Issue when trying to run passenger on Apache - apache

I am getting this issue when running
httpd -t
httpd: Syntax error on line 545 of /private/etc/apache2/httpd.conf: Syntax error on line 1 of /private/etc/apache2/other/passenger.conf: Cannot load /Users/sbaidon/.rvm/gems/ruby-2.2.5/gems/passenger-5.3.5/buildout/apache2/mod_passenger.so into server: dlopen(/Users/sbaidon/.rvm/gems/ruby-2.2.5/gems/passenger-5.3.5/buildout/apache2/mod_passenger.so, 10): no suitable image found. Did find:\n\t/Users/sbaidon/.rvm/gems/ruby-2.2.5/gems/passenger-5.3.5/buildout/apache2/mod_passenger.so: code signature in (/Users/sbaidon/.rvm/gems/ruby-2.2.5/gems/passenger-5.3.5/buildout/apache2/mod_passenger.so) not valid for use in process using Library Validation: mapped file has no cdhash, completely unsigned? Code has to be at least ad-hoc signed.\n\t/Users/sbaidon/.rvm/gems/ruby-2.2.5/gems/passenger-5.3.5/buildout/apache2/mod_passenger.so: stat() failed with errno=22
Passenger installation is just fine.

I ran into this too: the issue is that the built-in httpd that comes with macOS Mojave has Library Validation turned on, which means any modules it loads must be properly signed. Unfortunately, mod_passenger.so is not signed, so loading fails. Actually, a lot of people are having this problem with loading Apache modules on macOS Mojave (especially during the beta), some example references:
https://github.com/GrahamDumpleton/mod_wsgi/issues/357
https://github.com/phpredis/phpredis/issues/1406
I believe it's possible to set up a plist somewhere to give an entitlement to httpd to disable library validation (com.apple.security.cs.disable-library-validation) as described at https://developer.apple.com/documentation/security/com_apple_security_cs_disable-library-validation. For instance, here's a recent WebKit patch where they add it to allow plugin loading: https://bugs.webkit.org/show_bug.cgi?id=183252. Similarly, here's the Mozilla people talking about how they need to enable this (and other) properties: https://bugzilla.mozilla.org/show_bug.cgi?format=default&id=1470597.
Unfortunately, I don't do macOS development (I just do development on macOS) and I have absolutely no idea how to apply it to the built-in Apache, I'm sorry.
At this point I'm kind of sick of every major macOS update nerfing all my httpd settings and generally being a pain (it's infrequent but it's still annoying), so I'm doing what I should have done years ago: stop using the built-in httpd that comes with OS/X and just use Homebrew httpd.
Here's some instructions I found regarding setting up Homebrew httpd (and disabling the built-in macOS httpd), it's pretty straightforward and you don't have to follow all of the directions about multiple PHP versions etc: https://getgrav.org/blog/macos-mojave-apache-multiple-php-versions
If someone can figure out how to disable Library Validation in the built-in httpd, or if there is some way to provide signing on mod_passenger.so (seems unlikely since both the Homebrew and gem passenger need to be buildable from source), you don't need to junk the built-in httpd. But I personally think the best solution is to move away from it entirely and use the Homebrew version instead.

For anyone having this issue or any issue with library validation in macOS Mojave, I found an incredibly easy fix to disable it. https://github.com/mologie/macos-disable-library-validation

This is fixed in macOS 10.14.4

Related

imagemagick segmentation fault after apache graceful restart

We are using ImageMagick via imagick to generate a file containing many SVG files in it. The script tries to make them fit as much as possible in order to avoid large empty spaces so it is kind of a heavy task.
Everything went OK until we decided to install netdata on the server to monitor it, we can't say netdata is the cause of this 100% but we're pretty sure this started after installing it.
Now after every apache graceful restart we're getting segmentation fault errors but ONLY when trying to generate a file with "multi color" SVGs, everything works ok when generating a file with "plain color" SVGs.
The problem disappears if we restart apache (sudo service httpd restart).
Our theory is that restarting apache gracefully leaves an apache child thread hanging and crashes when trying to use it or something.
We tried reinstalling ImageMagick and imagick but nothing changed, we stopped netdata since we noticed this and tried to debug using gdb (it ended up slowing apache and making it difficult to restart it) and we could not find anything useful. I'm thinking of updating libgomp (installed version is 4.8.5 4.el7 and with yum info I've seen the version 4.8.5 28.el7) but I'm not sure if it can cause problems in other parts of the system.
Not sure if this is related to this site, but have any of you seen anything like this?
Thanks
Server specifications:
CentOS 7.0.1406
Apache/2.4.6 (CentOS)
PHP/5.6.26
ImageMagick 6.7.8-9 2016-06-16 Q16
imagick 3.4.3

Apache version 2.2 and security vulnerabilities

A penetration test has recently identified that one of our RHEL(6.7) servers running Apache 2.2.15 is vulnerable on a number of points and needs to be updated to the latest version 2.4. I have run yum update and it says that there are no packages marked for update. I understand that I will need to download the updates manually. There are a few questions I have around the requirement to upgrade Apache.
I am up to date on the 2.2 version tree. Does this mean that any security patches made to version 2.4 will be back patched to version 2.2.X as well?
I am running PHP (version 5.3.3) and MySQL (version 5.1.73) - will these be affected by upgrading the Apache version (Google tells me that there is no problem on both fronts - but I thought I'd ask before I started down this route).
If you experts tell me that I have no other choice but to upgrade, then I'm planning on using the instruction set here: https://unix.stackexchange.com/questions/138899/centos-install-using-yum-apache-2-4
Thank you in advance for your advice.
You could download the 2.4 source code from the Apache site and compile it. There's a setting which will configure for RedHat:
--enable-layout=RedHat
This setting will configure the paths for executables, configuration files, libraries etc in one go.
The following should be a reasonable starting point for a configuration line:
sh ./configure --enable-layout=RedHat --enable-mods-shared=all
then perform a make and make install
Do the same with a newer version of PHP (5.3.29 is available in the "old downloads" section, but try a newer version. Check the changes first though) and your problems should be lessened. Finally, MySQL or MariaDB is available for download and compilation too
Obviously, try all of this on a test machine first and back everything up. Your test machine should be as close as possible to your production machine. If you use something like VirtualBox to try it, you can take a snapshot at each point of the process and rollback if something goes wrong

Using httpd 2.4 instead of 2.2 on centos 6

I use CentOS 6.5 and installed Apache 2.2 on my server with yum. I want to upgrade Apache to 2.4, but yum does not support that, so I downloaded Apache 2.4.7 and installed it to opt/apache/httpd-2.4.7 following the tutorial here: Apache 2.4.x Manual install on RHEL 6.4 - No apache modules will load on start. I want to change the environment variables to point to the new Apache version so I can write Apache 2.4 modules (change the include folder for header files, change the "modules" folder when building with apxs, ...). I think I must install another httpd-devel for Apache 2.4.7, because I still have not installed httpd-devel-2.4.7, but I don't know how to install it and use it instead of the httpd-devel-2.2 from yum. I cannot describe my problems clearly in English, so I hope you can understand. I'm a newbie and I really need your help. Thank you!
CentOS is an image of RHEL, which stands for Red Hat Enterprise Linux. RHEL is designed to be an "Enterprise class" operating system, in which you rely on software packages that are delivered from controlled repositories where they are made available only after being thoroughly tested for Enterprise level use.
From that point of view, it's generally not a good idea to install packages from source code, or using third party RPMs, because once you do, your OS is no longer "Enterprise" class.
If you're trying to upgrade for security reasons, you shouldn't. Critical security updates are always backported in previous RPM releases, so you only have to update your current package from the same yum repo from where you got it first. The binary will still say it is Apache 2.2, but it will have the latest security updates.
If you need an actual feature of 2.4, the smart move is to upgrade your CentOS. It may seem like the harder option initially, but it never is in the long run.
In my experience these reports can be fairly basic/binary:
Are you running the latest version of the software? If no flag as security risk.
However this fails to take into account package managers which back port fixes to older versions and so often have addressed potential security issues.
By moving away from the packaged version you are making security updates more difficult (as can't do a simple "yum update" to address them anymore).
Apache 2.2 is still maintained for security and bug fixes - though how long for remains to be seen and it is falling further and further behind in features.
So often you just need to explain (and prove!) you have a regular patching process and so the "version of Apache" you are reporting is not really accurate in terms of security patching.
See here for more details: https://serverfault.com/questions/731657/pci-compliance-apache-versions/
Saying all that we moved to Apache 2.4 on centos a while back for some extra features we wanted and just upgrade it to the latest version as part of regular patching cycle and are not finding it too inconvenient. Yes it's not quite as simple as "yum update" but it's a decision we've made because of some features we required. Not a decision to be taken lightly as Garreth states but it had the added side effect of this not getting highlighted anymore in these sorts of security scans :-)
We made this decision despite upgrading to a newer version of Red Hat as that was still on an older version of Apache (2.4.7 if memory serves me correctly) which still missed a few features we required. Sometimes it's frustrating how far behind some of these "enterprise" versions are, but that's the downside when there are plenty of upsides to using them too (stability, security... etc.).
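The backporting point made in the answers above can be checked against the package changelog instead of the version banner. This is an added example, not code from any of the posts: it reads `rpm -q --changelog` style text on stdin and reports which flagged CVE IDs the changelog mentions. The changelog entries and CVE IDs are constructed placeholders, and `backport_status` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: check flagged CVE IDs against an RPM changelog.
# Real input: rpm -q --changelog httpd   (the installed package)
# Every changelog entry and CVE ID below is a constructed placeholder.

sample_changelog() {
cat <<'EOF'
* Mon Jan 02 2017 Example Packager <pkg@example.invalid> - 2.2.15-60
- add security fix for CVE-0000-0003 (constructed entry)

* Fri Jul 01 2016 Example Packager <pkg@example.invalid> - 2.2.15-54
- fix CVE-0000-0001, CVE-0000-0002 (constructed entry)
- mod_ssl: unrelated bug fix
EOF
}

# backport_status CVE...   (hypothetical helper; changelog on stdin)
# Prints "<cve> FIXED <version-release>" or "<cve> NOT-FOUND" per CVE.
# Returns 0 if every CVE is mentioned in the changelog, 1 otherwise.
backport_status() {
    changelog=$(cat)          # read stdin once, reuse for every CVE
    missing=0
    for cve in "$@"; do
        # Track the version-release from each "* date packager - ver-rel"
        # header; print it for the newest entry naming the CVE as a whole
        # token, so CVE-0000-0001 never matches CVE-0000-00012.
        rel=$(printf '%s\n' "$changelog" | awk -v cve="$cve" '
            /^\* / { rel = $NF }
            {
                n = split($0, tok, /[^A-Za-z0-9-]+/)
                for (i = 1; i <= n; i++)
                    if (tok[i] == cve) { print rel; exit }
            }')
        if [ -n "$rel" ]; then
            echo "$cve FIXED $rel"
        else
            echo "$cve NOT-FOUND"
            missing=1
        fi
    done
    return "$missing"
}

# Demo on the constructed sample; CVE-0000-0009 is deliberately absent.
sample_changelog | backport_status CVE-0000-0001 CVE-0000-0003 CVE-0000-0009 ||
    echo "at least one flagged CVE is not in the changelog"
```

On a real host, pipe `rpm -q --changelog httpd` into `backport_status` with the CVE IDs from the scan report; a NOT-FOUND result means the changelog does not name that CVE and the finding needs a closer look, not that the host is necessarily exposed.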

Troubles with Xdebug 2.1.0, XAMPP 1.7.3, Win7 32bit

Looking for some help with getting xdebug to behave with my setup. My goal is to be able to debug Joomla code.
First let me preface saying that about a year ago I was able to get a version xdebug to work with Eclipse PDT 2.1 with xampp under Vista 32bit. However, now I'm on a new machine, and I wanted to get everything working with the latest versions. I did so by following through this walk-through. Now, trying to do the same thing I can't get it to work.
First, as per the walk-through, I downloaded php_xdebug-2.0.0-5.2.2.dll. Quickly realized that I needed an xdebug for php 5.3. So, I found the xdebugs Tailored Installation Instructions and followed that. My php.ini section looks as thus:
[XDebug]
;; Only Zend OR (!) XDebug
zend_extension = "D:\xampp\php\ext\php_xdebug-2.1.0-5.3-vc6.dll"
xdebug.remote_enable=true
xdebug.remote_host=localhost
xdebug.remote_port=10000
xdebug.remote_handler=dbgp
xdebug.profiler_enable=1
xdebug.profiler_output_dir="D:\xampp\tmp"
So this got the xdebug to actually show up in the phpinfo(). But, in Eclipse when I Debug As Php Webpage, it at first appears to connect, however if I step to the next line of code the debugger just sits there saying it is stepping, indefinitely. Sometimes apache will crash. I tried ports 9000 and 10000 to no avail.
What I did find out is, if I use the php_xdebug.dll that comes with XAMPP 1.7.3, I actually can connect and step without any issues, EXCEPT, that version of xdebug apparently has a major bug in it that causes all my variables to be listed as 'Uninitialized'. So it is basically useless, however, it does give some hope that I have some of this stuff set up correctly.
So, my current setup thus: Win7 32bit, XAMPP 1.7.3 (PHP 5.3.1, Apache 2.2.14), Eclipse PDT 2.2
I have very limited experience with basically all the tools here so I'm kinda at a loss of what to do. Any help would be greatly appreciated. I searched some of the other posts here with similar issue but most of them appear to be for older versions of these components.
Your report is somewhat confusing. As far as I understand you, your setup works as soon as you replace the XDebug-dll. Then your (primary) problem cannot be related to your settings, as far as you also adjusted zend_extension, of course.
Though xdebug.remote_port=10000 seems odd. Std is 9000. If you use 9000, then you have to tell Eclipse in Window/Preferences/PHP/Debug/Debuggers to also listen to that port for XDebug.
Best
Raffael

How can I run VisualWorks under OpenBSD?

Has anyone gotten VisualWorks running under OpenBSD? It's not an officially supported platform, but one of the Cincom guys was telling me that it should be able to run under a linux compatibility mode. How did you set it up?
I already have Squeak running without a problem, so I'm not looking for an alternative. I specifically need to run VisualWorks's Web Velocity for a project.
Thanks,
if you're wondering about setting up linux compatibility mode and you're running the GENERIC kernel:
# sysctl kern.emul.linux=1
to enable at boot uncomment the kern.emul.linux=1 line in /etc/sysctl.conf
See the OpenBSD FAQ, specifically section 9.4 - Running Linux Binaries on OpenBSD.
Typically there are more steps needed than just kern.emul.linux=1 unless you have statically linked (i.e. completely stand-alone) binaries. The good news is that packages exist that contain Linux libs, and they are easy to install. This is all detailed in the above link.