Understanding Apache's Allow, Deny, and Order directives

November 5, 2011

Suppose that you want to add some IP access restrictions to your web server, and you're using Apache. Apache supports this with its Allow and Deny directives, but how you set them up is not clear. The Apache documentation confused me on this recently, so I am going to write down my own version of it.

The first thing to understand about Allow, Deny, and Order is that the last rule that matches wins (unlike the more common 'first match wins'). Order sets the order in which the two sorts of rules are checked and thus determines which rule can be the 'last' one. In turn this leads to how to decide what to set for Order: you should use 'allow,deny' if you want to selectively deny some sources and 'deny,allow' if you want to selectively allow only some sources.

Thus we get the template for denying bad sources:

Order allow,deny
Allow from all
Deny from BADIP1
Deny from BADIP2

And the template for selectively allowing some sources:

Order deny,allow
Deny from all
Allow from 127.0.0.1
Allow from GOODIP1

If you are a firewall person you are now wondering what the default policy is if there is no explicit match with either an Allow or a Deny rule. The answer is that Order is inconsistent. 'Order allow,deny' is default-deny; 'Order deny,allow' is default-allow. This allows you to leave off the boilerplate 'Allow from all' or 'Deny from all', if you are the kind of person who wants to do that. I don't plan to ever do so; the whole situation is confusing enough as it is without adding extra things to remember in the name of saving one line.

The default Order is 'deny,allow', which means that at least in theory the simple way to block bad sources is just to start writing Deny rules without anything else. (I have not tested this.)
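To make the 'last match wins' rule and the two default policies concrete, here is a small evaluator I have added for this post (it is not Apache's code) that applies exactly the semantics described above to a client address. It assumes sources are 'all', a full address, a CIDR network, or Apache's partial-address form like '10.1'; hostnames and env= conditions are not handled.

```python
import ipaddress


def _matches(source, ip):
    """Does one Allow/Deny source match the client address?"""
    if source.lower() == "all":
        return True
    try:
        return ip in ipaddress.ip_network(source, strict=False)
    except ValueError:
        # Apache's partial-address form, e.g. "10.1" covers 10.1.0.0/16
        return str(ip).startswith(source.rstrip(".") + ".")


def evaluate(config_lines, client_ip):
    """Return 'allow' or 'deny' for client_ip under the given directives.

    Semantics: the rule types are checked in the order given by Order,
    the last matching type wins, and the default (no match at all) is
    deny for 'allow,deny' and allow for 'deny,allow'.
    """
    order = ("deny", "allow")  # Apache's default Order
    allows, denies = [], []
    for line in config_lines:
        parts = line.split()
        if not parts:
            continue
        directive = parts[0].lower()
        if directive == "order":
            order = tuple(parts[1].lower().split(","))
        elif directive in ("allow", "deny") and parts[1].lower() == "from":
            (allows if directive == "allow" else denies).extend(parts[2:])

    ip = ipaddress.ip_address(client_ip)
    # Default policy is the opposite of the last-checked rule type.
    decision = "deny" if order == ("allow", "deny") else "allow"
    for kind in order:
        sources = allows if kind == "allow" else denies
        if any(_matches(s, ip) for s in sources):
            decision = kind  # later rule type overrides the earlier one
    return decision


if __name__ == "__main__":
    # Constructed sample addresses from the documentation ranges.
    deny_bad = ["Order allow,deny", "Allow from all", "Deny from 192.0.2.10"]
    print(evaluate(deny_bad, "192.0.2.10"), evaluate(deny_bad, "203.0.113.5"))
```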

All of this is in the documentation for Order, Allow, and Deny if you read it carefully.


Last modified: Sat Nov 5 00:24:44 2011