http://httpd.apache.org/docs/2.4/upgrading.html
In this example, all requests are denied.
2.2 configuration:
Order deny,allow
Deny from all
2.4 configuration:
Require all denied
In this example, all requests are allowed.
2.2 configuration:
Order allow,deny
Allow from all
2.4 configuration:
Require all granted
In the following example, all hosts in the example.org domain are allowed access; all other hosts are denied access.
2.2 configuration:
Order Deny,Allow
Deny from all
Allow from example.org
2.4 configuration:
Require host example.org
In the following example, mixing old and new directives leads to unexpected results.
Mixing old and new directives: NOT WORKING AS EXPECTED
DocumentRoot "/var/www/html"
<Directory "/">
AllowOverride None
Order deny,allow
Deny from all
</Directory>
<Location "/server-status">
SetHandler server-status
Require 127.0.0.1
</Location>
access.log - GET /server-status 403 127.0.0.1
error.log - AH01797: client denied by server configuration: /var/www/html/server-status
Why httpd denies access to servers-status even if the configuration seems to allow it? Because mod_access_compat
directives take precedence over the mod_authz_host one in this configuration merge scenario.
This example conversely works as expected:
Mixing old and new directives: WORKING AS EXPECTED
DocumentRoot "/var/www/html"
<Directory "/">
AllowOverride None
Require all denied
</Directory>
<Location "/server-status">
SetHandler server-status
Order deny,allow
Deny from all
Allow From 127.0.0.1
</Location>
access.log - GET /server-status 200 127.0.0.1
So even if mixing configuration is still possible, please try to avoid it when upgrading: either keep old
directives and then migrate to the new ones on a later stage or just migrate everything in bulk.