"Require all granted" in Apache configuration


Post by aho@salt » 10 September 2015 13:04

Hello Apache Friends,

I have a question about my Apache configuration. We currently run Ubuntu 14.04 LTS and Apache 2.4.

We operate an OTRS ticket system. After upgrading the OS (from Ubuntu 12) and Apache, SSO against a Windows domain stopped working. Kerberos was configured correctly.

After a long search I did find the cause. It was the "Require all granted" directive used from Apache 2.4 onward. You can see the config below.
SSO only works if I comment out the "Require all granted" part in the Location section completely and it is present exactly once in the Directory section. If this configuration / number is changed, SSO no longer works.

Can someone help me understand why it has to be EXACTLY like this, or whether I am creating a security hole of some kind here, and what I actually achieve with "Require all granted"?


Thanks for your help!!!!


Best regards

Andreas

Code:
# --
# added for OTRS (http://otrs.org/)
# --

ScriptAlias /otrs/ "/opt/otrs/bin/cgi-bin/"
Alias /otrs-web/ "/opt/otrs/var/httpd/htdocs/"

<IfModule mod_perl.c>

    # Setup environment and preload modules
    PerlRequire /opt/otrs/scripts/apache2-perl-startup.pl

    # Reload Perl modules when changed on disk
    PerlModule Apache2::Reload
    PerlInitHandler Apache2::Reload

    # general mod_perl2 options
    <Location /otrs>
#        ErrorDocument 403 /otrs/customer.pl
        ErrorDocument 403 /otrs/index.pl
        SetHandler  perl-script
        PerlResponseHandler ModPerl::Registry
        Options +ExecCGI
        PerlOptions +ParseHeaders
        PerlOptions +SetupEnv

#        <IfModule mod_version.c>
#           <IfVersion < 2.4>
#               Order allow,deny
#               Allow from all
#           </IfVersion>
#           <IfVersion >= 2.4>
#               Require all granted
#           </IfVersion>
#        </IfModule>
#        <IfModule !mod_version.c>
#            Order allow,deny
#           Allow from all
#        </IfModule>
    </Location>

    # mod_perl2 options for GenericInterface
    <Location /otrs/nph-genericinterface.pl>
        PerlOptions -ParseHeaders
    </Location>

</IfModule>

<Directory "/opt/otrs/bin/cgi-bin/">
    AllowOverride None
    Options +ExecCGI -Includes

    #--- SSO ---
    AuthType Kerberos
    AuthName "OTRS"
    Krb5Keytab /etc/apache2/otrs.keytab
    KrbAuthRealm XXDOMAINXX.DE
    KrbMethodNegotiate On
    Require valid-user

    #--- SSO ---
#    <IfModule mod_version.c>
#        <IfVersion < 2.4>
#            Order allow,deny
#            Allow from all
#        </IfVersion>
#        <IfVersion >= 2.4>
#           Require all granted
#        </IfVersion>
#    </IfModule>
#    <IfModule !mod_version.c>
#        Order allow,deny
#        Allow from all
#    </IfModule>

    <IfModule mod_deflate.c>
        AddOutputFilterByType DEFLATE text/html text/javascript text/css text/xml application/json text/json
    </IfModule>
</Directory>

<Directory "/opt/otrs/var/httpd/htdocs/">
    AllowOverride None
#    <IfModule mod_version.c>
#        <IfVersion < 2.4>
#            Order allow,deny
#            Allow from all
#        </IfVersion>
#        <IfVersion >= 2.4>
            Require all granted
#        </IfVersion>
#    </IfModule>
#    <IfModule !mod_version.c>
#        Order allow,deny
#        Allow from all
#    </IfModule>

    <IfModule mod_deflate.c>
        AddOutputFilterByType DEFLATE text/html text/javascript text/css text/xml application/json text/json
    </IfModule>

    # Make sure CSS and JS files are read as UTF8 by the browsers.
    AddCharset UTF-8 .css
    AddCharset UTF-8 .js

    # Set explicit mime type for woff fonts since it is relatively new and apache may not know about it.
    AddType application/font-woff .woff

</Directory>

<IfModule mod_headers.c>
    # Cache css-cache for 30 days
    <Directory "/opt/otrs/var/httpd/htdocs/skins/*/*/css-cache">
        <FilesMatch "\.(css|CSS)$">
            Header set Cache-Control "max-age=2592000 must-revalidate"
        </FilesMatch>
    </Directory>

    # Cache css thirdparty for 4 hours, including icon fonts
    <Directory "/opt/otrs/var/httpd/htdocs/skins/*/*/css/thirdparty">
        <FilesMatch "\.(css|CSS|woff|svg)$">
            Header set Cache-Control "max-age=14400 must-revalidate"
        </FilesMatch>
    </Directory>

    # Cache js-cache for 30 days
    <Directory "/opt/otrs/var/httpd/htdocs/js/js-cache">
        <FilesMatch "\.(js|JS)$">
            Header set Cache-Control "max-age=2592000 must-revalidate"
        </FilesMatch>
    </Directory>

    # Cache js thirdparty for 4 hours
    <Directory "/opt/otrs/var/httpd/htdocs/js/thirdparty/">
        <FilesMatch "\.(js|JS)$">
            Header set Cache-Control "max-age=14400 must-revalidate"
        </FilesMatch>
    </Directory>
</IfModule>

# Limit the number of requests per child to avoid excessive memory usage
MaxRequestsPerChild 4000
aho@salt
 
Posts: 2
Joined: 10. September 2015 12:33
Operating System: Ubuntu 14.04
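
Added example, not part of the original post or of the OTRS-supplied configuration: how Apache 2.4 combines the `Require` lines in the configuration above, which is why their number and position decide whether the Kerberos handshake runs at all. Paths and Kerberos settings are those from the post; the commented-out "wrong" lines and the 192.0.2.0/24 range are constructed for illustration, and the mod_perl handler lines are omitted.

```apache
# Constructed illustration. Paths and Kerberos settings are those in the post;
# the commented-out "wrong" lines and the 192.0.2.0/24 range are assumptions.

<Directory "/opt/otrs/bin/cgi-bin/">
    AllowOverride None
    Options +ExecCGI -Includes

    AuthType Kerberos
    AuthName "OTRS"
    Krb5Keytab /etc/apache2/otrs.keytab
    KrbAuthRealm XXDOMAINXX.DE
    KrbMethodNegotiate On

    # The only authorization rule for the CGI scripts: an authenticated user.
    Require valid-user

    # Wrong: several bare Require lines in one section are wrapped in an
    # implicit <RequireAny>. "all granted" matches every request, so access
    # is allowed before any Negotiate challenge is sent.
    #Require all granted
</Directory>

<Location /otrs>
    # Wrong: <Location> is merged after <Directory>, and with the default
    # "AuthMerging Off" a Require here replaces the inherited
    # "Require valid-user" instead of adding to it.
    #Require all granted

    # If a rule is needed at this level, combine it with the inherited one:
    #AuthMerging And
    #Require ip 192.0.2.0/24
</Location>

<Directory "/opt/otrs/var/httpd/htdocs/">
    AllowOverride None
    # Static CSS/JS/images only. This is the 2.4 form of "Order allow,deny"
    # plus "Allow from all": access without authentication is intended here.
    Require all granted
</Directory>
```

After a reload, an unauthenticated request such as `curl -sI http://<server>/otrs/index.pl` should return `401` with a `WWW-Authenticate: Negotiate` header, while `/otrs-web/` stays reachable without credentials. A `200` on the first request means one of the "wrong" lines is active and the CGI scripts are being served without authentication.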

Re: "Require all granted" in Apache configuration

Post by Nobbie » 10 September 2015 13:11

aho@salt wrote: and what I actually achieve with "Require all granted"?


http://httpd.apache.org/docs/2.4/upgrading.html
http://httpd.apache.org/docs/2.4/howto/access.html
Nobbie
 
Posts: 13170
Joined: 09. March 2008 13:04

Re: "Require all granted" in Apache configuration

Post by aho@salt » 10 September 2015 14:27

Thanks for your reply. I had of course already "googled" those links as well, but I can't quite make sense of the description.

Re: "Require all granted" in Apache configuration

Post by Nobbie » 10 September 2015 18:12

Then look for other pages; I have no way of knowing when you will understand which page and which explanation.