Upgrading httpd.conf from version 2.2 to 2.4 - apache

I have a problem, I accidentally upgraded from Apache 2.2 to 2.4 and now need to change my httpd.conf file to use the new Require directives instead of using the old Order and Allow directives. I think I have made all the changes I need to but there is one section I am not sure what I should replace it with. This is the section:
<FilesMatch "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>
This combination of Order, Deny and Satisfy confuses me as I am a newb at this. What is the proper 2.4 configuration to accomplish the same thing. I have tried googling an answer and searched this site but haven't found anything (perhaps using the wrong terms - I don't know). If some guru out there could provide some help that would be greatly appreciated.
Thanks!

The idioms have changed in Apache 2.4.
Read through "Upgrading to 2.4 from 2.2" at http://httpd.apache.org/docs/trunk/upgrading.html
Look for these entries:
2.2 configuration:
Order deny,allow
Deny from all
2.4 configuration:
Require all denied

In your case Satisfy All is not needed anymore:
v2.2
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
<FilesMatch "^\.ht">
Order allow,deny
Deny from all
Satisfy All
</FilesMatch>
v2.4:
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
<FilesMatch "^\.ht">
Require all denied
</FilesMatch>

i know this question was asked in 2014, but this solution is too good not to be published here...
on the old 2.2 Apache, i prepare the migration with:
<Location />
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
order allow,deny
allow from all
</IfVersion>
</Location>
Depending on the Apache version, the correct configuration-syntax will be used. And it does not matter if you run 2.2 or 2.4 .

Here's what I did to get Apache back up and running after upgrading:
Use the new installed apache2.conf file in the 'etc/apache2' directory. This will clear up quite a few errors. The new file has the new 'Require' syntax built in.
In the apache2.conf file the 'default' directory path is 'var/www'. Mine was different so I was pulling my hair out until I noticed it.
change all your VH files in the 'sites-available' directory e.g. xyzsite.com.conf (add '.conf' to the files. Same with the default file. You'll have to change the 'Require' syntax in this file as Henk points out.
The httpd.conf is simply not used, so if you have one you might as well delete it to avoid confusion in the future.
Hope this helps.

Related

Apache configuration - Point to a directory in Ubuntu 14.04

I have an Ubuntu 14.04 server with LAMP stack already installed.
I have a directory /home/alex/checkhtml which included some testing php and html.
What I want is when I access http://localhost/checkhtml , the content of /home/alex/checkhtml will be showed (Actually /home/alex/checkhtml/index.html)
Here is what I did:
Go to: /etc/apache2/conf-available and create apache-php.conf file
Add these lines to apache-php.conf:
Alias ^/php "/home/alex/php"
<Directory /home/alex/php>
Order allow,deny
Require all granted
</Directory>
Go to /home/alex/checkhtml and create .htaccess and add these lines:
<FilesMatch ".">
Allow from all
</FilesMatch>
Enable apache-php.conf and restart apache
However, when I tried: http://localhost/checkhtml . The error appear:
The requested URL /checkhtml was not found on this server.
Does anyone know what I did wrong here ?
Thank you and best regards.
Alex
You should use Alias driective for exact URL matching. If you want to use Regex matching then use AliasMatch directive:
AliasMatch "^/checkhtml" "/home/alex/checkhtml"
<Directory /home/alex/checkhtml>
Require all granted
</Directory>

apache2 and php5-fpm, how to correctly process *.phps files?

