Apache

How to Create a Negative Policy in Apache Web Server

A common mistake that we could make is to misplace the order of Allow and Deny, which is the key to determine the behavior of access control.

For example, if you want to make a negative policy to deny accesses with some explicit exceptions. The order shouldn’t be Allow,Deny:
<Location /status/>
    Order Allow,Deny
    Deny from all
    Allow from 192.168.0.0/24
</Location>

The above order have no effects on access control. It doesn’t deny anything.

The correct way make a negative rule is to put Deny first, then Allow. Therefore, the correct sequence to set Order properly is as following.
<Location /status/>
    Order Deny,Allow
    Deny from all
    Allow from 192.168.0.0/24
</Location>

Leave a Reply

Your email address will not be published. Required fields are marked *