diff --git a/apache2-README b/apache2-README index 9e51ca2..402904c 100644 --- a/apache2-README +++ b/apache2-README @@ -48,14 +48,14 @@ The following nice article has a more in depth answer: http://www.onlamp.com/pub/a/apache/2004/06/17/apacheckbk.html See -http://httpd.apache.org/docs-2.2/mpm.html and -http://httpd.apache.org/docs-2.2/misc/perf-tuning.html#compiletime +http:///httpd.apache.org/docs/2.4/mpm.html and +http:///httpd.apache.org/docs/2.4/misc/perf-tuning.html#compiletime for more technical details. In general, using a threaded MPM (worker) requires that all libraries that are loaded into apache (and libraries loaded by them in turn) be threadsafe as well. See -http://httpd.apache.org/docs-2.2/developer/thread_safety.html for a status on +http:///httpd.apache.org/docs/2.4/developer/thread_safety.html for a status on some libraries. diff --git a/apache2-default-server.conf b/apache2-default-server.conf index ce1c59d..599e244 100644 --- a/apache2-default-server.conf +++ b/apache2-default-server.conf @@ -17,7 +17,7 @@ DocumentRoot "/srv/www/htdocs" # doesn't give it to you. # # The Options directive is both complicated and important. Please see - # http://httpd.apache.org/docs-2.2/mod/core.html#options + # http:///httpd.apache.org/docs/2.4/mod/core.html#options # for more information. Options None # AllowOverride controls what directives may be placed in .htaccess files. diff --git a/apache2-default-vhost-ssl.conf b/apache2-default-vhost-ssl.conf index 26c6f17..f504bcb 100644 --- a/apache2-default-vhost-ssl.conf +++ b/apache2-default-vhost-ssl.conf 
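Review bot: The rewritten link in the `Options` comment of apache2-default-server.conf has three slashes after the scheme (`http:///httpd.apache.org/docs/2.4/mod/core.html#options`), which leaves the host part empty, so the URL does not resolve as written. It should read `# http://httpd.apache.org/docs/2.4/mod/core.html#options`. The same typo is in every link that previously used the `docs-2.2` form: the apache2-README hunk above, apache2-default-vhost.conf, apache2-listen.conf, the mod_autoindex, mod_info, mod_log_config, mod_mime and mod_status files, the `EnableMMAP`/`EnableSendfile` comments in apache2-server-tuning.conf, and apache2-vhost.template. Links that already used `docs/2.2/` were converted correctly, which suggests the substitution for the dash form carried an extra slash.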
@@ -2,7 +2,7 @@ # This is the Apache server configuration file providing SSL support. # It contains the configuration directives to instruct the server how to # serve pages over an https connection. For detailing information about these -# directives see +# directives see # # Do NOT simply read the instructions in here without understanding # what they do. They're here only as hints or reminders. If you are unsure diff --git a/apache2-default-vhost.conf b/apache2-default-vhost.conf index cdfeb7b..ace6f0b 100644 --- a/apache2-default-vhost.conf +++ b/apache2-default-vhost.conf @@ -92,7 +92,7 @@ # doesn't give it to you. # # The Options directive is both complicated and important. Please see - # http://httpd.apache.org/docs-2.2/mod/core.html#options + # http:///httpd.apache.org/docs/2.4/mod/core.html#options # for more information. # Options +Indexes +MultiViews +FollowSymLinks diff --git a/apache2-httpd.conf b/apache2-httpd.conf index d445209..7f03f7f 100644 --- a/apache2-httpd.conf +++ b/apache2-httpd.conf @@ -3,7 +3,7 @@ # # This is the main Apache server configuration file. It contains the # configuration directives that give the server its instructions. -# See for detailed information about +# See for detailed information about # the directives. # Based upon the default apache configuration file that ships with apache, @@ -193,7 +193,7 @@ Include /etc/apache2/sysconfig.d/include.conf # IP addresses. This is indicated by the asterisks in the directives below. # # Please see the documentation at -# +# # for further details before you try to setup virtual hosts. # # You may use the command line option '-S' to verify your virtual host diff --git a/apache2-listen.conf b/apache2-listen.conf index 4780a8d..9c0bea5 100644 --- a/apache2-listen.conf +++ b/apache2-listen.conf 
@@ -1,7 +1,7 @@ # Listen: Allows you to bind Apache to specific IP addresses and/or # ports. See also the directive. # -# http://httpd.apache.org/docs-2.2/mod/mpm_common.html#listen +# http:///httpd.apache.org/docs/2.4/mod/mpm_common.html#listen # # Change this to Listen on specific IP addresses as shown below to # prevent Apache from glomming onto all bound IP addresses (0.0.0.0) diff --git a/apache2-mod_autoindex-defaults.conf b/apache2-mod_autoindex-defaults.conf index a78d8f2..e507501 100644 --- a/apache2-mod_autoindex-defaults.conf +++ b/apache2-mod_autoindex-defaults.conf @@ -1,7 +1,7 @@ # # Directives controlling the display of server-generated directory listings. # -# see http://httpd.apache.org/docs-2.2/mod/mod_autoindex.html +# see http:///httpd.apache.org/docs/2.4/mod/mod_autoindex.html # diff --git a/apache2-mod_info.conf b/apache2-mod_info.conf index 4c469ec..56472e2 100644 --- a/apache2-mod_info.conf +++ b/apache2-mod_info.conf @@ -2,7 +2,7 @@ # Allow remote server configuration reports, with the URL of # http://servername/server-info (requires that mod_info.c be loaded). # -# see http://httpd.apache.org/docs-2.2/mod/mod_info.html +# see http:///httpd.apache.org/docs/2.4/mod/mod_info.html # diff --git a/apache2-mod_log_config.conf b/apache2-mod_log_config.conf index 709b487..7562d50 100644 --- a/apache2-mod_log_config.conf +++ b/apache2-mod_log_config.conf @@ -2,7 +2,7 @@ # The following directives define some format nicknames for use with # a CustomLog directive. # -# http://httpd.apache.org/docs-2.2/mod/mod_log_config.html +# http:///httpd.apache.org/docs/2.4/mod/mod_log_config.html # # diff --git a/apache2-mod_mime-defaults.conf b/apache2-mod_mime-defaults.conf index 46ac63a..829c816 100644 --- a/apache2-mod_mime-defaults.conf +++ b/apache2-mod_mime-defaults.conf 
@@ -2,7 +2,7 @@ # mod_mime configuration: # associate various bits of "meta information" with files by their filename extensions # -# see http://httpd.apache.org/docs-2.2/mod/mod_mime.html +# see http:///httpd.apache.org/docs/2.4/mod/mod_mime.html # # Catalan (ca) - Croatian (hr) - Czech (cs) - Danish (da) - Dutch (nl) @@ -152,7 +152,7 @@ AddHandler type-map var # Guess the MIME type of a file by looking at a few bytes of its contents -# http://httpd.apache.org/docs-2.2/mod/mod_mime_magic.html +# http:///httpd.apache.org/docs/2.4/mod/mod_mime_magic.html MIMEMagicFile /etc/apache2/magic diff --git a/apache2-mod_reqtimeout.conf b/apache2-mod_reqtimeout.conf index 728516b..2eb04f0 100644 --- a/apache2-mod_reqtimeout.conf +++ b/apache2-mod_reqtimeout.conf @@ -7,7 +7,7 @@ # # mod_reqtimeout.c must be loaded. # -# see https://httpd.apache.org/docs/2.2/mod/mod_reqtimeout.html +# see https://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html # or /usr/share/apache2/manual/mod/mod_reqtimeout.html.en # # Note: diff --git a/apache2-mod_ssl_npn.patch b/apache2-mod_ssl_npn.patch deleted file mode 100644 index 64e0742..0000000 --- a/apache2-mod_ssl_npn.patch +++ /dev/null 
@@ -1,353 +0,0 @@ ---- httpd-2.4.4.orig/modules/ssl/mod_ssl.c -+++ httpd-2.4.4/modules/ssl/mod_ssl.c -@@ -94,6 +94,15 @@ static const command_rec ssl_config_cmds - SSL_CMD_SRV(PKCS7CertificateFile, TAKE1, - "PKCS#7 file containing server certificate and chain" - " certificates ('/path/to/file' - PEM encoded)") -+ SSL_CMD_ALL(RSAAuthzFile, TAKE1, -+ "RFC 5878 Authz Extension file for RSA certificate " -+ "(`/path/to/file')") -+ SSL_CMD_ALL(DSAAuthzFile, TAKE1, -+ "RFC 5878 Authz Extension file for DSA certificate " -+ "(`/path/to/file')") -+ SSL_CMD_ALL(ECAuthzFile, TAKE1, -+ "RFC 5878 Authz Extension file for EC certificate " -+ "(`/path/to/file')") - #ifdef HAVE_TLS_SESSION_TICKETS - SSL_CMD_SRV(SessionTicketKeyFile, TAKE1, - "TLS session ticket encryption/decryption key file (RFC 5077) " -@@ -157,6 +166,15 @@ static const command_rec ssl_config_cmds - "('some secret text')") - #endif - -+#ifndef OPENSSL_NO_SRP -+ SSL_CMD_SRV(SRPVerifierFile, TAKE1, -+ "SRP verifier file " -+ "('/path/to/file' - created by srptool)") -+ SSL_CMD_SRV(SRPUnknownUserSeed, TAKE1, -+ "SRP seed for unknown users (to avoid leaking a user's existence) " -+ "('some secret text')") -+#endif -+ - /* - * Proxy configuration for remote SSL connections - */ -@@ -272,6 +290,18 @@ static const command_rec ssl_config_cmds - AP_END_CMD - }; - -+/* Implement 'modssl_run_npn_advertise_protos_hook'. */ -+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL( -+ modssl, AP, int, npn_advertise_protos_hook, -+ (conn_rec *connection, apr_array_header_t *protos), -+ (connection, protos), OK, DECLINED); -+ -+/* Implement 'modssl_run_npn_proto_negotiated_hook'. 
*/ -+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL( -+ modssl, AP, int, npn_proto_negotiated_hook, -+ (conn_rec *connection, const char *proto_name, apr_size_t proto_name_len), -+ (connection, proto_name, proto_name_len), OK, DECLINED); -+ - /* - * the various processing hooks - */ ---- httpd-2.4.4.orig/modules/ssl/mod_ssl.h -+++ httpd-2.4.4/modules/ssl/mod_ssl.h -@@ -63,5 +63,26 @@ APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_e - - APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *)); - -+/** The npn_advertise_protos optional hook allows other modules to add entries -+ * to the list of protocol names advertised by the server during the Next -+ * Protocol Negotiation (NPN) portion of the SSL handshake. The hook callee is -+ * given the connection and an APR array; it should push one or more char*'s -+ * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto -+ * the array and return OK, or do nothing and return DECLINED. */ -+APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_advertise_protos_hook, -+ (conn_rec *connection, apr_array_header_t *protos)); -+ -+/** The npn_proto_negotiated optional hook allows other modules to discover the -+ * name of the protocol that was chosen during the Next Protocol Negotiation -+ * (NPN) portion of the SSL handshake. Note that this may be the empty string -+ * (in which case modules should probably assume HTTP), or it may be a protocol -+ * that was never even advertised by the server. The hook callee is given the -+ * connection, a non-null-terminated string containing the protocol name, and -+ * the length of the string; it should do something appropriate (i.e. insert or -+ * remove filters) and return OK, or do nothing and return DECLINED. 
*/ -+APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_proto_negotiated_hook, -+ (conn_rec *connection, const char *proto_name, -+ apr_size_t proto_name_len)); -+ - #endif /* __MOD_SSL_H__ */ - /** @} */ ---- httpd-2.4.4.orig/modules/ssl/ssl_engine_config.c -+++ httpd-2.4.4/modules/ssl/ssl_engine_config.c -@@ -125,6 +125,10 @@ static void modssl_ctx_init(modssl_ctx_t - mctx->crl_file = NULL; - mctx->crl_check_mode = SSL_CRLCHECK_UNSET; - -+ mctx->rsa_authz_file = NULL; -+ mctx->dsa_authz_file = NULL; -+ mctx->ec_authz_file = NULL; -+ - mctx->auth.ca_cert_path = NULL; - mctx->auth.ca_cert_file = NULL; - mctx->auth.cipher_suite = NULL; -@@ -155,6 +159,12 @@ static void modssl_ctx_init(modssl_ctx_t - mctx->srp_unknown_user_seed = NULL; - mctx->srp_vbase = NULL; - #endif -+ -+#ifndef OPENSSL_NO_SRP -+ mctx->srp_vfile = NULL; -+ mctx->srp_unknown_user_seed = NULL; -+ mctx->srp_vbase = NULL; -+#endif - } - - static void modssl_ctx_init_proxy(SSLSrvConfigRec *sc, -@@ -257,6 +267,10 @@ static void modssl_ctx_cfg_merge(modssl_ - cfgMerge(crl_file, NULL); - cfgMerge(crl_check_mode, SSL_CRLCHECK_UNSET); - -+ cfgMergeString(rsa_authz_file); -+ cfgMergeString(dsa_authz_file); -+ cfgMergeString(ec_authz_file); -+ - cfgMergeString(auth.ca_cert_path); - cfgMergeString(auth.ca_cert_file); - cfgMergeString(auth.cipher_suite); -@@ -839,6 +853,54 @@ const char *ssl_cmd_SSLPKCS7CertificateF - - return NULL; - } -+ -+const char *ssl_cmd_SSLRSAAuthzFile(cmd_parms *cmd, -+ void *dcfg, -+ const char *arg) -+{ -+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); -+ const char *err; -+ -+ if ((err = ssl_cmd_check_file(cmd, &arg))) { -+ return err; -+ } -+ -+ sc->server->rsa_authz_file = arg; -+ -+ return NULL; -+} -+ -+const char *ssl_cmd_SSLDSAAuthzFile(cmd_parms *cmd, -+ void *dcfg, -+ const char *arg) -+{ -+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); -+ const char *err; -+ -+ if ((err = ssl_cmd_check_file(cmd, &arg))) { -+ return err; -+ } -+ -+ sc->server->dsa_authz_file = arg; -+ -+ 
return NULL; -+} -+ -+const char *ssl_cmd_SSLECAuthzFile(cmd_parms *cmd, -+ void *dcfg, -+ const char *arg) -+{ -+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); -+ const char *err; -+ -+ if ((err = ssl_cmd_check_file(cmd, &arg))) { -+ return err; -+ } -+ -+ sc->server->ec_authz_file = arg; -+ -+ return NULL; -+} - - #ifdef HAVE_TLS_SESSION_TICKETS - const char *ssl_cmd_SSLSessionTicketKeyFile(cmd_parms *cmd, ---- httpd-2.4.4.orig/modules/ssl/ssl_engine_io.c -+++ httpd-2.4.4/modules/ssl/ssl_engine_io.c -@@ -28,6 +28,7 @@ - core keeps dumping.'' - -- Unknown */ - #include "ssl_private.h" -+#include "mod_ssl.h" - #include "apr_date.h" - - /* _________________________________________________________________ -@@ -297,6 +298,7 @@ typedef struct { - apr_pool_t *pool; - char buffer[AP_IOBUFSIZE]; - ssl_filter_ctx_t *filter_ctx; -+ int npn_finished; /* 1 if NPN has finished, 0 otherwise */ - } bio_filter_in_ctx_t; - - /* -@@ -1385,6 +1387,26 @@ static apr_status_t ssl_io_filter_input( - APR_BRIGADE_INSERT_TAIL(bb, bucket); - } - -+#ifdef HAVE_TLS_NPN -+ /* By this point, Next Protocol Negotiation (NPN) should be completed (if -+ * our version of OpenSSL supports it). If we haven't already, find out -+ * which protocol was decided upon and inform other modules by calling -+ * npn_proto_negotiated_hook. 
*/ -+ if (!inctx->npn_finished) { -+ const unsigned char *next_proto = NULL; -+ unsigned next_proto_len = 0; -+ -+ SSL_get0_next_proto_negotiated( -+ inctx->ssl, &next_proto, &next_proto_len); -+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c, -+ APLOGNO(02306) "SSL NPN negotiated protocol: '%*s'", -+ next_proto_len, (const char*)next_proto); -+ modssl_run_npn_proto_negotiated_hook( -+ f->c, (const char*)next_proto, next_proto_len); -+ inctx->npn_finished = 1; -+ } -+#endif -+ - return APR_SUCCESS; - } - -@@ -1866,6 +1888,7 @@ static void ssl_io_input_add_filter(ssl_ - inctx->block = APR_BLOCK_READ; - inctx->pool = c->pool; - inctx->filter_ctx = filter_ctx; -+ inctx->npn_finished = 0; - } - - /* The request_rec pointer is passed in here only to ensure that the ---- httpd-2.4.4.orig/modules/ssl/ssl_engine_kernel.c -+++ httpd-2.4.4/modules/ssl/ssl_engine_kernel.c -@@ -29,6 +29,7 @@ - time I was too famous.'' - -- Unknown */ - #include "ssl_private.h" -+#include "mod_ssl.h" - #include "util_md5.h" - - static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn); -@@ -320,6 +321,19 @@ int ssl_hook_Access(request_rec *r) - return HTTP_FORBIDDEN; - } - -+#ifndef OPENSSL_NO_SRP -+ /* -+ * Support for per-directory reconfigured SSL connection parameters -+ * -+ * We do not force any renegotiation if the user is already authenticated -+ * via SRP. -+ * -+ */ -+ if (SSL_get_srp_username(ssl)) { -+ return DECLINED; -+ } -+#endif -+ - /* - * Check to see whether SSL is in use; if it's not, then no - * further access control checks are relevant. 
(the test for -@@ -1397,7 +1411,7 @@ EC_KEY *ssl_callback_TmpECDH(SSL *ssl, i - - return (EC_KEY *)mc->pTmpKeys[idx]; - } --#endif -+#endif /* OPENSSL_NO_TLSEXT */ - - /* - * This OpenSSL callback function is called when OpenSSL ---- httpd-2.4.4.orig/modules/ssl/ssl_private.h -+++ httpd-2.4.4/modules/ssl/ssl_private.h -@@ -139,6 +139,11 @@ - #define HAVE_FIPS - #endif - -+#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG) \ -+ && !defined(OPENSSL_NO_TLSEXT) -+#define HAVE_TLS_NPN -+#endif -+ - #if (OPENSSL_VERSION_NUMBER >= 0x10000000) - #define MODSSL_SSL_CIPHER_CONST const - #define MODSSL_SSL_METHOD_CONST const -@@ -194,6 +199,20 @@ - #endif - #endif - -+#if !defined(OPENSSL_NO_COMP) && !defined(SSL_OP_NO_COMPRESSION) \ -+ && OPENSSL_VERSION_NUMBER < 0x00908000L -+#define OPENSSL_NO_COMP -+#endif -+ -+/* SRP support came in OpenSSL 1.0.1 */ -+#ifndef OPENSSL_NO_SRP -+#ifdef SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB -+#include -+#else -+#define OPENSSL_NO_SRP -+#endif -+#endif -+ - /* mod_ssl headers */ - #include "ssl_util_ssl.h" - -@@ -662,6 +681,11 @@ typedef struct { - SRP_VBASE *srp_vbase; - #endif - -+ /** RFC 5878 */ -+ const char *rsa_authz_file; -+ const char *dsa_authz_file; -+ const char *ec_authz_file; -+ - modssl_auth_ctx_t auth; - - BOOL ocsp_enabled; /* true if OCSP verification enabled */ -@@ -738,6 +762,9 @@ const char *ssl_cmd_SSLCryptoDevice(cmd - const char *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *); - const char *ssl_cmd_SSLEngine(cmd_parms *, void *, const char *); - const char *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *); -+const char *ssl_cmd_SSLRSAAuthzFile(cmd_parms *, void *, const char *); -+const char *ssl_cmd_SSLDSAAuthzFile(cmd_parms *, void *, const char *); -+const char *ssl_cmd_SSLECAuthzFile(cmd_parms *, void *, const char *); - const char *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *); - const char 
*ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *); - const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *); -@@ -795,6 +822,11 @@ const char *ssl_cmd_SSLSRPVerifierFile(c - const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg, const char *arg); - #endif - -+#ifndef OPENSSL_NO_SRP -+const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg, const char *arg); -+const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg, const char *arg); -+#endif -+ - const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag); - - /** module initialization */ -@@ -840,6 +872,7 @@ int ssl_callback_ServerNameIndi - int ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *, - EVP_CIPHER_CTX *, HMAC_CTX *, int); - #endif -+int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len, void *arg); - - /** Session Cache Support */ - void ssl_scache_init(server_rec *, apr_pool_t *); -@@ -873,6 +906,9 @@ int ssl_stapling_init_cert(serv - #endif - #ifndef OPENSSL_NO_SRP - int ssl_callback_SRPServerParams(SSL *, int *, void *); -+#endif -+#ifndef OPENSSL_NO_SRP -+int ssl_callback_SRPServerParams(SSL *, int *, void *); - #endif - - /** I/O */ diff --git a/apache2-mod_status.conf b/apache2-mod_status.conf index 5fd8487..56d4015 100644 --- a/apache2-mod_status.conf +++ b/apache2-mod_status.conf @@ -2,7 +2,7 @@ # Allow server status reports generated by mod_status, # with the URL of http://servername/server-status # -# see http://httpd.apache.org/docs-2.2/mod/mod_status.html +# see http:///httpd.apache.org/docs/2.4/mod/mod_status.html # diff --git a/apache2-server-tuning.conf b/apache2-server-tuning.conf index a528e40..5d5ba10 100644 --- a/apache2-server-tuning.conf +++ b/apache2-server-tuning.conf 
@@ -10,47 +10,47 @@ # prefork MPM # number of server processes to start - # http://httpd.apache.org/docs/2.2/mod/mpm_common.html#startservers + # http://httpd.apache.org/docs/2.4/mod/mpm_common.html#startservers StartServers 5 # minimum number of server processes which are kept spare - # http://httpd.apache.org/docs/2.2/mod/prefork.html#minspareservers + # http://httpd.apache.org/docs/2.4/mod/prefork.html#minspareservers MinSpareServers 5 # maximum number of server processes which are kept spare - # http://httpd.apache.org/docs/2.2/mod/prefork.html#maxspareservers + # http://httpd.apache.org/docs/2.4/mod/prefork.html#maxspareservers MaxSpareServers 10 # highest possible MaxClients setting for the lifetime of the Apache process. - # http://httpd.apache.org/docs/2.2/mod/mpm_common.html#serverlimit + # http://httpd.apache.org/docs/2.4/mod/mpm_common.html#serverlimit ServerLimit 150 # maximum number of server processes allowed to start - # http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxclients + # http://httpd.apache.org/docs/2.4/mod/mpm_common.html#maxclients MaxClients 150 # maximum number of requests a server process serves - # http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxrequestsperchild + # http://httpd.apache.org/docs/2.4/mod/mpm_common.html#maxrequestsperchild MaxRequestsPerChild 10000 # worker MPM # initial number of server processes to start - # http://httpd.apache.org/docs/2.2/mod/mpm_common.html#startservers + # http://httpd.apache.org/docs/2.4/mod/mpm_common.html#startservers StartServers 3 # minimum number of worker threads which are kept spare - # http://httpd.apache.org/docs/2.2/mod/mpm_common.html#minsparethreads + # http://httpd.apache.org/docs/2.4/mod/mpm_common.html#minsparethreads MinSpareThreads 25 # maximum number of worker threads which are kept spare - # http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxsparethreads + # http://httpd.apache.org/docs/2.4/mod/mpm_common.html#maxsparethreads MaxSpareThreads 75 # upper limit 
on the configurable number of threads per child process - # http://httpd.apache.org/docs/2.2/mod/mpm_common.html#threadlimit + # http://httpd.apache.org/docs/2.4/mod/mpm_common.html#threadlimit ThreadLimit 64 # maximum number of simultaneous client connections - # http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxclients + # http://httpd.apache.org/docs/2.4/mod/mpm_common.html#maxclients MaxClients 150 # number of worker threads created by each child process - # http://httpd.apache.org/docs/2.2/mod/mpm_common.html#threadsperchild + # http://httpd.apache.org/docs/2.4/mod/mpm_common.html#threadsperchild ThreadsPerChild 25 # maximum number of requests a server process serves - # http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxrequestsperchild + # http://httpd.apache.org/docs/2.4/mod/mpm_common.html#maxrequestsperchild MaxRequestsPerChild 10000 @@ -103,7 +103,7 @@ KeepAliveTimeout 15 # The default is on; turn this off if you serve from NFS-mounted # filesystems. On some systems, turning it off (regardless of # filesystem) can improve performance; for details, please see -# http://httpd.apache.org/docs-2.2/mod/core.html#enablemmap +# http:///httpd.apache.org/docs/2.4/mod/core.html#enablemmap # #EnableMMAP off @@ -112,7 +112,7 @@ KeepAliveTimeout 15 # used to deliver files (assuming that the OS supports it). # The default is on; turn this off if you serve from NFS-mounted # filesystems. Please see -# http://httpd.apache.org/docs-2.2/mod/core.html#enablesendfile +# http:///httpd.apache.org/docs/2.4/mod/core.html#enablesendfile # EnableSendfile on diff --git a/apache2-ssl-global.conf b/apache2-ssl-global.conf index 5e1eed4..8c25507 100644 --- a/apache2-ssl-global.conf +++ b/apache2-ssl-global.conf 
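Review bot: The `#maxclients` and `#maxrequestsperchild` anchors in the prefork and worker comments were only version-bumped, but the 2.4 documentation describes these settings under their new names, `MaxRequestWorkers` and `MaxConnectionsPerChild`, so the links likely land at the top of the page rather than on the directive. I would point them at `mpm_common.html#maxrequestworkers` and `mpm_common.html#maxconnectionsperchild`. Since the hunk keeps the directives under their old names, a short comment such as `# MaxClients is the pre-2.4 name of MaxRequestWorkers` next to them would help an admin who follows the link.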
@@ -7,7 +7,7 @@ # These are the configuration directives to instruct the server how to # serve pages over an https connection. For detailing information about these -# directives see +# directives see # # Do NOT simply read the instructions in here without understanding # what they do. They're here only as hints or reminders. If you are unsure 
@@ -70,6 +70,63 @@ #SSLRandomSeed startup file:/dev/urandom 512 #SSLRandomSeed connect file:/dev/urandom 512 + # SSL protocols + # Supporting TLS only is adequate nowadays + SSLProtocol all -SSLv2 -SSLv3 + + # SSL Cipher Suite: + # List the ciphers that the client is permitted to negotiate. + # See the mod_ssl documentation for a complete list. + SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 + + # Server Certificate: + # Point SSLCertificateFile at a PEM encoded certificate. If + # the certificate is encrypted, then you will be prompted for a + # pass phrase. Note that a kill -HUP will prompt again. Keep + # in mind that if you have both an RSA and a DSA certificate you + # can configure both in parallel (to also allow the use of DSA + # ciphers, etc.) + #SSLCertificateFile /etc/apache2/ssl.crt/server.crt + #SSLCertificateFile /etc/apache2/ssl.crt/server-dsa.crt + + # Server Private Key: + # If the key is not combined with the certificate, use this + # directive to point at the key file. Keep in mind that if + # you've both a RSA and a DSA private key you can configure + # both in parallel (to also allow the use of DSA ciphers, etc.) + #SSLCertificateKeyFile /etc/apache2/ssl.key/server.key + #SSLCertificateKeyFile /etc/apache2/ssl.key/server-dsa.key + + # Server Certificate Chain: + # Point SSLCertificateChainFile at a file containing the + # concatenation of PEM encoded intermediate CA + # certificates which form the certificate chain for the + # server certificate. Alternatively the referenced file + # can be the same as SSLCertificateFile when the CA + # certificates are directly appended to the server + # certificate for convinience. 
+ #SSLCertificateChainFile /etc/apache2/ssl.crt/chain.crt + + # Certificate Authority (CA): + # Set the CA certificate verification path where to find CA + # certificates for client authentication or alternatively one + # huge file containing all of them (file must be PEM encoded) + # Note: Inside SSLCACertificatePath you need hash symlinks + # to point to the certificate files. Use the provided + # Makefile to update the hash symlinks after changes. + #SSLCACertificatePath /etc/apache2/ssl.crt + #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt + + # Certificate Revocation Lists (CRL): + # Set the CA revocation path where to find CA CRLs for client + # authentication or alternatively one huge file containing all + # of them (file must be PEM encoded) + # Note: Inside SSLCARevocationPath you need hash symlinks + # to point to the certificate files. Use the provided + # Makefile to update the hash symlinks after changes. + #SSLCARevocationPath /etc/apache2/ssl.crl + #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl + diff --git a/apache2-vhost-ssl.template b/apache2-vhost-ssl.template index 118949a..e301a69 100644 --- a/apache2-vhost-ssl.template +++ b/apache2-vhost-ssl.template @@ -11,7 +11,7 @@ # This is the Apache server configuration file providing SSL support. # It contains the configuration directives to instruct the server how to # serve pages over an https connection. For detailing information about these -# directives see http://httpd.apache.org/docs/2.2/mod/mod_ssl.html +# directives see http://httpd.apache.org/docs/2.4/mod/mod_ssl.html # # Do NOT simply read the instructions in here without understanding # what they do. They're here only as hints or reminders. If you are unsure 
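Review bot: `SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5` becomes the server-wide default here, and as far as I know the `MEDIUM` class in OpenSSL builds of this period still includes RC4, while nothing in the hunk sets `SSLHonorCipherOrder`, so the client's preference decides which permitted cipher is used. I would add `!RC4` to the list (or drop `MEDIUM`) and put `SSLHonorCipherOrder on` below it. Separately, `SSLProtocol all -SSLv2 -SSLv3` now lives only in this file, but vhost files created from the previous template carry their own `SSLProtocol all -SSLv2`, which presumably keeps SSLv3 enabled for those vhosts; the comment above the directive should tell admins to remove per-vhost `SSLProtocol` lines so that the global setting applies.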
@@ -38,167 +38,17 @@ # Enable/Disable SSL for this virtual host. SSLEngine on - # SSL protocols - # Supporting TLS only is adequate nowadays - SSLProtocol all -SSLv2 - - # SSL Cipher Suite: - # List the ciphers that the client is permitted to negotiate. - # See the mod_ssl documentation for a complete list. - SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 - - # Speed-optimized SSL Cipher configuration: - # If speed is your main concern (on busy HTTPS servers e.g.), - # you might want to force clients to specific, performance - # optimized ciphers. In this case, prepend those ciphers - # to the SSLCipherSuite list, and enable SSLHonorCipherOrder. - # Caveat: by giving precedence to RC4-SHA and AES128-SHA - # (as in the example below), most connections will no longer - # have perfect forward secrecy - if the server's key is - # compromised, captures of past or future traffic must be - # considered compromised, too. - #SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5 - #SSLHonorCipherOrder on - - # Server Certificate: - # Point SSLCertificateFile at a PEM encoded certificate. If - # the certificate is encrypted, then you will be prompted for a - # pass phrase. Note that a kill -HUP will prompt again. Keep - # in mind that if you have both an RSA and a DSA certificate you - # can configure both in parallel (to also allow the use of DSA - # ciphers, etc.) - SSLCertificateFile /etc/apache2/ssl.crt/server.crt - #SSLCertificateFile /etc/apache2/ssl.crt/server-dsa.crt - - # Server Private Key: - # If the key is not combined with the certificate, use this - # directive to point at the key file. Keep in mind that if - # you've both a RSA and a DSA private key you can configure - # both in parallel (to also allow the use of DSA ciphers, etc.) 
- SSLCertificateKeyFile /etc/apache2/ssl.key/server.key - #SSLCertificateKeyFile /etc/apache2/ssl.key/server-dsa.key - - # Server Certificate Chain: - # Point SSLCertificateChainFile at a file containing the - # concatenation of PEM encoded CA certificates which form the - # certificate chain for the server certificate. Alternatively - # the referenced file can be the same as SSLCertificateFile - # when the CA certificates are directly appended to the server - # certificate for convinience. - #SSLCertificateChainFile /etc/apache2/ssl.crt/ca.crt - - # Certificate Authority (CA): - # Set the CA certificate verification path where to find CA - # certificates for client authentication or alternatively one - # huge file containing all of them (file must be PEM encoded) - # Note: Inside SSLCACertificatePath you need hash symlinks - # to point to the certificate files. Use the provided - # Makefile to update the hash symlinks after changes. - #SSLCACertificatePath /etc/apache2/ssl.crt - #SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt - - # Certificate Revocation Lists (CRL): - # Set the CA revocation path where to find CA CRLs for client - # authentication or alternatively one huge file containing all - # of them (file must be PEM encoded) - # Note: Inside SSLCARevocationPath you need hash symlinks - # to point to the certificate files. Use the provided - # Makefile to update the hash symlinks after changes. - #SSLCARevocationPath /etc/apache2/ssl.crl - #SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl - - # Client Authentication (Type): - # Client certificate verification type and depth. Types are - # none, optional, require and optional_no_ca. Depth is a - # number which specifies how deeply to verify the certificate - # issuer chain before deciding the certificate is not valid. 
- #SSLVerifyClient require - #SSLVerifyDepth 10 - - # Access Control: - # With SSLRequire you can do per-directory access control based - # on arbitrary complex boolean expressions containing server - # variable checks and other lookup directives. The syntax is a - # mixture between C and Perl. See the mod_ssl documentation - # for more details. - # - #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \ - # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \ - # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \ - # and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \ - # and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \ - # or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ - # - - # SSL Engine Options: - # Set various options for the SSL engine. - # o FakeBasicAuth: - # Translate the client X.509 into a Basic Authorisation. This means that - # the standard Auth/DBMAuth methods can be used for access control. The - # user name is the `one line' version of the client's X.509 certificate. - # Note that no password is obtained from the user. Every entry in the user - # file needs this password: `xxj31ZMTZzkVA'. - # o ExportCertData: - # This exports two additional environment variables: SSL_CLIENT_CERT and - # SSL_SERVER_CERT. These contain the PEM-encoded certificates of the - # server (always existing) and the client (only existing when client - # authentication is used). This can be used to import the certificates - # into CGI scripts. - # o StdEnvVars: - # This exports the standard SSL/TLS related `SSL_*' environment variables. - # Per default this exportation is switched off for performance reasons, - # because the extraction step is an expensive operation and is usually - # useless for serving static content. So one usually enables the - # exportation for CGI and SSI requests only. - # o StrictRequire: - # This denies access when "SSLRequireSSL" or "SSLRequire" applied even - # under a "Satisfy any" situation, i.e. 
when it applies access is denied - # and no other module can change it. - # o OptRenegotiate: - # This enables optimized SSL connection renegotiation handling when SSL - # directives are used in per-directory context. - #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire - - SSLOptions +StdEnvVars - - - SSLOptions +StdEnvVars - - - # SSL Protocol Adjustments: - # The safe and default but still SSL/TLS standard compliant shutdown - # approach is that mod_ssl sends the close notify alert but doesn't wait for - # the close notify alert from client. When you need a different shutdown - # approach you can use one of the following variables: - # o ssl-unclean-shutdown: - # This forces an unclean shutdown when the connection is closed, i.e. no - # SSL close notify alert is send or allowed to received. This violates - # the SSL/TLS standard but is needed for some brain-dead browsers. Use - # this when you receive I/O errors because of the standard approach where - # mod_ssl sends the close notify alert. - # o ssl-accurate-shutdown: - # This forces an accurate shutdown when the connection is closed, i.e. a - # SSL close notify alert is send and mod_ssl waits for the close notify - # alert of the client. This is 100% SSL/TLS standard compliant, but in - # practice often causes hanging connections with brain-dead browsers. Use - # this only for browsers where you know that their SSL implementation - # works correctly. - # Notice: Most problems of broken clients are also related to the HTTP - # keep-alive facility, so you usually additionally want to disable - # keep-alive for those clients, too. Use variable "nokeepalive" for this. - # Similarly, one has to force some clients to use HTTP/1.0 to workaround - # their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and - # "force-response-1.0" for this. 
- BrowserMatch "MSIE [2-5]" \ - nokeepalive ssl-unclean-shutdown \ - downgrade-1.0 force-response-1.0 + # You can use per vhost certificates if SNI is supported. + SSLCertificateFile /etc/apache2/ssl.crt/vhost-example.crt + SSLCertificateKeyFile /etc/apache2/ssl.key/vhost-example.key + #SSLCertificateChainFile /etc/apache2/ssl.crt/vhost-example-chain.crt # Per-Server Logging: # The home of a custom SSL log file. Use this when you want a # compact non-error SSL logfile on a virtual host basis. CustomLog /var/log/apache2/ssl_request_log ssl_combined - + diff --git a/apache2-vhost.template b/apache2-vhost.template index 02e2ed8..e0ca677 100644 --- a/apache2-vhost.template +++ b/apache2-vhost.template @@ -100,7 +100,7 @@ # doesn't give it to you. # # The Options directive is both complicated and important. Please see - # http://httpd.apache.org/docs-2.2/mod/core.html#options + # http:///httpd.apache.org/docs/2.4/mod/core.html#options # for more information. # Options Indexes FollowSymLinks diff --git a/apache2.changes b/apache2.changes index 2c8004b..9ed8122 100644 --- a/apache2.changes +++ b/apache2.changes 
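Review bot: The two uncommented `SSLOptions +StdEnvVars` lines and the `BrowserMatch "MSIE [2-5]"` shutdown workaround are removed from the template, but the apache2-ssl-global.conf hunk in this commit does not add them, so unless they are set outside the visible hunks a vhost generated from the new template no longer exports the `SSL_*` variables to CGI/SSI handlers. Applications that read `SSL_CLIENT_*` for access decisions would see them unset, so this deserves either a counterpart in ssl-global.conf or an explicit line in the changelog entry, which only mentions commented entries being dropped. The new comment on per-vhost certificates could also state the fallback, for example `# Clients without SNI are served the certificate of the first vhost on this address and port.`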
@@ -1,3 +1,63 @@
+-------------------------------------------------------------------
+Mon Oct 6 12:30:07 UTC 2014 - kstreitova@suse.com
+
+- the following unused patches were removed from the package:
+ * apache2-mod_ssl_npn.patch
+ * httpd-2.0.49-log_server_status.dif
+
+-------------------------------------------------------------------
+Mon Sep 29 11:57:40 UTC 2014 - pgajdos@suse.com
+
+- 700 permissions for /usr/sbin/apache2-systemd-ask-pass and
+ /usr/sbin/start_apache2 [bnc#851627]
+
+-------------------------------------------------------------------
+Wed Sep 26 15:38:17 UTC 2014 - oholecek@suse.com
+
+- allow only TCP ports in Yast2 firewall files
+
+-------------------------------------------------------------------
+Fri Sep 26 15:00:45 UTC 2014 - pgajdos@suse.com
+
+- more 2.2 -> 2.4 [bnc#862058]
+
+-------------------------------------------------------------------
+Thu Sep 25 14:39:05 UTC 2014 - pgajdos@suse.com
+
+- ServerSignature=Off and ServerTokens=Prod by request from
+ security team [bnc#716495]
+
+-------------------------------------------------------------------
+Wed Sep 24 13:11:16 UTC 2014 - pgajdos@suse.com
+
+- fix documentation links 2.2 -> 2.4 [bnc#888163] (internal)
+
+-------------------------------------------------------------------
+Mon Jul 21 16:23:51 UTC 2014 - crrodriguez@opensuse.org
+
+- Update package Summary and Description.
+- version 2.4.10
+* SECURITY: CVE-2014-0117 (cve.mitre.org)
+* SECURITY: CVE-2014-3523 (cve.mitre.org)
+* SECURITY: CVE-2014-0226 (cve.mitre.org)
+* SECURITY: CVE-2014-0118 (cve.mitre.org)
+* SECURITY: CVE-2014-0231 (cve.mitre.org)
+* Multiple bugfixes to mod_ssl, mod_cache, mod_deflate, mod_lua
+* mod_proxy_fcgi supports unix sockets.
+ +------------------------------------------------------------------- +Mon Jul 21 07:21:21 UTC 2014 - mc@suse.com + +- provide httpd.service as alias for apache2.service for + compatibility reasons (bnc#888093) + +------------------------------------------------------------------- +Mon Apr 14 08:47:02 UTC 2014 - lnussel@suse.de + +- move most ssl options to ssl-global.conf. There is usually no need + for every vhost to re-define the ciphers for example (bnc#865582). + Drop some commented entries that only lead to confusion. + ------------------------------------------------------------------- Thu Mar 27 16:18:27 UTC 2014 - crrodriguez@opensuse.org diff --git a/apache2.firewall b/apache2.firewall index ad286f5..8c5cd69 100644 --- a/apache2.firewall +++ b/apache2.firewall @@ -5,7 +5,7 @@ TCP="http" # space separated list of allowed UDP ports -UDP="http" +UDP="" # space separated list of allowed RPC services RPC="" diff --git a/apache2.service b/apache2.service index 572e9a6..20308f8 100644 --- a/apache2.service +++ b/apache2.service @@ -14,3 +14,4 @@ ExecStop=/usr/sbin/start_apache2 -D SYSTEMD -DFOREGROUND -k graceful-stop [Install] WantedBy=multi-user.target +Alias=httpd.service diff --git a/apache2.spec b/apache2.spec index 59d7927..bf9d467 100644 --- a/apache2.spec +++ b/apache2.spec @@ -93,8 +93,8 @@ BuildRequires: expat-devel # "Server:" header %define VENDOR SUSE %define platform_string Linux/%VENDOR -%define realver 2.4.9 -Version: 2.4.9 +%define realver 2.4.10 +Version: 2.4.10 Release: 0 #Source0: http://www.apache.org/dist/httpd-%{version}.tar.bz2 Source0: httpd-%{realver}.tar.bz2 @@ -166,7 +166,7 @@ Patch109: httpd-2.4.3-mod_systemd.patch Patch111: httpd-visibility.patch Url: http://httpd.apache.org/ Icon: Apache.xpm -Summary: The Apache Web Server Version 2.2 +Summary: The Apache Web Server Version 2.4 License: Apache-2.0 Group: Productivity/Networking/Web/Servers Provides: %{apache_mmn} 
@@ -198,36 +198,15 @@ Recommends: apache2-%default_mpm %endif %description -Apache 2, the successor to Apache 1. - -Apache is the most used Web server software worldwide. - -Some new features in Apache 2: - hybrid multiprocess, multithreaded - mode for improved scalability - -- multiprotocol support - -- stream filtering - -- IPv6 support - -- new module API - -New modules include: - mod_auth_db - -- mod_auth_digest - -- mod_charset_lite - -- mod_dav - -- mod_file_cache - -Mod_ssl is no longer a separate package, but is now included in the -Apache distribution. - -See /usr/share/doc/packages/apache2/, http://httpd.apache.org/, and -http://httpd.apache.org/docs-2.2/upgrading.html. +This version of httpd is a major release of the 2.4 stable branch, +and represents the best available version of Apache HTTP Server. +New features include Loadable MPMs, major improvements to OCSP support, +mod_lua, Dynamic Reverse Proxy configuration, Improved Authentication/ +Authorization, FastCGI Proxy, New Expression Parser, and a Small Object +Caching API. + + See /usr/share/doc/packages/apache2/, http://httpd.apache.org/, and +http://httpd.apache.org/docs-2.4/upgrading.html. %if %worker @@ -316,7 +295,7 @@ See http://mpm-itk.sesse.net/ %endif %package devel -Summary: Apache 2.2 Header and Include Files +Summary: Apache 2 Header and Include Files Group: Development/Libraries/C and C++ Requires: %{name} = %{version} Requires: %{pname}-MPM @@ -332,7 +311,7 @@ for development using the Apache API. %package doc -Summary: Additional Package Documentation. +Summary: Additional Package Documentation Group: Documentation/Other %if 0%{?suse_version} >= 901 && 0%{?sles_version} != 9 Provides: apache-doc 
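Review bot: The upgrade link in the new %description, `http://httpd.apache.org/docs-2.4/upgrading.html`, keeps the old `docs-2.x` path style while the other documentation links this commit touches move to `docs/2.4/`. For consistency it should read `http://httpd.apache.org/docs/2.4/upgrading.html`. I have not checked whether a `docs-2.4` alias resolves, so this may be a dead link rather than only a style mismatch.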
@@ -643,10 +622,10 @@ tar xjf %{SOURCE29} -C $RPM_BUILD_ROOT/%{sysconfdir} # init script and friends mkdir -p $RPM_BUILD_ROOT/etc/init.d install -m 744 $RPM_SOURCE_DIR/rc.%{pname} $RPM_BUILD_ROOT/etc/init.d/%{pname} -install -m 744 $RPM_SOURCE_DIR/start_apache2 $RPM_BUILD_ROOT/usr/sbin/start_apache2 +install -m 700 $RPM_SOURCE_DIR/start_apache2 $RPM_BUILD_ROOT/usr/sbin/start_apache2 %if 0%{?suse_version} >= 1210 mkdir -p $RPM_BUILD_ROOT%{_unitdir}/system/ -install -m 744 $RPM_SOURCE_DIR/apache2-systemd-ask-pass $RPM_BUILD_ROOT/usr/sbin/apache2-systemd-ask-pass +install -m 700 $RPM_SOURCE_DIR/apache2-systemd-ask-pass $RPM_BUILD_ROOT/usr/sbin/apache2-systemd-ask-pass install -m 644 $RPM_SOURCE_DIR/apache2.service $RPM_BUILD_ROOT%{_unitdir}/system/apache2.service %endif ln -sf ../../etc/init.d/%{pname} $RPM_BUILD_ROOT/%{_sbindir}/rc%{pname} diff --git a/apache2.ssl-firewall b/apache2.ssl-firewall index 87b9064..fe679f4 100644 --- a/apache2.ssl-firewall +++ b/apache2.ssl-firewall @@ -5,7 +5,7 @@ TCP="https" # space separated list of allowed UDP ports -UDP="https" +UDP="" # space separated list of allowed RPC services RPC="" diff --git a/httpd-2.0.49-log_server_status.dif b/httpd-2.0.49-log_server_status.dif deleted file mode 100644 index 1b07d68..0000000 --- a/httpd-2.0.49-log_server_status.dif +++ /dev/null 
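Review bot: The two `install -m 700` lines for start_apache2 and apache2-systemd-ask-pass carry no comment saying why these helpers differ from the init script, which stays at 744 on the line above. I would add `# root-only helper scripts, see bnc#851627` above them so a later cleanup does not normalise the modes back. The mode set here only reaches the installed package if the %files section, which is outside this hunk, does not override it with `%attr`; that is worth confirming. The %install section starts and ends outside the hunk.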
@@ -1,36 +0,0 @@ ---- httpd-2.0.49.orig/support/log_server_status.in 2004-02-09 21:59:49.000000000 +0100 -+++ httpd-2.0.49/support/log_server_status2 2004-06-18 11:34:37.000000000 +0200 -@@ -24,18 +24,18 @@ - # it to a file. Make sure the directory $wherelog is writable by the - # user who runs this script. - # --require 'sys/socket.ph'; -+use Socket; - --$wherelog = "/var/log/graph/"; # Logs will be like "/var/log/graph/19960312" -+$wherelog = "/var/log/apache2/status/"; # Logs will be like "/var/log/apache2/status/19960312" - $server = "localhost"; # Name of server, could be "www.foo.com" - $port = "80"; # Port on server --$request = "/status/?auto"; # Request to send -+$request = "/server-status/?auto"; # Request to send - - sub tcp_connect - { - local($host,$port) =@_; - $sockaddr='S n a4 x8'; -- chop($hostname=`hostname`); -+ chop($hostname='localhost'); - $port=(getservbyname($port, 'tcp'))[2] unless $port =~ /^\d+$/; - $me=pack($sockaddr,&AF_INET,0,(gethostbyname($hostname))[4]); - $them=pack($sockaddr,&AF_INET,$port,(gethostbyname($host))[4]); -@@ -66,8 +66,8 @@ - } - print S "GET $request\n"; - while () { -- $requests=$1 if ( m|^BusyServers:\ (\S+)|); -- $idle=$1 if ( m|^IdleServers:\ (\S+)|); -+ $requests=$1 if ( m|^BusyWorkers:\ (\S+)|); -+ $idle=$1 if ( m|^IdleWorkers:\ (\S+)|); - $number=$1 if ( m|sses:\ (\S+)|); - $cpu=$1 if (m|^CPULoad:\ (\S+)|); - } diff --git a/httpd-2.4.10.tar.bz2 b/httpd-2.4.10.tar.bz2 new file mode 100644 index 0000000..53aa858 --- /dev/null +++ b/httpd-2.4.10.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:176c4dac1a745f07b7b91e7f4fd48f9c48049fa6f088efe758d61d9738669c6a +size 5031834 diff --git a/httpd-2.4.9.tar.bz2 b/httpd-2.4.9.tar.bz2 deleted file mode 100644 index c78e9f1..0000000 --- a/httpd-2.4.9.tar.bz2 +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:f78cc90dfa47caf3d83ad18fd6b4e85f237777c1733fc9088594b70ce2847603 -size 4994460 
diff --git a/rc.apache2 b/rc.apache2 index a83f564..ba3807b 100644 --- a/rc.apache2 +++ b/rc.apache2 @@ -21,7 +21,7 @@ # Default-Start: 3 5 # Default-Stop: 0 1 2 6 # X-Interactive: true -# Short-Description: Apache 2.2 HTTP Server +# Short-Description: Apache 2 HTTP Server # Description: Start the Apache HTTP daemon ### END INIT INFO diff --git a/sysconfig.apache2 b/sysconfig.apache2 index f47bc50..33221f6 100644 --- a/sysconfig.apache2 +++ b/sysconfig.apache2 @@ -41,7 +41,7 @@ APACHE_CONF_INCLUDE_DIRS="" # @@all_modules@@ # -# see http://httpd.apache.org/docs-2.2/mod/ ! +# see http:///httpd.apache.org/docs/2.4/mod/ ! # # * It pays to use IfDefine statements... like # @@ -191,7 +191,7 @@ APACHE_START_TIMEOUT="2" # Configures the footer on server-generated documents # This correlates to the ServerSignature directive. # -APACHE_SERVERSIGNATURE="on" +APACHE_SERVERSIGNATURE="off" ## Type: list(debug,info,notice,warn,error,crit,alert,emerg) ## Default: "warn" @@ -249,9 +249,9 @@ APACHE_USE_CANONICAL_NAME="off" # # How much information the server response header field contains about the server. # (installed modules, versions, etc.) -# see http://httpd.apache.org/docs-2.2/mod/core.html#servertokens +# see http:///httpd.apache.org/docs/2.4/mod/core.html#servertokens # -APACHE_SERVERTOKENS="OS" +APACHE_SERVERTOKENS="ProductOnly" ## Type: list(on,off) ## Default: "off"
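Review bot: The new values `APACHE_SERVERSIGNATURE="off"` and `APACHE_SERVERTOKENS="ProductOnly"` in the `@@ -191,7 +191,7 @@` and `@@ -249,9 +249,9 @@` hunks of sysconfig.apache2 change the shipped defaults, but the `## Default:` metadata lines for both variables sit above the hunks and are not touched here. If they still name the old values, they should become `## Default: "off"` and `## Default: "ProductOnly"` so tools that read the sysconfig metadata show the hardened settings. Presumably an existing /etc/sysconfig/apache2 keeps its old values on upgrade, so the change would reach new installations only; that is worth confirming, since already-deployed servers would need the two variables set by hand.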