Order, Allow and Deny in Apache

Source: Internet
Author: User

Order A,B (where A and B each stand for allow or deny, and conlist below stands for a control list)
A from conlist1
B from conlist2
The final access control result is as follows, where (A) denotes the control range of A, and ! means complement, U means union, n means intersection:
(A) = (conlist1) U (!conlist2)
(B) = (!A) = (!conlist1) n (conlist2)
(A) U (B) = I (the full set)
The following figure shows the relationship between allow and deny.


The most common ones are:

The code is as follows:
Order Deny,Allow
Allow from all

Note: "Deny,Allow" is separated by exactly one comma, with no spaces and no additional commas.
This setting means: the Order line says "check the prohibition (Deny) settings first, and allow everything that is not prohibited"; the second line contains no Deny, so there are no prohibition settings and all access is allowed. It is mainly used to ensure, or override, the settings of the parent directory and open access to all content.
According to the above explanation, the following settings prohibit access unconditionally:

The code is as follows:
Order Allow,Deny
Deny from all

If you want to deny access to some clients and leave it open to all others:
Order Deny,Allow
Deny from ip1 ip2
Or
Order Allow,Deny
Allow from all
Deny from ip1 ip2

Apache decides which rule to apply according to the sequence given in the Order statement. In the second method above, for example, the Allow on the second line permits access, but because Allow is not the final rule in Order, Apache still has to check whether any Deny rule applies; the third line then denies access from clients matching ip1 and ip2.
Note: the "last" rule determined by order is very important.
Two error examples and solutions:

The code is as follows:
1>
Order Deny,Allow
Allow from all
Deny from domain.com


Error: the intent is to block access from domain.com, but Deny is not the final rule in Order, so Apache matches the Allow statement on the second line and the Deny on the third line never takes effect.

Solution: change
Order Deny,Allow
to
Order Allow,Deny
and leave the other lines unchanged.

2>
Order Allow,Deny
Allow from ip1
Deny from all


Error: the intent is to allow access only from ip1. Although the Allow rule on the second line permits ip1, Deny comes last in Order, so the Deny on the third line prevails; its range contains ip1 ("all" includes ip1), so all access is forbidden.
Solution:

The code is as follows:
Order Deny,Allow
Deny from all
Allow from ip1


General --

There are only two factors that affect the final judgment result:

1. The order of allow and deny in order statement;

2. The range included in the allow and deny statements.

Reminder --

1. After the configuration is modified, save and restart the Apache service to make the configuration take effect;

2. The first letter of the directives is case-insensitive;

3. The allow and deny statements may be written in any sequence. Which of them comes first in the file does not affect the final result, which is determined by the order statement;

4. In the order statement, there is only one comma (an ASCII comma) between "allow" and "deny", and their sequence is very important;

5. Apache has a default rule: "order allow,deny" by itself rejects everything by default, because deny comes after allow. Similarly, "order deny,allow" allows everything by default. Of course, the final result also depends on the ranges of the allow and deny statements that follow (in other words, the order statement may be followed by no allow or deny statements at all);

6. In allow and deny statements, the second word must be "from". Otherwise, Apache fails to start with an error;

7. "order allow,deny" means that the allow statements are evaluated before the deny statements, and vice versa.
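
The two error examples above and the default rule in reminder 5, replayed in a small Python model (an added example, not code from the original page or from Apache). It assumes IP and CIDR specs only; hostname matching such as domain.com is not modelled, and the sample addresses are constructed.

```python
import ipaddress

def matches(client_ip, specs):
    """True if client_ip matches any spec: 'all', one IP, or a CIDR block."""
    addr = ipaddress.ip_address(client_ip)
    for spec in specs:
        if spec.lower() == "all":
            return True
        if addr in ipaddress.ip_network(spec, strict=False):
            return True
    return False

def is_allowed(order, allow, deny, client_ip):
    """Model of the Order logic: the directive named last in Order wins.

    allow / deny are the spec lists from the 'Allow from' / 'Deny from' lines;
    their sequence in the file is irrelevant, only Order matters.
    """
    allowed = matches(client_ip, allow)
    denied = matches(client_ip, deny)
    order = order.lower()
    if order == "allow,deny":
        # Default deny: the client must match Allow and must not match Deny.
        return allowed and not denied
    if order == "deny,allow":
        # Default allow: the client is refused only if denied and not allowed.
        return allowed or not denied
    # A space after the comma ("Allow, Deny") is a configuration error.
    raise ValueError(f"invalid Order argument: {order!r}")

# Constructed sample addresses (documentation ranges): ip1 and an unrelated client.
IP1, OTHER = "192.0.2.10", "198.51.100.7"

def page_cases():
    """Replay the page's error examples and their fixes; True means allowed."""
    return {
        # Error 1: Deny is not last, so the client meant to be blocked gets in.
        "error1_blocked_client": is_allowed("Deny,Allow", ["all"], [IP1], IP1),
        "fix1_blocked_client": is_allowed("Allow,Deny", ["all"], [IP1], IP1),
        # Error 2: 'Deny from all' is last and covers ip1, locking everyone out.
        "error2_ip1": is_allowed("Allow,Deny", [IP1], ["all"], IP1),
        "fix2_ip1": is_allowed("Deny,Allow", [IP1], ["all"], IP1),
        "fix2_other": is_allowed("Deny,Allow", [IP1], ["all"], OTHER),
    }

if __name__ == "__main__":
    for name, result in page_cases().items():
        print(f"{name}: {'allowed' if result else 'denied'}")
```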
