mod_access_compat.xml revision a330659fa32865eb8521adaccf5d9b75687b9aeb
530eba85dbd41b8a0fa5255d3648d1440199a661slive<!DOCTYPE modulesynopsis SYSTEM "/style/modulesynopsis.dtd">
e942c741056732f50da2074b36fe59805d370650slive<?xml-stylesheet type="text/xsl" href="/style/manual.en.xsl"?>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive<!-- $LastChangedRevision$ -->
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive Licensed to the Apache Software Foundation (ASF) under one or more
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive contributor license agreements. See the NOTICE file distributed with
530eba85dbd41b8a0fa5255d3648d1440199a661slive this work for additional information regarding copyright ownership.
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive The ASF licenses this file to You under the Apache License, Version 2.0
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive (the "License"); you may not use this file except in compliance with
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive the License. You may obtain a copy of the License at
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive Unless required by applicable law or agreed to in writing, software
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive distributed under the License is distributed on an "AS IS" BASIS,
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
18b4b0fd6056093002ddef488636bf5ebe415ef0erikabele See the License for the specific language governing permissions and
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive limitations under the License.
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive<description>Group authorizations based on host (name or IP
80c4526970a11f37c0f8e3b82afdf03902dac3f3sliveaddress)</description>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive<compatibility>Available in Apache HTTP Server 2.3 as a compatibility module with
80c4526970a11f37c0f8e3b82afdf03902dac3f3sliveprevious versions of Apache httpd 2.x. The directives provided by this module
80c4526970a11f37c0f8e3b82afdf03902dac3f3slivehave been deprecated by the new authz refactoring. Please see
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive <p>The directives provided by <module>mod_access_compat</module> are
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive used in <directive module="core" type="section">Directory</directive>,
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive <directive module="core" type="section">Files</directive>, and
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive <directive module="core" type="section">Location</directive> sections
fb77c505254b6e9c925e23e734463e87574f8f40kess as well as <code><a href="core.html#accessfilename">.htaccess</a>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive </code> files to control access to particular parts of the server.
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive Access can be controlled based on the client hostname, IP address, or
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive other characteristics of the client request, as captured in <a
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive href="/env.html">environment variables</a>. The <directive
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive module="mod_access_compat">Allow</directive> and <directive
fb77c505254b6e9c925e23e734463e87574f8f40kess module="mod_access_compat">Deny</directive> directives are used to
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive specify which clients are or are not allowed access to the server,
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive while the <directive module="mod_access_compat">Order</directive>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive directive sets the default access state, and configures how the
fb77c505254b6e9c925e23e734463e87574f8f40kess <directive module="mod_access_compat">Allow</directive> and <directive
fb77c505254b6e9c925e23e734463e87574f8f40kess module="mod_access_compat">Deny</directive> directives interact with each
fb77c505254b6e9c925e23e734463e87574f8f40kess <p>Both host-based access restrictions and password-based
6b64034fa2a644ba291c484c0c01c7df5b8d982ckess authentication may be implemented simultaneously. In that case,
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive the <directive module="mod_access_compat">Satisfy</directive> directive is used
fb77c505254b6e9c925e23e734463e87574f8f40kess to determine how the two sets of restrictions interact.</p>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive <p>The directives provided by <module>mod_access_compat</module> have
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive been deprecated by the new authz refactoring. Please see
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive <p>In general, access restriction directives apply to all
fb77c505254b6e9c925e23e734463e87574f8f40kess <code>POST</code>, etc). This is the desired behavior in most
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive cases. However, it is possible to restrict some methods, while
a7f40ca49262952d6dd69d021cf5b0c2b452ae4cnd leaving other methods unrestricted, by enclosing the directives
130d299c4b2b15be45532a176604c71fdc7bea5bnd in a <directive module="core" type="section">Limit</directive> section.</p>
