From c0b3ae4906b8a473a22268e07532f6e5f7762ae6 Mon Sep 17 00:00:00 2001 From: Luca Toscano Date: Fri, 8 Apr 2016 08:06:53 +0000 Subject: [PATCH] Documentation rebuild git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1738218 13f79535-47bb-0310-9956-ffa450edef68 --- docs/manual/mod/mod_access_compat.html.en | 12 +++-- docs/manual/upgrading.html.en | 56 +++++++++++++++++++++++ 2 files changed, 65 insertions(+), 3 deletions(-) diff --git a/docs/manual/mod/mod_access_compat.html.en b/docs/manual/mod/mod_access_compat.html.en index 70c1b467a6..452c7d464d 100644 --- a/docs/manual/mod/mod_access_compat.html.en +++ b/docs/manual/mod/mod_access_compat.html.en @@ -62,9 +62,15 @@ have been deprecated by the new authz refactoring. Please see

Note

The directives provided by mod_access_compat have - been deprecated by the new authz refactoring. Please see - mod_authz_host.

-
+ been deprecated by mod_authz_host. + Mixing old directives like Order, Allow or Deny with new ones like + Require is technically possible + but discouraged. This module was created to support + configurations containing only old directives to facilitate the 2.4 upgrade. + Please check the upgrading guide for more + information. +

+

In general, access restriction directives apply to all access methods (GET, PUT, diff --git a/docs/manual/upgrading.html.en b/docs/manual/upgrading.html.en index 36ea70a478..9684ad12c4 100644 --- a/docs/manual/upgrading.html.en +++ b/docs/manual/upgrading.html.en @@ -138,6 +138,15 @@ although for compatibility with old configurations, the new module mod_access_compat is provided.

+

Mixing old and new directives

+

Mixing old directives like Order, Allow or Deny with new ones like + Require is technically possible + but discouraged. mod_access_compat was created to support + configurations containing only old directives to facilitate the 2.4 upgrade. + Please check the examples below to get a better idea about issues that might arise. +

+
+

Here are some examples of old and new ways to do the same access control.

@@ -164,6 +173,53 @@ Allow from example.org

2.4 configuration:

Require host example.org
+ +

In the following example, mixing old and new directives leads to + unexpected results.

+ +

Mixing old and new directives: NOT WORKING AS EXPECTED

DocumentRoot "/var/www/html"
+
+<Directory "/">
+    AllowOverride None
+    Order deny,allow
+    Deny from all
+</Directory>
+
+<Location "/server-status">
+    SetHandler server-status
+    Require 127.0.0.1
+</Location>
+
+access.log - GET /server-status 403 127.0.0.1
+error.log - AH01797: client denied by server configuration: /var/www/html/server-status
+
+

Why httpd denies access to servers-status even if the configuration seems to allow it? + Because mod_access_compat directives take precedence + over the mod_authz_host one in this configuration + merge scenario.

+ +

This example conversely works as expected:

+ +

Mixing old and new directives: WORKING AS EXPECTED

DocumentRoot "/var/www/html"
+
+<Directory "/">
+    AllowOverride None
+    Require all denied
+</Directory>
+
+<Location "/server-status">
+    SetHandler server-status
+    Order deny,allow
+    Deny from all
+    Allow From 127.0.0.1
+</Location>
+
+access.log - GET /server-status 200 127.0.0.1
+
+

So even if mixing configuration is still + possible, please try to avoid it when upgrading: either keep old directives and then migrate + to the new ones on a later stage or just migrate everything in bulk. +

-- 2.50.1