httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ben Yau" <>
Subject RE: [users@httpd] allow override directive
Date Thu, 15 Jan 2004 20:07:02 GMT

> Yes, the require user does still work, and it is 2.0.47 that I am
> running this on.
> I thought that my Order directive was already correct for a default deny
> policy. "Order deny,allow" - ( from docs; "implements a restrictive
> access policy where most hosts are denied and then a smaller subset
> given access" ). Wrong? I also tried putting in the netmask, and it
> didn't help any.

Anyway, check out

In particular the "Order" section.  Counter-intuitive to me too, but that's
what it says.  Here's a cut and paste.  The key phrase is "Access is _____
by default":

The Deny directives are evaluated before the Allow directives. Access is
allowed by default. Any client which does not match a Deny directive or does
match an Allow directive will be allowed access to the server.

The Allow directives are evaluated before the Deny directives. Access is
denied by default. Any client which does not match an Allow directive or
does match a Deny directive will be denied access to the server.

Check the examples out also. I actually read this this morning and had to
read it about three to four times over to make sure I was comprehending what
it said.  Like you, I thought Order Deny,Allow was the more restrictive but
apparently not.  Because the allow is evaluated last.  So theoretically your
user could put a "allow from all" in his .htaccess file and that would allow
everyone in regardless of your deny and allow. (which is the symptom you are
seeing even though your allow is only from one IP)

The other key paragraph is:

On the other hand, if the Order in the last example is changed to
Deny,Allow, all hosts will be allowed access. This happens because,
regardless of the actual ordering of the directives in the configuration
file, the Allow from will be evaluated last and will override the
Deny from All hosts not in the domain will also
be allowed access because the default state will change to allow.

A bit confusing.

Not to mention .htaccess is already insecure, esp if your users can edit
their own .htaccess file.  You may want to just get rid of .htaccess
altogether and do everything from your httpd.conf if possible.

Good luck. I'm curious to see what you come up with from reading the docs


The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message