Use of deny and allow in the Apache configuration file

Source: Internet
Author: User

Due to product requirements, we recently configured Apache's load-balancing function, but we ran into problems when configuring access permissions for the virtual hosts. The main problem was the order in which deny and allow are evaluated. After studying these two parameters, we can summarize the usage of deny and allow as follows.

I. Usage Summary

Let's take a look at the following apache configuration. The specific code is as follows:

<Directory />
    # 1
    Order allow,deny
    # 2
    Allow from all
    # 3
    Deny from 192.9.200.69
</Directory>

We had used these two parameters before, but it was never clear which of them actually took effect. Through experiments, we can summarize the rules as follows:

1. Rule

An Apache configuration of this kind can be read in three steps: one, default; two, order; three, overlap.

2. Explanation of the configuration above

[1] One: default

Order allow,deny: the purpose of this statement is to configure the order in which allow and deny are judged. The default is set by the last keyword only. The last keyword here is "deny", so by default all requests are rejected. For ease of understanding, we can draw a circle with a black background. We give this circle a number and call it Circle 1.

[2] Two: order

The Order statement above says that the allow rule is judged first and the deny rule second. So we look at the allow rule first. The configuration contains "Allow from all", so it allows all requests. We draw another circle, this time with a white background, and call it Circle 2.

Next, look at the deny rule. "Deny from 192.9.200.69" means that requests from the IP address 192.9.200.69 are rejected, so we draw a red area that represents 192.9.200.69. We call this area Area 3.

Note: Even if "Allow from all" is written below "Deny from 192.9.200.69", the allow rule is still judged first. That is, only Order determines the priority of allow and deny.

[3] Three: overlap

We stack Circle 1, Circle 2, and Area 3 from bottom to top. None of the layers is transparent. The final picture is white everywhere except for the red area of 192.9.200.69. That is, only the IP address 192.9.200.69 is not permitted to access this directory; all other requests are permitted.

II. Examples

The description above may not be clear enough, so let's look at the examples below. Each configuration item carries a short description. The number after "#" indicates the order in which the configuration item takes effect.

1. Only 192.9.200.69 is allowed to access the directory.

<Directory />
    # 1. Default: all requests are allowed.
    Order deny,allow
    # 2. Order: the deny rule is judged first and rejects all requests.
    Deny from all
    # 3. Overlap: requests from 192.9.200.69 are allowed.
    Allow from 192.9.200.69
</Directory>

2. All requests are allowed to access the directory.

<Directory />
    # 1. Default: all requests are allowed.
    Order deny,allow
    # 2. Order: the deny rule is judged first and rejects requests from 192.9.200.69.
    Deny from 192.9.200.69
    # 3. Overlap: all requests are allowed.
    Allow from all
</Directory>

3. All requests are denied access to the directory.

<Directory />
    # 1. Default: all requests are rejected.
    Order allow,deny
    # 2. Order: the allow rule is judged first and allows requests from 192.9.200.69.
    Allow from 192.9.200.69
    # 3. Overlap: all requests are rejected.
    Deny from all
</Directory>

4. All requests except those from 192.9.200.69 can access the directory.

<Directory />
    # 1. Default: all requests are rejected.
    Order allow,deny
    # 2. Order: the allow rule is judged first and allows all requests.
    Allow from all
    # 3. Overlap: requests from 192.9.200.69 are rejected.
    Deny from 192.9.200.69
</Directory>
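The "default, order, overlap" rule from section I and the four examples above, modeled as an added Python example (not part of the original article and not Apache's own code). It assumes "from" arguments are limited to all, a single IP address or a CIDR block; 192.9.200.70 is a constructed address standing in for any other client.

```python
import ipaddress

def _matches(spec, client):
    """True if one 'from' argument ('all', an IP, or a CIDR block) covers client."""
    if spec.lower() == "all":
        return True
    return ipaddress.ip_address(client) in ipaddress.ip_network(spec, strict=False)

def evaluate(order, allow, deny, client):
    """Return True if client is granted access under Order/Allow/Deny."""
    order = order.lower()
    if order not in ("allow,deny", "deny,allow"):
        # Exactly one comma and no spaces, otherwise the directive is an error.
        raise ValueError("invalid Order argument: %r" % order)
    first, last = order.split(",")
    rules = {"allow": allow, "deny": deny}
    # Layer 1 (default): the last keyword decides requests that match nothing.
    granted = (last == "allow")
    # Layers 2 and 3: apply the first keyword's rules, then the last keyword's
    # rules on top, so a client matching both gets the last keyword's verdict.
    for keyword in (first, last):
        if any(_matches(spec, client) for spec in rules[keyword]):
            granted = (keyword == "allow")
    return granted

LISTED = "192.9.200.69"   # address used throughout the article
OTHER = "192.9.200.70"    # constructed address standing in for everyone else

# (Order, Allow from, Deny from) for the article's four examples.
EXAMPLES = {
    1: ("deny,allow", [LISTED], ["all"]),
    2: ("deny,allow", ["all"], [LISTED]),
    3: ("allow,deny", [LISTED], ["all"]),
    4: ("allow,deny", ["all"], [LISTED]),
}

def run_examples():
    """Map example number -> (listed client granted?, other client granted?)."""
    return {n: (evaluate(o, a, d, LISTED), evaluate(o, a, d, OTHER))
            for n, (o, a, d) in EXAMPLES.items()}

if __name__ == "__main__":
    for n, verdict in run_examples().items():
        print(n, verdict)
```

The position of the Allow and Deny lines in the file never enters the function; only the Order argument decides which verdict wins for a client that matches both.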


Allow and Deny can be used in Apache conf files or .htaccess files (together with Directory, Location, Files, etc.) to control access authorization for directories and files.

The most common form is:
Order Deny,Allow
Allow from All

Note that "Deny,Allow" has exactly one comma in the middle and nothing else; a space there causes an error. The keywords are case-insensitive. The first line means "check the deny settings first; whatever is not denied is allowed". The second line is not accompanied by any Deny, that is, there are no deny settings, so all access is allowed. This is mainly used to confirm or override the settings of the parent directory and open access to all content.

According to the above explanation, the following settings prohibit access unconditionally:
Order Allow,Deny
Deny from All

If you want to deny access to some clients and leave it open to all others:
Order Deny,Allow
Deny from ip1 ip2
Or
Order Allow,Deny
Allow from all
Deny from ip1 ip2

Apache decides which rule prevails according to Order. For example, in the second method above, although the Allow in the second line allows access, Allow is not the last rule in the Order, so Apache still has to check for Deny rules. The third line therefore denies access that matches ip1 and ip2. Note that the "last" rule determined by Order is very important. The following are two incorrect examples and their corrections:

Order Deny,Allow
Allow from all
Deny from domain.org
Error: The intent is to deny access from domain.org, but Deny is not the last rule in the Order. The Allow in the second line already matches, so the Deny in the third line has no effect.
Solution: Use Order Allow,Deny. The last two lines can stay unchanged.

Order Allow,Deny
Allow from ip1
Deny from all
Error: The intent is to allow access only from ip1. Although the Allow rule is set in the second line, Deny comes last in the Order, so the Deny in the third line prevails. The scope of the third line obviously includes ip1 (all includes ip1), so all access is forbidden.
Solution 1: Remove the third line.
Solution 2:
Order Deny,Allow
Deny from all
Allow from ip1

Reference: http://www.cnblogs.com/top5/archive/2009/09/22/1571709.html
