httpd-users mailing list archives

From Claes Gyllensvärd
Subject [users@httpd] Order/Required configuration that is suitable to distribute to users of both Apache 2.4 and earlier
Date Sat, 16 Nov 2013 00:52:56 GMT
With the deprecation of Order, I face an issue with a .htaccess file that,
as part of a FOSS project, is being distributed to a large number of users,
many of whom have little technical knowledge.

Currently, an Order directive protects a number of file endings that could
be sensitive.

If one tries to use that on a host upgraded to 2.4 without access_compat,
that will give a 500 error. While a 500 error is better than risking
exposing sensitive files, it's not ideal, and will confuse many users.

I'm looking for a suitable configuration that would ideally work by default
on the most common distributions (Debian/Ubuntu/RHEL/CentOS?), and handle
both 2.4, and 2.2/0 configuration.

There's mod_version which was introduced in 2.4 that could be used to
identify 2.4, but if that is disabled by default by a distribution, that
would break.

Similarly, on Stack Overflow, it has been suggested to check for <IfModule
mod_authz_core.c>, and do one thing if it's available, and another
otherwise. That also seems rather fragile though, and is not a contract to
rely on.

Does anyone have suggestions for a method to solve this, that can be widely

Kind regards, Claes
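
The `<IfModule mod_authz_core.c>` approach mentioned in the message, written out as an added example; it is not part of the original post or of any project's shipped .htaccess, and the file extensions in the pattern are placeholders.

```apache
# Deny direct access to files whose extensions may hold sensitive data.
# The extension list below is a placeholder; substitute the project's own.
<FilesMatch "\.(inc|sql|log|bak)$">

    # Apache 2.4: mod_authz_core provides the Require syntax.
    # This branch is used whether or not mod_access_compat is also loaded.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>

    # Apache 2.2 and earlier: mod_authz_core does not exist, so fall back
    # to the Order/Deny syntax that is deprecated in 2.4.
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>

</FilesMatch>
```

Both branches fail closed: every request matching the pattern is refused. The host still has to permit these directives in .htaccess (`AllowOverride AuthConfig` for `Require`, `AllowOverride Limit` for `Order`/`Deny`); where it does not, the result is again a 500 error rather than exposed files.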
