025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn<html xmlns="http://www.w3.org/TR/xhtml1/strict"><head><!--

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn--><title>mod_access - Apache HTTP Server</title><link href="/style/manual.css" type="text/css" rel="stylesheet"/></head><body><blockquote><div align="center"><img alt="[APACHE DOCUMENTATION]" src="/images/sub.gif"/><h3>Apache HTTP Server Version 2.0</h3></div><h1 align="center">Apache Module mod_access</h1><table cellspacing="1" cellpadding="0" bgcolor="#cccccc"><tr><td><table bgcolor="#ffffff"><tr><td valign="top"><span class="help">Description:</span></td><td>Provides access control based on client hostname, IP

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallynaddress, or other characteristics of the client request.</td></tr><tr><td><a href="module-dict.html#Status" class="help">Status:</a></td><td>Base</td></tr><tr><td><a href="module-dict.html#ModuleIdentifier" class="help">Module&nbsp;Identifier:</a></td><td>access_module</td></tr></table></td></tr></table><h2>Summary</h2>

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn <p>The directives provided by mod_access are used in <a href="core.html#directory" class="directive"><code class="directive">&lt;Directory&gt;</code></a>, <a href="core.html#files" class="directive"><code class="directive">&lt;Files&gt;</code></a>, and <a href="core.html#location" class="directive"><code class="directive">&lt;Location&gt;</code></a> sections as well as

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn <code><a href="core.html#accessfilename">.htaccess</a></code>

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn files to control access to particular parts of the server. Access

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn can be controlled based on the client hostname, IP address, or

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn other characteristics of the client request, as captured in <a href="/env.html">environment variables</a>. The <a href="#allow" class="directive"><code class="directive">Allow</code></a> and <a href="#deny" class="directive"><code class="directive">Deny</code></a> directives are used to

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn specify which clients are or are not allowed access to the server,

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn while the <a href="#order" class="directive"><code class="directive">Order</code></a>

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn directive sets the default access state, and configures how the

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn <a href="#allow" class="directive"><code class="directive">Allow</code></a> and <a href="#deny" class="directive"><code class="directive">Deny</code></a> directives interact with each

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn other.</p>

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn <p>Both host-based access restrictions and password-based

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn authentication may be implemented simultaneously. In that case,

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn the <a href="core.html#satisfy" class="directive"><code class="directive">Satisfy</code></a> directive is used

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn to determine how the two sets of restrictions interact.</p>

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn <p>In general, access restriction directives apply to all

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn access methods (<code>GET</code>, <code>PUT</code>,

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn <code>POST</code>, etc). This is the desired behavior in most

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn cases. However, it is possible to restrict some methods, while

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn leaving other methods unrestricted, by enclosing the directives

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn in a <a href="core.html#limit" class="directive"><code class="directive">&lt;Limit&gt;</code></a> section.</p>

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn<h2>Directives</h2><ul><li><a href="#allow">Allow</a></li><li><a href="#deny">Deny</a></li><li><a href="#order">Order</a></li></ul><p><strong>See also </strong></p><ul><li><a href="core.html#satisfy" class="directive"><code class="directive">Satisfy</code></a></li><li><a href="core.html#require" class="directive"><code class="directive">Require</code></a></li></ul><hr/><h2><a name="Allow">Allow</a> <a name="allow">Directive</a></h2><table cellpadding="1" cellspacing="0" border="0" bgcolor="#cccccc"><tr><td><table bgcolor="#ffffff"><tr><td><strong>Description: </strong></td><td>Controls which hosts can access an area of the

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallynserver</td></tr><tr><td><a href="directive-dict.html#Syntax" class="help">Syntax:</a></td><td> Allow from

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn all|<em>host</em>|env=<em>env-variable</em>

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn [<em>host</em>|env=<em>env-variable</em>] ...</td></tr><tr><td><a href="directive-dict.html#Context" class="help">Context:</a></td><td>directory, .htaccess</td></tr><tr><td><a href="directive-dict.html#Override" class="help">Override:</a></td><td>Limit</td></tr><tr><td><a href="directive-dict.html#Status" class="help">Status:</a></td><td>Base</td></tr><tr><td><a href="directive-dict.html#Module" class="help">Module:</a></td><td>mod_access</td></tr></table></td></tr></table>

