mod_access_compat.xml revision a330659fa32865eb8521adaccf5d9b75687b9aeb
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu<!DOCTYPE modulesynopsis SYSTEM "/style/modulesynopsis.dtd">
e9458b1a7a19a63aa4c179f9ab20f4d50681c168Jens Elkner<?xml-stylesheet type="text/xsl" href="/style/manual.en.xsl"?>
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu<!-- $LastChangedRevision$ -->
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu Licensed to the Apache Software Foundation (ASF) under one or more
431571057e88a650a974adec93ea4bb5173b6213Felix Gabriel Mance contributor license agreements. See the NOTICE file distributed with
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu this work for additional information regarding copyright ownership.
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu The ASF licenses this file to You under the Apache License, Version 2.0
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu (the "License"); you may not use this file except in compliance with
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu the License. You may obtain a copy of the License at
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu http://www.apache.org/licenses/LICENSE-2.0
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu Unless required by applicable law or agreed to in writing, software
80875f917d741946a39d0ec0b5721e46ba609823Till Mossakowski distributed under the License is distributed on an "AS IS" BASIS,
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
a604cbad8e2202147b5c6bb9f2e06ae61162d654Felix Gabriel Mance See the License for the specific language governing permissions and
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu limitations under the License.
fc05327b875b5723b6c17849b83477f29ec12c90Felix Gabriel Mance<modulesynopsis metafile="mod_access_compat.xml.meta">
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu<description>Group authorizations based on host (name or IP
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiuaddress)</description>
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu<sourcefile>mod_access_compat.c</sourcefile>
e0f1794e365dd347e97b37d7d22b2fce27296fa1Christian Maeder<identifier>access_compat_module</identifier>
424860079d47bf490fa98d5d7498096a0447c569mcodescu<compatibility>Available in Apache HTTP Server 2.3 as a compatibility module with
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiuprevious versions of Apache httpd 2.x. The directives provided by this module
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiuhave been deprecated by the new authz refactoring. Please see
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu <p>The directives provided by <module>mod_access_compat</module> are
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu used in <directive module="core" type="section">Directory</directive>,
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu <directive module="core" type="section">Files</directive>, and
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu <directive module="core" type="section">Location</directive> sections
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu as well as <code><a href="core.html#accessfilename">.htaccess</a>
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu </code> files to control access to particular parts of the server.
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu Access can be controlled based on the client hostname, IP address, or
27fdf879983dd28e211b41f3be6c0e930b7c816bFelix Gabriel Mance other characteristics of the client request, as captured in <a
431571057e88a650a974adec93ea4bb5173b6213Felix Gabriel Mance href="/env.html">environment variables</a>. The <directive
1a38107941725211e7c3f051f7a8f5e12199f03acmaeder module="mod_access_compat">Allow</directive> and <directive
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu module="mod_access_compat">Deny</directive> directives are used to
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu specify which clients are or are not allowed access to the server,
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu while the <directive module="mod_access_compat">Order</directive>
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu directive sets the default access state, and configures how the
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu <directive module="mod_access_compat">Allow</directive> and <directive
b84c87f199dc287d235d7dad6ea344f6912ef531Christian Maeder module="mod_access_compat">Deny</directive> directives interact with each
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu <p>Both host-based access restrictions and password-based
be00381168b3f10192afabbba136fb06d3a9f358Christian Maeder authentication may be implemented simultaneously. In that case,
be00381168b3f10192afabbba136fb06d3a9f358Christian Maeder the <directive module="mod_access_compat">Satisfy</directive> directive is used
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu to determine how the two sets of restrictions interact.</p>
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu <p>The directives provided by <module>mod_access_compat</module> have
