88319179998c5d8d19943d09450931b88694be58takashi<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
fd9abdda70912b99b24e3bf1a38f26fde908a74cnd<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head>
fd9abdda70912b99b24e3bf1a38f26fde908a74cnd<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type" />
88319179998c5d8d19943d09450931b88694be58takashi XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
88319179998c5d8d19943d09450931b88694be58takashi This file is generated from xml source: DO NOT EDIT
88319179998c5d8d19943d09450931b88694be58takashi XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
96ad5d81ee4a2cc66a4ae19893efc8aa6d06fae7jailletc<title>mod_access_compat - Apache HTTP Server Version 2.5</title>
88319179998c5d8d19943d09450931b88694be58takashi<link href="/style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
88319179998c5d8d19943d09450931b88694be58takashi<link href="/style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
d29d9ab4614ff992b0e8de6e2b88d52b6f1f153erbowen<link href="/style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="/style/css/prettify.css" />
2e545ce2450a9953665f701bb05350f0d3f26275nd<script src="/style/scripts/prettify.min.js" type="text/javascript">
88319179998c5d8d19943d09450931b88694be58takashi<link href="/images/favicon.ico" rel="shortcut icon" /></head>
88319179998c5d8d19943d09450931b88694be58takashi<div id="preamble"><h1>Apache Module mod_access_compat</h1>
88319179998c5d8d19943d09450931b88694be58takashi<table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>Group authorizations based on host (name or IP
88319179998c5d8d19943d09450931b88694be58takashi<tr><th><a href="module-dict.html#Status">Status:</a></th><td>Extension</td></tr>
88319179998c5d8d19943d09450931b88694be58takashi<tr><th><a href="module-dict.html#ModuleIdentifier">Module Identifier:</a></th><td>access_compat_module</td></tr>
88319179998c5d8d19943d09450931b88694be58takashi<tr><th><a href="module-dict.html#SourceFile">Source File:</a></th><td>mod_access_compat.c</td></tr>
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsf<tr><th><a href="module-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache HTTP Server 2.3 as a compatibility module with
ecdc51f25765b81b6d07389c6fa02a9529411f5drbowenprevious versions of Apache httpd 2.x. The directives provided by this module
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsfhave been deprecated by the new authz refactoring. Please see
88319179998c5d8d19943d09450931b88694be58takashi<code class="module"><a href="/mod/mod_authz_host.html">mod_authz_host</a></code></td></tr></table>
88319179998c5d8d19943d09450931b88694be58takashi <p>The directives provided by <code class="module"><a href="/mod/mod_access_compat.html">mod_access_compat</a></code> are
88319179998c5d8d19943d09450931b88694be58takashi used in <code class="directive"><a href="/mod/core.html#directory"><Directory></a></code>,
88319179998c5d8d19943d09450931b88694be58takashi <code class="directive"><a href="/mod/core.html#files"><Files></a></code>, and
88319179998c5d8d19943d09450931b88694be58takashi <code class="directive"><a href="/mod/core.html#location"><Location></a></code> sections
88319179998c5d8d19943d09450931b88694be58takashi as well as <code><a href="core.html#accessfilename">.htaccess</a>
88319179998c5d8d19943d09450931b88694be58takashi </code> files to control access to particular parts of the server.
88319179998c5d8d19943d09450931b88694be58takashi Access can be controlled based on the client hostname, IP address, or
88319179998c5d8d19943d09450931b88694be58takashi other characteristics of the client request, as captured in <a href="/env.html">environment variables</a>. The <code class="directive"><a href="#allow">Allow</a></code> and <code class="directive"><a href="#deny">Deny</a></code> directives are used to
88319179998c5d8d19943d09450931b88694be58takashi specify which clients are or are not allowed access to the server,
88319179998c5d8d19943d09450931b88694be58takashi while the <code class="directive"><a href="#order">Order</a></code>
88319179998c5d8d19943d09450931b88694be58takashi directive sets the default access state, and configures how the
88319179998c5d8d19943d09450931b88694be58takashi <code class="directive"><a href="#allow">Allow</a></code> and <code class="directive"><a href="#deny">Deny</a></code> directives interact with each
88319179998c5d8d19943d09450931b88694be58takashi <p>Both host-based access restrictions and password-based
88319179998c5d8d19943d09450931b88694be58takashi authentication may be implemented simultaneously. In that case,
88319179998c5d8d19943d09450931b88694be58takashi the <code class="directive"><a href="#satisfy">Satisfy</a></code> directive is used
88319179998c5d8d19943d09450931b88694be58takashi to determine how the two sets of restrictions interact.</p>
88319179998c5d8d19943d09450931b88694be58takashi <p>The directives provided by <code class="module"><a href="/mod/mod_access_compat.html">mod_access_compat</a></code> have
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsf been deprecated by the new authz refactoring. Please see
88319179998c5d8d19943d09450931b88694be58takashi <code class="module"><a href="/mod/mod_authz_host.html">mod_authz_host</a></code>.</p>
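88319179998c5d8d19943d09450931b88694be58takashi <p>In general, access restriction directives apply to all access methods (<code>GET</code>, <code>PUT</code>,
88319179998c5d8d19943d09450931b88694be58takashi <code>POST</code>, etc). This is the desired behavior in most
88319179998c5d8d19943d09450931b88694be58takashi cases. However, it is possible to restrict some methods, while
88319179998c5d8d19943d09450931b88694be58takashi leaving other methods unrestricted, by enclosing the directives
88319179998c5d8d19943d09450931b88694be58takashi in a <code class="directive"><a href="/mod/core.html#limit">&lt;Limit&gt;</a></code> section. Methods that are not listed in the <code class="directive">&lt;Limit&gt;</code> section are not covered by the enclosed directives, so a <code class="directive"><a href="/mod/core.html#limitexcept">&lt;LimitExcept&gt;</a></code> section is the safer choice when the intent is to restrict access.</p>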
bd43fc31993cfc191e744a9490481f4294894099covener <div class="note"> <h3>Merging of configuration sections</h3>
5d01f40ffd657dd2ac567aacd93cabd162ddfa79coar <p>When any directive provided by this module is used in a new
bd43fc31993cfc191e744a9490481f4294894099covener configuration section, no directives provided by this module are
bd43fc31993cfc191e744a9490481f4294894099covener inherited from previous configuration sections.</p>
88319179998c5d8d19943d09450931b88694be58takashi<div id="quickview"><h3 class="directives">Directives</h3>
88319179998c5d8d19943d09450931b88694be58takashi<li><img alt="" src="/images/down.gif" /> <a href="#allow">Allow</a></li>
88319179998c5d8d19943d09450931b88694be58takashi<li><img alt="" src="/images/down.gif" /> <a href="#deny">Deny</a></li>
88319179998c5d8d19943d09450931b88694be58takashi<li><img alt="" src="/images/down.gif" /> <a href="#order">Order</a></li>
88319179998c5d8d19943d09450931b88694be58takashi<li><img alt="" src="/images/down.gif" /> <a href="#satisfy">Satisfy</a></li>
88319179998c5d8d19943d09450931b88694be58takashi<li><code class="directive"><a href="/mod/mod_authz_core.html#require">Require</a></code></li>
88319179998c5d8d19943d09450931b88694be58takashi<li><code class="module"><a href="/mod/mod_authz_host.html">mod_authz_host</a></code></li>
88319179998c5d8d19943d09450931b88694be58takashi<li><code class="module"><a href="/mod/mod_authz_core.html">mod_authz_core</a></code></li>
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh</ul><ul class="seealso"><li><a href="#comments_section">Comments</a></li></ul></div>
88319179998c5d8d19943d09450931b88694be58takashi<div class="directive-section"><h2><a name="Allow" id="Allow">Allow</a> <a name="allow" id="allow">Directive</a></h2>
88319179998c5d8d19943d09450931b88694be58takashi<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Controls which hosts can access an area of the
88319179998c5d8d19943d09450931b88694be58takashi<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code> Allow from all|<var>host</var>|env=[!]<var>env-variable</var>
88319179998c5d8d19943d09450931b88694be58takashi[<var>host</var>|env=[!]<var>env-variable</var>] ...</code></td></tr>
88319179998c5d8d19943d09450931b88694be58takashi<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
88319179998c5d8d19943d09450931b88694be58takashi<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>Limit</td></tr>
88319179998c5d8d19943d09450931b88694be58takashi<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
88319179998c5d8d19943d09450931b88694be58takashi<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_access_compat</td></tr>
88319179998c5d8d19943d09450931b88694be58takashi <p>The <code class="directive">Allow</code> directive affects which hosts can
88319179998c5d8d19943d09450931b88694be58takashi access an area of the server. Access can be controlled by
88319179998c5d8d19943d09450931b88694be58takashi hostname, IP address, IP address range, or by other
88319179998c5d8d19943d09450931b88694be58takashi characteristics of the client request captured in environment
88319179998c5d8d19943d09450931b88694be58takashi variables.</p>
88319179998c5d8d19943d09450931b88694be58takashi <p>The first argument to this directive is always
88319179998c5d8d19943d09450931b88694be58takashi <code>from</code>. The subsequent arguments can take three
88319179998c5d8d19943d09450931b88694be58takashi different forms. If <code>Allow from all</code> is specified, then
88319179998c5d8d19943d09450931b88694be58takashi all hosts are allowed access, subject to the configuration of the
88319179998c5d8d19943d09450931b88694be58takashi <code class="directive"><a href="#deny">Deny</a></code> and <code class="directive"><a href="#order">Order</a></code> directives as discussed
88319179998c5d8d19943d09450931b88694be58takashi below. To allow only particular hosts or groups of hosts to access
88319179998c5d8d19943d09450931b88694be58takashi the server, the <em>host</em> can be specified in any of the
88319179998c5d8d19943d09450931b88694be58takashi following formats:</p>
4aa603e6448b99f9371397d439795c91a93637eand <pre class="prettyprint lang-config">Allow from example.org
88319179998c5d8d19943d09450931b88694be58takashi <p>Hosts whose names match, or end in, this string are allowed
88319179998c5d8d19943d09450931b88694be58takashi access. Only complete components are matched, so the above
9a367ec3d570bcbaf8923dad66cb3b1532963964trawick example will match <code>foo.example.org</code> but it will not
9a367ec3d570bcbaf8923dad66cb3b1532963964trawick match <code>fooexample.org</code>. This configuration will cause
ecdc51f25765b81b6d07389c6fa02a9529411f5drbowen Apache httpd to perform a double DNS lookup on the client IP
88319179998c5d8d19943d09450931b88694be58takashi address, regardless of the setting of the <code class="directive"><a href="/mod/core.html#hostnamelookups">HostnameLookups</a></code> directive. It will do
88319179998c5d8d19943d09450931b88694be58takashi a reverse DNS lookup on the IP address to find the associated
88319179998c5d8d19943d09450931b88694be58takashi hostname, and then do a forward lookup on the hostname to assure
88319179998c5d8d19943d09450931b88694be58takashi that it matches the original IP address. Only if the forward
88319179998c5d8d19943d09450931b88694be58takashi and reverse DNS are consistent and the hostname matches will
4aa603e6448b99f9371397d439795c91a93637eandAllow from 192.168.1.104 192.168.1.205</pre>
4aa603e6448b99f9371397d439795c91a93637eandAllow from 10 172.20 192.168.2</pre>
88319179998c5d8d19943d09450931b88694be58takashi <p>The first 1 to 3 bytes of an IP address, for subnet
20f499565e77defe9dab24dd85c02f38a1175855nd <pre class="prettyprint lang-config">Allow from 10.1.0.0/255.255.0.0</pre>
88319179998c5d8d19943d09450931b88694be58takashi <p>A network a.b.c.d, and a netmask w.x.y.z. For more
20f499565e77defe9dab24dd85c02f38a1175855nd <pre class="prettyprint lang-config">Allow from 10.1.0.0/16</pre>
88319179998c5d8d19943d09450931b88694be58takashi <p>Similar to the previous case, except the netmask consists of
88319179998c5d8d19943d09450931b88694be58takashi <p>Note that the last three examples above match exactly the
88319179998c5d8d19943d09450931b88694be58takashi same set of hosts.</p>
88319179998c5d8d19943d09450931b88694be58takashi <p>IPv6 addresses and IPv6 subnets can be specified as shown
4aa603e6448b99f9371397d439795c91a93637eand <pre class="prettyprint lang-config">Allow from 2001:db8::a00:20ff:fea7:ccea
88319179998c5d8d19943d09450931b88694be58takashi <p>The third format of the arguments to the
88319179998c5d8d19943d09450931b88694be58takashi <code class="directive">Allow</code> directive allows access to the server
88319179998c5d8d19943d09450931b88694be58takashi to be controlled based on the existence of an <a href="/env.html">environment variable</a>. When <code>Allow from
88319179998c5d8d19943d09450931b88694be58takashi env=<var>env-variable</var></code> is specified, then the request is
88319179998c5d8d19943d09450931b88694be58takashi allowed access if the environment variable <var>env-variable</var>
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsf exists. When <code>Allow from env=!<var>env-variable</var></code> is
9a58dc6a2b26ec128b1270cf48810e705f1a90dbsf specified, then the request is allowed access if the environment variable <var>env-variable</var> doesn't exist.
88319179998c5d8d19943d09450931b88694be58takashi The server provides the ability to set environment
88319179998c5d8d19943d09450931b88694be58takashi variables in a flexible way based on characteristics of the client
88319179998c5d8d19943d09450931b88694be58takashi request using the directives provided by
88319179998c5d8d19943d09450931b88694be58takashi <code class="module"><a href="/mod/mod_setenvif.html">mod_setenvif</a></code>. Therefore, this directive can be
88319179998c5d8d19943d09450931b88694be58takashi used to allow access based on such factors as the client's
88319179998c5d8d19943d09450931b88694be58takashi <code>User-Agent</code> (browser type), <code>Referer</code>, or
88319179998c5d8d19943d09450931b88694be58takashi other HTTP request header fields.</p>
4aa603e6448b99f9371397d439795c91a93637eand <pre class="prettyprint lang-config">SetEnvIf User-Agent ^KnockKnock/2\.0 let_me_in
1f1b6bf13313fdd14a45e52e553d3ff28689b717coar<Directory "/docroot">
f0fa55ff14fa0bf8fd72d989f6625de6dc3260c8igalic Order Deny,Allow
f0fa55ff14fa0bf8fd72d989f6625de6dc3260c8igalic Deny from all
f0fa55ff14fa0bf8fd72d989f6625de6dc3260c8igalic Allow from env=let_me_in
4aa603e6448b99f9371397d439795c91a93637eand</Directory></pre>
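88319179998c5d8d19943d09450931b88694be58takashi <p>In this case, browsers with a user-agent string beginning
88319179998c5d8d19943d09450931b88694be58takashi with <code>KnockKnock/2.0</code> will be allowed access, and all
88319179998c5d8d19943d09450931b88694be58takashi others will be denied. Because the <code>User-Agent</code> header is supplied by the client and can be set to any value, this technique is not a reliable access control on its own.</p>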
bd43fc31993cfc191e744a9490481f4294894099covener <div class="note"> <h3>Merging of configuration sections</h3>
5d01f40ffd657dd2ac567aacd93cabd162ddfa79coar <p>When any directive provided by this module is used in a new
bd43fc31993cfc191e744a9490481f4294894099covener configuration section, no directives provided by this module are
bd43fc31993cfc191e744a9490481f4294894099covener inherited from previous configuration sections.</p>
88319179998c5d8d19943d09450931b88694be58takashi<div class="directive-section"><h2><a name="Deny" id="Deny">Deny</a> <a name="deny" id="deny">Directive</a></h2>
88319179998c5d8d19943d09450931b88694be58takashi<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Controls which hosts are denied access to the
88319179998c5d8d19943d09450931b88694be58takashi<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code> Deny from all|<var>host</var>|env=[!]<var>env-variable</var>
88319179998c5d8d19943d09450931b88694be58takashi[<var>host</var>|env=[!]<var>env-variable</var>] ...</code></td></tr>
88319179998c5d8d19943d09450931b88694be58takashi<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
88319179998c5d8d19943d09450931b88694be58takashi<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>Limit</td></tr>
88319179998c5d8d19943d09450931b88694be58takashi<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
88319179998c5d8d19943d09450931b88694be58takashi<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_access_compat</td></tr>
88319179998c5d8d19943d09450931b88694be58takashi <p>This directive allows access to the server to be restricted
88319179998c5d8d19943d09450931b88694be58takashi based on hostname, IP address, or environment variables. The
88319179998c5d8d19943d09450931b88694be58takashi arguments for the <code class="directive">Deny</code> directive are
88319179998c5d8d19943d09450931b88694be58takashi identical to the arguments for the <code class="directive"><a href="#allow">Allow</a></code> directive.</p>
88319179998c5d8d19943d09450931b88694be58takashi<div class="directive-section"><h2><a name="Order" id="Order">Order</a> <a name="order" id="order">Directive</a></h2>
88319179998c5d8d19943d09450931b88694be58takashi<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Controls the default access state and the order in which
88319179998c5d8d19943d09450931b88694be58takashi<code class="directive">Allow</code> and <code class="directive">Deny</code> are
88319179998c5d8d19943d09450931b88694be58takashi<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code> Order <var>ordering</var></code></td></tr>
88319179998c5d8d19943d09450931b88694be58takashi<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>Order Deny,Allow</code></td></tr>
88319179998c5d8d19943d09450931b88694be58takashi<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
88319179998c5d8d19943d09450931b88694be58takashi<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>Limit</td></tr>
88319179998c5d8d19943d09450931b88694be58takashi<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
88319179998c5d8d19943d09450931b88694be58takashi<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_access_compat</td></tr>
88319179998c5d8d19943d09450931b88694be58takashi <p>The <code class="directive">Order</code> directive, along with the
88319179998c5d8d19943d09450931b88694be58takashi <code class="directive"><a href="#allow">Allow</a></code> and
88319179998c5d8d19943d09450931b88694be58takashi <code class="directive"><a href="#deny">Deny</a></code> directives,
88319179998c5d8d19943d09450931b88694be58takashi controls a three-pass access control system. The first pass
88319179998c5d8d19943d09450931b88694be58takashi processes either all <code class="directive"><a href="#allow">Allow</a></code> or all <code class="directive"><a href="#deny">Deny</a></code> directives, as specified
88319179998c5d8d19943d09450931b88694be58takashi by the <code class="directive"><a href="#order">Order</a></code>
88319179998c5d8d19943d09450931b88694be58takashi directive. The second pass parses the rest of the directives
88319179998c5d8d19943d09450931b88694be58takashi (<code class="directive"><a href="#deny">Deny</a></code> or
88319179998c5d8d19943d09450931b88694be58takashi <code class="directive"><a href="#allow">Allow</a></code>). The third
88319179998c5d8d19943d09450931b88694be58takashi pass applies to all requests which do not match either of the first
88319179998c5d8d19943d09450931b88694be58takashi <p>Note that all <code class="directive"><a href="#allow">Allow</a></code> and <code class="directive"><a href="#deny">Deny</a></code> directives are
88319179998c5d8d19943d09450931b88694be58takashi processed, unlike a typical firewall, where only the first match is
88319179998c5d8d19943d09450931b88694be58takashi used. The last match is effective (also unlike a typical firewall).
88319179998c5d8d19943d09450931b88694be58takashi Additionally, the order in which lines appear in the configuration
88319179998c5d8d19943d09450931b88694be58takashi files is not significant -- all <code class="directive"><a href="#allow">Allow</a></code> lines are processed as
88319179998c5d8d19943d09450931b88694be58takashi one group, all <code class="directive"><a href="#deny">Deny</a></code> lines are considered as
88319179998c5d8d19943d09450931b88694be58takashi another, and the default state is considered by itself.</p>
88319179998c5d8d19943d09450931b88694be58takashi <dd>First, all <code class="directive"><a href="#allow">Allow</a></code> directives are
88319179998c5d8d19943d09450931b88694be58takashi evaluated; at least one must match, or the request is rejected.
88319179998c5d8d19943d09450931b88694be58takashi Next, all <code class="directive"><a href="#deny">Deny</a></code>
88319179998c5d8d19943d09450931b88694be58takashi directives are evaluated. If any matches, the request is rejected.
88319179998c5d8d19943d09450931b88694be58takashi Last, any requests which do not match an <code class="directive"><a href="#allow">Allow</a></code> or a <code class="directive"><a href="#deny">Deny</a></code> directive are denied
88319179998c5d8d19943d09450931b88694be58takashi by default.</dd>
88319179998c5d8d19943d09450931b88694be58takashi <dd>First, all <code class="directive"><a href="#deny">Deny</a></code> directives are
88319179998c5d8d19943d09450931b88694be58takashi evaluated; if any match, the request is denied
88319179998c5d8d19943d09450931b88694be58takashi <strong>unless</strong> it also matches an <code class="directive"><a href="#allow">Allow</a></code> directive. Any
88319179998c5d8d19943d09450931b88694be58takashi requests which do not match any <code class="directive"><a href="#allow">Allow</a></code> or <code class="directive"><a href="#deny">Deny</a></code> directives are
88319179998c5d8d19943d09450931b88694be58takashi permitted.</dd>
88319179998c5d8d19943d09450931b88694be58takashi Allow,Deny</code> and is deprecated in its favor.</dd>
88319179998c5d8d19943d09450931b88694be58takashi <p>Keywords may only be separated by a comma; <em>no whitespace</em>
88319179998c5d8d19943d09450931b88694be58takashi is allowed between them.</p>
9a367ec3d570bcbaf8923dad66cb3b1532963964trawick <p>In the following example, all hosts in the example.org domain
88319179998c5d8d19943d09450931b88694be58takashi are allowed access; all other hosts are denied access.</p>
f0fa55ff14fa0bf8fd72d989f6625de6dc3260c8igalicDeny from all
9a367ec3d570bcbaf8923dad66cb3b1532963964trawick <p>In the next example, all hosts in the example.org domain are
88319179998c5d8d19943d09450931b88694be58takashi allowed access, except for the hosts which are in the
9a367ec3d570bcbaf8923dad66cb3b1532963964trawick foo.example.org subdomain, who are denied access. All hosts not
9a367ec3d570bcbaf8923dad66cb3b1532963964trawick in the example.org domain are denied access because the default
88319179998c5d8d19943d09450931b88694be58takashi state is to <code class="directive"><a href="#deny">Deny</a></code>
88319179998c5d8d19943d09450931b88694be58takashi access to the server.</p>
88319179998c5d8d19943d09450931b88694be58takashi <p>On the other hand, if the <code class="directive">Order</code> in the
88319179998c5d8d19943d09450931b88694be58takashi last example is changed to <code>Deny,Allow</code>, all hosts will
88319179998c5d8d19943d09450931b88694be58takashi be allowed access. This happens because, regardless of the actual
88319179998c5d8d19943d09450931b88694be58takashi ordering of the directives in the configuration file, the
9a367ec3d570bcbaf8923dad66cb3b1532963964trawick <code>Allow from example.org</code> will be evaluated last and will
9a367ec3d570bcbaf8923dad66cb3b1532963964trawick override the <code>Deny from foo.example.org</code>. All hosts not in
9a367ec3d570bcbaf8923dad66cb3b1532963964trawick the <code>example.org</code> domain will also be allowed access
88319179998c5d8d19943d09450931b88694be58takashi because the default state is <code class="directive"><a href="#allow">Allow</a></code>.</p>
88319179998c5d8d19943d09450931b88694be58takashi <p>The presence of an <code class="directive">Order</code> directive can
88319179998c5d8d19943d09450931b88694be58takashi affect access to a part of the server even in the absence of
88319179998c5d8d19943d09450931b88694be58takashi accompanying <code class="directive"><a href="#allow">Allow</a></code>
88319179998c5d8d19943d09450931b88694be58takashi and <code class="directive"><a href="#deny">Deny</a></code>
88319179998c5d8d19943d09450931b88694be58takashi directives because of its effect on the default access state. For
88319179998c5d8d19943d09450931b88694be58takashi example,</p>
1f1b6bf13313fdd14a45e52e553d3ff28689b717coar <pre class="prettyprint lang-config"><Directory "/www">
f0fa55ff14fa0bf8fd72d989f6625de6dc3260c8igalic Order Allow,Deny
4aa603e6448b99f9371397d439795c91a93637eand</Directory></pre>
88319179998c5d8d19943d09450931b88694be58takashi <p>will Deny all access to the <code>/www</code> directory
88319179998c5d8d19943d09450931b88694be58takashi because the default access state is set to
88319179998c5d8d19943d09450931b88694be58takashi <code class="directive"><a href="#deny">Deny</a></code>.</p>
88319179998c5d8d19943d09450931b88694be58takashi <p>The <code class="directive">Order</code> directive controls the order of access
88319179998c5d8d19943d09450931b88694be58takashi directive processing only within each phase of the server's
88319179998c5d8d19943d09450931b88694be58takashi configuration processing. This implies, for example, that an
88319179998c5d8d19943d09450931b88694be58takashi <code class="directive"><a href="#allow">Allow</a></code> or <code class="directive"><a href="#deny">Deny</a></code> directive occurring in a
88319179998c5d8d19943d09450931b88694be58takashi <code class="directive"><a href="/mod/core.html#location"><Location></a></code> section will
88319179998c5d8d19943d09450931b88694be58takashi always be evaluated after an <code class="directive"><a href="#allow">Allow</a></code> or <code class="directive"><a href="#deny">Deny</a></code> directive occurring in a
88319179998c5d8d19943d09450931b88694be58takashi <code class="directive"><a href="/mod/core.html#directory"><Directory></a></code> section or
88319179998c5d8d19943d09450931b88694be58takashi <code>.htaccess</code> file, regardless of the setting of the
88319179998c5d8d19943d09450931b88694be58takashi <code class="directive">Order</code> directive. For details on the merging
88319179998c5d8d19943d09450931b88694be58takashi of configuration sections, see the documentation on <a href="/sections.html">How Directory, Location and Files sections
bd43fc31993cfc191e744a9490481f4294894099covener <div class="note"> <h3>Merging of configuration sections</h3>
5d01f40ffd657dd2ac567aacd93cabd162ddfa79coar <p>When any directive provided by this module is used in a new
bd43fc31993cfc191e744a9490481f4294894099covener configuration section, no directives provided by this module are
bd43fc31993cfc191e744a9490481f4294894099covener inherited from previous configuration sections.</p>
88319179998c5d8d19943d09450931b88694be58takashi<div class="directive-section"><h2><a name="Satisfy" id="Satisfy">Satisfy</a> <a name="satisfy" id="satisfy">Directive</a></h2>
88319179998c5d8d19943d09450931b88694be58takashi<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Interaction between host-level access control and
88319179998c5d8d19943d09450931b88694be58takashi<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>Satisfy Any|All</code></td></tr>
88319179998c5d8d19943d09450931b88694be58takashi<tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>Satisfy All</code></td></tr>
88319179998c5d8d19943d09450931b88694be58takashi<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
88319179998c5d8d19943d09450931b88694be58takashi<tr><th><a href="directive-dict.html#Override">Override:</a></th><td>AuthConfig</td></tr>
88319179998c5d8d19943d09450931b88694be58takashi<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
88319179998c5d8d19943d09450931b88694be58takashi<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_access_compat</td></tr>
88319179998c5d8d19943d09450931b88694be58takashi <p>Access policy if both <code class="directive"><a href="#allow">Allow</a></code> and <code class="directive"><a href="/mod/mod_authz_core.html#require">Require</a></code> are used. The parameter can be
88319179998c5d8d19943d09450931b88694be58takashi either <code>All</code> or <code>Any</code>. This directive is only
88319179998c5d8d19943d09450931b88694be58takashi useful if access to a particular area is being restricted by both
88319179998c5d8d19943d09450931b88694be58takashi username/password <em>and</em> client host address. In this case
88319179998c5d8d19943d09450931b88694be58takashi the default behavior (<code>All</code>) is to require that the client
88319179998c5d8d19943d09450931b88694be58takashi passes the address access restriction <em>and</em> enters a valid
88319179998c5d8d19943d09450931b88694be58takashi username and password. With the <code>Any</code> option the client will be
88319179998c5d8d19943d09450931b88694be58takashi granted access if they either pass the host restriction or enter a
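88319179998c5d8d19943d09450931b88694be58takashi valid username and password. This can be used to password restrict
88319179998c5d8d19943d09450931b88694be58takashi an area, but to let clients from particular addresses in without
88319179998c5d8d19943d09450931b88694be58takashi prompting for a password. With <code>Any</code>, a client that passes the host restriction is never asked for credentials, so the <code class="directive"><a href="#allow">Allow</a></code> rules should match only the addresses that are meant to bypass authentication.</p>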
88319179998c5d8d19943d09450931b88694be58takashi <p>For example, if you wanted to let people on your network have
88319179998c5d8d19943d09450931b88694be58takashi unrestricted access to a portion of your website, but require that
88319179998c5d8d19943d09450931b88694be58takashi people outside of your network provide a password, you could use a
88319179998c5d8d19943d09450931b88694be58takashi configuration similar to the following:</p>
f0fa55ff14fa0bf8fd72d989f6625de6dc3260c8igalicAllow from 192.168.1
4aa603e6448b99f9371397d439795c91a93637eandSatisfy Any</pre>
88319179998c5d8d19943d09450931b88694be58takashi Another frequent use of the <code class="directive">Satisfy</code> directive
88319179998c5d8d19943d09450931b88694be58takashi is to relax access restrictions for a subdirectory:
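1f1b6bf13313fdd14a45e52e553d3ff28689b717coar <pre class="prettyprint lang-config"><Directory "/var/www/private">
# Require a valid login for this directory.
f0fa55ff14fa0bf8fd72d989f6625de6dc3260c8igalic Require valid-user
f0fa55ff14fa0bf8fd72d989f6625de6dc3260c8igalic</Directory>

<Directory "/var/www/private/public">
# Allow from all admits every host, and Satisfy Any accepts the host check alone,
# so this subdirectory is served without asking for credentials.
f0fa55ff14fa0bf8fd72d989f6625de6dc3260c8igalic Allow from all
f0fa55ff14fa0bf8fd72d989f6625de6dc3260c8igalic Satisfy Any
4aa603e6448b99f9371397d439795c91a93637eand</Directory></pre>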
88319179998c5d8d19943d09450931b88694be58takashi <p>In the above example, authentication will be required for the
88319179998c5d8d19943d09450931b88694be58takashi <code>/var/www/private</code> directory, but will not be required
88319179998c5d8d19943d09450931b88694be58takashi for the <code>/var/www/private/public</code> directory. Because <code>Allow from all</code> matches every client, <code>Satisfy Any</code> makes that subdirectory accessible to anyone, without a password.</p>
88319179998c5d8d19943d09450931b88694be58takashi <p>Since version 2.0.51 <code class="directive">Satisfy</code> directives can
88319179998c5d8d19943d09450931b88694be58takashi be restricted to particular methods by <code class="directive"><a href="/mod/core.html#limit"><Limit></a></code> and <code class="directive"><a href="/mod/core.html#limitexcept"><LimitExcept></a></code> sections.</p>
bd43fc31993cfc191e744a9490481f4294894099covener <div class="note"> <h3>Merging of configuration sections</h3>
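5d01f40ffd657dd2ac567aacd93cabd162ddfa79coar <p>When any directive provided by this module is used in a new
bd43fc31993cfc191e744a9490481f4294894099covener configuration section, no directives provided by this module are
bd43fc31993cfc191e744a9490481f4294894099covener inherited from previous configuration sections. In practice, a section that uses one of these directives must restate the complete host-based policy it needs, because restrictions set with this module's directives in earlier sections no longer apply there.</p>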
88319179998c5d8d19943d09450931b88694be58takashi<li><code class="directive"><a href="#allow">Allow</a></code></li>
88319179998c5d8d19943d09450931b88694be58takashi<li><code class="directive"><a href="/mod/mod_authz_core.html#require">Require</a></code></li>
af33a4994ae2ff15bc67d19ff1a7feb906745bf8rbowen<p class="menu"><a href="/mod/">Modules</a> | <a href="/mod/quickreference.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="/glossary.html">Glossary</a> | <a href="/sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!--
0d0ba3a410038e179b695446bb149cce6264e0abndif (typeof(prettyPrint) !== 'undefined') {
7fec19672a491661b2fe4b29f685bc7f4efa64d4nd prettyPrint();