httpd-dev mailing list archives

From Paul Sutton <p...@c2.net>
Subject Re: order mutual-failure
Date Tue, 15 Dec 1998 15:41:12 GMT

On Tue, 15 Dec 1998, Lars Eilebrecht wrote:
> I already posted a message about the sense of the 'mutual-failure' option
> some weeks ago, but never received a reply.
> 
> So here's again my question: Can anyone show me a situation where I need
> to use 'order mutual-failure' instead of 'deny,allow' or 'allow,deny'?
> 
> In all cases every allow and deny statement is evaluated, so why
> do I need 'mutual-failure'?

If you want to restrict access to a group of hosts, but deny a few specific
hosts within that group.

Say for instance you are a university and want to allow local users
access:

  order deny,allow
  deny from all
  allow from univ.edu

(example only: you'd probably use IP addresses in real life).

Now you put some public access terminals in your entrance halls,
libraries, etc, that the _public_ have access to. To stop them getting at
local only resources, you want to add a "deny from public1.univ.edu
public2.univ.edu", but where?

You'd use

  order mutual-failure
  allow from univ.edu
  deny from public1.univ.edu public2.univ.edu

(Other examples could be: to exclude dial-up IP lines, to exclude specific
departments/sections, to exclude inbound proxies on your network since you
don't know the clients' real address). It really is useful.

Paul
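
Added example, not part of the original message and not Apache's own code: a small Python model of how the Order settings discussed above evaluate the Allow and Deny lists, following the semantics documented for Apache's mod_access, run over the university scenario. The hostnames are constructed and treated as already resolved (the server's DNS lookups are not modelled), and `matches`, `check_access`, `CONFIGS` and `decisions` are hypothetical names.

```python
# Model of Order/Allow/Deny evaluation as documented for Apache mod_access.
# Assumption: hosts are already-resolved names; all sample hosts are constructed.

def matches(host, patterns):
    """True if a pattern is 'all', equals the host, or is a parent domain of it."""
    host = host.lower()
    return any(p == "all" or host == p or host.endswith("." + p)
               for p in map(str.lower, patterns))

def check_access(order, allow, deny, host):
    """Return True if the host is granted access under the given Order."""
    allowed, denied = matches(host, allow), matches(host, deny)
    if order == "deny,allow":        # default: allow; Allow is applied last
        ok = True
        if denied:
            ok = False
        if allowed:
            ok = True
    elif order == "allow,deny":      # default: deny; Deny is applied last
        ok = False
        if allowed:
            ok = True
        if denied:
            ok = False
    elif order == "mutual-failure":  # on the Allow list AND not on the Deny list
        ok = allowed and not denied
    else:
        raise ValueError("unknown order: " + order)
    return ok

PUBLIC = ["public1.univ.edu", "public2.univ.edu"]
CONFIGS = {
    # The first block from the message with the new deny line simply appended.
    "deny,allow with deny line appended": ("deny,allow", ["univ.edu"], ["all"] + PUBLIC),
    # The second block from the message.
    "mutual-failure": ("mutual-failure", ["univ.edu"], PUBLIC),
    # The same two lists under the other ordering asked about in the thread.
    "allow,deny": ("allow,deny", ["univ.edu"], PUBLIC),
}
HOSTS = ["lab7.univ.edu", "public1.univ.edu", "home.example.net", "evil-univ.edu"]

def decisions(name):
    """Map each sample host to True (granted) or False (refused) for a config."""
    order, allow, deny = CONFIGS[name]
    return {h: check_access(order, allow, deny, h) for h in HOSTS}

if __name__ == "__main__":
    for name in CONFIGS:
        print(name)
        for host, ok in decisions(name).items():
            print("   %-20s %s" % (host, "allow" if ok else "deny"))
```

In the first configuration the appended deny line has no effect on public1.univ.edu, because the later-applied `allow from univ.edu` matches it as well.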

