| blob | a04c297f6bbb1e6751151e3047bb104a2a0af09e |
2 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
4 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
5 This file is generated from xml source: DO NOT EDIT
6 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
7 -->
9 <link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
10 <link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
13 <body>
15 <p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p>
18 <div class="up"><a href="./"><img title="<-" alt="<-" src="../images/left.gif" /></a></div>
20 <a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="../">Version 2.3</a> > <a href="./">Modules</a></div>
24 <p><span>Available Languages: </span><a href="../en/mod/mod_access_compat.html" title="English"> en </a> |
25 <a href="../ja/mod/mod_access_compat.html" hreflang="ja" rel="alternate" title="Japanese"> ja </a></p>
26 </div>
27 <table class="module"><tr><th><a href="module-dict.html#Description">Description:</a></th><td>Group authorizations based on host (name or IP
28 address)</td></tr>
30 <tr><th><a href="module-dict.html#ModuleIdentifier">Module Identifier:</a></th><td>access_compat_module</td></tr>
31 <tr><th><a href="module-dict.html#SourceFile">Source File:</a></th><td>mod_access_compat.c</td></tr>
32 <tr><th><a href="module-dict.html#Compatibility">Compatibility:</a></th><td>Available in Apache 2.3 as a compatibility module with
33 previous versions of Apache 2.x. The directives provided by this module
34 have been deprecated by the new authz refactoring. Please see
35 <code class="module"><a href="../mod/mod_authz_host.html">mod_authz_host</a></code></td></tr></table>
38 <p>The directives provided by <code class="module"><a href="../mod/mod_access_compat.html">mod_access_compat</a></code> are
39 used in <code class="directive"><a href="../mod/core.html#directory"><Directory></a></code>,
43 </code> files to control access to particular parts of the server.
44 Access can be controlled based on the client hostname, IP address, or
45 other characteristics of the client request, as captured in <a href="../env.html">environment variables</a>. The <code class="directive"><a href="#allow">Allow</a></code> and <code class="directive"><a href="#deny">Deny</a></code> directives are used to
46 specify which clients are or are not allowed access to the server,
48 directive sets the default access state, and configures how the
49 <code class="directive"><a href="#allow">Allow</a></code> and <code class="directive"><a href="#deny">Deny</a></code> directives interact with each
50 other.</p>
52 <p>Both host-based access restrictions and password-based
53 authentication may be implemented simultaneously. In that case,
55 to determine how the two sets of restrictions interact.</p>
58 <p>The directives provided by <code class="module"><a href="../mod/mod_access_compat.html">mod_access_compat</a></code> have
59 been deprecated by the new authz refactoring. Please see
61 </div>
63 <p>In general, access restriction directives apply to all
66 cases. However, it is possible to restrict some methods, while
67 leaving other methods unrestricted, by enclosing the directives
68 in a <code class="directive"><a href="../mod/core.html#limit"><Limit></a></code> section.</p>
69 </div>
76 </ul>
82 </ul></div>
85 <div class="directive-section"><h2><a name="Allow" id="Allow">Allow</a> <a name="allow" id="allow">Directive</a></h2>
87 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Controls which hosts can access an area of the
88 server</td></tr>
89 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code> Allow from all|<var>host</var>|env=[!]<var>env-variable</var>
91 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
95 </table>
97 access an area of the server. Access can be controlled by
98 hostname, IP address, IP address range, or by other
99 characteristics of the client request captured in environment
100 variables.</p>
102 <p>The first argument to this directive is always
105 all hosts are allowed access, subject to the configuration of the
106 <code class="directive"><a href="#deny">Deny</a></code> and <code class="directive"><a href="#order">Order</a></code> directives as discussed
107 below. To allow only particular hosts or groups of hosts to access
109 following formats:</p>
111 <dl>
114 <dd>
116 Allow from apache.org<br />
117 Allow from .net example.edu
118 </code></p></div>