I've setup my server using apache2 and php5-fpm, pretty much like in this guide:
http://www.versatilewebsolutions.com/blog/2012/11/installing-apache-2-with-php-fastcgi-on-ubuntu-12-10.html
The only question left is, how can I configure it to correctly process the *.phps files?
I want to show the highlighted code of them.
There are guides for nginx and php-fpm ( https://blog.kamalnasser.net/post/highlighting-phps-files-in-nginx/ ), but what should we do with apache2 ?
Caveats: Ubuntu 14.10, Apache/2.4.10
In the file /etc/apache2/mods-available/php5.conf:
<FilesMatch ".+\.phps$">
SetHandler application/x-httpd-php-source
# Deny access to raw php sources by default
# To re-enable it's recommended to enable access to the files
# only in specific virtual host or directory
Order Deny,Allow
Deny from all
</FilesMatch>
Add a with "Allow from all" (or something more appropriate to your paranoia-level) to you host config, and you'll be all set.
My config:
<Directory /my/very/long/and/winding/server/path/public_html/phpsource/>
<FilesMatch ".+\.phps$">
Order Deny,Allow
Allow from all
</FilesMatch>
</Directory>
Php Source files in other directories get denied, the ones in that directory gets displayed. It works like a charm...
This should do it:
AddType application/x-httpd-php-source .phps
Add it to your apache config file. There should be a similar line like this:
AddType application/x-httpd-php .php
So just add it below.

