<!-- review: finished -->

<a id="http-access"></a>

# Access

The module controls access to server resources based on client IP addresses or
networks. It allows permitting or blocking access for specific IP addresses,
IP ranges, or UNIX domain sockets to enhance security by restricting access to
sensitive areas of a website or application.

Access can also be restricted by using a password with the [Auth Basic](https://en.angie.software//angie/docs/configuration/modules/http/http_auth_basic.md#http-auth-basic) module or based on the result of a subrequest with the
[Auth Request](https://en.angie.software//angie/docs/configuration/modules/http/http_auth_request.md#http-auth-request) module. To apply both address and
password restrictions at the same time, use the [satisfy](https://en.angie.software//angie/docs/configuration/modules/http/index.md#satisfy) directive.

<a id="configuration-example-3"></a>

## Configuration Example

```nginx
location / {

    deny 192.168.1.1;
    allow 192.168.1.0/24;
    allow 10.1.1.0/16;
    allow 2001:0db8::/32;
    deny all;
}
```

Rules are evaluated sequentially until a match is found. In this example, access
is allowed only for the IPv4 networks `10.1.1.0/16` and
`192.168.1.0/24`, excluding the specific address `192.168.1.1`, and
for the IPv6 network `2001:0db8::/32`. When there are many rules, it is
preferable to use variables from the [Geo](https://en.angie.software//angie/docs/configuration/modules/http/http_geo.md#http-geo) module.

<a id="directives-3"></a>

## Directives

<a id="index-0"></a>

<a id="allow"></a>

### allow

| [Syntax](https://en.angie.software//angie/docs/configuration/configfile.md#configfile)   | `allow` address | CIDR | `unix:` | `all`;   |
|------------------------------------------------------------------------------------------|---------------------------------------------|
| Default                                                                                  | —                                           |
| [Context](https://en.angie.software//angie/docs/configuration/configfile.md#configfile)  | http, server, location, limit_except        |

Allows access for a specified network or address.
The special value `all` means all client IP addresses.

The special value `unix:` allows access for any UNIX domain sockets.

<a id="index-1"></a>

<a id="deny"></a>

### deny

| [Syntax](https://en.angie.software//angie/docs/configuration/configfile.md#configfile)   | `deny` address | CIDR | `unix:` | `all`;   |
|------------------------------------------------------------------------------------------|--------------------------------------------|
| Default                                                                                  | —                                          |
| [Context](https://en.angie.software//angie/docs/configuration/configfile.md#configfile)  | http, server, location, limit_except       |

Denies access for a specified network or address.
The special value `all` means all client IP addresses.

The special value `unix:` denies access for any UNIX domain sockets.