2013-03-01

Apache: Order allow,deny VS Order deny,allow

I have never managed to get along with Apache's configuration when it comes to access rules.

So here is an excerpt from a StackOverflow answer, a more decent description of what the Order Allow,Deny and Order Deny,Allow directives mean.


The Order keyword and its relation with Deny and Allow Directives is a real nightmare. It would be quite interesting to understand how we ended up with such configuration solutions, which is at least non intuitive.
  • The first important point is that the Order keyword will have a big impact on how Allow and Deny directives are used.
  • The second point is that Deny and Allow directives are not applied in the order they are written, it must be seen as two blocks of directives (one for the Deny, one for the Allow) where all lines are applied.
  • The third point is that it does not apply like firewall rules, not at all, especially, rules are all read and the process is not stopping at the first match.
Now you have two main modes:

The Order-Deny-Allow-mode, or Allow-anyone-except-this-list-or-maybe-not

Order Deny,Allow
  • This is an allow by default mode. Where you will give optionally a list of Deny rules.
  • Then the Deny rules are checked, to reject requests based on these rules.
  • If someone gets rejected by one of the Deny rules you can maybe get him back with an Allow rule.
I would call it
Policy Allow
Rule Deny
     list of Deny rules
Exception
     list of Allow rules

The Order-Allow-Deny-mode, or Reject-everyone-except-this-list-or-maybe-not

Order Allow,Deny
  • This is a Deny by default mode. Where you will give optionally a list of Allow rules.
  • Then the Allow rules are checked, and someone wanting access must match at least one rule.
  • If someone gets allowed by one of the Allow rules you can still reject him with a Deny rule.
In the simplified form:
Policy Deny
Rule Allow
     list of Allow rules
Exception
     list of Deny rules
Snippet taken from "htaccess “order” Deny, Allow, Deny", written by regilero
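
The two modes described in the excerpt, modelled as a small evaluator. This is an added example, not code from the quoted answer or from Apache; the function names and the sample rule lists are hypothetical, and only `all` and IP/CIDR specs are handled.

```python
import ipaddress

def matches(client, specs):
    """True if client matches any spec ('all' or an IP/CIDR string)."""
    addr = ipaddress.ip_address(client)
    return any(
        spec.lower() == "all"
        or addr in ipaddress.ip_network(spec, strict=False)
        for spec in specs
    )

def is_allowed(order, allow, deny, client):
    """Evaluate Order/Allow/Deny as two blocks; written line order is irrelevant."""
    allowed = matches(client, allow)   # the whole Allow block is checked
    denied = matches(client, deny)     # the whole Deny block is checked
    mode = order.replace(" ", "").lower()
    if mode == "deny,allow":
        # Policy Allow, rule Deny, exception Allow: an Allow match rescues.
        return allowed or not denied
    if mode == "allow,deny":
        # Policy Deny, rule Allow, exception Deny: a Deny match always rejects.
        return allowed and not denied
    raise ValueError(f"unknown Order value: {order!r}")

# Constructed sample rule lists (documentation address ranges).
ALLOW = ["192.0.2.0/24"]       # Allow from 192.0.2.0/24
DENY = ["192.0.2.10"]          # Deny from 192.0.2.10
CLIENTS = ["192.0.2.10", "192.0.2.11", "198.51.100.7"]

def compare(allow=ALLOW, deny=DENY, clients=CLIENTS):
    """Return {client: (result under Allow,Deny, result under Deny,Allow)}."""
    return {
        c: (is_allowed("Allow,Deny", allow, deny, c),
            is_allowed("Deny,Allow", allow, deny, c))
        for c in clients
    }

if __name__ == "__main__":
    for client, (ad, da) in compare().items():
        print(f"{client:14} Allow,Deny={ad!s:5} Deny,Allow={da}")
```

With identical Allow and Deny lists, only the Order line differs: under Deny,Allow every sample client is admitted, including the one named in the Deny rule, so an access list meant as a whitelist has to be checked against the Order value it sits under.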
