httpd-docs mailing list archives

From Luca Toscano <toscano.l...@gmail.com>
Subject Re: Re: Guide for Upgrade from 2.2 to 2.4: Need to mention default rule "<Directory /> Require all denied"
Date Mon, 04 Apr 2016 17:35:56 GMT
Hi again,

2016-04-04 16:19 GMT+02:00 Hildegard Meier <daku8938@gmx.de>:

>
>
> > Solution is to replace the "Order allow,deny Allow from all" with
> "Require all granted".
> >
> > I do not know, why the legacy directive has no effect in this case and I
> suggest to give a hint on this case in the upgrade guide
> >
> >
> https://httpd.apache.org/docs/2.4/upgrading.html
>
> >> Maybe I am missing something but this use case is described in
> https://httpd.apache.org/docs/2.4/upgrading.html#run-time
> ==> Access control..
>
> The point is, that in the documentation is written "The old access control
> idioms _should_ be replaced [...] for compatibility with old
> configurations, the new module mod_access_compat is provided."
>
> But in my case, the old access control idioms _have to_ be replaced, there
> is _no compatibility_.
>
> It seems to me that there is some problem with mixing old and new style,
> which is also mentioned here:
>
> "A mix of allow (2.2) and require (2.4) directives while using apache
> HTTPD 2.4, used in the same or separate directory blocks. The new 2.4
> directives should be used exclusively, and the mod_access_compat module
> should be unloaded by commenting out the LoadModule directive."
>
> (source: https://wiki.apache.org/httpd/ClientDeniedByServerConfiguration)
>


Now it makes more sense, thanks for the clarification. AFAIK both
configurations could have been placed in the same httpd conf as long as
mod_access_compat and mod_authz_host modules were loaded but I might be
wrong at this point.


>
>
> > I also second the comment from 2013-05-20 on
> >
> https://httpd.apache.org/docs/2.4/mod/mod_access_compat.html
>
> > "The documentation doesn't mention how authz_host and mod_access_compat
> directives interact when both modules are installed. From people testing
> here it seems that "deny" rule is always in effect, regardless if it is
> coming from authz_host or access_compat. Official description of these
> interactions would be welcome."
>
> >> Info available:
> >>
> >> - upgrade doc ==> "In 2.4, such access control is done in the same way
> as other authorization checks, using the new module mod_authz_host. The old
> access control idioms should be replaced by the new authentication
> mechanisms, although for compatibility with old configurations, the new
> module mod_access_compat is provided."
> >>
> >> - mod_access_compat ==> "The directives provided by mod_access_compat
> have been deprecated by the new authz refactoring. Please see
> mod_authz_host."
> >>
> >> Could you give us some advice about the info needed to make this
> document clearer?
>
> Another case:
>
> <Location /server-status>
>         SetHandler server-status
>
>         Order deny,allow
>         Deny from all
>         Allow From 1.2.3.4
> </Location>
>
> _works_ with 2.4. Changing it to
>
> <Location /server-status>
>         SetHandler server-status
>
>         Require ip 1.2.3.4
> </Location>
>
> Gives
>
> "[access_compat:error] [client 1.2.3.4] AH01797: client denied by server
> configuration: /var/www/docs/default/server-status"
>
> and does _not_ work anymore, so I have to switch back to old style.
>
>
Clarification to understand: Did you load both mod_access_compat and
mod_authz_host, right? I am going to check your bug report asap to see if I
can get a repro (should be easy), and in case we'll amend the docs
accordingly.

Thanks again!

Luca
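
An added example, not part of the original message and not httpd project code: a small audit script that reports which configuration sections use 2.2-style access control (Order/Allow/Deny/Satisfy), which use 2.4-style Require, and which mix both, the situation the quoted wiki text advises against. The function names and the sample configuration are constructed for illustration; the script only reports where each style appears and does not model how httpd evaluates them.

```python
# 2.2-style directives come from mod_access_compat; Require is the 2.4 authz style.
LEGACY = {"order", "allow", "deny", "satisfy"}
MODERN = {"require"}
# Constructed sample configuration (not taken from the thread's server).
SAMPLE_CONF = """\
<Directory />
    Require all denied
</Directory>
<Directory /var/www/docs>
    Order allow,deny
    Allow from all
</Directory>
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Require ip 192.0.2.10
</Location>
"""

def audit_access_control(conf_text):
    """Return {section: {"legacy": [...], "modern": [...]}} with (line number, directive) pairs."""
    stack, found = ["(server config)"], {}
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("</"):
            stack = stack[:-1] or stack  # never pop the server-config scope
        elif line.startswith("<"):
            inner = line.strip("<>").strip()
            # <RequireAll>/<RequireAny>/<RequireNone> are authz containers, not scopes.
            stack.append(stack[-1] if inner.lower().startswith("require") else inner)
        elif line and not line.startswith("#"):
            name = line.split(None, 1)[0].lower()
            if name in LEGACY | MODERN:
                style = "legacy" if name in LEGACY else "modern"
                found.setdefault(stack[-1], {"legacy": [], "modern": []})[style].append((lineno, line))
    return found

def summarize(found):
    """Classify each section; file_mixed is True when both styles occur anywhere in the file."""
    verdicts = {s: "mixed" if e["legacy"] and e["modern"] else ("legacy" if e["legacy"] else "modern") for s, e in found.items()}
    file_mixed = "mixed" in verdicts.values() or len(set(verdicts.values())) > 1
    return verdicts, file_mixed

if __name__ == "__main__":
    verdicts, file_mixed = summarize(audit_access_control(SAMPLE_CONF))
    for section, verdict in verdicts.items():
        print(f"{verdict:7} {section}")
    print("file mixes 2.2 and 2.4 access control:", file_mixed)
```
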
