httpd-docs mailing list archives

From Luca Toscano <toscano.l...@gmail.com>
Subject Re: Re: Guide for Upgrade from 2.2 to 2.4: Need to mention default rule "<Directory /> Require all denied"
Date Mon, 04 Apr 2016 20:24:58 GMT
2016-04-04 19:35 GMT+02:00 Luca Toscano <toscano.luca@gmail.com>:

> Hi again,
>
> 2016-04-04 16:19 GMT+02:00 Hildegard Meier <daku8938@gmx.de>:
>
>>
>>
>> > Solution is to replace the "Order allow,deny Allow from all" with
>> "Require all granted".
>> >
>> > I do not know why the legacy directive has no effect in this case and
>> I suggest giving a hint on this case in the upgrade guide
>> >
>> >
>> https://httpd.apache.org/docs/2.4/upgrading.html
>>
>> >> Maybe I am missing something but this use case is described in
>> https://httpd.apache.org/docs/2.4/upgrading.html#run-time
>> ==> Access control..
>>
>> The point is that the documentation says "The old access
>> control idioms _should_ be replaced [...] for compatibility with old
>> configurations, the new module mod_access_compat is provided."
>>
>> But in my case, the old access control idioms _have to_ be replaced; there
>> is _no compatibility_.
>>
>> It seems to me that there is some problem with mixing old and new style,
>> which is also mentioned here:
>>
>> "A mix of allow (2.2) and require (2.4) directives while using apache
>> HTTPD 2.4, used in the same or separate directory blocks. The new 2.4
>> directives should be used exclusively, and the mod_access_compat module
>> should be unloaded by commenting out the LoadModule directive."
>>
>> (source: https://wiki.apache.org/httpd/ClientDeniedByServerConfiguration)
>>
>
>
> Now it makes more sense, thanks for the clarification. AFAIK both
> configurations could have been placed in the same httpd conf as long as
> the mod_access_compat and mod_authz_host modules were loaded, but I might be
> wrong at this point.
>
>
>>
>>
>> > I also second the comment from 2013-05-20 on
>> >
>> https://httpd.apache.org/docs/2.4/mod/mod_access_compat.html
>>
>> > "The documentation doesn't mention how authz_host and mod_access_compat
>> directives interact when both modules are installed. From people testing
>> here it seems that "deny" rule is always in effect, regardless if it is
>> coming from authz_host or access_compat. Official description of these
>> interactions would be welcome."
>>
>> >> Info available:
>> >>
>> >> - upgrade doc ==> "In 2.4, such access control is done in the same way
>> as other authorization checks, using the new module mod_authz_host. The old
>> access control idioms should be replaced by the new authentication
>> mechanisms, although for compatibility with old configurations, the new
>> module mod_access_compat is provided."
>> >>
>> >> - mod_access_compat ==> "The directives provided by mod_access_compat
>> have been deprecated by the new authz refactoring. Please see
>> mod_authz_host."
>> >>
>> >> Could you give us some advice about the info needed to make this
>> document clearer?
>>
>> Another case:
>>
>> <Location /server-status>
>>         SetHandler server-status
>>
>>         Order deny,allow
>>         Deny from all
>>         Allow From 1.2.3.4
>> </Location>
>>
>> _works_ with 2.4. Changing it to
>>
>> <Location /server-status>
>>         SetHandler server-status
>>
>>         Require ip 1.2.3.4
>> </Location>
>>
>> Gives
>>
>> "[access_compat:error] [client 1.2.3.4] AH01797: client denied by server
>> configuration: /var/www/docs/default/server-status"
>>
>> and does _not_ work anymore, so I have to switch back to old style.
>>
>>
> Clarification to understand: did you load both mod_access_compat and
> mod_authz_host, right? I am going to check your bug report asap to see if I
> can get a repro (should be easy), and if so we'll amend the docs
> accordingly.
>
>
Ran some tests with httpd 2.4.10 (Debian Jessie standard config) and the
following (one at a time, replacing 1.2.3.4 with 127.0.0.1):

<Location /server-status>
        SetHandler server-status

        Order deny,allow
        Deny from all
        Allow From 127.0.0.1
</Location>

<Location /server-status>
        SetHandler server-status
        # 2.4 style: Require needs an authz provider (here "ip")
        Require ip 127.0.0.1
</Location>

Everything works as expected with curl http://localhost/server-status. I
also tried to set 1.2.3.4 instead of 127.0.0.1 and the request gets a 403
as expected. After a chat on #httpd I may know why
https://wiki.apache.org/httpd/ClientDeniedByServerConfiguration contains a
different suggestion: the old and new directives can coexist and work
together only if merging
(http://httpd.apache.org/docs/current/sections.html#merging) is not
involved, because in that case the 2.4 directives (i.e. Require) take
precedence.

Let me know!

Regards,

Luca
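The merging case Luca describes, as an added configuration example that is not part of the thread: it assumes a minimal httpd 2.4 setup where the only authz rule is the stock "<Directory /> Require all denied" (the default the subject line refers to), with mod_access_compat, mod_authz_core and mod_authz_host loaded, and uses the thread's placeholder address 1.2.3.4.

```apache
# Added example, not from the thread. Assumes the only authz rule in the
# server config is the stock "<Directory /> Require all denied" and that
# mod_access_compat, mod_authz_core and mod_authz_host are all loaded.
# 1.2.3.4 is the placeholder client address used in the thread.

# Server-wide default from the stock configuration (a 2.4 directive).
<Directory />
    AllowOverride None
    Require all denied
</Directory>

# Broken: only 2.2-style directives in the Location. Sections are merged
# (Directory first, then Location) and this Location contributes no
# Require, so the inherited "Require all denied" stays in effect. Access
# and authz checks must both pass, so even 1.2.3.4, which mod_access_compat
# allows, is still refused with 403 by the 2.4 rule.
<Location /server-status-old>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 1.2.3.4
</Location>

# Fixed: a 2.4 Require in the Location replaces the inherited authz
# configuration (AuthMerging Off is the default), so 1.2.3.4 is granted
# and every other client gets 403. With Require used exclusively,
# mod_access_compat can be left unloaded as the wiki page suggests.
<Location /server-status>
    SetHandler server-status
    Require ip 1.2.3.4
</Location>
```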
