On Nov 7, 2005, at 3:10 PM, Ruediger Pluem wrote:
Not for every page, but if I get it right once you lock out one bad
boy via
deny ipaddress
than it should be sent. AFAIK this not done automatically currently
once you add a deny
directive somewhere. Does this need to be changed?
I can't remember which directive applies where, but if the
access control is set to deny all and allow some, where some
is a locally restricted subset of all, then cache-control
private is required on non-error responses unless the request
included Authorization (in which case cache-control private
is optional because it is already implied with Auth).
If the directive is set to allow all and deny some, then
it is reasonable to assume that the access control is for
service reasons, not authentication, and thus anyone who
receives the message should be allowed to cache it for others.
It would be wise to make both configurable.
....Roy
