Module mod_access

This module is contained in the mod_access.c file, and is compiled in by default. It provides access control based on client hostname or IP address.

See also Satisfy and Require.

Allow directive

Syntax: Allow from host host ...
Context: directory, .htaccess
Override: Limit
Status: Base
Module: mod_access

The Allow directive affects which hosts can access a given directory. Host is one of the following:

all
All hosts are allowed access
A (partial) domain-name
Hosts whose names match, or end in, this string are allowed access.
A full IP address
An IP address of a host allowed access
A partial IP address
The first 1 to 3 bytes of an IP address, for subnet restriction.
A network/netmask pair (Apache 1.3 and later)
A network a.b.c.d, and a netmask w.x.y.z. For more fine-grained subnet restriction. (i.e., 10.1.0.0/255.255.0.0)
A network/nnn CIDR specification (Apache 1.3 and later)
Similar to the previous case, except the netmask consists of nnn high-order 1 bits. (i.e., 10.1.0.0/16 is the same as 10.1.0.0/255.255.0.0)

Example:

Allow from .ncsa.uiuc.edu

All hosts in the specified domain are allowed access.

Note that this compares whole components; bar.edu would not match foobar.edu.

See also Deny, Order, and BrowserMatch.

Syntax: Allow from env=variablename
Context: directory, .htaccess
Override: Limit
Status: Base
Module: mod_access
Compatibility: Apache 1.2 and above

The Allow from env directive controls access to a directory by the existence (or non-existence) of an environment variable.

Example: 

BrowserMatch ^KnockKnock/2.0 let_me_in
<Directory /docroot>
    Order Deny,Allow
    Deny from all
    Allow from env=let_me_in
</Directory>
In this case browsers with the user-agent string KnockKnock/2.0 will be allowed access, and all others will be denied.

See also Deny from env and Order.

Deny directive

Syntax: Deny from host host ...
Context: directory, .htaccess
Override: Limit
Status: Base
Module: mod_access

The Deny directive affects which hosts can access a given directory. Host is one of the following:

all
all hosts are denied access
A (partial) domain-name
host whose name is, or ends in, this string are denied access.
A full IP address
An IP address of a host denied access
A partial IP address
The first 1 to 3 bytes of an IP address, for subnet restriction.
A network/netmask pair (Apache 1.3 and later)
A network a.b.c.d, and a netmask w.x.y.z. For more fine-grained subnet restriction. (i.e., 10.1.0.0/255.255.0.0)
A network/nnn CIDR specification (Apache 1.3 and later)
Similar to the previous case, except the netmask consists of nnn high-order 1 bits. (i.e., 10.1.0.0/16 is the same as 10.1.0.0/255.255.0.0)

Example:

Deny from 16

All hosts in the specified network are denied access.

Note that this compares whole components; bar.edu would not match foobar.edu.

See also Allow and Order.

Syntax: Deny from env=variablename
Context: directory, .htaccess
Override: Limit
Status: Base
Module: mod_access
Compatibility: Apache 1.2 and above

The Deny from env directive controls access to a directory by the existence (or non-existence) of an environment variable.

Example: 

BrowserMatch ^BadRobot/0.9 go_away
<Directory /docroot>
    Order Allow,Deny
    Allow from all
    Deny from env=go_away
</Directory>
In this case browsers with the user-agent string BadRobot/0.9 will be denied access, and all others will be allowed.

See also Allow from env and Order.

Order directive

Syntax: Order ordering
Default: Order Deny,Allow
Context: directory, .htaccess
Override: Limit
Status: Base
Module: mod_access

The Order directive controls the order in which Allow and Deny directives are evaluated. Ordering is one of

Deny,Allow
the Deny directives are evaluated before the Allow directives. (The initial state is OK.)
Allow,Deny
the Allow directives are evaluated before the Deny directives. (The initial state is FORBIDDEN.)
Mutual-failure
Only those hosts which appear on the Allow list and do not appear on the Deny list are granted access. (The initial state is irrelevant.)

Keywords may only be separated by a comma; no whitespace is allowed between them. Note that in all cases every Allow and Deny statement is evaluated, there is no "short-circuiting".

Example:

Order Deny,Allow
Deny from all
Allow from .ncsa.uiuc.edu

Hosts in the ncsa.uiuc.edu domain are allowed access; all other hosts are denied access.