Module mod_access
Module mod_access contains directives for the IBM® HTTP Server for i Web server.
Summary
The module mod_access provides access control based on a client's hostname or IP address.
Directives
Allow
Module: mod_access
Syntax: allow from all | env=[!]envvar | host [host ...]
Default: none
Context: directory, .htaccess
Override: Limit
Origin: Apache
Example: allow from all
Example: allow from env=go_away
Example: allow from 10.10.10.10 .ibm.com
Example: allow from 2001:db8::a00:20ff:fea7:ccea
Example: allow from 2001:db8::a00:20ff:fea7:ccea/10
The Allow directive affects which hosts can access a given directory.
- Parameter: host
- If all, all hosts are allowed access.
- If full or partial domain-name, hosts whose names match or end in this string are allowed access.
- If full IP address, only the host with that IP address is allowed access.
- If partial IP address, the first 1 to 3 bytes of an IP address are compared, for subnet restriction.
- If network/netmask, a network a.b.c.d and a netmask w.x.y.z can be used for fine-grained subnet restriction (for example, 10.2.0.0/255.255.0.0).
- If network/nnn CIDR specification, it is similar to the previous case, except the netmask consists of nnn higher-order 1 bits (for example, 10.1.0.0/16 is the same as 10.1.0.0/255.255.0.0).
Note: This compares whole components; ibm.com® would not match QIBMibm.com.
The allow from env option controls access to a directory by the existence (or nonexistence) of an environment variable. For example:
BrowserMatch ^KnockKnock/2.0 let_me_in
<Directory /docroot>
order deny,allow
deny from all
allow from env=let_me_in
</Directory>
In this case, browsers with the user-agent string KnockKnock/2.0 will be allowed access, and all others will be denied.
Deny
Module: mod_access
Syntax: deny from all | env=[!]envvar | host [host ...]
Default: none
Context: directory, .htaccess
Override: Limit
Origin: Apache
Example: deny from env=go_away
Example: deny from 10.10.10.10 .ibm.com
The deny directive affects which hosts can access a given directory.
- Parameter: host
- If all, all hosts are denied access.
- If full or partial domain-name, hosts whose names match or end in this string are denied access.
- If full IP address, only the host with that IP address is denied access.
- If partial IP address, the first 1 to 3 bytes of an IP address are compared, for subnet restriction.
- If network/netmask, a network a.b.c.d and a netmask w.x.y.z can be used for fine-grained subnet restriction (for example, 10.2.0.0/255.255.0.0).
- If network/nnn CIDR specification, it is similar to the previous case, except the netmask consists of nnn higher-order 1 bits (for example, 10.1.0.0/16 is the same as 10.1.0.0/255.255.0.0).
Note: This compares whole components (ibm.com would not match QIBMibm.com).
The deny from env option controls access to a directory by the existence (or nonexistence) of an environment variable. For example:
BrowserMatch ^BadRobot/0.9 go_away
<Directory /docroot>
order allow,deny
allow from all
deny from env=go_away
</Directory>
In this case, browsers with the user-agent string BadRobot/0.9 will be denied access, and all others will be allowed.
Order
Module: mod_access
Syntax: order ordering
Default: order deny,allow
Context: directory, .htaccess
Override: Limit
Origin: Modified
Example: order deny,allow
The order directive controls the order in which Allow and Deny directives are evaluated.
- Parameter: ordering
- If deny,allow, the deny directives are evaluated before the allow directives (the initial state is OK).
- If allow,deny, the allow directives are evaluated before the deny directives (the initial state is FORBIDDEN).
- If mutual-failure, only those hosts which appear on the allow list and do not appear on the deny list are granted access (the initial state is irrelevant).
Keywords may only be separated by a comma; no whitespace is allowed between them. Note that in all cases every allow and deny statement is evaluated; there is no "short-circuiting". For example:
order deny,allow
deny from all
allow from .ibm.com
In the following example, the first container's intent is to keep everyone out. The next container overrides for the appropriate subdirectory.
<Directory />
Order deny,allow
deny from all
allow from none
</Directory>
Alias /root /bobtest/xyz/html
<Directory /bobtest/xyz/html/>
Order allow,deny
allow from all
Authtype Basic
AuthName "root and %%SYSTEM%%"
PasswdFile %%SYSTEM%%
Require valid-user
UserID %%SYSTEM%%
</Directory>
In the order deny,allow example with allow from .ibm.com, hosts in the ibm.com domain are allowed access; all other hosts are denied access.
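The evaluation rules from the Order section, combined with the host forms listed under Allow and Deny, modelled in Python as an added example (not IBM's or Apache's code). The function names and client addresses are constructed, the model assumes the caller already has the client's resolved host name, and it takes the list evaluated last as the one that decides when both lists match.

```python
import ipaddress

def host_matches(spec, ip, hostname=None, env=()):
    """True if one allow/deny token matches the client, per the host forms listed above."""
    if spec == "all":
        return True
    if spec.startswith("env="):                      # env=[!]envvar
        name = spec[4:]
        return name[1:] not in env if name.startswith("!") else name in env
    try:                                             # full IP, network/netmask, network/nnn
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        pass
    parts = spec.rstrip(".").split(".")
    if 1 <= len(parts) <= 3 and all(p.isdigit() for p in parts):
        return ip.split(".")[:len(parts)] == parts   # partial IP: first 1 to 3 bytes
    if hostname is None:                             # no resolved name to compare
        return False
    want = spec.lower().strip(".").split(".")
    have = hostname.lower().split(".")
    return have[-len(want):] == want                 # whole components only

def access_allowed(order, allow, deny, ip, hostname=None, env=()):
    """Model of order: both lists are always evaluated; the list evaluated last wins."""
    allow_hit = any(host_matches(s, ip, hostname, env) for s in allow)
    deny_hit = any(host_matches(s, ip, hostname, env) for s in deny)
    if order == "deny,allow":
        ok = True                                    # initial state is OK
        if deny_hit:
            ok = False
        if allow_hit:
            ok = True
        return ok
    if order == "allow,deny":
        ok = False                                   # initial state is FORBIDDEN
        if allow_hit:
            ok = True
        if deny_hit:
            ok = False
        return ok
    if order == "mutual-failure":
        return allow_hit and not deny_hit
    raise ValueError("unknown ordering: " + order)

# Constructed clients checked against the page's "allow from .ibm.com" example
RULES = ("deny,allow", [".ibm.com"], ["all"])
for ip, name in [("192.0.2.10", "www.ibm.com"), ("192.0.2.11", "QIBMibm.com")]:
    print(name, access_allowed(*RULES, ip, name))
```

The initial state matters most for clients that match neither list: under order deny,allow they are let in, under order allow,deny they are refused.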