The directives provided by .htaccess
files to control access to particular parts of the server.
Access can be controlled based on the client hostname, IP address, or
other characteristics of the client request, as captured in environment variables. The
Both host-based access restrictions and password-based
authentication may be implemented simultaneously. In that case,
the
The directives provided by
In general, access restriction directives apply to all
access methods (GET
, PUT
,
POST
, etc). This is the desired behavior in most
cases. However, it is possible to restrict some methods, while
leaving other methods unrestricted, by enclosing the directives
in a
The
The first argument to this directive is always
from
. The subsequent arguments can take three
different forms. If Allow from all
is specified, then
all hosts are allowed access, subject to the configuration of the
Hosts whose names match, or end in, this string are allowed
access. Only complete components are matched, so the above
example will match foo.apache.org
but it will not
match fooapache.org
. This configuration will cause
Apache to perform a double DNS lookup on the client IP
address, regardless of the setting of the
An IP address of a host allowed access
The first 1 to 3 bytes of an IP address, for subnet restriction.
A network a.b.c.d, and a netmask w.x.y.z. For more fine-grained subnet restriction.
Similar to the previous case, except the netmask consists of nnn high-order 1 bits.
Note that the last three examples above match exactly the same set of hosts.
IPv6 addresses and IPv6 subnets can be specified as shown below:
The third format of the arguments to the
Allow from
env=env-variable
is specified, then the request is
allowed access if the environment variable env-variable
exists. When Allow from env=!env-variable
is
specified, then the request is allowed access if the environment
variable env-variable doesn't exist.
The server provides the ability to set environment
variables in a flexible way based on characteristics of the client
request using the directives provided by
User-Agent
(browser type), Referer
, or
other HTTP request header fields.
In this case, browsers with a user-agent string beginning
with KnockKnock/2.0
will be allowed access, and all
others will be denied.
This directive allows access to the server to be restricted
based on hostname, IP address, or environment variables. The
arguments for the
The
Note that all
Ordering is one of:
Allow,Deny
Deny,Allow
Mutual-failure
Order
Allow,Deny
and is deprecated in its favor.Keywords may only be separated by a comma; no whitespace is allowed between them.
Match | Allow,Deny result | Deny,Allow result |
---|---|---|
Match Allow only | Request allowed | Request allowed |
Match Deny only | Request denied | Request denied |
No match | Default to second directive: Denied | Default to second directive: Allowed |
Match both Allow & Deny | Final match controls: Denied | Final match controls: Allowed |
In the following example, all hosts in the apache.org domain are allowed access; all other hosts are denied access.
In the next example, all hosts in the apache.org domain are
allowed access, except for the hosts which are in the
foo.apache.org subdomain, who are denied access. All hosts not
in the apache.org domain are denied access because the default
state is to
On the other hand, if the Deny,Allow
, all hosts will
be allowed access. This happens because, regardless of the actual
ordering of the directives in the configuration file, the
Allow from apache.org
will be evaluated last and will
override the Deny from foo.apache.org
. All hosts not in
the apache.org
domain will also be allowed access
because the default state is
The presence of an
will Deny all access to the /www
directory
because the default access state is set to
The .htaccess
file, regardless of the setting of the
Access policy if both All
or Any
. This directive is only
useful if access to a particular area is being restricted by both
username/password and client host address. In this case
the default behavior (All
) is to require that the client
passes the address access restriction and enters a valid
username and password. With the Any
option the client will be
granted access if they either pass the host restriction or enter a
valid username and password. This can be used to password restrict
an area, but to let clients from particular addresses in without
prompting for a password.
For example, if you wanted to let people on your network have unrestricted access to a portion of your website, but require that people outside of your network provide a password, you could use a configuration similar to the following:
Since version 2.0.51