I've a very easy question. However I have been digging all the manuals for an answer for a full day already.
What I want is to configure Apache to give anyone read access to /var/www but restrict /var/www/private to my team only. I'm looking for the new solution of version 2.4. Thus not using deprecated directives like Allow, Deny, Order and Satisfy. I have write permission for the /etc/apache2/sites-available/* files but only read permission for /etc/apache2/apache2.conf.
What I've tried so far is this: Content of /etc/apache2/apache2.conf:
<Directory />
    Require all denied
</Directory>
<Directory /var/www>
    Require all granted
</Directory>
Content of /etc/apache2/sites-available/000-default.conf:
<Directory /var/www/private>
    Require group team
</Directory>
But with this configuration everyone has access to /var/www/private. And this I can understand, since Apache merges all the environments for /var/www/private to something like this:
Require all denied  # inherited from /
Require all granted # inherited from /var/www
Require group team  # inherited from /var/www/private
And since Require directives outside <RequireAll>, <RequireAny> or <RequireNone> are equivalent to being in a <RequireAny> block, the merged view is thus:
<RequireAny>
    Require all denied  # inherited from /
    Require all granted # inherited from /var/www
    Require group team  # inherited from /var/www/private
</RequireAny>
And this shows clearly why /var/www/private is open for everyone (the second statement always matches).
My question is thus: "Can you somehow overide the Require all granted in a parent directory in a subdirectory or can you change the default <RequireAny> behaviour to <RequireAll>?"

require group teamwon't do what you want except you need to create the group in a htpasswd file (system group doesn't apply) and the users need to login with their user/pass.RequireAnyso it can usually be omitted unless you need to change it.