Order allow,deny example

Order allow,deny example

Order allow,deny can be quite confusing, so let's take a look at a few examples. First, we provide a few examples related to the Allow directive alone without the Order of the Order allow,deny directive.

Example: Allow from example.com

All hosts from this domain will be allowed, for example abc.example.com as well as www.example.com. Host from www.abcexample.com would not be allowed.

Example: Allow from 10.1.2.3
Example: Allow from 10.1

You can define the access level also by providing the IP address. In the first example, just the host with just that IP address would be allowed access. In the second example, all hosts from all subnets within 10.1.x.x would be allowed access.

The Deny directive works the same way. Now that we know how Allow and Deny works, let's take a look at how Order allow,deny works.

<Directory "/www">
Order Allow,Deny
Deny from all
Allow from all
</Directory>

In this case, your client would be denied access. Why? Because Apache first evaluates the Allow directive rules and then the Deny directive rules, so Allow from all would be executed first and then the Deny from all would take place.

Now the same example with the Order allow,deny swapped.

<Directory "/www">
Order Deny,Allow
Deny from all
Allow from all
</Directory>

The configuration above would result in your client being allowed access because the Deny from all rule would be processed first and the Allow from all rule would be processed second. Now, let's get more specific. The following example could be used for specialized and restricted servers, for example some kind of intranet site.

<Directory "/www">
Order Deny,Allow
Deny from all
Allow from example.com
</Directory>

This is a bit expanded application of the Order directive. This configuration would restrict everyone from accessing the /www directory but hosts in the example.com domain. Abc.example.com would be allowed access, www.myexample.com would be restricted. Now, let's say you want to do the opposite. You want to restrict someone from some specific domain (perhaps someone who is attacking your web site) and allow everyone else.

<Directory "/www">
Order Allow,Deny
Allow from all
Deny from www.myexample.com
</Directory>

The configuration provided above would give access to everyone and restrict all hosts from the www.myexample.com domain.

Now, what happens if you forget to provide specific rules and use just the Order allow,deny directive alone?

<Directory /www>
Order Allow,Deny
</Directory>

The presence of an Order directive can affect access to a part of the server even in the absence of accompanying Allow and Deny directives. That is because when you specify the Order allow,deny you also control the default access state. The example above will Deny all access to the /www directory because the default access state is set to Deny.