<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
-<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head><!--
+<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en"><head>
+<meta content="text/html; charset=ISO-8859-1" http-equiv="Content-Type" />
+<!--
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
This file is generated from xml source: DO NOT EDIT
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
-->
-<title>Upgrading to 2.4 from 2.2 - Apache HTTP Server</title>
+<title>Upgrading to 2.4 from 2.2 - Apache HTTP Server Version 2.5</title>
<link href="./style/css/manual.css" rel="stylesheet" media="all" type="text/css" title="Main stylesheet" />
<link href="./style/css/manual-loose-100pc.css" rel="alternate stylesheet" media="all" type="text/css" title="No Sidebar - Default font size" />
-<link href="./style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" />
+<link href="./style/css/manual-print.css" rel="stylesheet" media="print" type="text/css" /><link rel="stylesheet" type="text/css" href="./style/css/prettify.css" />
+<script src="./style/scripts/prettify.min.js" type="text/javascript">
+</script>
+
<link href="./images/favicon.ico" rel="shortcut icon" /></head>
<body id="manual-page"><div id="page-header">
-<p class="menu"><a href="./mod/">Modules</a> | <a href="./mod/directives.html">Directives</a> | <a href="./faq/">FAQ</a> | <a href="./glossary.html">Glossary</a> | <a href="./sitemap.html">Sitemap</a></p>
+<p class="menu"><a href="./mod/">Modules</a> | <a href="./mod/quickreference.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="./glossary.html">Glossary</a> | <a href="./sitemap.html">Sitemap</a></p>
<p class="apache">Apache HTTP Server Version 2.5</p>
-<img alt="" src="./images/feather.gif" /></div>
+<img alt="" src="./images/feather.png" /></div>
<div class="up"><a href="./"><img title="<-" alt="<-" src="./images/left.gif" /></a></div>
<div id="path">
<a href="http://www.apache.org/">Apache</a> > <a href="http://httpd.apache.org/">HTTP Server</a> > <a href="http://httpd.apache.org/docs/">Documentation</a> > <a href="./">Version 2.5</a></div><div id="page-content"><div id="preamble"><h1>Upgrading to 2.4 from 2.2</h1>
<li><img alt="" src="./images/down.gif" /> <a href="#third-party">Third Party Modules</a></li>
<li><img alt="" src="./images/down.gif" /> <a href="#commonproblems">Common problems when upgrading</a></li>
</ul><h3>See also</h3><ul class="seealso"><li><a href="new_features_2_4.html">Overview of new features in
- Apache HTTP Server 2.4</a></li></ul></div>
+ Apache HTTP Server 2.4</a></li><li><a href="#comments_section">Comments</a></li></ul></div>
<div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif" /></a></div>
<div class="section">
<h2><a name="compile-time" id="compile-time">Compile-Time Configuration Changes</a></h2>
<li>configure: By default, only a basic set of modules is loaded. The
other <code class="directive">LoadModule</code> directives are commented
- out.</li>
+ out in the configuration file.</li>
<li>configure: the "most" module set gets built by default</li>
which explains the new mechanisms for controlling the order in
which the authorization directives are applied.</p>
+ <p>Directives that control how authorization modules respond when they don't match
+ the authenticated user have been removed: This includes
+ AuthzLDAPAuthoritative, AuthzDBDAuthoritative, AuthzDBMAuthoritative,
+ AuthzGroupFileAuthoritative, AuthzUserAuthoritative,
+ and AuthzOwnerAuthoritative. These directives have been replaced by the
+ more expressive <code class="directive"><a href="./mod/mod_authz_core.html#requireany">RequireAny</a></code>,
+ <code class="directive"><a href="./mod/mod_authz_core.html#requirenone">RequireNone</a></code>, and
+ <code class="directive"><a href="./mod/mod_authz_core.html#requireall">RequireAll</a></code>.</p>
+
+ <p>If you use <code class="module"><a href="./mod/mod_authz_dbm.html">mod_authz_dbm</a></code>, you must port your
+ configuration to use <code>Require dbm-group ...</code> in place
+ of <code>Require group ...</code>.</p>
+
<h4><a name="access" id="access">Access control</a></h4>
although for compatibility with old configurations, the new
module <code class="module"><a href="./mod/mod_access_compat.html">mod_access_compat</a></code> is provided.</p>
+ <div class="note"><h3>Mixing old and new directives</h3>
+ <p>Mixing old directives like <code class="directive"><a href="./mod/mod_access_compat.html#order">Order</a></code>, <code class="directive"><a href="./mod/mod_access_compat.html#allow">Allow</a></code> or <code class="directive"><a href="./mod/mod_access_compat.html#deny">Deny</a></code> with new ones like
+ <code class="directive"><a href="./mod/mod_authz_core.html#require">Require</a></code> is technically possible
+ but discouraged. <code class="module"><a href="./mod/mod_access_compat.html">mod_access_compat</a></code> was created to support
+ configurations containing only old directives to facilitate the 2.4 upgrade.
