On Oct 2, 2019, at 5:53 PM, Jack Simmons <goldendev@xxxxxxx.INVALID> wrote: > Is it possible to force apache to return HTTP 401 instead of HTTP [403] if any condition inside RequireAll fails? The two codes mean different things. 401 basically means “hey, you need to login or login again” (Unauthorized) while 403 means “Hey, I know you logged in, but you aren’t allowed to access this” (Forbidden). > Yet if I will put "Require env SMTH" additionally, apache will check "Require valid user" but then, after it will fail with "denied (no authentocated user yet)", it will also check my second "Require" and will fail just with "denied" and throw HTTP 403. I think this is a bug. Why apache checks for a second Require in RequireAll if the first one failed already? Digging far into the recesses of my memory, RequireAll always checks every clause because, for example, you can do something like this: <RequireAll> Require all granted Require not ip 10.252.46.165 </RequireAll> Which allows all users UNLESS they are from 10.252.46.165 <https://httpd.apache.org/docs/2.4/howto/access.html> The purpose of <requireAll> is to group things into one logical block. If you want things to fail in order without checking other conditions, don’t use requireAll? -- I'm just going to go home, lie down, and listen to country music. The music of pain. --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx