.htaccess error "not allowed here" for all for all instructions

Question

I am using Debian Lenny and Apache 2. I changed the default .htaccess file with:

AllowOverride AuthConfig 

But I always get the error message not allowed here when putting any instructions in the .htaccess file.

EDIT:

file default:

<VirtualHost *:80> ServerAdmin webmaster@localhost DocumentRoot /var/www/ <Directory /> Options FollowSymLinks Order allow,deny Allow from all AllowOverride All </Directory> <Directory /var/www/> Options Indexes FollowSymLinks Includes #AllowOverride All #AllowOverride Indexes AuthConfig Limit FileInfo AllowOverride AuthConfig Order allow,deny Allow from all </Directory> ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/ <Directory "/usr/lib/cgi-bin"> AllowOverride None Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch Order allow,deny Allow from all </Directory> ErrorLog /var/log/apache2/error.log # Possible values include: debug, info, notice, warn, error, crit, # alert, emerg. LogLevel warn CustomLog /var/log/apache2/access.log combined Alias /doc/ "/usr/share/doc/" <Directory "/usr/share/doc/"> Options Indexes MultiViews FollowSymLinks AllowOverride None Order deny,allow Deny from all Allow from 127.0.0.0/255.0.0.0 ::1/128 </Directory> </VirtualHost> 

.htaccess:

#Options +FollowSymlinks # Prevent Directoy listing Options -Indexes # Prevent Direct Access to files <FilesMatch "\.(tpl|ini)"> Order deny,allow Deny from all </FilesMatch> # SEO URL Settings RewriteEngine On RewriteBase / RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule ^(.*)\?*$ index.php?_route_=$1 [L,QSA] 

PHP info:

apache2handler Apache Version = Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny10 with Suhosin-Patch Apache API Version = 20051115 Server Administrator = webmaster@localhost Hostname:Port = hw-linux.homework:80 User/Group = www-data(33)/33 Max Requests = Per Child: 0 - Keep Alive: on - Max Per Connection: 100 Timeouts = Connection: 300 - Keep-Alive: 15 Virtual Server = Yes Server Root = /etc/apache2 Loaded Modules = core mod_log_config mod_logio prefork http_core mod_so mod_alias mod_auth_basic mod_authn_file mod_authz_default mod_authz_groupfile mod_authz_host mod_authz_user mod_autoindex mod_cgi mod_deflate mod_dir mod_env mod_mime mod_negotiation mod_php5 mod_rewrite mod_setenvif mod_status 

Answer 1

You will require a minimum of AllowOverride Authconfig FileInfo Options inside your <Directory> block to get the .htaccess you've posted here to work - mod_rewrite will require FileInfo Options and your <FilesMatch> block requires the Authconfig.

Also: your statement "does not work with AllowOverride All" is mistaken. You cannot specify a MORE permissive environment than AllowOverride All. When in doubt, start with that to make sure the rest of your configuration works, then narrow it down more specifically (for security's sake).

Answer 2

This option can be used only inside a Directory element. So you have to specify a directory which should be protected.

Answer 3

not allowed here is usually caused by trying to set directives in .htaccess file that can only be defined in httpd.conf.

First try

AllowOverride All 

In your ower most <Directory> tag to your www folder. Now your .htaccess can work in its full capacity. If this solves the problem, then you can start focusing on security and decrease the number of allowed directives one-by-one.