mod_access_compat.xml revision 6fb0d7c7ef6ba46708b168dfb50ac252a4338d8d
530eba85dbd41b8a0fa5255d3648d1440199a661slive<!DOCTYPE modulesynopsis SYSTEM "/style/modulesynopsis.dtd">
e942c741056732f50da2074b36fe59805d370650slive<?xml-stylesheet type="text/xsl" href="/style/manual.en.xsl"?>
5f5d1b4cc970b7f06ff8ef6526128e9a27303d88nd<!-- $LastChangedRevision: 327999 $ -->
db479b48bd4d75423ed4a45e15b75089d1a8ad72fielding Copyright 2002-2005 The Apache Software Foundation or its licensors, as
db479b48bd4d75423ed4a45e15b75089d1a8ad72fielding applicable.
db479b48bd4d75423ed4a45e15b75089d1a8ad72fielding Licensed under the Apache License, Version 2.0 (the "License");
db479b48bd4d75423ed4a45e15b75089d1a8ad72fielding you may not use this file except in compliance with the License.
db479b48bd4d75423ed4a45e15b75089d1a8ad72fielding You may obtain a copy of the License at
d5d794fc2f4cc9ca6d6da17cfa2cdcd8d244bacdnd Unless required by applicable law or agreed to in writing, software
d5d794fc2f4cc9ca6d6da17cfa2cdcd8d244bacdnd distributed under the License is distributed on an "AS IS" BASIS,
d5d794fc2f4cc9ca6d6da17cfa2cdcd8d244bacdnd WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
d5d794fc2f4cc9ca6d6da17cfa2cdcd8d244bacdnd See the License for the specific language governing permissions and
d5d794fc2f4cc9ca6d6da17cfa2cdcd8d244bacdnd limitations under the License.
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive<description>Group authorizations based on host (name or IP
80c4526970a11f37c0f8e3b82afdf03902dac3f3sliveaddress)</description>
7e8f5c6496b3825b6b128e2aacc4b1b09d28553dpquerna<compatibility>Available in Apache 2.3 as a compatibility module with
7e8f5c6496b3825b6b128e2aacc4b1b09d28553dpquernaprevious versions of Apache 2.x. The directives provided by this module
7e8f5c6496b3825b6b128e2aacc4b1b09d28553dpquernahave been deprecated by the new authz refactoring. Please see
7e8f5c6496b3825b6b128e2aacc4b1b09d28553dpquerna <p>The directives provided by <module>mod_access_compat</module> are
7e8f5c6496b3825b6b128e2aacc4b1b09d28553dpquerna used in <directive module="core" type="section">Directory</directive>,
7e8f5c6496b3825b6b128e2aacc4b1b09d28553dpquerna <directive module="core" type="section">Files</directive>, and
7e8f5c6496b3825b6b128e2aacc4b1b09d28553dpquerna <directive module="core" type="section">Location</directive> sections
7e8f5c6496b3825b6b128e2aacc4b1b09d28553dpquerna as well as <code><a href="core.html#accessfilename">.htaccess</a>
7e8f5c6496b3825b6b128e2aacc4b1b09d28553dpquerna </code> files to control access to particular parts of the server.
