Order/Allow/Deny fiasco

Problems with the Windows version of XAMPP, questions, comments, and anything related.

Order/Allow/Deny fiasco

Postby gsmith » 01. July 2014 19:57

A sort of an off-topic reply to viewtopic.php?f=16&t=69001
Altrea wrote:NameVirtualHost Definition is obsolet with PHP 5.5 and will produce a Notice in your log

I do not know what this has to do with PHP but it is definitely obsolete in Apache 2.4

Altrea wrote:
DigitalArtwork wrote: Order Allow,Deny
Allow From All

This is old access syntax and only functional for Apache 2.4 through a compatibility module.
If the new Syntax is already used in prior definitions you will not override it with this definitions so you will very common get an http status error 403 anyway.

Exactly, and I was wondering where users of Xampp are getting this from so I had a look through the config. There are some traces of Order/Allow/Deny still in there.

By removing all traces of Order/Allow/Deny from the config you remove the need for mod_access_compat, which when not loaded Apache will not recognize the old Order/Allow/Deny directives. In my opinion, this is a better place to start a user of Xampp from. Teach them properly at the start. So here are these and other config suggestion I have. Do with or nothing with as you wish :)

Code: Select all
# XAMPP Win32 configuration suggestions
#
# Remove the ability to use Order/Allow/Deny, force users to wrap their
# head around the "Require" directive. Teach them properly from the start.
#
# If they will need AcceptFilter http none, they will most likely also need
# AcceptFilter https none since SSL is on by default in Xampp.
#
--- win32/xampp/apache/conf/httpd.conf   (revision 8)
+++ win32/xampp/apache/conf/httpd.conf   (working copy)
@@ -62,7 +62,7 @@
 # LoadModule foo_module modules/mod_foo.so
 #
 
-LoadModule access_compat_module modules/mod_access_compat.so
+#LoadModule access_compat_module modules/mod_access_compat.so
 LoadModule actions_module modules/mod_actions.so
 LoadModule alias_module modules/mod_alias.so
 LoadModule allowmethods_module modules/mod_allowmethods.so
@@ -207,6 +207,7 @@
 # XAMPP: We disable operating system specific optimizations for a listening
 # socket by the http protocol here. IE 64 bit make problems without this. 
 AcceptFilter http none
+AcceptFilter https none
 
 #
 # Note that from this point forward you must specifically allow
#
# Remove all uses of the old Order/Allow/Deny from the default config.
#
--- win32/xampp/apache/conf/extra/httpd-userdir.conf   (revision 8)
+++ win32/xampp/apache/conf/extra/httpd-userdir.conf   (working copy)
@@ -19,12 +19,10 @@
     AllowOverride FileInfo AuthConfig Limit Indexes
     Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
     <Limit GET POST OPTIONS>
-        Order allow,deny
-        Allow from all
+        Require all granted
     </Limit>
     <LimitExcept GET POST OPTIONS>
-        Order deny,allow
-        Deny from all
+        Require all denied
     </LimitExcept>
 </Directory>
 
#
# Remove all uses of the old Order/Allow/Deny from the default config.
#
--- win32/xampp/apache/conf/extra/httpd-xampp.conf   (revision 8)
+++ win32/xampp/apache/conf/extra/httpd-xampp.conf   (working copy)
@@ -118,9 +118,7 @@
 # New XAMPP security concept
 #
 <LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
-   Order deny,allow
-   Deny from all
-   Allow from ::1 127.0.0.0/8 \
+   Require ip ::1 127.0.0.0/8 \
       fc00::/7 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 \
       fe80::/10 169.254.0.0/16
 
#
# Remove NameVirtualHost from the default config as it has been from the upstream config.
# http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/docs/conf/extra/httpd-vhosts.conf.in?view=co
#
# Configure the first (Default) host for the user pointing to the default htdocs location.
#
--- win32/xampp/apache/conf/extra/httpd-vhosts.conf   (revision 8)
+++ win32/xampp/apache/conf/extra/httpd-vhosts.conf   (working copy)
@@ -16,7 +16,14 @@
 #
 # Use name-based virtual hosting.
 #
-##NameVirtualHost *:80
+
+#
+# The "Default" host. Place all new virtual hosts below this.
+#
+
+<VirtualHost _default_:80>
+   DocumentRoot "/xampp/htdocs"
+</VirtualHost>
 
 #
 # VirtualHost example:
@@ -24,6 +31,7 @@
 # The first VirtualHost section is used for all requests that do not
 # match a ServerName or ServerAlias in any <VirtualHost> block.
 #
+
 ##<VirtualHost *:80>
     ##ServerAdmin postmaster@dummy-host.localhost
     ##DocumentRoot "/xampp/htdocs/dummy-host.localhost"

Last edited by gsmith on 01. July 2014 22:26, edited 2 times in total.
gsmith
 
Posts: 194
Joined: 29. November 2013 18:04
Location: San Diego
XAMPP version: 0.0.0
Operating System: Win XP to 2012R2/VS 6,9,11,14

Re: Order/Allow/Deny fiasco

Postby Altrea » 01. July 2014 20:14

gsmith wrote:A sort of an off-topic reply to viewtopic.php?f=16&t=69001
Altrea wrote:NameVirtualHost Definition is obsolet with PHP 5.5 and will produce a Notice in your log

I do not know what this has to do with PHP but it is definitely obsolete in Apache 2.4

Thanks your pointing that out. I have corrected my other thread :)

I mostly agree with your improvements, exept the one line where you have used Require all granted instead of Require all denied.
<LimitExcept GET POST OPTIONS>
- Order deny,allow
- Deny from all
+ Require all granted
</LimitExcept>


I will create a Bug report with this changes. Thanks for the good work.
We don't provide any support via personal channels like PM, email, Skype, TeamViewer!

It's like porn for programmers 8)
User avatar
Altrea
AF Moderator
 
Posts: 8294
Joined: 17. August 2009 13:05
XAMPP version: several
Operating System: Windows 10 Pro x64

Re: Order/Allow/Deny fiasco

Postby gsmith » 01. July 2014 21:11

Altrea wrote:I mostly agree with your improvements, exept the one line where you have used Require all granted instead of Require all denied.
<LimitExcept GET POST OPTIONS>
- Order deny,allow
- Deny from all
+ Require all granted
</LimitExcept>


Well now if that isn't an embarrassing copy & paste error :oops:
Thanks for catching it! I'll edit and fix the above.
gsmith
 
Posts: 194
Joined: 29. November 2013 18:04
Location: San Diego
XAMPP version: 0.0.0
Operating System: Win XP to 2012R2/VS 6,9,11,14

Re: Order/Allow/Deny fiasco

Postby gsmith » 01. July 2014 22:26

I really blew it. the end of httpd-xampp.conf should be
Code: Select all
@@ -118,8 +118,7 @@
 # New XAMPP security concept
 #
 <LocationMatch "^/(?i:(?:xampp|security|licenses|phpmyadmin|webalizer|server-status|server-info))">
-  Require all denied
-   Allow from ::1 127.0.0.0/8 \
+   Require ip ::1 127.0.0.0/8 \
       fc00::/7 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 \
       fe80::/10 169.254.0.0/16
 


again, fixed above
gsmith
 
Posts: 194
Joined: 29. November 2013 18:04
Location: San Diego
XAMPP version: 0.0.0
Operating System: Win XP to 2012R2/VS 6,9,11,14


Return to XAMPP for Windows

Who is online

Users browsing this forum: No registered users and 22 guests