Being prepared for Apache update 2.2 to 2.4

Many web hosting providers are currently updating their server software, and with it the Apache web server from version 2.2 to version 2.4.

With Apache 2.4, some directives that are mostly used in .htaccess files have been changed. The most serious change is apparently the switch from Deny from to Require not, which is used to deny access to the website for a specified IP range, for example, but also to protect log files and so on.

If you leave the old entries as they are, Apache 2.4 will find obsolete directives in .htaccess and will deliver HTTP error 503 (or 500) instead of your OXID website.

In fact, Apache offers a compatibility module, but in the same breath discourages using it with mixed (old and new) directives:

This module was created to support configurations containing only old directives to facilitate the 2.4 upgrade.

In other words, your web hosting provider will most likely not use it, as this Apache module might cause unexpected and hard-to-debug issues.

To fix this issue, please do not simply comment out the affected entries, even if the support team of your web hosting provider told you to do so (yes, I saw it happen…). If you follow this hint, you will no longer see the error message, but as a matter of fact this is a security issue, as an attacker can gain access to information that you actually want to hide, including voucher lists etc.

The proper solution was already committed by @Keywan to the OXID eShop repositories:
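A pattern that works on both versions, shown here as an added example (it is not the commit referenced above and not OXID's own code). The file pattern and the IP range are constructed for illustration; the switch relies on mod_authz_core existing only in Apache 2.4.

```apache
# Constructed example: deny web access to log files on Apache 2.2 and 2.4.
<FilesMatch "\.log$">
    # Apache 2.4: mod_authz_core is present, so use the new syntax.
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2: mod_authz_core does not exist, so keep the old syntax.
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# Constructed example: block one IP range for the whole directory
# (192.0.2.0/24 is a documentation range, replace it with your own).
<IfModule mod_authz_core.c>
    # A negated Require cannot grant access by itself, so it is combined
    # with "Require all granted" inside <RequireAll>.
    <RequireAll>
        Require all granted
        Require not ip 192.0.2.0/24
    </RequireAll>
</IfModule>
<IfModule !mod_authz_core.c>
    # Allow is evaluated first, then Deny overrides it for the listed range.
    Order allow,deny
    Allow from all
    Deny from 192.0.2.0/24
</IfModule>
```

After the change, a request for a protected file should return 403 on both versions. A 500 means a directive is still not understood or is not permitted by the host's AllowOverride setting.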

Please change your .htaccess files accordingly. This solution supports both versions of Apache, 2.2 and 2.4, so there will be no pain at the moment of the change. Please also bear in mind that there might be other .htaccess files in your installation, for example in modules. You may find these files with

$ find . -name ".htaccess"

Oh and by the way – this change is not only valid for OXID eShop. All your other systems and CMSes will be affected as well – heads up!
