Apache's Order Allow,Deny explained in detail

Source: Internet
Author: User

Allow and Deny can be used in Apache configuration files or .htaccess files (inside <Directory>, <Location>, <Files> and similar containers) to control which client addresses may access directories and files. In Apache 2.4 these directives are provided by mod_access_compat and are deprecated in favour of Require; the rules described here are those of the Order directive.

The most common form is:
Order Deny,allow
Allow from all

Note that there is exactly one comma between Deny and Allow, with no space on either side (a space is an error), and the keywords are not case-sensitive. The Order line means: evaluate the Deny rules first, then the Allow rules, and allow anything that matches neither. Since no Deny line follows, the Allow from all line simply opens access to everyone. This form is mostly used to override a more restrictive setting inherited from a parent directory and open all of the content.

By the same reasoning, the following forbids access unconditionally:
Order Allow,deny
Deny from all

If you want to forbid access to a few hosts and leave everything else open:
Order Deny,allow
Deny from ip1 ip2
Or
Order Allow,deny
Allow from all
Deny from ip1 ip2

Apache gives the last keyword in Order the final say: every Allow line and every Deny line is evaluated, and when a client matches both sets, the set named last in Order wins. In the second form above, the Allow from all line matches every client, but because Deny is the last keyword in Order, the Deny line is checked as well, and clients matching ip1 or ip2 are refused. Getting the "last" keyword right is the whole point; here are two common mistakes and their corrections:

Order Deny,allow
Allow from all
Deny from domain.org
Error: the intent is to block domain.org, but with Order Deny,allow the Allow rules are evaluated last, so a client from domain.org, which also matches Allow from all, is admitted regardless of the Deny line. Apache does evaluate the Deny line; it is simply overridden.
Fix: change the first line to Order Allow,deny and leave the other two lines as they are.

Order Allow,deny
Allow from ip1
Deny from all
Error: the intent is to admit only ip1, but with Order Allow,deny the Deny rules are evaluated last, and Deny from all plainly covers ip1 as well, so every client is refused.
Fix one: remove the Deny from all line (with Order Allow,deny the default is already deny, so it is redundant).
Fix two:
Order Deny,allow
Deny from all
Allow from ip1
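The two intents above (block a few hosts, or admit only a few hosts) written out in full with the Order that makes each one work, plus the server-side setting needed before the same lines may live in a .htaccess file. This is an added example, not configuration from the original article; the paths and the 203.0.113.7 and 192.0.2.0/24 addresses are placeholders from the RFC 5737 documentation ranges.

```apache
# Intent 1: block one host, let everyone else in.
# With Allow,Deny the Deny lines are evaluated last, so the host is refused
# even though "Allow from all" also matches it.
<Directory "/var/www/html/public">
    Order Allow,Deny
    Allow from all
    Deny from 203.0.113.7
</Directory>

# Intent 2: admit one network, block everyone else.
# With Deny,Allow the Allow lines are evaluated last, so "Deny from all"
# does not swallow the permitted network. A CIDR argument is accepted.
<Location "/admin">
    Order Deny,Allow
    Deny from all
    Allow from 192.0.2.0/24
</Location>

# Order, Allow and Deny belong to the "Limit" override class, so a .htaccess
# file may only use them if the enclosing server configuration permits it.
<Directory "/var/www/html">
    AllowOverride Limit
</Directory>
```

Check the file with `apachectl configtest` before reloading; a space after the comma in Order, or a missing "from", is a syntax error that prevents the server from starting.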


From: http://hi.baidu.com/enjoypain/blog/item/f48c7aecdba298d12f2e21ac.html

Some time ago I set up an Apache HTTP proxy server and did not quite understand the Order Allow,deny part, so I went looking for information online. The more I read, the more confused I got; some of it was hard to tell right from wrong, and some was outright misleading, much like the many articles on cracking Windows passwords that are copied around without ever being tested. Without further ado, here are the conclusions I reached after testing them myself; I believe they will help everyone's understanding.

General rules

Only two things determine the final verdict:

1. The order of Allow and Deny in the Order statement;

2. The range of addresses each Allow and Deny statement covers.

Friendly reminders

1. After modifying the configuration, save it and restart (or reload) the Apache service for it to take effect;

2. Keywords are not case-sensitive;

3. The position of the Allow and Deny lines relative to each other does not matter; whichever comes first in the file, all of them are evaluated;

4. In the Order statement there is exactly one comma between "Allow" and "Deny" (an ASCII comma, no spaces), and the order of the two words matters;

5. Each Order has a default: "Order Allow,deny" by itself means deny everyone, because Deny comes after Allow; likewise "Order Deny,allow" by itself means allow everyone. The final verdict combines this default with the ranges in the Allow and Deny statements that follow (so an Order statement may stand alone, with no Allow or Deny lines after it);

6. In Allow and Deny statements the second word must be "from", or Apache will fail to start;

7. "Order Allow,deny" means the Allow statements are evaluated before the Deny statements, and vice versa; when a client matches both, the set evaluated last wins.

The above is what to remember; what follows is my own way of understanding it. If you read it and do not come away enlightened, that is my failure!

The evaluation principle in four steps:

1. First apply the default;

2. Then evaluate the keyword before the comma;

3. Then evaluate the keyword after the comma;

4. Finally stack the results in that order to get the verdict.

These points are deliberately simple and pictorial so that they are easy to remember. If they are not clear yet, keep reading; the detailed explanation below should make them obvious. Here is the explanation using a common example:

Order Deny,allow
Allow from 218.20.253.2
Deny from 218.20

1. "First apply the default" means looking at the "Order Deny,allow" line itself: by default it allows everyone;

2. "Then evaluate the keyword before the comma": in this example Deny is before the comma, so the Deny statement, "Deny from 218.20", is evaluated next;

3. "Then evaluate the keyword after the comma": in this example Allow is after the comma, so the Allow statement, "Allow from 218.20.253.2", is evaluated last;

4. "Finally stack the results" is a visual aid: treat each step as an opaque layer, stack the layers in order, and the final picture is the verdict.

Anyone who has used graphics software knows what layers are, and I suspect that Apache's design philosophy for Order Allow,deny is the same as that of Photoshop and similar graphics programs. The "rules of the game" are the same.

So the example above can be drawn step by step:

1. First draw a large white circle for the "Order Deny,allow" statement; by default it allows everyone;

2. Then draw a smaller black circle inside it for the "Deny from 218.20" statement, which rejects every IP beginning with 218.20;

3. Finally draw a still smaller white circle on top of the black one for the "Allow from 218.20.253.2" statement, which lets 218.20.253.2 through.

4. The result is a white circle containing a black circle, which in turn contains a white spot. Whatever is still visibly black is rejected, and everything white is allowed. The verdict is that simple picture.

If graphics software means nothing to you, here is an everyday version. Change the example slightly so that it is easier to see:

Order Deny,allow
Allow from 218.20.253.2
Deny from 219.30

1. Take a sheet of white A4 paper for the Order statement: everyone is allowed;

2. Cut a circle of black paper and lay it somewhere on the sheet for the Deny statement: every IP beginning with 219.30 is rejected;

3. Cut a circle of white paper and lay it beside the black one for the Allow statement: 218.20.253.2 is allowed. Note that this time it does not go on top of the black circle, because the Deny and Allow ranges no longer overlap;

4. The sheet now carries one black circle and one white circle, and the result is obvious. A white circle on white paper is redundant, since both mean "allowed", so it can be removed without changing the verdict.

If it is still unclear at this point, it must be something I have not explained well. In that case, please analyse the tested examples I ran, which are listed at the end.

Finally, the arguments after Allow from and Deny from can take many forms. The ones I see most often online are deny from IP1 IP2 IP3 or allow from domain.com; for the other forms consult other references. The form I want to point out is this one:

Order Deny,allow
Allow from IP1 IP2
Allow from Domain.info
Allow from 219.20.55.0/24
Deny from all

I did not specifically verify that this works, but Apache starts normally with it, so by rights it should be a correct way to write it. Haha, as a beginner this is as far as I can go, and I hope to get plenty of advice from everyone!
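The four-step principle (default, then the keyword before the comma, then the keyword after it) and the argument forms just listed can be checked mechanically. The following Python script is an added example, not code from Apache or from the original author: it models the host matching of mod_access / mod_access_compat for `all`, full IPv4 addresses, partial dotted prefixes such as `218.20`, and CIDR networks, and replays the tested examples that follow. Hostname arguments (`Allow from Domain.info`) need reverse DNS and are deliberately rejected; the 198.51.100.9 client address in the cases is a constructed placeholder from the RFC 5737 documentation range.

```python
"""Evaluate Apache Order/Allow/Deny blocks the way mod_access_compat does.

Added example for this article, not code from Apache or the original author.
It applies the default for the Order, then the keyword before the comma, then
the keyword after it, which overrides the first when a client matches both.
"""
import ipaddress


def matches(spec: str, client_ip: str) -> bool:
    """Return True when one Allow/Deny argument covers client_ip."""
    spec = spec.strip().lower()
    if spec == "all":
        return True
    if "/" in spec:  # CIDR form, e.g. 219.20.55.0/24
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)
    octets = spec.split(".")
    if 1 <= len(octets) <= 4 and all(o.isdigit() for o in octets):
        # A partial IP matches whole leading octets: '218.20' covers 218.20.x.x
        # but not 218.200.x.x, so compare octet lists rather than string prefixes.
        return client_ip.split(".")[: len(octets)] == octets
    raise ValueError(f"unsupported host argument (hostnames are not modelled): {spec}")


def evaluate(config: str, client_ip: str) -> bool:
    """Return True if client_ip is admitted by the given block of directives."""
    order = "deny,allow"  # Apache's default when no Order line is present
    allow_args, deny_args = [], []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        words = line.split()
        directive = words[0].lower()
        if directive == "order":
            # Exactly one comma and no spaces: "Allow, Deny" splits into three words.
            if len(words) != 2 or words[1].lower() not in ("allow,deny", "deny,allow"):
                raise ValueError(f"malformed Order line: {raw!r}")
            order = words[1].lower()
        elif directive in ("allow", "deny"):
            if len(words) < 3 or words[1].lower() != "from":
                raise ValueError(f"second word must be 'from': {raw!r}")
            (allow_args if directive == "allow" else deny_args).extend(words[2:])
        else:
            raise ValueError(f"unknown directive: {raw!r}")

    # The position of Allow and Deny lines in the file is irrelevant: all are evaluated.
    allowed = any(matches(a, client_ip) for a in allow_args)
    denied = any(matches(d, client_ip) for d in deny_args)

    if order == "deny,allow":
        # Default allow; Deny lines first; Allow lines last, so they win when both match.
        return allowed or not denied
    # Default deny; Allow lines first; Deny lines last, so they win when both match.
    return allowed and not denied


# Constructed cases taken from the article's tested examples:
# (block of directives, client address, expected verdict).
EXAMPLES = [
    ("Order Deny,allow\nAllow from all\nDeny from 219.204.253.8", "219.204.253.8", True),
    ("Order Allow,deny\nAllow from all\nDeny from 219.204.253.8", "219.204.253.8", False),
    ("Order Allow,deny\nAllow from all\nDeny from 219.204.253.8", "198.51.100.9", True),
    ("Order Allow,deny\nDeny from all\nAllow from 219.204.253.8", "219.204.253.8", False),
    ("Order Deny,allow\nDeny from all\nAllow from 219.204.253.8", "219.204.253.8", True),
    ("Order Deny,allow\nDeny from all\nAllow from 219.204.253.8", "198.51.100.9", False),
    ("Order Deny,allow", "198.51.100.9", True),
    ("Order Allow,deny", "198.51.100.9", False),
    ("Order Allow,deny\nDeny from 219.204.253.8", "198.51.100.9", False),
    ("Order Deny,allow\nAllow from 218.20.253.2\nDeny from 218.20", "218.20.253.2", True),
    ("Order Deny,allow\nAllow from 218.20.253.2\nDeny from 218.20", "218.20.9.9", False),
    ("Order Deny,allow\nAllow from 218.20.253.2\nDeny from 218.20", "218.200.9.9", True),
    ("Order Allow,deny\nAllow from 218.20.253.2\nDeny from 218.20", "218.20.253.2", False),
]


def check_examples() -> list:
    """Return the article's cases on which the evaluator disagrees (empty means all agree)."""
    return [(cfg, ip) for cfg, ip, expected in EXAMPLES if evaluate(cfg, ip) != expected]


if __name__ == "__main__":
    for cfg, ip, expected in EXAMPLES:
        label = cfg.replace("\n", " | ")
        print(f"{label:60} {ip:>15} -> {'allowed' if evaluate(cfg, ip) else 'denied'}")
    print("disagreements with the article:", check_examples())
```

Run it as a script to see every case decided; `check_examples()` returning an empty list confirms that the two-set model reproduces all of the article's results, including the partial prefix case where 218.200.9.9 is not caught by `Deny from 218.20`.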

Here are the tested examples:
--------------------------------
Order Deny,allow
Allow from all
Deny from 219.204.253.8
# everyone can pass
-------------------------------
Order Deny,allow
Deny from 219.204.253.8
Allow from all
# everyone can pass
-------------------------------
Order Allow,deny
Deny from 219.204.253.8
Allow from all
# only 219.204.253.8 cannot pass
-------------------------------
Order Allow,deny
Allow from all
Deny from 219.204.253.8
# only 219.204.253.8 cannot pass
-------------------------------
Order Allow,deny
Deny from all
Allow from 219.204.253.8
# nobody can pass
-------------------------------
Order Allow,deny
Allow from 219.204.253.8
Deny from all
# nobody can pass
-------------------------------
Order Deny,allow
Allow from 219.204.253.8
Deny from all
# only 219.204.253.8 can pass
-------------------------------
Order Deny,allow
Deny from all
Allow from 219.204.253.8
# only 219.204.253.8 can pass
-------------------------------
Order Deny,allow
# everyone can pass (default)
-------------------------------
Order Allow,deny
# nobody can pass (default)
-------------------------------
Order Allow,deny
Deny from all
# nobody can pass
-------------------------------
Order Deny,allow
Deny from all
# nobody can pass
-------------------------------
In both of these cases, if you change the line to Allow from all, everyone can pass.
-------------------------------
Order Deny,allow
Deny from 219.204.253.8
# only 219.204.253.8 cannot pass
-------------------------------
Order Allow,deny
Deny from 219.204.253.8
# nobody can pass
-------------------------------
Order Allow,deny
Allow from 219.204.253.8
# only 219.204.253.8 can pass
-------------------------------
Order Deny,allow
Allow from 219.204.253.8
# everyone can pass
-------------------------------
Order Deny,allow
Allow from 218.20.253.2
Deny from 218.20
# IPs beginning with 218.20 are rejected, except 218.20.253.2, which is allowed; IPs not beginning with 218.20 are also allowed
-------------------------------
Order Allow,deny
Allow from 218.20.253.2
Deny from 218.20
# almost the same as above, only Allow and Deny are swapped in the Order statement, yet the result is that everyone is rejected: 218.20.253.2 matches both lines and the Deny set is evaluated last, the rest of 218.20 matches only Deny, and all other IPs match no Allow line