7e8f5c6496b3825b6b128e2aacc4b1b09d28553dpquerna Access can be controlled based on the client hostname, IP address, or
5ae609a8a09239d20f48a4a95c4f21b713995babwrowe other characteristics of the client request, as captured in <a
5ae609a8a09239d20f48a4a95c4f21b713995babwrowe href="/env.html">environment variables</a>. The <directive
5ae609a8a09239d20f48a4a95c4f21b713995babwrowe module="mod_access_compat">Allow</directive> and <directive
5ae609a8a09239d20f48a4a95c4f21b713995babwrowe module="mod_access_compat">Deny</directive> directives are used to
5ae609a8a09239d20f48a4a95c4f21b713995babwrowe specify which clients are or are not allowed access to the server,
5ae609a8a09239d20f48a4a95c4f21b713995babwrowe while the <directive module="mod_access_compat">Order</directive>
5ae609a8a09239d20f48a4a95c4f21b713995babwrowe directive sets the default access state, and configures how the
5ae609a8a09239d20f48a4a95c4f21b713995babwrowe <directive module="mod_access_compat">Allow</directive> and <directive
7e8f5c6496b3825b6b128e2aacc4b1b09d28553dpquerna module="mod_access_compat">Deny</directive> directives interact with each
7e8f5c6496b3825b6b128e2aacc4b1b09d28553dpquerna <p>Both host-based access restrictions and password-based
7e8f5c6496b3825b6b128e2aacc4b1b09d28553dpquerna authentication may be implemented simultaneously. In that case,
7e8f5c6496b3825b6b128e2aacc4b1b09d28553dpquerna the <directive module="core">Satisfy</directive> directive is used
7e8f5c6496b3825b6b128e2aacc4b1b09d28553dpquerna to determine how the two sets of restrictions interact.</p>
7e8f5c6496b3825b6b128e2aacc4b1b09d28553dpquerna <p>The directives provided by <module>mod_access_compat</module> have
7e8f5c6496b3825b6b128e2aacc4b1b09d28553dpquerna been deprecated by the new authz refactoring. Please see
7e8f5c6496b3825b6b128e2aacc4b1b09d28553dpquerna <module>mod_authz_default</module> must also be loaded to provide for
7e8f5c6496b3825b6b128e2aacc4b1b09d28553dpquerna default authorization handling.</p>
7e8f5c6496b3825b6b128e2aacc4b1b09d28553dpquerna <p>In general, access restriction directives apply to all
7e8f5c6496b3825b6b128e2aacc4b1b09d28553dpquerna <code>POST</code>, etc). This is the desired behavior in most
7e8f5c6496b3825b6b128e2aacc4b1b09d28553dpquerna cases. However, it is possible to restrict some methods, while
7e8f5c6496b3825b6b128e2aacc4b1b09d28553dpquerna leaving other methods unrestricted, by enclosing the directives
7e8f5c6496b3825b6b128e2aacc4b1b09d28553dpquerna in a <directive module="core" type="section">Limit</directive> section.</p>
7e8f5c6496b3825b6b128e2aacc4b1b09d28553dpquerna<seealso><directive module="mod_authz_core">Require</directive></seealso>
5ae609a8a09239d20f48a4a95c4f21b713995babwrowe<directivesynopsis>
5ae609a8a09239d20f48a4a95c4f21b713995babwrowe<description>Controls which hosts can access an area of the
5ae609a8a09239d20f48a4a95c4f21b713995babwroweserver</description>
5ae609a8a09239d20f48a4a95c4f21b713995babwrowe<syntax> Allow from all|<var>host</var>|env=<var>env-variable</var>
5ae609a8a09239d20f48a4a95c4f21b713995babwrowe[<var>host</var>|env=<var>env-variable</var>] ...</syntax>
5ae609a8a09239d20f48a4a95c4f21b713995babwrowe<contextlist><context>directory</context><context>.htaccess</context>
5ae609a8a09239d20f48a4a95c4f21b713995babwrowe</contextlist>
5ae609a8a09239d20f48a4a95c4f21b713995babwrowe <p>The <directive>Allow</directive> directive affects which hosts can
5ae609a8a09239d20f48a4a95c4f21b713995babwrowe access an area of the server. Access can be controlled by
5ae609a8a09239d20f48a4a95c4f21b713995babwrowe hostname, IP Address, IP Address range, or by other
5ae609a8a09239d20f48a4a95c4f21b713995babwrowe characteristics of the client request captured in environment
5ae609a8a09239d20f48a4a95c4f21b713995babwrowe variables.</p>
5ae609a8a09239d20f48a4a95c4f21b713995babwrowe <p>The first argument to this directive is always
5ae609a8a09239d20f48a4a95c4f21b713995babwrowe <code>from</code>. The subsequent arguments can take three
5ae609a8a09239d20f48a4a95c4f21b713995babwrowe different forms. If <code>Allow from all</code> is specified, then
5ae609a8a09239d20f48a4a95c4f21b713995babwrowe all hosts are allowed access, subject to the configuration of the
5ae609a8a09239d20f48a4a95c4f21b713995babwrowe <directive module="mod_access_compat">Deny</directive> and <directive
7e8f5c6496b3825b6b128e2aacc4b1b09d28553dpquerna module="mod_access_compat">Order</directive> directives as discussed
