Understanding Apache Order and Allow in <Directory> directive

I have tried reading the manual, although to be honest I am still finding it hard to understand and get my head around what Order/Allow actually does and what the default settings for a web server should be.

I have the following default config, where I have turned off .htaccess and symbolic links.

However, I am not really sure what Order Allow,Deny and Allow from all actually do. Should I change this to Allow from 127.0.0.1?

<Directory />
Options -Indexes -FollowSymLinks MultiViews
AllowOverride None
Order Allow,Deny
Allow from all
</Directory>

Additionally, do I need the <Files> block below, or is there a better way of writing this for Apache?

<Directory /var/www/example/subdomains/dev/public/webapp>
    RewriteEngine Off

    <Files *>
        order allow,deny
        deny from all
    </Files>
    <FilesMatch "\.(png|gif|jpe?g|png|css|js|swf|ps|flv)$">
        order allow,deny
        allow from all
    </FilesMatch>
</Directory>

Solution 1:

Order Allow,Deny means that the Allow rules are processed before the Deny rules. If a client doesn't match the Allow rules, or it does match a Deny rule, it will be denied access.

So,

Order Allow,Deny
Allow from all

means that any client can access your web server.

"I want to turn off .htaccess and symbolic links."

You already did that with AllowOverride None and Options -FollowSymLinks.

<Directory /var/www/example/subdomains/dev/public/webapp>
    RewriteEngine Off

    <Files *>
        order allow,deny
        deny from all
    </Files>
    <FilesMatch "\.(png|gif|jpe?g|png|css|js|swf|ps|flv)$">
        order allow,deny
        allow from all
    </FilesMatch>
</Directory>

This config does the following:

  • disables the rewriting engine
  • clients will be denied access to all files in the webapp folder except for images, js, swf, ...

Pay attention to:

order allow,deny
deny from all

It tells Apache to deny any access.
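
The evaluation rule described in this answer, as an added example that is not part of the original answer or of Apache's own code: a small Python model of how Order combines Allow and Deny for one client address, run against the directives from the question. It also covers Order Deny,Allow, which the page does not use. The function names `matches` and `evaluate` are hypothetical, and `from` arguments are assumed to be only `all`, full IP addresses or CIDR blocks (no hostnames, partial IPs or env=).

```python
import ipaddress


def matches(specs, client_ip):
    """True if client_ip matches any 'from' spec: 'all', an IP or a CIDR block."""
    ip = ipaddress.ip_address(client_ip)
    for spec in specs:
        if spec.lower() == "all":
            return True
        if ip in ipaddress.ip_network(spec, strict=False):
            return True
    return False


def evaluate(order, allow, deny, client_ip):
    """Hypothetical model of Order/Allow/Deny: True means access is granted."""
    allowed = matches(allow, client_ip)
    denied = matches(deny, client_ip)
    order = order.replace(" ", "").lower()
    if order == "allow,deny":
        # Allow is checked first, Deny last: a Deny match wins,
        # and a client matching neither list is denied.
        return allowed and not denied
    if order == "deny,allow":
        # Deny is checked first, Allow last: an Allow match wins,
        # and a client matching neither list is allowed.
        return allowed or not denied
    raise ValueError("unsupported Order: " + order)


if __name__ == "__main__":
    # Constructed client addresses (documentation ranges and loopback).
    remote, local = "203.0.113.7", "127.0.0.1"
    cases = [
        ("<Directory />: Allow from all", "Allow,Deny", ["all"], []),
        ("proposed: Allow from 127.0.0.1", "Allow,Deny", ["127.0.0.1"], []),
        ("<Files *>: deny from all", "allow,deny", [], ["all"]),
        ("Deny,Allow + Deny all + Allow 127.0.0.1", "Deny,Allow", ["127.0.0.1"], ["all"]),
    ]
    for label, order, allow, deny in cases:
        print(label,
              "| remote:", evaluate(order, allow, deny, remote),
              "| local:", evaluate(order, allow, deny, local))
```

The second case shows what the question's proposed change would do: with Order Allow,Deny and only Allow from 127.0.0.1, every non-local client falls through to the default deny.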