Results 1 to 6 of 6

Hybrid View

  1. #1
    Join Date
    Aug 2016
    Location
    USA
    Posts
    1
    Plugin Contributions
    0

    Default Re: .htaccess differences apache 2.2 vs 2.4

    Fresh install Zen Cart v1.5.5a-05052016
    Linux/openSuSE 13.2
    Apache/2.4.23 (Linux/SUSE)
    PHP Version 5.6.21
    MySQL 5.7.10 MySQL Community Server


    While attempting a fresh install of v155a on my local machine for testing and trial configurations I encountered the errors with the Apache 2.2 syntax in .htaccess. Discovering this thread, I investigated more in Apache docs and found the references to the new syntax. I'm not a network or security person at all, but I'm thinking that if Apache updated the security system in such a major way there must be a reason. My Apache installed without the compatibility module, and that was why I got the errors, including from the installer saying it could access files it should not. I have kludged together a modification for the .htaccess files that seems to work on my system, replacing Apache 2.2 syntax with Apache 2.4 syntax. Then I merged old and new with conditionals to make it hopefully, work in either environment. As an example, from the /admin/.htaccess, the original has (in pertinent part)

    Code:
    # deny *everything*
    <FilesMatch ".*\..*">
      Order Allow,Deny
      Deny from all
    </FilesMatch>
    
    # but now allow just *certain* necessary files:
    <FilesMatch "(?i).*\.(php|js|css|html?|ico|otf|jpe?g|gif|webp|png|swf|flv|xml|xsl)$">
      Order Allow,Deny
      Allow from all
    </FilesMatch>
    
    IndexIgnore */*
    
    <limit POST PUT>
    order deny,allow
    deny from All
    </limit>
    The rewritten version is

    Code:
    # Use the Apache2 >= 2.4 auth modules if available
    <IfModule mod_authz_core.c>
        # don't allow POST and PUT methods at all
        Require not method POST PUT
        # allow just *certain* necessary files
        Require expr "%{REQUEST_URI} =~ /.*\.(php|js|css|html?|ico|otf|jpe?g|gif|webp|png|swf|flv|xml|xsl)$/i"
    </IfModule>
    
    # Use the Apache2 < 2.4 access controls if we have to
    <IfModule !mod_authz_core.c>
        # deny *everything*
        <FilesMatch ".*\..*">
        Order Allow,Deny
        Deny from all
        </FilesMatch>
    
        # but now allow just *certain* necessary files:
        <FilesMatch "(?i).*\.(php|js|css|html?|ico|otf|jpe?g|gif|webp|png|swf|flv|xml|xsl)$">
        Order Allow,Deny
        Allow from all
        </FilesMatch>
    
        <limit POST PUT>
            order deny,allow
            deny from All
        </limit>
    
    </IfModule>
    
    IndexIgnore */*
    The conditionals used are based on testing for the existence of the authz_core module, which seems to be the driving force in the new system, and will not be present in older versions. At first I was testing for the compatibility module, and using old style if present. My logic error with that was that old systems also have no compatibility module (they don't need it), and the new systems with it probably should use the newer (better?) system anyway.

    Is there someone who understands Apache and security better that can vet my kludging?

    If the Apache update is, in fact, a better security, wouldn't it be better for all Zenners to use the newer syntax where supported?
    Is this something to address in coming upgrades?

    As an extra note: I think something involved with this change-over was interfering with the installation process at the database creation stage as I got a slew of errors on my server log when the progress bar in the modal dialog froze. (This is discussed in other threads, which I lost track of before registering here.)

    Code:
    [Sun Aug 14 02:55:50.555062 2016] [:error] [pid 25471] [client xxx.xx.xx.xx.69:42163] client denied by server configuration: /srv/www/htdocs/store/zc_install/ajaxGetProgressValues.php, referer: https://my.machine.net/store/zc_install/index.php?main_page=database
    Once I switched to the Apache 2.4 syntax I was able to complete the install without errors or issues.

  2. #2
    Join Date
    Jan 2004
    Posts
    66,446
    Plugin Contributions
    81

    Default Re: .htaccess differences apache 2.2 vs 2.4

    Quote Originally Posted by SpellweaverGypsy View Post
    If the Apache update is, in fact, a better security, wouldn't it be better for all Zenners to use the newer syntax where supported?
    Is this something to address in coming upgrades?
    Ya, v1.6.0 will have updated apache rules built-in: https://github.com/zencart/zencart/pull/1081/files
    .

    Zen Cart - putting the dream of business ownership within reach of anyone!
    Donate to: DrByte directly or to the Zen Cart team as a whole

    Remember: Any code suggestions you see here are merely suggestions. You assume full responsibility for your use of any such suggestions, including any impact ANY alterations you make to your site may have on your PCI compliance.
    Furthermore, any advice you see here about PCI matters is merely an opinion, and should not be relied upon as "official". Official PCI information should be obtained from the PCI Security Council directly or from one of their authorized Assessors.

 

 

Similar Threads

  1. v150 Yellow alert at setup: "Apache .htaccess Support = OFF"
    By dream_mike in forum Installing on a Linux/Unix Server
    Replies: 4
    Last Post: 15 May 2012, 06:36 PM
  2. Apache .htaccess Support = OFF
    By chad2012 in forum Installing on a Mac Server
    Replies: 2
    Last Post: 23 Jan 2012, 05:38 AM
  3. Apache .htaccess Support = OFF
    By discoverytdi in forum Upgrading to 1.5.x
    Replies: 13
    Last Post: 14 Jan 2012, 05:45 AM
  4. .htaccess problems on Unix / Apache
    By rjenkins in forum Installing on a Linux/Unix Server
    Replies: 1
    Last Post: 10 Aug 2011, 10:16 PM
  5. Are there .htaccess files for Apache 1.3 available for ZC 1.3.x?
    By neekfenwick in forum General Questions
    Replies: 2
    Last Post: 3 Nov 2010, 04:44 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
disjunctive-egg