The legacy authz directives from 2.2 will indeed cause issues when mixed with Require (2.4). Do not mix them.
On Mon, Apr 10, 2023 at 11:48 PM Tatsuki Makino <tatsuki_mak...@hotmail.com> wrote: > Dave Wreski wrote on 2023/04/11 10:54: > > SetEnvIf user-agent "(?i:TurnitinBot)" stayout=1 > > SetEnvIf Request_URI "^linuxsecurity_features\.*$" !stayout > > I have done it in the past, too. > It was like allowing another level of conditions to be attached to Allow > and Deny, depending on the condition that defines the variable and the > condition that undefines the variable, right? :) > This is no longer needed, so change the name to something that makes sense. > > SetEnvIf user-agent "(?i:TurnitinBot)" SOMENAME1 > SetEnvIf Request_URI "^linuxsecurity_features\.*$" SOMENAME2 > > And let it meet all the requirements. > > <RequireAll> > Require all granted > Require not env SOMENAME1 > Require env SOMENAME2 > </RequireAll> > > ...According to mod_authz_core.html, it looks like we don't even need > SetEnvIf. > > <RequireAny> > <RequireAll> > Require all granted > Require not expr "%{HTTP_USER_AGENT} =~ /SomeBot/" > </RequireAll> > Require expr "%{REQUEST_URI} =~ /^linuxfoo/" > </RequireAny> > > The outermost <RequireAny> is verbose. > I'm on the teaching side, but I've never used expr, so I don't know if the > syntax is correct. :) > > I did my research on it a long time ago and I don't know if it is still > correct... > The result of this access control is broken by the Order, Allow, and Deny > directives :) > Sure, I thought that all of those directives should be allowed by > Order Deny,Allow > or > Allow from all > , but I forgot :) > For now, Order, Allow, and Deny should be removed if they exist somewhere > :) > > Regards. > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org > For additional commands, e-mail: users-h...@httpd.apache.org > >