Let's say you want to allow DELETE for a small subset of requests, based on remap.config rules. The reasonable configuration is to do e.g.
However, this does not work, since the global "DENY" in ip_allow.config takes precedence (it denies all DELETEs). This is actually sort of a regression, I think; it did not use to behave like this, I'm fairly certain.
The workaround (which is incredibly cumbersome if you have even a moderately large remap.config) is to invert the rules. E.g.
This kinda sucks to maintain, and also opens up a PEBKAC security problem, when someone adds a new remap.config rule and forgets to deny the DELETEs.
I really feel that the ACLs from remap.config (if they match, you can specify IP ranges etc. as well) should take precedence over ip_allow.config.
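
A lint check for the PEBKAC risk described above, as an added example that is not part of the original report: it flags remap.config rules that state no inline DELETE policy. It assumes every rule carries its own inline `@action=`/`@method=` ACL, does not resolve named filters (`.definefilter`/`.activatefilter`), and uses constructed hostnames.

```python
import sys

# Constructed sample remap.config for the inverted workaround (not from the report).
SAMPLE_REMAP = """\
# every rule must say what it does with DELETE
map http://www.example.com/ http://origin.example.com/ @action=deny @method=DELETE
map http://api.example.com/ http://api-origin.example.com/ @action=allow @method=DELETE @src_ip=10.0.0.0-10.255.255.255
map http://new.example.com/ http://new-origin.example.com/
map http://img.example.com/ http://img-origin.example.com/ @action=deny @method=PUT
"""

def delete_policy(tokens):
    """Return 'deny' or 'allow' if the rule's inline ACL names DELETE, else None."""
    opts = [t[1:].split("=", 1) for t in tokens if t.startswith("@") and "=" in t]
    actions = [v.lower() for k, v in opts if k.lower() == "action"]
    methods = {v.upper() for k, v in opts if k.lower() == "method"}
    # Assumption: one inline ACL per rule line, so exactly one @action is expected.
    if len(actions) == 1 and actions[0] in ("allow", "deny") and "DELETE" in methods:
        return actions[0]
    return None

def unguarded_rules(text):
    """List (line number, 'from' URL) of mapping rules with no explicit DELETE policy."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue  # blank line or comment
        if not tokens[0].startswith(("map", "regex_map")):
            continue  # filter directives, redirects etc. are out of scope here
        if len(tokens) < 3:
            continue  # malformed rule, nothing to report on
        if delete_policy(tokens) is None:
            findings.append((lineno, tokens[1]))
    return findings

if __name__ == "__main__":
    # Lint the file given on the command line, or the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REMAP
    bad = unguarded_rules(text)
    for lineno, src in bad:
        print(f"line {lineno}: {src} has no explicit DELETE policy")
    sys.exit(1 if bad else 0)
```

Run as a pre-deploy check, the non-zero exit status stops a remap.config change that adds a rule without saying whether DELETE is denied or deliberately allowed.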