Posted By: Anonymous
I would like to allow only one country access, but exclude proxies within this country.
This is what I have (shortened version for convenience)
```apache
<Limit GET POST>
order deny,allow
deny from all
allow from 126.96.36.199/16
allow from 188.8.131.52/16
allow from 184.108.40.206/11
allow from 220.127.116.11/11
...
deny from 18.104.22.168
deny from 22.214.171.124
deny from 126.96.36.199
deny from 188.8.131.52
</Limit>
```

But I know this won't work. How do I go about doing this?
Update: for the new Apache 2.4 jump directly to the end.
The `Order` keyword and its relation with `Deny` and `Allow` directives is a real nightmare. It would be quite interesting to understand how we ended up with such a solution, a non-intuitive one to say the least.

- The first important point is that the `Order` keyword will have a big impact on how `Deny` and `Allow` directives are used.
- Secondly, `Deny` and `Allow` directives are not applied in the order they are written; they must be seen as two distinct blocks (one for the `Deny` directives, one for the `Allow` directives).
- Thirdly, they are drastically not like firewall rules: all rules are applied, the process does not stop at the first match.
You have two main modes:
The `Order Deny,Allow` mode, or allow-anyone-except-this-list-or-maybe-not

- This is an allow by default mode. You optionally specify `Deny` rules.
- Firstly, the `Deny` rules reject some requests.
- If someone gets rejected you can get them back with an `Allow`.

I would rephrase it as:

```
Rule    Deny   list of Deny rules
Except         list of Allow rules
Policy  Allow  (when no rule fired)
```
The `Order Allow,Deny` mode, or reject-everyone-except-this-list-or-maybe-not

- This is a deny by default mode. So you usually specify `Allow` rules.
- Firstly, someone's request must match at least one `Allow` rule.
- If someone matched an `Allow`, you can still reject them with a `Deny`.

In the simplified form:

```
Rule    Allow  list of Allow rules
Except         list of Deny rules
Policy  Deny   (when no rule fired)
```
Back to your case
You need to allow a list of networks which are the country networks. And in this country you want to exclude some proxies’ IP addresses.
You have taken the allow-anyone-except-this-list-or-maybe-not mode, so by default anyone can access your server, except proxies' IPs listed in the `Deny` list, but if they get rejected you still allow the country networks. That's too broad. Not good.

By inverting to `order allow,deny` you will be in the reject-everyone-except-this-list-or-maybe-not mode. So you will reject access to everyone but allow the country networks and then you will reject the proxies. And of course you must remove the `Deny from all` as stated by @Gerben and @Michael Slade (this answer only explains what they wrote).

`Deny from all` is usually seen with `order deny,allow` to remove the allow by default access and make a simple, readable configuration. For example, specify a list of allowed IPs after that. You don't need that rule and your question is a perfect case of a 3-way access mode (default policy, exceptions, exceptions to exceptions).
But the guys who designed these settings are certainly insane.
All this is deprecated with Apache 2.4

So the old strange `Order` logic becomes a relic, and to quote the new documentation: "Controlling how and in what order authorization will be applied has been a bit of a mystery in the past".
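The following is an added example, not part of the question or of the answer above: a small Python model of the Apache 2.2 mod_authz_host semantics the answer describes (`Order`, `Allow from`, `Deny from`, both directive blocks always evaluated, no first-match short-circuit). It runs the question's own block, the "too broad" variant with only `deny from all` removed, and the corrected `order allow,deny` block against a few client addresses, so you can see which proxies slip through in each mode. The three config strings and the client addresses are constructed from the addresses in the question; the parser handles only the syntax forms that appear on this page (`all`, plain IPv4 addresses and `a.b.c.d/nn` networks), not hostnames, partial addresses, dotted netmasks or `env=` forms.

```python
"""Model of how Apache 2.2 mod_authz_host evaluates Order / Allow from / Deny from.

Added example (not Apache code): re-implements the documented 2.2 semantics for
the subset of the syntax used on this page, to show why the question's block
lets the in-country proxies through and the corrected block does not.
"""
import ipaddress

# The question's shortened block, as posted (constructed from the question).
BROKEN_CONFIG = """
<Limit GET POST>
order deny,allow
deny from all
allow from 126.96.36.199/16
allow from 188.8.131.52/16
allow from 184.108.40.206/11
allow from 220.127.116.11/11
deny from 18.104.22.168
deny from 22.214.171.124
deny from 126.96.36.199
deny from 188.8.131.52
</Limit>
"""

# Same rules with only "deny from all" removed: still Order deny,allow,
# i.e. the allow-by-default mode the answer calls "too broad".
TOO_BROAD_CONFIG = BROKEN_CONFIG.replace("deny from all\n", "")

# The answer's fix: Order allow,deny (deny by default) and no "deny from all".
FIXED_CONFIG = TOO_BROAD_CONFIG.replace("order deny,allow", "order allow,deny")


def parse_access(config: str):
    """Return (order, allow_tokens, deny_tokens) from a 2.2-style block.

    Only 'order', 'allow from' and 'deny from' are recognised; <Limit> tags
    and comments are skipped. Apache's default Order is deny,allow.
    """
    order, allow, deny = "deny,allow", [], []
    for raw in config.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith(("#", "<")):
            continue
        key = parts[0].lower()
        if key == "order":
            order = "".join(parts[1:]).lower()
        elif key in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            (allow if key == "allow" else deny).extend(parts[2:])
    if order not in ("deny,allow", "allow,deny"):
        raise ValueError(f"unsupported Order: {order}")
    return order, allow, deny


def _matches(client: str, tokens) -> bool:
    """True if the client address matches any token of one directive block."""
    ip = ipaddress.ip_address(client)
    for tok in tokens:
        if tok.lower() == "all":
            return True
        # strict=False lets 126.96.36.199/16 stand for 126.96.0.0/16, as Apache does
        if ip in ipaddress.ip_network(tok, strict=False):
            return True
    return False


def is_allowed(config: str, client: str) -> bool:
    """Apply the 2.2 semantics: both blocks are always evaluated.

    Order Deny,Allow: allowed by default; rejected only if a Deny matches
                      and no Allow matches (an Allow overrides a Deny).
    Order Allow,Deny: denied by default; admitted only if an Allow matches
                      and no Deny matches (a Deny overrides an Allow).
    """
    order, allow, deny = parse_access(config)
    allowed, denied = _matches(client, allow), _matches(client, deny)
    if order == "deny,allow":
        return (not denied) or allowed
    return allowed and not denied


if __name__ == "__main__":
    # 126.96.36.199 and 188.8.131.52 are proxies that sit inside the country nets.
    clients = ["126.96.1.1", "126.96.36.199", "188.8.131.52", "18.104.22.168", "8.8.8.8"]
    for name, cfg in [("broken", BROKEN_CONFIG), ("too broad", TOO_BROAD_CONFIG), ("fixed", FIXED_CONFIG)]:
        verdicts = ", ".join(f"{c}={'allow' if is_allowed(cfg, c) else 'deny'}" for c in clients)
        print(f"{name:9}: {verdicts}")
```

Run it and compare the three lines: under the question's block the proxy 126.96.36.199 is allowed because its `Allow` (the /16) overrides every `Deny`, including `deny from all`; with `deny from all` dropped, the whole Internet gets in; only `order allow,deny` makes the proxy `Deny` entries win over the country `Allow` entries.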