From: Eric Covener Date: Mon, 5 Dec 2016 19:39:40 +0000 (+0000) Subject: Merge r1772758 from trunk: X-Git-Tag: 2.4.24~73 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4add50908a90ccdd824a81a4d9360b22ff875305;p=thirdparty%2Fapache%2Fhttpd.git Merge r1772758 from trunk: provide more access control migration hints current examples don't account for when access control overlaps with authentication. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1772762 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/upgrading.xml b/docs/manual/upgrading.xml index 64580c69beb..f340fa310cb 100644 --- a/docs/manual/upgrading.xml +++ b/docs/manual/upgrading.xml @@ -153,7 +153,7 @@

Here are some examples of old and new ways to do the same access control.

-

In this example, all requests are denied.

+

In this example, there is no authentication and all requests are denied.

2.2 configuration: @@ -168,7 +168,7 @@ Deny from all -

In this example, all requests are allowed.

+

In this example, there is no authentication and all requests are allowed.

2.2 configuration: @@ -183,7 +183,7 @@ Allow from all -

In the following example, all hosts in the example.org domain +

In the following example, there is no authentication and all hosts in the example.org domain are allowed access; all other hosts are denied access.

@@ -257,6 +257,88 @@ access.log - GET /server-status 200 127.0.0.1

+

In many configurations with authentication, where the value of the + Satisfy was the default of ALL, snippets + that simply disabled host-based access control are omitted:

+ + + 2.2 configuration: + +Order Deny,Allow +Deny from all +AuthBasicProvider File +AuthUserFile /example.com/conf/users.passwd +AuthName secure +Require valid-user + + + + 2.4 configuration: + +# No replacement needed +AuthBasicProvider File +AuthUserFile /example.com/conf/users.passwd +AuthName secure +Require valid-user + + + +

In configurations where both authentication and access control were meaningfully combined, the + access control directives should be migrated. This example allows requests meeting both criteria:

+ + 2.2 configuration: + +Order allow,deny +Deny from all +# Satisfy ALL is the default +Satisfy ALL +Allow from 127.0.0.1 +AuthBasicProvider File +AuthUserFile /example.com/conf/users.passwd +AuthName secure +Require valid-user + + + + 2.4 configuration: + +AuthBasicProvider File +AuthUserFile /example.com/conf/users.passwd +AuthName secure +<RequireAll> + Require valid-user + require ip 127.0.0.1 +</RequireAll> + + + +

In configurations where both authentication and access control were meaningfully combined, the + access control directives should be migrated. This example allows requests meeting either criteria:

+ + 2.2 configuration: + +Order allow,deny +Deny from all +Satisfy any +Allow from 127.0.0.1 +AuthBasicProvider File +AuthUserFile /example.com/conf/users.passwd +AuthName secure +Require valid-user + + + + 2.4 configuration: + +AuthBasicProvider File +AuthUserFile /example.com/conf/users.passwd +AuthName secure +# Implicitly <RequireAny> +Require valid-user +Require ip 127.0.0.1 + + +
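Review bot: In the @@ -257,6 +257,88 @@ hunk, the 2.2 snippets do not behave the way the added prose describes, so the 2.2/2.4 pairs are not equivalent. In the first pair, `Deny from all` under the default `Satisfy ALL` rejects every request even with valid credentials; a snippet that "simply disabled host-based access control" would pair `Order Deny,Allow` with `Allow from all`. In the second and third pairs, `Order allow,deny` evaluates the Deny rules last, so `Deny from all` overrides `Allow from 127.0.0.1`: the "both criteria" example denies everyone, and the `Satisfy any` example never admits 127.0.0.1 without credentials, while its 2.4 counterpart does. A reader who copies the 2.4 side would therefore widen access compared with the 2.2 side as written. Using `Order deny,allow` in both 2.2 snippets makes them match `Require ip 127.0.0.1`. Smaller points: none of the snippets sets `AuthType`, so they depend on it being configured elsewhere, and adding `AuthType Basic` would make them self-contained; `require ip 127.0.0.1` inside `<RequireAll>` should be capitalised like the other `Require` lines; and in the prose, "the value of the Satisfy was" and "either criteria" read better as "the value of Satisfy was" and "either criterion".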