As apache.org says:
In general, you should only use .htaccess files when you don't have access to the main server configuration file.
Using the <Directory> directive I moved the content of .htaccess to the respective .httpd.conf file for the webspace, as this file will be included by Apache. So far, so good -- everything works as expected.
BUT: Status reports in Drupal continue to throw an error about "unsafe /…/files" directory, which I think is not the case.
So does anybody know whether Drupal is smart enough to check for the protection level of any directory actually in effect, or does it just check for the existence of an .htaccess file with the recommended SA-* directives included?
If Drupal does not check for the actual protection level, but just throws in a prefab .htaccess if it doesn't find any, I think there should be a way to tell Drupal to stop that behaviour, as I don't want to sacrifice performance because of odd .htaccess files.
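An added example, not part of the original post and not Drupal's own code: a static check that a `<Directory>` block in the server configuration carries the protections that would otherwise sit in the files directory's .htaccess. The handler marker string, the sample paths and the chosen set of directives are assumptions; compare them with the .htaccess your Drupal version generates.

```python
import re

# Handler marker from Drupal's generated files/.htaccess (assumption: confirm
# it against the .htaccess your Drupal version writes).
MARKER = "Drupal_Security_Do_Not_Remove_See_SA_2013_003"

# Constructed sample of a per-site config file included by Apache.
SAMPLE_CONF = """
<Directory "/var/www/example/sites/default/files">
    AllowOverride None
    Options -Indexes -ExecCGI -Includes -MultiViews
    SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Directory>
<Directory "/var/www/example/sites/default/private">
    AllowOverride None
</Directory>
"""

def directory_blocks(conf):
    """Map each <Directory> path to its directive lines (nested sections flattened)."""
    blocks, current = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.I)
        if m:
            current = m.group(1).rstrip("/")
            blocks[current] = []
        elif re.match(r"</Directory\s*>", line, re.I):
            current = None
        elif current is not None and not line.startswith("<"):
            blocks[current].append(line)
    return blocks

def missing_protections(conf, path):
    """Return the protections absent from the <Directory> block for path."""
    lines = directory_blocks(conf).get(path.rstrip("/"))
    if lines is None:
        return ["no <Directory> block"]
    text = "\n".join(lines).lower()
    checks = {
        "SetHandler " + MARKER: ("sethandler " + MARKER.lower()) in text,
        "Options -ExecCGI": re.search(r"^options\b.*-execcgi", text, re.M) is not None,
        "AllowOverride None": re.search(r"^allowoverride\s+none\b", text, re.M) is not None,
    }
    return [name for name, ok in checks.items() if not ok]
```

This only reads the text of one file: it does not follow Include directives or account for settings inherited from parent `<Directory>` blocks, so treat an empty result as a configuration review aid, not proof of the protection in effect.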
Comments
Drupal attempts to create .htaccess files, and checks them; see core/modules/system.install (search for .htaccess). You can probably change this behaviour by making your own small module implementing hook_requirements(). I do not think there is a ready-made way to change this aspect of the status page.
Perhaps if you feel strongly enough about it, open a ticket for Drupal core. Although there are so many tickets that have been open for upwards of 10 years that it is always hard to get traction unless a group of people well connected in core development are enthused by the idea. There is nothing to stop you opening a ticket and then sharing a contributed module for the purpose though.
Digit Professionals specialising in Drupal, WordPress & CiviCRM support for publishers in non-profit and related sectors
+1
Thanks. Pretty much what I thought.
Norbert
-- form follows function