This discussion is related to the bolded recommendation at:

http://httpd.apache.org/docs/2.2/mod/core.html#limit

stating that:

"In the general case, access control directives should not be placed within a <Limit> section."

and further that...

"A <LimitExcept> section should always be used in preference to a <Limit> section when restricting access..."

Albeit, the recommendation does say "In general", however for certain types of access control, it seems to me that the use of both the Limit and LimitExcept provides the perfect and perhaps the most appropriate means of access control. I can see in some cases a LimitExcept on its own can provide appropriate access control, but not in all and perhaps not even in most.

For a simple example, I have in an .htaccess file:

    <Limit GET POST>
    order deny,allow
    deny from all
    allow from 10.10.10.0/24
    </Limit>

    <LimitExcept GET POST>
    order deny,allow
    deny from all
    </LimitExcept>

So, for the resources affected by that .htaccess I only want my users on 10.10.10.0/24 to have access to those resources and I only want those users to make GET and POST requests. In fact, I have seen this same type of access control configuration suggested in several places when searching on the subject, although none of them as authoritative as the Apache documentation.

So a user on 10.10.10.0/24 can make a GET or POST request only and all other IP addresses can do nothing.

I would suggest that the recommendation in the Apache Limit docs state:

"In the general case, access control directives should not be placed within a <Limit> section without an accompanying LimitExcept directive protecting the remaining methods."

Am I not seeing something that would suggest that this is not an appropriate and very tight means of access control?

Thank you.
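The following is an added example, not part of the original message and not Apache's own code: a small Python model of the .htaccess above that computes the allow/deny decision per method and client address under "Order deny,allow". The function names and the sample client addresses are assumptions made for the illustration, and HEAD is treated as GET, as the Limit documentation describes.

```python
# Added example: a small model of the .htaccess in the message, not Apache code.
import ipaddress

# (kind, methods, order, deny list, allow list), copied from the posted config.
SECTIONS = [
    ("Limit", {"GET", "POST"}, "deny,allow", ["all"], ["10.10.10.0/24"]),
    ("LimitExcept", {"GET", "POST"}, "deny,allow", ["all"], []),
]

def matches(specs, client_ip):
    """True if client_ip matches 'all' or any CIDR entry in specs."""
    ip = ipaddress.ip_address(client_ip)
    return any(s == "all" or ip in ipaddress.ip_network(s) for s in specs)

def section_applies(kind, methods, method):
    """Limit covers the listed methods; LimitExcept covers every other one."""
    if method == "HEAD":  # naming GET in a Limit also covers HEAD
        method = "GET"
    return (method in methods) if kind == "Limit" else (method not in methods)

def allowed(method, client_ip):
    """Evaluate a request against whichever section covers its method."""
    for kind, methods, order, deny, allow in SECTIONS:
        if not section_applies(kind, methods, method):
            continue
        if order != "deny,allow":
            raise ValueError("this model only implements Order deny,allow")
        # Order deny,allow: Deny is evaluated first, then Allow. An Allow
        # match overrides a Deny match; matching neither means allowed.
        if matches(allow, client_ip):
            return True
        return not matches(deny, client_ip)
    return True  # no section restricts this method

def decision_matrix(methods, clients):
    """Map every (method, client) pair to its allow/deny decision."""
    return {(m, c): allowed(m, c) for m in methods for c in clients}

if __name__ == "__main__":
    # Constructed sample clients: one inside 10.10.10.0/24, two outside it.
    clients = ["10.10.10.5", "10.10.11.5", "203.0.113.9"]
    methods = ["GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"]
    for (m, c), ok in decision_matrix(methods, clients).items():
        print(f"{m:8}{c:14}{'allow' if ok else 'deny'}")
```

Running it prints one line per method and client, which can be compared against the responses a test client actually receives from the server.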