130d299c4b2b15be45532a176604c71fdc7bea5bnd<seealso><directive module="mod_authz_core">Require</directive></seealso>
130d299c4b2b15be45532a176604c71fdc7bea5bnd<directivesynopsis>
a7f40ca49262952d6dd69d021cf5b0c2b452ae4cnd<description>Controls which hosts can access an area of the
80c4526970a11f37c0f8e3b82afdf03902dac3f3sliveserver</description>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive<syntax> Allow from all|<var>host</var>|env=[!]<var>env-variable</var>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive[<var>host</var>|env=[!]<var>env-variable</var>] ...</syntax>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive<contextlist><context>directory</context><context>.htaccess</context>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive</contextlist>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive <p>The <directive>Allow</directive> directive affects which hosts can
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive access an area of the server. Access can be controlled by
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive hostname, IP address, IP address range, or by other
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive characteristics of the client request captured in environment
313bb560bc5c323cfd40c9cad7335b4b8e060aedkess variables.</p>
003f0c9fda6664daf5092a0e42f65ede20098153slive <p>The first argument to this directive is always
6b64034fa2a644ba291c484c0c01c7df5b8d982ckess <code>from</code>. The subsequent arguments can take three
6b64034fa2a644ba291c484c0c01c7df5b8d982ckess different forms. If <code>Allow from all</code> is specified, then
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive all hosts are allowed access, subject to the configuration of the
a7f40ca49262952d6dd69d021cf5b0c2b452ae4cnd <directive module="mod_access_compat">Deny</directive> and <directive
a7f40ca49262952d6dd69d021cf5b0c2b452ae4cnd module="mod_access_compat">Order</directive> directives as discussed
a7f40ca49262952d6dd69d021cf5b0c2b452ae4cnd below. To allow only particular hosts or groups of hosts to access
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive the server, the <em>host</em> can be specified in any of the
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive following formats:</p>
130d299c4b2b15be45532a176604c71fdc7bea5bnd Allow from .net example.edu
130d299c4b2b15be45532a176604c71fdc7bea5bnd </example>
130d299c4b2b15be45532a176604c71fdc7bea5bnd <p>Hosts whose names match, or end in, this string are allowed
130d299c4b2b15be45532a176604c71fdc7bea5bnd access. Only complete components are matched, so the above
a7f40ca49262952d6dd69d021cf5b0c2b452ae4cnd example will match <code>foo.example.org</code> but it will not
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive match <code>fooexample.org</code>. This configuration will cause
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive Apache httpd to perform a double DNS lookup on the client IP
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive address, regardless of the setting of the <directive
1a3f62ca37273a15a06bb94a61d3c6fcf4bf38c9rbowen module="core">HostnameLookups</directive> directive. It will do
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive a reverse DNS lookup on the IP address to find the associated
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive hostname, and then do a forward lookup on the hostname to assure
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive that it matches the original IP address. Only if the forward
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive and reverse DNS are consistent and the hostname matches will
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive Allow from 10.1.2.3<br />
003f0c9fda6664daf5092a0e42f65ede20098153slive Allow from 192.168.1.104 192.168.1.205
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive Allow from 10.1<br />
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive Allow from 10 172.20 192.168.2
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive <p>The first 1 to 3 bytes of an IP address, for subnet
58699879a562774640b95e9eedfd891f336e38c2nd </example>
58699879a562774640b95e9eedfd891f336e38c2nd <p>Similar to the previous case, except the netmask consists of
58699879a562774640b95e9eedfd891f336e38c2nd <p>Note that the last three examples above match exactly the
58699879a562774640b95e9eedfd891f336e38c2nd same set of hosts.</p>
fb77c505254b6e9c925e23e734463e87574f8f40kess <p>IPv6 addresses and IPv6 subnets can be specified as shown
fb77c505254b6e9c925e23e734463e87574f8f40kess below:</p>
fb77c505254b6e9c925e23e734463e87574f8f40kess Allow from 2001:db8::a00:20ff:fea7:ccea<br />
58699879a562774640b95e9eedfd891f336e38c2nd </example>
58699879a562774640b95e9eedfd891f336e38c2nd <p>The third format of the arguments to the
58699879a562774640b95e9eedfd891f336e38c2nd <directive>Allow</directive> directive allows access to the server
6b64034fa2a644ba291c484c0c01c7df5b8d982ckess to be controlled based on the existence of an <a
6b64034fa2a644ba291c484c0c01c7df5b8d982ckess href="/env.html">environment variable</a>. When <code>Allow from
58699879a562774640b95e9eedfd891f336e38c2nd env=<var>env-variable</var></code> is specified, then the request is
6b64034fa2a644ba291c484c0c01c7df5b8d982ckess allowed access if the environment variable <var>env-variable</var>
