So I have finally roused myself to quit relying on my host's mod_compat module and to convert my .htaccess file over from 2.2 to 2.4.

The mod_authz stuff seems straightforward: Allow/Deny --> Require Any/All / Require not, although I'm going to have to study the possibilities of nesting commands more thoroughly.

At the same time, though, I'm also going to be converting some portion of my mod_authz Allow/Deny stuff to mod_setenvif in order to get more granular control.

Right now, I'm already using mod_setenvif to cut holes for DuckDuckBot in a block against AWS ranges. My current Apache 2.2

SetEnvIf Remote_Addr ^107\.20\.0\.0\/14 bad_range
SetEnvIf Remote_Addr ^107\.21\.1\.8$ !bad_range # DuckDuckBot
deny from env=bad_range

(There's an Allow from command already in place above where the deny from env=bad_range is placed.)

My new Apache 2.4 configuration for the above and for using mod_setenvif to control any other IP range or address under 2.4, as I understand it, should be

SetEnvIf Remote_Addr ^107\.20\.0\.0\/14 bad_range
SetEnvIf Remote_Addr ^107\.21\.1\.8$ !bad_range # DuckDuckBot
<RequireAll>
Require not env=bad_range
</RequireAll>

My questions are, before I blow things up, is the above new 2.4 configuration correct, and is the RequireAll envelope even necessary? My understand as to the latter is that it is necessary, taking the place of the prior 2.2 Allow from all preceding any subsequent Deny from commands.

Thanks.