The directives provided by .htaccess
files to control access to particular parts of the server.
Access can be controlled based on the client hostname, IP address, or
other characteristics of the client request, as captured in environment variables. The
Both host-based access restrictions and password-based
authentication may be implemented simultaneously. In that case,
the
In general, access restriction directives apply to all
access methods (GET
, PUT
,
POST
, etc). This is the desired behavior in most
cases. However, it is possible to restrict some methods, while
leaving other methods unrestricted, by enclosing the directives
in a
The
The first argument to this directive is always
from
. The subsequent arguments can take three
different forms. If Allow from all
is specified, then
all hosts are allowed access, subject to the configuration of the
Hosts whose names match, or end in, this string are allowed
access. Only complete components are matched, so the above
example will match foo.apache.org
but it will not
match fooapache.org
. This configuration will cause
Apache to perform a double reverse DNS lookup on the client IP
address, regardless of the setting of the
An IP address of a host allowed access
The first 1 to 3 bytes of an IP address, for subnet restriction.
A network a.b.c.d, and a netmask w.x.y.z. For more fine-grained subnet restriction.
Similar to the previous case, except the netmask consists of nnn high-order 1 bits.
Note that the last three examples above match exactly the same set of hosts.
IPv6 addresses and IPv6 subnets can be specified as shown below:
The third format of the arguments to the
Allow from
env=env-variable
is specified, then the request is
allowed access if the environment variable env-variable
exists. The server provides the ability to set environment
variables in a flexible way based on characteristics of the client
request using the directives provided by
User-Agent
(browser type), Referer
, or
other HTTP request header fields.
In this case, browsers with a user-agent string beginning
with KnockKnock/2.0
will be allowed access, and all
others will be denied.
This directive allows access to the server to be restricted
based on hostname, IP address, or environment variables. The
arguments for the
The
Deny,Allow
Allow,Deny
Mutual-failure
Order
Allow,Deny
and is deprecated in favor of that
configuration.Keywords may only be separated by a comma; no whitespace is
allowed between them. Note that in all cases every
In the following example, all hosts in the apache.org domain are allowed access; all other hosts are denied access.
In the next example, all hosts in the apache.org domain are allowed access, except for the hosts which are in the foo.apache.org subdomain, who are denied access. All hosts not in the apache.org domain are denied access because the default state is to deny access to the server.
On the other hand, if the Deny,Allow
, all hosts will
be allowed access. This happens because, regardless of the
actual ordering of the directives in the configuration file,
the Allow from apache.org
will be evaluated last
and will override the Deny from foo.apache.org
.
All hosts not in the apache.org
domain will also
be allowed access because the default state will change to
allow.
The presence of an
will deny all access to the /www
directory
because the default access state will be set to
deny.
The .htaccess
file, regardless of the setting of the