19.1 mod_access

Team-Fly

	Webmaster in a Nutshell, 3rd Edition By Robert Eckstein, Stephen Spainhour
	Table of Contents
	Chapter 19.  Apache Modules

The mod_access module resolves which clients are allowed to access server directories based on their IP address or hostname.

  allow  from hostname  hostname  ... 

[Within <Directory> or .htaccess ]

The allow directive specifies which hosts can access a given directory in the site. The hostname can be any of the following:

Domain name

A domain name, like .oreilly.com . Only hosts from the domain are permitted access.

Hostname

A full hostname.

Full IP address

An IP address of a host.

Partial IP address

The first 1 to 3 bytes of an IP address, for subnet restriction.

Network address/ netmask

A full network address, followed by a full netmask. (i.e., 192.168.220.110/255.255.255.0)

Network address/CIDR specification

A full network address, followed by an abbreviated netmask. (i.e., 192.168.220.110/24 is equivalent to 192.168.220.110/255.255.255.0)

all

Using this option means that all hosts are allowed.

There can be only one allow directive per section. If omitted, there is no default.

  allow  from env  =variable  

[Within <Directory> or .htaccess ]

The allow from env directive sets whether access to a directory should be granted if a specific environment variable exists. For example, the following grants access to the secret directory if the client is using Version 5.0 of the "InternetStar" browser, via a user -agent string:

 BrowserMatch ^InternetStar/5.0 ACCESS_GRANTED <Directory /secret> order deny, allow deny from all allow from env=ACCESS_GRANTED </Directory> 

  deny  from hostname  hostname  ... 

[Within <Directory> or .htaccess ]

The deny directive specifies which hosts are denied access to a directory. The hostname can be one of the following:

Domain name

A domain name, like .oreilly.com . Hosts from that domain are denied access.

Hostname

A full hostname.

Full IP address

The IP address of a host.

Partial IP address

The first 1 to 3 bytes of an IP address, for subnet restriction.

Network address with netmask

A full network address, followed by a full netmask. (i.e., 192.168.220.110/255.255.255.0), or by an abbreviated netmask. (i.e., 192.168.220.110/24 is equivalent to 192.168.220.110/255.255.255.0)

all

Using the word all means that all hosts are denied access.

  deny  from env  =variable  

[Within <Directory> or .htaccess ]

The deny from env directive sets whether access to a directory should be denied if a specific environment variable exists. Access to the secret directory is denied if the client is using Version 4.0 of the "InternetStar" browser, via a user-agent string:

 BrowserMatch ^InternetStar/4.0 ACCESS_DENIED <Directory /secret> order deny, allow deny from env=ACCESS_DENIED allow from all </Directory> 

  order   order  

[Within <Directory> or .htaccess ]

The order directive specifies the order in which deny and allow directives are evaluated. The order directive can take one of the following forms:

order deny,allow

deny directives are evaluated before allow directives (this is the default).

order allow,deny

allow directives are evaluated before deny directives.

order mutual-failure

This setting means that any host appearing on the allow list is allowed, and any host listed on the deny list is denied. Finally, any host not appearing on either list is denied.