Allow, Deny or Require All in .htaccess for Different Apache Versions

.htaccess

When we want to block bots, spam referrers using .htaccess file, some websites use following code syntax:

Order allow,deny
Allow from all
Deny from env=spambot

But some websites tell that we need to use different codes for different Apache versions:

#For Apache 2.2
<IfModule !mod_authz_core.c>
<IfModule mod_authz_host.c>
    Order allow,deny
    Allow from all
    Deny from env=spambot
</IfModule>
</IfModule>

# For Apache 2.4
<IfModule mod_authz_core.c>
<RequireAll>
    Require all granted
    Require not env spambot
</RequireAll>
</IfModule>

Now I want to which cone is correct or both are correct?

Best Answer

we need to use different codes for different Apache versions

This.

The syntax changed from Apache 2.2 to 2.4. However, the old (Apache 2.2) syntax was kept (in fact, it was moved to a different module: mod_access_compat) for backwards compatibility only - so it still "works". But it is deprecated and is likely to be removed in future versions. So, code on Apache 2.4 should use the Require ... syntax.

Related Solutions

Htaccess order Deny,Allow rule

This rule allows everyone into your site.

Order Deny,Allow
Allow from all
Deny from 192.168.30.1

The Order directive determines the order in which your rules are processed. With Order deny,allow the deny list will be processed first then the allow list.

With Apache, all rules are processed with the last one matching being the effective rule.

So in this case, your last rule would be allow from all.

This means that 192.168.30.1 would initially be denied but then allowed since the allow rules are processed last.

This would produce the same result

Order Deny,Allow
Allow from all
Deny from 192.168.30.1
Allow from 192.168.30.1

Think of it this way.

The allow/deny rules are simply separate lists of IPs to be allowed/denied.
The order directive determines the order in which these lists are processed.
Apache evaluates all rules and acts on the result of the last matching rule.

The major confusion is that this is very different from how firewalls work where rule order and first match is often what determines access.

See: http://httpd.apache.org/docs/2.2/mod/mod_authz_host.html#order

Use nested directives in .htaccess in Apache 2.4

Updated Answer:

As of Apache 2.4.26 nested <If> directives are allowed.

The change log has the following change noted:

Evaluate nested If/ElseIf/Else configuration blocks. [Luca Toscano, Jacob Champion]

Original answer:

An <If> directive cannot be nested inside another <If> directive but can be nested inside other sections like <Directory>, <Location>, <Files> and <IfModule>.

The Apache 2.4 Documentation for the If Directive has the following notice:

Not a scripting language

The name of this directive is very familiar to programmers and admins but it should not be confused with its counterpart in scripting languages. For example, the current implementation does not contemplate the possibility of having a <If> section inside another one (the inner <If> will be ignored).

No reason is given for why they chose not to allow nested <If> directives.

The only other information about nesting provided in the documentation indicates each section type differs on whether or not it can be nested:

Nesting of sections

Some section types can be nested inside other section types. On the one hand, <Files> can be used inside <Directory>. On the other hand, <If> can be used inside <Directory>, <Location>, and <Files> sections (but not inside another <If>). The regex counterparts of the named section behave identically.

Best Answer

Related Solutions

Htaccess order Deny,Allow rule

Use nested directives in .htaccess in Apache 2.4

Related Topic