Delivered-To: apmail-httpd-cvs-archive@www.apache.org
Received: (qmail 93272 invoked from network); 28 Nov 2006 04:38:05 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (140.211.11.2)
by minotaur.apache.org with SMTP; 28 Nov 2006 04:38:05 -0000
Received: (qmail 64108 invoked by uid 500); 28 Nov 2006 04:38:14 -0000
Delivered-To: apmail-httpd-cvs-archive@httpd.apache.org
Received: (qmail 63903 invoked by uid 500); 28 Nov 2006 04:38:13 -0000
Mailing-List: contact cvs-help@httpd.apache.org; run by ezmlm
Precedence: bulk
Reply-To: dev@httpd.apache.org
Delivered-To: mailing list cvs@httpd.apache.org
Received: (qmail 63892 invoked by uid 99); 28 Nov 2006 04:38:13 -0000
Received: from herse.apache.org (HELO herse.apache.org) (140.211.11.133)
by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 27 Nov 2006 20:38:12 -0800
X-ASF-Spam-Status: No, hits=-9.4 required=10.0
tests=ALL_TRUSTED,NO_REAL_NAME
X-Spam-Check-By: apache.org
Received: from [140.211.11.3] (HELO eris.apache.org) (140.211.11.3)
by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 27 Nov 2006 20:38:00 -0800
Received: by eris.apache.org (Postfix, from userid 65534)
id 63F211A984A; Mon, 27 Nov 2006 20:37:05 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Subject: svn commit: r479896 -
/httpd/httpd/branches/2.2.x/docs/manual/mod/mod_authz_host.xml
Date: Tue, 28 Nov 2006 04:37:05 -0000
To: cvs@httpd.apache.org
From: pepper@apache.org
X-Mailer: svnmailer-1.1.0
Message-Id: <20061128043705.63F211A984A@eris.apache.org>
X-Virus-Checked: Checked by ClamAV on apache.org
Author: pepper
Date: Mon Nov 27 20:37:04 2006
New Revision: 479896
URL: http://svn.apache.org/viewvc?view=rev&rev=479896
Log:
Reword Order section to make 3-pass design clearer.
Add table showing results of match combinations.
Fix some tenses.
Fix case of CENTER & IP Address.
Modified:
httpd/httpd/branches/2.2.x/docs/manual/mod/mod_authz_host.xml
Modified: httpd/httpd/branches/2.2.x/docs/manual/mod/mod_authz_host.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.2.x/docs/manual/mod/mod_authz_host.xml?view=diff&rev=479896&r1=479895&r2=479896
==============================================================================
--- httpd/httpd/branches/2.2.x/docs/manual/mod/mod_authz_host.xml (original)
+++ httpd/httpd/branches/2.2.x/docs/manual/mod/mod_authz_host.xml Mon Nov 27 20:37:04 2006
@@ -78,7 +78,7 @@
The Allow directive affects which hosts can
access an area of the server. Access can be controlled by
- hostname, IP Address, IP Address range, or by other
+ hostname, IP address, IP address range, or by other
characteristics of the client request captured in environment
variables.
@@ -224,47 +224,89 @@
Limit
- The Order directive controls the default
- access state and the order in which The Order directive, along with the
+ Allow and Deny directives, controls a
+ three-pass access control system. The first pass processes either
+ all Allow or all
+ Deny directives, as
+ specified by the Order directive. The second
+ pass parses the rest of the directives (Deny or Allow). The third pass applies
+ to all requests which do not match either of the first two.
+
+ Note that all Allow and Deny directives are evaluated.
- Ordering is one of
+ module="mod_authz_host">Deny directives are processed,
+ unlike a typical firewall, where only the first match is used. The
+ last match is effective (also unlike a typical firewall).
+ Additionally, the order in which lines appear in the configuration
+ files is not significant -- all Allow lines are processed as one
+ group, all Deny lines
+ are considered as another, and the default state is considered by
+ itself.
+
+ Ordering is one of:
Deny,Allow
- - The Deny directives
- are evaluated before the Allow directives. Access is
- allowed by default. Any client which does not match a
- Deny directive or does
- match an Allow
- directive will be allowed access to the server.
+ - First, all Allow directives are
+ evaluated; at least one must match, or the request is rejected.
+ Next, all Deny
+ directives are evaluated. If any matches, the request is rejected.
+ Last, any requests which do not match an Allow or a Deny directive are denied by
+ default.
Allow,Deny
- - The Allow
- directives are evaluated before the Deny directives. Access is denied
- by default. Any client which does not match an Allow directive or does match a
- Deny directive will be
- denied access to the server.
+ - First, all Deny
+ directives are evaluated; if any match, the request is denied
+ unless it also matches an Allow directive. Any requests
+ which do not match any Allow or Deny directives are
+ permitted.
Mutual-failure
- - Only those hosts which appear on the Allow list and do not appear on
- the Deny list are
- granted access. This ordering has the same effect as
Order
- Allow,Deny
and is deprecated in favor of that
- configuration.
+ - This order has the same effect as
Order
+ Allow,Deny
and is deprecated in its favor.
- Keywords may only be separated by a comma; no whitespace is
- allowed between them. Note that in all cases every Allow and Deny statement is evaluated.
+ Keywords may only be separated by a comma; no whitespace
+ is allowed between them.
+
+
+
+ Match |
+ Allow,Deny result |
+ Deny,Allow result |
+
+ Match Allow only |
+ Request allowed |
+ Request allowed |
+
+ Match Deny only |
+ Request denied |
+ Request denied |
+
+ No match |
+ Default to second directive: Denied |
+ Default to second directive: Allowed |
+
+ Match both Allow & Deny |
+ Final match controls: Denied |
+ Final match controls: Allowed |
+
+
In the following example, all hosts in the apache.org domain
are allowed access; all other hosts are denied access.
@@ -276,10 +318,10 @@
In the next example, all hosts in the apache.org domain are
- allowed access, except for the hosts which are in the
- foo.apache.org subdomain, who are denied access. All hosts not
- in the apache.org domain are denied access because the default
- state is to deny access to the server.
+ allowed access, except for the hosts which are in the foo.apache.org
+ subdomain, who are denied access. All hosts not in the apache.org
+ domain are denied access because the default state is to Deny access to the server.
Order Allow,Deny
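Review bot: "the default state is to Deny access to the server" capitalizes Deny where it is an English verb rather than the directive name; the original lowercase "deny" read correctly. If the intent is to refer to the directive, mark it up as one, as Allow and Deny are elsewhere in this file; otherwise keep "deny". The rest of the reflow in this hunk changes no meaning.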
@@ -287,21 +329,21 @@
Deny from foo.apache.org
- On the other hand, if the Order in the last
- example is changed to Deny,Allow
, all hosts will
- be allowed access. This happens because, regardless of the
- actual ordering of the directives in the configuration file,
- the Allow from apache.org
will be evaluated last
- and will override the Deny from foo.apache.org
.
- All hosts not in the apache.org
domain will also
- be allowed access because the default state will change to
- allow.
-
- The presence of an Order directive can affect
- access to a part of the server even in the absence of accompanying
- Allow and Deny directives because of its effect
- on the default access state. For example,
+ On the other hand, if the Order in the
+ last example is changed to Deny,Allow
, all hosts will
+ be allowed access. This happens because, regardless of the actual
+ ordering of the directives in the configuration file, the
+ Allow from apache.org
will be evaluated last and will
+ override the Deny from foo.apache.org
. All hosts not in
+ the apache.org
domain will also be allowed access
+ because the default state is Allow.
+
+ The presence of an Order directive can
+ affect access to a part of the server even in the absence of
+ accompanying Allow
+ and Deny directives
+ because of its effect on the default access state. For example,
<Directory /www>
@@ -311,23 +353,23 @@
</Directory>
- will deny all access to the /www
directory
- because the default access state will be set to
- deny.
+ will Deny all access to the /www
directory
+ because the default access state is set to
+ Deny.
- The Order directive controls the order of access
- directive processing only within each phase of the server's
+
The Order directive controls the order of
+ access directive processing only within each phase of the server's
configuration processing. This implies, for example, that an
Allow or Deny directive occurring in a
- Location section will
- always be evaluated after an Location section
+ will always be evaluated after an Allow or Deny directive occurring in a
- Directory section or
- .htaccess
file, regardless of the setting of the
- Order directive. For details on the merging
- of configuration sections, see the documentation on Directory
+ section or .htaccess
file, regardless of the setting of
+ the Order directive. For details on the
+ merging of configuration sections, see the documentation on How Directory, Location and Files sections
work.
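Review bot: "will Deny all access to the /www directory" has the same verb-capitalized Deny as the earlier example hunk; "will deny all access" is the correct form, while "the default access state is set to Deny" is fine since there Deny names the state. The restructured Location/Directory sentence reads correctly and preserves the original point that the Order setting cannot reorder evaluation across configuration phases.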