https://bugzilla.novell.com/show_bug.cgi?id=855049

Summary: apache-2.4 new or old access control syntax does nothing
Classification: openSUSE
Product: openSUSE 13.1
Version: Final
Platform: x86-64
OS/Version: openSUSE 13.1
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Apache
AssignedTo: bnc-team-apache@forge.provo.novell.com
ReportedBy: jimc@math.ucla.edu
QAContact: qa-bugs@suse.de
Found By: Customer
Blocker: ---

Sorry for the extra verbiage, but this topic is a can of worms and I think it's important to be very clear what I'm complaining about. I was surprised to not find any SuSE bug reports on this issue (with the keywords I used) given complaints in forums.

In Apache-2.4 there is a new syntax for access control. In Apache-2.4 you would say (in a Directory or Location block or several other places):

    Order allow,deny
    Allow from all
  --or--
    Deny from all

In Apache-2.4 the non-deprecated syntax is

    Require all granted --or-- denied

In addition, if you load mod_authz_host you can replace "all" with a host name or pattern, which was a core function of Allow/Deny. The new directives and their underlying modules are superior in that they integrate better with the workflow of the other authorization and authentication modules, and they provide more flexible access control conditions. However, there are a lot of websites out there which use Order/Allow/Deny, and if the website goes down immediately upon upgrading to OpenSuSE-13.1 with Apache-2.4, this is a showstopper. Therefore a compatibility module, auth_compat, has been provided. Webmasters generally believe that with this module, you should be able to use either syntax and it will be obeyed. They are mistaken.
The history of Apache versions on SuSE-13.1 goes like this:

    apache2-2.4.6-6.3.1    In OpenSuSE-13.1-final
    apache2-2.4.6-6.6.1    First patch
    apache2-2.4.6-6.10.1   Second patch

I'm going step by step, first downgrading to apache2-2.4.6-6.3.1 and investigating which syntaxes are effective. I have attached base copies of /etc/sysconfig/apache2 and /etc/apache2/conf.d/simba.conf; the latter is the only conf file in that directory and has most complications removed. apache2-prefork is the MPM in use. Whenever I change a configuration file I do "systemctl restart apache2" (not reload).

When I say that the outcome is 200, that means the site index page is delivered to the browser in the normal way, whereas an outcome of 403 means that access is forbidden and this message appears in /var/log/apache2/error_log:

    [Wed Dec 11 10:41:24.475511 2013] [access_compat:error] [pid 6838] [client 2607:f010:8061:47d:baca:3aff:fe80:8cbb:35026] AH01797: client denied by server configuration: /h1/www/htdocs/

Results for apache2-2.4.6-6.3.1:

Would not start, saying that /etc/apache2/default-server.conf has "Require" syntax (3 places). Changed by hand to Order/Allow. Now it starts, saying:

    [Wed Dec 11 11:34:43.462409 2013] [core:warn] [pid 8075] AH00117: Ignoring deprecated use of DefaultType in line 140 of /etc/apache2/httpd.conf.
    [Wed Dec 11 11:34:43.473428 2013] [ssl:warn] [pid 8075] AH01873: Init: Session Cache is not configured [hint: SSLSessionCache]
    [Wed Dec 11 11:34:43.474066 2013] [mpm_prefork:notice] [pid 8075] AH00163: Apache/2.4.6 (Linux/SUSE) OpenSSL/1.0.1e configured -- resuming normal operations
    [Wed Dec 11 11:34:43.474080 2013] [core:notice] [pid 8075] AH00094: Command line: '/usr/sbin/httpd2-prefork -f /etc/apache2/httpd.conf -D SYSTEMD -D FOREGROUND'

But the outcome is 500 "Internal Server Error".
    [Wed Dec 11 11:35:04.957751 2013] [core:crit] [pid 8093] [client 2607:f010:8061:47d:baca:3aff:fe80:8cbb:35055] AH00025: configuration error: couldn't check user: /

It's saying that it wants mod_authz_core. I provided it. Now the outcome is 200. Summary of the outcomes with and without each kind of authorization syntax:

    403: no Require, no Order
    200: no Require, yes Order
    die: yes Require, no Order (Require is considered to be a syntax error)
    die: yes Require, yes Order

Upgrading to apache2-2.4.6-6.6.1:

/etc/apache2/default-server.conf now has "Require all granted" (3 places), and I changed simba.conf accordingly. The server starts and the outcome is 200.

    403: no Require, no Order
    403: no Require, yes Order
    200: yes Require, no Order
    200: yes Require, yes Order

Upgrading to apache2-2.4.6-6.10.1:

/etc/apache2/default-server.conf has reverted to "Order; Accept" (3 places). I reverted simba.conf correspondingly and got an outcome of 200.

    403: no Require, no Order
    200: no Require, yes Order
    403: yes Require, no Order
    200: yes Require, yes Order

So in summary, there is a default authorization denying access to everything, and you get a 403 unless you add some sort of positive authorization. "Order; Accept" is accepted in all versions but does nothing in apache2-2.4.6-6.6.1. "Require" is accepted in all but the original apache2-2.4.6-6.3.1, but does nothing in apache2-2.4.6-6.10.1.

What I would like the developers to do in the next Apache iteration: make both "Require all granted/denied" and "Order; Accept/Deny" give or block access. I'm not happy that when apache2-2.4.6-6.6.1 appeared I converted all my webservers to use the new syntax, and now I have to convert them all back for apache2-2.4.6-6.10.1.
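An audit script, added here as an example and not part of this bug report or of the Apache project, that walks an httpd configuration and reports for each Directory/Location/Files section which access-control syntax it carries: only Order/Allow/Deny (mod_access_compat), only Require (mod_authz_core), both, or neither. Sections with neither are the ones that fall to the default 403 described above, and sections with both are the ones whose effect differed between the package versions tested. The embedded configuration is constructed for the example, not the reporter's simba.conf.

```python
import re

# Constructed sample configuration (not the reporter's simba.conf).
SAMPLE_CONF = """\
<Directory "/h1/www/htdocs">
    Options FollowSymLinks
    Order allow,deny
    Allow from all
</Directory>
<Directory "/srv/www/new">
    Require all granted
</Directory>
<Location "/mixed">
    Order allow,deny
    Allow from all
    Require all granted
</Location>
<Directory "/srv/www/private">
    Options None
</Directory>
"""

SECTION = r'Directory|DirectoryMatch|Location|LocationMatch|Files|FilesMatch'
OPEN_RE = re.compile(rf'^\s*<({SECTION})\s+(.+?)>\s*$', re.I)
CLOSE_RE = re.compile(rf'^\s*</({SECTION})>\s*$', re.I)
OLD_RE = re.compile(r'^\s*(Order|Allow|Deny)\s', re.I)                 # mod_access_compat
NEW_RE = re.compile(r'^\s*(Require\s|<Require(All|Any|None))', re.I)   # mod_authz_core

def classify_sections(conf: str) -> dict:
    """Return {'Directory "/x"': 'order' | 'require' | 'both' | 'none', ...}."""
    result, stack = {}, []          # stack holds (section name, flags) for nested sections
    for raw in conf.splitlines():
        line = raw.split('#', 1)[0]  # strip trailing comments
        if m := OPEN_RE.match(line):
            stack.append((f'{m.group(1)} {m.group(2)}', {'old': False, 'new': False}))
        elif CLOSE_RE.match(line):
            name, flags = stack.pop()
            result[name] = {(True, False): 'order', (False, True): 'require',
                            (True, True): 'both'}.get((flags['old'], flags['new']), 'none')
        elif stack:
            if OLD_RE.match(line):
                stack[-1][1]['old'] = True
            if NEW_RE.match(line):
                stack[-1][1]['new'] = True
    return result

def needs_attention(conf: str) -> dict:
    """Sections that get the default 403 ('none') or mix both syntaxes ('both')."""
    return {k: v for k, v in classify_sections(conf).items() if v in ('none', 'both')}
```

Run it over a real httpd.conf (and the files it includes) to spot sections with no positive authorization before upgrading between the package versions above.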