While developing a new site we had a Location directive similar to the one below: <Location /> Order deny,allow Deny from all Allow from 10.20.30. Allow from 140.211.11.4/32 Allow from 140.211.11.130/32 # Allow from the W3C validator Allow from 128.30.52.13/32 </Location> During this time we saw that most requests in the log files for IP addresses not on that list were returning 403 errors but occasionally Apache would return a 200. We verified that it was actually returning the requested page and not a logging error by using anonymous web proxies. Most received 403 errors but some displayed the page. The problem isn't consistent for a particular IP address. We saw the Google bot crawling the site from a single IP address. Most of the time it would receive 403 errors but occasionally it would receive the page it was requesting. It's also not consistent for a particular file. Of the 117 requests for robots.txt that the Google bot has made over the last two months, only three were returned as 200, the rest were 403. Return codes and their counts for all files and all IP addresses apart from the IP addresses in the Location directive are: 139 304 1172 302 1193 200 20142 403 Let me know if you would like any more information to help find this bug.
Use of <Location> for local contents is NOT recommended, because it WILL confuse you. The problem you describe is likely to be due to it interacting with another container in a manner you don't expect. The other possible explanation is that you're using mod_cache, which is known not to work with host-based access restrictions.
Thanks for the info, I hadn't noticed that in the Apache2 documentation before. It still seems like a bug but it's a bug in mod_cache rather than the Apache Core. I have changed the component to be mod_cache and I'll have a look around again to make sure it's not a duplicate of another bug. In case someone with the same problem finds this bug we are planning on working around this bug using mod_rewrite for whole sites that shouldn't be accessed and CacheDisable for paths that shouldn't be accessed.
hello, I had the same problem, but it seems to be the behavior of mod_cache, as describe in http://issues.apache.org/bugzilla/show_bug.cgi?id=36937 "Content is stored in and retrieved from the cache using URI based keys. Content with access protection is not cached." taken from apache documentation: http://httpd.apache.org/docs/2.2/mod/mod_cache.html
*** This bug has been marked as a duplicate of 36937 ***