OpenBSD's httpd daemon {block} directives not working

Question

I'am trying to restrict access to some subfolders of simple website hosted on OpenBSD's httpd native server. Config is rather simple, it is for testing purposes:

server "10.0.1.222" {
        listen on 10.0.1.222 port 80
        log style combined
        location "/*php*"{
                root "/FOLDER"
                fastcgi socket "/run/php-fpm.sock"
        }

        directory {
                index "index.php"
        }

        location "/*" {
                root "/FOLDER"
        }

        location "/SUBFOLDER/*" {block}
}

Inside the SUBFOLDER I placed some htmls not intended to direct viewing. With last location directive I expect requests like http://10.0.1.222/SUBFOLDER/01.html to be blocked with 403 code but I can't achieve it.

While http://10.0.1.222/SUBFOLDER/ returns access denied , requesting any proper html document name within SUBFOLDER serves that request without any complaints.

If string: /SUBFOLDER/* is (as I suppose) proper shell glob that should match string /SUBFOLDER/ itself + any string given after, then requests like http://10.0.1.222/SUBFOLDER/01.html should be returned with code 403 . But it isn't working. I tried many combinations: "/SUBFOLDER/*" , "/SUBFOLDER/*.html" and so on with or without leading / . No effect.

There is probably something I do not understand, but I can't debug my mistake. What am I missing?

Answer 1

Quick answer for my own question, obtained from misc@openbsd.org: according to the manual man httpd.conf in case of the location statement first match wins. To avoid some more specific rules being ignored it is necessary to put them before more global ones. In my case putting blocking directive just after log style combined solved the problem.