Apache authz_host: Order Deny,Allow vs. Order Allow,Deny

Apache authz_host is an Apache module used to restrict access based on the client’s IP address or hostname. Order Allow,Deny and Order Deny,Allow are two of its directives that determine how the following Allow from and Deny from statements are interpreted. This post hopes to explain in simple terms how to use them properly.

Whitelisting

Think of whitelisting in terms of access to an exclusive club. By default everyone is denied access. To get access your name needs to be on the whitelist that the club maintains. If you want to whitelist access to your website you use Allow,Deny:

    Order Allow,Deny
    Allow from 192.168.0.1
    Allow from 192.168.0.2
    Allow from vip.isp.example.com

The default behaviour is to deny. You only allow specific clients access.


Blacklisting

Think of blacklisting in terms of access to public services. By default everyone is allowed to use them. But some elements are denied access because of bad behaviour. Their names are found on the blacklist. If you want to blacklist clients and prevent them from accessing your site you use Deny,Allow:

    Order Deny,Allow
    Deny from 192.168.0.1
    Deny from bad.bot.example.com
    Deny from 192.168.0.2

By default people are allowed access. Only specific IPs and hosts are denied access.

Exceptions

Maybe you only want to allow access to people from one organization except for those working in a certain department. This is a whitelist with exceptions:

    Order Allow,Deny
    Allow from bigorg.com
    Deny from marketing.bigorg.com

As with all whitelists, the default policy is to deny access. We allow access from bigorg.com but disallow access from its marketing department's sub-domain.

Exceptions in the case of blacklists are demonstrated below:

    Order Deny,Allow
    Deny from bigorg.com
    Allow from it.bigorg.com

Clients from bigorg.com are denied access except for those working in IT. Everyone else is allowed access.
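To make the evaluation rules behind all four snippets concrete, here is an added simulation of how Apache 2.2 mod_authz_host evaluates Order Allow,Deny and Order Deny,Allow. It is example code written for this page, not Apache's own code. It parses the four snippets above (plus a constructed misconfiguration), applies the documented rules (Allow,Deny: a client must match an Allow and no Deny, default deny; Deny,Allow: a client is denied only if it matches a Deny and no Allow, default allow), and supports the "all", exact IP, partial dotted prefix, CIDR and domain-suffix forms of the from argument. The client hostnames passed in are constructed sample values and are assumed to be what Apache would obtain from its own double-reverse DNS lookup; the simulation does no DNS.

```python
"""Simulation of Apache 2.2 mod_authz_host 'Order' evaluation.

Added example, not Apache's own code.  It implements the documented rules:
  Order Allow,Deny -> a client is allowed only if some 'Allow from' matches
                      and no 'Deny from' matches (default: deny)
  Order Deny,Allow -> a client is denied only if some 'Deny from' matches
                      and no 'Allow from' matches (default: allow)
The client hostname passed in is assumed to be the name Apache would obtain
from its own double-reverse DNS lookup; the simulation does no DNS.
"""
import ipaddress


def _is_ip_pattern(pattern):
    """True for 'a.b.c.d', partial dotted prefixes like '192.168', or CIDR 'a.b.c.d/n'."""
    addr = pattern.split("/", 1)[0]
    return all(part.isdigit() for part in addr.split("."))


def _matches(pattern, client_ip, client_host):
    """Does one 'from' argument match the client?"""
    pattern = pattern.lower()
    if pattern == "all":
        return True
    if _is_ip_pattern(pattern):
        if "/" in pattern:                                   # CIDR block
            net = ipaddress.ip_network(pattern, strict=False)
            return ipaddress.ip_address(client_ip) in net
        prefix = pattern.split(".")                          # full or partial IP
        return client_ip.split(".")[:len(prefix)] == prefix
    # hostname pattern: exact match or domain suffix ('bigorg.com' matches 'www.bigorg.com',
    # but not 'notbigorg.com'); without a resolved hostname a host rule can never match
    if client_host is None:
        return False
    host = client_host.lower()
    return host == pattern or host.endswith("." + pattern)


def parse_rules(config_text):
    """Extract (order, allow_patterns, deny_patterns) from an Order/Allow/Deny snippet."""
    order, allows, denies = None, [], []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        directive, _, rest = line.partition(" ")
        directive = directive.lower()
        if directive == "order":
            order = rest.replace(" ", "").lower()
            if order not in ("allow,deny", "deny,allow"):
                raise ValueError(f"unsupported Order value: {rest!r}")
        elif directive in ("allow", "deny"):
            words = rest.split()
            if len(words) < 2 or words[0].lower() != "from":
                raise ValueError(f"malformed directive: {line!r}")
            (allows if directive == "allow" else denies).extend(words[1:])
        else:
            raise ValueError(f"unknown directive: {line!r}")
    return order or "deny,allow", allows, denies   # Apache's default Order is Deny,Allow


def is_allowed(config_text, client_ip, client_host=None):
    """Evaluate a client against the snippet; the line order of Allow/Deny never matters."""
    order, allows, denies = parse_rules(config_text)
    hit_allow = any(_matches(p, client_ip, client_host) for p in allows)
    hit_deny = any(_matches(p, client_ip, client_host) for p in denies)
    if order == "allow,deny":
        return hit_allow and not hit_deny       # default deny; Deny wins a double match
    return hit_allow or not hit_deny            # default allow; Allow wins a double match


# The four snippets from the post, plus a constructed misconfiguration and its fix.
WHITELIST = "Order Allow,Deny\nAllow from 192.168.0.1\nAllow from 192.168.0.2\nAllow from vip.isp.example.com\n"
BLACKLIST = "Order Deny,Allow\nDeny from 192.168.0.1\nDeny from bad.bot.example.com\nDeny from 192.168.0.2\n"
WHITELIST_WITH_EXCEPTION = "Order Allow,Deny\nAllow from bigorg.com\nDeny from marketing.bigorg.com\n"
BLACKLIST_WITH_EXCEPTION = "Order Deny,Allow\nDeny from bigorg.com\nAllow from it.bigorg.com\n"
# 'Deny from all' under Allow,Deny matches everyone, so the Allow line can never win:
BROKEN_WHITELIST = "Order Allow,Deny\nDeny from all\nAllow from 192.168.0.1\n"
FIXED_WHITELIST = "Order Deny,Allow\nDeny from all\nAllow from 192.168.0.1\n"

if __name__ == "__main__":
    # Constructed sample clients: (ip, reverse-resolved hostname or None)
    clients = [("192.168.0.1", None), ("192.168.0.9", None),
               ("10.0.0.5", "vip.isp.example.com"), ("10.0.0.6", "pc1.marketing.bigorg.com"),
               ("10.0.0.7", "ws.it.bigorg.com"), ("10.0.0.8", "crawler.bad.bot.example.com")]
    for name, cfg in [("whitelist", WHITELIST), ("blacklist", BLACKLIST),
                      ("whitelist+exception", WHITELIST_WITH_EXCEPTION),
                      ("blacklist+exception", BLACKLIST_WITH_EXCEPTION),
                      ("broken whitelist", BROKEN_WHITELIST), ("fixed whitelist", FIXED_WHITELIST)]:
        print(name)
        for ip, host in clients:
            verdict = "allow" if is_allowed(cfg, ip, host) else "DENY"
            print(f"  {ip:<12} {host or '-':<30} {verdict}")
```

Two things the simulation makes visible: the textual order of Allow from and Deny from lines never matters, only the Order directive does, and "Deny from all" under Order Allow,Deny locks everyone out, including the addresses you meant to allow, whereas the same two lines under Order Deny,Allow give the intended whitelist. Hostname rules also depend on Apache resolving the client address back to a name, so IP-based rules are both cheaper and less dependent on DNS. On Apache 2.4 these directives are provided by mod_access_compat; the native equivalents are Require ip, Require host and Require all granted or denied, combined with RequireAll, RequireAny and RequireNone blocks.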
