Univention Bugzilla – Bug 47244
Replace "Order allow/deny" Apache config directive with "Require all granted/…"
Last modified: 2023-09-26 11:00:48 CEST
The UCR template for /etc/apache2/sites-available/univention-saml.conf uses both old Apache 2.2 and new Apache 2.4 access control syntax.

"Mixing old directives like Order, Allow or Deny with new ones like Require is technically possible but discouraged. mod_access_compat was created to support configurations containing only old directives to facilitate the 2.4 upgrade. Please check the examples below to get a better idea about issues that might arise."

Quote from: https://httpd.apache.org/docs/current/upgrading.html

The diff for new Apache 2.4 syntax looks as follows:

@@ -28,8 +28,7 @@ </FilesMatch> Action php-cgi /saml-bin/php-cgi - Order allow,deny - Allow from all + Require all granted </Directory> <Directory /var/www/saml/> Options -Indexes
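Review bot: The trailing context opens "<Directory /var/www/saml/>" and is cut off after "Options -Indexes", so the hunk does not show whether that block, or any other block in univention-saml.conf, still carries Order, Allow or Deny lines. Since the goal of this report is a template that no longer mixes the two syntaxes, convert every remaining 2.2-style line in the file in the same change. The commit message should also state that "Require all granted" is intended as the equivalent of the removed "Order allow,deny" / "Allow from all" pair, so that the access policy is visibly unchanged.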
This is not as simple as it seems, because we don't have a drop-in replacement for the line "Order allow,deny".

The apache2 documentation says "Mixing old directives like Order, Allow or Deny with new ones like Require is technically possible but discouraged. mod_access_compat was created to support configurations containing only old directives to facilitate the 2.4 upgrade. Please check the examples below to get a better idea about issues that might arise."

This is a problem, because we have a UCR variable named "apache2/proxy/access/order", which is for setting this exact line which we should not mix with "Require".

In UCS, we use the UCR variable in the following source files:
- services/univention-apache/conffiles/etc/apache2/mods-available/proxy.conf
- services/univention-apache/debian/univention-apache.univention-config-registry
- services/univention-apache/debian/univention-apache.univention-config-registry-variables

In UCS, we use the Order instruction in the following source files:
- saml/univention-saml/conffiles/etc/apache2/sites-available/univention-saml.conf
- services/univention-apache/conffiles/etc/apache2/conf-available/ucs.conf
- services/univention-apache/conffiles/etc/apache2/mods-available/proxy.conf
- services/univention-printserver/conffiles/etc/cups/cupsd.conf.d/01cupsd-base
- services/univention-printserver/conffiles/etc/cups/cupsd.conf.d/02cups-access-limit
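Added example, not part of the bug report or of UCS: a small Python audit that reports which containers in an Apache configuration still use the 2.2-style directives and whether the file mixes them with Require, the condition the comment above describes. The sample configuration and its paths are constructed.

```python
import re

# Directives implemented by mod_access_compat (Apache 2.2-style access control).
LEGACY = {"order", "allow", "deny", "satisfy"}
OPEN = re.compile(r"<\s*\w+[^>]*>")
CLOSE = re.compile(r"<\s*/\s*\w+\s*>")

# Constructed sample, not taken from the UCS templates.
SAMPLE = """\
<Directory /constructed/saml-bin/>
    Order allow,deny
    Allow from all
</Directory>
<Directory /constructed/saml/>
    Options -Indexes
    Require all granted
</Directory>
<Location /constructed/proxy>
    Order deny,allow
    Deny from all
    Require ip 192.0.2.0/24
</Location>
"""


def audit(conf_text):
    """Return (report, file_mixes). report maps each container that still
    uses 2.2-style directives to "legacy-only" or "mixed"; file_mixes is True
    when the file as a whole contains both syntaxes."""
    stack, seen = ["<global>"], {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            if len(stack) > 1:
                stack.pop()
        elif OPEN.match(line):
            stack.append(line)
        else:
            word = line.split(None, 1)[0].lower()
            kind = "legacy" if word in LEGACY else "require" if word == "require" else None
            if kind:
                seen.setdefault(stack[-1], set()).add(kind)
    report = {name: "mixed" if "require" in kinds else "legacy-only"
              for name, kinds in seen.items() if "legacy" in kinds}
    file_mixes = {"legacy", "require"} <= set().union(*seen.values())
    return report, file_mixes
```

A Require line nested in a block such as <RequireAll> is attributed to that inner block, so use the file-level flag as the primary signal and the per-container report to locate the lines to convert.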
A draft MR was: https://git.knut.univention.de/univention/ucs/-/merge_requests/599