As the AcIS Unix Systems Group transitions from Apache 1 to Apache 2, there will be several changes related to the structure of the new servers. This page documents these changes.

• New Authentication Mechanism
• Stricter <limit> Syntax
• Stricter SSI Syntax
• SSI flastmod does not work for directories
• Default Directory Listing
• Config Timefmt Problem

New Authentication Mechanism

The Apache 2 secure servers use a new module for authentication, mod_auth_pamacea. This module works very differently from the Apache 1 authentication mechanism, although existing .htaccess files should require little updating.

• Instead of using Basic Auth (with the browser popping up a dialog box asking for username and password), mod_auth_pamacea generates a login form.
• Non-preauthenticated POST operations are not supported. Before a user can post to a page requiring authentication (including such CGIs as the restricted version of generic-inbox), the user must already be logged in.
• For local user database authentication, UDB files are not supported. Instead, the plain text version of the file (the one that was used as input to apache-convertdb) must be used. Additionally, local user database groups are not supported.
• Requests for URIs containing a document anchor reference (#) will lose the reference when passing through an authentication request. This is because the reference is processed by the browser and not returned to the server.
• .htaccess files using AuthKrbUserType krb must list UNIs for require user, UNIX usernames are no longer valid.
• Logout no longer requires people to login again, removing their cached password. We are currently investigating an issue where the browser caches password-protected pages after logout. Closing the browser window is a current work-around.
• Secure Personal webspace in ~user directories is in a different 'realm' than the standard locations for generic-inbox.pl and other public scripts. Any references in personal pages to /sec-cgi-bin/acled/restr/ should instead point to /sec-cgi-bin/acled/personal/

During the transition phase, mod_auth_pamacea will interpret the old directives (eg: AuthType Basic) currently in use. The old directives will be translated during the upgrade process.

Stricter Limit Syntax

If you use <limit> directives such as order deny,allow and satisfy any, make sure they work as expected. See the documentation for mod_access for more information. If you run into problems you most likely do not need <limit> at all.

Stricter SSI Syntax

Documents using Server Side Includes cannot have any spaces in the command tag. For example, the following are invalid:

	<--# echo var="foo" -->
	<-- #echo var="foo" -->
	

	<--#echo var="foo" -->
	

SSI flastmod does not work for directories

flastmod used to work for files AND directories. Now it only works on files.

Default Directory Listing

World-readable directories without index.html files display the 'auto-directory' differently that with Apache 1. Before, even if a sub-directory had special permissions it was listed as a link. Now, any directories with restricted permissions (greater than that of the autodirectory page) will not be visible as links.

To list all the directories, including those protected, create an index.html file with all the directory links necessary.

Config Timefmt Problem

Using <!--#config timefmt="" --> works differently. It only works if you have a .htaccess file with "AddHander server-parsed html" and the executable bit on the html file is turned off.