From: Chris Pepper
Date: Tue, 28 Nov 2006 04:22:10 +0000 (+0000)
Subject: Attempt to clarify Order's effect.
X-Git-Tag: 2.3.0~2004
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=6c73e4fcf7b2a0fcb629a33722c5bbe4afe77ad1;p=apache

Attempt to clarify Order's effect. Add table showing effects of the various Allow/Deny match combinations.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@479888 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/docs/manual/mod/mod_access_compat.xml b/docs/manual/mod/mod_access_compat.xml index 588053e10d..ac9c84da3c 100644 --- a/docs/manual/mod/mod_access_compat.xml +++ b/docs/manual/mod/mod_access_compat.xml @@ -90,7 +90,7 @@ server

The Allow directive affects which hosts can access an area of the server. Access can be controlled by - hostname, IP Address, IP Address range, or by other + hostname, IP address, IP address range, or by other characteristics of the client request captured in environment variables.

@@ -236,47 +236,92 @@ evaluated. Limit -

The Order directive controls the default - access state and the order in which The Order directive, along with the + Allow and + Deny directives, + controls a three-pass access control system. The first pass + processes either all Allow or all Deny directives, as specified + by the Order + directive. The second pass parses the rest of the directives + (Deny or + Allow). The third + pass applies to all requests which do not match either of the first + two.

+ +

Note that all Allow and Deny directives are evaluated. - Ordering is one of

+ module="mod_access_compat">Deny directives are + processed, unlike a typical firewall, where only the first match is + used. The last match is effective (also unlike a typical firewall). + Additionally, the order in which lines appear in the configuration + files is not significant -- all Allow lines are processed as + one group, all Deny lines are considered as + another, and the default state is considered by itself.

+ +

Ordering is one of:

Deny,Allow
-
The Deny directives - are evaluated before the Allow directives. Access is - allowed by default. Any client which does not match a - Deny directive or does - match an Allow - directive will be allowed access to the server.
+
First, all Allow directives are + evaluated; at least one must match, or the request is rejected. + Next, all Deny + directives are evaluated. If any matches, the request is rejected. + Last, any requests which do not match an Allow or a Deny directive are denied + by default.
Allow,Deny
-
The Allow - directives are evaluated before the Deny directives. Access is denied - by default. Any client which does not match an Allow directive or does match a - Deny directive will be - denied access to the server.
+
First, all Deny directives are + evaluated; if any match, the request is denied + unless it also matches an Allow directive. Any + requests which do not match any Allow or Deny directives are + permitted.
Mutual-failure
-
Only those hosts which appear on the Allow list and do not appear on - the Deny list are - granted access. This ordering has the same effect as Order - Allow,Deny and is deprecated in favor of that - configuration.
+
This order has the same effect as Order + Allow,Deny and is deprecated in its favor.
-

Keywords may only be separated by a comma; no whitespace is - allowed between them. Note that in all cases every Allow and Deny statement is evaluated.

+

Keywords may only be separated by a comma; no whitespace + is allowed between them.

+ + + + + + + + + + + + + + + + + + + + + + + +
MatchAllow,Deny resultDeny,Allow result
Match Allow onlyRequest allowedRequest allowed
Match Deny onlyRequest deniedRequest denied
No matchDefault to second directive: DeniedDefault to second directive: Allowed
Match both Allow & DenyFinal match controls: DeniedFinal match controls: Allowed

In the following example, all hosts in the apache.org domain are allowed access; all other hosts are denied access.
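Review bot: The new paragraph under the Deny,Allow term says all Allow directives are evaluated first, that at least one must match, and that unmatched requests are "denied by default", but the table added later in this same hunk gives the Deny,Allow result for "No match" as "Default to second directive: Allowed". The new Allow,Deny paragraph has the mirror problem: it ends with unmatched requests being "permitted" where the table says "Denied". As shown here the two new paragraphs look swapped between the terms; please confirm each one sits under the ordering it describes, because an administrator who reads the wrong default ends up with a directory open to everyone. Two smaller points in the three-pass paragraph: "The second pass parses the rest of the directives" should probably read "processes", matching the first pass, and "The last match is effective" would be clearer if it said that the group evaluated last wins, since the next sentence states that line order in the configuration file is not significant.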

@@ -291,7 +336,8 @@ evaluated. allowed access, except for the hosts which are in the foo.apache.org subdomain, who are denied access. All hosts not in the apache.org domain are denied access because the default - state is to deny access to the server.

+ state is to Deny + access to the server.

Order Allow,Deny
@@ -299,21 +345,22 @@ evaluated. Deny from foo.apache.org
-

On the other hand, if the Order in the last - example is changed to Deny,Allow, all hosts will - be allowed access. This happens because, regardless of the - actual ordering of the directives in the configuration file, - the Allow from apache.org will be evaluated last - and will override the Deny from foo.apache.org. - All hosts not in the apache.org domain will also - be allowed access because the default state will change to - allow.

- -

The presence of an Order directive can affect - access to a part of the server even in the absence of accompanying - Allow and Deny directives because of its effect - on the default access state. For example,

+

On the other hand, if the Order in the + last example is changed to Deny,Allow, all hosts will + be allowed access. This happens because, regardless of the actual + ordering of the directives in the configuration file, the + Allow from apache.org will be evaluated last and will + override the Deny from foo.apache.org. All hosts not in + the apache.org domain will also be allowed access + because the default state is Allow.

+ +

The presence of an Order directive can + affect access to a part of the server even in the absence of + accompanying Allow + and Deny + directives because of its effect on the default access state. For + example,

<Directory /www>
@@ -323,9 +370,9 @@ evaluated. </Directory>
-

will deny all access to the /www directory - because the default access state will be set to - deny.

+

will Deny all access to the /www directory + because the default access state is set to + Deny.

The Order directive controls the order of access directive processing only within each phase of the server's
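Review bot: "will Deny all access" and "is set to Deny" capitalise the word as if it named the directive, yet the example is introduced as the case "in the absence of accompanying Allow and Deny directives", so the capital suggests a Deny line is doing the work when it is only the default state set by Order. Suggest keeping lowercase "deny" for the access state here, and likewise in "the default state is to Deny access to the server" in the earlier hunk, and reserving the capitalised form for the directive itself.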