The directives provided by .htaccess
files to control access to particular parts of the server. Access
can be controlled based on the client hostname, IP address, or
other characteristics of the client request, as captured in environment variables. The
Both host-based access restrictions and password-based
authentication may be implemented simultaneously. In that case,
the
In general, access restriction directives apply to all
access methods (GET
, PUT
,
POST
, etc). This is the desired behavior in most
cases. However, it is possible to restrict some methods, while
leaving other methods unrestricted, by enclosing the directives
in a
The
The first argument to this directive is always
from
. The subsequent arguments can take three
different forms. If Allow from all
is specified, then
all hosts are allowed access, subject to the configuration of the
Hosts whose names match, or end in, this string are allowed
access. Only complete components are matched, so the above
example will match foo.apache.org
but it will not
match fooapache.org
. This configuration will cause
Apache to perform a double reverse DNS lookup on the client IP
address, regardless of the setting of the
An IP address of a host allowed access
The first 1 to 3 bytes of an IP address, for subnet restriction.
A network a.b.c.d, and a netmask w.x.y.z. For more fine-grained subnet restriction.
Similar to the previous case, except the netmask consists of nnn high-order 1 bits.
Note that the last three examples above match exactly the same set of hosts.
IPv6 addresses and IPv6 subnets can be specified as shown below:
The third format of the arguments to the
Allow from
env=env-variable
is specified, then the request is
allowed access if the environment variable env-variable
exists. The server provides the ability to set environment
variables in a flexible way based on characteristics of the client
request using the directives provided by
User-Agent
(browser type), Referer
, or
other HTTP request header fields.
In this case, browsers with a user-agent string beginning
with KnockKnock/2.0
will be allowed access, and all
others will be denied.
This directive allows access to the server to be restricted
based on hostname, IP address, or environment variables. The
arguments for the
The
Note that all
Ordering is one of:
Allow,Deny
Deny,Allow
Mutual-failure
Order
Allow,Deny
and is deprecated in its favor.Keywords may only be separated by a comma; no whitespace is allowed between them.
Match | Allow,Deny result | Deny,Allow result |
---|---|---|
Match Allow only | Request allowed | Request allowed |
Match Deny only | Request denied | Request denied |
No match | Default to second directive: Denied | Default to second directive: Allowed |
Match both Allow & Deny | Final match controls: Denied | Final match controls: Allowed |
In the following example, all hosts in the apache.org domain are allowed access; all other hosts are denied access.
In the next example, all hosts in the apache.org domain are
allowed access, except for the hosts which are in the foo.apache.org
subdomain, who are denied access. All hosts not in the apache.org
domain are denied access because the default state is to
On the other hand, if the Deny,Allow
, all hosts will
be allowed access. This happens because, regardless of the actual
ordering of the directives in the configuration file, the
Allow from apache.org
will be evaluated last and will
override the Deny from foo.apache.org
. All hosts not in
the apache.org
domain will also be allowed access
because the default state is
The presence of an
will /www
directory because the default access state
is set to
The .htaccess
file, regardless of the setting of
the