mod_access.html revision 2de56243b49d1c39dbc467e3f9daab152c8691b8
<html xmlns="http://www.w3.org/TR/xhtml1/strict"><head><!--
 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 This file is generated from xml source: DO NOT EDIT
 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 --><title>mod_access - Apache HTTP Server</title><link href="/style/manual.css" type="text/css" rel="stylesheet"/></head><body><blockquote><div align="center"><img src="/images/sub.gif" alt="[APACHE DOCUMENTATION]"/><h3>Apache HTTP Server Version 2.0</h3></div><h1 align="center">Apache Module mod_access</h1><table cellspacing="1" cellpadding="0" bgcolor="#cccccc"><tr><td><table bgcolor="#ffffff"><tr><td valign="top"><span class="help">Description:</span></td><td>Provides access control based on client hostname, IP
address, or other characteristics of the client request.</td></tr><tr><td><a href="module-dict.html#Status" class="help">Status:</a></td><td>Base</td></tr><tr><td><a href="module-dict.html#ModuleIdentifier" class="help">Module Identifier:</a></td><td>access_module</td></tr></table></td></tr></table><h2>Summary</h2>
 <p>The directives provided by mod_access are used in <a href="core.html#directory" class="directive"><code class="directive">&lt;Directory&gt;</code></a>, <a href="core.html#files" class="directive"><code class="directive">&lt;Files&gt;</code></a>, and <a href="core.html#location" class="directive"><code class="directive">&lt;Location&gt;</code></a> sections as well as
 <code><a href="core.html#accessfilename">.htaccess</a></code>
 files to control access to particular parts of the server. Access
 can be controlled based on the client hostname, IP address, or
 other characteristics of the client request, as captured in <a href="/env.html">environment variables</a>. The <a href="#allow" class="directive"><code class="directive">Allow</code></a> and <a href="#deny" class="directive"><code class="directive">Deny</code></a> directives are used to
 specify which clients are or are not allowed access to the server,
 while the <a href="#order" class="directive"><code class="directive">Order</code></a>
 directive sets the default access state, and configures how the
 <a href="#allow" class="directive"><code class="directive">Allow</code></a> and <a href="#deny" class="directive"><code class="directive">Deny</code></a> directives interact with each
 <p>Both host-based access restrictions and password-based
 authentication may be implemented simultaneously. In that case,
 the <a href="core.html#satisfy" class="directive"><code class="directive">Satisfy</code></a> directive is used
 to determine how the two sets of restrictions interact.</p>
 <p>In general, access restriction directives apply to all
 access methods (<code>GET</code>, <code>PUT</code>,
 <code>POST</code>, etc.). This is the desired behavior in most
 cases. However, it is possible to restrict some methods, while
 leaving other methods unrestricted, by enclosing the directives
 in a <a href="core.html#limit" class="directive"><code class="directive">&lt;Limit&gt;</code></a> section.</p>
<h2>Directives</h2><ul><li><a href="#allow">Allow</a></li><li><a href="#deny">Deny</a></li><li><a href="#order">Order</a></li></ul><p><strong>See also </strong></p><ul><li><a href="core.html#satisfy" class="directive"><code class="directive">Satisfy</code></a></li><li><a href="core.html#require" class="directive"><code class="directive">Require</code></a></li></ul><hr/><h2><a name="Allow">Allow</a> <a name="allow">Directive</a></h2><table cellpadding="1" cellspacing="0" border="0" bgcolor="#cccccc"><tr><td><table bgcolor="#ffffff"><tr><td><strong>Description: </strong></td><td>Controls which hosts can access an area of the
server</td></tr><tr><td><a href="directive-dict.html#Syntax" class="help">Syntax:</a></td><td> Allow from
 [<em>host</em>|env=<em>env-variable</em>] ...</td></tr><tr><td><a href="directive-dict.html#Context" class="help">Context:</a></td><td>directory, .htaccess</td></tr><tr><td><a href="directive-dict.html#Override" class="help">Override:</a></td><td>Limit</td></tr><tr><td><a href="directive-dict.html#Status" class="help">Status:</a></td><td>Base</td></tr><tr><td><a href="directive-dict.html#Module" class="help">Module:</a></td><td>mod_access</td></tr></table></td></tr></table>
 <p>The <code class="directive">Allow</code> directive affects which hosts can
 access an area of the server. Access can be controlled by
 hostname, IP address, IP address range, or by other
 characteristics of the client request captured in environment
 variables.</p>
 <p>The first argument to this directive is always
 <code>from</code>. The subsequent arguments can take three
 different forms. If <code>Allow from all</code> is specified, then
 all hosts are allowed access, subject to the configuration of the
 <a href="#deny" class="directive"><code class="directive">Deny</code></a> and <a href="#order" class="directive"><code class="directive">Order</code></a> directives as discussed
 below. To allow only particular hosts or groups of hosts to access
 the server, the <em>host</em> can be specified in any of the
 following formats:</p>
 <dd>Example: <code>Allow from apache.org</code><br>
 Hosts whose names match, or end in, this string are allowed
 access. Only complete components are matched, so the above
 example will match <code>foo.apache.org</code> but it will
 not match <code>fooapache.org</code>. This configuration will
 cause the server to perform a reverse DNS lookup on the
 client IP address, regardless of the setting of the <a href="core.html#hostnamelookups" class="directive"><code class="directive">HostnameLookups</code></a>
 directive.</dd>
 <dd>Example: <code>Allow from 10.1.2.3</code><br>
 An IP address of a host allowed access</dd>
 <dd>Example: <code>Allow from 10.1</code><br>
 The first 1 to 3 bytes of an IP address, for subnet
 restriction.</dd>
 A network a.b.c.d, and a netmask w.x.y.z. For more
 fine-grained subnet restriction.</dd>
 <dd>Example: <code>Allow from 10.1.0.0/16</code><br>
 Similar to the previous case, except the netmask consists of
 nnn high-order 1 bits.</dd>
 <p>Note that the last three examples above match exactly the
 same set of hosts.</p>
 <p>IPv6 addresses and IPv6 subnets can be specified as shown
 <blockquote><table cellpadding="10"><tr><td bgcolor="#eeeeee"><code>
 Allow from fe80::a00:20ff:fea7:ccea<br>
 </code></td></tr></table></blockquote>
 <p>The third format of the arguments to the
 <code class="directive">Allow</code> directive allows access to the server
 to be controlled based on the existence of an <a href="/env.html">environment variable</a>. When <code>Allow from
 env=</code><em>env-variable</em> is specified, then the request is
 allowed access if the environment variable <em>env-variable</em>
 exists. The server provides the ability to set environment
 variables in a flexible way based on characteristics of the client
 request using the directives provided by
 <code><a href="mod_setenvif.html">mod_setenvif</a></code>. Therefore, this directive can be
 used to allow access based on such factors as the client's
 <code>User-Agent</code> (browser type), <code>Referer</code>, or
 other HTTP request header fields.</p>
<blockquote><table cellpadding="10"><tr><td bgcolor="#eeeeee"><p align="center"><strong>Example:</strong></p><code>
SetEnvIf User-Agent ^KnockKnock/2.0 let_me_in<br>
&lt;Directory /docroot&gt;<br>
 Order Deny,Allow<br>
 Deny from all<br>
 Allow from env=let_me_in<br>
&lt;/Directory&gt;
</code></td></tr></table></blockquote>
 <p>In this case, browsers with a user-agent string beginning
 with <code>KnockKnock/2.0</code> will be allowed access, and all
 others will be denied.</p>
<hr/><h2><a name="Deny">Deny</a> <a name="deny">Directive</a></h2><table cellpadding="1" cellspacing="0" border="0" bgcolor="#cccccc"><tr><td><table bgcolor="#ffffff"><tr><td><strong>Description: </strong></td><td>Controls which hosts are denied access to the
server</td></tr><tr><td><a href="directive-dict.html#Syntax" class="help">Syntax:</a></td><td> Deny from
 [<em>host</em>|env=<em>env-variable</em>] ...</td></tr><tr><td><a href="directive-dict.html#Context" class="help">Context:</a></td><td>directory, .htaccess</td></tr><tr><td><a href="directive-dict.html#Override" class="help">Override:</a></td><td>Limit</td></tr><tr><td><a href="directive-dict.html#Status" class="help">Status:</a></td><td>Base</td></tr><tr><td><a href="directive-dict.html#Module" class="help">Module:</a></td><td>mod_access</td></tr></table></td></tr></table>
 <p>This directive allows access to the server to be restricted
 based on hostname, IP address, or environment variables. The
 arguments for the <code class="directive">Deny</code> directive are
 identical to the arguments for the <a href="#allow" class="directive"><code class="directive">Allow</code></a> directive.</p>
<hr/><h2><a name="Order">Order</a> <a name="order">Directive</a></h2><table cellpadding="1" cellspacing="0" border="0" bgcolor="#cccccc"><tr><td><table bgcolor="#ffffff"><tr><td><strong>Description: </strong></td><td>Controls the default access state and the order in which
Allow and Deny are
evaluated.</td></tr><tr><td><a href="directive-dict.html#Syntax" class="help">Syntax:</a></td><td> Order <em>ordering</em></td></tr><tr><td><a href="directive-dict.html#Default" class="help">Default:</a></td><td><code>Order Deny,Allow</code></td></tr><tr><td><a href="directive-dict.html#Context" class="help">Context:</a></td><td>directory, .htaccess</td></tr><tr><td><a href="directive-dict.html#Override" class="help">Override:</a></td><td>Limit</td></tr><tr><td><a href="directive-dict.html#Status" class="help">Status:</a></td><td>Base</td></tr><tr><td><a href="directive-dict.html#Module" class="help">Module:</a></td><td>mod_access</td></tr></table></td></tr></table>
 <p>The <code class="directive">Order</code> directive controls the default
 access state and the order in which <a href="#allow" class="directive"><code class="directive">Allow</code></a> and <a href="#deny" class="directive"><code class="directive">Deny</code></a> directives are evaluated.
 <dd>The <a href="#deny" class="directive"><code class="directive">Deny</code></a> directives
 are evaluated before the <a href="#allow" class="directive"><code class="directive">Allow</code></a> directives. Access is
 allowed by default. Any client which does not match a
 <a href="#deny" class="directive"><code class="directive">Deny</code></a> directive or does
 match an <a href="#allow" class="directive"><code class="directive">Allow</code></a>
 directive will be allowed access to the server.</dd>
 <dd>The <a href="#allow" class="directive"><code class="directive">Allow</code></a>
 directives are evaluated before the <a href="#deny" class="directive"><code class="directive">Deny</code></a> directives. Access is denied
 by default. Any client which does not match an <a href="#allow" class="directive"><code class="directive">Allow</code></a> directive or does match a
 <a href="#deny" class="directive"><code class="directive">Deny</code></a> directive will be
 denied access to the server.</dd>
<dd>Only those hosts which appear on the <a href="#allow" class="directive"><code class="directive">Allow</code></a> list and do not appear on
allowed between them. Note that in all cases every <a href="#allow" class="directive"><code class="directive">Allow</code></a> and <a href="#deny" class="directive"><code class="directive">Deny</code></a> statement is evaluated.</p>
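<p>The host-matching and <code>Order</code> rules described above, modeled in Python as an added example (this is not Apache's code and not part of the original manual). It covers <code>all</code>, <code>env=</code>, the IPv4 forms and the component-wise domain match, plus the <code>Deny,Allow</code> and <code>Allow,Deny</code> orderings; the function names are hypothetical, the client hostname is assumed to be already resolved by the caller, and the sample clients are constructed.</p>

```python
import ipaddress

def host_matches(spec, ip, hostname=None, env=frozenset()):
    """Model one Allow/Deny argument: all, env=VAR, IPv4 forms, or domain name."""
    if spec.lower() == "all":
        return True
    if spec.startswith("env="):
        # Matches when the variable merely exists (e.g. set by SetEnvIf).
        return spec[4:] in env
    if "/" in spec:
        # a.b.c.d/w.x.y.z and a.b.c.d/nnn both parse to the same network.
        net = ipaddress.ip_network(spec, strict=False)
        return ipaddress.ip_address(ip) in net
    parts = spec.split(".")
    if all(p.isdigit() for p in parts):
        # Full address, or the first 1 to 3 bytes of one; whole bytes only.
        return ip.split(".")[:len(parts)] == parts
    if hostname is None:
        return False  # assumption: no resolved name means no name match
    name, suffix = hostname.lower().rstrip("."), spec.lower().lstrip(".")
    # Only complete components match: foo.apache.org yes, fooapache.org no.
    return name == suffix or name.endswith("." + suffix)

def access_allowed(order, allow, deny, ip, hostname=None, env=frozenset()):
    """Apply every Allow and Deny spec, then combine the results per Order."""
    allowed = any(host_matches(s, ip, hostname, env) for s in allow)
    denied = any(host_matches(s, ip, hostname, env) for s in deny)
    order = order.lower().replace(" ", "")
    if order == "deny,allow":   # default allow; an Allow match overrides Deny
        return allowed or not denied
    if order == "allow,deny":   # default deny; a Deny match overrides Allow
        return allowed and not denied
    raise ValueError("unsupported Order: " + order)

if __name__ == "__main__":
    # Constructed clients (documentation address ranges, made-up hostnames).
    for spec in ("10.1", "10.1.0.0/255.255.0.0", "10.1.0.0/16"):
        print(spec, host_matches(spec, "10.1.2.3"), host_matches(spec, "10.2.0.1"))
    for name in ("www.apache.org", "x.foo.apache.org", "fooapache.org"):
        print(name, access_allowed("Allow,Deny", ["apache.org"],
                                   ["foo.apache.org"], "192.0.2.10", name))
    ua_env = {"let_me_in"}  # what SetEnvIf would set for KnockKnock/2.0
    print(access_allowed("Deny,Allow", ["env=let_me_in"], ["all"],
                         "192.0.2.10", env=ua_env))
```

<p>Because <code>User-Agent</code> and <code>Referer</code> are supplied by the client, an <code>env=</code> rule keyed on them selects cooperating clients and does not authenticate anyone.</p>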
foo.apache.org subdomain, who are denied access. All hosts not
in the apache.org domain are denied access because the default
<a href="#allow" class="directive"><code class="directive">Allow</code></a> and <a href="#deny" class="directive"><code class="directive">Deny</code></a> directives because of its effect
<a href="#allow" class="directive"><code class="directive">Allow</code></a> or <a href="#deny" class="directive"><code class="directive">Deny</code></a> directive occurring in a
<a href="core.html#location" class="directive"><code class="directive">&lt;Location&gt;</code></a> section will
always be evaluated after an <a href="#allow" class="directive"><code class="directive">Allow</code></a> or <a href="#deny" class="directive"><code class="directive">Deny</code></a> directive occurring in a
<a href="core.html#directory" class="directive"><code class="directive">&lt;Directory&gt;</code></a> section or
of configuration sections, see the documentation on <a href="/sections.html">How Directory, Location and Files sections