Issue #1599774 by longwave, ben.bunk, Rob C, stefan.r, David_Rothstein, BTMash, kristofferwiklund, marcingy, mpdonadio, DuneBL, serundeputy, Letharion, quicksketch, alexpott, J-Lee, Morbus Iff: Drupal fails to boot with 503 error and .htaccess protections do not work on Apache 2.4 without mod_access_compat

.htaccess

@@ -4,7 +4,12 @@
 
 # Protect files and directories from prying eyes.
 <FilesMatch "\.(engine|inc|info|install|make|module|profile|test|po|sh|.*sql|theme|tpl(\.php)?|xtmpl)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock))$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig\.save)$">
-  Order allow,deny
+  <IfModule mod_authz_core.c>
+    Require all denied
+  </IfModule>
+  <IfModule !mod_authz_core.c>
+    Order allow,deny
+  </IfModule>
 </FilesMatch>
 
 # Don't show directory listings for URLs which map to a directory.

CHANGELOG.txt

@@ -7,6 +7,8 @@ Drupal 7.xx, xxxx-xx-xx (development version)
 - Allowed services such as Let's Encrypt to work with Drupal on Apache, by
   making Drupal's .htaccess file allow access to the .well-known directory
   defined by RFC 5785.
+- Made new Drupal sites work correctly on Apache 2.4 when the mod_access_compat
+  Apache module is disabled.
 - Fixed Drupal's URL-generating functions to always encode '[' and ']' so that
   the URLs will pass HTML5 validation.
 - Several bug fixes.

includes/file.inc

@@ -535,7 +535,18 @@ SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
 EOF;
 
   if ($private) {
-    $lines = "Deny from all\n\n" . $lines;
+    $lines = <<<EOF
+# Deny all requests from Apache 2.4+.
+<IfModule mod_authz_core.c>
+  Require all denied
+</IfModule>
+
+# Deny all requests from Apache 2.0-2.2.
+<IfModule !mod_authz_core.c>
+  Deny from all
+</IfModule>
+EOF
+    . "\n\n" . $lines;
   }
 
   return $lines;