|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head>
|
|
Packit |
90a5c9 |
<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type" />
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
|
|
Packit |
90a5c9 |
This file is generated from xml source: DO NOT EDIT
|
|
Packit |
90a5c9 |
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
|
|
Packit |
90a5c9 |
-->
|
|
Packit |
90a5c9 |
<title>mod_access_compat - Apache HTTP Server Version 2.4</title>
|
|
Packit |
90a5c9 |
<link href="../style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
|
|
Packit |
90a5c9 |
<link href="../style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
|
|
Packit |
90a5c9 |
<link href="../style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="../style/css/prettify.css" />
|
|
Packit |
90a5c9 |
<script src="../style/scripts/prettify.min.js" type="text/javascript">
|
|
Packit |
90a5c9 |
</script>
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
<link href="../images/favicon.ico" rel="shortcut icon" /></head>
|
|
Packit |
90a5c9 |
<body>
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Modules | Directives | FAQ | Glossary | Sitemap
|
|
Packit |
90a5c9 |
Apache HTTP Server Version 2.4
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Apache > HTTP Server > Documentation > Version 2.4 > Modules
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Apache Module mod_access_compat
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Available Languages: en |
|
|
Packit |
90a5c9 |
fr |
|
|
Packit |
90a5c9 |
ja
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
address)
|
|
Packit |
90a5c9 |
Status:Extension
|
|
Packit |
90a5c9 |
Module Identifier:access_compat_module
|
|
Packit |
90a5c9 |
Source File:mod_access_compat.c
|
|
Packit |
90a5c9 |
Compatibility:Available in Apache HTTP Server 2.3 as a compatibility module with
|
|
Packit |
90a5c9 |
previous versions of Apache httpd 2.x. The directives provided by this module
|
|
Packit |
90a5c9 |
have been deprecated by the new authz refactoring. Please see
|
|
Packit |
90a5c9 |
mod_authz_host
|
|
Packit |
90a5c9 |
Summary
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
The directives provided by mod_access_compat are
|
|
Packit |
90a5c9 |
used in <Directory> ,
|
|
Packit |
90a5c9 |
<Files> , and
|
|
Packit |
90a5c9 |
<Location> sections
|
|
Packit |
90a5c9 |
as well as .htaccess
|
|
Packit |
90a5c9 |
files to control access to particular parts of the server.
|
|
Packit |
90a5c9 |
Access can be controlled based on the client hostname, IP address, or
|
|
Packit |
90a5c9 |
other characteristics of the client request, as captured in environment variables. The Allow and Deny directives are used to
|
|
Packit |
90a5c9 |
specify which clients are or are not allowed access to the server,
|
|
Packit |
90a5c9 |
while the Order
|
|
Packit |
90a5c9 |
directive sets the default access state, and configures how the
|
|
Packit |
90a5c9 |
Allow and Deny directives interact with each
|
|
Packit |
90a5c9 |
other.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Both host-based access restrictions and password-based
|
|
Packit |
90a5c9 |
authentication may be implemented simultaneously. In that case,
|
|
Packit |
90a5c9 |
the Satisfy directive is used
|
|
Packit |
90a5c9 |
to determine how the two sets of restrictions interact.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Note
|
|
Packit |
90a5c9 |
The directives provided by mod_access_compat have
|
|
Packit |
90a5c9 |
been deprecated by mod_authz_host .
|
|
Packit |
90a5c9 |
Mixing old directives like Order , Allow or Deny with new ones like
|
|
Packit |
90a5c9 |
Require is technically possible
|
|
Packit |
90a5c9 |
but discouraged. This module was created to support
|
|
Packit |
90a5c9 |
configurations containing only old directives to facilitate the 2.4 upgrade.
