Order Allow,Deny usage in Apache (Linux)


This article describes how the Order, Allow and Deny directives are used in Apache, for your reference. The details are as follows:

Allow and Deny can be used in Apache configuration files or in .htaccess files (inside Directory, Location, Files and similar containers) to control access to directories and files.

The most common form is:

Order Deny,allow
Allow from all

Note that there is exactly one comma between "Deny" and "allow", and there must be no spaces around it; a space causes an error. The setting above means "check the Deny rules first; whatever is not denied is allowed". Since the second line only allows and there is no Deny line, nothing is denied and all access is allowed. This is mainly used to confirm or override the settings inherited from the parent directory and open access to everything.

By the same logic, the following setting forbids all access unconditionally:

Order Allow,deny
Deny from all

If you want to block access for some clients and leave everything else open:

Order Deny,allow
Deny from Ip1 ip2

Or

Order Allow,deny
Allow from all
Deny from Ip1 ip2

Apache decides the final result according to the Order. In the second form, although the second line allows access for everyone, Allow is not the last keyword in the Order, so Apache still has to check whether a Deny rule matches; the third line does, so access from Ip1 and Ip2 is refused. Note that the keyword placed last in the Order is very important. Here are two common mistakes and how to correct them:

Order Deny,allow
Allow from all
Deny from domain.org

Error: the intent is to forbid access from domain.org, but Deny is not the last keyword in the Order, so the "Allow from all" in the second line wins and the Deny in the third line has no effect.

Solution: change the Order to Allow,deny and leave the two lines below it unchanged.

Order Allow,deny
Allow from Ip1
Deny from all

Error: the intent is to allow access only from Ip1. The second line does allow Ip1, but Deny comes last in the Order, so the Deny rule in the third line prevails, and since "all" includes Ip1, all access is forbidden.

Solution one: remove the third line.

Solution two:

Order Deny,allow
Deny from all
Allow from Ip1


Some time ago I was setting up an Apache HTTP proxy server and did not understand the Order Allow,Deny part, so I searched the internet for information, which only made me more confused; some of it was hard to judge right from wrong, and some was outright misleading. As with many articles on Windows system passwords, much of it is repeated parrot-fashion without ever having been tested. Enough talk; first I present the conclusions I reached after testing and analysis, which I believe will help everyone's understanding.

General

Only two things affect the final result:

1. the sequence of Allow and Deny in the Order statement;

2. the ranges given in the Allow and Deny statements.

Friendly reminders

1. After changing the configuration, save it and restart the Apache service for it to take effect;

2. The keywords are case-insensitive;

3. The order in which the Allow and Deny statements appear in the file does not affect the final result; both are always evaluated;

4. In the Order statement there must be exactly one comma (an ASCII comma) between "Allow" and "Deny", and the sequence matters a great deal;

5. Apache has a default rule: "Order Allow,deny" by itself means deny all, because Deny comes after Allow; likewise "Order Deny,allow" by itself means allow all. The final decision then also takes into account the ranges in the Allow and Deny statements that follow (which means the Order statement can also stand alone, without any Allow or Deny statements);

6. In an Allow or Deny statement, the second word must be "from"; otherwise Apache fails to start with an error;

7. "Order Allow,deny" means the Allow statements are judged first and the Deny statements afterwards, and vice versa for "Order Deny,allow".

That is everything to remember; what follows is my own way of understanding it. If someone reads it and does not get an "aha" moment, that is my failure!

The principle of judgment is divided into 4 steps:

1. First judge the default;

2. Then judge what comes before the comma;

3. Finally judge what comes after the comma;

4. Stack the results in that order to obtain the final outcome.

I have put these points simply and pictorially, mainly to make them easy to remember. If they are not clear yet, keep reading the detailed explanation below and they will become so. Here is a typical example to explain them:

Order Deny,allow
Allow from 218.20.253.2
Deny from 218.20

1. "First judge the default" means judging the statement "Order Deny,allow", whose default is to allow all;

2. "Then judge what comes before the comma": in this example Deny is before the comma in the Order statement, so now it is the turn of the Deny statement that follows, "Deny from 218.20";

3. "Finally judge what comes after the comma": Allow is after the comma, so the last to be judged is the Allow statement that follows, "Allow from 218.20.253.2";

4. "Stack the results in that order" is a visual way of putting it: I think of each step as an opaque layer, stacked one on top of the other in that order; the final "image" is the result of the judgment.

Anyone who has used drawing software knows what "layers" are, and I believe the design of Apache's Order/Allow/Deny follows the same idea as the layers in Photoshop and other drawing programs; the "rules of the game" are the same.

So the example above can be drawn step by step like this:

1. First draw a white circle representing the "Order Deny,allow" statement, whose default meaning is to allow all;

2. Then draw a smaller black circle inside the white one, representing the "Deny from 218.20" statement, which rejects every IP starting with 218.20;

3. Finally draw an even smaller white circle on top of the black one, representing the "Allow from 218.20.253.2" statement, which lets 218.20.253.2 through.

4. Now we can see the result: a white circle with a black circle on it, and a white circle on top of the black one. The black part still visible is what is refused; the white parts are allowed. The judgment is as simple as that picture!

If you are not familiar with graphics software, here is a metaphor closer to everyday life.

Change the example slightly to make it clearer:

Order Deny,allow
Allow from 218.20.253.2
Deny from 219.30

1. First take a sheet of white A4 paper, representing the Order statement, meaning allow all;

2. Then cut a circle out of black paper and place it somewhere on the A4 sheet, representing the Deny statement, meaning all IPs starting with 219.30 are rejected;

3. Finally cut a circle out of white paper and place it next to the black circle, representing the Allow statement, meaning 218.20.253.2 is allowed through. Note that this time it is not placed on the black circle, because the Deny and Allow statements no longer contain one another.

4. The A4 sheet now carries a black circle and a white circle, and the result is obvious. But a white circle on white A4 paper is clearly superfluous: both are white, both mean permission, so the white circle can be removed without changing the result.

If this is still not understood, it must be something I have not explained clearly. Then please analyse the test examples I have done, which are listed at the end.

Also, the Allow and Deny statements can take various kinds of arguments, with different forms of expression. The practice I see online is "Deny from IP1 IP2 IP3" or "Allow from domain.com"; you can look up other forms elsewhere. What I want to mention is another way of writing it:

Order Deny,allow
Allow from IP1 IP2
Allow from Domain.info
Allow from 219.20.55.0/24
Deny from all

I did not specifically verify this, but Apache starts normally with it, and by rights it should be a correct form. Ha, a beginner like me can only do so much; I hope you will offer plenty of advice!
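The following is an added example, not code from the original article: a small Python model of the evaluation rules described above (the Order keyword sets the default, the Allow and Deny lines are matched regardless of their position in the file, and the keyword named last in the Order wins when a client matches both), so the test results listed below can be reproduced offline without an Apache install. It understands `all`, full and partial IPv4 addresses such as `218.20`, and CIDR ranges; domain-name arguments, which Apache resolves through reverse DNS, are not modelled. It also rejects the two syntax mistakes the reminders warn about: anything other than a single `Allow,Deny`/`Deny,Allow` argument after Order (a space after the comma turns it into two arguments) and a missing `from`. The function names and the address 1.2.3.4 are constructed here; the configurations are the article's own. On Apache 2.4 these directives come from mod_access_compat; the model follows the 2.2 semantics the article tests.

```python
"""Model of Apache 2.2-style Order / Allow / Deny evaluation.

Added example (not the article's code). Rules modelled: the Order keyword
sets the default, the order of Allow/Deny lines in the file does not matter,
and the keyword named last in Order wins when a client matches both lists.
"""
import ipaddress
import re

# Arguments the model understands: 'all', a full IPv4 address, a partial
# dotted prefix such as '218.20', and a CIDR range. Domain names are not
# modelled (Apache resolves them with reverse DNS).
_IP_PREFIX = re.compile(r"\d{1,3}(\.\d{1,3}){0,3}")


def matches(pattern, client_ip):
    """Return True if client_ip matches one Allow/Deny argument."""
    if pattern.lower() == "all":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    if _IP_PREFIX.fullmatch(pattern):
        # partial address: compare leading octets only
        octets = pattern.split(".")
        return client_ip.split(".")[: len(octets)] == octets
    raise ValueError(f"unsupported argument (domain names are not modelled): {pattern!r}")


def parse(config):
    """Split a config block into (order, allow_args, deny_args).

    Raises ValueError for the syntax mistakes the reminders warn about:
    Order with anything but one argument 'Allow,Deny' or 'Deny,Allow'
    (a space after the comma makes two arguments), and a missing 'from'.
    """
    order, allows, denies = None, [], []
    for raw in config.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        words = line.split()
        directive = words[0].lower()  # directives and keywords are case-insensitive
        if directive == "order":
            if len(words) != 2 or words[1].lower() not in ("allow,deny", "deny,allow"):
                raise ValueError(f"Order takes exactly one argument, Allow,Deny or Deny,Allow: {raw!r}")
            order = words[1].lower()
        elif directive in ("allow", "deny"):
            if len(words) < 3 or words[1].lower() != "from":
                raise ValueError(f"second word of {directive.title()} must be 'from': {raw!r}")
            (allows if directive == "allow" else denies).extend(words[2:])
        else:
            raise ValueError(f"unknown directive: {raw!r}")
    if order is None:
        raise ValueError("no Order directive")
    return order, allows, denies


def syntax_ok(config):
    """True when the block parses, False for the mistakes parse() rejects."""
    try:
        parse(config)
    except ValueError:
        return False
    return True


def is_allowed(config, client_ip):
    """Decide whether client_ip may access a resource guarded by config."""
    order, allows, denies = parse(config)
    in_allow = any(matches(p, client_ip) for p in allows)
    in_deny = any(matches(p, client_ip) for p in denies)
    if order == "allow,deny":
        # default deny: the client must match an Allow and must not match any Deny
        return in_allow and not in_deny
    # deny,allow: default allow; a Deny match is overridden by a matching Allow
    return in_allow or not in_deny


if __name__ == "__main__":
    # Configurations from the article's test list; 1.2.3.4 is a constructed
    # "anyone else" address.
    cases = [
        "Order Deny,allow\nAllow from all\nDeny from 219.204.253.8",
        "Order Allow,deny\nAllow from all\nDeny from 219.204.253.8",
        "Order Deny,allow\nAllow from 218.20.253.2\nDeny from 218.20",
        "Order Allow,deny\nAllow from 218.20.253.2\nDeny from 218.20",
    ]
    for cfg in cases:
        verdicts = {ip: is_allowed(cfg, ip)
                    for ip in ("219.204.253.8", "218.20.253.2", "218.20.1.1", "1.2.3.4")}
        print(cfg.replace("\n", " | "), "->", verdicts)
```

Running the script prints one verdict line per configuration; swapping the two Allow/Deny lines in any case leaves the verdicts unchanged, while swapping the keywords in the Order flips the default and therefore the result for every address that matches both lists.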

Here are the examples that have been tested:

Order Deny,allow
Allow from all
Deny from 219.204.253.8
# everyone can pass

Order Deny,allow
Deny from 219.204.253.8
Allow from all
# everyone can pass

Order Allow,deny
Deny from 219.204.253.8
Allow from all
# only 219.204.253.8 cannot pass

Order Allow,deny
Allow from all
Deny from 219.204.253.8
# only 219.204.253.8 cannot pass

Order Allow,deny
Deny from all
Allow from 219.204.253.8
# nobody can pass

Order Allow,deny
Allow from 219.204.253.8
Deny from all
# nobody can pass

Order Deny,allow
Allow from 219.204.253.8
Deny from all
# only 219.204.253.8 is allowed

Order Deny,allow
Deny from all
Allow from 219.204.253.8
# only 219.204.253.8 is allowed

Order Deny,allow
# everyone can pass (default)

Order Allow,deny
# nobody can pass (default)

Order Allow,deny
Deny from all
# nobody can pass

Order Deny,allow
Deny from all
# nobody can pass

In the two cases above, if "Deny from all" is replaced by "Allow from all", everyone can pass!

Order Deny,allow
Deny from 219.204.253.8
# only 219.204.253.8 cannot pass

Order Allow,deny
Deny from 219.204.253.8
# nobody can pass

Order Allow,deny
Allow from 219.204.253.8
# only 219.204.253.8 is allowed

Order Deny,allow
Allow from 219.204.253.8
# everyone can pass

Order Deny,allow
Allow from 218.20.253.2
Deny from 218.20
# denies IPs starting with 218.20 but lets 218.20.253.2 through; IPs outside 218.20 are allowed

Order Allow,deny
Allow from 218.20.253.2
Deny from 218.20
# almost the same as above, only Allow and Deny are swapped in the Order statement, yet the result is that everyone is rejected!

I hope this article will help you with your Apache server configuration.
