[pmwiki-users] Apache 2.4 htaccess

Petko Yotov 5ko at 5ko.fr
Sun Nov 3 14:09:43 CST 2013


Oliver Betz writes:
> currently PmWiki uses
>
>  Order Deny,Allow
>  Deny from all
>
> as default .htaccess in several writeable directories.
>
> As far as I see, Apache 2.4 doesn't support this notation.
>
> Is the default behaviour of Apache 2.4 safe enough or should there be
> specific entries?

I made some research and tests.

When using this on Apache 2.4:

  Order Deny,Allow
  Deny from all

Apache 2.4 with the module access_compat_module enabled, works just fine.

Apache 2.4 without the module access_compat_module enabled, returns an  
Internal server error when trying to access a file in the protected  
directories. So, the files in these directories are still protected.

This access_compat_module may be or not installed by default.

The recommended way to protect a directory for Apache 2.4 in .htaccess is:

  Require all denied

This obviously works fine in Apache 2.4, but in 2.2 it does nothing.

The following was recommended as "backwords compatible" on some tech sites:

  # Apache 2.4
  <IfModule mod_authz_core.c>
      Require all denied
  </IfModule>

  # Apache 2.2
  <IfModule !mod_authz_core.c>
      Order Allow,Deny
      Deny from all
  </IfModule>

This works fine on my home Apache 2.4 server, but on my home 2.2 server it  
does nothing.

I'll have to investigate it further.

In the mean time, I'm not overly worried because the old .htaccess  
protection does not allow access to the protected files with the new version  
of Apache.

Petko









More information about the pmwiki-users mailing list