On Thu, Jul 11, 2019 at 8:21 PM Graham Leggett <minf...@sharp.fm> wrote:
>
> On 12 Jul 2019, at 01:46, Graham Leggett <minf...@sharp.fm> wrote:
>
> > I am having the exact same problem with Directory and DirectoryMatch. When 
> > there are Ifs in a Directory, the Directory overrides the DirectoryMatch, 
> > even though the DirectoryMatch is more specific and should “win” (win 
> > meaning be merged on top of all that has gone before it).
>
> Here is a simpler example:
>
>     <Directory /home/${HOST}/storage>
>       Dav on
>       SSLVerifyClient optional
>       <If "%{SSL_CLIENT_VERIFY} == 'SUCCESS' || %{SSL_CLIENT_VERIFY} == 'GENEROUS'">
>         require valid-user
>       </If>
>       <Else>
>         require valid-user
>       </Else>
>     </Directory>
>     <Directory /home/${HOST}/storage/home>
>       require all denied  <—— has no effect
>     </Directory>
>
> Why, when a valid user is logged in (via cert or not cert), does httpd grant 
> access to the file /home/${HOST}/storage/home/foo?

Because the last thing merged into authz_core's r->per_dir_config is a
dirconf w/ `require valid-user` directives from the if/else.

What else could it mean for <If> to be merged last?

> Most specifically, why does “require all denied” have no effect when a file 
> matches that directory section?

Because the core added an <If> section and is going to evaluate it
later. Even if you used some core directives inside the 2nd
<Directory> section to cause a merge to happen, there is no directive
that removes/resets existing <If> sections from core's per-dir-config.
They are accumulated in the early configuration section walking then
evaluated after.
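
The merge order described in this reply, as a simplified Python model. This is an added example, not part of the original email and not httpd's code; the function names, the `/home/host` path and the data layout are assumptions, and it assumes the default `AuthMerging Off`, where a later-merged `Require` replaces an earlier one.

```python
# Simplified model (not httpd source) of the behaviour described in the thread:
# <Directory> sections are merged shortest-path first, nested <If> sections are
# only collected during that walk, then evaluated and merged afterwards.
# Assumes the default "AuthMerging Off": a later Require replaces an earlier one.

# Constructed config mirroring the example in the quoted message.
SECTIONS = [
    {"path": "/home/host/storage",
     "require": None,
     # (condition, value inside <If>, value inside <Else>)
     "ifs": [(lambda env: env.get("SSL_CLIENT_VERIFY") in ("SUCCESS", "GENEROUS"),
              "valid-user", "valid-user")]},
    {"path": "/home/host/storage/home",
     "require": "all denied",
     "ifs": []},
]

def matches(section_path, file_path):
    prefix = section_path.rstrip("/") + "/"
    return file_path == section_path or file_path.startswith(prefix)

def effective_require(file_path, env, sections=SECTIONS):
    """Return (effective Require, trace of merge steps) for file_path."""
    effective, pending_ifs, trace = None, [], []
    # Phase 1: directory walk, shortest path first.
    for sec in sorted(sections, key=lambda s: len(s["path"])):
        if not matches(sec["path"], file_path):
            continue
        if sec["require"] is not None:
            effective = sec["require"]
            trace.append(("Directory " + sec["path"], effective))
        pending_ifs.extend(sec["ifs"])  # accumulated, not evaluated yet
    # Phase 2: accumulated <If>/<Else> sections are evaluated and merged last.
    for cond, if_value, else_value in pending_ifs:
        effective = if_value if cond(env) else else_value
        trace.append(("If/Else", effective))
    return effective, trace

def audit(file_path, env, sections=SECTIONS):
    """List Directory-level Require values that a later-merged <If> replaced."""
    effective, trace = effective_require(file_path, env, sections)
    if not trace or trace[-1][0] != "If/Else":
        return []
    return [(src, val) for src, val in trace[:-1]
            if src.startswith("Directory") and val != effective]
```

Running `audit("/home/host/storage/home/foo", {})` reports the `all denied` from the deeper `<Directory>` as replaced, which is the configuration review finding the thread is about.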
