What does Apache's "Require all granted" really do?
I've just updated my Apache server to Apache/2.4.6 which is running under Ubuntu 13.04. I used to have a vhost file that had the following:
<Directory "/home/john/development/foobar/web">
AllowOverride All
</Directory>
But when I ran that I got a "Forbidden. You don't have permission to access /"
After doing a little bit of googling I found out that to get my site working again I needed to add the following line "Require all granted" so that my vhost looked like this:
<Directory "/home/john/development/foobar/web">
AllowOverride All
Require all granted
</Directory>
I want to know if this is "safe" and does not bring in any security issues. I read on Apache's page that this "mimics the functionality that was previously provided by the 'Allow from all' and 'Deny from all' directives. This provider can take one of two arguments which are 'granted' or 'denied'. The following examples will grant or deny access to all requests."
But it didn't say if this was a security issue of some sort or why we now have to do it when in the past you did not have to.
Solution 1:
The access control configuration changed in 2.4, and old configurations aren't compatible without some changes. See here.
If your old config was Allow from all (no IP addresses blocked from accessing the service), then Require all granted is the new functional equivalent.
Solution 2:
I know it is an old post but I think that I can help more with a functional example that I always use!
In Apache 2.2 it would be like:
<Location />
Order deny,allow
allow from all
</Location>
<Location /adm>
Order deny,allow
deny from all
allow from myniceip
</Location>
<Location /disabled>
Order deny,allow
deny from all
</Location>
In Apache 2.4 it would be like:
<Location />
require all granted
</Location>
# Note that you don't need to use require all denied
# to require only a group of IPs.
<Location /adm>
require ip myniceip
</Location>
<Location /disabled>
Require all denied
</Location>
Be careful when using .htaccess authentication: this new syntax can do some bad and unexpected things. If that is your case, please read: https://unix.stackexchange.com/questions/413309/apache-2-4-wants-me-to-decide-require-valid-ip-or-require-valid-user and you should be fine!
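
Added example, not part of the original answers: the IP-or-user pitfall mentioned above, shown as a weak Apache 2.4 block beside a corrected one. The address 192.0.2.10, the realm name and the password file path are placeholders assumed for illustration.

```apache
# Use ONE of the two blocks below; they are alternatives for the same path.

# Weak: bare Require lines in one section are implicitly wrapped in
# <RequireAny>, so the first one that matches authorizes the request.
# A client at 192.0.2.10 is served with no password prompt, and any
# other client gets in with just a valid password.
<Location "/adm">
    AuthType Basic
    AuthName "Admin area"
    AuthUserFile "/etc/apache2/htpasswd.example"
    Require ip 192.0.2.10
    Require valid-user
</Location>

# Corrected: <RequireAll> makes both conditions mandatory, so the
# request must come from 192.0.2.10 AND carry valid credentials.
<Location "/adm">
    AuthType Basic
    AuthName "Admin area"
    AuthUserFile "/etc/apache2/htpasswd.example"
    <RequireAll>
        Require ip 192.0.2.10
        Require valid-user
    </RequireAll>
</Location>
```

After editing, `apachectl configtest` checks the syntax before a reload.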