Use of deny and allow in the Apache configuration file
We recently set up an Apache load balancer for a product and ran into problems while configuring access rights on a virtual host. The main difficulty was the order in which Deny and Allow are applied, so I took the time to study these two directives; what follows is a summary of how Deny and Allow work.
I. Summary of Usage
Let's start with the following Apache configuration:
<Directory />
    Order Allow,Deny          #1
    Allow from all            #2
    Deny from 192.9.200.69    #3
</Directory>
Previously the use of these two directives was confusing; it was never clear which one actually took effect. From experiments we can derive the following rules:
1. Rules
When reading an Apache access-control block, work through it in three steps: first the default, then the order, then the overlap.
2. Explanation of the configuration above
[1] The default
Order Allow,Deny sets the order in which Allow and Deny are evaluated. The last keyword in Order also sets the default: here it is Deny, so by default every request is denied. To picture this, draw a circle with a black background and call it Circle 1.
[2] The order
Because Order says that the Allow rules are judged first and the Deny rules second, we evaluate the Allow rules first. The request matches Allow from all, so every request is allowed: draw a second circle with a white background and call it Circle 2.
Now look at the Deny rule. Deny from 192.9.200.69 refuses requests from that one address, so draw a red area labelled "192.9.200.69" and call it Area 3.
Note: even if Allow from all is written below Deny from 192.9.200.69, the Allow rule is still evaluated first. The position of the lines in the file does not matter; only Order determines which of Allow and Deny is evaluated first, and therefore which one takes precedence.
[3] The overlap
Stack Circle 1, Circle 2 and Area 3 in that order from bottom to top, each layer opaque. The final picture is white everywhere except the red area for 192.9.200.69: only that address is refused access to the directory, and every other request is allowed.
II. A few more examples
If the above is still not clear, look at the following examples. Each directive is followed by a short explanation; the number after "#" indicates the order in which that item takes effect. These "#n" markers are annotations only: httpd accepts comments on their own line but not after a directive, so remove them before pasting a block into a real configuration.
1. Only allow requests from 192.9.200.69 to access the directory
<Directory />
    Order Deny,Allow          #1. Default: all requests are allowed
    Deny from all             #2. Order: the Deny rule is evaluated first, all requests are rejected
    Allow from 192.9.200.69   #3. Overlap: requests from 192.9.200.69 are allowed
</Directory>
2. Allow all requests to access the directory
<Directory />
    Order Deny,Allow          #1. Default: all requests are allowed
    Deny from 192.9.200.69    #2. Order: the Deny rule is evaluated first, 192.9.200.69 is rejected
    Allow from all            #3. Overlap: all requests are allowed
</Directory>
3. Deny all requests to access the directory
<Directory />
    Order Allow,Deny          #1. Default: all requests are denied
    Allow from 192.9.200.69   #2. Order: the Allow rule is evaluated first, 192.9.200.69 is allowed
    Deny from all             #3. Overlap: all requests are rejected
</Directory>
4. Everyone except 192.9.200.69 can access the directory
<Directory />
    Order Allow,Deny          #1. Default: all requests are denied
    Allow from all            #2. Order: the Allow rule is evaluated first, all requests are allowed
    Deny from 192.9.200.69    #3. Overlap: 192.9.200.69 is rejected
</Directory>
Allow and Deny can be used in Apache conf files or .htaccess files (inside <Directory>, <Location>, <Files> and similar containers) to control access to directories and files. They are Apache 2.2 directives from mod_authz_host; in Apache 2.4 they are only emulated by mod_access_compat and the recommended replacement is Require (Require all granted, Require all denied, Require ip 192.9.200.69, with RequireAll and Require not for exclusions), and old and new directives should not be mixed in the same scope.
So the most common form is:
Order Deny,allow
Allow from all
Note that there is exactly one comma between Deny and Allow with no spaces around it (whitespace there is a syntax error), and the keywords are case-insensitive. The Order line means "check the Deny set first; whatever is not denied is allowed". Since there is no Deny line at all, nothing is refused, and Allow from all admits every request. This form is mainly used to override settings inherited from a parent directory and open up access to everything.
By the same reasoning, the following settings deny all access unconditionally:
Order Allow,deny
Deny from all
To refuse part of the traffic and open everything else:
Order Deny,allow
Deny from ip1 ip2
Or
Order Allow,deny
Allow from all
Deny from ip1 ip2
Apache lets the last keyword in Order decide. In the second form above, although the second line allows access, Allow is not the last keyword, so Apache still checks whether a Deny rule matches; the third line therefore bans ip1 and ip2. The "last keyword wins" rule is the important point, and here are two common mistakes and their fixes:
Order Deny,allow
Allow from all
Deny from domain.org
Mistake: you want to refuse access from domain.org, but Deny is not the last keyword in Order. Apache evaluates both rules; the second line (Allow from all) matches and, being evaluated last, overrides the third line, so domain.org is still admitted. (Host-name arguments also force a double reverse DNS lookup on every request and depend on DNS the client may influence; where possible, deny by IP address instead.)
Fix: change the first line to Order Allow,Deny and leave the other two lines as they are.
Order Allow,deny
Allow from ip1
Deny from all
Mistake: you want to allow access only from ip1, but because Deny is the last keyword in Order, the third line prevails, and its scope (all) clearly includes ip1, so all access is refused.
Fix one: remove the third line.
Fix two:
Order Deny,allow
Deny from all
Allow from ip1
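To make the three-step rule (default, order, overlap) mechanical, here is a small Python evaluator, an added example written for this edit and not code from the original post or from the Apache project. It implements the Order / Allow from / Deny from decision as documented for Apache 2.2's mod_authz_host and runs the four numbered configurations from section II plus the two mistakes above. The configurations and the client addresses 192.9.200.69 and 10.0.0.5 are constructed for the demonstration; in the first mistake, domain.org is replaced by the subnet 192.9.200.0/24 because the script performs no DNS lookups. Like httpd, its parser refuses whitespace inside the Order argument and a "#" after a directive.

```python
"""Evaluator for Apache 2.2 Order / Allow from / Deny from decisions.

Added example, not code from the original post or from httpd. It encodes
the post's "default, order, overlap" rule: the last keyword in Order is
the default, and when an Allow and a Deny both match, the one evaluated
later wins. Configs and client addresses below are constructed for the
demo; hostname arguments such as 'Deny from domain.org' are not resolved.
"""
import ipaddress


def _arg_matches(arg: str, client_ip: str) -> bool:
    """True if one 'from' argument covers client_ip.

    Handles 'all', a full address, a partial address such as '192.9'
    (Apache reads it as the prefix 192.9.*.*), CIDR and address/netmask.
    Anything else (a hostname) never matches, because this does no DNS.
    """
    arg = arg.strip().lower()
    if arg == "all":
        return True
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    if "/" in arg:
        try:
            return ip in ipaddress.ip_network(arg, strict=False)
        except ValueError:
            return False
    octets = arg.split(".")
    if 1 <= len(octets) <= 4 and all(o.isdigit() for o in octets):
        return client_ip.split(".")[: len(octets)] == octets
    return False


def parse(config_text: str):
    """Return (order, allow_args, deny_args) from a <Directory>-style snippet.

    Container lines and whole-line comments are skipped. As in httpd, Order
    takes exactly one token and a '#' after a directive is an error.
    """
    order, allows, denies = "deny,allow", [], []  # httpd's default Order
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        if "#" in line:
            raise ValueError("httpd does not allow comments after a directive")
        words = line.split()
        directive = words[0].lower()
        if directive == "order":
            if len(words) != 2:
                raise ValueError("Order takes one argument (no spaces around the comma)")
            order = words[1].lower()
        elif directive in ("allow", "deny") and len(words) > 2 and words[1].lower() == "from":
            (allows if directive == "allow" else denies).extend(words[2:])
    return order, allows, denies


def decide(order: str, allows, denies, client_ip: str) -> bool:
    """Apply the Order semantics to one client address."""
    allowed = any(_arg_matches(a, client_ip) for a in allows)
    denied = any(_arg_matches(d, client_ip) for d in denies)
    if order in ("allow,deny", "mutual-failure"):  # mutual-failure is a deprecated alias
        # Default deny: an Allow must match and no Deny may match.
        return allowed and not denied
    if order == "deny,allow":
        # Default allow: a matching Deny is overridden by a matching Allow.
        return allowed or not denied
    raise ValueError(f"Unknown order {order!r}")


def is_allowed(config_text: str, client_ip: str) -> bool:
    order, allows, denies = parse(config_text)
    return decide(order, allows, denies, client_ip)


# The post's four numbered configs and its two mistakes (constructed inputs).
CONFIGS = {
    "only_69":    "Order Deny,Allow\nDeny from all\nAllow from 192.9.200.69",
    "allow_all":  "Order Deny,Allow\nDeny from 192.9.200.69\nAllow from all",
    "deny_all":   "Order Allow,Deny\nAllow from 192.9.200.69\nDeny from all",
    "all_but_69": "Order Allow,Deny\nAllow from all\nDeny from 192.9.200.69",
    # Mistake 1: meant to block the subnet, but Allow is evaluated last and wins.
    "mistake_1":  "Order Deny,Allow\nAllow from all\nDeny from 192.9.200.0/24",
    # Mistake 2: meant to admit one host, but 'Deny from all' is evaluated last.
    "mistake_2":  "Order Allow,Deny\nAllow from 192.9.200.69\nDeny from all",
}


def run_page_examples(inside="192.9.200.69", outside="10.0.0.5"):
    """Return {name: (decision for `inside`, decision for `outside`)}."""
    return {n: (is_allowed(c, inside), is_allowed(c, outside)) for n, c in CONFIGS.items()}


if __name__ == "__main__":
    for name, (a, b) in run_page_examples().items():
        print(f"{name:11s} 192.9.200.69={'allow' if a else 'deny':5s} 10.0.0.5={'allow' if b else 'deny'}")
```

Running the script prints one line per configuration; the two "mistake" rows show why the original author's expectations were wrong (mistake_1 admits everyone, mistake_2 admits no one). The real decision in httpd is made by mod_authz_host; this script only mirrors its documented rules, so use it to reason about a block before deploying it, not as a substitute for testing the server.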
Reference article: http://www.cnblogs.com/top5/archive/2009/09/22/1571709.html