I've just update my Apache server to Apache/2.4.6 which is running under Ubuntu 13.04. I used to have a vhost file that had the following:
<Directory "/home/john/development/foobar/web">
AllowOverride All
</Directory>
But when I ran that I got a "Forbidden. You don't have permission to access /"
After doing a little bit of googling I found out that to get my site working again I needed to add the following line "Require all granted" so that my vhost looked like this:
<Directory "/home/john/development/foobar/web">
AllowOverride All
Require all granted
</Directory>
I want to know if this is "safe" and does not bring in any security issues. I read on Apache's page that this "mimics the functionality the was previously provided by the 'Allow from all' and 'Deny from all' directives. This provider can take one of two arguments which are 'granted' or 'denied'. The following examples will grant or deny access to all requests."
But it didn't say if this was a security issue of some sort or why we now have to do it when in the past you did not have to.
The access control configuration changed in 2.4, and old configurations aren't compatible without some changes. See here.
If your old config was
Allow from all
(no IP addresses blocked from accessing the service), thenRequire all granted
is the new functional equivilent.In Apache 2.2 would be like:
In Apache 2.4 would be like:
Be carefully when using
.htaccess
authentication, this new syntax can do some bad and unexpected things, if that is your case please read: Apache 2.4 wants me to decide: Require valid ip or require valid user and you should be fine!