Apache is one of the most widely deployed web servers, used by millions of sites around the world. A great many of those sites still carry configuration written in Apache 2.2 syntax, while current distributions (e.g. Ubuntu 14.04 LTS onwards, Debian 8 onwards, CentOS/RHEL 7) ship Apache 2.4. Most of the syntax is unchanged, but there are important differences, and some directives have been deprecated or renamed. Let us look at how to migrate your Apache configuration from 2.2 to 2.4 syntax.
How To Migrate your Apache Configuration from 2.2 to 2.4 Syntax
Authorization decides which clients (authenticated users, client addresses, host names) may access a resource. While authentication has changed little since 2.2, authorization has been overhauled.
First of all, the Require directive now expresses the whole access policy: you state a default and then the exceptions, and the containers described below say how the individual rules combine.
For example, if you want to accept all traffic but block one malicious IP (e.g. 184.108.40.206), you write

    <RequireAll>
        Require all granted
        Require not ip 184.108.40.206
    </RequireAll>

The <RequireAll> wrapper matters. Require lines written at the same level are combined with "or", so without the wrapper the "Require all granted" line would be satisfied on its own and the blocked address would still get in; a negated Require only has an effect inside <RequireAll>, where it can veto the grant.
Require rules are not limited to IP addresses or user groups. The word after Require names an authorization provider, and the standard modules supply several:
- all: a catch-all, used as "Require all granted" or "Require all denied"
- env: succeeds when the named environment variable is set (typically by SetEnvIf or mod_rewrite)
- host: checks the client's host name, obtained by a reverse DNS lookup of its address
- ip: matches the client address: a single address, a partial address, or a CIDR range such as 10.0.0.0/8
- user, group and valid-user (from the authentication-related modules such as mod_authz_user and mod_authz_groupfile): match an authenticated user, a group, or any successfully authenticated user
- expr: evaluates an expression, for when the simpler providers are not enough
Several Require lines can be combined with the following container blocks:
- RequireAll: every requirement in the block must succeed (and none may fail) for the block to succeed.
- RequireAny: the block succeeds as soon as one of its requirements succeeds.
- RequireNone: the block fails if any of its requirements succeeds; it never grants access on its own, it only vetoes.
Require lines placed directly in a <Directory> or <Location> section, without a container, are treated as if they were inside a <RequireAny>.
You can even nest them, as in this example (the user names, groups, address and host name are placeholders):

    <RequireAny>
        <RequireAll>
            Require user root
            Require ip 18.104.22.168
        </RequireAll>
        <RequireAll>
            <RequireAny>
                Require group sysadmin
                Require group useraccount
                Require user tony
            </RequireAny>
            <RequireNone>
                Require group restrictadmin
                Require host badhost.com
            </RequireNone>
        </RequireAll>
    </RequireAny>

Read it from the outside in: access is granted if either of the two inner <RequireAll> blocks succeeds. The first admits the user "root", but only when connecting from 18.104.22.168. The second admits members of the "sysadmin" or "useraccount" groups, or the user "tony", provided they are not also members of "restrictadmin" and are not connecting from badhost.com. Note that "Require host" depends on a double reverse DNS lookup of the client address on every request, so it costs a DNS round trip and is only as trustworthy as the DNS involved; prefer "Require ip" wherever an address or range will do.
The result is easier to read and consistent. The old access control directives Order, Allow from, Deny from and Satisfy have been deprecated: they are no longer part of the core and live in the mod_access_compat module instead. If you need the legacy directives to keep working during the transition, make sure that module is loaded ("apachectl -M" lists the loaded modules; Debian and Ubuntu enable access_compat by default, other distributions may not). Treat it as a bridge rather than a destination: the Apache upgrade guide advises against mixing Order/Allow/Deny with Require in the same scope, because the combined result is hard to predict, so convert each section completely rather than adding Require lines next to the old ones.
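To make the translation concrete, here is an added example (not taken from the original article or from the Apache documentation) showing three common 2.2 access-control patterns next to their 2.4 equivalents: allow everyone except one address, restrict a directory to an internal range, and require either a password or an internal address. The directory paths, the password file, the 10.0.0.0/8 range and the blocked address 192.0.2.10 are placeholders.

```apache
# ---------- Apache 2.2 syntax (mod_authz_host / mod_access_compat) ----------

# Allow everyone except one address.
<Directory /var/www/site>
    Order allow,deny
    Allow from all
    Deny from 192.0.2.10
</Directory>

# Only the internal network may reach this directory.
<Directory /var/www/intranet>
    Order deny,allow
    Deny from all
    Allow from 10.0.0.0/8
</Directory>

# Password OR internal address is enough ("Satisfy Any").
<Location /admin>
    AuthType Basic
    AuthName "Admin"
    AuthUserFile /etc/apache2/htpasswd
    Require valid-user
    Order deny,allow
    Deny from all
    Allow from 10.0.0.0/8
    Satisfy Any
</Location>

# ---------- Apache 2.4 syntax (mod_authz_core) ----------

# Allow everyone except one address: the negation must sit inside
# <RequireAll>, otherwise "Require all granted" wins on its own.
<Directory /var/www/site>
    <RequireAll>
        Require all granted
        Require not ip 192.0.2.10
    </RequireAll>
</Directory>

# Only the internal network: anything not matched by a Require is denied,
# so no explicit "deny the rest" line is needed.
<Directory /var/www/intranet>
    Require ip 10.0.0.0/8
</Directory>

# Password OR internal address: "Satisfy Any" becomes an explicit <RequireAny>.
<Location /admin>
    AuthType Basic
    AuthName "Admin"
    AuthUserFile /etc/apache2/htpasswd
    <RequireAny>
        Require valid-user
        Require ip 10.0.0.0/8
    </RequireAny>
</Location>
```

The 2.4 versions are shorter because the default for a resource with no matching Require is "denied"; the 2.2 "Order" dance existed only to express that default. After converting a section, run "apachectl configtest" and then request the resource from an address inside and outside the range to confirm both branches behave as intended.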
The Apache project maintains the complete list of changes in its upgrade guide at https://httpd.apache.org/docs/2.4/upgrading.html. Below we cover some of the important ones that can have a serious impact on your website.
Connection and Child Limiting
- MaxConnectionsPerChild replaces MaxRequestsPerChild. The new name reflects what the counter actually measures: connections, not requests, so with keep-alive one connection may serve many requests before it counts.
- MaxRequestWorkers replaces MaxClients.
Apache 2.4 still accepts the old names as deprecated aliases, so these two renames will not break a configuration by themselves, but update them while you are editing the MPM section anyway.
AllowOverride Default Changed
The AllowOverride directive controls which settings a per-directory .htaccess file may change. Its default has moved from All in 2.2 to None in 2.4, so .htaccess files are ignored unless a <Directory> section enables them explicitly. Most careful administrators were already setting AllowOverride None; now that is the baseline, and you only have to write the directive where you want overrides on, preferably naming the classes you need (FileInfo, AuthConfig, Limit, Indexes, Options) rather than All.
The security benefit is concrete: an attacker who manages to drop a .htaccess file into the document root (through an upload flaw or a writable directory) can no longer enable CGI execution, register handlers or rewrite requests unless you have granted that directory the override. The flip side is that applications which rely on .htaccess for rewrite rules or authentication will stop working after the upgrade until you enable the overrides they need, so check your virtual hosts for directories that depended on the old default.
EnableSendfile Default Changed
The EnableSendfile directive lets Apache use the kernel's sendfile support to hand a static file from the page cache straight to the network socket, without reading it into the server process first. Its default has changed from On in 2.2 to Off in 2.4; if you want it, you now have to switch it On explicitly.
The reason is that sendfile behaviour depends on the file system, the operating system and even the network driver. With a network-mounted document root (NFS, SMB/CIFS, FUSE) the kernel may be unable to serve the file through its own cache, and some platforms have had broken sendfile implementations, which shows up as failed or garbled responses.
Keeping it Off by default lets administrators confirm that their platform handles it correctly, and enable it only for directories holding local static files, before trusting it in production.
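The two defaults above follow the same pattern: locked down server-wide, opened only where needed. As an added example (not from the original article), here is how that looks in a 2.4 configuration. The directory paths are placeholders, and the claim that /var/www/app needs FileInfo and AuthConfig is an assumption about a hypothetical application that ships rewrite rules and an auth section in its own .htaccess.

```apache
# Server-wide baseline: this is the 2.4 default, stated explicitly so the
# intent survives later edits and is visible in a config review.
<Directory />
    AllowOverride None
    Require all denied
</Directory>

# A hypothetical application that keeps RewriteRule and AuthType lines in
# its own .htaccess: grant only the override classes it needs, never All.
<Directory /var/www/app>
    AllowOverride FileInfo AuthConfig
    Require all granted
</Directory>

# Local static assets on a local file system: sendfile is safe here and
# saves the copy through user space.
<Directory /var/www/static>
    EnableSendfile On
    Require all granted
</Directory>

# Content on a network mount: keep the 2.4 default (Off), written out so
# nobody "fixes" it by enabling sendfile globally later.
<Directory /srv/nfs/media>
    EnableSendfile Off
    Require all granted
</Directory>
```

Writing the defaults out explicitly costs nothing and makes the intent reviewable: a later "AllowOverride All" or "EnableSendfile On" added at server scope will be noticed next to these lines, and both directives are scoped per <Directory>, so an exception for one application does not loosen the rest of the server.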
Before you migrate, audit your existing configuration so the transition is smooth: list every Order, Allow, Deny, Satisfy, MaxClients and MaxRequestsPerChild directive, and every directory that depends on .htaccess overrides, and convert them deliberately rather than relying on the compatibility module. Run "apachectl configtest" against the converted configuration before restarting the server. Apache 2.4 provides mostly the same features as 2.2, with the advantage of a simpler syntax and more consistent access control directives.
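As an added example of that audit (not part of the original article, and not an Apache tool), here is a small Python script that scans configuration text for the 2.2-era directives named above and for the one 2.4 mistake that is easy to make by hand: a "Require not" that sits outside <RequireAll>, where it has no effect. The sample configuration embedded at the bottom is constructed for the demonstration; the paths and addresses in it are placeholders. The script does not follow Include directives, so feed it each file you ship.

```python
"""Added audit helper: flag Apache 2.2-era directives and an ineffective
"Require not" before migrating a configuration to 2.4.  Example code, not
part of the original article or of the Apache project."""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line: int
    directive: str
    message: str


# Directives that left the core in 2.4 (now in mod_access_compat) or were renamed.
LEGACY = {
    "order": "replace Order/Allow/Deny with Require (mod_authz_core)",
    "allow": "replace 'Allow from X' with 'Require ip X' or 'Require host X'",
    "deny": "replace 'Deny from X' with 'Require not ip X' inside <RequireAll>",
    "satisfy": "replace 'Satisfy Any/All' with <RequireAny>/<RequireAll>",
    "maxclients": "renamed: MaxClients -> MaxRequestWorkers",
    "maxrequestsperchild": "renamed: MaxRequestsPerChild -> MaxConnectionsPerChild",
}

_CONTAINER = re.compile(r"<(/?)(RequireAll|RequireAny|RequireNone)\s*>", re.IGNORECASE)


def audit(config_text: str) -> List[Finding]:
    """Return one Finding per configuration line that needs attention for 2.4."""
    findings: List[Finding] = []
    stack: List[str] = []  # open authorization containers, innermost last

    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # Apache comments are whole lines
            continue

        m = _CONTAINER.match(line)
        if m:
            if m.group(1):  # closing tag
                if stack:
                    stack.pop()
            else:
                stack.append(m.group(2).lower())
            continue

        words = line.split()
        name = words[0]
        key = name.lower()

        if key in LEGACY:
            findings.append(Finding(lineno, name, LEGACY[key]))
        elif key == "require" and len(words) > 1 and words[1].lower() == "not":
            # Require lines at the same level are joined by an implicit
            # <RequireAny>; a negated Require there can never deny anything,
            # so it only does useful work inside <RequireAll>.
            if not stack or stack[-1] != "requireall":
                findings.append(Finding(lineno, "Require not",
                                        "negated Require is only effective inside <RequireAll>"))
    return findings


# Constructed sample: a 2.2-style fragment plus one half-migrated block.
SAMPLE_CONFIG = """\
<IfModule mpm_prefork_module>
    MaxClients          150
    MaxRequestsPerChild 1000
</IfModule>
<Directory /var/www/site>
    Order allow,deny
    Allow from all
    Deny from 192.0.2.10
</Directory>
<Location /admin>
    AuthType Basic
    Require valid-user
    Satisfy Any
    Require ip 10.0.0.0/8
</Location>
<Directory /var/www/upload>
    # Half-migrated: the negation sits outside <RequireAll>, so it is ineffective.
    Require all granted
    Require not ip 192.0.2.10
</Directory>
<Directory /var/www/ok>
    <RequireAll>
        Require all granted
        Require not ip 192.0.2.10
    </RequireAll>
</Directory>
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"line {f.line:>3}: {f.directive:<20} {f.message}")
```

Run against the sample it reports seven lines: the two MPM renames, the Order/Allow/Deny triple, the Satisfy, and the unwrapped "Require not" in /var/www/upload, while the correctly wrapped block in /var/www/ok passes. The script is deliberately line-oriented and ignores AllowOverride, since whether a directory needs overrides is a question about the application, not about syntax; that part of the audit stays manual.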