1script - 6:42 am on Jan 11, 2013 (gmt 0)

Ever since 2.2 the most basic server security measure no longer works - I cannot block access to some of the internal files, including .htaccess, in httpd.conf

How come?

None of the usual config commands work anymore, such as
:

<FilesMatch "^\.ht">
Order allow,deny
Deny from all

Satisfy All
</FilesMatch>




You can still easily go to http://www.example.com/.htaccess and see the content in plain text, a ridiculous breach of security.

none of the other file name-based restrictions in httpd.conf work anymore either.

I understand that access is now managed by different modules in 2.2 and here is the list of what's loaded, am I missing something? :



Loaded Modules:
core_module (static)
authn_file_module (static)
authn_default_module (static)
authz_host_module (static)
authz_groupfile_module (static)
authz_user_module (static)
authz_default_module (static)
auth_basic_module (static)
include_module (static)
filter_module (static)
deflate_module (static)
log_config_module (static)
logio_module (static)
env_module (static)
expires_module (static)
headers_module (static)
setenvif_module (static)
version_module (static)
proxy_module (static)
proxy_connect_module (static)
proxy_ftp_module (static)
proxy_http_module (static)
proxy_scgi_module (static)
proxy_ajp_module (static)
proxy_balancer_module (static)
ssl_module (static)
mpm_prefork_module (static)
http_module (static)
mime_module (static)
status_module (static)
autoindex_module (static)
asis_module (static)
info_module (static)
suexec_module (static)
cgi_module (static)
negotiation_module (static)
dir_module (static)
actions_module (static)
userdir_module (static)
alias_module (static)
rewrite_module (static)
so_module (static)
bwlimited_module (shared)
suphp_module (shared)




Would appreciate any comment on this pressing matter.
Thanks!