+ Please check the examples below to get a better idea about issues that might arise.
+ </p>
+ </div>
+
<p>Here are some examples of old and new ways to do the same
access control.</p>
- <p>In this example, all requests are denied.</p>
- <div class="example"><h3>2.2 configuration:</h3><p><code>
-
- Order deny,allow<br />
- Deny from all
- </code></p></div>
- <div class="example"><h3>2.4 configuration:</h3><p><code>
-
- Require all denied
- </code></p></div>
-
- <p>In this example, all requests are allowed.</p>
- <div class="example"><h3>2.2 configuration:</h3><p><code>
-
- Order allow,deny<br />
- Allow from all
- </code></p></div>
- <div class="example"><h3>2.4 configuration:</h3><p><code>
-
- Require all granted
- </code></p></div>
-
- <p>In the following example, all hosts in the example.org domain
+ <p>In this example, there is no authentication and all requests are denied.</p>
+ <div class="example"><h3>2.2 configuration:</h3><pre class="prettyprint lang-config">Order deny,allow
+Deny from all</pre>
+</div>
+ <div class="example"><h3>2.4 configuration:</h3><pre class="prettyprint lang-config">Require all denied</pre>
+</div>
+
+ <p>In this example, there is no authentication and all requests are allowed.</p>
+ <div class="example"><h3>2.2 configuration:</h3><pre class="prettyprint lang-config">Order allow,deny
+Allow from all</pre>
+</div>
+ <div class="example"><h3>2.4 configuration:</h3><pre class="prettyprint lang-config">Require all granted</pre>
+</div>
+
+ <p>In the following example, there is no authentication and all hosts in the example.org domain
are allowed access; all other hosts are denied access.</p>
- <div class="example"><h3>2.2 configuration:</h3><p><code>
-
- Order Deny,Allow<br />
- Deny from all<br />
- Allow from example.org
- </code></p></div>
- <div class="example"><h3>2.4 configuration:</h3><p><code>
-
- Require host example.org
- </code></p></div>
+ <div class="example"><h3>2.2 configuration:</h3><pre class="prettyprint lang-config">Order Deny,Allow
+Deny from all
+Allow from example.org</pre>
+</div>
+ <div class="example"><h3>2.4 configuration:</h3><pre class="prettyprint lang-config">Require host example.org</pre>
+</div>
+
+ <p>In the following example, mixing old and new directives leads to
+ unexpected results.</p>
+
+ <div class="example"><h3>Mixing old and new directives: NOT WORKING AS EXPECTED</h3><pre class="prettyprint lang-config">DocumentRoot "/var/www/html"
+
+<Directory "/">
+ AllowOverride None
+ Order deny,allow
+ Deny from all
+</Directory>
+
+<Location "/server-status">
+ SetHandler server-status
+ Require 127.0.0.1
+</Location>
+
+access.log - GET /server-status 403 127.0.0.1
+error.log - AH01797: client denied by server configuration: /var/www/html/server-status</pre>
+</div>
+ <p>Why httpd denies access to servers-status even if the configuration seems to allow it?
+ Because <code class="module"><a href="./mod/mod_access_compat.html">mod_access_compat</a></code> directives take precedence
+ over the <code class="module"><a href="./mod/mod_authz_host.html">mod_authz_host</a></code> one in this configuration
+ <a href="sections.html#merging">merge</a> scenario.</p>
+
+ <p>This example conversely works as expected:</p>
+
+ <div class="example"><h3>Mixing old and new directives: WORKING AS EXPECTED</h3><pre class="prettyprint lang-config">DocumentRoot "/var/www/html"
+
+<Directory "/">
+ AllowOverride None
+ Require all denied
+</Directory>
+
+<Location "/server-status">
+ SetHandler server-status
+ Order deny,allow
+ Deny from all
+ Allow From 127.0.0.1
+</Location>
+
+access.log - GET /server-status 200 127.0.0.1</pre>
+</div>
+ <p>So even if mixing configuration is still
+ possible, please try to avoid it when upgrading: either keep old directives and then migrate
+ to the new ones on a later stage or just migrate everything in bulk.
