Posted to dev@httpd.apache.org by Chris Darroch <ch...@pearsoncmg.com> on 2010/06/22 00:27:04 UTC

Re: svn commit: r956396 - /httpd/httpd/trunk/docs/manual/upgrading.xml

poirier@apache.org wrote:

> Author: poirier
> Date: Sun Jun 20 19:48:13 2010
> New Revision: 956396
> 
> URL: http://svn.apache.org/viewvc?rev=956396&view=rev
> Log:
> First pass at documentation for upgrading to 2.4.
> Went through CHANGES and tried to pick out things that would
> require a 2.2 user to make changes for 2.4.
> 
> Modified:
>     httpd/httpd/trunk/docs/manual/upgrading.xml
> 
> Modified: httpd/httpd/trunk/docs/manual/upgrading.xml
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/upgrading.xml?rev=956396&r1=956395&r2=956396&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/docs/manual/upgrading.xml (original)
> +++ httpd/httpd/trunk/docs/manual/upgrading.xml Sun Jun 20 19:48:13 2010
[snip]
>    <section id="run-time">
>      <title>Run-Time Configuration Changes</title>
> +    <p>There have been significant changes in authorization configuration,
> +    and other minor configuration changes, that could require changes to your 2.2
> +    configuration files before using them for 2.4.</p>
> +
> +    <section id="authz">
> +      <title>Authorization</title>
> +
> +      <p>Any configuration file that uses authorization will likely
> +      need changes.</p>
> +
> +    <p>You should review the <a href="howto/auth.html">Authentication,
> +    Authorization and Access Control Howto</a>, especially the section
> +    <a href="howto/auth.html#beyond">Beyond just authorization</a>
> +    which explains the new mechanisms for controlling the order in
> +    which the authorization directives are applied.</p>
> +
> +    <section id="access">
> +      <title>Access control</title>
> +
> +      <p>In 2.2, access control based on client hostname, IP address,
> +      and other characteristics of client requests was done using the
> +      directives <directive
> +      module="mod_access_compat">Order</directive>, <directive
> +      module="mod_access_compat">Allow</directive>, <directive
> +      module="mod_access_compat">Deny</directive>, and <directive
> +      module="mod_access_compat">Satisfy</directive>.</p>
> +
> +      <p>In 2.4, such access control is done in the same way as other
> +      authorization checks, using the new module
> +      <module>mod_authz_host</module>.  The old access control idioms
> +      should be replaced by the new authentication mechanisms,
> +      although for compatibility with old configurations, the new
> +      module <module>mod_access_compat</module> is provided.</p>
> +
> +      <p>Here are some examples of old and new ways to do the same
> +      access control.</p>
> +
> +      <p>In this example, all requests are denied.</p>
> +      <example>
> +        <title>2.2 configuration:</title>
> +        Order deny,allow<br />
> +        Deny from all
> +      </example>
> +      <example>
> +        <title>2.4 configuration:</title>
> +        Require all denied
> +      </example>
> +
> +      <p>In this example, all requests are allowed.</p>
> +      <example>
> +        <title>2.2 configuration:</title>
> +        Order allow,deny<br />
> +        Allow from all
> +      </example>
> +      <example>
> +        <title>2.4 configuration:</title>
> +        Require all granted
> +      </example>
> +
> +      <p>In the following example, all hosts in the apache.org domain
> +      are allowed access; all other hosts are denied access.</p>
> +
> +      <example>
> +        <title>2.2 configuration:</title>
> +        Order Deny,Allow<br />
> +        Deny from all<br />
> +        Allow from apache.org
> +      </example>
> +      <example>
> +        <title>2.4 configuration:</title>
> +        Require host apache.org
> +      </example>
> +    </section>
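
Review bot: in the paragraph introducing mod_authz_host, "should be replaced by the new authentication mechanisms" should say "authorization mechanisms". The sentence before it says access control is now done like other authorization checks, and every replacement shown is a Require directive. Satisfy is listed among the 2.2 directives, but none of the three example pairs shows what replaces it; a fourth pair covering a Satisfy configuration would close that gap, since that is the case where a wrong translation most easily changes who gets access. Next to the mod_access_compat sentence it would help to say whether Order/Allow/Deny and Require may be combined in the same configuration, because the text offers the compat module as a way to keep old directives. Minor: the section with id="authz" is opened but only the id="access" section is closed in the lines quoted here, and the examples capitalise the argument inconsistently ("Order deny,allow" vs "Order Deny,Allow").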


   Thanks for the work on documenting the trunk/2.4 authn/z stuff -- as
usual, I've been swamped with other work and unable to circle back to
any of it.  Hopefully I can provide bits of info and support, though,
to help push 2.4 on its way.

   One thing I should note overall about any work I did in the last
year or two is that the intention was always to ensure that (a) existing
modules written for 2.2 should continue to function without changes, and
(b) existing httpd configurations from 2.2 should work out-of-the-box
(so long as you loaded the necessary modules in 2.4), and not lose any
degree of security or functionality.  I can't say that those goals were
achieved 100%, but that was the intention, at least.  The previous
rewrite of trunk authn/z, which introduced the "containers", created
a number of incompatibilities, and the idea was to iron those out.
I think you've captured the key issues here very neatly.  Thank you,

Chris.

-- 
GPG Key ID: 088335A9
GPG Key Fingerprint: 86CD 3297 7493 75BC F820  6715 F54F E648 0883 35A9