Disable “SECURITY NOTICE: .htaccess files are disabled”

Hello all,

Is it possible to disable the warning about disabled .htaccess files from FreePBX?
I have FreePBX 12 (custom build) on a public-facing server and have disabled .htaccess overrides using “AllowOverride None” inside the VirtualHost directive in Apache. I have done this because I have access rules set up in this same VirtualHost directive in Apache. From other posts I have learned that you cannot safely modify the .htaccess files inside the FreePBX web directory and assume they will survive an update. Therefore I believe my current configuration is safer (only allow 127.0.0.1) than enabling AllowOverride and thereby the .htaccess, which in turn will allow access to the FreePBX admin panel once an updated FreePBX version overwrites these files.

Any thoughts on this?

Well here’s what I’ve told other people. You can enable AllowOverride and it won’t affect your own setup. In fact whatever you set in the higher level will still work (and I know this because the work inside htaccess is minimal).

So why not just set it to All and see what happens. I assume nothing and your own settings will work just fine.

If you look at the htaccess file you will see we do no Allows/Denies per IP address in there, just by file. Meaning your allows/denies will still work at your higher-up level (especially if it’s in a conf file). Not saying your method is any less secure, but this stops people from getting hacked who don’t know as much as you; if we allowed it to be turned off, then someone who thinks they knew better would turn it off and distribute it to their clients, then cry wolf when they got hacked for “not knowing” because “the guy who gave this to me said I was safe”.
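To make the point above concrete, here is an added example of the kind of VirtualHost Andrew is describing: AllowOverride stays on so the .htaccess files FreePBX ships keep working (and the security notice goes away), while the IP restriction lives in the vhost configuration, where an update cannot overwrite it. This is illustration written for this thread, not FreePBX’s own configuration; the document root, hostname and the Apache 2.4 directive syntax are assumptions.

```apache
# Added example, not from the thread or the FreePBX project.
# Assumed: Apache 2.4 with mod_authz_core, DocumentRoot /var/www/html,
# hostname pbx.example.invalid. Adjust both to your install.
<VirtualHost *:80>
    ServerName pbx.example.invalid
    DocumentRoot /var/www/html

    <Directory /var/www/html>
        # Let FreePBX's shipped .htaccess files apply. They only
        # restrict access to particular files; they contain no
        # per-IP allow/deny, so they do not loosen the rule below.
        AllowOverride All
        Options -Indexes +FollowSymLinks

        # The IP restriction belongs here, in the conf file, where a
        # FreePBX update cannot overwrite it. Apache 2.4 syntax; the
        # 2.2 equivalent is "Order deny,allow / Deny from all /
        # Allow from 127.0.0.1".
        Require ip 127.0.0.1
    </Directory>
</VirtualHost>
```

After changing AllowOverride, run `apachectl configtest` and then confirm the restriction still holds by requesting the admin URL from an address that is not on the allow list and checking for a 403. One caveat drawn from later in this thread: if a caching or reverse proxy sits in front of Apache, every request arrives from the proxy’s address, so `Require ip` matches the proxy rather than the real client; on Apache 2.4, mod_remoteip (`RemoteIPHeader` plus `RemoteIPInternalProxy` for the proxy’s address) restores the original client IP before the rule is evaluated.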

Hi Andrew, thanks for taking the time to reply. You are absolutely right about the higher-up-level Allow/Deny restrictions. I wrongly assumed the FreePBX allow/deny rules were messing things up, while in fact it was my caching server’s IP that made the rules have no effect.

Thanks again,

Arend
