• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion
  • Inviting everyone to the UX test of a new security feature in the WP Toolkit
    For WordPress site owners, threats posed by hackers are ever-present. Because of this, we are developing a new security feature for the WP Toolkit. If the topic of WordPress website security is relevant to you, we would be grateful if you could share your experience and help us test the usability of this feature. We invite you to join us for a 1-hour online session via Google Meet. Select a convenient meeting time with our friendly UX staff here.

Forwarded to devs Can't Disable .htaccess Parsing Completely in Apache

G J Piper

G J Piper

Regular Pleskian
TITLE:
Can't Disable .htaccess Parsing Completely in Apache
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE:
Plesk Onyx 17.8.11 mu#(any?)
Apache 2.4.6
Nginx 1.13.8 (proxy)
CentOS 7.5.1804
PROBLEM DESCRIPTION:
Because the "includes" code in each domain's httpd.conf file falls before the document root declaration for AllowOverride, .htaccess file parsing cannot be prevented through the file system using the GUI.​
STEPS TO REPRODUCE:
Place this code in the "Additional directives for HTTPS" in "Apache & Nginx Settings" in a domain subscription settings:

Code: 
<Directory /var/www/vhosts/exampledomain.com/httpdocs>
   AllowOverride None
   AllowOverrideList None
   Options None
</Directory>

Then put an .htaccess file with this code in it in the root directory of the domain:
Code: 
<IfModule mod_rewrite.c>
RewriteEngine On
</IfModule>
ACTUAL RESULT:
A server error is thrown if there is code in the .htaccess file, because Apache is still parsing it and my "AllowOverrideList none" says no code is allowed in .htaccess files. But, my "AllowOverride none" should be preventing Apache from even looking at .htaccess files (according to Apache 2.4 documentation)

The Apache 2.4 AllowOverrideList docs say this, specifically:
"When this directive is set to None and AllowOverride is set to None, then .htaccess files are completely ignored. In this case, the server will not even attempt to read .htaccess files in the filesystem."


EXPECTED RESULT:
.htaccess file is ignored, and not even searched for by Apache, due to this code in my settings:
Code: 
<Directory /var/www/vhosts/exampledomain.com/httpdocs>
   AllowOverride None
   AllowOverrideList None
   Options None
</Directory>
ANY ADDITIONAL INFORMATION:
The includes directive in the Plesk-generated httpd.conf settings should come after the directory code in this snip from the "/var/www/vhosts/system/exampledomain.com/conf/httpd.conf" file:

Code: 
Include "/var/www/vhosts/system/exampledomain.com/conf/vhost_ssl.conf"

<Directory /var/www/vhosts/exampledomain.com>
AllowOverride AuthConfig FileInfo Indexes Limit Options=Indexes,SymLinksIfOwnerMatch,MultiViews,FollowSymLinks,ExecCGI,Includes,IncludesNOEXEC
</Directory>

This way my AllowOverride directive in the GUI will successfully override the server default (Plesk) settings in the httpd.conf file.
YOUR EXPECTATIONS FROM PLESK SERVICE TEAM:
Confirm bug
 
Last edited:
Here is full developer's answer:

First of all, a portion of bad news.
Have you tried suggested recipe to swap config sections?

Apache 2.4.6

The Apache 2.4 AllowOverrideList docs say this, specifically:
"When this directive is set to None and AllowOverride is set to None, then .htaccess files are completely ignored. In this case, the server will not even attempt to read .htaccess files in the filesystem."
Click to expand...

58528 – AllowOverrideList None gets misparsed and .htaccess files are parsed "Bug 58528 - AllowOverrideList None gets misparsed and .htaccess files are parsed"

Yann Ylavic 2016-04-01 12:37:15 UTC

Backported to 2.4.20 in r1737366.
Click to expand...

Relevant pieces of code:
apache/httpd
Fix bug 58528 - Do not read .htaccess if override and overridelist ar… · apache/httpd@3a91c80

Plesk relies on the apache package available for specific Linux flavour. You may ask RedHat to backport the patch and to update the package.

If available apache packages had no this bug...

