X-Git-Url: https://granicus.if.org/sourcecode?a=blobdiff_plain;f=docs%2Fmanual%2Fupgrading.html.en;h=ad6b4540aaf8bcc6657ee58f53098adeba3e9ba7;hb=f0348fc28341bfdcce16cbf8c7d736de12ff85da;hp=2a14c18887cd41b6dab12c76cc85631e4ecf7f65;hpb=3c2235b46b73759644706b60abc7084eb6d62d5d;p=apache diff --git a/docs/manual/upgrading.html.en b/docs/manual/upgrading.html.en index 2a14c18887..ad6b4540aa 100644 --- a/docs/manual/upgrading.html.en +++ b/docs/manual/upgrading.html.en @@ -1,22 +1,27 @@ -
-Apache HTTP Server Version 2.3
-Apache HTTP Server Version 2.5
+LoadModule
directives are commented
+ out in the configuration file.Directives that control how authorization modules respond when they don't match
+ the authenticated user have been removed: This includes
+ AuthzLDAPAuthoritative, AuthzDBDAuthoritative, AuthzDBMAuthoritative,
+ AuthzGroupFileAuthoritative, AuthzUserAuthoritative,
+ and AuthzOwnerAuthoritative. These directives have been replaced by the
+ more expressive RequireAny
,
+ RequireNone
, and
+ RequireAll
.
If you use mod_authz_dbm
, you must port your
+ configuration to use Require dbm-group ...
in place
+ of Require group ...
.
mod_access_compat
is provided.
+ Mixing old directives like Order
, Allow
or Deny
with new ones like
+ Require
is technically possible
+ but discouraged. mod_access_compat
was created to support
+ configurations containing only old directives to facilitate the 2.4 upgrade.
+ Please check the examples below to get a better idea about issues that might arise.
+
Here are some examples of old and new ways to do the same access control.
-In this example, all requests are denied.
-
-
- Order deny,allow
- Deny from all
-
-
- Require all denied
-
In this example, all requests are allowed.
-
-
- Order allow,deny
- Allow from all
-
-
- Require all granted
-
In the following example, all hosts in the example.org domain +
In this example, there is no authentication and all requests are denied.
+Order deny,allow +Deny from all+
Require all denied+
In this example, there is no authentication and all requests are allowed.
+Order allow,deny +Allow from all+
Require all granted+
In the following example, there is no authentication and all hosts in the example.org domain are allowed access; all other hosts are denied access.
-
-
- Order Deny,Allow
- Deny from all
- Allow from example.org
-
-
- Require host example.org
-
Order Deny,Allow +Deny from all +Allow from example.org+
Require host example.org+
In the following example, mixing old and new directives leads to + unexpected results.
+ +DocumentRoot "/var/www/html" + +<Directory "/"> + AllowOverride None + Order deny,allow + Deny from all +</Directory> + +<Location "/server-status"> + SetHandler server-status + Require 127.0.0.1 +</Location> + +access.log - GET /server-status 403 127.0.0.1 +error.log - AH01797: client denied by server configuration: /var/www/html/server-status+
Why httpd denies access to servers-status even if the configuration seems to allow it?
+ Because mod_access_compat
directives take precedence
+ over the mod_authz_host
one in this configuration
+ merge scenario.
This example conversely works as expected:
+ +DocumentRoot "/var/www/html" + +<Directory "/"> + AllowOverride None + Require all denied +</Directory> + +<Location "/server-status"> + SetHandler server-status + Order deny,allow + Deny from all + Allow From 127.0.0.1 +</Location> + +access.log - GET /server-status 200 127.0.0.1+
So even if mixing configuration is still + possible, please try to avoid it when upgrading: either keep old directives and then migrate + to the new ones on a later stage or just migrate everything in bulk. +
+In many configurations with authentication, where the value of the
+ Satisfy
was the default of ALL, snippets
+ that simply disabled host-based access control are omitted:
Order Deny,Allow +Deny from all +AuthBasicProvider File +AuthUserFile /example.com/conf/users.passwd +AuthName secure +Require valid-user+
# No replacement needed +AuthBasicProvider File +AuthUserFile /example.com/conf/users.passwd +AuthName secure +Require valid-user+
In configurations where both authentication and access control were meaningfully combined, the + access control directives should be migrated. This example allows requests meeting both criteria:
+Order allow,deny +Deny from all +# Satisfy ALL is the default +Satisfy ALL +Allow from 127.0.0.1 +AuthBasicProvider File +AuthUserFile /example.com/conf/users.passwd +AuthName secure +Require valid-user+
AuthBasicProvider File +AuthUserFile /example.com/conf/users.passwd +AuthName secure +<RequireAll> + Require valid-user + Require ip 127.0.0.1 +</RequireAll>+
In configurations where both authentication and access control were meaningfully combined, the + access control directives should be migrated. This example allows requests meeting either criteria:
+Order allow,deny +Deny from all +Satisfy any +Allow from 127.0.0.1 +AuthBasicProvider File +AuthUserFile /example.com/conf/users.passwd +AuthName secure +Require valid-user+
AuthBasicProvider File +AuthUserFile /example.com/conf/users.passwd +AuthName secure +# Implicitly <RequireAny> +Require valid-user +Require ip 127.0.0.1+
AllowOverride
now
+ defaults to None
.EnableSendfile
now
defaults to Off.FileETag
now
defaults to "MTime Size" (without INode).mod_log_config
: ${cookie}C
- matches whole cookie names. Previously any substring would
- match.mod_dav_fs
: The format of the DavLockDB
file has changed for
systems with inodes. The old DavLockDB
file must be deleted on
upgrade.
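Review bot: In the added mixed-directives example, the `<Location "/server-status">` block uses `Require 127.0.0.1`, while the authentication examples later in this same hunk write the new syntax as `Require ip 127.0.0.1`. Use the `Require ip 127.0.0.1` form there as well, so the example demonstrates only the merge-precedence problem and not a second, unrelated syntax difference. The question that follows the example says "servers-status" where the configuration and log lines say `server-status`, and would read better as "Why does httpd deny access to server-status even though the configuration seems to allow it?". The two paragraphs that introduce the `Satisfy ALL` and `Satisfy any` examples open with the same sentence, and the second should end with "either criterion".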
@@ -217,6 +343,12 @@
jsessionid
.
mod_cache
: The second parameter to
+ CacheEnable
only
+ matches forward proxy content if it begins with the correct
+ protocol. In 2.2 and earlier, a parameter of '/' matched all
+ content.mod_ldap
: LDAPTrustedClientCert
is now
consistently a per-directory setting only. If you use this
directive, review your configuration to make sure it is
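Review bot: The added mod_cache item says the second parameter to CacheEnable must begin "with the correct protocol" but does not show what such a parameter looks like, so an administrator whose 2.2 configuration used '/' cannot tell from this text what to change it to. Add a short before/after example of the parameter or a pointer to the CacheEnable reference, and say explicitly that '/' no longer matches forward proxy content, since the current wording only implies it.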
@@ -241,10 +373,17 @@
option has been removed in favour of per-module LogLevel
configuration.
mod_ext-filter
: The DebugLevel
+ mod_ext_filter
: The DebugLevel
option has been removed in favour of per-module LogLevel
configuration.
mod_proxy_scgi
: The default setting for
+ PATH_INFO
has changed from httpd 2.2, and
+ some web applications will no longer operate properly with
+ the new PATH_INFO
setting. The previous setting
+ can be restored by configuring the proxy-scgi-pathinfo
+ variable.mod_ssl
: CRL based revocation checking
now needs to be explicitly configured through SSLCARevocationCheck
.
mod_reqtimeout
: If the module is loaded, it
+ will now set some default timeouts.mod_dumpio
: DumpIOLogLevel
+ is no longer supported. Data is always logged at LogLevel
trace7
.ErrorLog
or
+ CustomLog
were invoked using
+ /bin/sh -c
in 2.2 and earlier. In 2.4 and later,
+ piped logging commands are executed directly. To restore the
+ old behaviour, see the piped logging
+ documentation.mod_ssl
: The default format of the *_DN
variables has changed. The old format can still be used with the new
- LegacyDNStringFormat
argument to SSLOptions
.LegacyDNStringFormat
argument to SSLOptions
. The SSLv2 protocol is
+ no longer supported. SSLProxyCheckPeerCN
+
and SSLProxyCheckPeerExpire
+
now default to On, causing proxy requests to HTTPS hosts
+ with bad or outdated certificates to fail with a 502 status code (Bad
+ gateway)
htpasswd
now uses MD5 hash by default on
all platforms.mod_authn_alias
+ in previous versions (i.e., the AuthnProviderAlias
directive)
+ has been moved into mod_authn_core
.
+ mod_cgid
uses the servers Timeout
to limit the length of time to wait for CGI output.
+ This timeout can be overridden with
+ CGIDScriptTImeout
.
+ mod_access_compat
, or update configuration to 2.4 authorization directives.
Ignoring deprecated use of DefaultType in line NN of /path/to/httpd.conf
- remove DefaultType
and replace with other configuration settings.Invalid command 'AddOutputFilterByType', perhaps misspelled
+ or defined by a module not included in the server configuration
+
- AddOutputFilterByType
+ has moved from the core to mod_filter, which must be loaded.configuration error: couldn't check user: /path
-
load module mod_authn_core
..htaccess
files aren't being processed - Check for an
+ appropriate AllowOverride
directive;
+ the default changed to None
in 2.4.
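Review bot: The added mod_cgid item spells the override directive `CGIDScriptTImeout`, with a stray capital "I" in the middle, and writes "the servers Timeout" without the possessive apostrophe. Correct these to `CGIDScriptTimeout` and "the server's Timeout" so the name can be copied into a configuration as written. In the same region, the added mod_ssl sentence about SSLProxyCheckPeerCN and SSLProxyCheckPeerExpire ends at "(Bad gateway)" with no closing period.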