Magento's .htaccess files will not work with Apache 2.4

[ToonSpin]

In the Magento 2 readme, Apache 2.4 is said to be compatible with Magento, but this is not in fact the case. The Order [...] and Allow from [...] and Deny from [...] directives have been replaced by Require directives in Apache 2.4, and the old directives are silently ignored. None of the 14 .htaccess files in the Magento 2 repository that implement the 2.2 directives, implement the 2.4 directives.

This leaves folders you're trying to protect (e.g. app, bin, dev, media/customer, media/import), open for the wide world to access on servers that run Apache 2.4, such as Debian 8 "Jessie", Ubuntu 14.04 LTS, and CentOS 7.

The problem is that the new directives cause 2.2 to error out, which means that to support both, you need to use <IfVersion> directives, but those require an Apache module, and I don't think that this module is enabled by default.

In any case, I feel that the Magento team and Magento developers should be aware of this, so I thought I'd bring it to your attention.

When you say "error out" what errors are you seeing? In the error.log or elsewhere?

[ToonSpin]

I must confess I've not actually tried this. I run 2.4 at home, I'll try it on a server that runs 2.2 tomorrow. I've edited my comment to reflect this.

[ToonSpin]

Tried it on a personal web site, got a 500 error when I added a .htaccess file that said nothing but "Require all denied". Did not get a chance to check the server logs. On my home server which runs 2.4, I got a 403 instead. Edited my issue back.

[MaxSavich]

Hello @ToonSpin!

The internal ticket has been created: MAGETWO-40314

Thank you!

[dsikkema-magento]

@ToonSpin it looks to me like 2.4 is maintaining backward compatibility with the 2.2 style directives, can you confirm this? I tried on a machine that was running 2.4 and everything seemed to work as expected, using the old directives (order... allow from... deny from...).

Thank you!

[SKovbel]

You can use Apache module access_compat_module for compatibility

LoadModule access_compat_module modules/mod_access_compat.so

Available in Apache HTTP Server 2.3 as a compatibility module with previous versions of Apache httpd 2.x. The directives provided by this module have been deprecated by the new authz refactoring. Please see mod_authz_host

[ToonSpin]

@dsikkema you're right; I'm running a vanilla Linux Mint 17.2 installation at home, which is based upon Ubuntu Ubuntu 14.04. I installed Apache 2 and PHP from the repositories, nothing special. The 2.2 directives work fine on my machine, even though I'm running 2.4.

This is because of the access_compat module @Mackovey mentioned; it's installed in Linux Mint 17.2 by default, so presumably also on Ubuntu 14.04, which unless I'm mistaken is the current LTS release. I haven't tried any other distros.

The presence of the module can easily be detected by inspecting the output of phpinfo(). If I disable access_compat, and try to restart Apache, by running:

sudo a2dismod access_compat
sudo service apache2 restart

Then Apache won't restart and gives me this error, suggesting that Magento 2 will in fact work fine on current Linux boxes with Apache 2.4:

AH00526: Syntax error on line 9 of /etc/apache2/mods-enabled/php5.conf:
Invalid command 'Order', perhaps misspelled or defined by a module not included in the server configuration

Maybe a mention of access_compat is a good idea in case future Linux distros no longer enable it by default. I'll submit a PR and comment again when I've done so.

[ToonSpin]

I've decided not to submit a PR, because I've tried fresh installs of the following distros:

• Ubuntu 14.04 LTS (well, actually Linux Mint 17.2)
• Debian 8
• CentOS 7

I've found that access_compat is enabled out-of-the-box in all of them, in a fresh install of Apache.

Also, the dev install docs are currently very good, they are not too complicated. Adding a note about access_compat would only complicate them, so I feel that adding a note or instructions would actually be detrimental to the quality of the documentation.

I suggest that we keep an eye out when new versions of popular server distros come out, but I'd surprised if any of them dropped access_compat any time soon. I don't know about CentOS, but Trusty and Jessie are sure to be around for years to come.

In summary, as far as I'm concerned this has turned out to be a fine example of a non-issue; sorry for the fuss :).

Thanks for the shout out about documentation. We're making install simpler, wait and watch...

[dsikkema-magento]

@ToonSpin thanks for raising your concern, it's the only way we can catch real issues like this in the future, and it definitely motivated us to look at the differences between 2.2 and 2.4 more in depth.