[WEB4LIB] Apache config question

James Cayz cayz at lib.de.us
Wed Mar 22 12:02:20 EST 2000


Thomas and group.

The order of the allow / deny list in Apache is irrelevant.  The Order
directive says which to evaluate first (Allows or Denys).  It is also
important to note that EVERY statement is evaluated, no "dropout on
match".

From
http://{apache-server-name}/ApacheManual/mod/mod_access.html#order

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

The order directive controls the order in which allow and deny directives
are evaluated. Ordering is one of 

deny,allow 
     the deny directives are evaluated before the allow directives. (The
     initial state is OK.) 
allow,deny 
     the allow directives are evaluated before the deny directives. (The
     initial state is FORBIDDEN.) 
mutual-failure 
     Only those hosts which appear on the allow list and do not appear on
     the deny list are granted access. (The initial state is irrelevant.) 

Keywords may only be separated by a comma; no whitespace is allowed
between them. Note that in all cases every allow and deny statement is
evaluated, there is no "short-circuiting". 

Example: 

     order deny,allow
     deny from all
     allow from .ncsa.uiuc.edu

Hosts in the ncsa.uiuc.edu domain are allowed access; all other hosts are
denied access. 

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 

So, in your case, the default is OK, and the "denys" are evaluated first,
namely your deny all and deny specific IP address.  THEN, the allow is
done, which does all for the IP range, basically invalidating the previous
deny.

I think you want to change the order to "order allow, deny", and remove
the deny all.  That should make the "doughnut" shaped area you want.

I don't know when it was changed.  I'm running 1.3.X .

Hope this helps.

James Cayz

+--------------------------------------------------------------------------+
| James Cayz  #  cayz at lib.de.us #  DelAWARE homepage: http://www.lib.de.us |
| Network Processing Administrator #  302-739-4748 x130 # Fax 302-739-6948 |
| Delaware Division of Libraries # 43 S. DuPont Hwy / Dover, DE 19901-7430 |
+--------------------------------------------------------------------------+

On Wed, 22 Mar 2000, Thomas Dowling wrote:
>Has anyone observed anything like this in Apache?  We have a number of IP
>ranges for which we need to allow access, but with a specific address or
>addresses that we need to deny (something like a FreeNet or a proxy that's
>open to users we don't allow, etc.).  For years, we have had something
>like this in our Apache config files:
>
><Directory /foo>
>  <Limit GET POST>
>  order deny, allow
>  deny from all
>  allow from 150.134.
>  deny from 150.134.50.5
>  </Limit>
></Directory>
>
>This would allow access to Youngstown State U, but keep out the Youngstown
>FreeNet.
>
>Apparently, sometime between Apache 1.3.3 and 1.3.9, this stopped
>working--or at least, similar configurations on different servers running
>those versions don't keep out the FreeNet IP.  Has anyone else observed
>this?  And if so, did you find a workaround?
>
>[Apache is great in so many ways, but it really is frustrating how many
>tiny little things change from one version to the next, from the location
>of the httpd executable to the default Options for directories.]
>
>Thomas Dowling
>OhioLINK - Ohio Library and Information Network
>tdowling at ohiolink.edu
>
>
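
The evaluation rules discussed in this thread, as an added example that is not part of either message and is not Apache's own code: a small Python model of the three Order modes, run over the rules from the quoted question and the suggested change. The function names and the sample addresses other than 150.134.50.5 are assumptions made for illustration, and only "all", full IP and partial IP specs are modelled (no hostnames such as .ncsa.uiuc.edu).

```python
# Added example: model of mod_access allow/deny evaluation (IP specs only).
VALID_ORDERS = ("deny,allow", "allow,deny", "mutual-failure")

def matches(spec, ip):
    """True if a 'from' spec ('all', full IP, or partial IP) covers ip."""
    if spec == "all":
        return True
    want = spec.rstrip(".").split(".")      # '150.134.' -> ['150', '134']
    return ip.split(".")[:len(want)] == want

def allowed(order, rules, ip):
    """rules: list of ('allow' | 'deny', spec); position in the list is ignored."""
    if order not in VALID_ORDERS:           # e.g. 'deny, allow' with a space
        raise ValueError("bad Order keyword: %r" % order)
    # Only whether any allow / any deny matched matters, not where it sits.
    hit_allow = any(matches(s, ip) for kind, s in rules if kind == "allow")
    hit_deny = any(matches(s, ip) for kind, s in rules if kind == "deny")
    if order == "deny,allow":
        ok = True                           # initial state is OK
        if hit_deny:
            ok = False
        if hit_allow:                       # allows run last and win
            ok = True
    elif order == "allow,deny":
        ok = False                          # initial state is FORBIDDEN
        if hit_allow:
            ok = True
        if hit_deny:                        # denies run last and win
            ok = False
    else:                                   # mutual-failure
        ok = hit_allow and not hit_deny
    return ok

# The rules from the quoted question, and the suggested change.
ORIGINAL = [("deny", "all"), ("allow", "150.134."), ("deny", "150.134.50.5")]
SUGGESTED = [("allow", "150.134."), ("deny", "150.134.50.5")]

# 150.134.50.5 is from the thread; the other two addresses are constructed.
SAMPLE_IPS = ("150.134.50.5", "150.134.1.1", "10.0.0.1")

def compare():
    """Map each sample IP to (result under original, result under suggested)."""
    return {ip: (allowed("deny,allow", ORIGINAL, ip),
                 allowed("allow,deny", SUGGESTED, ip)) for ip in SAMPLE_IPS}

if __name__ == "__main__":
    for ip, (before, after) in compare().items():
        print(ip, "original:", before, "suggested:", after)
```

Under "deny,allow" the single excluded address is let back in by the range allow; under "allow,deny" without the "deny from all" it stays blocked while the rest of the range is admitted.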