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn <p>The <code class="directive">Allow</code> directive affects which hosts can

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn access an area of the server. Access can be controlled by

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn hostname, IP Address, IP Address range, or by other

c26adb82536952e27b05d237049b938d697e8ed9Stéphane Graber characteristics of the client request captured in environment

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn variables.</p>

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn

c26adb82536952e27b05d237049b938d697e8ed9Stéphane Graber <p>The first argument to this directive is always

c26adb82536952e27b05d237049b938d697e8ed9Stéphane Graber <code>from</code>. The subsequent arguments can take three

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn different forms. If <code>Allow from all</code> is specified, then

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn all hosts are allowed access, subject to the configuration of the

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn <a href="#deny" class="directive"><code class="directive">Deny</code></a> and <a href="#order" class="directive"><code class="directive">Order</code></a> directives as discussed

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn below. To allow only particular hosts or groups of hosts to access

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn the server, the <em>host</em> can be specified in any of the

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn following formats:</p>

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn <dl>

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn <dt>A (partial) domain-name</dt>

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn

8ced4fd4f746f882e9d9932036465d97ebd2811fStéphane Graber <dd>Example: <code>Allow from apache.org</code><br>

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn Hosts whose names match, or end in, this string are allowed

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn access. Only complete components are matched, so the above

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn example will match <code>foo.apache.org</code> but it will

8ced4fd4f746f882e9d9932036465d97ebd2811fStéphane Graber not match <code>fooapache.org</code>. This configuration will

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn cause the server to perform a reverse DNS lookup on the

1d1774b1ac705364c8eb7959a554935d8c134230Bogdan Purcareata client IP address, regardless of the setting of the <a href="core.html#hostnamelookups" class="directive"><code class="directive">HostnameLookups</code></a>

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn directive.</dd>

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn <dt>A full IP address</dt>

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn <dd>Example: <code>Allow from 10.1.2.3</code><br>

45997a79453b22713f06b6216767bd446703e439Stéphane Graber An IP address of a host allowed access</dd>

45997a79453b22713f06b6216767bd446703e439Stéphane Graber

45997a79453b22713f06b6216767bd446703e439Stéphane Graber <dt>A partial IP address</dt>

45997a79453b22713f06b6216767bd446703e439Stéphane Graber

45997a79453b22713f06b6216767bd446703e439Stéphane Graber <dd>Example: <code>Allow from 10.1</code><br>

45997a79453b22713f06b6216767bd446703e439Stéphane Graber The first 1 to 3 bytes of an IP address, for subnet

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn restriction.</dd>

8ced4fd4f746f882e9d9932036465d97ebd2811fStéphane Graber

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn <dt>A network/netmask pair</dt>

f58236fd702f8979a68a74e17c7a81f37899edf7Serge Hallyn

f58236fd702f8979a68a74e17c7a81f37899edf7Serge Hallyn <dd>Example: <code>Allow from

f58236fd702f8979a68a74e17c7a81f37899edf7Serge Hallyn 10.1.0.0/255.255.0.0</code><br>

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn A network a.b.c.d, and a netmask w.x.y.z. For more

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn fine-grained subnet restriction.</dd>

8ced4fd4f746f882e9d9932036465d97ebd2811fStéphane Graber

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn <dt>A network/nnn CIDR specification</dt>

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn <dd>Example: <code>Allow from 10.1.0.0/16</code><br>

025f59ab98217b7e9caf6d3ac7e910853d95f621Serge Hallyn Similar to the previous case, except the netmask consists of

nnn high-order 1 bits.</dd>

</dl>

<p>Note that the last three examples above match exactly the

same set of hosts.</p>

<p>IPv6 addresses and IPv6 subnets can be specified as shown

below:</p>

<blockquote><table cellpadding="10"><tr><td bgcolor="#eeeeee"><code>

Allow from fe80::a00:20ff:fea7:ccea<br>

Allow from fe80::a00:20ff:fea7:ccea/10

</code></td></tr></table></blockquote>

<p>The third format of the arguments to the

<code class="directive">Allow</code> directive allows access to the server

to be controlled based on the existence of an <a href="/env.html">environment variable</a>. When <code>Allow from

env=</code><em>env-variable</em> is specified, then the request is

allowed access if the environment variable <em>env-variable</em>

exists. The server provides the ability to set environment

variables in a flexible way based on characteristics of the client

request using the directives provided by

<code><a href="mod_setenvif.html">mod_setenvif</a></code>. Therefore, this directive can be

used to allow access based on such factors as the clients

<code>User-Agent</code> (browser type), <code>Referer</code>, or

other HTTP request header fields.</p>

<blockquote><table cellpadding="10"><tr><td bgcolor="#eeeeee"><p align="center"><strong>Example:</strong></p><code>

