http://httpd.apache.org/docs/trunk/mod/mod_authz_core.html#matchall "If none of the directives contained within the <MatchAll> directive fails, and at least one succeeds, then the <MatchAll> directive succeeds. "
According to this, following config would grant an access from 127.0.0.1 with no username/password. <Location /server-info> SetHandler server-info AuthType Digest AuthName "private area" AuthUserFile "/var/www/password" Match valid-user Match ip 127.0.0.0/8 </Location> But actually 127.0.0.1 needs to be "valid-user". Considering difference between MatchAll and MatchAny, this is correct behavior. The How to says different thing from mod_authz_core doc: http://httpd.apache.org/docs/trunk/howto/auth.html#beyond "To authorize the request, none of the negated directives can match their parameters, while all of the positive directives must match their parameters (or else return a neutral result)." mod_authz_core doc should be fixed ? I'm not sure which is better for this mail, docs@ or [EMAIL PROTECTED] Regards, Takashi