 |  |
5.9. Order, Allow, and Deny
So far we have dealt with potential users on an individual basis. We can also allow access from or deny access to specific IP addresses, hostnames, or groups of addresses and hostnames. The commands are allow from and deny from.
The order in which the allow and deny commands are applied is not set by the order in which they appear in your file. The default order is deny then allow : if a client is excluded by deny, it is excluded unless it matches allow. If neither is matched, the client is granted access.
The order in which these commands is applied can be set by the order directive.
| allow from |
allow from host host ... directory, .htaccess
The allow directive controls access to a directory. The argument host can be one of the following:
- all
- All hosts are allowed access.
- A (partial) domain name
- All hosts whose names match or end in this string are allowed access.
- A full IP address
- The first one to three bytes of an IP address are allowed access, for subnet restriction.
- A network/netmask pair
- Network a.b.c.d and netmask w.x.y.z are allowed access, to give finer-grained subnet control. For instance, 10.1.0.0/255.255.0.0.
- A network CIDR specification
- The netmask consists of nnn high-order 1-bits. For instance, 10.1.0.0/16 is the same as 10.1.0.0/255.255.0.0.
| allow from env |
allow from env=variablename ... directory, .htaccess
The allow from env directive controls access by the existence of a named environment variable. For instance:
BrowserMatch ^KnockKnock/2.0 let_me_in <Directory /docroot> order deny,allow deny from all allow from env=let_me_in </Directory>
Access by a browser called KnockKnock v2.0 sets an environment variable let_me_in,which in turn triggersallow from.
| deny from |
deny from host host ... directory, .htaccess
The deny from directive controls access by host. The argument host can be one of the following:
- all
- All hosts are denied access.
- A (partial) domain name
- All hosts whose names match or end in this string are denied access.
- A full IP address
- The first one to three bytes of an IP address are denied access, for subnet restriction.
- A network/netmask pair
- Network a.b.c.d and netmask w.x.y.z are denied access, to give finer-grained subnet control. For instance, 10.1.0.0/255.255.0.0.
- A network CIDR specification
- The netmask consists of nnn high-order 1-bits. For instance, 10.1.0.0/16 is the same as 10.1.0.0/255.255.0.0.
| deny from env |
deny from env=variablename ... directory, .htaccess
The deny from env directive controls access by the existence of a named environment variable. For instance:
BrowserMatch ^BadRobot/0.9 go_away <Directory /docroot> order allow,deny allow from all deny from env=go_away </Directory>
Access by a browser called BadRobot v0.9 sets an environment variable go_away, which in turn triggers deny from.
| Order |
order ordering directory, .htaccess
The ordering argument is one word (i.e., it is not allowed to contain a space) and controls the order in which the foregoing directives are applied. If two order directives apply to the same host, the last one to be evaluated prevails:
- deny,allow
- The deny directives are evaluated before the allow directives. This is the default.
- allow,deny
- The allow directives are evaluated before the deny s, but the user will still be rejected if a deny is encountered.
- mutual-failure
- Hosts that appear on the allow list and do not appear on the deny list are allowed access.
We could say:
allow from all
which lets everyone in and is hardly worth writing, or we could say:
allow from 123.156 deny from all
As it stands, this denies everyone except those whose IP addresses happen to start with 123.156. In other words, allow is applied last and carries the day. If, however, we changed the default order by saying:
order allow,deny allow from 123.156 deny from all
we effectively close the site because deny is now applied last. It is also possible to use domain names, so that instead of:
deny from 123.156.3.5
you could say:
deny from badguys.com
Although this has the advantage of keeping up with the Bad Guys as they move from one IP address to another, it also allows access by people who control the reverse-DNS mapping for their IP addresses.
A URL can be contain just part of the hostname. In this case, the match is done on whole words from the right. That is, allow from fred.com allows fred.com and abc.fred.com, but not notfred.com.
Good intentions, however, are not enough: before conferring any trust in a set of access rules, you want to test them very thoroughly in private before exposing them to the world. Try the site with as many different browsers as you can muster: Netscape and MSIE can behave surprisingly differently. Having done that, try the site from a public-access terminal — in a library, for instance.
|  | |
| 5.8. Variations on a Theme |  | 5.10. DBM Files on Unix |
Copyright © 2003 O'Reilly & Associates. All rights reserved.