Hello community,

here is the log from the commit of package apache2.1263 for openSUSE:12.2:Update checked in at 2013-02-05 17:34:19

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.2:Update/apache2.1263 (Old)
 and      /work/SRC/openSUSE:12.2:Update/.apache2.1263.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "apache2.1263", Maintainer is ""

Changes:
--------
New Changes file:

--- /dev/null	2013-01-09 19:40:42.352580873 +0100
+++ /work/SRC/openSUSE:12.2:Update/.apache2.1263.new/apache2.changes	2013-02-05 17:34:21.000000000 +0100
@@ -0,0 +1,3782 @@ +------------------------------------------------------------------- +Mon Jan 28 15:04:02 CET 2013 - draht@suse.de + +- httpd-2.2.x-bnc798733-SNI_ignorecase.diff: ignore case when + checking against SNI server names. [bnc#798733] +- httpd-2.2.x-bnc777260-CVE-2012-2687-mod_negotiation_filename_xss.diff + Escape filename for the case that uploads are allowed with untrusted + user's control over filenames and mod_negotiation enabled on the + same directory. CVE-2012-2687 [bnc#777260] + +------------------------------------------------------------------- +Wed Jul 25 11:32:34 UTC 2012 - saschpe@suse.de + +- gensslcert: Use 0400 permissions for generated SSL certificate files + instead of 0644 + +------------------------------------------------------------------- +Fri Jul 6 11:58:03 UTC 2012 - meissner@suse.com + +- modified apache2.2-mpm-itk-20090414-00.patch to fix + itk running as root. bnc#681176 / CVE-2011-1176 + +------------------------------------------------------------------- +Fri Jul 6 09:42:00 UTC 2012 - meissner@suse.com + +- remove the insecure LD_LIBRARY_PATH line. bnc#757710 + +------------------------------------------------------------------- +Sun Apr 22 20:14:22 UTC 2012 - dimstar@opensuse.org + +- Add apache2-mod_ssl_npn.patch: Add npn support to mod_ssl, which + is needed by spdy. +- Provide apache2(mod_ssl+npn), indicating that our mod_ssl does + have the npn patch. This can be used by mod_spdy to ensure a + compatible apache/mod_ssl is installed. 
+ +------------------------------------------------------------------- +Tue Mar 20 14:05:49 UTC 2012 - adrian@suse.de + +- fix truncating and resulting paniking of answer headers (bnc#690734) + +------------------------------------------------------------------- +Sat Feb 18 21:15:08 UTC 2012 - poeml@cmdline.net + +- update to 2.2.22 + *) SECURITY: CVE-2011-3368 (cve.mitre.org) + Reject requests where the request-URI does not match the HTTP + specification, preventing unexpected expansion of target URLs in + some reverse proxy configurations. + *) SECURITY: CVE-2011-3607 (cve.mitre.org) + Fix integer overflow in ap_pregsub() which, when the mod_setenvif module + is enabled, could allow local users to gain privileges via a .htaccess + file. + *) SECURITY: CVE-2011-4317 (cve.mitre.org) + Resolve additional cases of URL rewriting with ProxyPassMatch or + RewriteRule, where particular request-URIs could result in undesired + backend network exposure in some configurations. + *) SECURITY: CVE-2012-0021 (cve.mitre.org) + mod_log_config: Fix segfault (crash) when the '%{cookiename}C' log format + string is in use and a client sends a nameless, valueless cookie, causing + a denial of service. The issue existed since version 2.2.17. PR 52256. + *) SECURITY: CVE-2012-0031 (cve.mitre.org) + Fix scoreboard issue which could allow an unprivileged child process + could cause the parent to crash at shutdown rather than terminate + cleanly. + *) SECURITY: CVE-2012-0053 (cve.mitre.org) + Fix an issue in error responses that could expose "httpOnly" cookies + when no custom ErrorDocument is specified for status code 400. + *) mod_proxy_ajp: Try to prevent a single long request from marking a worker + in error. + *) config: Update the default mod_ssl configuration: Disable SSLv2, only + allow >= 128bit ciphers, add commented example for speed optimized cipher + list, limit MSIE workaround to MSIE <= 5. + *) core: Fix segfault in ap_send_interim_response(). PR 52315. 
+ *) mod_log_config: Prevent segfault. PR 50861. + *) mod_win32: Invert logic for env var UTF-8 fixing. + Now we exclude a list of vars which we know for sure they dont hold UTF-8 + chars; all other vars will be fixed. This has the benefit that now also + all vars from 3rd-party modules will be fixed. PR 13029 / 34985. + *) core: Fix hook sorting for Perl modules, a regression introduced in + 2.2.21. PR: 45076. + *) Fix a regression introduced by the CVE-2011-3192 byterange fix in 2.2.20: + A range of '0-' will now return 206 instead of 200. PR 51878. + *) Example configuration: Fix entry for MaxRanges (use "unlimited" instead + of "0"). + *) mod_substitute: Fix buffer overrun. +- adjusted SSL template/default config for upstream changes, and added + MaxRanges example to apache2-server-tuning.conf +- fixed installation of (moved) man pages + +------------------------------------------------------------------- +Sat Feb 11 09:21:15 UTC 2012 - coolo@suse.com + +- compile with pcre 8.30 - patch taken from apache bugzilla + +------------------------------------------------------------------- +Sat Jan 21 13:54:01 CET 2012 - draht@suse.de + +- enable mod_reqtimeout by default via APACHE_MODULES in + /etc/sysconfig/apache2, configuration + /etc/apache2/mod_reqtimeout.conf . + Of course, the existing configuration remains unchanged. 
+ +------------------------------------------------------------------- +Fri Dec 16 20:53:39 UTC 2011 - chris@computersalat.de + +- add default vhost configs + * default-vhost.conf, default-vhost-ssl.conf, README.default-vhost + +------------------------------------------------------------------- +Sat Dec 10 10:34:26 CET 2011 - meissner@suse.de + +- openldap2 is not necessary, just openldap2-devel as buildrequires + +------------------------------------------------------------------- +Fri Dec 2 07:18:56 UTC 2011 - coolo@suse.com + +- add automake as buildrequire to avoid implicit dependency + +------------------------------------------------------------------- +Fri Nov 18 15:04:12 CET 2011 - draht@suse.de + +- update to /etc/init.d/apache2: handle reload with deleted + binaries after package update more thoughtfully: If the binaries + have been replaced, then a dlopen(3) on the apache modules is + prone to fail. => Don't reload then, but complain and fail. + Especially important for logrotate! + +------------------------------------------------------------------- +Fri Oct 7 17:11:56 CEST 2011 - draht@suse.de + +- httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff fixes mod_proxy + reverse exposure via RewriteRule or ProxyPassMatch directives. + This is CVE-2011-3368. + +------------------------------------------------------------------- +Fri Oct 7 14:36:31 UTC 2011 - fcrozat@suse.com + +- Ensure service_add_pre macro is correctly called for + openSUSE 12.1 or later. + +------------------------------------------------------------------- +Tue Sep 27 08:19:35 UTC 2011 - fcrozat@suse.com + +- Fix systemd files packaging, %ghost is not a good idea. +- Use systemd rpm macros for openSUSE 12.1 and later. + +------------------------------------------------------------------- +Thu Sep 15 13:33:30 CEST 2011 - draht@suse.de + +- don't create $RPM_BUILD_ROOT/etc/init.d twice in %install. 
+ +------------------------------------------------------------------- +Wed Sep 14 01:11:55 CEST 2011 - draht@suse.de + +- Update to 2.2.21. News therein: + * re-worked CVE-2011-3192 (byterange_filter.c) with a regression + fix. New config option: MaxRanges (PR 51748) + * multi fixes in mod_filter, mod_proxy_ajp, mod_dav_fs, + mod_alias, mod_rewrite. As always, see CHANGES file. +- added httpd-%{realver}.tar.bz2.asc to source, along with + 60C5442D.key which the tarball was signed with. + +------------------------------------------------------------------- +Tue Sep 13 10:37:37 CEST 2011 - draht@suse.de + +- need to add %ghost /lib/systemd to satisfy distributions that + have no systemd yet. + +------------------------------------------------------------------- +Thu Sep 1 09:43:49 UTC 2011 - fcrozat@suse.com + +- Add apache2-systemd-ask-pass / apache2.service / start_apache2 + and modify apache2-ssl-global.conf for systemd support + (bnc#697137). + +------------------------------------------------------------------- +Wed Aug 31 12:52:22 UTC 2011 - crrodriguez@opensuse.org + +- Update to version 2.2.20, fix CVE-2011-3192 + mod_deflate D.o.S. 
+ + +------------------------------------------------------------------- +Fri Aug 5 06:02:35 UTC 2011 - crrodriguez@opensuse.org + +- Fix apache PR 45076 + +------------------------------------------------------------------- +Sun Jul 17 19:49:55 UTC 2011 - crrodriguez@opensuse.org + +- Use SSL_MODE_RELEASE_BUFFERS to reduce mod_ssl memory usage + +------------------------------------------------------------------- +Wed Jun 22 16:12:10 UTC 2011 - crrodriguez@opensuse.org + +- Add 2 patches from the "low hanging fruit" warnings in apache ++++ 3585 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:12.2:Update/.apache2.1263.new/apache2.changes New: ---- 60C5442D.key Apache.xpm SUSE-NOTICE a2enflag a2enmod apache-20-22-upgrade apache-ssl-stuff.tar.bz2 apache2-README apache2-README.QUICKSTART apache2-README.default-vhost apache2-check_forensic apache2-default-server.conf apache2-default-vhost-ssl.conf apache2-default-vhost.conf apache2-errors.conf apache2-httpd.conf apache2-listen.conf apache2-manual.conf apache2-mod_autoindex-defaults.conf apache2-mod_info.conf apache2-mod_log_config.conf apache2-mod_mime-defaults.conf apache2-mod_reqtimeout.conf apache2-mod_ssl_npn.patch apache2-mod_status.conf apache2-mod_userdir.conf apache2-mod_usertrack.conf apache2-server-tuning.conf apache2-ssl-global.conf apache2-systemd-ask-pass apache2-vhost-ssl.template apache2-vhost.template apache2.2-mpm-itk-20090414-00.patch apache2.changes apache2.firewall apache2.logrotate apache2.service apache2.spec apache2.ssl-firewall apache2.xml favicon.ico find_httpd2_includes find_mpm gensslcert get_includes get_module_list httpd-2.0.49-log_server_status.dif httpd-2.0.54-envvars.dif httpd-2.1.3alpha-layout.dif httpd-2.1.9-apachectl.dif httpd-2.2.0-apxs-a2enmod.dif httpd-2.2.19-linux3.patch httpd-2.2.22.tar.bz2 httpd-2.2.22.tar.bz2.asc httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff httpd-2.2.x-bnc690734.patch 
httpd-2.2.x-bnc777260-CVE-2012-2687-mod_negotiation_filename_xss.diff httpd-2.2.x-bnc798733-SNI_ignorecase.diff httpd-2.x.x-logresolve.patch httpd-keepalivetimeout-millisecs.patch httpd-mod_deflate_head.patch httpd-new_pcre.patch load_configuration permissions.apache2 rc.apache2 robots.txt ssl-mode-release-buffers.patch start_apache2 sysconf_addword sysconfig.apache2

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ apache2.spec ++++++
++++ 1144 lines (skipped)

++++++ Apache.xpm ++++++
/* XPM */
static char *Apache[] = {
/* width height num_colors chars_per_pixel */
"259 32 32 1",
/* colors */
". c #ffffff",
"# c #cecece",
"a c #a5a5a5",
"b c #848484",
"c c #737373",
"d c #6b6b6b",
"e c #5a5a5a",
"f c #211818",
"g c #ff4218",
"h c #ff3100",
"i c #bd5210",
"j c #dead84",
"k c #ef9c42",
"l c #ff8400",
"m c #ffce18",
"n c #ffce00",
"o c #cecec6",
"p c #bdbdc6",
"q c #3100ff",
"r c #6300ff",
"s c #9c00ff",
"t c #ef00ff",
"u c #e74aef",
"v c #de7bde",
"w c #d6a5ce",
"x c #ff009c",
"y c #ef4a8c",
"z c #ff0063",
"A c #e7849c",
"B c #ef5263",
"C c #ff0018",
"D c #000000",
/* pixels */
/* 32 pixel rows of the 259x32 Apache logo omitted here; each row is a
   259-character string drawn with the colour keys above. */
};

++++++ SUSE-NOTICE ++++++
The SuSE build of apache2 contains the following modifications:

* assert HAVE_POLL during compilation (safety measure)
* small fixes in apachectl to make it work with multiple MPMs, and use w3m
  alternatively to lynx
* avoid error if compiled with openssl 0.9.6e
* added patch to experimental caching module that fixes segfault for
  'GET https://whatever.html HTTP/1.0' request on HTTP Port
  (/modules/experimental/cache_util.c)
* RFC 2817 TLS upgrade backported from 2.1
* fixed log_server_status to use Socket.pm and match our configuration
* fixed check_forensic script (adjusted for GNU tools, use safe tmpdir)
* http://www.apache.org/dist/httpd/patches/apply_to_2.0.52/util_ldap_cache_mgr...

++++++ a2enflag ++++++
#!/bin/bash
# Copyright 2005 Peter Poeml <apache@suse.de>. All Rights Reserved.
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.

sysconf=/etc/sysconfig/apache2
var=APACHE_SERVER_FLAGS
PATH="$PATH:/usr/bin:/usr/sbin:/usr/share/apache2"
debug=true

function usage() {
	echo "$(basename $0): enable/disable a flag in $var in $sysconf"
	echo
	echo "usage: $(basename $0) [-d] flag"
	#echo "       $(basename $0) -h   runtests"
	exit 1
}

if [ $# -lt 1 ]; then
	usage
fi

action=enable
case "$1" in
	-d) action=disable; shift;;
	-*) usage;;
esac
case $(basename $0) in
	a2disflag) action=disable;;
esac

flag=$1

if [ $action = enable ]; then
	sysconf_addword $sysconf $var $flag
	exit $?
else
	sysconf_addword -r $sysconf $var $flag
	exit $?
fi

++++++ a2enmod ++++++
#!/bin/bash
# Copyright 2005 Peter Poeml <apache@suse.de>. All Rights Reserved.
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.

sysconf=/etc/sysconfig/apache2
var=APACHE_MODULES
PATH="$PATH:/usr/bin:/usr/sbin:/usr/share/apache2"
debug=true

function usage() {
	echo "$(basename $0): enable/disable an apache module in $var in $sysconf"
	echo
	echo "usage: $(basename $0) [-d] module"
	echo "       $(basename $0) -l           list modules"
	echo "       $(basename $0) -q module    query if module is installed"
	#echo "       $(basename $0) -h           runtests"
	exit 1
}

if [ $# -lt 1 ]; then
	usage
fi

action=enable
case "$1" in
	-d) action=disable; shift;;
	-l) action=list; shift;;
	-q) action=query; shift;;
	-*) usage;;
esac
case $(basename $0) in
	a2dismod) action=disable;;
esac

mod=$1

if [ $action = enable ]; then
	sysconf_addword $sysconf $var $mod
	exit $?
elif [ $action = disable ]; then
	sysconf_addword -r $sysconf $var $mod
	exit $?
elif [ $action = query ]; then
	if a2enmod -l | grep -q "\<$mod\>"; then
		exit 0
	else
		exit 1
	fi
else
	source $sysconf
	eval echo \$$var
fi

++++++ apache-20-22-upgrade ++++++
#!/bin/bash
# obsolete 2.0 modules -> 2.2 modules

echo 'looking for old 2.0 modules to be renamed...'

if a2enmod -q auth; then
	echo 'auth -> auth_basic authn_file'
	a2dismod auth
	a2enmod auth_basic
	a2enmod authn_file
	a2enmod authz_groupfile
	a2enmod authz_default
	a2enmod authz_user
	cat <<-EOF

	!!!ATTENTION!!!
	If you use basic authentication, you will need to update your
	configuration. Typically, you need to add
	    AuthBasicProvider file
	(example for file-based authentication) below "AuthType Basic".
	!!!ATTENTION!!!

EOF
fi

if a2enmod -q access; then
	echo 'access -> authz_host'
	a2dismod access
	a2enmod authz_host
fi

if a2enmod -q auth_dbm; then
	echo 'auth_dbm -> authn_dbm'
	a2dismod auth_dbm
	a2enmod authn_dbm
fi

if a2enmod -q imap; then
	echo 'imap -> imagemap'
	a2dismod imap
	a2enmod imagemap
fi

if a2enmod -q image_map; then
	echo 'image_map -> imagemap'
	a2dismod image_map
	a2enmod imagemap
fi

if a2enmod -q auth_ldap; then
	echo 'auth_ldap -> mod_authnz_ldap'
	a2dismod auth_ldap
	a2enmod mod_authnz_ldap
fi

echo 'Done.'

++++++ apache2-README ++++++
README.SuSE for Apache 2

For The Impatient
=================

o There are several MPM packages (MPM = multiprocessing module, which
  implements the threads/processes model). The MPM packages contain the
  actual apache binary. At least one MPM package must be installed.

o The apache v1 and v2 packages can be installed and run side by side :)

o Some commands have a "2" suffix, and are thus easily confused with
  Apache 1 commands -- if you have an old apache (1.3) installation around.

o Edit /etc/sysconfig/apache2 to configure the list of modules to load,
  and other things. It is no longer required to run SuSEconfig after such
  changes. (In fact, SuSEconfig.apache2 no longer exists.)

o For building apache modules, there are 4 apxs commands (all come with
  the apache2-devel package):

  apxs2          builds a common module for all MPMs and installs to /usr/lib/apache2
  apxs2-prefork  builds for prefork and installs to /usr/lib/apache2-prefork
  apxs2-worker   builds for worker and installs to /usr/lib/apache2-worker

  If you build apache modules, the configure script might not find apxs,
  and you'll need an option like --with-apxs=apxs2[-worker, ...], or of
  course you can set a symlink to apxs2.
o The Apache Runtime (APR) is in the "libapr0" package (this package was
  named "apr" in the past (8.1)).

Choosing the right MPM for your application
===========================================

apache2-prefork is implemented with a prefork regime, while apache2-worker
uses a hybrid threaded/preforked model. Which one to use?

The short answer is:
- if in doubt, simply use prefork
- use prefork if you use mod_php4
- use worker if you need maximal performance with (possibly) less resources
  (smaller memory footprint of threads compared to the same number of
  processes)

The following nice article has a more in depth answer:
http://www.onlamp.com/pub/a/apache/2004/06/17/apacheckbk.html

See http://httpd.apache.org/docs-2.2/mpm.html and
http://httpd.apache.org/docs-2.2/misc/perf-tuning.html#compiletime for
more technical details.

In general, using a threaded MPM (worker) requires that all libraries that
are loaded into apache (and libraries loaded by them in turn) be threadsafe
as well. See http://httpd.apache.org/docs-2.2/developer/thread_safety.html
for a status on some libraries.

Upgrading from apache 1.3
=========================

For a smooth transition from apache 1.3, apache 2 is installable alongside
apache 1.3. There are a few modules for apache 1 that have not been ported
or tested enough for apache 2, but the most important modules are available
by now.

The mechanism of specifying modules to load into the server has been
cleaned up so that a reasonable default set of modules is loaded. (It is
not useful to load all available modules by default; it would make the
server quite big and slow. This matters all the more as the number of
modules in the apache base distribution keeps rising (about 50 at this
time).)

In previous apache packages (1.3), modules were activated by setting an
APACHE_MOD_XYZ variable to "yes" and running SuSEconfig. Nowadays, modules
are activated by adding them to the APACHE_MODULES variable in
/etc/sysconfig/apache2, and simply restarting apache.
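The a2enmod and a2enflag scripts above, and the module activation just described, all come down to one operation: add a word to, or remove it from, a space-separated variable in /etc/sysconfig/apache2. The package does this with its sysconf_addword helper, which is listed among the new files but not shown on this page. As an added example (not the package's sysconf_addword), here is a small POSIX shell reimplementation of that step, working on a constructed copy of the sysconfig file; make_sample_sysconfig, sysconf_words and sysconf_addword_demo are names chosen for this example. Unlike the scripts above, which hand their argument straight to the helper, it refuses a word that is not a plain module or file name before the word reaches sed, so a stray shell or sed metacharacter in an argument cannot rewrite more of the file than intended. It works for any such variable, including APACHE_SERVER_FLAGS and APACHE_CONF_INCLUDE_FILES.

```shell
#!/bin/sh
# Added example, not the package's sysconf_addword: add or remove one word in a
# space-separated variable of a sysconfig file, idempotently.

# Constructed stand-in for /etc/sysconfig/apache2; prints the temp file's path.
make_sample_sysconfig() {
    f=$(mktemp "${TMPDIR:-/tmp}/sysconfig-apache2.XXXXXX") || return 1
    cat > "$f" <<'EOF'
## Path:        Network/WWW/Apache2
## Description: Apache2 configuration (constructed sample)
APACHE_MODULES="actions alias auth_basic authn_file authz_host dir mime"
APACHE_SERVER_FLAGS="SSL"
APACHE_CONF_INCLUDE_FILES=""
EOF
    echo "$f"
}

# Print the value of VAR from FILE without sourcing the file.
sysconf_words() {  # file var
    sed -n "s/^$2=\"\(.*\)\"\$/\1/p" "$1" | head -n 1
}

# sysconf_addword_demo [-r] file var word
# Adds WORD to VAR (or removes it with -r). Returns 1 on a bad name.
sysconf_addword_demo() {
    remove=0
    if [ "$1" = "-r" ]; then remove=1; shift; fi
    file=$1; var=$2; word=$3
    # Only plain module or file names: no shell, sed or quote metacharacters.
    case $word in
        ''|*[!A-Za-z0-9._-]*) echo "invalid word: '$word'" >&2; return 1 ;;
    esac
    case $var in
        ''|*[!A-Za-z0-9_]*) echo "invalid variable: '$var'" >&2; return 1 ;;
    esac
    old=$(sysconf_words "$file" "$var")
    # Drop any existing copy of WORD, then re-append it unless removing.
    new=$(printf '%s\n' $old | grep -Fvx -- "$word" | tr '\n' ' ' | sed 's/ *$//')
    if [ "$remove" -eq 0 ]; then
        new="${new:+$new }$word"
    fi
    # Rewrite only the VAR= line; everything else in the file is untouched.
    sed "s|^$var=\".*\"\$|$var=\"$new\"|" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}
```

Typical use mirrors a2enmod: `sysconf_addword_demo "$f" APACHE_MODULES reqtimeout` enables a module, `sysconf_addword_demo -r "$f" APACHE_MODULES reqtimeout` disables it, and a second enable is a no-op rather than a duplicate entry.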
Building modules for apache 2
=============================

Because of the different MPMs, a mechanism is needed to build modules
specific to each of them. This can now be done with the apxs2, apxs2-worker
or apxs2-prefork script.

For a module's configure script, you would typically use
  --with-apxs=/usr/sbin/apxs2-prefork

In RPM spec files, you can use
  %define apxs apxs2
  %define apache_libexecdir %(%{apxs} -q libexecdir)
to build modules, or use apxs2-prefork (for instance) to build a module
specifically for the prefork MPM.

To further the example, apxs2-prefork will install a module below
/usr/lib/apache2-prefork/, while "apxs2" will install it below
/usr/lib/apache2/.

-a adds the module to APACHE_MODULES in /etc/sysconfig/apache2, which in
turn takes care of loading the module. Thus, usually you will only have to
call
  apxs2 -cia my_module.c
and all is fine.

--
Suggestions or bug reports (via http://bugzilla.novell.com/) are most welcome.

Mar 14 2005, Peter Poeml

++++++ apache2-README.QUICKSTART ++++++
This README is now online:
http://en.opensuse.org/Apache_Quickstart_HOWTO

General starting point:
http://www.opensuse.org/Apache

++++++ apache2-README.default-vhost ++++++
# provided by ChrisWi aka chris@computersalat.de

This is a short introduction about how to use the delivered
- default-vhost.conf
- default-vhost-ssl.conf
configuration files.

When using virtual hosts (vhosts) with apache, you want to have a "default"
config which points to your default hostname (FQDN). And when apache reads
its configs, our "default" configs should be read first.

To achieve this, adapt those config files and then add them to the
/etc/sysconfig/apache2 config like the following example:

# /etc/sysconfig/apache2
---- snip ----
# This allows you to add e.g. VirtualHost statements without touching
# /etc/apache2/httpd.conf itself, which makes upgrading easier.
#
APACHE_CONF_INCLUDE_FILES="default-vhost.conf default-vhost-ssl.conf"
---- snip ----

This way our "default" configs are read in before conf.d/* and vhosts.d/*

Have fun :)

++++++ apache2-check_forensic ++++++
#!/bin/sh

# check_forensic <forensic log file>
# Author: Peter Poeml <apache@suse.de>

# check the forensic log for requests that did not complete
# output the request log for each one

# This script is based on Ben Laurie's check_forensic, but is adjusted for GNU
# tools (as used on Linux) and it works in a safe tmpdir directory.
# todo: rewrite in a form that allows running on more operating systems.

F=${1:?give filename as argument. cannot read from stdin.}

tmpprefix=${TMPDIR:-/tmp}/check_forensic.XXXXXX
tdir=$(mktemp -d $tmpprefix); test $? = 0 || { echo >&2 Could not create tmpdir. Exiting; exit 1; }

cut -f 1 -d '|' $F > $tdir/fc-all.$$
grep ^+ < $tdir/fc-all.$$ | cut -c2- | sort > $tdir/fc-in.$$
grep -- ^- < $tdir/fc-all.$$ | cut -c2- | sort > $tdir/fc-out.$$
join -v 1 $tdir/fc-in.$$ $tdir/fc-out.$$ | xargs -ixx egrep "^\\+xx" $F
rm $tdir/fc-all.$$ $tdir/fc-in.$$ $tdir/fc-out.$$
rmdir $tdir

++++++ apache2-default-server.conf ++++++
#
# Global configuration that will be applicable for all virtual hosts, unless
# deleted here, or overridden elsewhere.
#

DocumentRoot "/srv/www/htdocs"

#
# Configure the DocumentRoot
#
<Directory "/srv/www/htdocs">
	# Possible values for the Options directive are "None", "All",
	# or any combination of:
	#   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
	#
	# Note that "MultiViews" must be named *explicitly* --- "Options All"
	# doesn't give it to you.
	#
	# The Options directive is both complicated and important. Please see
	# http://httpd.apache.org/docs-2.2/mod/core.html#options
	# for more information.
	Options None
	# AllowOverride controls what directives may be placed in .htaccess files.
	# It can be "All", "None", or any combination of the keywords:
	#   Options FileInfo AuthConfig Limit
	AllowOverride None
	# Controls who can get stuff from this server.
	Order allow,deny
	Allow from all
</Directory>

# Aliases: aliases can be added as needed (with no limit). The format is
# Alias fakename realname
#
# Note that if you include a trailing / on fakename then the server will
# require it to be present in the URL. So "/icons" isn't aliased in this
# example, only "/icons/". If the fakename is slash-terminated, then the
# realname must also be slash terminated, and if the fakename omits the
# trailing slash, the realname must also omit it.
#
# We include the /icons/ alias for FancyIndexed directory listings. If you
# do not use FancyIndexing, you may comment this out.
#
Alias /icons/ "/usr/share/apache2/icons/"

<Directory "/usr/share/apache2/icons">
	Options Indexes MultiViews
	AllowOverride None
	Order allow,deny
	Allow from all
</Directory>

# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the realname directory are treated as applications and
# run by the server when requested rather than as documents sent to the client.
# The same rules about trailing "/" apply to ScriptAlias directives as to
# Alias.
#
ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"

# "/srv/www/cgi-bin" should be changed to wherever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/srv/www/cgi-bin">
	AllowOverride None
	Options +ExecCGI -Includes
	Order allow,deny
	Allow from all
</Directory>

# UserDir: The name of the directory that is appended onto a user's home
# directory if a ~user request is received.
#
# To disable it, simply remove userdir from the list of modules in APACHE_MODULES
# in /etc/sysconfig/apache2.
#
<IfModule mod_userdir.c>
    # Note that the name of the user directory ("public_html") cannot simply be
    # changed here, since it is a compile time setting. The apache package
    # would have to be rebuilt. You could work around by deleting
    # /usr/sbin/suexec, but then all scripts from the directories would be
    # executed with the UID of the webserver.
    UserDir public_html
    # The actual configuration of the directory is in
    # /etc/apache2/mod_userdir.conf.
    Include /etc/apache2/mod_userdir.conf
    # You can, however, change the ~ if you find it awkward, by mapping e.g.
    # http://www.example.com/users/karl-heinz/ --> /home/karl-heinz/public_html/
    #AliasMatch ^/users/([a-zA-Z0-9-_.]*)/?(.*) /home/$1/public_html/$2
</IfModule>

# Include all *.conf files from /etc/apache2/conf.d/.
#
# This is mostly meant as a place for other RPM packages to drop in their
# configuration snippet.
#
# You can comment this out here if you want those bits included only in a
# certain virtual host, but not here.
#
Include /etc/apache2/conf.d/*.conf

# The manual... if it is installed ('?' means it won't complain)
Include /etc/apache2/conf.d/apache2-manual?conf

++++++ apache2-default-vhost-ssl.conf ++++++
#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailed information about these
# directives see <URL:http://httpd.apache.org/docs-2.2/mod/mod_ssl.html>
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned.
#
<IfDefine SSL>
<IfDefine !NOSSL>

##
## SSL Virtual Host Context
##

<VirtualHost _default_:443>

    #  General setup for the virtual host
    ServerName dummy-host.example.com
    ServerAdmin webmaster@dummy-host.example.com
    ServerAlias example.com www.example.com

    # DocumentRoot: The directory out of which you will serve your
    # documents. By default, all requests are taken from this directory, but
    # symbolic links and aliases may be used to point to other locations.
    DocumentRoot "/srv/www/htdocs"
    #ServerName www.example.com:443
    #ServerAdmin webmaster@example.com
    ErrorLog /var/log/apache2/error_log
    TransferLog /var/log/apache2/access_log

    #   SSL Engine Switch:
    #   Enable/Disable SSL for this virtual host.
    SSLEngine on

    #   SSL Protocol support:
    #   4 possible values: All, SSLv2, SSLv3, TLSv1. Allow TLS and SSLv3:
    #   List the protocol versions which clients are allowed to
    #   connect with. Disable SSLv2 by default (cf. RFC 6176).
    SSLProtocol all -SSLv2

    #   SSL Cipher Suite:
    #   List the ciphers that the client is permitted to negotiate.
    #   See the mod_ssl documentation for a complete list.
    #
    #   Weak ciphers are disabled by default.
    #   Please see the documentation via the links above, and
    #   "openssl ciphers -v" for a complete list of ciphers that are
    #   available.
    #
    #   The following default should work with openssl running in FIPS
    #   mode.
    #       OPENSSL_FORCE_FIPS_MODE=1 rcapache2 restart
    #   will start the web server with FIPS mode in openssl.
    #   For more information, please have a look at
    #   /usr/share/doc/packages/openssl/README-FIPS.txt from the openssl
    #   package.
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

    #   Speed-optimized SSL Cipher configuration:
    #   If speed is your main concern (on busy HTTPS servers e.g.),
    #   you might want to force clients to specific, performance
    #   optimized ciphers. In this case, prepend those ciphers
    #   to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
    #   Caveat: by giving precedence to RC4-SHA and AES128-SHA
    #   (as in the example below), most connections will no longer
    #   have perfect forward secrecy - if the server's key is
    #   compromised, captures of past or future traffic must be
    #   considered compromised, too.
    #SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
    #SSLHonorCipherOrder on

    #   Server Certificate:
    #   Point SSLCertificateFile at a PEM encoded certificate.  If
    #   the certificate is encrypted, then you will be prompted for a
    #   pass phrase.  Note that a kill -HUP will prompt again.  Keep
    #   in mind that if you have both an RSA and a DSA certificate you
    #   can configure both in parallel (to also allow the use of DSA
    #   ciphers, etc.)
    SSLCertificateFile /etc/apache2/ssl.crt/server.crt
    #SSLCertificateFile /etc/apache2/ssl.crt/server-dsa.crt

    #   Server Private Key:
    #   If the key is not combined with the certificate, use this
    #   directive to point at the key file.  Keep in mind that if
    #   you've both a RSA and a DSA private key you can configure
    #   both in parallel (to also allow the use of DSA ciphers, etc.)
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
    #SSLCertificateKeyFile /etc/apache2/ssl.key/server-dsa.key

    #   Server Certificate Chain:
    #   Point SSLCertificateChainFile at a file containing the
    #   concatenation of PEM encoded CA certificates which form the
    #   certificate chain for the server certificate. Alternatively
    #   the referenced file can be the same as SSLCertificateFile
    #   when the CA certificates are directly appended to the server
    #   certificate for convenience.
    #SSLCertificateChainFile /etc/apache2/ssl.crt/ca.crt

    #   Certificate Authority (CA):
    #   Set the CA certificate verification path where to find CA
    #   certificates for client authentication or alternatively one
    #   huge file containing all of them (file must be PEM encoded)
    #   Note: Inside SSLCACertificatePath you need hash symlinks
    #         to point to the certificate files. Use the provided
    #         Makefile to update the hash symlinks after changes.
    #SSLCACertificatePath /etc/apache2/ssl.crt
    #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

    #   Certificate Revocation Lists (CRL):
    #   Set the CA revocation path where to find CA CRLs for client
    #   authentication or alternatively one huge file containing all
    #   of them (file must be PEM encoded)
    #   Note: Inside SSLCARevocationPath you need hash symlinks
    #         to point to the certificate files. Use the provided
    #         Makefile to update the hash symlinks after changes.
    #SSLCARevocationPath /etc/apache2/ssl.crl
    #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

    #   Client Authentication (Type):
    #   Client certificate verification type and depth.  Types are
    #   none, optional, require and optional_no_ca.  Depth is a
    #   number which specifies how deeply to verify the certificate
    #   issuer chain before deciding the certificate is not valid.
    #SSLVerifyClient require
    #SSLVerifyDepth  10

    #   Access Control:
    #   With SSLRequire you can do per-directory access control based
    #   on arbitrary complex boolean expressions containing server
    #   variable checks and other lookup directives.  The syntax is a
    #   mixture between C and Perl.  See the mod_ssl documentation
    #   for more details.
    #<Location />
    #SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
    #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
    #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
    #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
    #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
    #           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
    #</Location>

    #   SSL Engine Options:
    #   Set various options for the SSL engine.
    #   o FakeBasicAuth:
    #     Translate the client X.509 into a Basic Authorisation.  This means that
    #     the standard Auth/DBMAuth methods can be used for access control.  The
    #     user name is the `one line' version of the client's X.509 certificate.
    #     Note that no password is obtained from the user. Every entry in the user
    #     file needs this password: `xxj31ZMTZzkVA'.
    #   o ExportCertData:
    #     This exports two additional environment variables: SSL_CLIENT_CERT and
    #     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
    #     server (always existing) and the client (only existing when client
    #     authentication is used). This can be used to import the certificates
    #     into CGI scripts.
    #   o StdEnvVars:
    #     This exports the standard SSL/TLS related `SSL_*' environment variables.
    #     Per default this exportation is switched off for performance reasons,
    #     because the extraction step is an expensive operation and is usually
    #     useless for serving static content. So one usually enables the
    #     exportation for CGI and SSI requests only.
    #   o StrictRequire:
    #     This denies access when "SSLRequireSSL" or "SSLRequire" is applied even
    #     under a "Satisfy any" situation, i.e. when it applies access is denied
    #     and no other module can change it.
    #   o OptRenegotiate:
    #     This enables optimized SSL connection renegotiation handling when SSL
    #     directives are used in per-directory context.
    #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/srv/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    <Directory "/srv/www/htdocs">
        AllowOverride None
        #Options +Indexes +MultiViews +FollowSymLinks
        Options -Indexes -MultiViews +FollowSymLinks
        #IndexOptions FancyIndexing
        #AuthName "Top Secret on dummy-host.example.com"
        #AuthType Basic
        #AuthUserFile /srv/www/passwd/default
        #
        # Controls who can get stuff from this server.
        #
        #<limit GET POST>
        #    Require valid-user
        #    Order Deny,Allow
        #    Deny from All
        #    Allow from 127.0.0.1
        #    Allow from .example.com
        #    Satisfy any
        #</limit>
    </Directory>

    #   SSL Protocol Adjustments:
    #   The safe and default but still SSL/TLS standard compliant shutdown
    #   approach is that mod_ssl sends the close notify alert but doesn't wait for
    #   the close notify alert from client.
    #   When you need a different shutdown
    #   approach you can use one of the following variables:
    #   o ssl-unclean-shutdown:
    #     This forces an unclean shutdown when the connection is closed, i.e. no
    #     SSL close notify alert is sent or allowed to be received.  This violates
    #     the SSL/TLS standard but is needed for some brain-dead browsers. Use
    #     this when you receive I/O errors because of the standard approach where
    #     mod_ssl sends the close notify alert.
    #   o ssl-accurate-shutdown:
    #     This forces an accurate shutdown when the connection is closed, i.e. a
    #     SSL close notify alert is sent and mod_ssl waits for the close notify
    #     alert of the client. This is 100% SSL/TLS standard compliant, but in
    #     practice often causes hanging connections with brain-dead browsers. Use
    #     this only for browsers where you know that their SSL implementation
    #     works correctly.
    #   Notice: Most problems of broken clients are also related to the HTTP
    #   keep-alive facility, so you usually additionally want to disable
    #   keep-alive for those clients, too. Use variable "nokeepalive" for this.
    #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
    #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
    #   "force-response-1.0" for this.
    BrowserMatch "MSIE [2-5]" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0

    #   Per-Server Logging:
    #   The home of a custom SSL log file. Use this when you want a
    #   compact non-error SSL logfile on a virtual host basis.
    CustomLog /var/log/apache2/ssl_request_log   ssl_combined

    #
    # some Rewrite stuff for sharedssl
    #
    #RewriteEngine on
    ##RewriteLog "/var/log/apache2/dummy-host.example.com-rewrite-ssl_log"
    ##RewriteLogLevel 3
    #RewriteCond %{HTTP_HOST} ^webmail\..* [NC]
    #RewriteRule ^/$ https://sharedssl.example.com/roundcube/ [L,R]
    #RewriteRule ^/$ /roundcube [R]

</VirtualHost>

</IfDefine>
</IfDefine>

++++++ apache2-default-vhost.conf ++++++
#
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for requests without a known
# server name.
#
<VirtualHost _default_:80>
    ServerName dummy-host.example.com
    ServerAdmin webmaster@dummy-host.example.com
    ServerAlias example.com www.example.com

    # DocumentRoot: The directory out of which you will serve your
    # documents. By default, all requests are taken from this directory, but
    # symbolic links and aliases may be used to point to other locations.
    DocumentRoot "/srv/www/htdocs"

    # if not specified, the global error log is used
    ErrorLog /var/log/apache2/dummy-host.example.com-error_log
    CustomLog /var/log/apache2/dummy-host.example.com-access_log combined

    # don't lose time with IP address lookups
    HostnameLookups Off

    # needed for named virtual hosts
    UseCanonicalName Off

    # configures the footer on server-generated documents
    ServerSignature On

    # Optionally, include *.conf files from /etc/apache2/conf.d/
    #
    # For example, to allow execution of PHP scripts:
    #
    # Include /etc/apache2/conf.d/mod_php4.conf
    #
    # or, to include all configuration snippets added by packages:
    # Include /etc/apache2/conf.d/*.conf

    # ScriptAlias: This controls which directories contain server scripts.
    # ScriptAliases are essentially the same as Aliases, except that
    # documents in the realname directory are treated as applications and
    # run by the server when requested rather than as documents sent to the client.
    # The same rules about trailing "/" apply to ScriptAlias directives as to
    # Alias.
    #
    ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"

    # "/srv/www/cgi-bin" should be changed to wherever your ScriptAliased
    # CGI directory exists, if you have one, and where ScriptAlias points to.
    #
    <Directory "/srv/www/cgi-bin">
        AllowOverride None
        Options +ExecCGI -Includes
        Order allow,deny
        Allow from all
    </Directory>

    # UserDir: The name of the directory that is appended onto a user's home
    # directory if a ~user request is received.
    #
    # To disable it, simply remove userdir from the list of modules in APACHE_MODULES
    # in /etc/sysconfig/apache2.
    #
    <IfModule mod_userdir.c>
        # Note that the name of the user directory ("public_html") cannot simply be
        # changed here, since it is a compile time setting. The apache package
        # would have to be rebuilt. You could work around by deleting
        # /usr/sbin/suexec, but then all scripts from the directories would be
        # executed with the UID of the webserver.
        UserDir public_html
        # The actual configuration of the directory is in
        # /etc/apache2/mod_userdir.conf.
        Include /etc/apache2/mod_userdir.conf
        # You can, however, change the ~ if you find it awkward, by mapping e.g.
        # http://www.example.com/users/karl-heinz/ --> /home/karl-heinz/public_html/
        #AliasMatch ^/users/([a-zA-Z0-9-_.]*)/?(.*) /home/$1/public_html/$2
    </IfModule>

    #
    # This should be changed to whatever you set DocumentRoot to.
    #
    <Directory "/srv/www/htdocs">
        #
        # Possible values for the Options directive are "None", "All",
        # or any combination of:
        #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
        #
        # Note that "MultiViews" must be named *explicitly* --- "Options All"
        # doesn't give it to you.
        #
        # The Options directive is both complicated and important.  Please see
        # http://httpd.apache.org/docs-2.2/mod/core.html#options
        # for more information.
        #
        Options +Indexes +MultiViews +FollowSymLinks
        IndexOptions FancyIndexing

        #
        # AllowOverride controls what directives may be placed in .htaccess files.
        # It can be "All", "None", or any combination of the keywords:
        #   Options FileInfo AuthConfig Limit
        #
        AllowOverride None

        #
        # Controls who can get stuff from this server.
        #
        Order allow,deny
        Allow from all
    </Directory>

    #
    # some Rewrite stuff for sharedssl
    #
    #RewriteEngine on
    ##RewriteLog "/var/log/apache2/dummy-host.example.com-rewrite_log"
    ##RewriteLogLevel 3
    #RewriteCond %{HTTP_HOST} ^sharedssl\.* [OR]
    #RewriteRule ^/$ https://sharedssl.example.com/$1 [L,R]

</VirtualHost>

++++++ apache2-errors.conf ++++++
#
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
#
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#

#
# Putting this all together, we can internationalize error responses.
#
# We use Alias to redirect any /error/HTTP_<error>.html.var response to
# our collection of by-error message multi-language collections.  We use
# includes to substitute the appropriate text.
#
# You can modify the messages' appearance without changing any of the
# default HTTP_<error>.html.var files by adding the line:
#
#   Alias /error/include/ "/your/include/path/"
#
# which allows you to create your own set of files by starting with the
# /usr/share/apache2/error/include/ files and copying them to /your/include/path/,
# even on a per-VirtualHost basis.  The default include files will display
# your Apache version number and your ServerAdmin email address regardless
# of the setting of ServerSignature.
#
# The internationalized error documents require mod_alias, mod_include
# and mod_negotiation.  To activate them, uncomment the following 30 lines.
Alias /error/ "/usr/share/apache2/error/"

<IfModule mod_negotiation.c>
<IfModule mod_include.c>
    <Directory "/usr/share/apache2/error">
        AllowOverride None
        Options IncludesNoExec
        AddOutputFilter Includes html
        AddHandler type-map var
        Order allow,deny
        Allow from all
        LanguagePriority en cs de es fr it ja ko nl pl pt-br ro sv tr
        ForceLanguagePriority Prefer Fallback
    </Directory>

    ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
    ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
    ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
    ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
    ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var
    ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var
    ErrorDocument 410 /error/HTTP_GONE.html.var
    ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var
    ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var
    ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
    ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var
    ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var
    ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var
    ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var
    ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var
    ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var
    ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var

</IfModule>
</IfModule>

++++++ apache2-httpd.conf ++++++
#
# /etc/apache2/httpd.conf
#
# This is the main Apache server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs-2.2/> for detailed information about
# the directives.

# Based upon the default apache configuration file that ships with apache,
# which is based upon the NCSA server configuration files originally by Rob
# McCool. This file was knocked together by Peter Poeml <poeml+apache@suse.de>.

# If possible, avoid changes to this file.
# It does mainly contain Include
# statements and global settings that can/should be overridden in the
# configuration of your virtual hosts.

# Quickstart guide:
# http://en.opensuse.org/Apache_Quickstart_HOWTO

# Overview of include files, chronologically:
#
# httpd.conf
#  |
#  |-- uid.conf  . . . . . . . . . . . . . .  UserID/GroupID to run under
#  |-- server-tuning.conf  . . . . . . . . .  sizing of the server (how many processes to start, ...)
#  |-- sysconfig.d/loadmodule.conf . . . . .  [*] load these modules
#  |-- listen.conf . . . . . . . . . . . . .  IP addresses / ports to listen on
#  |-- mod_log_config.conf . . . . . . . . .  define logging formats
#  |-- sysconfig.d/global.conf . . . . . . .  [*] server-wide general settings
#  |-- mod_status.conf . . . . . . . . . . .  restrict access to mod_status (server monitoring)
#  |-- mod_info.conf . . . . . . . . . . . .  restrict access to mod_info
#  |-- mod_usertrack.conf  . . . . . . . . .  defaults for cookie-based user tracking
#  |-- mod_autoindex-defaults.conf . . . . .  defaults for displaying of server-generated directory listings
#  |-- mod_mime-defaults.conf  . . . . . . .  defaults for mod_mime configuration
#  |-- errors.conf . . . . . . . . . . . . .  customize error responses
#  |-- ssl-global.conf . . . . . . . . . . .  SSL conf that applies to default server _and all_ virtual hosts
#  |
#  |-- default-server.conf . . . . . . . . .  set up the default server that replies to non-virtual-host requests
#  |    |--mod_userdir.conf  . . . . . . . .  enable UserDir (if mod_userdir is loaded)
#  |    `--conf.d/apache2-manual?conf  . . .  add the docs ('?' = if installed)
#  |
#  |-- sysconfig.d/include.conf  . . . . . .  [*] your include files
#  |    (for each file to be included here, put its name
#  |     into APACHE_INCLUDE_* in /etc/sysconfig/apache2)
#  |
#  `-- vhosts.d/ . . . . . . . . . . . . . .  for each virtual host, place one file here
#       `-- *.conf  . . . . . . . . . . . . .
#                                            (*.conf is automatically included)
#
#
# Files marked [*] are created from sysconfig upon server restart: instead of
# these files, you edit /etc/sysconfig/apache2

# Filesystem layout:
#
# /etc/apache2/
#  |-- charset.conv  . . . . . . . . . . . .  for mod_auth_ldap
#  |-- conf.d/
#  |    |-- apache2-manual.conf  . . . . . .  conf that comes with apache2-doc
#  |    |-- mod_php4.conf  . . . . . . . . .  (example) conf that comes with apache2-mod_php4
#  |    `-- ... . . . . . . . . . . . . . . .  other configuration added by packages
#  |-- default-server.conf
#  |-- errors.conf
#  |-- httpd.conf  . . . . . . . . . . . . .  top level configuration file
#  |-- listen.conf
#  |-- magic
#  |-- mime.types -> ../mime.types
#  |-- mod_autoindex-defaults.conf
#  |-- mod_info.conf
#  |-- mod_log_config.conf
#  |-- mod_mime-defaults.conf
#  |-- mod_perl-startup.pl
#  |-- mod_status.conf
#  |-- mod_userdir.conf
#  |-- mod_usertrack.conf
#  |-- server-tuning.conf
#  |-- ssl-global.conf
#  |-- ssl.crl/  . . . . . . . . . . . . . .  PEM-encoded X.509 Certificate Revocation Lists (CRL)
#  |-- ssl.crt/  . . . . . . . . . . . . . .  PEM-encoded X.509 Certificates
#  |-- ssl.csr/  . . . . . . . . . . . . . .  PEM-encoded X.509 Certificate Signing Requests
#  |-- ssl.key/  . . . . . . . . . . . . . .  PEM-encoded RSA Private Keys
#  |-- ssl.prm/  . . . . . . . . . . . . . .  public DSA Parameter Files
#  |-- sysconfig.d/  . . . . . . . . . . . .  files that are created from /etc/sysconfig/apache2
#  |    |-- global.conf
#  |    |-- include.conf
#  |    `-- loadmodule.conf
#  |-- uid.conf
#  `-- vhosts.d/ . . . . . . . . . . . . . .  put your virtual host configuration (*.conf) here
#       |-- vhost-ssl.template
#       `-- vhost.template


### Global Environment ######################################################
#
# The directives in this section affect the overall operation of Apache,
# such as the number of concurrent requests.
# run under this user/group id
Include /etc/apache2/uid.conf

# - how many server processes to start (server pool regulation)
# - usage of KeepAlive
Include /etc/apache2/server-tuning.conf

# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
ErrorLog /var/log/apache2/error_log

# generated from APACHE_MODULES in /etc/sysconfig/apache2
Include /etc/apache2/sysconfig.d/loadmodule.conf

# IP addresses / ports to listen on
Include /etc/apache2/listen.conf

# predefined logging formats
Include /etc/apache2/mod_log_config.conf

# generated from global settings in /etc/sysconfig/apache2
Include /etc/apache2/sysconfig.d/global.conf

# optional mod_status, mod_info
Include /etc/apache2/mod_status.conf
Include /etc/apache2/mod_info.conf

# optional cookie-based user tracking
# read the documentation before using it!!
Include /etc/apache2/mod_usertrack.conf

# configuration of server-generated directory listings
Include /etc/apache2/mod_autoindex-defaults.conf

# associate MIME types with filename extensions
TypesConfig /etc/apache2/mime.types
DefaultType text/plain
Include /etc/apache2/mod_mime-defaults.conf

# set up (customizable) error responses
Include /etc/apache2/errors.conf

# global (server-wide) SSL configuration, that is not specific to
# any virtual host
Include /etc/apache2/ssl-global.conf

# forbid access to the entire filesystem by default
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

# use .htaccess files for overriding,
AccessFileName .htaccess
# and never show them
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

# List of resources to look for when the client requests a directory
DirectoryIndex index.html index.html.var


### 'Main' server configuration #############################################
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition.  These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#
Include /etc/apache2/default-server.conf

# Another way to include your own files
#
# The file below is generated from /etc/sysconfig/apache2,
# include arbitrary files as named in APACHE_CONF_INCLUDE_FILES and
# APACHE_CONF_INCLUDE_DIRS
Include /etc/apache2/sysconfig.d/include.conf


### Virtual server configuration ############################################
#
# VirtualHost: If you want to maintain multiple domains/hostnames on your
# machine you can setup VirtualHost containers for them.
# Most configurations
# use only name-based virtual hosts so the server doesn't need to worry about
# IP addresses. This is indicated by the asterisks in the directives below.
#
# Please see the documentation at
# <URL:http://httpd.apache.org/docs-2.2/vhosts/>
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host
# configuration.
#
Include /etc/apache2/vhosts.d/*.conf

# Note: instead of adding your own configuration here, consider
#       adding it in your own file (/etc/apache2/httpd.conf.local)
#       putting its name into APACHE_CONF_INCLUDE_FILES in
#       /etc/sysconfig/apache2 -- this will make system updates
#       easier :)

++++++ apache2-listen.conf ++++++
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports. See also the <VirtualHost> directive.
#
# http://httpd.apache.org/docs-2.2/mod/mpm_common.html#listen
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
#
# When we also provide SSL we have to listen to the
# standard HTTP port (see above) and to the HTTPS port
#
# Note: Configurations that use IPv6 but not IPv4-mapped addresses need two
#       Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443"
#
#Listen 12.34.56.78:80
#Listen 80
#Listen 443

Listen 80

<IfDefine SSL>
    <IfDefine !NOSSL>
        <IfModule mod_ssl.c>

            Listen 443

        </IfModule>
    </IfDefine>
</IfDefine>

# Use name-based virtual hosting
#
# - on a specified address / port:
#
#NameVirtualHost 12.34.56.78:80
#
# - name-based virtual hosting:
#
#NameVirtualHost *:80
#
# - on all addresses and ports. This is your best bet when you are on
#   dynamically assigned IP addresses:
#
#NameVirtualHost *

++++++ apache2-manual.conf ++++++
#
# This configuration file belongs to the apache2-doc package.
#
# The alias provides the manual, even if you choose to move your DocumentRoot.
# Comment this out if you do not care for the documentation.
#
AliasMatch ^/manual(?:/(?:de|en|es|fr|ja|ko|ru))?(/.*)?$ "/usr/share/apache2/manual$1"

<Directory "/usr/share/apache2/manual">
    Options Indexes
    AllowOverride None
    Order allow,deny
    Allow from all

    <Files *.html>
        SetHandler type-map
    </Files>

    SetEnvIf Request_URI ^/manual/(de|en|es|fr|ja|ko|ru)/ prefer-language=$1
    RedirectMatch 301 ^/manual(?:/(de|en|es|fr|ja|ko|ru)){2,}(/.*)?$ /manual/$1$2
</Directory>

++++++ apache2-mod_autoindex-defaults.conf ++++++
#
# Directives controlling the display of server-generated directory listings.
#
# see http://httpd.apache.org/docs-2.2/mod/mod_autoindex.html
#
<IfModule mod_autoindex.c>

IndexOptions FancyIndexing VersionSort NameWidth=*

# Add Last-Modified and ETag values for the listed directory in the HTTP header,
# based on files' modification dates
#IndexOptions +TrackModified

AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip

AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*

AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core

AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^

DefaultIcon /icons/unknown.gif

ReadmeName README.html
HeaderName HEADER.html

IndexIgnore .??* *~ *# HEADER* RCS CVS *,v *,t

</IfModule>

++++++ apache2-mod_info.conf ++++++
#
# Allow remote server configuration reports, with the URL of
# http://servername/server-info (requires that mod_info.c be loaded).
#
# see http://httpd.apache.org/docs-2.2/mod/mod_info.html
#
<IfModule mod_info.c>
    <Location /server-info>
        SetHandler server-info
        Order deny,allow
        Deny from all
        Allow from localhost
    </Location>
</IfModule>

++++++ apache2-mod_log_config.conf ++++++
#
# The following directives define some format nicknames for use with
# a CustomLog directive.
#
# http://httpd.apache.org/docs-2.2/mod/mod_log_config.html
#

# Format string:                                        Nickname:
#
LogFormat "%h %l %u %t \"%r\" %>s %b"                   common
LogFormat "%v %h %l %u %t \"%r\" %>s %b"                vhost_common
LogFormat "%{Referer}i -> %U"                           referer
LogFormat "%{User-agent}i"                              agent
LogFormat "%h %l %u %t \"%r\" %>s %b \
\"%{Referer}i\" \"%{User-Agent}i\""                     combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b \
\"%{Referer}i\" \"%{User-Agent}i\""                     vhost_combined

# To use %I and %O, you need to enable mod_logio
<IfModule mod_logio.c>
    LogFormat "%h %l %u %t \"%r\" %>s %b \
\"%{Referer}i\" \"%{User-Agent}i\" %I %O"               combinedio
</IfModule>

# Use one of these when you want a compact non-error SSL logfile on a virtual
# host basis:
<IfModule mod_ssl.c>
    LogFormat "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \
\"%r\" %b"                                              ssl_common
    LogFormat "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \
\"%r\" %b \"%{Referer}i\" \"%{User-Agent}i\""           ssl_combined
</IfModule>

++++++ apache2-mod_mime-defaults.conf ++++++
#
# mod_mime configuration:
# associate various bits of "meta information" with files by their filename extensions
#
# see http://httpd.apache.org/docs-2.2/mod/mod_mime.html
#

# Catalan (ca) - Croatian (hr) - Czech (cs) - Danish (da) - Dutch (nl)
# English (en) -
# Esperanto (eo) - Estonian (et) - French (fr) - German (de)
# Greek-Modern (el) - Hebrew (he) - Italian (it) - Japanese (ja)
# Korean (ko) - Luxembourgeois* (ltz) - Norwegian Nynorsk (nn)
# Norwegian (no) - Polish (pl) - Portuguese (pt)
# Brazilian Portuguese (pt-BR) - Russian (ru) - Swedish (sv)
# Simplified Chinese (zh-CN) - Spanish (es) - Traditional Chinese (zh-TW)
#
AddLanguage ca .ca
AddLanguage cs .cz .cs
AddLanguage da .dk
AddLanguage de .de
AddLanguage el .el
AddLanguage en .en
AddLanguage eo .eo
AddLanguage es .es
AddLanguage et .et
AddLanguage fr .fr
AddLanguage he .he
AddLanguage hr .hr
AddLanguage it .it
AddLanguage ja .ja
AddLanguage ko .ko
AddLanguage ltz .ltz
AddLanguage nl .nl
AddLanguage nn .nn
AddLanguage no .no
AddLanguage pl .po
AddLanguage pt .pt
AddLanguage pt-BR .pt-br
AddLanguage ru .ru
AddLanguage sv .sv
AddLanguage zh-CN .zh-cn
AddLanguage zh-TW .zh-tw

#
# LanguagePriority allows you to give precedence to some languages
# in case of a tie during content negotiation.
#
# Just list the languages in decreasing order of preference. We have
# more or less alphabetized them here. You probably want to change this.
#
<IfModule mod_negotiation.c>
    LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv zh-CN zh-TW

    #
    # ForceLanguagePriority allows you to serve a result page rather than
    # MULTIPLE CHOICES (Prefer) [in case of a tie] or NOT ACCEPTABLE (Fallback)
    # [in case no accepted languages matched the available variants]
    #
    ForceLanguagePriority Prefer Fallback
</IfModule>

#
# Commonly used filename extensions to character sets. You probably
# want to avoid clashes with the language extensions, unless you
# are good at carefully testing your setup after each change.
# See http://www.iana.org/assignments/character-sets for the
# official list of charset names and their respective RFCs.
#
AddCharset ISO-8859-1 .iso8859-1 .latin1
AddCharset ISO-8859-2 .iso8859-2 .latin2 .cen
AddCharset ISO-8859-3 .iso8859-3 .latin3
AddCharset ISO-8859-4 .iso8859-4 .latin4
AddCharset ISO-8859-5 .iso8859-5 .latin5 .cyr .iso-ru
AddCharset ISO-8859-6 .iso8859-6 .latin6 .arb
AddCharset ISO-8859-7 .iso8859-7 .latin7 .grk
AddCharset ISO-8859-8 .iso8859-8 .latin8 .heb
AddCharset ISO-8859-9 .iso8859-9 .latin9 .trk
AddCharset ISO-2022-JP .iso2022-jp .jis
AddCharset ISO-2022-KR .iso2022-kr .kis
AddCharset ISO-2022-CN .iso2022-cn .cis
AddCharset Big5 .Big5 .big5
# For Russian, more than one charset is used (depends on client, mostly):
AddCharset WINDOWS-1251 .cp-1251 .win-1251
AddCharset CP866 .cp866
AddCharset KOI8-r .koi8-r .koi8-ru
AddCharset KOI8-ru .koi8-uk .ua
AddCharset ISO-10646-UCS-2 .ucs2
AddCharset ISO-10646-UCS-4 .ucs4
AddCharset UTF-8 .utf8

# The set below does not map to a specific (iso) standard
# but works on a fairly wide range of browsers. Note that
# capitalization actually matters (it should not, but it
# does for some browsers).
#
# See http://www.iana.org/assignments/character-sets
# for a list of sorts. But browsers support few.
#
AddCharset GB2312 .gb2312 .gb
AddCharset utf-7 .utf7
AddCharset utf-8 .utf8
AddCharset big5 .big5 .b5
AddCharset EUC-TW .euc-tw
AddCharset EUC-JP .euc-jp
AddCharset EUC-KR .euc-kr
AddCharset shift_jis .sjis

#
# AddType allows you to add to or override the MIME configuration
# file mime.types for specific file types.
#
#AddType application/x-tar .tgz

#
# AddEncoding allows you to have certain browsers uncompress
# information on the fly. Note: Not all browsers support this.
# Despite the name similarity, the following Add* directives have nothing
# to do with the FancyIndexing customization directives above.
#
#AddEncoding x-compress .Z
#AddEncoding x-gzip .gz .tgz

#
# If the AddEncoding directives above are commented-out, then you
# probably should define those extensions to indicate media types:
#
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz

# Shortcut icons don't seem to be registered by IANA yet, but they
# are so commonly used that we add them here.
Addtype image/x-icon .ico

# Zipped SVG files (.svgz) are not registered by IANA yet, and we should hint
# clients about their encoding
AddType image/svg+xml .svg .svgz
AddEncoding gzip .svgz

#
# For type maps (negotiated resources):
# (This is enabled by default to allow the Apache "It Worked" page
# to be distributed in multiple languages.)
#
AddHandler type-map var

#
# Filters allow you to process content before it is sent to the client.
#
# To parse .shtml files for server-side includes (SSI):
# (You will also need to add "Includes" to the "Options" directive.)
#
#AddType text/html .shtml
#AddOutputFilter INCLUDES .shtml

# Guess the MIME type of a file by looking at a few bytes of its contents
# http://httpd.apache.org/docs-2.2/mod/mod_mime_magic.html
<IfModule mod_mime_magic.c>
    MIMEMagicFile /etc/apache2/magic
</IfModule>
++++++ apache2-mod_reqtimeout.conf ++++++
#
# Set timeout and minimum data rate for receiving requests to limit
# the effects of denial of service attacks that connect, but let the
# server wait for the completion of the request, thereby allocating
# resources. The most common name for this attack method is
# slowloris.
#
# mod_reqtimeout.c must be loaded.
#
# see https://httpd.apache.org/docs/2.2/mod/mod_reqtimeout.html
# or /usr/share/apache2/manual/mod/mod_reqtimeout.html.en
#
# Note:
# the RequestReadTimeout directive can also be placed into a
# virtual host context.
#
# Play around with variations of the below values if you are
# under attack from slowloris or a similar tool.
<IfModule mod_reqtimeout.c> # allow 10s timeout for the headers and allow 1s more until 20s upon # receipt of 1000 bytes. # almost the same with the body, except that it is tricky to # limit the request timeout within the body at all - it may take # time to generate the body. RequestReadTimeout header=10-20,MinRate=1000 body=20,MinRate=1000 </IfModule> ++++++ apache2-mod_ssl_npn.patch ++++++ # This patch adds hooks for Next Protocol Negotiation (NPN) into mod_ssl. This # change is under review to be included in Apache trunk: # https://issues.apache.org/bugzilla/show_bug.cgi?id=52210 # But until it becomes part of an Apache 2.2 release, we need to apply the patch # ourselves. Index: modules/ssl/ssl_private.h =================================================================== --- modules/ssl/ssl_private.h (revision 1202283) +++ modules/ssl/ssl_private.h (working copy) @@ -603,6 +603,7 @@ #ifndef OPENSSL_NO_TLSEXT int ssl_callback_ServerNameIndication(SSL *, int *, modssl_ctx_t *); #endif +int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len, void *arg); /** Session Cache Support */ void ssl_scache_init(server_rec *, apr_pool_t *); @@ -714,4 +715,3 @@ #endif /* SSL_PRIVATE_H */ /** @} */ - Index: modules/ssl/ssl_engine_init.c =================================================================== --- modules/ssl/ssl_engine_init.c (revision 1202283) +++ modules/ssl/ssl_engine_init.c (working copy) @@ -559,6 +559,11 @@ SSL_CTX_set_tmp_dh_callback(ctx, ssl_callback_TmpDH); SSL_CTX_set_info_callback(ctx, ssl_callback_Info); + +#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) + SSL_CTX_set_next_protos_advertised_cb( + ctx, ssl_callback_AdvertiseNextProtos, NULL); +#endif } static void ssl_init_ctx_verify(server_rec *s, 
@@ -1352,4 +1357,3 @@ return APR_SUCCESS; } - Index: modules/ssl/ssl_engine_io.c =================================================================== --- modules/ssl/ssl_engine_io.c (revision 1202283) +++ modules/ssl/ssl_engine_io.c (working copy) @@ -338,6 +338,7 @@ apr_pool_t *pool; char buffer[AP_IOBUFSIZE]; ssl_filter_ctx_t *filter_ctx; + int npn_finished; /* 1 if NPN has finished, 0 otherwise */ } bio_filter_in_ctx_t; /* @@ -1409,6 +1410,21 @@ APR_BRIGADE_INSERT_TAIL(bb, bucket); } + /* By this point, Next Protocol Negotiation (NPN) should be completed (if + * our version of OpenSSL supports it). If we haven't already, find out + * which protocol was decided upon and inform other modules by calling + * npn_proto_negotiated_hook. */ + if (!inctx->npn_finished) { + inctx->npn_finished = 1; +#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) + const unsigned char *next_proto = NULL; + unsigned next_proto_len = 0; + SSL_get0_next_proto_negotiated(inctx->ssl, &next_proto, + &next_proto_len); + ssl_run_npn_proto_negotiated_hook(f->c, next_proto, next_proto_len); +#endif + } + return APR_SUCCESS; } @@ -1753,6 +1769,7 @@ inctx->block = APR_BLOCK_READ; inctx->pool = c->pool; inctx->filter_ctx = filter_ctx; + inctx->npn_finished = 0; } void ssl_io_filter_init(conn_rec *c, SSL *ssl) Index: modules/ssl/ssl_engine_kernel.c =================================================================== --- modules/ssl/ssl_engine_kernel.c (revision 1202283) +++ modules/ssl/ssl_engine_kernel.c (working copy) 
@@ -1969,6 +1969,77 @@ } } +/* + * This callback function is executed when SSL needs to decide what protocols + * to advertise during Next Protocol Negotiation (NPN). It must produce a + * string in wire format -- a sequence of length-prefixed strings -- indicating + * the advertised protocols. Refer to SSL_CTX_set_next_protos_advertised_cb + * in OpenSSL for reference. + */ +int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out, + unsigned int *size_out, void *arg) +{ + *data_out = NULL; + *size_out = 0; + + /* Get the connection object. If it's not available, then there's nothing + * for us to do. */ + conn_rec *c = (conn_rec*)SSL_get_app_data(ssl); + if (c == NULL) { + return SSL_TLSEXT_ERR_OK; + } + + /* Invoke our npn_advertise_protos hook, giving other modules a chance to + * add alternate protocol names to advertise. */ + apr_array_header_t *protos = apr_array_make(c->pool, 0, sizeof(char*)); + ssl_run_npn_advertise_protos_hook(c, protos); + int num_protos = protos->nelts; + + /* If no other modules added any alternate protocols, then we're done. */ + if (num_protos == 0) { + return SSL_TLSEXT_ERR_OK; + } + + /* We now have a list of null-terminated strings; we need to concatenate + * them together into a single string, where each protocol name is prefixed + * by its length. First, calculate how long that string will be. */ + unsigned int size = 0; + int i; + for (i = 0; i < num_protos; ++i) { + const char* string = APR_ARRAY_IDX(protos, i, const char*); + unsigned int length = strlen(string); + /* If the protocol name is too long (the length must fit in one byte), + * then log an error and quit. */ + if (length > 255) { + ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, + "SSL NPN protocol name too long (length=%u): %s", + length, string); + return SSL_TLSEXT_ERR_OK; + } + /* Leave room for the length prefix (one byte) plus the protocol name + * itself. */ + size += 1 + length; + } + + /* Now we can build the string. 
Copy each protocol name string into the + * larger string, prefixed by its length. */ + unsigned char* data = apr_palloc(c->pool, size * sizeof(unsigned char)); + unsigned char* start = data; + for (i = 0; i < num_protos; ++i) { + const char* string = APR_ARRAY_IDX(protos, i, const char*); + size_t length = strlen(string); + *start = (unsigned char)length; + ++start; + memcpy(start, string, length * sizeof(unsigned char)); + start += length; + } + + /* Success. */ + *data_out = data; + *size_out = size; + return SSL_TLSEXT_ERR_OK; +} + #ifndef OPENSSL_NO_TLSEXT /* * This callback function is executed when OpenSSL encounters an extended Index: modules/ssl/mod_ssl.c =================================================================== --- modules/ssl/mod_ssl.c (revision 1202283) +++ modules/ssl/mod_ssl.c (working copy) @@ -220,6 +220,18 @@ AP_END_CMD }; +/* Implement 'ssl_run_npn_advertise_protos_hook'. */ +APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL( + ssl, AP, int, npn_advertise_protos_hook, + (conn_rec* connection, apr_array_header_t* protos), + (connection, protos), OK, DECLINED); + +/* Implement 'ssl_run_npn_proto_negotiated_hook'. */ +APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL( + ssl, AP, int, npn_proto_negotiated_hook, + (conn_rec* connection, char* proto_name, apr_size_t proto_name_len), + (connection, proto_name, proto_name_len), OK, DECLINED); + /* * the various processing hooks */ Index: modules/ssl/mod_ssl.h =================================================================== --- modules/ssl/mod_ssl.h (revision 1202283) +++ modules/ssl/mod_ssl.h (working copy) 
@@ -60,5 +60,26 @@ APR_DECLARE_OPTIONAL_FN(apr_array_header_t *, ssl_extlist_by_oid, (request_rec *r, const char *oidstr)); +/** The npn_advertise_protos optional hook allows other modules to add entries + * to the list of protocol names advertised by the server during the Next + * Protocol Negotiation (NPN) portion of the SSL handshake. The hook callee is + * given the connection and an APR array; it should push one or more char*'s + * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto + * the array and return OK, or do nothing and return DECLINED. */ +APR_DECLARE_EXTERNAL_HOOK(ssl, AP, int, npn_advertise_protos_hook, + (conn_rec* connection, apr_array_header_t* protos)); + +/** The npn_proto_negotiated optional hook allows other modules to discover the + * name of the protocol that was chosen during the Next Protocol Negotiation + * (NPN) portion of the SSL handshake. Note that this may be the empty string + * (in which case modules should probably assume HTTP), or it may be a protocol + * that was never even advertised by the server. The hook callee is given the + * connection, a non-null-terminated string containing the protocol name, and + * the length of the string; it should do something appropriate (i.e. insert or + * remove filters) and return OK, or do nothing and return DECLINED. 
*/ +APR_DECLARE_EXTERNAL_HOOK(ssl, AP, int, npn_proto_negotiated_hook, + (conn_rec* connection, char* proto_name, + apr_size_t proto_name_len)); + #endif /* __MOD_SSL_H__ */ /** @} */ ++++++ apache2-mod_status.conf ++++++ # # Allow server status reports generated by mod_status, # with the URL of http://servername/server-status # # see http://httpd.apache.org/docs-2.2/mod/mod_status.html # <IfModule mod_status.c> <Location /server-status> SetHandler server-status Order deny,allow Deny from all Allow from localhost 127.0.0.1 </Location> </IfModule> ++++++ apache2-mod_userdir.conf ++++++ # # UserDir: The name of the directory that is appended onto a user's home # directory if a ~user request is received. # <IfModule mod_userdir.c> # Note that the name of the user directory ("public_html") cannot easily be # changed here, since it is a compile time setting. The apache package # would have to be rebuilt. You could work around by deleting # /usr/sbin/suexec, but then all scripts from the directories would be # executed with the UID of the webserver. # # To rebuild apache with another setting you need to change the # %userdir define in the spec file. # not every user's directory should be visible: UserDir disabled root # to enable UserDir only for a certain set of users, use this instead: #UserDir disabled #UserDir enabled user1 user2 # the UserDir directive is actually used inside the virtual hosts, to # have more control #UserDir public_html <Directory /home/*/public_html> AllowOverride FileInfo AuthConfig Limit Indexes Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec <Limit GET POST OPTIONS PROPFIND> Order allow,deny Allow from all </Limit> <LimitExcept GET POST OPTIONS PROPFIND> Order deny,allow Deny from all </LimitExcept> </Directory> </IfModule> ++++++ apache2-mod_usertrack.conf ++++++ <IfModule mod_usertrack.c> # This is the default. 
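Review bot: in the ssl_private.h hunk the prototype for ssl_callback_AdvertiseNextProtos is added outside any `#ifndef OPENSSL_NO_TLSEXT` guard, while the registration in ssl_engine_init.c is conditional on `OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)`; either guard the prototype (and the definition in ssl_engine_kernel.c) with the same condition or document that the function is always compiled and only wired up on NPN-capable OpenSSL. The parameter names also differ between prototype (`data`, `len`) and definition (`data_out`, `size_out`); pick one. The `@@ -714,4 +715,3 @@` hunk only deletes a trailing blank line, which is unrelated to NPN and should be dropped to keep the patch minimal.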
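Review bot: the ssl_engine_init.c hunk spells out the NPN availability test verbatim, and ssl_engine_io.c repeats the same three-part condition; define it once in ssl_private.h (a single feature macro set under that condition) so the copies cannot drift and so the callback definition in ssl_engine_kernel.c can be wrapped in the same symbol. As with the header, the `@@ -1352,4 +1357,3 @@` change removes only a blank line at end of file and does not belong in this patch.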
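Review bot: in the `@@ -1409,6 +1410,21 @@` hunk of ssl_engine_io.c, `const unsigned char *next_proto = NULL;` and `unsigned next_proto_len = 0;` are declared after the statement `inctx->npn_finished = 1;`, a declaration-after-statement that strict C89 compilers and httpd's maintainer-mode warnings reject; move the declarations to the top of the block or set the flag after them. Setting `npn_finished` before the `#if` is fine (the hook is then never invoked on OpenSSL without NPN), but a short comment saying so would save the next reader a double take.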
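Review bot: ssl_callback_AdvertiseNextProtos in the ssl_engine_kernel.c hunk returns `SSL_TLSEXT_ERR_OK` with `*data_out == NULL` and `*size_out == 0` on the over-long-name path exactly as it does on the "no protocols" path, so a single name longer than 255 bytes from any module silently suppresses every other module's protocol; skipping just that entry, or returning a non-OK value so no extension is sent, would be more robust and easier to diagnose than the current "advertise nothing". Style points in the same function: it has the same declaration-after-statement pattern (`conn_rec *c` after the two assignments, `int num_protos` after the hook call, `unsigned int size` and `int i` later), the sizing loop uses `unsigned int length` while the copy loop uses `size_t length`, and `size * sizeof(unsigned char)` and `length * sizeof(unsigned char)` are just `size` and `length`. Since this definition is unguarded while its only caller is registered under the `OPENSSL_NO_TLSEXT` guard, check that `SSL_TLSEXT_ERR_OK` is still defined on OpenSSL builds that disable TLS extensions.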
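Review bot: the mod_ssl.c hunk implements `npn_proto_negotiated_hook` with `char* proto_name`, but the buffer handed over from ssl_engine_io.c is OpenSSL's own `const unsigned char *` (from `SSL_get0_next_proto_negotiated`) that callees must not modify; make the parameter `const char *` and cast once at the call site rather than relying on an implicit pointer conversion. Using `APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL` with OK/DECLINED for both hooks is the right choice, since every module should get to add its names and inspect the result.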
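Review bot: the mod_ssl.h doc comment for `npn_proto_negotiated_hook` says the name "may be the empty string", but when nothing was negotiated `SSL_get0_next_proto_negotiated` leaves the pointer NULL with length 0, so callees must test `proto_name_len` (or the pointer) before touching the bytes; say that explicitly. The warning that the chosen protocol "may be a protocol that was never even advertised by the server" deserves more weight: the value comes straight from the client's handshake, so a consuming module should compare it against its own list of accepted names and fall back to plain HTTP for anything else rather than act on an arbitrary string. Also "(i.e. insert or remove filters)" should read "e.g.", and `char* proto_name` should be `const char *` to match the ownership described above.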
CookieName Apache
</IfModule>
++++++ apache2-server-tuning.conf ++++++
##
## Server-Pool Size Regulation (MPM specific)
##

# the MPM (multiprocessing module) is not a dynamically loadable module in the
# sense of other modules. It is a compile time decision which one is used. We
# provide different apache2 MPM packages, containing different httpd2 binaries
# compiled with the available MPMs. See APACHE_MPM in /etc/sysconfig/apache2.

# prefork MPM
<IfModule prefork.c>
    # number of server processes to start
    # http://httpd.apache.org/docs/2.2/mod/mpm_common.html#startservers
    StartServers 5
    # minimum number of server processes which are kept spare
    # http://httpd.apache.org/docs/2.2/mod/prefork.html#minspareservers
    MinSpareServers 5
    # maximum number of server processes which are kept spare
    # http://httpd.apache.org/docs/2.2/mod/prefork.html#maxspareservers
    MaxSpareServers 10
    # highest possible MaxClients setting for the lifetime of the Apache process.
    # http://httpd.apache.org/docs/2.2/mod/mpm_common.html#serverlimit
    ServerLimit 150
    # maximum number of server processes allowed to start
    # http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxclients
    MaxClients 150
    # maximum number of requests a server process serves
    # http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxrequestsperchild
    MaxRequestsPerChild 10000
</IfModule>

# worker MPM
<IfModule worker.c>
    # initial number of server processes to start
    # http://httpd.apache.org/docs/2.2/mod/mpm_common.html#startservers
    StartServers 3
    # minimum number of worker threads which are kept spare
    # http://httpd.apache.org/docs/2.2/mod/mpm_common.html#minsparethreads
    MinSpareThreads 25
    # maximum number of worker threads which are kept spare
    # http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxsparethreads
    MaxSpareThreads 75
    # upper limit on the configurable number of threads per child process
    # http://httpd.apache.org/docs/2.2/mod/mpm_common.html#threadlimit
    ThreadLimit 64
    # maximum number of simultaneous client connections
    # http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxclients
    MaxClients 150
    # number of worker threads created by each child process
    # http://httpd.apache.org/docs/2.2/mod/mpm_common.html#threadsperchild
    ThreadsPerChild 25
    # maximum number of requests a server process serves
    # http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxrequestsperchild
    MaxRequestsPerChild 10000
</IfModule>

# leader MPM
<IfModule leader.c>
    # initial number of server processes to start
    StartServers 2
    # minimum number of worker threads which are kept spare
    MinSpareThreads 25
    # maximum number of worker threads which are kept spare
    MaxSpareThreads 75
    # maximum number of simultaneous client connections
    MaxClients 150
    # constant number of worker threads in each server process
    ThreadsPerChild 25
    # maximum number of requests a server process serves
    MaxRequestsPerChild 10000
</IfModule>

#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive On

#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100

#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 15

#
# MaxRanges: Maximum number of Ranges in a request before
# returning the entire resource, or one of the special
# values 'default', 'none' or 'unlimited'.
# Default setting is to accept 200 Ranges.
#MaxRanges unlimited

#
# EnableMMAP: Control whether memory-mapping is used to deliver
# files (assuming that the underlying OS supports it).
# The default is on; turn this off if you serve from NFS-mounted
# filesystems. On some systems, turning it off (regardless of
# filesystem) can improve performance; for details, please see
# http://httpd.apache.org/docs-2.2/mod/core.html#enablemmap
#
#EnableMMAP off

#
# EnableSendfile: Control whether the sendfile kernel support is
# used to deliver files (assuming that the OS supports it).
# The default is on; turn this off if you serve from NFS-mounted
# filesystems. Please see
# http://httpd.apache.org/docs-2.2/mod/core.html#enablesendfile
#
#EnableSendfile off

<IfModule mod_setenvif.c>
    #
    # The following directives modify normal HTTP response behavior to
    # handle known problems with browser implementations.
    #
    BrowserMatch "Mozilla/2" nokeepalive
    BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
    BrowserMatch "RealPlayer 4\.0" force-response-1.0
    BrowserMatch "Java/1\.0" force-response-1.0
    BrowserMatch "JDK/1\.0" force-response-1.0

    #
    # The following directive disables redirects on non-GET requests for
    # a directory that does not include the trailing slash. This fixes a
    # problem with Microsoft WebFolders which does not appropriately handle
    # redirects for folders with DAV methods.
    # Same deal with Apple's DAV filesystem and Gnome VFS support for DAV.
    #
    BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
    BrowserMatch "^WebDrive" redirect-carefully
    BrowserMatch "^WebDAVFS/1.[012]" redirect-carefully
    BrowserMatch "^gnome-vfs" redirect-carefully
</IfModule>
++++++ apache2-ssl-global.conf ++++++
##
## SSL Global Context
##
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
##

# These are the configuration directives to instruct the server how to
# serve pages over an https connection. For detailed information about these
# directives see <URL:http://httpd.apache.org/docs-2.2/mod/mod_ssl.html>
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.

# This global SSL configuration is ignored if
# "SSL" is not defined, or if "NOSSL" is defined.
<IfDefine SSL>
<IfDefine !NOSSL>
<IfModule mod_ssl.c>

    #
    # Some MIME-types for downloading Certificates and CRLs
    #
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl .crl

    # Pass Phrase Dialog:
    # Configure the pass phrase gathering process.
    # The filtering dialog program (`builtin' is an internal
    # terminal dialog) has to provide the pass phrase on stdout.
    <IfDefine SYSTEMD>
        SSLPassPhraseDialog exec:/usr/sbin/apache2-systemd-ask-pass
    </IfDefine>
    <IfDefine !SYSTEMD>
        SSLPassPhraseDialog builtin
    </IfDefine>

    # Inter-Process Session Cache:
    # Configure the SSL Session Cache: First the mechanism
    # to use and second the expiring timeout (in seconds).
    # shm means the same as shmht.
    # Note that on most platforms shared memory segments are not allowed to be on
    # network-mounted drives, so in that case you need to use the dbm method.
    #SSLSessionCache none
    #SSLSessionCache dbm:/var/lib/apache2/ssl_scache
    #SSLSessionCache shmht:/var/lib/apache2/ssl_scache(512000)
    SSLSessionCache shmcb:/var/lib/apache2/ssl_scache(512000)
    SSLSessionCacheTimeout 300

    # Semaphore:
    # Configure the path to the mutual exclusion semaphore the
    # SSL engine uses internally for inter-process synchronization.
    SSLMutex "file:/var/lib/apache2/ssl_mutex"

    # Pseudo Random Number Generator (PRNG):
    # Configure one or more sources to seed the PRNG of the
    # SSL library. The seed data should be of good random quality.
    # WARNING! On some platforms /dev/random blocks if not enough entropy
    # is available. This means you then cannot use the /dev/random device
    # because it would lead to very long connection times (as long as
    # it requires to make more entropy available). But usually those
    # platforms additionally provide a /dev/urandom device which doesn't
    # block. So, if available, use this one instead. Read the mod_ssl User
    # Manual for more details.
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    #SSLRandomSeed startup file:/dev/random 512
    #SSLRandomSeed connect file:/dev/random 512
    #SSLRandomSeed startup file:/dev/urandom 512
    #SSLRandomSeed connect file:/dev/urandom 512

</IfModule>
</IfDefine>
</IfDefine>
++++++ apache2-systemd-ask-pass ++++++
#!/bin/sh
exec /bin/systemd-ask-password "Enter SSL pass phrase for $1 ($2): "
++++++ apache2-vhost-ssl.template ++++++
# Template for a VirtualHost with SSL
# Note: to use the template, rename it to /etc/apache2/vhost.d/yourvhost.conf.
# Files must have the .conf suffix to be loaded.
#
# See /usr/share/doc/packages/apache2/README.QUICKSTART for further hints
# about virtual hosts.
# NameVirtualHost statements should be added to /etc/apache2/listen.conf.
#
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailed information about these
# directives see http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
<IfDefine SSL>
<IfDefine !NOSSL>

##
## SSL Virtual Host Context
##

<VirtualHost _default_:443>

    # General setup for the virtual host
    DocumentRoot "/srv/www/htdocs"
    #ServerName www.example.com:443
    #ServerAdmin webmaster@example.com
    ErrorLog /var/log/apache2/error_log
    TransferLog /var/log/apache2/access_log

    # SSL Engine Switch:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on

    # SSL protocols
    # Supporting TLS only is adequate nowadays
    SSLProtocol all -SSLv2

    # SSL Cipher Suite:
    # List the ciphers that the client is permitted to negotiate.
    # See the mod_ssl documentation for a complete list.
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

    # Speed-optimized SSL Cipher configuration:
    # If speed is your main concern (on busy HTTPS servers e.g.),
    # you might want to force clients to specific, performance
    # optimized ciphers. In this case, prepend those ciphers
    # to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
    # Caveat: by giving precedence to RC4-SHA and AES128-SHA
    # (as in the example below), most connections will no longer
    # have perfect forward secrecy - if the server's key is
    # compromised, captures of past or future traffic must be
    # considered compromised, too.
    #SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
    #SSLHonorCipherOrder on

    # Server Certificate:
    # Point SSLCertificateFile at a PEM encoded certificate. If
    # the certificate is encrypted, then you will be prompted for a
    # pass phrase. Note that a kill -HUP will prompt again. Keep
    # in mind that if you have both an RSA and a DSA certificate you
    # can configure both in parallel (to also allow the use of DSA
    # ciphers, etc.)
    SSLCertificateFile /etc/apache2/ssl.crt/server.crt
    #SSLCertificateFile /etc/apache2/ssl.crt/server-dsa.crt

    # Server Private Key:
    # If the key is not combined with the certificate, use this
    # directive to point at the key file. Keep in mind that if
    # you have both an RSA and a DSA private key you can configure
    # both in parallel (to also allow the use of DSA ciphers, etc.)
    SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
    #SSLCertificateKeyFile /etc/apache2/ssl.key/server-dsa.key

    # Server Certificate Chain:
    # Point SSLCertificateChainFile at a file containing the
    # concatenation of PEM encoded CA certificates which form the
    # certificate chain for the server certificate. Alternatively
    # the referenced file can be the same as SSLCertificateFile
    # when the CA certificates are directly appended to the server
    # certificate for convenience.
    #SSLCertificateChainFile /etc/apache2/ssl.crt/ca.crt

    # Certificate Authority (CA):
    # Set the CA certificate verification path where to find CA
    # certificates for client authentication or alternatively one
    # huge file containing all of them (file must be PEM encoded)
    # Note: Inside SSLCACertificatePath you need hash symlinks
    # to point to the certificate files. Use the provided
    # Makefile to update the hash symlinks after changes.
    #SSLCACertificatePath /etc/apache2/ssl.crt
    #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt

    # Certificate Revocation Lists (CRL):
    # Set the CA revocation path where to find CA CRLs for client
    # authentication or alternatively one huge file containing all
    # of them (file must be PEM encoded)
    # Note: Inside SSLCARevocationPath you need hash symlinks
    # to point to the certificate files. Use the provided
    # Makefile to update the hash symlinks after changes.
    #SSLCARevocationPath /etc/apache2/ssl.crl
    #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl

    # Client Authentication (Type):
    # Client certificate verification type and depth. Types are
    # none, optional, require and optional_no_ca. Depth is a
    # number which specifies how deeply to verify the certificate
    # issuer chain before deciding the certificate is not valid.
    #SSLVerifyClient require
    #SSLVerifyDepth 10

    # Access Control:
    # With SSLRequire you can do per-directory access control based
    # on arbitrary complex boolean expressions containing server
    # variable checks and other lookup directives. The syntax is a
    # mixture between C and Perl. See the mod_ssl documentation
    # for more details.
    #<Location />
    #SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
    #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
    #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
    #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
    #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
    #           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
    #</Location>

    # SSL Engine Options:
    # Set various options for the SSL engine.
    # o FakeBasicAuth:
    #   Translate the client X.509 into a Basic Authorisation. This means that
    #   the standard Auth/DBMAuth methods can be used for access control. The
    #   user name is the `one line' version of the client's X.509 certificate.
    #   Note that no password is obtained from the user. Every entry in the user
    #   file needs this password: `xxj31ZMTZzkVA'.
    # o ExportCertData:
    #   This exports two additional environment variables: SSL_CLIENT_CERT and
    #   SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
    #   server (always existing) and the client (only existing when client
    #   authentication is used). This can be used to import the certificates
    #   into CGI scripts.
    # o StdEnvVars:
    #   This exports the standard SSL/TLS related `SSL_*' environment variables.
    #   Per default this exportation is switched off for performance reasons,
    #   because the extraction step is an expensive operation and is usually
    #   useless for serving static content. So one usually enables the
    #   exportation for CGI and SSI requests only.
    # o StrictRequire:
    #   This denies access when "SSLRequireSSL" or "SSLRequire" applied even
    #   under a "Satisfy any" situation, i.e. when it applies access is denied
    #   and no other module can change it.
    # o OptRenegotiate:
    #   This enables optimized SSL connection renegotiation handling when SSL
    #   directives are used in per-directory context.
    #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/srv/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>

    # SSL Protocol Adjustments:
    # The safe and default but still SSL/TLS standard compliant shutdown
    # approach is that mod_ssl sends the close notify alert but doesn't wait for
    # the close notify alert from client. When you need a different shutdown
    # approach you can use one of the following variables:
    # o ssl-unclean-shutdown:
    #   This forces an unclean shutdown when the connection is closed, i.e. no
    #   SSL close notify alert is sent or allowed to be received. This violates
    #   the SSL/TLS standard but is needed for some brain-dead browsers. Use
    #   this when you receive I/O errors because of the standard approach where
    #   mod_ssl sends the close notify alert.
    # o ssl-accurate-shutdown:
    #   This forces an accurate shutdown when the connection is closed, i.e. a
    #   SSL close notify alert is sent and mod_ssl waits for the close notify
    #   alert of the client. This is 100% SSL/TLS standard compliant, but in
    #   practice often causes hanging connections with brain-dead browsers. Use
    #   this only for browsers where you know that their SSL implementation
    #   works correctly.
    # Notice: Most problems of broken clients are also related to the HTTP
    # keep-alive facility, so you usually additionally want to disable
    # keep-alive for those clients, too. Use variable "nokeepalive" for this.
    # Similarly, one has to force some clients to use HTTP/1.0 to work around
    # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
    # "force-response-1.0" for this.
    BrowserMatch "MSIE [2-5]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0

    # Per-Server Logging:
    # The home of a custom SSL log file. Use this when you want a
    # compact non-error SSL logfile on a virtual host basis.
    CustomLog /var/log/apache2/ssl_request_log ssl_combined

</VirtualHost>

</IfDefine>
</IfDefine>
++++++ apache2-vhost.template ++++++
#
# VirtualHost template
# Note: to use the template, rename it to /etc/apache2/vhost.d/yourvhost.conf.
# Files must have the .conf suffix to be loaded.
#
# See /usr/share/doc/packages/apache2/README.QUICKSTART for further hints
# about virtual hosts.
#
# NameVirtualHost statements can be added to /etc/apache2/listen.conf.
#
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for requests without a known
# server name.
#
<VirtualHost *:80>
    ServerAdmin webmaster@dummy-host.example.com
    ServerName dummy-host.example.com

    # DocumentRoot: The directory out of which you will serve your
    # documents. By default, all requests are taken from this directory, but
    # symbolic links and aliases may be used to point to other locations.
    DocumentRoot /srv/www/vhosts/dummy-host.example.com

    # if not specified, the global error log is used
    ErrorLog /var/log/apache2/dummy-host.example.com-error_log
    CustomLog /var/log/apache2/dummy-host.example.com-access_log combined

    # don't lose time with IP address lookups
    HostnameLookups Off

    # needed for named virtual hosts
    UseCanonicalName Off

    # configures the footer on server-generated documents
    ServerSignature On

    # Optionally, include *.conf files from /etc/apache2/conf.d/
    #
    # For example, to allow execution of PHP scripts:
    #
    # Include /etc/apache2/conf.d/php5.conf
    #
    # or, to include all configuration snippets added by packages:
    # Include /etc/apache2/conf.d/*.conf

    # ScriptAlias: This controls which directories contain server scripts.
    # ScriptAliases are essentially the same as Aliases, except that
    # documents in the realname directory are treated as applications and
    # run by the server when requested rather than as documents sent to the client.
    # The same rules about trailing "/" apply to ScriptAlias directives as to
    # Alias.
    #
    ScriptAlias /cgi-bin/ "/srv/www/vhosts/dummy-host.example.com/cgi-bin/"

    # "/srv/www/cgi-bin" should be changed to whatever your ScriptAliased
    # CGI directory exists, if you have one, and where ScriptAlias points to.
    #
    <Directory "/srv/www/vhosts/dummy-host.example.com/cgi-bin">
        AllowOverride None
        Options +ExecCGI -Includes
        Order allow,deny
        Allow from all
    </Directory>

    # UserDir: The name of the directory that is appended onto a user's home
    # directory if a ~user request is received.
    #
    # To disable it, simply remove userdir from the list of modules in APACHE_MODULES
    # in /etc/sysconfig/apache2.
    #
    <IfModule mod_userdir.c>
        # Note that the name of the user directory ("public_html") cannot simply be
        # changed here, since it is a compile time setting. The apache package
        # would have to be rebuilt. You could work around by deleting
        # /usr/sbin/suexec, but then all scripts from the directories would be
        # executed with the UID of the webserver.
        UserDir public_html
        # The actual configuration of the directory is in
        # /etc/apache2/mod_userdir.conf.
        Include /etc/apache2/mod_userdir.conf
        # You can, however, change the ~ if you find it awkward, by mapping e.g.
        # http://www.example.com/users/karl-heinz/ --> /home/karl-heinz/public_html/
        #AliasMatch ^/users/([a-zA-Z0-9-_.]*)/?(.*) /home/$1/public_html/$2
    </IfModule>

    #
    # This should be changed to whatever you set DocumentRoot to.
    #
    <Directory "/srv/www/vhosts/dummy-host.example.com">
        #
        # Possible values for the Options directive are "None", "All",
        # or any combination of:
        #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
        #
        # Note that "MultiViews" must be named *explicitly* --- "Options All"
        # doesn't give it to you.
        #
        # The Options directive is both complicated and important. Please see
        # http://httpd.apache.org/docs-2.2/mod/core.html#options
        # for more information.
        #
        Options Indexes FollowSymLinks

        #
        # AllowOverride controls what directives may be placed in .htaccess files.
        # It can be "All", "None", or any combination of the keywords:
        #   Options FileInfo AuthConfig Limit
        #
        AllowOverride None

        #
        # Controls who can get stuff from this server.
        #
        Order allow,deny
        Allow from all
    </Directory>

</VirtualHost>
++++++ apache2.2-mpm-itk-20090414-00.patch ++++++
++++ 2021 lines (skipped)
++++++ apache2.firewall ++++++
## Name: HTTP Server
## Description: Opens ports for Apache Web Server.
# space separated list of allowed TCP ports TCP="http" # space separated list of allowed UDP ports UDP="http" # space separated list of allowed RPC services RPC="" # space separated list of allowed IP protocols IP="" # space separated list of allowed UDP broadcast ports BROADCAST="" ++++++ apache2.logrotate ++++++ /var/log/apache2/access_log { compress dateext maxage 365 rotate 99 size=+4096k notifempty missingok create 644 root root postrotate /etc/init.d/apache2 reload endscript } /var/log/apache2/error_log { compress dateext maxage 365 rotate 99 size=+1024k notifempty missingok create 644 root root postrotate /etc/init.d/apache2 reload endscript } /var/log/apache2/suexec.log { compress dateext maxage 365 rotate 99 size=+1024k notifempty missingok create 644 root root postrotate /etc/init.d/apache2 reload endscript } /var/log/apache2/ssl_request_log { compress dateext maxage 365 rotate 99 size=+4096k notifempty missingok create 644 root root postrotate /etc/init.d/apache2 reload endscript } /var/log/apache2/ssl_engine_log { compress dateext maxage 365 rotate 99 size=+1024k notifempty missingok create 644 root root postrotate /etc/init.d/apache2 reload endscript } ++++++ apache2.service ++++++ [Unit] Description=apache After=syslog.target network.target Before=getty@tty1.service [Service] Type=forking PIDFile=/var/run/httpd2.pid EnvironmentFile=/etc/sysconfig/apache2 ExecStart=/usr/sbin/start_apache2 -D SYSTEMD -k start ExecReload=/usr/sbin/start_apache2 -D SYSTEMD -t ExecReload=/bin/kill -HUP $MAINPID ExecStop=/usr/sbin/httpd2 -D SYSTEMD -k stop [Install] WantedBy=multi-user.target ++++++ apache2.ssl-firewall ++++++ ## Name: HTTPS Server ## Description: Opens ports for Apache Web Server. 
# space separated list of allowed TCP ports TCP="https" # space separated list of allowed UDP ports UDP="https" # space separated list of allowed RPC services RPC="" # space separated list of allowed IP protocols IP="" # space separated list of allowed UDP broadcast ports BROADCAST="" ++++++ find_httpd2_includes ++++++ #!/bin/bash # Read the configuration (recursing through all include files) . /usr/share/apache2/load_configuration : ${sysconfdir:=/etc/apache2} httpd_conf=${APACHE_HTTPD_CONF:-$sysconfdir/httpd.conf} find_include_files () { local found i found=$(awk '/^[[:space:]]*Include/ { print $2 }' $1 2>/dev/null) for i in $found; do case $i in *\**) # filter filenames that are unexpanded, in the lack of a match, # like /etc/apache2/conf.d/*.conf ;; *) conffiles="$conffiles $i" find_include_files $i ;; esac done } find_include_files $httpd_conf #echo $httpd_conf $conffiles echo $conffiles exit 0 ++++++ find_mpm ++++++ #!/bin/bash : ${apache_link:=/usr/sbin/httpd2} . /usr/share/apache2/load_configuration if ! ${mpm_set:=false}; then if [ -z "$APACHE_MPM" ]; then # guess for i in $r/$apache_link-*; do test -f $i || continue i=$(basename $i) i=${i#*-} installed_mpms=(${installed_mpms[*]} $i) done if [ -z "${installed_mpms[*]}" ]; then echo >&2 ${warn}Apache binary ${apache_link#*-} not found. No MPM package installed? $norm echo >&2 Hint: install the apache2-prefork package, and try again. fi if [ ${#installed_mpms[*]} = 1 ]; then APACHE_MPM=${installed_mpms[*]} else case ${installed_mpms[*]} in *prefork*) APACHE_MPM=prefork;; *worker*) APACHE_MPM=worker;; *event*) APACHE_MPM=event;; *leader*) APACHE_MPM=leader;; *metuxmpm*) APACHE_MPM=metuxmpm;; *threadpool*) APACHE_MPM=threadpool;; *itk*) APACHE_MPM=itk;; esac fi fi if [ -x $apache_link-$APACHE_MPM ]; then ln -sf $apache_link-$APACHE_MPM $apache_link echo $apache_link-$APACHE_MPM else echo >&2 ${warn}$apache_link-$APACHE_MPM is not a valid httpd2 binary. 
        echo >&2 Check your APACHE_MPM setting.$norm
        exit 1
    fi

    export APACHE_MPM
    mpm_set=true
fi
++++++ gensslcert ++++++
#!/bin/bash
# Peter Poeml <apache@suse.de>
#
# Script to generate ssl keys for mod_ssl, without requiring user input
# most of it is copied from mkcert.sh of the mod_ssl distribution
#
# XXX This is just a hack, it won't be able to do anything you want!
#

function usage {
    cat <<-EOF
`basename $0` will generate a test certificate "the quick way", i.e.
without interaction. You can change some defaults however.
It will overwrite /root/.mkcert.cfg

These options are recognized:                        Default:
  -C Common name                                    "$name"
  -N comment                                        "$comment"
  -c country (two letters, e.g. DE)                 $C
  -s state                                          $ST
  -l city                                           $L
  -o organisation                                   "$O"
  -u organisational unit                            "$U"
  -n fully qualified domain name                    $CN (\$FQHOSTNAME)
  -e email address of webmaster                     webmaster@$CN
  -y days server cert is valid for                  $srvdays
  -Y days CA cert is valid for                      $CAdays
  -d run in debug mode
  -h show usage
EOF
}

test -t && { BRIGHT='[01m'; RED='[31m'; NORMAL='[00m'; }
function myecho { echo $BRIGHT$@$NORMAL; }
function error { echo $RED$@$NORMAL; }
function myexit { error something ugly seems to have happened in line $1...; exit $2; }

r=$ROOT

. $r/etc/sysconfig/network/config

FQHOSTNAME=`cat /etc/HOSTNAME`

# defaults
comment="mod_ssl server certificate"
name=
C=XY
ST=unknown
L=unknown
U="web server"
O="SuSE Linux Web Server"
CN=$FQHOSTNAME
email=webmaster@$FQHOSTNAME
CAdays=$((365 * 6))
srvdays=$((365 * 2))

while getopts C:N:c:s:l:o:u:n:e:y:Y:dh OPT; do
    case $OPT in
        C) name=$OPTARG-;;
        N) comment=$OPTARG;;
        c) C=$OPTARG;;
        s) ST=$OPTARG;;
        l) L=$OPTARG;;
        u) U=$OPTARG;;
        o) O=$OPTARG;;
        n) CN=$OPTARG;;
        e) email=$OPTARG;;
        y) srvdays=$OPTARG;;
        Y) CAdays=$OPTARG;;
        d) set -x;;
        h) usage; exit 2;;
        *) echo unrecognized option: $OPT; usage; exit 2;;
    esac
done

GO_LEFT="\033[80D"
GO_MIDDLE="$GO_LEFT\033[15C"
for i in comment name C ST L U O CN email srvdays CAdays; do
    eval "echo -e $i\"$GO_MIDDLE\" \$$i;"
done

openssl=$r/usr/bin/openssl
sslcrtdir=$r/etc/apache2/ssl.crt
sslcsrdir=$r/etc/apache2/ssl.csr
sslkeydir=$r/etc/apache2/ssl.key
sslprmdir=$r/etc/apache2/ssl.prm

#
# CA
#
echo;myecho creating CA key ...
(umask 0377 ; $openssl genrsa -rand $r/var/log/y2log:$r/var/log/messages -out $sslkeydir/${name}ca.key 2048 || myexit $LINENO $?)

cat >$r/root/.mkcert.cfg <<EOT
[ req ]
default_bits                    = 1024
default_keyfile                 = keyfile.pem
distinguished_name              = req_distinguished_name
attributes                      = req_attributes
prompt                          = no
output_password                 = mypass

[ req_distinguished_name ]
C                               = $C
ST                              = $ST
L                               = $L
O                               = $O
OU                              = CA
CN                              = $CN
emailAddress                    = $email

[ req_attributes ]
challengePassword               = $RANDOM$RANDOMA challenge password
EOT

echo;myecho creating CA request/certificate ...
(umask 0377 ; $openssl req -config $r/root/.mkcert.cfg -new -x509 -days $CAdays -key $sslkeydir/${name}ca.key -out $sslcrtdir/${name}ca.crt || myexit $LINENO $?)
cp -pv $sslcrtdir/${name}ca.crt $r/srv/www/htdocs/$(echo $name | tr 'a-z' 'A-Z')CA.crt

#
# Server CERT
#
echo;myecho creating server key ...
(umask 0377 ; $openssl genrsa -rand $r/etc/rc.config:$r/var/log/messages -out $sslkeydir/${name}server.key 1024 || myexit $LINENO $?)

cat >$r/root/.mkcert.cfg <<EOT
[ req ]
default_bits                    = 1024
default_keyfile                 = keyfile.pem
distinguished_name              = req_distinguished_name
attributes                      = req_attributes
prompt                          = no
output_password                 = mypass

[ req_distinguished_name ]
C                               = $C
ST                              = $ST
L                               = $L
O                               = $O
OU                              = $U
CN                              = $CN
emailAddress                    = $email

[ req_attributes ]
challengePassword               = $RANDOM$RANDOMA challenge password
EOT

echo;myecho creating server request ...
(umask 0377 ; $openssl req -config $r/root/.mkcert.cfg -new -key $sslkeydir/${name}server.key -out $sslcsrdir/${name}server.csr || myexit $LINENO $?)

cat >$r/root/.mkcert.cfg <<EOT
extensions = x509v3
[ x509v3 ]
subjectAltName   = email:copy
nsComment        = $comment
nsCertType       = server
EOT

test -f $r/root/.mkcert.serial || echo 01 >$r/root/.mkcert.serial

myecho "creating server certificate ..."
(umask 0377 ; $openssl x509 \
    -extfile $r/root/.mkcert.cfg \
    -days $srvdays \
    -CAserial $r/root/.mkcert.serial \
    -CA $sslcrtdir/${name}ca.crt \
    -CAkey $sslkeydir/${name}ca.key \
    -in $sslcsrdir/${name}server.csr -req \
    -out $sslcrtdir/${name}server.crt || myexit $LINENO $?)

rm -f $r/root/.mkcert.cfg

echo;myecho "Verify: matching certificate & key modulus"
modcrt=`$openssl x509 -noout -modulus -in $sslcrtdir/${name}server.crt | sed -e 's;.*Modulus=;;' || myexit $LINENO $?`
modkey=`$openssl rsa -noout -modulus -in $sslkeydir/${name}server.key | sed -e 's;.*Modulus=;;' || myexit $LINENO $?`
if [ ".$modcrt" != ".$modkey" ]; then
    error "mkcert.sh:Error: Failed to verify modulus on resulting X.509 certificate" 1>&2
    myexit $LINENO $?
fi

echo;myecho Verify: matching certificate signature
$openssl verify -CAfile $sslcrtdir/${name}ca.crt $sslcrtdir/${name}server.crt || myexit $LINENO $?
if [ $? -ne 0 ]; then
    error "mkcert.sh:Error: Failed to verify signature on resulting X.509 certificate" 1>&2
    myexit $LINENO $?
fi

exit 0
++++++ get_includes ++++++
#!/bin/bash

pname=apache2
: ${sysconfdir:=/etc/$pname}
: ${sysconfig_apache:=/etc/sysconfig/$pname}

test -z "$APACHE_MODULES" && . /usr/share/$pname/load_configuration

apache_bin=$(/usr/share/$pname/find_mpm 2>/dev/null)
APACHE_MPM=${apache_bin##*-}
if [ -z "$APACHE_MPM" ]; then
    echo >&2 Warning: no MPM found. Some modules are dependent on the type of MPM.
fi

#echo -n writing sysconfig.d/include.conf
exec 3>$sysconfdir/sysconfig.d/include.conf
echo >&3 "#
# This file is created at apache start time by /usr/sbin/rc$pname. Do not edit it!
#
# as listed in APACHE_INCLUDE_* ($sysconfig_apache)
"
for file in $APACHE_CONF_INCLUDE_FILES; do
    test ${file:0:1} = / || file=$sysconfdir/$file
    if [ -e $file ]; then
        echo >&3 Include $file
    else
        echo >&2 File $file from APACHE_CONF_INCLUDE_FILES not found. Ignored.
    fi
done

# here, we do not want to use globbing. apache will do it
set -o noglob
for dir in $APACHE_CONF_INCLUDE_DIRS; do
    test ${dir:0:1} = / || dir=$sysconfdir/$dir
    if [ -d $dir -o -d /$(dirname $dir) ]; then
        echo >&3 Include $dir
    else
        echo >&2 Directory $dir from APACHE_CONF_INCLUDE_DIRS not found. Ignored.
    fi
done
set +o noglob
echo >&3 -e "#\n"
exec 3<&-
#echo -n ". "
++++++ get_module_list ++++++
#!/bin/bash

pname=apache2
: ${sysconfdir:=/etc/$pname}
: ${sysconfig_apache:=/etc/sysconfig/$pname}
default_APACHE_DOCUMENT_ROOT=/srv/www/htdocs

test -z "$APACHE_MODULES" && . /usr/share/$pname/load_configuration

apache_bin=$(/usr/share/$pname/find_mpm 2>/dev/null)
APACHE_MPM=${apache_bin##*-}
if [ -z "$APACHE_MPM" ]; then
    echo >&2 Warning: no MPM found. Some modules are dependent on the type of MPM.
fi

if [ "$1" = -q ]; then
    quiet=true
else
    quiet=false
fi

#echo -n writing sysconfig.d/loadmodule.conf
TMPFILE=`/bin/mktemp /tmp/$pname.XXXXXXXXXXXX`
if [ -z "$TMPFILE" ]; then
    echo >&2 Error: could not create temporary file for writing loadmodules.conf.
    exit 1
fi
exec 3>$TMPFILE
echo >&3 "#
# Files in this directory are created at apache start time by /usr/sbin/rc$pname
# Do not edit them!
#
# as listed in APACHE_MODULES ($sysconfig_apache)
"
test -z "$APACHE_MODULES" && APACHE_MODULES=$LOADMODULES

# see whether APACHE_MODULES is declared as array (it was so, in the past)
# if it is not an array, we convert it to one.
if [[ -z ${APACHE_MODULES[1]} ]]; then
    # strip leading and trailing parens... since it might erroneously be written as
    # APACHE_MODULES="(asdf 1234)"
    APACHE_MODULES=${APACHE_MODULES/(}; APACHE_MODULES=${APACHE_MODULES/)}
    APACHE_MODULES=($APACHE_MODULES)
fi

for i in ${APACHE_MODULES[*]}; do
    unset module_path module_id

    case $i in
        mod_cgid|cgid)
            case $APACHE_MPM in
                prefork|leader|itk) i=${i%d};;
            esac;;
    esac
    case $i in
        mod_cgi|cgi)
            case $APACHE_MPM in
                event|worker) i=${i}d;;
            esac;;
    esac

    module_id=${i##*/}
    module_id=${module_id#mod_}
    module_id=${module_id#lib}
    module_id=${module_id%.so}_module

    # special case
    case $module_id in
        auth_mysql_module) module_id=mysql_auth_module;;
    esac

    case $i in
        /*) module_path=$i ;;
        *)
            for j in /usr/lib/$pname-$APACHE_MPM/mod_$i.so \
                     /usr/lib/$pname-$APACHE_MPM/$i.so \
                     /usr/lib/$pname-$APACHE_MPM/mod_$i \
                     /usr/lib/$pname-$APACHE_MPM/$i \
                     /usr/lib/$pname-$APACHE_MPM/${i/mod_}.so \
                     /usr/lib/$pname-$APACHE_MPM/${i/mod_} \
                     /usr/lib/$pname-$APACHE_MPM/lib${i/mod_}.so \
                     /usr/lib/$pname-$APACHE_MPM/lib${i/mod_} \
                     /usr/lib/$pname-$APACHE_MPM/lib$i.so \
                     /usr/lib/$pname-$APACHE_MPM/lib$i \
                     /usr/lib/$pname/mod_$i.so \
                     /usr/lib/$pname/$i.so \
                     /usr/lib/$pname/mod_$i \
                     /usr/lib/$pname/$i \
                     /usr/lib/$pname/${i/mod_}.so \
                     /usr/lib/$pname/${i/mod_} \
                     /usr/lib/$pname/lib${i/mod_}.so \
                     /usr/lib/$pname/lib${i/mod_} \
                     /usr/lib/$pname/lib$i.so \
                     /usr/lib/$pname/lib$i
            do
                if [ -f $j ]; then
                    module_path=$j
                    break
                fi
            done
            ;;
    esac

    if [[ -f $module_path ]]; then
        printf "LoadModule %-30s %s\n" $module_id $module_path >&3
    else
        # print a warning?
        # php modules are in the list by default, so we don't warn about it [#66729]
        if ! $quiet && [ $i != "php4" -a $i != "php5" ]; then
            echo >&2 "Module \"$i\" is not installed, ignoring."
            echo >&2 "Check the APACHE_MODULES setting in /etc/sysconfig/$pname."
        fi
    fi
done
echo >&3 -e "#\n"
exec 3<&-
chmod 644 $TMPFILE
mv $TMPFILE $sysconfdir/sysconfig.d/loadmodule.conf
#echo -n ". "

#echo -n writing sysconfig.d/global.conf
exec 3>$sysconfdir/sysconfig.d/global.conf
echo >&3 "#
# Files in this directory are created at apache start time by /usr/sbin/rc$pname
# Do not edit them!
#
# see $sysconfig_apache
"
if [[ -n $APACHE_DOCUMENT_ROOT ]]; then
    echo >&3 "DocumentRoot $APACHE_DOCUMENT_ROOT"
# else
#    if ! grep -q "^DocumentRoot" $sysconfdir/httpd.conf 2>/dev/null; then
#        echo >&3 "DocumentRoot $default_APACHE_DOCUMENT_ROOT"
#    fi
fi
[[ -n $APACHE_TIMEOUT ]] && echo >&3 "Timeout $APACHE_TIMEOUT"
if [[ -n $APACHE_SERVERSIGNATURE ]]; then
    case $APACHE_SERVERSIGNATURE in
        no)  APACHE_SERVERSIGNATURE=off;;
        yes) APACHE_SERVERSIGNATURE=on;;
    esac
    echo >&3 "ServerSignature $APACHE_SERVERSIGNATURE"
fi
[[ -n $APACHE_SERVERADMIN ]] && echo >&3 "ServerAdmin $APACHE_SERVERADMIN"
[[ -n $APACHE_SERVERNAME ]] && echo >&3 "ServerName $APACHE_SERVERNAME"
[[ -n $APACHE_USE_CANONICAL_NAME ]] && echo >&3 "UseCanonicalName $APACHE_USE_CANONICAL_NAME"
[[ -n $APACHE_SERVERTOKENS ]] && echo >&3 "ServerTokens $APACHE_SERVERTOKENS"
[[ $APACHE_EXTENDED_STATUS = on ]] && echo -e >&3 "<IfModule mod_status.c>\n    ExtendedStatus on\n</IfModule>"
[[ $APACHE_BUFFERED_LOGS = on ]] && echo >&3 "BufferedLogs on"
[[ -n $APACHE_LOGLEVEL ]] && echo >&3 "LogLevel $APACHE_LOGLEVEL"
if [[ -n $APACHE_ACCESS_LOG ]]; then
    # split multiple entries
    APACHE_ACCESS_LOG=($APACHE_ACCESS_LOG)
    for ((i=0; $i<${#APACHE_ACCESS_LOG[*]}; i=i+2)); do
        filename=${APACHE_ACCESS_LOG[$i]}
        format=${APACHE_ACCESS_LOG[$i+1]}
        echo >&3 "CustomLog $filename ${format/%,}"
    done
fi
exec 3<&-
#echo -n ". "
++++++ httpd-2.0.49-log_server_status.dif ++++++
--- httpd-2.0.49.orig/support/log_server_status.in	2004-02-09 21:59:49.000000000 +0100
+++ httpd-2.0.49/support/log_server_status2	2004-06-18 11:34:37.000000000 +0200
@@ -24,18 +24,18 @@ # it to a file. Make sure the directory $wherelog is writable by the # user who runs this script. # -require 'sys/socket.ph'; +use Socket; -$wherelog = "/var/log/graph/"; # Logs will be like "/var/log/graph/19960312" +$wherelog = "/var/log/apache2/status/"; # Logs will be like "/var/log/apache2/status/19960312" $server = "localhost"; # Name of server, could be "www.foo.com" $port = "80"; # Port on server -$request = "/status/?auto"; # Request to send +$request = "/server-status/?auto"; # Request to send sub tcp_connect { local($host,$port) =@_; $sockaddr='S n a4 x8'; - chop($hostname=`hostname`); + chop($hostname='localhost'); $port=(getservbyname($port, 'tcp'))[2] unless $port =~ /^\d+$/; $me=pack($sockaddr,&AF_INET,0,(gethostbyname($hostname))[4]); $them=pack($sockaddr,&AF_INET,$port,(gethostbyname($host))[4]); @@ -66,8 +66,8 @@ } print S "GET $request\n"; while (<S>) { - $requests=$1 if ( m|^BusyServers:\ (\S+)|); - $idle=$1 if ( m|^IdleServers:\ (\S+)|); + $requests=$1 if ( m|^BusyWorkers:\ (\S+)|); + $idle=$1 if ( m|^IdleWorkers:\ (\S+)|); $number=$1 if ( m|sses:\ (\S+)|); $cpu=$1 if (m|^CPULoad:\ (\S+)|); } ++++++ httpd-2.0.54-envvars.dif ++++++ diff -uNr httpd-2.0.54.orig/support/envvars-std.in httpd-2.0.54/support/envvars-std.in --- httpd-2.0.54.orig/support/envvars-std.in 2005-02-04 21:21:18.000000000 +0100 +++ httpd-2.0.54/support/envvars-std.in 2005-10-07 13:56:49.223546288 +0200 @@ -19,6 +19,6 @@ # This file is generated from envvars-std.in # -@SHLIBPATH_VAR@="@exp_libdir@:$@SHLIBPATH_VAR@" +@SHLIBPATH_VAR@="@exp_libdir@${@SHLIBPATH_VAR@+:$@SHLIBPATH_VAR@}" export @SHLIBPATH_VAR@ # @OS_SPECIFIC_VARS@ ++++++ httpd-2.1.3alpha-layout.dif ++++++ --- httpd-2.1.3-alpha.orig/config.layout +++ httpd-2.1.3-alpha/config.layout 
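Review bot: in the tcp_connect hunk of httpd-2.0.49-log_server_status.dif, `chop($hostname='localhost');` chops the last character off a string literal, so `$hostname` becomes `localhos` and the unchanged `$me=pack($sockaddr,&AF_INET,0,(gethostbyname($hostname))[4]);` resolves the wrong name for the local socket address; the original `chop` only existed to strip the newline from the `hostname` backtick output. Replace it with a plain `$hostname = 'localhost';`. The same patch hard-codes `$request = "/server-status/?auto"`, so the script assumes mod_status answers on localhost; the `<Location>` guarding that URL should stay restricted to the hosts that run this logger, because the counters it reads (BusyWorkers, IdleWorkers, CPULoad) are readable by anyone else allowed in.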
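Review bot: the rewritten line in httpd-2.0.54-envvars.dif, `@SHLIBPATH_VAR@="@exp_libdir@${@SHLIBPATH_VAR@+:$@SHLIBPATH_VAR@}"`, only appends the `:` separator when the variable is already set, so it no longer produces a trailing colon when it is unset; an empty element in the loader search path is searched as the current working directory, so this is a hardening fix and not cosmetics. A one-line comment above it saying so would help, since the `${var+...}` form is easy to misread as a typo of `${var:-...}` and "fixed" back into the old behaviour.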
@@ -202,6 +202,54 @@ proxycachedir: /var/cache/httpd </Layout> +# SuSE >= 8.1 layout (32 bit system) +<Layout SuSE81> + prefix: /srv/www + exec_prefix: /usr + bindir: ${exec_prefix}/bin + sbindir: ${exec_prefix}/sbin + libdir: ${exec_prefix}/lib + libexecdir: ${exec_prefix}/lib/apache2${mpm_suffix} + mandir: ${exec_prefix}/share/man + sysconfdir: /etc/apache2 + datadir: ${prefix} + installbuilddir: ${exec_prefix}/share/apache2/build + errordir: ${exec_prefix}/share/apache2/error + iconsdir: ${exec_prefix}/share/apache2/icons + htdocsdir: ${datadir}/htdocs + manualdir: ${exec_prefix}/share/apache2/manual + cgidir: ${datadir}/cgi-bin + includedir: ${exec_prefix}/include/apache2${mpm_suffix} + localstatedir: /var/lib/apache2 + runtimedir: /var/run + logfiledir: /var/log/apache2 + proxycachedir: /var/cache/apache2 +</Layout> + +# SuSE >= 8.1 layout (64 bit system) +<Layout SuSE81_64> + prefix: /srv/www + exec_prefix: /usr + bindir: ${exec_prefix}/bin + sbindir: ${exec_prefix}/sbin + libdir: ${exec_prefix}/lib64 + libexecdir: ${exec_prefix}/lib64/apache2${mpm_suffix} + mandir: ${exec_prefix}/share/man + sysconfdir: /etc/apache2 + datadir: ${prefix} + installbuilddir: ${exec_prefix}/share/apache2/build + errordir: ${exec_prefix}/share/apache2/error + iconsdir: ${exec_prefix}/share/apache2/icons + htdocsdir: ${datadir}/htdocs + manualdir: ${exec_prefix}/share/apache2/manual + cgidir: ${datadir}/cgi-bin + includedir: ${exec_prefix}/include/apache2${mpm_suffix} + localstatedir: /var/lib/apache2 + runtimedir: /var/run + logfiledir: /var/log/apache2 + proxycachedir: /var/cache/apache2 +</Layout> + # BSD/OS layout <Layout BSDI> prefix: /var/www ++++++ httpd-2.1.9-apachectl.dif ++++++ diff -uNr httpd-2.1.3-alpha.orig/support/apachectl.in httpd-2.1.3-alpha/support/apachectl.in --- httpd-2.1.3-alpha.orig/support/apachectl.in 2005-02-04 21:28:49.000000000 +0100 +++ httpd-2.1.3-alpha/support/apachectl.in 2005-02-25 02:52:49.203566813 +0100 
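Review bot: the two layouts added in httpd-2.1.3alpha-layout.dif, `<Layout SuSE81>` and `<Layout SuSE81_64>`, are identical except for `libdir` and `libexecdir` (`lib` versus `lib64`), so a reader has to diff 20 lines to see that; a comment on the 64-bit block stating that it differs only in those two entries would keep the two from drifting apart when one is edited. Note also that `runtimedir: /var/run` and `logfiledir: /var/log/apache2` sit outside `localstatedir: /var/lib/apache2`, which is intentional for the packaging but worth stating in the layout comment.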
@@ -41,17 +41,32 @@ # -------------------- -------------------- # # the path to your httpd binary, including options if necessary -HTTPD='@exp_sbindir@/@progname@' +HTTPD='@exp_sbindir@/httpd2' # # pick up any necessary environment variables if test -f @exp_sbindir@/envvars; then . @exp_sbindir@/envvars fi + +pname=apache2 +sysconfig_apache=/etc/sysconfig/$pname +sysconfdir=/etc/$pname + +test -s $sysconfig_apache && source $sysconfig_apache +httpd_conf=${APACHE_HTTPD_CONF:-$sysconfdir/httpd.conf} + # # a command that outputs a formatted text version of the HTML at the # url given on the command line. Designed for lynx, however other # programs may work. -LYNX="@LYNX_PATH@ -dump" + +if [ -x "`which w3m`" ]; then + LYNX="w3m -dump -cols ${COLUMNS:-80}" +elif [ -x "`which lynx`" ]; then + LYNX="lynx -dump -width=${COLUMNS:-80}" +fi + + # # the URL to your server's mod_status status page. If you do not # have one, then status and fullstatus will not work. @@ -77,7 +92,7 @@ case $ARGV in start|stop|restart|graceful|graceful-stop) - $HTTPD -k $ARGV + $HTTPD ${httpd_conf+-f $httpd_conf} -k $ARGV ERROR=$? ;; startssl|sslstart|start-SSL) @@ -87,7 +102,7 @@ ERROR=2 ;; configtest) - $HTTPD -t + $HTTPD ${httpd_conf+-f $httpd_conf} -t ERROR=$? ;; status) @@ -97,7 +112,7 @@ $LYNX $STATUSURL ;; *) - $HTTPD $ARGV + $HTTPD ${httpd_conf+-f $httpd_conf} $ARGV ERROR=$? esac ++++++ httpd-2.2.0-apxs-a2enmod.dif ++++++ Index: httpd-2.2.16/support/apxs.in =================================================================== --- httpd-2.2.16.orig/support/apxs.in +++ httpd-2.2.16/support/apxs.in 
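Review bot: in the browser-selection hunk of httpd-2.1.9-apachectl.dif, `LYNX` stays unset when neither `w3m` nor `lynx` is installed, and the unchanged `status)` branch then runs `$LYNX $STATUSURL`, which tries to execute the URL itself as a command; add an `else` branch that reports the missing tool and makes status/fullstatus fail cleanly. Two smaller points in the same hunk: `test -s $sysconfig_apache && source $sysconfig_apache` evaluates /etc/sysconfig/apache2 as shell code with the privileges of whoever runs apachectl (normally root), so that file must remain writable by root only, and a comment at this line should say so; and `${httpd_conf+-f $httpd_conf}` is unquoted in all three `$HTTPD` invocations, so a configuration path containing whitespace is word-split.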
@@ -526,108 +526,14 @@ if ($opt_i or $opt_e) { # activate module via LoadModule/AddModule directive if ($opt_a or $opt_A) { - if (not -f "$CFG_SYSCONFDIR/$CFG_TARGET.conf") { - error("Config file $CFG_SYSCONFDIR/$CFG_TARGET.conf not found"); - exit(1); - } - - open(FP, "<$CFG_SYSCONFDIR/$CFG_TARGET.conf") || die; - my $content = join('', <FP>); - close(FP); - - if ($content !~ m|\n#?\s*LoadModule\s+|) { - error("Activation failed for custom $CFG_SYSCONFDIR/$CFG_TARGET.conf file."); - error("At least one `LoadModule' directive already has to exist."); - exit(1); - } my $lmd; my $c = ''; $c = '#' if ($opt_A); foreach $lmd (@lmd) { - my $what = $opt_A ? "preparing" : "activating"; - my $lmd_re = $lmd; - $lmd_re =~ s/\s+/\\s+/g; - - if ($content !~ m|\n#?\s*$lmd_re|) { - # check for open <containers>, so that the new LoadModule - # directive always appears *outside* of an <container>. - - my $before = ($content =~ m|^(.*\n)#?\s*LoadModule\s+[^\n]+\n|s)[0]; - - # the '()=' trick forces list context and the scalar - # assignment counts the number of list members (aka number - # of matches) then - my $cntopen = () = ($before =~ m|^\s*<[^/].*$|mg); - my $cntclose = () = ($before =~ m|^\s*</.*$|mg); - - if ($cntopen == $cntclose) { - # fine. Last LoadModule is contextless. - $content =~ s|^(.*\n#?\s*LoadModule\s+[^\n]+\n)|$1$c$lmd\n|s; - } - elsif ($cntopen < $cntclose) { - error('Configuration file is not valid. There are sections' - . ' closed before opened.'); - exit(1); - } - else { - # put our cmd after the section containing the last - # LoadModule. - my $found = - $content =~ s!\A ( # string and capture start - (?:(?: - ^\s* # start of conf line with a - (?:[^<]|<[^/]) # directive which does not - # start with '</' - - .*(?:$)\n # rest of the line. - # the '$' is in parentheses - # to avoid misinterpreting - # the string "$\" as - # perl variable. - - )* # catch as much as possible - # of such lines. (including - # zero) - - ^\s*</.*(?:$)\n? 
# after the above, we - # expect a config line with - # a closing container (</) - - ) {$cntopen} # the whole pattern (bunch - # of lines that end up with - # a closing directive) must - # be repeated $cntopen - # times. That's it. - # Simple, eh? ;-) - - ) # capture end - !$1$c$lmd\n!mx; - - unless ($found) { - error('Configuration file is not valid. There are ' - . 'sections opened and not closed.'); - exit(1); - } - } - } else { - # replace already existing LoadModule line - $content =~ s|^(.*\n)#?\s*$lmd_re[^\n]*\n|$1$c$lmd\n|s; - } - $lmd =~ m|LoadModule\s+(.+?)_module.*|; - notice("[$what module `$1' in $CFG_SYSCONFDIR/$CFG_TARGET.conf]"); + print "activating " . $name . "\n"; + system("a2enmod " . $name); } - if (@lmd) { - if (open(FP, ">$CFG_SYSCONFDIR/$CFG_TARGET.conf.new")) { - print FP $content; - close(FP); - system("cp $CFG_SYSCONFDIR/$CFG_TARGET.conf $CFG_SYSCONFDIR/$CFG_TARGET.conf.bak && " . - "cp $CFG_SYSCONFDIR/$CFG_TARGET.conf.new $CFG_SYSCONFDIR/$CFG_TARGET.conf && " . - "rm $CFG_SYSCONFDIR/$CFG_TARGET.conf.new"); - } else { - notice("unable to open configuration file"); - } - } } } ++++++ httpd-2.2.19-linux3.patch ++++++ --- configure.in.orig +++ configure.in @@ -274,13 +274,7 @@ case $host in APR_SETVAR(SINGLE_LISTEN_UNSERIALIZED_ACCEPT, [1]) ;; *-linux-*) - case `uname -r` in - 2.[[2-9]]* ) - APR_SETVAR(SINGLE_LISTEN_UNSERIALIZED_ACCEPT, [1]) - ;; - * ) - ;; - esac + APR_SETVAR(SINGLE_LISTEN_UNSERIALIZED_ACCEPT, [1]) ;; *486-*-bsdi* | *-netbsd* | *-freebsd* | *-apple-darwin* | *-dec-osf* | *-qnx) APR_SETVAR(SINGLE_LISTEN_UNSERIALIZED_ACCEPT, [1]) ++++++ httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff ++++++ diff -rNU 20 ../httpd-2.2.21-o/server/protocol.c ./server/protocol.c --- ../httpd-2.2.21-o/server/protocol.c 2011-05-07 13:39:29.000000000 +0200 +++ ./server/protocol.c 2011-10-07 17:10:46.000000000 +0200 
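Review bot: the replacement loop body in httpd-2.2.0-apxs-a2enmod.dif, `system("a2enmod " . $name);`, builds a shell command by string concatenation and ignores the return value; use the list form `system('a2enmod', $name) == 0 or error(...)` so the module name is never re-parsed by a shell and a failing a2enmod is reported instead of silently accepted. `$name` is not declared or assigned anywhere in the visible hunk (the removed code worked with `$lmd` and the `$1` captured from `LoadModule\s+(.+?)_module`), so confirm it is set by unchanged code above, otherwise every iteration activates an empty module name. The loop still iterates `foreach $lmd (@lmd)` but no longer uses `$lmd`, and `$c` (set to `#` for `-A`) is now dead, which means the `-A` "prepare" mode that used to insert a commented-out LoadModule now behaves exactly like `-a`; either restore that distinction (a2enmod has no equivalent) or document that `-A` is treated as `-a`.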
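Review bot: httpd-2.2.19-linux3.patch drops the `case `uname -r` in 2.[[2-9]]* )` test, so `SINGLE_LISTEN_UNSERIALIZED_ACCEPT` is now set for every Linux host rather than only for kernels matching `2.[2-9]*`; the patch name suggests the motivation is that 3.x kernel versions no longer match that pattern, and a one-line comment above the `*-linux-*)` case saying so would save the next reader from guessing why the version check vanished.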
@@ -623,40 +623,64 @@ #if 0 /* XXX If we want to keep track of the Method, the protocol module should do * it. That support isn't in the scoreboard yet. Hopefully next week * sometime. rbb */ ap_update_connection_status(AP_CHILD_THREAD_FROM_ID(conn->id), "Method", r->method); #endif uri = ap_getword_white(r->pool, &ll); /* Provide quick information about the request method as soon as known */ r->method_number = ap_method_number_of(r->method); if (r->method_number == M_GET && r->method[0] == 'H') { r->header_only = 1; } ap_parse_uri(r, uri); +/* + https://svn.apache.org/viewvc/httpd/httpd/trunk/server/protocol.c?r1=1178566&r2=1179239&pathrev=1179239&view=patch + This is the fix for CVE-2011-3368; via bnc#722545. + */ + + /* RFC 2616: + * Request-URI = "*" | absoluteURI | abs_path | authority + * + * authority is a special case for CONNECT. If the request is not + * using CONNECT, and the parsed URI does not have scheme, and + * it does not begin with '/', and it is not '*', then, fail + * and give a 400 response. */ + if (r->method_number != M_CONNECT + && !r->parsed_uri.scheme + && uri[0] != '/' + && !(uri[0] == '*' && uri[1] == '\0')) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, + "invalid request-URI %s", uri); + r->args = NULL; + r->hostname = NULL; + r->status = HTTP_BAD_REQUEST; + r->uri = apr_pstrdup(r->pool, uri); + } + if (ll[0]) { r->assbackwards = 0; pro = ll; len = strlen(ll); } else { r->assbackwards = 1; pro = "HTTP/0.9"; len = 8; } r->protocol = apr_pstrmemdup(r->pool, pro, len); /* XXX ap_update_connection_status(conn->id, "Protocol", r->protocol); */ /* Avoid sscanf in the common case */ if (len == 8 && pro[0] == 'H' && pro[1] == 'T' && pro[2] == 'T' && pro[3] == 'P' && pro[4] == '/' && apr_isdigit(pro[5]) && pro[6] == '.' 
&& apr_isdigit(pro[7])) { r->proto_num = HTTP_VERSION(pro[5] - '0', pro[7] - '0'); } ++++++ httpd-2.2.x-bnc690734.patch ++++++ diff -ruN ../httpd-2.2.17-o/server/util_script.c ./server/util_script.c --- ../httpd-2.2.17-o/server/util_script.c 2009-01-12 14:59:56.000000000 +0100 +++ ./server/util_script.c 2011-07-26 15:39:50.000000000 +0200 @@ -406,6 +406,7 @@ { char x[MAX_STRING_LEN]; char *w, *l; + int wlen; int p; int cgi_status = HTTP_UNSET; apr_table_t *merge; @@ -414,7 +415,14 @@ if (buffer) { *buffer = '\0'; } - w = buffer ? buffer : x; + + if (r->server->limit_req_fieldsize + 2 > MAX_STRING_LEN) { + w = apr_palloc(r->pool, r->server->limit_req_fieldsize + 2); + wlen = r->server->limit_req_fieldsize + 2; + } else { + w = buffer ? buffer : x; + wlen = MAX_STRING_LEN; + } /* temporary place to hold headers to merge in later */ merge = apr_table_make(r->pool, 10); @@ -430,7 +438,7 @@ while (1) { - int rv = (*getsfunc) (w, MAX_STRING_LEN - 1, getsfunc_data); + int rv = (*getsfunc) (w, wlen - 1, getsfunc_data); if (rv == 0) { ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_TOCLIENT, 0, r, "Premature end of script headers: %s", @@ -537,9 +545,12 @@ if (!buffer) { /* Soak up all the script output - may save an outright kill */ - while ((*getsfunc) (w, MAX_STRING_LEN - 1, getsfunc_data)) { + while ((*getsfunc) (w, wlen - 1, getsfunc_data)) { continue; } + } else if (w != buffer) { + strncpy(buffer, w, MAX_STRING_LEN - 1); + buffer[MAX_STRING_LEN - 1] = 0; } ap_log_rerror(APLOG_MARK, APLOG_ERR|APLOG_TOCLIENT, 0, r, ++++++ httpd-2.2.x-bnc777260-CVE-2012-2687-mod_negotiation_filename_xss.diff ++++++ diff -rNU 20 ../httpd-2.2.22-o/modules/mappers/mod_negotiation.c ./modules/mappers/mod_negotiation.c --- ../httpd-2.2.22-o/modules/mappers/mod_negotiation.c 2011-09-08 17:59:38.000000000 +0200 +++ ./modules/mappers/mod_negotiation.c 2013-01-28 15:09:56.000000000 +0100 
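Review bot: the new Request-URI check in httpd-2.2.x-CVE-2011-3368-server_protocl_c.diff sets `r->status = HTTP_BAD_REQUEST` and falls through instead of returning, so the caller must test `r->status` before any module sees `r->uri`; confirm the unchanged call site does that, since a status that goes unchecked would let a rejected URI reach the proxy and rewrite code the check exists to protect. The explanatory comment carrying the svn URL and the bnc reference starts at column 0 inside an indented function and reads as a merge artifact; indent it with the surrounding code. The `ap_log_rerror(... "invalid request-URI %s", uri)` line writes the raw client-supplied URI into the error log at APLOG_ERR, which is useful for diagnosis but means log consumers should expect arbitrary bytes on that line.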
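Review bot: in httpd-2.2.x-bnc690734.patch, when `r->server->limit_req_fieldsize + 2 > MAX_STRING_LEN` the header lines are read into a pool buffer of `wlen` bytes, but the final `else if (w != buffer)` branch copies at most `MAX_STRING_LEN - 1` bytes back into the caller's `buffer`, so the line handed back for the error message is silently truncated; acceptable for a diagnostic, but the truncation should be stated in a comment next to the `strncpy`. The default case is preserved (`wlen = MAX_STRING_LEN` whenever the limit fits), and both branches assign `wlen` before the `getsfunc` loop uses it, so the new `int wlen;` cannot be read uninitialised.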
@@ -2641,43 +2641,43 @@ * fill it with the variant list, and then concatenate the entire array. */ arr = apr_array_make(r->pool, max_vlist_array, sizeof(char *)); *((const char **) apr_array_push(arr)) = "Available variants:\n<ul>\n"; for (i = 0; i < neg->avail_vars->nelts; ++i) { var_rec *variant = &((var_rec *) neg->avail_vars->elts)[i]; const char *filename = variant->file_name ? variant->file_name : ""; apr_array_header_t *languages = variant->content_languages; const char *description = variant->description ? variant->description : ""; /* The format isn't very neat, and it would be nice to make * the tags human readable (eg replace 'language en' with 'English'). * Note that if you change the number of substrings pushed, you also * need to change the calculation of max_vlist_array above. */ *((const char **) apr_array_push(arr)) = "<li><a href=\""; - *((const char **) apr_array_push(arr)) = filename; + *((const char **) apr_array_push(arr)) = ap_escape_path_segment(r->pool, filename); *((const char **) apr_array_push(arr)) = "\">"; - *((const char **) apr_array_push(arr)) = filename; + *((const char **) apr_array_push(arr)) = ap_escape_html(r->pool, filename); *((const char **) apr_array_push(arr)) = "</a> "; *((const char **) apr_array_push(arr)) = description; if (variant->mime_type && *variant->mime_type) { *((const char **) apr_array_push(arr)) = ", type "; *((const char **) apr_array_push(arr)) = variant->mime_type; } if (languages && languages->nelts) { *((const char **) apr_array_push(arr)) = ", language "; *((const char **) apr_array_push(arr)) = apr_array_pstrcat(r->pool, languages, ','); } if (variant->content_charset && *variant->content_charset) { *((const char **) apr_array_push(arr)) = ", charset "; *((const char **) apr_array_push(arr)) = variant->content_charset; } if (variant->content_encoding) { *((const char **) apr_array_push(arr)) = ", encoding "; *((const char **) apr_array_push(arr)) = variant->content_encoding; } ++++++ 
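Review bot: the two changed lines in httpd-2.2.x-bnc777260-CVE-2012-2687-mod_negotiation_filename_xss.diff escape `filename` once with `ap_escape_path_segment` for the `href="..."` attribute and once with `ap_escape_html` for the link text, which is the right pair of contexts. The same loop still pushes `description`, `variant->mime_type`, `variant->content_charset` and `variant->content_encoding` into the same HTML unescaped; if any of those can originate from the same uploader-controlled source as the filename, they need `ap_escape_html` as well, and if they cannot, a comment should record that assumption so the next reader does not have to rederive it.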
httpd-2.2.x-bnc798733-SNI_ignorecase.diff ++++++ diff -rNU 20 ../httpd-2.2.22-o/modules/ssl/ssl_engine_kernel.c ./modules/ssl/ssl_engine_kernel.c --- ../httpd-2.2.22-o/modules/ssl/ssl_engine_kernel.c 2013-01-28 14:59:57.000000000 +0100 +++ ./modules/ssl/ssl_engine_kernel.c 2013-01-28 15:02:47.000000000 +0100 
@@ -119,41 +119,41 @@ #ifndef OPENSSL_NO_TLSEXT if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) { char *host, *scope_id; apr_port_t port; apr_status_t rv; /* * The SNI extension supplied a hostname. So don't accept requests * with either no hostname or a different hostname. */ if (!r->hostname) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, "Hostname %s provided via SNI, but no hostname" " provided in HTTP request", servername); return HTTP_BAD_REQUEST; } rv = apr_parse_addr_port(&host, &scope_id, &port, r->hostname, r->pool); if (rv != APR_SUCCESS || scope_id) { return HTTP_BAD_REQUEST; } - if (strcmp(host, servername)) { + if (strcasecmp(host, servername)) { ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, "Hostname %s provided via SNI and hostname %s provided" " via HTTP are different", servername, host); return HTTP_BAD_REQUEST; } } else if ((((mySrvConfig(r->server))->strict_sni_vhost_check == SSL_ENABLED_TRUE) || (mySrvConfig(sslconn->server))->strict_sni_vhost_check == SSL_ENABLED_TRUE) && r->connection->vhost_lookup_data) { /* * We are using a name based configuration here, but no hostname was * provided via SNI. Don't allow that if are requested to do strict * checking. Check wether this strict checking was setup either in the * server config we used for handshaking or in our current server. * This should avoid insecure configuration by accident. */ ap_log_error(APLOG_MARK, APLOG_ERR, 0, r->server, "No hostname was provided via SNI for a name based" ++++++ httpd-2.x.x-logresolve.patch ++++++ diff -Naur ../httpd-2.2.4.orig/support/logresolve.pl.in ./support/logresolve.pl.in --- ../httpd-2.2.4.orig/support/logresolve.pl.in 2006-07-12 05:38:44.000000000 +0200 +++ ./support/logresolve.pl.in 2007-10-23 13:59:27.000000000 +0200 @@ -57,6 +57,7 @@ use FileHandle; use Socket; +use File::Temp; use strict; no strict 'refs'; 
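Review bot: replacing `strcmp(host, servername)` by `strcasecmp(host, servername)` in httpd-2.2.x-bnc798733-SNI_ignorecase.diff makes the SNI name versus Host header comparison case-insensitive, which matches how host names are compared, so requests that differ only in letter case no longer get a spurious 400; record that reason in the comment block above the check ("The SNI extension supplied a hostname...") and note that the comparison remains a byte-wise ASCII one, so a Host with a trailing dot still mismatches, which is the intended strictness. The context line "Check wether this strict checking" carries a typo (whether) that could be fixed in the same patch.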
@@ -71,11 +72,13 @@ my %hash = (); my $parent = $$; +my $tempdir = File::Temp::tempdir("logresolve.pl2.sockets.XXXXXX", CLEANUP => 1); + my @children = (); for (my $child = 1; $child <=$CHILDREN; $child++) { my $f = fork(); if (!$f) { - $filename = "./.socket.$parent.$child"; + $filename = "$tempdir/socket.$parent.$child"; if (-e $filename) { unlink($filename) || warn "$filename .. $!\n";} &child($child); exit(0); @@ -91,9 +94,9 @@ # die kiddies, die kill(15, @children); for (my $child = 1; $child <=$CHILDREN; $child++) { - if (-e "./.socket.$parent.$child") { - unlink("./.socket.$parent.$child") - || warn ".socket.$parent.$child $!"; + if (-e "$tempdir/socket.$parent.$child") { + unlink("$tempdir/socket.$parent.$child") + || warn "$tempdir/socket.$parent.$child $!"; } } } @@ -113,7 +116,7 @@ if (!socket($CHILDSOCK{$child}, AF_UNIX, SOCK_STREAM, $PROTOCOL)) { warn "parent socket to child failed $!"; } - $filename = "./.socket.$parent.$child"; + $filename = "$tempdir/socket.$parent.$child"; my $response; do { $response = connect($CHILDSOCK{$child}, sockaddr_un($filename)); @@ -176,7 +179,7 @@ # create a socket to communicate with parent socket(INBOUND, AF_UNIX, SOCK_STREAM, $PROTOCOL) || die "Error with Socket: !$\n"; - $filename = "./.socket.$parent.$me"; + $filename = "$tempdir/socket.$parent.$me"; bind(INBOUND, sockaddr_un($filename)) || die "Error Binding $filename: $!\n"; listen(INBOUND, 5) || die "Error Listening: $!\n"; ++++++ httpd-keepalivetimeout-millisecs.patch ++++++ --- modules/http/http_core.c.orig +++ modules/http/http_core.c 
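Review bot: File::Temp::tempdir() called with a bare template and neither `TMPDIR => 1` nor `DIR => ...` creates the directory under the current working directory, so the sockets still live wherever logresolve.pl happens to be started; the real gain over the old `./.socket.$parent.$child` names is that the directory is now created by mkdtemp with an unpredictable name and mode 0700, which closes the predictable-path problem in a shared or world-writable cwd. If the intent was the system temp directory, add `TMPDIR => 1` to the tempdir() call (it also keeps the path short, which matters because sockaddr_un() paths are limited to roughly 108 bytes on Linux and a deep cwd plus the template can exceed that). With a fresh private directory and `CLEANUP => 1`, the `if (-e $filename) { unlink(...) }` in the child and the per-socket unlink loop in the parent become redundant and could be dropped in a follow-up.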
@@ -47,12 +47,15 @@ static int ap_process_http_connection(co static const char *set_keep_alive_timeout(cmd_parms *cmd, void *dummy, const char *arg) { + apr_interval_time_t timeout; const char *err = ap_check_cmd_context(cmd, NOT_IN_DIR_LOC_FILE|NOT_IN_LIMIT); if (err != NULL) { return err; } - - cmd->server->keep_alive_timeout = apr_time_from_sec(atoi(arg)); + /* Stolen from mod_proxy.c */ + if (ap_timeout_parameter_parse(arg, &timeout, "s") != APR_SUCCESS) + return "KeepAliveTimeout has wrong format"; + cmd->server->keep_alive_timeout = timeout; return NULL; } ++++++ httpd-mod_deflate_head.patch ++++++ --- modules/filters/mod_deflate.c.orig +++ modules/filters/mod_deflate.c @@ -582,6 +582,20 @@ static apr_status_t deflate_out_filter(a apr_bucket *b; apr_size_t len; + /* + * Optimization: If we are a HEAD request and bytes_sent is not zero + * it means that we have passed the content-length filter once and + * have more data to sent. This means that the content-length filter + * could not determine our content-length for the response to the + * HEAD request anyway (the associated GET request would deliver the + * body in chunked encoding) and we can stop compressing. + */ + if (r->header_only && r->bytes_sent) { + ap_remove_output_filter(f); + return ap_pass_brigade(f->next, bb); + } + + e = APR_BRIGADE_FIRST(bb); if (APR_BUCKET_IS_EOS(e)) { ++++++ httpd-new_pcre.patch ++++++ Index: server/util_pcre.c =================================================================== --- server/util_pcre.c.orig 2012-02-11 10:07:31.000000000 +0100 +++ server/util_pcre.c 2012-02-11 10:08:23.062838133 +0100 @@ -128,6 +128,7 @@ AP_DECLARE(int) ap_regcomp(ap_regex_t *p const char *errorptr; int erroffset; int options = 0; +int nsub; if ((cflags & AP_REG_ICASE) != 0) options |= PCRE_CASELESS; if ((cflags & AP_REG_NEWLINE) != 0) options |= PCRE_MULTILINE; 
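Review bot: replacing `apr_time_from_sec(atoi(arg))` with ap_timeout_parameter_parse() tightens input validation, since atoi() silently turned a non-numeric value into 0 (immediate keep-alive expiry) whereas the new code rejects the directive at config test; the one-statement `if (...) return ...;` should still get braces to match the surrounding style, and the error string would help operators more if it named the accepted form, e.g. "KeepAliveTimeout has wrong format (number of seconds, optionally with a unit suffix)". Passing "s" as the default unit also means suffixed values such as `500ms` are now accepted, a behaviour change the directive's documentation should mention, and this patch touches only http_core.c. The comment "Stolen from mod_proxy.c" would read better as "Same parsing as mod_proxy's timeout directives".

Review bot: the early exit `if (r->header_only && r->bytes_sent)` depends on bytes_sent being non-zero only after the first brigade of this HEAD response has already gone through the content-length filter, which the comment explains, but the comment has a slip ("have more data to sent" should be "to send") and the hunk adds two blank lines before `e = APR_BRIGADE_FIRST(bb);` where one is enough. It is also worth one more sentence in the comment stating that `Content-Encoding` may already have been set and sent with the first pass while the remaining (discarded) body is no longer compressed, and that this is harmless only because a HEAD response carries no body, so a future reader does not "fix" it by touching the headers.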
@@ -137,7 +138,9 @@ preg->re_erroffset = erroffset; if (preg->re_pcre == NULL) return AP_REG_INVARG; -preg->re_nsub = pcre_info((const pcre *)preg->re_pcre, NULL, NULL); +pcre_fullinfo((const pcre *)preg->re_pcre, NULL, + PCRE_INFO_CAPTURECOUNT, &nsub); +preg->re_nsub = nsub; return 0; } ++++++ load_configuration ++++++ #!/bin/bash : ${sysconfig_apache:=/etc/sysconfig/apache2} # # load the configuration, but only if it hasn't been done already # if [ -z "$APACHE_MODULES" ]; then . $sysconfig_apache fi ++++++ permissions.apache2 ++++++ /usr/sbin/suexec2 root:root 4755 ++++++ rc.apache2 ++++++ #!/bin/sh # # Copyright (c) 1996, 1997, 1998 S.u.S.E. GmbH # Copyright (c) 1998, 1999, 2000, 2001 SuSE GmbH # Copyright (c) 2002, 2003, (2004?) SuSE Linux AG # Copyright (c) 2004(?), 2005, 2006, 2007, 2008 SUSE Linux Products GmbH # # Authors: Rolf Haberrecker <apache@suse.de>, 2001 # Peter Poeml <apache@suse.de>, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011. # Roman Drahtmueller <draht@suse.de>, 2010, 2011, 2012. # # # /etc/init.d/apache2 # ### BEGIN INIT INFO # Provides: apache apache2 httpd # Required-Start: $local_fs $remote_fs $network # Should-Start: $named $time postgresql sendmail mysql ypclient dhcp radiusd # Should-Stop: $named $time postgresql sendmail mysql ypclient dhcp radiusd # Required-Stop: $local_fs $remote_fs $network # Default-Start: 3 5 # Default-Stop: 0 1 2 6 # X-Interactive: true # Short-Description: Apache 2.2 HTTP Server # Description: Start the Apache HTTP daemon ### END INIT INFO pname=apache2 : ${sysconfdir:=/etc/$pname} : ${apache_link:=/usr/sbin/httpd2} : ${sysconfig_apache:=/etc/sysconfig/$pname} : ${pidfile:=/var/run/httpd2.pid} : ${logdir:=/var/log/$pname} : ${homedir:=/var/lib/$pname} # # load the configuration # # # Note about ulimits: # if you want to set ulimits, e.g. 
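Review bot: the return value of pcre_fullinfo() is not checked, and `nsub` is declared without an initializer in the first hunk, so on any non-zero return (bad magic number, unsupported `what`) `preg->re_nsub` would be assigned from an uninitialized int that callers then trust to decide how many capture groups they may reference. Suggest `int nsub = 0;` in the first hunk and, in the second, `if (pcre_fullinfo(...) != 0) return AP_REG_INVARG;` (or a comparable error path) instead of the bare call. The move from the removed pcre_info() to pcre_fullinfo(PCRE_INFO_CAPTURECOUNT) is otherwise the documented replacement.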
# to increase the max number of open file handle,
# or to allow core files, you can do so by editing /etc/sysconfig/apache2 and
# simply write the ulimit commands into that file.
# Example:
# ulimit -n 16384
# ulimit -H -n 16384
# ulimit -c unlimited
# See the output of "help ulimit" in the bash, or "man 1 ulimit".
#
test -s /etc/rc.status && . /etc/rc.status && rc_reset
. /usr/share/$pname/load_configuration
export ${!APACHE_*}

httpd_conf=${APACHE_HTTPD_CONF:-$sysconfdir/httpd.conf}
apache_bin=$(/usr/share/$pname/find_mpm 2>/dev/null)
test -L $apache_link && apache_bin=$(readlink $apache_link)
if [ -z "$APACHE_MPM" ]; then
    APACHE_MPM=${apache_bin##*-}
fi

if ! [ -x $apache_bin ]; then
    echo >&2 ${warn}$apache_bin-$APACHE_MPM is not a valid httpd2 binary.
    echo >&2 Check your APACHE_MPM setting in /etc/sysconfig/$pname. $norm
    rc_failed 5
    rc_status -v1
    rc_exit
fi

# a proper home should be set, otherwise the server might end up
# with HOME=/root and some script might try to use that
HOME=$homedir

get_server_flags() {
    unset server_flags
    case "$action" in
        startssl) server_flags="-DSSL";;
    esac
    for i in $APACHE_SERVER_FLAGS; do
        case $i in
            -D) ;;
            -D*) server_flags="$server_flags $i";;
            *) server_flags="$server_flags -D$i";;
        esac
    done
}

action="$1"
case "$action" in
    stop|try-restart|*status*|probe) ;;
    *)
        shift; get_server_flags
        ${get_module_list_done:=false} || /usr/share/$pname/get_module_list && export get_module_list_done=true
        ${get_includes:=false} || /usr/share/$pname/get_includes && export get_includes_done=true
        ;;
esac

#
# main part
#
case "$action" in
    start*)
        if [ -e $pidfile ]; then
            $0 status &>/dev/null
            ret=$?
            if [ $ret = 1 ]; then
                echo "Warning: found stale pidfile (unclean shutdown?)"
            elif [ $ret = 0 ]; then
                echo "Apache is already running ($pidfile)"
                rc_failed $ret
                rc_status -v1
                rc_exit
            fi
        fi
        echo -n "Starting httpd2 (${APACHE_MPM:-${apache_bin#*-}}) "
        cmdline=$(echo $apache_bin -f $httpd_conf $server_flags "$@")
        if eval $cmdline -t > $logdir/rc$pname.out 2>&1 ; then
            export -n ${!APACHE_*}
            eval startproc -f -t ${APACHE_START_TIMEOUT:-2} $cmdline
            ret=$?
            if test -t 1 && stty -a 2>/dev/null | grep -q -- -echo\ ; then
                # this means that apache was still waiting for a passphrase to be entered
                stty echo 2>/dev/null
                echo;echo
                echo >&2 An SSL passphrase has not been entered within ${APACHE_START_TIMEOUT:-<not set>} seconds.
                echo >&2 To increase this timeout, adjust APACHE_START_TIMEOUT in $sysconfig_apache .
                # this surely means that apache won't start, despite it looked good to startproc
                killall $apache_bin
                echo >&2 "Trying to start the server without SSL (-D NOSSL)."
                $0 start "$@" -D NOSSL
                # rc_failed 1
                # rc_status -v1
                # rc_exit
            else
                rc_failed $ret
                rc_status -v
            fi
        else
            if [ "$link" = "$base" ] ; then
                cat $logdir/rc$pname.out
                echo >&2
                echo >&2 The command line was:
                echo >&2 $cmdline
                echo >&2
            else
                echo -e -n "\nsee $logdir/rc$pname.out for details\n";
            fi
            rc_failed 1
            rc_status -v1
        fi
        ;;
    stop)
        echo -n "Shutting down httpd2 "
        if [ ! -f $pidfile -a -f $pidfile.rpmsave ]; then mv $pidfile.rpmsave $pidfile; fi
        if ! [ -f $pidfile ]; then
            echo -n "(not running)"
        else
            pid=$(<$pidfile)
            # re-read exe symlink, it could be (deleted) in the meanwhile.
            apache_bin=$(readlink /proc/$pid/exe 2>/dev/null)
            kill -TERM $pid 2>/dev/null
            case $? in
                1) echo -n "(not running)";;
                0)
                    # wait until the processes are gone (the parent is the last one)
                    echo -n "(waiting for all children to terminate) "
                    for ((wait=0; wait<120; wait++)); do
                        if test -f $pidfile; then
                            usleep 500000
                            continue
                        fi
                        if ! test -f /proc/$pid/exe; then
                            break
                        fi
                        if test "$(readlink /proc/$pid/exe 2>/dev/null)" = "$apache_bin"; then
                            usleep 500000
                        else
                            break
                        fi
                    done
                    ;;
            esac
        fi
        rc_status -v
        ;;
    stop-graceful)
        echo "Shutting down httpd2 gracefully (SIGWINCH)"
        if ! [ -f $pidfile ]; then
            echo -n "(not running)"
        else
            pid=$(<$pidfile)
            kill -WINCH $pid 2>/dev/null
            case $? in
                1) echo -n "(not running)";;
                0)
                    # wait until the pidfile is gone. The parent stays there, but closes the listen ports.
                    echo -n "(waiting for parent to close listen ports and remove pidfile) "
                    for ((wait=0; wait<120; wait++)); do
                        if test -f $pidfile; then
                            usleep 500000
                            continue
                        else
                            break
                        fi
                    done
                    ;;
            esac
        fi
        rc_status -v
        ;;
    try-restart)
        ## Do a restart only if the service was active before.
        ## Note: try-restart is now part of LSB (as of 1.9).
        ## RH has a similar command named condrestart.
        $0 status
        if test $? = 0; then
            $0 restart
        else
            rc_reset        # Not running is not a failure.
        fi
        # Remember status and be quiet
        rc_status
        ;;
    restart)
        $0 configtest "$@" || { rc_failed $?; rc_exit; }
        if $0 status &>/dev/null; then
            $0 stop
        fi
        $0 start "$@"
        # Remember status and be quiet
        rc_status
        ;;
    restart-hup)
        $0 configtest "$@" || { rc_failed $?; rc_exit; }
        if $0 status &>/dev/null; then
            echo -n "Restarting httpd2 (SIGHUP)"
            kill -HUP $(<$pidfile) || return=$rc_failed
        else
            $0 start "$@"
        fi
        # Remember status and be quiet
        rc_status -v
        ;;
    restart-graceful)
        $0 configtest "$@" || { rc_failed $?; rc_exit; }
        if $0 status &>/dev/null; then
            $0 stop-graceful "$@"
            $0 start "$@"
        else
            $0 start "$@"
        fi
        # Remember status and be quiet
        rc_status
        ;;
    reload|force-reload|graceful)
        # check if there is a deleted binary. If there is, then logrotate
        # or other occasions will fail to reload, as dlopen(3) of apache
        # modules is prone to fail due to symbol mismatches.
        # in this case, we only complain and fail.
        if [ ! -f $pidfile -a -f $pidfile.rpmsave ]; then mv $pidfile.rpmsave $pidfile; fi
        executable=$( readlink /proc/$(cat $pidfile)/exe 2> /dev/null )
        case "$executable" in
            *httpd*delete*)
                echo -n "Reload httpd2 after package update: ignoring request. Please do a manual restart explicitly! "
                rc_failed 1
                rc_status -v
                rc_exit
                ;;
            *) ;;
        esac
        echo -n "Reload httpd2 (graceful restart)"
        cmdline=$(echo $apache_bin -f $httpd_conf $server_flags "$@")
        if eval $cmdline -t &> $logdir/rc$pname.out; then
            killproc -USR1 $apache_bin || return=$rc_failed
            rc_status -v
        else
            if [ "$link" = "$base" ] ; then
                echo -e -n "\n\n"
                cat $logdir/rc$pname.out
                echo >&2
                echo >&2 The command line was:
                echo >&2 $cmdline
                echo >&2
            else
                echo -e -n "\nsee $logdir/rc$pname.out for details\n";
            fi
            rc_failed 6
            rc_status -v1
        fi
        ;;
    status)
        if [ ! -f $pidfile -a -f $pidfile.rpmsave ]; then mv $pidfile.rpmsave $pidfile; fi
        echo -n "Checking for httpd2: "
        # we don't use checkproc here since it is confused when we exchange the binaries
        if ! [ -f $pidfile ]; then
            # not running
            rc_failed 3
        elif [ -s $pidfile -a -d /proc/$(<$pidfile) ]; then
            # running
            :
        else
            # stale pid file
            rc_failed 1
            #rm -f $pidfile
        fi
        rc_status -v
        ;;
    probe)
        ## Optional: Probe for the necessity of a reload,
        ## give out the argument which is required for a reload.
        for i in $httpd_conf \
                 $APACHE_CONF_INCLUDE_FILES \
                 $APACHE_CONF_INCLUDE_DIRS
        do
            if [ $i -nt $pidfile ]; then
                echo reload
                break
            fi
        done
        ;;
    conf*|test|syntax|check)
        cmdline=$(echo $apache_bin -f $httpd_conf $server_flags "$@")
        eval $cmdline -t
        rc_failed $?
        rc_exit
        ;;
    extr*)
        cmdline=$(echo $apache_bin -f $httpd_conf $server_flags "$@")
        out=$(su - nobody -c "$cmdline" 2>&1)
        case $out in
            *make_sock:\ could\ not\ bind\ to\ address*) echo Syntax: OK; rc_failed=0;;
            *) echo Syntax: NOT OK:; echo $out; rc_failed=1;;
        esac
        rc_exit
        ;;
    server-status)
        apache2ctl status
        ;;
    full-server-status|fullstatus)
        apache2ctl fullstatus
        ;;
    *)
        cat >&2 <<-EOF
	Usage: $0 <command> <server flags>
	where <command> is one of:
	    start                - start httpd
	    startssl             - start httpd with -DSSL
	    stop                 - stop httpd (sending SIGTERM to parent)
	    try-restart          - stop httpd and if this succeeds (i.e. if
	                           it was running before), start it again.
	    status               - check whether httpd is running
	    restart              - stop httpd if running; start httpd
	    restart-graceful     - stop httpd gracefully if running; start httpd
	    reload|graceful      - do a graceful restart by sending a SIGUSR1,
	                           or start if not running
	    stop-graceful        - stop httpd (sending SIGWINCH to parent)
	    configtest           - do a configuration syntax test
	    extreme-configtest   - try to run httpd as nobody (detects more
	                           errors by actually loading the configuration,
	                           but cannot read SSL certificates)
	    probe                - probe for the necessity of a reload,
	                           give out the argument which is required
	                           for a reload. (by comparing conf files
	                           with pidfile timestamp)
	    full-server-status   - dump a full status screen; requires lynx
	                           or w3m and mod_status enabled
	    server-status        - dump a short status screen; requires lynx
	                           or w3m and mod_status enabled
	    help                 - this screen

	optional server flags are passed through to httpd.
	EOF
        exit 1
esac

# Inform the caller not only verbosely and set an exit status.
rc_exit

++++++ robots.txt ++++++
# exclude help system from robots
User-agent: *
Disallow: /manual/
Disallow: /doc/
Disallow: /gif/

# but allow htdig to index our doc-tree
User-agent: susedig
Disallow:

# disallow stress test
user-agent: stress-agent
Disallow: /

++++++ ssl-mode-release-buffers.patch ++++++
--- modules/ssl/ssl_engine_init.c.orig +++ modules/ssl/ssl_engine_init.c
@@ -482,7 +482,9 @@ static void ssl_init_ctx_protocol(server } mctx->ssl_ctx = ctx; - +#ifdef SSL_MODE_RELEASE_BUFFERS + SSL_CTX_set_mode(ctx, SSL_MODE_RELEASE_BUFFERS); +#endif SSL_CTX_set_options(ctx, SSL_OP_ALL); if (!(protocol & SSL_PROTOCOL_SSLV2)) {

++++++ start_apache2 ++++++
#!/bin/sh
#
# Copyright (c) 1996, 1997, 1998 S.u.S.E. GmbH
# Copyright (c) 1998, 1999, 2000, 2001 SuSE GmbH
# Copyright (c) 2002, 2003, (2004?) SuSE Linux AG
# Copyright (c) 2004(?), 2005, 2006, 2007, 2008 SUSE Linux Products GmbH
#
# Authors: Rolf Haberrecker <apache@suse.de>, 2001
#          Peter Poeml <apache@suse.de>, 2002, 2003, 2004, 2005, 2006, 2007,
#          2008, 2009, 2010
#
#

pname=apache2

. /usr/share/$pname/load_configuration
export ${!APACHE_*}

apache_link=/usr/sbin/httpd2
apache_bin=$(/usr/share/$pname/find_mpm 2>/dev/null)
httpd_conf=${APACHE_HTTPD_CONF:-/etc/apache2/httpd.conf}

test -L $apache_link && apache_bin=$(readlink $apache_link)
if [ -z "$APACHE_MPM" ]; then
    APACHE_MPM=${apache_bin##*-}
fi

if ! [ -x $apache_bin ]; then
    echo >&2 $apache_bin-$APACHE_MPM is not a valid httpd2 binary.
    echo >&2 Check your APACHE_MPM setting in /etc/sysconfig/$pname.
    exit 5
fi

# a proper home should be set, otherwise the server might end up
# with HOME=/root and some script might try to use that
HOME=/var/lib/apache2

unset server_flags
case "$action" in
    startssl) server_flags="-DSSL";;
esac
for i in $APACHE_SERVER_FLAGS; do
    case $i in
        -D) ;;
        -D*) server_flags="$server_flags $i";;
        *) server_flags="$server_flags -D$i";;
    esac
done

${get_module_list_done:=false} || /usr/share/$pname/get_module_list && export get_module_list_done=true
${get_includes:=false} || /usr/share/$pname/get_includes && export get_includes_done=true

export -n ${!APACHE_*}

exec $apache_bin -f $httpd_conf $server_flags $@

++++++ sysconf_addword ++++++
#!/bin/bash
# Copyright 2005 Peter Poeml <apache@suse.de>. All Rights Reserved.
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.

debug=false

function usage() {
    cat <<-EOF
	usage: $(basename $0) [-r] FILE VAR WORD

	Add word WORD to variable VAR in file FILE, or remove it if the -r option
	is given.

	Example:
	  $(basename $0) /etc/sysconfig/apache2 APACHE_SERVER_FLAGS asdf

	leads to the change:
	  -APACHE_SERVER_FLAGS="SSL STATUS ruby"
	  +APACHE_SERVER_FLAGS="SSL STATUS ruby asdf"

	If multiple lines matching ^VAR= are found (which happens to be a habit of
	mine), only the last one is manipulated.

	It does not work for WORD starting with characters like a dash which prevent
	word boundary matching.
	EOF
}

function find_last_occurrence () {
    # takes two arguments, FILE and VAR
    # and return the number of the last line where
    # VAR occurs in FILE (not commented)
    grep -n -- "^[[:space:]]*$1" $2 | tail -n 1 | cut -d: -f1
}

function word_present () {
    . $file
    case " ${!var} " in
        *" $word "*) true;;
        *) false;;
    esac
}

function add_word() {
    local word=$1
    local word_quoted=$2
    if ! word_present; then
        $debug && cp $file $tmpf
        sed -i -e "${lineno} {
            s/^[[:space:]]*\($var=\".*\)\(\".*\)/\1 $word_quoted\2/;
            s/=\" /=\"/
        }" $file
        $debug && diff -u $tmpf $file
    else
        echo \"$word\" already present
    fi
    # some balancing for vim"s syntax highlighting
}

function remove_word() {
    local word=$1
    local word_quoted=$2
    if word_present; then
        $debug && cp $file $tmpf
        sed -i -e "${lineno} {
            s/\(['\" ]\)$word_quoted\(['\" ]\)/\1 \2/g
            s/  / /g
        }" $file
        $debug && diff -u $tmpf $file
    else
        echo \"$word\" not present
    fi
    # some balancing for vim"s syntax highlighting
}

# poor man's option parsing
case "$1" in
    -h) usage; exit 0;;
esac

if [ $# -lt 3 ]; then
    echo not enough arguments
    echo
    usage; exit 1
fi

action=add
case "$1" in
    -r) action=remove; shift;;
esac

file=$1; shift
var=$1; shift
word=$1
word_quoted=${1//\//\\\/}

if $debug; then
    echo FILE: $file
    echo VAR: $var
    echo WORD: $word
    echo current content:
    grep "^$var=" $file | tail -n 1
    echo
fi

if ! [ -r $file ]; then
    echo ${0##*/}: file $file is not a readable file
    exit 1
fi

lineno=$(find_last_occurrence $var $file)
if [ -z $lineno ]; then
    echo ${0##*/}: variable $var does not occur in $file
    exit 1
fi

$debug && tmpf=$(mktemp /tmp/$(basename $0).XXXXXX)

if [ $action = add ]; then
    add_word $word $word_quoted $lineno
else
    remove_word $word $word_quoted $lineno
fi

$debug && rm -f $tmpf

exit 0

++++++ sysconfig.apache2 ++++++
## Path:        Network/WWW/Apache2
## Description: Configuration for Apache 2
## Type:        string
## Default:     ""
## ServiceRestart: apache2
#
# Here you can name files, separated by spaces, that should be Include'd from
# httpd.conf.
#
# This allows you to add e.g. VirtualHost statements without touching
# /etc/apache2/httpd.conf itself, which makes upgrading easier.
#
APACHE_CONF_INCLUDE_FILES=""

## Type:        string
## Default:     ""
## ServiceRestart: apache2
#
# Here you can name directories, separated by spaces, that should be Include'd
# from httpd.conf.
#
# All files contained in these directories will be recursively included by apache.
# If a pattern like *.conf is appended, apache will use it.
#
# Examples: "/etc/apache2/my_conf/"
#           "/etc/apache2/virtual_hosts/*.conf"
#           "local/*.conf /srv/www/virtual/"
#
APACHE_CONF_INCLUDE_DIRS=""

## Type:        string
## Default:     "actions alias auth_basic authz_host authn_file authz_groupfile authz_default authz_user autoindex cgi dir env expires include log_config mime negotiation setenvif ssl suexec userdir php5"
## ServiceRestart: apache2
#
# [It might look silly to not simply edit httpd.conf for the LoadModule statements.
# However, since the LoadModule statements might need an absolute path to the modules,
# switching between MPMs can be quite a hassle. It's easier to just give the names here.]
#
# * list of all modules shipped with the base distribution:
#   @@all_modules@@
#
#   see http://httpd.apache.org/docs-2.2/mod/ !
#
# * It pays to use IfDefine statements... like
#   <IfModule mod_xyz.c>
#       ....
#   </IfModule>
#
# * In the APACHE_MODULES variable, you can use mod_xyz or just xyz syntax.
#   You may also name an absolute path if you like.
#
# * NOTE ON SSL: before you can use mod_ssl, you need a server certificate.
#   A test certificate can be created by entering
#   'cd /usr/share/doc/packages/apache2; ./certificate.sh' as root.
#   Also, you need to set the ServerName inside the <VirtualHost _default_:443>
#   block to the fully qualified domain name (see /etc/HOSTNAME).
# * if your server certificate is protected by a passphrase you should increase the
#   APACHE_START_TIMEOUT (see above)
# * to finally enable ssl support, you need to add 'SSL' to APACHE_SERVER_FLAGS
#   below.
#
# * modules listed here will be ignored if they are not installed
#
#
# EXAMPLES:
#
# fairly minimal
# APACHE_MODULES="authz_host alias auth dir log_config mime setenvif"
#
# apache's default installation
# APACHE_MODULES="authz_host actions alias asis auth autoindex cgi dir imap include log_config mime negotiation setenvif status userdir"
#
# your settings
APACHE_MODULES="actions alias auth_basic authn_file authz_host authz_groupfile authz_default authz_user autoindex cgi dir env expires include log_config mime negotiation setenvif ssl userdir php5 reqtimeout"

## Type:        string
## Default:     ""
## ServiceRestart: apache2
#
# Additional server flags:
#
# Put here any server flags ("Defines") that you want to hand over to
# httpd at start time, or other command line flags.
#
# Background: Any directives within an <IfDefine flag>...</IfDefine>
# section are only processed if the flag is defined.
# This allows you to write configuration which is active only in
# special cases, like during server maintenance, or for testing
# something temporarily.
#
# Notably, to enable ssl support, 'SSL' needs to be added here.
# To enable the server-status, 'STATUS' needs to be added here.
#
# It does not matter if you write flag1, -D flag1 or -Dflag1.
# Multiple flags can be given as "-D flag1 -D flag2" or simply "flag1 flag2".
#
# Specifying such flags here is equivalent to giving them on the commandline.
# (e.g. via rcapache2 start -DReverseProxy)
#
# Example:
# "SSL STATUS AWSTATS SVN_VIEWCVS no_subversion_today"
#
APACHE_SERVER_FLAGS=""

## Type:        string
## Default:     ""
## ServiceRestart: apache2
#
# Which config file do you want to use?
# (if not set, /etc/apache2/httpd.conf is used.)
# It is unusual to need to use this setting.
#
# Note about ulimits:
# if you want to set ulimits, e.g. to increase the max number of open file handles,
# or to allow core files, you can do so by editing /etc/sysconfig/apache2 and
# simply write the ulimit commands into that file.
# Example:
# ulimit -n 16384
# ulimit -H -n 16384
# ulimit -c unlimited
# See the output of "help ulimit" in the bash, or "man 1 ulimit".
#
APACHE_HTTPD_CONF=""

## Type:        list(prefork,worker,event,itk)
## Default:     ""
## ServiceRestart: apache2
#
# MPM (multi-processing module) to use.
#
# Needed to determine with which MPM apache will run, as well as
# against which header files modules will be built.
#
# If not set, the system will simply pick one of the installed MPMs.
#
# The implementation of the logic is in /usr/share/apache2/find_mpm,
# a script which can be used standalone as well if needed.
#
APACHE_MPM=""

## Type:        string
## Default:     ""
## ServiceReload: apache2
#
# email address of the server administrator (ServerAdmin directive)
# This address is added to the server's responses if APACHE_SERVERSIGNATURE
# is set to "email".
#
# If empty ("") it defaults to webmaster@$FQHOSTNAME, where FQHOSTNAME is
# taken from /etc/HOSTNAME.
#
# Note that ServerAdmin directives inside VirtualHost statements are not
# changed, not even the one in the stock SSL virtual host block.
#
APACHE_SERVERADMIN=""

## Type:        string
## Default:     ""
## ServiceReload: apache2
#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If this is not set to a valid DNS name for your host, server-generated
# redirections will not work. See also the UseCanonicalName directive.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
# You will have to access it by its address anyway, and this will make
# redirections work in a sensible way.
#
APACHE_SERVERNAME=""

## Type:        integer
## Default:     2
#
# timeout during server startup (seconds)
# after this time, the start script decides whether the httpd process started without error.
#
# Increase it, if you use mod_ssl and your certificate is passphrase protected!
#
APACHE_START_TIMEOUT="2"

## Type:        list(on,off,email)
## Default:     "on"
## ServiceReload: apache2
#
# Configures the footer on server-generated documents
# This correlates to the ServerSignature directive.
#
APACHE_SERVERSIGNATURE="on"

## Type:        list(debug,info,notice,warn,error,crit,alert,emerg)
## Default:     "warn"
## ServiceReload: apache2
#
# LogLevel: Control the number of messages logged to the error_log.
#
APACHE_LOGLEVEL="warn"

## Type:        string
## Default:     "/var/log/apache2/access_log combined"
## ServiceRestart: apache2
#
# The location and format of the access logfile (Common Logfile Format).
# If you do not define any access logfiles within a <VirtualHost>
# container, they will be logged here. Conversely, if you *do*
# define per-<VirtualHost> access logfiles, transactions will be
# logged therein and *not* in this file.
#
# Simply set it to empty, if you configure it yourself somewhere else.
#
# Examples:
#
# If you would like to have agent and referer logfiles:
#
#   setting it to "/var/log/apache2/referer_log referer, /var/log/apache2/agent_log agent"
#   corresponds to
#       CustomLog /var/log/apache2/referer_log referer
#       CustomLog /var/log/apache2/agent_log agent
#
# If you prefer a single logfile with access, agent, and referer information
# (Combined Logfile Format):
#
#   setting it to "/var/log/apache2/access_log combined"
#   corresponds to
#       CustomLog /var/log/apache2/access_log combined
#
APACHE_ACCESS_LOG="/var/log/apache2/access_log combined"

## Type:        list(On,Off,DNS)
## Default:     "Off"
## ServiceReload: apache2
#
# UseCanonicalName: Determines how Apache constructs self-referencing
# URLs and the SERVER_NAME and SERVER_PORT variables.
# When set "Off", Apache will use the Hostname and Port supplied
# by the client. When set "On", Apache will use the value of the
# ServerName directive.
#
APACHE_USE_CANONICAL_NAME="off"

## Type:        list(Major,Minor,Minimal,ProductOnly,OS,Full)
## Default:     "OS"
## ServiceReload: apache2
#
# How much information the server response header field contains about the server.
# (installed modules, versions, etc.)
# see http://httpd.apache.org/docs-2.2/mod/core.html#servertokens
#
APACHE_SERVERTOKENS="OS"

## Type:        list(on,off)
## Default:     "off"
## ServiceReload: apache2
#
# If mod_status is used, include extended information about the server, like
# CPU usage, in the status report. It is a server-wide setting, and it can cost
# some performance!
#
APACHE_EXTENDED_STATUS="off"

-- 
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org