
Re: LimitExcept inside a Location overrules another Location restriction

This is not a mailing list for reporting bugs; it's the mailing list used by Bugzilla.
Avoid Limit/LimitExcept in 2.4.  In the config below, if the Location / comes second,
it means the authorization config replaces the one defined in server-info, not merged with it, and GET is no longer limited.

On Fri, Nov 2, 2018 at 8:28 AM Lothar Belle <lothar.webmin@xxxxxxxxx> wrote:
We want to allow only specific methods, i.e. HEAD POST GET,
so we are using:
<Location />
    <LimitExcept HEAD POST GET>
        Require all denied
    </LimitExcept>
</Location>
Location is required because we use mod_proxy, so no directory access is performed.
Strangely, it overrules a previously defined:
<Location /server-info>
    SetHandler server-info
    Require local
</Location>
So as a result, server-info is accessible from everywhere.
According to my understanding and the documentation, this behavior is not correct.
<LimitExcept> and </LimitExcept> are used to enclose a group of access control directives which will then apply to any HTTP access method not listed in the arguments

Thanks a lot!

Eric Covener
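
The replace-versus-merge behaviour described in the reply, as an added example that is not part of the original thread and not either poster's configuration. It assumes Apache 2.4 with mod_authz_core and mod_info loaded; `Require method` and `AuthMerging` are real 2.4 directives, but choosing them here is this example's assumption, since the thread only says to avoid Limit/LimitExcept.

```apache
# Added example for Apache 2.4 (mod_authz_core, mod_info); not from the thread.
# <Location> sections are processed in the order they appear in the file,
# so the catch-all section goes first and the specific path after it.

<Location "/">
    # Stands in for:
    #   <LimitExcept HEAD POST GET>
    #       Require all denied
    #   </LimitExcept>
    # Only the listed methods are authorized; every other method is refused.
    Require method GET HEAD POST
</Location>

<Location "/server-info">
    SetHandler server-info

    # AuthMerging defaults to Off: the Require lines of a later matching
    # section replace those of earlier sections instead of adding to them.
    # "And" combines this section's authorization with the preceding
    # section's, so a request to /server-info must use an allowed method
    # AND come from the local host.
    AuthMerging And
    Require local
</Location>
```

With these sections in this order, a GET for /server-info from a non-local address should be refused with 403, and so should a local request using a method outside the list. If the `/` section were moved below `/server-info` without `AuthMerging`, its authorization would replace `Require local`, which is the exposure reported in the thread.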