
We have an Apache 2.4 server, and in our VHost for a WordPress install we only allow overriding Limit, Options and FileInfo (`AllowOverride Limit Options FileInfo`).

```apache
<VirtualHost *:443>
DocumentRoot /www/www.wordpressblog.com
ServerName www.wordpressblog.com
ServerAlias wordpressblog.com

ErrorLog /var/log/apache2/www.wordpressblog.com_error.log
CustomLog /var/log/apache2/www.wordpressblog.com_access.log combined

SetEnv APPLICATION_ENV production

Include conf-available/server-ssl.conf

<Directory /www/www.wordpressblog.com>
    Options FollowSymLinks
    AllowOverride Limit Options FileInfo
    DirectoryIndex index.php
    Order allow,deny
    Allow from all
</Directory>
```

So a WordPress plugin uses `.htaccess` with `FilesMatch` to `Require all denied` for `.php` files to ensure that the underlying directories cannot be abused by malicious PHP scripts.

```apache
<FilesMatch  "\.php$">
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
</IfModule>
```

But with these options, all underlying accessible files (for example CSS) respond with a 500 HTTP Status Code (Internal Server Error).

```
/www/www.wordpressblog.com/wp-content/plugins/awesomeplugin/.htaccess: Require not allowed here
```

If I extend `AllowOverride` with `AuthConfig` in the VHost, the same happens: "require is not allowed there". But I can't find the failure. Also, `AllowOverride AuthConfig` cannot be the solution, as other plugins can put an `.htaccess` with "Require all granted", which I would try to avoid.

  • You are missing a `</FilesMatch>` terminator tag to close off the FilesMatch block. – parkamark Aug 07 '18 at 13:04
  • Require all granted is the default. It doesn't matter if someone can insert this in .htaccess, because it does nothing. Just set AllowOverride AuthConfig and move on with your life. – Michael Hampton Aug 07 '18 at 14:11
  • Presumably you restarted Apache after making this change to the server config? Do you have any other `AllowOverride` directives in your server config that are perhaps overriding this setting? – MrWhite Aug 07 '18 at 16:26
  • "for `.php`-Files to ensure that the underlying directories cannot be abused by malicious PHP Scripts." - Actually, that's not what those directives do. They don't do anything to protect against "malicious PHP scripts". All they do is prevent the end user from accessing these scripts directly (which could also be implemented in the PHP scripts themselves). – MrWhite Aug 07 '18 at 16:36
  • @MichaelHampton "Just set AllowOverride AuthConfig and move on" - Although the OP appears to be saying that this is what they have tried but it didn't resolve the error. – MrWhite Aug 07 '18 at 16:38
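
An added example, not part of the original post or comments: a small checker that reports which directives in an `.htaccess` file need an override class missing from the directory's `AllowOverride` list, and which sections are left unclosed. The function name `audit_htaccess`, the `loaded_modules` argument and the directive-to-class table (a partial subset taken from the Apache 2.4 directive documentation) are assumptions of this sketch.

```python
import re

# Override class Apache 2.4 requires for each directive in .htaccess (subset).
OVERRIDE_CLASS = {
    "require": "AuthConfig", "authtype": "AuthConfig", "authname": "AuthConfig",
    "order": "Limit", "allow": "Limit", "deny": "Limit",
    "options": "Options", "directoryindex": "Indexes",
    "rewriteengine": "FileInfo", "rewriterule": "FileInfo",
    "errordocument": "FileInfo", "sethandler": "FileInfo", "addtype": "FileInfo",
}

# The plugin's .htaccess exactly as posted in the question (no </FilesMatch>).
SAMPLE = r'''<FilesMatch  "\.php$">
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
</IfModule>
'''

def audit_htaccess(text, allow_override, loaded_modules):
    """Return sorted (line_no, message) findings for one .htaccess file."""
    allowed = {c.lower() for c in allow_override}
    if "none" in allowed:              # AllowOverride None: file is not read at all
        return []
    findings, stack = [], []           # stack entries: (section name, line_no, active)
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := re.match(r"</(\w+)>", line):
            if stack and stack[-1][0].lower() == m.group(1).lower():
                stack.pop()
            else:
                findings.append((no, f"unexpected {line}"))
        elif m := re.match(r"<(\w+)\s*(.*?)>$", line):
            name, arg, active = m.group(1), m.group(2).strip('"'), True
            if name.lower() == "ifmodule":  # skipped unless the module test holds
                active = (arg.lstrip("!") in loaded_modules) != arg.startswith("!")
            stack.append((name, no, active))
        else:
            word = line.split()[0]
            needed = OVERRIDE_CLASS.get(word.lower())
            if (needed and all(s[2] for s in stack)
                    and not allowed & {"all", needed.lower()}):
                findings.append((no, f"{word} needs AllowOverride {needed}"))
    findings += [(no, f"<{name}> was not closed") for name, no, _ in stack]
    return sorted(findings)
```

Calling `audit_htaccess(SAMPLE, ["Limit", "Options", "FileInfo"], {"mod_authz_core.c"})` flags the `Require` line and the unclosed `<FilesMatch>`; the `Order`/`Deny` branch is skipped because the module test is false on a server with `mod_authz_core` loaded.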
