Apache2 default configuration incorrect for allowoverride

Bug #276145 reported by Nick Twigg
Affects: apache2 (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: apache2

The configuration file under /etc/apache2/sites-enabled/default (or 000-default) is set up so that the allow override all setting won't work when directories or files under /var/www are called as a site.

The values at install are:

DocumentRoot /var/www/
 <Directory />
  Options FollowSymLinks
  AllowOverride all
 </Directory>
 <Directory /var/www/>
  Options Indexes FollowSymLinks MultiViews
  AllowOverride none
  Order allow,deny
  allow from all
 </Directory>

Whereas, for mod_rewrite to work correctly, they should be

DocumentRoot /var/www/
 <Directory />
  Options FollowSymLinks
  AllowOverride All
 </Directory>
 <Directory /var/www/>
  Options Indexes FollowSymLinks MultiViews
  AllowOverride All
  Order allow,deny
  allow from all
 </Directory>

For the record, I have changed the first and second AllowOverride to All.

The caps A seems to be *VERY* important.

Thierry Carrez (ttx) wrote :

Values at install-time with current Intrepid/apache2 are:

 <Directory />
  Options FollowSymLinks
  AllowOverride None
 </Directory>
 <Directory /var/www/>
  Options Indexes FollowSymLinks MultiViews
  AllowOverride None
  Order allow,deny
  allow from all
 </Directory>

Those are syntactically-correct, sensible and secure default values.

It's true that if you want to do mod_rewrite with .htaccess files, you'll need to change some AllowOverride to allow parsing the .htaccess files. That doesn't mean the default configuration shipped with Apache should change?

Changed in apache2:
status: New → Invalid
Stefan Fritsch (sf-sfritsch) wrote :

Anything other than "AllowOverride None" has a negative impact on performance and should only be enabled on those directories where it is necessary. Therefore "AllowOverride None" is a sensible default.
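
The following is an added example, not part of this bug report or of the Ubuntu package: a small Python audit that lists every <Directory> block whose AllowOverride is anything other than None, so .htaccess parsing can be kept to the directories that actually need it. The function name audit_allowoverride and the sample text (the reporter's proposed values, embedded as a constructed input) are assumptions made for illustration.

```python
import re

# Constructed sample: the values proposed in the bug description above,
# embedded inline so the script runs offline (not read from a real host).
SAMPLE_CONF = """\
DocumentRoot /var/www/
<Directory />
    Options FollowSymLinks
    AllowOverride all
</Directory>
<Directory /var/www/>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride All
    Order allow,deny
    allow from all
</Directory>
"""

OPEN_RE = re.compile(r'^\s*<Directory\s+"?([^">]+?)"?\s*>', re.I)
CLOSE_RE = re.compile(r'^\s*</Directory\s*>', re.I)
OVERRIDE_RE = re.compile(r'^\s*AllowOverride\s+(.+?)\s*$', re.I)


def audit_allowoverride(conf_text):
    """Return [(directory, value)] for each <Directory> block whose
    AllowOverride is not None (compared case-insensitively)."""
    findings = []
    current = None  # path of the <Directory> block being read, if any
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # skip comment lines
        opened = OPEN_RE.match(line)
        if opened:
            current = opened.group(1)
        elif CLOSE_RE.match(line):
            current = None
        else:
            m = OVERRIDE_RE.match(line)
            if m and current is not None:
                value = " ".join(m.group(1).split())
                if value.lower() != "none":
                    findings.append((current, value))
    return findings


if __name__ == "__main__":
    for directory, value in audit_allowoverride(SAMPLE_CONF):
        print(f"{directory}: AllowOverride {value} (.htaccess parsing enabled)")
```
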