58699879a562774640b95e9eedfd891f336e38c2nd exists. When <code>Allow from env=!<var>env-variable</var></code> is
58699879a562774640b95e9eedfd891f336e38c2nd specified, then the request is allowed access if the environment
fb77c505254b6e9c925e23e734463e87574f8f40kess The server provides the ability to set environment
fb77c505254b6e9c925e23e734463e87574f8f40kess variables in a flexible way based on characteristics of the client
58699879a562774640b95e9eedfd891f336e38c2nd request using the directives provided by
58699879a562774640b95e9eedfd891f336e38c2nd <module>mod_setenvif</module>. Therefore, this directive can be
58699879a562774640b95e9eedfd891f336e38c2nd used to allow access based on such factors as the clients
58699879a562774640b95e9eedfd891f336e38c2nd <code>User-Agent</code> (browser type), <code>Referer</code>, or
58699879a562774640b95e9eedfd891f336e38c2nd other HTTP request header fields.</p>
58699879a562774640b95e9eedfd891f336e38c2nd SetEnvIf User-Agent ^KnockKnock/2\.0 let_me_in<br />
58699879a562774640b95e9eedfd891f336e38c2nd <Directory /docroot><br />
313bb560bc5c323cfd40c9cad7335b4b8e060aedkess Order Deny,Allow<br />
4a7affccb2f1f5b94cab395e1bf3825aed715ebcnd Deny from all<br />
4a7affccb2f1f5b94cab395e1bf3825aed715ebcnd Allow from env=let_me_in<br />
6b64034fa2a644ba291c484c0c01c7df5b8d982ckess </Directory>
6b64034fa2a644ba291c484c0c01c7df5b8d982ckess </example>
4a7affccb2f1f5b94cab395e1bf3825aed715ebcnd <p>In this case, browsers with a user-agent string beginning
4a7affccb2f1f5b94cab395e1bf3825aed715ebcnd with <code>KnockKnock/2.0</code> will be allowed access, and all
4a7affccb2f1f5b94cab395e1bf3825aed715ebcnd others will be denied.</p>
4a7affccb2f1f5b94cab395e1bf3825aed715ebcnd</directivesynopsis>
4a7affccb2f1f5b94cab395e1bf3825aed715ebcnd<directivesynopsis>
58699879a562774640b95e9eedfd891f336e38c2nd<description>Controls which hosts are denied access to the
58699879a562774640b95e9eedfd891f336e38c2ndserver</description>
58699879a562774640b95e9eedfd891f336e38c2nd<syntax> Deny from all|<var>host</var>|env=[!]<var>env-variable</var>
58699879a562774640b95e9eedfd891f336e38c2nd[<var>host</var>|env=[!]<var>env-variable</var>] ...</syntax>
58699879a562774640b95e9eedfd891f336e38c2nd<contextlist><context>directory</context><context>.htaccess</context>
4a7affccb2f1f5b94cab395e1bf3825aed715ebcnd</contextlist>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive <p>This directive allows access to the server to be restricted
003f0c9fda6664daf5092a0e42f65ede20098153slive based on hostname, IP address, or environment variables. The
313bb560bc5c323cfd40c9cad7335b4b8e060aedkess arguments for the <directive>Deny</directive> directive are
fb77c505254b6e9c925e23e734463e87574f8f40kess identical to the arguments for the <directive
a7f40ca49262952d6dd69d021cf5b0c2b452ae4cnd module="mod_access_compat">Allow</directive> directive.</p>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive</directivesynopsis>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive<directivesynopsis>
fb77c505254b6e9c925e23e734463e87574f8f40kess<description>Controls the default access state and the order in which
fb77c505254b6e9c925e23e734463e87574f8f40kess<directive>Allow</directive> and <directive>Deny</directive> are
6b64034fa2a644ba291c484c0c01c7df5b8d982ckessevaluated.</description>
10673857794a4b3d9568ca2d983722a87ed352f1rbowen<contextlist><context>directory</context><context>.htaccess</context>
fb77c505254b6e9c925e23e734463e87574f8f40kess</contextlist>
10673857794a4b3d9568ca2d983722a87ed352f1rbowen <p>The <directive>Order</directive> directive, along with the
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive <directive module="mod_access_compat">Allow</directive> and
fb77c505254b6e9c925e23e734463e87574f8f40kess <directive module="mod_access_compat">Deny</directive> directives,
fb77c505254b6e9c925e23e734463e87574f8f40kess controls a three-pass access control system. The first pass
fb77c505254b6e9c925e23e734463e87574f8f40kess processes either all <directive
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive module="mod_access_compat">Allow</directive> or all <directive
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive module="mod_access_compat">Deny</directive> directives, as specified
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive by the <directive module="mod_access_compat">Order</directive>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive directive. The second pass parses the rest of the directives
fb77c505254b6e9c925e23e734463e87574f8f40kess (<directive module="mod_access_compat">Deny</directive> or
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive <directive module="mod_access_compat">Allow</directive>). The third
a7f40ca49262952d6dd69d021cf5b0c2b452ae4cnd pass applies to all requests which do not match either of the first
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive module="mod_access_compat">Allow</directive> and <directive
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive module="mod_access_compat">Deny</directive> directives are
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive processed, unlike a typical firewall, where only the first match is
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive used. The last match is effective (also unlike a typical firewall).
