DevHeads.net

AllowOverride - Mis-behaving Default

Hi,

According to the documentation[1], the default for `AllowOverride` is
`None`, and when `AllowOverride` is set to `None`, .htaccess files are
not read at all.

When I set `AllowOverride` to `None` explicitly, I find that is the
behaviour I see, but when I don't specify it at all, the .htaccess file
is still read and I receive a ".htaccess: [...] not allowed here" error.
So it looks like even though no override is allowed by default, the
`.htaccess` file is still being read when `None` is not specified
explicitly.

This is with Apache 2.4.6 on CentOS 7, so perhaps it has been fixed in a
later version, but I am not in a position to easily test that, so
thought I'd mention it here in case it's useful.

If this is expected behaviour then the documentation could be clearer on
this point. It states:

"When this directive is set to None and AllowOverrideList is set to
None, .htaccess files are completely ignored."

So leaving it as the default should surely exhibit the same behaviour as
setting the default explicitly?

Best,
Nigel

[1] https://httpd.apache.org/docs/2.4/mod/core.html#allowoverride

Comments

Re: AllowOverride - Mis-behaving Default

By Frank Gingras at 06/18/2017 - 16:38

You probably have another <Directory> block that has AllowOverride set,
for the / path or another. Inspect all files shipped by CentOS, and the
ones you modified.

Re: AllowOverride - Mis-behaving Default

By Nigel Peck at 06/18/2017 - 17:16

I only have one config file, since I merged all of the others into it
that I needed. I already double checked that there are no other
AllowOverride directives that could be affecting this. The only others
are in other virtual hosts in separate directories not above the one I
tested. Also setting `AllowOverride None` on the root directory block
prevents it, which it wouldn't if another directive were causing the
problem.

Thanks
Nigel

Re: AllowOverride - Mis-behaving Default

By Frank Gingras at 06/18/2017 - 18:01

As per http://httpd.apache.org/docs/current/mod/core.html#allowoverride :

Default: AllowOverride None (2.3.9 and later), AllowOverride All (2.3.8
and earlier)

Re: AllowOverride - Mis-behaving Default

By Nigel Peck at 06/18/2017 - 19:22

I'm not sure what your point is. I am aware of that and it supports the
point I am making in my email. The default should be none, which also
means .htaccess files should not be read at all, but if the default is
used then .htaccess files are read. It has to be stated explicitly to
prevent .htaccess files being read.

Nigel

Re: AllowOverride - Mis-behaving Default

By Frank Gingras at 06/18/2017 - 23:41

Nigel,

The point is that the default value changed for 2.3 (and hence 2.4), and
you seem to be missing it, yes.

As for why that change was made, the development mailing list might be
better suited for that thread.

Re: AllowOverride - Mis-behaving Default

By Nigel Peck at 06/19/2017 - 00:21

No, Frank, I'm not missing the point at all. I'm afraid that's you. I will explain again. Please read carefully and understand this time before replying.

The default for AllowOverride is None on my version. If I make use of that default setting, and do not specify any value for AllowOverride in any way at all, it does not behave in the same way as if I specify None explicitly.

Specifically, .htaccess files are looked for and opened if present, which is not the specified behaviour for a setting of None. The behaviour is correct if I specify None explicitly (.htaccess files are not processed in any way). If I allow None to be specified implicitly, by not setting AllowOverride at all and using the default, then they are processed, albeit creating an error that the settings are not allowed. With a setting of None, this should not happen, since they should not be opened at all.

Nigel
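One way to run the check discussed in this thread, as an added example that is not code from any of the posters: it lists every explicit `AllowOverride` in a configuration and reports which one, if any, governs a given path, so a path that relies on the compiled-in default rather than an explicit `AllowOverride None` stands out. It assumes plain-path `<Directory>` sections in a single file (no `Include`, wildcards or line continuations); `SAMPLE_CONF` and the function names are constructed for illustration.

```python
import re

# Constructed sample configuration (not taken from the thread).
SAMPLE_CONF = """\
<Directory "/">
    Require all denied
</Directory>
<Directory "/var/www/html">
    Options Indexes
    Require all granted
</Directory>
<VirtualHost *:80>
    DocumentRoot "/srv/other"
    <Directory "/srv/other">
        AllowOverride AuthConfig
    </Directory>
</VirtualHost>
"""

OPEN = re.compile(r'<Directory\s+"?([^">]+?)"?\s*>', re.I)
CLOSE = re.compile(r'</Directory\s*>', re.I)
OVERRIDE = re.compile(r'AllowOverride\s+(\S.*)', re.I)  # does not match AllowOverrideList

def explicit_overrides(conf_text):
    """Return (directory, line_no, value) for each AllowOverride inside a <Directory> block."""
    found, stack = [], []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # httpd comments start the line
            continue
        m = OPEN.match(line)
        if m:
            stack.append(m.group(1))
        elif CLOSE.match(line):
            if stack:
                stack.pop()
        else:
            m = OVERRIDE.match(line)
            if m and stack:
                found.append((stack[-1], line_no, m.group(1)))
    return found

def effective_explicit(conf_text, path):
    """Explicit AllowOverride governing `path`, or None if it relies on the default."""
    covering = [t for t in explicit_overrides(conf_text)
                if path == t[0] or path.startswith(t[0].rstrip("/") + "/")]
    # <Directory> sections merge from the shortest path to the longest.
    covering.sort(key=lambda t: len(t[0].rstrip("/").split("/")))
    return covering[-1] if covering else None
```

A `None` result for a served path means no explicit setting covers it, which is the situation described in the original post; adding `AllowOverride None` to the `/` block makes that setting explicit for every path beneath it.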