Posted to docs@httpd.apache.org by Hildegard Meier <da...@gmx.de> on 2016/04/04 12:03:56 UTC

Guide for Upgrade from 2.2 to 2.4: Need to mention default rule " Require all denied"

Hello,

I have the following configuration in a vHost:

[...]

Alias /pnp4nagios "/usr/local/pnp4nagios-0.6.25/share"

<Directory "/usr/local/pnp4nagios-0.6.25/share">
AllowOverride None

Order allow,deny
Allow from all

[...]

This works with Apache 2.2 but after upgrading to 2.4 access is denied!

Debug error log gives:

[authz_core:debug] [client x.x.x.x:52204] AH01626: authorization result of <Require Any>: denied
[authz_core:error] [client x.x.x.x:52204] AH01630: client denied by server configuration: /usr/local/pnp4nagios-0.6.25/share/graph

I guess this is because of this default entry in /etc/apache2/apache2.conf:

<Directory />
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>


Solution is to replace the "Order allow,deny Allow from all" with "Require all granted".

I do not know why the legacy directive has no effect in this case, and I suggest giving a hint about this case in the upgrade guide

https://httpd.apache.org/docs/2.4/upgrading.html

I also second the comment from 2013-05-20 on
https://httpd.apache.org/docs/2.4/mod/mod_access_compat.html

"The documentation doesn't mention how authz_host and mod_access_compat directives interact when both modules are installed. From people testing here it seems that "deny" rule is always in effect, regardless if it is coming from authz_host or access_compat. Official description of these interactions would be welcome."


Best regards

---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org


Re: Aw: Re: Re: Guide for Upgrade from 2.2 to 2.4: Need to mention default rule " Require all denied"

Posted by Rich Bowen <rb...@rcbowen.com>.

On 04/11/2016 04:16 AM, Luca Toscano wrote:
> Final update: committed in 2.4.x
> (http://svn.apache.org/viewvc?view=revision&revision=1738542) and
> answered to the comment pointed out by Hildegard in the
> mod_access_compat doc page.
>

Awesome. Thank you.

-- 
Rich Bowen - rbowen@rcbowen.com - @rbowen
http://apachecon.com/ - @apachecon



Re: Aw: Re: Re: Guide for Upgrade from 2.2 to 2.4: Need to mention default rule " Require all denied"

Posted by Luca Toscano <to...@gmail.com>.
2016-04-08 19:37 GMT+02:00 Luca Toscano <to...@gmail.com>:

>
>
> 2016-04-07 10:57 GMT+02:00 Luca Toscano <to...@gmail.com>:
>
>>
>>
>> 2016-04-06 0:00 GMT+02:00 Rich Bowen <rb...@rcbowen.com>:
>>
>>> I haven't gotten around to fixing yet, but I (or someone) will annotate
>>> accordingly.
>>>
>>
>> I created a patch for the "upgrading" section containing examples and
>> suggestions, let me know your thoughts (also from Hildegard Meier would be
>> great). I haven't just written "please don't mix the directives" but also
>> added some examples to clarify why, not sure though if everybody likes this
>> approach or not so I am proposing it first :)
>>
>
> Committed in trunk, new sections in:
>
> 1) http://httpd.apache.org/docs/trunk/upgrading.html#run-time -> access
> control (new examples, new note banner)
> 2) https://httpd.apache.org/docs/trunk/mod/mod_access_compat.html ->
> summary (added a note)
>
> I'll probably also update
> https://httpd.apache.org/docs/trunk/howto/auth.html if everybody likes
> the changes, and backport everything to 2.4.
>
> Luca
>
>

Final update: committed in 2.4.x (
http://svn.apache.org/viewvc?view=revision&revision=1738542) and answered
to the comment pointed out by Hildegard in the mod_access_compat doc page.

Let me know if anything is missing!

Regards,

Luca

Re: Aw: Re: Re: Guide for Upgrade from 2.2 to 2.4: Need to mention default rule " Require all denied"

Posted by Luca Toscano <to...@gmail.com>.
2016-04-07 10:57 GMT+02:00 Luca Toscano <to...@gmail.com>:

>
>
> 2016-04-06 0:00 GMT+02:00 Rich Bowen <rb...@rcbowen.com>:
>
>> I haven't gotten around to fixing yet, but I (or someone) will annotate
>> accordingly.
>>
>
> I created a patch for the "upgrading" section containing examples and
> suggestions, let me know your thoughts (also from Hildegard Meier would be
> great). I haven't just written "please don't mix the directives" but also
> added some examples to clarify why, not sure though if everybody likes this
> approach or not so I am proposing it first :)
>

Committed in trunk, new sections in:

1) http://httpd.apache.org/docs/trunk/upgrading.html#run-time -> access
control (new examples, new note banner)
2) https://httpd.apache.org/docs/trunk/mod/mod_access_compat.html ->
summary (added a note)

I'll probably also update
https://httpd.apache.org/docs/trunk/howto/auth.html if everybody likes the
changes, and backport everything to 2.4.

Luca

Re: Aw: Re: Re: Guide for Upgrade from 2.2 to 2.4: Need to mention default rule " Require all denied"

Posted by Luca Toscano <to...@gmail.com>.
2016-04-06 0:00 GMT+02:00 Rich Bowen <rb...@rcbowen.com>:

> I haven't gotten around to fixing yet, but I (or someone) will annotate
> accordingly.
>

I created a patch for the "upgrading" section containing examples and
suggestions, let me know your thoughts (also from Hildegard Meier would be
great). I haven't just written "please don't mix the directives" but also
added some examples to clarify why, not sure though if everybody likes this
approach or not so I am proposing it first :)

Thanks!

Luca

Re: Aw: Re: Re: Guide for Upgrade from 2.2 to 2.4: Need to mention default rule " Require all denied"

Posted by Rich Bowen <rb...@rcbowen.com>.
I haven't gotten around to fixing yet, but I (or someone) will annotate
accordingly.
On Apr 5, 2016 8:00 AM, "Hildegard Meier" <da...@gmx.de> wrote:

> Thanks,
>
> that is correct, it was absolutely not clear to me that having the module
> "access_compat" enabled and mixing old and new style would be absolutely
> not supported.
>
> Would be clearer, if the new style directives would lead to errors when
> having "access_compat" enabled, I guess.
>
> So I would suggest to make the 2.2->2.4 Upgrade guide (
> https://httpd.apache.org/docs/2.4/upgrading.html) clearer regarding this.
>
> I disabled now the "access_compat" module and converted all the old style
> directives to the new style in one (big) step, and now everything is
> working as before.
>
> Initially, I wanted to do the conversion stepwise, and that led to the
> initial problem.
>
> Best regards
>
> *Sent:* Tuesday, 05 April 2016 at 13:15
> *From:* "Rich Bowen" <rb...@rcbowen.com>
> *To:* docs@httpd.apache.org
> *Subject:* Re: Aw: Re: Guide for Upgrade from 2.2 to 2.4: Need to mention
> default rule "<Directory /> Require all denied"
>
>
> You _must_ pick one or the other. Either use compat, or unload it. If you
> have compat loaded, it expects the "old" format.
>
> I thought we had made this clear in the doc but apparently not.
>
> Recommended best practice, of course, is to use the new syntax. Compat
> things always result in long term confusion in exchange for your short term
> convenience.

Re: Re: Re: Guide for Upgrade from 2.2 to 2.4: Need to mention default rule " Require all denied"

Posted by Luca Toscano <to...@gmail.com>.
Hi!

2016-04-05 14:00 GMT+02:00 Hildegard Meier <da...@gmx.de>:

> Thanks,
>
> that is correct, it was absolutely not clear to me that having the module
> "access_compat" enabled and mixing old and new style would be absolutely
> not supported.
>

Sorry to jump in again but this is not true in my opinion. As stated in my
previous email, the issue presents itself only when a configuration merge
happens. I'll expand my previous example:

<Directory />
        AllowOverride None
        Require all denied
</Directory>

AND one of the following:

<Location /server-status>
        SetHandler server-status
        Order deny,allow
        Deny from all
        Allow From 127.0.0.1
</Location>

<Location /server-status>
        SetHandler server-status
        Require ip 127.0.0.1
</Location>

works without triggering any issue (tested it on httpd 2.4.10). The
following version instead triggers the error that you mentioned in your
original email:

<Directory />
        Options FollowSymLinks
        AllowOverride None
        Order Allow,Deny
</Directory>

<Location /server-status>
        SetHandler server-status
        Require ip 127.0.0.1
</Location>

[Tue Apr 05 16:37:18.023324 2016] [access_compat:error] [pid 3235:tid
140233374893824] [client 127.0.0.1:55979] AH01797: client denied by server
configuration: /var/www/html/server-status

So access_compat takes precedence over authz_host in certain merge
config scenarios.


>
> Would be clearer, if the new style directives would lead to errors when
> having "access_compat" enabled, I guess.
>
> So I would suggest to make the 2.2->2.4 Upgrade guide (
> https://httpd.apache.org/docs/2.4/upgrading.html) clearer regarding this.
>

Definitely, I will probably use the above example to explain why the usage
of a mixed configuration can lead to issues.


>
> I disabled now the "access_compat" module and converted all the old style
> directives to the new style in one (big) step, and now everything is
> working as before.
>
> Initially, I wanted to do the conversion stepwise, and that led to the
> initial problem.
>
>

+1 for the migration, more 2.4 users are always welcome :)

Let me know your thoughts!

Regards,

Luca
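The two situations Luca describes above (legacy and Require directives in separate sections that merge, and the failing `<Directory />` with `Order Allow,Deny` next to a `<Location>` with `Require ip`), as an added audit script that is not from the thread or from the httpd project: it walks a config file, labels each container as legacy, require or mixed, and flags a file that carries both styles anywhere, since even separate sections can deny access once httpd merges them. It assumes POSIX sh with awk; the sample config is constructed.

```shell
#!/bin/sh
# Added example, not from the thread or the httpd project: audit an httpd
# config file for 2.2-style access control (Order/Allow/Deny/Satisfy, served
# by mod_access_compat) living next to 2.4-style Require directives.
# Assumes POSIX sh plus awk; the sample config below is constructed.
# Nested containers (e.g. <Files> inside <Directory>) are not tracked.

# Print one "<container><TAB><style>" line per Directory/Location/Files
# container (or "(server)" for top-level directives) that carries access
# control; style is legacy, require, or mixed.
classify_authz() {
    awk '
    function flush(name) {
        if (legacy && modern) style = "mixed"
        else if (legacy) style = "legacy"
        else style = "require"
        if (legacy || modern) printf "%s\t%s\n", name, style
        legacy = 0; modern = 0
    }
    BEGIN { container = "(server)" }
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        lc = tolower(line)
        if (lc == "" || lc ~ /^#/) next
        if (lc ~ /^<(directory|location|files)(match)?[ \t>]/) {
            flush(container)              # emit pending top-level directives
            container = line
            sub(/^</, "", container); sub(/>.*$/, "", container)
            next
        }
        if (lc ~ "^</(directory|location|files)(match)?>") {
            flush(container); container = "(server)"; next
        }
        if (lc ~ /^(order|allow|deny|satisfy)[ \t]/) legacy = 1
        else if (lc ~ /^require[ \t]/ || lc ~ /^<require(all|any|none)>/) modern = 1
    }
    END { flush(container) }
    ' "$1"
}

# True (exit 0) when legacy and Require directives are both present, either in
# one container or spread over different containers: the thread shows that the
# latter already ends in AH01797 once the sections are merged.
authz_mixes_styles() {
    styles=$(classify_authz "$1" | cut -f2 | sort -u)
    case "$styles" in *mixed*) return 0 ;; esac
    printf '%s\n' "$styles" | grep -qx legacy &&
        printf '%s\n' "$styles" | grep -qx require
}

# Constructed sample: Debian's default <Directory />, the reporter's
# pnp4nagios block, and a /server-status block mixing both styles.
SAMPLE_CONF='<Directory />
    AllowOverride None
    Require all denied
</Directory>
<Directory "/usr/local/pnp4nagios-0.6.25/share">
    Order allow,deny
    Allow from all
</Directory>
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Require ip 127.0.0.1
</Location>'

SAMPLE_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$SAMPLE_FILE"
classify_authz "$SAMPLE_FILE"   # one line per container: require, legacy, mixed
```

Whether mod_access_compat is loaded at all can be checked with `apachectl -M`; if the script reports any legacy line, the module must stay loaded until those sections are converted.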

Re: Aw: Re: Guide for Upgrade from 2.2 to 2.4: Need to mention default rule " Require all denied"

Posted by Rich Bowen <rb...@rcbowen.com>.
On Apr 4, 2016 10:19, "Hildegard Meier" <da...@gmx.de> wrote:
>
>
>
> <Location /server-status>
>         SetHandler server-status
>
>         Order deny,allow
>         Deny from all
>         Allow From 1.2.3.4
> </Location>
>
> _works_ with 2.4. Changing it to
>
> <Location /server-status>
>         SetHandler server-status
>
>         Require ip 1.2.3.4
> </Location>
>
> Gives
>
> "[access_compat:error] [client 1.2.3.4] AH01797: client denied by server
> configuration: /var/www/docs/default/server-status"
>
> and does _not_ work anymore, so I have to switch back to old style.
>
>

You _must_ pick one or the other. Either use compat, or unload it. If you
have compat loaded, it expects the "old" format.

I thought we had made this clear in the doc but apparently not.

Recommended best practice, of course, is to use the new syntax. Compat
things always result in long term confusion in exchange for your short term
convenience.

Re: Re: Guide for Upgrade from 2.2 to 2.4: Need to mention default rule " Require all denied"

Posted by Luca Toscano <to...@gmail.com>.
2016-04-04 19:35 GMT+02:00 Luca Toscano <to...@gmail.com>:

> Hi again,
>
> 2016-04-04 16:19 GMT+02:00 Hildegard Meier <da...@gmx.de>:
>
>>
>>
>> > Solution is to replace the "Order allow,deny Allow from all" with
>> "Require all granted".
>> >
>> > I do not know, why the legacy directive has no effect in this case and
>> I suggest to give a hint on this case in the upgrade guide
>> >
>> >
>> https://httpd.apache.org/docs/2.4/upgrading.html
>>
>> >> Maybe I am missing something but this use case is described in
>> https://httpd.apache.org/docs/2.4/upgrading.html#run-time
>> ==> Access control..
>>
>> The point is, that in the documentation is written "The old access
>> control idioms _should_ be replaced [...] for compatibility with old
>> configurations, the new module mod_access_compat is provided."
>>
>> But in my case, the old access control idioms _has to_ be replaced, there
>> is _no compatibility_.
>>
>> It seems to me that there is some problem with mixing old and new style,
>> which is also mentioned here:
>>
>> "A mix of allow (2.2) and require (2.4) directives while using apache
>> HTTPD 2.4, used in the same or separate directory blocks. The new 2.4
>> directives should be used exclusively, and the mod_access_compat module
>> should be unloaded by commenting out the LoadModule directive."
>>
>> (source: https://wiki.apache.org/httpd/ClientDeniedByServerConfiguration)
>>
>
>
> Now it makes more sense, thanks for the clarification. AFAIK both
> configurations could have been placed in the same httpd conf as long as
> mod_access_compat and mod_authz_host modules were loaded but I might be
> wrong at this point.
>
>
>>
>>
>> > I also second the comment from 2013-05-20 on
>> >
>> https://httpd.apache.org/docs/2.4/mod/mod_access_compat.html
>>
>> > "The documentation doesn't mention how authz_host and mod_access_compat
>> directives interact when both modules are installed. From people testing
>> here it seems that "deny" rule is always in effect, regardless if it is
>> coming from authz_host or access_compat. Official description of these
>> interactions would be welcome."
>>
>> >> Info available:
>> >>
>> >> - upgrade doc ==> "In 2.4, such access control is done in the same way
>> as other authorization checks, using the new module mod_authz_host. The old
>> access control idioms should be replaced by the new authentication
>> mechanisms, although for compatibility with old configurations, the new
>> module mod_access_compat is provided."
>> >>
>> >> - mod_access_compat ==> "The directives provided by mod_access_compat
>> have been deprecated by the new authz refactoring. Please see
>> mod_authz_host."
>> >>
>> >> Could you give us some advice about the info needed to make this
>> document clearer?
>>
>> Another case:
>>
>> <Location /server-status>
>>         SetHandler server-status
>>
>>         Order deny,allow
>>         Deny from all
>>         Allow From 1.2.3.4
>> </Location>
>>
>> _works_ with 2.4. Changing it to
>>
>> <Location /server-status>
>>         SetHandler server-status
>>
>>         Require ip 1.2.3.4
>> </Location>
>>
>> Gives
>>
>> "[access_compat:error] [client 1.2.3.4] AH01797: client denied by server
>> configuration: /var/www/docs/default/server-status"
>>
>> and does _not_ work anymore, so I have to switch back to old style.
>>
>>
> Clarification to understand: Did you load both mod_access_compat and
> mod_authz_host right? I am going to check your bug report asap to see if I
> can get a repro (should be easy), and in case we'll amend the docs
> accordingly.
>
>
Ran some tests with httpd 2.4.10 (Debian Jessie standard config) and the
following (one at a time, replacing 1.2.3.4 with 127.0.0.1):

<Location /server-status>
        SetHandler server-status

        Order deny,allow
        Deny from all
        Allow From 127.0.0.1
</Location>

<Location /server-status>
        SetHandler server-status
        Require ip 127.0.0.1
</Location>

Everything works as expected with curl http://localhost/server-status. I
also tried to set 1.2.3.4 instead of 127.0.0.1 and the request gets a 403
as expected. After a chat on #httpd I may know why
https://wiki.apache.org/httpd/ClientDeniedByServerConfiguration contains a
different suggestion: the old and new directives can coexist and work
together only if merging (
http://httpd.apache.org/docs/current/sections.html#merging) is not
involved, because in that case the 2.4 directives (i.e. Require) take
precedence.

Let me know!

Regards,

Luca

Re: Re: Guide for Upgrade from 2.2 to 2.4: Need to mention default rule " Require all denied"

Posted by Luca Toscano <to...@gmail.com>.
Hi again,

2016-04-04 16:19 GMT+02:00 Hildegard Meier <da...@gmx.de>:

>
>
> > Solution is to replace the "Order allow,deny Allow from all" with
> "Require all granted".
> >
> > I do not know, why the legacy directive has no effect in this case and I
> suggest to give a hint on this case in the upgrade guide
> >
> >
> https://httpd.apache.org/docs/2.4/upgrading.html
>
> >> Maybe I am missing something but this use case is described in
> https://httpd.apache.org/docs/2.4/upgrading.html#run-time
> ==> Access control..
>
> The point is, that in the documentation is written "The old access control
> idioms _should_ be replaced [...] for compatibility with old
> configurations, the new module mod_access_compat is provided."
>
> But in my case, the old access control idioms _has to_ be replaced, there
> is _no compatibility_.
>
> It seems to me that there is some problem with mixing old and new style,
> which is also mentioned here:
>
> "A mix of allow (2.2) and require (2.4) directives while using apache
> HTTPD 2.4, used in the same or separate directory blocks. The new 2.4
> directives should be used exclusively, and the mod_access_compat module
> should be unloaded by commenting out the LoadModule directive."
>
> (source: https://wiki.apache.org/httpd/ClientDeniedByServerConfiguration)
>


Now it makes more sense, thanks for the clarification. AFAIK both
configurations could have been placed in the same httpd conf as long as
mod_access_compat and mod_authz_host modules were loaded but I might be
wrong at this point.


>
>
> > I also second the comment from 2013-05-20 on
> >
> https://httpd.apache.org/docs/2.4/mod/mod_access_compat.html
>
> > "The documentation doesn't mention how authz_host and mod_access_compat
> directives interact when both modules are installed. From people testing
> here it seems that "deny" rule is always in effect, regardless if it is
> coming from authz_host or access_compat. Official description of these
> interactions would be welcome."
>
> >> Info available:
> >>
> >> - upgrade doc ==> "In 2.4, such access control is done in the same way
> as other authorization checks, using the new module mod_authz_host. The old
> access control idioms should be replaced by the new authentication
> mechanisms, although for compatibility with old configurations, the new
> module mod_access_compat is provided."
> >>
> >> - mod_access_compat ==> "The directives provided by mod_access_compat
> have been deprecated by the new authz refactoring. Please see
> mod_authz_host."
> >>
> >> Could you give us some advice about the info needed to make this
> document clearer?
>
> Another case:
>
> <Location /server-status>
>         SetHandler server-status
>
>         Order deny,allow
>         Deny from all
>         Allow From 1.2.3.4
> </Location>
>
> _works_ with 2.4. Changing it to
>
> <Location /server-status>
>         SetHandler server-status
>
>         Require ip 1.2.3.4
> </Location>
>
> Gives
>
> "[access_compat:error] [client 1.2.3.4] AH01797: client denied by server
> configuration: /var/www/docs/default/server-status"
>
> and does _not_ work anymore, so I have to switch back to old style.
>
>
Clarification to understand: Did you load both mod_access_compat and
mod_authz_host right? I am going to check your bug report asap to see if I
can get a repro (should be easy), and in case we'll amend the docs
accordingly.

Thanks again!

Luca

Aw: Re: Guide for Upgrade from 2.2 to 2.4: Need to mention default rule " Require all denied"

Posted by Hildegard Meier <da...@gmx.de>.

> Solution is to replace the "Order allow,deny Allow from all" with "Require all granted".
>
> I do not know, why the legacy directive has no effect in this case and I suggest to give a hint on this case in the upgrade guide
>
> https://httpd.apache.org/docs/2.4/upgrading.html
 
>> Maybe I am missing something but this use case is described in https://httpd.apache.org/docs/2.4/upgrading.html#run-time ==> Access control..

The point is, that in the documentation is written "The old access control idioms _should_ be replaced [...] for compatibility with old configurations, the new module mod_access_compat is provided."

But in my case, the old access control idioms _has to_ be replaced, there is _no compatibility_.

It seems to me that there is some problem with mixing old and new style, which is also mentioned here:

"A mix of allow (2.2) and require (2.4) directives while using apache HTTPD 2.4, used in the same or separate directory blocks. The new 2.4 directives should be used exclusively, and the mod_access_compat module should be unloaded by commenting out the LoadModule directive."

(source: https://wiki.apache.org/httpd/ClientDeniedByServerConfiguration)


> I also second the comment from 2013-05-20 on
> https://httpd.apache.org/docs/2.4/mod/mod_access_compat.html

> "The documentation doesn't mention how authz_host and mod_access_compat directives interact when both modules are installed. From people testing here it seems that "deny" rule is always in effect, regardless if it is coming from authz_host or access_compat. Official description of these interactions would be welcome."
 
>> Info available:
>> 
>> - upgrade doc ==> "In 2.4, such access control is done in the same way as other authorization checks, using the new module mod_authz_host. The old access control idioms should be replaced by the new authentication mechanisms, although for compatibility with old configurations, the new module mod_access_compat is provided."
>> 
>> - mod_access_compat ==> "The directives provided by mod_access_compat have been deprecated by the new authz refactoring. Please see mod_authz_host."
>> 
>> Could you give us some advice about the info needed to make this document clearer? 
 
Another case:

<Location /server-status>
        SetHandler server-status

        Order deny,allow
        Deny from all
        Allow From 1.2.3.4
</Location>

_works_ with 2.4. Changing it to

<Location /server-status>
        SetHandler server-status

        Require ip 1.2.3.4
</Location>

Gives 

"[access_compat:error] [client 1.2.3.4] AH01797: client denied by server configuration: /var/www/docs/default/server-status"

and does _not_ work anymore, so I have to switch back to old style.



Re: Guide for Upgrade from 2.2 to 2.4: Need to mention default rule " Require all denied"

Posted by Luca Toscano <to...@gmail.com>.
Hello!

2016-04-04 12:03 GMT+02:00 Hildegard Meier <da...@gmx.de>:

> Hello,
>
> I have the following configuration in a vHost:
>
> [...]
>
> Alias /pnp4nagios "/usr/local/pnp4nagios-0.6.25/share"
>
> <Directory "/usr/local/pnp4nagios-0.6.25/share">
> AllowOverride None
>
> Order allow,deny
> Allow from all
>
> [...]
>
> This works with Apache 2.2 but after upgrading to 2.4 access is denied!
>
> Debug error log gives:
>
> [authz_core:debug] [client x.x.x.x:52204] AH01626: authorization result of
> <Require Any>: denied
> [authz_core:error] [client x.x.x.x:52204] AH01630: client denied by server
> configuration: /usr/local/pnp4nagios-0.6.25/share/graph
>
> I guess this is because of this default entry in /etc/apache2/apache2.conf:
>
> <Directory />
>     Options FollowSymLinks
>     AllowOverride None
>     Require all denied
> </Directory>
>
>
> Solution is to replace the "Order allow,deny Allow from all" with "Require
> all granted".
>
> I do not know, why the legacy directive has no effect in this case and I
> suggest to give a hint on this case in the upgrade guide
>
> https://httpd.apache.org/docs/2.4/upgrading.html


Maybe I am missing something but this use case is described in
https://httpd.apache.org/docs/2.4/upgrading.html#run-time ==> Access
control..

>
> I also second the comment from 2013-05-20 on
> https://httpd.apache.org/docs/2.4/mod/mod_access_compat.html
>
> "The documentation doesn't mention how authz_host and mod_access_compat
> directives interact when both modules are installed. From people testing
> here it seems that "deny" rule is always in effect, regardless if it is
> coming from authz_host or access_compat. Official description of these
> interactions would be welcome."
>

Info available:

- upgrade doc ==> "In 2.4, such access control is done in the same way as
other authorization checks, using the new module mod_authz_host. The old
access control idioms should be replaced by the new authentication
mechanisms, although for compatibility with old configurations, the new
module mod_access_compat is provided."

- mod_access_compat ==> "The directives provided by mod_access_compat have
been deprecated by the new authz refactoring. Please see mod_authz_host."

Could you give us some advice about the info needed to make this document
clearer?

Thanks a lot!

Luca