Idea: Apache configuration snippets
adamwill at fedoraproject.org
Mon Feb 23 17:01:42 UTC 2015
On Mon, 2015-02-23 at 09:47 +0100, Remi Collet wrote:
> On 22/02/2015 20:08, Adam Williamson wrote:
> > On Sun, 2015-02-22 at 18:51 +0100, Remi Collet wrote:
> > > On 22/02/2015 07:21, Adam Williamson wrote:
> > > > Working on the ownCloud package today, it occurred to me that
> > > > we probably have quite a lot of packages carrying Apache access
> > > > control snippets around, like these:
> > >
> > > This configuration has a big advantage, it can be upstream ;)
> > Sorry, I don't quite get it - can you unpack a bit? What
> > configuration can be upstream? The existing .conf files with all
> > the boilerplate? What upstreams carry those?
> Some upstreams provide the httpd configuration file.
> Ex: ocsinventory
> (even if this one is not 2.4 aware despite my having sent them the
> needed changes months ago...)
> Some other projects (perhaps more common) provide some .htaccess
> files in their source tree (these files have to be 2.4 aware, and
> the httpd conf file is "mostly" a merge of all the .htaccess).
This still usually needs manual changes, though, because often you
can't just copy the .htaccess file into /etc/httpd/conf.d and be done
with it. In fact, ownCloud is exactly this kind of thing, and is why I
thought of using Included snippets in the first place.
Upstream ownCloud provides a detailed .htaccess for the whole
/owncloud tree. In the Fedora package we split it up into three
different locations, so I have to apply the same config to all three
places. I could use DirectoryMatch but the regex is pretty ungainly
and it seems to make later overrides difficult, so instead I went with
separate Directory sections, but then I had a huge config file which
included the same laundry list of directives three times.
So I wrote a '.inc' file containing the shared directives and
Include'd it for all three directories, then thought of doing the same
for the authorization stuff, then thought 'well, couldn't lots of
other things benefit from the authorization stuff too? And I'd feel
safer if this whole use of included files were a distro policy with
official locations and things'.
So anyway - if you have to interpret upstream's .htaccess in any case,
replacing the boilerplate with an include is pretty easy, and to my
mind makes the config cleaner and more readable.
It seems like something that may be difficult to upstream to web apps
in most cases, because they may well not have the same
policies/deployment expectations as us. I doubt for instance that OC
would accept a 'local access only' default (even though it really
should protect the initial setup process somehow...) as it's so often
deployed on shared hosting and other environments where launching a
browser from the server system is impossible/impractical.
OC package change:
http://pkgs.fedoraproject.org/cgit/owncloud.git/commit/?id=96267cd5880d3b1baf30fe3fdf17029244b48ed3
(note that for master branch there's only *two* directories that need
the config applied, the extra one shows up in OC 8; I actually wrote
this on the OC 8 branch and then decided to move it to master as it's
useful for 7.x as well).
> 1. <IfModule mod_authz_core.c> can be used on all distros,
> the reason why I have proposed this one first (and it has been
> adopted in most of our packages).
Is this documented somewhere? When I went looking for it in the wiki I
couldn't find anything. My version of the snippets is just cargo-
culted from some other package.
In fact, we seem to have a severe lack of web app policy/guidelines in
general, unless I'm missing something - all I could find is
which is hardly comprehensive. I mostly try to base my choices off
what the most prominent/well-maintained web app packages do, but
sometimes it'd be nice to have more explicit docs.
For instance, in the same ownCloud change linked above, I went with
something to try and help people set up universal access when
appropriate (because I find the 'local only by default' often
confuses people, and when they do override it, they don't always do it
in a good way): the owncloud-access-httpd.conf.avail file and the
instructions relating to it. But I was a bit nervous because of the
dearth of web application packaging documentation/guidelines. I can't
think of a reason why it'd be a bad thing to do, but it's always hard
to prove a negative.
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
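
The pattern discussed in the message above, as an added example that is not taken from the ownCloud package or from either poster: one shared "local access only" snippet that works on both httpd 2.2 and 2.4, Include'd into separate Directory sections instead of being repeated. All file names and directory paths are placeholders, and the snippet assumes the main httpd.conf only auto-loads `conf.d/*.conf`.

```apache
# --- File 1: /etc/httpd/conf.d/example-auth-local.inc (placeholder name) ---
# The .inc suffix keeps this file out of the automatic conf.d/*.conf load
# (assumed default), so it only takes effect where it is explicitly Include'd.
<IfModule mod_authz_core.c>
    # httpd 2.4: mod_authz_core syntax
    Require local
</IfModule>
<IfModule !mod_authz_core.c>
    # httpd 2.2: legacy mod_authz_host syntax
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
    Allow from ::1
</IfModule>

# --- File 2: /etc/httpd/conf.d/example-app.conf (placeholder name) ---
# Three separate Directory sections (placeholder paths) share one policy.
# Each section can still be overridden individually later, which is the
# drawback of a single DirectoryMatch regex mentioned in the message.
<Directory "/usr/share/example-app">
    Include /etc/httpd/conf.d/example-auth-local.inc
</Directory>

<Directory "/var/lib/example-app/data">
    Include /etc/httpd/conf.d/example-auth-local.inc
</Directory>

<Directory "/etc/example-app">
    Include /etc/httpd/conf.d/example-auth-local.inc
</Directory>
```

Running `apachectl configtest` after editing confirms that the Include paths resolve and the directives parse on the installed httpd version.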