can someone test mod_access_compat too

Gregg · August 26, 2010, 06:56:32 PM

In another post I mentioned that mod_access_compat didn't seem to be working in my SSL config, this is not the case. What I am seeing is this;

mod_access_compat works as advertised as long as the entire config uses the old style order, allow, deny & satisfy.

The minute you mix old style with the new Require whatever style, every single host on the system gives a 403 error, including the main host.

Does anyone else see this? If so, it's gotta be a bug which I'll report.

mario · August 27, 2010, 11:35:46 AM

You might post an example.

Gregg · August 27, 2010, 11:40:09 PM

No problemo .... follow the yellow brick road.

http://www.gammaquadrant.info/mod_access_compat_test

Ok, so it's not yellow nor brick, there is yellow in it.

I am partially out of my mind in that not ALL host 403 as I had stated!

Any hosts directory/location*/files* containers that are still old style order/allow/deny/satisfy still work. Just the stuff using Require all granted are borked ... or my thinking is borked?

DnvrSysEngr · August 29, 2010, 05:23:53 AM

I had that issue when I installed 2.3.6. I am not running the SSL piece, and I am running VHosts. I had to enable the mod_Compat in my httpd.conf file in order to not get 403 errors with my VHosts (Gregg helped me with this).

Gregg · August 29, 2010, 10:04:55 AM

Hi DSE,

well yes, and that's what I have done.

It may be my thinking is wrong, or call it what it is, assumption, in that mod_access_compat is there as a crutch to help us while we are migrating to the new style config. It seems perfectly logical, and I scanned the docs and there is no mention that I could find saying it has to be one style or the other but not both.

Even I have a couple configs that I am going to have to sit down and really think through before switching them. I would like to work my way there, as time and brain power permits, while converting all the easy stuff in the meantime.

Maybe that's asking to much, but at least I get a good head start. I can hear the cries of pain when the masses switch over already.

DnvrSysEngr · August 30, 2010, 02:44:04 AM

You are correct Gregg. You are the one that helped me initially with my 403 errors. As I have my site/s up and running using Mod_compat, I have not played with it any further (namely due to lack of time).

- S

Gregg · August 31, 2010, 07:44:54 PM

Actually DSE, you are probably the one best suited to confirm or deny my findings.

Take 1 host, change to;
Require all granted
restart Apache and try to connect to that specific host. Do you get a 403?

put it back to Order bla bla and restart again.

DnvrSysEngr · September 01, 2010, 05:30:03 AM

Gregg:

I just updated to 2.3.8 today. I did a totally fresh install (wiped 2.3.6 completely - registry entries file directories and all). I copied my tweaks from my 2.3.6 httpd.conf into the httpd.conf file for 2.3.8. I also copied my tweaks from my vhosts file as well.

I will try what you have written and get back to you with my findings.

- S

DnvrSysEngr · September 01, 2010, 05:51:14 AM

Gregg:

I went ahead and did the following:

1. commented out LoadModule access_compat_module modules/mod_access_compat.so in my HTTPD.CONF

2. commented out
Order deny,allow
Allow from all
Satisfy All
in my HTTPD-VHOSTS.CONF

3. added in Require all granted to each of my sites HTTPD-VHOSTS.CONF

4. stopped and restarted Apache service and all sites DO NOT report 403 errors

Gregg · September 01, 2010, 05:05:29 PM

Hi DSE,

Thanks, but that is not the issue. The issue is when using mod_access_compat, that it is all or nothing, meaning all order/allow/deny and don't you dare use a Require in there, anywhere. Once you unloaded, or more precisely didn't load mod_access_compat and switched all your hosts to Require, you removed the issue.

The issue basically comes down to compatibility. mod_access_compat is only compatible with the old Order Allow,Deny. You cannot slowly migrate a large config, such as mine that cover many hosts/domains.

The link I had posted goes through it pretty well. Sorry for the 100k background image. Anyway, that happens to be one of my disposable domains that I have moved over to 2.3.6 now 2.3.8. If I were to use a Require all granted, that site would 403. However, if you went via https it would work, provided I left that part of the config in the old order/allow/deny.

Thanks for trying tho, I do appreciate the effort.

DnvrSysEngr · September 01, 2010, 07:25:37 PM

I will re-enable the Mod_Compat and leave the Require along with Allow in my vhost config and see what happens.

- S

DnvrSysEngr · September 01, 2010, 08:00:55 PM

Gregg:

I went ahead and did the following:

1. Loaded LoadModule access_compat_module modules/mod_access_compat.so in my HTTPD.CONF

2. added
Order deny,allow
Allow from all
Satisfy All
in my HTTPD-VHOSTS.CONF

3. added in Require all granted to each of my sites HTTPD-VHOSTS.CONF

4. stopped and restarted Apache service and all sites DO NOT report 403 errors

I can include my HTTPD-VHOSTS.CONF file if needed

Gregg · September 01, 2010, 09:39:49 PM

Thank you!

DnvrSysEngr · September 01, 2010, 09:56:04 PM

Let me know if you want to see my HTTPD.CONF or HTTPD-VHOSTS.CONF.

- S