Apache configuration parameter deny and allow usages

Source: Internet
Author: User
Tags parent directory

This article mainly introduces the Apache configuration parameter deny and allow use examples, need friends can refer to the following

Due to the needs of the product, the Apache load Balancing function was recently configured, but we encountered some problems when configuring access rights for the virtual host. The main problem is the execution order of deny and allow, and the use of these two parameters is studied, and the use of deny and allow is summarized as follows.

A summary of the use of

Let's take a look at one of the following Apache configurations, the following code:

The code is as follows:

  

Order Allow,deny #1

Allow from all #2

Deny from 192.9.200.69 #3

  

The previous use of these two parameters is confusing, it is not clear exactly which parameter is at work. Through experiments, we can sum up the law, the specific rules are as follows:

1. Regular

When we see an Apache configuration, we can understand it from the following perspective. One default, two order, three overlap.

2. Configuration instructions above

[1] A default

Order Allow,deny, which is the function of configuring allow and deny, by default only the last keyword works, and the key word that works here is "Deny", which rejects all requests by default. For the sake of understanding, we can draw a circle, the background color of the circle painted black, we give this circle a number, called Circle 1.

[2] Two order

Because the order above indicates that the sequence of judgments is to judge the rules of allow first, then the rule of deny. So we have to judge allow's request first, because the request is configured with allow from all,

So it means that the request allows all requests. Then we draw a circle, the background color painted white, we give the circle a number, called Circle 2.

Let's take a look at the judgment rule for deny, because the deny from 192.9.200.69, which means that the rejection comes from the IP address "192.9.200.69", so we can draw a red area that says "192.9.200.69," we call this area 3.

Note: Even if you write "Allow from all" under "Deny from 192.9.200.69", it is still necessary to determine the Allow rule, which means that only the order can determine the precedence of Allow and orders.

[3] Three overlapping

We stack the circles 1, 2, and 3 from the top to the bottom. Each layer is opaque, and then we can see that the final effect is that except for the red area of "192.9.200.69", all the other areas are white. That is, only "192.9.200.69" This IP address does not have permission to access the directory, and other requests have permission to access the directory.

Second, look at the following example

Perhaps the above is not white, let's take a look at the following example, each configuration is followed by a simple description, the "#" in the configuration file after the number indicates the order in which the configuration items work.

1. Allow only 192.9.200.69 requests access to the directory

The code is as follows:

  

Order Deny,allow #1. All requests are allowed by default

Deny from all #2. In order, first determine the Deny rule, reject all requests

Allow from 192.9.200.69 #3. overlap, allowing IP192.9.200.69 requests

  

2. Allow all requests to access the directory

The code is as follows:

  

Order Deny,allow #1. All requests are allowed by default

Deny from 192.9.200.69 #2. In order, first judge the Deny rule and reject the 192.9.200.69 request

Allow from all #3. Overlap, allow all requests

  

3. Deny access to all requests directory

The code is as follows:

  

Order Allow,deny #1. Reject all requests by default

Allow from 192.9.200.69 #2. Order, allow 192.9.200.69 request

Deny from all#3. Overlap, rejecting all requests

  

4. In addition to 192.9.200.69 requests, the directory can be accessed by other requests

The code is as follows:

  

Order Allow,deny #1. Reject all requests by default

Allow from all #2. Order, allow all requests

Deny from 192.9.200.69#3. Overlap, rejecting 192.9.200.69 requests

  

Allow and deny can be used in Apache conf files or. htaccess files (with directory, Location, files, etc.) to control access authorization for directories and files.

So, the most common is:

The code is as follows:

Order Deny,allow

Allow from all

Note that there is only one comma in the middle of "Deny,allow", and there can be only one comma, and there will be errors in the spaces. The meaning set above is to set "first check prohibit set, no prohibition of all allow", and the second sentence without deny, that is, no access to prohibit the setting, directly is to allow all access. This is primarily used to ensure or overwrite the settings of the parent directory, and to open access to all content.

As explained above, the following settings are unconditional access forbidden:

The code is as follows:

Order Allow,deny

Deny from all

If you want to block access to part of the content, all others are open:

The code is as follows:

Order Deny,allow

Deny from Ip1 ip2

Or

The code is as follows:

Order Allow,deny

Allow from all

Deny from Ip1 ip2

Apache will decide which rule to use in accordance with the order, such as the second way, although the second sentence allow allow access, but because in order allow is not the final rule, so also need to see if there is a deny rule, so to the third sentence, Interviews with IP1 and IP2 were banned. Note that the "last" rule of the order decision is very important, and here are two examples of errors and how to correct them:

The code is as follows:

Order Deny,allow

Allow from all

Deny from domain.org

Error: Want to prohibit access from domain.org, but the deny is not the final rule, Apache in the second sentence to deal with the allow has been successful, not to see the third sentence.

Solution: Order Allow,deny, the following two words do not move, you can.

The code is as follows:

Order Allow,deny

Allow from Ip1

Deny from all

Error: Want to allow only access from IP1, however, although the Allow rule is set in the second sentence, since the Deny is in the order, the third sentence will prevail, and the third sentence contains the ip1 (all include ip1), so all access is prohibited.

Solution One: Remove the third sentence directly.

Workaround Two:

Copy code code as follows:

Order Deny,allow

Deny from all

Allow from Ip1

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.