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive Additionally, the order in which lines appear in the configuration
1f53e295ebd19aed1767d12da7abfab9936c148cjerenkrantz files is not significant -- all <directive
1f53e295ebd19aed1767d12da7abfab9936c148cjerenkrantz module="mod_access_compat">Allow</directive> lines are processed as
9ed9eaf871c58d281af02e76125ceadb5060afa5nd one group, all <directive
313bb560bc5c323cfd40c9cad7335b4b8e060aedkess module="mod_access_compat">Deny</directive> lines are considered as
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive another, and the default state is considered by itself.</p>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive module="mod_access_compat">Allow</directive> directives are
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive evaluated; at least one must match, or the request is rejected.
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive Next, all <directive module="mod_access_compat">Deny</directive>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive directives are evaluated. If any matches, the request is rejected.
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive Last, any requests which do not match an <directive
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive module="mod_access_compat">Allow</directive> or a <directive
313bb560bc5c323cfd40c9cad7335b4b8e060aedkess module="mod_access_compat">Deny</directive> directive are denied
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive by default.</dd>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive module="mod_access_compat">Deny</directive> directives are
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive evaluated; if any match, the request is denied
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive module="mod_access_compat">Allow</directive> directive. Any
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive requests which do not match any <directive
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive module="mod_access_compat">Allow</directive> or <directive
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive module="mod_access_compat">Deny</directive> directives are
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive permitted.</dd>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive Allow,Deny</code> and is deprecated in its favor.</dd>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive <p>Keywords may only be separated by a comma; <em>no whitespace</em>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive is allowed between them.</p>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive <p>In the following example, all hosts in the example.org domain
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive are allowed access; all other hosts are denied access.</p>
003f0c9fda6664daf5092a0e42f65ede20098153slive Order Deny,Allow<br />
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive Deny from all<br />
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive <p>In the next example, all hosts in the example.org domain are
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive allowed access, except for the hosts which are in the
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive foo.example.org subdomain, who are denied access. All hosts not
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive in the example.org domain are denied access because the default
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive state is to <directive module="mod_access_compat">Deny</directive>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive access to the server.</p>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive Order Allow,Deny<br />
9ed9eaf871c58d281af02e76125ceadb5060afa5nd </example>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive <p>On the other hand, if the <directive>Order</directive> in the
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive last example is changed to <code>Deny,Allow</code>, all hosts will
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive be allowed access. This happens because, regardless of the actual
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive ordering of the directives in the configuration file, the
a7f40ca49262952d6dd69d021cf5b0c2b452ae4cnd <code>Allow from example.org</code> will be evaluated last and will
a7f40ca49262952d6dd69d021cf5b0c2b452ae4cnd override the <code>Deny from foo.example.org</code>. All hosts not in
a7f40ca49262952d6dd69d021cf5b0c2b452ae4cnd the <code>example.org</code> domain will also be allowed access
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive because the default state is <directive
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive <p>The presence of an <directive>Order</directive> directive can
313bb560bc5c323cfd40c9cad7335b4b8e060aedkess affect access to a part of the server even in the absence of
313bb560bc5c323cfd40c9cad7335b4b8e060aedkess accompanying <directive module="mod_access_compat">Allow</directive>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive and <directive module="mod_access_compat">Deny</directive>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive directives because of its effect on the default access state. For
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive example,</p>
003f0c9fda6664daf5092a0e42f65ede20098153slive <Directory /www><br />
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive Order Allow,Deny<br />
530eba85dbd41b8a0fa5255d3648d1440199a661slive </Directory>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive <p>will Deny all access to the <code>/www</code> directory
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive because the default access state is set to
313bb560bc5c323cfd40c9cad7335b4b8e060aedkess <directive module="mod_access_compat">Deny</directive>.</p>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive <p>The <directive>Order</directive> directive controls the order of access
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive directive processing only within each phase of the server's
