<li>configure: By default, only a basic set of modules is loaded. The
other <directive>LoadModule</directive> directives are commented
- out.</li>
+ out in the configuration file.</li>
<li>configure: the "most" module set gets built by default</li>
which explains the new mechanisms for controlling the order in
which the authorization directives are applied.</p>
+ <p>Directives that control how authorization modules respond when they don't match
+ the authenticated user have been removed: This includes
+ AuthzLDAPAuthoritative, AuthzDBDAuthoritative, AuthzDBMAuthoritative,
+ AuthzGroupFileAuthoritative, AuthzUserAuthoritative,
+ and AuthzOwnerAuthoritative. These directives have been replaced by the
+ more expressive <directive module="mod_authz_core">RequireAny</directive>,
+ <directive module="mod_authz_core">RequireNone</directive>, and
+ <directive module="mod_authz_core">RequireAll</directive>.</p>
+
+ <p>If you use <module>mod_authz_dbm</module>, you must port your
+ configuration to use <code>Require dbm-group ...</code> in place
+ of <code>Require group ...</code>.</p>
+
<section id="access">
<title>Access control</title>
although for compatibility with old configurations, the new
module <module>mod_access_compat</module> is provided.</p>
+ <note><title>Mixing old and new directives</title>
+ <p>Mixing old directives like <directive
+ module="mod_access_compat">Order</directive>, <directive
+ module="mod_access_compat">Allow</directive> or <directive
+ module="mod_access_compat">Deny</directive> with new ones like
+ <directive
+ module="mod_authz_core">Require</directive> is technically possible
+ but discouraged. <module>mod_access_compat</module> was created to support
+ configurations containing only old directives to facilitate the 2.4 upgrade.
+ Please check the examples below to get a better idea about issues that might arise.
+ </p>
+ </note>
+
<p>Here are some examples of old and new ways to do the same
access control.</p>
Require host example.org
</highlight>
</example>
+
+ <p>In the following example, mixing old and new directives leads to
+ unexpected results.</p>
+
+ <example>
+ <title>Mixing old and new directives: NOT WORKING AS EXPECTED</title>
+ <highlight language="config">
+DocumentRoot "/var/www/html"
+
+<Directory "/">
+ AllowOverride None
+ Order deny,allow
+ Deny from all
+</Directory>
+
+<Location "/server-status">
+ SetHandler server-status
+ Require 127.0.0.1
+</Location>
+
+access.log - GET /server-status 403 127.0.0.1
+error.log - AH01797: client denied by server configuration: /var/www/html/server-status
+ </highlight>
+ </example>
+ <p>Why httpd denies access to servers-status even if the configuration seems to allow it?
+ Because <module>mod_access_compat</module> directives take precedence
+ over the <module>mod_authz_host</module> one in this configuration
+ <a href="sections.html#merging">merge</a> scenario.</p>
+
+ <p>This example conversely works as expected:</p>
+
+ <example>
+ <title>Mixing old and new directives: WORKING AS EXPECTED</title>
+ <highlight language="config">
+DocumentRoot "/var/www/html"
+
+<Directory "/">
+ AllowOverride None
+ Require all denied
+</Directory>
+
+<Location "/server-status">
+ SetHandler server-status
+ Order deny,allow
+ Deny from all
+ Allow From 127.0.0.1
+</Location>
+
+access.log - GET /server-status 200 127.0.0.1
+ </highlight>
+ </example>
+ <p>So even if mixing configuration is still
+ possible, please try to avoid it when upgrading: either keep old directives and then migrate
+ to the new ones on a later stage or just migrate everything in bulk.
+ </p>
</section>
</section>
settings to replace it in 2.4.
</li>
+ <li><directive module="core">AllowOverride</directive> now
+ defaults to <code>None</code>.</li>
+
<li><directive module="core">EnableSendfile</directive> now
defaults to Off.</li>
<li><directive module="core">FileETag</directive> now
defaults to "MTime Size" (without INode).</li>
- <li><module>mod_log_config</module>: <a
- href="modules/mod_log_config.html#formats">${cookie}C</a>
- matches whole cookie names. Previously any substring would
- match.</li>
-
<li><module>mod_dav_fs</module>: The format of the <directive
module="mod_dav_fs">DavLockDB</directive> file has changed for
systems with inodes. The old <directive
<code>jsessionid</code>.
