diff --git a/a2enflag b/a2enflag index e232be4..347dbd6 100644 --- a/a2enflag +++ b/a2enflag @@ -8,20 +8,26 @@ # (at your option) any later version. -sysconf=/etc/sysconfig/apache2 -var=APACHE_SERVER_FLAGS -PATH="$PATH:/usr/bin:/usr/sbin:/usr/share/apache2" - -debug=true - function usage() { - echo "$(basename $0): enable/disable a flag in $var in $sysconf" - echo + echo "$(basename $0): enable/disable a flag in $var in $sysconf" + echo echo "usage: $(basename $0) [-d] flag" - #echo " $(basename $0) -h runtests" + echo + echo "HTTPD_INSTANCE= environment variable can be used to specify" + echo "apache instance (see README-instances.txt); sysconfig file is expected" + echo "at /etc/sysconfig/apache2@ ." exit 1 } +unset instance_suffix +if [ -n "$HTTPD_INSTANCE" ]; then + instance_suffix="@$HTTPD_INSTANCE" +fi + +sysconf=/etc/sysconfig/apache2$instance_suffix +var=APACHE_SERVER_FLAGS +PATH="$PATH:/usr/bin:/usr/sbin:/usr/share/apache2" + if [ $# -lt 1 ]; then usage fi diff --git a/a2enmod b/a2enmod index cfa493b..663d48a 100644 --- a/a2enmod +++ b/a2enmod 
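Review bot: `HTTPD_INSTANCE` comes straight from the environment and is pasted into the path at `sysconf=/etc/sysconfig/apache2$instance_suffix` with no check on its content. A value containing `/` or whitespace would make the tool work on something other than an instance sysconfig file. That matters because the script presumably runs with root privileges and edits that file, though the editing code is outside this hunk. I would reject such values before building the path, e.g. `case "$HTTPD_INSTANCE" in */*|*[[:space:]]*) echo "invalid HTTPD_INSTANCE" >&2; exit 1;; esac`, and fail early if the resulting file does not exist. The a2enmod hunk adds the same lines and needs the same guard.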
@@ -8,22 +8,28 @@ # (at your option) any later version. -sysconf=/etc/sysconfig/apache2 -var=APACHE_MODULES -PATH="$PATH:/usr/bin:/usr/sbin:/usr/share/apache2" - -debug=true - function usage() { - echo "$(basename $0): enable/disable an apache module in $var in $sysconf" - echo + echo "$(basename $0): enable/disable an apache module in $var in $sysconf" + echo echo "usage: $(basename $0) [-d] module" echo " $(basename $0) -l list modules" echo " $(basename $0) -q module query if module is installed" - #echo " $(basename $0) -h runtests" + echo + echo "HTTPD_INSTANCE= environment variable can be used to specify" + echo "apache instance (see README-instances.txt); sysconfig file is expected" + echo "at /etc/sysconfig/apache2@ ." exit 1 } +unset instance_suffix +if [ -n "$HTTPD_INSTANCE" ]; then + instance_suffix="@$HTTPD_INSTANCE" +fi + +sysconf=/etc/sysconfig/apache2$instance_suffix +var=APACHE_MODULES +PATH="$PATH:/usr/bin:/usr/sbin:/usr/share/apache2" + if [ $# -lt 1 ]; then usage fi diff --git a/apache2-README-instances.txt b/apache2-README-instances.txt index 518b417..3b7fe7b 100644 --- a/apache2-README-instances.txt +++ b/apache2-README-instances.txt @@ -27,4 +27,15 @@ NOTES: * /etc/sysconfig/apache2@ can hold any sysconfig variable /etc/sysconfig/apache2 can, including module loading and MPM setting, * default instance do not have to run when running other instances +* a2enmod, a2dismod and apachectl operates over default instance if + not specified otherwise via HTTPD_INSTANCE. For example, + + export HTTPD_INSTANCE=myweb.org + a2enmod access_compat + a2enmod status + apachectl start + + will add access_compat and status modules to APACHE_MODULES + variable of /etc/sysconfig/apache2@myweb.org and then starts + myweb.org instance. diff --git a/apache2-httpd.conf b/apache2-httpd.conf index 249e843..381e280 100644 --- a/apache2-httpd.conf +++ b/apache2-httpd.conf 
@@ -30,6 +30,8 @@ # |-- global.conf . . . . . . . . . . . . . [*] server-wide general settings # |-- mod_status.conf . . . . . . . . . . . restrict access to mod_status (server monitoring) # |-- mod_info.conf . . . . . . . . . . . . restrict access to mod_info +# |-- mod_reqtimeout.conf . . . . . . . . . set timeout and minimum data rate for receiving requests +# |-- mod_cgid-timeout.conf . . . . . . . . set CGIDScriptTimeout if mod_cgid is loaded/active # |-- mod_usertrack.conf . . . . . . . . . defaults for cookie-based user tracking # |-- mod_autoindex-defaults.conf . . . . . defaults for displaying of server-generated directory listings # |-- mod_mime-defaults.conf . . . . . . . defaults for mod_mime configuration @@ -107,7 +109,7 @@ Include /etc/apache2/server-tuning.conf # container, that host's errors will be logged there and not here. ErrorLog /var/log/apache2/error_log -# generated from APACHE_MODULES in /etc/sysconfig/apache2 +# generated from default value of APACHE_MODULES in /etc/sysconfig/apache2 Include /etc/apache2/loadmodule.conf @@ -118,7 +120,7 @@ Include /etc/apache2/listen.conf # predefined logging formats Include /etc/apache2/mod_log_config.conf -# generated from global settings in /etc/sysconfig/apache2 +# generated from default values of global settings in /etc/sysconfig/apache2 Include /etc/apache2/global.conf 
@@ -127,6 +129,20 @@ Include /etc/apache2/mod_log_config.conf Include /etc/apache2/mod_status.conf Include /etc/apache2/mod_info.conf +# mod_reqtimeout protects the server from the so-called "slowloris" +# attack: The server is not swamped with requests in fast succession, +# but with slowly transmitted request headers and body, thereby filling up +# the request slots until the server runs out of them. +# mod_reqtimeout is lightweight and should deliver good results +# with the configured default values. You shouldn't notice it at all. +Include /etc/apache2/mod_reqtimeout.conf + +# Fix for CVE-2014-0231 introduces new configuration parameter +# CGIDScriptTimeout. This directive and its effect prevent request +# workers to be eaten until starvation if cgi programs do not send +# output back to the server within the timout set by CGIDScriptTimeout. +Include /etc/apache2/mod_cgid-timeout.conf + # optional cookie-based user tracking # read the documentation before using it!! Include /etc/apache2/mod_usertrack.conf diff --git a/apache2-mod_cgid-timeout.conf b/apache2-mod_cgid-timeout.conf new file mode 100644 index 0000000..9c3c9e6 --- /dev/null +++ b/apache2-mod_cgid-timeout.conf @@ -0,0 +1,15 @@ +# +# The length of time in seconds to wait for more output +# from a CGI program. +# +# This will prevent a DoS if too many CGI's don't send their output quickly +# enough. +# The value for CGIDScriptTimeout defaults to the value of Timeout. +# CGIDScriptTimeout is used by mod_cgid only! +# + + + CGIDScriptTimeout 60 + + + diff --git a/apache2.changes b/apache2.changes index c7947b0..06aec16 100644 --- a/apache2.changes +++ b/apache2.changes 
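Review bot: The comment above `Include /etc/apache2/mod_reqtimeout.conf` promises slowloris protection, but the include only has an effect when mod_reqtimeout is actually loaded, and the comment does not say so. Installations that keep an older APACHE_MODULES value would include the file without gaining the protection, assuming the file guards its directives (it is not shown here). I would add `# Takes effect only if "reqtimeout" is listed in APACHE_MODULES.` to the comment block. The CGIDScriptTimeout comment also has the typo `timout`, which should read `timeout`.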
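Review bot: As shown on this page, `CGIDScriptTimeout 60` in the new apache2-mod_cgid-timeout.conf stands alone between blank lines, with no `<IfModule>` container visible; the tags may simply have been lost in rendering. httpd.conf includes the file unconditionally, so if the guard is really absent httpd would reject the directive whenever mod_cgid is not loaded, and the server would not start. The directive should be wrapped as `<IfModule mod_cgid.c>` / `CGIDScriptTimeout 60` / `</IfModule>`, matching the "if mod_cgid is loaded/active" wording used in httpd.conf.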
@@ -1,3 +1,65 @@ +------------------------------------------------------------------- +Tue Jul 14 07:32:00 UTC 2015 - pgajdos@suse.com + +- access_compat shared also for 11sp3 + +------------------------------------------------------------------- +Mon Jul 13 15:14:20 UTC 2015 - pgajdos@suse.com + +- apache2-implicit-pointer-decl.patch renamed to + httpd-implicit-pointer-decl.patch to align with other + patches names + +------------------------------------------------------------------- +Mon Jul 13 15:12:29 UTC 2015 - pgajdos@suse.com + +- apachectl is now wrapper to start_apache2; therefore, it honors + HTTPD_INSTANCE variable, see README-instances.txt for details + + httpd-apachectl.patch + - httpd-2.4.10-apachectl.patch + +------------------------------------------------------------------- +Mon Jul 13 13:37:53 UTC 2015 - pgajdos@suse.com + +- a2enmod/a2dismod and a2enflag/a2disflag now respect + HTTPD_INSTANCE= environment variable, which can be + used to specify apache instance name; sysconfig file is expected + at /etc/sysconfig/apache2@ + (see README-instances.txt for details) + +------------------------------------------------------------------- +Mon Jul 13 11:21:43 UTC 2015 - pgajdos@suse.com + +- provides suse_maintenance_mmn symbol [bnc#915666] (internal) + +------------------------------------------------------------------- +Mon Jul 13 10:05:17 UTC 2015 - pgajdos@suse.com + +- credits to Roman Drahtmueller: + * add reference to /etc/permissions.local to output of %post if + setting the permissions of suexec2 fails + * do not enable mod_php5 by default any longer + * httpd-2.0.49-log_server_status.dif obsoleted + * apache2-mod_ssl_npn.patch removed because not used + * include mod_reqtimeout.conf in httpd.conf + * added cgid-timeout.conf, include + it in httpd.conf +- fix default value APACHE_MODULES in sysconfig file +- %service_* macros for apache2@.service + +------------------------------------------------------------------- +Mon Jul 13 09:52:21 UTC 
2015 - pgajdos@suse.com + +- reenable 690734.patch, it should be upstreamed by the author + (Adrian Schroeter) though + + httpd-2.4.9-bnc690734.patch + - httpd-2.2.x-bnc690734.patch + +------------------------------------------------------------------- +Mon Jul 13 09:51:34 UTC 2015 - pgajdos@suse.com + +- drop startssl from start_apache2 + ------------------------------------------------------------------- Wed Jul 1 09:41:31 UTC 2015 - pgajdos@suse.com diff --git a/apache2.spec b/apache2.spec index b9d996b..c0d8e2b 100644 --- a/apache2.spec +++ b/apache2.spec @@ -17,6 +17,7 @@ %define apache_mmn %(test -s %{SOURCE0} && { echo -n apache_mmn_; bzcat %{SOURCE0} | awk '/^#define MODULE_MAGIC_NUMBER_MAJOR/ {printf "%d", $3}'; }) +%define suse_maintenance_mmn 0 %define default_mpm prefork %{!?prefork:%define prefork 1} %{!?worker:%define worker 1} @@ -46,7 +47,7 @@ %define mods_static unixd systemd %else %define runtimedir %{_localstatedir}/run -%define mods_static access_compat unixd +%define mods_static unixd %endif Name: apache2 Version: 2.4.12 @@ -98,6 +99,7 @@ Source114: apache2-mod_usertrack.conf Source115: apache2-mod_reqtimeout.conf Source116: apache2-loadmodule.conf Source117: apache2-global.conf +Source118: apache2-mod_cgid-timeout.conf Source130: apache2-vhost.template Source131: apache2-vhost-ssl.template Source140: apache2-check_forensic 
@@ -109,16 +111,12 @@ Source145: apache2-find-directives Source146: apache2@.service Source147: apache2-script-helpers Patch2: httpd-2.1.3alpha-layout.dif -Patch23: httpd-2.4.10-apachectl.patch -#Patch65: httpd-2.0.49-log_server_status.dif +Patch23: httpd-apachectl.patch Patch66: httpd-2.0.54-envvars.dif Patch67: httpd-2.2.0-apxs-a2enmod.dif Patch68: httpd-2.x.x-logresolve.patch -Patch69: httpd-2.2.x-bnc690734.patch -Patch70: apache2-implicit-pointer-decl.patch -# PATCH-FEATURE-UPSTREAM apache2-mod_ssl_npn.patch dimstar@opensuse.org -- Add npn support to mod_ssl (needed for spdy) -#Patch108: apache2-mod_ssl_npn.patch -#Provides: apache2(mod_ssl+npn) +Patch69: httpd-2.4.9-bnc690734.patch +Patch70: httpd-implicit-pointer-decl.patch # PATCH-FEATURE-UPSTREAM httpd-2.4.3-mod_systemd.patch crrodriguez@opensuse.org simple module provides systemd integration. Patch109: httpd-2.4.3-mod_systemd.patch Patch111: httpd-visibility.patch @@ -151,6 +149,7 @@ Requires(post): sed Requires(post): textutils Recommends: apache2-%{default_mpm} Provides: %{apache_mmn} +Provides: suse_maintenance_mmn = %{suse_maintenance_mmn} Provides: http_daemon Provides: httpd Provides: suse_help_viewer @@ -294,14 +293,12 @@ to administrators of web servers in general. %prep %setup -q -n httpd-%{version} -a30 %patch2 -p1 -%patch23 -p1 -#%patch65 -p1 +%patch23 %patch66 -p1 %patch67 -p1 %patch68 -p1 -#%patch69 +%patch69 %patch70 -p1 -#%patch108 -p1 # Systemd module enabling patch %if 0%{?suse_version} >= 1210 %patch109 -p1 @@ -572,6 +569,8 @@ for i in default-server.conf \ mod_userdir.conf \ mod_usertrack.conf \ server-tuning.conf \ + mod_reqtimeout.conf \ + mod_cgid-timeout.conf \ ssl-global.conf do install -m 644 $RPM_SOURCE_DIR/apache2-$i %{buildroot}/%{sysconfdir}/$i 
@@ -1273,11 +1272,13 @@ exit 0 %pre %if 0%{?suse_version} >= 1210 %service_add_pre apache2.service +%service_add_pre apache2@.service %endif %preun %if 0%{?suse_version} >= 1210 %service_del_preun apache2.service +%service_del_preun apache2@.service %endif for i in %{_sbindir}/httpd \ %{installbuilddir}/config_vars.mk @@ -1289,6 +1290,7 @@ exit 0 %postun %if 0%{?suse_version} >= 1210 %service_del_postun apache2.service +%service_del_postun apache2@.service %else %insserv_cleanup %endif @@ -1297,7 +1299,7 @@ exit 0 %if 0%{?suse_version} <= 1130 %run_permissions %else -%set_permissions %{_sbindir}/suexec +%set_permissions %{_sbindir}/suexec || echo "Please check /etc/permissions.local for settings of /usr/sbin/suexec2 ." %endif # wwwadmin group existed in past remove after openSUSE-13.2 out of support scope if grep -q "^wwwadmin:" %{_sysconfdir}/group; then @@ -1314,6 +1316,7 @@ fi %{fillup_only apache2} %if 0%{?suse_version} >= 1210 %service_add_post apache2.service +%service_add_post apache2@.service %else %{fillup_and_insserv apache2} %endif diff --git a/httpd-2.4.10-apachectl.patch b/httpd-2.4.10-apachectl.patch deleted file mode 100644 index 16e9bdd..0000000 --- a/httpd-2.4.10-apachectl.patch +++ /dev/null 
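Review bot: In the `%post` hunk, a failure to set permissions on the suexec helper is now reduced to an informational `echo` on stdout, so the scriptlet carries on as if the permissions had been applied. The message also names `/usr/sbin/suexec2` while the command operates on `%{_sbindir}/suexec`, which will send an administrator to the wrong entry unless both names are known to refer to the same file. I would word it as a warning, send it to stderr and reuse the macro: `%set_permissions %{_sbindir}/suexec || echo "Warning: could not set permissions on %{_sbindir}/suexec; check /etc/permissions.local" >&2`. The rest of the scriptlet is outside the hunk.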
@@ -1,56 +0,0 @@ -diff -Ndurp httpd-2.4.10/support/apachectl.in httpd-2.4.10-apachectl/support/apachectl.in ---- httpd-2.4.10/support/apachectl.in 2012-02-01 05:47:28.000000000 +0200 -+++ httpd-2.4.10-apachectl/support/apachectl.in 2014-10-18 19:18:51.203692588 +0300 -@@ -42,17 +42,32 @@ ARGV="$@" - # -------------------- -------------------- - # - # the path to your httpd binary, including options if necessary --HTTPD='@exp_sbindir@/@progname@' -+HTTPD='@exp_sbindir@/httpd' - # - # pick up any necessary environment variables - if test -f @exp_sbindir@/envvars; then - . @exp_sbindir@/envvars - fi -+ -+pname=apache2 -+sysconfig_apache=/etc/sysconfig/$pname -+sysconfdir=/etc/$pname -+ -+test -s $sysconfig_apache && . $sysconfig_apache -+httpd_conf=${APACHE_HTTPD_CONF:-$sysconfdir/httpd.conf} -+ - # - # a command that outputs a formatted text version of the HTML at the - # url given on the command line. Designed for lynx, however other - # programs may work. --LYNX="@LYNX_PATH@ -dump" -+ -+if [ -x "`which w3m`" ]; then -+ LYNX="w3m -dump -cols ${COLUMNS:-80}" -+elif [ -x "`which lynx`" ]; then -+ LYNX="lynx -dump -width=${COLUMNS:-80}" -+fi -+ -+ - # - # the URL to your server's mod_status status page. If you do not - # have one, then status and fullstatus will not work. -@@ -78,7 +93,7 @@ fi - - case $ACMD in - start|stop|restart|graceful|graceful-stop) -- $HTTPD -k $ARGV -+ $HTTPD ${httpd_conf+-f $httpd_conf} -k $ARGV - ERROR=$? - ;; - startssl|sslstart|start-SSL) -@@ -88,7 +103,7 @@ startssl|sslstart|start-SSL) - ERROR=2 - ;; - configtest) -- $HTTPD -t -+ $HTTPD ${httpd_conf+-f $httpd_conf} -t - ERROR=$? - ;; - status) diff --git a/httpd-2.2.x-bnc690734.patch b/httpd-2.4.9-bnc690734.patch similarity index 64% rename from httpd-2.2.x-bnc690734.patch rename to httpd-2.4.9-bnc690734.patch index 87ce840..b1381cf 100644 --- a/httpd-2.2.x-bnc690734.patch +++ b/httpd-2.4.9-bnc690734.patch 
@@ -1,14 +1,13 @@ ---- server/util_script.c.orig -+++ server/util_script.c -@@ -415,6 +415,7 @@ AP_DECLARE(int) ap_scan_script_header_er - { - char x[MAX_STRING_LEN]; - char *w, *l; +Index: server/util_script.c +=================================================================== +--- server/util_script.c.orig 2015-06-25 09:15:54.539638460 +0200 ++++ server/util_script.c 2015-06-25 09:20:48.554424220 +0200 +@@ -422,11 +422,20 @@ + apr_table_t *cookie_table; + int trace_log = APLOG_R_MODULE_IS_LEVEL(r, module_index, APLOG_TRACE1); + int first_header = 1; + int wlen; - int p; - int cgi_status = HTTP_UNSET; - apr_table_t *merge; -@@ -425,7 +426,14 @@ AP_DECLARE(int) ap_scan_script_header_er + if (buffer) { *buffer = '\0'; } @@ -21,10 +20,11 @@ + w = buffer ? buffer : x; + wlen = MAX_STRING_LEN; + } ++ /* temporary place to hold headers to merge in later */ merge = apr_table_make(r->pool, 10); -@@ -441,7 +449,7 @@ AP_DECLARE(int) ap_scan_script_header_er +@@ -442,7 +451,7 @@ while (1) { @@ -33,17 +33,19 @@ if (rv == 0) { const char *msg = "Premature end of script headers"; if (first_header) -@@ -553,9 +561,12 @@ AP_DECLARE(int) ap_scan_script_header_er +@@ -555,10 +564,13 @@ if (!(l = strchr(w, ':'))) { if (!buffer) { /* Soak up all the script output - may save an outright kill */ -- while ((*getsfunc) (w, MAX_STRING_LEN - 1, getsfunc_data)) { +- while ((*getsfunc)(w, MAX_STRING_LEN - 1, getsfunc_data) > 0) { + while ((*getsfunc) (w, wlen - 1, getsfunc_data)) { continue; } -+ } else if (w != buffer) { +- } ++ } else if (w != buffer) { + strncpy(buffer, w, MAX_STRING_LEN - 1); + buffer[MAX_STRING_LEN - 1] = 0; - } ++ } ap_log_rerror(SCRIPT_LOG_MARK, APLOG_ERR|APLOG_TOCLIENT, 0, r, + "malformed header from script '%s': Bad header: %.30s", diff --git a/httpd-apachectl.patch b/httpd-apachectl.patch new file mode 100644 index 0000000..b65813e --- /dev/null +++ b/httpd-apachectl.patch 
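Review bot: The refreshed patch drops upstream's `> 0` comparison in the "Soak up all the script output" loop. It removes `while ((*getsfunc)(w, MAX_STRING_LEN - 1, getsfunc_data) > 0) {` and adds `while ((*getsfunc) (w, wlen - 1, getsfunc_data)) {`. If getsfunc can return a negative value on error or timeout, as the upstream comparison suggests, the new condition treats that as "more data" and keeps looping, tying up the request worker. That is the kind of starvation the CGIDScriptTimeout change in this same commit is meant to prevent. Keep the comparison while switching to the new length: `while ((*getsfunc)(w, wlen - 1, getsfunc_data) > 0) {`. The function body continues outside the hunk.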
@@ -0,0 +1,27 @@ + +Index: support/apachectl.in +=================================================================== +--- support/apachectl.in.orig 2012-02-01 04:47:28.000000000 +0100 ++++ support/apachectl.in 2015-07-13 17:09:06.651280087 +0200 +@@ -42,7 +42,7 @@ + # -------------------- -------------------- + # + # the path to your httpd binary, including options if necessary +-HTTPD='@exp_sbindir@/@progname@' ++HTTPD='@exp_sbindir@/start_apache2' + # + # pick up any necessary environment variables + if test -f @exp_sbindir@/envvars; then +@@ -52,7 +52,11 @@ + # a command that outputs a formatted text version of the HTML at the + # url given on the command line. Designed for lynx, however other + # programs may work. +-LYNX="@LYNX_PATH@ -dump" ++if [ -x "`which w3m`" ]; then ++ LYNX="w3m -dump -cols ${COLUMNS:-80}" ++elif [ -x "`which lynx`" ]; then ++ LYNX="lynx -dump -width=${COLUMNS:-80}" ++fi + # + # the URL to your server's mod_status status page. If you do not + # have one, then status and fullstatus will not work. diff --git a/apache2-implicit-pointer-decl.patch b/httpd-implicit-pointer-decl.patch similarity index 100% rename from apache2-implicit-pointer-decl.patch rename to httpd-implicit-pointer-decl.patch diff --git a/start_apache2 b/start_apache2 index 9861e5b..71c0da3 100644 --- a/start_apache2 +++ b/start_apache2 @@ -31,13 +31,11 @@ load_sysconfig unset server_flags # -# server_flags: -DSSL and -DSYSCONFIG +# server_flags: -DSYSCONFIG # if [ -f "$SYSCONFIG_FILE" ]; then server_flags="$server_flags -DSYSCONFIG" fi -case "$action" in startssl) server_flags="-DSSL";; esac - # # figure out correct apache2 binary (/usr/sbin/httpd-prefork, 
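Review bot: `LYNX` stays unset when neither w3m nor lynx is found, because the added `if`/`elif` chain in apachectl.in has no `else` branch. The `status` and `fullstatus` actions (outside this hunk) presumably use `$LYNX` as the command, so they would fail with a confusing error instead of a clear message. I would add an `else` branch that prints a warning to stderr. I would also test for the tools with `command -v w3m >/dev/null 2>&1` rather than ``[ -x "`which w3m`" ]``, which depends on an external `which` and on its output format.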
@@ -72,10 +70,11 @@ done httpd_conf=${APACHE_HTTPD_CONF:-/etc/apache2${instance_suffix}/httpd.conf} # -# default values for some directives that should depend on instance +# set PidFile to this file name; PidFile should not +# be used in the configuration to change this, otherwise +# stopping will not work # -# PidFile -default_pid_file=/var/run/httpd${instance_suffix}.pid +pid_file=/var/run/httpd${instance_suffix}.pid unset sysconfig_setting # @@ -141,12 +140,8 @@ HOME=/var/lib/apache2${instance_suffix} # run Apache # -echo Running $apache_bin -f $httpd_conf $server_flags \ - -C "PidFile $default_pid_file" \ - "${sysconfig_setting[@]}" \ - $@ exec $apache_bin -f $httpd_conf $server_flags \ - -C "PidFile $default_pid_file" \ + -C "PidFile $pid_file" \ "${sysconfig_setting[@]}" \ $@ diff --git a/sysconfig.apache2 b/sysconfig.apache2 index 14e9ef9..6ec8184 100644 --- a/sysconfig.apache2 +++ b/sysconfig.apache2 @@ -30,7 +30,7 @@ APACHE_CONF_INCLUDE_FILES="" APACHE_CONF_INCLUDE_DIRS="" ## Type: string -## Default: "actions alias auth_basic authz_host authn_file authz_groupfile authz_default authz_user autoindex cgi dir env expires include log_config mime negotiation setenvif ssl suexec userdir php5" +## Default: "actions alias auth_basic authn_file authz_host authz_groupfile authz_core authz_user autoindex cgi dir env expires include log_config mime negotiation setenvif ssl socache_shmcb userdir reqtimeout" ## ServiceRestart: apache2 # # [It might look silly to not simply edit httpd.conf for the LoadModule statements.
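Review bot: The new comment asks administrators not to set `PidFile` in the configuration, but nothing enforces this. The exec line passes `-C "PidFile $pid_file"`, which httpd processes before it reads the configuration files, so a `PidFile` directive there would override it and stopping the instance would break as the comment warns. Passing it with `-c` instead, which is processed after the configuration files, would make the instance-specific value win: `-c "PidFile $pid_file" \`. This should be confirmed against the stop and status code paths, which are outside these hunks.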