On Fri, Nov 15, 2013 at 7:52 PM, Claes Gyllensvärd <[email protected]> wrote:

> With the deprecation of Order, I face an issue with a .htaccess file,
> that, as part of a FOSS project, is being distributed to a large number of
> users; many of which, have little technical knowledge.
>
> Currently, an Order directive protects a number of file endings that could
> be sensitive.
>
> If one tries to use that on a host upgraded to 2.4 without access_compat,
> that will give a 500 error. While a 500 error is better than risking to
> expose sensitive files, it's not ideal, and will confuse many users.
>
>
> I'm looking for a suitable configuration that would ideally work by
> default on the most common distributions (Debian/Ubuntu/RHEL/CentOS?), and
> handle both 2.4, and 2.2/0 configuration.
>
> There's mod_version which was introduced in 2.4 that could be used to
> identify 2.4, but if that is disabled by default by a distribution, that
> would break.
>
> Similarly, on Stackoverflow, it has been suggested to check for <IfModule
> mod_authz_core.c>, and do one thing if it's available, and another
> otherwise. That also seems rather fragile though, and is not a contract to
> rely on.
>

mod_authz_core essentially means httpd > 2.2. More specifically, it means httpd > 2.2 that has the Require directive available.

Is your htaccess usable at all without the Require directive? (It seems far fetched to have a 2.4 configuration at all without the Require directive, but I suppose there are some very specialized configurations, possibly with custom modules, that don't have it available.)

> Does anyone have suggestions for a method to solve this, that can be
> widely applied?
>
> Kind regards, Claes
>

--
Born in Roswell... married an alien...
http://emptyhammock.com/
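
The `<IfModule mod_authz_core.c>` test discussed in this thread, written out as an added example that is not part of the original message or the project's own .htaccess. The extension list in `FilesMatch` is a placeholder, since the thread does not name the protected file endings.

```apache
# Added example. The extensions below are placeholders (assumption);
# substitute the file endings the project actually needs to protect.
<FilesMatch "\.(inc|ini|log|sql|bak)$">

    # httpd 2.4 and later: mod_authz_core is present and provides Require.
    # Override class needed in the vhost: AllowOverride AuthConfig
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>

    # httpd 2.2 and earlier: mod_authz_core does not exist, so this branch
    # is the only one parsed and the legacy directives are used instead.
    # Override class needed in the vhost: AllowOverride Limit
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>

</FilesMatch>
```

Only one branch is parsed on any given server, so a 2.4 host without access_compat never sees `Order`, and a 2.2 host never sees `Require all denied`. After deploying, request one of the protected files and confirm a 403 rather than a 200 or 500; a 2.4 build lacking mod_authz_core (the specialized case mentioned in the reply) would take the `Order` branch and still need mod_access_compat.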
