htaccess “order” Deny, Allow, Deny

by

Update : for the new apache 2.4 jump directly to the end.

The Order keyword and its relation with Deny and Allow Directives is a real nightmare. It would be quite interesting to understand how we ended up with such solution, a non-intuitive one to say the least.

  • The first important point is that the Order keyword will have a big impact on how Allow and Deny directives are used.
  • Secondly, Deny and Allow directives are not applied in the order they are written, they must be seen as two distinct blocks (one the for Deny directives, one for Allow).
  • Thirdly, they are drastically not like firewall rules: all rules are applied, the process is not stopping at the first match.

You have two main modes:

The Order-Deny-Allow-mode, or Allow-anyone-except-this-list-or-maybe-not

Order Deny,Allow
  • This is an allow by default mode. You optionally specify Deny rules.
  • Firstly, the Deny rules reject some requests.
  • If someone gets rejected you can get them back with an Allow.

I would rephrase it as:

Rule Deny
     list of Deny rules
Except
     list of Allow rules
Policy Allow (when no rule fired)

The Order-Allow-Deny-mode, or Reject-everyone-except-this-list-or-maybe-not

Order Allow,Deny
  • This is a deny by default mode. So you usually specify Allow rules.
  • Firstly, someone’s request must match at least one Allow rule.
  • If someone matched an Allow, you can still reject them with a Deny.

In the simplified form:

Rule Allow
     list of Allow rules
Except
     list of Deny rules
Policy Deny (when no rule fired)

Back to your case

You need to allow a list of networks which are the country networks. And in this country you want to exclude some proxies’ IP addresses.

You have taken the allow-anyone-except-this-list-or-maybe-not mode, so by default anyone can access your server, except proxies’ IPs listed in the Deny list, but if they get rejected you still allow the country networks. That’s too broad. Not good.

By inverting to order allow,deny you will be in the reject-everyone-except-this-list-or-maybe-not mode.
So you will reject access to everyone but allow the country networks and then you will reject the proxies. And of course you must remove the Deny from all as stated by @Gerben and @Michael Slade (this answer only explains what they wrote).

The Deny from all is usually seen with order deny,allow to remove the allow by default access and make a simple, readable configuration. For example, specify a list of allowed IPs after that. You don’t need that rule and your question is a perfect case of a 3-way access mode (default policy, exceptions, exceptions to exceptions).

But the guys who designed these settings are certainly insane.

All this is deprecated with Apache 2.4

The whole authorization scheme has been refactored in Apache 2.4 with RequireAll, RequireAny and RequireNone directives. See for example this complex logic example.

So the old strange Order logic becomes a relic, and to quote the new documentation:

Controling how and in what order authorization will be applied has been a bit of a mystery in the past

More Related Contents:

  1. Reference: mod_rewrite, URL rewriting and “pretty links” explained
  2. Tips for debugging .htaccess rewrite rules
  3. htaccess redirect to https://www
  4. How to Set AllowOverride all
  5. How do I disable directory browsing?
  6. htaccess remove index.php from url
  7. .htaccess rewrite subdomain to directory
  8. How to prevent http file caching in Apache httpd (MAMP)
  9. Deny access to one specific folder in .htaccess
  10. Hidden features of mod_rewrite
  11. How to debug .htaccess RewriteRule not working
  12. Forbidden You don’t have permission to access / on this server [closed]
  13. .htaccess ErrorDocument 404 not showing up
  14. .htaccess rewrite query string as path
  15. deny directory listing with htaccess
  16. How to redirect URLs based on query string?
  17. mod_rewrite: remove trailing slash (only one!)
  18. Remove Characters from URL with htaccess
  19. CSS, JS and images do not display with pretty url
  20. mod_rewrite: remove query string from URL?
  21. How to manually generate pages in Nuxt router with a 404 page fallback for .htaccess
  22. Rewrite Problem – L(ast) not being respected?
  23. Difference between $1 vs %1 in .htaccess
  24. Configure apache on elastic beanstalk
  25. .htaccess: how to restrict access to a single file by IP?
  26. Internal URL rewrite no longer working after upgrading Apache to 2.4
  27. Set Content-Disposition header to attachment only on files in a certain directory?
  28. RewriteCond to match query string parameters in any order
  29. htaccess RewriteRule page with query string
  30. URL rewriting for different protocols in .htaccess

Leave a Comment