Apache Documentation

Module mod_access

This module is contained in the mod_access.c file, and is compiled in by default. It provides access control based on client hostname or IP address.
allow directive(directive)
allow directive

Syntax: allow from host host ...

Context: directory, .htaccess

Override: Limit

Status: Base

Compatibility: Apache 1.2 and above

The allow directive affects which hosts can access a given directory. Host is one of the following:

allAll hosts are allowed access A (partial) domain-name Hosts whose names match, or end in, this string are allowed access. A full IP address An IP address of a host allowed access A partial IP address The first 1 to 3 bytes of an IP address, for subnet restriction. A network/netmask pair (Apache 1.3 and later) A network a.b.c.d, and a netmask w.x.y.z. For more fine-grained subnet restriction. (i.e., 10.1.0.0/255.255.0.0) A network/nnn CIDR specification (Apache 1.3 and later) Similar to the previous case, except the netmask consists of nnn high-order 1 bits. (i.e., 10.1.0.0/16 is the same as 10.1.0.0/255.255.0.0)

Example:
allow from .ncsa.uiuc.edu

All hosts in the specified domain are allowed access.

Note that this compares whole components; bar.edu would not match foobar.edu.

See also:deny - order - BrowserMatch -

allow from env(directive)
allow from env

Syntax: allow from env=variablename

Context: directory, .htaccess

Override: Limit

Status: Base

Compatibility: Apache 1.2 and above

The allow from env directive controls access to a directory by the existence (or non-existence) of an environment variable.

Example:
BrowserMatch ^KnockKnock/2.0 let_me_in <Directory /docroot> order deny,allow deny from all allow from env=let_me_in </Directory>

In this case browsers with the user-agent string KnockKnock/2.0 will be allowed access, and all others will be denied.

See also:deny from env -

deny(directive)
deny

Syntax: deny from host host ...

Context: directory, .htaccess

Override: Limit

Status: Base

Compatibility: Apache 1.2 and above

The deny directive affects which hosts can access a given directory. Host is one of the following:

allall hosts are denied access A (partial) domain-name host whose name is, or ends in, this string are denied access. A full IP address An IP address of a host denied access A partial IP address The first 1 to 3 bytes of an IP address, for subnet restriction. A network/netmask pair (Apache 1.3 and later) A network a.b.c.d, and a netmask w.x.y.z. For more fine-grained subnet restriction. (i.e., 10.1.0.0/255.255.0.0) A network/nnn CIDR specification (Apache 1.3 and later) Similar to the previous case, except the netmask consists of nnn high-order 1 bits. (i.e., 10.1.0.0/16 is the same as 10.1.0.0/255.255.0.0)

Example:
deny from 16

All hosts in the specified network are denied access.

Note that this compares whole components; bar.edu would not match foobar.edu.

See also:allow - order -

deny from env(directive)
deny from env

Syntax: deny from env=variablename

Context: directory, .htaccess

Override: Limit

Status: Base

Compatibility: Apache 1.2 and above

The deny from env directive controls access to a directory by the existence (or non-existence) of an environment variable.

Example:
BrowserMatch ^BadRobot/0.9 go_away <Directory /docroot> order allow,deny allow from all deny from env=go_away </Directory>

In this case browsers with the user-agent string BadRobot/0.9 will be denied access, and all others will be allowed.

See also:allow from env - order -

order directive(directive)
order directive

Syntax: order ordering

order deny,allow

Context: directory, .htaccess

Override: Limit

Status: Base

The order directive controls the order in which allow and deny directives are evaluated. Ordering is one of

deny,allow the deny directives are evaluated before the allow directives. (The initial state is OK.) allow,deny the allow directives are evaluated before the deny directives. (The initial state is FORBIDDEN.) mutual-failure Only those hosts which appear on the allow list and do not appear on the deny list are granted access. (The initial state is irrelevant.)

Keywords may only be separated by a comma; no whitespace is allowed between them. Note that in all cases every allow and deny statement is evaluated, there is no "short-circuiting".

Example:
order deny,allow deny from all allow from .ncsa.uiuc.edu

Hosts in the ncsa.uiuc.edu domain are allowed access; all other hosts are denied access.