>> The access checking on mod_pagespeed resources is >> redundant, because the resource will either be served from cache (in which >> case it had to be authenticated to get into the cache in the first place) or >> will be decoded and the original resource(s) fetched from the same server >> with full authentication.
Re: suppressing mod_authz_host: This doesn't sound like it guards against a user that meets the AAA conditions causing the resource to be cached and served to users who would not have met the AAA restrictions. Maybe you are missing a map_to_storage callback to tell the core that this thing will really, really not be served from the filesystem. Re: suppressing rewrite. Your comments in the src imply that rewrite is doing some of what you're also suppressing in server/core.c:ap_core_translate_name(). Also, it's odd that your scheme for suppressing mod_rewrite wasn't a no-op for rewrite in htaccess context, since these use the RUN_ALL fixups hook to do its magic, but maybe you're catching a break there?
