Insufficient description how to configure AllowOverride directive for Apache configuration

[sgnsajgon]

Feedback on page: /guides/v2.1/install-gde/prereq/apache.html

Aforementioned page is aimed to explain how to enable Apache 2.2 and 2.4 Rewrites module and specify a setting for the distributed configuration file, .htaccess. In fact, presented explanation is insufficient and superficial, because does not concern the heart of the matter, namely how to setup AllowOverride directive of site configuration. It merely forces reader to see the guidelines in the Apache documentation. In my opinion, this page should precisely show how Apache configuration for Magento has to be setup. It is likely that user would have to spend some time to find proper configuration using "trials and errors" approach, or would be discouraged to find a solution on her/his own and would configure it as "AllowOverride All", what is probably not a good idea due to security concerns.

I have done some recognitions and I have concluded that the minimal configuration for working site on Apache 2.4 should be as shown below, assuming that document root is "/var/www/html/magento":

<Directory /var/www/html/magento>
    AllowOverride FileInfo Indexes Limit Options=FollowSymLinks,Indexes,MultiViews
    Require all granted
</Directory>

<Directory /var/www/html/magento/pub/media>
    AllowOverride FileInfo Limit Options=All
</Directory>

Rationale:

• FileInfo: to enable Rewrites module.
• Indexes: to enable directory index (i.e. DirectoryIndex directive).
• Limit: to enable directives controlling host access (Allow, Deny and Order).
• Options=FollowSymLinks: to enable Options +FollowSymLinks directive i.e. in main directory .htaccess file.
• Options=Indexes: to enable Options +Indexes directive i.e. in main directory .htaccess file.
• Options=MultiViews: to enable Options -MultiViews directive i.e. in pub/static/.htaccess file.
• Options=All in case of pub/media and directories: to enable Options=All directive in .htaccess files within these directories.

To test above configuration, we can run Magento virtual host site (without installation steps performed), and try to access (simulating web browser) each Magento filesystem directory which contains .htaccess file using the following command (assuming that virtual host in configured for magento.sgnsajgon.pl domain):

find -name .htaccess -printf 'http://magento.sgnsajgon.pl%h/\n' | sed -e 's|\./|/|' | xargs curl -vIL --stderr - | grep "500\|403" -B 10

We can see that there is no page causing 403 (Forbidden) error, and only 2 pages cause 500 (Internal Error) error, but due to PHP exceptions, not Apache configuration issues.

It is minimal configuration for Apache 2.4. Configuration for Apache 2.2 is likely the same or very similar, but I have no tested it with version 2.2.

I have several additional proposals of improvements for this page:

• In section "Enable rewrites and .htaccess for Apache 2.4" there is an advise:

  In some cases, additional parameters might be required. For more information, see the Apache 2.4 documentation.

  For clarify it should be explained what cases are meant here.

• In section "Enable rewrites and .htaccess for Apache 2.2" there is an advise:

  The preceding values for Order might not work in all cases. For more information, see the Apache documentation (2.2, 2.4).

  For clarify it should be explained what cases are meant here.

• in sections "Solving 403 Forbidden errors for Apache 2.4" and "Solving 403 Forbidden errors for Apache 2.2" there are advices:

  The preceding values for Order might not work in all cases. For more information, see the Apache documentation.

  For clarify it should be explained what cases are meant here.

• In configuration examples on page there is presented Options directive:
  Options Indexes FollowSymLinks MultiViews

  Is it necessary? I have found that several .htaccess configurations enable or disable these options explicitly for directory if needed ( thus "AllowOverride Options=FollowSymLinks,Indexes,MultiViews" directive is required, as I describe above), so I guess that it is not required to enable them for entire site. In fact, it may cause security issues, i.e. if Indexes option in set for entire site and we forget to apply DiretoryIndex directive in any .htaccess file - it would cause directory content leak.

[jbliesener]

I have found this AllowOverride directive for /var/www/html/magento/pub/media to be insufficient. The problem is that /var/www/html/magento/pub/media inherits from /var/www/html/magento and therefore can NOT have more permissions on Options than /var/www/html/magento.

I got an error 500 due to Options -ExecCGI in /var/www/html/magento/pub/media/.htaccess. Adding ,ExecCGI to AllowOverride in the <Directory /var/www/html/magento/pub/media/> block didn't resolve the issue. I had to include it in the <Directory /var/www/html/magento> block.

[jcalcaben]

Hi @sgnsajgon, would you be willing to create a PR with this information for the page?

[jeff-matthews]

@osrecio, is this something you could help us with?

[osrecio]

For sure. Now I'm at MM18DE. I will check on Thursday.

[jeff-matthews]

Hi @osrecio, can you take a look at this this week?

[osrecio]

I tested the config from @sgnsajgon and seems to be ok. I compared with other projects in production with Apache and is so similar.

I will create a PR to add the advices I think is a good idea to have a guideline if is your first time with Magento and Apache configuration.

IMHO the Apache configuration depends at all of your environment although it is true that we can have a "standard".