I am using the following syntax to block some IPs from my .htaccess file:
DirectoryIndex index.php
order allow,deny
deny from 17.18.19.0
deny from 18.17.19.1
allow from all
And now I am not sure if I can even use this:
DirectoryIndex index.php
order allow,deny
deny from 18.17.19.1
allow from all
deny from 18.15.19.1
allow from all
deny from 18.18.19.1
allow from all
So can I just repeat this structure?
deny from x.x.x.x
allow from all
Why am I asking? Because I found a PHP script that just appends deny from at the end of the file, and I am not sure if I need the "allow from all" line.
Can it be just like this?
DirectoryIndex index.php
order allow,deny
allow from all
deny from 17.18.19.0
deny from 18.17.19.1
deny from ... etc.
First of all, this documentation page does a good job explaining things.
The following quote comes from mod_authz_host's documentation:
The Order directive, along with the Allow and Deny directives, controls a three-pass access control system. The first pass processes either all Allow or all Deny directives, as specified by the Order directive. The second pass parses the rest of the directives (Deny or Allow). The third pass applies to all requests which do not match either of the first two.
Note that all Allow and Deny directives are processed, unlike a typical firewall, where only the first match is used. The last match is effective (also unlike a typical firewall). Additionally, the order in which lines appear in the configuration files is not significant -- all Allow lines are processed as one group, all Deny lines are considered as another, and the default state is considered by itself.
In other words, if you have Order Allow,Deny, it will first process all Allow directives, then all Deny directives. You can probably figure out that it doesn't matter if you have 1 Allow from all or 100 Allow from all directives. The final result is the same, but with 100 of those directives your server will need more time processing. It will then process all deny directives and overwrite the permission you just gave if needed.
Therefore, you just need one Order Allow,Deny directive and only one Allow from all directive. Whatever script you are using can then just append Deny directives as it sees fit and all will work as expected.
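
The evaluation model described in the answer above, as an added example that is not part of the original answer and is not Apache's own code: a small Python model of Order/Allow/Deny that groups the directives regardless of where they appear in the file. The function and constant names are hypothetical, the third sample layout and the address 192.0.2.10 are constructed, and only `all`, single addresses and CIDR ranges are modelled.

```python
import ipaddress

def parse(htaccess_text):
    """Collect Order plus all Allow/Deny specs; where a line sits is ignored."""
    order, rules = "deny,allow", {"allow": [], "deny": []}  # Apache's default Order
    for line in htaccess_text.splitlines():
        words = line.split()
        if len(words) >= 2 and words[0].lower() == "order":
            order = words[1].lower()
        elif len(words) >= 3 and words[0].lower() in rules and words[1].lower() == "from":
            rules[words[0].lower()].extend(words[2:])
    return order, rules

def matches(spec, client):
    """Only 'all', single addresses and CIDR ranges are modelled here."""
    if spec.lower() == "all":
        return True
    return ipaddress.ip_address(client) in ipaddress.ip_network(spec, strict=False)

def is_allowed(htaccess_text, client):
    order, rules = parse(htaccess_text)
    allowed = any(matches(s, client) for s in rules["allow"])
    denied = any(matches(s, client) for s in rules["deny"])
    if order == "allow,deny":
        return allowed and not denied  # default is deny; a Deny match wins
    if order == "deny,allow":
        return allowed or not denied   # default is allow; an Allow match wins
    raise ValueError(f"unsupported Order: {order}")

# Constructed samples: the question's first and last layouts, plus a repeated one.
ONE_ALLOW_LAST = """DirectoryIndex index.php
order allow,deny
deny from 17.18.19.0
deny from 18.17.19.1
allow from all"""
ONE_ALLOW_FIRST = """DirectoryIndex index.php
order allow,deny
allow from all
deny from 17.18.19.0
deny from 18.17.19.1"""
REPEATED_ALLOW = """DirectoryIndex index.php
order allow,deny
deny from 17.18.19.0
allow from all
deny from 18.17.19.1
allow from all"""
if __name__ == "__main__":
    for ip in ("17.18.19.0", "18.17.19.1", "192.0.2.10"):  # last one is a test address
        print(ip, [is_allowed(t, ip) for t in (ONE_ALLOW_LAST, ONE_ALLOW_FIRST, REPEATED_ALLOW)])
```

All three layouts give the same decision for every client, and a `deny from` line appended to the end of any of them takes effect without another `allow from all`.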