Order A, B (where A and B each stand for allow or deny; below, conlist denotes an access-control list)
A from conlist1
B from conlist2
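The resulting access control is then as follows, where (A) denotes the range controlled by A:
(A) = (conlist1) ∩ (!conlist2)   (! = complement, ∪ = union, ∩ = intersection)
(B) = (!A) = (!conlist1) ∪ (conlist2)
(A) + (B) = I (the universal set)
The figure below gives a simple picture of the relationship between the allow and deny ranges:
For example: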
Order allow,deny
Allow from 192.168.10.0
Deny from 192.168.10.1
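(Allow) = the IP addresses in the 192.168.10.0 network except 192.168.10.1.
(Deny) = 192.168.10.1 plus all IP addresses outside the 192.168.10.0 network.
Notes:
1) The order of allow and deny after Order has no direct relationship to the order of the Allow from and Deny from lines below it. The resulting ranges are determined by the order given on the Order line. That is, the example above is equivalent to: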
Order allow,deny
Deny from 192.168.10.1
Allow from 192.168.10.0
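2) If no specific allow or deny access-control list is defined after Order, the latter of the two keywords applies by default.
Below is the description of Order from the official Apache documentation: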
The Order directive controls the default access state and the order in which Allow and Deny directives are evaluated. Ordering is one of

- Deny,Allow: The Deny directives are evaluated before the Allow directives. Access is allowed by default. Any client which does not match a Deny directive or does match an Allow directive will be allowed access to the server.
- Allow,Deny: The Allow directives are evaluated before the Deny directives. Access is denied by default. Any client which does not match an Allow directive or does match a Deny directive will be denied access to the server.
- Mutual-failure: Only those hosts which appear on the Allow list and do not appear on the Deny list are granted access. This ordering has the same effect as Order Allow,Deny and is deprecated in favor of that configuration.
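
The evaluation rules quoted above, written as a small Python evaluator and run over the page's example. This is an added example, not code from the original post or from Apache; the function names are hypothetical, and the page's 192.168.10.0 network is assumed to mean 192.168.10.0/24.

```python
import ipaddress

def _matches(ip, networks):
    """True if ip falls inside any network in the list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)

def is_allowed(order, allow, deny, ip):
    """Evaluate Order/Allow/Deny for one client IP, following the quoted rules."""
    order = order.replace(" ", "").lower()
    in_allow = _matches(ip, allow)
    in_deny = _matches(ip, deny)
    if order == "deny,allow":
        # Allowed by default; an Allow match overrides a Deny match.
        return (not in_deny) or in_allow
    if order in ("allow,deny", "mutual-failure"):
        # Denied by default; a Deny match overrides an Allow match.
        return in_allow and not in_deny
    raise ValueError(f"unknown Order value: {order!r}")

# Constructed sample: the page's example lists (CIDR forms are an assumption).
ALLOW = ["192.168.10.0/24"]
DENY = ["192.168.10.1/32"]

def demo():
    """Return (order, ip, allowed) for both orderings over three sample clients."""
    rows = []
    for order in ("allow,deny", "deny,allow"):
        for ip in ("192.168.10.1", "192.168.10.7", "10.0.0.5"):
            rows.append((order, ip, is_allowed(order, ALLOW, DENY, ip)))
    return rows

if __name__ == "__main__":
    for order, ip, ok in demo():
        print(f"Order {order:<10} {ip:<13} -> {'allow' if ok else 'deny'}")
```

With the same two lists, Order deny,allow admits every client, including 192.168.10.1, because the Allow match overrides the Deny match. Empty lists fall through to the default of the second keyword, as note 2 states.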