No. Also from the Apache documentation:
My understanding is that because any <Location>
directive could potentially overturn any <Directory>
directive[1], the least restrictive <Location>
directive must not be less restrictive than the most restrictive <Directory>
directive across the entire server.
Starting with a sensible <Directory />
default of Require all denied
and following the above rule would require any <Location>
directive to not be less restrictive than Require all denied
, which would of course make it impossible to access the server at all.
Note also that the purpose of the <Location>
directive is to configure resources which reside outside of the filesystem.
Bottom line is that for any requests which might touch the filesystem, for any <Location>
directives which might apply to any of those requests, the applicable <Location>
directives must not include the Require
statement.[2]
[1]: For example, using symbolic links.
[2]: It is possible to use filesystem permissions or tools like apparmor to mitigate the security hole opened by including a Require
statement in certain <Location>
directives, but remember the principle of Defense In Depth.