Using httpd 2.4 instead of 2.2 on centos 6 - apache

I use Centos 6.5, I've installed apache 2.2 on my server by yum, I want to upgrade my apache to 2.4, but yum not support that, so I download apache 2.4.7 and install it to opt/apache/httpd-2.4.7 follow the tutorial here: Apache 2.4.x Manual install on RHEL 6.4 - No apache modules will load on start . I want to change environment variables to new apache version to write apache 2.4 modules (change include folder for header file, change "modules" folder when build with apxs,...). I think I must install another httpd-devel for apache 2.4.7, because I still not install httpd-devel-2.4.7, but I don't know how to install and use it instead of httpd-devel-2.2 by yum. I can not describe my problems clearly in English, so I hope you can understand it. I'm a newbie and I really need your help. Thank you!

CentOS is image of RHEL, which stands for Red Hat Enterprise Linux. RHEL is designed to be an "Enterprise class" operating system, in which you rely on software packages that are delivered from controlled repositories where they are made available only after being thoroughly tested for Enterprise level use.
From that point of view, its generally not a good idea to install packages from source code, or using third party RPMs, because once you do, your OS is no longer "Enterprise" class.
If you're trying to upgrade for security reasons, you shouldn't. Critical security updates are always backported in previous RPM releases, so you only have to update your current package from the same yum repo from where you got it first. The binary will still say it is Apache 2.2, but it will have the latest security updates.
If you need an actual feature of 2.4, the smart move is to upgrade your CentOS. It may seem like the harder option initially, but it never is in the long run.

In my experience these reports can be fairly basic/binary:
Are you running the latest version of the software? If no flag as security risk.
However this fails to take into account package managers which back port fixes to older versions and so often have addressed potential security issues.
By moving away from the packaged version you are making security updates more difficult (as can't do a simple "yum update" to address them anymore).
Apache 2.2 is still maintained for security and bug fixes - though how long for remains to be seen and it is falling further and further behind in features.
So often you just need to explain (and prove!) you have a regular patching process and so the "version of Apache" you are reporting is not really accurate in terms of security patching.
See here for more details: https://serverfault.com/questions/731657/pci-compliance-apache-versions/
Saying all that we moved to Apache 2.4 on centos a while back for some extra features we wanted and just upgrade it to the latest version as part of regular patching cycle and are not finding it too inconvenient. Yes it's not quite as simple as "yum update" but it's a decision we've made because of some features we required. Not a decision to be taken lightly as Garreth states but it had the added side effect of this not getting highlighted anymore in these sorts of security scans :-)
We made this decision despite upgrading to a newer version of Red Hat as that was still on an older version of Apache (2.4.7 if memory serves me correctly) which still missed a few features we required. Sometimes it's frustrating how far behind some of these "enterprise" versions are, but that's the downside when there are plenty of upsides to using them too (stability, security... etc.).

Related

Run ColdFusion 9.02 on Apache 2.4 x64

I've inherited an application server which I need to maintain/upgrade.
It's currently running Windows Server 2008R2, ColdFusion 9.02 32-bit and Apache 2.4 32-bit.
Because I want to upgrade/debug/alter the CF source code, I want to use FusionReactor to help me, especially the (line)debugging part.
Unfortunately, FusionReactor only runs (well, the debugging part) on 64bit java. Because the CF application is quite old, it's not ready to run on a newer CF version yet (and I want to port it to Lucee eventually). So, that leaves me the option of CF 9.02 64bit. Problem there is, that it won't run out of the box on Apache 2.4 (only 2.2).
CF 9.02 32bit is currently running on Apache 2.4 because I compiled/patched an Apache 2.2 module (mod_jrun22.so) so it works on Apache 2.4 (with the help of this https://g0blin.co.uk/mod_jrun-on-apache-2-4-ubuntu-14-04-coldfusion-9/ )
Unfortunately, I'm unable to do the same for Apache 2.4 64bit, because there seems to be no apxs 64bit available.
I could downgrade Apache 2.4 -> 2.2, but that's only my last resort.
Now my question. Is somebody able to recompile this module for 64bit, or give me some guidelines to do so? Is apxs available for 64bit? If not, Is there a simple way to compile (custom) modules for Apache 2.4 64bit?
Thanks!
http://www.gpickin.com/index.cfm/blog/multi-cfml-engine-install-extracting-the-coldfusion-9-connector-for-apache
Run it by ./apache_connectors.sh
If you get a GCC not found error, you might have to install some development tools,
to allow you to build the connector.
yum groupinstall 'Development Tools'
You might reach out to Gavin, the author of that article to see if he has any further notes. It's been forever and a day since I had to deal w/ 32-bit CF. I know I managed to get CF 8 to run on 64-bit, which was never officially supported IIRC, but I don't have any of those notes anymore.
You might look to using CommandBox to run your server instead of Apache. It might make your conversion to Lucee easier too. The only reason to convert the engine depends on how much new code is being written for this application. You can get away with CF 9 without the effort of upgrading or converting.

