
Re: /etc/apache2/conf.d/security default for the release after lenny



On Friday 05 November 2010, Teodor MICU wrote:
> I've noticed that this paragraph is still a comment in the default
> conf.d/security file:
> 
> # This currently breaks the configurations that come with some web application
> # Debian packages. It will be made the default for the release after lenny.
> #
> #<Directory />
> #       AllowOverride None
> #       Order Deny,Allow
> #       Deny from all
> #</Directory>
> 
> Are there any plans to enable this for squeeze? I know that I've
> manually removed the # for my own installs and it didn't have any
> side effects.

No, the comment is outdated. I forgot that I put such a definite 
statement about squeeze in there. The reason I have not changed it is 
that I am no longer so sure it would be a good idea: Webapps that ship 
their files in some directory outside of /var/www would have to have 
an "Allow from all" snippet in their configuration to work by default. 
Now, if the admin doesn't want "allow from all" but e.g. "allow from 
192.168.0.0/24", he would have to change many distinct configuration 
sections, which is a pain.

If there is another update for apache2 in squeeze, I will change the 
comment. Thanks for bringing this to my attention.

Cheers,
Stefan
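
The trade-off described in the reply above, written out as an added example that is not part of the original thread. It uses Apache 2.2 access-control syntax; the webapp name, its path under /usr/share and the snippet file name are assumptions made for illustration.

```apache
# /etc/apache2/conf.d/security with the commented block enabled:
# every filesystem path is denied unless a more specific section allows it.
<Directory />
        AllowOverride None
        Order Deny,Allow
        Deny from all
</Directory>

# Hypothetical per-webapp snippet, e.g. /etc/apache2/conf.d/examplewebapp.
# The files live outside /var/www, so with the block above in place the
# package has to open its own directory or it returns 403 out of the box.
Alias /examplewebapp /usr/share/examplewebapp

# Variant A: what the package would have to ship to work by default.
# Order/Allow/Deny in this section replace the ones set on <Directory />.
<Directory /usr/share/examplewebapp>
        Order Allow,Deny
        Allow from all
</Directory>

# Variant B: what an admin who wants LAN-only access writes instead of A.
# This edit has to be repeated in the snippet of every installed webapp,
# because each one carries its own "Allow from all".
#<Directory /usr/share/examplewebapp>
#        Order Deny,Allow
#        Deny from all
#        Allow from 192.168.0.0/24
#</Directory>
```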

