Hi, consider this config: =================== <Location /sec> Order deny,allow Deny from all Allow from 1.2.3.4 </Location>
<Location /> <LimitExcept GET POST > Order allow,deny Deny from all </LimitExcept> </Location> =================== From the LimitExcept docs, I would expect that the <Location /> block does not affect GET/POST requests at all. But actually, it is allowing access from everywhere, overriding the previous <Location /sec> block. It this a bug in httpd or a documentation problem? I would argue it is a httpd bug because it can easily open security holes in a configuration. PR 47019 is filed against 1.3, but the issue affects 2.x/trunk, too. Cheers, Stefan
