#43008 directive Options +FollowSymLinks and Internal Server Error (500)

Posted in ‘Admin Tools for Joomla!’

Environment Information

Joomla! version: 6.1.1
PHP version: 8.4
Admin Tools version: Admin Tools Pro

Latest post by moira on Tuesday, 09 June 2026 10:51 CDT

strigaris

I am opening this ticket regarding an issue with the .htaccess generation on my Virtualmin-managed server for my website.

On this specific server environment, Apache is configured very strictly regarding ownership and overrides. In my previous, working .htaccess file, I had to use the following specific configuration to avoid crashes:


## Can be commented out if causes errors, see notes above.
## Options +FollowSymlinks
Options -Indexes

If the directive Options +FollowSymLinks is injected or if the server environment is forced into a standard override config, the server immediately triggers an Internal Server Error (500).

Could you please assist me in configuring the system (or advise on the best workaround/custom code placement) so that the core security rules can be applied without overriding or triggering the forbidden FollowSymLinks directive?

Thank you in advance for your assistance.

Best regards,

George Strigaris

moira

The Options +FollowSymLinks directive in the generated .htaccess is coming from the Follow symlinks setting in Admin Tools' .htaccess Maker. Some Apache configurations — particularly security-hardened ones like yours on Virtualmin — forbid .htaccess files from setting +FollowSymLinks, and Apache responds with a 500 error when it encounters that directive.

To fix this:

  1. Go to Components → Admin Tools → .htaccess Maker.
  2. Find the Follow symlinks option (it is labelled "may cause a blank page or 500 Internal Server Error" — that warning is precisely for your situation).
  3. Change it to Default. This removes the Options +FollowSymLinks line from the generated .htaccess entirely.
  4. Click Save & Create .htaccess in the toolbar.

Your server will continue to use whatever symlink-following behaviour is configured in the Apache virtual host or server config, which is exactly what you want. The security rules Admin Tools applies do not depend on symlink following, so this change has no negative effect on your site's protection.

Moira Fari

Support Specialist

🇬🇧English: native 🕐 My time zone is Asia / Nicosia
Kindly note that my replies are fully vetted by our developers.

strigaris

Hello,

Thank you for your prompt response and the detailed instructions.

I followed your advice and changed the Follow symlinks option to "Default" inside the .htaccess Maker configuration, and then regenerated the file. Unfortunately, the site immediately triggered a 500 Internal Server Error again. 

It appears that this specific Virtualmin/Apache server environment is extremely strict and completely forbids any Options or Header overrides from being declared inside the .htaccess file, not just the FollowSymLinks directive (for example, Options -Indexes or Options -MultiViews might also be causing the crash). 

For now, I have reverted to the core Joomla factory .htaccess file (with Options commented out), which loads the site perfectly.

Since I would still like to use the advanced server-level protections of the .htaccess Maker, is there a way to completely strip out or disable all Options directives from being generated by the Maker? Or would you recommend sticking with the core Joomla .htaccess while ke

Thank you again for your time and expertise.

Best regards,

George Strigaris

moira

The Header directives are generated by most of the security header settings in the .htaccess Maker — click-jacking protection, MIME type risks, reflected XSS protection, HSTS, referrer policy, no server signature, and more. Disabling them one by one is impractical and would strip out a significant portion of the security benefit.

This points to two distinct server-side issues on your Virtualmin/Apache setup:

1. Options directives are blocked — your Apache virtual host does not allow .htaccess files to use Options. Fix: add Options to the AllowOverride directive in your virtual host config.

2. Header directives are blocked — most likely mod_headers is not enabled in Apache. Fix:

sudo a2enmod headers
sudo systemctl restart apache2

Once mod_headers is enabled, Header directives in .htaccess will work. You may also need to ensure AllowOverride includes FileInfo in your virtual host block.

The combined AllowOverride line that covers everything Admin Tools needs is:

AllowOverride Options FileInfo AuthConfig Limit

After making both changes and restarting Apache, regenerate the .htaccess from the .htaccess Maker with your preferred security settings — everything should work correctly.

If for any reason you cannot enable mod_headers on this server, the only alternative is to disable all of the security header features in the .htaccess Maker individually, which would leave your site without HTTP security headers. In that case, you would need to configure those headers at the Apache virtual host level instead, which is actually a more robust approach (headers set at the vhost level cannot be stripped by a compromised .htaccess).

Moira Fari

Support Specialist

🇬🇧English: native 🕐 My time zone is Asia / Nicosia
Kindly note that my replies are fully vetted by our developers.
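
One way to see which AllowOverride classes a .htaccess needs before regenerating it, shown as an added example that is not part of the ticket or Admin Tools' own code. The function names and the sample .htaccess are constructed for illustration; the directive-to-class map follows the Apache 2.4 directive reference.

```shell
#!/bin/sh
# Added example, not Admin Tools code: list the override classes a .htaccess
# uses that a given AllowOverride value does not grant.
# Usage: missing_overrides "<AllowOverride value>" < .htaccess
missing_overrides() {
    awk -v allowed="$1" '
    BEGIN {
        # Directive -> override class, per the Apache 2.4 directive reference.
        need["options"] = "Options"
        need["header"] = need["rewriteengine"] = need["rewriterule"] = "FileInfo"
        need["authtype"] = need["authname"] = need["require"] = "AuthConfig"
        need["order"] = need["allow"] = need["deny"] = "Limit"
        n = split(tolower(allowed), a)
        for (i = 1; i <= n; i++) {
            # "Options=Indexes,MultiViews" grants only the listed options.
            if (a[i] ~ /^options=/) {
                sub(/^options=/, "", a[i])
                m = split(a[i], o, ",")
                for (j = 1; j <= m; j++) opt[o[j]] = 1
                restricted = 1
                a[i] = "options"
            }
            ok[a[i]] = 1
        }
    }
    function report(s) { if (!seen[s]++) print s }
    /^[ \t]*(#|$)/ { next }    # skip comments and blank lines
    {
        d = tolower($1); if (!(d in need)) next
        c = need[d]
        if (!("all" in ok) && !(tolower(c) in ok)) { report(c ": " $1); next }
        if (d == "options" && restricted)
            for (k = 2; k <= NF; k++) {
                v = tolower($k); sub(/^[+-]/, "", v)
                if (!(v in opt)) report("Options=" $k)
            }
    }'
}
# Constructed sample, not the file Admin Tools generates.
sample_htaccess() {
    cat <<'EOF'
Options +FollowSymLinks
Options -Indexes
RewriteEngine On
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
</IfModule>
EOF
}
sample_htaccess | missing_overrides "AuthConfig Limit"
```

With `AllowOverride None` Apache ignores the .htaccess file altogether rather than rejecting individual directives. The check does not look at loaded modules, so a Header line outside an `<IfModule>` block still needs mod_headers.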
