Update .htaccess for Apache 2.4 #513

Closed
MECU opened this issue Jun 4, 2014 · 9 comments

@MECU

MECU commented Jun 4, 2014

I'm not an expert in Apache, but I think the only change required to the .htaccess for upgrading from v2.2 to v2.4 is changing this:

<FilesMatch "\.(inc|info|module|sh|sql)$|^(\..*)$">
  Order allow,deny
</FilesMatch>

to this:

<FilesMatch "\.(inc|info|module|sh|sql)$|^(\..*)$">
  Require all denied
</FilesMatch>

Perhaps just add a comment like this:

<FilesMatch "\.(inc|info|module|sh|sql)$|^(\..*)$">
  Order allow,deny
# If using Apache 2.4, comment out the above line and un-comment this line:
#  Require all denied
</FilesMatch>

@teppokoivula

I'm not an expert in Apache either, but I've been running PW with Apache 2.4 for quite a while without any noticeable issues. Could you please explain exactly what this change does and/or why it's needed?

@teppokoivula

Got it -- http://httpd.apache.org/docs/2.4/upgrading.html#access. Had mod_access_compat enabled so didn't need aforementioned update, but it sure looks like this would be a good idea.

I'm wondering if version checking of some sort would be feasible here? (Doesn't seem that there's a really clean way to do that, though, at least according to this SO thread.)

@MECU
Author

MECU commented Jun 5, 2014

From https://developers.google.com/speed/pagespeed/module/configuration with a few mods for our purpose. The path is problematic though, so maybe just wrap in an IfModule mod_version.c?

<IfModule !mod_version.c>
  LoadModule version_module /usr/lib/apache2/modules/mod_version.so
</IfModule>

<IfVersion < 2.4>
  Order allow,deny
</IfVersion>
<IfVersion >= 2.4.2>
  Require all denied
</IfVersion>

@ryancramerdesign
Owner

That FilesMatch isn't completely necessary since we have a secondary check that uses rewrite rules. I put it there just because it's presumably faster than rewrite rules and can rule out stuff more quickly. Besides, when it comes to security I always figure doubling-up on something can't hurt. But I'm not particularly concerned if the FilesMatch statement stops working as a result of an Apache version because it'll still get picked up by the rewrite rules. But I totally agree with making this Apache 2.4 compatible.

MECU's last idea looks good, but it requires knowing the path to apache. We can't hard code paths to Apache in a default htaccess file, so at that point I think we're better off just using MECU's first idea of providing a comment in the htaccess file.

@phlppschrr

Maybe just do it like the usually well-tested html5-boilerplate project does it:

<FilesMatch "(^#.*#|\.(bak|conf|dist|fla|in[ci]|log|psd|sh|sql|sw[op])|~)$">

# Apache < 2.3
<IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
    Satisfy All
</IfModule>

# Apache ≥ 2.3
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

</FilesMatch>

https://github.com/h5bp/html5-boilerplate/blob/8c4b71e6c601550680d45f7d719cd9c1f6b0fe4d/.htaccess#L415

@ryancramerdesign
Owner

Thanks, it looks like that's a good potential workaround. But also looks like that matches Apache 2.3. Aren't we trying to match Apache 2.4 instead? Or was 2.3 a transitional version where either type of directive would have worked?

@phlppschrr

It seems there was never a stable Apache 2.3 release:
http://de.wikipedia.org/wiki/Apache_HTTP_Server#Apache_2.3

This is the original commit message with some links for more information:
h5bp/server-configs-apache@8057f17

@phlppschrr

I think this can be closed. We currently have rules for both versions in the htaccess, which can be swapped by commenting in/out.

I also just made a PR (#1128) which incorporates a universal rule as suggested above.

@ryancramerdesign
Owner

Thanks, I will close this out and check out that PR you mentioned.
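
An added example, not part of the thread and not code from ProcessWire or html5-boilerplate: a small Python audit that flags access-control directives in an .htaccess that are not wrapped in a module or version guard of the kind discussed above. The function names and the sample are constructed for illustration, and the parser assumes one directive per line.

```python
import re

LEGACY = {"order", "allow", "deny", "satisfy"}  # 2.2 syntax (mod_access_compat on 2.4)

def _guard(name, args):
    """Which directive family ('legacy'/'modern') a section makes safe, if any."""
    name, args = name.lower(), args.strip().lower()
    if name == "ifmodule":
        return {"!mod_authz_core.c": "legacy", "mod_access_compat.c": "legacy",
                "mod_authz_core.c": "modern"}.get(args)
    if name == "ifversion":  # simplification: only the comparison operator is read
        return "legacy" if args.startswith("<") else "modern" if args.startswith(">") else None
    return None

def audit_htaccess(text):
    """Return (line_no, directive, family) for each unguarded access directive."""
    findings, stack = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):
            del stack[-1:]  # close the innermost section; tolerate stray closers
            continue
        opened = re.match(r"<(\w+)\s*(.*)>$", line)
        if opened:
            stack.append(_guard(*opened.groups()))
            continue
        words = line.lower().split()
        family = ("legacy" if words[0] in LEGACY else
                  "modern" if words[:2] == ["require", "all"] else None)
        if family and family not in stack:
            findings.append((no, line, family))
    return findings

# Constructed sample: the block from the first post, then the same block
# guarded the way the html5-boilerplate snippet in this thread does it.
SAMPLE = r'''<FilesMatch "\.(inc|info|module|sh|sql)$|^(\..*)$">
  Order allow,deny
</FilesMatch>
<FilesMatch "\.(inc|info|module|sh|sql)$|^(\..*)$">
  <IfModule !mod_authz_core.c>
    Order allow,deny
  </IfModule>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
</FilesMatch>'''
```

Calling `audit_htaccess(SAMPLE)` reports only line 2, the unguarded `Order allow,deny`; the guarded copy of the same block produces no findings.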
