mirror of
https://github.com/apache/httpd.git
synced 2025-10-30 08:05:39 +03:00
38d73313a9
replacement) and long-line (>80) shortening. No thirty.. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@81320 13f79535-47bb-0310-9956-ffa450edef68
311 lines
8.3 KiB
HTML
311 lines
8.3 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|
|
<HTML>
|
|
<HEAD>
|
|
<TITLE>Apache module mod_access</TITLE>
|
|
</HEAD>
|
|
|
|
<!-- Background white, links blue (unvisited), navy (visited), red (active) -->
|
|
<BODY
|
|
BGCOLOR="#FFFFFF"
|
|
TEXT="#000000"
|
|
LINK="#0000FF"
|
|
VLINK="#000080"
|
|
ALINK="#FF0000"
|
|
>
|
|
<!--#include virtual="header.html" -->
|
|
|
|
<H1 ALIGN="CENTER">Module mod_access</H1>
|
|
<P>
|
|
This module is contained in the <CODE>mod_access.c</CODE> file, and
|
|
is compiled in by default. It provides access control based on client
|
|
hostname or IP address.
|
|
</P>
|
|
|
|
<UL>
|
|
<LI><A HREF="#allow">allow</A>
|
|
<LI><A HREF="#allowfromenv">allow from env=</A>
|
|
<LI><A HREF="#deny">deny</A>
|
|
<LI><A HREF="#denyfromenv">deny from env=</A>
|
|
<LI><A HREF="#order">order</A>
|
|
</UL>
|
|
<HR>
|
|
|
|
|
|
<H2><A NAME="allow">allow directive</A></H2>
|
|
<P>
|
|
<!--%plaintext <?INDEX {\tt allow} directive> -->
|
|
<A
|
|
HREF="directive-dict.html#Syntax"
|
|
REL="Help"
|
|
><STRONG>Syntax:</STRONG></A> allow from <EM>host host ...</EM><BR>
|
|
<A
|
|
HREF="directive-dict.html#Context"
|
|
REL="Help"
|
|
><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
|
|
<A
|
|
HREF="directive-dict.html#Override"
|
|
REL="Help"
|
|
><STRONG>Override:</STRONG></A> Limit<BR>
|
|
<A
|
|
HREF="directive-dict.html#Status"
|
|
REL="Help"
|
|
><STRONG>Status:</STRONG></A> Base<BR>
|
|
<A
|
|
HREF="directive-dict.html#Module"
|
|
REL="Help"
|
|
><STRONG>Module:</STRONG></A> mod_access
|
|
</P>
|
|
<P>
|
|
The allow directive affects which hosts can access a given directory.
|
|
<EM>Host</EM> is one of the following:
|
|
</P>
|
|
<DL>
|
|
<DT><CODE>all</CODE>
|
|
<DD>All hosts are allowed access
|
|
<DT>A (partial) domain-name
|
|
<DD>Hosts whose names match, or end in, this string are allowed access.
|
|
<DT>A full IP address
|
|
<DD>An IP address of a host allowed access
|
|
<DT>A partial IP address
|
|
<DD>The first 1 to 3 bytes of an IP address, for subnet restriction.
|
|
<DT>A network/netmask pair (<STRONG>Apache 1.3 and later</STRONG>)
|
|
<DD>A network a.b.c.d, and a netmask w.x.y.z. For more fine-grained subnet
|
|
restriction. (i.e. 10.1.0.0/255.255.0.0)
|
|
<DT>A network/nnn CIDR specification (<STRONG>Apache 1.3 and later</STRONG>)
|
|
<DD>Similar to the previous case, except the netmask consists of nnn
|
|
high-order 1 bits. (i.e. 10.1.0.0/16 is the same as 10.1.0.0/255.255.0.0)
|
|
</DL>
|
|
<P>
|
|
Example:
|
|
</P>
|
|
<BLOCKQUOTE><CODE>allow from .ncsa.uiuc.edu</CODE></BLOCKQUOTE>
|
|
<P>
|
|
All hosts in the specified domain are allowed access.
|
|
</P>
|
|
<P>
|
|
Note that this compares whole components; <CODE>bar.edu</CODE>
|
|
would not match <CODE>foobar.edu</CODE>.
|
|
</P>
|
|
<P>
|
|
See also <A HREF="#deny">deny</A>, <A HREF="#order">order</A>, and
|
|
<A HREF="mod_browser.html#browsermatch">BrowserMatch</A>.
