Apache configuration parameter deny and allow usages _linux

Due to the needs of the product, the Apache load Balancing function was recently configured, but we encountered some problems when configuring access rights for the virtual host. The main problem is the execution order of deny and allow, and the use of these two parameters is studied, and the use of deny and allow is summarized as follows.

A summary of the use of

Let's take a look at one of the following Apache configurations, the following code:

Copy Code code as follows:

<directory/>
Order Allow,deny #1
Allow from all #2
Deny from 192.9.200.69 #3
</Directory>

The previous use of these two parameters is confusing, it is not clear exactly which parameter is at work. Through experiments, we can sum up the law, the specific rules are as follows:

1. Regular

When we see an Apache configuration, we can understand it from the following perspective. One default, two order, three overlap.

2. Configuration instructions above

[1] A default
Order Allow,deny, which is the function of configuring allow and deny, by default only the last keyword works, and the key word that works here is "Deny", which rejects all requests by default. For the sake of understanding, we can draw a circle, the background color of the circle painted black, we give this circle a number, called Circle 1.
[2] Two order
Because the order above indicates that the sequence of judgments is to judge the rules of allow first, then the rule of deny. So we have to judge allow's request first, because the request is configured with allow from all,
So it means that the request allows all requests. Then we draw a circle, the background color painted white, we give the circle a number, called Circle 2.
Let's take a look at the judgment rule for deny, because the deny from 192.9.200.69, which means that the rejection comes from the IP address "192.9.200.69", so we can draw a red area that says "192.9.200.69," we call this area 3.
Note: Even if you write "Allow from all" under "Deny from 192.9.200.69", it is still necessary to determine the Allow rule, which means that only the order can determine the precedence of Allow and orders.

[3] Three overlapping

We stack the circles 1, 2, and 3 from the top to the bottom. Each layer is opaque, and then we can see that the final effect is that except for the red area of "192.9.200.69", all the other areas are white. That is, only "192.9.200.69" This IP address does not have permission to access the directory, and other requests have permission to access the directory.

Second, look at the following example

Perhaps the above is not white, let's take a look at the following example, each configuration is followed by a simple description, the "#" in the configuration file after the number indicates the order in which the configuration items work.
1. Allow only 192.9.200.69 requests access to the directory

Copy Code code as follows:

<directory/>
Order Deny,allow #1. All requests are allowed by default
Deny from all #2. In order, first determine the Deny rule, reject all requests
Allow from 192.9.200.69 #3. overlap, allowing IP192.9.200.69 requests
</Directory>

2. Allow all requests to access the directory

Copy Code code as follows:

<directory/>
Order Deny,allow #1. All requests are allowed by default
Deny from 192.9.200.69 #2. In order, first judge the Deny rule and reject the 192.9.200.69 request
Allow from all #3. Overlap, allow all requests
</Directory>

3. Deny access to all requests directory

Copy Code code as follows:

<directory/>
Order Allow,deny #1. Reject all requests by default
Allow from 192.9.200.69 #2. Order, allow 192.9.200.69 request
Deny from all#3. Overlap, rejecting all requests
</Directory>

4. In addition to 192.9.200.69 requests, the directory can be accessed by other requests

Copy Code code as follows:

<directory/>
Order Allow,deny #1. Reject all requests by default
Allow from all #2. Order, allow all requests
Deny from 192.9.200.69#3. Overlap, rejecting 192.9.200.69 requests
</Directory>

Allow and deny can be used in Apache conf files or. htaccess files (with directory, Location, files, etc.) to control access authorization for directories and files.
So, the most common is:

Copy Code code as follows:

Order Deny,allow
Allow from all

Note that there is only one comma in the middle of "Deny,allow", and there can be only one comma, and there will be errors in the spaces. The meaning set above is to set "first check prohibit set, no prohibition of all allow", and the second sentence without deny, that is, no access to prohibit the setting, directly is to allow all access. This is primarily used to ensure or overwrite the settings of the parent directory, and to open access to all content.

As explained above, the following settings are unconditional access forbidden:

Copy Code code as follows:

Order Allow,deny
Deny from all

If you want to block access to part of the content, all others are open:

Copy Code code as follows:

Order Deny,allow
Deny from Ip1 ip2

Or

Copy Code code as follows:

Order Allow,deny
Allow from all
Deny from Ip1 ip2

Apache will decide which rule to use in accordance with the order, such as the second way, although the second sentence allow allow access, but because in order allow is not the final rule, so also need to see if there is a deny rule, so to the third sentence, Interviews with IP1 and IP2 were banned. Note that the "last" rule of the order decision is very important, and here are two examples of errors and how to correct them:

Copy Code code as follows:

Order Deny,allow
Allow from all
Deny from domain.org

Error: Want to prohibit access from domain.org, but the deny is not the final rule, Apache in the second sentence to deal with the allow has been successful, not to see the third sentence.
Solution: Order Allow,deny, the following two words do not move, you can.

Copy Code code as follows:

Order Allow,deny
Allow from Ip1
Deny from all

Error: Want to allow only access from IP1, however, although the Allow rule is set in the second sentence, since the Deny is in the order, the third sentence will prevail, and the third sentence contains the ip1 (all include ip1), so all access is prohibited.
Solution One: Remove the third sentence directly.
Workaround Two:

Copy Code code as follows:

Order Deny,allow
Deny from all
Allow from Ip1