27fdf879983dd28e211b41f3be6c0e930b7c816bFelix Gabriel Mance been deprecated by the new authz refactoring. Please see
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu <module>mod_authz_host</module>.</p>
d0f58d27c2536eba454d8f77de8617bc6a2c99cdFelix Gabriel Mance <p>In general, access restriction directives apply to all
d0f58d27c2536eba454d8f77de8617bc6a2c99cdFelix Gabriel Mance access methods (<code>GET</code>, <code>PUT</code>,
d0f58d27c2536eba454d8f77de8617bc6a2c99cdFelix Gabriel Mance <code>POST</code>, etc). This is the desired behavior in most
d0f58d27c2536eba454d8f77de8617bc6a2c99cdFelix Gabriel Mance cases. However, it is possible to restrict some methods, while
431571057e88a650a974adec93ea4bb5173b6213Felix Gabriel Mance leaving other methods unrestricted, by enclosing the directives
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu in a <directive module="core" type="section">Limit</directive> section.</p>
60f30f0eeeacdfc1e0dfe39664373ddf5a0675adFelix Gabriel Mance<seealso><directive module="mod_authz_core">Require</directive></seealso>
60f30f0eeeacdfc1e0dfe39664373ddf5a0675adFelix Gabriel Mance<seealso><module>mod_authz_host</module></seealso>
0dd6e7830de0887c9a12356447975a826b3b3db2Christian Maeder<seealso><module>mod_authz_core</module></seealso>
424860079d47bf490fa98d5d7498096a0447c569mcodescu<directivesynopsis>
60f30f0eeeacdfc1e0dfe39664373ddf5a0675adFelix Gabriel Mance<description>Controls which hosts can access an area of the
d6d81ead61a5f9fb7d047e623f7898e730c258camcodescuserver</description>
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu<syntax> Allow from all|<var>host</var>|env=[!]<var>env-variable</var>
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu[<var>host</var>|env=[!]<var>env-variable</var>] ...</syntax>
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu<contextlist><context>directory</context><context>.htaccess</context>
9475501a6acf48434052d9e6f4a05ed6681eaaabFrancisc Nicolae Bungiu <p>The <directive>Allow</directive> directive affects which hosts can
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu access an area of the server. Access can be controlled by
7852de3551fc797566ee71165bafe05b6d81728cnotanartist hostname, IP address, IP address range, or by other
80875f917d741946a39d0ec0b5721e46ba609823Till Mossakowski characteristics of the client request captured in environment
80875f917d741946a39d0ec0b5721e46ba609823Till Mossakowski variables.</p>
0dd6e7830de0887c9a12356447975a826b3b3db2Christian Maeder <p>The first argument to this directive is always
0dd6e7830de0887c9a12356447975a826b3b3db2Christian Maeder <code>from</code>. The subsequent arguments can take three
424860079d47bf490fa98d5d7498096a0447c569mcodescu different forms. If <code>Allow from all</code> is specified, then
0dd6e7830de0887c9a12356447975a826b3b3db2Christian Maeder all hosts are allowed access, subject to the configuration of the
0dd6e7830de0887c9a12356447975a826b3b3db2Christian Maeder <directive module="mod_access_compat">Deny</directive> and <directive
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu module="mod_access_compat">Order</directive> directives as discussed
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu below. To allow only particular hosts or groups of hosts to access
d0f58d27c2536eba454d8f77de8617bc6a2c99cdFelix Gabriel Mance the server, the <em>host</em> can be specified in any of the
60f30f0eeeacdfc1e0dfe39664373ddf5a0675adFelix Gabriel Mance following formats:</p>
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu <p>Hosts whose names match, or end in, this string are allowed
3d3889e0cefcdce9b3f43c53aaa201943ac2e895Jonathan von Schroeder access. Only complete components are matched, so the above
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu example will match <code>foo.example.org</code> but it will not
3d3889e0cefcdce9b3f43c53aaa201943ac2e895Jonathan von Schroeder match <code>fooexample.org</code>. This configuration will cause
3d3889e0cefcdce9b3f43c53aaa201943ac2e895Jonathan von Schroeder Apache httpd to perform a double DNS lookup on the client IP
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu address, regardless of the setting of the <directive
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu module="core">HostnameLookups</directive> directive. It will do
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu a reverse DNS lookup on the IP address to find the associated
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu hostname, and then do a forward lookup on the hostname to assure
3d3889e0cefcdce9b3f43c53aaa201943ac2e895Jonathan von Schroeder that it matches the original IP address. Only if the forward
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu and reverse DNS are consistent and the hostname matches will
d3cb3401882f6956de016f8eecbec1cd3b868acbFelix Gabriel Mance Allow from 10.1.2.3<br />
d3cb3401882f6956de016f8eecbec1cd3b868acbFelix Gabriel Mance Allow from 192.168.1.104 192.168.1.205
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu <p>An IP address of a host allowed access</p></dd>
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu Allow from 10.1<br />
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu Allow from 10 172.20 192.168.2
