Order A,B (where A and B can each represent allow or deny, and conlist below represents a control list)
A from conlist1
B from conlist2
The final access control result is as follows, where (A) represents the control range of A:
(A) = (conlist1) U (!conlist2)   (! -- complement, U -- union, n -- intersection)
(B) = (!A) = (!conlist1) n (conlist2)
(A) U (B) = I (full set)
The following figure shows the relationship between allow and deny.
The most common ones are:
The code is as follows:
Order Deny,Allow
Allow from all

Note: "Deny,Allow" has exactly one comma in the middle, and there must be no space and no additional comma.
The meaning of this setting is: the first line says "check the deny settings first; whatever is not denied is allowed". There is no Deny statement, that is, no access is prohibited, and the second line allows all access. This is mainly used to make sure of, or to override, the settings of the upper-level directory and open access to all content.
According to the above explanation, the following settings prohibit access unconditionally:
The code is as follows:
Order Allow,Deny
Deny from all

If you want to deny access for some clients (ip1 and ip2) and leave it open to all others:
Order Deny,Allow
Deny from ip1 ip2

Or:
Order Allow,Deny
Allow from all
Deny from ip1 ip2

Apache decides which rule to apply according to the sequence given in the Order statement. For example, in the second method above, the Allow on the second line allows access, but because Allow is not the final rule in Order, Apache still has to check whether there are any Deny rules. The third line then applies to access that matches ip1 and ip2, which is denied.
Note: the "last" rule determined by order is very important.
Two error examples and solutions:
The code is as follows:
1>
Order Deny,Allow
Allow from all
Deny from domain.com

Error: the intent is to deny access from domain.com, but Deny is not the final rule, so Apache will successfully match the Allow statement on the second line and will not process the third line at all.
Solution: change "Order Deny,Allow" to "Order Allow,Deny" and leave the other lines unchanged.

The code is as follows:
2>
Order Allow,Deny
Allow from ip1
Deny from all

Error: the intent is to allow access only from ip1. Although the Allow rule is set on the second line, Deny comes last in Order, so the Deny on the third line prevails. The range of the third line contains ip1 (all includes ip1), so all access is forbidden.
Solution:
The code is as follows:
Order Deny,Allow
Deny from all
Allow from ip1
Summary --
There are only two factors that affect the final judgment result:
1. The order of allow and deny in order statement;
2. The range included in the allow and deny statements.
Reminder --
1. After the configuration is modified, save and restart the Apache service to make the configuration take effect;
2. The first letter is case-insensitive;
3. The allow and deny statements may appear in any order relative to each other; which one is written first does not affect the final judgment result;
4. In the order statement, there is only one comma (a plain half-width comma) between "allow" and "deny", and their order is very important;
5. Apache has a default rule: "order allow,deny" by itself rejects everything by default, because deny comes after allow. Similarly, "order deny,allow" allows everything by default. Of course, the final judgment result also depends on the ranges of the allow and deny statements that follow (in other words, the order statement may be followed by no allow or deny statements at all);
6. In allow and deny statements, the second word must be "from"; otherwise Apache cannot be started because of the error;
7. "order allow,deny" means that the allow statements are judged before the deny statements, and vice versa.
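
The two error examples and their fixes can be checked with a small evaluator that applies the rules summarised above. This is an added example, not code from the original article or from Apache: it models only "all", single IP addresses and CIDR ranges, and the addresses are constructed stand-ins (192.0.2.10 for ip1, 203.0.113.0/24 for domain.com).

```python
import ipaddress

ORDERS = ("allow,deny", "deny,allow")

def parse(config):
    """Return (order, allow_specs, deny_specs) from Order/Allow/Deny lines."""
    order, specs = "deny,allow", {"allow": [], "deny": []}  # Apache 2.2 default Order
    for line in config.strip().splitlines():
        words = line.split()
        if not words:
            continue
        key = words[0].lower()
        if key == "order":
            # "Order Deny, Allow" (with a space) splits into 3 words and is rejected.
            if len(words) != 2 or words[1].lower() not in ORDERS:
                raise ValueError(f"bad Order statement: {line!r}")
            order = words[1].lower()
        elif key in specs:
            if len(words) < 3 or words[1].lower() != "from":
                raise ValueError(f"second word must be 'from': {line!r}")
            specs[key] += words[2:]
        else:
            raise ValueError(f"unsupported directive: {line!r}")
    return order, specs["allow"], specs["deny"]

def matches(client, specs):
    """True if client matches 'all' or any IP/CIDR spec (hostnames not modelled)."""
    ip = ipaddress.ip_address(client)
    return any(s.lower() == "all" or ip in ipaddress.ip_network(s, strict=False)
               for s in specs)

def is_allowed(config, client):
    order, allow, deny = parse(config)
    allowed, denied = matches(client, allow), matches(client, deny)
    if order == "deny,allow":          # Allow is last: default allow, Allow wins
        return allowed or not denied
    return allowed and not denied      # Deny is last: default deny, Deny wins

# Constructed stand-ins: 192.0.2.10 for ip1, 203.0.113.0/24 for domain.com.
ERROR_1 = "Order Deny,Allow\nAllow from all\nDeny from 203.0.113.0/24"
FIXED_1 = "Order Allow,Deny\nAllow from all\nDeny from 203.0.113.0/24"
ERROR_2 = "Order Allow,Deny\nAllow from 192.0.2.10\nDeny from all"
FIXED_2 = "Order Deny,Allow\nDeny from all\nAllow from 192.0.2.10"

if __name__ == "__main__":
    for name, cfg, client in [("error 1", ERROR_1, "203.0.113.5"),
                              ("fixed 1", FIXED_1, "203.0.113.5"),
                              ("error 2", ERROR_2, "192.0.2.10"),
                              ("fixed 2", FIXED_2, "192.0.2.10")]:
        print(name, client, "allowed" if is_allowed(cfg, client) else "denied")
```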