Apache 2.4+ Directory Security Changes


(Guy) #1

I have seen this mentioned as part of longer discussions, but I want to just put this up plainly and clearly.

If you move to Apache 2.4 or later, to be certain you have secured your directories, you need to edit your Apache configuration file; as an example:

Change:
<Directory "/export/srv/www/office.myhealthymind.ca/emr/sites/*/documents">
order deny,allow
Deny from all
</Directory>

To:
<Directory "/export/srv/www/office.myhealthymind.ca/emr/sites/*/documents">
Require all denied
</Directory>

The old directives (inside the <Directory> </Directory>) are deprecated and may not work as expected or at all. The new directive (Require all denied) is now the correct way.
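
Added example, not part of the original posts: a small Python check that lists the sections of a configuration still using the 2.2-style Order/Allow/Deny/Satisfy directives and proposes a 2.4 replacement only for the two simple patterns given in the Apache upgrading guide. The sample configuration, its paths and the helper name `audit` are constructed for illustration.

```python
import re

# Constructed sample configuration (paths are placeholders, not from the thread).
SAMPLE = '''\
<Directory "/var/www/example/sites/*/documents">
    Order deny,allow
    Deny from all
</Directory>
<Directory "/var/www/example/public">
    Order allow,deny
    Allow from all
    Require all granted
</Directory>
<Directory "/var/www/example/admin">
    Order deny,allow
    Deny from all
    Allow from 192.0.2.10
</Directory>
'''
SECTION = r'(?:Directory|Files|Location)(?:Match)?'
OPEN = re.compile(r'^\s*<' + SECTION + r'\s+(.+?)>\s*$', re.I)
CLOSE = re.compile(r'^\s*</' + SECTION + r'>', re.I)
LEGACY = re.compile(r'^\s*(order|allow|deny|satisfy)\b', re.I)
REQUIRE = re.compile(r'^\s*require\b', re.I)
# The two simple translations given in the Apache 2.4 upgrading guide.
SIMPLE = {frozenset({'order deny,allow', 'deny from all'}): 'Require all denied',
          frozenset({'order allow,deny', 'allow from all'}): 'Require all granted'}

def audit(text):
    """Return one finding per section that still uses 2.2 access directives."""
    findings, stack = [], []
    for num, line in enumerate(text.splitlines(), 1):
        if OPEN.match(line):
            name = OPEN.match(line).group(1).strip('"')
            stack.append({'section': name, 'lines': [], 'seen': set(), 'mixed': False})
        elif CLOSE.match(line) and stack:
            block = stack.pop()
            if block['lines']:
                # Anything beyond the two simple patterns needs manual translation.
                block['replacement'] = SIMPLE.get(frozenset(block.pop('seen')))
                findings.append(block)
        elif stack and LEGACY.match(line):
            stack[-1]['lines'].append(num)
            stack[-1]['seen'].add(' '.join(line.lower().split()))
        elif stack and REQUIRE.match(line):
            stack[-1]['mixed'] = True  # old and new styles in one block
    return findings

if __name__ == '__main__':
    for f in audit(SAMPLE):
        print(f)
```

A finding with `replacement` set to None (such as the block that allows a single address) has to be translated by hand, and one with `mixed` set combines old and new directives in the same section, which the upgrading guide discourages.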


(Brady Miller) #2

Hi @Guy,

Thanks for bringing this up. Some docs on this here:
https://httpd.apache.org/docs/2.4/upgrading.html

The dockers (Alpine-based) and Ubuntu packages and XAMPP package use the 2.2 syntax and are all working as expected. However, agree we need to update these along with our installation instructions to the 2.4 syntax. We will also then need to require OpenEMR to only be able to run on Apache 2.4 or better.

-brady


(Dan Ehrlich) #3

Working on the new config file now. See: openemr-devops/openemr.conf at 54be943e9ea55efdb6309b8a892e11603f78fd0f · openemr/openemr-devops · GitHub