Posted to users@httpd.apache.org by Téssio Fechine <pr...@yahoo.com.br> on 2012/03/26 13:10:41 UTC

[users@httpd] Question About ACL

Hello,
I am learning apache, and the ironic part is that reading the apache documentation on acl reinforced my doubt in this matter.

In this part:
In the following example, all hosts in the apache.org domain are allowed access; all other hosts are denied access.

Order Deny,Allow
Deny from all
Allow from apache.org

---
My interpretation on this example:

Order Deny,Allow   (allow everything, unless specifically denied)
Deny from all   (deny everything.. kind of contradictory after the last line)
Allow from apache.org   (allow this specific hosts)

---
Why not use this, that has fewer steps and seems more logical?:

Order Allow,Deny   (deny by default)
Allow from apache.org   (allow this specific hosts)

I am getting it wrong or what? Why almost every example I see seems kind of contradictory?

Re: [users@httpd] Question About ACL

Posted by Eric Covener <co...@gmail.com>.
I've always believed the second-thing-is-the-default is not
intuitive/obvious and people don't like to depend on it -- they just
want to choose the order of evaluation which has obvious use cases
either direction.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Question About ACL

Posted by Téssio Fechine <pr...@yahoo.com.br>.

> From: Tom Evans <te...@googlemail.com>
> Subject: Re: [users@httpd] Question About ACL
> To: users@httpd.apache.org
> Date: Monday, 26 March 2012, 10:14
> 2012/3/26 Téssio Fechine <pr...@yahoo.com.br>:
> >
> >> Not at all; you are right that that stanza is equivalent to
> >> "Order Allow,Deny", but the behaviour after adding an additional
> >> Allow is different.
> >>
> >> There isn't one right or wrong way, you just have to understand that
> >> there are two ways, and what the differences are.
> >>
> >> Cheers
> >>
> >> Tom
> >
> > "... but the behaviour after adding an additional Allow is different."
> > This is what I am trying to understand, but I can't. Can you give me an example of that, please?
> >
> > I am starting learning this now, and I can't see any difference in these two cases.. only the lack of logic in the first one:
> >
> > Order Deny,Allow       (allow everything, unless specifically denied)
> > Deny from all          (now deny everything)
> > Allow from apache.org  (now allow this specific hosts)
> >
> > Order Allow,Deny       (deny everything by default)
> > Allow from apache.org  (allow this specific hosts)
> >
> > What I am asking is an example of any situation in which the first case is preferable.
> > Thanks!
> >
>
> Consider what would happen if you wanted to allow apache.org but deny
> foo.apache.org. Add a "Deny from foo.apache.org" to both, and the
> behaviour is different - the former will allow it, but the latter will
> deny it.
>
> The former also makes it more explicit what is happening, whilst the
> latter relies on the person reading it understanding what "Order
> Allow,Deny" means.
>
> Cheers
>
> Tom

Thanks!
Now I see clearly the point of all this..

> Which is exactly why in 2.4 this syntax goes away entirely.
> See http://httpd.apache.org/docs/current/mod/mod_authz_core.html#require

I have just learned something, and it is already outdated! *crying*



Re: [users@httpd] Question About ACL

Posted by Tom Evans <te...@googlemail.com>.
2012/3/26 Téssio Fechine <pr...@yahoo.com.br>:
>
>> Not at all; you are right that that stanza is equivalent to
>> "Order
>> Allow,Deny", but the behaviour after adding an additional
>> Allow is
>> different.
>>
>> There isn't one right or wrong way, you just have to
>> understand that
>> there are two ways, and what the differences are.
>>
>> Cheers
>>
>> Tom
>
> "... but the behaviour after adding an additional Allow is different."
> This is what I am trying to understand, but I can't. Can you give me an example of that, please?
>
> I am starting learning this now, and I can't see any difference in these two cases.. only the lack of logic in the first one:
>
> Order Deny,Allow       (allow everything, unless specifically denied)
> Deny from all          (now deny everything)
> Allow from apache.org  (now allow this specific hosts)
>
> Order Allow,Deny       (deny everything by default)
> Allow from apache.org  (allow this specific hosts)
>
> What I am asking is an example of any situation in which the first case is preferable.
> Thanks!
>

Consider what would happen if you wanted to allow apache.org but deny
foo.apache.org. Add a "Deny from foo.apache.org" to both, and the
behaviour is different - the former will allow it, but the latter will
deny it.

The former also makes it more explicit what is happening, whilst the
latter relies on the person reading it understanding what "Order
Allow,Deny" means.

Cheers

Tom



Re: [users@httpd] Question About ACL

Posted by Téssio Fechine <pr...@yahoo.com.br>.
> Not at all; you are right that that stanza is equivalent to
> "Order
> Allow,Deny", but the behaviour after adding an additional
> Allow is
> different.
> 
> There isn't one right or wrong way, you just have to
> understand that
> there are two ways, and what the differences are.
> 
> Cheers
> 
> Tom

"... but the behaviour after adding an additional Allow is different."
This is what I am trying to understand, but I can't. Can you give me an example of that, please? 

I am starting learning this now, and I can't see any difference in these two cases.. only the lack of logic in the first one:

Order Deny,Allow       (allow everything, unless specifically denied)
Deny from all          (now deny everything)
Allow from apache.org  (now allow this specific hosts)

Order Allow,Deny       (deny everything by default)
Allow from apache.org  (allow this specific hosts)

What I am asking is an example of any situation in which the first case is preferable.
Thanks!



Re: [users@httpd] Question About ACL

Posted by Tom Evans <te...@googlemail.com>.
2012/3/26 Téssio Fechine <pr...@yahoo.com.br>:
> So, constructions like that:
>
> Order Deny,Allow   (allow by default)
> Deny from all      (deny everything)
>
> are indeed kind of pointless, right? Nonetheless it's the most used form, even in the official documentation.
>

Not at all; you are right that that stanza is equivalent to "Order
Allow,Deny", but the behaviour after adding an additional Allow is
different.

There isn't one right or wrong way, you just have to understand that
there are two ways, and what the differences are.

Cheers

Tom



Re: [users@httpd] Question About ACL

Posted by Téssio Fechine <pr...@yahoo.com.br>.

> From: Tom Evans <te...@googlemail.com>
> Subject: Re: [users@httpd] Question About ACL
> To: users@httpd.apache.org
> Date: Monday, 26 March 2012, 8:19
> 2012/3/26 Téssio Fechine <pr...@yahoo.com.br>
> >
> > Hello,
> > I am learning apache, and the ironic part is that reading the apache
> > documentation on acl reinforced my doubt in this matter.
> >
> > In this part:
> > In the following example, all hosts in the apache.org domain are allowed
> > access; all other hosts are denied access.
> >
> > Order Deny,Allow
> > Deny from all
> > Allow from apache.org
> >
> > ---
> > My interpretation on this example:
> >
> > Order Deny,Allow   (allow everything, unless specifically denied)
> > Deny from all   (deny everything.. kind of contradictory after the last
> > line)
> > Allow from apache.org   (allow this specific hosts)
> >
> > ---
> > Why not use this, that has fewer steps and seems more logical?:
> >
> > Order Allow,Deny   (deny by default)
> > Allow from apache.org   (allow this specific hosts)
> >
> > I am getting it wrong or what? Why almost every example I see seems kind
> > of contradictory?
>
> The main differences are when you match both allow and deny, or match neither.
>
> With "allow,deny", you must match an "allow", and not match any
> "deny"s to get access, and with "deny,allow", you always get access
> unless you match a "deny".
>
> This allows you to control whether it is more important that if you
> specifically deny someone that they do not get access, or whether it
> is more important that if you specifically allow someone that they do
> get access.
>
> Cheers
>
> Tom

So, constructions like that:

Order Deny,Allow   (allow by default)
Deny from all      (deny everything)

are indeed kind of pointless, right? Nonetheless it's the most used form, even in the official documentation.



Re: [users@httpd] Question About ACL

Posted by Tom Evans <te...@googlemail.com>.
2012/3/26 Téssio Fechine <pr...@yahoo.com.br>
>
> Hello,
> I am learning apache, and the ironic part is that reading the apache
> documentation on acl reinforced my doubt in this matter.
>
> In this part:
> In the following example, all hosts in the apache.org domain are allowed
> access; all other hosts are denied access.
>
> Order Deny,Allow
> Deny from all
> Allow from apache.org
>
> ---
> My interpretation on this example:
>
> Order Deny,Allow   (allow everything, unless specifically denied)
> Deny from all   (deny everything.. kind of contradictory after the last
> line)
> Allow from apache.org   (allow this specific hosts)
>
> ---
> Why not use this, that has fewer steps and seems more logical?:
>
> Order Allow,Deny   (deny by default)
> Allow from apache.org   (allow this specific hosts)
>
> I am getting it wrong or what? Why almost every example I see seems kind
> of contradictory?

The main differences are when you match both allow and deny, or match neither.

With "allow,deny", you must match an "allow", and not match any
"deny"s to get access, and with "deny,allow", you always get access
unless you match a "deny".

This allows you to control whether it is more important that if you
specifically deny someone that they do not get access, or whether it
is more important that if you specifically allow someone that they do
get access.

Cheers

Tom
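
Added example, not part of Tom Evans's message and not httpd's own code: a simplified Python model of the 2.2 Order/Allow/Deny evaluation described above, applied to the foo.apache.org case raised elsewhere in this thread. It assumes the client hostname is already known and handles only hostname and "all" rules; the function names and sample hostnames are constructed for illustration.

```python
# Added illustration: simplified model of httpd 2.2 Order/Allow/Deny
# evaluation for hostname rules only (no IP/CIDR or env= forms).

def host_matches(spec, host):
    """'all' matches everything; a domain matches itself and its subdomains
    on whole-label boundaries (apache.org matches foo.apache.org but not
    fooapache.org)."""
    spec, host = spec.lower(), host.lower()
    if spec == "all":
        return True
    spec = spec.lstrip(".")
    return host == spec or host.endswith("." + spec)

def evaluate(order, allow, deny, host):
    """Return True if host gets access under the given Order."""
    allowed = any(host_matches(s, host) for s in allow)
    denied = any(host_matches(s, host) for s in deny)
    order = order.replace(" ", "").lower()
    if order == "deny,allow":
        # Deny rules run first, Allow rules override them; no match = allow.
        return allowed or not denied
    if order == "allow,deny":
        # Allow rules run first, Deny rules override them; no match = deny.
        return allowed and not denied
    raise ValueError("unsupported Order: %r" % order)

# The two stanzas from the thread, each with the extra
# "Deny from foo.apache.org" line added: (order, allow list, deny list).
DENY_ALLOW = ("Deny,Allow", ["apache.org"], ["all", "foo.apache.org"])
ALLOW_DENY = ("Allow,Deny", ["apache.org"], ["foo.apache.org"])

def decision_table(hosts):
    """Map each host to (Deny,Allow result, Allow,Deny result)."""
    return {h: (evaluate(*DENY_ALLOW, h), evaluate(*ALLOW_DENY, h))
            for h in hosts}

if __name__ == "__main__":
    # Constructed sample hostnames.
    sample = ["www.apache.org", "foo.apache.org", "example.com", "fooapache.org"]
    for host, (da, ad) in decision_table(sample).items():
        print("%-16s Deny,Allow=%-5s Allow,Deny=%s" % (host, da, ad))
```

Only foo.apache.org differs between the two stanzas, because it is the only host that matches both an Allow and a Deny rule, which is where the Order directive decides the outcome.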



Re: [users@httpd] Question About ACL

Posted by Rich Bowen <rb...@rcbowen.com>.
On Mar 26, 2012, at 7:10 AM, Téssio Fechine wrote:

> Hello,
> I am learning apache, and the ironic part is that reading the apache documentation on acl reinforced my doubt in this matter.
> 
> In this part:
> In the following example, all hosts in the apache.org domain are allowed access; all other hosts are denied access.
> 
> Order Deny,Allow
> Deny from all
> Allow from apache.org
> 
> ---
> My interpretation on this example:
> 
> Order Deny,Allow   (allow everything, unless specifically denied)
> Deny from all   (deny everything.. kind of contradictory after the last line)  
> Allow from apache.org   (allow this specific hosts)
> 
> ---
> Why not use this, that has fewer steps and seems more logical?:
> 
> Order Allow,Deny   (deny by default)
> Allow from apache.org   (allow this specific hosts)
> 
> I am getting it wrong or what? Why almost every example I see seems kind of contradictory?


Which is exactly why in 2.4 this syntax goes away entirely. See http://httpd.apache.org/docs/current/mod/mod_authz_core.html#require


--
Rich Bowen
rbowen@rcbowen.com :: @rbowen
rbowen@apache.org