+ </p>
+ <p>In many configurations with authentication, where the value of the
+ <code class="directive">Satisfy</code> was the default of <em>ALL</em>, snippets
+ that simply disabled host-based access control are omitted:</p>
+
+ <div class="example"><h3>2.2 configuration:</h3><pre class="prettyprint lang-config">Order Deny,Allow
+Deny from all
+AuthBasicProvider File
+AuthUserFile /example.com/conf/users.passwd
+AuthName secure
+Require valid-user</pre>
+</div>
+ <div class="example"><h3>2.4 configuration:</h3><pre class="prettyprint lang-config"># No replacement needed
+AuthBasicProvider File
+AuthUserFile /example.com/conf/users.passwd
+AuthName secure
+Require valid-user</pre>
+</div>
+
+ <p>In configurations where both authentication and access control were meaningfully combined, the
+ access control directives should be migrated. This example allows requests meeting <em>both</em> criteria:</p>
+ <div class="example"><h3>2.2 configuration:</h3><pre class="prettyprint lang-config">Order allow,deny
+Deny from all
+# Satisfy ALL is the default
+Satisfy ALL
+Allow from 127.0.0.1
+AuthBasicProvider File
+AuthUserFile /example.com/conf/users.passwd
+AuthName secure
+Require valid-user</pre>
+</div>
+ <div class="example"><h3>2.4 configuration:</h3><pre class="prettyprint lang-config">AuthBasicProvider File
+AuthUserFile /example.com/conf/users.passwd
+AuthName secure
+<RequireAll>
+ Require valid-user
+ Require ip 127.0.0.1
+</RequireAll></pre>
+</div>
+
+ <p>In configurations where both authentication and access control were meaningfully combined, the
+ access control directives should be migrated. This example allows requests meeting <em>either</em> criteria:</p>
+ <div class="example"><h3>2.2 configuration:</h3><pre class="prettyprint lang-config">Order allow,deny
+Deny from all
+Satisfy any
+Allow from 127.0.0.1
+AuthBasicProvider File
+AuthUserFile /example.com/conf/users.passwd
+AuthName secure
+Require valid-user</pre>
+</div>
+ <div class="example"><h3>2.4 configuration:</h3><pre class="prettyprint lang-config">AuthBasicProvider File
+AuthUserFile /example.com/conf/users.passwd
+AuthName secure
+# Implicitly <RequireAny>
+Require valid-user
+Require ip 127.0.0.1</pre>
+</div>
+
<h3><a name="config" id="config">Other configuration changes</a></h3>
settings to replace it in 2.4.
</li>
+ <li><code class="directive"><a href="./mod/core.html#allowoverride">AllowOverride</a></code> now
+ defaults to <code>None</code>.</li>
+
<li><code class="directive"><a href="./mod/core.html#enablesendfile">EnableSendfile</a></code> now
defaults to Off.</li>
<li><code class="directive"><a href="./mod/core.html#fileetag">FileETag</a></code> now
defaults to "MTime Size" (without INode).</li>
- <li><code class="module"><a href="./mod/mod_log_config.html">mod_log_config</a></code>: <a href="modules/mod_log_config.html#formats">${cookie}C</a>
- matches whole cookie names. Previously any substring would
- match.</li>
-
<li><code class="module"><a href="./mod/mod_dav_fs.html">mod_dav_fs</a></code>: The format of the <code class="directive"><a href="./mod/mod_dav_fs.html#davlockdb">DavLockDB</a></code> file has changed for
systems with inodes. The old <code class="directive"><a href="./mod/mod_dav_fs.html#davlockdb">DavLockDB</a></code> file must be deleted on
upgrade.
<code>jsessionid</code>.