SetEnvIf User-Agent ^KnockKnock/2.0 let_me_in<br>

&lt;Directory /docroot&gt;<br>

&nbsp;&nbsp; Order Deny,Allow<br>

&nbsp;&nbsp; Deny from all<br>

&nbsp;&nbsp; Allow from env=let_me_in<br>

&lt;/Directory&gt;

</code></td></tr></table></blockquote>

<p>In this case, browsers with a user-agent string beginning

with <code>KnockKnock/2.0</code> will be allowed access, and all

others will be denied.</p>

<hr/><h2><a name="Deny">Deny</a> <a name="deny">Directive</a></h2><table cellpadding="1" cellspacing="0" border="0" bgcolor="#cccccc"><tr><td><table bgcolor="#ffffff"><tr><td><strong>Description: </strong></td><td>Controls which hosts are denied access to the

server</td></tr><tr><td><a href="directive-dict.html#Syntax" class="help">Syntax:</a></td><td> Deny from

all|<em>host</em>|env=<em>env-variable</em>

[<em>host</em>|env=<em>env-variable</em>] ...</td></tr><tr><td><a href="directive-dict.html#Context" class="help">Context:</a></td><td>directory, .htaccess</td></tr><tr><td><a href="directive-dict.html#Override" class="help">Override:</a></td><td>Limit</td></tr><tr><td><a href="directive-dict.html#Status" class="help">Status:</a></td><td>Base</td></tr><tr><td><a href="directive-dict.html#Module" class="help">Module:</a></td><td>mod_access</td></tr></table></td></tr></table>

<p>This directive allows access to the server to be restricted

based on hostname, IP address, or environment variables. The

arguments for the <code class="directive">Deny</code> directive are

identical to the arguments for the <a href="#allow" class="directive"><code class="directive">Allow</code></a> directive.</p>

<hr/><h2><a name="Order">Order</a> <a name="order">Directive</a></h2><table cellpadding="1" cellspacing="0" border="0" bgcolor="#cccccc"><tr><td><table bgcolor="#ffffff"><tr><td><strong>Description: </strong></td><td>Controls the default access state and the order in which

Allow and Deny are

evaluated.</td></tr><tr><td><a href="directive-dict.html#Syntax" class="help">Syntax:</a></td><td> Order <em>ordering</em></td></tr><tr><td><a href="directive-dict.html#Default" class="help">Default:</a></td><td><code>Order Deny,Allow</code></td></tr><tr><td><a href="directive-dict.html#Context" class="help">Context:</a></td><td>directory, .htaccess</td></tr><tr><td><a href="directive-dict.html#Override" class="help">Override:</a></td><td>Limit</td></tr><tr><td><a href="directive-dict.html#Status" class="help">Status:</a></td><td>Base</td></tr><tr><td><a href="directive-dict.html#Module" class="help">Module:</a></td><td>mod_access</td></tr></table></td></tr></table>

<p>The <code class="directive">Order</code> directive controls the default

access state and the order in which <a href="#allow" class="directive"><code class="directive">Allow</code></a> and <a href="#deny" class="directive"><code class="directive">Deny</code></a> directives are evaluated.

