[Defender] Add .htaccess support for Apache 2.4

In Apache 2.4, access control has changed. v2.2 syntax will still be supported for a while, so code added to .htaccess by Defender works in 2.4.
But when we want to make use of v2.4 features, problems can arise when adding new directives to the old. See: https://httpd.apache.org/docs/2.4/upgrading.html

I recommend that the code which updates .htaccess should check the version of the web server, and use the latest directives available for that release.


  • Paul Kevin
    • Neo

    Hello Tony G,

    Hope you are well today. Defender has support for Apache 2.2 and 2.4. We do check the version of the web server using the headers returned from a simple curl request or using the in-built function apache_get_version, though most web servers disable this function and hide the Apache version. When this happens, the fallback is 2.2.

    Warm Regards
    Paul Kevin

    • Tony G
      • Mr. LetsFixTheWorld

      That makes perfect sense. Yes, my server is not returning its version. In this case I propose a choice of three mechanisms to improve upon that logic:
      1) Check for a defined global that specifies an Apache override version. When present, avoid the query and use that provided value.
      or 2) Allow entry of this override in the Defender UI, to avoid the query.

      That's not so much an override for the Apache version, but an override for the version of .htaccess, so this value may or may not be usable for other purposes.

      Also note, there is a difference between an override and a fallback/default. I don't know if there is a case where Apache would be reporting its version as 2.2 when it's really 2.4. If we set a default, the version will still be whatever is reported by the server. So I think I'm looking for an override.

      Consider a scenario where we're building a site in one system with the intent to deploy it elsewhere. We want the .htaccess to suit the production environment. So even if we develop over Apache 2.4, and Defender creates 2.4-compliant .htaccess, we might want to override that to use 2.2-compliant directives, since v2.4 directives won't work on the target site. In this scenario we can assume that the admin will run a new file scan on the new system. But that shouldn't be a requirement - and I don't believe it's currently a stated requirement or suggestion. Someone duplicating a site just expects it to work in the target environment. It would be a shame if Defender becomes a stumbling block in that effort.

      In another thread I suggest that Defender require a file scan on update. It seems that because of this scenario where the source and target web servers might be different (not just version but they might now be running over Nginx), maybe Defender should require a new file scan on activation too.

      Anything actionable here?
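As an added illustration of the detect / override / fallback logic discussed in this thread (example code written for this page, not Defender's own; the sample Server header strings and the `override` parameter are constructed assumptions), including a check for the mixed 2.2/2.4 directive situation the upgrade guide warns about:

```python
import re

# Constructed sample Server headers (not taken from the page): one server that
# reveals its version and one hardened with ServerTokens Prod, which hides it.
SAMPLE_HEADERS = {
    "verbose": "Apache/2.4.41 (Ubuntu)",
    "hidden": "Apache",
}

OLD_SYNTAX = re.compile(r"^\s*(Order|Allow from|Deny from)\b", re.I | re.M)
NEW_SYNTAX = re.compile(r"^\s*Require\b", re.I | re.M)


def apache_version_from_header(server_header):
    """Parse 'Apache/2.4.41 (...)' into (major, minor); None when hidden."""
    m = re.match(r"Apache/(\d+)\.(\d+)", server_header or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def htaccess_syntax_version(server_header, override=None, fallback=(2, 2)):
    """Pick the directive syntax to emit.

    An explicit override (a constant or a UI setting, as proposed in the
    thread) wins, then the version the server reports, then the conservative
    2.2 fallback, which 2.4 still accepts through mod_access_compat.
    """
    if override is not None:
        return override
    return apache_version_from_header(server_header) or fallback


def deny_all_block(version):
    """Render 'deny everything' in the access-control syntax of that release."""
    if version >= (2, 4):
        return "Require all denied"
    return "Order deny,allow\nDeny from all"


def has_mixed_syntax(htaccess_text):
    """True when 2.2 and 2.4 access directives coexist in one file, the case
    where adding new directives to old ones can misbehave on 2.4."""
    return bool(OLD_SYNTAX.search(htaccess_text) and NEW_SYNTAX.search(htaccess_text))


if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        v = htaccess_syntax_version(header)
        print(f"{name}: reported={header!r} -> emit {v[0]}.{v[1]} syntax")
        print(deny_all_block(v))
```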
