On 11/1/06, Chris Pepper <[EMAIL PROTECTED]> wrote:
I (again) banged my head against Order today.
<http://httpd.apache.org/docs/trunk/mod/mod_access_compat.html#order> says:

>Deny,Allow
>The Deny directives are evaluated before the Allow directives.
>Access is allowed by default. Any client which does not match a Deny
>directive or does match an Allow directive will be allowed access to
>the server.

I'm used to 'evaluated before' meaning first match applies (firewall style), and any later matches never being checked.

If the incoming host matches both a Deny and an Allow, and Deny is evaluated first, then the Allow later on will toggle access back on. The result is very different if you don't consider which of the Allow/Deny run first, assuming someone matches one of each.

Order Deny,Allow
# Default allow
# Uh oh, these are listed in the opposite order that Apache evaluates them
# Might be a sign of confusion
Allow from bar.com
Deny from foo.bar.com

This is in contrast to "stop at first match of either type" or "follow the order in httpd.conf".

One reason to think about rewording is that the phrase that talks about default access policy comes "after" the phrase about the order of evaluation -- but it's actually a description of the initial state.

"Order Deny, Allow: Access is allowed by default, then all Deny directives are applied, followed by all Allow directives."

--
Eric Covener
[EMAIL PROTECTED]
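
Added example, not part of the original message and not Apache's own code: a simplified Python model of the evaluation discussed above, comparing the documented Order behaviour with the two other readings ("stop at first match" and "follow the order in httpd.conf") for the bar.com / foo.bar.com rules. The function names and the sample client hosts are assumptions made for illustration; only partial-domain "Allow from"/"Deny from" rules are modelled.

```python
# Added illustration: a simplified model of mod_access_compat host rules.
# Only "Allow from"/"Deny from" with partial domain names are modelled.

def domain_match(host, pattern):
    """Match on whole name components: bar.com matches foo.bar.com, not foobar.com."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().strip(".")
    return host == pattern or host.endswith("." + pattern)

def matches(kind, rules, host):
    return any(k == kind and domain_match(host, p) for k, p in rules)

def apache_order(order, rules, host):
    """Set the default, then apply each directive type as a group; the last group wins."""
    first, second = order.lower().replace(" ", "").split(",")
    if {first, second} != {"allow", "deny"}:
        raise ValueError("order must be 'Deny,Allow' or 'Allow,Deny'")
    allowed = (second == "allow")   # Deny,Allow: default allow; Allow,Deny: default deny
    for kind in (first, second):    # position in the config file is irrelevant
        if matches(kind, rules, host):
            allowed = (kind == "allow")
    return allowed

def first_match(rules, host, default=True):
    """Firewall-style reading: walk the rules in the given order, stop at the first hit."""
    for kind, pattern in rules:
        if domain_match(host, pattern):
            return kind == "allow"
    return default

# Rules in the order they appear in the configuration from the message.
RULES = [("allow", "bar.com"), ("deny", "foo.bar.com")]
HOSTS = ["foo.bar.com", "www.bar.com", "example.org"]  # constructed sample clients

def compare(rules=RULES, hosts=HOSTS):
    deny_first = sorted(rules, key=lambda r: r[0] != "deny")  # Deny group first
    return {h: {"Deny,Allow": apache_order("Deny,Allow", rules, h),
                "Allow,Deny": apache_order("Allow,Deny", rules, h),
                "first match, Deny first": first_match(deny_first, h),
                "first match, file order": first_match(rules, h)} for h in hosts}

if __name__ == "__main__":
    for host, row in compare().items():
        print(host, row)
```

Under Order Deny,Allow the "Deny from foo.bar.com" line has no effect here, because the broader "Allow from bar.com" is applied afterwards; the same two rules under Order Allow,Deny do block foo.bar.com, and also every host outside bar.com.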