119 <p>Hosts whose names match, or end in, this string are allowed
120 access. Only complete components are matched, so the above
123 Apache to perform a double DNS lookup on the client IP
124 address, regardless of the setting of the <code class="directive"><a href="../mod/core.html#hostnamelookups">HostnameLookups</a></code> directive. It will do
125 a reverse DNS lookup on the IP address to find the associated
126 hostname, and then do a forward lookup on the hostname to assure
127 that it matches the original IP address. Only if the forward
128 and reverse DNS are consistent and the hostname matches will
129 access be allowed.</p></dd>
133 <dd>
136 Allow from 192.168.1.104 192.168.1.205
137 </code></p></div>
142 <dd>
145 Allow from 10 172.20 192.168.2
146 </code></p></div>
148 restriction.</p></dd>
152 <dd>
155 </code></p></div>
156 <p>A network a.b.c.d, and a netmask w.x.y.z. For more
157 fine-grained subnet restriction.</p></dd>
161 <dd>
164 </code></p></div>
165 <p>Similar to the previous case, except the netmask consists of
167 </dl>
169 <p>Note that the last three examples above match exactly the
170 same set of hosts.</p>
172 <p>IPv6 addresses and IPv6 subnets can be specified as shown
173 below:</p>
178 </code></p></div>
180 <p>The third format of the arguments to the
182 to be controlled based on the existence of an <a href="../env.html">environment variable</a>. When <code>Allow from
186 specified, then the request is allowed access if the environment
188 The server provides the ability to set environment
189 variables in a flexible way based on characteristics of the client
190 request using the directives provided by
191 <code class="module"><a href="../mod/mod_setenvif.html">mod_setenvif</a></code>. Therefore, this directive can be
192 used to allow access based on such factors as the clients
194 other HTTP request header fields.</p>
200 Order Deny,Allow<br />
201 Deny from all<br />
202 Allow from env=let_me_in<br />
203 </span>
205 </code></p></div>
207 <p>In this case, browsers with a user-agent string beginning
209 others will be denied.</p>
211 </div>
213 <div class="directive-section"><h2><a name="Deny" id="Deny">Deny</a> <a name="deny" id="deny">Directive</a></h2>
215 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Controls which hosts are denied access to the
216 server</td></tr>
217 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code> Deny from all|<var>host</var>|env=[!]<var>env-variable</var>
219 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
223 </table>
224 <p>This directive allows access to the server to be restricted
225 based on hostname, IP address, or environment variables. The
227 identical to the arguments for the <code class="directive"><a href="#allow">Allow</a></code> directive.</p>
229 </div>
231 <div class="directive-section"><h2><a name="Order" id="Order">Order</a> <a name="order" id="order">Directive</a></h2>
233 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Controls the default access state and the order in which
235 evaluated.</td></tr>
236 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code> Order <var>ordering</var></code></td></tr>
237 <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>Order Deny,Allow</code></td></tr>
238 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
242 </table>
247 controls a three-pass access control system. The first pass
248 processes either all <code class="directive"><a href="#allow">Allow</a></code> or all <code class="directive"><a href="#deny">Deny</a></code> directives, as specified
250 directive. The second pass parses the rest of the directives
253 pass applies to all requests which do not match either of the first
254 two.</p>
256 <p>Note that all <code class="directive"><a href="#allow">Allow</a></code> and <code class="directive"><a href="#deny">Deny</a></code> directives are
257 processed, unlike a typical firewall, where only the first match is
258 used. The last match is effective (also unlike a typical firewall).
259 Additionally, the order in which lines appear in the configuration
260 files is not significant -- all <code class="directive"><a href="#allow">Allow</a></code> lines are processed as
262 another, and the default state is considered by itself.</p>
266 <dl>
270 evaluated; at least one must match, or the request is rejected.
272 directives are evaluated. If any matches, the request is rejected.