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive configuration processing. This implies, for example, that an
9ed9eaf871c58d281af02e76125ceadb5060afa5nd <directive module="mod_access_compat">Allow</directive> or <directive
9ed9eaf871c58d281af02e76125ceadb5060afa5nd module="mod_access_compat">Deny</directive> directive occurring in a
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive <directive module="core" type="section">Location</directive> section will
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive always be evaluated after an <directive
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive module="mod_access_compat">Allow</directive> or <directive
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive module="mod_access_compat">Deny</directive> directive occurring in a
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive <directive module="core" type="section">Directory</directive> section or
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive <code>.htaccess</code> file, regardless of the setting of the
4c7bdb15764021d39e486adb7bc2166d3f683773bnicholes <directive>Order</directive> directive. For details on the merging
4c7bdb15764021d39e486adb7bc2166d3f683773bnicholes of configuration sections, see the documentation on <a
fb77c505254b6e9c925e23e734463e87574f8f40kess href="/sections.html">How Directory, Location and Files sections
4c7bdb15764021d39e486adb7bc2166d3f683773bnicholes</directivesynopsis>
4c7bdb15764021d39e486adb7bc2166d3f683773bnicholes<directivesynopsis>
4c7bdb15764021d39e486adb7bc2166d3f683773bnicholes<description>Interaction between host-level access control and
4c7bdb15764021d39e486adb7bc2166d3f683773bnicholesuser authentication</description>
fb77c505254b6e9c925e23e734463e87574f8f40kess<contextlist><context>directory</context><context>.htaccess</context>
313bb560bc5c323cfd40c9cad7335b4b8e060aedkess</contextlist>
4c7bdb15764021d39e486adb7bc2166d3f683773bnicholes<compatibility>Influenced by <directive module="core" type="section"
4c7bdb15764021d39e486adb7bc2166d3f683773bnicholestype="section">LimitExcept</directive> in version 2.0.51 and
80c4526970a11f37c0f8e3b82afdf03902dac3f3slivelater</compatibility>
fb77c505254b6e9c925e23e734463e87574f8f40kess module="mod_access_compat">Allow</directive> and <directive
fb77c505254b6e9c925e23e734463e87574f8f40kess module="mod_authz_core">Require</directive> used. The parameter can be
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive either <code>All</code> or <code>Any</code>. This directive is only
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive useful if access to a particular area is being restricted by both
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive username/password <em>and</em> client host address. In this case
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive the default behavior (<code>All</code>) is to require that the client
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive passes the address access restriction <em>and</em> enters a valid
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive username and password. With the <code>Any</code> option the client will be
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive granted access if they either pass the host restriction or enter a
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive valid username and password. This can be used to password restrict
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive an area, but to let clients from particular addresses in without
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive prompting for a password.</p>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive <p>For example, if you wanted to let people on your network have
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive unrestricted access to a portion of your website, but require that
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive people outside of your network provide a password, you could use a
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive configuration similar to the following:</p>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive Require valid-user<br />
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive Allow from 192.168.1<br />
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive Satisfy Any
a7f40ca49262952d6dd69d021cf5b0c2b452ae4cnd </example>
a7f40ca49262952d6dd69d021cf5b0c2b452ae4cnd Another frequent use of the <directive>Satisfy</directive> directive
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive is to relax access restrictions for a subdirectory:
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive Require valid-user<br />
fb77c505254b6e9c925e23e734463e87574f8f40kess </Directory><br />
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive Allow from all<br />
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive Satisfy Any<br />
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive </Directory>
003f0c9fda6664daf5092a0e42f65ede20098153slive <p>In the above example, authentication will be required for the
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive <code>/var/www/private</code> directory, but will not be required
a7f40ca49262952d6dd69d021cf5b0c2b452ae4cnd for the <code>/var/www/private/public</code> directory.</p>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive <p>Since version 2.0.51 <directive>Satisfy</directive> directives can
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive be restricted to particular methods by <directive module="core"
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive type="section">Limit</directive> and <directive module="core" type="section"
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive <seealso><directive module="mod_access_compat">Allow</directive></seealso>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive <seealso><directive module="mod_authz_core">Require</directive></seealso>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive</directivesynopsis>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive</modulesynopsis>