You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Alex Bligh <al...@alex.org.uk> on 2014/06/26 20:17:33 UTC
[users@httpd] mod_access_compat issue
I have a site configuration that I would like to work on apache 2.4
# apache2ctl -v
Server version: Apache/2.4.7 (Ubuntu)
Server built: Apr 3 2014 12:20:28
Apache 2.4 (on Ubuntu 14.04) is more picky than 2.2 on Ubuntu 12.04
about directory permissions. This is due to the inclusion of the
following stanza in apache2.conf:
<Directory />
Options FollowSymLinks
AllowOverride None
Require all denied
</Directory>
In order to get the site to work under Apache 2.4 I need to introduce
this stanza inside the host declaration. This works fine.
<Directory /path/to/my/site>
Options -Indexes -SymLinksIfOwnerMatch +FollowSymLinks
AllowOverride None
Require all granted
</Directory>
However, I'd like my site configuration to work with apache 2.2 and
apache 2.4. mod_access_compat is loaded, so I use the following:
<Directory /path/to/my/site>
Options -Indexes -SymLinksIfOwnerMatch +FollowSymLinks
AllowOverride None
Order Allow,Deny
Allow from all
</Directory>
This fails giving a 404 with
"AH01630: client denied by server configuration"
in the log
I've also tried "Order allow,deny".
My understanding was that with mod_access_compat the two lines
given were exactly equivalent to "Require all granted".
Is there something I am missing here?
--
Alex Bligh
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] mod_access_compat issue
Posted by Eric Covener <co...@gmail.com>.
> I think that controls the interaction between user authentication
> and host authentication. I'm not using any user authentication.
> However, adding 'Satisfy any' fixes it. Is that because the
> host authentication is still denying access, but the default user
> authentication is to allow? Or because the host authentication
> is working OK and the default user authentication is to permit?
I'm not 1000% clear, but I think it is moreso that Satisfy controls
how two phases (access control and authorization) are combined, and
require "providers" are in the latter phase even though they make
user-indepdendent authorization decisions.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] mod_access_compat issue
Posted by Alex Bligh <al...@alex.org.uk>.
On 26 Jun 2014, at 19:25, Eric Covener <co...@gmail.com> wrote:
> On Thu, Jun 26, 2014 at 2:17 PM, Alex Bligh <al...@alex.org.uk> wrote:
>> Is there something I am missing here?
>
> They are not exactly equivalent, they are on separate sides of the
> "Satisfy" check. The default is "Satisfy all".
Hmm...
I think that controls the interaction between user authentication
and host authentication. I'm not using any user authentication.
However, adding 'Satisfy any' fixes it. Is that because the
host authentication is still denying access, but the default user
authentication is to allow? Or because the host authentication
is working OK and the default user authentication is to permit?
To be clear can auth supplied using mod_auth_compat override
auth denied by 'Require' directives? If they are the other side
of another check, I'm wondering if the issue is simply that they
can't. In which case various upgrade guides might need tweaking.
--
Alex Bligh
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] mod_access_compat issue
Posted by Eric Covener <co...@gmail.com>.
On Thu, Jun 26, 2014 at 2:17 PM, Alex Bligh <al...@alex.org.uk> wrote:
> Is there something I am missing here?
They are not exactly equivalent, they are on separate sides of the
"Satisfy" check. The default is "Satisfy all".
--
Eric Covener
covener@gmail.com
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org