273 Last, any requests which do not match an <code class="directive"><a href="#allow">Allow</a></code> or a <code class="directive"><a href="#deny">Deny</a></code> directive are denied
274 by default.</dd>
279 evaluated; if any match, the request is denied
280 <strong>unless</strong> it also matches an <code class="directive"><a href="#allow">Allow</a></code> directive. Any
281 requests which do not match any <code class="directive"><a href="#allow">Allow</a></code> or <code class="directive"><a href="#deny">Deny</a></code> directives are
282 permitted.</dd>
288 </dl>
291 is allowed between them.</p>
294 <tr>
298 </tr><tr>
302 </tr><tr>
306 </tr><tr>
310 </tr><tr>
314 </tr>
315 </table>
317 <p>In the following example, all hosts in the apache.org domain
318 are allowed access; all other hosts are denied access.</p>
321 Order Deny,Allow<br />
322 Deny from all<br />
323 Allow from apache.org
324 </code></p></div>
326 <p>In the next example, all hosts in the apache.org domain are
327 allowed access, except for the hosts which are in the
328 foo.apache.org subdomain, who are denied access. All hosts not
329 in the apache.org domain are denied access because the default
331 access to the server.</p>
334 Order Allow,Deny<br />
335 Allow from apache.org<br />
336 Deny from foo.apache.org
337 </code></p></div>
341 be allowed access. This happens because, regardless of the actual
342 ordering of the directives in the configuration file, the
349 affect access to a part of the server even in the absence of
352 directives because of its effect on the default access state. For
353 example,</p>
358 Order Allow,Deny<br />
359 </span>
361 </code></p></div>
364 because the default access state is set to
368 directive processing only within each phase of the server's
369 configuration processing. This implies, for example, that an
370 <code class="directive"><a href="#allow">Allow</a></code> or <code class="directive"><a href="#deny">Deny</a></code> directive occurring in a
371 <code class="directive"><a href="../mod/core.html#location"><Location></a></code> section will
372 always be evaluated after an <code class="directive"><a href="#allow">Allow</a></code> or <code class="directive"><a href="#deny">Deny</a></code> directive occurring in a
373 <code class="directive"><a href="../mod/core.html#directory"><Directory></a></code> section or
376 of configuration sections, see the documentation on <a href="../sections.html">How Directory, Location and Files sections
379 </div>
381 <div class="directive-section"><h2><a name="Satisfy" id="Satisfy">Satisfy</a> <a name="satisfy" id="satisfy">Directive</a></h2>
383 <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Interaction between host-level access control and
384 user authentication</td></tr>
385 <tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>Satisfy Any|All</code></td></tr>
386 <tr><th><a href="directive-dict.html#Default">Default:</a></th><td><code>Satisfy All</code></td></tr>
387 <tr><th><a href="directive-dict.html#Context">Context:</a></th><td>directory, .htaccess</td></tr>
391 <tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Influenced by <code class="directive"><a href="../mod/core.html#limit"><Limit></a></code> and <code class="directive"><a href="../mod/core.html#limitexcept"><LimitExcept></a></code> in version 2.0.51 and
392 later</td></tr>
393 </table>
394 <p>Access policy if both <code class="directive"><a href="#allow">Allow</a></code> and <code class="directive"><a href="../mod/mod_authz_core.html#require">Require</a></code> used. The parameter can be
396 useful if access to a particular area is being restricted by both
401 granted access if they either pass the host restriction or enter a
402 valid username and password. This can be used to password restrict
403 an area, but to let clients from particular addresses in without
404 prompting for a password.</p>
406 <p>For example, if you wanted to let people on your network have
407 unrestricted access to a portion of your website, but require that
408 people outside of your network provide a password, you could use a
409 configuration similar to the following:</p>
412 Require valid-user<br />
414 Satisfy Any
415 </code></p></div>
418 be restricted to particular methods by <code class="directive"><a href="../mod/core.html#limit"><Limit></a></code> and <code class="directive"><a href="../mod/core.html#limitexcept"><LimitExcept></a></code> sections.</p>
421 <ul>
423 <li><code class="directive"><a href="../mod/mod_authz_core.html#require">Require</a></code></li>
424 </ul>
425 </div>
426 </div>
428 <p><span>Available Languages: </span><a href="../en/mod/mod_access_compat.html" title="English"> en </a> |
429 <a href="../ja/mod/mod_access_compat.html" hreflang="ja" rel="alternate" title="Japanese"> ja </a></p>
431 <p class="apache">Copyright 2009 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
432 <p class="menu"><a href="../mod/">Modules</a> | <a href="../mod/directives.html">Directives</a> | <a href="../faq/">FAQ</a> | <a href="../glossary.html">Glossary</a> | <a href="../sitemap.html">Sitemap</a></p></div>
433 </body></html>