<em>Ordering</em> is one of</p>

<dl>

<dt>Deny,Allow</dt>

<dd>The <a href="#deny" class="directive"><code class="directive">Deny</code></a> directives

are evaluated before the <a href="#allow" class="directive"><code class="directive">Allow</code></a> directives. Access is

allowed by default. Any client which does not match a

<a href="#deny" class="directive"><code class="directive">Deny</code></a> directive or does

match an <a href="#allow" class="directive"><code class="directive">Allow</code></a>

directive will be allowed access to the server.</dd>

<dt>Allow,Deny</dt>

<dd>The <a href="#allow" class="directive"><code class="directive">Allow</code></a>

directives are evaluated before the <a href="#deny" class="directive"><code class="directive">Deny</code></a> directives. Access is denied

by default. Any client which does not match an <a href="#allow" class="directive"><code class="directive">Allow</code></a> directive or does match a

<a href="#deny" class="directive"><code class="directive">Deny</code></a> directive will be

denied access to the server.</dd>

<dt>Mutual-failure</dt>

<dd>Only those hosts which appear on the <a href="#allow" class="directive"><code class="directive">Allow</code></a> list and do not appear on

the <a href="#deny" class="directive"><code class="directive">Deny</code></a> list are

granted access. This ordering has the same effect as <code>Order

Allow,Deny</code> and is deprecated in favor of that

configuration.</dd>

</dl>

<p>Keywords may only be separated by a comma; no whitespace is

allowed between them. Note that in all cases every <a href="#allow" class="directive"><code class="directive">Allow</code></a> and <a href="#deny" class="directive"><code class="directive">Deny</code></a> statement is evaluated.</p>

<p>In the following example, all hosts in the apache.org domain

are allowed access; all other hosts are denied access.</p>

<blockquote><table cellpadding="10"><tr><td bgcolor="#eeeeee"><code>

Order Deny,Allow<br>

Deny from all<br>

Allow from apache.org<br>

</code></td></tr></table></blockquote>

<p>In the next example, all hosts in the apache.org domain are

allowed access, except for the hosts which are in the

foo.apache.org subdomain, who are denied access. All hosts not

in the apache.org domain are denied access because the default

state is to deny access to the server.</p>

<blockquote><table cellpadding="10"><tr><td bgcolor="#eeeeee"><code>

Order Allow,Deny<br>

Allow from apache.org<br>

Deny from foo.apache.org<br>

</code></td></tr></table></blockquote>

<p>On the other hand, if the <code>Order</code> in the last

example is changed to <code>Deny,Allow</code>, all hosts will

be allowed access. This happens because, regardless of the

actual ordering of the directives in the configuration file,

the <code>Allow from apache.org</code> will be evaluated last

and will override the <code>Deny from foo.apache.org</code>.

All hosts not in the <code>apache.org</code> domain will also

be allowed access because the default state will change to

<em>allow</em>.</p>

<p>The presence of an <code>Order</code> directive can affect

access to a part of the server even in the absence of accompanying

<a href="#allow" class="directive"><code class="directive">Allow</code></a> and <a href="#deny" class="directive"><code class="directive">Deny</code></a> directives because of its effect

on the default access state. For example,</p>

<blockquote><table cellpadding="10"><tr><td bgcolor="#eeeeee"><code>

&lt;Directory /www&gt;<br>

&nbsp;&nbsp;Order Allow,Deny<br>

&lt;/Directory&gt;

</code></td></tr></table></blockquote>

<p>will deny all access to the <code>/www</code> directory

because the default access state will be set to

<em>deny</em>.</p>

<p>The <code class="directive">Order</code> directive controls the order of access

directive processing only within each phase of the server's

configuration processing. This implies, for example, that an

<a href="#allow" class="directive"><code class="directive">Allow</code></a> or <a href="#deny" class="directive"><code class="directive">Deny</code></a> directive occurring in a

<a href="core.html#location" class="directive"><code class="directive">&lt;Location&gt;</code></a> section will

always be evaluated after an <a href="#allow" class="directive"><code class="directive">Allow</code></a> or <a href="#deny" class="directive"><code class="directive">Deny</code></a> directive occurring in a

<a href="core.html#directory" class="directive"><code class="directive">&lt;Directory&gt;</code></a> section or

<code>.htaccess</code> file, regardless of the setting of the

<code class="directive">Order</code> directive. For details on the merging

of configuration sections, see the documentation on <a href="/sections.html">How Directory, Location and Files sections

work</a>.</p>

<hr/><h3 align="center">Apache HTTP Server Version 2.0</h3><a href="./"><img alt="Index" src="/images/index.gif"/></a><a href="../"><img alt="Home" src="/images/home.gif"/></a></blockquote></body></html>