forked from pool/apache2

Accepting request 254328 from Apache

- the following unused patches were removed from the package:
  * apache2-mod_ssl_npn.patch
  * httpd-2.0.49-log_server_status.dif

- 700 permissions for /usr/sbin/apache2-systemd-ask-pass and
  /usr/sbin/start_apache2 [bnc#851627]

- allow only TCP ports in Yast2 firewall files

- more 2.2 -> 2.4 [bnc#862058]

- ServerSignature=Off and ServerTokens=Prod by request from
  security team [bnc#716495]

- fix documentation links 2.2 -> 2.4 [bnc#888163] (internal)

- Update package Summary and Description.
- version 2.4.10
* SECURITY: CVE-2014-0117 (cve.mitre.org)
* SECURITY: CVE-2014-3523 (cve.mitre.org)
* SECURITY: CVE-2014-0226 (cve.mitre.org)
* SECURITY: CVE-2014-0118 (cve.mitre.org)
* SECURITY: CVE-2014-0231 (cve.mitre.org)
* Multiple bugfixes to mod_ssl, mod_cache, mod_deflate, mod_lua
* mod_proxy_fcgi supports unix sockets.

- provide httpd.service as alias for apache2.service for
  compatibility reasons (bnc#888093)

- move most ssl options to ssl-global.conf. There is usually no need

OBS-URL: https://build.opensuse.org/request/show/254328
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2?expand=0&rev=84
Stephan Kulow 2014-10-09 10:52:02 +00:00 committed by Git OBS Bridge
commit d7b1f84695
27 changed files with 183 additions and 625 deletions

@ -48,14 +48,14 @@ The following nice article has a more in depth answer:
http://www.onlamp.com/pub/a/apache/2004/06/17/apacheckbk.html
See
http://httpd.apache.org/docs-2.2/mpm.html and
http://httpd.apache.org/docs-2.2/misc/perf-tuning.html#compiletime
http:///httpd.apache.org/docs/2.4/mpm.html and
http:///httpd.apache.org/docs/2.4/misc/perf-tuning.html#compiletime
for more technical details.
In general, using a threaded MPM (worker) requires that all libraries that are
loaded into apache (and libraries loaded by them in turn) be threadsafe as well.
See
http://httpd.apache.org/docs-2.2/developer/thread_safety.html for a status on
http:///httpd.apache.org/docs/2.4/developer/thread_safety.html for a status on
some libraries.
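Review bot: the three replacement `See` links are malformed: `http:///httpd.apache.org/docs/2.4/mpm.html`, `http:///httpd.apache.org/docs/2.4/misc/perf-tuning.html#compiletime` and `http:///httpd.apache.org/docs/2.4/developer/thread_safety.html` carry three slashes after `http:`, which parses as an empty host with a path beginning `/httpd.apache.org/...`, so the links are dead. The replaced `docs-2.2` lines had the correct `http://` form; only the path needed to change to `docs/2.4/`.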

@ -17,7 +17,7 @@ DocumentRoot "/srv/www/htdocs"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs-2.2/mod/core.html#options
# http:///httpd.apache.org/docs/2.4/mod/core.html#options
# for more information.
Options None
# AllowOverride controls what directives may be placed in .htaccess files.
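Review bot: the new `Options` documentation link `http:///httpd.apache.org/docs/2.4/mod/core.html#options` has the triple-slash typo; it should read `http://httpd.apache.org/docs/2.4/mod/core.html#options`.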

@ -2,7 +2,7 @@
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
# directives see <URL:http://httpd.apache.org/docs-2.2/mod/mod_ssl.html>
# directives see <URL:http:///httpd.apache.org/docs/2.4/mod/mod_ssl.html>
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
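Review bot: `<URL:http:///httpd.apache.org/docs/2.4/mod/mod_ssl.html>` on the replacement line has three slashes after the scheme; it should be `<URL:http://httpd.apache.org/docs/2.4/mod/mod_ssl.html>`.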

@ -92,7 +92,7 @@
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs-2.2/mod/core.html#options
# http:///httpd.apache.org/docs/2.4/mod/core.html#options
# for more information.
#
Options +Indexes +MultiViews +FollowSymLinks
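Review bot: same triple-slash defect in the replacement `core.html#options` link in this file; it needs exactly two slashes before `httpd.apache.org`.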

@ -3,7 +3,7 @@
#
# This is the main Apache server configuration file. It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs-2.2/> for detailed information about
# See <URL:http:///httpd.apache.org/docs/2.4/> for detailed information about
# the directives.
# Based upon the default apache configuration file that ships with apache,
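Review bot: the new `<URL:http:///httpd.apache.org/docs/2.4/>` link at the top of httpd.conf is malformed (three slashes); it should be `<URL:http://httpd.apache.org/docs/2.4/>`.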
@ -193,7 +193,7 @@ Include /etc/apache2/sysconfig.d/include.conf
# IP addresses. This is indicated by the asterisks in the directives below.
#
# Please see the documentation at
# <URL:http://httpd.apache.org/docs-2.2/vhosts/>
# <URL:http:///httpd.apache.org/docs/2.4/vhosts/>
# for further details before you try to setup virtual hosts.
#
# You may use the command line option '-S' to verify your virtual host
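Review bot: `<URL:http:///httpd.apache.org/docs/2.4/vhosts/>` has the same triple-slash typo; use `<URL:http://httpd.apache.org/docs/2.4/vhosts/>`.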

@ -1,7 +1,7 @@
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports. See also the <VirtualHost> directive.
#
# http://httpd.apache.org/docs-2.2/mod/mpm_common.html#listen
# http:///httpd.apache.org/docs/2.4/mod/mpm_common.html#listen
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
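Review bot: the replacement `mpm_common.html#listen` link begins with `http:///`; it should be `http://httpd.apache.org/docs/2.4/mod/mpm_common.html#listen`.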

@ -1,7 +1,7 @@
#
# Directives controlling the display of server-generated directory listings.
#
# see http://httpd.apache.org/docs-2.2/mod/mod_autoindex.html
# see http:///httpd.apache.org/docs/2.4/mod/mod_autoindex.html
#
<IfModule mod_autoindex.c>
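Review bot: `http:///httpd.apache.org/docs/2.4/mod/mod_autoindex.html` is malformed (three slashes after the scheme); it should be `http://httpd.apache.org/docs/2.4/mod/mod_autoindex.html`.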

@ -2,7 +2,7 @@
# Allow remote server configuration reports, with the URL of
# http://servername/server-info (requires that mod_info.c be loaded).
#
# see http://httpd.apache.org/docs-2.2/mod/mod_info.html
# see http:///httpd.apache.org/docs/2.4/mod/mod_info.html
#
<IfModule mod_info.c>
<Location /server-info>
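Review bot: the new `mod_info.html` link has the triple-slash typo; it should read `http://httpd.apache.org/docs/2.4/mod/mod_info.html`.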

@ -2,7 +2,7 @@
# The following directives define some format nicknames for use with
# a CustomLog directive.
#
# http://httpd.apache.org/docs-2.2/mod/mod_log_config.html
# http:///httpd.apache.org/docs/2.4/mod/mod_log_config.html
#
#
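Review bot: `http:///httpd.apache.org/docs/2.4/mod/mod_log_config.html` carries three slashes after `http:`; correct form is `http://httpd.apache.org/docs/2.4/mod/mod_log_config.html`.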

@ -2,7 +2,7 @@
# mod_mime configuration:
# associate various bits of "meta information" with files by their filename extensions
#
# see http://httpd.apache.org/docs-2.2/mod/mod_mime.html
# see http:///httpd.apache.org/docs/2.4/mod/mod_mime.html
#
# Catalan (ca) - Croatian (hr) - Czech (cs) - Danish (da) - Dutch (nl)
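Review bot: the replacement `mod_mime.html` link is malformed (`http:///`); it should be `http://httpd.apache.org/docs/2.4/mod/mod_mime.html`.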
@ -152,7 +152,7 @@ AddHandler type-map var
# Guess the MIME type of a file by looking at a few bytes of its contents
# http://httpd.apache.org/docs-2.2/mod/mod_mime_magic.html
# http:///httpd.apache.org/docs/2.4/mod/mod_mime_magic.html
<IfModule mod_mime_magic.c>
MIMEMagicFile /etc/apache2/magic
</IfModule>
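Review bot: same triple-slash defect on the `mod_mime_magic.html` link in this hunk; use `http://httpd.apache.org/docs/2.4/mod/mod_mime_magic.html`.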

@ -7,7 +7,7 @@
#
# mod_reqtimeout.c must be loaded.
#
# see https://httpd.apache.org/docs/2.2/mod/mod_reqtimeout.html
# see https://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html
# or /usr/share/apache2/manual/mod/mod_reqtimeout.html.en
#
# Note:

@ -1,353 +0,0 @@
--- httpd-2.4.4.orig/modules/ssl/mod_ssl.c
+++ httpd-2.4.4/modules/ssl/mod_ssl.c
@@ -94,6 +94,15 @@ static const command_rec ssl_config_cmds
SSL_CMD_SRV(PKCS7CertificateFile, TAKE1,
"PKCS#7 file containing server certificate and chain"
" certificates ('/path/to/file' - PEM encoded)")
+ SSL_CMD_ALL(RSAAuthzFile, TAKE1,
+ "RFC 5878 Authz Extension file for RSA certificate "
+ "(`/path/to/file')")
+ SSL_CMD_ALL(DSAAuthzFile, TAKE1,
+ "RFC 5878 Authz Extension file for DSA certificate "
+ "(`/path/to/file')")
+ SSL_CMD_ALL(ECAuthzFile, TAKE1,
+ "RFC 5878 Authz Extension file for EC certificate "
+ "(`/path/to/file')")
#ifdef HAVE_TLS_SESSION_TICKETS
SSL_CMD_SRV(SessionTicketKeyFile, TAKE1,
"TLS session ticket encryption/decryption key file (RFC 5077) "
@@ -157,6 +166,15 @@ static const command_rec ssl_config_cmds
"('some secret text')")
#endif
+#ifndef OPENSSL_NO_SRP
+ SSL_CMD_SRV(SRPVerifierFile, TAKE1,
+ "SRP verifier file "
+ "('/path/to/file' - created by srptool)")
+ SSL_CMD_SRV(SRPUnknownUserSeed, TAKE1,
+ "SRP seed for unknown users (to avoid leaking a user's existence) "
+ "('some secret text')")
+#endif
+
/*
* Proxy configuration for remote SSL connections
*/
@@ -272,6 +290,18 @@ static const command_rec ssl_config_cmds
AP_END_CMD
};
+/* Implement 'modssl_run_npn_advertise_protos_hook'. */
+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
+ modssl, AP, int, npn_advertise_protos_hook,
+ (conn_rec *connection, apr_array_header_t *protos),
+ (connection, protos), OK, DECLINED);
+
+/* Implement 'modssl_run_npn_proto_negotiated_hook'. */
+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
+ modssl, AP, int, npn_proto_negotiated_hook,
+ (conn_rec *connection, const char *proto_name, apr_size_t proto_name_len),
+ (connection, proto_name, proto_name_len), OK, DECLINED);
+
/*
* the various processing hooks
*/
--- httpd-2.4.4.orig/modules/ssl/mod_ssl.h
+++ httpd-2.4.4/modules/ssl/mod_ssl.h
@@ -63,5 +63,26 @@ APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_e
APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
+/** The npn_advertise_protos optional hook allows other modules to add entries
+ * to the list of protocol names advertised by the server during the Next
+ * Protocol Negotiation (NPN) portion of the SSL handshake. The hook callee is
+ * given the connection and an APR array; it should push one or more char*'s
+ * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto
+ * the array and return OK, or do nothing and return DECLINED. */
+APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_advertise_protos_hook,
+ (conn_rec *connection, apr_array_header_t *protos));
+
+/** The npn_proto_negotiated optional hook allows other modules to discover the
+ * name of the protocol that was chosen during the Next Protocol Negotiation
+ * (NPN) portion of the SSL handshake. Note that this may be the empty string
+ * (in which case modules should probably assume HTTP), or it may be a protocol
+ * that was never even advertised by the server. The hook callee is given the
+ * connection, a non-null-terminated string containing the protocol name, and
+ * the length of the string; it should do something appropriate (i.e. insert or
+ * remove filters) and return OK, or do nothing and return DECLINED. */
+APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_proto_negotiated_hook,
+ (conn_rec *connection, const char *proto_name,
+ apr_size_t proto_name_len));
+
#endif /* __MOD_SSL_H__ */
/** @} */
--- httpd-2.4.4.orig/modules/ssl/ssl_engine_config.c
+++ httpd-2.4.4/modules/ssl/ssl_engine_config.c
@@ -125,6 +125,10 @@ static void modssl_ctx_init(modssl_ctx_t
mctx->crl_file = NULL;
mctx->crl_check_mode = SSL_CRLCHECK_UNSET;
+ mctx->rsa_authz_file = NULL;
+ mctx->dsa_authz_file = NULL;
+ mctx->ec_authz_file = NULL;
+
mctx->auth.ca_cert_path = NULL;
mctx->auth.ca_cert_file = NULL;
mctx->auth.cipher_suite = NULL;
@@ -155,6 +159,12 @@ static void modssl_ctx_init(modssl_ctx_t
mctx->srp_unknown_user_seed = NULL;
mctx->srp_vbase = NULL;
#endif
+
+#ifndef OPENSSL_NO_SRP
+ mctx->srp_vfile = NULL;
+ mctx->srp_unknown_user_seed = NULL;
+ mctx->srp_vbase = NULL;
+#endif
}
static void modssl_ctx_init_proxy(SSLSrvConfigRec *sc,
@@ -257,6 +267,10 @@ static void modssl_ctx_cfg_merge(modssl_
cfgMerge(crl_file, NULL);
cfgMerge(crl_check_mode, SSL_CRLCHECK_UNSET);
+ cfgMergeString(rsa_authz_file);
+ cfgMergeString(dsa_authz_file);
+ cfgMergeString(ec_authz_file);
+
cfgMergeString(auth.ca_cert_path);
cfgMergeString(auth.ca_cert_file);
cfgMergeString(auth.cipher_suite);
@@ -839,6 +853,54 @@ const char *ssl_cmd_SSLPKCS7CertificateF
return NULL;
}
+
+const char *ssl_cmd_SSLRSAAuthzFile(cmd_parms *cmd,
+ void *dcfg,
+ const char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ const char *err;
+
+ if ((err = ssl_cmd_check_file(cmd, &arg))) {
+ return err;
+ }
+
+ sc->server->rsa_authz_file = arg;
+
+ return NULL;
+}
+
+const char *ssl_cmd_SSLDSAAuthzFile(cmd_parms *cmd,
+ void *dcfg,
+ const char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ const char *err;
+
+ if ((err = ssl_cmd_check_file(cmd, &arg))) {
+ return err;
+ }
+
+ sc->server->dsa_authz_file = arg;
+
+ return NULL;
+}
+
+const char *ssl_cmd_SSLECAuthzFile(cmd_parms *cmd,
+ void *dcfg,
+ const char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ const char *err;
+
+ if ((err = ssl_cmd_check_file(cmd, &arg))) {
+ return err;
+ }
+
+ sc->server->ec_authz_file = arg;
+
+ return NULL;
+}
#ifdef HAVE_TLS_SESSION_TICKETS
const char *ssl_cmd_SSLSessionTicketKeyFile(cmd_parms *cmd,
--- httpd-2.4.4.orig/modules/ssl/ssl_engine_io.c
+++ httpd-2.4.4/modules/ssl/ssl_engine_io.c
@@ -28,6 +28,7 @@
core keeps dumping.''
-- Unknown */
#include "ssl_private.h"
+#include "mod_ssl.h"
#include "apr_date.h"
/* _________________________________________________________________
@@ -297,6 +298,7 @@ typedef struct {
apr_pool_t *pool;
char buffer[AP_IOBUFSIZE];
ssl_filter_ctx_t *filter_ctx;
+ int npn_finished; /* 1 if NPN has finished, 0 otherwise */
} bio_filter_in_ctx_t;
/*
@@ -1385,6 +1387,26 @@ static apr_status_t ssl_io_filter_input(
APR_BRIGADE_INSERT_TAIL(bb, bucket);
}
+#ifdef HAVE_TLS_NPN
+ /* By this point, Next Protocol Negotiation (NPN) should be completed (if
+ * our version of OpenSSL supports it). If we haven't already, find out
+ * which protocol was decided upon and inform other modules by calling
+ * npn_proto_negotiated_hook. */
+ if (!inctx->npn_finished) {
+ const unsigned char *next_proto = NULL;
+ unsigned next_proto_len = 0;
+
+ SSL_get0_next_proto_negotiated(
+ inctx->ssl, &next_proto, &next_proto_len);
+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,
+ APLOGNO(02306) "SSL NPN negotiated protocol: '%*s'",
+ next_proto_len, (const char*)next_proto);
+ modssl_run_npn_proto_negotiated_hook(
+ f->c, (const char*)next_proto, next_proto_len);
+ inctx->npn_finished = 1;
+ }
+#endif
+
return APR_SUCCESS;
}
@@ -1866,6 +1888,7 @@ static void ssl_io_input_add_filter(ssl_
inctx->block = APR_BLOCK_READ;
inctx->pool = c->pool;
inctx->filter_ctx = filter_ctx;
+ inctx->npn_finished = 0;
}
/* The request_rec pointer is passed in here only to ensure that the
--- httpd-2.4.4.orig/modules/ssl/ssl_engine_kernel.c
+++ httpd-2.4.4/modules/ssl/ssl_engine_kernel.c
@@ -29,6 +29,7 @@
time I was too famous.''
-- Unknown */
#include "ssl_private.h"
+#include "mod_ssl.h"
#include "util_md5.h"
static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
@@ -320,6 +321,19 @@ int ssl_hook_Access(request_rec *r)
return HTTP_FORBIDDEN;
}
+#ifndef OPENSSL_NO_SRP
+ /*
+ * Support for per-directory reconfigured SSL connection parameters
+ *
+ * We do not force any renegotiation if the user is already authenticated
+ * via SRP.
+ *
+ */
+ if (SSL_get_srp_username(ssl)) {
+ return DECLINED;
+ }
+#endif
+
/*
* Check to see whether SSL is in use; if it's not, then no
* further access control checks are relevant. (the test for
@@ -1397,7 +1411,7 @@ EC_KEY *ssl_callback_TmpECDH(SSL *ssl, i
return (EC_KEY *)mc->pTmpKeys[idx];
}
-#endif
+#endif /* OPENSSL_NO_TLSEXT */
/*
* This OpenSSL callback function is called when OpenSSL
--- httpd-2.4.4.orig/modules/ssl/ssl_private.h
+++ httpd-2.4.4/modules/ssl/ssl_private.h
@@ -139,6 +139,11 @@
#define HAVE_FIPS
#endif
+#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG) \
+ && !defined(OPENSSL_NO_TLSEXT)
+#define HAVE_TLS_NPN
+#endif
+
#if (OPENSSL_VERSION_NUMBER >= 0x10000000)
#define MODSSL_SSL_CIPHER_CONST const
#define MODSSL_SSL_METHOD_CONST const
@@ -194,6 +199,20 @@
#endif
#endif
+#if !defined(OPENSSL_NO_COMP) && !defined(SSL_OP_NO_COMPRESSION) \
+ && OPENSSL_VERSION_NUMBER < 0x00908000L
+#define OPENSSL_NO_COMP
+#endif
+
+/* SRP support came in OpenSSL 1.0.1 */
+#ifndef OPENSSL_NO_SRP
+#ifdef SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB
+#include <openssl/srp.h>
+#else
+#define OPENSSL_NO_SRP
+#endif
+#endif
+
/* mod_ssl headers */
#include "ssl_util_ssl.h"
@@ -662,6 +681,11 @@ typedef struct {
SRP_VBASE *srp_vbase;
#endif
+ /** RFC 5878 */
+ const char *rsa_authz_file;
+ const char *dsa_authz_file;
+ const char *ec_authz_file;
+
modssl_auth_ctx_t auth;
BOOL ocsp_enabled; /* true if OCSP verification enabled */
@@ -738,6 +762,9 @@ const char *ssl_cmd_SSLCryptoDevice(cmd
const char *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);
const char *ssl_cmd_SSLEngine(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLRSAAuthzFile(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLDSAAuthzFile(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLECAuthzFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *);
@@ -795,6 +822,11 @@ const char *ssl_cmd_SSLSRPVerifierFile(c
const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg, const char *arg);
#endif
+#ifndef OPENSSL_NO_SRP
+const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg, const char *arg);
+const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg, const char *arg);
+#endif
+
const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag);
/** module initialization */
@@ -840,6 +872,7 @@ int ssl_callback_ServerNameIndi
int ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *,
EVP_CIPHER_CTX *, HMAC_CTX *, int);
#endif
+int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len, void *arg);
/** Session Cache Support */
void ssl_scache_init(server_rec *, apr_pool_t *);
@@ -873,6 +906,9 @@ int ssl_stapling_init_cert(serv
#endif
#ifndef OPENSSL_NO_SRP
int ssl_callback_SRPServerParams(SSL *, int *, void *);
+#endif
+#ifndef OPENSSL_NO_SRP
+int ssl_callback_SRPServerParams(SSL *, int *, void *);
#endif
/** I/O */
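Review bot: deleting this 353-line `apache2-mod_ssl_npn.patch` matches the changelog entry that calls it unused, and its content shows it could not have applied cleanly anyway: it is written against `httpd-2.4.4` while the package moves to 2.4.10, and in the `ssl_engine_config.c` and `ssl_private.h` hunks it adds SRP blocks (the `srp_vfile`/`srp_unknown_user_seed`/`srp_vbase` initialisation, the `ssl_cmd_SSLSRPVerifierFile`/`ssl_cmd_SSLSRPUnknownUserSeed` prototypes and `ssl_callback_SRPServerParams`) directly after identical blocks already present in the unchanged context lines. Please confirm the spec file no longer carries a `Patch:`/`%patch` reference to it, and that nothing shipped in the package still uses the `SSLRSAAuthzFile`/`SSLDSAAuthzFile`/`SSLECAuthzFile` directives or the `npn_advertise_protos_hook`/`npn_proto_negotiated_hook` hooks this patch provided.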

@ -2,7 +2,7 @@
# Allow server status reports generated by mod_status,
# with the URL of http://servername/server-status
#
# see http://httpd.apache.org/docs-2.2/mod/mod_status.html
# see http:///httpd.apache.org/docs/2.4/mod/mod_status.html
#
<IfModule mod_status.c>
<Location /server-status>
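Review bot: the replacement `mod_status.html` link has the triple-slash typo; it should be `http://httpd.apache.org/docs/2.4/mod/mod_status.html`.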

@ -10,47 +10,47 @@
# prefork MPM
<IfModule prefork.c>
# number of server processes to start
# http://httpd.apache.org/docs/2.2/mod/mpm_common.html#startservers
# http://httpd.apache.org/docs/2.4/mod/mpm_common.html#startservers
StartServers 5
# minimum number of server processes which are kept spare
# http://httpd.apache.org/docs/2.2/mod/prefork.html#minspareservers
# http://httpd.apache.org/docs/2.4/mod/prefork.html#minspareservers
MinSpareServers 5
# maximum number of server processes which are kept spare
# http://httpd.apache.org/docs/2.2/mod/prefork.html#maxspareservers
# http://httpd.apache.org/docs/2.4/mod/prefork.html#maxspareservers
MaxSpareServers 10
# highest possible MaxClients setting for the lifetime of the Apache process.
# http://httpd.apache.org/docs/2.2/mod/mpm_common.html#serverlimit
# http://httpd.apache.org/docs/2.4/mod/mpm_common.html#serverlimit
ServerLimit 150
# maximum number of server processes allowed to start
# http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxclients
# http://httpd.apache.org/docs/2.4/mod/mpm_common.html#maxclients
MaxClients 150
# maximum number of requests a server process serves
# http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxrequestsperchild
# http://httpd.apache.org/docs/2.4/mod/mpm_common.html#maxrequestsperchild
MaxRequestsPerChild 10000
</IfModule>
# worker MPM
<IfModule worker.c>
# initial number of server processes to start
# http://httpd.apache.org/docs/2.2/mod/mpm_common.html#startservers
# http://httpd.apache.org/docs/2.4/mod/mpm_common.html#startservers
StartServers 3
# minimum number of worker threads which are kept spare
# http://httpd.apache.org/docs/2.2/mod/mpm_common.html#minsparethreads
# http://httpd.apache.org/docs/2.4/mod/mpm_common.html#minsparethreads
MinSpareThreads 25
# maximum number of worker threads which are kept spare
# http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxsparethreads
# http://httpd.apache.org/docs/2.4/mod/mpm_common.html#maxsparethreads
MaxSpareThreads 75
# upper limit on the configurable number of threads per child process
# http://httpd.apache.org/docs/2.2/mod/mpm_common.html#threadlimit
# http://httpd.apache.org/docs/2.4/mod/mpm_common.html#threadlimit
ThreadLimit 64
# maximum number of simultaneous client connections
# http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxclients
# http://httpd.apache.org/docs/2.4/mod/mpm_common.html#maxclients
MaxClients 150
# number of worker threads created by each child process
# http://httpd.apache.org/docs/2.2/mod/mpm_common.html#threadsperchild
# http://httpd.apache.org/docs/2.4/mod/mpm_common.html#threadsperchild
ThreadsPerChild 25
# maximum number of requests a server process serves
# http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxrequestsperchild
# http://httpd.apache.org/docs/2.4/mod/mpm_common.html#maxrequestsperchild
MaxRequestsPerChild 10000
</IfModule>
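Review bot: the anchors `#maxclients` and `#maxrequestsperchild` on the updated `docs/2.4/mod/mpm_common.html` links are unlikely to resolve, because 2.4 renamed these directives to `MaxRequestWorkers` and `MaxConnectionsPerChild` (the old names remain accepted as aliases) and documents them under `#maxrequestworkers` and `#maxconnectionsperchild`. Since the comments are being re-pointed at the 2.4 manual, consider switching the directive names in both the prefork and worker blocks at the same time, e.g. `MaxRequestWorkers 150` and `MaxConnectionsPerChild 10000`, so the comment, link and directive agree.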
@ -103,7 +103,7 @@ KeepAliveTimeout 15
# The default is on; turn this off if you serve from NFS-mounted
# filesystems. On some systems, turning it off (regardless of
# filesystem) can improve performance; for details, please see
# http://httpd.apache.org/docs-2.2/mod/core.html#enablemmap
# http:///httpd.apache.org/docs/2.4/mod/core.html#enablemmap
#
#EnableMMAP off
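Review bot: `http:///httpd.apache.org/docs/2.4/mod/core.html#enablemmap` is malformed (three slashes); it should be `http://httpd.apache.org/docs/2.4/mod/core.html#enablemmap`.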
@ -112,7 +112,7 @@ KeepAliveTimeout 15
# used to deliver files (assuming that the OS supports it).
# The default is on; turn this off if you serve from NFS-mounted
# filesystems. Please see
# http://httpd.apache.org/docs-2.2/mod/core.html#enablesendfile
# http:///httpd.apache.org/docs/2.4/mod/core.html#enablesendfile
#
EnableSendfile on
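Review bot: same triple-slash defect on the `core.html#enablesendfile` link; two slashes before the host.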

@ -7,7 +7,7 @@
# These are the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
# directives see <URL:http://httpd.apache.org/docs-2.2/mod/mod_ssl.html>
# directives see <URL:http:///httpd.apache.org/docs/2.4/mod/mod_ssl.html>
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
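Review bot: `<URL:http:///httpd.apache.org/docs/2.4/mod/mod_ssl.html>` in the ssl-global.conf header has the triple-slash typo; the vhost-ssl.template hunk below gets the same link right as `http://httpd.apache.org/docs/2.4/mod/mod_ssl.html`.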
@ -70,6 +70,63 @@
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/urandom 512
# SSL protocols
# Supporting TLS only is adequate nowadays
SSLProtocol all -SSLv2 -SSLv3
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. Keep
# in mind that if you have both an RSA and a DSA certificate you
# can configure both in parallel (to also allow the use of DSA
# ciphers, etc.)
#SSLCertificateFile /etc/apache2/ssl.crt/server.crt
#SSLCertificateFile /etc/apache2/ssl.crt/server-dsa.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
#SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
#SSLCertificateKeyFile /etc/apache2/ssl.key/server-dsa.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded intermediate CA
# certificates which form the certificate chain for the
# server certificate. Alternatively the referenced file
# can be the same as SSLCertificateFile when the CA
# certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile /etc/apache2/ssl.crt/chain.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /etc/apache2/ssl.crt
#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
# Certificate Revocation Lists (CRL):
# Set the CA revocation path where to find CA CRLs for client
# authentication or alternatively one huge file containing all
# of them (file must be PEM encoded)
# Note: Inside SSLCARevocationPath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCARevocationPath /etc/apache2/ssl.crl
#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
</IfModule>
</IfDefine>
</IfDefine>
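Review bot: `SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5` in the new server-wide block still admits the `MEDIUM` group, which contains the RC4-SHA suites, and without `SSLHonorCipherOrder on` the client's preference decides, so the global default can still end up on RC4; now that this applies to every vhost, consider appending `!RC4` and enabling `SSLHonorCipherOrder on` with an explicit ordered list. `SSLProtocol all -SSLv2 -SSLv3` is the right default. Minor: `convinience` in the chain-file comment.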

@ -11,7 +11,7 @@
# This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these
# directives see http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
# directives see http://httpd.apache.org/docs/2.4/mod/mod_ssl.html
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
@ -38,167 +38,17 @@
# Enable/Disable SSL for this virtual host.
SSLEngine on
# SSL protocols
# Supporting TLS only is adequate nowadays
SSLProtocol all -SSLv2
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
# Speed-optimized SSL Cipher configuration:
# If speed is your main concern (on busy HTTPS servers e.g.),
# you might want to force clients to specific, performance
# optimized ciphers. In this case, prepend those ciphers
# to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
# Caveat: by giving precedence to RC4-SHA and AES128-SHA
# (as in the example below), most connections will no longer
# have perfect forward secrecy - if the server's key is
# compromised, captures of past or future traffic must be
# considered compromised, too.
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
#SSLHonorCipherOrder on
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. Keep
# in mind that if you have both an RSA and a DSA certificate you
# can configure both in parallel (to also allow the use of DSA
# ciphers, etc.)
SSLCertificateFile /etc/apache2/ssl.crt/server.crt
#SSLCertificateFile /etc/apache2/ssl.crt/server-dsa.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
#SSLCertificateKeyFile /etc/apache2/ssl.key/server-dsa.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile /etc/apache2/ssl.crt/ca.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /etc/apache2/ssl.crt
#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
# Certificate Revocation Lists (CRL):
# Set the CA revocation path where to find CA CRLs for client
# authentication or alternatively one huge file containing all
# of them (file must be PEM encoded)
# Note: Inside SSLCARevocationPath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCARevocationPath /etc/apache2/ssl.crl
#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/srv/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# You can use per vhost certificates if SNI is supported.
SSLCertificateFile /etc/apache2/ssl.crt/vhost-example.crt
SSLCertificateKeyFile /etc/apache2/ssl.key/vhost-example.key
#SSLCertificateChainFile /etc/apache2/ssl.crt/vhost-example-chain.crt
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog /var/log/apache2/ssl_request_log ssl_combined
</VirtualHost>
</VirtualHost>
</IfDefine>
</IfDefine>
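Review bot: the BrowserMatch block for "MSIE [2-5]" with nokeepalive, ssl-unclean-shutdown, downgrade-1.0 and force-response-1.0 is a workaround for browsers that have not been in use for well over a decade, and it silently turns off keep-alive and HTTP/1.1 for anything matching that pattern; since this vhost template is being reworked for 2.4, consider dropping it. Two wording nits in the same comment block: "no SSL close notify alert is send or allowed to received" and "a SSL close notify alert is send" should read "is sent", and the certificate paths vhost-example.crt/vhost-example.key are placeholders, so leaving SSLCertificateChainFile commented is consistent but the comment above them should say so.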

View File

@ -100,7 +100,7 @@
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs-2.2/mod/core.html#options
# http:///httpd.apache.org/docs/2.4/mod/core.html#options
# for more information.
#
Options Indexes FollowSymLinks
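Review bot: the replacement URL "http:///httpd.apache.org/docs/2.4/mod/core.html#options" has three slashes after the scheme, which leaves an empty host and makes the link unusable; the same triple-slash form appears in every other docs-2.2 to docs/2.4 rewrite in this request (the sysconfig comments and the template text), so correct all of them to "http://httpd.apache.org/docs/2.4/...".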

View File

@ -1,3 +1,63 @@
-------------------------------------------------------------------
Mon Oct 6 12:30:07 UTC 2014 - kstreitova@suse.com
- the following unused patches were removed from the package:
* apache2-mod_ssl_npn.patch
* httpd-2.0.49-log_server_status.dif
-------------------------------------------------------------------
Mon Sep 29 11:57:40 UTC 2014 - pgajdos@suse.com
- 700 permissions for /usr/sbin/apache2-systemd-ask-pass and
/usr/sbin/start_apache2 [bnc#851627]
-------------------------------------------------------------------
Wed Sep 26 15:38:17 UTC 2014 - oholecek@suse.com
- allow only TCP ports in Yast2 firewall files
-------------------------------------------------------------------
Fri Sep 26 15:00:45 UTC 2014 - pgajdos@suse.com
- more 2.2 -> 2.4 [bnc#862058]
-------------------------------------------------------------------
Thu Sep 25 14:39:05 UTC 2014 - pgajdos@suse.com
- ServerSignature=Off and ServerTokens=Prod by request from
security team [bnc#716495]
-------------------------------------------------------------------
Wed Sep 24 13:11:16 UTC 2014 - pgajdos@suse.com
- fix documentation links 2.2 -> 2.4 [bnc#888163] (internal)
-------------------------------------------------------------------
Mon Jul 21 16:23:51 UTC 2014 - crrodriguez@opensuse.org
- Update package Summary and Description.
- version 2.4.10
* SECURITY: CVE-2014-0117 (cve.mitre.org)
* SECURITY: CVE-2014-3523 (cve.mitre.org)
* SECURITY: CVE-2014-0226 (cve.mitre.org)
* SECURITY: CVE-2014-0118 (cve.mitre.org)
* SECURITY: CVE-2014-0231 (cve.mitre.org)
* Multiple bugfixes to mod_ssl, mod_cache, mod_deflate, mod_lua
* mod_proxy_fcgi supports unix sockets.
-------------------------------------------------------------------
Mon Jul 21 07:21:21 UTC 2014 - mc@suse.com
- provide httpd.service as alias for apache2.service for
compatibility reasons (bnc#888093)
-------------------------------------------------------------------
Mon Apr 14 08:47:02 UTC 2014 - lnussel@suse.de
- move most ssl options to ssl-global.conf. There is usually no need
for every vhost to re-define the ciphers for example (bnc#865582).
Drop some commented entries that only lead to confusion.
-------------------------------------------------------------------
Thu Mar 27 16:18:27 UTC 2014 - crrodriguez@opensuse.org
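Review bot: the entry header "Wed Sep 26 15:38:17 UTC 2014 - oholecek@suse.com" contradicts the entry directly below it, "Fri Sep 26 15:00:45 UTC 2014"; 26 September 2014 was a Friday, so the weekday on the oholecek entry is wrong. Minor: the Sep 25 entry says "ServerTokens=Prod" while the sysconfig change in this request sets APACHE_SERVERTOKENS="ProductOnly"; httpd accepts both spellings for the same value, but the changes text and the shipped default should use the same one.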

View File

@ -5,7 +5,7 @@
TCP="http"
# space separated list of allowed UDP ports
UDP="http"
UDP=""
# space separated list of allowed RPC services
RPC=""

View File

@ -14,3 +14,4 @@ ExecStop=/usr/sbin/start_apache2 -D SYSTEMD -DFOREGROUND -k graceful-stop
[Install]
WantedBy=multi-user.target
Alias=httpd.service
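Review bot: Alias=httpd.service in the [Install] section only becomes a real httpd.service symlink when the unit is (re-)enabled with systemctl enable; installations that already have apache2.service enabled will not get the alias on upgrade unless the package scriptlets re-run the enable step. Since the changes entry (bnc#888093) promises the alias for compatibility, check that %post handles the upgrade case rather than relying on a fresh enable.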

View File

@ -93,8 +93,8 @@ BuildRequires: expat-devel
# "Server:" header
%define VENDOR SUSE
%define platform_string Linux/%VENDOR
%define realver 2.4.9
Version: 2.4.9
%define realver 2.4.10
Version: 2.4.10
Release: 0
#Source0: http://www.apache.org/dist/httpd-%{version}.tar.bz2
Source0: httpd-%{realver}.tar.bz2
@ -166,7 +166,7 @@ Patch109: httpd-2.4.3-mod_systemd.patch
Patch111: httpd-visibility.patch
Url: http://httpd.apache.org/
Icon: Apache.xpm
Summary: The Apache Web Server Version 2.2
Summary: The Apache Web Server Version 2.4
License: Apache-2.0
Group: Productivity/Networking/Web/Servers
Provides: %{apache_mmn}
@ -198,36 +198,15 @@ Recommends: apache2-%default_mpm
%endif
%description
Apache 2, the successor to Apache 1.
Apache is the most used Web server software worldwide.
Some new features in Apache 2: - hybrid multiprocess, multithreaded
mode for improved scalability
- multiprotocol support
- stream filtering
- IPv6 support
- new module API
New modules include: - mod_auth_db
- mod_auth_digest
- mod_charset_lite
- mod_dav
- mod_file_cache
Mod_ssl is no longer a separate package, but is now included in the
Apache distribution.
See /usr/share/doc/packages/apache2/, http://httpd.apache.org/, and
http://httpd.apache.org/docs-2.2/upgrading.html.
This version of httpd is a major release of the 2.4 stable branch,
and represents the best available version of Apache HTTP Server.
New features include Loadable MPMs, major improvements to OCSP support,
mod_lua, Dynamic Reverse Proxy configuration, Improved Authentication/
Authorization, FastCGI Proxy, New Expression Parser, and a Small Object
Caching API.
See /usr/share/doc/packages/apache2/, http://httpd.apache.org/, and
http://httpd.apache.org/docs-2.4/upgrading.html.
%if %worker
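Review bot: the new %description link "http://httpd.apache.org/docs-2.4/upgrading.html" uses the old docs-2.4 path form while every other link in this request is rewritten to docs/2.4/; pick one form. Also, "represents the best available version of Apache HTTP Server" is upstream release-announcement wording that is stale as soon as the next 2.4.x ships; a package description should say what the package is, not rank it.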
@ -316,7 +295,7 @@ See http://mpm-itk.sesse.net/
%endif
%package devel
Summary: Apache 2.2 Header and Include Files
Summary: Apache 2 Header and Include Files
Group: Development/Libraries/C and C++
Requires: %{name} = %{version}
Requires: %{pname}-MPM
@ -332,7 +311,7 @@ for development using the Apache API.
%package doc
Summary: Additional Package Documentation.
Summary: Additional Package Documentation
Group: Documentation/Other
%if 0%{?suse_version} >= 901 && 0%{?sles_version} != 9
Provides: apache-doc
@ -643,10 +622,10 @@ tar xjf %{SOURCE29} -C $RPM_BUILD_ROOT/%{sysconfdir}
# init script and friends
mkdir -p $RPM_BUILD_ROOT/etc/init.d
install -m 744 $RPM_SOURCE_DIR/rc.%{pname} $RPM_BUILD_ROOT/etc/init.d/%{pname}
install -m 744 $RPM_SOURCE_DIR/start_apache2 $RPM_BUILD_ROOT/usr/sbin/start_apache2
install -m 700 $RPM_SOURCE_DIR/start_apache2 $RPM_BUILD_ROOT/usr/sbin/start_apache2
%if 0%{?suse_version} >= 1210
mkdir -p $RPM_BUILD_ROOT%{_unitdir}/system/
install -m 744 $RPM_SOURCE_DIR/apache2-systemd-ask-pass $RPM_BUILD_ROOT/usr/sbin/apache2-systemd-ask-pass
install -m 700 $RPM_SOURCE_DIR/apache2-systemd-ask-pass $RPM_BUILD_ROOT/usr/sbin/apache2-systemd-ask-pass
install -m 644 $RPM_SOURCE_DIR/apache2.service $RPM_BUILD_ROOT%{_unitdir}/system/apache2.service
%endif
ln -sf ../../etc/init.d/%{pname} $RPM_BUILD_ROOT/%{_sbindir}/rc%{pname}
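Review bot: the two install -m 700 lines tighten the mode of start_apache2 and apache2-systemd-ask-pass, but the init script installed one line above (rc.%{pname}) stays at 744 even though it is invoked in the same root-only way; if the intent of bnc#851627 is that these helpers not be world-readable, apply it consistently. The %files section (not in this hunk) also needs matching %attr(0700,root,root) entries or a permissions profile, otherwise rpm -V will flag the mode. The 700 mode is safe for the service: apache2.service's ExecStop runs /usr/sbin/start_apache2 as root.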

View File

@ -5,7 +5,7 @@
TCP="https"
# space separated list of allowed UDP ports
UDP="https"
UDP=""
# space separated list of allowed RPC services
RPC=""

View File

@ -1,36 +0,0 @@
--- httpd-2.0.49.orig/support/log_server_status.in 2004-02-09 21:59:49.000000000 +0100
+++ httpd-2.0.49/support/log_server_status2 2004-06-18 11:34:37.000000000 +0200
@@ -24,18 +24,18 @@
# it to a file. Make sure the directory $wherelog is writable by the
# user who runs this script.
#
-require 'sys/socket.ph';
+use Socket;
-$wherelog = "/var/log/graph/"; # Logs will be like "/var/log/graph/19960312"
+$wherelog = "/var/log/apache2/status/"; # Logs will be like "/var/log/apache2/status/19960312"
$server = "localhost"; # Name of server, could be "www.foo.com"
$port = "80"; # Port on server
-$request = "/status/?auto"; # Request to send
+$request = "/server-status/?auto"; # Request to send
sub tcp_connect
{
local($host,$port) =@_;
$sockaddr='S n a4 x8';
- chop($hostname=`hostname`);
+ chop($hostname='localhost');
$port=(getservbyname($port, 'tcp'))[2] unless $port =~ /^\d+$/;
$me=pack($sockaddr,&AF_INET,0,(gethostbyname($hostname))[4]);
$them=pack($sockaddr,&AF_INET,$port,(gethostbyname($host))[4]);
@@ -66,8 +66,8 @@
}
print S "GET $request\n";
while (<S>) {
- $requests=$1 if ( m|^BusyServers:\ (\S+)|);
- $idle=$1 if ( m|^IdleServers:\ (\S+)|);
+ $requests=$1 if ( m|^BusyWorkers:\ (\S+)|);
+ $idle=$1 if ( m|^IdleWorkers:\ (\S+)|);
$number=$1 if ( m|sses:\ (\S+)|);
$cpu=$1 if (m|^CPULoad:\ (\S+)|);
}
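Review bot: removing httpd-2.0.49-log_server_status.dif is only safe if no Patch:/%patch line in apache2.spec still references it; the spec hunks in this request (the Patch109/Patch111 region) do not show the full patch list, so verify that. The dropped patch also switched the script's regexes from BusyServers/IdleServers to the BusyWorkers/IdleWorkers keys that 2.x server-status emits and pointed it at /server-status/?auto; if support/log_server_status is still shipped, confirm the upstream 2.4.10 copy already matches those keys, otherwise its regexes never match and it logs nothing useful.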

httpd-2.4.10.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:176c4dac1a745f07b7b91e7f4fd48f9c48049fa6f088efe758d61d9738669c6a
size 5031834
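Review bot: the new source tarball is identified only by its LFS sha256 oid; Apache publishes a detached .asc signature for each release and no signature or keyring is added in this request, so nothing in the package ties this object to the upstream release. Consider adding httpd-2.4.10.tar.bz2.asc and a KEYS-derived keyring and verifying them in %prep (e.g. via gpg-offline), or at least recording the upstream-published checksum in the changes entry.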

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:f78cc90dfa47caf3d83ad18fd6b4e85f237777c1733fc9088594b70ce2847603
size 4994460

View File

@ -21,7 +21,7 @@
# Default-Start: 3 5
# Default-Stop: 0 1 2 6
# X-Interactive: true
# Short-Description: Apache 2.2 HTTP Server
# Short-Description: Apache 2 HTTP Server
# Description: Start the Apache HTTP daemon
### END INIT INFO

View File

@ -41,7 +41,7 @@ APACHE_CONF_INCLUDE_DIRS=""
#
@@all_modules@@
#
# see http://httpd.apache.org/docs-2.2/mod/ !
# see http:///httpd.apache.org/docs/2.4/mod/ !
#
# * It pays to use IfDefine statements... like
# <IfModule mod_xyz.c>
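Review bot: "http:///httpd.apache.org/docs/2.4/mod/" has the same triple slash as the other rewritten documentation links in this request and should be "http://httpd.apache.org/docs/2.4/mod/". Style: the surrounding comment says "It pays to use IfDefine statements... like" and then shows an <IfModule mod_xyz.c> example; since the line is being touched, make the comment name the directive it actually demonstrates.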
@ -191,7 +191,7 @@ APACHE_START_TIMEOUT="2"
# Configures the footer on server-generated documents
# This correlates to the ServerSignature directive.
#
APACHE_SERVERSIGNATURE="on"
APACHE_SERVERSIGNATURE="off"
## Type: list(debug,info,notice,warn,error,crit,alert,emerg)
## Default: "warn"
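Review bot: with APACHE_SERVERSIGNATURE now "off", the "## Default:" annotation that precedes this variable (the same ## Type / ## Default pattern is visible for the next variable) must be updated to "off" too, otherwise the sysconfig documentation contradicts the shipped value; the comment "Configures the footer on server-generated documents" could also mention that "off" is the value requested for bnc#716495 so nobody flips it back.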
@ -249,9 +249,9 @@ APACHE_USE_CANONICAL_NAME="off"
#
# How much information the server response header field contains about the server.
# (installed modules, versions, etc.)
# see http://httpd.apache.org/docs-2.2/mod/core.html#servertokens
# see http:///httpd.apache.org/docs/2.4/mod/core.html#servertokens
#
APACHE_SERVERTOKENS="OS"
APACHE_SERVERTOKENS="ProductOnly"
## Type: list(on,off)
## Default: "off"