132

I've just updated my Apache server to Apache/2.4.6 which is running under Ubuntu 13.04. I used to have a vhost file that had the following:

<Directory "/home/john/development/foobar/web">
    AllowOverride All 
</Directory>

But when I ran that I got a "Forbidden. You don't have permission to access /"

After doing a little bit of googling I found out that to get my site working again I needed to add the following line "Require all granted" so that my vhost looked like this:

<Directory "/home/john/development/foobar/web">
    AllowOverride All 
    Require all granted
</Directory>

I want to know if this is "safe" and does not bring in any security issues. I read on Apache's page that this "mimics the functionality that was previously provided by the 'Allow from all' and 'Deny from all' directives. This provider can take one of two arguments which are 'granted' or 'denied'. The following examples will grant or deny access to all requests."

But it didn't say if this was a security issue of some sort or why we now have to do it when in the past you did not have to.

John Crawford

3 Answers

111

The access control configuration changed in 2.4, and old configurations aren't compatible without some changes. See here.

If your old config was Allow from all (no IP addresses blocked from accessing the service), then Require all granted is the new functional equivalent.

Shane Madden
  • 5
    Not to mention, the old method was terribly confusing and was long overdue to be replaced with something more sensible. – Michael Hampton Oct 30 '13 at 02:33
  • 5
    For such a major change I'd expect some kind of support to automatically migrate configuration files or at least show all points where a change is needed. – Wolfgang Fahl Nov 28 '15 at 02:16
  • 1
    Would be nice to see a working demonstration of `Require all denied`. – Kraang Prime Apr 15 '16 at 18:05
  • @SanuelJackson What do you mean? It simply denies access, and it should do what it says on the tin. – Shane Madden Apr 17 '16 at 08:26
  • 9
    I don't think this is equivalent to ```Allow from all```. You have to "merge" ```Require all granted``` with other existing ```Require``` rules. In my case an existing ```Require valid-user``` was ignored when blindly converting the config like it's recommended everywhere. This was the worst thing which could happen ... – rudimeier Sep 14 '16 at 12:34
  • 3
    It would be nice to have a proper answer to the OP's question. "Allow from all equivalent" is not very satisfying. – Sharcoux May 16 '17 at 18:31
  • 1
    @rudimeier I think it would be more equivalent to `Allow from all` `Satisfy any` if you have multiple auth blocks (the default being `Satisfy all`). The default/implied container on Apache 2.4 is ``, unless you explicitly state otherwise. So, if you are using Apache 2.4 syntax and you have multiple auth blocks, you may need to wrap them in a `` container. – MrWhite Mar 21 '20 at 09:52
  • The question was: what it does. The accepted answer does not say it. – Stephane Aug 29 '21 at 13:24
28

In Apache 2.2 it would be like:

<Location />
   Order deny,allow
   allow from all
</Location>
<Location /adm>
    Order deny,allow
    deny from all
    allow from myniceip
</Location>
<Location /disabled>
    Order deny,allow
    deny from all
</Location>

In Apache 2.4 it would be like:

<Location />
   require all granted
</Location>
# Note that you don't need to use "Require all denied"
# to allow only a group of IPs.
<Location /adm>
    require ip myniceip
</Location>
<Location /disabled>
    Require all denied
</Location>

Be careful when using .htaccess authentication: this new syntax can do some bad and unexpected things. If that is your case, please read: Apache 2.4 wants me to decide: Require valid ip or require valid user and you should be fine!

  • 1
    For me, the presence of `require all granted` prevented HTTP authentication working so thanks for the info. – authentictech Jun 17 '19 at 17:47
  • 1
    @authentictech Not only require all granted can break it. The expected authentication can be completely broken with this new syntax if you do not use RequireAll or RequireAny properly. Please read: https://unix.stackexchange.com/questions/413309/apache-2-4-wants-me-to-decide-require-valid-ip-or-require-valid-user. Thank you for the feedback. – Luciano Andress Martini Jun 17 '19 at 17:57
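The failure mode raised in the comments above (a `Require all granted` sitting beside `Require valid-user`, so authentication is silently skipped) can be checked for mechanically. The following is an added example, not part of any answer on this page: a small Python audit that flags leftover 2.2 directives and containers where `Require all granted` overrides sibling `Require` rules. The function name `audit`, the sample paths and the `SAMPLE` config are constructed for illustration.

```python
import re

OPEN = re.compile(r"^<\s*(\w+)")
CLOSE = re.compile(r"^</\s*(\w+)")
LEGACY = re.compile(r"^(Order|Allow|Deny|Satisfy)\b", re.I)  # mod_access_compat (2.2 style)
REQUIRE = re.compile(r"^Require\s+(.+)$", re.I)

def audit(conf):
    """Return (line_no, message) findings for one Apache config text.
    Limits: does not follow Include, .htaccess merging or <IfModule> scoping."""
    findings, stack = [], []          # stack entries: (container name, start line, requires)
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            if not stack:
                continue
            name, start, reqs = stack.pop()
            others = [r for r in reqs if r != "all granted"]
            # Outside <RequireAll>/<RequireNone>, 2.4 treats sibling Require
            # lines as an implied <RequireAny>: "all granted" wins on its own.
            if name not in ("requireall", "requirenone") and "all granted" in reqs and others:
                findings.append((start, f"'Require all granted' overrides {others}"))
            if name.startswith("require") and stack:
                stack[-1][2].append(f"<{name}>")   # nested block counts as one sibling rule
        elif m := OPEN.match(line):
            stack.append((m.group(1).lower(), no, []))
        elif m := LEGACY.match(line):
            findings.append((no, f"legacy 2.2 directive '{m.group(1)}'"))
        elif (m := REQUIRE.match(line)) and stack:
            stack[-1][2].append(" ".join(m.group(1).lower().split()))
    return findings

# Constructed sample: a blindly migrated block, a corrected block, a 2.2 leftover.
SAMPLE = """\
<Directory "/srv/example/private">
    AuthType Basic
    AuthName "staff"
    AuthUserFile "/etc/apache2/example.htpasswd"
    Require valid-user
    Require all granted
</Directory>
<Directory "/srv/example/fixed">
    <RequireAll>
        Require valid-user
        Require ip 192.0.2.0/24
    </RequireAll>
</Directory>
<Location "/old">
    Order deny,allow
    Deny from all
</Location>
"""

if __name__ == "__main__":
    for line_no, msg in audit(SAMPLE):
        print(f"line {line_no}: {msg}")
```

A block containing only `AllowOverride All` and `Require all granted`, like the one in the question, produces no findings: it is openly public by intent, with no other rule for it to override.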
0

Very interesting; but I don't see that anybody has answered the OP. They have told him how to do it, but not the why. I actually took the time to follow the link in the referenced article, and read just what the new "Require" directive does. Correct me if I'm wrong, but from "mod_authz_core - Apache HTTP Server Version 2.4", I gather that this only pertains to authorization to view or download web resources; since all of its options pertain to who can access the resources, authorization providers, and groups of allowed users. It doesn't seem to, e.g. offer options to allow outsiders to overwrite your html/php files. To me, it seems it only allows anyone that can connect, to view your content. If you are developing locally, and not trying to set up some special authorization scheme, you can use Require local to prevent anyone from viewing your local content from the outside.

The only real security concern there is if a "Location" directive conflicts with a location serving Web resources, in which case the wrong authentication scheme might be used. They detail steps how to resolve such a conflict in authentication schemes.

CodeLurker