Hello community,
here is the log from the commit of package apache2.1263 for openSUSE:12.2:Update checked in at 2013-02-05 17:34:19
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.2:Update/apache2.1263 (Old)
and /work/SRC/openSUSE:12.2:Update/.apache2.1263.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "apache2.1263", Maintainer is ""
Changes:
--------
New Changes file:
--- /dev/null 2013-01-09 19:40:42.352580873 +0100
+++ /work/SRC/openSUSE:12.2:Update/.apache2.1263.new/apache2.changes 2013-02-05 17:34:21.000000000 +0100
@@ -0,0 +1,3782 @@
+-------------------------------------------------------------------
+Mon Jan 28 15:04:02 CET 2013 - draht@suse.de
+
+- httpd-2.2.x-bnc798733-SNI_ignorecase.diff: ignore case when
+ checking against SNI server names. [bnc#798733]
+- httpd-2.2.x-bnc777260-CVE-2012-2687-mod_negotiation_filename_xss.diff
+ Escape filename for the case that uploads are allowed with untrusted
+ user's control over filenames and mod_negotiation enabled on the
+ same directory. CVE-2012-2687 [bnc#777260]
+
+-------------------------------------------------------------------
+Wed Jul 25 11:32:34 UTC 2012 - saschpe@suse.de
+
+- gensslcert: Use 0400 permissions for generated SSL certificate files
+ instead of 0644
+
+-------------------------------------------------------------------
+Fri Jul 6 11:58:03 UTC 2012 - meissner@suse.com
+
+- modified apache2.2-mpm-itk-20090414-00.patch to fix
+ itk running as root. bnc#681176 / CVE-2011-1176
+
+-------------------------------------------------------------------
+Fri Jul 6 09:42:00 UTC 2012 - meissner@suse.com
+
+- remove the insecure LD_LIBRARY_PATH line. bnc#757710
+
+-------------------------------------------------------------------
+Sun Apr 22 20:14:22 UTC 2012 - dimstar@opensuse.org
+
+- Add apache2-mod_ssl_npn.patch: Add npn support to mod_ssl, which
+ is needed by spdy.
+- Provide apache2(mod_ssl+npn), indicating that our mod_ssl does
+ have the npn patch. This can be used by mod_spdy to ensure a
+ compatible apache/mod_ssl is installed.
+
+-------------------------------------------------------------------
+Tue Mar 20 14:05:49 UTC 2012 - adrian@suse.de
+
+- fix truncating and resulting paniking of answer headers (bnc#690734)
+
+-------------------------------------------------------------------
+Sat Feb 18 21:15:08 UTC 2012 - poeml@cmdline.net
+
+- update to 2.2.22
+ *) SECURITY: CVE-2011-3368 (cve.mitre.org)
+ Reject requests where the request-URI does not match the HTTP
+ specification, preventing unexpected expansion of target URLs in
+ some reverse proxy configurations.
+ *) SECURITY: CVE-2011-3607 (cve.mitre.org)
+ Fix integer overflow in ap_pregsub() which, when the mod_setenvif module
+ is enabled, could allow local users to gain privileges via a .htaccess
+ file.
+ *) SECURITY: CVE-2011-4317 (cve.mitre.org)
+ Resolve additional cases of URL rewriting with ProxyPassMatch or
+ RewriteRule, where particular request-URIs could result in undesired
+ backend network exposure in some configurations.
+ *) SECURITY: CVE-2012-0021 (cve.mitre.org)
+ mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format
+ string is in use and a client sends a nameless, valueless cookie, causing
+ a denial of service. The issue existed since version 2.2.17. PR 52256.
+ *) SECURITY: CVE-2012-0031 (cve.mitre.org)
+ Fix scoreboard issue which could allow an unprivileged child process
+ could cause the parent to crash at shutdown rather than terminate
+ cleanly.
+ *) SECURITY: CVE-2012-0053 (cve.mitre.org)
+ Fix an issue in error responses that could expose "httpOnly" cookies
+ when no custom ErrorDocument is specified for status code 400.
+ *) mod_proxy_ajp: Try to prevent a single long request from marking a worker
+ in error.
+ *) config: Update the default mod_ssl configuration: Disable SSLv2, only
+ allow >= 128bit ciphers, add commented example for speed optimized cipher
+ list, limit MSIE workaround to MSIE <= 5.
+ *) core: Fix segfault in ap_send_interim_response(). PR 52315.
+ *) mod_log_config: Prevent segfault. PR 50861.
+ *) mod_win32: Invert logic for env var UTF-8 fixing.
+ Now we exclude a list of vars which we know for sure they dont hold UTF-8
+ chars; all other vars will be fixed. This has the benefit that now also
+ all vars from 3rd-party modules will be fixed. PR 13029 / 34985.
+ *) core: Fix hook sorting for Perl modules, a regression introduced in
+ 2.2.21. PR: 45076.
+ *) Fix a regression introduced by the CVE-2011-3192 byterange fix in 2.2.20:
+ A range of '0-' will now return 206 instead of 200. PR 51878.
+ *) Example configuration: Fix entry for MaxRanges (use "unlimited" instead
+ of "0").
+ *) mod_substitute: Fix buffer overrun.
+- adjusted SSL template/default config for upstream changes, and added
+ MaxRanges example to apache2-server-tuning.conf
+- fixed installation of (moved) man pages
+
+-------------------------------------------------------------------
+Sat Feb 11 09:21:15 UTC 2012 - coolo@suse.com
+
+- compile with pcre 8.30 - patch taken from apache bugzilla
+
+-------------------------------------------------------------------
+Sat Jan 21 13:54:01 CET 2012 - draht@suse.de
+
+- enable mod_reqtimeout by default via APACHE_MODULES in
+ /etc/sysconfig/apache2, configuration
+ /etc/apache2/mod_reqtimeout.conf .
+ Of course, the existing configuration remains unchanged.
+
+-------------------------------------------------------------------
+Fri Dec 16 20:53:39 UTC 2011 - chris@computersalat.de
+
+- add default vhost configs
+ * default-vhost.conf, default-vhost-ssl.conf, README.default-vhost
+
+-------------------------------------------------------------------
+Sat Dec 10 10:34:26 CET 2011 - meissner@suse.de
+
+- openldap2 is not necessary, just openldap2-devel as buildrequires
+
+-------------------------------------------------------------------
+Fri Dec 2 07:18:56 UTC 2011 - coolo@suse.com
+
+- add automake as buildrequire to avoid implicit dependency
+
+-------------------------------------------------------------------
+Fri Nov 18 15:04:12 CET 2011 - draht@suse.de
+
+- update to /etc/init.d/apache2: handle reload with deleted
+ binaries after package update more thoughtfully: If the binaries
+ have been replaced, then a dlopen(3) on the apache modules is
+ prone to fail. => Don't reload then, but complain and fail.
+ Especially important for logrotate!
+
+-------------------------------------------------------------------
+Fri Oct 7 17:11:56 CEST 2011 - draht@suse.de
+
+- httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff fixes mod_proxy
+ reverse exposure via RewriteRule or ProxyPassMatch directives.
+ This is CVE-2011-3368.
+
+-------------------------------------------------------------------
+Fri Oct 7 14:36:31 UTC 2011 - fcrozat@suse.com
+
+- Ensure service_add_pre macro is correctly called for
+ openSUSE 12.1 or later.
+
+-------------------------------------------------------------------
+Tue Sep 27 08:19:35 UTC 2011 - fcrozat@suse.com
+
+- Fix systemd files packaging, %ghost is not a good idea.
+- Use systemd rpm macros for openSUSE 12.1 and later.
+
+-------------------------------------------------------------------
+Thu Sep 15 13:33:30 CEST 2011 - draht@suse.de
+
+- don't create $RPM_BUILD_ROOT/etc/init.d twice in %install.
+
+-------------------------------------------------------------------
+Wed Sep 14 01:11:55 CEST 2011 - draht@suse.de
+
+- Update to 2.2.21. News therein:
+ * re-worked CVE-2011-3192 (byterange_filter.c) with a regression
+ fix. New config option: MaxRanges (PR 51748)
+ * multi fixes in mod_filter, mod_proxy_ajp, mod_dav_fs,
+ mod_alias, mod_rewrite. As always, see CHANGES file.
+- added httpd-%{realver}.tar.bz2.asc to source, along with
+ 60C5442D.key which the tarball was signed with.
+
+-------------------------------------------------------------------
+Tue Sep 13 10:37:37 CEST 2011 - draht@suse.de
+
+- need to add %ghost /lib/systemd to satisfy distributions that
+ have no systemd yet.
+
+-------------------------------------------------------------------
+Thu Sep 1 09:43:49 UTC 2011 - fcrozat@suse.com
+
+- Add apache2-systemd-ask-pass / apache2.service / start_apache2
+ and modify apache2-ssl-global.conf for systemd support
+ (bnc#697137).
+
+-------------------------------------------------------------------
+Wed Aug 31 12:52:22 UTC 2011 - crrodriguez@opensuse.org
+
+- Update to version 2.2.20, fix CVE-2011-3192
+ mod_deflate D.o.S.
+
+
+-------------------------------------------------------------------
+Fri Aug 5 06:02:35 UTC 2011 - crrodriguez@opensuse.org
+
+- Fix apache PR 45076
+
+-------------------------------------------------------------------
+Sun Jul 17 19:49:55 UTC 2011 - crrodriguez@opensuse.org
+
+- Use SSL_MODE_RELEASE_BUFFERS to reduce mod_ssl memory usage
+
+-------------------------------------------------------------------
+Wed Jun 22 16:12:10 UTC 2011 - crrodriguez@opensuse.org
+
+- Add 2 patches from the "low hanging fruit" warnings in apache
++++ 3585 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:12.2:Update/.apache2.1263.new/apache2.changes
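Review bot: The 2.2.20 entry (Wed Aug 31 2011) describes CVE-2011-3192 as a "mod_deflate D.o.S.", while the 2.2.21 entry ties the same CVE to byterange_filter.c and the 2.2.22 entry calls it the "byterange fix"; the three entries should name the same component so the CVE can be matched to the code that was changed. Smaller wording points in the visible part: the CVE-2012-2687 line lacks the colon after the patch filename that the SNI line above it uses, "paniking" in the bnc#690734 entry is misspelled, and the CVE-2012-0031 text repeats "could" ("could allow ... could cause").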
New:
----
60C5442D.key
Apache.xpm
SUSE-NOTICE
a2enflag
a2enmod
apache-20-22-upgrade
apache-ssl-stuff.tar.bz2
apache2-README
apache2-README.QUICKSTART
apache2-README.default-vhost
apache2-check_forensic
apache2-default-server.conf
apache2-default-vhost-ssl.conf
apache2-default-vhost.conf
apache2-errors.conf
apache2-httpd.conf
apache2-listen.conf
apache2-manual.conf
apache2-mod_autoindex-defaults.conf
apache2-mod_info.conf
apache2-mod_log_config.conf
apache2-mod_mime-defaults.conf
apache2-mod_reqtimeout.conf
apache2-mod_ssl_npn.patch
apache2-mod_status.conf
apache2-mod_userdir.conf
apache2-mod_usertrack.conf
apache2-server-tuning.conf
apache2-ssl-global.conf
apache2-systemd-ask-pass
apache2-vhost-ssl.template
apache2-vhost.template
apache2.2-mpm-itk-20090414-00.patch
apache2.changes
apache2.firewall
apache2.logrotate
apache2.service
apache2.spec
apache2.ssl-firewall
apache2.xml
favicon.ico
find_httpd2_includes
find_mpm
gensslcert
get_includes
get_module_list
httpd-2.0.49-log_server_status.dif
httpd-2.0.54-envvars.dif
httpd-2.1.3alpha-layout.dif
httpd-2.1.9-apachectl.dif
httpd-2.2.0-apxs-a2enmod.dif
httpd-2.2.19-linux3.patch
httpd-2.2.22.tar.bz2
httpd-2.2.22.tar.bz2.asc
httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff
httpd-2.2.x-bnc690734.patch
httpd-2.2.x-bnc777260-CVE-2012-2687-mod_negotiation_filename_xss.diff
httpd-2.2.x-bnc798733-SNI_ignorecase.diff
httpd-2.x.x-logresolve.patch
httpd-keepalivetimeout-millisecs.patch
httpd-mod_deflate_head.patch
httpd-new_pcre.patch
load_configuration
permissions.apache2
rc.apache2
robots.txt
ssl-mode-release-buffers.patch
start_apache2
sysconf_addword
sysconfig.apache2
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ apache2.spec ++++++
++++ 1144 lines (skipped)
++++++ Apache.xpm ++++++
++++++ SUSE-NOTICE ++++++
The SuSE build of apache2 contains the following modifications:
* assert HAVE_POLL during compilation (safety measure)
* small fixes in apachectl to make it work with multiple MPMs, and
use w3m alternatively to lynx
* avoid error if compiled with openssl 0.9.6e
* added patch to experimental caching module that fixes segfault for 'GET
https://whatever.html HTTP/1.0' request on HTTP Port
(/modules/experimental/cache_util.c)
* RFC 2817 TLS upgrade backported from 2.1
* fixed log_server_status to use Socket.pm and match our configuration
* fixed check_forensic script (adjusted for GNU tools, use safe tmpdir)
* http://www.apache.org/dist/httpd/patches/apply_to_2.0.52/util_ldap_cache_mgr...
++++++ a2enflag ++++++
#!/bin/bash
# Copyright 2005 Peter Poeml . All Rights Reserved.
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
sysconf=/etc/sysconfig/apache2
var=APACHE_SERVER_FLAGS
PATH="$PATH:/usr/bin:/usr/sbin:/usr/share/apache2"
debug=true
function usage() {
echo "$(basename $0): enable/disable a flag in $var in $sysconf"
echo
echo "usage: $(basename $0) [-d] flag"
#echo " $(basename $0) -h runtests"
exit 1
}
if [ $# -lt 1 ]; then
usage
fi
action=enable
case "$1" in
-d) action=disable; shift;;
-*) usage;;
esac
case $(basename $0) in
a2disflag) action=disable;;
esac
flag=$1
if [ $action = enable ]; then
sysconf_addword $sysconf $var $flag
exit $?
else
sysconf_addword -r $sysconf $var $flag
exit $?
fi
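Review bot: The argument count is checked only before option parsing, so "a2enflag -d" with no flag passes the "$# -lt 1" test, shifts, and then calls sysconf_addword -r with an empty, unquoted $flag. Re-check $# after the first case block and call usage when no flag is left, and quote "$flag" and "$sysconf" in the sysconf_addword calls. debug=true is assigned but never read in this script and can be dropped.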
++++++ a2enmod ++++++
#!/bin/bash
# Copyright 2005 Peter Poeml . All Rights Reserved.
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
sysconf=/etc/sysconfig/apache2
var=APACHE_MODULES
PATH="$PATH:/usr/bin:/usr/sbin:/usr/share/apache2"
debug=true
function usage() {
echo "$(basename $0): enable/disable an apache module in $var in $sysconf"
echo
echo "usage: $(basename $0) [-d] module"
echo " $(basename $0) -l list modules"
echo " $(basename $0) -q module query if module is installed"
#echo " $(basename $0) -h runtests"
exit 1
}
if [ $# -lt 1 ]; then
usage
fi
action=enable
case "$1" in
-d) action=disable; shift;;
-l) action=list; shift;;
-q) action=query; shift;;
-*) usage;;
esac
case $(basename $0) in
a2dismod) action=disable;;
esac
mod=$1
if [ $action = enable ]; then
sysconf_addword $sysconf $var $mod
exit $?
elif [ $action = disable ]; then
sysconf_addword -r $sysconf $var $mod
exit $?
elif [ $action = query ]; then
if a2enmod -l | grep -q "\<$mod\>"; then
exit 0
else
exit 1
fi
else
source $sysconf
eval echo \$$var
fi
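Review bot: The list branch at the end sources $sysconf and then runs "eval echo \$$var", which sends the variable's contents through a second round of shell evaluation; bash indirect expansion (echo "${!var}") prints the same value without eval. In the query branch the module name is spliced unquoted into the grep pattern "\<$mod\>", so a "." or other regex character in the argument is matched as a pattern; grep -qwF -- "$mod" would match the name literally. The query also calls a2enmod through the extended PATH rather than "$0", so it depends on which a2enmod is found first.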
++++++ apache-20-22-upgrade ++++++
#!/bin/bash
# obsolete 2.0 modules -> 2.2 modules
echo 'looking for old 2.0 modules to be renamed...'
if a2enmod -q auth; then
echo 'auth -> auth_basic authn_file'
a2dismod auth
a2enmod auth_basic
a2enmod authn_file
a2enmod authz_groupfile
a2enmod authz_default
a2enmod authz_user
cat <<-EOF
!!!ATTENTION!!!
If you use basic authentication, you will need to update your
configuration. Typically, you need to add
AuthBasicProvider file
(example for file-based authentication) below "AuthType Basic".
!!!ATTENTION!!!
EOF
fi
if a2enmod -q access; then
echo 'access -> authz_host'
a2dismod access
a2enmod authz_host
fi
if a2enmod -q auth_dbm; then
echo 'auth_dbm -> authn_dbm'
a2dismod auth_dbm
a2enmod authn_dbm
fi
if a2enmod -q imap; then
echo 'imap -> imagemap'
a2dismod imap
a2enmod imagemap
fi
if a2enmod -q image_map; then
echo 'image_map -> imagemap'
a2dismod image_map
a2enmod imagemap
fi
if a2enmod -q auth_ldap; then
echo 'auth_ldap -> mod_authnz_ldap'
a2dismod auth_ldap
a2enmod mod_authnz_ldap
fi
echo 'Done.'
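Review bot: In the auth_ldap branch the replacement module is enabled as "mod_authnz_ldap", while every other a2enmod call in this script passes the bare name without the mod_ prefix (auth_basic, authn_dbm, imagemap, authz_host). If APACHE_MODULES expects bare names, this should be "a2enmod authnz_ldap", with the echo line adjusted to match. The first branch also announces 'auth -> auth_basic authn_file' but enables five modules; the message should list all of them or say that authz_groupfile, authz_default and authz_user are added as well.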
++++++ apache2-README ++++++
README.SuSE for Apache 2
For The Impatient
=================
o There are several MPM packages (MPM = multiprocessing module, which implements
the threads/processes model). The MPM packages contain the actual apache binary.
At least one MPM package must be installed.
o The apache v1 and v2 packages can be installed and run side by side :)
o Some commands have a "2" suffix, and are thus easily confused with Apache 1
commands -- if you have an old apache (1.3) installation around.
o Edit /etc/sysconfig/apache2 to configure the list of modules to load, and other things.
It is no longer required to run SuSEconfig after such changes. (In fact, the
SuSEconfig.apache2 does no longer exist.)
o For building apache modules, there are 4 apxs commands (all come with the
apache2-devel package):
apxs2 builds a common module for all MPMs and installs to /usr/lib/apache2
apxs2-prefork builds for prefork and installs to /usr/lib/apache2-prefork
apxs2-worker builds for worker and installs to /usr/lib/apache2-worker
If you build apache modules, the configure script might not find apxs, and
you'll need an option like --with-apxs=apxs2[-worker, ...], or of course you can set
a symlink to apxs2.
o The Apache Runtime (APR) is in the "libapr0" package (this package was named "apr"
in the past (8.1))
Choosing the right MPM for your application
===========================================
apache2-prefork is implemented with a prefork regime, while
apache2-worker uses a hybrid threaded/preforked model.
Which one to use? The short answer is:
- if in doubt, simply use prefork
- use prefork if you use mod_php4
- use worker if you need maximal performance with (possibly) less resources
(smaller memory footprint of threade compared to the same number as processes)
The following nice article has a more in depth answer:
http://www.onlamp.com/pub/a/apache/2004/06/17/apacheckbk.html
See
http://httpd.apache.org/docs-2.2/mpm.html and
http://httpd.apache.org/docs-2.2/misc/perf-tuning.html#compiletime
for more technical details.
In general, using a threaded MPM (worker) requires that all libraries that are
loaded into apache (and libraries loaded by them in turn) be threadsafe as well.
See
http://httpd.apache.org/docs-2.2/developer/thread_safety.html for a status on
some libraries.
Upgrading from apache 1.3
=========================
For a smooth transition from apache 1.3, apache 2 is installable alongside apache
1.3. There are a few modules for apache 1 that have not been ported or enough
tested for apache 2, but most important modules are available by now.
The mechanism of specifying modules to load into the server has been cleaned up
so a reasonable default set of modules is loaded. (It is not useful to load all
available modules by default, it would make the server quite big and slow. This
is important given as the number of modules in the apache base distribution is
rising and rising (about 50 at this time).
In previous apache packages (1.3), modules were activated by setting a
APACHE_MOD_XYZ variable to "yes" and running SuSEconfig.
Nowadays, modules are activated by adding them to a the APACHE_MODULES
variable in /etc/sysconfig/apache2, and simply restarting apache.
Building modules for apache 2
=============================
Therefore, the different MPMs will be needed and a mechanism to build
the modules spesific to them. This can now be done with the apxs2,
apxs2-worker or apxs2-prefork script.
For a module's configure script, you would typically use
--which-apxs=/usr/sbin/apxs2-prefork
In RPM spec files, you can use
%define apxs apxs2
%define apache_libexecdir %(%{apxs} -q libexecdir)
to build modules, or use apxs2-prefork (for instance) to build a module
specifically for the prefork MPM.
To further the example, apxs2-prefork will install a module below
/usr/lib/apache2-prefork/, while "apxs2" will install it below
/usr/lib/apache2/.
-a adds the module to APACHE_MODULES in /etc/sysconfig/apache2, which in turn
takes care of loading the module.
Thus, usually you will only have to call
apxs2 -cia my_module.c
and all is fine.
--
Suggestions or bug reports (via http://bugzilla.novell.com/) are most
welcome.
Mar 14 2005, Peter Poeml
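Review bot: The configure option is spelled two ways in this README: "--with-apxs=apxs2[-worker, ...]" in the first section and "--which-apxs=/usr/sbin/apxs2-prefork" under "Building modules for apache 2"; one of them is wrong and the text should use a single spelling. The first section also says there are 4 apxs commands but lists three (apxs2, apxs2-prefork, apxs2-worker), and the "Building modules" section opens with "Therefore," without a preceding sentence it could refer to.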
++++++ apache2-README.QUICKSTART ++++++
This README is now online:
http://en.opensuse.org/Apache_Quickstart_HOWTO
General starting point:
http://www.opensuse.org/Apache
++++++ apache2-README.default-vhost ++++++
# provided by ChrisWi aka chris@computersalat.de
This is a short introduction about how to use the delivered
- default-vhost.conf
- default-vhost-ssl.conf
configuration files.
When using virtual hosts (vhosts) with apache, you want to have a
"default" config which points to your default hostname (FQDN).
And when apache is reading its configs, then our "default" configs
should be read "at first".
To achieve this, you should adapt the/those config files and then
add them to the /etc/sysconfig/apache2 config like the
following example:
# /etc/sysconfig/apache2
---- snip ----
# This allows you to add e.g. VirtualHost statements without touching
# /etc/apache2/httpd.conf itself, which makes upgrading easier.
#
APACHE_CONF_INCLUDE_FILES="default-vhost.conf default-vhost-ssl.conf"
---- snip ----
This way our "default" config are read in before conf.d/* and vhosts.d/*
Have fun :)
++++++ apache2-check_forensic ++++++
#!/bin/sh
# check_forensic <forensic log file>
# Author: Peter Poeml
# check the forensic log for requests that did not complete
# output the request log for each one
# This script is based on Ben Laurie's check_forensic, but is adjusted for GNU
# tools (as used on Linux) and it works in a safe tmpdir directory.
# todo: rewrite in a form that allows running on more operating systems.
F=${1:?give filename as argument. cannot read from stdin.}
tmpprefix=${TMPDIR:-/tmp}/check_forensic.XXXXXX
tdir=$(mktemp -d $tmpprefix); test $? = 0 || { echo >&2 Could not create tmpdir. Exiting; exit 1; }
cut -f 1 -d '|' $F > $tdir/fc-all.$$
grep ^+ < $tdir/fc-all.$$ | cut -c2- | sort > $tdir/fc-in.$$
grep -- ^- < $tdir/fc-all.$$ | cut -c2- | sort > $tdir/fc-out.$$
join -v 1 $tdir/fc-in.$$ $tdir/fc-out.$$ | xargs -ixx egrep "^\\+xx" $F
rm $tdir/fc-all.$$ $tdir/fc-in.$$ $tdir/fc-out.$$
rmdir $tdir
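Review bot: $F, $tmpprefix and $tdir are unquoted in every command from the mktemp call to the final rmdir, so a log path or TMPDIR containing whitespace splits into several arguments; quote them throughout. The temporary files are removed only on the normal path at the end, so an interrupt or a failing cut/join leaves the directory behind; a trap on EXIT that removes "$tdir" would cover that. The join output is also substituted into an egrep pattern through "xargs -ixx", so each id is interpreted as a regular expression, and GNU xargs documents -i as deprecated in favour of -I.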
++++++ apache2-default-server.conf ++++++
#
# Global configuration that will be applicable for all virtual hosts, unless
# deleted here, or overriden elswhere.
#
DocumentRoot "/srv/www/htdocs"
#
# Configure the DocumentRoot
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs-2.2/mod/core.html#options
# for more information.
Options None
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
AllowOverride None
# Controls who can get stuff from this server.
Order allow,deny
Allow from all
</Directory>
# Aliases: aliases can be added as needed (with no limit). The format is
# Alias fakename realname
#
# Note that if you include a trailing / on fakename then the server will
# require it to be present in the URL. So "/icons" isn't aliased in this
# example, only "/icons/". If the fakename is slash-terminated, then the
# realname must also be slash terminated, and if the fakename omits the
# trailing slash, the realname must also omit it.
#
# We include the /icons/ alias for FancyIndexed directory listings. If you
# do not use FancyIndexing, you may comment this out.
#
Alias /icons/ "/usr/share/apache2/icons/"
Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the realname directory are treated as applications and
# run by the server when requested rather than as documents sent to the client.
# The same rules about trailing "/" apply to ScriptAlias directives as to
# Alias.
#
ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"
# "/srv/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
AllowOverride None
Options +ExecCGI -Includes
Order allow,deny
Allow from all
</Directory>
# UserDir: The name of the directory that is appended onto a user's home
# directory if a ~user request is received.
#
# To disable it, simply remove userdir from the list of modules in APACHE_MODULES
# in /etc/sysconfig/apache2.
#
<IfModule mod_userdir.c>
# Note that the name of the user directory ("public_html") cannot simply be
# changed here, since it is a compile time setting. The apache package
# would have to be rebuilt. You could work around by deleting
# /usr/sbin/suexec, but then all scripts from the directories would be
# executed with the UID of the webserver.
UserDir public_html
# The actual configuration of the directory is in
# /etc/apache2/mod_userdir.conf.
Include /etc/apache2/mod_userdir.conf
# You can, however, change the ~ if you find it awkward, by mapping e.g.
# http://www.example.com/users/karl-heinz/ --> /home/karl-heinz/public_html/
#AliasMatch ^/users/([a-zA-Z0-9-_.]*)/?(.*) /home/$1/public_html/$2
</IfModule>
# Include all *.conf files from /etc/apache2/conf.d/.
#
# This is mostly meant as a place for other RPM packages to drop in their
# configuration snippet.
#
# You can comment this out here if you want those bits include only in a
# certain virtual host, but not here.
#
Include /etc/apache2/conf.d/*.conf
# The manual... if it is installed ('?' means it won't complain)
Include /etc/apache2/conf.d/apache2-manual?conf
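Review bot: the /icons/ block sets "Options Indexes MultiViews", which turns on directory listings and content negotiation for a directory that only has to hand out icon files, while the DocumentRoot block above it uses "Options None". Consider "Options None" here as well, unless a listing of /usr/share/apache2/icons/ is actually wanted.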
++++++ apache2-default-vhost-ssl.conf ++++++
#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
# directives see URL:http://httpd.apache.org/docs-2.2/mod/mod_ssl.html
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
<IfDefine SSL>
##
## SSL Virtual Host Context
##
<VirtualHost _default_:443>
# General setup for the virtual host
ServerName dummy-host.example.com
ServerAdmin webmaster@dummy-host.example.com
ServerAlias example.com www.example.com
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
DocumentRoot "/srv/www/htdocs"
#ServerName www.example.com:443
#ServerAdmin webmaster@example.com
ErrorLog /var/log/apache2/error_log
TransferLog /var/log/apache2/access_log
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL Protocol support:
# 4 possible values: All, SSLv2, SSLv3, TLSv1. Allow TLS and SSLv3:
# List the protocol versions which clients are allowed to
# connect with. Disable SSLv2 by default (cf. RFC 6176).
SSLProtocol all -SSLv2
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
#
# Weak ciphers are disabled by default.
# Please see the documentation via the links above, and
# "openssl ciphers -v" for a complete list of ciphers that are
# available.
#
# The following default should work with openssl running in FIPS
# mode.
# OPENSSL_FORCE_FIPS_MODE=1 rcapache2 restart
# will start the web server with FIPS mode in openssl.
# For more information, please have a look at
# /usr/share/doc/packages/openssl/README-FIPS.txt from the openssl
# package.
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
# Speed-optimized SSL Cipher configuration:
# If speed is your main concern (on busy HTTPS servers e.g.),
# you might want to force clients to specific, performance
# optimized ciphers. In this case, prepend those ciphers
# to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
# Caveat: by giving precedence to RC4-SHA and AES128-SHA
# (as in the example below), most connections will no longer
# have perfect forward secrecy - if the server's key is
# compromised, captures of past or future traffic must be
# considered compromised, too.
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
#SSLHonorCipherOrder on
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. Keep
# in mind that if you have both an RSA and a DSA certificate you
# can configure both in parallel (to also allow the use of DSA
# ciphers, etc.)
SSLCertificateFile /etc/apache2/ssl.crt/server.crt
#SSLCertificateFile /etc/apache2/ssl.crt/server-dsa.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
#SSLCertificateKeyFile /etc/apache2/ssl.key/server-dsa.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile /etc/apache2/ssl.crt/ca.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /etc/apache2/ssl.crt
#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
# Certificate Revocation Lists (CRL):
# Set the CA revocation path where to find CA CRLs for client
# authentication or alternatively one huge file containing all
# of them (file must be PEM encoded)
# Note: Inside SSLCARevocationPath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCARevocationPath /etc/apache2/ssl.crl
#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
SSLOptions +StdEnvVars
</FilesMatch>
SSLOptions +StdEnvVars
</Directory>
AllowOverride None
#Options +Indexes +MultiViews +FollowSymLinks
Options -Indexes -MultiViews +FollowSymLinks
#IndexOptions FancyIndexing
#AuthName "Top Secret on dummy-host.example.com"
#AuthType Basic
#AuthUserFile /srv/www/passwd/default
#
# Controls who can get stuff from this server.
#
#<limit GET POST>
# Require valid-user
# Order Deny,Allow
# Deny from All
# Allow from 127.0.0.1
# Allow from .example.com
# Satisfy any
#</limit>
</Directory>
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog /var/log/apache2/ssl_request_log ssl_combined
#
# some Rewrite stuff for sharedssl
#
#RewriteEngine on
##RewriteLog "/var/log/apache2/dummy-host.example.com-rewrite-ssl_log"
##RewriteLogLevel 3
#RewriteCond %{HTTP_HOST} ^webmail\..* [NC]
#RewriteRule ^/$ https://sharedssl.example.com/roundcube/ [L,R]
#RewriteRule ^/$ /roundcube [R]
</VirtualHost>
</IfDefine>
</IfDefine>
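Review bot: "SSLHonorCipherOrder on" appears only in the commented-out speed example, so with the active "SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5" the cipher is chosen by the client's preference order, and a client that lists a MEDIUM cipher first gets it even when a HIGH one is shared. Consider enabling SSLHonorCipherOrder next to the default suite. Separately, the comment above "SSLProtocol all -SSLv2" holds two overlapping sentences ("4 possible values ... Allow TLS and SSLv3:" and "List the protocol versions ..."); a single sentence stating that SSLv3 stays enabled would be clearer.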
++++++ apache2-default-vhost.conf ++++++
#
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for requests without a known
# server name.
#
<VirtualHost _default_:80>
ServerName dummy-host.example.com
ServerAdmin webmaster@dummy-host.example.com
ServerAlias example.com www.example.com
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
DocumentRoot "/srv/www/htdocs"
# if not specified, the global error log is used
ErrorLog /var/log/apache2/dummy-host.example.com-error_log
CustomLog /var/log/apache2/dummy-host.example.com-access_log combined
# don't loose time with IP address lookups
HostnameLookups Off
# needed for named virtual hosts
UseCanonicalName Off
# configures the footer on server-generated documents
ServerSignature On
# Optionally, include *.conf files from /etc/apache2/conf.d/
#
# For example, to allow execution of PHP scripts:
#
# Include /etc/apache2/conf.d/mod_php4.conf
#
# or, to include all configuration snippets added by packages:
# Include /etc/apache2/conf.d/*.conf
# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the realname directory are treated as applications and
# run by the server when requested rather than as documents sent to the client.
# The same rules about trailing "/" apply to ScriptAlias directives as to
# Alias.
#
ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"
# "/srv/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have one, and where ScriptAlias points to.
#
AllowOverride None
Options +ExecCGI -Includes
Order allow,deny
Allow from all
</Directory>
# UserDir: The name of the directory that is appended onto a user's home
# directory if a ~user request is received.
#
# To disable it, simply remove userdir from the list of modules in APACHE_MODULES
# in /etc/sysconfig/apache2.
#
<IfModule mod_userdir.c>
# Note that the name of the user directory ("public_html") cannot simply be
# changed here, since it is a compile time setting. The apache package
# would have to be rebuilt. You could work around by deleting
# /usr/sbin/suexec, but then all scripts from the directories would be
# executed with the UID of the webserver.
UserDir public_html
# The actual configuration of the directory is in
# /etc/apache2/mod_userdir.conf.
Include /etc/apache2/mod_userdir.conf
# You can, however, change the ~ if you find it awkward, by mapping e.g.
# http://www.example.com/users/karl-heinz/ --> /home/karl-heinz/public_html/
#AliasMatch ^/users/([a-zA-Z0-9-_.]*)/?(.*) /home/$1/public_html/$2
</IfModule>
#
# This should be changed to whatever you set DocumentRoot to.
#
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs-2.2/mod/core.html#options
# for more information.
#
Options +Indexes +MultiViews +FollowSymLinks
IndexOptions FancyIndexing
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride None
#
# Controls who can get stuff from this server.
#
Order allow,deny
Allow from all
</Directory>
#
# some Rewrite stuff for sharedssl
#
#RewriteEngine on
##RewriteLog "/var/log/apache2/dummy-host.example.com-rewrite_log"
##RewriteLogLevel 3
#RewriteCond %{HTTP_HOST} ^sharedssl\.* [OR]
#RewriteRule ^/$ https://sharedssl.example.com/$1 [L,R]
</VirtualHost>
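Review bot: "Options +Indexes +MultiViews +FollowSymLinks" together with "IndexOptions FancyIndexing" makes directory listings the default for every host created from this template, whereas the SSL template uses "Options -Indexes -MultiViews +FollowSymLinks". The two templates should agree, preferably on the stricter setting. In the commented rewrite example, the single RewriteCond carries [OR] with no condition after it, and the rule substitutes $1 although "^/$" has no capture group.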
++++++ apache2-errors.conf ++++++
#
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
#
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#
#
# Putting this all together, we can internationalize error responses.
#
# We use Alias to redirect any /error/HTTP_<error>.html.var response to
# our collection of by-error message multi-language collections. We use
# includes to substitute the appropriate text.
#
# You can modify the messages' appearance without changing any of the
# default HTTP_<error>.html.var files by adding the line:
#
# Alias /error/include/ "/your/include/path/"
#
# which allows you to create your own set of files by starting with the
# /usr/share/apache2/error/include/ files and copying them to /your/include/path/,
# even on a per-VirtualHost basis. The default include files will display
# your Apache version number and your ServerAdmin email address regardless
# of the setting of ServerSignature.
#
# The internationalized error documents require mod_alias, mod_include
# and mod_negotiation. To activate them, uncomment the following 30 lines.
Alias /error/ "/usr/share/apache2/error/"
<IfModule mod_negotiation.c>
<IfModule mod_include.c>
AllowOverride None
Options IncludesNoExec
AddOutputFilter Includes html
AddHandler type-map var
Order allow,deny
Allow from all
LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
ForceLanguagePriority Prefer Fallback
</Directory>
ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var
ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var
ErrorDocument 410 /error/HTTP_GONE.html.var
ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var
ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var
ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var
ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var
ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var
ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var
ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var
ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var
ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var
</IfModule>
</IfModule>
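Review bot: the comment "To activate them, uncomment the following 30 lines." no longer matches the file, because the Alias, the IfModule blocks and all ErrorDocument lines below it are already active. Reword it to say how to switch the internationalized documents off, and repeat at that point what the earlier comment states: the default include files show the Apache version number and the ServerAdmin address regardless of ServerSignature.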
++++++ apache2-httpd.conf ++++++
#
# /etc/apache2/httpd.conf
#
# This is the main Apache server configuration file. It contains the
# configuration directives that give the server its instructions.
# See URL:http://httpd.apache.org/docs-2.2/ for detailed information about
# the directives.
# Based upon the default apache configuration file that ships with apache,
# which is based upon the NCSA server configuration files originally by Rob
# McCool. This file was knocked together by Peter Poeml .
# If possible, avoid changes to this file. It does mainly contain Include
# statements and global settings that can/should be overridden in the
# configuration of your virtual hosts.
# Quickstart guide:
# http://en.opensuse.org/Apache_Quickstart_HOWTO
# Overview of include files, chronologically:
#
# httpd.conf
# |
# |-- uid.conf . . . . . . . . . . . . . . UserID/GroupID to run under
# |-- server-tuning.conf . . . . . . . . . sizing of the server (how many processes to start, ...)
# |-- sysconfig.d/loadmodule.conf . . . . . [*] load these modules
# |-- listen.conf . . . . . . . . . . . . . IP adresses / ports to listen on
# |-- mod_log_config.conf . . . . . . . . . define logging formats
# |-- sysconfig.d/global.conf . . . . . . . [*] server-wide general settings
# |-- mod_status.conf . . . . . . . . . . . restrict access to mod_status (server monitoring)
# |-- mod_info.conf . . . . . . . . . . . . restrict access to mod_info
# |-- mod_usertrack.conf . . . . . . . . . defaults for cookie-based user tracking
# |-- mod_autoindex-defaults.conf . . . . . defaults for displaying of server-generated directory listings
# |-- mod_mime-defaults.conf . . . . . . . defaults for mod_mime configuration
# |-- errors.conf . . . . . . . . . . . . . customize error responses
# |-- ssl-global.conf . . . . . . . . . . . SSL conf that applies to default server _and all_ virtual hosts
# |
# |-- default-server.conf . . . . . . . . . set up the default server that replies to non-virtual-host requests
# | |--mod_userdir.conf . . . . . . . . enable UserDir (if mod_userdir is loaded)
# | `--conf.d/apache2-manual?conf . . . add the docs ('?' = if installed)
# |
# |-- sysconfig.d/include.conf . . . . . . [*] your include files
# | (for each file to be included here, put its name
# | into APACHE_INCLUDE_* in /etc/sysconfig/apache2)
# |
# `-- vhosts.d/ . . . . . . . . . . . . . . for each virtual host, place one file here
# `-- *.conf . . . . . . . . . . . . . (*.conf is automatically included)
#
#
# Files marked [*] are created from sysconfig upon server restart: instead of
# these files, you edit /etc/sysconfig/apache2
# Filesystem layout:
#
# /etc/apache2/
# |-- charset.conv . . . . . . . . . . . . for mod_auth_ldap
# |-- conf.d/
# | |-- apache2-manual.conf . . . . . . . conf that comes with apache2-doc
# | |-- mod_php4.conf . . . . . . . . . . (example) conf that comes with apache2-mod_php4
# | `-- ... . . . . . . . . . . . . . . . other configuration added by packages
# |-- default-server.conf
# |-- errors.conf
# |-- httpd.conf . . . . . . . . . . . . . top level configuration file
# |-- listen.conf
# |-- magic
# |-- mime.types -> ../mime.types
# |-- mod_autoindex-defaults.conf
# |-- mod_info.conf
# |-- mod_log_config.conf
# |-- mod_mime-defaults.conf
# |-- mod_perl-startup.pl
# |-- mod_status.conf
# |-- mod_userdir.conf
# |-- mod_usertrack.conf
# |-- server-tuning.conf
# |-- ssl-global.conf
# |-- ssl.crl/ . . . . . . . . . . . . . . PEM-encoded X.509 Certificate Revocation Lists (CRL)
# |-- ssl.crt/ . . . . . . . . . . . . . . PEM-encoded X.509 Certificates
# |-- ssl.csr/ . . . . . . . . . . . . . . PEM-encoded X.509 Certificate Signing Requests
# |-- ssl.key/ . . . . . . . . . . . . . . PEM-encoded RSA Private Keys
# |-- ssl.prm/ . . . . . . . . . . . . . . public DSA Parameter Files
# |-- sysconfig.d/ . . . . . . . . . . . . files that are created from /etc/sysconfig/apache2
# | |-- global.conf
# | |-- include.conf
# | `-- loadmodule.conf
# |-- uid.conf
# `-- vhosts.d/ . . . . . . . . . . . . . . put your virtual host configuration (*.conf) here
# |-- vhost-ssl.template
# `-- vhost.template
### Global Environment ######################################################
#
# The directives in this section affect the overall operation of Apache,
# such as the number of concurrent requests.
# run under this user/group id
Include /etc/apache2/uid.conf
# - how many server processes to start (server pool regulation)
# - usage of KeepAlive
Include /etc/apache2/server-tuning.conf
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here. If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
ErrorLog /var/log/apache2/error_log
# generated from APACHE_MODULES in /etc/sysconfig/apache2
Include /etc/apache2/sysconfig.d/loadmodule.conf
# IP addresses / ports to listen on
Include /etc/apache2/listen.conf
# predefined logging formats
Include /etc/apache2/mod_log_config.conf
# generated from global settings in /etc/sysconfig/apache2
Include /etc/apache2/sysconfig.d/global.conf
# optional mod_status, mod_info
Include /etc/apache2/mod_status.conf
Include /etc/apache2/mod_info.conf
# optional cookie-based user tracking
# read the documentation before using it!!
Include /etc/apache2/mod_usertrack.conf
# configuration of server-generated directory listings
Include /etc/apache2/mod_autoindex-defaults.conf
# associate MIME types with filename extensions
TypesConfig /etc/apache2/mime.types
DefaultType text/plain
Include /etc/apache2/mod_mime-defaults.conf
# set up (customizable) error responses
Include /etc/apache2/errors.conf
# global (server-wide) SSL configuration, that is not specific to
# any virtual host
Include /etc/apache2/ssl-global.conf
# forbid access to the entire filesystem by default
<Directory />
Options None
AllowOverride None
Order deny,allow
Deny from all
</Directory>
# use .htaccess files for overriding,
AccessFileName .htaccess
# and never show them
Order allow,deny
Deny from all
</Files>
# List of resources to look for when the client requests a directory
DirectoryIndex index.html index.html.var
### 'Main' server configuration #############################################
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition. These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#
Include /etc/apache2/default-server.conf
# Another way to include your own files
#
# The file below is generated from /etc/sysconfig/apache2,
# include arbitrary files as named in APACHE_CONF_INCLUDE_FILES and
# APACHE_CONF_INCLUDE_DIRS
Include /etc/apache2/sysconfig.d/include.conf
### Virtual server configuration ############################################
#
# VirtualHost: If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them. Most configurations
# use only name-based virtual hosts so the server doesn't need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.
#
# Please see the documentation at
# URL:http://httpd.apache.org/docs-2.2/vhosts/
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host
# configuration.
#
Include /etc/apache2/vhosts.d/*.conf
# Note: instead of adding your own configuration here, consider
# adding it in your own file (/etc/apache2/httpd.conf.local)
# putting its name into APACHE_CONF_INCLUDE_FILES in
# /etc/sysconfig/apache2 -- this will make system updates
# easier :)
++++++ apache2-listen.conf ++++++
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports. See also the <VirtualHost> directive.
#
# http://httpd.apache.org/docs-2.2/mod/mpm_common.html#listen
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
#
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
#
# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
# Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
#
#Listen 12.34.56.78:80
#Listen 80
#Listen 443
Listen 80
<IfDefine SSL>
<IfModule mod_ssl.c>
Listen 443
</IfModule>
</IfDefine>
</IfDefine>
# Use name-based virtual hosting
#
# - on a specified address / port:
#
#NameVirtualHost 12.34.56.78:80
#
# - name-based virtual hosting:
#
#NameVirtualHost *:80
#
# - on all addresses and ports. This is your best bet when you are on
# dynamically assigned IP addresses:
#
#NameVirtualHost *
++++++ apache2-manual.conf ++++++
#
# This configuration file belongs to the apache2-doc package.
#
# The alias provides the manual, even if you choose to move your DocumentRoot.
# this out if you do not care for the documentation.
#
AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|ru))?(/.*)?$ "/usr/share/apache2/manual$1"
Options Indexes
AllowOverride None
Order allow,deny
Allow from all
SetHandler type-map
</Files>
SetEnvIf Request_URI ^/manual/(de|en|es|fr|ja|ko|ru)/ prefer-language=$1
RedirectMatch 301 ^/manual(?:/(de|en|es|fr|ja|ko|ru)){2,}(/.*)?$ /manual/$1$2
</Directory>
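Review bot: the header comment is missing words: "this out if you do not care for the documentation." has no verb and does not say what to comment out. Also, "Options Indexes" enables directory listings under /usr/share/apache2/manual; if only the manual pages themselves are meant to be served, it can be dropped.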
++++++ apache2-mod_autoindex-defaults.conf ++++++
#
# Directives controlling the display of server-generated directory listings.
#
# see http://httpd.apache.org/docs-2.2/mod/mod_autoindex.html
#
<IfModule mod_autoindex.c>
IndexOptions FancyIndexing VersionSort NameWidth=*
# Add Last-Modified and ETag values for the listed directory in the HTTP header,
# based on files' modification dates
#IndexOptions +TrackModified
AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*
AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core
AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^
DefaultIcon /icons/unknown.gif
ReadmeName README.html
HeaderName HEADER.html
IndexIgnore .??* *~ *# HEADER* RCS CVS *,v *,t
</IfModule>
++++++ apache2-mod_info.conf ++++++
#
# Allow remote server configuration reports, with the URL of
# http://servername/server-info (requires that mod_info.c be loaded).
#
# see http://httpd.apache.org/docs-2.2/mod/mod_info.html
#
<IfModule mod_info.c>
SetHandler server-info
Order deny,allow
Deny from all
Allow from localhost
</Location>
</IfModule>
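Review bot: "Allow from localhost" is a host-name match, so for requests to /server-info the server has to resolve the client address through DNS (reverse and then forward lookup), and access to the configuration report ends up depending on name resolution. Matching the loopback addresses directly ("Allow from 127.0.0.1 ::1") avoids that.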
++++++ apache2-mod_log_config.conf ++++++
#
# The following directives define some format nicknames for use with
# a CustomLog directive.
#
# http://httpd.apache.org/docs-2.2/mod/mod_log_config.html
#
#
# Format string: Nickname:
#
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
LogFormat "%h %l %u %t \"%r\" %>s %b \
\"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b \
\"%{Referer}i\" \"%{User-Agent}i\"" vhost_combined
# To use %I and %O, you need to enable mod_logio
<IfModule mod_logio.c>
LogFormat "%h %l %u %t \"%r\" %>s %b \
\"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
# Use one of these when you want a compact non-error SSL logfile on a virtual
# host basis:
<IfModule mod_ssl.c>
Logformat "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \
\"%r\" %b" ssl_common
Logformat "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \
\"%r\" %b \"%{Referer}i\" \"%{User-Agent}i\"" ssl_combined
</IfModule>
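Review bot: ssl_common and ssl_combined log neither the status code (%>s) nor the remote user (%u), both of which the common and combined formats above include, so ssl_request_log on its own cannot show whether a request succeeded or which user authenticated. Consider adding %u and %>s to both formats. Style: these two lines spell the directive "Logformat" while the rest of the file uses "LogFormat".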
++++++ apache2-mod_mime-defaults.conf ++++++
#
# mod_mime configuration:
# associate various bits of "meta information" with files by their filename extensions
#
# see http://httpd.apache.org/docs-2.2/mod/mod_mime.html
#
# Catalan (ca) - Croatian (hr) - Czech (cs) - Danish (da) - Dutch (nl)
# English (en) - Esperanto (eo) - Estonian (et) - French (fr) - German (de)
# Greek-Modern (el) - Hebrew (he) - Italian (it) - Japanese (ja)
# Korean (ko) - Luxembourgeois* (ltz) - Norwegian Nynorsk (nn)
# Norwegian (no) - Polish (pl) - Portugese (pt)
# Brazilian Portuguese (pt-BR) - Russian (ru) - Swedish (sv)
# Simplified Chinese (zh-CN) - Spanish (es) - Traditional Chinese (zh-TW)
#
AddLanguage ca .ca
AddLanguage cs .cz .cs
AddLanguage da .dk
AddLanguage de .de
AddLanguage el .el
AddLanguage en .en
AddLanguage eo .eo
AddLanguage es .es
AddLanguage et .et
AddLanguage fr .fr
AddLanguage he .he
AddLanguage hr .hr
AddLanguage it .it
AddLanguage ja .ja
AddLanguage ko .ko
AddLanguage ltz .ltz
AddLanguage nl .nl
AddLanguage nn .nn
AddLanguage no .no
AddLanguage pl .po
AddLanguage pt .pt
AddLanguage pt-BR .pt-br
AddLanguage ru .ru
AddLanguage sv .sv
AddLanguage zh-CN .zh-cn
AddLanguage zh-TW .zh-tw
#
# LanguagePriority allows you to give precedence to some languages
# in case of a tie during content negotiation.
#
# Just list the languages in decreasing order of preference. We have
# more or less alphabetized them here. You probably want to change this.
#
<IfModule mod_negotiation.c>
LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW
#
# ForceLanguagePriority allows you to serve a result page rather than
# MULTIPLE CHOICES (Prefer) [in case of a tie] or NOT ACCEPTABLE (Fallback)
# [in case no accepted languages matched the available variants]
#
ForceLanguagePriority Prefer Fallback
</IfModule>
#
# Commonly used filename extensions to character sets. You probably
# want to avoid clashes with the language extensions, unless you
# are good at carefully testing your setup after each change.
# See http://www.iana.org/assignments/character-sets for the
# official list of charset names and their respective RFCs.
#
AddCharset ISO-8859-1 .iso8859-1 .latin1
AddCharset ISO-8859-2 .iso8859-2 .latin2 .cen
AddCharset ISO-8859-3 .iso8859-3 .latin3
AddCharset ISO-8859-4 .iso8859-4 .latin4
AddCharset ISO-8859-5 .iso8859-5 .latin5 .cyr .iso-ru
AddCharset ISO-8859-6 .iso8859-6 .latin6 .arb
AddCharset ISO-8859-7 .iso8859-7 .latin7 .grk
AddCharset ISO-8859-8 .iso8859-8 .latin8 .heb
AddCharset ISO-8859-9 .iso8859-9 .latin9 .trk
AddCharset ISO-2022-JP .iso2022-jp .jis
AddCharset ISO-2022-KR .iso2022-kr .kis
AddCharset ISO-2022-CN .iso2022-cn .cis
AddCharset Big5 .Big5 .big5
# For russian, more than one charset is used (depends on client, mostly):
AddCharset WINDOWS-1251 .cp-1251 .win-1251
AddCharset CP866 .cp866
AddCharset KOI8-r .koi8-r .koi8-ru
AddCharset KOI8-ru .koi8-uk .ua
AddCharset ISO-10646-UCS-2 .ucs2
AddCharset ISO-10646-UCS-4 .ucs4
AddCharset UTF-8 .utf8
# The set below does not map to a specific (iso) standard
# but works on a fairly wide range of browsers. Note that
# capitalization actually matters (it should not, but it
# does for some browsers).
#
# See http://www.iana.org/assignments/character-sets
# for a list of sorts. But browsers support few.
#
AddCharset GB2312 .gb2312 .gb
AddCharset utf-7 .utf7
AddCharset utf-8 .utf8
AddCharset big5 .big5 .b5
AddCharset EUC-TW .euc-tw
AddCharset EUC-JP .euc-jp
AddCharset EUC-KR .euc-kr
AddCharset shift_jis .sjis
#
# AddType allows you to add to or override the MIME configuration
# file mime.types for specific file types.
#
#AddType application/x-tar .tgz
#
# AddEncoding allows you to have certain browsers uncompress
# information on the fly. Note: Not all browsers support this.
# Despite the name similarity, the following Add* directives have nothing
# to do with the FancyIndexing customization directives above.
#
#AddEncoding x-compress .Z
#AddEncoding x-gzip .gz .tgz
#
# If the AddEncoding directives above are commented-out, then you
# probably should define those extensions to indicate media types:
#
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
# Shortcut icons don't seem to be registered by IANA yet, but they
# are so commonly used that we add them here.
Addtype image/x-icon .ico
# Zipped SVG files (.svgz) are not registered by IANA yet, and we should hint
# clients about their encoding
AddType image/svg+xml .svg .svgz
AddEncoding gzip .svgz
#
# For type maps (negotiated resources):
# (This is enabled by default to allow the Apache "It Worked" page
# to be distributed in multiple languages.)
#
AddHandler type-map var
#
# Filters allow you to process content before it is sent to the client.
#
# To parse .shtml files for server-side includes (SSI):
# (You will also need to add "Includes" to the "Options" directive.)
#
#AddType text/html .shtml
#AddOutputFilter INCLUDES .shtml
# Guess the MIME type of a file by looking at a few bytes of its contents
# http://httpd.apache.org/docs-2.2/mod/mod_mime_magic.html
<IfModule mod_mime_magic.c>
MIMEMagicFile /etc/apache2/magic
</IfModule>
++++++ apache2-mod_reqtimeout.conf ++++++
#
# Set timeout and minimum data rate for receiving requests to limit
# the effects of denial of service attacks that connect, but let the
# server wait for the completion of the request, thereby allocating
# resources. The most commonly name for this attack method is
# slowloris.
#
# mod_reqtimeout.c must be loaded.
#
# see https://httpd.apache.org/docs/2.2/mod/mod_reqtimeout.html
# or /usr/share/apache2/manual/mod/mod_reqtimeout.html.en
#
# Note:
# the RequestReadTimeout directive can also be placed into a
# virtual host context.
#
# Play around with variations of the below values if you are
# under attack from slowloris or a similar tool.
<IfModule mod_reqtimeout.c>
# allow 10s timeout for the headers and allow 1s more until 20s upon
# receipt of 1000 bytes.
# almost the same with the body, except that it is tricky to
# limit the request timeout within the body at all - it may take
# time to generate the body.
RequestReadTimeout header=10-20,MinRate=1000 body=20,MinRate=1000
</IfModule>
++++++ apache2-mod_ssl_npn.patch ++++++
# This patch adds hooks for Next Protocol Negotiation (NPN) into mod_ssl. This
# change is under review to be included in Apache trunk:
# https://issues.apache.org/bugzilla/show_bug.cgi?id=52210
# But until it becomes part of an Apache 2.2 release, we need to apply the patch
# ourselves.
Index: modules/ssl/ssl_private.h
===================================================================
--- modules/ssl/ssl_private.h (revision 1202283)
+++ modules/ssl/ssl_private.h (working copy)
@@ -603,6 +603,7 @@
#ifndef OPENSSL_NO_TLSEXT
int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *);
#endif
+int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len, void *arg);
/** Session Cache Support */
void ssl_scache_init(server_rec *, apr_pool_t *);
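Review bot: The new prototype for ssl_callback_AdvertiseNextProtos is placed after the `#endif` that closes the OPENSSL_NO_TLSEXT block, so it is declared even on builds where the callback can never be registered. The registration in ssl_engine_init.c is compiled only when OPENSSL_VERSION_NUMBER >= 0x10001000L and neither OPENSSL_NO_TLSEXT nor OPENSSL_NO_NEXTPROTONEG is defined; put the declaration under the same condition. The parameter names here (`data`, `len`) also differ from the definition in ssl_engine_kernel.c (`data_out`, `size_out`); use one set.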
@@ -714,4 +715,3 @@
#endif /* SSL_PRIVATE_H */
/** @} */
-
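Review bot: Removing the blank line at the end of ssl_private.h has nothing to do with NPN; drop this whitespace-only hunk, and the matching one at the end of ssl_engine_init.c, so the patch touches only what it needs and is easier to carry across later 2.2.x updates.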
Index: modules/ssl/ssl_engine_init.c
===================================================================
--- modules/ssl/ssl_engine_init.c (revision 1202283)
+++ modules/ssl/ssl_engine_init.c (working copy)
@@ -559,6 +559,11 @@
SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH);
SSL_CTX_set_info_callback(ctx, ssl_callback_Info);
+
+#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+ SSL_CTX_set_next_protos_advertised_cb(
+ ctx, ssl_callback_AdvertiseNextProtos, NULL);
+#endif
}
static void ssl_init_ctx_verify(server_rec *s,
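Review bot: The three-part condition on the `#if` line is repeated verbatim in ssl_engine_io.c, and the two copies must stay in step for the advertise callback and the negotiated-protocol lookup to be compiled together. Define the condition once in ssl_private.h as a single feature macro (the name is up to you, for example HAVE_TLS_NPN) and test that macro in both places. The callback is also installed with a NULL `arg`, so it relies entirely on SSL_get_app_data() returning the conn_rec; a one-line comment saying so would help the next reader.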
@@ -1352,4 +1357,3 @@
return APR_SUCCESS;
}
-
Index: modules/ssl/ssl_engine_io.c
===================================================================
--- modules/ssl/ssl_engine_io.c (revision 1202283)
+++ modules/ssl/ssl_engine_io.c (working copy)
@@ -338,6 +338,7 @@
apr_pool_t *pool;
char buffer[AP_IOBUFSIZE];
ssl_filter_ctx_t *filter_ctx;
+ int npn_finished; /* 1 if NPN has finished, 0 otherwise */
} bio_filter_in_ctx_t;
/*
@@ -1409,6 +1410,21 @@
APR_BRIGADE_INSERT_TAIL(bb, bucket);
}
+ /* By this point, Next Protocol Negotiation (NPN) should be completed (if
+ * our version of OpenSSL supports it). If we haven't already, find out
+ * which protocol was decided upon and inform other modules by calling
+ * npn_proto_negotiated_hook. */
+ if (!inctx->npn_finished) {
+ inctx->npn_finished = 1;
+#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+ const unsigned char *next_proto = NULL;
+ unsigned next_proto_len = 0;
+ SSL_get0_next_proto_negotiated(inctx->ssl, &next_proto,
+ &next_proto_len);
+ ssl_run_npn_proto_negotiated_hook(f->c, next_proto, next_proto_len);
+#endif
+ }
+
return APR_SUCCESS;
}
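Review bot: The call `ssl_run_npn_proto_negotiated_hook(f->c, next_proto, next_proto_len)` passes a `const unsigned char *` where mod_ssl.h declares the hook parameter as `char* proto_name`, which discards const and changes signedness; declare the hook parameter as `const char *` and cast once at the call. `next_proto` and `next_proto_len` are declared after the statement `inctx->npn_finished = 1;`, which C89 compilers reject; move the assignment below the declarations or open a new block inside the `#if`. The hook's return value is dropped; if that is intended, say so in the comment.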
@@ -1753,6 +1769,7 @@
inctx->block = APR_BLOCK_READ;
inctx->pool = c->pool;
inctx->filter_ctx = filter_ctx;
+ inctx->npn_finished = 0;
}
void ssl_io_filter_init(conn_rec *c, SSL *ssl)
Index: modules/ssl/ssl_engine_kernel.c
===================================================================
--- modules/ssl/ssl_engine_kernel.c (revision 1202283)
+++ modules/ssl/ssl_engine_kernel.c (working copy)
@@ -1969,6 +1969,77 @@
}
}
+/*
+ * This callback function is executed when SSL needs to decide what protocols
+ * to advertise during Next Protocol Negotiation (NPN). It must produce a
+ * string in wire format -- a sequence of length-prefixed strings -- indicating
+ * the advertised protocols. Refer to SSL_CTX_set_next_protos_advertised_cb
+ * in OpenSSL for reference.
+ */
+int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out,
+ unsigned int *size_out, void *arg)
+{
+ *data_out = NULL;
+ *size_out = 0;
+
+ /* Get the connection object. If it's not available, then there's nothing
+ * for us to do. */
+ conn_rec *c = (conn_rec*)SSL_get_app_data(ssl);
+ if (c == NULL) {
+ return SSL_TLSEXT_ERR_OK;
+ }
+
+ /* Invoke our npn_advertise_protos hook, giving other modules a chance to
+ * add alternate protocol names to advertise. */
+ apr_array_header_t *protos = apr_array_make(c->pool, 0, sizeof(char*));
+ ssl_run_npn_advertise_protos_hook(c, protos);
+ int num_protos = protos->nelts;
+
+ /* If no other modules added any alternate protocols, then we're done. */
+ if (num_protos == 0) {
+ return SSL_TLSEXT_ERR_OK;
+ }
+
+ /* We now have a list of null-terminated strings; we need to concatenate
+ * them together into a single string, where each protocol name is prefixed
+ * by its length. First, calculate how long that string will be. */
+ unsigned int size = 0;
+ int i;
+ for (i = 0; i < num_protos; ++i) {
+ const char* string = APR_ARRAY_IDX(protos, i, const char*);
+ unsigned int length = strlen(string);
+ /* If the protocol name is too long (the length must fit in one byte),
+ * then log an error and quit. */
+ if (length > 255) {
+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c,
+ "SSL NPN protocol name too long (length=%u): %s",
+ length, string);
+ return SSL_TLSEXT_ERR_OK;
+ }
+ /* Leave room for the length prefix (one byte) plus the protocol name
+ * itself. */
+ size += 1 + length;
+ }
+
+ /* Now we can build the string. Copy each protocol name string into the
+ * larger string, prefixed by its length. */
+ unsigned char* data = apr_palloc(c->pool, size * sizeof(unsigned char));
+ unsigned char* start = data;
+ for (i = 0; i < num_protos; ++i) {
+ const char* string = APR_ARRAY_IDX(protos, i, const char*);
+ size_t length = strlen(string);
+ *start = (unsigned char)length;
+ ++start;
+ memcpy(start, string, length * sizeof(unsigned char));
+ start += length;
+ }
+
+ /* Success. */
+ *data_out = data;
+ *size_out = size;
+ return SSL_TLSEXT_ERR_OK;
+}
+
#ifndef OPENSSL_NO_TLSEXT
/*
* This callback function is executed when OpenSSL encounters an extended
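Review bot: The length check in the first loop rejects names longer than 255 bytes but accepts an empty string, which would put a bare zero length byte into the advertised list; NPN protocol names must be non-empty, so test `length == 0 || length > 255`. `length` is `unsigned int` in the first loop and `size_t` in the second; use `size_t` in both so that the value checked is the value copied. The function is defined above the `#ifndef OPENSSL_NO_TLSEXT` line although it returns SSL_TLSEXT_ERR_OK and is only registered when NPN is available; wrap it in the same condition as the registration. Several declarations (`conn_rec *c`, `protos`, `num_protos`, `size`, `data`) follow statements, which C89 compilers reject.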
Index: modules/ssl/mod_ssl.c
===================================================================
--- modules/ssl/mod_ssl.c (revision 1202283)
+++ modules/ssl/mod_ssl.c (working copy)
@@ -220,6 +220,18 @@
AP_END_CMD
};
+/* Implement 'ssl_run_npn_advertise_protos_hook'. */
+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
+ ssl, AP, int, npn_advertise_protos_hook,
+ (conn_rec* connection, apr_array_header_t* protos),
+ (connection, protos), OK, DECLINED);
+
+/* Implement 'ssl_run_npn_proto_negotiated_hook'. */
+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
+ ssl, AP, int, npn_proto_negotiated_hook,
+ (conn_rec* connection, char* proto_name, apr_size_t proto_name_len),
+ (connection, proto_name, proto_name_len), OK, DECLINED);
+
/*
* the various processing hooks
*/
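Review bot: Both hooks are implemented here with APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL while mod_ssl.h declares them with APR_DECLARE_EXTERNAL_HOOK, so this file supplies a definition only for the `ssl_run_...` functions, not for the `ssl_hook_...` registration functions the declaration also announces. State in the header comment that other modules must register through the optional-hook mechanism (APR_OPTIONAL_HOOK) rather than by calling `ssl_hook_npn_advertise_protos_hook()` directly. The `_hook` suffix in the hook names is redundant next to the `ssl_run_` prefix the macros add; shorter names would read better if existing consumers allow the change.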
Index: modules/ssl/mod_ssl.h
===================================================================
--- modules/ssl/mod_ssl.h (revision 1202283)
+++ modules/ssl/mod_ssl.h (working copy)
@@ -60,5 +60,26 @@
APR_DECLARE_OPTIONAL_FN(apr_array_header_t *, ssl_extlist_by_oid, (request_rec *r, const char *oidstr));
+/** The npn_advertise_protos optional hook allows other modules to add entries
+ * to the list of protocol names advertised by the server during the Next
+ * Protocol Negotiation (NPN) portion of the SSL handshake. The hook callee is
+ * given the connection and an APR array; it should push one or more char*'s
+ * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto
+ * the array and return OK, or do nothing and return DECLINED. */
+APR_DECLARE_EXTERNAL_HOOK(ssl, AP, int, npn_advertise_protos_hook,
+ (conn_rec* connection, apr_array_header_t* protos));
+
+/** The npn_proto_negotiated optional hook allows other modules to discover the
+ * name of the protocol that was chosen during the Next Protocol Negotiation
+ * (NPN) portion of the SSL handshake. Note that this may be the empty string
+ * (in which case modules should probably assume HTTP), or it may be a protocol
+ * that was never even advertised by the server. The hook callee is given the
+ * connection, a non-null-terminated string containing the protocol name, and
+ * the length of the string; it should do something appropriate (i.e. insert or
+ * remove filters) and return OK, or do nothing and return DECLINED. */
+APR_DECLARE_EXTERNAL_HOOK(ssl, AP, int, npn_proto_negotiated_hook,
+ (conn_rec* connection, char* proto_name,
+ apr_size_t proto_name_len));
+
#endif /* __MOD_SSL_H__ */
/** @} */
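Review bot: The comment on npn_proto_negotiated_hook says the name is not null-terminated and may be a protocol the server never advertised, but it does not tell hook authors how to handle that. Add that callees must compare using the supplied length (check `proto_name_len`, then memcmp; never strcmp) and should return DECLINED for any name they did not advertise themselves, since the value is selected by the client. `proto_name` should be `const char*`, and the comment should say that the pointer refers to storage owned by OpenSSL that must be copied if it is kept beyond the call.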
++++++ apache2-mod_status.conf ++++++
#
# Allow server status reports generated by mod_status,
# with the URL of http://servername/server-status
#
# see http://httpd.apache.org/docs-2.2/mod/mod_status.html
#
<IfModule mod_status.c>
SetHandler server-status
Order deny,allow
Deny from all
Allow from localhost 127.0.0.1
</Location>
</IfModule>
++++++ apache2-mod_userdir.conf ++++++
#
# UserDir: The name of the directory that is appended onto a user's home
# directory if a ~user request is received.
#
<IfModule mod_userdir.c>
# Note that the name of the user directory ("public_html") cannot easily be
# changed here, since it is a compile time setting. The apache package
# would have to be rebuilt. You could work around by deleting
# /usr/sbin/suexec, but then all scripts from the directories would be
# executed with the UID of the webserver.
#
# To rebuild apache with another setting you need to change the
# %userdir define in the spec file.
# not every user's directory should be visible:
UserDir disabled root
# to enable UserDir only for a certain set of users, use this instead:
#UserDir disabled
#UserDir enabled user1 user2
# the UserDir directive is actually used inside the virtual hosts, to
# have more control
#UserDir public_html
AllowOverride FileInfo AuthConfig Limit Indexes
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
<Limit GET POST OPTIONS PROPFIND>
Order allow,deny
Allow from all
</Limit>
<LimitExcept GET POST OPTIONS PROPFIND>
Order deny,allow
Deny from all
</LimitExcept>
</Directory>
</IfModule>
++++++ apache2-mod_usertrack.conf ++++++
<IfModule mod_usertrack.c>
# This is the default.
CookieName Apache
</IfModule>
++++++ apache2-server-tuning.conf ++++++
##
## Server-Pool Size Regulation (MPM specific)
##
# the MPM (multiprocessing module) is not a dynamically loadable module in the
# sense of other modules. It is a compile time decision which one is used. We
# provide different apache2 MPM packages, containing different httpd2 binaries
# compiled with the available MPMs. See APACHE_MPM in /etc/sysconfig/apache2.
# prefork MPM
<IfModule prefork.c>
# number of server processes to start
# http://httpd.apache.org/docs/2.2/mod/mpm_common.html#startservers
StartServers 5
# minimum number of server processes which are kept spare
# http://httpd.apache.org/docs/2.2/mod/prefork.html#minspareservers
MinSpareServers 5
# maximum number of server processes which are kept spare
# http://httpd.apache.org/docs/2.2/mod/prefork.html#maxspareservers
MaxSpareServers 10
# highest possible MaxClients setting for the lifetime of the Apache process.
# http://httpd.apache.org/docs/2.2/mod/mpm_common.html#serverlimit
ServerLimit 150
# maximum number of server processes allowed to start
# http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxclients
MaxClients 150
# maximum number of requests a server process serves
# http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxrequestsperchild
MaxRequestsPerChild 10000
</IfModule>
# worker MPM
<IfModule worker.c>
# initial number of server processes to start
# http://httpd.apache.org/docs/2.2/mod/mpm_common.html#startservers
StartServers 3
# minimum number of worker threads which are kept spare
# http://httpd.apache.org/docs/2.2/mod/mpm_common.html#minsparethreads
MinSpareThreads 25
# maximum number of worker threads which are kept spare
# http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxsparethreads
MaxSpareThreads 75
# upper limit on the configurable number of threads per child process
# http://httpd.apache.org/docs/2.2/mod/mpm_common.html#threadlimit
ThreadLimit 64
# maximum number of simultaneous client connections
# http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxclients
MaxClients 150
# number of worker threads created by each child process
# http://httpd.apache.org/docs/2.2/mod/mpm_common.html#threadsperchild
ThreadsPerChild 25
# maximum number of requests a server process serves
# http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxrequestsperchild
MaxRequestsPerChild 10000
</IfModule>
# leader MPM
<IfModule leader.c>
# initial number of server processes to start
StartServers 2
# minimum number of worker threads which are kept spare
MinSpareThreads 25
# maximum number of worker threads which are kept spare
MaxSpareThreads 75
# maximum number of simultaneous client connections
MaxClients 150
# constant number of worker threads in each server process
ThreadsPerChild 25
# maximum number of requests a server process serves
MaxRequestsPerChild 10000
</IfModule>
#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive On
#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100
#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 15
#
# MaxRanges: Maximum number of Ranges in a request before
# returning the entire resource, or one of the special
# values 'default', 'none' or 'unlimited'.
# Default setting is to accept 200 Ranges.
#MaxRanges unlimited
#
# EnableMMAP: Control whether memory-mapping is used to deliver
# files (assuming that the underlying OS supports it).
# The default is on; turn this off if you serve from NFS-mounted
# filesystems. On some systems, turning it off (regardless of
# filesystem) can improve performance; for details, please see
# http://httpd.apache.org/docs-2.2/mod/core.html#enablemmap
#
#EnableMMAP off
#
# EnableSendfile: Control whether the sendfile kernel support is
# used to deliver files (assuming that the OS supports it).
# The default is on; turn this off if you serve from NFS-mounted
# filesystems. Please see
# http://httpd.apache.org/docs-2.2/mod/core.html#enablesendfile
#
#EnableSendfile off
<IfModule mod_setenvif.c>
#
# The following directives modify normal HTTP response behavior to
# handle known problems with browser implementations.
#
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
#
# The following directive disables redirects on non-GET requests for
# a directory that does not include the trailing slash. This fixes a
# problem with Microsoft WebFolders which does not appropriately handle
# redirects for folders with DAV methods.
# Same deal with Apple's DAV filesystem and Gnome VFS support for DAV.
#
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
BrowserMatch "^gnome-vfs" redirect-carefully
</IfModule>
++++++ apache2-ssl-global.conf ++++++
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##
# These are the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
# directives see URL:http://httpd.apache.org/docs-2.2/mod/mod_ssl.html
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
# This global SSL configuration is ignored if
# "SSL" is not defined, or if "NOSSL" is defined.
<IfDefine SSL>
<IfModule mod_ssl.c>
#
# Some MIME-types for downloading Certificates and CRLs
#
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
<IfDefine SYSTEMD>
SSLPassPhraseDialog exec:/usr/sbin/apache2-systemd-ask-pass
</IfDefine>
SSLPassPhraseDialog builtin
</IfDefine>
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
# to use and second the expiring timeout (in seconds).
# shm means the same as shmht.
# Note that on most platforms shared memory segments are not allowed to be on
# network-mounted drives, so in that case you need to use the dbm method.
#SSLSessionCache none
#SSLSessionCache dbm:/var/lib/apache2/ssl_scache
#SSLSessionCache shmht:/var/lib/apache2/ssl_scache(512000)
SSLSessionCache shmcb:/var/lib/apache2/ssl_scache(512000)
SSLSessionCacheTimeout 300
# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex "file:/var/lib/apache2/ssl_mutex"
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/urandom 512
</IfModule>
</IfDefine>
</IfDefine>
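Review bot: The active settings `SSLRandomSeed startup builtin` and `SSLRandomSeed connect builtin` do not follow the comment block above them, which asks for seed data of good random quality and recommends /dev/urandom where it is available. Make the shipped default match that advice by enabling the `file:/dev/urandom 512` lines for startup and connect, and keep the /dev/random variants commented out because of the blocking behaviour the comment describes.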
++++++ apache2-systemd-ask-pass ++++++
#!/bin/sh
exec /bin/systemd-ask-password "Enter SSL pass phrase for $1 ($2): "
++++++ apache2-vhost-ssl.template ++++++
# Template for a VirtualHost with SSL
# Note: to use the template, rename it to /etc/apache2/vhost.d/yourvhost.conf.
# Files must have the .conf suffix to be loaded.
#
# See /usr/share/doc/packages/apache2/README.QUICKSTART for further hints
# about virtual hosts.
# NameVirtualHost statements should be added to /etc/apache2/listen.conf.
#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
# directives see http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
<IfDefine SSL>
##
## SSL Virtual Host Context
##
<VirtualHost _default_:443>
# General setup for the virtual host
DocumentRoot "/srv/www/htdocs"
#ServerName www.example.com:443
#ServerAdmin webmaster@example.com
ErrorLog /var/log/apache2/error_log
TransferLog /var/log/apache2/access_log
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL protocols
# Supporting TLS only is adequate nowadays
SSLProtocol all -SSLv2
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
# Speed-optimized SSL Cipher configuration:
# If speed is your main concern (on busy HTTPS servers e.g.),
# you might want to force clients to specific, performance
# optimized ciphers. In this case, prepend those ciphers
# to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
# Caveat: by giving precedence to RC4-SHA and AES128-SHA
# (as in the example below), most connections will no longer
# have perfect forward secrecy - if the server's key is
# compromised, captures of past or future traffic must be
# considered compromised, too.
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
#SSLHonorCipherOrder on
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. Keep
# in mind that if you have both an RSA and a DSA certificate you
# can configure both in parallel (to also allow the use of DSA
# ciphers, etc.)
SSLCertificateFile /etc/apache2/ssl.crt/server.crt
#SSLCertificateFile /etc/apache2/ssl.crt/server-dsa.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
#SSLCertificateKeyFile /etc/apache2/ssl.key/server-dsa.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile /etc/apache2/ssl.crt/ca.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /etc/apache2/ssl.crt
#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
# Certificate Revocation Lists (CRL):
# Set the CA revocation path where to find CA CRLs for client
# authentication or alternatively one huge file containing all
# of them (file must be PEM encoded)
# Note: Inside SSLCARevocationPath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCARevocationPath /etc/apache2/ssl.crl
#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
SSLOptions +StdEnvVars
</FilesMatch>
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog /var/log/apache2/ssl_request_log ssl_combined
</VirtualHost>
</IfDefine>
</IfDefine>
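Review bot: The comment above `SSLProtocol all -SSLv2` says that supporting TLS only is adequate, but the directive removes only SSLv2 and leaves SSLv3 enabled. Either change the directive to `SSLProtocol all -SSLv2 -SSLv3` or reword the comment so the template does not claim more than it configures. In the same file, `SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5` still admits MEDIUM-strength ciphers, the commented speed-optimized example gives precedence to RC4-SHA, and the SSLCertificateChainFile comment misspells "convenience" as "convinience".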
++++++ apache2-vhost.template ++++++
#
# VirtualHost template
# Note: to use the template, rename it to /etc/apache2/vhost.d/yourvhost.conf.
# Files must have the .conf suffix to be loaded.
#
# See /usr/share/doc/packages/apache2/README.QUICKSTART for further hints
# about virtual hosts.
#
# NameVirtualHost statements can be added to /etc/apache2/listen.conf.
#
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for requests without a known
# server name.
#
ServerAdmin webmaster@dummy-host.example.com
ServerName dummy-host.example.com
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
DocumentRoot /srv/www/vhosts/dummy-host.example.com
# if not specified, the global error log is used
ErrorLog /var/log/apache2/dummy-host.example.com-error_log
CustomLog /var/log/apache2/dummy-host.example.com-access_log combined
# don't lose time with IP address lookups
HostnameLookups Off
# needed for named virtual hosts
UseCanonicalName Off
# configures the footer on server-generated documents
ServerSignature On
# Optionally, include *.conf files from /etc/apache2/conf.d/
#
# For example, to allow execution of PHP scripts:
#
# Include /etc/apache2/conf.d/php5.conf
#
# or, to include all configuration snippets added by packages:
# Include /etc/apache2/conf.d/*.conf
# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the realname directory are treated as applications and
# run by the server when requested rather than as documents sent to the client.
# The same rules about trailing "/" apply to ScriptAlias directives as to
# Alias.
#
ScriptAlias /cgi-bin/ "/srv/www/vhosts/dummy-host.example.com/cgi-bin/"
# "/srv/www/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have one, and where ScriptAlias points to.
#
AllowOverride None
Options +ExecCGI -Includes
Order allow,deny
Allow from all
</Directory>
# UserDir: The name of the directory that is appended onto a user's home
# directory if a ~user request is received.
#
# To disable it, simply remove userdir from the list of modules in APACHE_MODULES
# in /etc/sysconfig/apache2.
#
<IfModule mod_userdir.c>
# Note that the name of the user directory ("public_html") cannot simply be
# changed here, since it is a compile time setting. The apache package
# would have to be rebuilt. You could work around by deleting
# /usr/sbin/suexec, but then all scripts from the directories would be
# executed with the UID of the webserver.
UserDir public_html
# The actual configuration of the directory is in
# /etc/apache2/mod_userdir.conf.
Include /etc/apache2/mod_userdir.conf
# You can, however, change the ~ if you find it awkward, by mapping e.g.
# http://www.example.com/users/karl-heinz/ --> /home/karl-heinz/public_html/
#AliasMatch ^/users/([a-zA-Z0-9-_.]*)/?(.*) /home/$1/public_html/$2
</IfModule>
#
# This should be changed to whatever you set DocumentRoot to.
#
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs-2.2/mod/core.html#options
# for more information.
#
Options Indexes FollowSymLinks
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# Options FileInfo AuthConfig Limit
#
AllowOverride None
#
# Controls who can get stuff from this server.
#
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
++++++ apache2.2-mpm-itk-20090414-00.patch ++++++
++++ 2021 lines (skipped)
++++++ apache2.firewall ++++++
## Name: HTTP Server
## Description: Opens ports for Apache Web Server.
# space separated list of allowed TCP ports
TCP="http"
# space separated list of allowed UDP ports
UDP="http"
# space separated list of allowed RPC services
RPC=""
# space separated list of allowed IP protocols
IP=""
# space separated list of allowed UDP broadcast ports
BROADCAST=""
++++++ apache2.logrotate ++++++
/var/log/apache2/access_log {
compress
dateext
maxage 365
rotate 99
size=+4096k
notifempty
missingok
create 644 root root
postrotate
/etc/init.d/apache2 reload
endscript
}
/var/log/apache2/error_log {
compress
dateext
maxage 365
rotate 99
size=+1024k
notifempty
missingok
create 644 root root
postrotate
/etc/init.d/apache2 reload
endscript
}
/var/log/apache2/suexec.log {
compress
dateext
maxage 365
rotate 99
size=+1024k
notifempty
missingok
create 644 root root
postrotate
/etc/init.d/apache2 reload
endscript
}
/var/log/apache2/ssl_request_log {
compress
dateext
maxage 365
rotate 99
size=+4096k
notifempty
missingok
create 644 root root
postrotate
/etc/init.d/apache2 reload
endscript
}
/var/log/apache2/ssl_engine_log {
compress
dateext
maxage 365
rotate 99
size=+1024k
notifempty
missingok
create 644 root root
postrotate
/etc/init.d/apache2 reload
endscript
}
++++++ apache2.service ++++++
[Unit]
Description=apache
After=syslog.target network.target
Before=getty@tty1.service
[Service]
Type=forking
PIDFile=/var/run/httpd2.pid
EnvironmentFile=/etc/sysconfig/apache2
ExecStart=/usr/sbin/start_apache2 -D SYSTEMD -k start
ExecReload=/usr/sbin/start_apache2 -D SYSTEMD -t
ExecReload=/bin/kill -HUP $MAINPID
ExecStop=/usr/sbin/httpd2 -D SYSTEMD -k stop
[Install]
WantedBy=multi-user.target
++++++ apache2.ssl-firewall ++++++
## Name: HTTPS Server
## Description: Opens ports for Apache Web Server.
# space separated list of allowed TCP ports
TCP="https"
# space separated list of allowed UDP ports
UDP="https"
# space separated list of allowed RPC services
RPC=""
# space separated list of allowed IP protocols
IP=""
# space separated list of allowed UDP broadcast ports
BROADCAST=""
++++++ find_httpd2_includes ++++++
#!/bin/bash
# Read the configuration (recursing through all include files)
. /usr/share/apache2/load_configuration
: ${sysconfdir:=/etc/apache2}
httpd_conf=${APACHE_HTTPD_CONF:-$sysconfdir/httpd.conf}
find_include_files () {
local found i
found=$(awk '/^[[:space:]]*Include/ { print $2 }' $1 2>/dev/null)
for i in $found; do
case $i in
*\**)
# filter filenames that are unexpanded, in the lack of a match,
# like /etc/apache2/conf.d/*.conf
;;
*)
conffiles="$conffiles $i"
find_include_files $i
;;
esac
done
}
find_include_files $httpd_conf
#echo $httpd_conf $conffiles
echo $conffiles
exit 0
++++++ find_mpm ++++++
#!/bin/bash
: ${apache_link:=/usr/sbin/httpd2}
. /usr/share/apache2/load_configuration
if ! ${mpm_set:=false}; then
if [ -z "$APACHE_MPM" ]; then
# guess
for i in $r/$apache_link-*; do
test -f $i || continue
i=$(basename $i)
i=${i#*-}
installed_mpms=(${installed_mpms[*]} $i)
done
if [ -z "${installed_mpms[*]}" ]; then
echo >&2 ${warn}Apache binary ${apache_link#*-} not found. No MPM package installed? $norm
echo >&2 Hint: install the apache2-prefork package, and try again.
fi
if [ ${#installed_mpms[*]} = 1 ]; then
APACHE_MPM=${installed_mpms[*]}
else
case ${installed_mpms[*]} in
*prefork*) APACHE_MPM=prefork;;
*worker*) APACHE_MPM=worker;;
*event*) APACHE_MPM=event;;
*leader*) APACHE_MPM=leader;;
*metuxmpm*) APACHE_MPM=metuxmpm;;
*threadpool*) APACHE_MPM=threadpool;;
*itk*) APACHE_MPM=itk;;
esac
fi
fi
if [ -x $apache_link-$APACHE_MPM ]; then
ln -sf $apache_link-$APACHE_MPM $apache_link
echo $apache_link-$APACHE_MPM
else
echo >&2 ${warn}$apache_link-$APACHE_MPM is not a valid httpd2 binary.
echo >&2 Check your APACHE_MPM setting.$norm
exit 1
fi
export APACHE_MPM mpm_set=true
fi
++++++ gensslcert ++++++
#!/bin/bash
# Peter Poeml
#
# Script to generate ssl keys for mod_ssl, without requiring user input
# most of it is copied from mkcert.sh of the mod_ssl distribution
#
# XXX This is just a hack, it won't be able to do anything you want!
#
function usage
{
cat <<-EOF
`basename $0` will generate a test certificate "the quick way", i.e. without interaction.
You can change some defaults however.
It will overwrite /root/.mkcert.cfg
These options are recognized: Default:
-C Common name "$name"
-N comment "$comment"
-c country (two letters, e.g. DE) $C
-s state $ST
-l city $L
-o organisation "$O"
-u organisational unit "$U"
-n fully qualified domain name $CN (\$FQHOSTNAME)
-e email address of webmaster webmaster@$CN
-y days server cert is valid for $srvdays
-Y days CA cert is valid for $CAdays
-d run in debug mode
-h show usage
EOF
}
test -t 1 && { BRIGHT=$'\033[01m'; RED=$'\033[31m'; NORMAL=$'\033[00m'; }
function myecho { echo $BRIGHT$@$NORMAL; }
function error { echo $RED$@$NORMAL; }
function myexit { error something ugly seems to have happened in line $1...; exit $2; }
r=$ROOT
. $r/etc/sysconfig/network/config
FQHOSTNAME=`cat /etc/HOSTNAME`
# defaults
comment="mod_ssl server certificate"
name=
C=XY
ST=unknown
L=unknown
U="web server"
O="SuSE Linux Web Server"
CN=$FQHOSTNAME
email=webmaster@$FQHOSTNAME
CAdays=$((365 * 6))
srvdays=$((365 * 2))
while getopts C:N:c:s:l:o:u:n:e:y:Y:dh OPT; do
case $OPT in
C) name=$OPTARG-;;
N) comment=$OPTARG;;
c) C=$OPTARG;;
s) ST=$OPTARG;;
l) L=$OPTARG;;
u) U=$OPTARG;;
o) O=$OPTARG;;
n) CN=$OPTARG;;
e) email=$OPTARG;;
y) srvdays=$OPTARG;;
Y) CAdays=$OPTARG;;
d) set -x;;
h) usage; exit 2;;
*) echo unrecognized option: $OPT; usage; exit 2;;
esac
done
GO_LEFT="\033[80D"
GO_MIDDLE="$GO_LEFT\033[15C"
for i in comment name C ST L U O CN email srvdays CAdays; do
eval "echo -e $i\"$GO_MIDDLE\" \$$i;"
done
openssl=$r/usr/bin/openssl
sslcrtdir=$r/etc/apache2/ssl.crt
sslcsrdir=$r/etc/apache2/ssl.csr
sslkeydir=$r/etc/apache2/ssl.key
sslprmdir=$r/etc/apache2/ssl.prm
#
# CA
#
echo;myecho creating CA key ...
(umask 0377 ; $openssl genrsa -rand $r/var/log/y2log:$r/var/log/messages -out $sslkeydir/${name}ca.key 2048 || myexit $LINENO $?)
cat >$r/root/.mkcert.cfg <$r/root/.mkcert.cfg <$r/root/.mkcert.cfg <$r/root/.mkcert.serial
myecho "creating server certificate ..."
(umask 0377 ; $openssl x509 \
-extfile $r/root/.mkcert.cfg \
-days $srvdays \
-CAserial $r/root/.mkcert.serial \
-CA $sslcrtdir/${name}ca.crt \
-CAkey $sslkeydir/${name}ca.key \
-in $sslcsrdir/${name}server.csr -req \
-out $sslcrtdir/${name}server.crt || myexit $LINENO $?)
rm -f $r/root/.mkcert.cfg
echo;myecho "Verify: matching certificate & key modulus"
modcrt=`$openssl x509 -noout -modulus -in $sslcrtdir/${name}server.crt | sed -e 's;.*Modulus=;;' || myexit $LINENO $?`
modkey=`$openssl rsa -noout -modulus -in $sslkeydir/${name}server.key | sed -e 's;.*Modulus=;;' || myexit $LINENO $?`
if [ ".$modcrt" != ".$modkey" ]; then
error "mkcert.sh:Error: Failed to verify modulus on resulting X.509 certificate" 1>&2
myexit $LINENO $?
fi
echo;myecho Verify: matching certificate signature
$openssl verify -CAfile $sslcrtdir/${name}ca.crt $sslcrtdir/${name}server.crt || myexit $LINENO $?
if [ $? -ne 0 ]; then
error "mkcert.sh:Error: Failed to verify signature on resulting X.509 certificate" 1>&2
myexit $LINENO $?
fi
exit 0
++++++ get_includes ++++++
#!/bin/bash
pname=apache2
: ${sysconfdir:=/etc/$pname}
: ${sysconfig_apache:=/etc/sysconfig/$pname}
test -z "$APACHE_MODULES" && . /usr/share/$pname/load_configuration
apache_bin=$(/usr/share/$pname/find_mpm 2>/dev/null)
APACHE_MPM=${apache_bin##*-}
if [ -z "$APACHE_MPM" ]; then
echo >&2 Warning: no MPM found. Some modules are dependant on the type of MPM.
fi
#echo -n writing sysconfig.d/include.conf
exec 3>$sysconfdir/sysconfig.d/include.conf
echo >&3 "#
# This file is created at apache start time by /usr/sbin/rc$pname. Do not edit it!
#
# as listed in APACHE_INCLUDE_* ($sysconfig_apache)
"
for file in $APACHE_CONF_INCLUDE_FILES; do
test ${file:0:1} = / || file=$sysconfdir/$file
if [ -e $file ]; then
echo >&3 Include $file
else
echo >&2 File $file from APACHE_CONF_INCLUDE_FILES not found. Ignored.
fi
done
# here, we do not want to use globbing. apache will do it
set -o noglob
for dir in $APACHE_CONF_INCLUDE_DIRS; do
test ${dir:0:1} = / || dir=$sysconfdir/$dir
if [ -d $dir -o -d /$(dirname $dir) ]; then
echo >&3 Include $dir
else
echo >&2 Directory $dir from APACHE_CONF_INCLUDE_DIRS not found. Ignored.
fi
done
set +o noglob
echo >&3 -e "#\n"
exec 3<&-
#echo -n ". "
++++++ get_module_list ++++++
#!/bin/bash
pname=apache2
: ${sysconfdir:=/etc/$pname}
: ${sysconfig_apache:=/etc/sysconfig/$pname}
default_APACHE_DOCUMENT_ROOT=/srv/www/htdocs
test -z "$APACHE_MODULES" && . /usr/share/$pname/load_configuration
apache_bin=$(/usr/share/$pname/find_mpm 2>/dev/null)
APACHE_MPM=${apache_bin##*-}
if [ -z "$APACHE_MPM" ]; then
echo >&2 Warning: no MPM found. Some modules are dependant on the type of MPM.
fi
if [ "$1" = -q ]; then
quiet=true
else
quiet=false
fi
#echo -n writing sysconfig.d/loadmodule.conf
TMPFILE=`/bin/mktemp /tmp/$pname.XXXXXXXXXXXX`
if [ -z "$TMPFILE" ]; then
echo >&2 Error: could not create temporary file for writing loadmodules.conf.
exit 1
fi
exec 3>$TMPFILE
echo >&3 "#
# Files in this directory are created at apache start time by /usr/sbin/rc$pname
# Do not edit them!
#
# as listed in APACHE_MODULES ($sysconfig_apache)
"
test -z "$APACHE_MODULES" && APACHE_MODULES=$LOADMODULES
# see whether APACHE_MODULES is declared as array (it was so, in the past)
# if it is not an array, we convert it to one.
if [[ -z ${APACHE_MODULES[1]} ]]; then
# strip leading and trailing parens... since it might erroneously be written as
# APACHE_MODULES="(asdf 1234)"
APACHE_MODULES=${APACHE_MODULES/(}; APACHE_MODULES=${APACHE_MODULES/)}
APACHE_MODULES=($APACHE_MODULES)
fi
for i in ${APACHE_MODULES[*]}; do
unset module_path module_id
case $i in mod_cgid|cgid) case $APACHE_MPM in prefork|leader|itk) i=${i%d};; esac;; esac
case $i in mod_cgi|cgi) case $APACHE_MPM in event|worker) i=${i}d;; esac;; esac
module_id=${i##*/}
module_id=${module_id#mod_}
module_id=${module_id#lib}
module_id=${module_id%.so}_module
# special case
case $module_id in auth_mysql_module) module_id=mysql_auth_module;; esac
case $i in
/*)
module_path=$i
;;
*)
for j in /usr/lib/$pname-$APACHE_MPM/mod_$i.so \
/usr/lib/$pname-$APACHE_MPM/$i.so \
/usr/lib/$pname-$APACHE_MPM/mod_$i \
/usr/lib/$pname-$APACHE_MPM/$i \
/usr/lib/$pname-$APACHE_MPM/${i/mod_}.so \
/usr/lib/$pname-$APACHE_MPM/${i/mod_} \
/usr/lib/$pname-$APACHE_MPM/lib${i/mod_}.so \
/usr/lib/$pname-$APACHE_MPM/lib${i/mod_} \
/usr/lib/$pname-$APACHE_MPM/lib$i.so \
/usr/lib/$pname-$APACHE_MPM/lib$i \
/usr/lib/$pname/mod_$i.so \
/usr/lib/$pname/$i.so \
/usr/lib/$pname/mod_$i \
/usr/lib/$pname/$i \
/usr/lib/$pname/${i/mod_}.so \
/usr/lib/$pname/${i/mod_} \
/usr/lib/$pname/lib${i/mod_}.so \
/usr/lib/$pname/lib${i/mod_} \
/usr/lib/$pname/lib$i.so \
/usr/lib/$pname/lib$i
do
if [ -f $j ]; then
module_path=$j
break
fi
done
;;
esac
if [[ -f $module_path ]]; then
printf "LoadModule %-30s %s\n" $module_id $module_path >&3
else
# print a warning?
# php modules are in the list by default, so we don't warn about it [#66729]
if ! $quiet && [ $i != "php4" -a $i != "php5" ]; then
echo >&2 "Module \"$i\" is not installed, ignoring."
echo >&2 "Check the APACHE_MODULES setting in /etc/sysconfig/$pname."
fi
fi
done
echo >&3 -e "#\n"
exec 3<&-
chmod 644 $TMPFILE
mv $TMPFILE $sysconfdir/sysconfig.d/loadmodule.conf
#echo -n ". "
#echo -n writing sysconfig.d/global.conf
exec 3>$sysconfdir/sysconfig.d/global.conf
echo >&3 "#
# Files in this directory are created at apache start time by /usr/sbin/rc$pname
# Do not edit them!
#
# see $sysconfig_apache
"
if [[ -n $APACHE_DOCUMENT_ROOT ]]; then
echo >&3 "DocumentRoot $APACHE_DOCUMENT_ROOT"
# else
# if ! grep -q "^DocumentRoot" $sysconfdir/httpd.conf 2>/dev/null; then
# echo >&3 "DocumentRoot $default_APACHE_DOCUMENT_ROOT"
# fi
fi
[[ -n $APACHE_TIMEOUT ]] && echo >&3 "Timeout $APACHE_TIMEOUT"
if [[ -n $APACHE_SERVERSIGNATURE ]]; then
case $APACHE_SERVERSIGNATURE in
no) APACHE_SERVERSIGNATURE=off;;
yes) APACHE_SERVERSIGNATURE=on;;
esac
echo >&3 "ServerSignature $APACHE_SERVERSIGNATURE"
fi
[[ -n $APACHE_SERVERADMIN ]] && echo >&3 "ServerAdmin $APACHE_SERVERADMIN"
[[ -n $APACHE_SERVERNAME ]] && echo >&3 "ServerName $APACHE_SERVERNAME"
[[ -n $APACHE_USE_CANONICAL_NAME ]] && echo >&3 "UseCanonicalName $APACHE_USE_CANONICAL_NAME"
[[ -n $APACHE_SERVERTOKENS ]] && echo >&3 "ServerTokens $APACHE_SERVERTOKENS"
[[ $APACHE_EXTENDED_STATUS = on ]] && echo -e >&3 "<IfModule mod_status.c>\n ExtendedStatus on\n</IfModule>"
[[ $APACHE_BUFFERED_LOGS = on ]] && echo >&3 "BufferedLogs on"
[[ -n $APACHE_LOGLEVEL ]] && echo >&3 "LogLevel $APACHE_LOGLEVEL"
if [[ -n $APACHE_ACCESS_LOG ]]; then
# split multiple entries
APACHE_ACCESS_LOG=($APACHE_ACCESS_LOG)
for ((i=0; $i<${#APACHE_ACCESS_LOG[*]}; i=i+2)); do
filename=${APACHE_ACCESS_LOG[$i]}
format=${APACHE_ACCESS_LOG[$i+1]}
echo >&3 "CustomLog $filename ${format/%,}"
done
fi
exec 3<&-
#echo -n ". "
++++++ httpd-2.0.49-log_server_status.dif ++++++
--- httpd-2.0.49.orig/support/log_server_status.in 2004-02-09 21:59:49.000000000 +0100
+++ httpd-2.0.49/support/log_server_status2 2004-06-18 11:34:37.000000000 +0200
@@ -24,18 +24,18 @@
# it to a file. Make sure the directory $wherelog is writable by the
# user who runs this script.
#
-require 'sys/socket.ph';
+use Socket;
-$wherelog = "/var/log/graph/"; # Logs will be like "/var/log/graph/19960312"
+$wherelog = "/var/log/apache2/status/"; # Logs will be like "/var/log/apache2/status/19960312"
$server = "localhost"; # Name of server, could be "www.foo.com"
$port = "80"; # Port on server
-$request = "/status/?auto"; # Request to send
+$request = "/server-status/?auto"; # Request to send
sub tcp_connect
{
local($host,$port) =@_;
$sockaddr='S n a4 x8';
- chop($hostname=`hostname`);
+ chop($hostname='localhost');
$port=(getservbyname($port, 'tcp'))[2] unless $port =~ /^\d+$/;
$me=pack($sockaddr,&AF_INET,0,(gethostbyname($hostname))[4]);
$them=pack($sockaddr,&AF_INET,$port,(gethostbyname($host))[4]);
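Review bot: `chop($hostname='localhost');` in `tcp_connect` strips the final character of the literal, leaving `$hostname` as `localhos`; the `chop` was only there to remove the newline from the backtick output of `hostname`. Assign the string directly (`$hostname = 'localhost';`) so that the `gethostbyname($hostname)` call two lines further down resolves a real name.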
@@ -66,8 +66,8 @@
}
print S "GET $request\n";
while (<S>) {
- $requests=$1 if ( m|^BusyServers:\ (\S+)|);
- $idle=$1 if ( m|^IdleServers:\ (\S+)|);
+ $requests=$1 if ( m|^BusyWorkers:\ (\S+)|);
+ $idle=$1 if ( m|^IdleWorkers:\ (\S+)|);
$number=$1 if ( m|sses:\ (\S+)|);
$cpu=$1 if (m|^CPULoad:\ (\S+)|);
}
++++++ httpd-2.0.54-envvars.dif ++++++
diff -uNr httpd-2.0.54.orig/support/envvars-std.in httpd-2.0.54/support/envvars-std.in
--- httpd-2.0.54.orig/support/envvars-std.in 2005-02-04 21:21:18.000000000 +0100
+++ httpd-2.0.54/support/envvars-std.in 2005-10-07 13:56:49.223546288 +0200
@@ -19,6 +19,6 @@
# This file is generated from envvars-std.in
#
-@SHLIBPATH_VAR@="@exp_libdir@:$@SHLIBPATH_VAR@"
+@SHLIBPATH_VAR@="@exp_libdir@${@SHLIBPATH_VAR@+:$@SHLIBPATH_VAR@}"
export @SHLIBPATH_VAR@
#
@OS_SPECIFIC_VARS@
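Review bot: `${@SHLIBPATH_VAR@+:$@SHLIBPATH_VAR@}` on the changed line drops the trailing colon only when the variable is unset; when it is set but empty the result is still `@exp_libdir@:`, and an empty element in a library search path such as LD_LIBRARY_PATH is read as the current directory. Use the `:+` form, `${@SHLIBPATH_VAR@:+:$@SHLIBPATH_VAR@}`, so that both the unset and the empty case yield just `@exp_libdir@`.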
++++++ httpd-2.1.3alpha-layout.dif ++++++
--- httpd-2.1.3-alpha.orig/config.layout
+++ httpd-2.1.3-alpha/config.layout
@@ -202,6 +202,54 @@
proxycachedir: /var/cache/httpd
</Layout>
+# SuSE >= 8.1 layout (32 bit system)
+<Layout SuSE81>
+ prefix: /srv/www
+ exec_prefix: /usr
+ bindir: ${exec_prefix}/bin
+ sbindir: ${exec_prefix}/sbin
+ libdir: ${exec_prefix}/lib
+ libexecdir: ${exec_prefix}/lib/apache2${mpm_suffix}
+ mandir: ${exec_prefix}/share/man
+ sysconfdir: /etc/apache2
+ datadir: ${prefix}
+ installbuilddir: ${exec_prefix}/share/apache2/build
+ errordir: ${exec_prefix}/share/apache2/error
+ iconsdir: ${exec_prefix}/share/apache2/icons
+ htdocsdir: ${datadir}/htdocs
+ manualdir: ${exec_prefix}/share/apache2/manual
+ cgidir: ${datadir}/cgi-bin
+ includedir: ${exec_prefix}/include/apache2${mpm_suffix}
+ localstatedir: /var/lib/apache2
+ runtimedir: /var/run
+ logfiledir: /var/log/apache2
+ proxycachedir: /var/cache/apache2
+</Layout>
+
+# SuSE >= 8.1 layout (64 bit system)
+<Layout SuSE81_64>
+ prefix: /srv/www
+ exec_prefix: /usr
+ bindir: ${exec_prefix}/bin
+ sbindir: ${exec_prefix}/sbin
+ libdir: ${exec_prefix}/lib64
+ libexecdir: ${exec_prefix}/lib64/apache2${mpm_suffix}
+ mandir: ${exec_prefix}/share/man
+ sysconfdir: /etc/apache2
+ datadir: ${prefix}
+ installbuilddir: ${exec_prefix}/share/apache2/build
+ errordir: ${exec_prefix}/share/apache2/error
+ iconsdir: ${exec_prefix}/share/apache2/icons
+ htdocsdir: ${datadir}/htdocs
+ manualdir: ${exec_prefix}/share/apache2/manual
+ cgidir: ${datadir}/cgi-bin
+ includedir: ${exec_prefix}/include/apache2${mpm_suffix}
+ localstatedir: /var/lib/apache2
+ runtimedir: /var/run
+ logfiledir: /var/log/apache2
+ proxycachedir: /var/cache/apache2
+</Layout>
+
# BSD/OS layout
<Layout BSDI>
prefix: /var/www
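Review bot: the `SuSE81` and `SuSE81_64` layouts differ only in `libdir` and `libexecdir` (`lib` versus `lib64`); every other entry is duplicated and can drift apart when one block is edited later. Add a comment line to each block stating that the two must be kept in sync apart from those two entries.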
++++++ httpd-2.1.9-apachectl.dif ++++++
diff -uNr httpd-2.1.3-alpha.orig/support/apachectl.in httpd-2.1.3-alpha/support/apachectl.in
--- httpd-2.1.3-alpha.orig/support/apachectl.in 2005-02-04 21:28:49.000000000 +0100
+++ httpd-2.1.3-alpha/support/apachectl.in 2005-02-25 02:52:49.203566813 +0100
@@ -41,17 +41,32 @@
# -------------------- --------------------
#
# the path to your httpd binary, including options if necessary
-HTTPD='@exp_sbindir@/@progname@'
+HTTPD='@exp_sbindir@/httpd2'
#
# pick up any necessary environment variables
if test -f @exp_sbindir@/envvars; then
. @exp_sbindir@/envvars
fi
+
+pname=apache2
+sysconfig_apache=/etc/sysconfig/$pname
+sysconfdir=/etc/$pname
+
+test -s $sysconfig_apache && source $sysconfig_apache
+httpd_conf=${APACHE_HTTPD_CONF:-$sysconfdir/httpd.conf}
+
#
# a command that outputs a formatted text version of the HTML at the
# url given on the command line. Designed for lynx, however other
# programs may work.
-LYNX="@LYNX_PATH@ -dump"
+
+if [ -x "`which w3m`" ]; then
+ LYNX="w3m -dump -cols ${COLUMNS:-80}"
+elif [ -x "`which lynx`" ]; then
+ LYNX="lynx -dump -width=${COLUMNS:-80}"
+fi
+
+
#
# the URL to your server's mod_status status page. If you do not
# have one, then status and fullstatus will not work.
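Review bot: when neither `w3m` nor `lynx` is installed, the new `if`/`elif` leaves `LYNX` unset, so the later `$LYNX $STATUSURL` expands to the URL alone and the shell tries to run it as a command. Add an `else` branch that makes `status` and `fullstatus` fail with a clear message. Separately, `source $sysconfig_apache` should be `. $sysconfig_apache`, matching the `. @exp_sbindir@/envvars` line just above, since `source` is not available in every `/bin/sh`.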
@@ -77,7 +92,7 @@
case $ARGV in
start|stop|restart|graceful|graceful-stop)
- $HTTPD -k $ARGV
+ $HTTPD ${httpd_conf+-f $httpd_conf} -k $ARGV
ERROR=$?
;;
startssl|sslstart|start-SSL)
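Review bot: in `${httpd_conf+-f $httpd_conf}` the `+` guard can never be false, because the first hunk assigns `httpd_conf=${APACHE_HTTPD_CONF:-$sysconfdir/httpd.conf}` unconditionally, and the unquoted expansion splits a path containing whitespace into several arguments. Passing `-f "$httpd_conf"` directly says the same thing and survives such paths; the same applies to the `configtest` and default branches in the hunks below.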
@@ -87,7 +102,7 @@
ERROR=2
;;
configtest)
- $HTTPD -t
+ $HTTPD ${httpd_conf+-f $httpd_conf} -t
ERROR=$?
;;
status)
@@ -97,7 +112,7 @@
$LYNX $STATUSURL
;;
*)
- $HTTPD $ARGV
+ $HTTPD ${httpd_conf+-f $httpd_conf} $ARGV
ERROR=$?
esac
++++++ httpd-2.2.0-apxs-a2enmod.dif ++++++
Index: httpd-2.2.16/support/apxs.in
===================================================================
--- httpd-2.2.16.orig/support/apxs.in
+++ httpd-2.2.16/support/apxs.in
@@ -526,108 +526,14 @@ if ($opt_i or $opt_e) {
# activate module via LoadModule/AddModule directive
if ($opt_a or $opt_A) {
- if (not -f "$CFG_SYSCONFDIR/$CFG_TARGET.conf") {
- error("Config file $CFG_SYSCONFDIR/$CFG_TARGET.conf not found");
- exit(1);
- }
-
- open(FP, "<$CFG_SYSCONFDIR/$CFG_TARGET.conf") || die;
- my $content = join('', <FP>);
- close(FP);
-
- if ($content !~ m|\n#?\s*LoadModule\s+|) {
- error("Activation failed for custom $CFG_SYSCONFDIR/$CFG_TARGET.conf file.");
- error("At least one `LoadModule' directive already has to exist.");
- exit(1);
- }
my $lmd;
my $c = '';
$c = '#' if ($opt_A);
foreach $lmd (@lmd) {
- my $what = $opt_A ? "preparing" : "activating";
- my $lmd_re = $lmd;
- $lmd_re =~ s/\s+/\\s+/g;
-
- if ($content !~ m|\n#?\s*$lmd_re|) {
- # check for open <containers>, so that the new LoadModule
- # directive always appears *outside* of an <container>.
-
- my $before = ($content =~ m|^(.*\n)#?\s*LoadModule\s+[^\n]+\n|s)[0];
-
- # the '()=' trick forces list context and the scalar
- # assignment counts the number of list members (aka number
- # of matches) then
- my $cntopen = () = ($before =~ m|^\s*<[^/].*$|mg);
- my $cntclose = () = ($before =~ m|^\s*$CFG_SYSCONFDIR/$CFG_TARGET.conf.new")) {
- print FP $content;
- close(FP);
- system("cp $CFG_SYSCONFDIR/$CFG_TARGET.conf $CFG_SYSCONFDIR/$CFG_TARGET.conf.bak && " .
- "cp $CFG_SYSCONFDIR/$CFG_TARGET.conf.new $CFG_SYSCONFDIR/$CFG_TARGET.conf && " .
- "rm $CFG_SYSCONFDIR/$CFG_TARGET.conf.new");
- } else {
- notice("unable to open configuration file");
- }
- }
}
}
++++++ httpd-2.2.19-linux3.patch ++++++
--- configure.in.orig
+++ configure.in
@@ -274,13 +274,7 @@ case $host in
APR_SETVAR(SINGLE_LISTEN_UNSERIALIZED_ACCEPT, [1])
;;
*-linux-*)
- case `uname -r` in
- 2.[[2-9]]* )
- APR_SETVAR(SINGLE_LISTEN_UNSERIALIZED_ACCEPT, [1])
- ;;
- * )
- ;;
- esac
+ APR_SETVAR(SINGLE_LISTEN_UNSERIALIZED_ACCEPT, [1])
;;
*486-*-bsdi* | *-netbsd* | *-freebsd* | *-apple-darwin* | *-dec-osf* | *-qnx)
APR_SETVAR(SINGLE_LISTEN_UNSERIALIZED_ACCEPT, [1])
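Review bot: the `*-linux-*)` branch loses its `uname -r` test without any explanation left in the file. A one-line comment that the old `2.[[2-9]]*` pattern did not match 3.x kernels, and that the test looked at the build host's kernel rather than the target's, would keep someone from reintroducing it.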
++++++ httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff ++++++
diff -rNU 20 ../httpd-2.2.21-o/server/protocol.c ./server/protocol.c
--- ../httpd-2.2.21-o/server/protocol.c 2011-05-07 13:39:29.000000000 +0200
+++ ./server/protocol.c 2011-10-07 17:10:46.000000000 +0200
@@ -623,40 +623,64 @@
#if 0
/* XXX If we want to keep track of the Method, the protocol module should do
* it. That support isn't in the scoreboard yet. Hopefully next week
* sometime. rbb */
ap_update_connection_status(AP_CHILD_THREAD_FROM_ID(conn->id), "Method",
r->method);
#endif
uri = ap_getword_white(r->pool, &ll);
/* Provide quick information about the request method as soon as known */
r->method_number = ap_method_number_of(r->method);
if (r->method_number == M_GET && r->method[0] == 'H') {
r->header_only = 1;
}
ap_parse_uri(r, uri);
+/*
+ https://svn.apache.org/viewvc/httpd/httpd/trunk/server/protocol.c?r1=1178566&r2=1179239&pathrev=1179239&view=patch
+ This is the fix for CVE-2011-3368; via bnc#722545.
+ */
+
+ /* RFC 2616:
+ * Request-URI = "*" | absoluteURI | abs_path | authority
+ *
+ * authority is a special case for CONNECT. If the request is not
+ * using CONNECT, and the parsed URI does not have scheme, and
+ * it does not begin with '/', and it is not '*', then, fail
+ * and give a 400 response. */
+ if (r->method_number != M_CONNECT
+ && !r->parsed_uri.scheme
+ && uri[0] != '/'
+ && !(uri[0] == '*' && uri[1] == '\0')) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
+ "invalid request-URI %s", uri);
+ r->args = NULL;
+ r->hostname = NULL;
+ r->status = HTTP_BAD_REQUEST;
+ r->uri = apr_pstrdup(r->pool, uri);
+ }
+
if (ll[0]) {
r->assbackwards = 0;
pro = ll;
len = strlen(ll);
} else {
r->assbackwards = 1;
pro = "HTTP/0.9";
len = 8;
}
r->protocol = apr_pstrmemdup(r->pool, pro, len);
/* XXX ap_update_connection_status(conn->id, "Protocol", r->protocol); */
/* Avoid sscanf in the common case */
if (len == 8
&& pro[0] == 'H' && pro[1] == 'T' && pro[2] == 'T' && pro[3] == 'P'
&& pro[4] == '/' && apr_isdigit(pro[5]) && pro[6] == '.'
&& apr_isdigit(pro[7])) {
r->proto_num = HTTP_VERSION(pro[5] - '0', pro[7] - '0');
}
++++++ httpd-2.2.x-bnc690734.patch ++++++
diff -ruN ../httpd-2.2.17-o/server/util_script.c ./server/util_script.c
--- ../httpd-2.2.17-o/server/util_script.c 2009-01-12 14:59:56.000000000 +0100
+++ ./server/util_script.c 2011-07-26 15:39:50.000000000 +0200
@@ -406,6 +406,7 @@
{
char x[MAX_STRING_LEN];
char *w, *l;
+ int wlen;
int p;
int cgi_status = HTTP_UNSET;
apr_table_t *merge;
@@ -414,7 +415,14 @@
if (buffer) {
*buffer = '\0';
}
- w = buffer ? buffer : x;
+
+ if (r->server->limit_req_fieldsize + 2 > MAX_STRING_LEN) {
+ w = apr_palloc(r->pool, r->server->limit_req_fieldsize + 2);
+ wlen = r->server->limit_req_fieldsize + 2;
+ } else {
+ w = buffer ? buffer : x;
+ wlen = MAX_STRING_LEN;
+ }
/* temporary place to hold headers to merge in later */
merge = apr_table_make(r->pool, 10);
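Review bot: `r->server->limit_req_fieldsize + 2` is written out three times in the new `if`, once in the comparison, once in `apr_palloc()` and once for `wlen`. Assign `wlen` first and use it for both the comparison and `apr_palloc(r->pool, wlen)`, so the length later handed to `getsfunc` cannot diverge from the size actually allocated.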
@@ -430,7 +438,7 @@
while (1) {
- int rv = (*getsfunc) (w, MAX_STRING_LEN - 1, getsfunc_data);
+ int rv = (*getsfunc) (w, wlen - 1, getsfunc_data);
if (rv == 0) {
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_TOCLIENT, 0, r,
"Premature end of script headers: %s",
@@ -537,9 +545,12 @@
if (!buffer) {
/* Soak up all the script output - may save an outright kill */
- while ((*getsfunc) (w, MAX_STRING_LEN - 1, getsfunc_data)) {
+ while ((*getsfunc) (w, wlen - 1, getsfunc_data)) {
continue;
}
+ } else if (w != buffer) {
+ strncpy(buffer, w, MAX_STRING_LEN - 1);
+ buffer[MAX_STRING_LEN - 1] = 0;
}
ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_TOCLIENT, 0, r,
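Review bot: the new `else if (w != buffer)` branch copies back with `strncpy(buffer, w, MAX_STRING_LEN - 1)`, which zero-fills the remainder of `buffer` and needs the separate terminator line; `apr_cpystrn(buffer, w, MAX_STRING_LEN)` does the bounded copy and the termination in one call. The branch also deserves a comment that the copy truncates: a line that fit in the larger `w` reaches the caller cut to `MAX_STRING_LEN - 1` bytes.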
++++++ httpd-2.2.x-bnc777260-CVE-2012-2687-mod_negotiation_filename_xss.diff ++++++
diff -rNU 20 ../httpd-2.2.22-o/modules/mappers/mod_negotiation.c ./modules/mappers/mod_negotiation.c
--- ../httpd-2.2.22-o/modules/mappers/mod_negotiation.c 2011-09-08 17:59:38.000000000 +0200
+++ ./modules/mappers/mod_negotiation.c 2013-01-28 15:09:56.000000000 +0100
@@ -2641,43 +2641,43 @@
* fill it with the variant list, and then concatenate the entire array.
*/
arr = apr_array_make(r->pool, max_vlist_array, sizeof(char *));
*((const char **) apr_array_push(arr)) = "Available variants:\n<ul>\n";
for (i = 0; i < neg->avail_vars->nelts; ++i) {
var_rec *variant = &((var_rec *) neg->avail_vars->elts)[i];
const char *filename = variant->file_name ? variant->file_name : "";
apr_array_header_t *languages = variant->content_languages;
const char *description = variant->description
? variant->description
: "";
/* The format isn't very neat, and it would be nice to make
* the tags human readable (eg replace 'language en' with 'English').
* Note that if you change the number of substrings pushed, you also
* need to change the calculation of max_vlist_array above.
*/
*((const char **) apr_array_push(arr)) = "<li>pool, filename);
*((const char **) apr_array_push(arr)) = "\">";
- *((const char **) apr_array_push(arr)) = filename;
+ *((const char **) apr_array_push(arr)) = ap_escape_html(r->pool, filename);
*((const char **) apr_array_push(arr)) = "</a> ";
*((const char **) apr_array_push(arr)) = description;
if (variant->mime_type && *variant->mime_type) {
*((const char **) apr_array_push(arr)) = ", type ";
*((const char **) apr_array_push(arr)) = variant->mime_type;
}
if (languages && languages->nelts) {
*((const char **) apr_array_push(arr)) = ", language ";
*((const char **) apr_array_push(arr)) = apr_array_pstrcat(r->pool,
languages, ',');
}
if (variant->content_charset && *variant->content_charset) {
*((const char **) apr_array_push(arr)) = ", charset ";
*((const char **) apr_array_push(arr)) = variant->content_charset;
}
if (variant->content_encoding) {
*((const char **) apr_array_push(arr)) = ", encoding ";
*((const char **) apr_array_push(arr)) = variant->content_encoding;
}
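Review bot: only `filename` gets `ap_escape_html()` here; `description`, `variant->mime_type`, `variant->content_charset`, `variant->content_encoding` and the joined `languages` are still pushed into the same HTML list unescaped. If any of them can carry text taken from an uploaded file or a type map, they need the same treatment; otherwise a short comment saying why they are trusted would close the question.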
++++++ httpd-2.2.x-bnc798733-SNI_ignorecase.diff ++++++
diff -rNU 20 ../httpd-2.2.22-o/modules/ssl/ssl_engine_kernel.c ./modules/ssl/ssl_engine_kernel.c
--- ../httpd-2.2.22-o/modules/ssl/ssl_engine_kernel.c 2013-01-28 14:59:57.000000000 +0100
+++ ./modules/ssl/ssl_engine_kernel.c 2013-01-28 15:02:47.000000000 +0100
@@ -119,41 +119,41 @@
#ifndef OPENSSL_NO_TLSEXT
if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
char *host, *scope_id;
apr_port_t port;
apr_status_t rv;
/*
* The SNI extension supplied a hostname. So don't accept requests
* with either no hostname or a different hostname.
*/
if (!r->hostname) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
"Hostname %s provided via SNI, but no hostname"
" provided in HTTP request", servername);
return HTTP_BAD_REQUEST;
}
rv = apr_parse_addr_port(&host, &scope_id, &port, r->hostname, r->pool);
if (rv != APR_SUCCESS || scope_id) {
return HTTP_BAD_REQUEST;
}
- if (strcmp(host, servername)) {
+ if (strcasecmp(host, servername)) {
ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
"Hostname %s provided via SNI and hostname %s provided"
" via HTTP are different", servername, host);
return HTTP_BAD_REQUEST;
}
}
else if ((((mySrvConfig(r->server))->strict_sni_vhost_check
== SSL_ENABLED_TRUE)
|| (mySrvConfig(sslconn->server))->strict_sni_vhost_check
== SSL_ENABLED_TRUE)
&& r->connection->vhost_lookup_data) {
/*
* We are using a name based configuration here, but no hostname was
* provided via SNI. Don't allow that if are requested to do strict
* checking. Check wether this strict checking was setup either in the
* server config we used for handshaking or in our current server.
* This should avoid insecure configuration by accident.
*/
ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server,
"No hostname was provided via SNI for a name based"
++++++ httpd-2.x.x-logresolve.patch ++++++
diff -Naur ../httpd-2.2.4.orig/support/logresolve.pl.in ./support/logresolve.pl.in
--- ../httpd-2.2.4.orig/support/logresolve.pl.in 2006-07-12 05:38:44.000000000 +0200
+++ ./support/logresolve.pl.in 2007-10-23 13:59:27.000000000 +0200
@@ -57,6 +57,7 @@
use FileHandle;
use Socket;
+use File::Temp;
use strict;
no strict 'refs';
@@ -71,11 +72,13 @@
my %hash = ();
my $parent = $$;
+my $tempdir = File::Temp::tempdir("logresolve.pl2.sockets.XXXXXX", CLEANUP => 1);
+
my @children = ();
for (my $child = 1; $child <=$CHILDREN; $child++) {
my $f = fork();
if (!$f) {
- $filename = "./.socket.$parent.$child";
+ $filename = "$tempdir/socket.$parent.$child";
if (-e $filename) { unlink($filename) || warn "$filename .. $!\n";}
&child($child);
exit(0);
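Review bot: File::Temp::tempdir() is called here with a template but without DIR or TMPDIR => 1, so the socket directory is still created relative to the current working directory, the same place the old ./.socket.$parent.$child files lived. The random suffix and private directory remove the predictable name, but if the intent is to stay out of a possibly shared or unwritable working directory, pass TMPDIR => 1. Keep in mind that the resulting path has to fit into a sockaddr_un, so a long temporary path can make bind() fail.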
@@ -91,9 +94,9 @@
# die kiddies, die
kill(15, @children);
for (my $child = 1; $child <=$CHILDREN; $child++) {
- if (-e "./.socket.$parent.$child") {
- unlink("./.socket.$parent.$child")
- || warn ".socket.$parent.$child $!";
+ if (-e "$tempdir/socket.$parent.$child") {
+ unlink("$tempdir/socket.$parent.$child")
+ || warn "$tempdir/socket.$parent.$child $!";
}
}
}
@@ -113,7 +116,7 @@
if (!socket($CHILDSOCK{$child}, AF_UNIX, SOCK_STREAM, $PROTOCOL)) {
warn "parent socket to child failed $!";
}
- $filename = "./.socket.$parent.$child";
+ $filename = "$tempdir/socket.$parent.$child";
my $response;
do {
$response = connect($CHILDSOCK{$child}, sockaddr_un($filename));
@@ -176,7 +179,7 @@
# create a socket to communicate with parent
socket(INBOUND, AF_UNIX, SOCK_STREAM, $PROTOCOL)
|| die "Error with Socket: !$\n";
- $filename = "./.socket.$parent.$me";
+ $filename = "$tempdir/socket.$parent.$me";
bind(INBOUND, sockaddr_un($filename))
|| die "Error Binding $filename: $!\n";
listen(INBOUND, 5) || die "Error Listening: $!\n";
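Review bot: the context line die "Error with Socket: !$\n" directly above the changed $filename assignment has the variable spelled !$ instead of $!, so a socket() failure prints no error text. Since this hunk already touches the block, fix the typo in the same patch.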
++++++ httpd-keepalivetimeout-millisecs.patch ++++++
--- modules/http/http_core.c.orig
+++ modules/http/http_core.c
@@ -47,12 +47,15 @@ static int ap_process_http_connection(co
static const char *set_keep_alive_timeout(cmd_parms *cmd, void *dummy,
const char *arg)
{
+ apr_interval_time_t timeout;
const char *err = ap_check_cmd_context(cmd, NOT_IN_DIR_LOC_FILE|NOT_IN_LIMIT);
if (err != NULL) {
return err;
}
-
- cmd->server->keep_alive_timeout = apr_time_from_sec(atoi(arg));
+ /* Stolen from mod_proxy.c */
+ if (ap_timeout_parameter_parse(arg, &timeout, "s") != APR_SUCCESS)
+ return "KeepAliveTimeout has wrong format";
+ cmd->server->keep_alive_timeout = timeout;
return NULL;
}
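Review bot: replacing atoi(arg) with ap_timeout_parameter_parse() in set_keep_alive_timeout changes behaviour for existing configurations, because values that atoi() silently accepted now abort startup with "KeepAliveTimeout has wrong format". That deserves a changelog entry, and the error string should include the offending value so the admin can find it. The comment "Stolen from mod_proxy.c" says where the code came from but not which formats are accepted; name the default unit ("s") and the supported suffixes instead.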
++++++ httpd-mod_deflate_head.patch ++++++
--- modules/filters/mod_deflate.c.orig
+++ modules/filters/mod_deflate.c
@@ -582,6 +582,20 @@ static apr_status_t deflate_out_filter(a
apr_bucket *b;
apr_size_t len;
+ /*
+ * Optimization: If we are a HEAD request and bytes_sent is not zero
+ * it means that we have passed the content-length filter once and
+ * have more data to sent. This means that the content-length filter
+ * could not determine our content-length for the response to the
+ * HEAD request anyway (the associated GET request would deliver the
+ * body in chunked encoding) and we can stop compressing.
+ */
+ if (r->header_only && r->bytes_sent) {
+ ap_remove_output_filter(f);
+ return ap_pass_brigade(f->next, bb);
+ }
+
+
e = APR_BRIGADE_FIRST(bb);
if (APR_BUCKET_IS_EOS(e)) {
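Review bot: the new comment in deflate_out_filter reads "have more data to sent", which should be "to send", and the hunk adds two consecutive blank lines after the closing brace where one is enough. The comment explains why compression can stop, but it would help to state that the check relies on r->bytes_sent being non-zero only after a first pass through the content-length filter, since that assumption is what makes the early ap_remove_output_filter(f) safe.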
++++++ httpd-new_pcre.patch ++++++
Index: server/util_pcre.c
===================================================================
--- server/util_pcre.c.orig 2012-02-11 10:07:31.000000000 +0100
+++ server/util_pcre.c 2012-02-11 10:08:23.062838133 +0100
@@ -128,6 +128,7 @@ AP_DECLARE(int) ap_regcomp(ap_regex_t *p
const char *errorptr;
int erroffset;
int options = 0;
+int nsub;
if ((cflags & AP_REG_ICASE) != 0) options |= PCRE_CASELESS;
if ((cflags & AP_REG_NEWLINE) != 0) options |= PCRE_MULTILINE;
@@ -137,7 +138,9 @@ preg->re_erroffset = erroffset;
if (preg->re_pcre == NULL) return AP_REG_INVARG;
-preg->re_nsub = pcre_info((const pcre *)preg->re_pcre, NULL, NULL);
+pcre_fullinfo((const pcre *)preg->re_pcre, NULL,
+ PCRE_INFO_CAPTURECOUNT, &nsub);
+preg->re_nsub = nsub;
return 0;
}
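Review bot: the return value of pcre_fullinfo() is ignored and nsub is declared without an initialiser, so if the call fails preg->re_nsub is assigned an indeterminate value. Either initialise nsub to 0 or check the return code and return AP_REG_INVARG on failure, as the NULL check on preg->re_pcre just above does.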
++++++ load_configuration ++++++
#!/bin/bash
: ${sysconfig_apache:=/etc/sysconfig/apache2}
#
# load the configuration, but only if it hasn't been done already
#
if [ -z "$APACHE_MODULES" ]; then
. $sysconfig_apache
fi
++++++ permissions.apache2 ++++++
/usr/sbin/suexec2 root:root 4755
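Review bot: mode 4755 leaves the setuid-root /usr/sbin/suexec2 executable by every local user, although only the web server needs to invoke it. Consider dropping world execute and granting execute to the server's group instead, for example 4750 with the group set to whatever group httpd runs under on this distribution.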
++++++ rc.apache2 ++++++
#!/bin/sh
#
# Copyright (c) 1996, 1997, 1998 S.u.S.E. GmbH
# Copyright (c) 1998, 1999, 2000, 2001 SuSE GmbH
# Copyright (c) 2002, 2003, (2004?) SuSE Linux AG
# Copyright (c) 2004(?), 2005, 2006, 2007, 2008 SUSE Linux Products GmbH
#
# Authors: Rolf Haberrecker , 2001
# Peter Poeml , 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011.
# Roman Drahtmueller , 2010, 2011, 2012.
#
#
# /etc/init.d/apache2
#
### BEGIN INIT INFO
# Provides: apache apache2 httpd
# Required-Start: $local_fs $remote_fs $network
# Should-Start: $named $time postgresql sendmail mysql ypclient dhcp radiusd
# Should-Stop: $named $time postgresql sendmail mysql ypclient dhcp radiusd
# Required-Stop: $local_fs $remote_fs $network
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# X-Interactive: true
# Short-Description: Apache 2.2 HTTP Server
# Description: Start the Apache HTTP daemon
### END INIT INFO
pname=apache2
: ${sysconfdir:=/etc/$pname}
: ${apache_link:=/usr/sbin/httpd2}
: ${sysconfig_apache:=/etc/sysconfig/$pname}
: ${pidfile:=/var/run/httpd2.pid}
: ${logdir:=/var/log/$pname}
: ${homedir:=/var/lib/$pname}
#
# load the configuration
#
#
# Note about ulimits:
# if you want to set ulimits, e.g. to increase the max number of open file handle,
# or to allow core files, you can do so by editing /etc/sysconfig/apache2 and
# simply write the ulimit commands into that file.
# Example:
# ulimit -n 16384
# ulimit -H -n 16384
# ulimit -c unlimited
# See the output of "help ulimit" in the bash, or "man 1 ulimit".
#
test -s /etc/rc.status && . /etc/rc.status && rc_reset
. /usr/share/$pname/load_configuration
export ${!APACHE_*}
httpd_conf=${APACHE_HTTPD_CONF:-$sysconfdir/httpd.conf}
apache_bin=$(/usr/share/$pname/find_mpm 2>/dev/null)
test -L $apache_link && apache_bin=$(readlink $apache_link)
if [ -z "$APACHE_MPM" ]; then
APACHE_MPM=${apache_bin##*-}
fi
if ! [ -x $apache_bin ]; then
echo >&2 ${warn}$apache_bin-$APACHE_MPM is not a valid httpd2 binary.
echo >&2 Check your APACHE_MPM setting in /etc/sysconfig/$pname. $norm
rc_failed 5
rc_status -v1
rc_exit
fi
# a proper home should be set, otherwise the server might end up
# with HOME=/root and some script might try to use that
HOME=$homedir
get_server_flags()
{
unset server_flags
case "$action" in startssl) server_flags="-DSSL";; esac
for i in $APACHE_SERVER_FLAGS; do
case $i in
-D) ;;
-D*) server_flags="$server_flags $i";;
*) server_flags="$server_flags -D$i";;
esac
done
}
action="$1"
case "$action" in
stop|try-restart|*status*|probe)
;;
*)
shift; get_server_flags
${get_module_list_done:=false} || /usr/share/$pname/get_module_list && export get_module_list_done=true
${get_includes:=false} || /usr/share/$pname/get_includes && export get_includes_done=true
;;
esac
#
# main part
#
case "$action" in
start*)
if [ -e $pidfile ]; then
$0 status &>/dev/null
ret=$?
if [ $ret = 1 ]; then
echo "Warning: found stale pidfile (unclean shutdown?)"
elif [ $ret = 0 ]; then
echo "Apache is already running ($pidfile)"
rc_failed $ret
rc_status -v1
rc_exit
fi
fi
echo -n "Starting httpd2 (${APACHE_MPM:-${apache_bin#*-}}) "
cmdline=$(echo $apache_bin -f $httpd_conf $server_flags "$@")
if eval $cmdline -t > $logdir/rc$pname.out 2>&1 ; then
export -n ${!APACHE_*}
eval startproc -f -t ${APACHE_START_TIMEOUT:-2} $cmdline
ret=$?
if test -t 1 && stty -a 2>/dev/null | grep -q -- -echo\ ; then
# this means that apache was still waiting for a passphrase to be entered
stty echo 2>/dev/null
echo;echo
echo >&2 An SSL passphrase has not been entered within ${APACHE_START_TIMEOUT:-<not set>} seconds.
echo >&2 To increase this timeout, adjust APACHE_START_TIMEOUT in $sysconfig_apache .
# this surely means that apache won't start, despite it looked good to startproc
killall $apache_bin
echo >&2 "Trying to start the server without SSL (-D NOSSL)."
$0 start "$@" -D NOSSL
# rc_failed 1
# rc_status -v1
# rc_exit
else
rc_failed $ret
rc_status -v
fi
else
if [ "$link" = "$base" ] ; then
cat $logdir/rc$pname.out
echo >&2
echo >&2 The command line was:
echo >&2 $cmdline
echo >&2
else
echo -e -n "\nsee $logdir/rc$pname.out for details\n";
fi
rc_failed 1
rc_status -v1
fi
;;
stop)
echo -n "Shutting down httpd2 "
if [ ! -f $pidfile -a -f $pidfile.rpmsave ]; then mv $pidfile.rpmsave $pidfile; fi
if ! [ -f $pidfile ]; then
echo -n "(not running)"
else
pid=$(<$pidfile)
# re-read exe symlink, it could be (deleted) in the meanwhile.
apache_bin=$(readlink /proc/$pid/exe 2>/dev/null)
kill -TERM $pid 2>/dev/null
case $? in
1) echo -n "(not running)";;
0) # wait until the processes are gone (the parent is the last one)
echo -n "(waiting for all children to terminate) "
for ((wait=0; wait<120; wait++)); do
if test -f $pidfile; then
usleep 500000
continue
fi
if ! test -f /proc/$pid/exe; then
break
fi
if test "$(readlink /proc/$pid/exe 2>/dev/null)" = "$apache_bin"; then
usleep 500000
else
break
fi
done
;;
esac
fi
rc_status -v
;;
stop-graceful)
echo "Shutting down httpd2 gracefully (SIGWINCH)"
if ! [ -f $pidfile ]; then
echo -n "(not running)"
else
pid=$(<$pidfile)
kill -WINCH $pid 2>/dev/null
case $? in
1) echo -n "(not running)";;
0) # wait until the pidfile is gone. The parent stays there, but closes the listen ports.
echo -n "(waiting for parent to close listen ports and remove pidfile) "
for ((wait=0; wait<120; wait++)); do
if test -f $pidfile; then
usleep 500000
continue
else
break
fi
done
;;
esac
fi
rc_status -v
;;
try-restart)
## Do a restart only if the service was active before.
## Note: try-restart is now part of LSB (as of 1.9).
## RH has a similar command named condrestart.
$0 status
if test $? = 0; then
$0 restart
else
rc_reset # Not running is not a failure.
fi
# Remember status and be quiet
rc_status
;;
restart)
$0 configtest "$@" || { rc_failed $?; rc_exit; }
if $0 status &>/dev/null; then
$0 stop
fi
$0 start "$@"
# Remember status and be quiet
rc_status
;;
restart-hup)
$0 configtest "$@" || { rc_failed $?; rc_exit; }
if $0 status &>/dev/null; then
echo -n "Restarting httpd2 (SIGHUP)"
kill -HUP $(<$pidfile) || return=$rc_failed
else
$0 start "$@"
fi
# Remember status and be quiet
rc_status -v
;;
restart-graceful)
$0 configtest "$@" || { rc_failed $?; rc_exit; }
if $0 status &>/dev/null; then
$0 stop-graceful "$@"
$0 start "$@"
else
$0 start "$@"
fi
# Remember status and be quiet
rc_status
;;
reload|force-reload|graceful)
# check if there is a deleted binary. If there is, then logrotate
# or other occasions will fail to reload, as dlopen(3) of apache
# modules is prone to fail due to symbol mismatches.
# in this case, we only complain and fail.
if [ ! -f $pidfile -a -f $pidfile.rpmsave ]; then mv $pidfile.rpmsave $pidfile; fi
executable=$( readlink /proc/$(cat $pidfile)/exe 2> /dev/null )
case "$executable" in
*httpd*delete*)
echo -n "Reload httpd2 after package update: ignoring request. Please do a manual restart explicitly! "
rc_failed 1
rc_status -v
rc_exit
;;
*)
;;
esac
echo -n "Reload httpd2 (graceful restart)"
cmdline=$(echo $apache_bin -f $httpd_conf $server_flags "$@")
if eval $cmdline -t &> $logdir/rc$pname.out; then
killproc -USR1 $apache_bin || return=$rc_failed
rc_status -v
else
if [ "$link" = "$base" ] ; then
echo -e -n "\n\n"
cat $logdir/rc$pname.out
echo >&2
echo >&2 The command line was:
echo >&2 $cmdline
echo >&2
else
echo -e -n "\nsee $logdir/rc$pname.out for details\n";
fi
rc_failed 6
rc_status -v1
fi
;;
status)
if [ ! -f $pidfile -a -f $pidfile.rpmsave ]; then mv $pidfile.rpmsave $pidfile; fi
echo -n "Checking for httpd2: "
# we don't use checkproc here since it is confused when we exchange the binaries
if ! [ -f $pidfile ]; then
# not running
rc_failed 3
elif [ -s $pidfile -a -d /proc/$(<$pidfile) ]; then
# running
:
else
# stale pid file
rc_failed 1
#rm -f $pidfile
fi
rc_status -v
;;
probe)
## Optional: Probe for the necessity of a reload,
## give out the argument which is required for a reload.
for i in $httpd_conf \
$APACHE_CONF_INCLUDE_FILES \
$APACHE_CONF_INCLUDE_DIRS
do
if [ $i -nt $pidfile ]; then
echo reload
break
fi
done
;;
conf*|test|syntax|check)
cmdline=$(echo $apache_bin -f $httpd_conf $server_flags "$@")
eval $cmdline -t
rc_failed $?
rc_exit
;;
extr*)
cmdline=$(echo $apache_bin -f $httpd_conf $server_flags "$@")
out=$(su - nobody -c "$cmdline" 2>&1)
case $out in
*make_sock:\ could\ not\ bind\ to\ address*) echo Syntax: OK; rc_failed=0;;
*) echo Syntax: NOT OK:; echo $out; rc_failed=1;;
esac
rc_exit
;;
server-status)
apache2ctl status
;;
full-server-status|fullstatus)
apache2ctl fullstatus
;;
*)
cat >&2 <<-EOF
Usage: $0 <command> <server flags>
where <command> is one of:
start - start httpd
startssl - start httpd with -DSSL
stop - stop httpd (sending SIGTERM to parent)
try-restart - stop httpd and if this succeeds (i.e. if
it was running before), start it again.
status - check whether httpd is running
restart - stop httpd if running; start httpd
restart-graceful - stop httpd gracefully if running; start httpd
reload|graceful - do a graceful restart by sending a SIGUSR1, or
start if not running
stop-graceful - stop httpd (sending SIGWINCH to parent)
configtest - do a configuration syntax test
extreme-configtest - try to run httpd as nobody (detects more errors
by actually loading the configuration, but cannot
read SSL certificates)
probe - probe for the necessity of a reload, give
out the argument which is required for a reload.
(by comparing conf files with pidfile timestamp)
full-server-status - dump a full status screen; requires lynx or w3m
and mod_status enabled
server-status - dump a short status screen; requires lynx or w3m
and mod_status enabled
help - this screen
optional server flags are passed through to httpd.
EOF
exit 1
esac
# Inform the caller not only verbosely and set an exit status.
rc_exit
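Review bot: the guard ${get_includes:=false} || /usr/share/$pname/get_includes && export get_includes_done=true tests get_includes but exports get_includes_done, so the guard never short-circuits and get_includes runs again on every nested $0 call; the get_module_list line just above uses the same name on both sides and shows the intended form. In restart-hup and reload, "|| return=$rc_failed" assigns a shell variable named return rather than calling rc_failed, so a failed kill or killproc is not reflected in the exit status. Also note that the start branch falls back to "$0 start "$@" -D NOSSL" when no passphrase is entered, which silently brings the server up without SSL; that fallback should at least be documented in the usage text.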
++++++ robots.txt ++++++
# exclude help system from robots
User-agent: *
Disallow: /manual/
Disallow: /doc/
Disallow: /gif/
# but allow htdig to index our doc-tree
User-agent: susedig
Disallow:
# disallow stress test
user-agent: stress-agent
Disallow: /
++++++ ssl-mode-release-buffers.patch ++++++
--- modules/ssl/ssl_engine_init.c.orig
+++ modules/ssl/ssl_engine_init.c
@@ -482,7 +482,9 @@ static void ssl_init_ctx_protocol(server
}
mctx->ssl_ctx = ctx;
-
+#ifdef SSL_MODE_RELEASE_BUFFERS
+ SSL_CTX_set_mode(ctx, SSL_MODE_RELEASE_BUFFERS);
+#endif
SSL_CTX_set_options(ctx, SSL_OP_ALL);
if (!(protocol & SSL_PROTOCOL_SSLV2)) {
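Review bot: SSL_CTX_set_mode(ctx, SSL_MODE_RELEASE_BUFFERS) is enabled for every context whenever the macro is defined, with no comment stating the intent and no way to turn it off from configuration. Add a one-line comment explaining why the mode is set, and keep the blank line that this hunk removes between the mctx->ssl_ctx assignment and the option setup.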
++++++ start_apache2 ++++++
#!/bin/sh
#
# Copyright (c) 1996, 1997, 1998 S.u.S.E. GmbH
# Copyright (c) 1998, 1999, 2000, 2001 SuSE GmbH
# Copyright (c) 2002, 2003, (2004?) SuSE Linux AG
# Copyright (c) 2004(?), 2005, 2006, 2007, 2008 SUSE Linux Products GmbH
#
# Authors: Rolf Haberrecker , 2001
# Peter Poeml , 2002, 2003, 2004, 2005, 2006, 2007,
# 2008, 2009, 2010
#
#
pname=apache2
. /usr/share/$pname/load_configuration
export ${!APACHE_*}
apache_link=/usr/sbin/httpd2
apache_bin=$(/usr/share/$pname/find_mpm 2>/dev/null)
httpd_conf=${APACHE_HTTPD_CONF:-/etc/apache2/httpd.conf}
test -L $apache_link && apache_bin=$(readlink $apache_link)
if [ -z "$APACHE_MPM" ]; then
APACHE_MPM=${apache_bin##*-}
fi
if ! [ -x $apache_bin ]; then
echo >&2 $apache_bin-$APACHE_MPM is not a valid httpd2 binary.
echo >&2 Check your APACHE_MPM setting in /etc/sysconfig/$pname.
exit 5
fi
# a proper home should be set, otherwise the server might end up
# with HOME=/root and some script might try to use that
HOME=/var/lib/apache2
unset server_flags
case "$action" in startssl) server_flags="-DSSL";; esac
for i in $APACHE_SERVER_FLAGS; do
case $i in
-D) ;;
-D*) server_flags="$server_flags $i";;
*) server_flags="$server_flags -D$i";;
esac
done
${get_module_list_done:=false} || /usr/share/$pname/get_module_list && export get_module_list_done=true
${get_includes:=false} || /usr/share/$pname/get_includes && export get_includes_done=true
export -n ${!APACHE_*}
exec $apache_bin -f $httpd_conf $server_flags $@
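Review bot: case "$action" in startssl) tests $action, but this script never assigns it (rc.apache2 sets action="$1", start_apache2 does not), so the -DSSL branch only fires if the caller happens to have action in the environment. The get_includes guard has the same get_includes versus get_includes_done name mismatch as in rc.apache2. The final exec passes $@ unquoted, so arguments containing whitespace are re-split; use "$@".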
++++++ sysconf_addword ++++++
#!/bin/bash
# Copyright 2005 Peter Poeml . All Rights Reserved.
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
debug=false
function usage() {
cat <<-EOF
usage: $(basename $0) [-r] FILE VAR WORD
Add word WORD to variable VAR in file FILE, or remove
it if the -r option is given.
Example:
$(basename $0) /etc/sysconfig/apache2 APACHE_SERVER_FLAGS asdf
leads to the change:
-APACHE_SERVER_FLAGS="SSL STATUS ruby"
+APACHE_SERVER_FLAGS="SSL STATUS ruby asdf"
If multiple lines matching ^VAR= are found (which happens to be a habit of
mine), only the last one is manipulated.
It does not work for WORD starting with characters like a dash which
prevent word boundary matching.
EOF
}
function find_last_occurrence () {
# takes two arguments, FILE and VAR
# and return the number of the last line where
# VAR occurs in FILE (not commented)
grep -n -- "^[[:space:]]*$1" $2 | tail -n 1 | cut -d: -f1
}
function word_present () {
. $file
case " ${!var} " in
*" $word "*) true;;
*) false;;
esac
}
function add_word() {
local word=$1
local word_quoted=$2
if ! word_present; then
$debug && cp $file $tmpf
sed -i -e "${lineno} {
s/^[[:space:]]*\($var=\".*\)\(\".*\)/\1 $word_quoted\2/;
s/=\" /=\"/
}" $file
$debug && diff -u $tmpf $file
else
echo \"$word\" already present
fi
# some balancing for vim"s syntax highlighting
}
function remove_word() {
local word=$1
local word_quoted=$2
if word_present; then
$debug && cp $file $tmpf
sed -i -e "${lineno} {
s/\(['\" ]\)$word_quoted\(['\" ]\)/\1 \2/g
s/ / /g
}" $file
$debug && diff -u $tmpf $file
else
echo \"$word\" not present
fi
# some balancing for vim"s syntax highlighting
}
# poor man's option parsing
case "$1" in
-h) usage; exit 0;;
esac
if [ $# -lt 3 ]; then
echo not enough arguments
echo
usage; exit 1
fi
action=add
case "$1" in
-r) action=remove; shift;;
esac
file=$1; shift
var=$1; shift
word=$1
word_quoted=${1//\//\\\/}
if $debug; then
echo FILE: $file
echo VAR: $var
echo WORD: $word
echo current content:
grep "^$var=" $file | tail -n 1
echo
fi
if ! [ -r $file ]; then
echo ${0##*/}: file $file is not a readable file
exit 1
fi
lineno=$(find_last_occurrence $var $file)
if [ -z $lineno ]; then
echo ${0##*/}: variable $var does not occur in $file
exit 1
fi
$debug && tmpf=$(mktemp /tmp/$(basename $0).XXXXXX)
if [ $action = add ]; then
add_word $word $word_quoted $lineno
else
remove_word $word $word_quoted $lineno
fi
$debug && rm -f $tmpf
exit 0
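Review bot: word_present runs ". $file", which executes the whole target file as shell code with the caller's privileges just to read one variable; since this tool is meant to be run against /etc/sysconfig files, usually as root, parse the matched line instead of sourcing the file. $var and $word_quoted are interpolated into the sed expressions with only "/" escaped, so regex metacharacters in either change what gets matched. Smaller points: the comment in find_last_occurrence says the arguments are FILE and VAR, but the function is called with $var $file and uses $1 as the pattern, and [ -z $lineno ] and [ -r $file ] should quote their operands.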
++++++ sysconfig.apache2 ++++++
## Path: Network/WWW/Apache2
## Description: Configuration for Apache 2
## Type: string
## Default: ""
## ServiceRestart: apache2
#
# Here you can name files, separated by spaces, that should be Include'd from
# httpd.conf.
#
# This allows you to add e.g. VirtualHost statements without touching
# /etc/apache2/httpd.conf itself, which makes upgrading easier.
#
APACHE_CONF_INCLUDE_FILES=""
## Type: string
## Default: ""
## ServiceRestart: apache2
#
# Here you can name directories, separated by spaces, that should be Include'd
# from httpd.conf.
#
# All files contained in these directories will be recursively included by apache.
# If a pattern like *.conf is appended, apache will use it.
#
# Examples: "/etc/apache2/my_conf/"
# "/etc/apache2/virtual_hosts/*.conf"
# "local/*.conf /srv/www/virtual/"
#
APACHE_CONF_INCLUDE_DIRS=""
## Type: string
## Default: "actions alias auth_basic authz_host authn_file authz_groupfile authz_default authz_user autoindex cgi dir env expires include log_config mime negotiation setenvif ssl suexec userdir php5"
## ServiceRestart: apache2
#
# [It might look silly to not simply edit httpd.conf for the LoadModule statements.
# However, since the LoadModule statements might need an absolute path to the modules,
# switching between MPMs can be quite a hassle. It's easier to just give the names here.]
#
# * list of all modules shipped with the base distribution:
#
@@all_modules@@
#
# see http://httpd.apache.org/docs-2.2/mod/ !
#
# * It pays to use IfDefine statements... like
# <IfModule mod_xyz.c>
# ....
# </IfModule>
#
# * In the APACHE_MODULES variable, you can use mod_xyz or just xyz syntax.
# You may also name an absolute path if you like.
#
# * NOTE ON SSL: before you can use mod_ssl, you need a server certificate.
# A test certificate can be created by entering
# 'cd /usr/share/doc/packages/apache2; ./certificate.sh' as root.
# Also, you need to set the ServerName inside the <VirtualHost _default_:443>
# block to the fully qualified domain name (see /etc/HOSTNAME).
# * if your server certificate is protected by a passphrase you should increase the
# APACHE_START_TIMEOUT (see above)
# * to finally enable ssl support, you need to add 'SSL' to APACHE_SERVER_FLAGS
# below.
#
# * modules listed here will be ignored if they are not installed
#
#
# EXAMPLES:
#
# fairly minimal
# APACHE_MODULES="authz_host alias auth dir log_config mime setenvif"
#
# apache's default installation
# APACHE_MODULES="authz_host actions alias asis auth autoindex cgi dir imap include log_config mime negotiation setenvif status userdir"
# your settings
APACHE_MODULES="actions alias auth_basic authn_file authz_host authz_groupfile authz_default authz_user autoindex cgi dir env expires include log_config mime negotiation setenvif ssl userdir php5 reqtimeout"
## Type: string
## Default: ""
## ServiceRestart: apache2
#
# Additional server flags:
#
# Put here any server flags ("Defines") that you want to hand over to
# httpd at start time, or other command line flags.
#
# Background: Any directives within an <IfDefine flag>...</IfDefine>
# section are only processed if the flag is defined.
# This allows to write configuration which is active only in a
# special cases, like during server maintenance, or for testing
# something temporarily.
#
# Notably, to enable ssl support, 'SSL' needs to be added here.
# To enable the server-status, 'STATUS' needs to be added here.
#
# It does not matter if you write flag1, -D flag1 or -Dflag1.
# Multiple flags can be given as "-D flag1 -D flag2" or simply "flag1 flag2".
#
# Specifying such flags here is equivalent to giving them on the commandline.
# (e.g. via rcapache2 start -DReverseProxy)
#
# Example:
# "SSL STATUS AWSTATS SVN_VIEWCVS no_subversion_today"
#
APACHE_SERVER_FLAGS=""
## Type: string
## Default: ""
## ServiceRestart: apache2
#
# Which config file do you want to use?
# (if not set, /etc/apache2/httpd.conf is used.)
# It is unusual to need to use this setting.
#
# Note about ulimits:
# if you want to set ulimits, e.g. to increase the max number of open file handle,
# or to allow core files, you can do so by editing /etc/sysconfig/apache2 and
# simply write the ulimit commands into that file.
# Example:
# ulimit -n 16384
# ulimit -H -n 16384
# ulimit -c unlimited
# See the output of "help ulimit" in the bash, or "man 1 ulimit".
#
APACHE_HTTPD_CONF=""
## Type: list(prefork,worker,event,itk)
## Default: ""
## ServiceRestart: apache2
#
# MPM (multi-processing module) to use.
#
# Needed to determine with which MPM apache will run, as well as
# against which header files modules will be built.
#
# If not set, the system will simply pick one of the installed MPMs.
#
# The implementation of the logic is in /usr/share/apache2/find_mpm,
# a script which can be used standalone as well if needed.
#
APACHE_MPM=""
## Type: string
## Default: ""
## ServiceReload: apache2
#
# email address of the server administrator (ServerAdmin directive)
# This address is added to the server's responses if APACHE_SERVERSIGNATURE
# is set to "email".
#
# If empty ("") it defaults to webmaster@$FQHOSTNAME, where FQHOSTNAME is
# taken from /etc/HOSTNAME.
#
# Note that ServerAdmin directives inside VirtualHost statements are not
# changed, even not the one in the stock SSL virtual host block.
#
APACHE_SERVERADMIN=""
## Type: string
## Default: ""
## ServiceReload: apache2
#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If this is not set to valid DNS name for your host, server-generated
# redirections will not work. See also the UseCanonicalName directive.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
# You will have to access it by its address anyway, and this will make
# redirections work in a sensible way.
#
APACHE_SERVERNAME=""
## Type: integer
## Default: 2
#
# timeout during server startup (seconds)
# after this time, the start script decides wether the httpd process started without error.
#
# Increase it, if you use mod_ssl and your certificate is passphrase protected!
#
APACHE_START_TIMEOUT="2"
## Type: list(on,off,email)
## Default: "on"
## ServiceReload: apache2
#
# Configures the footer on server-generated documents
# This correlates to the ServerSignature directive.
#
APACHE_SERVERSIGNATURE="on"
## Type: list(debug,info,notice,warn,error,crit,alert,emerg)
## Default: "warn"
## ServiceReload: apache2
#
# LogLevel: Control the number of messages logged to the error_log.
#
APACHE_LOGLEVEL="warn"
## Type: string
## Default: "/var/log/apache2/access_log combined"
## ServiceRestart: apache2
#
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a <VirtualHost>
# container, they will be logged here. Contrarywise, if you *do*
# define per-<VirtualHost> access logfiles, transactions will be
# logged therein and *not* in this file.
#
# Simply set it to empty, if you configure it yourself somewhere else.
#
# Examples:
#
# If you would like to have agent and referer logfiles:
#
# setting it to "/var/log/apache2/referer_log referer, /var/log/apache2/agent_log agent"
# corresponds to
# CustomLog /var/log/apache2/referer_log referer
# CustomLog /var/log/apache2/agent_log agent
#
# If you prefer a single logfile with access, agent, and referer information
# (Combined Logfile Format):
#
# setting it to "/var/log/apache2/access_log combined"
# corresponds to
# CustomLog /var/log/apache2/access_log combined
#
APACHE_ACCESS_LOG="/var/log/apache2/access_log combined"
## Type: list(On,Off,DNS)
## Default: "Off"
## ServiceReload: apache2
#
# UseCanonicalName: Determines how Apache constructs self-referencing
# URLs and the SERVER_NAME and SERVER_PORT variables.
# When set "Off", Apache will use the Hostname and Port supplied
# by the client. When set "On", Apache will use the value of the
# ServerName directive.
#
APACHE_USE_CANONICAL_NAME="off"
## Type: list(Major,Minor,Minimal,ProductOnly,OS,Full)
## Default: "OS"
## ServiceReload: apache2
#
# How much information the server response header field contains about the server.
# (installed modules, versions, etc.)
# see http://httpd.apache.org/docs-2.2/mod/core.html#servertokens
#
APACHE_SERVERTOKENS="OS"
## Type: list(on,off)
## Default: "off"
## ServiceReload: apache2
#
# If mod_status is used, include extended information about the server, like
# CPU usage, in the status report. It is a server-wide setting, and it can cost
# some performance!
#
APACHE_EXTENDED_STATUS="off"
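Review bot: the "## Default:" line for APACHE_MODULES lists suexec and no reqtimeout, while the shipped APACHE_MODULES value has reqtimeout and no suexec, so the documented default and the actual setting disagree. The "Note about ulimits" block sits under the APACHE_HTTPD_CONF description, where it does not belong, and the comment on APACHE_START_TIMEOUT refers to "see above" from a point earlier in the file than the variable itself. The text "It pays to use IfDefine statements" is followed by an IfModule example, and "wether" in the APACHE_START_TIMEOUT comment should be "whether".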