The Allow and Deny rules of Apache

In Apache HTTP Server, the Order directive is used together with the Allow and Deny directives to control which clients may access a resource. The three directives are provided by mod_authz_host in Apache 2.2 (mod_access in 2.0); in Apache 2.4 they survive only in mod_access_compat and have been superseded by Require, so the rules below describe the 2.2-style syntax.

Allow from and Deny from take an IP address, a partial dotted-decimal address such as 192.168.1, a network in CIDR or address/netmask form, a hostname, or the keyword all, and define which clients are admitted and which are refused.

The Order directive decides how the Allow and Deny directives of a block are combined into the final access decision. The Order value is the only thing that matters: the textual position of the Allow and Deny lines within the block has no effect on the result.

Order has two values in current use, allow,deny and deny,allow. Each fixes which directive wins when a client matches both an Allow and a Deny, and what happens to a client that matches neither.

Logic of the Two Rules:

Order allow,deny:

  • Allow directives are evaluated first: the client must match at least one Allow, otherwise it is denied.
  • Deny directives are evaluated next: if the client matches any Deny, it is denied, even if it also matched an Allow.
  • A client that matches neither an Allow nor a Deny is denied. The default is deny, which makes this order the right one for an allow-list.

Order deny,allow:

  • Deny directives are evaluated first: a client that matches a Deny is denied, unless it also matches an Allow.
  • Allow directives are evaluated next: a matching Allow overrides any matching Deny.
  • A client that matches neither an Allow nor a Deny is allowed. The default is allow, which makes this order the right one for a block-list.

Examples:

  1. Allowing access to /var/www/public for all except 192.168.1.100:
   <Directory "/var/www/public">
       Order allow,deny
       Allow from all
       Deny from 192.168.1.100
   </Directory>

Every client matches Allow from all, so the first step passes; the Deny is then checked, 192.168.1.100 matches it and is refused, and everyone else is admitted. The Allow from all line is not optional: allow,deny denies by default, so without it the block would lock everybody out.

  2. Allowing access to /var/www/private only for 192.168.1.100:
   <Directory "/var/www/private">
       Order deny,allow
       Deny from all
       Allow from 192.168.1.100
   </Directory>

Deny from all matches every client, but 192.168.1.100 also matches the Allow, and under deny,allow a matching Allow wins, so only that address is admitted. Because deny,allow allows by default, the Deny from all line is what turns this block into an allow-list; without it every client would get in.

  3. Allowing access to /var/www/internal for 127.0.0.1 and the 192.168.1.0/24 network:
   <Directory "/var/www/internal">
       Order deny,allow
       Deny from all
       Allow from 127.0.0.1
       Allow from 192.168.1
   </Directory>

Deny from all refuses every client, and the two Allow lines override it for 127.0.0.1 and for any address whose first three octets are 192.168.1. A partial address matches whole octets, not a string prefix: 192.168.1 covers 192.168.1.0 to 192.168.1.255 and does not match 192.168.10.5 or 192.168.100.5.

  4. Allowing access to image files in /var/www/images but denying access to all other files:
   <Directory "/var/www/images">
       Order deny,allow
       Deny from all
       <FilesMatch "\.(jpg|png|gif)$">
           Allow from all
       </FilesMatch>
   </Directory>

The Directory block refuses every client, and the nested FilesMatch section admits every client for files ending in .jpg, .png or .gif. Note how the nesting works: a <Files> or <FilesMatch> section that contains its own Order, Allow or Deny directives does not merge them with the enclosing block's rules but replaces them. Inside the FilesMatch only Allow from all is in force (with the default Order deny,allow), so images are served to everyone, while every other file is governed by the Directory block's Deny from all and is refused.

Multiple Order Directives in One Directory Block:

Apache does not keep two sets of rules when a <Directory> block (or a similar section) contains two Order directives. Order simply sets the evaluation mode for the block, and a second Order overwrites the first, so the last Order in the block governs every Allow and Deny line in that block, whether they are written before or after it. The Allow and Deny lines are collected into one allow list and one deny list; their position relative to the Order lines makes no difference.

<Directory "/var/www/example">
    Order allow,deny
    Allow from all
    Order deny,allow
    Deny from 192.168.1.100
</Directory>

In this example the Order allow,deny line is dead: the block is evaluated as Order deny,allow with Allow from all and Deny from 192.168.1.100. The Deny matches 192.168.1.100, but under deny,allow a matching Allow wins, and Allow from all matches that address too. The block therefore admits every client, including 192.168.1.100, which is the opposite of what the configuration appears to intend.

The actual evaluation is as follows:

  1. The effective Order is deny,allow, because it is the last Order directive in the block.
  2. Deny from 192.168.1.100 matches the address, so it would be denied unless an Allow also matches.
  3. Allow from all matches, so 192.168.1.100 is allowed.

To block that single address while admitting everyone else, use one Order directive and choose allow,deny, as in the first example above: Order allow,deny, Allow from all, Deny from 192.168.1.100.

Default Rule in Multiple Orders:

A client that matches neither an Allow nor a Deny is handled by the default of the effective Order, and when a block contains several Order directives the effective one is the last. With allow,deny the default is deny; with deny,allow it is allow.

For example:

<Directory "/var/www/example">
    Order allow,deny
    Allow from 192.168.0
    Order deny,allow
    Deny from 192.168.1.100
</Directory>

Here the effective Order is deny,allow, whose default is allow. A client that matches neither Allow from 192.168.0 nor Deny from 192.168.1.100, say 10.0.0.5, is therefore admitted, not refused. Addresses in 192.168.0.0/24 are admitted because they match the Allow, and 192.168.1.100 is refused because it matches the Deny and no Allow. If the intent was to admit only 192.168.0.0/24, the block should read Order allow,deny with a single Allow from 192.168.0: under allow,deny everything else, 192.168.1.100 included, is denied by default and the Deny line is unnecessary.

In short, a block has exactly one effective Order, the last one written, and it decides both which directive wins on a conflict and what happens to clients that match nothing. Keeping one Order per block, and picking it by the default you want (allow,deny for an allow-list, deny,allow for a block-list), avoids this class of mistake.
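To make the evaluation rules concrete, here is an added example (not code from this page or from the Apache project) that models in Python how one block's Order, Allow and Deny lines are combined for a client address. It covers the allow,deny and deny,allow logic from the section above and the last-Order-wins behaviour from this section, and it runs the page's own example blocks plus a constructed allow,deny block with no Allow line. The partial-address and CIDR matching, the block names and the sample client addresses are assumptions made for the illustration; hostnames and env= conditions are not modelled.

```python
import ipaddress
import re

# Added example, not from the page or the Apache project: a small model of how
# mod_authz_host (Apache 2.2; mod_access_compat in 2.4) combines Order,
# Allow from and Deny from for one client address.  Handles "all", full IPv4
# addresses, partial dotted-decimal addresses such as "192.168.1" and CIDR
# networks.  Hostnames and env= conditions are out of scope.


def matches(pattern, client_ip):
    """True if one Allow/Deny argument matches the client address."""
    if pattern.lower() == "all":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    # Partial address: compare whole octets, so "192.168.1" covers
    # 192.168.1.0-255 but not 192.168.10.x.
    want = pattern.split(".")
    have = client_ip.split(".")
    return have[:len(want)] == want


def parse_section(text):
    """Collect the Order, Allow and Deny lines of one configuration section.

    As in Apache, Allow/Deny lines go into two lists regardless of their
    position, and a repeated Order line overwrites the earlier one.
    """
    order, allows, denies = "deny,allow", [], []  # deny,allow is Apache's default
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^order\s+(allow,deny|deny,allow)\s*$", line, re.I)
        if m:
            order = m.group(1).lower()
            continue
        m = re.match(r"^(allow|deny)\s+from\s+(.+?)\s*$", line, re.I)
        if m:
            target = allows if m.group(1).lower() == "allow" else denies
            target.extend(m.group(2).split())
    return order, allows, denies


def access_allowed(section, client_ip):
    """Apply the effective Order to the client; True means admitted."""
    order, allows, denies = parse_section(section)
    in_allow = any(matches(p, client_ip) for p in allows)
    in_deny = any(matches(p, client_ip) for p in denies)
    if order == "allow,deny":
        # Must match an Allow and no Deny; a client matching nothing is denied.
        return in_allow and not in_deny
    # deny,allow: a Deny is overridden by a matching Allow; a client matching
    # nothing is allowed.
    return in_allow or not in_deny


# The page's example blocks (directive lines only), assumed names.
PUBLIC = """
    Order allow,deny
    Allow from all
    Deny from 192.168.1.100
"""
PRIVATE = """
    Order deny,allow
    Deny from all
    Allow from 192.168.1.100
"""
INTERNAL = """
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    Allow from 192.168.1
"""
TWO_ORDERS = """
    Order allow,deny
    Allow from all
    Order deny,allow
    Deny from 192.168.1.100
"""
MIXED = """
    Order allow,deny
    Allow from 192.168.0
    Order deny,allow
    Deny from 192.168.1.100
"""
# Constructed variant: allow,deny with a Deny line but no Allow line at all.
DENY_ONLY = """
    Order allow,deny
    Deny from 192.168.1.100
"""

if __name__ == "__main__":
    blocks = [("public", PUBLIC), ("private", PRIVATE), ("internal", INTERNAL),
              ("two orders", TWO_ORDERS), ("mixed", MIXED), ("deny only", DENY_ONLY)]
    for name, section in blocks:
        for ip in ("192.168.1.100", "192.168.1.7", "192.168.10.7", "10.0.0.5"):
            verdict = "allow" if access_allowed(section, ip) else "deny"
            print(f"{name:10} {ip:15} {verdict}")
```

Running it prints one verdict per address per block: the two-Order block admits 192.168.1.100, the mixed block admits 10.0.0.5, and the allow,deny block with only a Deny line admits nobody. A nested <Files> or <FilesMatch> section that carries its own Allow/Deny lines replaces the enclosing block's rules, so to check such a section pass only its own lines to access_allowed.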