7e8f5c6496b3825b6b128e2aacc4b1b09d28553dpquerna below. To allow only particular hosts or groups of hosts to access
7e8f5c6496b3825b6b128e2aacc4b1b09d28553dpquerna the server, the <em>host</em> can be specified in any of the
7e8f5c6496b3825b6b128e2aacc4b1b09d28553dpquerna following formats:</p>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive Allow from .net example.edu
88d86cfadffe2275a3dfb67a4d7bdc018630b661rbowen <p>Hosts whose names match, or end in, this string are allowed
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive access. Only complete components are matched, so the above
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive example will match <code>foo.apache.org</code> but it will not
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive match <code>fooapache.org</code>. This configuration will cause
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive Apache to perform a double reverse DNS lookup on the client IP
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive address, regardless of the setting of the <directive
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive module="core">HostnameLookups</directive> directive. It will do
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive a reverse DNS lookup on the IP address to find the associated
fb77c505254b6e9c925e23e734463e87574f8f40kess hostname, and then do a forward lookup on the hostname to assure
fb77c505254b6e9c925e23e734463e87574f8f40kess that it matches the original IP address. Only if the forward
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive and reverse DNS are consistent and the hostname matches will
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive Allow from 10.1.2.3<br />
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive Allow from 192.168.1.104 192.168.1.205
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive Allow from 10.1<br />
fb77c505254b6e9c925e23e734463e87574f8f40kess Allow from 10 172.20 192.168.2
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive <p>The first 1 to 3 bytes of an IP address, for subnet
bc4b55ec8f31569d606d5680d50189a355bcd7a6rbowen <p>A network a.b.c.d, and a netmask w.x.y.z. For more
fb77c505254b6e9c925e23e734463e87574f8f40kess <p>Similar to the previous case, except the netmask consists of
130d299c4b2b15be45532a176604c71fdc7bea5bnd <p>Note that the last three examples above match exactly the
130d299c4b2b15be45532a176604c71fdc7bea5bnd same set of hosts.</p>
130d299c4b2b15be45532a176604c71fdc7bea5bnd <p>IPv6 addresses and IPv6 subnets can be specified as shown
130d299c4b2b15be45532a176604c71fdc7bea5bnd below:</p>
130d299c4b2b15be45532a176604c71fdc7bea5bnd Allow from 2001:db8::a00:20ff:fea7:ccea<br />
a7f40ca49262952d6dd69d021cf5b0c2b452ae4cnd </example>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive <p>The third format of the arguments to the
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive <directive>Allow</directive> directive allows access to the server
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive to be controlled based on the existence of an <a
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive href="/env.html">environment variable</a>. When <code>Allow from
003f0c9fda6664daf5092a0e42f65ede20098153slive env=<var>env-variable</var></code> is specified, then the request is
a7f40ca49262952d6dd69d021cf5b0c2b452ae4cnd allowed access if the environment variable <var>env-variable</var>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive exists. The server provides the ability to set environment
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive variables in a flexible way based on characteristics of the client
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive request using the directives provided by
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive <module>mod_setenvif</module>. Therefore, this directive can be
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive used to allow access based on such factors as the clients
313bb560bc5c323cfd40c9cad7335b4b8e060aedkess <code>User-Agent</code> (browser type), <code>Referer</code>, or
003f0c9fda6664daf5092a0e42f65ede20098153slive other HTTP request header fields.</p>
6b64034fa2a644ba291c484c0c01c7df5b8d982ckess SetEnvIf User-Agent ^KnockKnock/2\.0 let_me_in<br />
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive <Directory /docroot><br />
a7f40ca49262952d6dd69d021cf5b0c2b452ae4cnd Order Deny,Allow<br />
a7f40ca49262952d6dd69d021cf5b0c2b452ae4cnd Deny from all<br />
