
I want to protect an entire server with Require valid-user, but I want to allow certain resources to be accessible without a login. For the sake of argument, say that files A, B, and C should be public. I've tested this requirement with the config below:

<Location "/">
  ...
  AuthType openid-connect
  Require  valid-user
</Location>

<Directory "/var/www/data">
  Require all denied
  <Files "A">
    Allow from all
   Satisfy Any
  </Files>
  <Files "B">
    Require all granted
    Satisfy Any
  </Files>
  <Files "C">
    Require all granted
  </Files>
</Directory>

For this config, A and B work as expected (the files can be viewed without a login), but C doesn't work.

The configuration for file A (with allow and satisfy) is recommended by the 2.4 documentation (under "Another frequent use of the Satisfy directive is to relax access restrictions for a subdirectory").

The config for file B is the obvious equivalent without allow, but still requires a satisfy, since the config for file C doesn't work.

The problem is that satisfy is deprecated in 2.5, so how do I get this to work for 2.5? RequireAny only works within a single directory, unlike satisfy, so doesn't seem to be the right answer. I haven't tested a RequireAny that encloses all of AuthType, Require valid-user, and Require all granted for every resource that has to be public - there must be a better way.
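The behaviour of file C follows from Apache's section merge order, sketched below as an added example that is not part of the original post. It assumes /var/www/data is the DocumentRoot (so the files are served at /A, /B and /C) and that AuthMerging is left at its default of Off.

```apache
# Added example (constructed); the paths and file names mirror the question.
# Assumption: /var/www/data is the DocumentRoot, so file C is served at URL /C.

# Matching sections are merged in this order:
#   <Directory>, then <Files>, then <Location>/<LocationMatch>.
# With the default "AuthMerging Off", the Require lines of the section merged
# last replace the ones merged earlier. In the question's config,
# <Location "/"> is merged after <Files "C">, so "Require valid-user"
# replaces "Require all granted" and C asks for a login.

<Directory "/var/www/data">
  Require all denied
</Directory>

<Location "/">
  AuthType openid-connect
  Require valid-user
</Location>

# Location sections are merged in the order they appear in the configuration,
# so this block has to come AFTER <Location "/">. Its Require then replaces
# "Require valid-user" for exactly these three URLs, without Satisfy.
<LocationMatch "^/(A|B|C)$">
  Require all granted
</LocationMatch>
```

Because the exception is keyed on the URL path rather than the file, keep the pattern anchored so it cannot match other paths, and confirm with an unauthenticated request that /A, /B and /C are served while any other URL still triggers the login.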
