Apache Authentication and Order Allow, and Deny - From Apache: The Definitive Guide (1/6)
Apache: The Definitive Guide, Chapter 5: Authentication
Order, Allow, and Deny
So far we have dealt with potential
users on an individual basis. We can also allow access from or deny
access to specific IP addresses, hostnames, or groups of addresses
and hostnames. The commands are
The order in which the
deny commands are applied is not set by the order
in which they appear in your file. The default order is
allow : if a client
is excluded by
deny, it is excluded unless it
allow. If neither is matched, the client
is granted access.
The order in which these commands is applied can be set by the
allow from host host ... directory, .htaccess
directive controls access to a directory. The argument
host can be one of the following:
All hosts are allowed access.
- A (partial) domain name
All hosts whose names match or end in this string are allowed access.
- A full IP address
The first one to three bytes of an IP address are allowed access, for subnet restriction.
- A network/netmask pair
Network a.b.c.d and netmask w.x.y.z are allowed access, to give finer-grained subnet control. For instance, 10.1.0.0/255.255.0.0.
- A network CIDR specification
The netmask consists of nnn high-order 1-bits. For instance, 10.1.0.0/16 is the same as 10.1.0.0/255.255.0.0.
|allow from env|
allow from env=variablename ... directory, .htaccess
env directive controls access by the existence of
a named environment variable. For instance:
BrowserMatch ^KnockKnock/2.0 let_me_in <Directory /docroot> order deny,allow deny from all allow from env=let_me_in </Directory>
Access by a browser called KnockKnock v2.0 sets an environment
Created: March 3, 2003
Revised: March 3, 2003