I am in doubts if it as a bug or a feature request (in the latter case it should be redirected to UserVoice). At least I do not see a neat way with no drawbacks. Plesk already has various checkboxes that manage arguments of the AllowOverrride directive. Disable everything option should affect currently present checkboxes to make it clear for user that some states are inconsistent. More flexible configuration often means more complicated interface.

Look at the file /usr/local/psa/admin/conf/templates/default/domain/domainVirtualHost.phpthat contains rules for generation of the AllowOverride directive. It is possible to create a customized template /usr/local/psa/admin/conf/templates/custom/domain/domainVirtualHost.phpwith the Include directive at the desired place. However such customizations usually lead to problems during upgrade to new version with reworked default templates. Do not forget it if you decide to go this way.

Possible workaround
If the problem is in presence of .htaccess files on some existing website, it is possible to ignore them by redefining the name to something bizarre:

AccessFileName .htaceessOff

https://httpd.apache.org/docs/2.4/mod/core.html#accessfilename
 
IgorG said:
First of all, a portion of bad news.
Have you tried suggested recipe to swap config sections?

58528 – AllowOverrideList None gets misparsed and .htaccess files are parsed "Bug 58528 - AllowOverrideList None gets misparsed and .htaccess files are parsed"

Relevant pieces of code:
apache/httpd
Fix bug 58528 - Do not read .htaccess if override and overridelist ar… · apache/httpd@3a91c80

Plesk relies on the apache package available for specific Linux flavour. You may ask RedHat to backport the patch and to update the package.

If available apache packages had no this bug...

I am in doubts if it as a bug or a feature request (in the latter case it should be redirected to UserVoice). At least I do not see a neat way with no drawbacks. Plesk already has various checkboxes that manage arguments of the AllowOverrride directive. Disable everything option should affect currently present checkboxes to make it clear for user that some states are inconsistent. More flexible configuration often means more complicated interface.

Look at the file /usr/local/psa/admin/conf/templates/default/domain/domainVirtualHost.phpthat contains rules for generation of the AllowOverride directive. It is possible to create a customized template /usr/local/psa/admin/conf/templates/custom/domain/domainVirtualHost.phpwith the Include directive at the desired place. However such customizations usually lead to problems during upgrade to new version with reworked default templates. Do not forget it if you decide to go this way.

Possible workaround
If the problem is in presence of .htaccess files on some existing website, it is possible to ignore them by redefining the name to something bizarre:

AccessFileName .htaceessOff

https://httpd.apache.org/docs/2.4/mod/core.html#accessfilename
Click to expand...

  • You're right, I didn't try it myself first -- I will try swapping the directives and see if that fixes it.

  • Falling back on the old "you have templates that can override anything so there is your fix" solution, is not preferred. (I never use custom Plesk templates, ever)

  • Renaming the .htaccess files will not help. I'm trying to stop Apache from searching through all the directories for .htaccess files at all, for efficiency sake like it always was before. Renaming it so Apache searches for .htaceessOff files instead is not any better. (in fact it is searching for an even bigger string so it may be worse lol)
I'll follow up on the swap a little later.
 
IgorG said:
First of all, a portion of bad news.
Have you tried suggested recipe to swap config sections?
Click to expand...

Ok. Swapping the settings didn't fix it... guess it is the Apache bug I'll have to deal with. Thanks.

I do wonder, though, why this specific hard-wired AllowOverride setting is after the Include directive anyway... all other Plesk config files place the Include after all hard-wired settings so they can be overridden if needed. No matter -- case closed. Thanks, IgorG.
 
Last edited:
You must log in or register to reply here.

Similar threads

Bod
Question Upstream Apache directive blocking .htaccess file directives
Replies
5
Views
6K
Bod
Bod
Hajime Tanaka
Resolved AlmaLinux HTTPD will not recognize the error with .htaccess
Replies
4
Views
2K
Peter Debik
P
A
Issue Additional Apache directives doesn't work
Replies
1
Views
92
Kaspar@Plesk
Kaspar@Plesk
J
Resolved domain with storage in sub-folder of another domain
Replies
3
Views
641
jonny512379
J
K
Forwarded to devs Custom 403 error document never shown for document root
Replies
8
Views
2K
Kaspar
K
Back
Top