|
|
Packit |
90a5c9 |
Please check the upgrading guide for more
|
|
Packit |
90a5c9 |
information.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
In general, access restriction directives apply to all
|
|
Packit |
90a5c9 |
access methods (GET , PUT ,
|
|
Packit |
90a5c9 |
POST , etc). This is the desired behavior in most
|
|
Packit |
90a5c9 |
cases. However, it is possible to restrict some methods, while
|
|
Packit |
90a5c9 |
leaving other methods unrestricted, by enclosing the directives
|
|
Packit |
90a5c9 |
in a <Limit> section.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Merging of configuration sections
|
|
Packit |
90a5c9 |
When any directive provided by this module is used in a new
|
|
Packit |
90a5c9 |
configuration section, no directives provided by this module are
|
|
Packit |
90a5c9 |
inherited from previous configuration sections.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Directives
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Allow
|
|
Packit |
90a5c9 |
Deny
|
|
Packit |
90a5c9 |
Order
|
|
Packit |
90a5c9 |
Satisfy
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Bugfix checklistSee also
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Require
|
|
Packit |
90a5c9 |
mod_authz_host
|
|
Packit |
90a5c9 |
mod_authz_core
|
|
Packit |
90a5c9 |
Comments
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Description:Controls which hosts can access an area of the
|
|
Packit |
90a5c9 |
server
|
|
Packit |
90a5c9 |
Syntax: Allow from all|host|env=[!]env-variable
|
|
Packit |
90a5c9 |
[host|env=[!]env-variable] ...
|
|
Packit |
90a5c9 |
Context:directory, .htaccess
|
|
Packit |
90a5c9 |
Override:Limit
|
|
Packit |
90a5c9 |
Status:Extension
|
|
Packit |
90a5c9 |
Module:mod_access_compat
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
The Allow directive affects which hosts can
|
|
Packit |
90a5c9 |
access an area of the server. Access can be controlled by
|
|
Packit |
90a5c9 |
hostname, IP address, IP address range, or by other
|
|
Packit |
90a5c9 |
characteristics of the client request captured in environment
|
|
Packit |
90a5c9 |
variables.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
The first argument to this directive is always
|
|
Packit |
90a5c9 |
from . The subsequent arguments can take three
|
|
Packit |
90a5c9 |
different forms. If Allow from all is specified, then
|
|
Packit |
90a5c9 |
all hosts are allowed access, subject to the configuration of the
|
|
Packit |
90a5c9 |
Deny and Order directives as discussed
|
|
Packit |
90a5c9 |
below. To allow only particular hosts or groups of hosts to access
|
|
Packit |
90a5c9 |
the server, the host can be specified in any of the
|
|
Packit |
90a5c9 |
following formats:
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
A (partial) domain-name
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Allow from example.org
|
|
Packit |
90a5c9 |
Allow from .net example.edu
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Hosts whose names match, or end in, this string are allowed
|
|
Packit |
90a5c9 |
access. Only complete components are matched, so the above
|
|
Packit |
90a5c9 |
example will match foo.example.org but it will not
|
|
Packit |
90a5c9 |
match fooexample.org . This configuration will cause
|
|
Packit |
90a5c9 |
Apache httpd to perform a double DNS lookup on the client IP
|
|
Packit |
90a5c9 |
address, regardless of the setting of the HostnameLookups directive. It will do
|
|
Packit |
90a5c9 |
a reverse DNS lookup on the IP address to find the associated
|
|
Packit |
90a5c9 |
hostname, and then do a forward lookup on the hostname to assure
|
|
Packit |
90a5c9 |
that it matches the original IP address. Only if the forward
|
|
Packit |
90a5c9 |
and reverse DNS are consistent and the hostname matches will
|
|
Packit |
90a5c9 |
access be allowed.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
A full IP address
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Allow from 10.1.2.3
|
|
Packit |
90a5c9 |
Allow from 192.168.1.104 192.168.1.205
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
An IP address of a host allowed access
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
A partial IP address
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Allow from 10.1