How to Set AllowOverride all

I want to set the AllowOverride all But I don't know how to do it. I have found the following code by searching the google and pasted it in .htaccess:
<Directory>
AllowOverride All
</Directory>
But after pasting it I started receiving "Internal Server Error"
Can anyone guide me where to put this code or how to do it?
In case you are on Ubuntu, edit the file /etc/apache2/apache2.conf (here we have an example of /var/www):
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
and change it to;
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
then,
sudo service apache2 restart
You may need to also do sudo a2enmod rewrite to enable module rewrite.
The main goal of AllowOverride is for the manager of main configuration files of apache (the one found in /etc/apache2/ mainly) to decide which part of the configuration may be dynamically altered on a per-path basis by applications.
If you are not the administrator of the server, you depend on the AllowOverride Level that theses admins allows for you. So that they can prevent you to alter some important security settings;
If you are the master apache configuration manager you should always use AllowOverride None and transfer all google_based example you find, based on .htaccess files to Directory sections on the main configuration files. As a .htaccess content for a .htaccess file in /my/path/to/a/directory is the same as a <Directory /my/path/to/a/directory> instruction, except that the .htaccess dynamic per-HTTP-request configuration alteration is something slowing down your web server. Always prefer a static configuration without .htaccess checks (and you will also avoid security attacks by .htaccess alterations).
By the way in your example you use <Directory> and this will always be wrong, Directory instructions are always containing a path, like <Directory /> or <Directory C:> or <Directory /my/path/to/a/directory>. And of course this cannot be put in a .htaccess as a .htaccess is like a Directory instruction but in a file present in this directory. Of course you cannot alter AllowOverride in a .htaccess as this instruction is managing the security level of .htaccess files.
Goto your_severpath/apache_ver/conf/
Open the file httpd.conf in Notepad.
Find this line:
#LoadModule vhost_alias_module modules/mod_vhost_alias.so
Remove the hash symbol:
LoadModule vhost_alias_module modules/mod_vhost_alias.so
Then goto <Directory />
and change to:
<Directory />
Options FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
Then restart your local server.
On Linux, in order to relax access to the document root, you should edit the following file:
/etc/httpd/conf/httpd.conf
And depending on what directory level you want to relax access to, you have to change the directive
AllowOverride None
to
AllowOverride All
So, assuming you want to allow access to files on the /var/www/html directory, you should change the following lines from:
<Directory "/var/www/html">
AllowOverride None
</Directory>
to
<Directory "/var/www/html">
AllowOverride All
</Directory>
If you are using Linux you may edit the code in the directory of
/etc/httpd/conf/httpd.conf
now, here find the code line kinda like
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride None
#
# Controls who can get stuff from this server.
#
Order allow,deny
Allow from all
</Directory>
Change the AllowOveride None to AllowOveride All
Now now you can set any kind of rule in your .httacess file inside your directories
if any other operating system just try to find the file of httpd.conf and edit it.
As other users explained here about the usage of allowoveride directive, which is used to give permission to .htaccess usage. one thing I want to point out that never use allowoverride all if other users have access to write .htaccess instead use allowoveride as to permit certain modules.
Such as AllowOverride AuthConfig mod_rewrite Instead of
AllowOverride All
Because module like mod_mime can render your server side files as plain text.
enter code hereif you are using linux you have to edit the
`/etc/apache2/sites-available/000-default.conf`
under the Documentroot . add the following code
`<Directory /var/www/>
AllowOverride all
Require all granted
</Directory>`
then ,
`sudo service apache2 restart`
and you have to enable the apache mod rewrite
`sudo a2enmod rewrite`
I think you want to set it in your httpd.conf file instead of the .htaccess file.
I am not sure what OS you use, but this link for Ubuntu might give you some pointers on what to do.
https://help.ubuntu.com/community/EnablingUseOfApacheHtaccessFiles
I also meet this problem, and I found the solution as 2 step below:
1. In sites-enabled folder of apache2, you edit in Directory element by set "AllowOverride all" (should be "all" not "none")
2. In kohana project in www folder, rename "example.htaccess" to ".htaccess"
I did it on ubuntu. Hope that it will help you.
There are several answers but there a number of things wrong with this question and I would like to address these:
If you get an error (e.g. 500), look in the log files (if you have access to them). e.g. /var/log/apache2/ssl_error.log
e.g.
cat /var/log/apache2/ssl_error.log
[Tue Jun 01 19:05:34 2021] [alert] [pid 31154] config.c(2119):
[client *******] /var/www/mysite/public/tmp/.htaccess:
<Directory not allowed here [lid YLZo3quRlv2EKOAABVoFLwAAAIM]
Putting AllowOverrides in a .htaccess makes no sense and is not allowed. See Context. See also my explanation below. It should be defined in the Apache configuration (e.g. /etc/apache2)
Allowing everything is usually not the best idea. Be as restrictive as possible!
the Directory directive is missing a directory, should be e.g. <Directory /var/www/html/etc>
the Directory directive does not make sense in an .htaccess. The location of the .htaccess in a directory already has the effect of making the statements within apply to a specific directory
do not mix and match snippets that are intended to be put in the Apache configuration (e.g. in /etc/apache2/...) with statements that are intended to be put in .htaccess - though most of the time, they will be identical, there are some subtle differences
If you have the possibility to modify the Apache configuration directly, do not use .htaccess and deactivate it. (for performance reasons, among others. Also you can have all configuration in one place, put it in version control or manage it via a software configuration management tool, e.g. Puppet, Ansible, SaltStack)
Unless you really cannot access and modify the Apache configuration directly, you do not need .htaccess. This is a common misconception.
That you saw a 500 error proves my point. If you change configuration in the Apache configuration directly (and not in .htaccess), you will usually get an error message with an explanation and information about the error and the line number (e.g. when you do service apache2 reload or apachectl configtest) - which gives you the possibility to fix the error before applying this in production(!).
Also, look in the documentation. It is really quite good. For most directives, you can find where they apply (see "Context").
For example, for IfModule, you can see:
Context: server config, virtual host, directory, .htaccess
For, AllowOverrides it is:
Context: directory
Note the missing .htaccess in the Context!
Instead of googling for information which repeat the same mistakes over and over, look in the documentation!
Docs
AllowOverrides
https://www.danielmorell.com/guides/htaccess-seo/basics/dont-use-htaccess-unless-you-must
SuSE Linux Enterprise Server
Make sure you are editing the right file
https://www.suse.com/documentation/sles11/book_sle_admin/data/sec_apache2_configuration.html
httpd.conf
The main Apache server configuration file. Avoid changing this file. It primarily contains include statements and global settings. Overwrite global settings in the pertinent configuration files listed here. Change host-specific settings (such as document root) in your virtual host configuration.
In such case vhosts.d/*.conf must be edited
Plus those upvoted correct answers sometimes same error could be seen because of mismatched and different settings on SSL part of webserver configurations. (Obviously when not using .htaccess file).

