From: Chris Pepper Date: Tue, 28 Nov 2006 04:37:04 +0000 (+0000) Subject: Reword Order section to make 3-pass design clearer. X-Git-Tag: 2.2.4~75 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b52f833785e829bfb21f0fd6380a63e06e401c52;p=thirdparty%2Fapache%2Fhttpd.git Reword Order section to make 3-pass design clearer. Add table showing results of match combinations. Fix some tenses. Fix case of CENTER & IP Address. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.2.x@479896 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/mod/mod_authz_host.xml b/docs/manual/mod/mod_authz_host.xml index d4eccea5ee7..d9cce0a3e38 100644 --- a/docs/manual/mod/mod_authz_host.xml +++ b/docs/manual/mod/mod_authz_host.xml @@ -78,7 +78,7 @@ server

The Allow directive affects which hosts can access an area of the server. Access can be controlled by - hostname, IP Address, IP Address range, or by other + hostname, IP address, IP address range, or by other characteristics of the client request captured in environment variables.

@@ -224,47 +224,89 @@ evaluated. Limit -

The Order directive controls the default - access state and the order in which The Order directive, along with the + Allow and Deny directives, controls a + three-pass access control system. The first pass processes either + all Allow or all + Deny directives, as + specified by the Order directive. The second + pass parses the rest of the directives (Deny or Allow). The third pass applies + to all requests which do not match either of the first two.

+ +

Note that all Allow and Deny directives are evaluated. - Ordering is one of

+ module="mod_authz_host">Deny directives are processed, + unlike a typical firewall, where only the first match is used. The + last match is effective (also unlike a typical firewall). + Additionally, the order in which lines appear in the configuration + files is not significant -- all Allow lines are processed as one + group, all Deny lines + are considered as another, and the default state is considered by + itself.

+ +

Ordering is one of:

Deny,Allow
-
The Deny directives - are evaluated before the Allow directives. Access is - allowed by default. Any client which does not match a - Deny directive or does - match an Allow - directive will be allowed access to the server.
+
First, all Allow directives are + evaluated; at least one must match, or the request is rejected. + Next, all Deny + directives are evaluated. If any matches, the request is rejected. + Last, any requests which do not match an Allow or a Deny directive are denied by + default.
Allow,Deny
-
The Allow - directives are evaluated before the Deny directives. Access is denied - by default. Any client which does not match an Allow directive or does match a - Deny directive will be - denied access to the server.
+
First, all Deny + directives are evaluated; if any match, the request is denied + unless it also matches an Allow directive. Any requests + which do not match any Allow or Deny directives are + permitted.
Mutual-failure
-
Only those hosts which appear on the Allow list and do not appear on - the Deny list are - granted access. This ordering has the same effect as Order - Allow,Deny and is deprecated in favor of that - configuration.
+
This order has the same effect as Order + Allow,Deny and is deprecated in its favor.
-

Keywords may only be separated by a comma; no whitespace is - allowed between them. Note that in all cases every Allow and Deny statement is evaluated.

+

Keywords may only be separated by a comma; no whitespace + is allowed between them.

+ + + + + + + + + + + + + + + + + + + + + + + +
MatchAllow,Deny resultDeny,Allow result
Match Allow onlyRequest allowedRequest allowed
Match Deny onlyRequest deniedRequest denied
No matchDefault to second directive: DeniedDefault to second directive: Allowed
Match both Allow & DenyFinal match controls: DeniedFinal match controls: Allowed

In the following example, all hosts in the apache.org domain are allowed access; all other hosts are denied access.

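Review bot: the two new ordering descriptions appear to be swapped relative to their headings. The paragraph added under Deny,Allow ("First, all Allow directives are evaluated; at least one must match, or the request is rejected ... are denied by default") describes Allow,Deny behaviour, while the paragraph added under Allow,Deny ("First, all Deny directives are evaluated; if any match, the request is denied unless it also matches an Allow directive ... are permitted") describes Deny,Allow. The new table in the same hunk has it the right way round (Allow,Deny: no match is Denied; Deny,Allow: no match is Allowed), and so does the Order Allow,Deny example that follows, so the prose as written contradicts both. Suggest exchanging the two paragraphs, and while there, change "If any matches, the request is rejected" to "if any match" so the two entries use the same wording.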
@@ -276,10 +318,10 @@ evaluated.

In the next example, all hosts in the apache.org domain are - allowed access, except for the hosts which are in the - foo.apache.org subdomain, who are denied access. All hosts not - in the apache.org domain are denied access because the default - state is to deny access to the server.

+ allowed access, except for the hosts which are in the foo.apache.org + subdomain, who are denied access. All hosts not in the apache.org + domain are denied access because the default state is to Deny access to the server.

Order Allow,Deny
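Review bot: in the reworded sentence "the default state is to Deny access to the server", Deny is a verb but is now capitalised like the directive name; the removed text's lowercase "deny access" read correctly. If the intent is to point at the Deny directive, it should use the same directive markup the rest of the paragraph uses rather than bare capitalisation. The remainder of the hunk is only re-wrapping.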
@@ -287,21 +329,21 @@ evaluated. Deny from foo.apache.org
-

On the other hand, if the Order in the last - example is changed to Deny,Allow, all hosts will - be allowed access. This happens because, regardless of the - actual ordering of the directives in the configuration file, - the Allow from apache.org will be evaluated last - and will override the Deny from foo.apache.org. - All hosts not in the apache.org domain will also - be allowed access because the default state will change to - allow.

- -

The presence of an Order directive can affect - access to a part of the server even in the absence of accompanying - Allow and Deny directives because of its effect - on the default access state. For example,

+

On the other hand, if the Order in the + last example is changed to Deny,Allow, all hosts will + be allowed access. This happens because, regardless of the actual + ordering of the directives in the configuration file, the + Allow from apache.org will be evaluated last and will + override the Deny from foo.apache.org. All hosts not in + the apache.org domain will also be allowed access + because the default state is Allow.

+ +

The presence of an Order directive can + affect access to a part of the server even in the absence of + accompanying Allow + and Deny directives + because of its effect on the default access state. For example,

<Directory /www>
@@ -311,23 +353,23 @@ evaluated. </Directory>
-

will deny all access to the /www directory - because the default access state will be set to - deny.

+

will Deny all access to the /www directory + because the default access state is set to + Deny.

-

The Order directive controls the order of access - directive processing only within each phase of the server's +

The Order directive controls the order of + access directive processing only within each phase of the server's configuration processing. This implies, for example, that an Allow or Deny directive occurring in a - Location section will - always be evaluated after an Location section + will always be evaluated after an Allow or Deny directive occurring in a - Directory section or - .htaccess file, regardless of the setting of the - Order directive. For details on the merging - of configuration sections, see the documentation on Directory + section or .htaccess file, regardless of the setting of + the Order directive. For details on the + merging of configuration sections, see the documentation on How Directory, Location and Files sections work.
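Review bot: "will Deny all access to the /www directory" has the same problem: the sentence states what the configuration does, so the verb should stay lowercase ("will deny all access"), and "the default access state is set to Deny" should either say "deny" or mark Deny up as a directive, matching the convention used for Allow and Deny elsewhere in this file. The rewording of the phase-processing paragraph itself reads correctly.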