apache2: why <LimitExcept> parameter results “deny not allowed here” error in virtualhost tag?
Solution 1:
As long as your <LimitExcept> block is within a context that's valid for the Allow/Deny directives, then it will work just fine.
If you try putting even a naked Deny rule directly in the <VirtualHost> context, you'll see that it's denied in the same way - <VirtualHost> with a Deny in it is not allowed, so neither is adding a <LimitExcept> between them.
But, the trick is that <LimitExcept>, and some other block types like <IfModule>, do not modify the context of a directive; you'll never see "limit" in the list of acceptable contexts in the documentation for a directive.
There are only four contexts that can dictate whether a directive is allowed:
- server config
- virtual host
- directory (which includes <Location> and <Files> type directives, too)
- .htaccess
In the case of the mod_authz_host directives (Order, Allow, and Deny), they're allowed only in directory and htaccess contexts, so they'll always error when they're not in one.
In your case, there's no filesystem location for this reverse-proxy vhost, so you'll want to use a <Location> block (which is a valid context for Allow/Deny because it's of the directory context type):
<Location />
    Order allow,deny
    Allow from all
    <LimitExcept HEAD POST GET>
        Deny from all
    </LimitExcept>
</Location>
Oh, and get rid of that <Proxy *> block, as it's not doing anything - the <Location> takes precedence over it anyway, but it's in conflict with the <LimitExcept>'s restrictions, so it makes me nervous.
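The context rule described in Solution 1, as an added example that is not part of either answer and is not Apache's own parser: a small checker that walks a config and reports every Order/Allow/Deny that has no directory-type section around it, treating <LimitExcept>, <IfModule> and <VirtualHost> as sections that do not supply that context. The function name misplaced_authz, the one-directive-per-line parsing, the inclusion of the *Match and <Proxy> sections in the directory-type set, and both sample configs are assumptions made for this illustration.

```python
import re

# Sections whose contents are in "directory" context.
DIRECTORY_SECTIONS = {"directory", "directorymatch", "files", "filesmatch",
                      "location", "locationmatch", "proxy", "proxymatch"}
# mod_authz_host directives: valid only in directory and .htaccess contexts.
AUTHZ_HOST = {"order", "allow", "deny"}
OPEN = re.compile(r"<\s*([A-Za-z]+)\b[^>]*>$")
CLOSE = re.compile(r"</\s*([A-Za-z]+)\s*>$")

def misplaced_authz(config_text):
    """Return (line_no, directive, enclosing_sections) for each misplaced one."""
    stack, findings = [], []
    for num, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        closing = CLOSE.match(line)
        if closing:
            if stack and stack[-1] == closing.group(1).lower():
                stack.pop()
            continue
        opening = OPEN.match(line)
        if opening:
            stack.append(opening.group(1).lower())
            continue
        name = line.split()[0]
        # <LimitExcept>, <IfModule>, <VirtualHost> on the stack do not help:
        # only a directory-type ancestor makes the directive legal.
        if name.lower() in AUTHZ_HOST and not DIRECTORY_SECTIONS & set(stack):
            findings.append((num, name, tuple(stack)))
    return findings

# Constructed sample configs (not taken from the question).
BROKEN = """\
<VirtualHost *:80>
    <LimitExcept HEAD POST GET>
        Deny from all
    </LimitExcept>
</VirtualHost>
"""
FIXED = """\
<Location />
    Order allow,deny
    Allow from all
    <LimitExcept HEAD POST GET>
        Deny from all
    </LimitExcept>
</Location>
"""
```

Calling misplaced_authz(BROKEN) flags the Deny on line 3 with ("virtualhost", "limitexcept") as its enclosing sections, while FIXED produces no findings.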
Solution 2:
The error message is saying that Deny is not allowed in a <LimitExcept> block.
From a different part of the docs: "The directives provided by mod_authz_host are used in <Directory>, <Files>, and <Location> sections as well as .htaccess files".