Merge lp:~gnuoy/charms/precise/apache2/24-auth-format into lp:charms/apache2
Status: | Merged |
---|---|
Merged at revision: | 56 |
Proposed branch: | lp:~gnuoy/charms/precise/apache2/24-auth-format |
Merge into: | lp:charms/apache2 |
Diff against target: | 32 lines (+6/-0), 2 files modified: data/security.template (+5/-0), hooks/hooks.py (+1/-0) |
To merge this branch: | bzr merge lp:~gnuoy/charms/precise/apache2/24-auth-format |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Matt Bruzek (community) | Approve | ||
Jorge Niedbalski (community) | Approve | ||
Review via email: mp+221108@code.launchpad.net |
Description of the change
The acl syntax has changed between apache 2.2 and apache 2.4 ( http://
The default security conf created by the charm uses the 2.2 syntax. This mp is to switch it to use the 2.4 if 2.4 is installed.
Here's the output of the tests I ran to check that access to directories other than /var/www was still blocked and that the deny could be overridden in a hosts file:
ubuntu@
<VirtualHost *:80>
DocumentRoot /srv/website
</VirtualHost>
ubuntu@
<VirtualHost *:80>
DocumentRoot /srv/website
<Directory /srv/website>
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
ubuntu@
<VirtualHost *:80>
DocumentRoot /srv/website
<Directory /srv/website>
Require all granted
</Directory>
</VirtualHost>
ubuntu@
Added charm "local:
ubuntu@
Added charm "local:
ubuntu@
Connection to 10.5.0.179 closed.
ubuntu@
ubuntu@
Connection to 10.5.0.180 closed.
ubuntu@
ubuntu@
ubuntu@
Warning: Permanently added '10.5.0.179' (ECDSA) to the list of known hosts.
HTTP/1.1 403 Forbidden
Date: Tue, 27 May 2014 15:43:30 GMT
Server: Apache/2.2.22 (Ubuntu)
Vary: Accept-Encoding
Content-Type: text/html; charset=iso-8859-1
Connection to 10.5.0.179 closed.
ubuntu@
Warning: Permanently added '10.5.0.180' (ECDSA) to the list of known hosts.
HTTP/1.1 403 Forbidden
Date: Tue, 27 May 2014 15:43:39 GMT
Server: Apache/2.4.7 (Ubuntu)
Content-Type: text/html; charset=iso-8859-1
Connection to 10.5.0.180 closed.
ubuntu@
ubuntu@
ubuntu@
Warning: Permanently added '10.5.0.179' (ECDSA) to the list of known hosts.
HTTP/1.1 200 OK
Date: Tue, 27 May 2014 15:43:57 GMT
Server: Apache/2.2.22 (Ubuntu)
Last-Modified: Tue, 27 May 2014 15:42:48 GMT
ETag: "2057f-
Accept-Ranges: bytes
Content-Length: 177
Vary: Accept-Encoding
Content-Type: text/html
X-Pad: avoid browser bug
Connection to 10.5.0.179 closed.
ubuntu@
Warning: Permanently added '10.5.0.180' (ECDSA) to the list of known hosts.
HTTP/1.1 200 OK
Date: Tue, 27 May 2014 15:44:02 GMT
Server: Apache/2.4.7 (Ubuntu)
Last-Modified: Tue, 27 May 2014 15:43:07 GMT
ETag: "2cf6-4fa638d67
Accept-Ranges: bytes
Content-Length: 11510
Vary: Accept-Encoding
Content-Type: text/html
Connection to 10.5.0.180 closed.
This change LGTM +1. I tried this charm code on my environment with the upstream apache charm and also compared the results with this proposal; adding the 'Require all denied' directive does the trick on apache 24, the HTTP/1.1 403 Forbidden was replaced by a HTTP/1.1 200.
services: apache2- 0 precise/ 0:
agent-state: started
agent-version: 1.18.4.1
public-address: 10.0.3.106
apache2- 1 trusty/ 0:
agent-state: started
agent-version: 1.18.4.1
public-address: 10.0.3.3
apache2-precise:
charm: local:precise/
exposed: false
units:
apache2-
machine: "3"
open-ports:
- 80/tcp
- 443/tcp
apache2-trusty:
charm: local:trusty/
exposed: false
units:
apache2-
machine: "4"
open-ports:
- 80/tcp
- 443/tcp
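
The version switch described in this proposal, as an added Python example (not the charm's code and not the contents of this branch): it renders a deny-by-default stanza in the syntax matching the installed Apache and flags `<Directory>` blocks whose access-control directives belong to the other generation. The function names and the sample vhosts, modelled on the overrides in the test output, are assumptions.

```python
import re

# Order/Allow/Deny: Apache 2.2 syntax, available on 2.4 only through mod_access_compat.
OLD_STYLE = re.compile(r"^\s*(Order|Allow|Deny)\b", re.I)
NEW_STYLE = re.compile(r"^\s*Require\s+(not\s+)?(all|ip|host|local)\b", re.I)
DIR_OPEN = re.compile(r"^\s*<Directory\s+\"?([^\">]+)\"?\s*>", re.I)
DIR_CLOSE = re.compile(r"^\s*</Directory>", re.I)

# Sample vhosts modelled on the overrides in the test output (constructed).
VHOST_22 = """<VirtualHost *:80>
DocumentRoot /srv/website
<Directory /srv/website>
Order allow,deny
Allow from all
</Directory>
</VirtualHost>"""
VHOST_24 = VHOST_22.replace("Order allow,deny\nAllow from all", "Require all granted")

def acl_style_for(version):
    """Return '2.4' for Apache >= 2.4, else '2.2' (version like '2.4.7')."""
    major, minor = (int(p) for p in version.split(".")[:2])
    return "2.4" if (major, minor) >= (2, 4) else "2.2"

def default_deny(version):
    """Render a deny-by-default <Directory /> stanza in the matching syntax."""
    if acl_style_for(version) == "2.4":
        body = ["    Require all denied"]
    else:
        body = ["    Order Deny,Allow", "    Deny from all"]
    return "\n".join(["<Directory />"] + body + ["</Directory>"])

def audit(conf_text, version):
    """List (path, found_style) for Directory blocks not matching `version`."""
    wanted, findings, path, styles = acl_style_for(version), [], None, set()
    for line in conf_text.splitlines():
        opened = DIR_OPEN.match(line)
        if opened:
            path, styles = opened.group(1).strip(), set()
        elif DIR_CLOSE.match(line) and path is not None:
            found = "mixed" if len(styles) == 2 else "".join(styles) or "none"
            if found not in (wanted, "none"):
                findings.append((path, found))
            path = None
        elif path is not None and OLD_STYLE.match(line):
            styles.add("2.2")
        elif path is not None and NEW_STYLE.match(line):
            styles.add("2.4")
    return findings
```

`audit(VHOST_22, "2.4.7")` reports `/srv/website` as still using the 2.2 syntax, while `audit(VHOST_24, "2.4.7")` returns an empty list.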