</li>
+ <li><code class="module"><a href="./mod/mod_cache.html">mod_cache</a></code>: The second parameter to
+ <code class="directive"><a href="./mod/mod_cache.html#cacheenable">CacheEnable</a></code> only
+ matches forward proxy content if it begins with the correct
+ protocol. In 2.2 and earlier, a parameter of '/' matched all
+ content.</li>
+
<li><code class="module"><a href="./mod/mod_ldap.html">mod_ldap</a></code>: <code class="directive"><a href="./mod/mod_ldap.html#ldaptrustedclientcert">LDAPTrustedClientCert</a></code> is now
consistently a per-directory setting only. If you use this
directive, review your configuration to make sure it is
option has been removed in favour of per-module <code class="directive"><a href="./mod/core.html#loglevel">LogLevel</a></code> configuration.
</li>
- <li><code class="module"><a href="./mod/mod_ext-filter.html">mod_ext-filter</a></code>: The <code>DebugLevel</code>
+ <li><code class="module"><a href="./mod/mod_ext_filter.html">mod_ext_filter</a></code>: The <code>DebugLevel</code>
option has been removed in favour of per-module <code class="directive"><a href="./mod/core.html#loglevel">LogLevel</a></code> configuration.
</li>
+ <li><code class="module"><a href="./mod/mod_proxy_scgi.html">mod_proxy_scgi</a></code>: The default setting for
+ <code>PATH_INFO</code> has changed from httpd 2.2, and
+ some web applications will no longer operate properly with
+ the new <code>PATH_INFO</code> setting. The previous setting
+ can be restored by configuring the <code>proxy-scgi-pathinfo</code>
+ variable.</li>
+
<li><code class="module"><a href="./mod/mod_ssl.html">mod_ssl</a></code>: CRL based revocation checking
now needs to be explicitly configured through <code class="directive"><a href="./mod/mod_ssl.html#sslcarevocationcheck">SSLCARevocationCheck</a></code>.
</li>
<li><code class="module"><a href="./mod/mod_reqtimeout.html">mod_reqtimeout</a></code>: If the module is loaded, it
will now set some default timeouts.</li>
+ <li><code class="module"><a href="./mod/mod_dumpio.html">mod_dumpio</a></code>: <code class="directive">DumpIOLogLevel</code>
+ is no longer supported. Data is always logged at <code class="directive"><a href="./mod/core.html#loglevel">LogLevel</a></code> <code>trace7</code>.</li>
+
+ <li>On Unix platforms, piped logging commands configured using
+ either <code class="directive"><a href="./mod/core.html#errorlog">ErrorLog</a></code> or
+ <code class="directive"><a href="./mod/mod_log_config.html#customlog">CustomLog</a></code> were invoked using
+ <code>/bin/sh -c</code> in 2.2 and earlier. In 2.4 and later,
+ piped logging commands are executed directly. To restore the
+ old behaviour, see the <a href="logs.html#piped">piped logging
+ documentation</a>.</li>
+
</ul>
</div><div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif" /></a></div>
<li><code class="module"><a href="./mod/mod_ssl.html">mod_ssl</a></code>: The default format of the <code>*_DN</code>
variables has changed. The old format can still be used with the new
<code>LegacyDNStringFormat</code> argument to <code class="directive"><a href="./mod/mod_ssl.html#ssloptions">SSLOptions</a></code>. The SSLv2 protocol is
- no longer supported.</li>
+ no longer supported. <code class="directive"><a href="./mod/mod_ssl.html#sslproxycheckpeercn">SSLProxyCheckPeerCN
+ </a></code> and <code class="directive"><a href="./mod/mod_ssl.html#sslproxycheckpeerexpire">SSLProxyCheckPeerExpire
+ </a></code> now default to On, causing proxy requests to HTTPS hosts
+ with bad or outdated certificates to fail with a 502 status code (Bad
+ gateway)</li>
<li><code class="program"><a href="./programs/htpasswd.html">htpasswd</a></code> now uses MD5 hash by default on
all platforms.</li>
enabled for the directory containing the error documents.
</li>
+ <li>The functionality provided by <code>mod_authn_alias</code>
+ in previous versions (i.e., the <code class="directive"><a href="./mod/mod_authn_core.html#authnprovideralias">AuthnProviderAlias</a></code> directive)
+ has been moved into <code class="module"><a href="./mod/mod_authn_core.html">mod_authn_core</a></code>.
+ </li>
+
+ <li><code class="module"><a href="./mod/mod_cgid.html">mod_cgid</a></code> uses the servers <code class="directive"><a href="./mod/core.html#timeout">Timeout</a></code> to limit the length of time to wait for CGI output.
