== Understanding Apache's Allow, Deny, and Order directives

Suppose that you want to add some IP access restrictions to your web server, and you're using Apache. Apache supports this with its _Allow_ and _Deny_ directives, but how you set them up is not clear. The Apache documentation confused me on this recently, so I am going to write down my own version of it.

The first thing to understand about _Allow_, _Deny_, and _Order_ is that ~~the last rule that matches wins~~ (unlike the more common 'first match wins'). _Order_ sets the order in which the two sorts of rules are checked and thus determines which rule can be the 'last' one. This in turn tells you how to decide what to set _Order_ to: use 'allow,deny' if you want to selectively deny some sources and 'deny,allow' if you want to selectively allow only some sources.

Thus we get the template for denying bad sources:

> Order allow,deny
> Allow from all
> Deny from BADIP1
> Deny from BADIP2

And the template for selectively allowing some sources:

> Order deny,allow
> Deny from all
> Allow from 127.0.0.1
> Allow from GOODIP1

If you are a firewall person you are now wondering what the default policy is if there is no explicit match with either an _Allow_ or a _Deny_ rule. The answer is that _Order_ is inconsistent: '_Order allow,deny_' is default-deny, while '_Order deny,allow_' is default-allow. This allows you to leave off the boilerplate '_Allow from all_' or '_Deny from all_', if you are the kind of person who wants to do that. I don't plan to ever do so; the whole situation is confusing enough as it is without adding extra things to remember in the name of saving one line.

The default _Order_ is 'deny,allow', which means that at least in theory the simple way to block bad sources is just to start writing _Deny_ rules without anything else. (I have not tested this.)
All of this is in the documentation for [[_Order_ http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#order]], [[_Allow_ http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#allow]], and [[_Deny_ http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#deny]] if you read it carefully.
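To make the 'last matching rule type wins' model and the two default policies concrete, here is a small Python evaluator of the documented Apache 2.2 mod_authz_host semantics. It is an added example, not code from the post or from Apache; the client and rule addresses are constructed from the RFC 5737 documentation ranges, and the parser understands only 'all', full addresses, CIDR networks and Apache's partial IPv4 form ('10.1'), not hostnames or 'env=' sources. The deny-only case is what the model computes from the documentation, not a test against a running httpd.

```python
import ipaddress

# Default verdict when no rule matches, per the mod_authz_host docs:
# 'Order allow,deny' is default-deny, 'Order deny,allow' is default-allow.
DEFAULT_VERDICT = {"allow,deny": "deny", "deny,allow": "allow"}

# Constructed sample configs mirroring the post's two templates, with
# documentation-range addresses standing in for BADIP/GOODIP.
BLOCKLIST = """Order allow,deny
Allow from all
Deny from 203.0.113.7
Deny from 198.51.100.0/24"""

ALLOWLIST = """Order deny,allow
Deny from all
Allow from 127.0.0.1
Allow from 192.0.2.10"""

# A bare Deny with no Order at all, relying on the default 'deny,allow'.
DENY_ONLY = "Deny from 203.0.113.7"


def matches(source, ip):
    """Does one 'Allow from' / 'Deny from' source cover this client address?"""
    if source == "all":
        return True
    if "/" in source:
        return ip in ipaddress.ip_network(source, strict=False)
    octets = source.split(".")
    if ":" not in source and len(octets) < 4:
        # Apache's partial IPv4 form ('10.1' covers 10.1.*.*); never matches IPv6 clients.
        return ip.version == 4 and str(ip).split(".")[: len(octets)] == octets
    return ip == ipaddress.ip_address(source)


def parse_block(text):
    """Pull Order/Allow/Deny out of a config fragment.

    Returns (order, allow_sources, deny_sources). With no Order directive,
    Apache's documented default 'deny,allow' applies.
    """
    order, allow, deny = "deny,allow", [], []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        directive = parts[0].lower()
        if directive == "order" and len(parts) == 2:
            order = parts[1].lower()
        elif directive in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            (allow if directive == "allow" else deny).extend(parts[2:])
    return order, allow, deny


def evaluate(order, allow, deny, client_ip):
    """Apply the 'last matching rule type wins' model: the phases named in
    Order run in sequence, and a later matching phase overrides an earlier one."""
    if order not in DEFAULT_VERDICT:
        raise ValueError(f"unsupported Order value: {order!r}")
    ip = ipaddress.ip_address(client_ip)
    sources = {"allow": allow, "deny": deny}
    verdict = DEFAULT_VERDICT[order]
    for phase in order.split(","):
        if any(matches(src, ip) for src in sources[phase]):
            verdict = phase
    return verdict


def decide(config_text, client_ip):
    """Verdict ('allow' or 'deny') for one client under one config fragment."""
    return evaluate(*parse_block(config_text), client_ip)


if __name__ == "__main__":
    for name, cfg in (("block-list", BLOCKLIST), ("allow-list", ALLOWLIST), ("deny-only", DENY_ONLY)):
        for client in ("127.0.0.1", "192.0.2.10", "203.0.113.7", "198.51.100.42"):
            print(f"{name:10s} {client:16s} -> {decide(cfg, client)}")
```

The case worth noticing is a client that matches both an _Allow_ and a _Deny_ rule: the same two rules give opposite verdicts under the two _Order_ values, because only the phase that runs last gets to set the final answer.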