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive Allow from env=let_me_in<br />
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive </Directory>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive <p>In this case, browsers with a user-agent string beginning
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive with <code>KnockKnock/2.0</code> will be allowed access, and all
130d299c4b2b15be45532a176604c71fdc7bea5bnd others will be denied.</p>
130d299c4b2b15be45532a176604c71fdc7bea5bnd</directivesynopsis>
130d299c4b2b15be45532a176604c71fdc7bea5bnd<directivesynopsis>
a7f40ca49262952d6dd69d021cf5b0c2b452ae4cnd<description>Controls which hosts are denied access to the
80c4526970a11f37c0f8e3b82afdf03902dac3f3sliveserver</description>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive<syntax> Deny from all|<var>host</var>|env=<var>env-variable</var>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive[<var>host</var>|env=<var>env-variable</var>] ...</syntax>
1a3f62ca37273a15a06bb94a61d3c6fcf4bf38c9rbowen<contextlist><context>directory</context><context>.htaccess</context>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive</contextlist>
843a03fe0b138a4c1f64cb90a014e9417ac30691fielding <p>This directive allows access to the server to be restricted
684f2a9a422185adda0692a1203c5ad6687fc5c5nd based on hostname, IP address, or environment variables. The
a7f40ca49262952d6dd69d021cf5b0c2b452ae4cnd arguments for the <directive>Deny</directive> directive are
530eba85dbd41b8a0fa5255d3648d1440199a661slive identical to the arguments for the <directive
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive module="mod_access_compat">Allow</directive> directive.</p>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive</directivesynopsis>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive<directivesynopsis>
843a03fe0b138a4c1f64cb90a014e9417ac30691fielding<description>Controls the default access state and the order in which
843a03fe0b138a4c1f64cb90a014e9417ac30691fielding<directive>Allow</directive> and <directive>Deny</directive> are
843a03fe0b138a4c1f64cb90a014e9417ac30691fieldingevaluated.</description>
684f2a9a422185adda0692a1203c5ad6687fc5c5nd<contextlist><context>directory</context><context>.htaccess</context>
843a03fe0b138a4c1f64cb90a014e9417ac30691fielding</contextlist>
843a03fe0b138a4c1f64cb90a014e9417ac30691fielding <p>The <directive>Order</directive> directive controls the default
b24c77ceb4cea5ffa92536e19f0aa83608960dc4fielding access state and the order in which <directive
843a03fe0b138a4c1f64cb90a014e9417ac30691fielding module="mod_access_compat">Allow</directive> and <directive
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive module="mod_access_compat">Deny</directive> directives are evaluated.
843a03fe0b138a4c1f64cb90a014e9417ac30691fielding <dd>The <directive module="mod_access_compat">Deny</directive> directives
843a03fe0b138a4c1f64cb90a014e9417ac30691fielding are evaluated before the <directive
843a03fe0b138a4c1f64cb90a014e9417ac30691fielding module="mod_access_compat">Allow</directive> directives. Access is
843a03fe0b138a4c1f64cb90a014e9417ac30691fielding allowed by default. Any client which does not match a
843a03fe0b138a4c1f64cb90a014e9417ac30691fielding <directive module="mod_access_compat">Deny</directive> directive or does
843a03fe0b138a4c1f64cb90a014e9417ac30691fielding match an <directive module="mod_access_compat">Allow</directive>
843a03fe0b138a4c1f64cb90a014e9417ac30691fielding directive will be allowed access to the server.</dd>
843a03fe0b138a4c1f64cb90a014e9417ac30691fielding <dd>The <directive module="mod_access_compat">Allow</directive>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive directives are evaluated before the <directive
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive module="mod_access_compat">Deny</directive> directives. Access is denied
77ead9e0262e4f08ec336d1a65b2edef7705c839nd by default. Any client which does not match an <directive
77ead9e0262e4f08ec336d1a65b2edef7705c839nd module="mod_access_compat">Allow</directive> directive or does match a
9583adab6bc4b3758e41963c905d9dad9f067131nd <directive module="mod_access_compat">Deny</directive> directive will be
77ead9e0262e4f08ec336d1a65b2edef7705c839nd denied access to the server.</dd>
88d86cfadffe2275a3dfb67a4d7bdc018630b661rbowen module="mod_access_compat">Allow</directive> list and do not appear on
77ead9e0262e4f08ec336d1a65b2edef7705c839nd the <directive module="mod_access_compat">Deny</directive> list are
