2.3.28 Allow
Allow restricts the clients that can access the web server.
Description
Allow restricts the clients that can access the web server. In host, you can specify the domain name, IP address, subnet, or netmask of the hosts that are permitted access. To permit access from all hosts, specify all.
In addition, the domain name, address, and prefix length that are related to the IPv6 address can be specified in host. When you specify an IPv6 address, do not enclose the IPv6 address in square brackets ([ ]). Specify the prefix length in the format IPv6_address/prefix_length. Specify the prefix length as a decimal.
If env=environment_variable is specified, access to the web server can be controlled by using the environment variable. If env=environment_variable is used together with the BrowserMatch, BrowserMatchNoCase, SetEnvIf, and SetEnvIfNoCase directives, access to the web server can be restricted based on HTTP request header fields.
The order in which the Allow directive (access permitted) and the Deny directive (access restricted) are evaluated can be specified by using the Order directive.
| Host | Meaning |
|---|---|
| Domain name | Permits access from the host specified for the domain name. |
| IP address | Permits access from the host specified for the IP address. |
| Subnet | Permits access from the host specified for the subnet (the first 3 bytes of the IP address). |
| Netmask | Permits access from the host specified for the netmask notation (Example: 10.1.0.0/255.255.0.0). The format 10.1.0.0/16 has the same meaning as 10.1.0.0/255.255.0.0. |
Syntax
Allow from {host|all|env=environment_variable} [{host|env=environment_variable} ...]
Locations where it can be written
<Directory> and .htaccess
Overwrite permission
Limit level
Examples
- Example 1:

      SetEnvIf User-Agent Mozilla.* access_ok
      <Directory /docroot>
        Order deny,allow
        Deny from all
        Allow from env=access_ok
      </Directory>

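In this case, only requests whose User-Agent header contains the character string Mozilla are permitted, and other requests are refused. Because the User-Agent header is set by the client, this filters on the declared browser type and does not authenticate the client.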
- Example 2:

To specify the IPv6 address in host:

      allow from 2001::123:4567:89ab:cdef

In addition, when specifying the prefix length, all of the following specifications have the same meaning.

      allow from 2001:0:0:89ab::/64
      allow from 2001:0:0:89AB::/64
      allow from 2001::89ab:0:0:0:0/64
      allow from 2001:0000:0000:89ab:0000:0000:0000:0000/64
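
When reviewing an access list, the notation rules above (netmask versus prefix length, the 3-byte subnet form, equivalent IPv6 spellings, no square brackets) can be checked offline by normalizing each host entry. The following Python code is an added example, not part of this manual or the product; the function names are hypothetical, and treating the 3-byte subnet as a /24 and masking stray host bits are assumptions of the example.

```python
import ipaddress

def parse_host(token):
    """Classify one host token of an 'Allow from' line as (kind, value)."""
    low = token.lower()
    if low == "all":
        return ("all", None)
    if low.startswith("env="):
        return ("env", token[4:])
    if token.startswith("["):
        # The manual says IPv6 addresses must not be enclosed in [ ].
        raise ValueError(f"IPv6 address must not be bracketed: {token}")
    octets = token.split(".")
    if len(octets) == 3 and all(o.isdigit() for o in octets):
        token += ".0/24"  # "Subnet" row: first 3 bytes (assumed to mean /24)
    try:
        # Accepts address, address/netmask and address/prefix_length.
        # strict=False masks stray host bits (a choice of this example).
        return ("net", ipaddress.ip_network(token, strict=False))
    except ValueError:
        return ("domain", low)

def parse_allow(line):
    """Parse 'Allow from host [host ...]' into a list of (kind, value)."""
    words = line.split()
    if len(words) < 3 or [w.lower() for w in words[:2]] != ["allow", "from"]:
        raise ValueError(f"not an Allow directive: {line!r}")
    return [parse_host(w) for w in words[2:]]

def client_matches(line, client_ip):
    """True if client_ip matches 'all' or an address-based entry.
    env= and domain entries need request or DNS data and are skipped."""
    ip = ipaddress.ip_address(client_ip)
    for kind, value in parse_allow(line):
        if kind == "all":
            return True
        if kind == "net" and ip.version == value.version and ip in value:
            return True
    return False

if __name__ == "__main__":
    # The four prefix notations from Example 2 normalize to one network.
    for spec in ("2001:0:0:89ab::/64", "2001:0:0:89AB::/64",
                 "2001::89ab:0:0:0:0/64",
                 "2001:0000:0000:89ab:0000:0000:0000:0000/64"):
        print(spec, "->", parse_host(spec)[1])
    # Constructed client addresses checked against the netmask example.
    for ip in ("10.1.200.7", "10.2.0.1"):
        print(ip, client_matches("Allow from 10.1.0.0/255.255.0.0", ip))
```

Entries that normalize to the same network are duplicates, and an entry whose normalized network is wider than intended is easier to spot in this form than in the raw directive.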