Mathias Bynens

Apache’s AllowOverride All doesn’t do what you think it does

Published · tagged with Apache

I just had to set up an Apache server for a school project. Because I like to use .htaccess files to set rewrite rules and fiddle with some other options, some extra modules had to be loaded in addition to the standard batch.

Checking which modules are currently loaded can easily be done using phpinfo(), as explained in this post about enabling mod_rewrite in Apache.

Activating Apache modules is easy: simply open up the httpd.conf file in the /conf/ folder of your Apache installation, and uncomment (or add) the appropriate lines. Commented lines always start with a hash (#).
Basically, to load mod_negotiation (for MultiViews) and mod_rewrite (for rewrite rules), you simply add the following lines to httpd.conf:

LoadModule negotiation_module modules/mod_negotiation.so
LoadModule rewrite_module modules/mod_rewrite.so

So far, so good. Apache is instructed to load the extra modules; we should now be able to use MultiViews and rewrite rules by defining them in a .htaccess file.
However, when I tried using Options +MultiViews, all I got was one of those infamous “500 Internal Server Error” pages.

The error log said something among the lines of .htaccess: Option MultiViews not allowed here.

Google wasn’t really helpful in this case. At first, all I could find was someone having the same problem. I couldn’t find any solutions until I actually started browsing old #apache IRC logs.

Turns out Apache has a default setting in httpd.conf which specifies the settings that can be overriden by what’s written in your .htaccess file: AllowOverride. Your httpd.conf might contain something like this:

<Directory />
Options FollowSymLinks
AllowOverride All
Order deny,allow
Deny from all
</Directory>

Contrary to what you may think, the All parameter doesn’t really mean “[allow overriding] all options”, since it doesn’t include the MultiViews option! The key here is to use AllowOverride Options=All,MultiViews. Together with all other groupings of directives, this is the code we need:

<Directory />
Options FollowSymLinks
AllowOverride AuthConfig FileInfo Indexes Limit Options=All,MultiViews
Order deny,allow
Deny from all
</Directory>

About me

Hi there! I’m Mathias. I work on Chrome DevTools and the V8 JavaScript engine at Google. HTML, CSS, JavaScript, Unicode, performance, and security get me excited. Follow me on Twitter, Mastodon, and GitHub.

Comments

Jean Delvare wrote on :

I had the exact same problem, and your solution works just fine. Very useful article, thanks!

Sebastian Wojtowicz wrote on :

Had the error because FLOW3 has Options -MultiViews in its .htaccess.

Now I have set this rule in my Apache’s .conf file for the FLOW3 folder: AllowOverride FileInfo Options=MultiViews And it works. Thanks!

Michał Roszka wrote on :

Good catch, Mathias! Thank you for a helpful post. For the sake of my curiosity I did a little research about it. It turns out, this has been the case since the very early releases of the Apache HTTP server, including 1.3. And this actually has been documented since forever. The documentation clearly says that All means All options except for MultiViews. Yet, for some reason it is somewhat difficult to catch it while reading the documentation. :-)

Jiri Svejda wrote on :

Thank you so much! This helped me immensely. Your solution is the only one that worked for me. Keep it up, you're awesome!

Leave a comment

Comment on “Apache’s AllowOverride All doesn’t do what you think it does”

Your input will be parsed as Markdown.