I wonder if someone can offer a path to circumvent this Apache limitation (or feature - whatever it is, I cannot do what I need because of that, so for me it is a limitation)
From Apache 2.2 manual:
Regardless of any access restrictions placed in <Directory> sections, the <Location> section will be evaluated last and will allow unrestricted access to the server. In other words, order of merging is important, so be careful!
However, some of the directives just have to be placed in <Location> because they need to apply to virtual URLs (for which there are no files in the filesystem) and some other ones have to apply to actual files in the filesystem, hence they have to be placed in the directory <Directory>. However, since <Location> is processed last, it seems to cancel out whatever is in <Directory> if the <Location> has to have "Allow from all" directive.
Does anyone have an idea on how to reconcile this? Is there a way to stop further processing of these rules after one has been matched in <Directory>?
One alternative is to use mod_rewrite with a RewriteCond looking at THE_REQUEST. The Request is whatever the user originally asked for, whether or not it "really" exists. So you can make the rule do the same job as the <Location> envelope.
But then, I'm more comfortable writing rules aimed at files that actually exist. For, ahem, a given definition of "exist".
Now, if you absolutely have to have those envelopes, you could add an environmental flag to the result of all other rules, and then start the <Location> ruleset by looking at that environment flag and letting it overrule everything else...
... or you could proceed directly to Apache 2.4, which apparently allows a generalized If/Then construction ;)