Apache22 Access Control

Hello,
I'm reading Absolute FreeBSD 2nd Ed, at the "Web and FTP Services" chapter.
The author wrote this as examples of apache's access control functionality.

A)
Code:
Order allow,deny
Allow from all

B) or if I did not understand it at all:

Code:
Order deny,allow
Allow from 192.168.0.0/16
Deny from all

My question is whether the same examples could have been written in this more compact form..

A)
Code:
Order deny,allow

B)
Code:
Order allow,deny
Allow from 192.168.0.0/16

or I just missed the entire point of "Order"..
Thanks.
 
The ironic part is that reading the apache documentation reinforced my doubt in this matter.

In the following example, all hosts in the apache.org domain are allowed access; all other hosts are denied access.
Code:
Order Deny,Allow
Deny from all
Allow from apache.org

Why not write in this, more concise and logical, way?
Code:
Order Allow,Deny
Allow from apache.org

I can't stop thinking that if they need three lines to do this, it is because it's the best solution and I'm missing an important point..
 
@tessio: With flexibility comes complexity (and multiple ways to achieve the same goal).

Just remember with Apache web server ACLs -- read the rules in the sequence they appear in the "Order" directive, and last match wins.

If your own method for writing Apache's ACLs is more intuitive (to you) than what you're reading in examples, then use it. What's really important is that you test each time to confirm it's behaving as you would expect.
 
Thanks everyone..
I now understand the subtleties in these constructions..

Those are the same thing:
Code:
Order Deny,Allow
Deny from all
Allow from apache.org

Order Allow,Deny
Allow from apache.org

But if I put this same line in both ACLs:
Code:
Deny from foo.apache.org

now I have two different behaviors. foo.apache.org will only be denied in the last ACL.

So, even if I have two constructions that say the same thing, and I put an identical line in both, I can end up having two different things..
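
A small model of the Apache 2.2 `Order` evaluation discussed in this thread, added here as an example (it is not code from any poster or from Apache). It assumes the client's hostname is already resolved; the function names and the sample clients are constructed for illustration.

```python
import ipaddress

def matches(spec, ip, hostname):
    """True if one Allow/Deny 'from' value matches the client."""
    if spec.lower() == "all":
        return True
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        pass  # not a full address/CIDR: treat as a (partial) domain name
    # Partial IP forms such as "10.1" are not modelled here.
    host, dom = hostname.lower(), spec.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)  # whole name components only

def evaluate(order, allow, deny, ip, hostname=""):
    """Return True if access is granted under Apache 2.2 Order semantics.

    The position of Allow/Deny lines in the config is irrelevant; only the
    Order directive decides which set is processed last and what the default is.
    """
    allowed = any(matches(s, ip, hostname) for s in allow)
    denied = any(matches(s, ip, hostname) for s in deny)
    if order.replace(" ", "").lower() == "allow,deny":
        # Default is deny: the client must match an Allow and no Deny.
        return allowed and not denied
    # Deny,Allow: default is allow; a Deny match is overridden by an Allow match.
    return allowed or not denied

# ACLs from the thread, as (Order, Allow values, Deny values)
LONG = ("Deny,Allow", ["apache.org"], ["all"])
SHORT = ("Allow,Deny", ["apache.org"], [])

# Constructed sample clients (documentation-range addresses)
CLIENTS = [("192.0.2.10", "www.apache.org"),
           ("192.0.2.11", "foo.apache.org"),
           ("198.51.100.7", "example.net")]

def decisions(acl, extra_deny=()):
    """Map each sample hostname to the allow/deny decision for one ACL."""
    order, allow, deny = acl
    return {h: evaluate(order, allow, list(deny) + list(extra_deny), ip, h)
            for ip, h in CLIENTS}

if __name__ == "__main__":
    print("as written:     ", decisions(LONG), decisions(SHORT))
    extra = ["foo.apache.org"]
    print("plus Deny foo:  ", decisions(LONG, extra), decisions(SHORT, extra))
```

A model like this is only a reasoning aid; confirm the real behaviour by requesting the protected URL from an allowed and a denied client after each change.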
 