authz_host is an Apache module used to restrict access based on the client’s IP address or hostname. Order Allow,Deny and Order Deny,Allow are two of its directives that determine how the following Allow from and Deny from statements are interpreted. This post hopes to explain in simple terms how to use these properly.
Think of whitelisting in terms of access to an exclusive club. By default everyone is denied access. To get access your name needs to be on the whitelist that the club maintains. If you want to whitelist access to your website you use Allow,Deny:
1 2 3 4
Order Allow,Deny Allow from 192.168.0.1 Allow from 192.168.0.2 Allow from vip.isp.example.com
The default behaviour is to deny. You only allow specific clients access.
Think of blacklisting in terms of access to public services. By default everyone is allowed to use them. But some elements are denied access because of bad behaviour. Their names are found on the blacklist. If you want to blacklist clients and prevent them from accessing your site you use Deny,Allow:
1 2 3 4
Order Deny,Allow Deny from 192.168.0.1 Deny from bad.bot.example.com Deny from 192.168.0.2
By default people are allowed access. Only specific IPs and hosts are denied access.
Maybe you only want to allow access to people from one organization except for those working in a certain department. This is a whitelist with exceptions:
1 2 3
Order Allow,Deny Allow from bigorg.com Deny from marketing.bigorg.com
As with all whitelists the default policy is to deny access. We allow access from bigorg.com but disallow access from their marketing department sub-domain.
Exceptions in the case of blacklists are demonstrated below:
1 2 3
Order Deny,Allow Deny from bigorg.com Allow from it.bigorg.com
Clients from bigorg.com are denied access except for those working in IT. Everyone else is allowed access.