|
|
Packit |
90a5c9 |
Allow from 10 172.20 192.168.2
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
The first 1 to 3 bytes of an IP address, for subnet
|
|
Packit |
90a5c9 |
restriction.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
A network/netmask pair
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Allow from 10.1.0.0/255.255.0.0
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
A network a.b.c.d, and a netmask w.x.y.z. For more
|
|
Packit |
90a5c9 |
fine-grained subnet restriction.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
A network/nnn CIDR specification
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Allow from 10.1.0.0/16
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Similar to the previous case, except the netmask consists of
|
|
Packit |
90a5c9 |
nnn high-order 1 bits.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Note that the last three examples above match exactly the
|
|
Packit |
90a5c9 |
same set of hosts.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
IPv6 addresses and IPv6 subnets can be specified as shown
|
|
Packit |
90a5c9 |
below:
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Allow from 2001:db8::a00:20ff:fea7:ccea
|
|
Packit |
90a5c9 |
Allow from 2001:db8::a00:20ff:fea7:ccea/10
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
The third format of the arguments to the
|
|
Packit |
90a5c9 |
Allow directive allows access to the server
|
|
Packit |
90a5c9 |
to be controlled based on the existence of an environment variable. When Allow from
|
|
Packit |
90a5c9 |
env=env-variable is specified, then the request is
|
|
Packit |
90a5c9 |
allowed access if the environment variable env-variable
|
|
Packit |
90a5c9 |
exists. When Allow from env=!env-variable is
|
|
Packit |
90a5c9 |
specified, then the request is allowed access if the environment
|
|
Packit |
90a5c9 |
variable env-variable doesn't exist.
|
|
Packit |
90a5c9 |
The server provides the ability to set environment
|
|
Packit |
90a5c9 |
variables in a flexible way based on characteristics of the client
|
|
Packit |
90a5c9 |
request using the directives provided by
|
|
Packit |
90a5c9 |
mod_setenvif . Therefore, this directive can be
|
|
Packit |
90a5c9 |
used to allow access based on such factors as the clients
|
|
Packit |
90a5c9 |
User-Agent (browser type), Referer , or
|
|
Packit |
90a5c9 |
other HTTP request header fields.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
SetEnvIf User-Agent ^KnockKnock/2\.0 let_me_in
|
|
Packit |
90a5c9 |
<Directory "/docroot">
|
|
Packit |
90a5c9 |
Order Deny,Allow
|
|
Packit |
90a5c9 |
Deny from all
|
|
Packit |
90a5c9 |
Allow from env=let_me_in
|
|
Packit |
90a5c9 |
</Directory>
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
In this case, browsers with a user-agent string beginning
|
|
Packit |
90a5c9 |
with KnockKnock/2.0 will be allowed access, and all
|
|
Packit |
90a5c9 |
others will be denied.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Merging of configuration sections
|
|
Packit |
90a5c9 |
When any directive provided by this module is used in a new
|
|
Packit |
90a5c9 |
configuration section, no directives provided by this module are
|
|
Packit |
90a5c9 |
inherited from previous configuration sections.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Description:Controls which hosts are denied access to the
|
|
Packit |
90a5c9 |
server
|
|
Packit |
90a5c9 |
Syntax: Deny from all|host|env=[!]env-variable
|
|
Packit |
90a5c9 |
[host|env=[!]env-variable] ...
|
|
Packit |
90a5c9 |
Context:directory, .htaccess
|
|
Packit |
90a5c9 |
Override:Limit
|
|
Packit |
90a5c9 |
Status:Extension
|
|
Packit |
90a5c9 |
Module:mod_access_compat
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
This directive allows access to the server to be restricted
|
|
Packit |
90a5c9 |
based on hostname, IP address, or environment variables. The
|
|
Packit |
90a5c9 |
arguments for the Deny directive are
|
|
Packit |
90a5c9 |
identical to the arguments for the Allow directive.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Description:Controls the default access state and the order in which
|
|
Packit |
90a5c9 |
Allow and Deny are
|
|
Packit |
90a5c9 |
evaluated.
