# Apache22 Access Control



## tessio (Mar 24, 2012)

Hello,
I'm reading Absolute FreeBSD 2nd Ed, at the "Web and FTP Services" chapter.
The author wrote these as examples of Apache's access control functionality.

A)

```
Order allow,deny
Allow from all
```

B) or if I did not understand it at all:


```
Order deny,allow
Allow from 192.168.0.0/16
Deny from all
```

My question is whether the same examples could have been written in this more compact form.

A)

```
Order deny,allow
```

B)

```
Order allow,deny
Allow from 192.168.0.0/16
```

Or I just missed the entire point of "Order".
Thanks.


----------



## idle (Mar 25, 2012)

> My question is whether the same examples could have been written in this more compact form


That's right, according to http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#order.


----------



## tessio (Mar 25, 2012)

The ironic part is that reading the Apache documentation reinforced my doubt in this matter.



> In the following example, all hosts in the apache.org domain are allowed access; all other hosts are denied access.




```
Order Deny,Allow
Deny from all
Allow from apache.org
```

Why not write in this, more concise and logical, way?

```
Order Allow,Deny
Allow from apache.org
```

I can't stop thinking that if they need three lines to do this, it is because it's the best solution and I'm missing an important point.


----------



## idle (Mar 25, 2012)

There is always another way to make it shorter. But shorter does not mean clearer. Seen Perl? )


----------



## anomie (Mar 26, 2012)

@tessio: With flexibility comes complexity (and multiple ways to achieve the same goal). 

Just remember with Apache web server ACLs -- read the rules in the sequence they appear in the "Order" directive, and last match wins. 

If your own method for writing Apache's ACLs is more intuitive (to you) than what you're reading in examples, then use it. What's really important is that you _test_ each time to confirm it's behaving as you would expect.


----------



## tessio (Mar 27, 2012)

Thanks everyone..
I now understand the subtleties in these constructions.. 

Those are the same thing:

```
Order Deny,Allow
Deny from all
Allow from apache.org

Order Allow,Deny
Allow from apache.org
```

But if I put this same line in both ACLs:

```
Deny from foo.apache.org
```

now I have two different behaviors. foo.apache.org will only be denied in the last ACL.

So, even if I have two constructions that say the same thing, and I put an identical line in both, I can end up having two different things.


----------
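
The comparison worked out in this thread, as an added example that is not part of any post above: a small Python model of how Apache 2.2's mod_authz_host combines `Order`, `Allow` and `Deny`, used to diff two ACLs over a set of test clients. The client names and addresses are constructed, the function names are this example's own, and the matcher is assumed to handle only `all`, full addresses or CIDR blocks, and domain names.

```python
import ipaddress

def matches(spec, host, ip):
    """True if one 'Allow from' / 'Deny from' argument covers the client."""
    if spec.lower() == "all":
        return True
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        pass  # not an address or CIDR block: treat it as a (partial) domain name
    host, spec = host.lower(), spec.lower().lstrip(".")
    return host == spec or host.endswith("." + spec)

def evaluate(acl, host, ip):
    """Return True if the ACL text grants access to the client."""
    order, allow, deny = "deny,allow", [], []  # Deny,Allow is the 2.2 default
    for line in acl.strip().splitlines():
        words = line.split()
        if len(words) >= 2 and words[0].lower() == "order":
            order = words[1].lower()
        elif len(words) >= 3 and words[1].lower() == "from":
            target = allow if words[0].lower() == "allow" else deny
            target.extend(words[2:])
    allowed = any(matches(s, host, ip) for s in allow)
    denied = any(matches(s, host, ip) for s in deny)
    if order == "allow,deny":   # default deny; a Deny match overrides Allow
        return allowed and not denied
    if order == "deny,allow":   # default allow; an Allow match overrides Deny
        return allowed or not denied
    raise ValueError("unsupported Order: " + order)

# Constructed test clients (hostname, address); not taken from the thread.
CLIENTS = [("www.apache.org", "192.0.2.10"),
           ("foo.apache.org", "192.0.2.11"),
           ("host.example.net", "198.51.100.7")]

def differences(acl_a, acl_b, clients=CLIENTS):
    """Hostnames for which the two ACLs reach different decisions."""
    return [h for h, ip in clients
            if evaluate(acl_a, h, ip) != evaluate(acl_b, h, ip)]

LONG = "Order Deny,Allow\nDeny from all\nAllow from apache.org"
SHORT = "Order Allow,Deny\nAllow from apache.org"
EXTRA = "\nDeny from foo.apache.org"

if __name__ == "__main__":
    print("same ACLs differ for:", differences(LONG, SHORT))
    print("with the extra Deny line:", differences(LONG + EXTRA, SHORT + EXTRA))
```

A model like this only checks the reasoning; the behaviour of the running server is still confirmed by requesting the protected path from an allowed and a denied client.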

