How To Migrate your Apache Configuration from 2.2 to 2.4 Syntax


Apache is the most popular web server, used by millions of sites around the world. Most websites use Apache 2.2 configuration syntax. However, many of the newer distributions (e.g. Ubuntu 14.04 onwards) ship with Apache 2.4. Although most of the syntax remains the same, there are important differences, as some features have been deprecated. Let us look at how to migrate your Apache configuration from 2.2 to 2.4 syntax.

 


 

Authorization Changes

Authorization allows you to define what authenticated users can/cannot do. While authentication has not changed much from 2.2, authorization has been overhauled.

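First of all, you can use the Require directive to define authorization order easily, by defining the default behavior and then the exceptions.

For example, if you want to accept traffic by default but block a malicious IP (e.g. 111.111.111.111), you can add something like the following. The negated rule has to sit inside a RequireAll block, because Require directives outside a block are treated as RequireAny and Apache rejects a "Require not" there.

<RequireAll>
 Require all granted
 Require not ip 111.111.111.111
</RequireAll>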

You can define authorization rules based not only on users or groups but also on other factors such as an environment variable, the client's host name or IP address, or a catch-all value such as all:

  • all: matches all traffic
  • env: tests whether an environment variable is set.
  • host: used to check the host name of a connecting client.
  • ip: matches IP address of the user.

You can further combine them using the following special blocks:

 

  • RequireAll: All of the authorization requirements in the block must be fulfilled to allow access.
  • RequireAny: If any of the authorization requirements in this block are met, this block is marked as satisfied.
  • RequireNone: If any of the requirements listed succeed, the directive will fail.

 

You can even nest them, as shown below:


<RequireAny>
 <RequireAll>
  Require user root
  Require ip 101.101.101.101
 </RequireAll>
 <RequireAll>
  <RequireAny>
   Require group sysadmin
   Require group useraccount
   Require user tony
  </RequireAny>
  <RequireNone>
   Require group restrictadmin
   Require host badhost.com
  </RequireNone>
 </RequireAll>
</RequireAny>

 

In the above example, access is granted in two cases: to the user root connecting from 101.101.101.101, or to a member of the sysadmin or useraccount group (or the user named “tony”), provided they are not part of the “restrictadmin” group and are not coming from the badhost.com host.

The new syntax is a lot easier to understand and more consistent. Old access control directives such as Order, Allow from, Deny from, and Satisfy have been deprecated. In fact, they have been moved to the mod_access_compat module. So if you want to support these legacy directives, you need to enable that module.

 

 

Here’s a complete list of changes. Below we will cover some of the important ones that can have a serious impact on your website.

Connection and Child Limiting

  1. MaxConnectionsPerChild has replaced MaxRequestsPerChild
  2. MaxRequestWorkers has replaced MaxClients

 

 

AllowOverride Changes

The AllowOverride directive controls whether directory-specific configuration files (.htaccess) can override the settings in the main config files. It has been slightly modified to have a default value of None. This means your websites will be more secure by having a more locked-down configuration.

Now your server config will be locked down by default, and you need to specifically allow overrides only where needed. This was something most admins were doing already. Now, you don’t need to explicitly do it with an AllowOverride None declaration.

It also makes your website less vulnerable to external attacks.

 

SendFile Default Changed

The EnableSendFile directive lets Apache use the operating system's sendfile support to send a file on the server to the client, without having to read its contents. It defaults to Off from Apache 2.4 onwards, so you now have to explicitly switch it On.

Since file transfer and management depend on file systems, operating systems, and hardware, it’s best to keep it Off by default. Incorrect implementation can result in operation failure.

Keeping it Off by default allows administrators to check for system compatibility before enabling it.

 

 

Conclusion

Before you migrate your Apache configuration, audit your existing configuration so that the transition is smooth. Migrating to Apache 2.4 will provide mostly the same features, with the advantage of easier syntax and more intuitive server directives.
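
One way to run that audit, as an added example that is not part of the original article: the Python script below scans configuration text for the 2.2-only directives named above (Order, Allow from, Deny from, Satisfy, MaxClients, MaxRequestsPerChild) and reports a 2.4 hint for each. The function names and the sample fragment are constructed for illustration, and the Allow/Deny hints are starting points, since the final rule depends on the surrounding Order and Satisfy lines.

```python
import re

# Directive renames named in the article (2.2 name, lower-cased -> 2.4 name).
RENAMED = {"maxclients": "MaxRequestWorkers", "maxrequestsperchild": "MaxConnectionsPerChild"}

def _require(target, negate=False):  # Require line for one Allow/Deny target
    if target.lower() == "all":
        return "Require all denied" if negate else "Require all granted"
    kind = "ip" if re.fullmatch(r"[\d./]+", target) or ":" in target else "host"
    return f"Require {'not ' if negate else ''}{kind} {target}"

def hint(name, args):
    """Suggest a 2.4 replacement for one 2.2 directive; a starting point, not a verdict."""
    if name in RENAMED:
        return f"{RENAMED[name]} {args}"
    words = args.split()
    if name in ("allow", "deny") and len(words) >= 2 and words[0].lower() == "from":
        lines = [_require(t, negate=(name == "deny")) for t in words[1:]]
        wrap = " (inside <RequireAll>)" if any(" not " in l for l in lines) else ""
        return "; ".join(lines) + wrap
    if name == "order":
        return "remove; express precedence with <RequireAll>/<RequireAny>/<RequireNone>"
    if name == "satisfy":
        return f"wrap host and user requirements in <Require{'Any' if args.lower() == 'any' else 'All'}>"
    return None  # not one of the 2.2-only directives covered here

def audit(config_text):
    """Return (line_number, directive_line, hint) for every 2.2-style directive found."""
    findings = []
    for number, raw in enumerate(config_text.splitlines(), 1):
        line = " ".join(raw.split())  # normalise tabs and repeated spaces
        name, _, args = line.partition(" ")  # comments and <Section> tags match nothing below
        suggestion = hint(name.lower(), args)
        if suggestion:
            findings.append((number, line, suggestion))
    return findings

# Constructed sample of a 2.2-era configuration fragment, for illustration only.
SAMPLE = """\
MaxClients 150
<Directory /var/www/html>
    Order allow,deny
    Allow from all
    Deny from 111.111.111.111
</Directory>
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

An empty result means none of these directives remain, so mod_access_compat is not needed for that file.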

About Sreeram Sreenivasan

Sreeram Sreenivasan is the Founder of Ubiq, a business dashboard & reporting platform for small & medium businesses.