1 <?xml version='1.0' encoding='UTF-8' ?>
2 <!DOCTYPE manualpage SYSTEM "./style/manualpage.dtd">
3 <?xml-stylesheet type="text/xsl" href="./style/manual.en.xsl"?>
4 <!-- $LastChangedRevision$ -->
7 Licensed to the Apache Software Foundation (ASF) under one or more
8 contributor license agreements. See the NOTICE file distributed with
9 this work for additional information regarding copyright ownership.
10 The ASF licenses this file to You under the Apache License, Version 2.0
11 (the "License"); you may not use this file except in compliance with
12 the License. You may obtain a copy of the License at
14 http://www.apache.org/licenses/LICENSE-2.0
16 Unless required by applicable law or agreed to in writing, software
17 distributed under the License is distributed on an "AS IS" BASIS,
18 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
19 See the License for the specific language governing permissions and
20 limitations under the License.
23 <manualpage metafile="upgrading.xml.meta">
25 <title>Upgrading to 2.4 from 2.2</title>
28 <p>In order to assist folks upgrading, we maintain a document
29 describing information critical to existing Apache HTTP Server users. These
30 are intended to be brief notes, and you should be able to find
31 more information in either the <a
32 href="new_features_2_4.html">New Features</a> document, or in
33 the <code>src/CHANGES</code> file. Application and module developers
34 can find a summary of API changes in the <a href="developer/new_api_2_4.html"
35 >API updates</a> overview.</p>
37 <p>This document describes changes in server behavior that might
38 require you to change your configuration or how you use the server
39 in order to continue using 2.4 as you are currently using 2.2.
40 To take advantage of new features in 2.4, see the New Features
43 <p>This document describes only the changes from 2.2 to 2.4. If you
44 are upgrading from version 2.0, you should also consult the <a
45 href="http://httpd.apache.org/docs/2.2/upgrading.html">2.0 to 2.2
46 upgrading document.</a></p>
49 <seealso><a href="new_features_2_4.html">Overview of new features in
50 Apache HTTP Server 2.4</a></seealso>
52 <section id="compile-time">
53 <title>Compile-Time Configuration Changes</title>
55 <p>The compilation process is very similar to the one used in
56 version 2.2. Your old <code>configure</code> command line (as
57 found in <code>build/config.nice</code> in the installed server
58 directory) can be used in most cases. There are some changes in
59 the default settings. Some details of changes:</p>
62 <li>These modules have been removed: mod_authn_default,
63 mod_authz_default, mod_mem_cache. If you were using
64 mod_mem_cache in 2.2, look at <module>mod_cache_disk</module> in
67 <li>All load balancing implementations have been moved to
68 individual, self-contained mod_proxy submodules, e.g.
69 <module>mod_lbmethod_bybusyness</module>. You might need
70 to build and load any of these that your configuration
73 <li>Platform support has been removed for BeOS, TPF, and
74 even older platforms such as A/UX, Next, and Tandem. These were
75 believed to be broken anyway.</li>
77 <li>configure: dynamic modules (DSO) are built by default</li>
79 <li>configure: By default, only a basic set of modules is loaded. The
80 other <directive>LoadModule</directive> directives are commented
81 out in the configuration file.</li>
83 <li>configure: the "most" module set gets built by default</li>
85 <li>configure: the "reallyall" module set adds developer modules
91 <section id="run-time">
92 <title>Run-Time Configuration Changes</title>
93 <p>There have been significant changes in authorization configuration,
94 and other minor configuration changes, that could require changes to your 2.2
95 configuration files before using them for 2.4.</p>
98 <title>Authorization</title>
100 <p>Any configuration file that uses authorization will likely
103 <p>You should review the <a href="howto/auth.html">Authentication,
104 Authorization and Access Control Howto</a>, especially the section
105 <a href="howto/auth.html#beyond">Beyond just authorization</a>
106 which explains the new mechanisms for controlling the order in
107 which the authorization directives are applied.</p>
109 <p>Directives that control how authorization modules respond when they don't match
110 the authenticated user have been removed: This includes
111 AuthzLDAPAuthoritative, AuthzDBDAuthoritative, AuthzDBMAuthoritative,
112 AuthzGroupFileAuthoritative, AuthzUserAuthoritative,
113 and AuthzOwnerAuthoritative. These directives have been replaced by the
114 more expressive <directive module="mod_authz_core">RequireAny</directive>,
115 <directive module="mod_authz_core">RequireNone</directive>, and
