url.access-deny problems
Added by azredneck over 16 years ago
Greetings,
I've just migrated an Apache server to Lighttpd, and am running into some oddities with url.access-deny. My config file has:
url.access-deny = ( "~", ".inc" )
$HTTP["referer"] !~ "^(http://(www\.)?domain\.com)" {
url.access-deny = ( ".jpg", ".jpeg", ".png", ".gif", ".bmp" )
}
The problem is that when the referer conditional is satisfied, '~' and '.inc' files are no longer denied. It appears to completely reset the url.access-deny list in the hotlink protection block, even if a request matched a higher-level setting.
To make it work, I'm having to add all the global settings into each lower-level block.
Is there a way to enforce the global setting and the lower-level ones? For instance, is there something like:
url.access-deny += ( ".sfs" )
The above is just an example, but I had intended to add a few more things to the top-level url.access-deny, as well as more conditional blocks using it. If the only way to make it all work is to specify every single blocked extension at every possible level, the config is going to get hard to maintain real fast :/. For example:
url.access-deny = ( "~", ".inc" )
$HTTP["referer"] !~ "^(http://(www\.)?domain\.com)" {
url.access-deny = ( ".jpg", ".jpeg", ".png", ".gif", ".bmp" )
$HTTP["remoteip"] == "1.1.1.1" {
url.access-deny = ( "/admin" )
Looking at this, I would have expected:
1) if request is for a file ending in '~' or '.inc', 403
2) if request has a bad referer and is for an image, 403
3) if a request is from the bad IP for that location, 403
True, we get all those effects, but we also get a number of side effects:
1) 1.1.1.1 is able to hotlink
2) everyone with a bad referrer can read '~' and '.inc' files
3) The order of the statements affects the result (flip the referer and remoteip blocks... 1.1.1.1 would be able to access the restricted area if he has a bad referer!)
Anyone know of a setting I'm just missing that does what I'm after? Is this behavior documented anywhere?
Thanks!
Replies (1)
RE: url.access-deny problems - Added by azredneck over 16 years ago
For clarification... the behavior I'm seeing is effectively "last matching rule wins"... leading to the pitfalls mentioned above. What I'd like is a way to make this "first matching rule wins", so that later restrictions don't accidentally "un-disallow" previously disallowed files.
Also, I just spotted a typo in the example config I gave... missing closing brackets. Here's the corrected config snippet:
url.access-deny = ( "~", ".inc" )
$HTTP["referer"] !~ "^(http://(www\.)?domain\.com)" { url.access-deny = ( ".jpg", ".jpeg", ".png", ".gif", ".bmp" ) }
$HTTP["remoteip"] == "1.1.1.1" { url.access-deny = ( "/admin" ) }
Thanks again