Colm MacCarthaigh wrote:
> if single-allow-from-all && no-deny-rules:
>     no-header;
> else
>     header;

I think that is probably reasonable and would catch 99.5% of real
configs. There is a silly case that I didn't mention:

    Order deny,allow
    Deny from all
    Allow from all

So really, the optimal algorithm would be

    if deny,allow && (no-deny-rules || allow-all-is-last)
        no-header;
    else if allow,deny && no-deny-rules
        no-header;
    else
        header;

Another thing to consider, however, is:

    BrowserMatch email-grabber bad-robot
    Order allow,deny
    Allow from all
    Deny from env=bad-robot

Do env= directives get excluded from the algorithm? Otherwise,
apache.org (and many other sites) suddenly becomes completely uncachable.
To be 100% correct, any use of BrowserMatch (or SetEnvIf User-Agent)
should set Vary: User-Agent, but this is not what is desired most of the
time.

My personal opinion is that you are going to surprise many more people
by trying to infer the correct cache headers than you will by leaving
them out. As an example of us trying to be too smart, consider
mod_rewrite, which sends "Vary: Host" when doing rewriting based on the
Host: header. This header is redundant as far as I can tell (we don't
set it for ordinary name-based vhosting), but makes sites uncachable in
some browsers and proxies.

Joshua.
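
The decision discussed in this message, run over the configurations it quotes, as an added example that is not part of the original post or of Apache's code. The function names, the `ignore_env` switch and the third sample config are assumptions made for illustration; the allow,deny branch also requires an `Allow from all`, combining the quoted condition with the refinement above.

```python
# Added illustration: decide whether a response from an access-controlled
# location needs the cache-restricting header ("header" vs "no-header").

def parse_access(config):
    """Return (order, allow_rules, deny_rules) from Order/Allow/Deny lines."""
    order, allows, denies = "deny,allow", [], []  # deny,allow is Apache's default Order
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        key = words[0].lower()
        if key == "order" and len(words) > 1:
            order = "".join(words[1:]).lower()
        elif key in ("allow", "deny") and len(words) > 2 and words[1].lower() == "from":
            (allows if key == "allow" else denies).extend(w.lower() for w in words[2:])
    return order, allows, denies  # other directives (BrowserMatch, ...) are skipped


def needs_header(config, ignore_env=False):
    """True if access may differ per client, so the header must be sent."""
    order, allows, denies = parse_access(config)
    if ignore_env:  # hypothetical switch: exclude env= rules from the decision
        denies = [d for d in denies if not d.startswith("env=")]
    allow_all = "all" in allows
    if order == "deny,allow":
        # Allow is evaluated last and the default is allow.
        return not (not denies or allow_all)
    if order == "allow,deny":
        # Deny is evaluated last and the default is deny.
        return not (allow_all and not denies)
    return True  # mutual-failure or unrecognised Order: stay conservative


# Configurations quoted in the message.
SILLY_CASE = "Order deny,allow\nDeny from all\nAllow from all\n"
BAD_ROBOT = ("BrowserMatch email-grabber bad-robot\nOrder allow,deny\n"
             "Allow from all\nDeny from env=bad-robot\n")
# Constructed sample: a genuinely restricted location.
INTERNAL_ONLY = "Order allow,deny\nAllow from 10.0.0.0/8\n"

if __name__ == "__main__":
    for name in ("SILLY_CASE", "BAD_ROBOT", "INTERNAL_ONLY"):
        print(name, "header" if needs_header(globals()[name]) else "no-header")
```

With env= rules counted, the BrowserMatch configuration gets the header on every response, which is the loss of cacheability the message warns about.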