Issue when trying to run passenger on Apache

I am getting this issue when running
httpd -t
httpd: Syntax error on line 545 of /private/etc/apache2/httpd.conf: Syntax error on line 1 of /private/etc/apache2/other/passenger.conf: Cannot load /Users/sbaidon/.rvm/gems/ruby-2.2.5/gems/passenger-5.3.5/b
uildout/apache2/mod_passenger.so into server: dlopen(/Users/sbaidon/.rvm/gems/ruby-2.2.5/gems/passenger-5.3.5/buildout/apache2/mod_passenger.so, 10): no suitable image found. Did find:\n\t/Users/sbaidon/.rv
m/gems/ruby-2.2.5/gems/passenger-5.3.5/buildout/apache2/mod_passenger.so: code signature in (/Users/sbaidon/.rvm/gems/ruby-2.2.5/gems/passenger-5.3.5/buildout/apache2/mod_passenger.so) not valid for use in p
rocess using Library Validation: mapped file has no cdhash, completely unsigned? Code has to be at least ad-hoc signed.\n\t/Users/sbaidon/.rvm/gems/ruby-2.2.5/gems/passenger-5.3.5/buildout/apache2/mod_passen
ger.so: stat() failed with errno=22
Passenger installation is just fine.
I ran into this too: the issue is that the built-in httpd that comes with macOS Mojave has Library Validation turned on, which means any modules it loads must be properly signed. Unfortunately, mod_passenger.so is not signed, so loading fails. Actually, a lot of people are having this problem with loading Apache modules on macOS Mojave (especially during the beta), some example references:
https://github.com/GrahamDumpleton/mod_wsgi/issues/357
https://github.com/phpredis/phpredis/issues/1406
I believe it's possible to set up a plist somewhere to give an entitlement to httpd to disable library validation (com.apple.security.cs.disable-library-validation) as described at https://developer.apple.com/documentation/security/com_apple_security_cs_disable-library-validation. For instance, here's a recent WebKit patch where they add it to allow plugin loading: https://bugs.webkit.org/show_bug.cgi?id=183252. Similarly, here's the Mozilla people talking about how they need to enable this (and other) properties: https://bugzilla.mozilla.org/show_bug.cgi?format=default&id=1470597.
Unfortunately, I don't do macOS development (I just do development on macOS) and I have absolutely no idea how to apply it to the built-in Apache, I'm sorry.
At this point I'm kind of sick of every major macOS update nerfing all my httpd settings and generally being a pain (it's infrequent but it's still annoying), so I'm doing what I should have done years ago: stop using the built-in httpd that comes with OS/X and just use Homebrew httpd.
Here's some instructions I found regarding setting up Homebrew httpd (and disabling the built-in macOS httpd), it's pretty straightforward and you don't have to follow all of the directions about multiple PHP versions etc: https://getgrav.org/blog/macos-mojave-apache-multiple-php-versions
If someone can figure out how to disable Library Validation in the built-in httpd, or if there is some way to provide signing on mod_passenger.so (seems unlikely since both the Homebrew and gem passenger need to be buildable from source), you don't need to junk the built-in httpd. But I personally think the best solution is to move away from it entirely and use the Homebrew version instead.
For anyone having this issue or any issue with library validation in macOS Mojave, I found an incredibly easy fix to disable it. https://github.com/mologie/macos-disable-library-validation
This is fixed in macOS 10.14.4