|
|
Packit |
90a5c9 |
Syntax: Order ordering
|
|
Packit |
90a5c9 |
Default:Order Deny,Allow
|
|
Packit |
90a5c9 |
Context:directory, .htaccess
|
|
Packit |
90a5c9 |
Override:Limit
|
|
Packit |
90a5c9 |
Status:Extension
|
|
Packit |
90a5c9 |
Module:mod_access_compat
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
The Order directive, along with the
|
|
Packit |
90a5c9 |
Allow and
|
|
Packit |
90a5c9 |
Deny directives,
|
|
Packit |
90a5c9 |
controls a three-pass access control system. The first pass
|
|
Packit |
90a5c9 |
processes either all Allow or all Deny directives, as specified
|
|
Packit |
90a5c9 |
by the Order
|
|
Packit |
90a5c9 |
directive. The second pass parses the rest of the directives
|
|
Packit |
90a5c9 |
(Deny or
|
|
Packit |
90a5c9 |
Allow ). The third
|
|
Packit |
90a5c9 |
pass applies to all requests which do not match either of the first
|
|
Packit |
90a5c9 |
two.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Note that all Allow and Deny directives are
|
|
Packit |
90a5c9 |
processed, unlike a typical firewall, where only the first match is
|
|
Packit |
90a5c9 |
used. The last match is effective (also unlike a typical firewall).
|
|
Packit |
90a5c9 |
Additionally, the order in which lines appear in the configuration
|
|
Packit |
90a5c9 |
files is not significant -- all Allow lines are processed as
|
|
Packit |
90a5c9 |
one group, all Deny lines are considered as
|
|
Packit |
90a5c9 |
another, and the default state is considered by itself.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Ordering is one of:
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Allow,Deny
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
First, all Allow directives are
|
|
Packit |
90a5c9 |
evaluated; at least one must match, or the request is rejected.
|
|
Packit |
90a5c9 |
Next, all Deny
|
|
Packit |
90a5c9 |
directives are evaluated. If any matches, the request is rejected.
|
|
Packit |
90a5c9 |
Last, any requests which do not match an Allow or a Deny directive are denied
|
|
Packit |
90a5c9 |
by default.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Deny,Allow
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
First, all Deny directives are
|
|
Packit |
90a5c9 |
evaluated; if any match, the request is denied
|
|
Packit |
90a5c9 |
unless it also matches an Allow directive. Any
|
|
Packit |
90a5c9 |
requests which do not match any Allow or Deny directives are
|
|
Packit |
90a5c9 |
permitted.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Mutual-failure
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
This order has the same effect as Order
|
|
Packit |
90a5c9 |
Allow,Deny and is deprecated in its favor.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Keywords may only be separated by a comma; no whitespace
|
|
Packit |
90a5c9 |
is allowed between them.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Match
|
|
Packit |
90a5c9 |
Allow,Deny result
|
|
Packit |
90a5c9 |
Deny,Allow result
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Match Allow only
|
|
Packit |
90a5c9 |
Request allowed
|
|
Packit |
90a5c9 |
Request allowed
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Match Deny only
|
|
Packit |
90a5c9 |
Request denied
|
|
Packit |
90a5c9 |
Request denied
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
No match
|
|
Packit |
90a5c9 |
Default to second directive: Denied
|
|
Packit |
90a5c9 |
Default to second directive: Allowed
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Match both Allow & Deny
|
|
Packit |
90a5c9 |
Final match controls: Denied
|
|
Packit |
90a5c9 |
Final match controls: Allowed
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
In the following example, all hosts in the example.org domain
|
|
Packit |
90a5c9 |
are allowed access; all other hosts are denied access.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Order Deny,Allow
|
|
Packit |
90a5c9 |
Deny from all
|
|
Packit |
90a5c9 |
Allow from example.org
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
In the next example, all hosts in the example.org domain are
|
|
Packit |
90a5c9 |
allowed access, except for the hosts which are in the
|
|
Packit |
90a5c9 |
foo.example.org subdomain, who are denied access. All hosts not
|
|
Packit |
90a5c9 |
in the example.org domain are denied access because the default
|
|
Packit |
90a5c9 |
state is to Deny
|
|
Packit |
90a5c9 |
access to the server.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Order Allow,Deny
|
|
Packit |
90a5c9 |
Allow from example.org
|
|
Packit |
90a5c9 |
Deny from foo.example.org
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
On the other hand, if the Order in the
|
|
Packit |
90a5c9 |
last example is changed to Deny,Allow , all hosts will
|
|
Packit |
90a5c9 |
be allowed access. This happens because, regardless of the actual
|
|
Packit |
90a5c9 |
ordering of the directives in the configuration file, the
|
|
Packit |
90a5c9 |
Allow from example.org will be evaluated last and will
|
|
Packit |
90a5c9 |
override the Deny from foo.example.org . All hosts not in
|
|
Packit |
90a5c9 |
the example.org domain will also be allowed access
|
|
Packit |
90a5c9 |
because the default state is Allow .
