Order Allow,deny usage in Apache

Source: Internet
Author: User

This article describes how to use Order Allow,Deny in Apache. It is shared here for your reference.

Allow and Deny can be used in Apache conf files or .htaccess files (together with Directory, Location, Files, etc.) to control access authorization for directories and files. The most commonly used form is:

    Order deny,allow
    Allow from all

Note that "deny,allow" has exactly one comma in the middle and nothing else; a space there causes an error. The first line means "check the deny rules first; whatever is not denied is allowed." No Deny line follows, so nothing is denied, and the second line directly allows all access. This is mainly used to confirm or override the settings of the parent directory and open access to all content.

Following the explanation above, these settings unconditionally forbid access:

    Order allow,deny
    Deny from all

To prohibit access for some clients and leave everything else open:

    Order deny,allow
    Deny from ip1 ip2

or

    Order allow,deny
    Allow from all
    Deny from ip1 ip2

Apache decides which rule applies according to Order. In the second method above, the second line allows access, but Allow is not the last rule in Order, so Apache still has to check whether there is a Deny rule; the third line therefore bans access from ip1 and ip2.

Note that which rule comes "last" in Order is very important. Here are two examples of mistakes and how to correct them.

    Order deny,allow
    Allow from all
    Deny from domain.org

Error: the intent is to prohibit access from domain.org, but Deny is not the last rule; when Apache processes the Allow in the second line the match succeeds, and the third line is not taken into account.

Solution: change the first line to Order allow,deny and leave the following two lines as they are.

    Order allow,deny
    Allow from ip1
    Deny from all

Error: the intent is to allow access only from ip1, but although the second line sets an allow rule, the third line prevails because Deny comes last in Order. The range of the third line ("all") clearly includes ip1, so all access is forbidden.

Workaround one: remove the third line.

Workaround two:

    Order deny,allow
    Deny from all
    Allow from ip1

Below are the tested examples:

    Order deny,allow
    Allow from all
    Deny from 219.204.253.8
    # All can pass

    Order deny,allow
    Deny from 219.204.253.8
    Allow from all
    # All can pass

    Order allow,deny
    Deny from 219.204.253.8
    Allow from all
    # Only 219.204.253.8 cannot pass

    Order allow,deny
    Allow from all
    Deny from 219.204.253.8
    # Only 219.204.253.8 cannot pass

    Order allow,deny
    Deny from all
    Allow from 219.204.253.8
    # None can pass

    Order allow,deny
    Allow from 219.204.253.8
    Deny from all
    # None can pass

    Order deny,allow
    Allow from 219.204.253.8
    Deny from all
    # Only 219.204.253.8 can pass

    Order deny,allow
    Deny from all
    Allow from 219.204.253.8
    # Only 219.204.253.8 can pass

    Order deny,allow
    # All can pass (default)

    Order allow,deny
    # None can pass (default)

    Order allow,deny
    Deny from all
    # None can pass

    Order deny,allow
    Deny from all
    # None can pass

For the two cases above, if you change the line to Allow from all, then all can pass!

    Order deny,allow
    Deny from 219.204.253.8
    # Only 219.204.253.8 cannot pass

    Order allow,deny
    Deny from 219.204.253.8
    # None can pass

    Order allow,deny
    Allow from 219.204.253.8
    # Only 219.204.253.8 can pass

    Order deny,allow
    Allow from 219.204.253.8
    # All can pass

    Order deny,allow
    Allow from 218.20.253.2
    Deny from 218.20
    # Rejects IPs beginning with 218.20 but allows 218.20.253.2 to pass;
    # other IPs that do not begin with 218.20 are also allowed.

    Order allow,deny
    Allow from 218.20.253.2
    Deny from 218.20
    # Almost the same as above, with only allow and deny swapped in the
    # Order statement, but the end result is that all are rejected!

Some time ago I was setting up an Apache HTTP proxy server and did not quite understand the Order Allow,Deny part, so I went looking for information on the Internet. The more I read, the more confused I became; some of it was hard to tell right from wrong, or was even misleading. It was like some of the articles on cracking Windows system passwords: a lot of them were just put out there and never tested. Enough nonsense. Let me first present the conclusions I reached through testing; I believe they will be very helpful to everyone's understanding.

In general, only two points affect the final result:

1. The order of allow and deny in the Order statement;
2. The ranges covered by the Allow and Deny statements.

Warm reminders:

1. After modifying the configuration, save it and restart the Apache service for the configuration to take effect;
2. The first letter of a directive is not case-sensitive;
3. The Allow and Deny statements themselves may appear in any order; which one comes first does not affect the final result, but all of them are evaluated;
4. In the Order statement there is one and only one comma (an English-format comma) between "allow" and "deny", and their order is important;
5. Apache has a default rule: "Order allow,deny" by itself means deny all, because deny comes after allow; similarly, "Order deny,allow" by itself means allow all. The final result must also take into account the ranges covered by the Allow and Deny statements below it (that is, an Order statement may have no Allow or Deny statements after it);
6. In Allow and Deny statements the second word must be "from", or Apache will fail to start;
7. "Order allow,deny" means that the Allow statements are evaluated before the Deny statements, and vice versa.

The above are things to remember; what follows is my own way of understanding it. If anyone reads it and does not feel enlightened, that is my failure!

The judging principle is divided into 4 steps:

1. First judge the default;
2. Then judge what comes before the comma;
3. Last judge what comes after the comma;
4. Finally, the result is determined by stacking them in order.

I have put the points above simply and visually, mainly to make them easy to remember. If you do not understand them yet, read on; the detailed explanation below will make them clear.

Here is a general example to explain:

    Order deny,allow
    Allow from 218.20.253.2
    Deny from 218.20

1. "First judge the default" means judging the line "Order deny,allow", which by default allows all;
2. "Then judge what comes before the comma": in this example, deny comes before the comma in the Order statement, so now the Deny statement below is judged, "Deny from 218.20";
3. "Last judge what comes after the comma": in this example, allow comes after the comma in the Order statement, so last of all the Allow statement below is judged, "Allow from 218.20.253.2";
4. "Finally, the result is determined by stacking them in order" is a visualization. I see every step of the judgment as an opaque layer; the layers are stacked one by one in order, and the final "image" is the result.

People who have used graphics software will know what "layers" are, and I suspect that Apache's design philosophy for Order, Allow and Deny is the same as that of Photoshop and other graphics software. That is, the "rules of the game" are the same. The example above can then be pictured like this:

1. First draw a white circle, representing the "Order deny,allow" statement, whose default meaning is to allow all;
2. Then draw a smaller black circle, representing the "Deny from 218.20" statement, which rejects all IPs beginning with 218.20, and put it inside the white circle;
3. Finally draw a white circle, representing the "Allow from 218.20.253.2" statement, which allows 218.20.253.2 to pass, and put it on top of the black circle;
4. Now we can see the result: a black circle on top of a white circle, and a white circle on top of the black circle. The black part that remains visible is rejected, and everything white is allowed to pass. The result is as simple as that picture!

If you have never used graphics software, here is a metaphor closer to everyday life, with the example changed slightly to make it easier to understand:

    Order deny,allow
    Allow from 218.20.253.2
    Deny from 219.30

1. First take a sheet of white A4 paper, representing the Order statement, which means allow all;
2. Then cut a circle out of black paper and place it somewhere on the A4 sheet, representing the Deny statement, which rejects all IPs beginning with 219.30;
3. Finally cut a circle out of white paper and place it next to the black circle, representing the Allow statement, which allows 218.20.253.2 to pass. Note that in this example it is not placed on the black circle, because the Deny and Allow ranges no longer contain one another;
4. The A4 sheet now has one black circle and one white circle on it, and the result is obvious. A white circle on white A4 paper is clearly superfluous, because both are white and both mean "allowed", so you can remove the white circle without affecting the result.

If you still do not see it at this point, there must be something I have not made clear. In that case, please analyze the test examples I have run, which are listed at the end.

One more note: the parameters that follow Allow and Deny take many forms and can be written in different ways. What I have seen on the Internet is the form Deny from ip1 ip2 ip3 or Allow from domain.com. For other forms, please consult other material.

What I want to show is another way of writing it:

    Order deny,allow
    Allow from ip1 ip2
    Allow from domain.info
    Allow from 219.20.55.0/24
    Deny from all

I did not specifically verify whether this is right; however, the Apache service starts normally with it, so by rights it should be a correct way to write it. Haha, as a beginner this is all I can do, and I hope everyone will offer plenty of advice!

The following are the tested examples:

    Order deny,allow
    Allow from all
    Deny from 219.204.253.8
    # All can pass

    Order deny,allow
    Deny from 219.204.253.8
    Allow from all
    # All can pass

    Order allow,deny
    Deny from 219.204.253.8
    Allow from all
    # Only 219.204.253.8 cannot pass

    Order allow,deny
    Allow from all
    Deny from 219.204.253.8
    # Only 219.204.253.8 cannot pass

    Order allow,deny
    Deny from all
    Allow from 219.204.253.8
    # None can pass

    Order allow,deny
    Allow from 219.204.253.8
    Deny from all
    # None can pass

    Order deny,allow
    Allow from 219.204.253.8
    Deny from all
    # Only 219.204.253.8 can pass

    Order deny,allow
    Deny from all
    Allow from 219.204.253.8
    # Only 219.204.253.8 can pass

    Order deny,allow
    # All can pass (default)

    Order allow,deny
    # None can pass (default)

    Order allow,deny
    Deny from all
    # None can pass

    Order deny,allow
    Deny from all
    # None can pass

For the two cases above, if you change the line to Allow from all, then all can pass!

    Order deny,allow
    Deny from 219.204.253.8
    # Only 219.204.253.8 cannot pass

    Order allow,deny
    Deny from 219.204.253.8
    # None can pass

    Order allow,deny
    Allow from 219.204.253.8
    # Only 219.204.253.8 can pass

    Order deny,allow
    Allow from 219.204.253.8
    # All can pass

    Order deny,allow
    Allow from 218.20.253.2
    Deny from 218.20
    # Denies IPs beginning with 218.20 but allows 218.20.253.2 to pass;
    # other IPs that do not begin with 218.20 are also allowed.

    Order allow,deny
    Allow from 218.20.253.2
    Deny from 218.20
    # Almost the same as above, with only allow and deny swapped in the
    # Order statement, but the end result is that all are rejected!

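The four-step "layer" procedure and the tested cases above can be checked mechanically. The following is an added example, not code from the original article or from Apache: a small Python model of the evaluation, in which the function names matches and evaluate are hypothetical, only IPv4 arguments ("all", full or partial addresses, networks with a prefix length) are handled, and host names such as domain.org are left out because they would need a reverse DNS lookup.

```python
import ipaddress

def matches(spec, ip):
    """True if client address `ip` matches one argument of Allow/Deny from."""
    if spec.lower() == "all":
        return True
    if "/" in spec:  # network form, e.g. 219.20.55.0/24
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    # Full or partial IPv4 address: compare whole octets, so "218.20"
    # covers 218.20.x.x but not 218.201.x.x. Host names are not handled.
    octets = spec.rstrip(".").split(".")
    return ip.split(".")[:len(octets)] == octets

def evaluate(config, ip):
    """Return True if `ip` is allowed by the Order/Allow/Deny lines in `config`."""
    order, rules = None, {"allow": [], "deny": []}
    for line in config.splitlines():
        words = line.split("#")[0].split()
        if not words:
            continue
        keyword = words[0].lower()
        if keyword == "order":
            order = " ".join(words[1:]).lower()
        elif keyword in rules and len(words) >= 3 and words[1].lower() == "from":
            rules[keyword].extend(words[2:])
        else:
            raise ValueError("bad line: " + line.strip())
    if order not in ("allow,deny", "deny,allow"):  # "deny, allow" is rejected
        raise ValueError("bad Order argument: %r" % order)
    first, last = order.split(",")
    allowed = (last == "allow")        # step 1: the default layer
    for keyword in (first, last):      # steps 2 and 3: before, then after the comma
        if any(matches(spec, ip) for spec in rules[keyword]):
            allowed = (keyword == "allow")  # step 4: a later layer covers earlier ones
    return allowed

# Constructed sample: the 218.20 case from the article, under both orders.
RULES = "Allow from 218.20.253.2\nDeny from 218.20\n"

if __name__ == "__main__":
    for order in ("deny,allow", "allow,deny"):
        for ip in ("218.20.253.2", "218.20.1.1", "10.0.0.1"):
            verdict = "allowed" if evaluate("Order %s\n%s" % (order, RULES), ip) else "denied"
            print("Order %-10s %-13s %s" % (order, ip, verdict))
```

In Apache 2.4 these directives are provided by mod_access_compat and are deprecated in favour of Require, so a model like this is mainly useful for auditing older configurations.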
I hope this article helps you configure your Apache server.
