Subject: svn commit: r479896 - /httpd/httpd/branches/2.2.x/docs/manual/mod/mod_authz_host.xml
Date: Tue, 28 Nov 2006 04:37:05 -0000
To: cvs@httpd.apache.org
From: pepper@apache.org
Message-Id: <20061128043705.63F211A984A@eris.apache.org>

Author: pepper
Date: Mon Nov 27 20:37:04 2006
New Revision: 479896

URL: http://svn.apache.org/viewvc?view=rev&rev=479896
Log:
Reword Order section to make 3-pass design clearer. Add table showing results of match combinations. Fix some tenses. Fix case of CENTER & IP Address.

Modified:
    httpd/httpd/branches/2.2.x/docs/manual/mod/mod_authz_host.xml

Modified: httpd/httpd/branches/2.2.x/docs/manual/mod/mod_authz_host.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/docs/manual/mod/mod_authz_host.xml?view=diff&rev=479896&r1=479895&r2=479896
==============================================================================
--- httpd/httpd/branches/2.2.x/docs/manual/mod/mod_authz_host.xml (original)
+++ httpd/httpd/branches/2.2.x/docs/manual/mod/mod_authz_host.xml Mon Nov 27 20:37:04 2006
@@ -78,7 +78,7 @@

The Allow directive affects which hosts can access an area of the server. Access can be controlled by - hostname, IP Address, IP Address range, or by other + hostname, IP address, IP address range, or by other characteristics of the client request captured in environment variables.

@@ -224,47 +224,89 @@ Limit -

The Order directive controls the default - access state and the order in which The Order directive, along with the + Allow and Deny directives, controls a + three-pass access control system. The first pass processes either + all Allow or all + Deny directives, as + specified by the Order directive. The second + pass parses the rest of the directives (Deny or Allow). The third pass applies + to all requests which do not match either of the first two.

+ +

Note that all Allow and Deny directives are evaluated. - Ordering is one of

+ module="mod_authz_host">Deny directives are processed, + unlike a typical firewall, where only the first match is used. The + last match is effective (also unlike a typical firewall). + Additionally, the order in which lines appear in the configuration + files is not significant -- all Allow lines are processed as one + group, all Deny lines + are considered as another, and the default state is considered by + itself.

+ +

Ordering is one of:

Deny,Allow
-
The Deny directives - are evaluated before the Allow directives. Access is - allowed by default. Any client which does not match a - Deny directive or does - match an Allow - directive will be allowed access to the server.
+
First, all Allow directives are + evaluated; at least one must match, or the request is rejected. + Next, all Deny + directives are evaluated. If any matches, the request is rejected. + Last, any requests which do not match an Allow or a Deny directive are denied by + default.
Allow,Deny
-
The Allow - directives are evaluated before the Deny directives. Access is denied - by default. Any client which does not match an Allow directive or does match a - Deny directive will be - denied access to the server.
+
First, all Deny + directives are evaluated; if any match, the request is denied + unless it also matches an Allow directive. Any requests + which do not match any Allow or Deny directives are + permitted.
Mutual-failure
-
Only those hosts which appear on the Allow list and do not appear on - the Deny list are - granted access. This ordering has the same effect as Order - Allow,Deny and is deprecated in favor of that - configuration.
+
This order has the same effect as Order + Allow,Deny and is deprecated in its favor.
-

Keywords may only be separated by a comma; no whitespace is - allowed between them. Note that in all cases every Allow and Deny statement is evaluated.

+

Keywords may only be separated by a comma; no whitespace + is allowed between them.

+ + + + + + + + + + + + + + + + + + + + + + + +
MatchAllow,Deny resultDeny,Allow result
Match Allow onlyRequest allowedRequest allowed
Match Deny onlyRequest deniedRequest denied
No matchDefault to second directive: DeniedDefault to second directive: Allowed
Match both Allow & DenyFinal match controls: DeniedFinal match controls: Allowed

In the following example, all hosts in the apache.org domain are allowed access; all other hosts are denied access.
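Review bot: the two new description bodies in the Ordering list appear to be attached to the wrong keywords. The text added under "Deny,Allow" says all Allow directives are evaluated first and that requests matching neither directive "are denied by default", while the text added under "Allow,Deny" says Deny directives are evaluated first and unmatched requests "are permitted". The new table in this same hunk states the opposite for both columns ("No match" is "Allowed" for Deny,Allow and "Denied" for Allow,Deny), and so does the removed text being replaced ("Access is allowed by default" under Deny,Allow, "Access is denied by default" under Allow,Deny) and the retained example that follows (Order Allow,Deny denies all hosts outside apache.org). Please swap the two description bodies so the list, the table and the examples agree; as committed, an administrator who reads the list entry for Order Deny,Allow would expect a deny-by-default policy and get the reverse.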

@@ -276,10 +318,10 @@

In the next example, all hosts in the apache.org domain are - allowed access, except for the hosts which are in the - foo.apache.org subdomain, who are denied access. All hosts not - in the apache.org domain are denied access because the default - state is to deny access to the server.

+ allowed access, except for the hosts which are in the foo.apache.org + subdomain, who are denied access. All hosts not in the apache.org + domain are denied access because the default state is to Deny access to the server.

Order Allow,Deny
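Review bot: "the default state is to Deny access to the server" capitalizes the English verb; "deny" here is not the Deny directive and should stay lowercase, as the removed line had it (the same applies to "will Deny all access to the /www directory" in a later hunk of this patch). Where the text does mean the directive, use the directive markup this file already applies to Allow and Deny rather than signalling it through capitalization, since the rendered page otherwise leaves the reader unable to tell the access state from the directive.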
@@ -287,21 +329,21 @@ Deny from foo.apache.org
-

On the other hand, if the Order in the last - example is changed to Deny,Allow, all hosts will - be allowed access. This happens because, regardless of the - actual ordering of the directives in the configuration file, - the Allow from apache.org will be evaluated last - and will override the Deny from foo.apache.org. - All hosts not in the apache.org domain will also - be allowed access because the default state will change to - allow.

- -

The presence of an Order directive can affect - access to a part of the server even in the absence of accompanying - Allow and Deny directives because of its effect - on the default access state. For example,

+

On the other hand, if the Order in the + last example is changed to Deny,Allow, all hosts will + be allowed access. This happens because, regardless of the actual + ordering of the directives in the configuration file, the + Allow from apache.org will be evaluated last and will + override the Deny from foo.apache.org. All hosts not in + the apache.org domain will also be allowed access + because the default state is Allow.

+ +

The presence of an Order directive can + affect access to a part of the server even in the absence of + accompanying Allow + and Deny directives + because of its effect on the default access state. For example,

<Directory /www>
@@ -311,23 +353,23 @@ </Directory>
-

will deny all access to the /www directory - because the default access state will be set to - deny.

+

will Deny all access to the /www directory + because the default access state is set to + Deny.

-

The Order directive controls the order of access - directive processing only within each phase of the server's +

The Order directive controls the order of + access directive processing only within each phase of the server's configuration processing. This implies, for example, that an Allow or Deny directive occurring in a - Location section will - always be evaluated after an Location section + will always be evaluated after an Allow or Deny directive occurring in a - Directory section or - .htaccess file, regardless of the setting of the - Order directive. For details on the merging - of configuration sections, see the documentation on Directory + section or .htaccess file, regardless of the setting of + the Order directive. For details on the + merging of configuration sections, see the documentation on How Directory, Location and Files sections work.