On Tue, Mar 16, 2021 at 9:41 AM Dennis Jacobfeuerborn <dennisml@xxxxxxxxxxxx> wrote:
>
> Hi,
> I trying to understand how the "Require" directive works in non-trivial
> cases. This is one example:
>
> <VirtualHost *:80>
>   ServerName 127.0.0.1
>   DocumentRoot "/var/www/html/site"
>   <Location "/area/admin/">
>     Authtype Basic
>     Authname "site"
>     AuthUserFile /etc/httpd/conf/htpasswd
>     Require valid-user
>   </Location>
>   <Files "README.*">
>     Require all denied
>   </Files>
> </VirtualHost>
>
> When I access http://localhost/area/admin/README.txt without a password
> httpd will respond with a 401 as expected but when I supply the correct
> credentials not only do I get access to the admin location (expected)
> but also to the README.txt file (unexpected).
>
> Why is the "Require all denied" ignored in this case? When I comment out
> the location block then I will get the correct 403 Forbidden response so
> it seems the "Require valid-user" seems to basically erase the
> restrictions defined elsewhere.
>
> How would I specify this correctly so that a password grants me access
> to the admin area but the limitation on the README files stays intact?

It's counter-intuitive but Location is merged in after Directory/Files so it takes precedence. "AuthMerging and" can be used in the location block to merge the rules rather than replacing them.

http://httpd.apache.org/docs/2.4/mod/mod_authz_core.html#authmerging
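The configuration from the question with the reply's suggestion applied, written out here as an added example rather than something posted in the thread. The paths, ServerName and user file are the ones from the question; the only change is the AuthMerging line, and the Files section is placed before the Location section purely for readability, since merge order is decided by section type, not by position in the file.

```apache
<VirtualHost *:80>
    ServerName 127.0.0.1
    DocumentRoot "/var/www/html/site"

    # Deny README.* everywhere. Files sections are merged before Location
    # sections, so without AuthMerging a later Location would replace this.
    <Files "README.*">
        Require all denied
    </Files>

    <Location "/area/admin/">
        AuthType Basic
        AuthName "site"
        AuthUserFile /etc/httpd/conf/htpasswd
        # Combine this section's authorization with what was inherited from
        # the Files/Directory sections instead of replacing it: both the
        # inherited rule and "valid-user" must then be satisfied.
        AuthMerging And
        Require valid-user
    </Location>
</VirtualHost>
```

With AuthMerging And in place, a request for /area/admin/README.txt is refused even when valid credentials are supplied, because "all denied" is still part of the merged decision, while other files under /area/admin/ continue to require a valid user. The default, AuthMerging Off, is what produced the behaviour in the question: the Location's Require set replaced the inherited one outright. Check the result with curl against the three cases (no credentials, valid credentials on README.txt, valid credentials on another file) before relying on it.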