httpd.conf AllowOverride All
AllowOverride
directive is used to allow the use of .htaccess
within the web server to allow overriding of the Apache config on a per directory basis. I believe CI uses mod_rewrites to make it work correctly. That's why it only works when you have AllowOverride All
because you are telling the webserver to allow the use of an .htaccess file which CI uses. That's the simple answer. It's not about security per say, it's for the use of .htaccess
files.
You will most likely have to use AllowOverride All
to use codeigniter because that's the way it works. There shouldn't be any major security concerns with using this directive. Security wise you should be fine. Just don't use AllowOverride All
in a <Directory />
block.
Only use it in a specific web directory only. This below is what you have now and should be fine with AllowOverride All
.
<Directory "c:/Apache24/htdocs">
if it wasn't for this directive, .htaccess
files would not work. Have a look at the documentation for more detailed explanation.
http://httpd.apache.org/docs/current/mod/core.html#allowoverride
Smudger
Updated on July 09, 2022Comments
-
Smudger almost 2 years
I am trying to remove the index.php from my codeigniter URL. I have apache24 with codeigniter and ion auth. The only way I can get this to work is by allowing
AllowOverride All
.The relevant code is:
<Directory "c:/Apache24/htdocs"> Options Indexes FollowSymLinks AllowOverride All Require all granted </Directory>
Using
AllowOverride None
this returns a 404 error code. UsingAllowOverride All
it works.What are the security implications with this on a production server?
-
Apurva Kunkulol over 6 yearsWhat are the implications of using the
AllowOverride All
in<Directory />
block? -
MrWhite almost 6 years@ApurvaKunkulol That would permit Apache to search for
.htaccess
files all the way up to the server root. Apart from being unnecessary, the Apache docs specifically warn against this for "security and performance" reasons.