|
|
</P>
|
|
|
|
<P>
|
|
<A NAME="allowfromenv"><STRONG>Syntax:</STRONG> allow from
|
|
env=<EM>variablename</EM></A><BR>
|
|
<A
|
|
HREF="directive-dict.html#Context"
|
|
REL="Help"
|
|
><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
|
|
<A
|
|
HREF="directive-dict.html#Override"
|
|
REL="Help"
|
|
><STRONG>Override:</STRONG></A> Limit<BR>
|
|
<A
|
|
HREF="directive-dict.html#Status"
|
|
REL="Help"
|
|
><STRONG>Status:</STRONG></A> Base<BR>
|
|
<A
|
|
HREF="directive-dict.html#Module"
|
|
REL="Help"
|
|
><STRONG>Module:</STRONG></A> mod_access<BR>
|
|
<A
|
|
HREF="directive-dict.html#Compatibility"
|
|
REL="Help"
|
|
><STRONG>Compatibility:</STRONG></A> Apache 1.2 and above
|
|
</P>
|
|
<P>
|
|
The allow from env directive controls access to a directory by the
|
|
existence (or non-existence) of an environment variable.
|
|
</P>
|
|
<P>
|
|
Example:
|
|
</P>
|
|
<BLOCKQUOTE><PRE>
|
|
BrowserMatch ^KnockKnock/2.0 let_me_in
|
|
<Directory /docroot>
|
|
order deny,allow
|
|
deny from all
|
|
allow from env=let_me_in
|
|
</Directory>
|
|
</PRE></BLOCKQUOTE>
|
|
In this case browsers with the user-agent string <TT>KnockKnock/2.0</TT> will
|
|
be allowed access, and all others will be denied.
|
|
<P>
|
|
See also <A HREF="#denyfromenv">deny from env</A>
|
|
and <A HREF="#order">order</A>.
|
|
</P>
|
|
<HR>
|
|
|
|
<H2><A NAME="deny">deny directive</A></H2>
|
|
<P>
|
|
<!--%plaintext <?INDEX {\tt deny} directive> -->
|
|
<A
|
|
HREF="directive-dict.html#Syntax"
|
|
REL="Help"
|
|
><STRONG>Syntax:</STRONG></A> deny from <EM>host host ...</EM><BR>
|
|
<A
|
|
HREF="directive-dict.html#Context"
|
|
REL="Help"
|
|
><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
|
|
<A
|
|
HREF="directive-dict.html#Override"
|
|
REL="Help"
|
|
><STRONG>Override:</STRONG></A> Limit<BR>
|
|
<A
|
|
HREF="directive-dict.html#Status"
|
|
REL="Help"
|
|
><STRONG>Status:</STRONG></A> Base<BR>
|
|
<A
|
|
HREF="directive-dict.html#Module"
|
|
REL="Help"
|
|
><STRONG>Module:</STRONG></A> mod_access
|
|
</P>
|
|
<P>
|
|
The deny directive affects which hosts can access a given directory.
|
|
<EM>Host</EM> is one of the following:
|
|
</P>
|
|
<DL>
|
|
<DT><CODE>all</CODE>
|
|
<DD>all hosts are denied access
|
|
<DT>A (partial) domain-name
|
|
<DD>host whose name is, or ends in, this string are denied access.
|
|
<DT>A full IP address
|
|
<DD>An IP address of a host denied access
|
|
<DT>A partial IP address
|
|
<DD>The first 1 to 3 bytes of an IP address, for subnet restriction.
|
|
<DT>A network/netmask pair (<STRONG>Apache 1.3 and later</STRONG>)
|
|
<DD>A network a.b.c.d, and a netmask w.x.y.z. For more fine-grained subnet
|
|
restriction. (i.e. 10.1.0.0/255.255.0.0)
|
|
<DT>A network/nnn CIDR specification (<STRONG>Apache 1.3 and later</STRONG>)
|
|
<DD>Similar to the previous case, except the netmask consists of nnn
|
|
high-order 1 bits. (i.e. 10.1.0.0/16 is the same as 10.1.0.0/255.255.0.0)
|
|
</DL>
|
|
<P>
|
|
Example:
|
|
</P>
|
|
<BLOCKQUOTE><CODE>deny from 16</CODE></BLOCKQUOTE>
|
|
<P>
|
|
All hosts in the specified network are denied access.
|
|
</P>
|
|
<P>
|
|
Note that this compares whole components; <CODE>bar.edu</CODE>
|
|
would not match <CODE>foobar.edu</CODE>.
|
|
</P>
|
|
<P>
|
|
See also <A HREF="#allow">allow</A> and <A HREF="#order">order</A>.
