<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html lang="en-us" xml:lang="en-us"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="security" content="public" /> <meta name="Robots" content="index,follow" /> <meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' /> <meta name="DC.Type" content="topic" /> <meta name="DC.Title" content="Module mod_access" /> <meta name="copyright" content="(C) Copyright IBM Corporation 2002,2006" /> <meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2002,2006" /> <meta name="DC.Format" content="XHTML" /> <meta name="DC.Identifier" content="rzaiemod_access" /> <meta name="DC.Language" content="en-us" /> <!-- All rights reserved. Licensed Materials Property of IBM --> <!-- US Government Users Restricted Rights --> <!-- Use, duplication or disclosure restricted by --> <!-- GSA ADP Schedule Contract with IBM Corp. --> <link rel="stylesheet" type="text/css" href="./ibmdita.css" /> <link rel="stylesheet" type="text/css" href="./ic.css" /> <title>Module mod_access</title> </head> <body id="rzaiemod_access"><a name="rzaiemod_access"><!-- --></a> <!-- Java sync-link --><script language="Javascript" src="../rzahg/synch.js" type="text/javascript"></script> <!--Java sync-link--><h1 class="topictitle1">Module mod_access</h1> <div><div class="important"><span class="importanttitle">Important:</span> Information for this topic supports the latest PTF levels for HTTP Server for i5/OS . It is recommended that you install the latest PTFs to upgrade to the latest level of the HTTP Server for i5/OS. Some of the topics documented here are not available prior to this update. 
See <a href="http://www-03.ibm.com/servers/eserver/iseries/software/http/services/service.html" target="_blank">http://www.ibm.com/servers/eserver/iseries/software/http/services/service.htm</a> <img src="www.gif" alt="Link outside Information Center" /> for more information. </div> <p><strong>Summary</strong></p> <p>The module mod_access provides access control based on a client's hostname or IP address.</p> <p><strong>Directives</strong></p> <ul><li><a href="#allow">Allow</a></li> <li><a href="#deny">Deny</a></li> <li><a href="#order">Order</a></li> </ul> </div> <div class="hr" id="allow"><a name="allow"><!-- --></a><h2 class="topictitle2">Allow</h2> <div> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_access</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: allow from <em>all | env=[!]envvar | host [host ...]</em></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: none</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: <span id="allow__allow_context"><a name="allow__allow_context"><!-- --></a>directory, .htaccess</span></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: Limit</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: <span id="allow__allow_origin"><a name="allow__allow_origin"><!-- --></a>Apache</span></td> </tr> <tr><td colspan="2" valign="top"><strong><a 
href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: allow from all</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: allow from env=go_away</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: allow from 10.10.10.10 .ibm.com</td> </tr> </tbody> </table> </div> <p>The Allow directive affects which hosts can access a given directory.</p> <dl class="block"><dt class="dlterm"><strong>Parameter</strong>: <em>host</em></dt> <dd><ul><li>If <em>all</em>, all hosts are allowed access.</li> <li>If <em>full</em> or <em>partial domain-name</em>, hosts whose names match or end in this string are allowed access. </li> <li>If <em>full IP address</em>, only the host with this IP address is allowed access. </li> <li>If <em>partial IP address</em>, only the first 1 to 3 bytes of an IP address are specified, for subnet restriction. </li> <li>If <em>network/netmask</em>, a network a.b.c.d and a netmask w.x.y.z can be used for fine-grained subnet restriction (for example, 10.2.0.0/255.255.0.0). </li> <li>If <em>network/nnn CIDR specification</em>, it is similar to the previous case, except the netmask consists of nnn higher-order 1 bits (for example, 10.1.0.0/16 is the same as 10.1.0.0/255.255.0.0).</li> </ul> <div class="note"><span class="notetitle">Note:</span> This compares whole components (ibm.com<sup>®</sup> would not match <em>QIBMibm.com</em>).</div> </dd> </dl> <p>The allow from env option controls access to a directory by the existence (or nonexistence) of an environment variable.
For example: </p> <pre class="block">BrowserMatch ^KnockKnock/2.0 let_me_in
&lt;Directory /docroot&gt;
   order deny,allow
   deny from all
   allow from env=let_me_in
&lt;/Directory&gt;</pre> <p>In this case browsers with the user-agent string KnockKnock/2.0 will be allowed access, and all others will be denied.</p> <p>See also <a href="#deny">Deny</a>, <a href="#order">Order</a>, and BrowserMatch.</p> </div> </div> <div class="hr" id="deny"><a name="deny"><!-- --></a><h2 class="topictitle2">Deny</h2> <div> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_access</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: deny from <em>all | env=[!]envvar | host [host ...]</em></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: none</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: <span id="deny__deny_context"><a name="deny__deny_context"><!-- --></a>directory, .htaccess</span></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: Limit</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: <span id="deny__deny_origin"><a name="deny__deny_origin"><!-- --></a>Apache</span></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: deny from env=go_away</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: deny from 10.10.10.10
.ibm.com</td> </tr> </tbody> </table> </div> <p>The Deny directive affects which hosts can access a given directory.</p> <dl class="block"><dt class="dlterm"><strong>Parameter</strong>: <em>host</em></dt> <dd><ul><li>If <em>all</em>, all hosts are denied access. </li> <li>If <em>full</em> or <em>partial domain-name</em>, hosts whose names match or end in this string are denied access. </li> <li>If <em>full IP address</em>, only the host with this IP address is denied access. </li> <li>If <em>partial IP address</em>, only the first 1 to 3 bytes of an IP address are specified, for subnet restriction. </li> <li>If <em>network/netmask</em>, a network a.b.c.d and a netmask w.x.y.z can be used for fine-grained subnet restriction (for example, 10.2.0.0/255.255.0.0). </li> <li>If <em>network/nnn CIDR specification</em>, it is similar to the previous case, except the netmask consists of nnn higher-order 1 bits (for example, 10.1.0.0/16 is the same as 10.1.0.0/255.255.0.0).</li> </ul> <div class="note"><span class="notetitle">Note:</span> This compares whole components (ibm.com would not match <em>QIBMibm.com</em>). </div> </dd> </dl> <p>The deny from env option controls access to a directory by the existence (or nonexistence) of an environment variable. For example: </p> <pre class="block">BrowserMatch ^BadRobot/0.9 go_away
&lt;Directory /docroot&gt;
   order allow,deny
   allow from all
   deny from env=go_away
&lt;/Directory&gt;</pre> <p>In this case browsers with the user-agent string BadRobot/0.9 will be denied access, and all others will be allowed.</p> <p>See also <a href="#allow">Allow</a> and <a href="#order">Order</a>.
</p> </div> </div> <div class="hr" id="order"><a name="order"><!-- --></a><h2 class="topictitle2">Order</h2> <div> <div class="tablenoborder"><table cellpadding="4" cellspacing="0" summary="" frame="void" border="0" rules="none"><tbody><tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Module">Module</a></strong>: mod_access</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Syntax">Syntax</a></strong>: order <em>ordering</em></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Default">Default</a></strong>: order deny,allow</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Context">Context</a></strong>: <span id="order__order_context"><a name="order__order_context"><!-- --></a>directory, .htaccess</span></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Override">Override</a></strong>: Limit</td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Origin">Origin</a></strong>: <span id="order__order_origin"><a name="order__order_origin"><!-- --></a>Modified</span></td> </tr> <tr><td colspan="2" valign="top"><strong><a href="rzaiedirective-dict.htm#rzaiedirective-dict__Example">Example</a></strong>: order deny,allow</td> </tr> </tbody> </table> </div> <p>The order directive controls the order in which Allow and Deny directives are evaluated. 
</p> <dl class="block"><dt class="dlterm"><strong>Parameter</strong>: <em>ordering</em></dt> <dd><ul><li>If <em>deny,allow</em>, the deny directives are evaluated before the allow directives (the initial state is OK).</li> <li>If <em>allow,deny</em>, the allow directives are evaluated before the deny directives (the initial state is FORBIDDEN).</li> <li>If <em>mutual-failure</em>, only those hosts which appear on the allow list and do not appear on the deny list are granted access (the initial state is irrelevant). </li> </ul> </dd> </dl> <p>Keywords may only be separated by a comma; no whitespace is allowed between them. Note that in all cases every allow and deny statement is evaluated; there is no "short-circuiting". For example: </p> <pre class="block">order deny,allow
deny from all
allow from .ibm.com</pre> <p>Hosts in the ibm.com domain are allowed access; all other hosts are denied access.</p> <p>In the following example, the first container's intent is to keep everyone out. The next container overrides for the appropriate subdirectory. </p> <pre class="block">&lt;Directory /&gt;
   Order deny,allow
   deny from all
   allow from none
&lt;/Directory&gt;
Alias /root /bobtest/xyz/html
&lt;Directory /bobtest/xyz/html/&gt;
   Order allow,deny
   allow from all
   Authtype Basic
   AuthName "root and %%SYSTEM%%"
   PasswdFile %%SYSTEM%%
   Require valid-user
   UserID %%SYSTEM%%
&lt;/Directory&gt;</pre> </div> </div> </body> </html>
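Added example (not part of the IBM documentation and not the server's own code): a Python model of the Allow, Deny and Order rules described on this page, for checking what a policy decides for a given client before it is deployed. The function names, and passing the client's host name and environment variables in as arguments, are assumptions of this sketch; it also shows that under order deny,allow a client matching no rule is allowed, while under allow,deny it is refused.

```python
import ipaddress

def host_matches(spec, ip, hostname=None, env=frozenset()):
    """Model of one Allow/Deny argument, following the parameter list on this page."""
    if spec == "all":
        return True
    if spec.startswith("env="):                  # env=[!]envvar
        var = spec[4:]
        return var[1:] not in env if var.startswith("!") else var in env
    if "/" in spec:                              # network/netmask or network/nnn
        net = ipaddress.ip_network(spec, strict=False)
        return ipaddress.ip_address(ip) in net
    parts = spec.rstrip(".").split(".")
    if all(p.isdigit() for p in parts):          # full or partial IP address
        return ip.split(".")[:len(parts)] == parts   # whole bytes, not a string prefix
    if hostname is None:                         # no resolved name to compare
        return False
    want = spec.strip(".").lower().split(".")    # domain: whole components only
    have = hostname.lower().split(".")
    return have[-len(want):] == want

def access_allowed(order, allow, deny, ip, hostname=None, env=frozenset()):
    """Apply the Order rules as stated above; every allow and deny is evaluated."""
    allowed = any([host_matches(s, ip, hostname, env) for s in allow])
    denied = any([host_matches(s, ip, hostname, env) for s in deny])
    if order == "deny,allow":
        ok = True                # initial state is OK
        if denied:
            ok = False
        if allowed:              # allow is evaluated last, so it overrides deny
            ok = True
    elif order == "allow,deny":
        ok = False               # initial state is FORBIDDEN
        if allowed:
            ok = True
        if denied:               # deny is evaluated last, so it overrides allow
            ok = False
    elif order == "mutual-failure":
        ok = allowed and not denied
    else:                        # also rejects "deny, allow": no whitespace is permitted
        raise ValueError("invalid ordering: %r" % order)
    return ok

# Constructed clients checked against the page's example policies.
if __name__ == "__main__":
    knock = ("deny,allow", ["env=let_me_in"], ["all"])
    print(access_allowed(*knock, "192.0.2.7", env={"let_me_in"}))      # KnockKnock/2.0
    print(access_allowed("allow,deny", ["all"], ["env=go_away"], "192.0.2.7", env={"go_away"}))
    print(access_allowed("deny,allow", [".ibm.com"], ["all"], "192.0.2.7", "QIBMibm.com"))
    print(access_allowed("deny,allow", ["10.1"], [], "192.0.2.7"))     # no rule matches
```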