Joshua Slive | 1 Nov 16:15 2006

Apache HTTP Server user-docs wiki

A wiki for user-contributed documentation has recently been set up for
the Apache web server at
http://wiki.apache.org/httpd/

Feel free to contribute your tips and tricks.  To edit pages you need
to create an account and log in.

Please note that this wiki is experimental at the moment.  It may
change or vanish in the future if we find that it is not developing as
we would like.

Joshua.
Chris Pepper | 1 Nov 22:53 2006

Significance of evaluation order?

	I (again) banged my head against Order today. 
<http://httpd.apache.org/docs/trunk/mod/mod_access_compat.html#order> 
says:

>Deny,Allow
>The Deny directives are evaluated before the Allow directives. 
>Access is allowed by default. Any client which does not match a Deny 
>directive or does match an Allow directive will be allowed access to 
>the server.

	I'm used to 'evaluated before' meaning first match applies 
(firewall style), and any later matches never being checked.

	I can't figure out how 'before' is relevant in this sentence, 
since all Allow matches are checked, even if a Deny matches ('before' 
the Allow match).

	Is there a meaning to 'before' I'm just not getting, or can 
this be removed as confusing?? Is it a historical artifact having to 
do with code internals, and not relevant to .conf syntax?

						Regards,

						Chris Pepper
-- 
Chris Pepper:               <http://www.reppep.com/~pepper/>
                             <http://www.reppep.com/weblog/pepper/>
Rockefeller University:     <http://www.rockefeller.edu/>
Eric Covener | 2 Nov 00:22 2006

Re: Significance of evaluation order?

On 11/1/06, Chris Pepper <pepper <at> reppep.com> wrote:
>         I (again) banged my head against Order today.
> <http://httpd.apache.org/docs/trunk/mod/mod_access_compat.html#order>
> says:
>
> >Deny,Allow
> >The Deny directives are evaluated before the Allow directives.
> >Access is allowed by default. Any client which does not match a Deny
> >directive or does match an Allow directive will be allowed access to
> >the server.
>
>         I'm used to 'evaluated before' meaning first match applies
> (firewall style), and any later matches never being checked.

If the incoming host matches both a Deny and an Allow, and Deny is
evaluated first, then the Allow later on will toggle access back on.
The result is very different if you don't consider which of the
Allow/Deny run first, assuming someone matches one of each.

Order Deny,Allow
# Default allow
# Uh oh, these are listed in the opposite order that Apache evaluates them
# Might be a sign of confusion
Allow from bar.com
Deny from foo.bar.com

This is in contrast to "stop at first match of either type" or "follow
the order in httpd.conf".

One reason to think about rewording is that the phrase that talks

Chris Pepper | 2 Nov 00:31 2006

Re: Significance of evaluation order?

At 6:22 PM -0500 2006/11/01, Eric Covener wrote:
>On 11/1/06, Chris Pepper <pepper <at> reppep.com> wrote:
>>         I (again) banged my head against Order today.
>><http://httpd.apache.org/docs/trunk/mod/mod_access_compat.html#order>
>>says:
>>
>>>Deny,Allow
>>>The Deny directives are evaluated before the Allow directives.
>>>Access is allowed by default. Any client which does not match a Deny
>>>directive or does match an Allow directive will be allowed access to
>>>the server.
>>
>>         I'm used to 'evaluated before' meaning first match applies
>>(firewall style), and any later matches never being checked.
>
>If the incoming host matches both a Deny and an Allow, and Deny is
>evaluated first, then the Allow later on will toggle access back on.
>The result is very different if you don't consider which of the
>Allow/Deny run first, assuming someone matches one of each.
>
>Order Deny,Allow
># Default allow
># Uh oh, these are listed in the opposite order that Apache evaluates them
># Might be a sign of confusion
>Allow from bar.com
>Deny from foo.bar.com
>
>This is in contrast to "stop at first match of either type" or "follow
>the order in httpd.conf".
>

Rodent of Unusual Size | 2 Nov 05:57 2006

[STATUS] (httpd-docs-2.0) Wed Nov 1 23:57:03 2006

Apache HTTP Server 2.0 Documentation Status File.
Last modified: $Date: 2004-11-21 09:35:21 -0500 (Sun, 21 Nov 2004) $

For more information on how to contribute to the Apache Documentation
Project, please see http://httpd.apache.org/docs-project/

This document contains only documentation issues related to 2.0 alone.
For general documentation issues, or those that relate both to 2.0 and
to future versions, please see the same file in httpd-2.0 HEAD.
robert.kennington | 3 Nov 21:33 2006

Re: Significance of evaluation order?

 On 11/1/06, Chris Pepper <pepper <at> reppep.com> wrote: 

 >    I (again) banged my head against Order today.  

So did I a couple of months ago.

 >  Is there a meaning to 'before'  

 Regardless of whether the word 'before' is removed or revised, I find the entire definition difficult to
read and jibe/validate against the examples.  However, if this is expressed in terms of a flag being set in a
particular order then it makes more sense to me. Here are some proposed definitions:  

Order Allow, Deny:  Initially a flag for each incoming URL is set to Deny.  Then all Allow directives (i.e.
"Allow foobar.org") are applied followed by all Deny directives regardless of which order the Allow and
Deny directives appear after the Order directive. 

Order Deny, Allow:  Initially a flag for each incoming URL is set to Allow.  Then all Deny directives (i.e.
"Allow foobar.org") are applied followed by all Allow directives regardless of which order the Allow and
Deny directives appear after the Order directive. 

 Ironically, now when I read the online definition I understand them.  But, the wording is still obtuse and
difficult to digest the first time it is read.  

 Bob K. 

Rich Bowen | 3 Nov 21:40 2006

Re: Significance of evaluation order?


On Nov 3, 2006, at 15:33, robert.kennington <at> yahoo.com wrote:

>   Here are some proposed definitions:
>
> Order Allow, Deny:  Initially a flag for each incoming URL is set  
> to Deny.  Then all Allow directives (i.e. "Allow foobar.org") are  
> applied followed by all Deny directives regardless of which order
> the Allow and Deny directives appear after the Order directive.
>
> Order Deny, Allow:  Initially a flag for each incoming URL is set  
> to Allow.  Then all Deny directives (i.e. "Allow foobar.org") are  
> applied followed by all Allow directives regardless of which order  
> the Allow and Deny directives appear after the Order directive.

+1. These are an improvement over what we have, and will alleviate  
much confusion.

--
http://feathercast.org/
Joshua Slive | 3 Nov 21:57 2006

Re: Significance of evaluation order?

On 11/3/06, Rich Bowen <rbowen <at> rcbowen.com> wrote:
>
> On Nov 3, 2006, at 15:33, robert.kennington <at> yahoo.com wrote:
>
> >   Here are some proposed definitions:
> >
> > Order Allow, Deny:  Initially a flag for each incoming URL is set
> > to Deny.  Then all Allow directives (i.e. "Allow foobar.org") are
> > applied followed by all Deny directives regardless of which order
> > the Allow and Deny directives appear after the Order directive.
> >
> > Order Deny, Allow:  Initially a flag for each incoming URL is set
> > to Allow.  Then all Deny directives (i.e. "Allow foobar.org") are
> > applied followed by all Allow directives regardless of which order
> > the Allow and Deny directives appear after the Order directive.
>
> +1. These are an improvement over what we have, and will alleviate
> much confusion.

I'm all for improvements, but this suggestion has lots of problems:
- No space after the comma between Allow and Deny.
- "for each incoming URL" is superfluous and confusing.
- The mini example "(i.e. ...)" doesn't add anything
- Why introduce the concept of a "flag"?  I think it just obscures things.
- It doesn't solve Chris' initially reported confusion, which is that
it needs to be specified that the last evaluated directive wins.

How about:

Deny,Allow

robert.kennington | 4 Nov 00:09 2006

Re: Significance of evaluation order?

> ... lots of problem

Thanks for clarifying the spaces. State's fine.  

> "Clients are allowed access if they do not match any Deny directive <strong>or</strong> they do match an
> Allow directive."

This language is a rehash of the old language.  Logically, it's correct but difficult to read.

Whereas, "Then all Allow directives are applied followed by all Deny directives " takes a different
approach to describing how the state is changed when the initial state is Deny. 

I thought it clarified Chris's initial confusion as it states the Deny directives are applied last but I
guess I did not specify the last directive WINS. But, which last directive?

> that the last evaluated directive wins. 

In the Allow,Deny isn't it the LAST DENY directive that wins and vice versa for the latter case?  Or, better
yet, of the DENY directives, are they processed in sequential order after the ALLOW directives?

Bob K. 

----- Original Message ----
From: Joshua Slive <joshua <at> slive.ca>
To: docs <at> httpd.apache.org
Sent: Friday, November 3, 2006 3:57:45 PM
Subject: Re: Significance of evaluation order?

On 11/3/06, Rich Bowen <rbowen <at> rcbowen.com> wrote:
>

Joshua Slive | 4 Nov 01:05 2006

Re: Significance of evaluation order?

On 11/3/06, robert.kennington <at> yahoo.com <robert.kennington <at> yahoo.com> wrote:
> > ... lots of problem
>
> Thanks for clarifying the spaces. State's fine.
>
> > "Clients are allowed access if they do not match any Deny directive <strong>or</strong> they do match an
> > Allow directive."
>
> This language is a rehash of the old language.  Logically, it's correct but difficult to read.

For some people, yes.  But it is an alternative explanation that may
be helpful for some people.  For something that confuses people, it is
good to explain it in more than one way.  Perhaps we can figure out
some way of setting it off from the other explanation.

There was once a suggestion to do a 2x2 table for each Order type with
Allow matched/unmatched on the rows and Deny matched/unmatched on the
columns and then each cell saying whether access is allowed or denied.
 I'm not sure that is clearer, however.

> > that the last evaluated directive wins.
>
> in the Allow,Deny isn't it the LAST DENY directive that wins and vice versa for the latter case?  Or, better
> yet, of the DENY directives, are they processed in sequential order after the ALLOW directives?

The order of the directives within each category (deny/allow) doesn't
matter.  So I don't really understand the problem here.

Joshua.
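
Added example (not part of any message in this thread, and not httpd's own code): a small Python model of the two-pass evaluation the thread describes, which also builds the 2x2 matched/unmatched table suggested above. The function names and the example.test hosts are assumptions made for illustration; the bar.com directives are the ones from Eric Covener's message.

```python
# Added illustration: models the Order semantics discussed in this thread.
# It is not httpd source code; the host names below are constructed samples.
from itertools import product

def host_matches(spec, host):
    """Partial-domain match: 'bar.com' covers bar.com and anything under it."""
    spec, host = spec.lower().lstrip("."), host.lower()
    return spec == "all" or host == spec or host.endswith("." + spec)

def evaluate(order, allow, deny, host):
    """Return True when `host` is granted access.

    order       -- 'Deny,Allow' or 'Allow,Deny'
    allow, deny -- lists of 'from' arguments; their order in the
                   configuration file plays no part in the result
    """
    passes = {"deny,allow": (("deny", deny), ("allow", allow)),
              "allow,deny": (("allow", allow), ("deny", deny))}[order.lower()]
    # The default is the opposite of whichever category is evaluated first.
    granted = passes[0][0] == "deny"
    # Every directive in both categories is checked; a match in the
    # category evaluated last overrides a match in the first.
    for kind, specs in passes:
        if any(host_matches(s, host) for s in specs):
            granted = (kind == "allow")
    return granted

def truth_table(order):
    """Map (allow matched, deny matched) -> access granted, for one Order."""
    host = "client.example.test"
    table = {}
    for a, d in product((False, True), repeat=2):
        allow = ["example.test"] if a else ["unrelated.test"]
        deny = ["example.test"] if d else ["unrelated.test"]
        table[(a, d)] = evaluate(order, allow, deny, host)
    return table

if __name__ == "__main__":
    # The directives from the example earlier in the thread.
    allow, deny = ["bar.com"], ["foo.bar.com"]
    for order in ("Deny,Allow", "Allow,Deny"):
        for host in ("foo.bar.com", "www.bar.com", "example.org"):
            verdict = "allowed" if evaluate(order, allow, deny, host) else "denied"
            print(f"Order {order:<10}  {host:<12} {verdict}")
        print(f"Order {order:<10}  table: {truth_table(order)}")
```

With Order Deny,Allow the "Deny from foo.bar.com" line has no effect, because the broader Allow is evaluated afterwards; the same two directives under Order Allow,Deny do block foo.bar.com.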

