htaccess Order directive, Allow directive, Deny directive



    Allowing and denying access via IP address lists in the .htaccess file is very powerful, but it appears to me that the usage options are quite limited (probably by Apache’s protocol) to just two steps: either you get to Allow,Deny, or you get to Deny,Allow. Is there any way to run a “third” step in the Order command?

    In my case, I’d like to do this:

    Order Allow,Deny,[then Allow from a final whitelist]
    # Start with Allow from all because it's a public site and access should be the default.
    Allow from all
    # Blacklist hackers and spammers etc.
    Deny from (list of blacklisted IP addresses)
    # THEN have a final whitelist of IP addresses that should override 
    # any IPs accidentally placed in the Blacklist above
    Allow from (list of whitelisted IP addresses)

    Is there any way to do such a thing? Maybe a second “Allow from” process could be run (after the first Allow from and Deny from processes have run), and that final “Allow from” process could just operate on a specific list of whitelist IPs, and should not read and execute the earlier “Allow from all” command. But I have no idea if this is possible.

    I think this would be a very useful function for many sites that are public, but which maintain a hacker blacklist, and which also have an nontrivial list of IPs that must be whitelisted (which makes it hard to double-check that list against the blacklist).

    AITpro Admin
    # Allow,Deny
    # First, all Allow directives are evaluated. At least one must match, or the request is rejected.
    # Next, all Deny directives are evaluated. If any matches, the request is rejected.
    # Last, any requests which do not match an Allow or a Deny directive are denied by default.
    # Deny,Allow
    # First, all Deny directives are evaluated. If any match, the request is denied unless
    # it also matches an Allow directive. Any requests which do not match any Allow or Deny directives are permitted.
    # *Match* -------------------- *Allow,Deny result* -------------------- *Deny,Allow result*
    # Match Allow only ----------- Request allowed ------------------------ Request allowed
    # Match Deny only ------------ Request denied ------------------------- Request denied
    # No match ------------------- Default to second directive: Denied ---- Default to second directive: Allowed
    # Match both Allow & Deny ---- Final match controls: Denied ----------- Final match controls: Allowed

    The Allow and Deny directives are literal. If you Deny an IP address then it is denied. Trying to allow and deny the same IP address will not work and would be directly conflicting rules. With RewriteRules you could do x and then later in the htaccess code processing you could do y with x. The flow of rule processing would go from top to bottom of the ruleset. Since the Allow and Deny htaccess directives are literal then you cannot do the same type of thing that you can do with RewriteRules or Rewrite Conditions. An analogy of allow and deny directives would be a light switch. The light switch can be either turned On or Off – there is no in between or On and Off at the same time.


    Thanks for the detailed info. Yes, your description is exactly how I already understood the .htaccess Order rules to work.  I like your analogy of the light switch. I’m not proposing that the switch be both on and off at the same time. I’m simply proposing (wishing!) that there were a way to run the switch analysis a third time.

    The current .htaccess process analyzes the light switch just twice. For example, with Order Allow,Deny… if an IP address is allowed in the Allow list, the switch is essentially turned “on” (…pending the analysis of the upcoming Deny list). Then the process analyzes the Deny list, and even if the IP is in the Allow list above, the Deny list will override that and the end result is that the IP address is denied.

    So, the switch is turned on, then off. I would like one more step in which the switch can be turned back “on” for a true end-of-analysis whitelist after all the denies have been processed (yet still providing an “Allow from all” as the first default).  But I’m just repeating myself. It seems there is no way to do this in .htaccess, but I think there is a need for such a thing.

    AITpro Admin

    You can do what you want to do with the Order directive, but without adding the additional invalid/conflicting htaccess code. You cannot do a check for a mistake in the htaccess code with the htaccess code.

    # Blacklist hackers and spammers etc.
    Order Allow,Deny
    Deny from x.x.x.x
    Deny from y.y.y.y
    Deny from z.z.z.z
    Allow from all
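The following is an added illustration, not code from this thread or from the BulletProof Security plugin. It models the two Order evaluations exactly as the table in the first reply describes them (Allow,Deny: Allow first, then Deny, no match defaults to denied; Deny,Allow: Deny first, then Allow, no match defaults to allowed) and runs them over constructed sample addresses from the RFC 5737 documentation ranges. It shows why the original post's "Allow from all, Deny blacklist, then Allow whitelist" cannot work under Allow,Deny (the "Match both" row says the Deny wins), and that the same intent, public by default, blacklist denied, whitelist overriding an accidental blacklist entry, is what the "Match both: Allowed" and "No match: Allowed" rows of Deny,Allow already give. The matcher only understands `all`, single addresses and CIDR networks; Apache's partial-octet and hostname forms are not modeled. The list contents and function names are assumptions for the example.

```python
"""Model of Apache's Order/Allow/Deny evaluation, added as an illustration
(not the forum's or BulletProof Security's code)."""
import ipaddress


def _matches(ip, patterns):
    """True if ip matches any pattern: 'all', a single address, or a CIDR network.
    (Simplification: Apache's partial-octet and hostname forms are not handled.)"""
    addr = ipaddress.ip_address(ip)
    for pat in patterns:
        if pat == "all":
            return True
        if addr in ipaddress.ip_network(pat, strict=False):
            return True
    return False


def access_decision(order, allow, deny, ip):
    """Return 'allowed' or 'denied' following the Order semantics in the table above."""
    a = _matches(ip, allow)
    d = _matches(ip, deny)
    if order == "Allow,Deny":
        # Allow evaluated first: at least one must match, then any Deny match rejects.
        # No match at all defaults to the second directive, Deny.
        if not a:
            return "denied"
        return "denied" if d else "allowed"
    if order == "Deny,Allow":
        # Deny evaluated first: a Deny match rejects unless an Allow also matches.
        # No match at all defaults to the second directive, Allow.
        if not d:
            return "allowed"
        return "allowed" if a else "denied"
    raise ValueError(f"unknown Order: {order}")


# Constructed sample lists (RFC 5737 documentation ranges, not real hosts).
BLACKLIST = ["203.0.113.0/24", "198.51.100.7"]
WHITELIST = ["203.0.113.50"]   # deliberately inside a blacklisted range


def poster_policy(ip):
    """The original post's wish as written: Order Allow,Deny with 'Allow from all',
    the blacklist under Deny, and the whitelist as a second Allow."""
    return access_decision("Allow,Deny", ["all"] + WHITELIST, BLACKLIST, ip)


def deny_allow_policy(ip):
    """Same intent expressed as Order Deny,Allow: Deny the blacklist, Allow the
    whitelist, everyone else permitted by the no-match default."""
    return access_decision("Deny,Allow", WHITELIST, BLACKLIST, ip)


def compare(ips):
    """Decision of both policies for each address: {ip: (Allow,Deny, Deny,Allow)}."""
    return {ip: (poster_policy(ip), deny_allow_policy(ip)) for ip in ips}


if __name__ == "__main__":
    samples = ["192.0.2.1", "203.0.113.9", "203.0.113.50"]
    for ip, (first, second) in compare(samples).items():
        print(f"{ip:>14}  Allow,Deny -> {first:8}  Deny,Allow -> {second}")
```

Running it shows the public visitor 192.0.2.1 allowed under both orders, the blacklisted 203.0.113.9 denied under both, and the whitelisted-but-also-blacklisted 203.0.113.50 denied under Allow,Deny yet allowed under Deny,Allow, which is the "third step" the original post asked for. On Apache 2.4 these directives are supplied by mod_access_compat; the Require directive is the current replacement.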