Apache’s ‘Order deny,allow’ or ‘Order allow,deny’

If you wish to restrict access to portions of your site based on the host address of your visitors, this is most easily done using mod_authz_host.

The Allow and Deny directives let you allow and deny access based on the host name, or host address, of the machine requesting a document. The Order directive goes hand-in-hand with these two, and tells Apache in which order to apply the filters.

So for example:

Allow from ip-address

Deny from ip-address

The Order allow,deny and Order deny,allow directives combine the basic Allow and Deny directives into a more sophisticated configuration setting.

However, the result is a little different from what most people would expect, and I was no exception in the beginning.

The Order directive, as used in Order allow,deny or Order deny,allow, is not easy to understand because it has two functions:

  • It controls the order in which the Allow and Deny directives are processed, AND
  • It configures how the Allow and Deny directives interact with each other; in other words, it sets the default access state for connections that do not match either an Allow or a Deny rule.

The Order directive has only two options available, which are discussed next.

Order allow,deny

Order allow,deny tells your web server that the Allow rules are processed before the Deny rules. If the client does not match an Allow rule, or it does match a Deny rule, the client is denied access.

<Directory "/somePath">
Order Allow,Deny
Deny from all
Allow from all
</Directory>

In this case, your client would be denied access. Why? Because Apache evaluates the Allow rules first and the Deny rules last, so Allow from all is applied first and Deny from all then takes effect, overriding it.


Order deny,allow

Order deny,allow means that the Deny rules are processed before the Allow rules. If the client does not match a Deny rule, or it does match an Allow rule, it is granted access.

<Directory "/someOtherPath">
Order Deny,Allow
Deny from all
Allow from all
</Directory>

The configuration above would result in your client being allowed access, because the Deny from all rule is processed first and the Allow from all rule is processed second. Now, let’s get more specific. The following example could be used for specialized and restricted servers, for example some kind of intranet site.
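As an added illustration (my own Python, not code from the post or from Apache), here is a small model of the evaluation rules described above, run against the two rule sets from the post plus an intranet-style rule set; the helper names are mine, and the 192.168.0.0/16 intranet range is a constructed assumption.

```python
import ipaddress

def host_matches(client_ip: str, pattern: str) -> bool:
    """True if client_ip matches one 'Allow from'/'Deny from' argument.

    Supports the 'all' keyword, a CIDR range, a partial dotted address
    (e.g. '10.1' matches 10.1.x.x) and an exact IPv4 address.
    """
    if pattern.lower() == "all":
        return True
    addr = ipaddress.ip_address(client_ip)
    if "/" in pattern:
        return addr in ipaddress.ip_network(pattern, strict=False)
    if pattern.count(".") < 3:
        return client_ip.startswith(pattern.rstrip(".") + ".")
    return addr == ipaddress.ip_address(pattern)

def access_granted(order: str, allow: list, deny: list, client_ip: str) -> bool:
    """Apply mod_authz_host's Order semantics; True means access is granted."""
    allowed = any(host_matches(client_ip, p) for p in allow)
    denied = any(host_matches(client_ip, p) for p in deny)
    key = order.lower().replace(" ", "")
    if key == "allow,deny":
        # Default state is deny: at least one Allow must match, and because
        # the Deny rules are processed last, any Deny match overrides.
        return allowed and not denied
    if key == "deny,allow":
        # Default state is allow: Deny rules go first, but an Allow match,
        # processed last, overrides any Deny.
        return not denied or allowed
    raise ValueError(f"unsupported Order argument: {order!r}")

# The two rule sets from the post: 'Deny from all' plus 'Allow from all'.
def post_examples(client_ip: str = "203.0.113.5") -> dict:
    return {
        "allow,deny": access_granted("Allow,Deny", ["all"], ["all"], client_ip),
        "deny,allow": access_granted("Deny,Allow", ["all"], ["all"], client_ip),
    }

# A constructed intranet-style rule set (assumption, not from the post):
#   Order deny,allow / Deny from all / Allow from 192.168.0.0/16
def intranet_granted(client_ip: str) -> bool:
    return access_granted("deny,allow", ["192.168.0.0/16"], ["all"], client_ip)

if __name__ == "__main__":
    print(post_examples())  # {'allow,deny': False, 'deny,allow': True}
    for ip in ("192.168.1.7", "203.0.113.5"):
        print(ip, intranet_granted(ip))
```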

