
I read this answer to a similar question asked some time ago, and it made good sense and matched the Apache 2.4 documentation. But I had the following experience, which seems to contradict that answer and the documentation. Consider the following directives:

<Directory "/opt/lampp/htdocs/foo">
    AuthName "foo user"
    AuthType Basic
    AuthUserFile /opt/lampp/passwds/foo.users
</Directory>
<VirtualHost *:80>
    ServerName   foo.example.com
    DocumentRoot "/opt/lampp/htdocs/foo/public"
    ErrorLog     "logs/foo.error_log"
    <Location />
        Require valid-user
    </Location>
    <Location /wp/feed>
        Require all granted
    </Location>
    CustomLog    "logs/foo.access_log" combined
</VirtualHost>

The intent, clearly, is to protect all URLs with HTTP Basic authentication, except for URLs below /wp/feed. But after reloading Apache, I got prompted for credentials when going to /wp/feed. That URL matches both of the Location paths, so Apache should have processed Require valid-user followed by Require all granted, and I should not have been prompted. Just for "fun", I tried switching the order of the Location blocks, but still got prompted. The only thing I could find that worked as I intended was to remove the Location block for "/" entirely. To me, that also was unexpected behavior because in that case there were no Require valid-user directives at all that should have been applied to URLs not matching /wp/feed. And yet they were applied, since I got prompted for all URLs that did not match /wp/feed.

Can anyone explain this? Am I just missing the boat in understanding the answer and documentation?

I had no problem specifying this behavior with nginx directives, where the longest prefix match generally wins. If what I got really is the expected behavior, how can I get what I want with Apache?

sootsnoot

0 Answers