[opensuse-packaging] Packaging web-apps for Apache 2.2/2.4 containing require/deny sections
Dear all!

Recently many Webapp packages contain complicated constructions to allow/deny access to directories; those constructions can IMHO be simplified.

1) Allow access. To ensure that access on Apache 2.4 is allowed it must be ensured that the compatibility module (if installed) allows access _and_ the new module, too. Both could inherit DENY from other paths:

    <IfVersion >= 2.4>
        <IfModule mod_access_compat.c>
            Order allow,deny
            Allow from all
        </IfModule>
        Require all granted
    </IfVersion>
    <IfVersion < 2.4>
        Order allow,deny
        Allow from all
    </IfVersion>

2) Disallow access. For Apache 2.4 it's enough to disallow access with one strategy. So the structure can be more simple:

    <IfVersion >= 2.4>
        Require all denied
    </IfVersion>
    <IfVersion < 2.4>
        Order allow,deny
        Deny from all
    </IfVersion>

Is this logic correct? Does anyone see a problem with that? Shall that be documented in the wiki?

--
Johannes Weberhofer
Weberhofer GmbH, Austria, Vienna
On Friday, 24 April 2015, 10:44:02, Johannes Weberhofer wrote:
Dear all!
Recently many Webapp packages contain complicated constructions to allow/deny access to directories; those constructions can IMHO be simplified.
1) Allow access. To ensure that access on Apache 2.4 is allowed it must be ensured that the compatibility module (if installed) allows access _and_ the new module, too. Both could inherit DENY from other paths:

    <IfVersion >= 2.4>
        <IfModule mod_access_compat.c>
            Order allow,deny
            Allow from all
        </IfModule>
        Require all granted
    </IfVersion>
    <IfVersion < 2.4>
        Order allow,deny
        Allow from all
    </IfVersion>

2) Disallow access. For Apache 2.4 it's enough to disallow access with one strategy. So the structure can be more simple:

    <IfVersion >= 2.4>
        Require all denied
    </IfVersion>
    <IfVersion < 2.4>
        Order allow,deny
        Deny from all
    </IfVersion>

Is this logic correct? Does anyone see a problem with that? Shall that be documented in the wiki?

Point 1 seems to be from the new Bugzilla source. Discussion about that at: https://bugzilla.mozilla.org/show_bug.cgi?id=1121477

I normally use:

    <IfModule mod_authz_core.c>
        # Apache 2.4
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order allow,deny
        Allow from all
    </IfModule>

and the complement for deny.

Regards
Eric
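
Added example (not part of either mail, and not openSUSE or Apache project code): a small packaging-time check that walks a web-app config snippet and reports access rules that sit outside the guards discussed in this thread. The names `era`, `lint`, `GUARDED` and `UNGUARDED` and the path `/srv/www/example` are hypothetical, and the check assumes only the `<IfVersion>` and `<IfModule>` guard forms shown above are in use.

```python
import re

LEGACY = {"order", "allow", "deny", "satisfy"}  # native on 2.2, mod_access_compat on 2.4
OPEN = re.compile(r"^<(IfVersion|IfModule)\s+(.*)>$", re.I)
CLOSE = re.compile(r"^</(IfVersion|IfModule)>$", re.I)

def era(kind, arg):
    """Classify a guard block: 'old' (pre-2.4), 'new' (2.4+), 'compat' or None."""
    arg = arg.strip().lower()
    if kind.lower() == "ifmodule":
        if arg.lstrip("!") in ("mod_authz_core.c", "authz_core_module"):
            return "old" if arg.startswith("!") else "new"
        if arg in ("mod_access_compat.c", "access_compat_module"):
            return "compat"
        return None
    m = re.match(r"(<=|>=|<|>)\s*(\d+)\.(\d+)", arg)
    if not m:
        return None  # unrecognised comparison: treat the block as no guard at all
    op, ver = m.group(1), (int(m.group(2)), int(m.group(3)))
    if op in (">=", ">") and ver >= (2, 4):
        return "new"
    if (op == "<" and ver <= (2, 4)) or (op == "<=" and ver < (2, 4)):
        return "old"
    return None

def lint(conf):
    """Return (line_no, text, problem) for access rules outside a matching guard."""
    stack, findings = [], []
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := OPEN.match(line):
            stack.append(era(m.group(1), m.group(2)))
        elif CLOSE.match(line):
            del stack[-1:]  # tolerate an unbalanced close instead of raising
        elif line.lower().split()[0] in LEGACY and not {"old", "compat"} & set(stack):
            findings.append((no, line, "2.2-style rule without 2.2/compat guard"))
        elif line.lower().split()[:2] == ["require", "all"] and "new" not in stack:
            findings.append((no, line, "2.4-style rule without 2.4 guard"))
    return findings

# Constructed samples: the guarded "allow" form from the first mail, and an unguarded mix.
GUARDED = ("<IfVersion >= 2.4>\n<IfModule mod_access_compat.c>\nOrder allow,deny\n"
           "Allow from all\n</IfModule>\nRequire all granted\n</IfVersion>\n"
           "<IfVersion < 2.4>\nOrder allow,deny\nAllow from all\n</IfVersion>")
UNGUARDED = "<Directory /srv/www/example>\nOrder allow,deny\nRequire all denied\n</Directory>"
print(lint(GUARDED), lint(UNGUARDED), sep="\n")
```

Both guard styles from the thread pass cleanly; the unguarded snippet is reported on the `Order` and `Require` lines.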
participants (2): Eric Schirra, Johannes Weberhofer