The legacy authz directives from 2.2 will indeed cause issues when mixed
with Require (2.4). Do not mix them.


On Mon, Apr 10, 2023 at 11:48 PM Tatsuki Makino <tatsuki_mak...@hotmail.com>
wrote:

> Dave Wreski wrote on 2023/04/11 10:54:
> > SetEnvIf user-agent "(?i:TurnitinBot)" stayout=1
> > SetEnvIf Request_URI "^linuxsecurity_features\.*$" !stayout
>
> I have done it in the past, too.
> It was like allowing another level of conditions to be attached to Allow
> and Deny, depending on the condition that defines the variable and the
> condition that undefines the variable, right? :)
> This is no longer needed, so change the name to something that makes sense.
>
> SetEnvIf user-agent "(?i:TurnitinBot)" SOMENAME1
> SetEnvIf Request_URI "^linuxsecurity_features\.*$" SOMENAME2
>
> And let it meet all the requirements.
>
> <RequireAll>
>   Require all granted
>   Require not env SOMENAME1
>   Require env SOMENAME2
> </RequireAll>
>
> ...According to mod_authz_core.html, it looks like we don't even need
> SetEnvIf.
>
> <RequireAny>
>   <RequireAll>
>     Require all granted
>     Require not expr "%{HTTP_USER_AGENT} =~ /SomeBot/"
>   </RequireAll>
>   Require expr "%{REQUEST_URI} =~ /^linuxfoo/"
> </RequireAny>
>
> The outermost <RequireAny> is verbose.
> I'm on the teaching side, but I've never used expr, so I don't know if the
> syntax is correct. :)
>
> I did my research on it a long time ago and I don't know if it is still
> correct...
> The result of this access control is broken by the Order, Allow, and Deny
> directives :)
> Sure, I thought that all of those directives should be allowed by
> Order Deny,Allow
> or
> Allow from all
> , but I forgot :)
> For now, Order, Allow, and Deny should be removed if they exist somewhere
> :)
>
> Regards.
>
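
A check for the mixing described above, added here as an example and not code from the thread or from the httpd project: it scans configuration text and reports every scope that contains both mod_access_compat directives (Order, Allow, Deny, Satisfy) and Require. The sample configuration and the per-scope grouping are assumptions of this example; httpd also merges directives across enclosing sections and .htaccess files, so a clean result for one scope does not cover inherited settings.

```python
import re
# Directives of mod_access_compat (2.2-style) versus mod_authz_core's Require (2.4).
LEGACY = {"order", "allow", "deny", "satisfy"}
# Authorization containers group Require lines; they do not open a new config scope.
AUTHZ_CONTAINERS = {"requireall", "requireany", "requirenone"}
TAG = re.compile(r"<\s*(/?)(\w+)([^>]*)>")

def find_mixed_authz(config_text):
    """Return [(scope, legacy_lines, require_lines)] for scopes mixing both styles."""
    stack = ["(server config)"]
    seen = {}  # scope path -> {"legacy": [...], "require": [...]}
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag = TAG.match(line)
        if tag:
            closing, name, arg = tag.group(1), tag.group(2), tag.group(3).strip()
            if name.lower() in AUTHZ_CONTAINERS:
                continue
            if closing and len(stack) > 1:
                stack.pop()
            elif not closing:
                stack.append(f"<{name} {arg}>")
            continue
        word = line.split(None, 1)[0].lower()
        kind = "legacy" if word in LEGACY else "require" if word == "require" else None
        if kind:
            hits = seen.setdefault(" > ".join(stack), {"legacy": [], "require": []})
            hits[kind].append(lineno)
    return [(scope, h["legacy"], h["require"])
            for scope, h in seen.items() if h["legacy"] and h["require"]]

# Constructed sample configuration (not taken from the thread).
SAMPLE = """\
<Directory "/var/www/html">
    Order Deny,Allow
    Allow from all
    <RequireAll>
        Require all granted
        Require not env SOMENAME1
    </RequireAll>
</Directory>
<Directory "/var/www/static">
    Require all granted
</Directory>
"""
if __name__ == "__main__":
    print(find_mixed_authz(SAMPLE))
```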
