2011-11-05
Understanding Apache's Allow, Deny, and Order directives
Suppose that you want to add some IP access restrictions to your web server, and you're using Apache. Apache supports this with its Allow and Deny directives, but how you set them up is not clear. The Apache documentation confused me on this recently, so I am going to write down my own version of it.
The first thing to understand about Allow, Deny, and Order is that the last rule that matches wins (unlike the more common 'first match wins'). Order sets the order in which the two sorts of rules are checked and thus determines what the 'last' can be. In turn this leads to how to decide what to set for Order: you should use 'allow,deny' if you want to selectively deny some sources and 'deny,allow' if you want to selectively allow only some sources.
Thus we get the template for denying bad sources:

    Order allow,deny
    Allow from all
    Deny from BADIP1
    Deny from BADIP2

And the template for selectively allowing some sources:

    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    Allow from GOODIP1
If you are a firewall person you are now wondering what the default policy is if there is no explicit match with either an Allow or a Deny rule. The answer is that Order is inconsistent. 'Order allow,deny' is default-deny; 'Order deny,allow' is default-allow.
This allows you to leave off the boiler-plate 'Allow from all' or 'Deny from all', if you are the kind of person who wants to do that. I don't plan to ever do so; the whole situation is confusing enough as it is without adding extra things to remember in the name of saving one line.
The default Order is 'deny,allow', which means that at least in theory the simple way to block bad sources is just to start writing Deny rules without anything else. (I have not tested this.)
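To make the last-match-wins rule, the two templates and the two default policies concrete, here is a small Python simulator of the Order/Allow/Deny semantics described above. It is an added example, not code from the post and not Apache's own implementation; it models only 'all', single IPs and CIDR ranges (Apache's partial-IP and hostname forms are left out), and the BADIP/GOODIP addresses are constructed placeholders taken from documentation ranges.

```python
import ipaddress

# Constructed sample configurations, mirroring the two templates in the post.
BLOCK_BAD_SOURCES = [
    "Order allow,deny",
    "Allow from all",
    "Deny from 203.0.113.5",        # constructed placeholder for BADIP1
    "Deny from 198.51.100.0/24",    # constructed placeholder for BADIP2, as a CIDR range
]
ALLOW_SOME_SOURCES = [
    "Order deny,allow",
    "Deny from all",
    "Allow from 127.0.0.1",
    "Allow from 192.0.2.0/24",      # constructed placeholder for GOODIP1
]

def _matches(pattern, client_ip):
    """True if one 'from' argument covers client_ip. Simplified model: 'all',
    a single IP, or CIDR; partial-IP and hostname forms never match here."""
    if pattern.lower() == "all":
        return True
    try:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    except ValueError:
        return False

def is_allowed(config, client_ip):
    """Simulate the semantics the post describes: Order names which rule
    type is checked first, a match in the type checked last wins, and a
    request matching neither falls through to that same last type
    ('allow,deny' is default-deny, 'deny,allow' is default-allow).
    The default Order, when none is given, is deny,allow."""
    order = ("deny", "allow")
    rules = {"allow": [], "deny": []}
    for line in config:
        parts = line.split()
        directive = parts[0].lower() if parts else ""
        if directive == "order":
            order = tuple("".join(parts[1:]).lower().split(","))
        elif directive in rules and len(parts) > 2 and parts[1].lower() == "from":
            rules[directive].extend(parts[2:])
    verdict = None
    for kind in order:                      # checked in Order's sequence
        if any(_matches(p, client_ip) for p in rules[kind]):
            verdict = kind                  # a later match overrides an earlier one
    if verdict is None:
        verdict = order[-1]                 # no match at all: the default policy
    return verdict == "allow"
```

Feeding the simulator a config with only Deny rules and no Order line shows the default deny,allow behaviour the paragraph above describes, while the same Deny rules under 'Order allow,deny' with no 'Allow from all' deny everybody.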
All of this is in the documentation for Order, Allow, and Deny if you read it carefully.