Hi again, 2016-04-04 16:19 GMT+02:00 Hildegard Meier <daku8...@gmx.de>:
> > > > Solution is to replace the "Order allow,deny Allow from all" with > "Require all granted". > > > > I do not know, why the legacy directive has no effect in this case and I > suggest to give a hint on this case in the upgrade guide > > > > > https://httpd.apache.org/docs/2.4/upgrading.html[https://httpd.apache.org/docs/2.4/upgrading.html] > > >> Maybe I am missing something but this use case is described in > https://httpd.apache.org/docs/2.4/upgrading.html#run-time[https://httpd.apache.org/docs/2.4/upgrading.html#run-time] > ==> Access control.. > > The point is, that in the documentation is written "The old access control > idioms _should_ be replaced [...] for compatibility with old > configurations, the new module mod_access_compat is provided." > > But in my case, the old access control idioms _has to_ be replaced, there > is _no compatibility_. > > It seems to me that there is some problem with mixing old and new style, > which is also mentioned here: > > "A mix of allow (2.2) and require (2.4) directives while using apache > HTTPD 2.4, used in the same or separate directory blocks. The new 2.4 > directives should be used exclusively, and the mod_access_compat module > should be unloaded by commenting out the LoadModule directive." > > (source: https://wiki.apache.org/httpd/ClientDeniedByServerConfiguration) > Now it makes more sense, thanks for the clarification. AFAIK both configurations could have be placed in the same httpd conf as long as mod_access_compat and mod_authz_host modules were loaded but I might be wrong at this point. > > > > I also second the comment from 2013-05-20 on > > > https://httpd.apache.org/docs/2.4/mod/mod_access_compat.html[https://httpd.apache.org/docs/2.4/mod/mod_access_compat.html] > > > "The documentation doesn't mention how authz_host and mod_access_compat > directives interact when both modules are installed. From people testing > here it seems that "deny" rule is always in effect, regardless if it is > comming from authz_host or access_compat. Official description of these > interactions would be welcome." > > >> Info available: > >> > >> - upgrade doc ==> "In 2.4, such access control is done in the same way > as other authorization checks, using the new module mod_authz_host. The old > access control idioms should be replaced by the new authentication > mechanisms, although for compatibility with old configurations, the new > module mod_access_compat is provided." > >> > >> - mod_access_compact ==> "The directives provided by mod_access_compat > have been deprecated by the new authz refactoring. Please see > mod_authz_host." > >> > >> Could you give us some advice about the info needed to make this > document clearer? > > Another case: > > <Location /server-status> > SetHandler server-status > > Order deny,allow > Deny from all > Allow From 1.2.3.4 > </Location> > > _works_ with 2.4. Changing it to > > <Location /server-status> > SetHandler server-status > > Require ip 1.2.3.4 > </Location> > > Gives > > "[access_compat:error] [client 1.2.3.4] AH01797: client denied by server > configuration: /var/www/docs/default/server-status" > > and does _not_ work anymore, so I have to switch back to old style. > > Clarification to understand: Did you load both mod_access_compat and mod_authz_host right? I am going to check your bug report asap to see if I can get a repro (should be easy), and in case we'll amend the docs accordingly. Thanks again! Luca
