Idea: Apache configuration snippets

Adam Williamson adamwill at
Mon Feb 23 17:01:42 UTC 2015

On Mon, 2015-02-23 at 09:47 +0100, Remi Collet wrote:
> On 22/02/2015 20:08, Adam Williamson wrote:
> > On Sun, 2015-02-22 at 18:51 +0100, Remi Collet wrote:
> > > On 22/02/2015 07:21, Adam Williamson wrote:
> > > > Working on the ownCloud package today, it occurred to me that 
> > > > we probably have quite a lot of packages carrying Apache access
> > > > control snippets around, like these:
> > > 
> > > This configuration has a big advantage, it can be upstream ;)
> > 
> > Sorry, I don't quite get it - can you unpack a bit? What 
> > configuration can be upstream? The existing .conf files with all 
> > the boilerplate? What upstreams carry those?
> Some upstreams provide the httpd configuration file.
> Ex: ocsinventory [1]
> (even if this one is not 2.4 aware despite my having sent them the 
> needed changes months ago...)

Hum, OK.

> Some other projects (perhaps more common) provide some .htaccess 
> files in their source tree (these files have to be 2.4 aware, and 
> the httpd conf file is "mostly" a merge of all the .htaccess).

This still usually needs manual changes, though, because often you 
can't just copy the .htaccess file into /etc/httpd/conf.d and be done 
with it. In fact, ownCloud is exactly this kind of thing, and is why I 
thought of using Included snippets in the first place.

Upstream ownCloud provides a detailed .htaccess for the whole 
/owncloud tree. In the Fedora package we split it up into three 
different locations, so I have to apply the same config to all three 
places. I could use DirectoryMatch but the regex is pretty ungainly 
and it seems to make later overrides difficult, so instead I went with 
separate Directory sections, but then I had a huge config file which 
included the same laundry list of directives three times.

So I wrote a '.inc' file containing the shared directives and 
Include'd it for all three directories, then thought of doing the same 
for the authorization stuff, then thought 'well, couldn't lots of 
other things benefit from the authorization stuff too? And I'd feel 
safer if this whole use of included files were a distro policy with 
official locations and things'.

So anyway - if you have to interpret upstream's .htaccess in any case, 
replacing the boilerplate with an include is pretty easy, and to my 
mind makes the config cleaner and more readable.

It seems like something that may be difficult to upstream to web apps 
in most cases, because they may well not have the same 
policies/deployment expectations as us. I doubt for instance that OC 
would accept a 'local access only' default (even though it really 
should protect the initial setup process somehow...) as it's so often 
deployed on shared hosting and other environments where launching a 
browser from the server system is impossible/impractical.

OC package change: (note that for master branch there's only *two* directories that need 
the config applied, the extra one shows up in OC 8; I actually wrote 
this on the OC 8 branch and then decided to move it to master as it's 
useful for 7.x as well).

> Notices:
> 1. <IfModule mod_authz_core.c> can be used on all distros, which is
> the reason why I proposed this one first (and it has been 
> adopted in most of our packages).

Is this documented somewhere? When I went looking for it in the wiki I 
couldn't find anything. My version of the snippets is just cargo-
culted from some other package.

In fact, we seem to have a severe lack of web app policy/guidelines in 
general, unless I'm missing something - all I could find is , 
which is hardly comprehensive. I mostly try to base my choices off 
what the most prominent/well-maintained web app packages do, but 
sometimes it'd be nice to have more explicit docs.

For instance, in the same ownCloud change linked above, I went with 
something to try and help people set up universal access when 
appropriate (because I find the 'local only by default' often 
confuses people, and when they do override it, they don't always do it 
in a good way): the owncloud-access-httpd.conf.avail file and the 
instructions relating to it. But I was a bit nervous because of the 
dearth of web application packaging documentation/guidelines. I can't 
think of a reason why it'd be a bad thing to do, but it's always hard 
to prove a negative.
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
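
The layout described in this message, as an added example that is not part of the original e-mail or of the ownCloud package: shared directives and a local-only access rule each live in one included file and are pulled into several Directory sections. All file names, the `webapp` name and the three directory paths are hypothetical, and the shared directive shown is a stand-in for whatever upstream's .htaccess would contribute.

```apache
# --- conf.d/webapp-auth.inc (hypothetical name) ---
# Not matched by conf.d/*.conf, so httpd only reads it where it is Include'd.
# Local-only access, written once for both httpd 2.4 and httpd 2.2.
<IfModule mod_authz_core.c>
    # httpd 2.4 syntax
    Require local
</IfModule>
<IfModule !mod_authz_core.c>
    # httpd 2.2 syntax
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
    Allow from ::1
</IfModule>

# --- conf.d/webapp-shared.inc (hypothetical name) ---
# Directives every application directory needs (stand-in content).
Options -Indexes

# --- conf.d/webapp.conf (hypothetical name) ---
# Include paths are relative to ServerRoot.
Alias /webapp /usr/share/webapp

<Directory /usr/share/webapp>
    Include conf.d/webapp-shared.inc
    Include conf.d/webapp-auth.inc
</Directory>

<Directory /etc/webapp>
    Include conf.d/webapp-shared.inc
    Include conf.d/webapp-auth.inc
</Directory>

<Directory /var/lib/webapp>
    Include conf.d/webapp-shared.inc
    Include conf.d/webapp-auth.inc
    # A per-directory override can follow the includes here.
</Directory>
```

Because the access rule exists in exactly one file, widening or tightening it is a single edit that applies to all three directories; `apachectl configtest` confirms the includes resolve before a reload.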
