</table>
<p>The <code class="directive">Allow</code> directive affects which hosts can
access an area of the server. Access can be controlled by
- hostname, IP Address, IP Address range, or by other
+ hostname, IP address, IP address range, or by other
characteristics of the client request captured in environment
variables.</p>
<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr>
<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_access_compat</td></tr>
</table>
- <p>The <code class="directive">Order</code> directive controls the default
- access state and the order in which <code class="directive"><a href="#allow">Allow</a></code> and <code class="directive"><a href="#deny">Deny</a></code> directives are evaluated.
- <var>Ordering</var> is one of</p>
+
+ <p>The <code class="directive">Order</code> directive, along with the
+ <code class="directive"><a href="#allow">Allow</a></code> and
+ <code class="directive"><a href="#deny">Deny</a></code> directives,
+ controls a three-pass access control system. The first pass
+ processes either all <code class="directive"><a href="#allow">Allow</a></code> or all <code class="directive"><a href="#deny">Deny</a></code> directives, as specified
+ by the <code class="directive"><a href="#order">Order</a></code>
+ directive. The second pass parses the rest of the directives
+ (<code class="directive"><a href="#deny">Deny</a></code> or
+ <code class="directive"><a href="#allow">Allow</a></code>). The third
+ pass applies to all requests which do not match either of the first
+ two.</p>
+
+ <p>Note that all <code class="directive"><a href="#allow">Allow</a></code> and <code class="directive"><a href="#deny">Deny</a></code> directives are
+ processed, unlike a typical firewall, where only the first match is
+ used. The last match is effective (also unlike a typical firewall).
+ Additionally, the order in which lines appear in the configuration
+ files is not significant -- all <code class="directive"><a href="#allow">Allow</a></code> lines are processed as
+ one group, all <code class="directive"><a href="#deny">Deny</a></code> lines are considered as
+ another, and the default state is considered by itself.</p>
+
+ <p><em>Ordering</em> is one of:</p>
<dl>
<dt><code>Deny,Allow</code></dt>
- <dd>The <code class="directive"><a href="#deny">Deny</a></code> directives
- are evaluated before the <code class="directive"><a href="#allow">Allow</a></code> directives. Access is
- allowed by default. Any client which does not match a
- <code class="directive"><a href="#deny">Deny</a></code> directive or does
- match an <code class="directive"><a href="#allow">Allow</a></code>
- directive will be allowed access to the server.</dd>
+ <dd>First, all <code class="directive"><a href="#allow">Allow</a></code> directives are
+ evaluated; at least one must match, or the request is rejected.
+ Next, all <code class="directive"><a href="#deny">Deny</a></code>
+ directives are evaluated. If any matches, the request is rejected.
+ Last, any requests which do not match an <code class="directive"><a href="#allow">Allow</a></code> or a <code class="directive"><a href="#deny">Deny</a></code> directive are denied
+ by default.</dd>
<dt><code>Allow,Deny</code></dt>
- <dd>The <code class="directive"><a href="#allow">Allow</a></code>
- directives are evaluated before the <code class="directive"><a href="#deny">Deny</a></code> directives. Access is denied
- by default. Any client which does not match an <code class="directive"><a href="#allow">Allow</a></code> directive or does match a
- <code class="directive"><a href="#deny">Deny</a></code> directive will be
- denied access to the server.</dd>
+ <dd>First, all <code class="directive"><a href="#deny">Deny</a></code> directives are
+ evaluated; if any match, the request is denied
+ <strong>unless</strong> it also matches an <code class="directive"><a href="#allow">Allow</a></code> directive. Any
+ requests which do not match any <code class="directive"><a href="#allow">Allow</a></code> or <code class="directive"><a href="#deny">Deny</a></code> directives are
+ permitted.</dd>
<dt><code>Mutual-failure</code></dt>
- <dd>Only those hosts which appear on the <code class="directive"><a href="#allow">Allow</a></code> list and do not appear on
