  1. #1
    Join Date
    Aug 2009
    Location
    North Idaho, USA
    Posts
    2,008
    Plugin Contributions
    1

    Default .htaccess differences apache 2.2 vs 2.4

    Do I need to be concerned or reformat the zencart .htaccess files since the deny/allow seem to be renamed to require?

    An example being......
    Apache 2.2
    Code:
    Order deny,allow 
    Deny from all
    translates to
    Apache 2.4
    Code:
    Require all denied
    Our host had to upgrade Apache 2.2 to Apache 2.4 to proactively clear a PCI vulnerability for LogJam / DiffieHellman and I noticed quite a few errors related to .htaccess deny which are unrelated to zencart but wanted to ask the question to make sure that the zencart .htaccess lines are not affected.
    Rick
    RixStix (dot) com
    aka: ChainWeavers (dot) com

  2. #2
    Join Date
    Jan 2007
    Location
    Australia
    Posts
    6,167
    Plugin Contributions
    7

    Default Re: .htaccess differences apache 2.2 vs 2.4

    Quote Originally Posted by RixStix View Post
    Do I need to be concerned or reformat the zencart .htaccess files since the deny/allow seem to be renamed to require ?
    Yes if it causes a problem.
    No if it doesn't.

    The 'correct' answer is, if your site is hosted on a V2.4 server you should consider updating the zencart .htaccess files to suit the new method, BUT there is no current urgency to do so because Apache 2.3 & 2.4 have a compatibility module that will allow the older syntax to function as it always has done.

    Cheers
    RodG

  3. #3
    Join Date
    Aug 2009
    Location
    North Idaho, USA
    Posts
    2,008
    Plugin Contributions
    1

    Default Re: .htaccess differences apache 2.2 vs 2.4

    Quote Originally Posted by RodG View Post
    Yes if it causes a problem.
    No if it doesn't.

    The 'correct' answer is, if your site is hosted on a V2.4 server you should consider updating the zencart .htaccess files to suit the new method, BUT there is no current urgency to do so because Apache 2.3 & 2.4 have a compatibility module that will allow the older syntax to function as it always has done.

    Cheers
    RodG
    TNX RodG

    I am guessing that since "Deny" unrelated to zencart is causing an error message to be logged; the "Deny" related to zencart would also cause an error to be logged. Whether the error is due to the "Deny" functioning as intended or due to wrong syntax is beyond my current abilities.

    Given that, the answer for me is to revise the zencart .htaccess files to make apache v2.4 happy instead of finding out the hard way due to a security breach that could have been prevented.
    Rick
    RixStix (dot) com
    aka: ChainWeavers (dot) com

  4. #4
    Join Date
    Jan 2007
    Location
    Australia
    Posts
    6,167
    Plugin Contributions
    7

    Default Re: .htaccess differences apache 2.2 vs 2.4

    Quote Originally Posted by RixStix View Post
    TNX RodG

    I am guessing that since "Deny" unrelated to zencart is causing an error message to be logged; the "Deny" related to zencart would also cause an error to be logged.
    Agreed.

    Quote Originally Posted by RixStix View Post
    Whether the error is due to the "Deny" functioning as intended or due to wrong syntax is beyond my current abilities.
    I can't answer this either. It isn't something I've had a need to research. In fact until you mentioned it, I wasn't even aware of this change even though I do have a few sites using Apache2.4.

    I've done further checks and it appears that all of our sites using 2.4 have had the mod_access_compat enabled by default. I suspect that this would be true for most webhosts else they'd be inundated with support/help requests.

    Quote Originally Posted by RixStix View Post
    Given that, the answer for me is to revise the zencart .htaccess files to make apache v2.4 happy instead of finding out the hard way due to a security breach that could have been prevented.
    You make a very good point and I have to agree that this is probably the best and safest thing to do.


    Cheers
    RodG

  5. #5
    Join Date
    Aug 2016
    Location
    USA
    Posts
    1
    Plugin Contributions
    0

    Default Re: .htaccess differences apache 2.2 vs 2.4

    Fresh install Zen Cart v1.5.5a-05052016
    Linux/openSuSE 13.2
    Apache/2.4.23 (Linux/SUSE)
    PHP Version 5.6.21
    MySQL 5.7.10 MySQL Community Server


    While attempting a fresh install of v155a on my local machine for testing and trial configurations I encountered the errors with the Apache 2.2 syntax in .htaccess. Discovering this thread, I investigated more in Apache docs and found the references to the new syntax. I'm not a network or security person at all, but I'm thinking that if Apache updated the security system in such a major way there must be a reason. My Apache installed without the compatibility module, and that was why I got the errors, including from the installer saying it could access files it should not. I have kludged together a modification for the .htaccess files that seems to work on my system, replacing Apache 2.2 syntax with Apache 2.4 syntax. Then I merged old and new with conditionals to make it, hopefully, work in either environment. As an example, from the /admin/.htaccess, the original has (in pertinent part)

    Code:
    # deny *everything*
    <FilesMatch ".*\..*">
      Order Allow,Deny
      Deny from all
    </FilesMatch>
    
    # but now allow just *certain* necessary files:
    <FilesMatch "(?i).*\.(php|js|css|html?|ico|otf|jpe?g|gif|webp|png|swf|flv|xml|xsl)$">
      Order Allow,Deny
      Allow from all
    </FilesMatch>
    
    IndexIgnore */*
    
    <limit POST PUT>
    order deny,allow
    deny from All
    </limit>
    The rewritten version is

    Code:
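    # Use the Apache2 >= 2.4 auth modules if available
    <IfModule mod_authz_core.c>
        # Bare Require lines form an implicit <RequireAny>, which rejects a
        # negated Require, so both conditions are grouped in <RequireAll>
        <RequireAll>
            # don't allow POST and PUT methods at all
            Require not method POST PUT
            # allow just *certain* necessary files
            Require expr "%{REQUEST_URI} =~ /.*\.(php|js|css|html?|ico|otf|jpe?g|gif|webp|png|swf|flv|xml|xsl)$/i"
        </RequireAll>
    </IfModule>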
    
    # Use the Apache2 < 2.4 access controls if we have to
    <IfModule !mod_authz_core.c>
        # deny *everything*
        <FilesMatch ".*\..*">
        Order Allow,Deny
        Deny from all
        </FilesMatch>
    
        # but now allow just *certain* necessary files:
        <FilesMatch "(?i).*\.(php|js|css|html?|ico|otf|jpe?g|gif|webp|png|swf|flv|xml|xsl)$">
        Order Allow,Deny
        Allow from all
        </FilesMatch>
    
        <limit POST PUT>
            order deny,allow
            deny from All
        </limit>
    
    </IfModule>
    
    IndexIgnore */*
    The conditionals used are based on testing for the existence of the authz_core module, which seems to be the driving force in the new system, and will not be present in older versions. At first I was testing for the compatibility module, and using old style if present. My logic error with that was that old systems also have no compatibility module (they don't need it), and the new systems with it probably should use the newer (better?) system anyway.

    Is there someone who understands Apache and security better that can vet my kludging?

    If the Apache update is, in fact, a better security, wouldn't it be better for all Zenners to use the newer syntax where supported?
    Is this something to address in coming upgrades?

    As an extra note: I think something involved with this change-over was interfering with the installation process at the database creation stage as I got a slew of errors on my server log when the progress bar in the modal dialog froze. (This is discussed in other threads, which I lost track of before registering here.)

    Code:
    [Sun Aug 14 02:55:50.555062 2016] [:error] [pid 25471] [client xxx.xx.xx.xx.69:42163] client denied by server configuration: /srv/www/htdocs/store/zc_install/ajaxGetProgressValues.php, referer: https://my.machine.net/store/zc_install/index.php?main_page=database
    Once I switched to the Apache 2.4 syntax I was able to complete the install without errors or issues.
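
An added example, not part of the original post or of Zen Cart's code: a small audit that reports Apache 2.2 access directives left outside an `<IfModule>` guard (these fail on a 2.4 server that lacks mod_access_compat) and negated `Require` lines outside `<RequireAll>` (bare `Require` lines form an implicit `<RequireAny>`, where mod_authz_core rejects a negated one). The function name `audit_htaccess` and both sample snippets are constructed for illustration.

```python
import re

# Apache 2.2 access directives that need mod_access_compat on a 2.4 server.
LEGACY = re.compile(r"^(order|allow\s+from|deny\s+from|satisfy)\b", re.I)
OPEN = re.compile(r"^<\s*(\w+)\s*(.*?)\s*>$")
CLOSE = re.compile(r"^</\s*\w+\s*>$")
# <IfModule> tests under which 2.2 syntax is only read where it is supported.
SAFE_GUARDS = {"!mod_authz_core.c", "!authz_core_module",
               "mod_access_compat.c", "access_compat_module"}

def audit_htaccess(text):
    """Return (line_no, directive, problem) tuples for lines that can fail on 2.4."""
    findings, stack = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            del stack[-1:]  # leave the innermost container (no-op if unbalanced)
            continue
        m = OPEN.match(line)
        if m:
            stack.append((m.group(1).lower(), m.group(2).strip('"').lower()))
            continue
        guarded = any(n == "ifmodule" and a in SAFE_GUARDS for n, a in stack)
        if LEGACY.match(line) and not guarded:
            findings.append((no, line, "2.2 directive without IfModule guard"))
        if re.match(r"require\s+not\b", line, re.I):
            # Innermost authorization container; none means implicit RequireAny.
            box = next((n for n, _ in reversed(stack) if n.startswith("require")), None)
            if box != "requireall":
                findings.append((no, line, "negated Require outside <RequireAll>"))
    return findings

# Constructed samples modelled on the /admin/.htaccess snippets in this thread.
OLD_STYLE = '<FilesMatch ".*\\..*">\nOrder Allow,Deny\nDeny from all\n</FilesMatch>\n'
GUARDED = """<IfModule mod_authz_core.c>
  <RequireAll>
    Require all granted
    Require not method POST PUT
  </RequireAll>
</IfModule>
<IfModule !mod_authz_core.c>
  Order deny,allow
  Deny from all
</IfModule>
"""
if __name__ == "__main__":
    print(audit_htaccess(OLD_STYLE), audit_htaccess(GUARDED))
```

Run it over each `.htaccess` in the store before and after a server upgrade; an empty result means no line was flagged by these two checks, not that the rules are equivalent.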

  6. #6
    Join Date
    Jan 2004
    Posts
    66,373
    Blog Entries
    7
    Plugin Contributions
    274

    Default Re: .htaccess differences apache 2.2 vs 2.4

    Quote Originally Posted by SpellweaverGypsy View Post
    If the Apache update is, in fact, a better security, wouldn't it be better for all Zenners to use the newer syntax where supported?
    Is this something to address in coming upgrades?
    Ya, v1.6.0 will have updated apache rules built-in: https://github.com/zencart/zencart/pull/1081/files

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

 

 
