On Thu, Jul 11, 2019 at 8:21 PM Graham Leggett <minf...@sharp.fm> wrote:
>
> On 12 Jul 2019, at 01:46, Graham Leggett <minf...@sharp.fm> wrote:
>
> > I am having the exact same problem with Directory and DirectoryMatch. When
> > there are Ifs in a Directory, the Directory overrides the DirectoryMatch,
> > even though the DirectoryMatch is more specific and should “win” (win
> > meaning be merged on top of all that has gone before it).
>
> Here is a simpler example:
>
> <Directory /home/${HOST}/storage>
>   Dav on
>   SSLVerifyClient optional
>   <If "%{SSL_CLIENT_VERIFY} == 'SUCCESS' || %{SSL_CLIENT_VERIFY} == 'GENEROUS'">
>     require valid-user
>   </If>
>   <Else>
>     require valid-user
>   </Else>
> </Directory>
> <Directory /home/${HOST}/storage/home>
>   require all denied <—— has no effect
> </Directory>
>
> Why, when a valid user is logged in (via cert or not cert), does httpd grant
> access to the file /home/${HOST}/storage/home/foo?

Because the last thing merged into authz_core's r->per_dir_config is a dirconf
w/ `require valid-user` directives from the if/else. What else could it mean
for <If> to be merged last?

> Most specifically, why does “require all denied” have no effect when a file
> matches that directory section?

Because the core added an <If> section and is going to evaluate it later. Even
if you used some core directives inside the 2nd <Directory> section to cause a
merge to happen, there is no directive that removes/resets existing <If>
sections from core's per-dir-config. They are accumulated in the early
configuration section walking then evaluated after.
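
Added example, not part of the original message and not httpd code: a small Python lint that flags the pattern explained above, a plain `Require` in a nested `<Directory>` that is overridden because a parent `<Directory>` sets `Require` inside `<If>`/`<Else>`. It assumes literal `<Directory>` paths in a single file (no `Include`, `DirectoryMatch` or `.htaccess`); the function names are hypothetical.

```python
import re

# Constructed sample: the configuration quoted in the message, minus its annotation.
SAMPLE = """\
<Directory /home/${HOST}/storage>
  Dav on
  SSLVerifyClient optional
  <If "%{SSL_CLIENT_VERIFY} == 'SUCCESS' || %{SSL_CLIENT_VERIFY} == 'GENEROUS'">
    require valid-user
  </If>
  <Else>
    require valid-user
  </Else>
</Directory>
<Directory /home/${HOST}/storage/home>
  require all denied
</Directory>
"""

OPEN = re.compile(r"<(\w+)\s*(.*?)>\s*$")
CLOSE = re.compile(r"</(\w+)>\s*$")
COND = {"if", "elseif", "else"}  # sections evaluated after the directory walk

def parse_directories(text):
    """Map each <Directory> path to its Require lines, split by plain/conditional."""
    dirs, stack = {}, []  # stack holds (section name, argument) of open sections
    for raw in text.splitlines():
        line = raw.strip()
        if CLOSE.match(line):
            stack = stack[:-1]
        elif m := OPEN.match(line):
            stack.append((m.group(1).lower(), m.group(2).strip().strip('"')))
        elif line.lower().startswith("require "):
            path = next((a for n, a in stack if n == "directory"), None)
            kind = "conditional" if any(n in COND for n, _ in stack) else "plain"
            if path is not None:
                entry = dirs.setdefault(path.rstrip("/"), {"plain": [], "conditional": []})
                entry[kind].append(line)
    return dirs

def shadowed_requires(text):
    """Return (child_dir, require_line, parent_dir) for each overridden Require."""
    dirs = parse_directories(text)
    findings = []
    for parent, p in dirs.items():
        for child, c in dirs.items():
            # A parent's <If> Require is merged after the child's plain Require.
            if p["conditional"] and child.startswith(parent + "/"):
                findings += [(child, req, parent) for req in c["plain"]]
    return findings
```
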