#===============================================================================
2.2 -> 2.4
httpd -t #syntax check
httpd -S #virtual host syntax check
Require all granted
# a negated Require is only valid inside <RequireAll>; written on its own it restricts nothing
<RequireAll>
    Require all granted
    Require not ip 111.111.111.111
</RequireAll>
MaxConnectionsPerChild: This directive is used to replace the MaxRequestsPerChild. This change was made in order to better reflect what the directive actually is used for. Since the values actually limit the number of connections, this is a better name for the parameter.
MaxRequestWorkers: This directive was created to replace the MaxClients option. This is because with asynchronous multi-processing modules, the number of clients should not be assumed to be the same as the number of worker threads. This helps specify exactly the portion of this configuration that is affected by the directive.
AllowOverride Changes
The AllowOverride directive that is used to permit directory specific configuration files to alter default settings, has undergone a slight change that might affect your configurations.
By default, the value for this setting is now None. This will allow you to secure your server more easily by defaulting to a more locked-down state. It is still very simple to specify that .htaccess files should be read and processed in directories that require it, but you should need fewer global and large-scoped AllowOverride None declarations in order to achieve this.
The strategy of locking down the server by default and then overriding the security to allow specific instances of directory-based settings is something most users do already. This change will only help ensure that users are not open to attack as easily should they forget to implement these manually.
ServerAdmin webmaster@localhost
DocumentRoot /var/www
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
Virtual Host Settings Updates
You will have to change your Apache 2.2 virtual host settings to make your websites work again with Apache 2.4. Blindly upgrading from Apache 2.2 to 2.4 will break your sites for these reasons:
Ubuntu and Debian: Virtual host configuration files in the sites-available directory must now use the .conf extension
Virtual host configuration files must have the Require all granted line in an appropriate Directory block:
virtual host configuration file
Require all granted
Ubuntu and Debian users will need to make both changes. Users of other distributions will need to make the second change. We'll go into detail on how to make these changes in the next two sec
Follow these instructions at any time to update your virtual host configuration files. This change will work with Apache 2.2, so you can make it ahead of time. You can also do it right after you upgrade to Apache 2.4 to make your sites work again.
Use the mv command to rename each virtual host file in your /etc/apache2/sites-available/ directory to include the .conf extension:
mv /etc/apache2/sites-available/example.com /etc/apache2/sites-available/example.com.conf
Use the a2ensite command to add the virtual host. Make sure you include the .conf extension:
a2ensite example.com.conf
Use the a2dissite command to disable the old virtual host. Make sure you do not include the .conf extension:
a2dissite example.com
Repeat Steps 1-3 for all of your virtual hosts.
Reload Apache:
service apache2 reload
Your sites have now been added to Apache. Now follow the instructions in the next section to make your sites available.
Open your website's virtual host configuration file with your favorite text editor. For Ubuntu and Debian, this is typically a file like /etc/apache2/sites-available/example.com.conf. On CentOS and Fedora, this is typically /etc/httpd/conf.d/vhost.conf.
Ubuntu and Debian (replace example.com.conf with your own file name):
nano /etc/apache2/sites-available/example.com.conf
CentOS and Fedora:
nano /etc/httpd/conf.d/vhost.conf
Within the VirtualHost block for this website, locate or create the Directory block for your website's public directory. Add the line Require all granted. (If the line Require all denied is already there, update it to Require all granted). View a sample file below (replace /path/to/public/website/ with your website's public directory):
/etc/apache2/sites-available/example.com.conf or /etc/httpd/conf.d/vhost.conf
...
Require all granted
...
Save your changes.
Repeat Steps 1-3 for all of your virtual hosts.
Reload Apache.
Ubuntu and Debian:
service apache2 reload
RHEL: systemctl reload httpd.service
For more information on how you can enable or restrict access to your websites with various Require lines, see the Apache website. Most users will want to use the Require all granted line, but there may be exceptions.
Check your websites. If you have completed these steps correctly, they should now be working again.
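As an added example (not part of these notes and not Apache's own tooling), the following Python script applies the 2.2 -> 2.4 changes described above to a virtual host file: it rewrites the unambiguous Order/Allow/Deny combinations inside Directory, Location and Files sections into Require lines (wrapping a negated rule in <RequireAll>, which is the only place it is valid), renames MaxClients and MaxRequestsPerChild, and reports any access-control combination it cannot translate safely instead of guessing. The function names and the sample virtual host are constructed for this example; run httpd -t on the converted file before reloading.

```python
import re

# Directive renames introduced in Apache 2.4 (the two noted above).
RENAMED_DIRECTIVES = {"MaxClients": "MaxRequestWorkers",
                      "MaxRequestsPerChild": "MaxConnectionsPerChild"}

# Sections whose 2.2 Order/Allow/Deny lines are collected and rewritten.
SECTIONS = r"(Directory|DirectoryMatch|Location|LocationMatch|Files|FilesMatch)"
SECTION_OPEN = re.compile(r"^\s*<" + SECTIONS + r"\b", re.I)
SECTION_CLOSE = re.compile(r"^\s*</" + SECTIONS + ">", re.I)
ACCESS_LINE = re.compile(r"^(\s*)(Order|Allow|Deny)\s+(?:from\s+)?(.+?)\s*$", re.I)
IP_OR_CIDR = re.compile(r"^\d{1,3}(\.\d{1,3}){0,3}(/\d{1,2})?$")


def _require_hosts(hosts, negate=False):
    """'Require ip' for addresses/CIDRs, 'Require host' for names."""
    neg = "not " if negate else ""
    ips = [h for h in hosts if IP_OR_CIDR.match(h)]
    names = [h for h in hosts if not IP_OR_CIDR.match(h)]
    return ([f"Require {neg}ip {' '.join(ips)}"] if ips else []) + \
           ([f"Require {neg}host {' '.join(names)}"] if names else [])


def translate_access(order, allows, denies):
    """Map one section's Order/Allow/Deny to 2.4 Require lines. Returns (lines, note);
    note is set when the combination is not unambiguous and must be reviewed by hand."""
    if not allows and not denies:
        return [], None
    if allows == ["all"] and not denies:
        return ["Require all granted"], None
    if denies == ["all"] and not allows:
        return ["Require all denied"], None
    if order == "deny,allow" and denies == ["all"] and "all" not in allows:
        # Default deny, then allow the listed hosts: a plain allow-list.
        return _require_hosts(allows), None
    if order == "allow,deny" and allows == ["all"] and "all" not in denies:
        # Everyone except the listed hosts. A negated Require is only valid
        # inside <RequireAll>, so that container is emitted around it.
        inner = ["    Require all granted"]
        inner += ["    " + l for l in _require_hosts(denies, negate=True)]
        return ["<RequireAll>", *inner, "</RequireAll>"], None
    return [], f"Order={order!r} Allow={allows} Deny={denies} not translated; review by hand"


def convert_config(text):
    """Rewrite 2.2 configuration text for 2.4. Returns (new_text, notes)."""
    out, notes = [], []
    in_section, order, allows, denies, indent = False, None, [], [], "    "
    for lineno, line in enumerate(text.splitlines(), 1):
        if SECTION_OPEN.match(line):
            in_section, order, allows, denies = True, None, [], []
            out.append(line)
            continue
        if in_section and SECTION_CLOSE.match(line):
            req, note = translate_access(order, allows, denies)
            out.extend(indent + r for r in req)  # Require lines replace the dropped 2.2 ones
            if note:
                notes.append(f"line {lineno}: {note}")
            in_section = False
            out.append(line)
            continue
        m = ACCESS_LINE.match(line) if in_section else None
        if m:  # collect the 2.2 access line; it is not copied to the output
            indent, directive = m.group(1), m.group(2).lower()
            args = [a.lower() for a in m.group(3).split()]
            if directive == "order":
                order = args[0]
            elif directive == "allow":
                allows.extend(args)
            else:
                denies.extend(args)
            continue
        head = line.split(None, 1)
        if head and head[0] in RENAMED_DIRECTIVES:
            line = line.replace(head[0], RENAMED_DIRECTIVES[head[0]], 1)
        out.append(line)
    return "\n".join(out) + "\n", notes


# Constructed 2.2-style virtual host used as sample input for this example.
SAMPLE_22 = """\
<VirtualHost *:80>
    <Directory /var/www/example.com>
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    <Location /server-status>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1 10.0.0.0/8
    </Location>
    <Directory /var/www/example.com/private>
        Order allow,deny
        Allow from all
        Deny from 111.111.111.111
    </Directory>
</VirtualHost>
MaxClients 150
MaxRequestsPerChild 1000
"""
```

Calling convert_config(SAMPLE_22) yields a file in which the first Directory gets Require all granted, the Location gets Require ip 127.0.0.1 10.0.0.0/8, the private Directory gets a <RequireAll> container with Require not ip 111.111.111.111, and the two MPM directives are renamed; any section whose Order/Allow/Deny mix is not one of those clear-cut shapes is listed in the returned notes rather than silently rewritten, because a wrong guess there either locks users out or opens the directory to everyone.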
Default Virtual Host
If your Apache configuration file is replaced during the upgrade, the location of your default virtual host will change from /var/www to /var/www/html. You may have to disable the default virtual host again, if you don't want it.
#===============================================================================
#===============================================================================
#
# get the version of apache
#
./httpd -v
./apachectl -V 4
Server version: IBM_HTTP_Server/6.1.0.11 Apache/2.0.47
Server built: Jun 28 2007 11:45:18
Build level: IHS60/webIHS0725.02
Server's Module Magic Number: 20020903:4
Architecture: 32-bit
Server compiled with....
-D APACHE_MPM_DIR="server/mpm/worker"
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D HTTPD_ROOT="/opt/IBMIHS"
-D SUEXEC_BIN="/opt/IBMIHS/bin/suexec"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"
Apache vulnerability fixes included:
CVE-2002-1156 CVE-2002-0840 CVE-2003-0132 CVE-2003-0134
CVE-2003-0189 CVE-2003-0245 CVE-2003-0254 CVE-2003-0253
CVE-2003-0192 CVE-2003-0789 CVE-2003-0542 CVE-2004-0174
CVE-2004-0493 CVE-2004-0747 CVE-2004-0786 CVE-2004-0809
CVE-2004-0942 CVE-2003-0020 CVE-2005-2088 CVE-2005-2728
CVE-2005-2491 CVE-2005-2970 CVE-2005-3352 CVE-2006-3747
#===============================================================================
Apache 2.0
A Look Under the Hood
by Cliff Woolley
probably work, take a closer look or you might miss what Apache 2.0 is all about.
WHY 2.0?
architecture allows the administrator a good deal of flexibility, but modules aren't really able to work together. Apache 1.3 uses a separate process to handle each connection, which allows it to be extremely reliable but less scalable.
llowing them to interact in ways never before possible. In this article, we'll explore the changes under the hood that make Apache 2.0 what it is and the changes you'll have to make to your own Apache modules to make them work with 2.0.
COMPILING THE SERVER
uild.
Configuring an Apache Build
The parameters to the ./configure script for Apache 2.0 can be separated into three broad categories: directory structure, modules, and features.
Directory Structure
The two most important parameters for configuring how you want the directories for installation laid out are --prefix and --enable-layout.
You want to start with --enable- layout. In the root of the Apache 2.0 source tree, there should be a file named config.layout. In it, there are many layout styles to choose from. For example, to use the GNU directory layout, you would do:
./configure --enable-layout=GNU
Sometimes one of the predefined layouts is close to what you want, but not quite. If you liked the Apache directory layout but wanted everything to install under www instead of /usr/local, you could type:
./configure --enable-layout=Apache --prefix=/www
You can get more customizable than that, but this should suffice for most users.
Modules
Another important set of parameters of the ./configure script relates to which Apache modules to include (see Table One).
Features
om prefork, threaded, worker, perchild, and a bunch of others. To build a preforking Apache, you'd type:
./configure --with-mpm="prefork"
PORTABILITY (THE CLEAN WAY)
be done to use them, there are really only a handful of features needed to write most portable programs, and most operating systems provide them in some form.
t.
.
latform has to make sacrifices to fit into the mold of another.
ange a bit. To find these changed functions, you'll actually have to flip through the API documentation for APR; the documentation is relatively comprehensive and is being expanded all the time. It's available online at .
Table One: Modules for Apache 2.0
Environment Creation
(+) mod_env Set environment variables for CGI/SSI scripts
(+) mod_setenvif Set environment variables based on HTTP headers
(-) mod_unique_id Generate unique identifiers for request
Directory Handling
(+) mod_dir Directory and directory default file handling
(+) mod_autoindex Automated directory index file generation
Access Control and Authentication
(+) mod_access Access Control (user, host, network)
(+) mod_auth HTTP Basic Authentication (user, passwd)
(-) mod_auth_dbm HTTP Basic Authentication via Unix NDBM files
(-) mod_auth_db HTTP Basic Authentication via Berkeley-DB files
(-) mod_auth_anon HTTP Basic Authentication for Anonymous-style users
(-) mod_digest HTTP Digest Authentication
HTTP response
(-) mod_headers Arbitrary HTTP response headers (configured)
(-) mod_cern_meta Arbitrary HTTP response headers (CERN-style files)
(-) mod_expires Expires HTTP responses
(+) mod_asis Raw HTTP responses
Content Type Decisions
(+) mod_mime Content type/encoding determination (configured)
(-) mod_mime_magic Content type/encoding determination (automatic)
(+) mod_negotiation Content selection based on the HTTP Accept* headers
Cache
(-) mod_file_cache Caching of open handles to frequently served pages
Scripting
(+) mod_include Server Side Includes (SSI) support
(+) mod_cgi Common Gateway Interface (CGI) support
(+) mod_cgid Common Gateway Interface (CGI) support for multi-threaded MPMs
(+) mod_actions Map CGI scripts to act as internal 'handlers'
Internal Content Handlers
(+) mod_status Content handler for server run-time status
(-) mod_info Content handler for server configuration summary
Request Logging
(+) mod_log_config Customizable logging of requests
(-) mod_usertrack Logging of user click-trails via HTTP Cookies
Content Management
(-) mod_dav WebDAV (RFC 2518) support for Apache
(-) mod_dav_fs mod_dav backend for managing filesystem content
SSL
(-) mod_ssl SSL/TLS encryption support
Miscellaneous
(+) mod_imap Server-side Image Map support
(-) mod_proxy Caching Proxy Module (HTTP, HTTPS, FTP)
(-) mod_so Dynamic Shared Object (DSO) bootstrapping
Development
(-) mod_example Apache API demonstration (developers only)
URL Mapping
(+) mod_alias Simple URL translation and redirection
(-) mod_rewrite Advanced URL translation and redirection
(+) mod_userdir Selection of resource directories by username
(-) mod_speling Correction of misspelled URLs
(-) mod_vhost_alias Dynamically configured mass virtual hosting
let you rerun ./configure with all the same parameters you used the last time.
tication modules) might work under multiple protocols, it is useful to have modules split out into separate directories based on their purpose. So under the modules/ directory, you will now find subdirectories.
ACHIEVING SCALABILITY
equests can eat up a relatively large amount of system resources, particularly memory.
Apache Figure 1
tailored to a particular platform to take advantage of low-level process-management or service-management features of the OS that just don't quite fit well into APR (see Figure One, .
ds and in the choice of a constant or variable number of these worker threads in each process. It's also quite likely that third-party vendors will write custom MPMs for Apache 2.0 to implement proprietary performance enhancements.
ng connection before they can realize they need to terminate.
hreads as they become available. The perchild MPM throws away all preconceived notions of how connections should be handled. It uses a fixed number of processes with a variable number of threads per process to handle connections.
t for PHP and SSI pages and other module-generated responses as well. That's sure to be a useful feature for ISPs and other hosting services.
FILTERED I/O
decision of which filters to insert in the stack can happen at request time.
n strung together into a list called a brigade. Individual buckets in a brigade can be split up, copied, rearranged, inserted, and deleted, without ever copying their contents around in memory.
the next filter in the stack.
Apache Figure 2
the HTTP filter, for example.
Apache Figure 3
ter," which is responsible for dumping the data out to the network in the most efficient manner possible.
n't both participate in the request-handling process.
INTER-MODULE COOPERATION
as quite a headache in 1.3. To fill this void, two extra mechanisms were added to 2.0 -- hooks and optional functions.
which the modules were loaded into the server. Now the set of callback functions associated with each hook can be ordered independently, and the modules can take care of this ordering on their own without the intervention of the administrator.
gistered, retrieving a pointer to it if so.
looking up mod_include's optional function for tag registration. So any module can now define its own SSI tags without having to re-implement the parsing engine, a level of cooperation that was not feasible in version 1.3.
FUTURE DIRECTIONS
throw out ideas for things that would be nice to have in versions beyond 2.0; more tightly tuned performance is certainly a goal for 2.1.
ing model, have also been proposed, though changes of that magnitude are likely more distant than 2.1.
will be found!
_____
Cliff Woolley is a graduate student in computer science and a developer on the Apache HTTP Server and Apache Portable Runtime projects. He can be reached at jwoolley@apache.org
#===============================================================================
#SELINUX
chcon -Rv --type=httpd_sys_content_t *
#===============================================================================