Apache: client denied by server configuration

I am getting
[Tue Apr 24 12:12:55 2012] [error] [client 127.0.0.1] client denied by server configuration: /labs/Projects/Nebula/bin/
My directory structure looks like (I am using Symfony 2, should be similar structure for other web frameworks)
I have vhosts setup like:
<VirtualHost nebula:80>
DocumentRoot "/labs/Projects/Nebula/web/"
ServerName nebula
ErrorLog "/var/log/httpd/nebula-errors.log"
</VirtualHost>
<Directory "/labs/Projects/Nebula/">
Options All
AllowOverride All
Order allow,deny
Allow from 127.0.0 192.168.1 ::1 localhost
</Directory>
I wonder whats the problem and how do I fix it?
Apache 2.4.3 (or maybe slightly earlier) added a new security feature that often results in this error. You would also see a log message of the form "client denied by server configuration". The feature is requiring an authorized user identity to access a directory. It is turned on by DEFAULT in the httpd.conf that ships with Apache. You can see the enabling of the feature with the directive
Require all denied
This basically says to deny access to all users. To fix this problem, either remove the denied directive (or much better) add the following directive to the directories you want to grant access to:
Require all granted
as in
<Directory "your directory here">
Order allow,deny
Allow from all
# New directive needed in Apache 2.4.3:
Require all granted
</Directory>
OK I am using the wrong syntax, I should be using
Allow from 127.0.0.1
Allow from ::1
...
In Apache 2.4 the old access authorisation syntax has been deprecated and replaced by a new system using Require.
What you want then is something like the following:
<Directory "/labs/Projects/Nebula/">
Options All
AllowOverride All
<RequireAny>
Require local
Require ip 192.168.1
</RequireAny>
</Directory>
This will allow connections that originate either from the local host or from ip addresses that start with "192.168.1".
There is also a new module available that makes Apache 2.4 recognise the old syntax if you don't want to update your configuration right away:
sudo a2enmod access_compat
I had this issue using Vesta CP and for me, the trick was remove .htaccess and try to access to any file again.
That resulted on regeneration of .htaccess file and then I was able to access to my files.
Can you try changing "Allow from 127.0.0 192.168.1 ::1 localhost" to "Allow from all".
If that fixes your problem, you need to be less restrict about where content can be requested from
Here's my symfony 1.4 virtual host file on debian, which works fine.
<Directory /var/www/sf_project/web/>
Options All Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from all
</Directory>
If you wan't to restrict access to a specific ip range, e.g. localhost use this:
Allow from 127.0.0.0/8
The mod_authz_host is responsible for filtering ip ranges. You can look up detailed things in there.
But maybe the problem could be related to some kind of misconfiguration in your "apache2.conf".
On what OS is the apache running?
if you are having the
Allow from All
in httpd.conf then make sure us have
index.php
like in the below line in httpd.conf
DirectoryIndex index.html index.php
In my case the key was:
AllowOverride All
in vhost definition.
I hope it helps someone.
This code worked for me..
<Location />
Allow from all
Order Deny,Allow
</Location>
Hope this helps others

using apache location directive to list folders from trac

I have the following directory structure:
--var
----trac
------company1
--------project1
--------project2
------company2
--------project3
--------project4
and i was wondering if theres a way to specify in httpd.conf to list the directories when i go to domain.com/trac. Currently i wrote:
<Location /trac>
Options Indexes
</Location>
But i dont know how to specify the document root to /var/trac.
I tried to do
PythonOption TracEnvParentDir "/var/trac"
PythonOption TracUriRoot "/trac
but i get error 500, and i believe that is because the folders in /var/trac are not trac environments.
thanks.
I think you're right. You need to find a way to let Apache handle requests to "/" without the help of Python and trac.
It's a bit hard to give you advice because I don't know what your httpd.conf looks right now, but my trac-setup used a <LocationMatch> directive to catch everything that should not be handled by trac so Apache can take care of it.
So you could do something like this:
<LocationMatch "^/trac/.+">
# Your trac directives here
PythonHandler trac.web.modpython_frontend
....
</Location>
Alias /trac "/var/trac"
<Directory "/var/trac">
Options Indexes
Order allow,deny
Allow from all
</Directory>