116 <directive module="mod_authz_core">RequireAll</directive>.</p>
118 <p>If you use <module>mod_authz_dbm</module>, you must port your
119 configuration to use <code>Require dbm-group ...</code> in place
120 of <code>Require group ...</code>.</p>
122 <section id="access">
123 <title>Access control</title>
125 <p>In 2.2, access control based on client hostname, IP address,
126 and other characteristics of client requests was done using the
127 directives <directive
128 module="mod_access_compat">Order</directive>, <directive
129 module="mod_access_compat">Allow</directive>, <directive
130 module="mod_access_compat">Deny</directive>, and <directive
131 module="mod_access_compat">Satisfy</directive>.</p>
133 <p>In 2.4, such access control is done in the same way as other
134 authorization checks, using the new module
135 <module>mod_authz_host</module>. The old access control idioms
136 should be replaced by the new authentication mechanisms,
137 although for compatibility with old configurations, the new
138 module <module>mod_access_compat</module> is provided.</p>
140 <note><title>Mixing old and new directives</title>
141 <p>Mixing old directives like <directive
142 module="mod_access_compat">Order</directive>, <directive
143 module="mod_access_compat">Allow</directive> or <directive
144 module="mod_access_compat">Deny</directive> with new ones like
146 module="mod_authz_core">Require</directive> is technically possible
147 but discouraged. <module>mod_access_compat</module> was created to support
148 configurations containing only old directives to facilitate the 2.4 upgrade.
149 Please check the examples below to get a better idea about issues that might arise.
153 <p>Here are some examples of old and new ways to do the same
156 <p>In this example, all requests are denied.</p>
158 <title>2.2 configuration:</title>
159 <highlight language="config">
165 <title>2.4 configuration:</title>
166 <highlight language="config">
171 <p>In this example, all requests are allowed.</p>
173 <title>2.2 configuration:</title>
174 <highlight language="config">
180 <title>2.4 configuration:</title>
181 <highlight language="config">
186 <p>In the following example, all hosts in the example.org domain
187 are allowed access; all other hosts are denied access.</p>
190 <title>2.2 configuration:</title>
191 <highlight language="config">
194 Allow from example.org
198 <title>2.4 configuration:</title>
199 <highlight language="config">
200 Require host example.org
204 <p>In the following example, mixing old and new directives leads to
205 unexpected results.</p>
208 <title>Mixing old and new directives: NOT WORKING AS EXPECTED</title>
209 <highlight language="config">
210 DocumentRoot "/var/www/html"
212 <Directory "/">
218 <Location "/server-status">
219 SetHandler server-status
223 access.log - GET /server-status 403 127.0.0.1
224 error.log - AH01797: client denied by server configuration: /var/www/html/server-status
227 <p>Why httpd denies access to servers-status even if the configuration seems to allow it?
228 Because <module>mod_access_compat</module> directives take precedence
229 over the <module>mod_authz_host</module> one in this configuration
230 <a href="sections.html#merging">merge</a> scenario.</p>
232 <p>This example conversely works as expected:</p>
235 <title>Mixing old and new directives: WORKING AS EXPECTED</title>
236 <highlight language="config">
237 DocumentRoot "/var/www/html"
239 <Directory "/">
244 <Location "/server-status">
245 SetHandler server-status
251 access.log - GET /server-status 200 127.0.0.1
254 <p>So even if mixing configuration is still
255 possible, please try to avoid it when upgrading: either keep old directives and then migrate
256 to the new ones on a later stage or just migrate everything in bulk.
262 <section id="config">
263 <title>Other configuration changes</title>
265 <p>Some other small adjustments may be necessary for particular
266 configurations as discussed below.</p>
269 <li><directive>MaxRequestsPerChild</directive> has been renamed to
270 <directive module="mpm_common">MaxConnectionsPerChild</directive>,
271 describes more accurately what it does. The old name is still
274 <li><directive>MaxClients</directive> has been renamed to
275 <directive module="mpm_common">MaxRequestWorkers</directive>,
276 which describes more accurately what it does. For async MPMs, like
277 <module>event</module>, the maximum number of clients is not
278 equivalent than the number of worker threads. The old name is still
281 <li>The <directive module="core">DefaultType</directive>
282 directive no longer has any effect, other than to emit a
283 warning if it's used with any value other than
284 <code>none</code>. You need to use other configuration
285 settings to replace it in 2.4.
288 <li><directive module="core">AllowOverride</directive> now
289 defaults to <code>None</code>.</li>
291 <li><directive module="core">EnableSendfile</directive> now
292 defaults to Off.</li>
294 <li><directive module="core">FileETag</directive> now
295 defaults to "MTime Size" (without INode).</li>
297 <li><module>mod_dav_fs</module>: The format of the <directive
298 module="mod_dav_fs">DavLockDB</directive> file has changed for
299 systems with inodes. The old <directive
300 module="mod_dav_fs">DavLockDB</directive> file must be deleted on
304 <li><directive module="core">KeepAlive</directive> only
305 accepts values of <code>On</code> or <code>Off</code>.
306 Previously, any value other than "Off" or "0" was treated as
309 <li>Directives AcceptMutex, LockFile, RewriteLock, SSLMutex,
310 SSLStaplingMutex, and WatchdogMutexPath have been replaced
311 with a single <directive module="core">Mutex</directive>
312 directive. You will need to evaluate any use of these removed
313 directives in your 2.2 configuration to determine if they can
314 just be deleted or will need to be replaced using <directive
315 module="core">Mutex</directive>.</li>
317 <li><module>mod_cache</module>: <directive
318 module="mod_cache">CacheIgnoreURLSessionIdentifiers</directive>
319 now does an exact match against the query string instead of a
320 partial match. If your configuration was using partial
321 strings, e.g. using <code>sessionid</code> to match
322 <code>/someapplication/image.gif;jsessionid=123456789</code>,
323 then you will need to change to the full string
324 <code>jsessionid</code>.
327 <li><module>mod_cache</module>: The second parameter to
328 <directive module="mod_cache">CacheEnable</directive> only
329 matches forward proxy content if it begins with the correct
330 protocol. In 2.2 and earlier, a parameter of '/' matched all
333 <li><module>mod_ldap</module>: <directive
334 module="mod_ldap">LDAPTrustedClientCert</directive> is now
335 consistently a per-directory setting only. If you use this
336 directive, review your configuration to make sure it is
337 present in all the necessary directory contexts.</li>
339 <li><module>mod_filter</module>: <directive
340 module="mod_filter">FilterProvider</directive> syntax has changed and
341 now uses a boolean expression to determine if a filter is applied.
344 <li><module>mod_include</module>:
346 <li>The <code>#if expr</code> element now uses the new <a
347 href="expr.html">expression parser</a>. The old syntax can be
348 restored with the new directive <directive module="mod_include"
349 >SSILegacyExprParser</directive>.
351 <li>An SSI* config directive in directory scope no longer causes
352 all other per-directory SSI* directives to be reset to their
357 <li><module>mod_charset_lite</module>: The <code>DebugLevel</code>
358 option has been removed in favour of per-module <directive
359 module="core">LogLevel</directive> configuration.
362 <li><module>mod_ext_filter</module>: The <code>DebugLevel</code>
363 option has been removed in favour of per-module <directive
364 module="core">LogLevel</directive> configuration.
367 <li><module>mod_proxy_scgi</module>: The default setting for
368 <code>PATH_INFO</code> has changed from httpd 2.2, and
369 some web applications will no longer operate properly with
370 the new <code>PATH_INFO</code> setting. The previous setting
371 can be restored by configuring the <code>proxy-scgi-pathinfo</code>
374 <li><module>mod_ssl</module>: CRL based revocation checking
375 now needs to be explicitly configured through <directive
376 module="mod_ssl">SSLCARevocationCheck</directive>.