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
The presence of an Order directive can
|
|
Packit |
90a5c9 |
affect access to a part of the server even in the absence of
|
|
Packit |
90a5c9 |
accompanying Allow
|
|
Packit |
90a5c9 |
and Deny
|
|
Packit |
90a5c9 |
directives because of its effect on the default access state. For
|
|
Packit |
90a5c9 |
example,
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
<Directory "/www">
|
|
Packit |
90a5c9 |
Order Allow,Deny
|
|
Packit |
90a5c9 |
</Directory>
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
will Deny all access to the /www directory
|
|
Packit |
90a5c9 |
because the default access state is set to
|
|
Packit |
90a5c9 |
Deny .
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
The Order directive controls the order of access
|
|
Packit |
90a5c9 |
directive processing only within each phase of the server's
|
|
Packit |
90a5c9 |
configuration processing. This implies, for example, that an
|
|
Packit |
90a5c9 |
Allow or Deny directive occurring in a
|
|
Packit |
90a5c9 |
<Location> section will
|
|
Packit |
90a5c9 |
always be evaluated after an Allow or Deny directive occurring in a
|
|
Packit |
90a5c9 |
<Directory> section or
|
|
Packit |
90a5c9 |
.htaccess file, regardless of the setting of the
|
|
Packit |
90a5c9 |
Order directive. For details on the merging
|
|
Packit |
90a5c9 |
of configuration sections, see the documentation on How Directory, Location and Files sections
|
|
Packit |
90a5c9 |
work.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Merging of configuration sections
|
|
Packit |
90a5c9 |
When any directive provided by this module is used in a new
|
|
Packit |
90a5c9 |
configuration section, no directives provided by this module are
|
|
Packit |
90a5c9 |
inherited from previous configuration sections.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Description:Interaction between host-level access control and
|
|
Packit |
90a5c9 |
user authentication
|
|
Packit |
90a5c9 |
Syntax:Satisfy Any|All
|
|
Packit |
90a5c9 |
Default:Satisfy All
|
|
Packit |
90a5c9 |
Context:directory, .htaccess
|
|
Packit |
90a5c9 |
Override:AuthConfig
|
|
Packit |
90a5c9 |
Status:Extension
|
|
Packit |
90a5c9 |
Module:mod_access_compat
|
|
Packit |
90a5c9 |
Compatibility:Influenced by <Limit> and <LimitExcept> in version 2.0.51 and
|
|
Packit |
90a5c9 |
later
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Access policy if both Allow and Require used. The parameter can be
|
|
Packit |
90a5c9 |
either All or Any . This directive is only
|
|
Packit |
90a5c9 |
useful if access to a particular area is being restricted by both
|
|
Packit |
90a5c9 |
username/password and client host address. In this case
|
|
Packit |
90a5c9 |
the default behavior (All ) is to require that the client
|
|
Packit |
90a5c9 |
passes the address access restriction and enters a valid
|
|
Packit |
90a5c9 |
username and password. With the Any option the client will be
|
|
Packit |
90a5c9 |
granted access if they either pass the host restriction or enter a
|
|
Packit |
90a5c9 |
valid username and password. This can be used to password restrict
|
|
Packit |
90a5c9 |
an area, but to let clients from particular addresses in without
|
|
Packit |
90a5c9 |
prompting for a password.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
For example, if you wanted to let people on your network have
|
|
Packit |
