9/23/2010

Apache Access Control Order, Allow, Deny Confusion Ended!

Sometimes I go weeks, or even months between teaching how to control access to directories using an Apache web server. When the time comes to teach it again, I sometimes find that even I am confused about how the Order statement affects Allow and Deny from statements. Today, I worked out a couple of examples to help end this confusion permanently!

First of all, I will assume your web server is already up and running, and that there is a directory block that will permit the use of a .htaccess file to control access to that directory or its subdirectories.

In the default configuration file, I have enabled user home directories with the statement:
UserDir public_html
and not disabled by adding a #, so the other UserDir line looks like this:
# UserDir disabled

Just below this, I have also uncommented the Directory block for user home directories like this:

AllowOverride FileInfo AuthConfig Limit
# Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
#
# Order allow,deny
# Allow from all
#

#
# Order deny,allow
# Deny from all
#


The important thing in this block is that AllowOverride permits Limit,
which lets us use .htaccess files with Order, Allow from and Deny from statements.

To allow just the web server access to my home directory, I have executed:

setfacl -m u:apache:x /home/keith/
mkdir /home/keith/public_html
restorecon -v /home/keith/public_html


To create a directory that would be mostly open:

mkdir /home/keith/public_html/denyremote
echo 'Deny from 192.168.1. network' > /home/keith/public_html/denyremote/index.html


In a file /home/keith/public_html/denyremote/.htaccess

Order Deny,Allow
# Deny is processed first
Deny from 192.168.1.
# Allow is processed second
Allow from 127.0.0.1
# If matched by both then allowed
# If matched by neither then allowed

To create a directory that would be mostly closed:

mkdir /home/keith/public_html/localsonly
echo 'Allow from 127.0.0.1 only' > /home/keith/public_html/localsonly/index.html


In a file /home/keith/public_html/localsonly/.htaccess

Order Allow,Deny
# Allow is processed first
Allow from 127.0.0.1
# Deny is processed second
Deny from 192.168.1.1
# If matched by both, then denied
# If matched by neither, then denied

No comments:

About Me - WrightRocket

My photo

I've worked with computers for over 30 years, programming, administering, using and building them from scratch.

I'm an instructor for technical computer courses, an editor and developer of training manuals, and an Android developer.