The access control to my server is defined like this:
Order allow,deny
Allow from 127.0.0.1
And this works the way I want it. First, only access from the local machine is allowed and then everything else is denied. But I found lots of examples that would do something like this instead:
Order deny,allow
Deny from all
Allow from 127.0.0.1
This makes more sense. First, all access is denied and then, only local access is allowed.
My question is, are they equivalent and do exactly the same thing? They way I see it, they are, but I just want to make sure they are exactly the same. If not, how do they differ and which one should I go for to allow access to my local machine only?
Yes, they are equivalent in the aspect of both providing the same result, only allowing access from 127.0.0.1. Let me quote the relevant part from the documentation on the Order directive.
I do not believe they are actually the same, because in your first example you do not deny any hosts explicitly (unsure of what Apache defaults to if anything at all).
The second more regular example you showed is correct for allowing only the localhost to access the webserver. This is because the access control directives in Apache are applied in the order used by the Order directive. So with "deny,allow" first the deny directives are applied, then any allow directives. In this case all hosts are blocked first then 127.0.0.1 is allowed. Nothing else can get in except localhost. If you were to reverse only the order making it "allow,deny" that would mean first 127.0.0.1 is allowed, then all hosts are blocked. Meaning no one can get to the webserver at all (not even localhost)!
Just think of it as white/blacklisting. In the 'deny,allow' case with Deny from All you are essentially creating a whitelist of the users you want to be able to access the server, with each Allow from X you add. If you used 'allow,deny' with Allow from All and adding Deny from X you create a blacklist of people you specifically do not want to be able to access the webserver.