Description: Controls which hosts can access an area of the server
Syntax: Allow from all|host|env=env-variable [host|env=env-variable] ...
Context: directory, .htaccess
Override: Limit
Status: Base
Module: mod_access
The Allow directive affects which hosts can access an area of the server. Access can be controlled using client request characteristics captured in hostnames, IP addresses, IP address ranges, or other environment variables.
The first parameter of this directive is always from. The subsequent parameters can take three different forms. If Allow from all is specified, all hosts are allowed access, subject to the configuration of the Deny and Order directives as discussed below. To allow only specific hosts or groups of hosts to access the server, host can be specified in any of the following formats:
A (partial) domain name
Example: Allow from apache.org
Allows access to hosts whose names match or end with the given string. Only complete name components are matched, so the above example will match foo.apache.org but not fooapache.org. This configuration causes the server to perform a reverse DNS lookup on the client's IP address, regardless of the setting of the HostnameLookups directive.
A full IP address
Example: Allow from 10.1.2.3
Allows access from the IP address of a single host.
A partial IP address
Example: Allow from 10.1
The first 1 to 3 bytes of the IP address are used for subnet restrictions.
A network/netmask pair
Example: Allow from 10.1.0.0/255.255.0.0
A network a.b.c.d and a netmask w.x.y.z, for more fine-grained subnet restrictions.
A network/nnn CIDR specification
Example: Allow from 10.1.0.0/16
Similar to the previous case, except that the netmask consists of nnn high-order 1 bits.
Note that the last three examples above match exactly the same set of hosts.
IPv6 addresses and IPv6 subnets can be specified like this:
Allow from fe80::a00:20ff:fea7:ccea
Allow from fe80::a00:20ff:fea7:ccea/10
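The host formats listed above can be modelled in a few lines. This is an added Python sketch, not Apache's own code: the function names are hypothetical, and the client's hostname is assumed to have been obtained already by the reverse DNS lookup the text mentions.

```python
import ipaddress

def spec_to_network(spec):
    """Return the network an IP-style host spec denotes, or None when the
    spec is not an address form (it is then treated as a domain name)."""
    try:
        if "/" in spec or ":" in spec:
            # IPv6 address, network/netmask pair, or network/nnn CIDR
            return ipaddress.ip_network(spec, strict=False)
        parts = spec.split(".")
        if len(parts) <= 4 and all(p.isdigit() for p in parts):
            # full (4 bytes) or partial (1 to 3 bytes) IPv4 address
            padded = ".".join(parts + ["0"] * (4 - len(parts)))
            return ipaddress.ip_network("%s/%d" % (padded, 8 * len(parts)))
    except ValueError:
        pass
    return None

def host_matches(spec, client_ip, client_name=None):
    """True if the client falls under one host argument of Allow or Deny."""
    net = spec_to_network(spec)
    if net is not None:
        addr = ipaddress.ip_address(client_ip)
        return addr.version == net.version and addr in net
    if client_name is None:
        return False  # no resolved name to compare against a domain spec
    name, dom = client_name.lower(), spec.lower()
    # only complete name components match: foo.apache.org, not fooapache.org
    return name == dom or name.endswith("." + dom)

if __name__ == "__main__":
    # constructed sample clients
    for spec in ("10.1", "10.1.0.0/255.255.0.0", "10.1.0.0/16"):
        print(spec, "->", spec_to_network(spec))
    print(host_matches("apache.org", "192.0.2.7", "fooapache.org"))
```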
The third format of the arguments to the Allow directive allows access to the server to be controlled based on the existence of an environment variable. When Allow from env=env-variable is specified, the access request is allowed if the environment variable env-variable exists. Using the directives provided by mod_setenvif, the server can set environment variables in a flexible manner based on characteristics of the client request. Therefore, this directive can be used to allow access based on fields such as User-Agent (browser type), Referer, or other HTTP request header fields.
Example:
SetEnvIf User-Agent ^KnockKnock/2.0 let_me_in
<Directory /docroot>
Order Deny,Allow
Deny from all
Allow from env=let_me_in
</Directory>
In this case, browsers sending user-agent identifiers starting with KnockKnock/2.0 will be allowed access, while all other browsers will be blocked.
Deny directive
Description: Controls which hosts are denied access to the server
Syntax: Deny from all|host|env=env-variable [host|env=env-variable] ...
Context: directory, .htaccess
Override: Limit
Status: Base
Module: mod_access
This directive allows access to the server to be restricted based on hostname, IP address or environment variables. The arguments of the Deny directive are exactly the same as those of the Allow directive.
Order directive
Description: Controls the default access state and the order in which Allow and Deny directives are evaluated.
Syntax: Order ordering
Default value: Order Deny,Allow
Context: directory, .htaccess
Override: Limit
Status: Base
Module: mod_access
The Order directive controls the default access state and the order in which Allow and Deny directives are evaluated. Ordering is one of the following:
Deny,Allow
Deny directives are evaluated before Allow directives. All access is allowed by default. Any client that does not match a Deny directive, or that does match an Allow directive, is allowed to access the server.
Allow,Deny
The Allow directive is evaluated before the Deny directive. All access is prohibited by default. Any client that does not match the Allow directive or matches the Deny directive will be prohibited from accessing the server.
Mutual-failure
Only hosts that appear in the Allow list and do not appear in the Deny list are allowed access. This ordering has the same effect as Order Allow,Deny and is deprecated in favor of that configuration.
Keywords can only be separated by a comma; no whitespace is allowed between them. Note that every Allow and Deny directive is evaluated in all cases.
In the example below, all hosts in the apache.org domain are allowed access, while all other hosts are denied access.
Order Deny,Allow
Deny from all
Allow from apache.org
In the following example, all hosts in the apache.org domain are allowed access, except for hosts in the foo.apache.org subdomain, which are denied access. All hosts that are not in the apache.org domain are denied access, because the default state is to deny access to the server.
Order Allow,Deny
Allow from apache.org
Deny from foo.apache.org
On the other hand, if the Order directive in the previous example is changed to Deny,Allow, access from all hosts will be allowed. This is because, regardless of the actual order of the directives in the configuration file, the Allow from apache.org directive will be evaluated last and will override the Deny from foo.apache.org. All hosts not in the apache.org domain are also allowed access because the default state has changed to allow.
Even when it is not accompanied by any Allow or Deny directives, the presence of an Order directive affects access to a part of the server, because of its effect on the default access state. For example,
<Directory /www>
Order Allow,Deny
</Directory>
This will disable all access to the /www directory, as the default status will be set to deny.
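The evaluation rules for the three orderings, run over the examples above. This is an added Python model, not Apache's code: the function names and the sample client names are constructed for illustration, and only the all, domain-name and env= argument forms are modelled.

```python
def spec_hits(spec, name, env=()):
    """True if one Allow/Deny argument matches the client."""
    if spec.lower() == "all":
        return True
    if spec.startswith("env="):
        # the variable only has to exist; if it was set from a request
        # header (User-Agent, Referer), its presence is client-controlled
        return spec[4:] in env
    return name == spec or name.endswith("." + spec)

def access_granted(order, allow, deny, name, env=()):
    """Apply the Order semantics; allow and deny are lists of arguments.
    Every Allow and Deny argument is evaluated in all cases."""
    allowed = any(spec_hits(s, name, env) for s in allow)
    denied = any(spec_hits(s, name, env) for s in deny)
    key = order.lower()
    if key == "deny,allow":
        # default state: allow; Allow is evaluated last and overrides Deny
        return allowed or not denied
    if key in ("allow,deny", "mutual-failure"):
        # default state: deny; Deny is evaluated last and overrides Allow
        return allowed and not denied
    # e.g. "Allow, Deny": keywords may not be separated by whitespace
    raise ValueError("invalid Order argument: %r" % order)

def compare_orders(allow, deny, names):
    """Decision per client under both orderings, to show how Order flips it."""
    return {n: {o: access_granted(o, allow, deny, n)
                for o in ("Allow,Deny", "Deny,Allow")} for n in names}

if __name__ == "__main__":
    # constructed client names for the apache.org / foo.apache.org example
    clients = ["www.apache.org", "bar.foo.apache.org", "host.example.net"]
    for name, result in compare_orders(["apache.org"], ["foo.apache.org"],
                                       clients).items():
        print(name, result)
    # an Order directive with no Allow or Deny: default state decides
    print(access_granted("Allow,Deny", [], [], "www.apache.org"))
```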
The Order directive controls the processing of access directives only within each segment of the server configuration. This means that, for example, an Allow or Deny directive appearing in a <Location> section will always be evaluated after an Allow or Deny directive appearing in a <Directory> section or .htaccess file, regardless of the setting of the Order directive. For details on merging configuration sections, see How Directory, Location and Files sections work.