This actually applies to the default httpd.conf and ssl.conf for Fedora since version 19/20 (on which RHEL 7 is based).
Red Hat Enterprise Linux (RHEL) 7 and its Fedora counterpart(s) brought us the goodness that is Apache 2.4.6, a significant improvement over the stock Apache 2.2.15 that ships with the latest RHEL 6 updates.
The challenge, as usual for such things, is that there also some significant differences in the configuration files. Most of these stem from syntax changes introduced by the upstream Apache HTTP Server Project.
One that bit me today was the change in “idiom” for access control directives discussed in the Upgrading from 2.2 to 2.4 document.
Basically what happened is that all those “Order, Allow, Deny” directives have now been discarded and replaced with “Require”. The convergence of the new access syntax with that traditionally used for specialized access modules like those supporting Basic Authentication was intentional, but will lead to unintended results for those who don’t thoroughly vet their existing configurations.
In my case that led to a frustrating hour trying to figure out why visitors to a particular site supposedly protected by Basic Authentication weren’t being challenged to provide a username and password.
After reviewing my configuration and being satisfied it met all the requirements of the 2.4 doc, I took a closer look at the rest of the httpd.conf file. What I found was a “Require all granted” directive in the block for the protected site. That, of course, conflicted with the “Require valid-user” further down that was invoked by the Basic Authentication configuration. The solution was to remove the offending Require directive, leaving a configuration that looked like this:
<VirtualHost *:80> ServerAdmin firstname.lastname@example.org DocumentRoot /var/www/html/wp1 ServerName www.example.com ErrorLog /var/log/httpd/www.example.com-error_log CustomLog /var/log/httpd/www.example.com-access_log combined <Directory /var/www/html/wpl> Options Indexes FollowSymlinks MultiViews AllowOverride All # Require all granted AuthType basic AuthName "myauth" AuthUserFile "/etc/httpd/conf/httpd.passwd" Require valid-user </Directory> </VirtualHost>
NOTE: When setting out statements in virtual host blocks, it’s always safest to use the full file directory path rather than the relative one, so:
rather than simply:
The latter looks prettier, but isn’t always effective.
In looking over the httpd.conf I discovered some additional Require statements further up that I decided were best commented out, especially since it’s my practice to try and control everything inside discrete virtual host blocks. Here’s what I found:
|104||all denied||Blocks access to /|
|127||all granted||Allows access to /var/www|
|156||all granted||Allows access to /var/www/html|
|172||all denied||Blocks viewing of .ht* files|
|258||all granted||Allows access to /var/www/cgi-bin|
Although these are reasonable access controls to have in place if you’re sticking with the defaults and not publishing multiple sites using additional virtual hosts, the access granted in 156 could prove problematic as it did for me (especially after I replicated it in my own virtual host block — I did leave the directives on lines 104 and 172 in place, as they actually enhanced overall security).
I guess the moral of this story is that it is important to review all your configuration files when upgrading to a major release like RHEL 7, especially those that reflect internal “standards”.
Next time on “RHEL 7 Upgrade Madness”, “In with the Post-fix, and out with the Send-Mail”.
Other upcoming episodes include: “Why don’t we just lose the mysql name altogether? It’s not like anyone ever admits to knowing anything about the product!”