httpd-docs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Eric Covener" <>
Subject Re: Significance of evaluation order?
Date Wed, 01 Nov 2006 23:22:23 GMT
On 11/1/06, Chris Pepper <> wrote:
>         I (again) banged my head against Order today.
> <>
> says:
> >Deny,Allow
> >The Deny directives are evaluated before the Allow directives.
> >Access is allowed by default. Any client which does not match a Deny
> >directive or does match an Allow directive will be allowed access to
> >the server.
>         I'm used to 'evaluated before' meaning first match applies
> (firewall style), and any later matches never being checked.

If the incoming host matches both a Deny and an Allow, and Deny is
evaluated first, then the Allow later on will toggle access back on.
The result is very different if you don't consider which of the
Allow/Deny run first, assuming someone matches one of each.

Order Deny,Allow
# Default allow
# Uh oh, these are listed in the opposite order that Apache evaluates them
# Might be a sign of confusion
Allow from
Deny from

This is in contrast to "stop at first match of either type" or "follow
the order in httpd.conf".

One reason to think about rewording is that the phrase that talks
about default access policy comes "after" the phrase about the order
of evaluation -- but  it's actually a description of the initial

"Order Deny, Allow: Access is allowed by default, then all Deny
directives are applied, followed by all Allow directives."

Eric Covener

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message