90a5c9 |
unrestricted access to a portion of your website, but require that
|
|
Packit |
90a5c9 |
people outside of your network provide a password, you could use a
|
|
Packit |
90a5c9 |
configuration similar to the following:
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Require valid-user
|
|
Packit |
90a5c9 |
Allow from 192.168.1
|
|
Packit |
90a5c9 |
Satisfy Any
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Another frequent use of the Satisfy directive
|
|
Packit |
90a5c9 |
is to relax access restrictions for a subdirectory:
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
<Directory "/var/www/private">
|
|
Packit |
90a5c9 |
Require valid-user
|
|
Packit |
90a5c9 |
</Directory>
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
<Directory "/var/www/private/public">
|
|
Packit |
90a5c9 |
Allow from all
|
|
Packit |
90a5c9 |
Satisfy Any
|
|
Packit |
90a5c9 |
</Directory>
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
In the above example, authentication will be required for the
|
|
Packit |
90a5c9 |
/var/www/private directory, but will not be required
|
|
Packit |
90a5c9 |
for the /var/www/private/public directory.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Since version 2.0.51 Satisfy directives can
|
|
Packit |
90a5c9 |
be restricted to particular methods by <Limit> and <LimitExcept> sections.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Merging of configuration sections
|
|
Packit |
90a5c9 |
When any directive provided by this module is used in a new
|
|
Packit |
90a5c9 |
configuration section, no directives provided by this module are
|
|
Packit |
90a5c9 |
inherited from previous configuration sections.
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
See also
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Allow
|
|
Packit |
90a5c9 |
Require
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
|
|
Packit |
90a5c9 |
Available Languages: en |
|
|
Packit |
90a5c9 |
fr |
|
|
Packit |
90a5c9 |
ja
|
|
Packit |
90a5c9 |
Notice:This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our mailing lists.
|
|
Packit |
90a5c9 |
<script type="text/javascript">
|
|
Packit |
90a5c9 |
var comments_shortname = 'httpd';
|
|
Packit |
90a5c9 |
var comments_identifier = 'http://httpd.apache.org/docs/2.4/mod/mod_access_compat.html';
|
|
Packit |
90a5c9 |
(function(w, d) {
|
|
Packit |
90a5c9 |
if (w.location.hostname.toLowerCase() == "httpd.apache.org") {
|
|
Packit |
90a5c9 |
d.write('
|
|
Packit |
90a5c9 |
var s = d.createElement('script');
|
|
Packit |
90a5c9 |
s.type = 'text/javascript';
|
|
Packit |
90a5c9 |
s.async = true;
|
|
Packit |
90a5c9 |
s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier;
|
|
Packit |
90a5c9 |
(d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s);
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
else {
|
|
Packit |
90a5c9 |
d.write('
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
})(window, document);
|
|
Packit |
90a5c9 |
//--></script>
|
|
Packit |
90a5c9 |
Copyright 2018 The Apache Software Foundation. Licensed under the Apache License, Version 2.0.
|
|
Packit |
90a5c9 |
Modules | Directives | FAQ | Glossary | Sitemap <script type="text/javascript">
|
|
Packit |
90a5c9 |
if (typeof(prettyPrint) !== 'undefined') {
|
|
Packit |
90a5c9 |
prettyPrint();
|
|
Packit |
90a5c9 |
}
|
|
Packit |
90a5c9 |
//--></script>
|
|
Packit |
90a5c9 |
</body></html>
|