httpd-docs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Chris Pepper <>
Subject Re: Significance of evaluation order?
Date Wed, 01 Nov 2006 23:31:05 GMT
At 6:22 PM -0500 2006/11/01, Eric Covener wrote:
>On 11/1/06, Chris Pepper <> wrote:
>>         I (again) banged my head against Order today.
>>>The Deny directives are evaluated before the Allow directives.
>>>Access is allowed by default. Any client which does not match a Deny
>>>directive or does match an Allow directive will be allowed access to
>>>the server.
>>         I'm used to 'evaluated before' meaning first match applies
>>(firewall style), and any later matches never being checked.
>If the incoming host matches both a Deny and an Allow, and Deny is
>evaluated first, then the Allow later on will toggle access back on.
>The result is very different if you don't consider which of the
>Allow/Deny run first, assuming someone matches one of each.
>Order Deny,Allow
># Default allow
># Uh oh, these are listed in the opposite order that Apache evaluates them
># Might be a sign of confusion
>Allow from
>Deny from
>This is in contrast to "stop at first match of either type" or "follow
>the order in httpd.conf".
>One reason to think about rewording is that the phrase that talks
>about default access policy comes "after" the phrase about the order
>of evaluation -- but  it's actually a description of the initial
>"Order Deny, Allow: Access is allowed by default, then all Deny
>directives are applied, followed by all Allow directives."

	I think a better wording would be to say that the second 
directive overrides, and sets the default state. 'before' just seems 

Chris Pepper:               <>
Rockefeller University:     <>

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message