Error because of .htaccess

[halojoy]

In .htaccess this will not work: Deny from all

Now Should be: Require all denied

The result was an internal server error after the install.

[ophian]

You are right. But where did you get that? Which theme or plugin is in use? Since I can't remember the Serendipity generated .htaccess has anything like this.

[ophian]

@halojoy Uihhh ... you certainly mean

<Files *.tpl.php>
    deny from all
</Files>

<Files *.tpl>
    deny from all
</Files>

<Files *.sql>
    deny from all
</Files>

<Files *.inc.php>
    deny from all
</Files>

<Files *.db>
    deny from all
</Files>

Its very strange I did not get this in all my years...

Could you try and replace each

    deny from all

line with this

  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>

and see how this works, please.

[halojoy]

The apache I have is 2.4.52 I have loaded module authz_core_module. It looks as 'Deny from all' no longer is supported.

I will see if I will use your suggested workaround. If so I will post back.

[ophian]

I think we can reduce that to Apache 2.3 syntax. Apache 2.2 is gone.

Thanks again!

[halojoy]

Now I have done like you said. And this works well. No internal server error.

` <Files *.tpl.php>

Require all denied

<IfModule !mod_authz_core.c> Order allow,deny Deny from all `

[ophian]

@halojoy May I ask how you got (or detailly produced) this internal server error after the install? I never had this with Apache 2.4 versions and Serendipity, though I know there were issues on web servers generally when it came to migrations to 2.3+ in the very past. So maybe this is just an issue with some (default) httpd.conf settings?

[halojoy]

500 Internal Server Error The server encountered an internal error or misconfiguration and was unable to complete your request. C:/Apache24/htdocs/styx413/.htaccess: Invalid command 'deny', perhaps misspelled or defined by a module not included in the server configuration

So, ''Deny from all' is what generates this error in Apache. The install was without error. After this when I clicked to go to website, then was this error.

I tested now with the old .htaccess. Then was the same error. It is obvious Deny from all generates this error.

But if we have the IF you show me in your previous post. We can have both REQUIRED and DENY. This is a good workaround.

Maybe this error is because I use authz_core_mod

[ophian]

Maybe this error is because I use authz_core_mod

Yeah, that may be the initial culprit. Thanks for checking up.,

I still think its safe enough to only use the newer syntax like in my commit for this issue, because presumbly no one is going to install Styx on Apache 2.2.x versions nowadays. :-)

[halojoy]

Loadmodule mod_authz_core is default in Apache 2.4.52. Probably in all Apache 2.4. I am almost sure of this.

[ophian]

@halojoy Could you please do me a favour and test having both in the .htaccess file without the mod:auth ifs, please? Then we could add this as the default for a while for all those that still run presumably local old apache versions. Thanks

Like this: (Edit: Strike this example test, its not working)

 <Files *.tpl.php>
    deny from all
    Require all denied
 </Files>

 <Files *.tpl>
    deny from all
    Require all denied
 </Files>

 <Files *.sql>
    deny from all
    Require all denied
 </Files>

 <Files *.inc.php>
    deny from all
    Require all denied
 </Files>

 <Files *.db>
    deny from all
    Require all denied
 </Files>

[ophian]

No! I just found out why I didn't have these errors, since I used LoadModule access_compat_module modules/mod_access_compat.so in my Apache config. After I disabled this compat mode and running the above test I had the internal server error too. So we either use the first approach with the ifs or just say that Apache 2.2 syntax is obsolete by now. I am for the latter. :)

[ophian]

Loadmodule mod_authz_core is default in Apache 2.4.52. Probably in all Apache 2.4. I am almost sure of this.

Yes. See: https://en.wikipedia.org/wiki/List_of_Apache_modules

But also _mod_accesscompat, which probably proofes why nobody came up with this in all these years. ;-) So, thanks again for finding this bug!

[halojoy]

Yes, mod_access_compat is for this. Or it was in times before. Now in Apache 2.4 the mod_access_compat is not loaded by default.

Serendipity has only Deny Allow in the htaccess! But you now know much better :)