Apace2 default configuration incorrect for allowoverride

Bug #276145 reported by Nick Twigg on 2008-09-30
2
Affects Status Importance Assigned to Milestone
apache2 (Ubuntu)
Undecided
Unassigned

Bug Description

Binary package hint: apache2

The configuration file under /etc/apache2/sites-enabled/default (or 000-default) is set up so that the allow override all setting wont work when directories or files under /var/www are called as a site.

The values at install are :

DocumentRoot /var/www/
 <Directory />
  Options FollowSymLinks
  AllowOverride all
 </Directory>
 <Directory /var/www/>
  Options Indexes FollowSymLinks MultiViews
  AllowOverride none
  Order allow,deny
  allow from all
 </Directory>

Whereas, for mod_rewrite to work correctly, they should be

DocumentRoot /var/www/
 <Directory />
  Options FollowSymLinks
  AllowOverride All
 </Directory>
 <Directory /var/www/>
  Options Indexes FollowSymLinks MultiViews
  AllowOverride All
  Order allow,deny
  allow from all
 </Directory>

For the record, I have chaged the first and second AllowOverride to All.

The caps A seems to be *VERY* important.

Thierry Carrez (ttx) wrote :

Values at install-time with current Intrepid/apache2 are:

 <Directory />
  Options FollowSymLinks
  AllowOverride None
 </Directory>
 <Directory /var/www/>
  Options Indexes FollowSymLinks MultiViews
  AllowOverride None
  Order allow,deny
  allow from all
 </Directory>

Those are syntactically-correct, sensible and secure default values.

It's true that if you want to do mod_rewrite with .htaccess files, you'll need to change some AllowOverride to allow parsing the .htaccess files. That doesn't mean the default configuration shipped with Apache should change ?

Changed in apache2:
status: New → Invalid
Stefan Fritsch (sf-sfritsch) wrote :

Anything other than "AllowOverride None" has a negative impact on performance and should only be enabled on those directories where it is necessary. Therefore "AllowOverride None" is a sensible default.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers