[OpenStack-Infra] Reconcile apache fixes for >= 2.4

Antoine Musso hashar at free.fr
Thu Nov 5 11:55:45 UTC 2015


On 04/11/2015 19:55, Yolanda Robla Mota wrote:
> Hello Infra
> 
> I want to start a thread about the best way to reconcile the apache
> fixes that we put in place for upgrade to apache >= 2.4
> There are two different ways now:
> 
> 1. rely on apache mod_version , and add a check inside apache vhosts:
> 
>     <IfVersion >= 2.4>
>       Require all granted
>     </IfVersion>
> 
> That is the fix currently in place for puppet-httpd, puppet-cgit, and
> some other modules. It is quite simple, but has the disadvantage of
> depending on the mod_version apache module, so every manifest using
> that needs to ensure that mod_version is installed.
> 
> 2. Rely on satisfy any:
> 
>     Allow from all
>     Satisfy Any
> 
> It doesn't need an extra check for version, but it is deprecated as
> shown on: https://httpd.apache.org/docs/2.4/howto/auth.html . It also
> needs module mod_access_compat to be present in newer apache versions.
> We currently have this on puppet-zuul.
> 
> 3. Other alternatives should be:
> - add a parameter to puppet-httpd module, so we can pass the apache
> version we are expected to have
> - create a custom fact to give us the current apache version in puppet,
> and do the apache check using that fact instead of relying on mod_version
> - use osfamily/operatingsystem/lsbrelease facts to decide about apache
> version, and apply proper directives there
> 
> I'd like to get more opinions about how to better proceed with that, and
> ensure that all infra puppet modules are following the same criteria.

Hello,

The relevant Apache 2.4 documentation is at:
http://httpd.apache.org/docs/2.4/en/upgrading.html#access


Wikimedia is migrating from Ubuntu Precise/Trusty to Debian Jessie and
ended up adding a bunch of:


-    Order deny,allow
-    Allow from all
+    <IfVersion >= 2.4>
+        Require all granted
+    </IfVersion>
+    <IfVersion < 2.4>
+        Order deny,allow
+        Allow from all
+    </IfVersion>
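
Review bot: both added branches are `<IfVersion>` containers, so every vhost carrying these lines now needs mod_version loaded, and a host without it will reject the file at config parse time instead of falling back to either rule. Make the change that adds these blocks also enable mod_version, and say so next to the block, since nothing in the hunk shows that dependency being handled.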


Another solution on Apache 2.4 is to use mod_access_compat
https://httpd.apache.org/docs/2.4/en/mod/mod_access_compat.html

On Jessie it is installed (but not enabled) with the 'apache2' package:

$ dpkg -S /etc/apache2/mods-available/access_compat.load
apache2: /etc/apache2/mods-available/access_compat.load


-- 
Antoine "hashar" Musso
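
A lint check for the convention discussed in this thread, as an added example that is not part of either message or of any OpenStack or Wikimedia code: it reports 2.2-style access directives and `Require all` lines that sit outside the matching `<IfVersion>` branch. The function names and the sample fragment are constructed for illustration, and only comparisons written as `>= 2.4` or `< 2.4` (optionally negated with `!`) are modelled.

```python
import re

LEGACY = {"order", "allow", "deny", "satisfy"}   # Apache 2.2 access directives
OPEN_RE = re.compile(r"<IfVersion\s+(!?)\s*(>=|<)\s*2\.4\s*>", re.I)
CLOSE_RE = re.compile(r"</IfVersion\s*>", re.I)

def branch_of(line):
    """Classify an <IfVersion ...> opening line as '2.4+', 'pre-2.4' or 'other'."""
    m = OPEN_RE.match(line)
    if not m:
        return "other"                     # a comparison this check does not model
    newer = (m.group(2) == ">=") != bool(m.group(1))   # leading '!' negates
    return "2.4+" if newer else "pre-2.4"

def find_unguarded(conf_text):
    """Return (line_no, directive, reason) for each access directive that is not
    inside the <IfVersion> branch for the Apache series that understands it."""
    findings, stack = [], []               # stack: one entry per open <IfVersion>
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        words = line.lower().split()
        if not words or line.startswith("#"):
            continue
        if CLOSE_RE.match(line):
            if stack:
                stack.pop()
        elif words[0].startswith("<ifversion"):
            stack.append(branch_of(line))
        elif words[0] in LEGACY and "pre-2.4" not in stack:
            findings.append((no, words[0], "2.2 syntax; on 2.4 needs mod_access_compat"))
        elif words[:2] == ["require", "all"] and "2.4+" not in stack:
            findings.append((no, "require all", "2.4 syntax; not understood by 2.2"))
    return findings

# Constructed sample: the guarded pair in the style of the diff above,
# followed by the same directives left unguarded.
SAMPLE = """\
<IfVersion >= 2.4>
    Require all granted
</IfVersion>
<IfVersion < 2.4>
    Order deny,allow
    Allow from all
</IfVersion>
Allow from all
Satisfy Any
Require all granted
"""

if __name__ == "__main__":
    for finding in find_unguarded(SAMPLE):
        print("line %d: %s (%s)" % finding)
```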


