On 27/05/17 07:52, Amos Jeffries wrote: > This is why best practice is to use a "deny" line like so: > http_access deny !auth_users > > ... which makes it clear what is happening for every non-authenticated > thing, both situation (1) and (2) traffic. Sorry "both situation (1) and (3) traffic". Amos