77ead9e0262e4f08ec336d1a65b2edef7705c839nd granted access. This ordering has the same effect as <code>Order
77ead9e0262e4f08ec336d1a65b2edef7705c839nd Allow,Deny</code> and is deprecated in favor of that
77ead9e0262e4f08ec336d1a65b2edef7705c839nd configuration.</dd>
77ead9e0262e4f08ec336d1a65b2edef7705c839nd <p>Keywords may only be separated by a comma; <em>no whitespace</em> is
77ead9e0262e4f08ec336d1a65b2edef7705c839nd allowed between them. Note that in all cases every <directive
77ead9e0262e4f08ec336d1a65b2edef7705c839nd module="mod_access_compat">Allow</directive> and <directive
77ead9e0262e4f08ec336d1a65b2edef7705c839nd module="mod_access_compat">Deny</directive> statement is evaluated.</p>
77ead9e0262e4f08ec336d1a65b2edef7705c839nd <p>In the following example, all hosts in the apache.org domain
9b5e2c5e769dc678a1aca06df75c32022b2f1492trawick are allowed access; all other hosts are denied access.</p>
77ead9e0262e4f08ec336d1a65b2edef7705c839nd Order Deny,Allow<br />
77ead9e0262e4f08ec336d1a65b2edef7705c839nd Deny from all<br />
77ead9e0262e4f08ec336d1a65b2edef7705c839nd </example>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive <p>In the next example, all hosts in the apache.org domain are
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive allowed access, except for the hosts which are in the
003f0c9fda6664daf5092a0e42f65ede20098153slive foo.apache.org subdomain, who are denied access. All hosts not
313bb560bc5c323cfd40c9cad7335b4b8e060aedkess in the apache.org domain are denied access because the default
fb77c505254b6e9c925e23e734463e87574f8f40kess state is to deny access to the server.</p>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive Order Allow,Deny<br />
fb77c505254b6e9c925e23e734463e87574f8f40kess </example>
fb77c505254b6e9c925e23e734463e87574f8f40kess <p>On the other hand, if the <directive>Order</directive> in the last
6b64034fa2a644ba291c484c0c01c7df5b8d982ckess example is changed to <code>Deny,Allow</code>, all hosts will
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive be allowed access. This happens because, regardless of the
313bb560bc5c323cfd40c9cad7335b4b8e060aedkess actual ordering of the directives in the configuration file,
10673857794a4b3d9568ca2d983722a87ed352f1rbowen the <code>Allow from apache.org</code> will be evaluated last
fb77c505254b6e9c925e23e734463e87574f8f40kess and will override the <code>Deny from foo.apache.org</code>.
b12b918ae6baf9c5762ed61b7393d0e2198378c0nd All hosts not in the <code>apache.org</code> domain will also
b12b918ae6baf9c5762ed61b7393d0e2198378c0nd be allowed access because the default state will change to
10673857794a4b3d9568ca2d983722a87ed352f1rbowen <p>The presence of an <directive>Order</directive> directive can affect
10673857794a4b3d9568ca2d983722a87ed352f1rbowen access to a part of the server even in the absence of accompanying
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive <directive module="mod_access_compat">Allow</directive> and <directive
fb77c505254b6e9c925e23e734463e87574f8f40kess module="mod_access_compat">Deny</directive> directives because of its effect
fb77c505254b6e9c925e23e734463e87574f8f40kess on the default access state. For example,</p>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive <Directory /www><br />
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive Order Allow,Deny<br />
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive </Directory>
a7f40ca49262952d6dd69d021cf5b0c2b452ae4cnd </example>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive <p>will deny all access to the <code>/www</code> directory
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive because the default access state will be set to
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive <p>The <directive>Order</directive> directive controls the order of access
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive directive processing only within each phase of the server's
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive configuration processing. This implies, for example, that an
1f53e295ebd19aed1767d12da7abfab9936c148cjerenkrantz <directive module="mod_access_compat">Allow</directive> or <directive
1f53e295ebd19aed1767d12da7abfab9936c148cjerenkrantz module="mod_access_compat">Deny</directive> directive occurring in a
9ed9eaf871c58d281af02e76125ceadb5060afa5nd <directive module="core" type="section">Location</directive> section will
