Merge lp:~gnuoy/charms/precise/apache2/24-auth-format into lp:charms/apache2

Proposed by Liam Young on 2014-05-27
Status: Merged
Merged at revision: 56
Proposed branch: lp:~gnuoy/charms/precise/apache2/24-auth-format
Merge into: lp:charms/apache2
Diff against target: 32 lines (+6/-0)
2 files modified
data/security.template (+5/-0)
hooks/hooks.py (+1/-0)
To merge this branch: bzr merge lp:~gnuoy/charms/precise/apache2/24-auth-format
Reviewer Review Type Date Requested Status
Matt Bruzek (community) 2014-05-27 Approve on 2014-06-20
Jorge Niedbalski (community) Approve on 2014-06-20
Review via email: mp+221108@code.launchpad.net

Description of the change

The acl syntax has changed between apache 2.2 and apache 2.4 ( http://httpd.apache.org/docs/2.4/upgrading.html ) and Trusty has 2.4

The default security conf created by the charm uses the 2.2 syntax. This mp is to switch it to use the 2.4 if 2.4 is installed.

Here's the output of the tests I ran to check that access to directories other than /var/www was still blocked and that the deny could be overridded in a hosts file:

ubuntu@gnuoy-bastion:~$ cat vhost-denied.txt
<VirtualHost *:80>
    DocumentRoot /srv/website
</VirtualHost>

ubuntu@gnuoy-bastion:~$ cat vhost-precise-allowed.txt
<VirtualHost *:80>
    DocumentRoot /srv/website

    <Directory /srv/website>
         Order allow,deny
         Allow from all
    </Directory>
</VirtualHost>

ubuntu@gnuoy-bastion:~$ cat vhost-trusty-allowed.txt
<VirtualHost *:80>
    DocumentRoot /srv/website

    <Directory /srv/website>
        Require all granted
    </Directory>
</VirtualHost>

ubuntu@gnuoy-bastion:~$ juju deploy local:precise/apache2 apache2-precise
Added charm "local:precise/apache2-0" to the environment.
ubuntu@gnuoy-bastion:~$ juju deploy local:trusty/apache2 apache2-trusty
Added charm "local:trusty/apache2-0" to the environment.

ubuntu@gnuoy-bastion:~$ juju ssh apache2-precise/0 "sudo mkdir /srv/website; sudo cp /var/www/index.html /srv/website"
Connection to 10.5.0.179 closed.
ubuntu@gnuoy-bastion:~$
ubuntu@gnuoy-bastion:~$ juju ssh apache2-trusty/0 "sudo mkdir /srv/website; sudo cp /var/www/html/index.html /srv/website"
Connection to 10.5.0.180 closed.

ubuntu@gnuoy-bastion:~$ juju set apache2-precise "vhost_http_template=$(base64 vhost-denied.txt)"
ubuntu@gnuoy-bastion:~$ juju set apache2-trusty "vhost_http_template=$(base64 vhost-denied.txt)"

ubuntu@gnuoy-bastion:~$ juju ssh apache2-precise/0 "curl -I http://localhost/index.html"
Warning: Permanently added '10.5.0.179' (ECDSA) to the list of known hosts.
HTTP/1.1 403 Forbidden
Date: Tue, 27 May 2014 15:43:30 GMT
Server: Apache/2.2.22 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1

Connection to 10.5.0.179 closed.
ubuntu@gnuoy-bastion:~$ juju ssh apache2-trusty/0 "curl -I http://localhost/index.html"
Warning: Permanently added '10.5.0.180' (ECDSA) to the list of known hosts.
HTTP/1.1 403 Forbidden
Date: Tue, 27 May 2014 15:43:39 GMT
Server: Apache/2.4.7 (Ubuntu)
Content-Type: text/html; charset=iso-8859-1

Connection to 10.5.0.180 closed.

ubuntu@gnuoy-bastion:~$ juju set apache2-precise "vhost_http_template=$(base64 vhost-precise-allowed.txt)"
ubuntu@gnuoy-bastion:~$ juju set apache2-trusty "vhost_http_template=$(base64 vhost-trusty-allowed.txt)"

ubuntu@gnuoy-bastion:~$ juju ssh apache2-precise/0 "curl -I http://localhost/index.html"
Warning: Permanently added '10.5.0.179' (ECDSA) to the list of known hosts.
HTTP/1.1 200 OK
Date: Tue, 27 May 2014 15:43:57 GMT
Server: Apache/2.2.22 (Ubuntu)
Last-Modified: Tue, 27 May 2014 15:42:48 GMT
ETag: "2057f-b1-4fa638c43b6a9"
Accept-Ranges: bytes
Content-Length: 177
Vary: Accept-Encoding
Content-Type: text/html
X-Pad: avoid browser bug

Connection to 10.5.0.179 closed.
ubuntu@gnuoy-bastion:~$ juju ssh apache2-trusty/0 "curl -I http://localhost/index.html"
Warning: Permanently added '10.5.0.180' (ECDSA) to the list of known hosts.
HTTP/1.1 200 OK
Date: Tue, 27 May 2014 15:44:02 GMT
Server: Apache/2.4.7 (Ubuntu)
Last-Modified: Tue, 27 May 2014 15:43:07 GMT
ETag: "2cf6-4fa638d67edeb"
Accept-Ranges: bytes
Content-Length: 11510
Vary: Accept-Encoding
Content-Type: text/html

Connection to 10.5.0.180 closed.

To post a comment you must log in.
Jorge Niedbalski (niedbalski) wrote :

This change LGTM +1. I tried this charm code on my environment with the upstream apache charm and also compared the results with this proposal adding the 'Require all denied' directive does the trick on apache 24 , the HTTP/1.1 403 Forbidden was replaced by a HTTP/1.1 200.

services:
  apache2-precise:
    charm: local:precise/apache2-0
    exposed: false
    units:
      apache2-precise/0:
        agent-state: started
        agent-version: 1.18.4.1
        machine: "3"
        open-ports:
        - 80/tcp
        - 443/tcp
        public-address: 10.0.3.106
  apache2-trusty:
    charm: local:trusty/apache2-1
    exposed: false
    units:
      apache2-trusty/0:
        agent-state: started
        agent-version: 1.18.4.1
        machine: "4"
        open-ports:
        - 80/tcp
        - 443/tcp
        public-address: 10.0.3.3

review: Approve
Matt Bruzek (mbruzek) wrote :

LGTM!

Thank you for this submission!

review: Approve

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1=== modified file 'data/security.template'
2--- data/security.template 2013-02-04 23:25:08 +0000
3+++ data/security.template 2014-05-27 15:52:42 +0000
4@@ -8,11 +8,16 @@
5
6 <Directory />
7 AllowOverride None
8+{%- if is_apache24 %}
9+ Require all denied
10+{%- else %}
11 Order Deny,Allow
12 Deny from all
13+{%- endif %}
14 </Directory>
15
16
17+
18 # Changing the following options will not really affect the security of the
19 # server, but might make attacks slightly more difficult in some cases.
20
21
22=== modified file 'hooks/hooks.py'
23--- hooks/hooks.py 2014-02-08 15:03:11 +0000
24+++ hooks/hooks.py 2014-05-27 15:52:42 +0000
25@@ -376,6 +376,7 @@
26 'server_tokens': config_data['server_tokens'],
27 'server_signature': config_data['server_signature'],
28 'trace_enabled': config_data['trace_enabled'],
29+ 'is_apache24': is_apache24(),
30 }
31 template = \
32 template_env.get_template('security.template').render(templ_vars)

Subscribers

People subscribed via source and target branches

to all changes: