Colm MacCarthaigh wrote:
I think the text "Deny from all" is a particularly dangerous thing to have not work as advertised! No matter how well documented :/
The question though, is where can Deny from all be expected to work?

Certainly not in <Directory /foo> - the cached entity no longer lives there. Perhaps in <Location /foo> - but running the full handlers, dealing with all the regex'es all over again defeats the purpose of running a fast cache.

Certainly in <VirtualHost www.cachedhost.example.com> ... although authnz doesn't work correctly there in the first place ;-) And certainly globally, if I ran a large mass vhost, yet knew full well that a list of proxies would corrupt my content, I might Deny from 10.123.55.0/24 but again, authn/authz doesn't work globally.

We can discuss 'enabling' the map to storage for <Location > and running the authz stack, but we would have to ensure we bypass the filesystem dir/files entities. The deepest relevant level is <Location >.

And maybe, have you considered a <CachedLocation > / <CachedLocationMatch > container for mod_cache? This would have the benefit that very long lists of directives would be ignored/not merged, in favor of a much shorter and very specific list that benefits the cache by keeping it fast, while giving the user the option to tweak the behavior of content, once cached.
