On Wed, 4 Apr 2018 10:46:31 -0400
Eric Covener <cove...@gmail.com> wrote:


> What is the correct configuration that doesn't cause htaccess to be
> visited?  If it's trunk only, I think it should be an alternate config
> mechanism rather than making it incompatible with any other setting in
> htaccess.

Anything equivalent to the "canonical" example in both the
mod_status docs and the shipped httpd-info.conf.in .

Note that the latter also implies it can be restricted to
an access list, which is misleading if any "Require" can
be bypassed through .htaccess.

# Allow server status reports generated by mod_status,
# with the URL of http://servername/server-status
# Change the ".example.com" to match your domain to enable.

<Location /server-status>
    SetHandler server-status
    Require host .example.com
    Require ip 127
</Location>

> >> Comments?
> 
> RewriteRule [P] in htaccess isn't anywhere near "screwed up".

I disagree.  .htaccess has no business enabling a user to
access server resources outside his/her own directories.
AllowOverride Fileinfo is a mess of largely-unrelated stuff,
as pointed out by (IIRC) Jacob in the earlier discussion.

-- 
Nick Kew
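
An added example, not part of the original message or of the httpd source: a small audit an administrator could run over document roots to find .htaccess files that assign the status handler or use RewriteRule with the P flag, the two .htaccess capabilities discussed above. It assumes the bypass referred to is a handler assignment made from .htaccess; the function names, the inclusion of server-info, and the sample file are constructed for illustration.

```python
import os
import re

# Handler names to flag: server-status is the one in the message;
# server-info (mod_info) is included here as an assumption.
HANDLERS = {"server-status", "server-info"}
SETHANDLER = re.compile(r'^\s*SetHandler\s+"?([\w-]+)"?\s*$', re.I)
REWRITE_FLAGS = re.compile(r'^\s*RewriteRule\s.*\[([^\]]*)\]\s*$', re.I)

def audit_htaccess(text):
    """Return [(line_no, kind, line)] for directives worth a review."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out directive, not active
        m = SETHANDLER.match(line)
        if m and m.group(1).lower() in HANDLERS:
            findings.append((no, "handler", line.strip()))
            continue
        m = REWRITE_FLAGS.match(line)
        if m:
            # Flags are comma-separated; P and proxy are the same flag.
            flags = {f.strip().lower() for f in m.group(1).split(",")}
            if flags & {"p", "proxy"}:
                findings.append((no, "proxy", line.strip()))
    return findings

def audit_tree(root):
    """Walk root and audit every .htaccess file found beneath it."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = audit_htaccess(fh.read())
            if hits:
                report[path] = hits
    return report

# Constructed sample .htaccess content (not taken from any real site).
SAMPLE = """# constructed sample
Options -Indexes
SetHandler server-status
RewriteEngine On
RewriteRule ^app/(.*)$ http://127.0.0.1:8080/$1 [P,L]
RewriteRule ^old$ /new [R=301,L]
# SetHandler server-status
"""

if __name__ == "__main__":
    for no, kind, line in audit_htaccess(SAMPLE):
        print(f"{no}: {kind}: {line}")
```

Backslash-continued directive lines are not joined, so a directive split across lines would need a manual look.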
