httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jeff Trawick <>
Subject Re: [users@httpd] Order/Required configuration that is suitable to distribute to users of both Apache 2.4 and earlier
Date Sat, 16 Nov 2013 11:59:33 GMT
On Fri, Nov 15, 2013 at 7:52 PM, Claes Gyllensvärd <>wrote:

> With the deprecation of Order, I face an issue with a .htaccess file,
> that, as part of a FOSS project, is being distributed to a large number of
> users; many of which, have little technical knowledge.
> Currently, a Order directive protects a number of file endings that could
> be sensitive.
> If one tries to use that on a host upgraded to 2.4 without access_compat,
> that will give a 500 error. While a 500 error is better than risking to
> expose sensitive files, it's not ideal, and will confuse many users.
> I'm looking for a suitable configuration that would ideally work by
> default on the most common distributions (Debian/Ubuntu/RHEL/CentOS?), and
> handle both 2.4, and 2.2/0 configuration.
> There's mod_version which was introduced in 2.4 that could be used to
> identify 2.4, but if that is disabled by default by a distribution, that
> would break.
> Similarly, on Stackoverflow, it has been suggested to check for <IfModule
> mod_authz_core.c>,and do one things if it's available, and another
> otherwise. That also seems rather fragile though, and is not a contract to
> rely on.

mod_authz_core essentially means httpd > 2.2.  More specifically, it means
httpd > 2.2 that has the Require directive available.

Is your htaccess usable at all without the Require directive?  (It seems
far fetched to have a 2.4 configuration at all without the Require
directive, but I suppose there are some very specialized configurations,
possibly with custom modules, that don't have it available.)

> Does anyone have suggestions for a method to solve this, that can be
> widely applied?
> Kind regards, Claes

Born in Roswell... married an alien...

View raw message