Harden config protection .htaccess

+ Set "Satisfy All" whenever available, as well on Apache 2.4+. This is required to override possible "Satisfy Any" on parent dir, which otherwise would allow direct access to data, regardless of "Require" directive.
+ Set "Deny from all" as well whenever available, to block access regardless of which access control directive takes priority.
+ Assume Apache 2.2 only, if mod_authz_core and mod_access_compat are both not available, to avoid doubled directives. In this case set "Deny from all" directive only if the providing mod_authz_host module is available. "Satisfy" is a core directive on Apache 2.2.
+ Update Apache version strings. Regarding the used directives/modules, Apache 2.4 and 2.5 behave the same.
+ Add ordering spaces to better reflect the nested directives and to match style of other .htaccess files.

Fixes: #6449 (for the config directory)

Signed-off-by: Micha Felle <micha@dietpi.com>
This commit is contained in:
MichaIng 2019-08-19 15:17:39 +02:00 committed by GitHub
parent dcbf8fa8e3
commit e84cdc609a
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23

View file

@ -1,14 +1,23 @@
# line below if for Apache 2.4
# Section for Apache 2.4 and 2.5
<ifModule mod_authz_core.c>
Require all denied
</ifModule>
# line below if for Apache 2.2
<ifModule !mod_authz_core.c>
deny from all
<ifModule mod_access_compat.c>
Deny from all
Satisfy All
</ifModule>
# section for Apache 2.2 and 2.4
# Section for Apache 2.2
<ifModule !mod_authz_core.c>
<ifModule !mod_access_compat.c>
<ifModule mod_authz_host.c>
Deny from all
</ifModule>
Satisfy All
</ifModule>
</ifModule>
# Section for Apache 2.2 to 2.5
<ifModule mod_autoindex.c>
IndexIgnore *
</ifModule>