Posted to cvs@httpd.apache.org by nd...@apache.org on 2007/04/24 17:22:23 UTC

svn commit: r531980 - in /httpd/httpd/branches/2.0.x/docs/manual/mod: mod_access.html.en mod_access.xml.ja

Author: nd
Date: Tue Apr 24 08:22:22 2007
New Revision: 531980

URL: http://svn.apache.org/viewvc?view=rev&rev=531980
Log:
`build extraclean all`

Modified:
    httpd/httpd/branches/2.0.x/docs/manual/mod/mod_access.html.en
    httpd/httpd/branches/2.0.x/docs/manual/mod/mod_access.xml.ja

Modified: httpd/httpd/branches/2.0.x/docs/manual/mod/mod_access.html.en
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/docs/manual/mod/mod_access.html.en?view=diff&rev=531980&r1=531979&r2=531980
==============================================================================
--- httpd/httpd/branches/2.0.x/docs/manual/mod/mod_access.html.en (original)
+++ httpd/httpd/branches/2.0.x/docs/manual/mod/mod_access.html.en Tue Apr 24 08:22:22 2007
@@ -86,7 +86,7 @@
 
     <p>The <code class="directive">Allow</code> directive affects which hosts can
     access an area of the server. Access can be controlled by
-    hostname, IP Address, IP Address range, or by other
+    hostname, IP address, IP address range, or by other
     characteristics of the client request captured in environment
     variables.</p>
 
@@ -229,39 +229,78 @@
 <tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_access</td></tr>
 </table>
 
-    <p>The <code class="directive">Order</code> directive controls the default
-    access state and the order in which <code class="directive"><a href="#allow">Allow</a></code> and <code class="directive"><a href="#deny">Deny</a></code> directives are evaluated.
-    <var>Ordering</var> is one of</p>
+    <p>The <code class="directive">Order</code> directive, along with the
+    <code class="directive"><a href="#allow">Allow</a></code> and <code class="directive"><a href="#deny">Deny</a></code> directives, controls a
+    three-pass access control system. The first pass processes either
+    all <code class="directive"><a href="#allow">Allow</a></code> or all
+    <code class="directive"><a href="#deny">Deny</a></code> directives, as
+    specified by the <code class="directive">Order</code> directive. The second
+    pass parses the rest of the directives (<code class="directive"><a href="#deny">Deny</a></code> or <code class="directive"><a href="#allow">Allow</a></code>). The third pass applies to
+    all requests which do not match either of the first two.</p>
+
+    <p>Note that all <code class="directive"><a href="#allow">Allow</a></code>
+    and <code class="directive"><a href="#deny">Deny</a></code> directives are
+    processed, unlike a typical firewall, where only the first match is
+    used. The last match is effective (also unlike a typical firewall).
+    Additionally, the order in which lines appear in the configuration
+    files is not significant -- all <code class="directive"><a href="#allow">Allow</a></code> lines are processed as one
+    group, all <code class="directive"><a href="#deny">Deny</a></code> lines are
+    considered as another, and the default state is considered by
+    itself.</p>
+
+    <p><em>Ordering</em> is one of:</p>
 
     <dl>
       <dt><code>Deny,Allow</code></dt>
 
-      <dd>The <code class="directive"><a href="#deny">Deny</a></code> directives
-      are evaluated before the <code class="directive"><a href="#allow">Allow</a></code> directives. Access is
-      allowed by default.  Any client which does not match a
-      <code class="directive"><a href="#deny">Deny</a></code> directive or does
-      match an <code class="directive"><a href="#allow">Allow</a></code>
-      directive will be allowed access to the server.</dd>
+      <dd>First, all <code class="directive"><a href="#allow">Allow</a></code>
+      directives are evaluated; at least one must match, or the request
+      is rejected. Next, all <code class="directive"><a href="#deny">Deny</a></code> directives are evaluated. If
+      any matches, the request is rejected. Last, any requests which do
+      not match an <code class="directive"><a href="#allow">Allow</a></code> or a
+      <code class="directive"><a href="#deny">Deny</a></code> directive are
+      denied by default.</dd>
 
       <dt><code>Allow,Deny</code></dt>
 
-      <dd>The <code class="directive"><a href="#allow">Allow</a></code>
-      directives are evaluated before the <code class="directive"><a href="#deny">Deny</a></code> directives. Access is denied
-      by default. Any client which does not match an <code class="directive"><a href="#allow">Allow</a></code> directive or does match a
-      <code class="directive"><a href="#deny">Deny</a></code> directive will be
-      denied access to the server.</dd>
+      <dd>First, all <code class="directive"><a href="#deny">Deny</a></code>
+      directives are evaluated; if any match, the request is denied
+      <strong>unless</strong> it also matches an <code class="directive"><a href="#allow">Allow</a></code> directive. Any requests
+      which do not match any <code class="directive"><a href="#allow">Allow</a></code> or <code class="directive"><a href="#deny">Deny</a></code> directives are
+      permitted.</dd>
 
       <dt><code>Mutual-failure</code></dt>
 
-      <dd>Only those hosts which appear on the <code class="directive"><a href="#allow">Allow</a></code> list and do not appear on
-      the <code class="directive"><a href="#deny">Deny</a></code> list are
-      granted access. This ordering has the same effect as <code>Order
-      Allow,Deny</code> and is deprecated in favor of that
-      configuration.</dd>
+      <dd>This order has the same effect as <code>Order
+      Allow,Deny</code> and is deprecated in its favor.</dd>
     </dl>
 
-    <p>Keywords may only be separated by a comma; <em>no whitespace</em> is
-    allowed between them. Note that in all cases every <code class="directive"><a href="#allow">Allow</a></code> and <code class="directive"><a href="#deny">Deny</a></code> statement is evaluated.</p>
+    <p>Keywords may only be separated by a comma; <em>no whitespace</em>
+    is allowed between them.</p>
+
+    <table class="bordered">
+      <tr>
+        <th>Match</th>
+        <th>Allow,Deny result</th>
+        <th>Deny,Allow result</th>
+      </tr><tr>
+        <th>Match Allow only</th>
+        <td>Request allowed</td>
+        <td>Request allowed</td>
+      </tr><tr>
+        <th>Match Deny only</th>
+        <td>Request denied</td>
+        <td>Request denied</td>
+      </tr><tr>
+        <th>No match</th>
+        <td>Default to second directive: Denied</td>
+        <td>Default to second directive: Allowed</td>
+      </tr><tr>
+        <th>Match both Allow &amp; Deny</th>
+        <td>Final match controls: Denied</td>
+        <td>Final match controls: Allowed</td>
+      </tr>
+    </table>
 
     <p>In the following example, all hosts in the apache.org domain
     are allowed access; all other hosts are denied access.</p>
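Review bot: the two new <dd> descriptions are attached to the wrong <dt> entries. The text added under the unchanged <dt><code>Deny,Allow</code></dt> ends with "denied by default", and the text added under <dt><code>Allow,Deny</code></dt> ends with "permitted", while the table added in the same hunk gives "Denied" as the no-match result for Allow,Deny and "Allowed" for Deny,Allow. Swap the two <dd> bodies so the definitions agree with the table; a reader who configures from the definitions as written ends up with the opposite default from the one intended. The text now under Allow,Deny also stops after two steps even though the new introduction promises three passes, so spell out its default pass as the other entry does. Since the log message indicates this file is build output, the correction belongs in the source it is generated from.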
@@ -273,10 +312,9 @@
     </code></p></div>
 
     <p>In the next example, all hosts in the apache.org domain are
-    allowed access, except for the hosts which are in the
-    foo.apache.org subdomain, who are denied access. All hosts not
-    in the apache.org domain are denied access because the default
-    state is to deny access to the server.</p>
+    allowed access, except for the hosts which are in the foo.apache.org
+    subdomain, who are denied access. All hosts not in the apache.org
+    domain are denied access because the default state is to <code class="directive"><a href="#deny">Deny</a></code> access to the server.</p>
 
     <div class="example"><p><code>
       Order Allow,Deny<br />
@@ -284,20 +322,20 @@
       Deny from foo.apache.org
     </code></p></div>
 
-    <p>On the other hand, if the <code class="directive">Order</code> in the last
-    example is changed to <code>Deny,Allow</code>, all hosts will
-    be allowed access. This happens because, regardless of the
-    actual ordering of the directives in the configuration file,
-    the <code>Allow from apache.org</code> will be evaluated last
-    and will override the <code>Deny from foo.apache.org</code>.
-    All hosts not in the <code>apache.org</code> domain will also
-    be allowed access because the default state will change to
-    <var>allow</var>.</p>
-
-    <p>The presence of an <code class="directive">Order</code> directive can affect
-    access to a part of the server even in the absence of accompanying
-    <code class="directive"><a href="#allow">Allow</a></code> and <code class="directive"><a href="#deny">Deny</a></code> directives because of its effect
-    on the default access state.  For example,</p>
+    <p>On the other hand, if the <code class="directive">Order</code> in the
+    last example is changed to <code>Deny,Allow</code>, all hosts will
+    be allowed access. This happens because, regardless of the actual
+    ordering of the directives in the configuration file, the
+    <code>Allow from apache.org</code> will be evaluated last and will
+    override the <code>Deny from foo.apache.org</code>. All hosts not in
+    the <code>apache.org</code> domain will also be allowed access
+    because the default state is <code class="directive"><a href="#allow">Allow</a></code>.</p>
+
+    <p>The presence of an <code class="directive">Order</code> directive can
+    affect access to a part of the server even in the absence of
+    accompanying <code class="directive"><a href="#allow">Allow</a></code> and
+    <code class="directive"><a href="#deny">Deny</a></code> directives because
+    of its effect on the default access state.  For example,</p>
 
     <div class="example"><p><code>
       &lt;Directory /www&gt;<br />
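Review bot: in the last changed sentence of the first paragraph, "the default state is <code class="directive"><a href="#allow">Allow</a></code>" replaces the removed <var>allow</var> with a link to the Allow directive, but the default state is what applies when no Allow or Deny directive matches, so it is a value and not a reference to that directive. Keep the state marked up as <var>allow</var> and reserve the directive link for actual directive references. The remaining changes in this hunk are re-wrapping only.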
@@ -307,20 +345,20 @@
       &lt;/Directory&gt;
     </code></p></div>
 
-    <p>will deny all access to the <code>/www</code> directory
-    because the default access state will be set to
-    <var>deny</var>.</p>
+    <p>will <code class="directive"><a href="#deny">Deny</a></code> all access
+    to the <code>/www</code> directory because the default access state
+    is set to <code class="directive"><a href="#deny">Deny</a></code>.</p>
 
-    <p>The <code class="directive">Order</code> directive controls the order of access
-    directive processing only within each phase of the server's
+    <p>The <code class="directive">Order</code> directive controls the order of
+    access directive processing only within each phase of the server's
     configuration processing. This implies, for example, that an
     <code class="directive"><a href="#allow">Allow</a></code> or <code class="directive"><a href="#deny">Deny</a></code> directive occurring in a
-    <code class="directive"><a href="../mod/core.html#location">&lt;Location&gt;</a></code> section will
-    always be evaluated after an <code class="directive"><a href="#allow">Allow</a></code> or <code class="directive"><a href="#deny">Deny</a></code> directive occurring in a
-    <code class="directive"><a href="../mod/core.html#directory">&lt;Directory&gt;</a></code> section or
-    <code>.htaccess</code> file, regardless of the setting of the
-    <code class="directive">Order</code> directive. For details on the merging
-    of configuration sections, see the documentation on <a href="../sections.html">How Directory, Location and Files sections
+    <code class="directive"><a href="../mod/core.html#location">&lt;Location&gt;</a></code> section
+    will always be evaluated after an <code class="directive"><a href="#allow">Allow</a></code> or <code class="directive"><a href="#deny">Deny</a></code> directive occurring in a
+    <code class="directive"><a href="../mod/core.html#directory">&lt;Directory&gt;</a></code>
+    section or <code>.htaccess</code> file, regardless of the setting of
+    the <code class="directive">Order</code> directive. For details on the
+    merging of configuration sections, see the documentation on <a href="../sections.html">How Directory, Location and Files sections
     work</a>.</p>
 
 </div>
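Review bot: in the first changed paragraph, "will <code class="directive"><a href="#deny">Deny</a></code> all access" turns the directive link into the sentence's verb, although the paragraph introducing this example says it shows the effect of Order in the absence of accompanying Allow and Deny directives. Linking to the Deny directive here suggests that one is involved. Suggest keeping the removed wording, "will deny all access" with the state as <var>deny</var>, so the point that the default alone blocks /www stays clear. The second paragraph is re-wrapped only.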

Modified: httpd/httpd/branches/2.0.x/docs/manual/mod/mod_access.xml.ja
URL: http://svn.apache.org/viewvc/httpd/httpd/branches/2.0.x/docs/manual/mod/mod_access.xml.ja?view=diff&rev=531980&r1=531979&r2=531980
==============================================================================
--- httpd/httpd/branches/2.0.x/docs/manual/mod/mod_access.xml.ja [iso-2022-jp] (original)
+++ httpd/httpd/branches/2.0.x/docs/manual/mod/mod_access.xml.ja [iso-2022-jp] Tue Apr 24 08:22:22 2007
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="iso-2022-jp"?>
 <!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
 <?xml-stylesheet type="text/xsl" href="../style/manual.ja.xsl"?>
-<!-- English Revision: 151405:421174 (outdated) -->
+<!-- English Revision: 151405:479897 (outdated) -->
 
 <!--
  Licensed to the Apache Software Foundation (ASF) under one or more