed access

<dt>A (partial) domain-name

<dd>Hosts whose names match, or end in, this string are allowed access.

<dt>A full IP address

<dd>An IP address of a host allowed access

<dt>A partial IP address

<dd>The first 1 to 3 bytes of an IP address, for subnet restriction.

<dt>A network/netmask pair

<dd>A network a.b.c.d, and a netmask w.x.y.z. For more fine-grained subnet

restriction. (i.e. 10.1.0.0/255.255.0.0)

<dt>A network/nnn CIDR specification

<dd>Similar to the previous case, except the netmask consists of nnn

high-order 1 bits. (i.e. 10.1.0.0/16 is the same as 10.1.0.0/255.255.0.0)

</dl>

<P>

Example:

</P>

<blockquote><code>allow from .ncsa.uiuc.edu</code></blockquote>

<P>

All hosts in the specified domain are allowed access.

</p>

<P>

Note that this compares whole components; <code>bar.edu</code>

would not match <code>foobar.edu</code>.

</P>

<P>

See also <A HREF="#deny">deny</A>, <A HREF="#order">order</A>, and

<a href="mod_browser.html#browsermatch">BrowserMatch</a>.

</p>

<P>

<a name="allowfromenv"><strong>Syntax:</strong> allow from env=<em>variablename</em></a><br>

<Strong>Context:</strong> directory, .htaccess<br>

<Strong>Override:</strong> Limit<br>

<strong>Status:</strong> Base<br>

<strong>Module:</strong> mod_access<br>

<strong>Compatibility:</strong> Apache 1.2 and above

</p>

<P>

The allow from env directive controls access to a directory by the

existence (or non-existence) of an environment variable.

</P>

<P>

Example:

</P>

<blockquote><pre>

BrowserMatch ^KnockKnock/2.0 let_me_in

&lt;Directory /docroot&gt;

order allow,deny

allow from env=let_me_in

deny from all

&lt;/Directory&gt;

</pre></blockquote>

<P>

See also <A HREF="#denyfromenv">deny from env</A>

and <A HREF="#order">order</A>.

</p>

<hr>

<h2><A name="deny">deny directive</A></h2>

<P>

<strong>Syntax:</strong> deny from <em>host host ...</em><br>

<Strong>Context:</strong> directory, .htaccess<br>

<Strong>Override:</strong> Limit<br>

<strong>Status:</strong> Base<br>

<strong>Module:</strong> mod_access

</p>

<P>

The deny directive affects which hosts can access a given directory.

<em>Host</em> is one of the following:

</P>

<dl>

<dt><code>all</code>

<dd>all hosts are denied access

<dt>A (partial) domain-name

<dd>host whose name is, or ends in, this string are denied access.

<dt>A full IP address

<dd>An IP address of a host denied access

<dt>A partial IP address

<dd>The first 1 to 3 bytes of an IP address, for subnet restriction.

<dt>A network/netmask pair

<dd>A network a.b.c.d, and a netmask w.x.y.z. For more fine-grained subnet

restriction. (i.e. 10.1.0.0/255.255.0.0)

<dt>A network/nnn CIDR specification

<dd>Similar to the previous case, except the netmask consists of nnn

high-order 1 bits. (i.e. 10.1.0.0/16 is the same as 10.1.0.0/255.255.0.0)

</dl>

<P>

Example:

</P>

<blockquote><code>deny from 16</code></blockquote>

<P>

All hosts in the specified network are denied access.

</p>

<P>

Note that this compares whole components; <code>bar.edu</code>

would not match <code>foobar.edu</code>.

</p>

<P>

See also <A HREF="#allow">allow</A> and <A HREF="#order">order</A>.

</p>

<P>

<a name="denyfromenv"><strong>Syntax:</strong> deny from env=<em>variablename</em></a><br>

<Strong>Context:</strong> directory, .htaccess<br>

<Strong>Override:</strong> Limit<br>

<strong>Status:</strong> Base<br>

<strong>Module:</strong> mod_access<br>

<strong>Compatibility:</strong> Apache 1.2 and above

</p>

<P>

The deny from env directive controls access to a directory by the

existence (or non-existence) of an environment variable.

</P>

<P>

Example:

</P>

<blockquote><pre>

BrowserMatch ^BadRobot/0.9 go_away

&lt;Directory /docroot&gt;

order deny,allow

deny from env=go_away

allow from all

&lt;/Directory&gt;

</pre></blockquote>

<P>

See also <A HREF="#allowfromenv">allow from env</A>

and <A HREF="#order">order</A>.

</p>

<hr>

<h2><A name="order">order directive</A></h2>

<P>

<strong>Syntax:</strong> order <em>ordering</em><br>

<strong>Default:</strong> <code>order deny,allow</code><br>

<strong>Context:</strong> directory, .htaccess<br>

<strong>Override:</strong> Limit<br>

<strong>Status:</strong> Base<br>

<strong>Module:</strong> mod_access

</p>

<P>

The order directive controls the order in which <A HREF="#allow">allow</A> and

<A HREF="#deny">deny</A> directives are evaluated. <em>Ordering</em> is one

of

</P>

<dl>

<dt>deny,allow

<dd>the deny directives are evaluated before the allow directives. (The

initial state is OK.)

<dt>allow,deny

<dd>the allow directives are evaluated before the deny directives. (The

initial state is FORBIDDEN.)

<dt>mutual-failure

<dd>Only those hosts which appear on the allow list and do not appear

on the deny list are granted access. (The initial state is irrelevant.)

</dl>

<P>

Note that in all cases every <code>allow</code> and <code>deny</code>

statement is evaluated, there is no &quot;short-circuiting&quot;.

</P>

<p>

Example:

</P>

<blockquote><code>

order deny,allow<br>

deny from all<br>

allow from .ncsa.uiuc.edu<br>

</code></blockquote>

<P>

Hosts in the ncsa.uiuc.edu domain are allowed access; all other hosts are

denied access.

</P>

</BODY>

</HTML>