19.1 mod_access
The mod_access module determines which clients are allowed to access
server directories, based on their IP address or hostname.
allow from hostname hostname ...
[Within <Directory> or .htaccess]
The allow directive specifies which hosts can access a given directory
in the site. The hostname can be any of the following:
- Domain name: A domain name, like .oreilly.com. Only hosts from the domain are permitted access.
- Hostname: A full hostname.
- Full IP address: An IP address of a host.
- Partial IP address: The first 1 to 3 bytes of an IP address, for subnet restriction.
- Network address/netmask: A full network address, followed by a full netmask (e.g., 192.168.220.110/255.255.255.0).
- Network address/CIDR specification: A full network address, followed by an abbreviated netmask (e.g., 192.168.220.110/24 is equivalent to 192.168.220.110/255.255.255.0).
- all: Using this option means that all hosts are allowed.
There can be only one allow directive per section.
If omitted, there is no default.
allow from env=variable
[Within <Directory> or .htaccess]
The allow from env directive sets whether access to a directory should
be granted if a specific environment variable exists. For example, the
following grants access to the secret directory if the client is using
Version 5.0 of the "InternetStar" browser, via a user-agent string:
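# ACCESS_GRANTED is set only when the client-supplied User-Agent header matches
BrowserMatch ^InternetStar/5.0 ACCESS_GRANTED
<Directory /secret>
  # The order keywords are separated by a comma only, with no whitespace
  order deny,allow
  deny from all
  allow from env=ACCESS_GRANTED
</Directory>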
deny from hostname hostname ...
[Within <Directory> or .htaccess]
The deny directive specifies which hosts are denied access to a
directory. The hostname can be one of the following:
- Domain name: A domain name, like .oreilly.com. Hosts from that domain are denied access.
- Hostname: A full hostname.
- Full IP address: The IP address of a host.
- Partial IP address: The first 1 to 3 bytes of an IP address, for subnet restriction.
- Network address with netmask: A full network address, followed by a full netmask (e.g., 192.168.220.110/255.255.255.0) or by an abbreviated netmask (e.g., 192.168.220.110/24 is equivalent to 192.168.220.110/255.255.255.0).
- all: Using the word all means that all hosts are denied access.
deny from env=variable
[Within <Directory> or .htaccess]
The deny from env directive sets whether access to a directory should
be denied if a specific environment variable exists. Access to the
secret directory is denied if the client is using Version 4.0 of the
"InternetStar" browser, via a user-agent string:
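# ACCESS_DENIED is set only when the client-supplied User-Agent header matches
BrowserMatch ^InternetStar/4.0 ACCESS_DENIED
<Directory /secret>
  # allow,deny: deny rules are evaluated last, so the env match overrides
  # "allow from all" (under deny,allow the allow rule would win instead)
  order allow,deny
  allow from all
  deny from env=ACCESS_DENIED
</Directory>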
order order
[Within <Directory> or .htaccess]
The order directive specifies the order in which deny and allow
directives are evaluated. The order directive can take one of the
following forms:
- order deny,allow: deny directives are evaluated before allow directives (this is the default).
- order allow,deny: allow directives are evaluated before deny directives.
- order mutual-failure: This setting means that any host appearing on the allow list is allowed, and any host listed on the deny list is denied. Finally, any host not appearing on either list is denied.
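The three order forms and the host specifications described above, modelled as an added Python example (not code from the original page or from Apache). The function names, rule lists and client addresses are constructed for illustration; hostname matching follows the page's description (leading dot means domain suffix, otherwise exact match), and a host on both lists under mutual-failure is treated as denied, which is an assumption the page does not spell out.

```python
import ipaddress

def matches(spec, ip, host=None, env=()):
    """Does one 'allow from' / 'deny from' argument match this client?"""
    if spec == "all":
        return True
    if spec.startswith("env="):              # allow/deny from env=variable
        return spec[4:] in env
    if "/" in spec:                          # network/netmask or network/CIDR
        # strict=False: host bits may be set, as in 192.168.220.110/24
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    parts = spec.rstrip(".").split(".")
    if all(p.isdigit() for p in parts):      # full or partial IP (whole octets)
        return ip.split(".")[:len(parts)] == parts
    if host is None:                         # name rules need a resolved hostname
        return False
    host, spec = host.lower(), spec.lower()
    return host.endswith(spec) if spec.startswith(".") else host == spec

def access_allowed(order, allow, deny, ip, host=None, env=()):
    """Model of the three 'order' forms for one <Directory> section."""
    allowed = any(matches(s, ip, host, env) for s in allow)
    denied = any(matches(s, ip, host, env) for s in deny)
    if order == "deny,allow":
        # deny checked first, allow can override it; no match at all -> allowed
        return allowed or not denied
    if order in ("allow,deny", "mutual-failure"):
        # allow checked first, deny can override it; no match at all -> denied
        return allowed and not denied
    raise ValueError(f"invalid order value: {order!r}")

# Constructed sample rules and clients (not from the original page).
ALLOW = ["192.168.220.110/24", ".oreilly.com"]
DENY = ["192.168.220.7", "10.1"]
CLIENTS = [
    ("192.168.220.7", None),             # on both lists
    ("192.168.220.99", None),            # allow list only
    ("10.1.2.3", None),                  # deny list only
    ("203.0.113.5", "www.oreilly.com"),  # allowed by domain name
    ("203.0.113.9", None),               # on neither list
]

def decisions(order):
    return [access_allowed(order, ALLOW, DENY, ip, host) for ip, host in CLIENTS]

if __name__ == "__main__":
    for order in ("deny,allow", "allow,deny", "mutual-failure"):
        print(f"{order:15}", decisions(order))
```

Under order deny,allow an allow from all line overrides every deny rule, so a policy that blocks specific hosts or environment matches while admitting everyone else needs order allow,deny.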