apache.htaccess

.htaccess, order allow, deny, deny from all: confusion


In my .htaccess, I have the following:

<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
<Files .htaccess>
order allow,deny
deny from all
</Files>

I looked online and in the Apache documentation and don't understand the Limit GET POST PUT DELETE etc., but I put it in thinking that, whatever it's doing, it is saying to allow and then, after allowing, it is denying again. It just does not make sense to me and I am not sure if I should remove it from .htaccess. I guess the third one means deny access to the .htaccess file, but this order allow then deny seems like it first allows and then immediately denies.


Solution

  • This is quite a confusing way of using Apache configuration directives.

    Technically, the first bit is equivalent to

    Allow From All
    

    This is because Order Deny,Allow causes the Deny directives to be evaluated before the Allow directives. In this case, Deny and Allow conflict with each other, but Allow, being evaluated last, will match any user, and access will be granted.

    Now, just to make things clear, this kind of configuration is BAD and should be avoided at all costs, because it borders on undefined behaviour.

    The Limit sections define which HTTP methods have access to the directory containing the .htaccess file.

    Here, GET and POST methods are allowed access, and PUT and DELETE methods are denied access. Here's a link explaining what the various HTTP methods are: http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html

    However, it's more often than not useless to use these limitations as long as you don't have custom CGI scripts or Apache modules that directly handle the non-standard methods (PUT and DELETE), since by default, Apache does not handle them at all.

    It must also be noted that a few other methods exist that can also be handled by Limit, namely CONNECT, OPTIONS, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, and UNLOCK.

    The last bit is also most certainly useless, since any correctly configured Apache installation contains the following piece of configuration (for Apache 2.2 and earlier):

    #
    # The following lines prevent .htaccess and .htpasswd files from being 
    # viewed by Web clients. 
    #
    <Files ~ "^\.ht">
        Order allow,deny
        Deny from all
        Satisfy all
    </Files>
    

    which forbids access to any file beginning with ".ht".

    The equivalent Apache 2.4 configuration should look like:

    <Files ~ "^\.ht">
        Require all denied
    </Files>
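To make the answer's reasoning checkable without standing up a server, here is an added example (written for this page; it is not Apache code and not part of the original question or answer) that models how Apache 2.2's mod_authz_host resolves Order/Allow/Deny inside Limit, LimitExcept and Files sections, and also honours the 2.4-style `Require all granted|denied` used in the answer's replacement block. The model is deliberately simplified: rules outside any Limit block apply to every method, a matching Files section replaces the directory-level rules (which is how Apache merges per-file configuration), and `from` arguments are limited to `all`, a full address, a dotted prefix or CIDR. The two configurations, the client address `203.0.113.5` and the filenames are constructed sample input. The second configuration uses LimitExcept, a standard Apache directive the answer does not mention, to show the caveat a practitioner cares about: Limit only restricts the methods you list, so OPTIONS (or anything else) passes the question's config untouched.

```python
"""Simplified model of Apache 2.2 mod_authz_host access evaluation.

Assumptions (illustration written for this page, not Apache's own code):
  * <Limit>/<LimitExcept> only restrict which methods their rules apply to;
    rules outside any such block apply to every method.
  * A <Files> section matching the requested file replaces directory rules.
  * 'from' arguments: 'all', a full IP, a dotted prefix, or CIDR notation.
  * 2.4-style 'Require all granted|denied' is also understood.
"""
import ipaddress
import re

OPEN_RE = re.compile(r'^<(Limit|LimitExcept|Files)\s+(.+?)>$', re.IGNORECASE)


def parse_htaccess(text):
    """Return a list of sections: dicts with kind, arg and (directive, value) rules."""
    root = {"kind": "root", "arg": "", "rules": []}
    sections, stack = [root], [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN_RE.match(line)
        if m:
            sec = {"kind": m.group(1).lower(), "arg": m.group(2).strip(), "rules": []}
            sections.append(sec)
            stack.append(sec)
        elif line.startswith("</"):
            stack.pop()
        else:
            directive, _, value = line.partition(" ")
            stack[-1]["rules"].append((directive.lower(), " ".join(value.lower().split())))
    return sections


def host_matches(spec, client_ip):
    """Match a 'from' argument against the client address."""
    if spec == "all":
        return True
    if "/" in spec:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)
    return client_ip == spec or client_ip.startswith(spec.rstrip(".") + ".")


def files_matches(arg, filename):
    """<Files name> is a literal name; <Files ~ "regex"> is a regular expression."""
    if arg.startswith("~"):
        return re.search(arg[1:].strip().strip('"'), filename) is not None
    return arg.strip('"') == filename


def section_applies(sec, method, filename):
    if sec["kind"] == "root":
        return True
    if sec["kind"] == "limit":            # rules apply only to the listed methods
        return method in sec["arg"].upper().split()
    if sec["kind"] == "limitexcept":      # rules apply to every method NOT listed
        return method not in sec["arg"].upper().split()
    return files_matches(sec["arg"], filename)


def evaluate_rules(rules, client_ip):
    """Apply Order/Allow/Deny (2.2) or Require all (2.4). None = no access rule present."""
    order, allows, denies, verdict_24 = "deny,allow", [], [], None
    for directive, value in rules:
        if directive == "order":
            order = value.replace(" ", "")
        elif directive in ("allow", "deny") and value.startswith("from "):
            (allows if directive == "allow" else denies).append(value[5:])
        elif directive == "require" and value in ("all granted", "all denied"):
            verdict_24 = value == "all granted"
    if verdict_24 is not None:
        return verdict_24
    if not (allows or denies) and not any(d == "order" for d, _ in rules):
        return None
    allowed = any(host_matches(s, client_ip) for s in allows)
    denied = any(host_matches(s, client_ip) for s in denies)
    if order == "deny,allow":             # default allow; a matching Allow overrides Deny
        return allowed or not denied
    return allowed and not denied         # allow,deny (and mutual-failure): default deny


def access_granted(text, method, filename, client_ip):
    """True if the request passes the access rules of this .htaccess text."""
    sections = parse_htaccess(text)
    file_secs = [s for s in sections if s["kind"] == "files" and section_applies(s, method, filename)]
    if file_secs:
        rules = file_secs[-1]["rules"]
    else:
        rules = [r for s in sections if s["kind"] != "files"
                 and section_applies(s, method, filename) for r in s["rules"]]
    verdict = evaluate_rules(rules, client_ip)
    return True if verdict is None else verdict


# The question's configuration, verbatim (constructed sample input for this model).
QUESTION_CONFIG = """\
<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
<Files .htaccess>
order allow,deny
deny from all
</Files>
"""

# A hardened variant: deny everything except the methods the site actually serves.
HARDENED_CONFIG = r"""
<LimitExcept GET POST HEAD>
    Order deny,allow
    Deny from all
</LimitExcept>
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>
"""

if __name__ == "__main__":
    for label, cfg in (("question", QUESTION_CONFIG), ("hardened", HARDENED_CONFIG)):
        for method, fname in (("GET", "index.html"), ("PUT", "index.html"),
                              ("OPTIONS", "index.html"), ("GET", ".htaccess")):
            ok = access_granted(cfg, method, fname, "203.0.113.5")
            print(f"{label:9} {method:8} {fname:12} -> {'allowed' if ok else 'denied'}")
```

Running it shows the answer's point: under the question's config a GET is allowed (Deny and Allow both match, Deny,Allow lets Allow win), PUT is denied, and GET on .htaccess is denied by the Files section. It also shows what the question's config does not do: an OPTIONS request matches neither Limit block and is therefore unrestricted, whereas the LimitExcept form denies every method that is not explicitly listed.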