379 <li><module>mod_substitute</module>: The maximum line length is now
383 <li><module>mod_reqtimeout</module>: If the module is loaded, it
384 will now set some default timeouts.</li>
386 <li><module>mod_dumpio</module>: <directive>DumpIOLogLevel</directive>
387 is no longer supported. Data is always logged at <directive
388 module="core">LogLevel</directive> <code>trace7</code>.</li>
390 <li>On Unix platforms, piped logging commands configured using
391 either <directive module="core">ErrorLog</directive> or
392 <directive module="mod_log_config">CustomLog</directive> were invoked using
393 <code>/bin/sh -c</code> in 2.2 and earlier. In 2.4 and later,
394 piped logging commands are executed directly. To restore the
395 old behaviour, see the <a href="logs.html#piped">piped logging
396 documentation</a>.</li>
403 <title>Misc Changes</title>
406 <li><module>mod_autoindex</module>: will now extract titles and
407 display descriptions for .xhtml files, which were previously
410 <li><module>mod_ssl</module>: The default format of the <code>*_DN</code>
411 variables has changed. The old format can still be used with the new
412 <code>LegacyDNStringFormat</code> argument to <directive
413 module="mod_ssl">SSLOptions</directive>. The SSLv2 protocol is
414 no longer supported. <directive module="mod_ssl">SSLProxyCheckPeerCN
415 </directive> and <directive module="mod_ssl">SSLProxyCheckPeerExpire
416 </directive> now default to On, causing proxy requests to HTTPS hosts
417 with bad or outdated certificates to fail with a 502 status code (Bad
420 <li><program>htpasswd</program> now uses MD5 hash by default on
423 <li>The <directive module="core">NameVirtualHost</directive>
424 directive no longer has any effect, other than to emit a
425 warning. Any address/port combination appearing in multiple
426 virtual hosts is implicitly treated as a name-based virtual host.
429 <li><module>mod_deflate</module> will now skip compression if it knows
430 that the size overhead added by the compression is larger than the data
434 <li>Multi-language error documents from 2.2.x may not work unless
435 they are adjusted to the new syntax of <module>mod_include</module>'s
436 <code>#if expr=</code> element or the directive
437 <directive module="mod_include">SSILegacyExprParser</directive> is
438 enabled for the directory containing the error documents.
441 <li>The functionality provided by <code>mod_authn_alias</code>
442 in previous versions (i.e., the <directive
443 module="mod_authn_core">AuthnProviderAlias</directive> directive)
444 has been moved into <module>mod_authn_core</module>.
447 <li><module>mod_cgid</module> uses the servers <directive module="core"
448 >Timeout</directive> to limit the length of time to wait for CGI output.
449 This timeout can be overridden with <directive module="mod_cgid">
450 CGIDScriptTImeout</directive>.
457 <section id="third-party">
458 <title>Third Party Modules</title>
459 <p>All modules must be recompiled for 2.4 before being loaded.</p>
461 <p>Many third-party modules designed for version 2.2 will
462 otherwise work unchanged with the Apache HTTP Server version 2.4.
463 Some will require changes; see the <a href="developer/new_api_2_4.html">API
464 update</a> overview.</p>
467 <section id="commonproblems">
468 <title>Common problems when upgrading</title>
469 <ul><li>Startup errors:
471 <li><code>Invalid command 'User', perhaps misspelled or defined by a module not included in the server configuration</code> - load module <module>mod_unixd</module></li>
472 <li><code>Invalid command 'Require', perhaps misspelled or defined by a module not included in the server configuration</code>, or
473 <code>Invalid command 'Order', perhaps misspelled or defined by a module not included in the server configuration</code>
474 - load module <module>mod_access_compat</module>, or update configuration to 2.4 authorization directives.</li>
475 <li><code>Ignoring deprecated use of DefaultType in line NN of /path/to/httpd.conf</code> - remove <directive module="core">DefaultType</directive>
476 and replace with other configuration settings.</li>
477 <li><code>Invalid command 'AddOutputFilterByType', perhaps misspelled
478 or defined by a module not included in the server configuration
479 </code> - <directive module="mod_filter">AddOutputFilterByType</directive>
480 has moved from the core to mod_filter, which must be loaded.</li>
482 <li>Errors serving requests:
484 <li><code>configuration error: couldn't check user: /path</code> -
485 load module <module>mod_authn_core</module>.</li>
486 <li><code>.htaccess</code> files aren't being processed - Check for an
487 appropriate <directive module="core">AllowOverride</directive> directive;
488 the default changed to <code>None</code> in 2.4.</li>