apache2: why does the <LimitExcept> parameter result in a “deny not allowed here” error in the virtualhost tag?

Solution 1:

As long as your <LimitExcept> block is within a context that's valid for the Allow/Deny directives, then it will work just fine.

If you try putting even a naked Deny rule directly in the <VirtualHost> context, you'll see that it's denied in the same way - <VirtualHost> with a Deny in it is not allowed, so neither is adding a <LimitExcept> between them.

But, the trick is that <LimitExcept>, and some other block types like <IfModule>, do not modify the context of a directive; you'll never see "limit" in the list of acceptable contexts in the documentation for a directive.

There are only four contexts that can dictate whether a directive is allowed:

  • server config
  • virtual host
  • directory (which includes <Location> and <Files> type directives, too)
  • .htaccess

In the case of the mod_authz_host directives (Order, Allow, and Deny), they're allowed only in directory and htaccess contexts, so they'll always error when they're not in one.

In your case, there's no filesystem location for this reverse-proxy vhost, so you'll want to use a <Location> block (which is a valid context for Allow/Deny because it's of the directory context type):

<Location />
    Order allow,deny
    Allow from all
    <LimitExcept HEAD POST GET>
        Deny from all
    </LimitExcept>
</Location>

Oh, and get rid of that <Proxy *> block, as it's not doing anything - the <Location> takes precedence over it anyway, but it's in conflict with the <LimitExcept>'s restrictions, so it makes me nervous.
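
The context rule from Solution 1, as an added example that is not part of the original answer: a small Python lint that tracks the effective context through nested sections and flags Order/Allow/Deny wherever that context is not directory or .htaccess. Sections such as <LimitExcept> and <IfModule> inherit the enclosing context, which is why wrapping Deny in <LimitExcept> inside a vhost still fails. The function name `lint`, the treatment of <Proxy> and the *Match variants as directory-type sections, and both sample configs are assumptions constructed for this example.

```python
import re
# mod_authz_host directives, and the sections that create directory context.
AUTHZ_HOST = {"order", "allow", "deny"}
DIRECTORY_SECTIONS = {"directory", "directorymatch", "location", "locationmatch",
                      "files", "filesmatch", "proxy", "proxymatch"}
OPEN = re.compile(r"<\s*([A-Za-z]+)\b[^>]*>")
CLOSE = re.compile(r"</\s*[A-Za-z]+\s*>")

def lint(config_text, base="server config"):
    """Return (line_no, directive, context) for each misplaced directive."""
    stack, findings = [base], []      # stack holds the effective context
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.fullmatch(line):
            stack = stack[:-1] or [base]   # tolerate a stray closing tag
            continue
        m = OPEN.fullmatch(line)
        if m:
            name = m.group(1).lower()
            if name in DIRECTORY_SECTIONS:
                stack.append("directory")
            elif name == "virtualhost":
                stack.append("virtual host")
            else:  # <LimitExcept>, <Limit>, <IfModule>...: context unchanged
                stack.append(stack[-1])
            continue
        word = line.split()[0]
        if word.lower() in AUTHZ_HOST and stack[-1] not in ("directory", ".htaccess"):
            findings.append((no, word, stack[-1]))
    return findings

# Constructed samples: Deny wrapped only in <LimitExcept>, then in <Location />.
BROKEN = """<VirtualHost *:80>
    <LimitExcept HEAD POST GET>
        Deny from all
    </LimitExcept>
</VirtualHost>"""
FIXED = """<VirtualHost *:80>
    <Location />
        Order allow,deny
        Allow from all
        <LimitExcept HEAD POST GET>
            Deny from all
        </LimitExcept>
    </Location>
</VirtualHost>"""
print(lint(BROKEN), lint(FIXED))
```

This only models the context check; `apachectl configtest` remains the authoritative validation before a reload.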

Solution 2:

The error message is saying that Deny is not allowed in a <LimitExcept> block.

From a different part of the docs: "The directives provided by mod_authz_host are used in <Directory>, <Files>, and <Location> sections as well as .htaccess files".