With the deprecation of Order, I face an issue with a .htaccess file that, as part of a FOSS project, is being distributed to a large number of users, many of whom have little technical knowledge.

Currently, an Order directive protects a number of file endings that could be sensitive. If one tries to use that on a host upgraded to 2.4 without access_compat, that will give a 500 error. While a 500 error is better than risking exposing sensitive files, it's not ideal, and will confuse many users.

I'm looking for a suitable configuration that would ideally work by default on the most common distributions (Debian/Ubuntu/RHEL/CentOS?), and handle both 2.4 and 2.2/0 configurations.

There's mod_version, which was introduced in 2.4, that could be used to identify 2.4, but if that is disabled by default by a distribution, that would break. Similarly, on Stack Overflow, it has been suggested to check for `<IfModule mod_authz_core.c>`, and do one thing if it's available, and another otherwise. That also seems rather fragile though, and is not a contract to rely on.

Does anyone have suggestions for a method to solve this that can be widely applied?

Kind regards,
Claes
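For reference, the `<IfModule mod_authz_core.c>` check mentioned in the message looks like this when written out. This is an added example, not part of the original post or the project's own .htaccess, and the extension list in the `FilesMatch` pattern is a placeholder assumption:

```apache
# Added example. The extensions (inc|sql|log) are placeholders, not the
# project's actual list of protected file endings.

# Apache 2.4 and later: mod_authz_core is present and provides Require.
<IfModule mod_authz_core.c>
    <FilesMatch "\.(inc|sql|log)$">
        Require all denied
    </FilesMatch>
</IfModule>

# Apache 2.2/2.0: mod_authz_core does not exist, so the negated test is
# true and the legacy Order/Deny directives are used instead.
<IfModule !mod_authz_core.c>
    <FilesMatch "\.(inc|sql|log)$">
        Order allow,deny
        Deny from all
    </FilesMatch>
</IfModule>
```

Because the two tests are exact complements, one of the blocks always applies, so the files are never left unprotected by a skipped `IfModule`. A 500 error is still possible where the host's `AllowOverride` does not permit these directives in .htaccess (`AuthConfig` for `Require`, `Limit` for `Order`/`Deny`).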
