The apache2 manuals reflect its insanity.
Here is what I think it's really doing (after hacking with allow denys for a while):
File loading precedence appears to be:
1. apache2.conf
2. mods-enabled directory (not certain, could be after conf.d, but I suspect it's before)
3. conf.d file
4. global doc roots .htaccess
5. virtual hosts and .htaccess
It appears that each DocRoot is searched for .htaccess files to be loaded when the vhost block is closed.
NOTE: .htaccess files are NOT loaded 100%. Their parsing is crippled to what the AllowOverride directive says. Non-allowed lines in the .htaccess files are basically ignored!
Directive operating precedence (from weakest to strongest):
1. Directory
2. File
3. Location
So the full loading order on a per-file/directive basis becomes:
1. Directory (conf)
2. Directory (.htaccess from default docroot)
3. Directory (vhost)
4. Directory (.htaccess)
5. File (conf)
6. File (.htaccess from default docroot)
7. File (vhost)
8. File (.htaccess)
9. Location (conf)
10. Location (.htaccess from default docroot)
11. Location (vhost)
12. Location (.htaccess)
This means that to generically block all accesses to a test server with test versions of web sites, you need to use the weakest, most overloadable type. So in the conf.d area add a "block_all" file with these contents:
<Directory />
    # Deny everyone except the listed address or range
    Order deny,allow
    Deny from all
    Allow from <IP_OR_RANGE>
</Directory>