Reputation: 509
In my Apache configuration, I first deny access to the entire filesystem:
<Directory />
Require all denied
</Directory>
Then, in the configuration for each virtual host, I allow unrestricted access:
<VirtualHost ...>
<Directory /var/www/example.com/>
Require all granted
</Directory>
</VirtualHost>
Or require authenticated access:
<VirtualHost ...>
<Directory /var/www/example.com/>
AuthType Basic
AuthName "example.com"
AuthUserFile htpasswd
Require valid-user
</Directory>
</VirtualHost>
I noticed in the Apache documentation that:
And I wondered whether using <Location /> might be a way to require authenticated access for a particular virtual host:
<VirtualHost ...>
<Location />
AuthType Basic
AuthName "example.com"
AuthUserFile htpasswd
Require valid-user
</Location>
</VirtualHost>
But the Apache documentation states that:
<Location> directives should not be used to control access to filesystem locations.
Which led me to wonder whether "should not" was a recommendation for <Location> directives in general, and whether in certain situations a <Location /> directive in particular may be used as an exception to allow access, or in other words: can the Apache <Location> directive be safely used to configure access to a server?
Upvotes: 1
Views: 7269
Reputation: 509
No. Also from the Apache documentation:
My understanding is that because any <Location> directive could potentially overturn any <Directory> directive[1], the least restrictive <Location> directive must not be less restrictive than the most restrictive <Directory> directive across the entire server.
Starting with a sensible <Directory /> default of Require all denied and following the above rule would require any <Location> directive to not be less restrictive than Require all denied, which would of course make it impossible to access the server at all.
Note also that the purpose of the <Location> directive is to configure resources which reside outside of the filesystem.
Bottom line is that for any requests which might touch the filesystem, for any <Location> directives which might apply to any of those requests, the applicable <Location> directives must not include the Require statement.[2]
[1]: For example, using symbolic links.
[2]: It is possible to use filesystem permissions or tools like apparmor to mitigate the security hole opened by including a Require statement in certain <Location> directives, but remember the principle of Defense In Depth.
Upvotes: 2
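The layout the question and answer converge on, written out as one complete virtual host. This is an added illustration, not configuration from the original question or answer; the hostname, the DocumentRoot and htpasswd paths, and the mod_status handler used as the "non-filesystem resource" are assumptions. The point it makes concrete is the merge order the answer relies on: Apache applies <Directory> sections first and <Location> sections last, and with the default AuthMerging Off a Require inside a section replaces the Require it would otherwise inherit, so a catch-all <Location /> silently replaces the filesystem-level default-deny for every path the vhost can map.

```apache
# Added example; not part of the original question or answer.
# example.com, the paths below and the /server-status handler are assumptions.

# 1. Default-deny the whole filesystem (as in the question).
<Directory />
    Require all denied
</Directory>

<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/example.com

    # 2. Grant (here: password-protect) exactly the DocumentRoot.
    #    It is a filesystem path, so <Directory> is the right section.
    #    Use an absolute AuthUserFile; a relative one resolves against ServerRoot.
    <Directory /var/www/example.com/>
        AuthType Basic
        AuthName "example.com"
        AuthUserFile /etc/apache2/htpasswd
        Require valid-user
    </Directory>

    # 3. <Location> only for URL-space resources with no file behind them,
    #    e.g. the mod_status handler (module assumed to be loaded).
    <Location /server-status>
        SetHandler server-status
        Require ip 127.0.0.1
    </Location>

    # 4. The pattern the answer rejects, left commented out on purpose.
    #    <Location> is merged after <Directory>, and with AuthMerging Off
    #    (the default) this Require replaces the inherited "Require all denied",
    #    so any valid user could reach every path this vhost maps, not only
    #    the DocumentRoot that <Directory> opened.
    #
    # <Location />
    #     AuthType Basic
    #     AuthName "example.com"
    #     AuthUserFile /etc/apache2/htpasswd
    #     Require valid-user
    # </Location>
</VirtualHost>
```

Check the result with apachectl -t for syntax, then request a path outside the DocumentRoot (for example something reachable only through an Alias) with valid credentials: with the layout above it must still return 403, and if uncommenting block 4 turns that into a 200 you have reproduced the override the answer describes.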