Apache Authentication and Order Allow, and Deny - From Apache: The Definitive Guide (3/6) | WebReference

Apache Authentication and Order Allow, and Deny - From Apache: The Definitive Guide (3/6)

Apache: The Definitive Guide, Chapter 5: Authentication


order ordering
directory, .htaccess

The ordering argument is one word (i.e., it is not allowed to contain a space) and controls the order in which the foregoing directives are applied. If two order directives apply to the same host, the last one to be evaluated prevails:


The deny directives are evaluated before the allow directives. This is the default.


The allow directives are evaluated before the denys, but the user will still be rejected if a deny is encountered.


Hosts that appear on the allow list and do not appear on the deny list are allowed access.

We could say:

allow from all

which lets everyone in and is hardly worth writing, or we could say:

allow from 123.156
deny from all

As it stands, this denies everyone except those whose IP addresses happen to start with 123.156. In other words, allow is applied last and carries the day. If, however, we changed the default order by saying:

order allow,deny
allow from 123.156
deny from all

we effectively close the site because deny is now applied last. It is also possible to use domain names, so that instead of:

deny from

you could say:

deny from badguys.com 

Although this has the advantage of keeping up with the Bad Guys as they move from one IP address to another, it also allows access by people who control the reverse-DNS mapping for their IP addresses.

A URL can be contain just part of the hostname. In this case, the match is done on whole words from the right. That is, allow from fred.com allows fred.com and abc.fred.com, but not notfred.com.

Good intentions, however, are not enough: before conferring any trust in a set of access rules, you want to test them very thoroughly in private before exposing them to the world. Try the site with as many different browsers as you can muster: Netscape and MSIE can behave surprisingly differently. Having done that, try the site from a public-access terminal — in a library, for instance.

Created: March 3, 2003
Revised: March 3, 2003

URL: http://webreference.com/internet/apache/chap5/2/3.html