From: Luca Toscano
Date: Mon, 11 Apr 2016 08:11:06 +0000 (+0000)
Subject: Clarification of mod_access_compat and mod_authz_host usage.
X-Git-Tag: 2.4.21~271
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=9d5310a4619a04f4d79069ff4cf7f5aa4bd52bff;p=apache
Clarification of mod_access_compat and mod_authz_host usage.
A recent email in docs@ brought up an interesting use case, namely mixing
mod_access_compat (Order, Deny, Allow) and mod_authz_host (Require) directives
while migrating from 2.2 to 2.4. This is technically possible but it leads
to a lot of confusion due to how config merge works between these modules. This change adds
some examples to the documentation about things that might go wrong when mixing
old and new directives, stating clearly that mod_access_compat and mod_authz_host
should not be used together.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1738542 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/docs/manual/howto/auth.xml b/docs/manual/howto/auth.xml
index 388e69eee6..24ea182319 100644
--- a/docs/manual/howto/auth.xml
+++ b/docs/manual/howto/auth.xml
@@ -560,6 +560,21 @@ Require group GroupName
Satisfy are no longer needed.
However to provide backwards compatibility for older configurations, these
directives have been moved to the mod_access_compat module.
+
+ Note
+ The directives provided by mod_access_compat have
+ been deprecated by mod_authz_host.
+ Mixing old directives like Order, Allow or Deny with new ones like
+ Require is technically possible
+ but discouraged. The mod_access_compat module was created to support
+ configurations containing only old directives to facilitate the 2.4 upgrade.
+ Please check the upgrading guide for more
+ information.
+
+
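Review bot: the added Note in auth.xml lists only Order, Allow and Deny as the old directives, while the unchanged sentence directly above it also names Satisfy among the directives moved to mod_access_compat. Add Satisfy to the list so the note matches its surrounding paragraph. The note also calls mixing "technically possible but discouraged" without a reason; one clause on the consequence (the old directives can take precedence over a Require when sections are merged, as the upgrading guide example shows) would help readers who do not follow the link.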
diff --git a/docs/manual/mod/mod_access_compat.xml b/docs/manual/mod/mod_access_compat.xml
index 5d5f4cee77..1feda12871 100644
--- a/docs/manual/mod/mod_access_compat.xml
+++ b/docs/manual/mod/mod_access_compat.xml
@@ -59,9 +59,19 @@ have been deprecated by the new authz refactoring. Please see
Note
The directives provided by mod_access_compat have
- been deprecated by the new authz refactoring. Please see
- mod_authz_host.
-
+ been deprecated by mod_authz_host.
+ Mixing old directives like Order, Allow or Deny with new ones like
+ Require is technically possible
+ but discouraged. This module was created to support
+ configurations containing only old directives to facilitate the 2.4 upgrade.
+ Please check the upgrading guide for more
+ information.
+
+
In general, access restriction directives apply to all
access methods (GET
, PUT
,
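Review bot: "deprecated by mod_authz_host" in the rewritten Note reads as if the module itself performed the deprecation, and it drops the reference to the authz refactoring that the removed lines carried. Consider "deprecated in favour of the directives provided by mod_authz_host". This paragraph is also a near-verbatim copy of the ones added to auth.xml and upgrading.xml; keeping the full wording in one file and linking to it from the other two would stop the three copies drifting apart.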
diff --git a/docs/manual/upgrading.xml b/docs/manual/upgrading.xml
index 71ea9da5c8..64580c69be 100644
--- a/docs/manual/upgrading.xml
+++ b/docs/manual/upgrading.xml
@@ -137,6 +137,19 @@
although for compatibility with old configurations, the new
module mod_access_compat is provided.
+ Mixing old and new directives
+ Mixing old directives like Order, Allow or Deny with new ones like
+ Require is technically possible
+ but discouraged. mod_access_compat was created to support
+ configurations containing only old directives to facilitate the 2.4 upgrade.
+ Please check the examples below to get a better idea about issues that might arise.
+
+
+
Here are some examples of old and new ways to do the same
access control.
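Review bot: "Please check the examples below" in the new "Mixing old and new directives" paragraph is ambiguous, because the text that immediately follows it ("Here are some examples of old and new ways to do the same access control") introduces the equivalence examples, not the mixed ones. Point explicitly at the mixed-directive examples added further down in this file, or move this paragraph next to them.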
@@ -187,6 +200,61 @@ Allow from example.org
Require host example.org
+
+ In the following example, mixing old and new directives leads to
+ unexpected results.
+
+
+ Mixing old and new directives: NOT WORKING AS EXPECTED
+
+DocumentRoot "/var/www/html"
+
+<Directory "/">
+ AllowOverride None
+ Order deny,allow
+ Deny from all
+</Directory>
+
+<Location "/server-status">
+ SetHandler server-status
+ Require 127.0.0.1
+</Location>
+
+access.log - GET /server-status 403 127.0.0.1
+error.log - AH01797: client denied by server configuration: /var/www/html/server-status
+
+
+ Why httpd denies access to servers-status even if the configuration seems to allow it?
+ Because mod_access_compat directives take precedence
+ over the mod_authz_host one in this configuration
+ merge scenario.
+
+ This example conversely works as expected:
+
+
+ Mixing old and new directives: WORKING AS EXPECTED
+
+DocumentRoot "/var/www/html"
+
+<Directory "/">
+ AllowOverride None
+ Require all denied
+</Directory>
+
+<Location "/server-status">
+ SetHandler server-status
+ Order deny,allow
+ Deny from all
+ Allow From 127.0.0.1
+</Location>
+
+access.log - GET /server-status 200 127.0.0.1
+
+
+ So even if mixing configuration is still
+ possible, please try to avoid it when upgrading: either keep old directives and then migrate
+ to the new ones on a later stage or just migrate everything in bulk.
+
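Review bot: "Require 127.0.0.1" in the "NOT WORKING AS EXPECTED" example has no provider keyword, unlike the "Require host example.org" context line at the top of this hunk. It should be "Require ip 127.0.0.1"; as written, the address sits where the provider name is expected, so the example would fail when the configuration is loaded rather than produce the 403 shown. In the explanation that follows, "servers-status" should be "server-status" and the question reads better as "Why does httpd deny access to server-status even though the configuration seems to allow it?". The "WORKING AS EXPECTED" example writes "Allow From" where the context line above uses "Allow from"; use one spelling throughout.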