03.08.2013 14:14, Eric Covener wrote:
> I don't agree re: necessity. As Ben said, httpd only knows that /tiv
> (where you tried to punch a hole) and the target of your Action
> directive have different per-directory configurations, so
> authorization is checked on the subrequest. It's erring on the side
> of running authz checks, and I don't disagree that it could be
> enhanced/optimized.
Point is, it is /erring/. I asked Ben for possible use-cases and his two
examples were modules, which use the authorization rules to generate
different content depending on the result. Rather than to decide,
whether to authorize the request at all.
The situation would've made some sense, if I could configure things
separately. For example:
# Lock-out attempts to invoke php-fpm directly:
<Location /php-fpm>
Require none granted
</Location>
# Allow any PHP script under DocumentRoot to be executed otherwise:
<LocationMatch \.php$>
Require all granted
</LocationMatch>
But I can't -- all requests for foo.php would go through /both/ of the
above...
-mi
