A common mistake that we could make is to misplace the order of Allow and Deny, which is the key to determine the behavior of access control.
For example, if you want to make a negative policy to deny accesses with some explicit exceptions. The order shouldn't be Allow,Deny:
<Location /status/>
Order Allow,Deny
Deny from all
Allow from 192.168.0.0/24
</Location>
The above order have no effects on access control. It doesn't deny anything.
The correct way make a negative rule is to put Deny first, then Allow. Therefore, the correct sequence to set Order properly is as following.
<Location /status/>
Order Deny,Allow
Deny from all
Allow from 192.168.0.0/24
</Location>