New Authorization Containers
The authorization container directives <RequireAll>
, <RequireAny>
and <RequireNone>
may be combined with each other and with the Require
directive to express complex authorization logic.
The example below expresses the following authorization logic. In order to access the resource, the user must either be the superadmin
user, or belong to both the admins
group and the Administrators
LDAP group and either belong to the sales
group or have the LDAP dept
attribute sales
. Furthermore, in order to access the resource, the user must not belong to either the temps
group or the LDAP group Temporary Employees
.
<Directory /www/mydocs>
<RequireAll>
<RequireAny>
Require user superadmin
<RequireAll>
Require group admins
Require ldap-group cn=Administrators,o=Airius
<RequireAny>
Require group sales
Require ldap-attribute dept="sales"
</RequireAny>
</RequireAll>
</RequireAny>
<RequireNone>
Require group temps
Require ldap-group cn=Temporary Employees,o=Airius
</RequireNone>
</RequireAll>
</Directory>
This is gonna be BIG! You can read the whole story at http://httpd.apache.org/docs/trunk/new_features_2_4.html
Core Enhancements
- KeepAliveTimeout in milliseconds
- It is now possible to specify
KeepAliveTimeout
in milliseconds. - Simple MPM
- Cleanroom MPM implementation with advanced thread pool management
- Loadable MPMs
- Multiple MPMs can now be built as loadable modules at compile time. The MPM of choice can be configured at run time.
Module Enhancements
mod_ssl
mod_ssl
can now be configured to use an OCSP server to check the validation status of a client certificate. The default responder is configurable, along with the decision on whether to prefer the responder designated in the client certificate itself.mod_ssl
now also supports OCSP stapling, where the server pro-actively obtains an OCSP verification of its certificate and transmits that to the client during the handshake.mod_ssl
can now be configured to share SSL Session data between servers through memcachedmod_lua
- Embeds the Lua language into httpd, for configuration and small business logic functions.
mod_proxy_fcgi
- FastCGI Protocol backend for
mod_proxy
Program Enhancements
- fcgistarter – FastCGI deamon starter utility
Module Developer Changes
- Check Configuration Hook Added
- A new hook,
check_config
, has been added which runs between thepre_config
andopen_logs
hooks. It also runs before thetest_config
hook when the-t
option is passed tohttpd
. Thecheck_config
hook allows modules to review interdependent configuration directive values and adjust them while messages can still be logged to the console. The user can thus be alerted to misconfiguration problems before the coreopen_logs
hook function redirects console output to the error log. - Expression Parser Added
- We now have a general-purpose expression parser, whose API is exposed in ap_expr.h. This is adapted from the expression parser previously implemented in
mod_include
. - Authorization Logic Containers
- Advanced authorization logic may now be specified using the
Require
directive and the related container directives, such as<RequireAll>
, all provided by themod_authz_core
module. - Small-Object Caching Interface
- The ap_socache.h header exposes a provider-based interface for caching small data objects, based on the previous implementation of the
mod_ssl
session cache. Providers using a shared-memory cyclic buffer, disk-based dbm files, and a memcache distributed cache are currently supported.
Full List of Security / Code Changes
-*- coding: utf-8 -*- Changes with Apache 2.2.15 *) SECURITY: CVE-2009-3555 (cve.mitre.org) mod_ssl: Comprehensive fix of the TLS renegotiation prefix injection attack when compiled against OpenSSL version 0.9.8m or later. Introduces the 'SSLInsecureRenegotiation' directive to reopen this vulnerability and offer unsafe legacy renegotiation with clients which do not yet support the new secure renegotiation protocol, RFC 5746. [Joe Orton, and with thanks to the OpenSSL Team] *) SECURITY: CVE-2009-3555 (cve.mitre.org) mod_ssl: A partial fix for the TLS renegotiation prefix injection attack by rejecting any client-initiated renegotiations. Forcibly disable keepalive for the connection if there is any buffered data readable. Any configuration which requires renegotiation for per-directory/location access control is still vulnerable, unless using OpenSSL >= 0.9.8l. [Joe Orton, Ruediger Pluem, Hartmut Keil ] *) SECURITY: CVE-2010-0408 (cve.mitre.org) mod_proxy_ajp: Respond with HTTP_BAD_REQUEST when the body is not sent when request