In another post I mentioned that mod_access_compat didn't seem to be working in my SSL config; this is not the case. What I am seeing is this:
mod_access_compat works as advertised as long as the entire config uses the old style order, allow, deny & satisfy.
The minute you mix old style with the new Require whatever style, every single host on the system gives a 403 error, including the main host.
Does anyone else see this? If so, it's gotta be a bug which I'll report.
You might post an example.
No problemo .... follow the yellow brick road.
http://www.gammaquadrant.info/mod_access_compat_test
Ok, so it's not yellow nor brick, there is yellow in it.
I am partially out of my mind in that not ALL hosts 403 as I had stated!
Any hosts directory/location*/files* containers that are still old style order/allow/deny/satisfy still work. Just the stuff using Require all granted are borked ... or my thinking is borked?
I had that issue when I installed 2.3.6. I am not running the SSL piece, and I am running VHosts. I had to enable the mod_Compat in my httpd.conf file in order to not get 403 errors with my VHosts (Gregg helped me with this).
Hi DSE,
well yes, and that's what I have done.
It may be my thinking is wrong, or call it what it is, assumption, in that mod_access_compat is there as a crutch to help us while we are migrating to the new style config. It seems perfectly logical, and I scanned the docs and there is no mention that I could find saying it has to be one style or the other but not both.
Even I have a couple configs that I am going to have to sit down and really think through before switching them. I would like to work my way there, as time and brain power permits, while converting all the easy stuff in the meantime.
Maybe that's asking too much, but at least I get a good head start. I can hear the cries of pain when the masses switch over already.
You are correct Gregg. You are the one that helped me initially with my 403 errors. As I have my site/s up and running using Mod_compat, I have not played with it any further (namely due to lack of time).
- S
Actually DSE, you are probably the one best suited to confirm or deny my findings.
Take 1 host, change to:
Require all granted
restart Apache and try to connect to that specific host. Do you get a 403?
put it back to Order bla bla and restart again.
Gregg:
I just updated to 2.3.8 today. I did a totally fresh install (wiped 2.3.6 completely - registry entries, file directories and all). I copied my tweaks from my 2.3.6 httpd.conf into the httpd.conf file for 2.3.8. I also copied my tweaks from my vhosts file as well.
I will try what you have written and get back to you with my findings.
- S
Gregg:
I went ahead and did the following:
1. commented out LoadModule access_compat_module modules/mod_access_compat.so in my HTTPD.CONF
2. commented out
Order deny,allow
Allow from all
Satisfy All
in my HTTPD-VHOSTS.CONF
3. added in Require all granted to each of my sites HTTPD-VHOSTS.CONF
4. stopped and restarted Apache service and all sites DO NOT report 403 errors
Hi DSE,
Thanks, but that is not the issue. The issue is when using mod_access_compat, that it is all or nothing, meaning all order/allow/deny and don't you dare use a Require in there, anywhere. Once you unloaded, or more precisely didn't load mod_access_compat and switched all your hosts to Require, you removed the issue.
The issue basically comes down to compatibility. mod_access_compat is only compatible with the old Order Allow,Deny. You cannot slowly migrate a large config, such as mine that covers many hosts/domains.
The link I had posted goes through it pretty well. Sorry for the 100k background image. Anyway, that happens to be one of my disposable domains that I have moved over to 2.3.6 now 2.3.8. If I were to use a Require all granted, that site would 403. However, if you went via https it would work, provided I left that part of the config in the old order/allow/deny.
Thanks for trying tho, I do appreciate the effort.
I will re-enable the Mod_Compat and leave the Require along with Allow in my vhost config and see what happens.
- S
Gregg:
I went ahead and did the following:
1. Loaded LoadModule access_compat_module modules/mod_access_compat.so in my HTTPD.CONF
2. added
Order deny,allow
Allow from all
Satisfy All
in my HTTPD-VHOSTS.CONF
3. added in Require all granted to each of my sites HTTPD-VHOSTS.CONF
4. stopped and restarted Apache service and all sites DO NOT report 403 errors
I can include my HTTPD-VHOSTS.CONF file if needed
Thank you!
Let me know if you want to see my HTTPD.CONF or HTTPD-VHOSTS.CONF.
- S
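
An added example, not part of the thread or any poster's config: a short Python script that reports, for each container in an httpd config, whether access control is old style (Order/Allow/Deny/Satisfy), new style (Require ...), or both, and whether mod_access_compat is loaded, which is the inventory you need before migrating a large config piece by piece. The sample config and its paths are constructed, and the list of Require forms counted as new style is an assumption of this example.

```python
import re

OLD = {"order", "allow", "deny", "satisfy"}  # directives provided by mod_access_compat
# Assumption: these Require forms are treated as new-style access control
NEW = re.compile(r"require\s+(not\s+)?(all|ip|host|local|env|method|expr)\b", re.I)
OPEN = re.compile(r"<\s*(\w+)\s*([^>]*)>")
CLOSE = re.compile(r"<\s*/\s*\w+\s*>")
COMPAT = re.compile(r"LoadModule\s+access_compat_module\b", re.I)

def audit(conf_text):
    """Return (compat_loaded, {section path: 'old' | 'new' | 'mixed'})."""
    stack, seen, compat = ["server"], {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out directives do not count
        if CLOSE.match(line):
            if len(stack) > 1:
                stack.pop()
        elif m := OPEN.match(line):
            stack.append(f"{m.group(1)} {m.group(2).strip()}".strip())
        elif COMPAT.match(line):
            compat = True
        else:
            style = ("old" if line.split()[0].lower() in OLD
                     else "new" if NEW.match(line) else None)
            if style:
                seen.setdefault(" / ".join(stack), set()).add(style)
    return compat, {k: "mixed" if len(v) == 2 else next(iter(v))
                    for k, v in seen.items()}

def mixes_styles(conf_text):
    """True when old and new style both occur anywhere in the config."""
    found = set(audit(conf_text)[1].values())
    return "mixed" in found or {"old", "new"} <= found

# Constructed sample config (not taken from the thread)
SAMPLE = '''LoadModule access_compat_module modules/mod_access_compat.so
<Directory "C:/sites/old">
    Order deny,allow
    Allow from all
</Directory>
<VirtualHost *:80>
    <Directory "C:/sites/new">
        Require all granted
    </Directory>
    <Location /both>
        Order deny,allow
        Require all granted
    </Location>
</VirtualHost>'''

if __name__ == "__main__":
    print(audit(SAMPLE), mixes_styles(SAMPLE))
```

Concatenate httpd.conf and any included files (for example httpd-vhosts.conf) before passing the text in, since the script does not follow Include directives.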