We want to allow only specific methods, i.e. HEAD, POST and GET,
so we are using:
<Location />
<LimitExcept HEAD POST GET>
Require all denied
</LimitExcept>
</Location>
Location is required because we use mod_proxy, so no directory access is
performed.
Strangely, it overrules a previously defined:
<Location /server-info>
SetHandler server-info
Require local
</Location>
So as a result, server-info is accessible from everywhere.
According to my understanding and the documentation, this behavior is not
correct.
https://httpd.apache.org/docs/2.4/en/mod/core.html#limitexcept:
*<LimitExcept> and </LimitExcept> are used to enclose a group of access
control directives which will then apply to any HTTP access method not
listed in the arguments*
Thanks a lot!
Regards,
Lothar
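
A configuration check for the situation described in the message, as an added example that is not part of the original post or of Apache httpd. It relies on two documented httpd 2.4 rules: `<Location>` sections are merged in the order they appear, and with the default `AuthMerging Off` a later section's authorization directives replace those of earlier sections. It assumes that a `Require` nested in `<LimitExcept>` counts as the enclosing section's authorization configuration, which matches the behaviour reported above; the function names and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample: the two sections from the message, in the order described.
SAMPLE_CONF = """\
<Location /server-info>
SetHandler server-info
Require local
</Location>
<Location />
<LimitExcept HEAD POST GET>
Require all denied
</LimitExcept>
</Location>
"""

def parse_locations(conf):
    """Return [(path, directive_lines)] for each <Location> block, in file order."""
    blocks, current = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        opened = re.match(r'<Location\s+"?([^\s">]+)"?\s*>$', line, re.I)
        if opened:
            current = (opened.group(1), [])
        elif current and re.match(r"</Location>$", line, re.I):
            blocks.append(current)
            current = None
        elif current and line and not line.startswith("#"):
            current[1].append(line)  # nested <Limit*> lines are kept too
    return blocks

def covers(broad, narrow):
    """True if <Location broad> also matches URLs under the path 'narrow'."""
    return broad == "/" or narrow == broad or narrow.startswith(broad.rstrip("/") + "/")

def has_directive(lines, pattern):
    """True if any directive line starts with the given regex (case-insensitive)."""
    return any(re.match(pattern, l, re.I) for l in lines)

def find_overrides(conf):
    """List (earlier_path, later_path) pairs where the later section replaces authz."""
    blocks, findings = parse_locations(conf), []
    for i, (early_path, early) in enumerate(blocks):
        if not has_directive(early, r"require\b"):
            continue
        for late_path, late in blocks[i + 1:]:
            if (covers(late_path, early_path) and has_directive(late, r"require\b")
                    and not has_directive(late, r"authmerging\s+(and|or)\b")):
                findings.append((early_path, late_path))
    return findings
```

For the sample, `find_overrides(SAMPLE_CONF)` reports the `/server-info` section as overridden by the later `<Location />`; with the two sections in the opposite order it returns an empty list.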