Forwarded to devs Can't Disable .htaccess Parsing Completely in Apache

[G J Piper]

TITLE:

Can't Disable .htaccess Parsing Completely in Apache​

PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE:

Plesk Onyx 17.8.11 mu#(any?)
Apache 2.4.6
Nginx 1.13.8 (proxy)
CentOS 7.5.1804​

PROBLEM DESCRIPTION:

Because the "includes" code in each domain's httpd.conf file falls before the document root declaration for AllowOverride, .htaccess file parsing cannot be prevented through the file system using the GUI.​

STEPS TO REPRODUCE:

Place this code in the "Additional directives for HTTPS" in "Apache & Nginx Settings" in a domain subscription settings:

<Directory /var/www/vhosts/exampledomain.com/httpdocs>
   AllowOverride None
   AllowOverrideList None
   Options None
</Directory>

Then put an .htaccess file with this code in it in the root directory of the domain:

<IfModule mod_rewrite.c>
RewriteEngine On
</IfModule>

ACTUAL RESULT:

A server error is thrown if there is code in the .htaccess file, because Apache is still parsing it and my "AllowOverrideList none" says no code is allowed in .htaccess files. But, my "AllowOverride none" should be preventing Apache from even looking at .htaccess files (according to Apache 2.4 documentation)

The Apache 2.4 AllowOverrideList docs say this, specifically:
"When this directive is set to None and AllowOverride is set to None, then .htaccess files are completely ignored. In this case, the server will not even attempt to read .htaccess files in the filesystem."


​

EXPECTED RESULT:

.htaccess file is ignored, and not even searched for by Apache, due to this code in my settings:

<Directory /var/www/vhosts/exampledomain.com/httpdocs>
   AllowOverride None
   AllowOverrideList None
   Options None
</Directory>

ANY ADDITIONAL INFORMATION:

The includes directive in the Plesk-generated httpd.conf settings should come after the directory code in this snip from the "/var/www/vhosts/system/exampledomain.com/conf/httpd.conf" file:

Include "/var/www/vhosts/system/exampledomain.com/conf/vhost_ssl.conf"

<Directory /var/www/vhosts/exampledomain.com>
AllowOverride AuthConfig FileInfo Indexes Limit Options=Indexes,SymLinksIfOwnerMatch,MultiViews,FollowSymLinks,ExecCGI,Includes,IncludesNOEXEC
</Directory>

This way my AllowOverride directive in the GUI will successfully override the server default (Plesk) settings in the httpd.conf file.​

YOUR EXPECTATIONS FROM PLESK SERVICE TEAM:

Confirm bug​

 

[IgorG]

Here is full developer's answer:

First of all, a portion of bad news.
Have you tried suggested recipe to swap config sections?

Apache 2.4.6

The Apache 2.4 AllowOverrideList docs say this, specifically:
"When this directive is set to None and AllowOverride is set to None, then .htaccess files are completely ignored. In this case, the server will not even attempt to read .htaccess files in the filesystem."

58528 – AllowOverrideList None gets misparsed and .htaccess files are parsed "Bug 58528 - AllowOverrideList None gets misparsed and .htaccess files are parsed"

Yann Ylavic 2016-04-01 12:37:15 UTC

Backported to 2.4.20 in r1737366.

Relevant pieces of code:
apache/httpd
Fix bug 58528 - Do not read .htaccess if override and overridelist ar… · apache/httpd@3a91c80

Plesk relies on the apache package available for specific Linux flavour. You may ask RedHat to backport the patch and to update the package.

If available apache packages had no this bug...

I am in doubts if it as a bug or a feature request (in the latter case it should be redirected to UserVoice). At least I do not see a neat way with no drawbacks. Plesk already has various checkboxes that manage arguments of the AllowOverrride directive. Disable everything option should affect currently present checkboxes to make it clear for user that some states are inconsistent. More flexible configuration often means more complicated interface.

Look at the file /usr/local/psa/admin/conf/templates/default/domain/domainVirtualHost.phpthat contains rules for generation of the AllowOverride directive. It is possible to create a customized template /usr/local/psa/admin/conf/templates/custom/domain/domainVirtualHost.phpwith the Include directive at the desired place. However such customizations usually lead to problems during upgrade to new version with reworked default templates. Do not forget it if you decide to go this way.

Possible workaround
If the problem is in presence of .htaccess files on some existing website, it is possible to ignore them by redefining the name to something bizarre:

AccessFileName .htaceessOff

https://httpd.apache.org/docs/2.4/mod/core.html#accessfilename

 

[G J Piper]

First of all, a portion of bad news.
Have you tried suggested recipe to swap config sections?

58528 – AllowOverrideList None gets misparsed and .htaccess files are parsed "Bug 58528 - AllowOverrideList None gets misparsed and .htaccess files are parsed"

Relevant pieces of code:
apache/httpd
Fix bug 58528 - Do not read .htaccess if override and overridelist ar… · apache/httpd@3a91c80

Plesk relies on the apache package available for specific Linux flavour. You may ask RedHat to backport the patch and to update the package.

If available apache packages had no this bug...

I am in doubts if it as a bug or a feature request (in the latter case it should be redirected to UserVoice). At least I do not see a neat way with no drawbacks. Plesk already has various checkboxes that manage arguments of the AllowOverrride directive. Disable everything option should affect currently present checkboxes to make it clear for user that some states are inconsistent. More flexible configuration often means more complicated interface.

Look at the file /usr/local/psa/admin/conf/templates/default/domain/domainVirtualHost.phpthat contains rules for generation of the AllowOverride directive. It is possible to create a customized template /usr/local/psa/admin/conf/templates/custom/domain/domainVirtualHost.phpwith the Include directive at the desired place. However such customizations usually lead to problems during upgrade to new version with reworked default templates. Do not forget it if you decide to go this way.

Possible workaround
If the problem is in presence of .htaccess files on some existing website, it is possible to ignore them by redefining the name to something bizarre:

AccessFileName .htaceessOff

https://httpd.apache.org/docs/2.4/mod/core.html#accessfilename

• You're right, I didn't try it myself first -- I will try swapping the directives and see if that fixes it.
  
  
• Falling back on the old "you have templates that can override anything so there is your fix" solution, is not preferred. (I never use custom Plesk templates, ever)
  
  
• Renaming the .htaccess files will not help. I'm trying to stop Apache from searching through all the directories for .htaccess files at all, for efficiency sake like it always was before. Renaming it so Apache searches for .htaceessOff files instead is not any better. (in fact it is searching for an even bigger string so it may be worse lol)

I'll follow up on the swap a little later.

 

[G J Piper]

First of all, a portion of bad news.
Have you tried suggested recipe to swap config sections?

Ok. Swapping the settings didn't fix it... guess it is the Apache bug I'll have to deal with. Thanks.

I do wonder, though, why this specific hard-wired AllowOverride setting is after the Include directive anyway... all other Plesk config files place the Include after all hard-wired settings so they can be overridden if needed. No matter -- case closed. Thanks, IgorG.