
A range formula for Order allow/deny in the Apache server

2007-11-08 15:23
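Order A, B (where A and B can each stand for allow or deny; conlist below denotes a control list)
A from conlist1
B from conlist2

Then the final access-control result is as follows (writing (A) for the range controlled by A):
(A)= (conlist1) U (!conlist2) (! is complement, U is union, n is intersection)
(B)= (!A) = (!conlist1) n (conlist2)
(A)+(B)= I (the universal set)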

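The figure below gives a simple picture of how the allow and deny ranges relate:

[Figure: relationship between the allow and deny ranges]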

For example:
Order allow,deny
Allow from 192.168.10.0
Deny from 192.168.10.1

(Allow)= the IP addresses in the 192.168.10.0 network segment, except 192.168.10.1.
(Deny)= 192.168.10.1 plus the IP addresses outside the 192.168.10.0 network segment.

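Notes:

1) The order of allow and deny after Order has no direct relation to the order in which the Allow from and Deny from lines appear below it. The resulting ranges are determined by the order written on the Order line. That is, the result of the example above is the same as: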
Order allow,deny
Deny from 192.168.10.1
Allow from 192.168.10.0

2) If no specific allow or deny access control list is defined after Order, the latter of the two applies by default.

Below is the description of Order from the official Apache documentation:

The Order directive controls the default access state and the order in which Allow and Deny directives are evaluated. Ordering is one of

Deny,Allow
The Deny directives are evaluated before the Allow directives. Access is allowed by default. Any client which does not match a Deny directive or does match an Allow directive will be allowed access to the server.

Allow,Deny
The Allow directives are evaluated before the Deny directives. Access is denied by default. Any client which does not match an Allow directive or does match a Deny directive will be denied access to the server.

Mutual-failure
Only those hosts which appear on the Allow list and do not appear on the Deny list are granted access. This ordering has the same effect as Order Allow,Deny and is deprecated in favor of that configuration.
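
The following is an added example, not code from the original post or from Apache: a small Python model of the Order semantics quoted above, run against the page's 192.168.10.x example to show which probe addresses each ordering admits. The function names and the probe list are hypothetical, and the control lists are written in CIDR form with an assumed /24 prefix for the 192.168.10.0 segment.

```python
import ipaddress

def _matches(ip, conlist):
    """True if ip falls inside any entry of a control list (CIDR strings)."""
    return any(ip in ipaddress.ip_network(entry) for entry in conlist)

def is_allowed(client, order, allow=(), deny=()):
    """Model of the quoted Order semantics; allow/deny stand in for the
    'Allow from' and 'Deny from' lists (their line order does not matter)."""
    ip = ipaddress.ip_address(client)
    in_allow, in_deny = _matches(ip, allow), _matches(ip, deny)
    key = order.replace(" ", "").lower()
    if key in ("allow,deny", "mutual-failure"):
        # Access is denied by default: the client must match Allow
        # and must not match Deny.
        return in_allow and not in_deny
    if key == "deny,allow":
        # Access is allowed by default: the client is refused only when
        # it matches Deny and does not match Allow.
        return (not in_deny) or in_allow
    raise ValueError("unsupported Order value: %r" % order)

# Constructed from the page's example; the /24 prefix is an assumption.
ALLOW = ["192.168.10.0/24"]
DENY = ["192.168.10.1/32"]

def audit(order, allow, deny, probes):
    """Map each probe address to its allow/deny verdict under 'order'."""
    return {p: is_allowed(p, order, allow, deny) for p in probes}

if __name__ == "__main__":
    probes = ["192.168.10.1", "192.168.10.77", "10.0.0.5"]  # constructed
    for order in ("allow,deny", "deny,allow"):
        print(order, audit(order, ALLOW, DENY, probes))
```

With the same two lists, changing only the Order line to deny,allow admits all three probe addresses, which is the thing to check when reviewing an inherited configuration.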