0dd6e7830de0887c9a12356447975a826b3b3db2Christian Maeder <p>The first 1 to 3 bytes of an IP address, for subnet
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu <p>A network a.b.c.d, and a netmask w.x.y.z. For more
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu fine-grained subnet restriction.</p></dd>
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu <dt>A network/nnn CIDR specification</dt>
80875f917d741946a39d0ec0b5721e46ba609823Till Mossakowski <p>Similar to the previous case, except the netmask consists of
cf0439f74f1d55a9840d38a88f9b0f4fc00d5547Christian Maeder <p>Note that the last three examples above match exactly the
cf0439f74f1d55a9840d38a88f9b0f4fc00d5547Christian Maeder same set of hosts.</p>
cf0439f74f1d55a9840d38a88f9b0f4fc00d5547Christian Maeder <p>IPv6 addresses and IPv6 subnets can be specified as shown
cf0439f74f1d55a9840d38a88f9b0f4fc00d5547Christian Maeder Allow from 2001:db8::a00:20ff:fea7:ccea<br />
cf0439f74f1d55a9840d38a88f9b0f4fc00d5547Christian Maeder <p>The third format of the arguments to the
cf0439f74f1d55a9840d38a88f9b0f4fc00d5547Christian Maeder <directive>Allow</directive> directive allows access to the server
cf0439f74f1d55a9840d38a88f9b0f4fc00d5547Christian Maeder to be controlled based on the existence of an <a
cf0439f74f1d55a9840d38a88f9b0f4fc00d5547Christian Maeder href="/env.html">environment variable</a>. When <code>Allow from
cf0439f74f1d55a9840d38a88f9b0f4fc00d5547Christian Maeder env=<var>env-variable</var></code> is specified, then the request is
cf0439f74f1d55a9840d38a88f9b0f4fc00d5547Christian Maeder allowed access if the environment variable <var>env-variable</var>
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu exists. When <code>Allow from env=!<var>env-variable</var></code> is
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu specified, then the request is allowed access if the environment
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu The server provides the ability to set environment
7852de3551fc797566ee71165bafe05b6d81728cnotanartist variables in a flexible way based on characteristics of the client
80875f917d741946a39d0ec0b5721e46ba609823Till Mossakowski request using the directives provided by
624f8c31bd8d6746b93f4b5966aa6fc7680fefc5Felix Gabriel Mance <module>mod_setenvif</module>. Therefore, this directive can be
80875f917d741946a39d0ec0b5721e46ba609823Till Mossakowski used to allow access based on such factors as the clients
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu <code>User-Agent</code> (browser type), <code>Referer</code>, or
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu other HTTP request header fields.</p>
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu SetEnvIf User-Agent ^KnockKnock/2\.0 let_me_in<br />
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu <Directory /docroot><br />
b84c87f199dc287d235d7dad6ea344f6912ef531Christian Maeder Order Deny,Allow<br />
624f8c31bd8d6746b93f4b5966aa6fc7680fefc5Felix Gabriel Mance Deny from all<br />
7852de3551fc797566ee71165bafe05b6d81728cnotanartist Allow from env=let_me_in<br />
1a38107941725211e7c3f051f7a8f5e12199f03acmaeder </Directory>
ee93ea764a2b8189253e912c8447f9419033f6d4Francisc Nicolae Bungiu <p>In this case, browsers with a user-agent string beginning
d0f58d27c2536eba454d8f77de8617bc6a2c99cdFelix Gabriel Mance with <code>KnockKnock/2.0</code> will be allowed access, and all
431571057e88a650a974adec93ea4bb5173b6213Felix Gabriel Mance others will be denied.</p>
b90f0b7fd6ccfbdd7e5adb65b1f6c02c7758ff5cmcodescu</directivesynopsis>
b90f0b7fd6ccfbdd7e5adb65b1f6c02c7758ff5cmcodescu<directivesynopsis>
b90f0b7fd6ccfbdd7e5adb65b1f6c02c7758ff5cmcodescu<description>Controls which hosts are denied access to the
b90f0b7fd6ccfbdd7e5adb65b1f6c02c7758ff5cmcodescuserver</description>
b90f0b7fd6ccfbdd7e5adb65b1f6c02c7758ff5cmcodescu<syntax> Deny from all|<var>host</var>|env=[!]<var>env-variable</var>
b90f0b7fd6ccfbdd7e5adb65b1f6c02c7758ff5cmcodescu[<var>host</var>|env=[!]<var>env-variable</var>] ...</syntax>
b90f0b7fd6ccfbdd7e5adb65b1f6c02c7758ff5cmcodescu<contextlist><context>directory</context><context>.htaccess</context>
b90f0b7fd6ccfbdd7e5adb65b1f6c02c7758ff5cmcodescu</contextlist>
b90f0b7fd6ccfbdd7e5adb65b1f6c02c7758ff5cmcodescu <p>This directive allows access to the server to be restricted
b90f0b7fd6ccfbdd7e5adb65b1f6c02c7758ff5cmcodescu based on hostname, IP address, or environment variables. The
b90f0b7fd6ccfbdd7e5adb65b1f6c02c7758ff5cmcodescu arguments for the <directive>Deny</directive> directive are
b90f0b7fd6ccfbdd7e5adb65b1f6c02c7758ff5cmcodescu identical to the arguments for the <directive
b90f0b7fd6ccfbdd7e5adb65b1f6c02c7758ff5cmcodescu module="mod_access_compat">Allow</directive> directive.</p>
b90f0b7fd6ccfbdd7e5adb65b1f6c02c7758ff5cmcodescu</directivesynopsis>
b90f0b7fd6ccfbdd7e5adb65b1f6c02c7758ff5cmcodescu<directivesynopsis>
b90f0b7fd6ccfbdd7e5adb65b1f6c02c7758ff5cmcodescu<description>Controls the default access state and the order in which
Allow from example.org
foo.example.org subdomain, who are denied access. All hosts not
in the example.org domain are denied access because the default
Deny from foo.example.org
href="/sections.html">How Directory, Location and Files sections