Order allow,deny is a setting in your Apache web server configuration that is used to restrict access to certain directories (folders) or even globally. Configuring who can access your directories is very important for your web site security. Order allow,deny is one way to restrict who can see what.
What is Order allow,deny?
Order allow,deny directive supports or better said "combines" the basic Allow and Deny directives into a more sophisticated configuration setting. Let's explain some basics. When you open your Apache web server configuration files, you can find some references to the Allow and Deny directives which are used to specify which clients are or are not allowed access to the web dedicated server.
The Allow directive affects which hosts "can access" an area of the server. Access is usually controlled by hostname, IP address, or IP address range.
This Deny directive "restricts access" to the server. Restrictions can be based again on hostname, IP address, or environment variables.
The Order directive used in the Order allow,deny directive is a bit tricky and has two seemingly unrelated functions:
The Order directive sets the default access state which means that it controls the order in which the Allow and Deny directives are processed, AND
Configures how the Allow and Deny directives interact with each other, in other words, it sets the default policy for connections that do not match either of the Allow or Deny rules.
The Order allow,deny has only two options available which are discussed next.
Order allow,deny syntax
You can see the Order directive used in two ways.
Order allow,deny and Order deny,allow
Order allow,deny tells your web server that the Allow rules are processed before the Deny rules. If the client does not match the Allow rule or it does match the Deny rule, then the client will be denied access.
Order deny, allow means that the deny rules are processed before the allow rules. If the client does not match the deny rule or it does match the allow rule, then it will be granted access.
Order allow,deny example
Order allow,deny can be quite confusing, so let's take a look at a few examples. First, we provide a few examples related to the Allow directive alone without the Order of the Order allow,deny directive.
Example: Allow from example.com
All hosts from this domain will be allowed, for example abc.example.com as well as www.example.com. Host from www.abcexample.com would not be allowed.
Example: Allow from 10.1.2.3
Example: Allow from 10.1
You can define the access level also by providing the IP address. In the first example, just the host with just that IP address would be allowed access. In the second example, all hosts from all subnets within 10.1.x.x would be allowed access.
The Deny directive works the same way. Now that we know how Allow and Deny works, let's take a look at how Order allow,deny works.
Deny from all
Allow from all
In this case, your client would be denied access. Why? Because Apache first evaluates the Allow directive rules and then the Deny directive rules, so Allow from all would be executed first and then the Deny from all would take place.
Now the same example with the Order allow,deny swapped.
Deny from all
Allow from all
The configuration above would result in your client being allowed access because the Deny from all rule would be processed first and the Allow from all rule would be processed second. Now, let's get more specific. The following example could be used for specialized and restricted servers, for example some kind of intranet site.
Deny from all
Allow from example.com
This is a bit expanded application of the Order directive. This configuration would restrict everyone from accessing the /www directory but hosts in the example.com domain. Abc.example.com would be allowed access, www.myexample.com would be restricted. Now, let's say you want to do the opposite. You want to restrict someone from some specific domain (perhaps someone who is attacking your web site) and allow everyone else.
Allow from all
Deny from www.myexample.com
The configuration provided above would give access to everyone and restrict all hosts from the www.myexample.com domain.
Now, what happens if you forget to provide specific rules and use just the Order allow,deny directive alone?
The presence of an Order directive can affect access to a part of the server even in the absence of accompanying Allow and Deny directives. That is because when you specify the Order allow,deny you also control the default access state. The example above will Deny all access to the /www directory because the default access state is set to Deny.
Where can I find Order allow,deny?
The Order allow,deny can be found in two places. You can find it in your server configuration file httpd.conf. You can also find Order allow,deny in your .htaccess files which are used to control access to particular parts of your server.
This picture shows Order allow,deny configuration in httpd.conf and .htaccess.
Order allow,deny and module mod_access
Order allow,deny relates to the mod_access Apache server module which provides access control based on client hostname, IP address, or other characteristics of the client request.
Order allow,deny does not work
Remember that if you make any changes to the httpd.conf file, you have to restart your web server.
Your configuration that you make in your httpd.conf needs to be in sync with your configuration in your .htaccess file. It is possible that you are trying to override some configuration, but it does not have any effect because some other configuration in your other file has precedence.
Always remember to fully test your changes. Unintended access may be allowed or denied if the incorrect directive arguments order is applied. It is therefore extremely important to fully test all configurations to validate that the proper access control is attained.
Is there any other setting related to Order allow,deny?