Chapter 4. Access Controls
Access to resources can be restricted by authorization rules based on an authenticated user and by non-user-based access controls. If non-user-based access controls are specified, they are applied first. Authentication is only performed if needed to evaluate authorization rules specified with Require directives. Access controls and authorization rules can be restricted to particular HTTP methods by enclosing them in <Limit> or <LimitExcept> blocks.
Access controls can also be implemented with mod_rewrite, and the mod_ssl module provides SSL-based access control features.
Non-User-Based Access Controls
The mod_authz_host module implements non-user-based access controls. These are usually host-based but can also be tied to environment variables. Hosts are specified by full or partial domain names, full or partial IP addresses, network/netmask pairs, or network/prefix-length pairs.
If authorization rules and non-user-based access controls are specified, the Satisfy directive determines whether requests have to satisfy either or both; authentication and authorization will be skipped if, having evaluated the access controls, Apache can determine definitively whether access is allowed or denied.
Allow
DH* (Limit)
mod_authz_host (B)
Allow from { all | { host | env=var } ... }
Allows requests to a resource from the specified hosts or with the specified environment variable set.
Deny
DH* (Limit)
mod_authz_host (B)
Deny from { all | { host | env=var } ... }
Denies requests to ...