Apache HTTP Server Version 2.5
-
Apache HTTP Server Version 2.5
-
Third Party Modules Common problems when upgrading
LoadModule directives are commented
- out.Directives that control how authorization modules respond when they don't match
+ the authenticated user have been removed: This includes
+ AuthzLDAPAuthoritative, AuthzDBDAuthoritative, AuthzDBMAuthoritative,
+ AuthzGroupFileAuthoritative, AuthzUserAuthoritative,
+ and AuthzOwnerAuthoritative. These directives have been replaced by the
+ more expressive RequireAny,
+ RequireNone, and
+ RequireAll.
If you use mod_authz_dbm, you must port your
+ configuration to use Require dbm-group ... in place
+ of Require group ....
mod_access_compat is provided.
+ Mixing old directives like Order, Allow or Deny with new ones like
+ Require is technically possible
+ but discouraged. mod_access_compat was created to support
+ configurations containing only old directives to facilitate the 2.4 upgrade.
+ Please check the examples below to get a better idea about issues that might arise.
+
Here are some examples of old and new ways to do the same access control.
-In this example, all requests are denied.
-
-
- Order deny,allow
- Deny from all
-
-
- Require all denied
-
In this example, all requests are allowed.
-
-
- Order allow,deny
- Allow from all
-
-
- Require all granted
-
In the following example, all hosts in the example.org domain +
In this example, there is no authentication and all requests are denied.
+Order deny,allow +Deny from all+
Require all denied+
In this example, there is no authentication and all requests are allowed.
+Order allow,deny +Allow from all+
Require all granted+
In the following example, there is no authentication and all hosts in the example.org domain are allowed access; all other hosts are denied access.
-
-
- Order Deny,Allow
- Deny from all
- Allow from example.org
-
-
- Require host example.org
-
Order Deny,Allow +Deny from all +Allow from example.org+
Require host example.org+
In the following example, mixing old and new directives leads to + unexpected results.
+ +DocumentRoot "/var/www/html" + +<Directory "/"> + AllowOverride None + Order deny,allow + Deny from all +</Directory> + +<Location "/server-status"> + SetHandler server-status + Require 127.0.0.1 +</Location> + +access.log - GET /server-status 403 127.0.0.1 +error.log - AH01797: client denied by server configuration: /var/www/html/server-status+
Why httpd denies access to servers-status even if the configuration seems to allow it?
+ Because mod_access_compat directives take precedence
+ over the mod_authz_host one in this configuration
+ merge scenario.
This example conversely works as expected:
+ +DocumentRoot "/var/www/html" + +<Directory "/"> + AllowOverride None + Require all denied +</Directory> + +<Location "/server-status"> + SetHandler server-status + Order deny,allow + Deny from all + Allow From 127.0.0.1 +</Location> + +access.log - GET /server-status 200 127.0.0.1+
So even if mixing configuration is still + possible, please try to avoid it when upgrading: either keep old directives and then migrate + to the new ones on a later stage or just migrate everything in bulk. +
+In many configurations with authentication, where the value of the
+ Satisfy was the default of ALL, snippets
+ that simply disabled host-based access control are omitted:
Order Deny,Allow +Deny from all +AuthBasicProvider File +AuthUserFile /example.com/conf/users.passwd +AuthName secure +Require valid-user+
# No replacement needed +AuthBasicProvider File +AuthUserFile /example.com/conf/users.passwd +AuthName secure +Require valid-user+
In configurations where both authentication and access control were meaningfully combined, the + access control directives should be migrated. This example allows requests meeting both criteria:
+Order allow,deny +Deny from all +# Satisfy ALL is the default +Satisfy ALL +Allow from 127.0.0.1 +AuthBasicProvider File +AuthUserFile /example.com/conf/users.passwd +AuthName secure +Require valid-user+
AuthBasicProvider File +AuthUserFile /example.com/conf/users.passwd +AuthName secure +<RequireAll> + Require valid-user + Require ip 127.0.0.1 +</RequireAll>+
In configurations where both authentication and access control were meaningfully combined, the + access control directives should be migrated. This example allows requests meeting either criteria:
+Order allow,deny +Deny from all +Satisfy any +Allow from 127.0.0.1 +AuthBasicProvider File +AuthUserFile /example.com/conf/users.passwd +AuthName secure +Require valid-user+
AuthBasicProvider File +AuthUserFile /example.com/conf/users.passwd +AuthName secure +# Implicitly <RequireAny> +Require valid-user +Require ip 127.0.0.1+
AllowOverride now
+ defaults to None.EnableSendfile now
defaults to Off.FileETag now
defaults to "MTime Size" (without INode).mod_log_config: ${cookie}C
- matches whole cookie names. Previously any substring would
- match.mod_dav_fs: The format of the DavLockDB file has changed for
systems with inodes. The old DavLockDB file must be deleted on
upgrade.
@@ -224,6 +343,12 @@
jsessionid.
mod_cache: The second parameter to
+ CacheEnable only
+ matches forward proxy content if it begins with the correct
+ protocol. In 2.2 and earlier, a parameter of '/' matched all
+ content.mod_ldap: LDAPTrustedClientCert is now
consistently a per-directory setting only. If you use this
directive, review your configuration to make sure it is
@@ -248,10 +373,17 @@
option has been removed in favour of per-module LogLevel configuration.
mod_ext-filter: The DebugLevel
+ mod_ext_filter: The DebugLevel
option has been removed in favour of per-module LogLevel configuration.
mod_proxy_scgi: The default setting for
+ PATH_INFO has changed from httpd 2.2, and
+ some web applications will no longer operate properly with
+ the new PATH_INFO setting. The previous setting
+ can be restored by configuring the proxy-scgi-pathinfo
+ variable.mod_ssl: CRL based revocation checking
now needs to be explicitly configured through SSLCARevocationCheck.
mod_reqtimeout: If the module is loaded, it
will now set some default timeouts.mod_dumpio: DumpIOLogLevel
+ is no longer supported. Data is always logged at LogLevel trace7.ErrorLog or
+ CustomLog were invoked using
+ /bin/sh -c in 2.2 and earlier. In 2.4 and later,
+ piped logging commands are executed directly. To restore the
+ old behaviour, see the piped logging
+ documentation.mod_ssl: The default format of the *_DN
variables has changed. The old format can still be used with the new
LegacyDNStringFormat argument to SSLOptions. The SSLv2 protocol is
- no longer supported.SSLProxyCheckPeerCN
+ and SSLProxyCheckPeerExpire
+ now default to On, causing proxy requests to HTTPS hosts
+ with bad or outdated certificates to fail with a 502 status code (Bad
+ gateway)
htpasswd now uses MD5 hash by default on
all platforms.mod_authn_alias
+ in previous versions (i.e., the AuthnProviderAlias directive)
+ has been moved into mod_authn_core.
+ mod_cgid uses the servers Timeout to limit the length of time to wait for CGI output.
+ This timeout can be overridden with
+ CGIDScriptTImeout.
+ mod_access_compat, or update configuration to 2.4 authorization directives.
Ignoring deprecated use of DefaultType in line NN of /path/to/httpd.conf - remove DefaultType
and replace with other configuration settings.Invalid command 'AddOutputFilterByType', perhaps misspelled
+ or defined by a module not included in the server configuration
+ - AddOutputFilterByType
+ has moved from the core to mod_filter, which must be loaded.configuration error: couldn't check user: /path -
load module mod_authn_core..htaccess files aren't being processed - Check for an
+ appropriate AllowOverride directive;
+ the default changed to None in 2.4.