Apache Module mod_access

Available Languages: en | - ja

- - - - -

Description:	Provides access control based on client hostname, IP -address, or other characteristics of the client request.
Status:	Base
Module Identifier:	access_module
Source File:	mod_access.c
Compatibility:	Available only in versions prior to 2.1

Summary

- -

The directives provided by mod_access are used - in <Directory>, - <Files>, and - <Location> sections - as well as .htaccess - files to control access to particular parts of the server. Access - can be controlled based on the client hostname, IP address, or - other characteristics of the client request, as captured in environment variables. The Allow and Deny directives are used to - specify which clients are or are not allowed access to the server, - while the Order - directive sets the default access state, and configures how the - Allow and Deny directives interact with each - other.

- -

Both host-based access restrictions and password-based - authentication may be implemented simultaneously. In that case, - the Satisfy directive is used - to determine how the two sets of restrictions interact.

- -

In general, access restriction directives apply to all - access methods (GET, PUT, - POST, etc). This is the desired behavior in most - cases. However, it is possible to restrict some methods, while - leaving other methods unrestricted, by enclosing the directives - in a <Limit> section.

Directives

Allow
Deny
Order

Allow Directive

- - - - - - - -

Description:	Controls which hosts can access an area of the -server
Syntax:	`Allow from - all\|host\|env=env-variable - [host\|env=env-variable] ...`
Context:	directory, .htaccess
Override:	Limit
Status:	Base
Module:	mod_access

- -

The Allow directive affects which hosts can - access an area of the server. Access can be controlled by - hostname, IP address, IP address range, or by other - characteristics of the client request captured in environment - variables.

- -

The first argument to this directive is always - from. The subsequent arguments can take three - different forms. If Allow from all is specified, then - all hosts are allowed access, subject to the configuration of the - Deny and Order directives as discussed - below. To allow only particular hosts or groups of hosts to access - the server, the host can be specified in any of the - following formats:

- -

A (partial) domain-name: -
Example:
- Allow from apache.org - Allow from .net example.edu -
-
Hosts whose names match, or end in, this string are allowed - access. Only complete components are matched, so the above - example will match foo.apache.org but it will not - match fooapache.org. This configuration will cause - Apache to perform a double reverse DNS lookup on the client IP - address, regardless of the setting of the HostnameLookups directive. It will do - a reverse DNS lookup on the IP address to find the associated - hostname, and then do a forward lookup on the hostname to assure - that it matches the original IP address. Only if the forward - and reverse DNS are consistent and the hostname matches will - access be allowed.
A full IP address: -
Example:
- Allow from 10.1.2.3 - Allow from 192.168.1.104 192.168.1.205 -
-
An IP address of a host allowed access
A partial IP address: -
Example:
- Allow from 10.1 - Allow from 10 172.20 192.168.2 -
-
The first 1 to 3 bytes of an IP address, for subnet - restriction.
A network/netmask pair: -
Example:
- Allow from 10.1.0.0/255.255.0.0 -
-
A network a.b.c.d, and a netmask w.x.y.z. For more - fine-grained subnet restriction.
A network/nnn CIDR specification: -
Example:
- Allow from 10.1.0.0/16 -
-
Similar to the previous case, except the netmask consists of - nnn high-order 1 bits.

- -

Note that the last three examples above match exactly the - same set of hosts.

- -

IPv6 addresses and IPv6 subnets can be specified as shown - below:

- -

- Allow from 2001:db8::a00:20ff:fea7:ccea - Allow from 2001:db8::a00:20ff:fea7:ccea/10 -

- -

The third format of the arguments to the - Allow directive allows access to the server - to be controlled based on the existence of an environment variable. When Allow from - env=env-variable is specified, then the request is - allowed access if the environment variable env-variable - exists. The server provides the ability to set environment - variables in a flexible way based on characteristics of the client - request using the directives provided by - mod_setenvif. Therefore, this directive can be - used to allow access based on such factors as the clients - User-Agent (browser type), Referer, or - other HTTP request header fields.

- -

Example:

- SetEnvIf User-Agent ^KnockKnock/2\.0 let_me_in - <Directory /docroot> - - Order Deny,Allow - Deny from all - Allow from env=let_me_in - - </Directory> -

- -

In this case, browsers with a user-agent string beginning - with KnockKnock/2.0 will be allowed access, and all - others will be denied.

