httpd-docs mailing list archives

From Luca Toscano <toscano.l...@gmail.com>
Subject Re: Guide for Upgrade from 2.2 to 2.4: Need to mention default rule "<Directory /> Require all denied"
Date Mon, 04 Apr 2016 12:18:24 GMT
Hello!

2016-04-04 12:03 GMT+02:00 Hildegard Meier <daku8938@gmx.de>:

> Hello,
>
> I have the following configuration in a vHost:
>
> [...]
>
> Alias /pnp4nagios "/usr/local/pnp4nagios-0.6.25/share"
>
> <Directory "/usr/local/pnp4nagios-0.6.25/share">
> AllowOverride None
>
> Order allow,deny
> Allow from all
>
> [...]
>
> This works with Apache 2.2 but after upgrading to 2.4 access is denied!
>
> Debug error log gives:
>
> [authz_core:debug] [client x.x.x.x:52204] AH01626: authorization result of
> <Require Any>: denied
> [authz_core:error] [client x.x.x.x:52204] AH01630: client denied by server
> configuration: /usr/local/pnp4nagios-0.6.25/share/graph
>
> I guess this is because of this default entry in /etc/apache2/apache2.conf:
>
> <Directory />
>     Options FollowSymLinks
>     AllowOverride None
>     Require all denied
> </Directory>
>
>
> Solution is to replace the "Order allow,deny Allow from all" with "Require
> all granted".
>
> I do not know why the legacy directive has no effect in this case, and I
> suggest giving a hint about this case in the upgrade guide:
>
> https://httpd.apache.org/docs/2.4/upgrading.html


Maybe I am missing something but this use case is described in
https://httpd.apache.org/docs/2.4/upgrading.html#run-time ==> Access
control.

>
> I also second the comment from 2013-05-20 on
> https://httpd.apache.org/docs/2.4/mod/mod_access_compat.html
>
> "The documentation doesn't mention how authz_host and mod_access_compat
> directives interact when both modules are installed. From people testing
> here it seems that "deny" rule is always in effect, regardless if it is
> coming from authz_host or access_compat. Official description of these
> interactions would be welcome."
>

Info available:

- upgrade doc ==> "In 2.4, such access control is done in the same way as
other authorization checks, using the new module mod_authz_host. The old
access control idioms should be replaced by the new authentication
mechanisms, although for compatibility with old configurations, the new
module mod_access_compat is provided."

- mod_access_compat ==> "The directives provided by mod_access_compat have
been deprecated by the new authz refactoring. Please see mod_authz_host."

Could you give us some advice about the info needed to make this document
clearer?

Thanks a lot!

Luca
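
An added example, not part of the message above and not code from the httpd project: a pre-upgrade check that lists every configuration section still using the 2.2 access directives (`Order`, `Allow`, `Deny`, `Satisfy`) and proposes the `Require` form for the idiom discussed in this thread and its deny counterpart. The sample configuration, the paths in it, and the function names are constructed for illustration; any other combination of directives is reported for manual review.

```python
import re
# Constructed sample (not from the thread): one 2.2-style and one 2.4-style section.
SAMPLE_CONF = """\
<Directory "/srv/example/legacy">
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
<Directory "/srv/example/migrated">
    Require all granted
</Directory>
"""

OPEN = re.compile(r"^\s*<(?:Directory|Location|Files)(?:Match)?\s+(.+?)>\s*$", re.I)
CLOSE = re.compile(r"^\s*</(?:Directory|Location|Files)(?:Match)?>\s*$", re.I)
# "\s+" after the name keeps AllowOverride from matching as Allow.
LEGACY = re.compile(r"^\s*(Order|Allow|Deny|Satisfy)\s+(.*)$", re.I)

def suggest(legacy):
    # Only the two unambiguous idioms are mapped; anything else needs a human.
    rules = {(name, arg) for _, name, arg in legacy}
    if rules == {("order", "allow,deny"), ("allow", "from all")}:
        return "Require all granted"
    if rules == {("order", "deny,allow"), ("deny", "from all")}:
        return "Require all denied"
    return "review manually"

def find_legacy_access(conf_text):
    """Return one finding per section that still uses 2.2-style access directives."""
    stack, closed = [{"section": "(server level)", "legacy": []}], []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        opened = OPEN.match(line)
        if opened:
            stack.append({"section": opened.group(1).strip('"'), "legacy": []})
        elif CLOSE.match(line) and len(stack) > 1:
            closed.append(stack.pop())
        else:
            hit = LEGACY.match(line)
            if hit:
                arg = " ".join(hit.group(2).lower().split())
                stack[-1]["legacy"].append((lineno, hit.group(1).lower(), arg))
    # Sections left open (e.g. an excerpt that was cut short) are still reported.
    return [dict(s, suggestion=suggest(s["legacy"]))
            for s in closed + stack[::-1] if s["legacy"]]

if __name__ == "__main__":
    for f in find_legacy_access(SAMPLE_CONF):
        print(f["section"], f["legacy"], "->", f["suggestion"])
```

The check reads a single file's text; configurations split across `Include`d files need each file passed in separately.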
