I am no expert on Apache conf files, but I am reasonably familiar with them. A security plugin I have installed on one of my WordPress sites (https://ithemes.com/security/) makes edits to an .htaccess file in order to enforce automated IP bans (for example, if you have too many failed login attempts in a short period of time). Here is the block that it generated: (xxx added by me for the IP address)

```apache
<IfModule mod_authz_core.c>
        <RequireAll>
                Require all granted
                Require not env DenyAccess
                Require not ip xxx.xxx.xxx.xxx
        </RequireAll>
</IfModule>
<IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from env=DenyAccess
        Deny from xxx.xxx.xxx.xxx
        Allow from all
</IfModule>
```

Now, this causes the site to bomb out with a 500 error. The error I get in my log is

```
Expected </RequireAll>> but saw </RequireAll>
```

(Note the extra trailing >). And, lo and behold, if I add an extra >, the site works again.

What syntax rule is at play here? Why on earth do I need the extra > in a closing tag? Why would the (popular and generally respected) plugin be generating an invalid .htaccess? Since this looks so wrong to me I'm inclined to believe I have some obscure server setting or an outdated Apache or something causing this. Any insight would be much appreciated.

Using Apache/2.0.46

chiliNUT
  • That's definitely some sort of bug, and doesn't look like something that would be configurable. Docs do not show it, and some examples of those directives do not either... However, this seems to be only part of Apache 2.3 and newer, so it shouldn't work on 2.0... – Mike Rockétt May 27 '16 at 15:54
  • @MikeRockett Sorry, can you clarify for me, `what` is only part of Apache 2.3 and newer? – chiliNUT May 27 '16 at 15:57
  • oh you must mean the `authz_core_module`. – chiliNUT May 27 '16 at 16:06
  • Well, it should probably work if you disable authz_core_module. But still, man, **2.0.46**? – Dusan Bajic May 27 '16 at 18:55
  • @dusan.bajic ha, yeah, I know. It's an old server! Will definitely be updating it soon, it's just never given us a reason to update until now. – chiliNUT May 27 '16 at 19:49

0 Answers