headers indicate a request body is incoming; not a case of HTTP_INTERNAL_SERVER_ERROR. [Niku Toivola ] *) SECURITY: CVE-2010-0425 (cve.mitre.org) mod_isapi: Do not unload an isapi .dll module until the request processing is completed, avoiding orphaned callback pointers. [Brett Gervasoni , Jeff Trawick] *) SECURITY: CVE-2010-0434 (cve.mitre.org) Ensure each subrequest has a shallow copy of headers_in so that the parent request headers are not corrupted. Elimiates a problematic optimization in the case of no request body. PR 48359 [Jake Scott, William Rowe, Ruediger Pluem] *) mod_reqtimeout: New module to set timeouts and minimum data rates for receiving requests from the client. [Stefan Fritsch] *) mod_proxy_ajp: Really regard the operation a success, when the client aborted the connection. In addition adjust the log message if the client aborted the connection. [Ruediger Pluem] *) mod_negotiation: Preserve query string over multiviews negotiation. This buglet was fixed for type maps in 2.2.6, but the same issue affected multiviews and was overlooked. PR 33112 [Joergen Thomsen ] *) mod_cache: Introduce the thundering herd lock, a mechanism to keep the flood of requests at bay that strike a backend webserver as a cached entity goes stale. [Graham Leggett] *) mod_proxy_http: Make sure that when an ErrorDocument is served from a reverse proxied URL, that the subrequest respects the status of the original request. This brings the behaviour of proxy_handler in line with default_handler. PR 47106. [Graham Leggett] *) mod_log_config: Add the R option to log the handler used within the request. [Christian Folini ] *) mod_include: Allow fine control over the removal of Last-Modified and ETag headers within the INCLUDES filter, making it possible to cache responses if desired. Fix the default value of the SSIAccessEnable directive. [Graham Leggett] *) mod_ssl: Fix a potential I/O hang if a long list of trusted CAs is configured for client cert auth. PR 46952. [Joe Orton] *) core: Fix potential memory leaks by making sure to not destroy bucket brigades that have been created by earlier filters. [Stefan Fritsch] *) mod_authnz_ldap: Add AuthLDAPBindAuthoritative to allow Authentication to try other providers in the case of an LDAP bind failure. PR 46608 [Justin Erenkrantz, Joe Schaefer, Tony Stevenson] *) mod_proxy, mod_proxy_http: Support remote https proxies by using HTTP CONNECT. PR 19188. [Philippe Dutrueux , Rainer Jung] *) worker: Don't report server has reached MaxClients until it has. Add message when server gets within MinSpareThreads of MaxClients. PR 46996. [Dan Poirier] *) mod_ssl: When extracting certificate subject/issuer names to the SSL_*_DN_* variables, handle RDNs with duplicate tags by exporting multiple varialables with an "_n" integer suffix. PR 45875. [Joe Orton, Peter Sylvester ] *) mod_authnz_ldap: Failures to map a username to a DN, or to check a user password now result in an informational level log entry instead of warning level. [Eric Covener] *) core: Preserve Port information over internal redirects PR 35999 [Jonas Ringh ] *) mod_filter: fix FilterProvider matching where "dispatch" string doesn't exist. PR 48054 [] *) Build: fix --with-module to work as documented PR 43881 [Gez Saunders ] *) mod_mime: Make RemoveType override the info from TypesConfig. PR 38330. [Stefan Fritsch] *) mod_proxy: unable to connect to a backend is SERVICE_UNAVAILABLE, rather than BAD_GATEWAY or (especially) NOT_FOUND. PR 46971 [evanc nortel.com] *) mod_charset_lite: Honor 'CharsetOptions NoImplicitAdd'. [Eric Covener] *) mod_ldap: If LDAPSharedCacheSize is too small, try harder to purge some cache entries and log a warning. Also increase the default LDAPSharedCacheSize to 500000. This is a more realistic size suitable for the default values of 1024 for LdapCacheEntries/LdapOpCacheEntries. PR 46749. [Stefan Fritsch] *) mod_disk_cache, mod_mem_cache: don't cache incomplete responses, per RFC 2616, 13.8. PR15866. [Dan Poirier] *) mod_rewrite: Make sure that a hostname:port isn't fully qualified if the request is a CONNECT request. PR 47928 [Bill Zajac ] *) mod_cache: correctly consider s-maxage in cacheability decisions. [Dan Poirier] *) core: Return APR_EOF if request body is shorter than the length announced by the client. PR 33098 [ Stefan Fritsch ] *) mod_rewrite: Add scgi scheme detection. [André Malo] *) mod_mime: Detect invalid use of MultiviewsMatch inside Location and LocationMatch sections. PR 47754. [Dan Poirier] *) ab, mod_ssl: Restore compatibility with OpenSSL < 0.9.7g. [Guenter Knauf]
Leave a comment