On Mon, Apr 27, 2020 at 12:14 PM Yann Ylavic <ylavic....@gmail.com> wrote: > > On Mon, Apr 27, 2020 at 5:37 PM Eric Covener <cove...@gmail.com> wrote: > > > > Bumping a very old thread. tl;dr people are often surprised that when > > Location sections have access control directives and overlap with the > > filesystem it undoes the default > > <Files ".ht*"> > > Require all denied > > </Files> > > Thanks for pointing at this, I was wondering what baptx was talking > about on users@. TIL... > > What about upper sf proposal to default AuthMerging to "and"? > Would that be too disruptive? Or at least, if this is a direction, > could we do that in our default httpd.conf (and docs)?
AuthMerging in default conf for at least the .ht* case seems to make sense. Haven't tested, never occurred to me before. Maybe because it was not analagous for 2.2 back then. I don't think we can change the compiled-in default in 2.4. Maybe in trunk?
