On Mon, 2015-02-23 at 09:47 +0100, Remi Collet wrote:
> On 22/02/2015 20:08, Adam Williamson wrote:
> > On Sun, 2015-02-22 at 18:51 +0100, Remi Collet wrote:
> > > On 22/02/2015 07:21, Adam Williamson wrote:
> > > > Working on the ownCloud package today, it occurred to me that
> > > > we probably have quite a lot of packages carrying Apache access
> > > > control snippets around, like these:
> > >
> > > This configuration has a big advantage, it can be upstream ;)
> >
> > Sorry, I don't quite get it - can you unpack a bit? What
> > configuration can be upstream? The existing .conf files with all
> > the boilerplate? What upstreams carry those?
>
> Some upstreams provide the httpd configuration file.
>
> Ex: ocsinventory [1]
> (even if this one is not 2.4 aware despite I have sent them the
> needed changes months ago...)

Hum, OK.

> Some other projects (perhaps more common) provide some .htaccess
> files in their sources tree (these files have to be 2.4 aware, and
> the httpd conf file is "mostly" a merge of all the .htaccess).

This still usually needs manual changes, though, because often you
can't just copy the .htaccess file into /etc/httpd/conf.d and be done
with it.

In fact, ownCloud is exactly this kind of thing, and is why I thought
of using Included snippets in the first place. Upstream ownCloud
provides a detailed .htaccess for the whole /owncloud tree. In the
Fedora package we split it up into three different locations, so I
have to apply the same config to all three places. I could use
DirectoryMatch but the regex is pretty ungainly and it seems to make
later overrides difficult, so instead I went with separate Directory
sections, but then I had a huge config file which included the same
laundry list of directives three times.
So I wrote a '.inc' file containing the shared directives and
Include'd it for all three directories, then thought of doing the same
for the authorization stuff, then thought 'well, couldn't lots of
other things benefit from the authorization stuff too? And I'd feel
safer if this whole use of included files were a distro policy with
official locations and things'.

So anyway - if you have to interpret upstream's .htaccess in any case,
replacing the boilerplate with an include is pretty easy, and to my
mind makes the config cleaner and more readable.

It seems like something that may be difficult to upstream to web apps
in most cases, because they may well not have the same
policies/deployment expectations as us. I doubt for instance that OC
would accept a 'local access only' default (even though it really
should protect the initial setup process somehow...) as it's so often
deployed on shared hosting and other environments where launching a
browser from the server system is impossible/impractical.

OC package change:

http://pkgs.fedoraproject.org/cgit/owncloud.git/commit/?id=96267cd5880d3b1baf30fe3fdf17029244b48ed3

(note that for master branch there's only *two* directories that need
the config applied, the extra one shows up in OC 8; I actually wrote
this on the OC 8 branch and then decided to move it to master as it's
useful for 7.x as well).

> Notices:
>
> 1. <IfModule mod_authz_core.c> can be used on all distros,
> the reason why I have proposed this one first, (and it has been
> adopted in most of our packages).

Is this documented somewhere? When I went looking for it in the wiki I
couldn't find anything. My version of the snippets is just
cargo-culted from some other package.

In fact, we seem to have a severe lack of web app policy/guidelines in
general, unless I'm missing something - all I could find is
https://fedoraproject.org/wiki/Packaging:Guidelines#Web_Applications,
which is hardly comprehensive.
I mostly try to base my choices off what the most
prominent/well-maintained web app packages do, but sometimes it'd be
nice to have more explicit docs. For instance, in the same ownCloud
change linked above, I went with something to try and help people set
up universal access when appropriate (because I find the 'local only
by default' often confuses people, and when they do override it, they
don't always do it in a good way): the owncloud-access-httpd.conf.avail
file and the instructions relating to it. But I was a bit nervous
because of the dearth of web application packaging
documentation/guidelines. I can't think of a reason why it'd be a bad
thing to do, but it's always hard to prove a negative.

-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net
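
An added example, not part of the original message or of the ownCloud package: the shared-include layout discussed in this thread, with the local-only authorization boilerplate kept in one '.inc' file and pulled into each Directory section. All file names, the application name and the three directory paths are assumptions chosen for illustration.

```apache
# ---- conf.d/example-app-auth.inc (hypothetical file name) ----
# Shared access-control snippet: local access only by default.
# The .inc extension matters: the stock "IncludeOptional conf.d/*.conf"
# only loads *.conf, so this file is never applied at server scope by
# accident, only where a Directory section pulls it in explicitly.
<IfModule mod_authz_core.c>
    # httpd 2.4 syntax
    Require local
</IfModule>
<IfModule !mod_authz_core.c>
    # httpd 2.2 syntax
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
    Allow from ::1
</IfModule>

# ---- conf.d/example-app.conf (hypothetical file name) ----
# Three install locations (assumed paths), one copy of the policy.
# Relative Include paths are resolved against ServerRoot.
Alias /example-app /usr/share/example-app

<Directory /usr/share/example-app/>
    Include conf.d/example-app-auth.inc
</Directory>

<Directory /var/lib/example-app/apps/>
    Include conf.d/example-app-auth.inc
</Directory>

<Directory /etc/example-app/>
    Include conf.d/example-app-auth.inc
</Directory>

# A local admin who wants wider access overrides one place only, for
# instance a later-sorting conf.d file that repeats a Directory section
# with its own Require line, instead of editing three copies of the
# boilerplate and risking one being missed.
```

Running `httpd -t` after any change confirms that every Include resolves and that the merged configuration parses.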