From a88453fbaa8104502975d40c1b53738f71168b70 Mon Sep 17 00:00:00 2001
From: aszlig <aszlig@redmoonstudios.org>
Date: Wed, 17 Oct 2012 16:57:18 +0200
Subject: [PATCH] apache-httpd: Properly wrap access directives.

The Order/Deny directives are deprecated in version 2.4, so we're going to
define two wrappers for allDenied and allGranted in order to properly generate
configurations for both version 2.2 and 2.4.

For more information an access control changes, see:

http://httpd.apache.org/docs/2.4/upgrading.html#access

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
---
 .../web-servers/apache-httpd/default.nix      | 37 ++++++++++++-------
 1 file changed, 23 insertions(+), 14 deletions(-)

diff --git a/modules/services/web-servers/apache-httpd/default.nix b/modules/services/web-servers/apache-httpd/default.nix
index 05fada720ba7..29a20cae162b 100644
--- a/modules/services/web-servers/apache-httpd/default.nix
+++ b/modules/services/web-servers/apache-httpd/default.nix
@@ -116,6 +116,7 @@ let
     ]
     ++ optionals (!versionOlder httpd.version "2.4") [
       "mpm_${mainCfg.multiProcessingModule}"
+      "authz_core"
       "unixd"
     ]
     ++ (if mainCfg.multiProcessingModule == "prefork" then [ "cgi" ] else [ "cgid" ])
@@ -123,6 +124,21 @@ let
     ++ extraApacheModules;
 
 
+  allDenied = if versionOlder httpd.version "2.4" then ''
+    Order deny,allow
+    Deny from all
+  '' else ''
+    Require all denied
+  '';
+
+  allGranted = if versionOlder httpd.version "2.4" then ''
+    Order allow,deny
+    Allow from all
+  '' else ''
+    Require all granted
+  '';
+
+
   loggingConf = ''
     ErrorLog ${mainCfg.logDir}/error_log
 
@@ -191,8 +207,7 @@ let
       <Directory "${documentRoot}">
           Options Indexes FollowSymLinks
           AllowOverride None
-          Order allow,deny
-          Allow from all
+          ${allGranted}
       </Directory>
     '';
 
@@ -246,12 +261,10 @@ let
           AllowOverride FileInfo AuthConfig Limit Indexes
           Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
           <Limit GET POST OPTIONS>
-              Order allow,deny
-              Allow from all
+              ${allGranted}
           </Limit>
           <LimitExcept GET POST OPTIONS>
-              Order deny,allow
-              Deny from all
+              ${allDenied}
           </LimitExcept>
       </Directory>
 
@@ -273,8 +286,7 @@ let
             Alias ${elem.urlPath} ${elem.dir}/
             <Directory ${elem.dir}>
                 Options +Indexes
-                Order allow,deny
-                Allow from all
+                ${allGranted}
                 AllowOverride All
             </Directory>
           '';
@@ -326,8 +338,7 @@ let
     AddHandler type-map var
 
     <Files ~ "^\.ht">
-        Order allow,deny
-        Deny from all
+        ${allDenied}
     </Files>
 
     ${mimeConf}
@@ -345,16 +356,14 @@ let
     <Directory />
         Options FollowSymLinks
         AllowOverride None
-        Order deny,allow
-        Deny from all
+        ${allDenied}
     </Directory>
 
     # But do allow access to files in the store so that we don't have
     # to generate <Directory> clauses for every generated file that we
     # want to serve.
     <Directory /nix/store>
-        Order allow,deny
-        Allow from all
+        ${allGranted}
     </Directory>
 
     # Generate directives for the main server.