+ This timeout can be overridden with <code class="directive"><a href="./mod/mod_cgid.html#cgidscripttimeout">
+ CGIDScriptTImeout</a></code>.
+ </li>
+
</ul>
</div><div class="top"><a href="#page-header"><img alt="top" src="./images/up.gif" /></a></div>
- load module <code class="module"><a href="./mod/mod_access_compat.html">mod_access_compat</a></code>, or update configuration to 2.4 authorization directives.</li>
<li><code>Ignoring deprecated use of DefaultType in line NN of /path/to/httpd.conf</code> - remove <code class="directive"><a href="./mod/core.html#defaulttype">DefaultType</a></code>
and replace with other configuration settings.</li>
+ <li><code>Invalid command 'AddOutputFilterByType', perhaps misspelled
+ or defined by a module not included in the server configuration
+ </code> - <code class="directive"><a href="./mod/mod_filter.html#addoutputfilterbytype">AddOutputFilterByType</a></code>
+ has moved from the core to mod_filter, which must be loaded.</li>
</ul></li>
<li>Errors serving requests:
<ul>
<li><code>configuration error: couldn't check user: /path</code> -
load module <code class="module"><a href="./mod/mod_authn_core.html">mod_authn_core</a></code>.</li>
+ <li><code>.htaccess</code> files aren't being processed - Check for an
+ appropriate <code class="directive"><a href="./mod/core.html#allowoverride">AllowOverride</a></code> directive;
+ the default changed to <code>None</code> in 2.4.</li>
</ul>
</li>
</ul>
<div class="bottomlang">
<p><span>Available Languages: </span><a href="./en/upgrading.html" title="English"> en </a> |
<a href="./fr/upgrading.html" hreflang="fr" rel="alternate" title="Français"> fr </a></p>
-</div><div id="footer">
-<p class="apache">Copyright 2011 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
-<p class="menu"><a href="./mod/">Modules</a> | <a href="./mod/directives.html">Directives</a> | <a href="./faq/">FAQ</a> | <a href="./glossary.html">Glossary</a> | <a href="./sitemap.html">Sitemap</a></p></div>
+</div><div class="top"><a href="#page-header"><img src="./images/up.gif" alt="top" /></a></div><div class="section"><h2><a id="comments_section" name="comments_section">Comments</a></h2><div class="warning"><strong>Notice:</strong><br />This is not a Q&A section. Comments placed here should be pointed towards suggestions on improving the documentation or server, and may be removed again by our moderators if they are either implemented or considered invalid/off-topic. Questions on how to manage the Apache HTTP Server should be directed at either our IRC channel, #httpd, on Freenode, or sent to our <a href="http://httpd.apache.org/lists.html">mailing lists</a>.</div>
+<script type="text/javascript"><!--//--><![CDATA[//><!--
+var comments_shortname = 'httpd';
+var comments_identifier = 'http://httpd.apache.org/docs/trunk/upgrading.html';
+(function(w, d) {
+ if (w.location.hostname.toLowerCase() == "httpd.apache.org") {
+ d.write('<div id="comments_thread"><\/div>');
+ var s = d.createElement('script');
+ s.type = 'text/javascript';
+ s.async = true;
+ s.src = 'https://comments.apache.org/show_comments.lua?site=' + comments_shortname + '&page=' + comments_identifier;
+ (d.getElementsByTagName('head')[0] || d.getElementsByTagName('body')[0]).appendChild(s);
+ }
+ else {
+ d.write('<div id="comments_thread">Comments are disabled for this page at the moment.<\/div>');
+ }
+})(window, document);
+//--><!]]></script></div><div id="footer">
+<p class="apache">Copyright 2017 The Apache Software Foundation.<br />Licensed under the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License, Version 2.0</a>.</p>
+<p class="menu"><a href="./mod/">Modules</a> | <a href="./mod/quickreference.html">Directives</a> | <a href="http://wiki.apache.org/httpd/FAQ">FAQ</a> | <a href="./glossary.html">Glossary</a> | <a href="./sitemap.html">Sitemap</a></p></div><script type="text/javascript"><!--//--><![CDATA[//><!--
+if (typeof(prettyPrint) !== 'undefined') {
+ prettyPrint();
+}
+//--><!]]></script>
</body></html>
\ No newline at end of file