Le 04/11/2015 19:55, Yolanda Robla Mota a écrit : > Hello Infra > > I want to start a thread about the best way to reconcile the apache > fixes that we put on place for upgrade to apache >= 2.4 > The are two different ways now: > > 1. rely on apache mod_version , and add a check inside apache vhosts: > > <IfVersion >= 2.4> > Require all granted > </IfVersion> > > That is the fix currently on place for puppet-httpd, puppet-cgit, and > some other modules. It is quite simple, but has the disadvantage of > depending on > mod_version apache module, so every manifest using that needs to ensure > that mod_version is installed. > > 2. Rely on satisfy any: > > Allow from all > Satisfy Any > > It doesn't need an extra check for version, but it is deprecated as > shown on: https://httpd.apache.org/docs/2.4/howto/auth.html . It also > needs module mod_access_compat to be present > in newer apache versions. We currently have this on puppet-zuul. > > 3. Another alternatives should be: > - add a parameter to puppet-httpd module, so we can pass the apache > version we are expected to have > - create a custom fact to give us the current apache version in puppet, > and do the apache check using that fact instead of relying in mod_version > - use osfamily/operatingsystem/lsbrelease facts to decide about apache > version, and apply proper directives there > > I'd like to get more opinions about how to better proceed with that, and > ensure that all infra puppet modules are following the same criteria.
Hello, The relevant Apache 2.4 documentation is at: http://httpd.apache.org/docs/2.4/en/upgrading.html#access Wikimedia is migrating from Ubuntu Precise/Trusty to Debian Jessie and ended up adding a bunch of: - Order deny,allow - Allow from all + <IfVersion >= 2.4> + Require all granted + </IfVersion> + <IfVersion < 2.4> + Order deny,allow + Allow from all + </IfVersion> Another solution on Apache 2.4 is to use mod_access_compat https://httpd.apache.org/docs/2.4/en/mod/mod_access_compat.html On Jessie it is installed (but not enabled) with 'apache2' package: $ dpkg -S /etc/apache2/mods-available/access_compat.load apache2: /etc/apache2/mods-available/access_compat.load -- Antoine "hashar" Musso _______________________________________________ OpenStack-Infra mailing list OpenStack-Infra@lists.openstack.org http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-infra
