My apache 2.4 vhost configuration looks like this:
<Directory />
Require all denied
</Directory>
<Directory /http/mystuff.org/html>
Options FollowSymLinks Indexes Includes
XBitHack on
Require all granted
</Directory>
<Directory /http/mystuff.org/html/secretstuff>
Options Indexes FollowSymLinks
AuthType Digest
AuthName "archives"
AuthUserFile /etc/httpd/private/secretstuff.htaccess
Require valid-user
</Directory>
The Require valid-user directive is simply ignored (i.e. anyone can get to the secretstuff folder without having to authenticate) and I can't figure out how to make it work. I've tried adding Require all denied to the beginning of the , tried using <Location> instead of <Directory> (someone on stackexchange suggested this), but nothing seems to work. I even tried
<RequireAll>
Require valid-user
</RequireAll>
thinking this might be needed because of the Require all allowed in the parent directory, but this didn't work, either. I've read through the apache 2.4 documentation a half a dozen times now and haven't a clue as to why my directives to require a valid user are being ignore. The same configuration worked fine in apache 2.2.
Finally, I believe I have all the necessary modules loaded:
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authz_user_module modules/mod_authz_user.so
OK, the preceding configuration works. I previously had a typo in the directory location, and the page was cached on the browser after that. Total noob mistake.