On 10 Jun 2013, at 14:35, Eric Covener <cove...@gmail.com> wrote:

> I'd like to add an immutable Forbid directive to the core and use it in some
> places in the default configuration instead of "require all denied".
>
> http://people.apache.org/~covener/forbid.diff
>
> This protects from a broad <Location or <If being added that supersedes
> Directory/Files.
>
> I thought someone might object to the duplication w/ AAA or the presence in
> the core, so opting for RTC.
Just a comment: other places that do broadly similar things often have a "deny by default" philosophy. I like this approach.

Obviously this isn't going to please admins with existing configurations, so is there a way to design the mechanism so it's still possible to get something more strict than we have at the moment?

In terms of directives, this could look like:

    <Directory />
        # For example, insist that exemptions must be defined in the same
        # place as the Forbid is set.
        Forbid
        ForbidExemption /srv/web /nfs/foo/bar
    </Directory>

    # Require HTTPS except from IPv4 localhost
    <If "%{REQUEST_SCHEME} != 'https' && ! -R '127.0.0.0/8'">
        # Expression evaluation doesn't need exemptions
        Forbid
    </If>

-- 
Tim Bannister – is...@jellybaby.net
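For readers who have not hit the problem Eric's patch is aimed at, the following is an added example of stock httpd 2.4 configuration (not from the patch or from either message; the paths and network are made up). It shows how a later, broad <Location> or <If> section silently replaces a "Require all denied" set on the filesystem root, because per-directory sections are merged in the order <Directory>, <Files>, <Location>, <If>, and mod_authz_core's default (AuthMerging Off) lets the later section's Require configuration replace the earlier one rather than combine with it.

```apache
# Step 1: the usual hardened default. Nothing on the filesystem is served...
<Directory />
    AllowOverride None
    Require all denied
</Directory>

# ... except the document root.
<Directory "/srv/web">
    Require all granted
</Directory>

# Step 2: a well-meaning addition made elsewhere in the config, perhaps in
# a conf.d fragment. <Location> is merged AFTER <Directory>, and with the
# default "AuthMerging Off" its Require config REPLACES the one above.
# Result: every URL path is now granted, so any Alias or ScriptAlias that
# maps outside /srv/web (e.g. "Alias /etc/ /etc/") is served to anyone.
<Location />
    Require all granted
</Location>

# Step 3: the same effect via <If>, which is merged last of all. Meant to
# let the internal network in, it actually drops the root denial for every
# request from 10.0.0.0/8, regardless of which <Directory> matched.
<If "%{REMOTE_ADDR} -ipmatch '10.0.0.0/8'">
    Require all granted
</If>
```

To see the hole, request a path mapped outside the document root (for example add "Alias /etc/ /etc/" and fetch /etc/passwd) with and without the <Location /> block: stock httpd has no directive that a later section cannot undo, which is the gap an "immutable" Forbid in the core is meant to close.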