1N/A<!
DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
1N/A<
TITLE>Apache module mod_access</
TITLE>
1N/A<!-- Background white, links blue (unvisited), navy (visited), red (active) --> 1N/A<
H1 ALIGN="CENTER">Module mod_access</
H1>
1N/Ais compiled in by default. It provides access control based on client
1N/Ahostname or IP address.
1N/A<
LI><
A HREF="#allow">allow</
A>
1N/A<
LI><
A HREF="#allowfromenv">allow from env=</
A>
1N/A<
LI><
A HREF="#deny">deny</
A>
1N/A<
LI><
A HREF="#denyfromenv">deny from env=</
A>
1N/A<
LI><
A HREF="#order">order</
A>
1N/A<
H2><
A NAME="allow">allow directive</
A></
H2>
1N/A<!--%plaintext <?INDEX {\tt allow} directive> --> 1N/A><
STRONG>Syntax:</
STRONG></
A> allow from <
EM>host host ...</
EM><
BR>
1N/A><
STRONG>Context:</
STRONG></
A> directory, .htaccess<
BR>
1N/A><
STRONG>Override:</
STRONG></
A> Limit<
BR>
1N/A><
STRONG>Status:</
STRONG></
A> Base<
BR>
1N/A><
STRONG>Module:</
STRONG></
A> mod_access
1N/AThe allow directive affects which hosts can access a given directory.
1N/A<
EM>Host</
EM> is one of the following:
1N/A<
DD>All hosts are allowed access
1N/A<
DT>A (partial) domain-name
1N/A<
DD>Hosts whose names match, or end in, this string are allowed access.
1N/A<
DT>A full IP address
1N/A<
DD>An IP address of a host allowed access
1N/A<
DT>A partial IP address
1N/A<
DD>The first 1 to 3 bytes of an IP address, for subnet restriction.
1N/A<
DT>A
network/
nnn CIDR specification (<
STRONG>Apache 1.3 and later</
STRONG>)
1N/A<
DD>Similar to the previous case, except the netmask consists of nnn
1N/AAll hosts in the specified domain are allowed access.
1N/ANote that this compares whole components; <
CODE>
bar.edu</
CODE>
1N/ASee also <
A HREF="#deny">deny</
A>, <
A HREF="#order">order</
A>, and
1N/A<
A NAME="allowfromenv"><
STRONG>Syntax:</
STRONG> allow from
1N/A env=<
EM>variablename</
EM></
A><
BR>
1N/A><
STRONG>Context:</
STRONG></
A> directory, .htaccess<
BR>
1N/A><
STRONG>Override:</
STRONG></
A> Limit<
BR>
1N/A><
STRONG>Status:</
STRONG></
A> Base<
BR>
1N/A><
STRONG>Module:</
STRONG></
A> mod_access<
BR>
1N/A><
STRONG>Compatibility:</
STRONG></
A> Apache 1.2 and above
1N/AThe allow from env directive controls access to a directory by the
1N/Aexistence (or non-existence) of an environment variable.
1N/A<Directory /docroot>
1N/A allow from env=let_me_in
1N/Abe allowed access, and all others will be denied.
1N/ASee also <
A HREF="#denyfromenv">deny from env</
A>
1N/Aand <
A HREF="#order">order</
A>.
1N/A<
H2><
A NAME="deny">deny directive</
A></
H2>
1N/A<!--%plaintext <?INDEX {\tt deny} directive> --> 1N/A><
STRONG>Syntax:</
STRONG></
A> deny from <
EM>host host ...</
EM><
BR>
1N/A><
STRONG>Context:</
STRONG></
A> directory, .htaccess<
BR>
1N/A><
STRONG>Override:</
STRONG></
A> Limit<
BR>
1N/A><
STRONG>Status:</
STRONG></
A> Base<
BR>
1N/A><
STRONG>Module:</
STRONG></
A> mod_access
1N/AThe deny directive affects which hosts can access a given directory.
1N/A<
EM>Host</
EM> is one of the following:
1N/A<
DD>all hosts are denied access
1N/A<
DT>A (partial) domain-name
1N/A<
DD>host whose name is, or ends in, this string are denied access.
1N/A<
DT>A full IP address
1N/A<
DD>An IP address of a host denied access
1N/A<
DT>A partial IP address
1N/A<
DD>The first 1 to 3 bytes of an IP address, for subnet restriction.
1N/A<
DT>A
network/
nnn CIDR specification (<
STRONG>Apache 1.3 and later</
STRONG>)
1N/A<
DD>Similar to the previous case, except the netmask consists of nnn
1N/A<
BLOCKQUOTE><
CODE>deny from 16</
CODE></
BLOCKQUOTE>
1N/AAll hosts in the specified network are denied access.
1N/ANote that this compares whole components; <
CODE>
bar.edu</
CODE>
1N/ASee also <
A HREF="#allow">allow</
A> and <
A HREF="#order">order</
A>.
1N/A<
A NAME="denyfromenv"><
STRONG>Syntax:</
STRONG> deny from
1N/A env=<
EM>variablename</
EM></
A><
BR>
1N/A><
STRONG>Context:</
STRONG></
A> directory, .htaccess<
BR>
1N/A><
STRONG>Override:</
STRONG></
A> Limit<
BR>
1N/A><
STRONG>Status:</
STRONG></
A> Base<
BR>
1N/A><
STRONG>Module:</
STRONG></
A> mod_access<
BR>
1N/A><
STRONG>Compatibility:</
STRONG></
A> Apache 1.2 and above
1N/AThe deny from env directive controls access to a directory by the
1N/Aexistence (or non-existence) of an environment variable.
1N/A<Directory /docroot>
1N/A deny from env=go_away
1N/AIn this case browsers with the user-agent string <
TT>
BadRobot/
0.9</
TT> will
1N/Abe denied access, and all others will be allowed.
1N/ASee also <
A HREF="#allowfromenv">allow from env</
A>
1N/Aand <
A HREF="#order">order</
A>.
1N/A<
H2><
A NAME="order">order directive</
A></
H2>
1N/A<!--%plaintext <?INDEX {\tt order} directive> --> 1N/A><
STRONG>Syntax:</
STRONG></
A> order <
EM>ordering</
EM><
BR>
><
STRONG>Default:</
STRONG></
A> <
CODE>order deny,allow</
CODE><
BR>
><
STRONG>Context:</
STRONG></
A> directory, .htaccess<
BR>
><
STRONG>Override:</
STRONG></
A> Limit<
BR>
><
STRONG>Status:</
STRONG></
A> Base<
BR>
><
STRONG>Module:</
STRONG></
A> mod_access
The order directive controls the order in which <
A HREF="#allow">allow</
A> and
<
A HREF="#deny">deny</
A> directives are evaluated. <
EM>Ordering</
EM> is one
<
DD>the deny directives are evaluated before the allow directives. (The
<
DD>the allow directives are evaluated before the deny directives. (The
initial state is FORBIDDEN.)
<
DD>Only those hosts which appear on the allow list and do not appear
on the deny list are granted access. (The initial state is irrelevant.)
<
STRONG>Note that in all cases every <
CODE>allow</
CODE> and <
CODE>deny</
CODE>
statement is evaluated, there is no "short-circuiting".</
STRONG>
Hosts in the
ncsa.uiuc.edu domain are allowed access; all other hosts are