RHEL7 Apache Config Changes

This actually applies to the default httpd.conf and ssl.conf for Fedora since version 19/20 (on which RHEL 7 is based).

Red Hat Enterprise Linux (RHEL) 7 and its Fedora counterpart(s) brought us the goodness that is Apache 2.4.6, a significant improvement over the stock Apache 2.2.15 that ships with the latest RHEL 6 updates.

The challenge, as usual for such things, is that there are also some significant differences in the configuration files. Most of these stem from syntax changes introduced by the upstream Apache HTTP Server Project.

One that bit me today was the change in “idiom” for access control directives discussed in the Upgrading from 2.2 to 2.4 document.

Basically what happened is that all those “Order, Allow, Deny” directives have now been discarded and replaced with “Require”. The convergence of the new access syntax with that traditionally used for specialized access modules like those supporting Basic Authentication was intentional, but will lead to unintended results for those who don’t thoroughly vet their existing configurations.

In my case that led to a frustrating hour trying to figure out why visitors to a particular site supposedly protected by Basic Authentication weren’t being challenged to provide a username and password.

After reviewing my configuration and being satisfied it met all the requirements of the 2.4 doc, I took a closer look at the rest of the httpd.conf file. What I found was a “Require all granted” directive in the <Directory> block for the protected site. That, of course, conflicted with the “Require valid-user” further down that was invoked by the Basic Authentication configuration: Apache 2.4 treats multiple Require directives in the same section as an implicit <RequireAny>, so the “all granted” line satisfied authorization on its own and the valid-user check never came into play. The solution was to remove the offending Require directive, leaving a configuration that looked like this:

<VirtualHost *:80>
    ServerAdmin webmaster@example.com
    DocumentRoot /var/www/html/wp1
    ServerName www.example.com
    ErrorLog /var/log/httpd/www.example.com-error_log
    CustomLog /var/log/httpd/www.example.com-access_log combined

    # The <Directory> path must match DocumentRoot, or the auth rules
    # below never apply to the site being served.
    <Directory /var/www/html/wp1>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        # Removed: a sibling "Require all granted" would grant access on its own
        # Require all granted

        AuthType Basic
        AuthName "myauth"
        AuthUserFile "/etc/httpd/conf/httpd.passwd"
        Require valid-user
    </Directory>
</VirtualHost>

NOTE: When writing <Directory> blocks inside virtual hosts, it’s always safest to use the full filesystem path rather than the relative one, so:

<Directory /var/www/html/wp1>

rather than simply:

<Directory />

The latter looks prettier, but isn’t always effective.
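As an added check (not part of the original post), here is a small Python script that scans httpd.conf-style text for exactly the problem described above: a bare “Require all granted” sitting beside another Require in the same <Directory>, <Location> or <Files> section, which Apache 2.4 ORs together as an implicit <RequireAny>. It is a simplified line-based parser that does not follow Include directives or evaluate explicit <RequireAll>/<RequireAny> containers, and the sample configs are constructed to mirror the block from this post before and after the fix.

```python
import re

# Constructed sample modelled on the post's block before the fix:
# "Require all granted" is still active beside "Require valid-user".
BROKEN_CONF = """\
<VirtualHost *:80>
    DocumentRoot /var/www/html/wp1
    <Directory /var/www/html/wp1>
        AllowOverride All
        Require all granted
        AuthType Basic
        AuthName "myauth"
        AuthUserFile "/etc/httpd/conf/httpd.passwd"
        Require valid-user
    </Directory>
</VirtualHost>
"""
# Same config with the offending line removed, as in the post's fix.
FIXED_CONF = BROKEN_CONF.replace("        Require all granted\n", "")

SECTION_RE = re.compile(r"^\s*<(/?)(Directory|Location|Files)(Match)?\b[^>]*>", re.I)
CONTAINER_RE = re.compile(r"^\s*<(/?)Require(All|Any|None)\s*>", re.I)
REQUIRE_RE = re.compile(r"^\s*Require\s+(.+?)\s*$", re.I)

def find_conflicts(conf):
    """Return [(section_header, [require args...]), ...] for each section with a
    bare 'Require all granted' beside another Require. Apache 2.4 wraps sibling
    Require lines in an implicit <RequireAny>, so 'all granted' alone passes the
    request and e.g. 'valid-user' is never consulted. Explicit containers are skipped."""
    conflicts = []
    stack = []            # open sections: (header line, collected Require args)
    container_depth = 0   # >0 while inside an explicit Require* container
    for line in conf.splitlines():
        m = CONTAINER_RE.match(line)
        if m:
            container_depth += -1 if m.group(1) else 1
            continue
        m = SECTION_RE.match(line)
        if m:
            if m.group(1):                  # closing tag: judge the section
                header, reqs = stack.pop()
                if len(reqs) > 1 and any(r.lower() == "all granted" for r in reqs):
                    conflicts.append((header, reqs))
            else:
                stack.append((line.strip(), []))
            continue
        m = REQUIRE_RE.match(line)
        if m and stack and container_depth == 0:
            stack[-1][1].append(m.group(1))
    return conflicts
```

Run `find_conflicts()` over the text of each file under /etc/httpd/conf and conf.d to flag sections where Basic Authentication is silently bypassed.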

In looking over the httpd.conf I discovered some additional Require statements further up that I decided were best commented out, especially since it’s my practice to try and control everything inside discrete virtual host blocks. Here’s what I found:

Line  State        Effect
104   all denied   Blocks access to /
127   all granted  Allows access to /var/www
156   all granted  Allows access to /var/www/html
172   all denied   Blocks viewing of .ht* files
258   all granted  Allows access to /var/www/cgi-bin

Although these are reasonable access controls to have in place if you’re sticking with the defaults and not publishing multiple sites using additional virtual hosts, the access granted on line 156 could prove problematic, as it did for me (especially after I replicated it in my own virtual host block — I did leave the directives on lines 104 and 172 in place, as they actually enhanced overall security).

I guess the moral of this story is that it is important to review all your configuration files when upgrading to a major release like RHEL 7, especially those that reflect internal “standards”.

Next time on “RHEL 7 Upgrade Madness”, “In with the Post-fix, and out with the Send-Mail”.

Other upcoming episodes include: “Why don’t we just lose the mysql name altogether? It’s not like anyone ever admits to knowing anything about the product!”

References:

Red Hat Enterprise Linux 7 System Administrator’s Guide: Web Servers

Apache 2.4 HTTP Server Documentation: Upgrading from 2.2 to 2.4


About phil

My name is Phil Lembo. In my day job I’m an enterprise IT architect for a leading distribution and services company. The rest of my time I try to maintain a semi-normal family life in the suburbs of Raleigh, NC. E-mail me at philipATlembobrothersDOTcom. The opinions expressed here are entirely my own and not those of my employers, past, present or future (except where I quote others, who will need to accept responsibility for their own rants).