When satisfy any follows a deny/allow rule like the following and hit from an IP that is NOT allowed it says it blocks it: AH01797: client denied by server configuration: /var/www/html But in fact the page is allowed, and the access_log shows a 200 response code. These are the lines in question: Order Deny,Allow Deny from all Allow from 88.88.88.88 Satisfy any I would expect that if the apache error_log says it is blocking the request it really does block the request. The mismatch behavior makes me wonder if while processing it sees the Deny and says "This is being blocked" but since the Deny is "satisfied" the Satisfy any then allows it through? # httpd -V Server version: Apache/2.4.29 Server built: Feb 2 2018 14:40:21 Server's Module Magic Number: 20120211:68 Server loaded: APR 1.5.2, APR-UTIL 1.5.2 Compiled using: APR 1.5.2, APR-UTIL 1.5.2 Architecture: 64-bit Server MPM: event threaded: yes (fixed thread count) forked: yes (variable process count) Server compiled with.... -D APR_HAS_SENDFILE -D APR_HAS_MMAP -D APR_HAVE_IPV6 (IPv4-mapped addresses disabled) -D APR_USE_SYSVSEM_SERIALIZE -D APR_USE_PTHREAD_SERIALIZE -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT -D APR_HAS_OTHER_CHILD -D AP_HAVE_RELIABLE_PIPED_LOGS -D DYNAMIC_MODULE_LIMIT=256 -D HTTPD_ROOT="/etc/apache2" -D SUEXEC_BIN="/usr/sbin/suexec" -D DEFAULT_PIDLOG="/var/run/apache2/httpd.pid" -D DEFAULT_SCOREBOARD="logs/apache_runtime_status" -D DEFAULT_ERRORLOG="logs/error_log" -D AP_TYPES_CONFIG_FILE="conf/mime.types" -D SERVER_CONFIG_FILE="conf/httpd.conf"
the logging may be misleading in this configuration, but the behavior is working as designed. "satisfy any" means that only one of access control and authentication/ authorization need to permit the user. You didn't configure any restrictions on the latter, so the request is accepted. When the former is failing access control, it doesn't know if/how the result will be rolled up.