Apache upgrade from 2.4.6 to 2.4.29

Currently, we are planning to upgrade our complete web-server node in production.
Platform is RHEL 7.1 and currently apache 2.4.6 is running there.
I also got to know from red-hat that apache 2.4.6 is directly shipped with RHEL7 and for 2.4.26 or 2.4.29, they can't comment regarding it's technical feasibility part along with it's stability on RHEL platform.
I have few concerns now :
Is going ahead with apache 2.4.26 or 2.4.29 in production would be a good option or should i get stuck with the current one ? I am doubtful whether 2.4.26 or 2.4.29 are been tested on RHEL 7 series and is technically compatible.
I tried to install apache 2.4.26 and 2.4.29 on my test-bed first ( which is a RHEL 7.4 platform ) and i came across package dependency issues which proved out to be a blocker for me. I am afraid that i might face these issues on production as well which would be very dangerous. Have you ever faced this on your system too ?
Looking out for your kind support and feedback here ... !!!
Best Regards,
looking at : httpd direct rpm download
it seems that the last supported version is httpd-2.4.6-80.el7.x86_64.rpm
so do not try update your production environment with unsupported software, stick to releases !
upgrading to RHEL7.4 seems to be trouble-maker (as far as i heard : [source required !] )
i got no feedback about RHEL7.5

Discovering dependencies of mod_jk

We are running a large amount of old EC2 instances which are based on Amazon Linux AMI 2014.09, a pretty old version.
We have recently built mod_jk on one of them that so that we can front Tomcat with Apache Web server 2.4.
We are in the process of identifying the dependencies of this mod_jk module. Can we re-use the mod_jk.so library that we just built with newer versions of the OS? We are running a large number of instances, so we would like to cut out the whole "building binaries from sources" step, so our ideal setup would be to take the current mod_jk.so binary and deploy it in all other EC2 instances.
The question is: can we safely do it? If not, when do we need to rebuild it? For example:
Do we need to rebuild it if we decide to launch EC2 instances with the latest Amazon Linux AMI, which is 3 years newer?
Do we need to rebuild it if the Apache's version is different?
Thank you in advance,
Meletis
I have a couple of precompiled mod_jk's in order to avoid just this cases. As per my own experience, I must recompile it in this scenarios:
Different Apache version (2.2/2.4)
Apache 32/64bits
As I stated before, according to this, you should have no more than 4 built mod_jk binaries to choose the right one from.
I could not tell you wether this is a best practice (probably not), but I have use this already built mod_jk in different Linux distributions and versions of Fedora, CentOS, Red Hat and Debian.

Apache version 2.2 and security vulnerabilities

A penetration test has recently identified that one of our RHEL(6.7) servers running Apache 2.2.15 is vulnerable on a number of points and needs to be updated to the latest version 2.4. I have run yum update and it says that there are no packages marked for update. I understand that I will need to download the updates manually. There are a few questions I have around the requirement to upgrade Apache.
I am up to date on the 2.2 version tree. Does this mean that any security patches made to version 2.4 will be back patched to version 2.2.X as well?
I am running PHP (version 5.3.3) and MySQL (version 5.1.73) - will these be affected by upgrading the Apache version (Google tells me that there is no problem on both fronts - but I thought I'd ask before I started down this route).
If you experts tell me that I have no other choice but to upgrade, then I'm planning on using the instruction set here: https://unix.stackexchange.com/questions/138899/centos-install-using-yum-apache-2-4
Thank you in advance for your advice.
You could download the 2.4 source code from the Apache site and compile it. There's a setting which will configure for RedHat:
--enable-layout=RedHat
This setting will configure the paths for executables, configuration files, libraries etc in one go.
The following should be a reasonable starting point for a configuration line:
sh ./configure --enable-layout=RedHat --enable-mods-shared=all
then perform a make and make install
Do the same with a newer version of PHP (5.3.29 is available in the "old downloads" section, but try a newer version. Check the changes first though) and your problems should be lessened. Finally, MySQL or MariaDB is available for download and compilation too
Obviously, try all of this on a test machine first and back everything up. Your test machine should be as close as possible to your production machine. If you use something like VirtualBox to try it, you can take a snapshot at each point of the process and rollback if something goes wrong