|
|
</P>
|
|
|
|
<P>
|
|
<A NAME="denyfromenv"><STRONG>Syntax:</STRONG> deny from
|
|
env=<EM>variablename</EM></A><BR>
|
|
<A
|
|
HREF="directive-dict.html#Context"
|
|
REL="Help"
|
|
><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
|
|
<A
|
|
HREF="directive-dict.html#Override"
|
|
REL="Help"
|
|
><STRONG>Override:</STRONG></A> Limit<BR>
|
|
<A
|
|
HREF="directive-dict.html#Status"
|
|
REL="Help"
|
|
><STRONG>Status:</STRONG></A> Base<BR>
|
|
<A
|
|
HREF="directive-dict.html#Module"
|
|
REL="Help"
|
|
><STRONG>Module:</STRONG></A> mod_access<BR>
|
|
<A
|
|
HREF="directive-dict.html#Compatibility"
|
|
REL="Help"
|
|
><STRONG>Compatibility:</STRONG></A> Apache 1.2 and above
|
|
</P>
|
|
<P>
|
|
The deny from env directive controls access to a directory by the
|
|
existence (or non-existence) of an environment variable.
|
|
</P>
|
|
<P>
|
|
Example:
|
|
</P>
|
|
<BLOCKQUOTE><PRE>
|
|
BrowserMatch ^BadRobot/0.9 go_away
|
|
<Directory /docroot>
|
|
order allow,deny
|
|
allow from all
|
|
deny from env=go_away
|
|
</Directory>
|
|
</PRE></BLOCKQUOTE>
|
|
In this case browsers with the user-agent string <TT>BadRobot/0.9</TT> will
|
|
be denied access, and all others will be allowed.
|
|
|
|
<P>
|
|
See also <A HREF="#allowfromenv">allow from env</A>
|
|
and <A HREF="#order">order</A>.
|
|
</P>
|
|
<HR>
|
|
|
|
<H2><A NAME="order">order directive</A></H2>
|
|
<P>
|
|
<!--%plaintext <?INDEX {\tt order} directive> -->
|
|
<A
|
|
HREF="directive-dict.html#Syntax"
|
|
REL="Help"
|
|
><STRONG>Syntax:</STRONG></A> order <EM>ordering</EM><BR>
|
|
<A
|
|
HREF="directive-dict.html#Default"
|
|
REL="Help"
|
|
><STRONG>Default:</STRONG></A> <CODE>order deny,allow</CODE><BR>
|
|
<A
|
|
HREF="directive-dict.html#Context"
|
|
REL="Help"
|
|
><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
|
|
<A
|
|
HREF="directive-dict.html#Override"
|
|
REL="Help"
|
|
><STRONG>Override:</STRONG></A> Limit<BR>
|
|
<A
|
|
HREF="directive-dict.html#Status"
|
|
REL="Help"
|
|
><STRONG>Status:</STRONG></A> Base<BR>
|
|
<A
|
|
HREF="directive-dict.html#Module"
|
|
REL="Help"
|
|
><STRONG>Module:</STRONG></A> mod_access
|
|
</P>
|
|
<P>
|
|
The order directive controls the order in which <A HREF="#allow">allow</A> and
|
|
<A HREF="#deny">deny</A> directives are evaluated. <EM>Ordering</EM> is one
|
|
of
|
|
</P>
|
|
<DL>
|
|
<DT>deny,allow
|
|
<DD>the deny directives are evaluated before the allow directives. (The
|
|
initial state is OK.)
|
|
<DT>allow,deny
|
|
<DD>the allow directives are evaluated before the deny directives. (The
|
|
initial state is FORBIDDEN.)
|
|
<DT>mutual-failure
|
|
<DD>Only those hosts which appear on the allow list and do not appear
|
|
on the deny list are granted access. (The initial state is irrelevant.)
|
|
</DL>
|
|
<P>
|
|
<STRONG>Note that in all cases every <CODE>allow</CODE> and <CODE>deny</CODE>
|
|
statement is evaluated, there is no "short-circuiting".</STRONG>
|
|
</P>
|
|
<P>
|
|
Example:
|
|
</P>
|
|
<BLOCKQUOTE><CODE>
|
|
order deny,allow<BR>
|
|
deny from all<BR>
|
|
allow from .ncsa.uiuc.edu<BR>
|
|
</CODE></BLOCKQUOTE>
|
|
<P>
|
|
Hosts in the ncsa.uiuc.edu domain are allowed access; all other hosts are
|
|
denied access.
|
|
</P>
|
|
<!--#include virtual="footer.html" -->
|
|
</BODY>
|
|
</HTML>
|