At 6:22 PM -0500 2006/11/01, Eric Covener wrote:
On 11/1/06, Chris Pepper <[EMAIL PROTECTED]> wrote:
        I (again) banged my head against Order today.
<http://httpd.apache.org/docs/trunk/mod/mod_access_compat.html#order>
says:

Deny,Allow
The Deny directives are evaluated before the Allow directives.
Access is allowed by default. Any client which does not match a Deny
directive or does match an Allow directive will be allowed access to
the server.

        I'm used to 'evaluated before' meaning first match applies
(firewall style), and any later matches never being checked.

If the incoming host matches both a Deny and an Allow, and Deny is
evaluated first, then the Allow later on will toggle access back on.
The result is very different if you don't consider which of the
Allow/Deny run first, assuming someone matches one of each.

Order Deny,Allow
# Default allow
# Uh oh, these are listed in the opposite order that Apache evaluates them
# Might be a sign of confusion
Allow from bar.com
Deny from foo.bar.com

This is in contrast to "stop at first match of either type" or "follow
the order in httpd.conf".

One reason to think about rewording is that the phrase that talks
about default access policy comes "after" the phrase about the order
of evaluation -- but it's actually a description of the initial
state.

"Order Deny, Allow: Access is allowed by default, then all Deny
directives are applied, followed by all Allow directives."

I think a better wording would be to say that the second directive overrides, and sets the default state. 'before' just seems confusing.


                                                Chris
--
Chris Pepper:               <http://www.reppep.com/~pepper/>
                            <http://www.reppep.com/weblog/pepper/>
Rockefeller University:     <http://www.rockefeller.edu/>
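
The three readings discussed in this thread, applied to the quoted configuration, as an added example (not code from the thread or from Apache). It is a simplified model that assumes only hostname "Allow from"/"Deny from" rules; the function names are made up for the illustration.

```python
# Added illustration: a simplified model of mod_access_compat's Order logic.
# Only hostname "Allow from"/"Deny from" rules are modelled (no IPs, env=, "all").

def host_matches(host, pattern):
    """Whole-component suffix match: bar.com matches foo.bar.com, not foobar.com."""
    host, pattern = host.lower(), pattern.lower().lstrip(".")
    return host == pattern or host.endswith("." + pattern)

def apache_order(order, rules, host):
    """Evaluate like Apache: all rules of each type are checked, whatever
    their position in the file; the type named last in Order wins on overlap."""
    allowed = any(host_matches(host, p) for kind, p in rules if kind == "allow")
    denied = any(host_matches(host, p) for kind, p in rules if kind == "deny")
    if order == "deny,allow":      # default allow; Allow overrides Deny
        return allowed or not denied
    if order == "allow,deny":      # default deny; Deny overrides Allow
        return allowed and not denied
    raise ValueError("unsupported Order: " + order)

def first_match(rules, host, default=True):
    """Firewall-style reading: the first matching rule in file order decides."""
    for kind, pattern in rules:
        if host_matches(host, pattern):
            return kind == "allow"
    return default

# The configuration from the message, in the order it is written.
RULES = [("allow", "bar.com"), ("deny", "foo.bar.com")]

if __name__ == "__main__":
    for host in ("foo.bar.com", "www.bar.com", "example.org"):
        print(host,
              "Deny,Allow:", apache_order("deny,allow", RULES, host),
              "Allow,Deny:", apache_order("allow,deny", RULES, host),
              "first-match:", first_match(RULES, host))
```

Under Order Deny,Allow the "Deny from foo.bar.com" line has no effect, because the broader Allow re-admits that host; it only takes effect under Order Allow,Deny.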
