[Bug] Apache 2.4 with proxy_fcgi_module does not ignore .htaccess files #22201

Open
4 tasks done
pboguslawski opened this issue May 8, 2024 · 0 comments
Labels
Potential Bug Something that might be a bug, but needs validation and confirmation it can be reproduced. To Triage An issue awaiting triage by a Matomo core team member

Comments

@pboguslawski

What happened?

When using proxy_fcgi_module in Debian 11 + Apache 2.4, direct access (from browser) to the /config area is forbidden with .htaccess, but during installation there is a warning displayed:

PHP SAPI	fpm-fcgi
PHP FPM will ignore .htaccess rules for .php files. To ensure that sensitive files cannot be accessed directly it is recommended to exclude certain directories from being handled by PHP FPM by adding the line ProxyPass /config ! to the mod_proxy_fcgi.c section in your apache virtual host config just above the ProxyPassMatch line.

Aren't only PHP-specific settings inside .htaccess ignored when using proxy_fcgi_module? Didn't find such settings in the following .htaccess files found after 5.0.3 installation in Debian 11:

./core/.htaccess
./js/.htaccess
./lang/.htaccess
./libs/.htaccess
./misc/cron/.htaccess
./misc/user/.htaccess
./node_modules/.htaccess
./plugins/.htaccess
./tmp/.htaccess
./vendor/.htaccess

Didn't find ProxyPassMatch line in our config, only

    <FilesMatch ".+\.ph(ar|p|tml)$">
        SetHandler "proxy:unix:/run/php/php7.4-fpm.sock|fcgi://localhost"
    </FilesMatch>

Seems the warning is misleading and should be fixed.

What should happen?

No warning when access to protected areas is already forbidden with .htaccess.

How can this be reproduced?

Install matomo 5.0.3 in Debian 11 with Apache 2.4 + mod_proxy_fcgi.

Matomo version

5.0.3

PHP version

No response

Server operating system

No response

What browsers are you seeing the problem on?

No response

Computer operating system

No response

Relevant log output

No response

Validations

@pboguslawski pboguslawski added Potential Bug Something that might be a bug, but needs validation and confirmation it can be reproduced. To Triage An issue awaiting triage by a Matomo core team member labels May 8, 2024
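
An added example, not part of the original issue or of Matomo's code: a small Python check that reads an Apache vhost config and tells apart the two PHP-FPM wirings contrasted above (the `ProxyPassMatch` form the warning refers to and the `FilesMatch`/`SetHandler` form from the reporter's config), then lists which paths lack a `ProxyPass <path> !` exclusion above the `ProxyPassMatch` line. The function name, the `protected` parameter and the second sample config are constructed for illustration, and the check assumes the exclusion is only relevant to the `ProxyPassMatch` form.

```python
import re

# "ProxyPass /path !" excludes a path from proxying.
EXCLUDE = re.compile(r'^\s*ProxyPass\s+"?(/[^\s"]*)"?\s+!\s*$', re.I)
# "ProxyPassMatch <regex> [unix:...|]fcgi://..." sends matching URLs to FPM.
PPM_FCGI = re.compile(r'^\s*ProxyPassMatch\s+\S+\s+"?\S*fcgi://', re.I)
# 'SetHandler "proxy:[unix:...|]fcgi://..."' hands matched files to FPM.
SETHANDLER_FCGI = re.compile(r'^\s*SetHandler\s+"?proxy:\S*fcgi://', re.I)

# The FilesMatch block quoted in the issue.
PAGE_CONF = r'''
<FilesMatch ".+\.ph(ar|p|tml)$">
    SetHandler "proxy:unix:/run/php/php7.4-fpm.sock|fcgi://localhost"
</FilesMatch>
'''

# Constructed sample: the /tmp exclusion comes after ProxyPassMatch.
PPM_CONF = r'''
<IfModule mod_proxy_fcgi.c>
    ProxyPass /config !
    ProxyPassMatch ^/(.*\.php(/.*)?)$ fcgi://127.0.0.1:9000/var/www/matomo/$1
    ProxyPass /tmp !
</IfModule>
'''

def audit_fpm_wiring(conf_text, protected=("/config", "/tmp")):
    """Return (wiring, missing). wiring is 'proxypassmatch', 'sethandler'
    or 'none'; missing lists protected paths that have no
    'ProxyPass <path> !' line above the first ProxyPassMatch to FPM."""
    excluded, wiring = set(), "none"
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # skip comment lines
        m = EXCLUDE.match(line)
        if m and wiring != "proxypassmatch":
            # Only exclusions placed before ProxyPassMatch are counted,
            # matching the "just above" placement in the warning.
            excluded.add(m.group(1).rstrip("/"))
        elif PPM_FCGI.match(line):
            wiring = "proxypassmatch"
        elif SETHANDLER_FCGI.match(line) and wiring == "none":
            wiring = "sethandler"
    if wiring != "proxypassmatch":
        return wiring, []
    return wiring, [p for p in protected if p not in excluded]

if __name__ == "__main__":
    print(audit_fpm_wiring(PAGE_CONF))  # reporter's SetHandler wiring
    print(audit_fpm_wiring(PPM_CONF))   # constructed ProxyPassMatch wiring
```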