Apache's Order, Allow and Deny directives

Source: Internet
Author: User
Allow and Deny are used in Apache configuration files or .htaccess files (inside <Directory>, <Location>, <Files> and similar containers) to control which clients may reach directories and files, based on the client's IP address or host name. In Apache 2.2 they come from mod_authz_host; in Apache 2.4 they are kept only for compatibility by mod_access_compat, and new configurations should use Require instead (Require all granted, Require ip 10.0.0.0/8, Require all denied).

The most common combination is:
Order deny,allow
Allow from all

Note that the argument to Order is a single word, deny,allow, with exactly one comma and no space on either side. Written as "deny, allow" it becomes two arguments and Apache refuses to start with a syntax error. Directive names and their arguments are case-insensitive. The meaning of the setting above: the Order line says "evaluate the Deny statements first, then the Allow statements; when nothing matches, allow". The second line then allows every client, and since there is no Deny line at all, everyone gets in. This combination is mainly used to override restrictions inherited from a parent directory and open the content to everyone.

By the same logic, the following settings refuse access unconditionally:
Order allow,deny
Deny from all

To block some clients and leave everything else open, either of the following works:
Order deny,allow
Deny from IP1 IP2
or
Order allow,deny
Allow from all
Deny from IP1 IP2

Apache does not stop at the first matching line: every Allow and every Deny statement in the block is evaluated, and Order decides two things, the default when nothing matches and which group is evaluated last and therefore wins when a client matches both. In the second form above, Allow from all matches every client, but because deny is the last word in Order, a matching Deny line overrides that, so IP1 and IP2 are refused and everyone else is admitted. Which group comes "last" in Order is the thing to keep straight. Two common mistakes, with the fix for each:

Order deny,allow
Allow from all
Deny from domain.org
Error: the intention is to block domain.org, but with Order deny,allow the Allow statements are evaluated last, so Allow from all overrides the Deny and domain.org gets in along with everyone else.
Solution: use Order allow,deny and leave the other two lines unchanged. (Matching on a host name also makes Apache perform a double reverse DNS lookup on every request, regardless of the HostnameLookups setting; matching on addresses is faster and harder to spoof.)

Order allow,deny
Allow from IP1
Deny from all
Error: the intention is to admit only IP1. The Allow line does match IP1, but Deny is evaluated last under this Order, and Deny from all also matches IP1 (all includes IP1), so the Deny wins and nobody gets in.
Solution 1: simply delete the third line; with Order allow,deny the default is already deny, so only IP1 is admitted.
Solution 2:
Order deny,allow
Deny from all
Allow from IP1


From: http://hi.baidu.com/enjoypain/blog/item/f48c7aecdba298d12f2e21ac.html

Some time ago I set up an HTTP proxy server with Apache and did not quite understand the Order, Allow and Deny part, so I went online to look for information; the more I read, the more confused I got, and some of it is hard to tell right from wrong or is even misleading. Like the articles on cracking Windows system passwords, much of it is vague and untested. I believe this write-up will be very helpful to everyone.

General --

Only two factors determine the final result:

1. The order of allow and deny in the Order statement;

2. The ranges covered by the Allow and Deny statements.

Reminder --

1. After modifying the main configuration, save it and restart (or reload) the Apache service for the change to take effect; .htaccess files are read on each request and need no restart;

2. Directive names are case-insensitive (Order, order and ORDER all work);

3. The Allow and Deny statements may appear in either order; which one is written first does not affect the result, since both are always evaluated;

4. In the Order statement there is exactly one comma (an ASCII comma, with no spaces) between allow and deny, and which word comes first is what matters;

5. Apache has a default rule: "Order allow,deny" on its own rejects everyone, because deny comes after allow; likewise "Order deny,allow" on its own admits everyone. The final result must of course be combined with the ranges of any Allow and Deny statements that follow (in other words, an Order statement may stand with no Allow or Deny statement after it; and if Order itself is omitted, Apache assumes Deny,Allow);

6. In Allow and Deny statements the second word must be "from"; otherwise Apache fails to start with a configuration error;

7. "Order allow,deny" means the Allow statements are evaluated before the Deny statements, and vice versa; the group evaluated last wins when a client matches both.

All of the above is to be remembered; what follows is my own way of understanding it. If it still does not click for someone, that is my failure!

The evaluation principle has four steps --

1. First, take the default value;

2. Then evaluate the statements named before the comma;

3. Last, evaluate the statements named after the comma;

4. Stack the results in that order to obtain the final verdict.

The four steps above are deliberately simple and visual, mainly to aid memory. It does not matter if they are not yet clear; keep reading the detailed explanation below and they will come naturally. Here is a typical example --

Order deny,allow
Allow from 218.255.253.2
Deny from 218.20

1. "First take the default" means looking at the "Order deny,allow" statement, which by default allows everyone;

2. "Then evaluate before the comma": in this Order statement deny comes before the comma, so the Deny statement, "Deny from 218.20", is evaluated next; a partial address like this matches every client whose first two octets are 218.20;

3. "Last evaluate after the comma": allow comes after the comma, so the Allow statement, "Allow from 218.255.253.2", is evaluated last;

4. "Stack the results in order to get the verdict" is a visual way of putting it: I treat each step as an "opaque layer" and stack them one on top of the other; the final "image" is the verdict.

Anyone who has used drawing software knows what a "layer" is; I suspect Apache's design of Order, Allow and Deny follows the same idea as layers in Photoshop and similar programs. The "rules of the game" are the same.

The example above, step by step, as an image --

1. First draw a white circle, representing the "Order deny,allow" statement, which by default means allow everyone;

2. Then draw a small black circle on top of it, representing the "Deny from 218.20" statement, which rejects every address starting with 218.20;

3. Finally draw another white circle on top, representing the "Allow from 218.255.253.2" statement, which lets 218.255.253.2 through; wherever it overlaps the black circle, the white layer on top is what shows.

4. Now we can read off the result: a black circle on the white background, and a white circle on top of that. Whatever is black is rejected; the remaining white is permitted. The verdict is just this simple picture! (Strictly, 218.255.253.2 does not begin with 218.20, so with these particular addresses the two circles do not overlap and the Allow line changes nothing; the picture shows the mechanism, which becomes decisive as soon as the allowed host lies inside the denied range.)

For those who do not use drawing software, here is a metaphor closer to everyday life --

Modify the example above slightly to make it clearer:

Order deny,allow
Allow from 218.255.253.2
Deny from 219.30

1. First take a sheet of white A4 paper, representing the Order statement, which means allow everyone;

2. Cut a circle out of black paper and lay it somewhere on the A4 sheet, representing the Deny statement, which rejects every address starting with 219.30;

3. Finally cut a circle out of white paper and lay it next to the black one, representing the Allow statement, which admits 218.255.253.2. Note that here the white circle does not sit on top of the black one, because the Deny and Allow ranges do not overlap.

4. The A4 sheet now carries one black circle and one white circle, and the result is obvious. The white circle on the white sheet is clearly redundant, though: both are white, both mean allow, so it only repeats what is already there and can be removed without changing the verdict.

If you still do not understand it, I have nothing more to say. Work through the test examples I have run, listed at the end.

One more thing. The argument after Allow and Deny can take several forms. What I saw online was deny from IP1 IP2 IP3 or allow from domain.com; look elsewhere for the other forms. Here is another way of writing it:

Order deny,allow
Allow from IP1 IP2
Allow from domain.info
Allow from 219.42555.0/24
Deny from all

I have not specifically verified whether this is correct, but the Apache service starts normally with it, so it should be the right syntax. Ha, that is all a beginner like me has to go on. I hope you will offer more advice!

The following are the test examples:
--------------------------------
Order deny,allow
Allow from all
Deny from 219.204.253.8
# Everyone gets through
-------------------------------
Order deny,allow
Deny from 219.204.253.8
Allow from all
# Everyone gets through
-------------------------------
Order allow,deny
Deny from 219.204.253.8
Allow from all
# Only 219.204.253.8 is refused
-------------------------------
Order allow,deny
Allow from all
Deny from 219.204.253.8
# Only 219.204.253.8 is refused
-------------------------------
-------------------------------
Order allow,deny
Deny from all
Allow from 219.204.253.8
# Nobody gets through
-------------------------------
Order allow,deny
Allow from 219.204.253.8
Deny from all
# Nobody gets through
-------------------------------
Order deny,allow
Allow from 219.204.253.8
Deny from all
# Only 219.204.253.8 gets through
-------------------------------
Order deny,allow
Deny from all
Allow from 219.204.253.8
# Only 219.204.253.8 gets through
-------------------------------
--------------------------------
Order deny,allow
# Everyone gets through (default)
-------------------------------
Order allow,deny
# Nobody gets through (default)
-------------------------------
Order allow,deny
Deny from all
# Nobody gets through
-------------------------------
Order deny,allow
Deny from all
# Nobody gets through
-------------------------------
In the two cases above, replacing "Deny from all" with "Allow from all" lets everyone through under either Order.
-------------------------------
Order deny,allow
Deny from 219.204.253.8
# Only 219.204.253.8 is refused
-------------------------------
Order allow,deny
Deny from 219.204.253.8
# Nobody gets through (the default is deny, and no Allow line matches anyone)
-------------------------------
Order allow,deny
Allow from 219.204.253.8
# Only 219.204.253.8 gets through
-------------------------------
Order deny,allow
Allow from 219.204.253.8
# Everyone gets through (the default is allow, and nothing is denied)
-------------------------------
-------------------------------
Order deny,allow
Allow from 218.255.253.2
Deny from 218.20
# Addresses starting with 218.20 are refused; 218.255.253.2 and every other address get through. Note that 218.255.253.2 does not start with 218.20, so the Allow line is redundant here; it would matter only if the allowed host lay inside the denied prefix.
-------------------------------
Order allow,deny
Allow from 218.255.253.2
Deny from 218.20
# The same lines with the words in Order swapped: now only 218.255.253.2 gets through and everyone else is refused by default. Had the allowed host fallen inside 218.20, the Deny, evaluated last, would have overridden the Allow and nobody would get through.
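To check the rules at the top of the page and the whole test list above without an Apache installation (the four-step evaluation model, the multi-line Allow form, and the "no space after the comma" point), here is a small Python model of the evaluation. It is an added example, not part of the original post and not Apache's own code. It assumes the documented mod_authz_host semantics of Apache 2.2 (every Allow and Deny line is evaluated; Order chooses the default and which group is evaluated last), takes the reverse-resolved host name as a caller-supplied argument instead of doing the DNS lookup Apache would do, and uses constructed sample addresses (219.204.253.8 from the list above plus the documentation address 203.0.113.9). The env= forms of Allow and Deny are out of scope.

```python
"""Model of Apache 2.2-style Order / Allow / Deny evaluation (mod_authz_host).

Added example, not Apache's code. It implements the documented rule: every
Allow and every Deny line is evaluated; Order picks the default and which
group is evaluated last (and therefore wins when a client matches both).
"""
import ipaddress


def parse_rules(config):
    """Return (order, allow_patterns, deny_patterns) for a config fragment."""
    order = "deny,allow"            # Apache's default when no Order line is present
    allow, deny = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        directive = words[0].lower()    # directive names are case-insensitive
        if directive == "order":
            # "Order deny, allow" (with a space) is two arguments: a syntax error
            if len(words) != 2 or words[1].lower() not in ("allow,deny", "deny,allow"):
                raise ValueError("bad Order directive: %r" % raw)
            order = words[1].lower()
        elif directive in ("allow", "deny"):
            # the second word must be "from", followed by one or more hosts
            if len(words) < 3 or words[1].lower() != "from":
                raise ValueError("bad %s directive: %r" % (words[0], raw))
            (allow if directive == "allow" else deny).extend(words[2:])
        else:
            raise ValueError("unsupported directive: %r" % raw)
    return order, allow, deny


def host_matches(pattern, client_ip, client_host=None):
    """Does one Allow/Deny argument match this client?

    Supports 'all', a full IPv4 address, a partial address (first 1-3 octets),
    CIDR or network/netmask, and a (partial) domain name. Apache resolves the
    name itself with a double reverse DNS lookup; here the caller passes the
    resolved name in (assumption of this example).
    """
    pattern = pattern.lower()
    if pattern == "all":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    if pattern.replace(".", "").isdigit():
        octets = pattern.strip(".").split(".")
        return client_ip.split(".")[: len(octets)] == octets
    if client_host is None:
        return False
    host, domain = client_host.lower(), pattern.lstrip(".")
    return host == domain or host.endswith("." + domain)


def is_allowed(config, client_ip, client_host=None):
    """Apply the Order rule to one client: both lists are checked, Order breaks the tie."""
    order, allow, deny = parse_rules(config)
    allowed = any(host_matches(p, client_ip, client_host) for p in allow)
    denied = any(host_matches(p, client_ip, client_host) for p in deny)
    if order == "deny,allow":
        # Deny first, Allow last: a matching Allow overrides any Deny; default is allow
        return allowed or not denied
    # allow,deny: Allow first, Deny last: a matching Deny overrides any Allow; default is deny
    return allowed and not denied


def config_loads(config):
    """True if the fragment parses (Apache would start), False on a syntax error."""
    try:
        parse_rules(config)
        return True
    except ValueError:
        return False


# Constructed probe addresses: the host used in the test list plus an outsider.
PROBES = ("219.204.253.8", "203.0.113.9")


def admitted(config, clients=PROBES):
    """Return the subset of clients that get through; reproduces the test list."""
    return tuple(ip for ip in clients if is_allowed(config, ip))


if __name__ == "__main__":
    cases = [
        "Order deny,allow\nAllow from all\nDeny from 219.204.253.8",
        "Order allow,deny\nAllow from all\nDeny from 219.204.253.8",
        "Order allow,deny\nDeny from all\nAllow from 219.204.253.8",
        "Order deny,allow\nDeny from all\nAllow from 219.204.253.8",
        "Order allow,deny",
        "Order deny,allow",
    ]
    for case in cases:
        print(case.replace("\n", " / "), "->", admitted(case) or "nobody")
    print("'Order deny, allow' loads:", config_loads("Order deny, allow"))
```

Running it reproduces every case in the list above; the last pair with the 218.20 prefix shows why the position of the allowed host relative to the denied prefix, not the textual order of the lines, decides the outcome. What the model does not cover is Apache 2.4, where these directives are served by mod_access_compat and the native equivalents are Require all granted, Require all denied, Require ip ..., and a <RequireAll> block combining Require all granted with Require not ip ... for the "deny one host" case.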