- the <code class="directive"><a href="#deny">Deny</a></code> list are
- granted access. This ordering has the same effect as <code>Order
- Allow,Deny</code> and is deprecated in favor of that
- configuration.</dd>
+ <dd>This order has the same effect as <code class="directive">Order
+ Allow,Deny</code> and is deprecated in its favor.</dd>
</dl>
- <p>Keywords may only be separated by a comma; <em>no whitespace</em> is
- allowed between them. Note that in all cases every <code class="directive"><a href="#allow">Allow</a></code> and <code class="directive"><a href="#deny">Deny</a></code> statement is evaluated.</p>
+ <p>Keywords may only be separated by a comma; <em>no whitespace</em>
+ is allowed between them.</p>
+
+ <table class="bordered">
+ <tr>
+ <th>Match</th>
+ <th>Allow,Deny result</th>
+ <th>Deny,Allow result</th>
+ </tr><tr>
+ <th>Match Allow only</th>
+ <td>Request allowed</td>
+ <td>Request allowed</td>
+ </tr><tr>
+ <th>Match Deny only</th>
+ <td>Request denied</td>
+ <td>Request denied</td>
+ </tr><tr>
+ <th>No match</th>
+ <td>Default to second directive: Denied</td>
+ <td>Default to second directive: Allowed</td>
+ </tr><tr>
+ <th>Match both Allow & Deny</th>
+ <td>Final match controls: Denied</td>
+ <td>Final match controls: Allowed</td>
+ </tr>
+ </table>
<p>In the following example, all hosts in the apache.org domain
are allowed access; all other hosts are denied access.</p>
allowed access, except for the hosts which are in the
foo.apache.org subdomain, who are denied access. All hosts not
in the apache.org domain are denied access because the default
- state is to deny access to the server.</p>
+ state is to <code class="directive"><a href="#deny">Deny</a></code>
+ access to the server.</p>
<div class="example"><p><code>
Order Allow,Deny<br />
Deny from foo.apache.org
</code></p></div>
- <p>On the other hand, if the <code class="directive">Order</code> in the last
- example is changed to <code>Deny,Allow</code>, all hosts will
- be allowed access. This happens because, regardless of the
- actual ordering of the directives in the configuration file,
- the <code>Allow from apache.org</code> will be evaluated last
- and will override the <code>Deny from foo.apache.org</code>.
- All hosts not in the <code>apache.org</code> domain will also
- be allowed access because the default state will change to
- <em>allow</em>.</p>
-
- <p>The presence of an <code class="directive">Order</code> directive can affect
- access to a part of the server even in the absence of accompanying
- <code class="directive"><a href="#allow">Allow</a></code> and <code class="directive"><a href="#deny">Deny</a></code> directives because of its effect
- on the default access state. For example,</p>
+ <p>On the other hand, if the <code class="directive">Order</code> in the
+ last example is changed to <code>Deny,Allow</code>, all hosts will
+ be allowed access. This happens because, regardless of the actual
+ ordering of the directives in the configuration file, the
+ <code>Allow from apache.org</code> will be evaluated last and will
+ override the <code>Deny from foo.apache.org</code>. All hosts not in
+ the <code>apache.org</code> domain will also be allowed access
+ because the default state is <code class="directive"><a href="#allow">Allow</a></code>.</p>
+
+ <p>The presence of an <code class="directive">Order</code> directive can
+ affect access to a part of the server even in the absence of
+ accompanying <code class="directive"><a href="#allow">Allow</a></code>
+ and <code class="directive"><a href="#deny">Deny</a></code>
+ directives because of its effect on the default access state. For
+ example,</p>
<div class="example"><p><code>
<Directory /www><br />
</Directory>
</code></p></div>
- <p>will deny all access to the <code>/www</code> directory
- because the default access state will be set to
- <em>deny</em>.</p>
+ <p>will Deny all access to the <code>/www</code> directory
+ because the default access state is set to
+ <code class="directive"><a href="#deny">Deny</a></code>.</p>
<p>The <code class="directive">Order</code> directive controls the order of access
directive processing only within each phase of the server's
projects / apache / commitdiff