In Apache HTTP Server, the Order directive is commonly used in conjunction with the Allow and Deny directives to control access permissions. This set of directives defines which clients or IP addresses are allowed to access resources and which ones are denied.

The Order directive determines how multiple Allow and Deny directives are processed to determine the final access result. It has two possible values, allow,deny and deny,allow, which determine the processing order of the Allow and Deny directives.

Logic of the Two Rules:
- Order allow,deny: the Allow directive takes effect first, followed by the Deny directive.
  - All clients are allowed access by default.
  - If a Deny rule matches, access is denied regardless of previous matching Allow rules.
  - If no Deny rule matches, then Allow rules are checked. Only clients matching Allow rules are allowed access.
  - If no matching Allow or Deny rules are found, access is allowed.
- Order deny,allow: the Deny directive takes effect first, followed by the Allow directive.
  - All clients are denied access by default.
  - If an Allow rule matches, access is allowed regardless of previous matching Deny rules.
  - If no Allow rule matches, then Deny rules are checked. Only clients matching Deny rules are denied access.
  - If no matching Allow or Deny rules are found, access is denied.

- Allowing access to /var/www/public for all except 192.168.1.100:

```apache
<Directory "/var/www/public">
    Order allow,deny
    Allow from all
    Deny from 192.168.1.100
</Directory>
```

Because allow comes first, it allows access to all by default and then denies access to 192.168.1.100.

- Allowing access to /var/www/private only for 192.168.1.100:

```apache
<Directory "/var/www/private">
    Order deny,allow
    Deny from all
    Allow from 192.168.1.100
</Directory>
```

It denies all traffic first and then allows traffic only from 192.168.1.100.

- Allowing access to /var/www/internal for 127.0.0.1 and IP addresses starting with 192.168.1:

```apache
<Directory "/var/www/internal">
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    Allow from 192.168.1
</Directory>
```

It denies all traffic first and then allows traffic from 127.0.0.1 and IP addresses starting with 192.168.1.

- Allowing access to image files in /var/www/images but denying access to all other files:

```apache
<Directory "/var/www/images">
    Order allow,deny
    <FilesMatch "\.(jpg|png|gif)$">
        Allow from all
    </FilesMatch>
    Order deny,allow
    Deny from all
</Directory>
```

It allows access to image files for all IP addresses but denies access to all other files.

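The evaluation of the first three examples, as an added example that is not code from the original page or from Apache: a small Python model of Order that follows the match table in Apache's documentation for the directive, where the second keyword of the Order value decides both a client that matches Allow and Deny and a client that matches neither. The names spec_matches, evaluate, POLICIES and audit are hypothetical, the client addresses are constructed, and only "all", full or partial IPv4 addresses and CIDR/netmask specs are handled (no hostnames or IPv6).

```python
import ipaddress

def spec_matches(spec, client):
    """True if one 'Allow from'/'Deny from' address spec covers the client IPv4 address."""
    if spec.lower() == "all":
        return True
    if "/" in spec:  # CIDR or network/netmask form, e.g. 10.1.0.0/16
        return ipaddress.ip_address(client) in ipaddress.ip_network(spec, strict=False)
    # Full or partial dotted address: "192.168.1" covers 192.168.1.0 - 192.168.1.255,
    # compared octet by octet so that it does not cover 192.168.10.x.
    want = spec.rstrip(".").split(".")
    return client.split(".")[:len(want)] == want

def evaluate(order, allow, deny, client):
    """Return True if the client is granted access under the given Order value."""
    hit_allow = any(spec_matches(s, client) for s in allow)
    hit_deny = any(spec_matches(s, client) for s in deny)
    order = order.replace(" ", "").lower()
    if order == "allow,deny":
        # Deny is evaluated last and wins; a client matching nothing is denied.
        return hit_allow and not hit_deny
    if order == "deny,allow":
        # Allow is evaluated last and wins; a client matching nothing is allowed.
        return hit_allow or not hit_deny
    raise ValueError(f"unsupported Order value: {order}")

# The first three <Directory> examples from this page as (order, allow list, deny list).
POLICIES = {
    "/var/www/public": ("allow,deny", ["all"], ["192.168.1.100"]),
    "/var/www/private": ("deny,allow", ["192.168.1.100"], ["all"]),
    "/var/www/internal": ("deny,allow", ["127.0.0.1", "192.168.1"], ["all"]),
}

def audit(clients):
    """Map each directory to the set of sample clients that would be admitted."""
    return {path: {c for c in clients if evaluate(o, a, d, c)}
            for path, (o, a, d) in POLICIES.items()}

if __name__ == "__main__":
    # Constructed sample client addresses.
    sample = ["127.0.0.1", "192.168.1.100", "192.168.1.7", "192.168.10.7", "203.0.113.9"]
    for path, admitted in audit(sample).items():
        print(path, sorted(admitted))
```
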
Multiple Order Directives in One Directory Block:
If there are two Order directives in the Apache configuration, defining two sets of different access control rules, one using the “allow,deny” order and the other using the “deny,allow” order, they will affect the execution order of access control rules within the same <Directory> block or a similar configuration block.

```apache
<Directory "/var/www/example">
    Order allow,deny
    Allow from all
    Order deny,allow
    Deny from 192.168.1.100
</Directory>
```

In this example, the Order allow,deny directive will be applied first, allowing all IP addresses to access the /var/www/example directory. Then, the Order deny,allow directive will be applied, denying access to a specific IP address (192.168.1.100). Since these two directives use different orders, their execution order matters.

The actual execution sequence is as follows:

- Order allow,deny allows all IP addresses to access the directory.
- Order deny,allow denies access to a specific IP address (192.168.1.100).

However, because the previous “allow” rule has already taken effect, this “deny” rule does not affect other IP addresses.

Default Rule in Multiple Orders:
In Apache, if a request does not match any rules in multiple Order directives (neither allowed nor denied), the last Order directive that appears will take effect. Apache processes the Order rules one by one according to their order in the configuration file. If a request does not match any rules in all Order directives, the last rule will determine how the request is handled.

```apache
<Directory "/var/www/example">
    Order allow,deny
    Allow from 192.168.0
    Order deny,allow
    Deny from 192.168.1.100
</Directory>
```

In this configuration, if a request comes from an IP address that does not match either Allow from 192.168.0 or Deny from 192.168.1.100, the request will be handled according to the last Order directive (Order deny,allow), which indicates “deny first, then allow.” As a result, the request will be denied.

This is how the relationship between multiple Order directives works: they are applied in the order they appear in the configuration, allowing for more complex customization of access control rules.