httpd-docs mailing list archives

From Cliff Woolley <cliffwool...@yahoo.com>
Subject Re: mod_access.html
Date Fri, 15 Dec 2000 02:43:29 GMT

--- Joshua Slive <slive@finance.commerce.ubc.ca> wrote:
> Comments VERY welcome.

Looks good.  I just have a few comments:


1)
    The first argument to this directive is always from. The subsequent arguments can
    take three different forms. If Allow from all is specified, then all hosts are
    allowed access. To allow only particular hosts or groups of hosts to access the
    server, the host can be specified in any of the following formats:

For the Allow from all part, how about an additional qualifier:

    ... If Allow from all is specified, then all hosts are allowed access except
    those that are specifically denied through the Deny directive (see also
    the Order directive for more information about this interaction).  ...

Or something like that.  =-)


2) In Allow/Deny, is a leading/trailing period required for partial matches?  I don't
remember.


3)
    SetEnvIf User-Agent ^KnockKnock/2.0 let_me_in
    <Directory /docroot>
        Order Deny,Allow
        Deny from all
        Allow from env=let_me_in
    </Directory>
    In this case browsers with the user-agent string KnockKnock/2.0 will be
    allowed access, and all others will be denied.

Just to be picky, doesn't the SetEnvIf regex used here actually allow any user-agent
string BEGINNING with KnockKnock/2.0 (since there's no trailing $ on the regex)?  I think
that actually is the behavior you want, so don't change the SetEnvIf... just stick a
"beginning" in the description there somewhere.


4)
  Deny,Allow 
      the Deny directives are evaluated before the Allow directives. (The initial
      state is OK.) 
  Allow,Deny 
      the Allow directives are evaluated before the Deny directives. (The initial
      state is FORBIDDEN.)

Changing "The initial state is FOO" in these two descriptions might make it more clear
what's going on... it's currently worded in kind of a programmer-friendly way.

Maybe make it say "The default behavior is to FOO clients neither specifically allowed
nor denied."


5) See my previous email about the short-circuiting thing.


6)
  Order Allow,Deny
  Allow from apache.org
  Deny from foo.apache.org

  Note that if the Order in the last example is changed to Deny,Allow, then all hosts
  will be allowed access since the default state will be OK, and the Allow from
  apache.org will be evaluated last and will override the Deny from foo.apache.org.

This part tripped me up... it's a perfectly valid and correct example, it just wasn't
100% obvious.  How about this:

  Order Allow,Deny
  Allow from apache.org
  Deny from foo.apache.org

  If the Order is changed to Deny,Allow, however, all clients will end up being
  allowed access.  That's because with Deny,Allow, the default is to allow,
  and because the Allow from apache.org will be evaluated last and will
  override the Deny from foo.apache.org (regardless of their actual order in
  the configuration file).

It's not much of a change... I don't even know if it helps any.  What do you think?

--Cliff
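
The evaluation rules discussed in points 3, 4 and 6 above, as an added sketch that is not part of the original message or of Apache's own code: a simplified Python model of how Order, Allow and Deny combine. The function names, the sample hostnames and User-Agent strings, and the whole-label hostname matching are assumptions of this sketch.

```python
import re

def host_matches(spec, host):
    """'all' matches every client; otherwise compare whole trailing labels."""
    spec, host = spec.lower(), host.lower()
    if spec == "all":
        return True
    return host == spec or host.endswith("." + spec.lstrip("."))

def rule_matches(spec, host, env):
    """One Allow/Deny argument: env=NAME tests a variable, else a hostname."""
    if spec.startswith("env="):
        return spec[4:] in env
    return host_matches(spec, host)

def access_allowed(order, allow, deny, host, env=frozenset()):
    """Combine the Allow and Deny lists the way the Order keyword dictates."""
    allowed = any(rule_matches(s, host, env) for s in allow)
    denied = any(rule_matches(s, host, env) for s in deny)
    if order == "Deny,Allow":
        # Deny first, Allow last: default is allow, and Allow overrides Deny.
        return allowed or not denied
    if order == "Allow,Deny":
        # Allow first, Deny last: default is deny, and Deny overrides Allow.
        return allowed and not denied
    raise ValueError("unsupported Order: " + order)

def setenvif(pattern, name, value):
    """SetEnvIf-style test: an unanchored regex search on the header value."""
    return {name} if re.search(pattern, value) else set()

if __name__ == "__main__":
    # Constructed sample clients for the configuration in point 6.
    allow, deny = ["apache.org"], ["foo.apache.org"]
    for order in ("Allow,Deny", "Deny,Allow"):
        for host in ("www.apache.org", "foo.apache.org", "example.com"):
            print(order, host, access_allowed(order, allow, deny, host))
    # Constructed User-Agent strings for the configuration in point 3.
    for ua in ("KnockKnock/2.0", "KnockKnock/2.0-beta", "Mozilla/4.0"):
        env = setenvif(r"^KnockKnock/2.0", "let_me_in", ua)
        print(ua, access_allowed("Deny,Allow", ["env=let_me_in"], ["all"], "example.com", env))
```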