- -

Deny Directive

- - - - - - - -

Description:	Controls which hosts are denied access to the -server
Syntax:	`Deny from all\|host\|env=env-variable -[host\|env=env-variable] ...`
Context:	directory, .htaccess
Override:	Limit
Status:	Base
Module:	mod_access

This directive allows access to the server to be restricted - based on hostname, IP address, or environment variables. The - arguments for the Deny directive are - identical to the arguments for the Allow directive.

- -

Order Directive

- - - - - - - - -

Description:	Controls the default access state and the order in which -`Allow` and `Deny` are -evaluated.
Syntax:	`Order ordering`
Default:	`Order Deny,Allow`
Context:	directory, .htaccess
Override:	Limit
Status:	Base
Module:	mod_access

- -

The Order directive, along with the - Allow and Deny directives, controls a - three-pass access control system. The first pass processes either - all Allow or all - Deny directives, as - specified by the Order directive. The second - pass parses the rest of the directives (Deny or Allow). The third pass applies to - all requests which do not match either of the first two.

- -

Note that all Allow - and Deny directives are - processed, unlike a typical firewall, where only the first match is - used. The last match is effective (also unlike a typical firewall). - Additionally, the order in which lines appear in the configuration - files is not significant -- all Allow lines are processed as one - group, all Deny lines are - considered as another, and the default state is considered by - itself.

- -

Ordering is one of:

- -

Allow,Deny: First, all Allow - directives are evaluated; at least one must match, or the request - is rejected. Next, all Deny directives are evaluated. If - any matches, the request is rejected. Last, any requests which do - not match an Allow or a - Deny directive are - denied by default.
Deny,Allow: First, all Deny - directives are evaluated; if any match, the request is denied - unless it also matches an Allow directive. Any requests - which do not match any Allow or Deny directives are - permitted.
Mutual-failure: This order has the same effect as Order - Allow,Deny and is deprecated in its favor.

- -

Keywords may only be separated by a comma; no whitespace - is allowed between them.

- - - - - - - - - - - - - - - - - - - - - - - -

Match	Allow,Deny result	Deny,Allow result
Match Allow only	Request allowed	Request allowed
Match Deny only	Request denied	Request denied
No match	Default to second directive: Denied	Default to second directive: Allowed
Match both Allow & Deny	Final match controls: Denied	Final match controls: Allowed

- -

In the following example, all hosts in the apache.org domain - are allowed access; all other hosts are denied access.

- -

- Order Deny,Allow - Deny from all - Allow from apache.org -

- -

In the next example, all hosts in the apache.org domain are - allowed access, except for the hosts which are in the foo.apache.org - subdomain, who are denied access. All hosts not in the apache.org - domain are denied access because the default state is to Deny access to the server.

- -

- Order Allow,Deny - Allow from apache.org - Deny from foo.apache.org -

- -

On the other hand, if the Order in the - last example is changed to Deny,Allow, all hosts will - be allowed access. This happens because, regardless of the actual - ordering of the directives in the configuration file, the - Allow from apache.org will be evaluated last and will - override the Deny from foo.apache.org. All hosts not in - the apache.org domain will also be allowed access - because the default state is Allow.

- -

The presence of an Order directive can - affect access to a part of the server even in the absence of - accompanying Allow and - Deny directives because - of its effect on the default access state. For example,

- -

- <Directory /www> - - Order Allow,Deny - - </Directory> -

- -

will Deny all access - to the /www directory because the default access state - is set to Deny.

- -

The Order directive controls the order of - access directive processing only within each phase of the server's - configuration processing. This implies, for example, that an - Allow or Deny directive occurring in a - <Location> section - will always be evaluated after an Allow or Deny directive occurring in a - <Directory> - section or .htaccess file, regardless of the setting of - the Order directive. For details on the - merging of configuration sections, see the documentation on How Directory, Location and Files sections - work.

- -

Apache Module mod_access

Summary

Directives

See also

Allow Directive

Example:

Example:

Example:

Example:

Example:

Example:

Deny Directive

Order Directive