Posted to docs@httpd.apache.org by Chris Pepper <pe...@reppep.com> on 2006/11/01 22:53:17 UTC

Significance of evaluation order?

	I (again) banged my head against Order today. 
<http://httpd.apache.org/docs/trunk/mod/mod_access_compat.html#order> 
says:

>Deny,Allow
>The Deny directives are evaluated before the Allow directives. 
>Access is allowed by default. Any client which does not match a Deny 
>directive or does match an Allow directive will be allowed access to 
>the server.

	I'm used to 'evaluated before' meaning first match applies 
(firewall style), and any later matches never being checked.

	I can't figure out how 'before' is relevant in this sentence, 
since all Allow matches are checked, even if a Deny matches ('before' 
the Allow match).

	Is there a meaning to 'before' I'm just not getting, or can 
this be removed as confusing?? Is it a historical artifact having to 
do with code internals, and not relevant to .conf syntax?


						Regards,


						Chris Pepper
-- 
Chris Pepper:               <http://www.reppep.com/~pepper/>
                             <http://www.reppep.com/weblog/pepper/>
Rockefeller University:     <http://www.rockefeller.edu/>

---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org


Re: Significance of evaluation order?

Posted by Chris Pepper <pe...@reppep.com>.
At 6:22 PM -0500 2006/11/01, Eric Covener wrote:
>On 11/1/06, Chris Pepper <pe...@reppep.com> wrote:
>>         I (again) banged my head against Order today.
>><http://httpd.apache.org/docs/trunk/mod/mod_access_compat.html#order>
>>says:
>>
>>>Deny,Allow
>>>The Deny directives are evaluated before the Allow directives.
>>>Access is allowed by default. Any client which does not match a Deny
>>>directive or does match an Allow directive will be allowed access to
>>>the server.
>>
>>         I'm used to 'evaluated before' meaning first match applies
>>(firewall style), and any later matches never being checked.
>
>If the incoming host matches both a Deny and an Allow, and Deny is
>evaluated first, then the Allow later on will toggle access back on.
>The result is very different if you don't consider which of the
>Allow/Deny run first, assuming someone matches one of each.
>
>Order Deny,Allow
># Default allow
># Uh oh, these are listed in the opposite order that Apache evaluates them
># Might be a sign of confusion
>Allow from bar.com
>Deny from foo.bar.com
>
>This is in contrast to "stop at first match of either type" or "follow
>the order in httpd.conf".
>
>One reason to think about rewording is that the phrase that talks
>about default access policy comes "after" the phrase about the order
>of evaluation -- but it's actually a description of the initial
>state.
>
>"Order Deny, Allow: Access is allowed by default, then all Deny
>directives are applied, followed by all Allow directives."

	I think a better wording would be to say that the second 
directive overrides, and sets the default state. 'before' just seems 
confusing.


						Chris
-- 
Chris Pepper:               <http://www.reppep.com/~pepper/>
                             <http://www.reppep.com/weblog/pepper/>
Rockefeller University:     <http://www.rockefeller.edu/>



Re: Significance of evaluation order?

Posted by Eric Covener <co...@gmail.com>.
On 11/1/06, Chris Pepper <pe...@reppep.com> wrote:
>         I (again) banged my head against Order today.
> <http://httpd.apache.org/docs/trunk/mod/mod_access_compat.html#order>
> says:
>
> >Deny,Allow
> >The Deny directives are evaluated before the Allow directives.
> >Access is allowed by default. Any client which does not match a Deny
> >directive or does match an Allow directive will be allowed access to
> >the server.
>
>         I'm used to 'evaluated before' meaning first match applies
> (firewall style), and any later matches never being checked.

If the incoming host matches both a Deny and an Allow, and Deny is
evaluated first, then the Allow later on will toggle access back on.
The result is very different if you don't consider which of the
Allow/Deny run first, assuming someone matches one of each.

Order Deny,Allow
# Default allow
# Uh oh, these are listed in the opposite order that Apache evaluates them
# Might be a sign of confusion
Allow from bar.com
Deny from foo.bar.com

This is in contrast to "stop at first match of either type" or "follow
the order in httpd.conf".

One reason to think about rewording is that the phrase that talks
about default access policy comes "after" the phrase about the order
of evaluation -- but it's actually a description of the initial
state.

"Order Deny, Allow: Access is allowed by default, then all Deny
directives are applied, followed by all Allow directives."


-- 
Eric Covener
covener@gmail.com
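
Added example (not part of any message in this thread, and not httpd source): a simplified Python model of the Order semantics quoted above, next to the "first match wins" firewall-style reading, run on the directives from the reply. The function names are hypothetical, and only "all" and partial domain names are modelled (no IP/CIDR, no env=).

```python
# Added illustration: a simplified model of the documented Order semantics.
# Not httpd code; only "all" and partial domain names are handled.

ERIC_CONF = """\
Order Deny,Allow
Allow from bar.com
Deny from foo.bar.com
"""  # the directives from the thread, with the comment lines dropped

def matches(spec, host):
    """Partial domain names match whole components only:
    bar.com matches foo.bar.com but not foobar.com."""
    spec, host = spec.lower(), host.lower()
    return spec == "all" or host == spec or host.endswith("." + spec)

def parse(conf):
    order, rules = "deny,allow", {"allow": [], "deny": []}  # httpd's default Order
    for line in conf.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        key = words[0].lower()
        if key == "order":
            order = "".join(words[1:]).lower()
        elif key in rules and len(words) > 2 and words[1].lower() == "from":
            rules[key].extend(words[2:])
    if order not in ("deny,allow", "allow,deny"):
        raise ValueError("unmodelled Order: " + order)
    return order, rules

def _hits(conf, host):
    order, rules = parse(conf)
    allowed = any(matches(s, host) for s in rules["allow"])
    denied = any(matches(s, host) for s in rules["deny"])
    return order, allowed, denied

def apache_order(conf, host):
    """Every Allow and Deny is checked; the second-named type overrides."""
    order, allowed, denied = _hits(conf, host)
    if order == "deny,allow":
        return allowed or not denied   # default allow, Allow overrides Deny
    return allowed and not denied      # default deny, Deny overrides Allow

def first_match(conf, host):
    """Firewall-style reading: first-named type is checked and stops on a hit."""
    order, allowed, denied = _hits(conf, host)
    if order == "deny,allow":
        return not denied              # a Deny hit ends evaluation
    return allowed                     # allow,deny: an Allow hit ends evaluation
```

Under Order Deny,Allow the `Deny from foo.bar.com` line has no effect on foo.bar.com, because `Allow from bar.com` also matches and overrides it; with Order Allow,Deny the same two lines do block that host.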
