Home > Articles

  • Print
  • + Share This
This chapter is from the book

Access Control

The mod_access module, enabled by default, enables you to restrict access to resources based on parameters of the client request, such as the presence of a specific header or the IP address or hostname of the client.

Access Rules

You can specify access rules using the Allow and Deny directives. Each of these directives takes a list of arguments such as IP addresses, environment variables, and domain names.

IP Addresses

You can deny or grant access to a client based on its IP address:

Allow from

You can also specify IP address ranges, with a partial IP address or a network/mask pair.

A Partial IP Address

You can specify the first one, two, or three bytes of an IP address. Any IP address containing those will match this rule. For example, the rule

Deny from 10.0

will match any address starting with 10.0, such as and

A Network/Mask Pair

The IP address specifies the network and the mask specifies which bits belong to the network prefix and which ones belong to the nodes.

Allow from

will match IP addresses,, and so on, to

You can also specify the network mask via high-order bits. For example, the previous rule could be written as

Allow from

Domain Name

You can control access based on specific hostnames or partial domain names. For example, Allow from example.com will match http://www.example.com, foo.example.com, and so on.


Enabling access rules based on domain names will force Apache to do a reverse DNS lookup on the client address, bypassing the settings of the HostNameLookups directive. The HostNameLookups directive is described in Hour 8, "Logging and Monitoring." This has performance implications.

Environment Variables

You can specify access rules based on the presence of a certain environment variable, prefixing the name of the variable with env=. You can use this feature to grant or deny access to certain browsers or browser versions, to prevent specific sites from linking to your resources, and so on. Listing 7.4 shows you how to implement browser blocking.

Listing 7.4 Using Environment Variables to Restrict Access

BrowserMatch MSIE iexplorer
Deny from env=iexplorer

Note that, for this example to work as intended, the client needs to transmit the User-Agent header. Because the client sends this header, it could be omitted or manipulated, but most users will not do so and the technique will work in most cases.

How to set environment variables is explained in Hour 9, "Content Negotiation and Environment Variables."

All Clients

The keyword all matches all clients. You can specify Allow from all or Deny from all to grant or deny access to all clients.

Access Rules Evaluation

You can have several Allow and Deny access rules. You can choose the order in which the rules are evaluated by using the Order directive. Rules that are evaluated later have higher precedence. Order accepts one argument, which can be Deny,Allow, Allow,Deny, or Mutual-Failure. Deny,Allow is the default value for the Order directive. Note that there is no space in the value.


Deny,Allow specifies that Deny directives are evaluated before Allow directives. With Deny,Allow, the client is granted access by default if there are no Allow or Deny directives or the client does not match any of the rules. If the client matches a Deny rule, it will be denied access unless it also matches an Allow rule, which will take precedence because Allow directives are evaluated last and have greater priority.

Listing 7.5 shows how to configure Apache to allow access to the /private location to clients coming from the internal network or the domain example.com and deny access to everyone else.

Listing 7.5 Sample Access Control Configuration

1: <location /private>
2:  Order Deny,Allow
3:  Allow from example.com
4:  Deny from all
5: </location>


Allow,Deny specifies that Allow directives are evaluated before Deny directives. With Allow,Deny, the client is denied access by default if there are no Allow or Deny directives or if the client does not match any of the rules. If the client matches an Allow rule, it will be granted access unless it also matches a Deny rule, which will take precedence.

Note that the presence of Order Allow,Deny without any Allow or Deny rules will cause all requests to the specified resource to be denied because the default behavior is to deny access.

Listing 7.6 allows access to everyone except a specific host.

Listing 7.6 Sample Access Control Configuration

1: <location /some/location/>
2:  Order Allow,Deny
3:  Allow from all
4:  Deny from host.example.com
5: </location>


In this case, the host will be granted access only if it matches an Allow directive and does not match any Deny directive.

  • + Share This
  • 🔖 Save To Your Account