lighttpd2/doc/mod_access.xml

<?xml version="1.0" encoding="UTF-8"?>
<module xmlns="urn:lighttpd.net:lighttpd2/doc1">
	<short>
		lets you filter clients by IP address.
	</short>

	<action name="access.deny">
		<short>denies access by returning a 403 status code</short>
	</action>

	<action name="access.check">
		<short>allows or denies access based on client IP address</short>
		<parameter name="rules">
			<short>A key value list mapping "access" and/or "deny" keys to a list of CIDR addresses or "all".</short>
		</parameter>
		<description>
				Checks the client IP address agains the rules. Default is to deny all addresses. The most precise matching rule defines the result ("192.168.100.0/24" takes precedence over "192.168.0.0/16"; similar to routing tables); if the same CIDR is in both lists the second action is taken. "all" is a synonym for "0.0.0.0/0" and "::/0", matching all IPv4 and IPv6 addresses.
		</description>
		<example title="Example: restrict access to local network" anchor="#">
			<description>
				Limit access to clients from the local network. The deny rule isn't strictly required, as the default is to deny anyway. The smaller CIDR strings for the local networks override the global deny rule.
			</description>
			<config>
				setup {
					module_load "mod_access";
				}

				access.check (
					"allow" => ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),
					"deny" => ("all")
				);
			</config>
		</example>
		<example title="Example: restrict access to subnet with exception" anchor="#">
			<description>
				Limit access to clients from "192.168.10.0/24", but deny access to "192.168.10.1". As "192.168.10.1" (equivalent to "192.168.10.1/32") is a more precise match it overwrites the allow rule for the subnet "192.168.10.0/24" containing it.
			</description>
			<config>
				setup {
					module_load "mod_access";
				}

				access.check (
					"allow" => ("192.168.10.0/24"),
					"deny" => ("192.168.10.1")
				);
			</config>
		</example>
	</action>

	<option name="access.redirect_url">
		<short>url to redirect to if access was denied (not implemented yet)</short>
		<parameter name="url" />
		<default><text>not set</text></default>
		<description>
			<textile>
				*NOT IMPLEMENTED YET*
			</textile>
		</description>
	</option>

	<option name="access.log_blocked">
		<short>whether to log when access was denied (with log level "info")</short>
		<parameter name="url" />
		<default><value>false</value></default>
	</option>

</module>
[doc] document core config and modules in tree 9 years ago			`<?xml version="1.0" encoding="UTF-8"?>`
			`<module xmlns="urn:lighttpd.net:lighttpd2/doc1">`
			`<short>`
			`lets you filter clients by IP address.`
			`</short>`

			`<action name="access.deny">`
			`<short>denies access by returning a 403 status code</short>`
			`</action>`

			`<action name="access.check">`
			`<short>allows or denies access based on client IP address</short>`
			`<parameter name="rules">`
			`<short>A key value list mapping "access" and/or "deny" keys to a list of CIDR addresses or "all".</short>`
			`</parameter>`
			`<description>`
			`Checks the client IP address agains the rules. Default is to deny all addresses. The most precise matching rule defines the result ("192.168.100.0/24" takes precedence over "192.168.0.0/16"; similar to routing tables); if the same CIDR is in both lists the second action is taken. "all" is a synonym for "0.0.0.0/0" and "::/0", matching all IPv4 and IPv6 addresses.`
			`</description>`
			`<example title="Example: restrict access to local network" anchor="#">`
			`<description>`
			`Limit access to clients from the local network. The deny rule isn't strictly required, as the default is to deny anyway. The smaller CIDR strings for the local networks override the global deny rule.`
			`</description>`
			`<config>`
			`setup {`
			`module_load "mod_access";`
			`}`

			`access.check (`
			`"allow" => ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"),`
			`"deny" => ("all")`
			`);`
			`</config>`
			`</example>`
			`<example title="Example: restrict access to subnet with exception" anchor="#">`
			`<description>`
			`Limit access to clients from "192.168.10.0/24", but deny access to "192.168.10.1". As "192.168.10.1" (equivalent to "192.168.10.1/32") is a more precise match it overwrites the allow rule for the subnet "192.168.10.0/24" containing it.`
			`</description>`
			`<config>`
			`setup {`
			`module_load "mod_access";`
			`}`

			`access.check (`
			`"allow" => ("192.168.10.0/24"),`
			`"deny" => ("192.168.10.1")`
			`);`
			`</config>`
			`</example>`
			`</action>`

			`<option name="access.redirect_url">`
			`<short>url to redirect to if access was denied (not implemented yet)</short>`
			`<parameter name="url" />`
			`<default><text>not set</text></default>`
			`<description>`
			`<textile>`
			`NOT IMPLEMENTED YET`
			`</textile>`
			`</description>`
			`</option>`

			`<option name="access.log_blocked">`
			`<short>whether to log when access was denied (with log level "info")</short>`
			`<parameter name="url" />`
			`<default><value>false</value></default>`
			`</option>`

			`</module>`