Bug#312360: [pkg-horde] Bug#312360: horde3: Here is a proposed configuration

Lionel Elie Mamane lionel at mamane.lu
Wed Aug 23 05:21:01 UTC 2006

On Tue, Aug 22, 2006 at 11:42:08AM -0400, Roberto C. Sanchez wrote:
> On Tue, Aug 22, 2006 at 03:53:28PM +0200, Jerome Warnier wrote:

>> Please put the attached file as /etc/horde/horde3/apache.conf and
>> link to it from /etc/apache/conf.d and /etc/apache2/conf.d. It will
>> work out-of-the-box and make everybody happy.

>> Alias /horde3 "/usr/share/horde3/"
>> <Directory "/usr/share/horde3">
>>     	Options Indexes MultiViews FollowSymLinks
>> 	AllowOverride None
>> 	Order allow,deny
>> 	Allow From all
>> </Directory>

If we put something automatically, I'd rather put:

Alias ...
<Directory "/usr/share/horde3">
	Options FollowSymLinks
	AllowOverride Limit
	Order ...

> NO!!!!!

> Are you crazy?  This would make me very upset.  I would not want an
> application which relies on authentication to the system to be
> accessible over a clear-text protocol my default.  That is a
> decision that must be made by the system administrator.  I would
> consider your suggestion a big "No, No."

It is not *that* bad... By default (in non-configured state) horde
does not rely on authentication to the system. Just anybody can access
the configuration interface without authentication. :-) So, when the
administrator configures reliance on authentication, he can also
change the Apache-Horde config to require TLS/SSL.

My worry is more the upgrades. People already have a working config,
we drop the default config in addition to that, hell breaks loose. If
we can manage to do the "link to it" part only on new installs, not
upgrades, I'd feel better about it.


More information about the pkg-horde-hackers mailing list