What does Apache's "Require all granted" really do?
- by John Crawford
I've just update my Apache server to Apache/2.4.6 which is running under Ubuntu 13.04. I used to have a vhost file that had the following:
<Directory "/home/john/development/foobar/web">
AllowOverride All
</Directory>
But when I ran that I got a "Forbidden. You don't have permission to access /"
After doing a little bit of googling I found out that to get my site working again I needed to add the following line "Require all granted" so that my vhost looked like this:
<Directory "/home/john/development/foobar/web">
AllowOverride All
Require all granted
</Directory>
I want to know if this is "safe" and does not bring in any security issues. I read on Apache's page that this "mimics the functionality the was previously provided by the 'Allow from all' and 'Deny from all' directives. This provider can take one of two arguments which are 'granted' or 'denied'. The following examples will grant or deny access to all requests."
But it didn't say if this was a security issue of some sort or why we now have to do it when in the past you did not have to.