This is mostly just a helpful note to my future self, but hopefully will help others who are frustrated with the shitty documentation of these Apache directives on the net.
The Allow directive takes an IP address or a hostname, like
Allow from 127.0.0.1. The Deny directive does the same thing, but with the word
If a request matches at least one Allow directive and no Deny directives, it's allowed. If it matches at least one Deny and no Allows, it's denied.
If a request matches at least one of each, or matches none of them, the Order directive determines the default action.
Order Deny,Allow allows requests in these two situations, while
Order Allow,Deny denies them.
The ordering of these directives has no effect, but traditionally the
Order directive is put first, followed by the Allow and Deny ones.
If all you want to do is deny a few IPs, you can get by with just:
Order Deny,Allow Deny from 127.0.0.1 Deny from 127.0.0.2 ...
This'll deny the specific things you want to kill, and then allow everything else by default.
Note to self: NearlyFreeSpeech doesn't allow access control via .htaccess, due to their network architecture. Instead, set them up in the Site tab, under "IP Access Control".