</li>
+ <li><module>mod_cache</module>: The second parameter to
+ <directive module="mod_cache">CacheEnable</directive> only
+ matches forward proxy content if it begins with the correct
+ protocol. In 2.2 and earlier, a parameter of '/' matched all
+ content.</li>
+
<li><module>mod_ldap</module>: <directive
module="mod_ldap">LDAPTrustedClientCert</directive> is now
consistently a per-directory setting only. If you use this
module="core">LogLevel</directive> configuration.
</li>
- <li><module>mod_ext-filter</module>: The <code>DebugLevel</code>
+ <li><module>mod_ext_filter</module>: The <code>DebugLevel</code>
option has been removed in favour of per-module <directive
module="core">LogLevel</directive> configuration.
</li>
+ <li><module>mod_proxy_scgi</module>: The default setting for
+ <code>PATH_INFO</code> has changed from httpd 2.2, and
+ some web applications will no longer operate properly with
+ the new <code>PATH_INFO</code> setting. The previous setting
+ can be restored by configuring the <code>proxy-scgi-pathinfo</code>
+ variable.</li>
+
<li><module>mod_ssl</module>: CRL based revocation checking
now needs to be explicitly configured through <directive
module="mod_ssl">SSLCARevocationCheck</directive>.
<li><module>mod_reqtimeout</module>: If the module is loaded, it
will now set some default timeouts.</li>
+ <li><module>mod_dumpio</module>: <directive>DumpIOLogLevel</directive>
+ is no longer supported. Data is always logged at <directive
+ module="core">LogLevel</directive> <code>trace7</code>.</li>
+
+ <li>On Unix platforms, piped logging commands configured using
+ either <directive module="core">ErrorLog</directive> or
+ <directive module="mod_log_config">CustomLog</directive> were invoked using
+ <code>/bin/sh -c</code> in 2.2 and earlier. In 2.4 and later,
+ piped logging commands are executed directly. To restore the
+ old behaviour, see the <a href="logs.html#piped">piped logging
+ documentation</a>.</li>
+
</ul>
</section>
</section>
no longer supported. <directive module="mod_ssl">SSLProxyCheckPeerCN
</directive> and <directive module="mod_ssl">SSLProxyCheckPeerExpire
</directive> now default to On, causing proxy requests to HTTPS hosts
- with bad or outdated certificates to fail with a 502 status code (Bad
+ with bad or outdated certificates to fail with a 502 status code (Bad
gateway)</li>
<li><program>htpasswd</program> now uses MD5 hash by default on
</li>
<li>The functionality provided by <code>mod_authn_alias</code>
- in previous versions (i.e., the <directive
+ in previous versions (i.e., the <directive
module="mod_authn_core">AuthnProviderAlias</directive> directive)
- has been moved into <module>mod_authn_core</module>.
+ has been moved into <module>mod_authn_core</module>.
+ </li>
+
+ <li><module>mod_cgid</module> uses the servers <directive module="core"
+ >Timeout</directive> to limit the length of time to wait for CGI output.
+ This timeout can be overridden with <directive module="mod_cgid">
+ CGIDScriptTImeout</directive>.
</li>
</ul>
- load module <module>mod_access_compat</module>, or update configuration to 2.4 authorization directives.</li>
<li><code>Ignoring deprecated use of DefaultType in line NN of /path/to/httpd.conf</code> - remove <directive module="core">DefaultType</directive>
and replace with other configuration settings.</li>
+ <li><code>Invalid command 'AddOutputFilterByType', perhaps misspelled
+ or defined by a module not included in the server configuration
+ </code> - <directive module="mod_filter">AddOutputFilterByType</directive>
+ has moved from the core to mod_filter, which must be loaded.</li>
</ul></li>
<li>Errors serving requests:
<ul>
<li><code>configuration error: couldn't check user: /path</code> -
load module <module>mod_authn_core</module>.</li>
+ <li><code>.htaccess</code> files aren't being processed - Check for an
+ appropriate <directive module="core">AllowOverride</directive> directive;
+ the default changed to <code>None</code> in 2.4.</li>
</ul>
</li>
</ul>
projects / apache / blobdiff