This is an Apache 2.2 server running within a VM on CentOS.
Both the authn_basic_module and the authn_host_module are loaded. I have the following directive: <Directory "/var/www/html"> Order deny,allow Deny from 221.192.0.0/14 </Directory> Yet, today I see in my access logs: 221.192.199.35 - - [12/Jul/2010:15:26:19 -500] -500] "GET http://www.wantsfly.com/prx2.pho?hash=abbreviated HTTP/1.0" 404 ...... Why didn't Apache block this?