- deny,allow
The deny directives are evaluated before the
allow directives.
- allow,deny
The allow directives are evaluated before the
denys.
- mutual-failure
Hosts that appear on the allow list and do not
appear on the deny list are allowed access.
We could say:
allow from all
which lets everyone in and is hardly worth writing, or we could say:
allow from 123.156
deny from all
As it stands, this denies everyone except those whose IP addresses
happen to start with 123.156. In other words,
allow is applied last and carries the day. If,
however, we changed the default order by saying:
order allow,deny
allow from 123.156
deny from all
we effectively close the site because deny is now
applied last. It is also possible to use domain names, so that
instead of:
deny from 123.156.3.5
you could say:
deny from badguys.com
Although this has the advantage of keeping up with the Bad Guys as
they move from one IP address to another, it also allows access by
people who control the reverse-DNS mapping for their IP addresses.
A URL can be partial. In this case, the match is done on whole words
from the right. That is, allow
from fred.com allows
fred.com and abc.fred.com,
but not notfred.com.