9cd3b05d7b70f07a742bbaf548fa4fa2bdbe5ce6noodl always be evaluated after an <directive
9cd3b05d7b70f07a742bbaf548fa4fa2bdbe5ce6noodl module="mod_access_compat">Allow</directive> or <directive
1f53e295ebd19aed1767d12da7abfab9936c148cjerenkrantz module="mod_access_compat">Deny</directive> directive occurring in a
9cd3b05d7b70f07a742bbaf548fa4fa2bdbe5ce6noodl <directive module="core" type="section">Directory</directive> section or
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive <code>.htaccess</code> file, regardless of the setting of the
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive <directive>Order</directive> directive. For details on the merging
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive of configuration sections, see the documentation on <a
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive href="/sections.html">How Directory, Location and Files sections
b24c77ceb4cea5ffa92536e19f0aa83608960dc4fielding</directivesynopsis>
b24c77ceb4cea5ffa92536e19f0aa83608960dc4fielding<directivesynopsis>
b24c77ceb4cea5ffa92536e19f0aa83608960dc4fielding<description>Interaction between host-level access control and
b24c77ceb4cea5ffa92536e19f0aa83608960dc4fieldinguser authentication</description>
5528d1a30ae8560e2d7a96d734ffe31500dc6113rpluem<contextlist><context>directory</context><context>.htaccess</context>
5528d1a30ae8560e2d7a96d734ffe31500dc6113rpluem</contextlist>
5528d1a30ae8560e2d7a96d734ffe31500dc6113rpluem<compatibility>Influenced by <directive module="core" type="section"
5528d1a30ae8560e2d7a96d734ffe31500dc6113rpluemtype="section">LimitExcept</directive> in version 2.0.51 and
5528d1a30ae8560e2d7a96d734ffe31500dc6113rpluemlater</compatibility>
5528d1a30ae8560e2d7a96d734ffe31500dc6113rpluem module="mod_authz_host">Allow</directive> and <directive
5528d1a30ae8560e2d7a96d734ffe31500dc6113rpluem module="mod_authz_core">Require</directive> used. The parameter can be
5528d1a30ae8560e2d7a96d734ffe31500dc6113rpluem either <code>All</code> or <code>Any</code>. This directive is only
5528d1a30ae8560e2d7a96d734ffe31500dc6113rpluem useful if access to a particular area is being restricted by both
5528d1a30ae8560e2d7a96d734ffe31500dc6113rpluem username/password <em>and</em> client host address. In this case
5528d1a30ae8560e2d7a96d734ffe31500dc6113rpluem the default behavior (<code>All</code>) is to require that the client
5528d1a30ae8560e2d7a96d734ffe31500dc6113rpluem passes the address access restriction <em>and</em> enters a valid
5528d1a30ae8560e2d7a96d734ffe31500dc6113rpluem username and password. With the <code>Any</code> option the client will be
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive granted access if they either pass the host restriction or enter a
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive valid username and password. This can be used to password restrict
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive an area, but to let clients from particular addresses in without
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive prompting for a password.</p>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive <p>For example, if you wanted to let people on your network have
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive unrestricted access to a portion of your website, but require that
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive people outside of your network provide a password, you could use a
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive configuration similar to the following:</p>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive Require valid-user<br />
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive Allow from 192.168.1<br />
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive Satisfy Any
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive <p>Since version 2.0.51 <directive>Satisfy</directive> directives can
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive be restricted to particular methods by <directive module="core"
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive type="section">Limit</directive> and <directive module="core" type="section"
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive <seealso><directive module="mod_access_compat">Allow</directive></seealso>
80c4526970a11f37c0f8e3b82afdf03902dac3f3slive <seealso><directive module="mod_authz_core">Require</directive></seealso>
9ed9eaf871c58d281af02e76125ceadb5060afa5nd</directivesynopsis>
9ed9eaf871c58d281af02e76125ceadb5060afa5nd</modulesynopsis>