forked from pool/apache2

Accepting request 254328 from Apache

- the following unused patches were removed from the package:
  * apache2-mod_ssl_npn.patch
  * httpd-2.0.49-log_server_status.dif 

- 700 permissions for /usr/sbin/apache2-systemd-ask-pass and
  /usr/sbin/start_apache2 [bnc#851627]

- allow only TCP ports in Yast2 firewall files

- more 2.2 -> 2.4 [bnc#862058]

- ServerSignature=Off and ServerTokens=Prod by request from 
  security team [bnc#716495]

- fix documentation links 2.2 -> 2.4 [bnc#888163] (internal)

- Update package Summary and Description. 
- version 2.4.10
* SECURITY: CVE-2014-0117 (cve.mitre.org)
* SECURITY: CVE-2014-3523 (cve.mitre.org)
* SECURITY: CVE-2014-0226 (cve.mitre.org)
* SECURITY: CVE-2014-0118 (cve.mitre.org)
* SECURITY: CVE-2014-0231 (cve.mitre.org)
* Multiple bugfixes to mod_ssl, mod_cache, mod_deflate, mod_lua
* mod_proxy_fcgi supports unix sockets.

- provide httpd.service as alias for apache2.service for
  compatibility reasons (bnc#888093)

- move most ssl options to ssl-global.conf. There is usually no need

OBS-URL: https://build.opensuse.org/request/show/254328
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/apache2?expand=0&rev=84
Stephan Kulow 2014-10-09 10:52:02 +00:00 committed by Git OBS Bridge
commit d7b1f84695
27 changed files with 183 additions and 625 deletions

View File

@ -48,14 +48,14 @@ The following nice article has a more in depth answer:
http://www.onlamp.com/pub/a/apache/2004/06/17/apacheckbk.html http://www.onlamp.com/pub/a/apache/2004/06/17/apacheckbk.html
See See
http://httpd.apache.org/docs-2.2/mpm.html and http:///httpd.apache.org/docs/2.4/mpm.html and
http://httpd.apache.org/docs-2.2/misc/perf-tuning.html#compiletime http:///httpd.apache.org/docs/2.4/misc/perf-tuning.html#compiletime
for more technical details. for more technical details.
In general, using a threaded MPM (worker) requires that all libraries that are In general, using a threaded MPM (worker) requires that all libraries that are
loaded into apache (and libraries loaded by them in turn) be threadsafe as well. loaded into apache (and libraries loaded by them in turn) be threadsafe as well.
See See
http://httpd.apache.org/docs-2.2/developer/thread_safety.html for a status on http:///httpd.apache.org/docs/2.4/developer/thread_safety.html for a status on
some libraries. some libraries.
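Review bot: the replacement URLs in this hunk are written as http:///httpd.apache.org/docs/2.4/... with three slashes after the scheme, which leaves the host part empty, so the README links do not resolve as written. Use http://httpd.apache.org/docs/2.4/mpm.html and the matching two-slash form for the perf-tuning and thread_safety links, as the mod_reqtimeout and MPM tuning hunks of this commit already do. The same typo recurs in the other 2.2 -> 2.4 comment updates that started from the old docs-2.2 URL form.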

View File

@ -17,7 +17,7 @@ DocumentRoot "/srv/www/htdocs"
# doesn't give it to you. # doesn't give it to you.
# #
# The Options directive is both complicated and important. Please see # The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs-2.2/mod/core.html#options # http:///httpd.apache.org/docs/2.4/mod/core.html#options
# for more information. # for more information.
Options None Options None
# AllowOverride controls what directives may be placed in .htaccess files. # AllowOverride controls what directives may be placed in .htaccess files.

View File

@ -2,7 +2,7 @@
# This is the Apache server configuration file providing SSL support. # This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to # It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these # serve pages over an https connection. For detailing information about these
# directives see <URL:http://httpd.apache.org/docs-2.2/mod/mod_ssl.html> # directives see <URL:http:///httpd.apache.org/docs/2.4/mod/mod_ssl.html>
# #
# Do NOT simply read the instructions in here without understanding # Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure # what they do. They're here only as hints or reminders. If you are unsure

View File

@ -92,7 +92,7 @@
# doesn't give it to you. # doesn't give it to you.
# #
# The Options directive is both complicated and important. Please see # The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs-2.2/mod/core.html#options # http:///httpd.apache.org/docs/2.4/mod/core.html#options
# for more information. # for more information.
# #
Options +Indexes +MultiViews +FollowSymLinks Options +Indexes +MultiViews +FollowSymLinks

View File

@ -3,7 +3,7 @@
# #
# This is the main Apache server configuration file. It contains the # This is the main Apache server configuration file. It contains the
# configuration directives that give the server its instructions. # configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs-2.2/> for detailed information about # See <URL:http:///httpd.apache.org/docs/2.4/> for detailed information about
# the directives. # the directives.
# Based upon the default apache configuration file that ships with apache, # Based upon the default apache configuration file that ships with apache,
@ -193,7 +193,7 @@ Include /etc/apache2/sysconfig.d/include.conf
# IP addresses. This is indicated by the asterisks in the directives below. # IP addresses. This is indicated by the asterisks in the directives below.
# #
# Please see the documentation at # Please see the documentation at
# <URL:http://httpd.apache.org/docs-2.2/vhosts/> # <URL:http:///httpd.apache.org/docs/2.4/vhosts/>
# for further details before you try to setup virtual hosts. # for further details before you try to setup virtual hosts.
# #
# You may use the command line option '-S' to verify your virtual host # You may use the command line option '-S' to verify your virtual host

View File

@ -1,7 +1,7 @@
# Listen: Allows you to bind Apache to specific IP addresses and/or # Listen: Allows you to bind Apache to specific IP addresses and/or
# ports. See also the <VirtualHost> directive. # ports. See also the <VirtualHost> directive.
# #
# http://httpd.apache.org/docs-2.2/mod/mpm_common.html#listen # http:///httpd.apache.org/docs/2.4/mod/mpm_common.html#listen
# #
# Change this to Listen on specific IP addresses as shown below to # Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses (0.0.0.0) # prevent Apache from glomming onto all bound IP addresses (0.0.0.0)

View File

@ -1,7 +1,7 @@
# #
# Directives controlling the display of server-generated directory listings. # Directives controlling the display of server-generated directory listings.
# #
# see http://httpd.apache.org/docs-2.2/mod/mod_autoindex.html # see http:///httpd.apache.org/docs/2.4/mod/mod_autoindex.html
# #
<IfModule mod_autoindex.c> <IfModule mod_autoindex.c>

View File

@ -2,7 +2,7 @@
# Allow remote server configuration reports, with the URL of # Allow remote server configuration reports, with the URL of
# http://servername/server-info (requires that mod_info.c be loaded). # http://servername/server-info (requires that mod_info.c be loaded).
# #
# see http://httpd.apache.org/docs-2.2/mod/mod_info.html # see http:///httpd.apache.org/docs/2.4/mod/mod_info.html
# #
<IfModule mod_info.c> <IfModule mod_info.c>
<Location /server-info> <Location /server-info>

View File

@ -2,7 +2,7 @@
# The following directives define some format nicknames for use with # The following directives define some format nicknames for use with
# a CustomLog directive. # a CustomLog directive.
# #
# http://httpd.apache.org/docs-2.2/mod/mod_log_config.html # http:///httpd.apache.org/docs/2.4/mod/mod_log_config.html
# #
# #

View File

@ -2,7 +2,7 @@
# mod_mime configuration: # mod_mime configuration:
# associate various bits of "meta information" with files by their filename extensions # associate various bits of "meta information" with files by their filename extensions
# #
# see http://httpd.apache.org/docs-2.2/mod/mod_mime.html # see http:///httpd.apache.org/docs/2.4/mod/mod_mime.html
# #
# Catalan (ca) - Croatian (hr) - Czech (cs) - Danish (da) - Dutch (nl) # Catalan (ca) - Croatian (hr) - Czech (cs) - Danish (da) - Dutch (nl)
@ -152,7 +152,7 @@ AddHandler type-map var
# Guess the MIME type of a file by looking at a few bytes of its contents # Guess the MIME type of a file by looking at a few bytes of its contents
# http://httpd.apache.org/docs-2.2/mod/mod_mime_magic.html # http:///httpd.apache.org/docs/2.4/mod/mod_mime_magic.html
<IfModule mod_mime_magic.c> <IfModule mod_mime_magic.c>
MIMEMagicFile /etc/apache2/magic MIMEMagicFile /etc/apache2/magic
</IfModule> </IfModule>

View File

@ -7,7 +7,7 @@
# #
# mod_reqtimeout.c must be loaded. # mod_reqtimeout.c must be loaded.
# #
# see https://httpd.apache.org/docs/2.2/mod/mod_reqtimeout.html # see https://httpd.apache.org/docs/2.4/mod/mod_reqtimeout.html
# or /usr/share/apache2/manual/mod/mod_reqtimeout.html.en # or /usr/share/apache2/manual/mod/mod_reqtimeout.html.en
# #
# Note: # Note:

View File

@ -1,353 +0,0 @@
--- httpd-2.4.4.orig/modules/ssl/mod_ssl.c
+++ httpd-2.4.4/modules/ssl/mod_ssl.c
@@ -94,6 +94,15 @@ static const command_rec ssl_config_cmds
SSL_CMD_SRV(PKCS7CertificateFile, TAKE1,
"PKCS#7 file containing server certificate and chain"
" certificates ('/path/to/file' - PEM encoded)")
+ SSL_CMD_ALL(RSAAuthzFile, TAKE1,
+ "RFC 5878 Authz Extension file for RSA certificate "
+ "(`/path/to/file')")
+ SSL_CMD_ALL(DSAAuthzFile, TAKE1,
+ "RFC 5878 Authz Extension file for DSA certificate "
+ "(`/path/to/file')")
+ SSL_CMD_ALL(ECAuthzFile, TAKE1,
+ "RFC 5878 Authz Extension file for EC certificate "
+ "(`/path/to/file')")
#ifdef HAVE_TLS_SESSION_TICKETS
SSL_CMD_SRV(SessionTicketKeyFile, TAKE1,
"TLS session ticket encryption/decryption key file (RFC 5077) "
@@ -157,6 +166,15 @@ static const command_rec ssl_config_cmds
"('some secret text')")
#endif
+#ifndef OPENSSL_NO_SRP
+ SSL_CMD_SRV(SRPVerifierFile, TAKE1,
+ "SRP verifier file "
+ "('/path/to/file' - created by srptool)")
+ SSL_CMD_SRV(SRPUnknownUserSeed, TAKE1,
+ "SRP seed for unknown users (to avoid leaking a user's existence) "
+ "('some secret text')")
+#endif
+
/*
* Proxy configuration for remote SSL connections
*/
@@ -272,6 +290,18 @@ static const command_rec ssl_config_cmds
AP_END_CMD
};
+/* Implement 'modssl_run_npn_advertise_protos_hook'. */
+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
+ modssl, AP, int, npn_advertise_protos_hook,
+ (conn_rec *connection, apr_array_header_t *protos),
+ (connection, protos), OK, DECLINED);
+
+/* Implement 'modssl_run_npn_proto_negotiated_hook'. */
+APR_IMPLEMENT_OPTIONAL_HOOK_RUN_ALL(
+ modssl, AP, int, npn_proto_negotiated_hook,
+ (conn_rec *connection, const char *proto_name, apr_size_t proto_name_len),
+ (connection, proto_name, proto_name_len), OK, DECLINED);
+
/*
* the various processing hooks
*/
--- httpd-2.4.4.orig/modules/ssl/mod_ssl.h
+++ httpd-2.4.4/modules/ssl/mod_ssl.h
@@ -63,5 +63,26 @@ APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_e
APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *));
+/** The npn_advertise_protos optional hook allows other modules to add entries
+ * to the list of protocol names advertised by the server during the Next
+ * Protocol Negotiation (NPN) portion of the SSL handshake. The hook callee is
+ * given the connection and an APR array; it should push one or more char*'s
+ * pointing to null-terminated strings (such as "http/1.1" or "spdy/2") onto
+ * the array and return OK, or do nothing and return DECLINED. */
+APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_advertise_protos_hook,
+ (conn_rec *connection, apr_array_header_t *protos));
+
+/** The npn_proto_negotiated optional hook allows other modules to discover the
+ * name of the protocol that was chosen during the Next Protocol Negotiation
+ * (NPN) portion of the SSL handshake. Note that this may be the empty string
+ * (in which case modules should probably assume HTTP), or it may be a protocol
+ * that was never even advertised by the server. The hook callee is given the
+ * connection, a non-null-terminated string containing the protocol name, and
+ * the length of the string; it should do something appropriate (i.e. insert or
+ * remove filters) and return OK, or do nothing and return DECLINED. */
+APR_DECLARE_EXTERNAL_HOOK(modssl, AP, int, npn_proto_negotiated_hook,
+ (conn_rec *connection, const char *proto_name,
+ apr_size_t proto_name_len));
+
#endif /* __MOD_SSL_H__ */
/** @} */
--- httpd-2.4.4.orig/modules/ssl/ssl_engine_config.c
+++ httpd-2.4.4/modules/ssl/ssl_engine_config.c
@@ -125,6 +125,10 @@ static void modssl_ctx_init(modssl_ctx_t
mctx->crl_file = NULL;
mctx->crl_check_mode = SSL_CRLCHECK_UNSET;
+ mctx->rsa_authz_file = NULL;
+ mctx->dsa_authz_file = NULL;
+ mctx->ec_authz_file = NULL;
+
mctx->auth.ca_cert_path = NULL;
mctx->auth.ca_cert_file = NULL;
mctx->auth.cipher_suite = NULL;
@@ -155,6 +159,12 @@ static void modssl_ctx_init(modssl_ctx_t
mctx->srp_unknown_user_seed = NULL;
mctx->srp_vbase = NULL;
#endif
+
+#ifndef OPENSSL_NO_SRP
+ mctx->srp_vfile = NULL;
+ mctx->srp_unknown_user_seed = NULL;
+ mctx->srp_vbase = NULL;
+#endif
}
static void modssl_ctx_init_proxy(SSLSrvConfigRec *sc,
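Review bot: the added #ifndef OPENSSL_NO_SRP block in modssl_ctx_init repeats the srp_unknown_user_seed and srp_vbase assignments that the context lines directly above it already make before their own #endif. It is harmless at runtime, but it shows the patch was refreshed on top of a tree that already carried SRP support; the same duplication appears in the ssl_private.h hunks for ssl_cmd_SSLSRPVerifierFile, ssl_cmd_SSLSRPUnknownUserSeed and ssl_callback_SRPServerParams. These duplicate blocks should have been dropped during the refresh, which supports removing the patch as unused.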
@@ -257,6 +267,10 @@ static void modssl_ctx_cfg_merge(modssl_
cfgMerge(crl_file, NULL);
cfgMerge(crl_check_mode, SSL_CRLCHECK_UNSET);
+ cfgMergeString(rsa_authz_file);
+ cfgMergeString(dsa_authz_file);
+ cfgMergeString(ec_authz_file);
+
cfgMergeString(auth.ca_cert_path);
cfgMergeString(auth.ca_cert_file);
cfgMergeString(auth.cipher_suite);
@@ -839,6 +853,54 @@ const char *ssl_cmd_SSLPKCS7CertificateF
return NULL;
}
+
+const char *ssl_cmd_SSLRSAAuthzFile(cmd_parms *cmd,
+ void *dcfg,
+ const char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ const char *err;
+
+ if ((err = ssl_cmd_check_file(cmd, &arg))) {
+ return err;
+ }
+
+ sc->server->rsa_authz_file = arg;
+
+ return NULL;
+}
+
+const char *ssl_cmd_SSLDSAAuthzFile(cmd_parms *cmd,
+ void *dcfg,
+ const char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ const char *err;
+
+ if ((err = ssl_cmd_check_file(cmd, &arg))) {
+ return err;
+ }
+
+ sc->server->dsa_authz_file = arg;
+
+ return NULL;
+}
+
+const char *ssl_cmd_SSLECAuthzFile(cmd_parms *cmd,
+ void *dcfg,
+ const char *arg)
+{
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ const char *err;
+
+ if ((err = ssl_cmd_check_file(cmd, &arg))) {
+ return err;
+ }
+
+ sc->server->ec_authz_file = arg;
+
+ return NULL;
+}
#ifdef HAVE_TLS_SESSION_TICKETS
const char *ssl_cmd_SSLSessionTicketKeyFile(cmd_parms *cmd,
--- httpd-2.4.4.orig/modules/ssl/ssl_engine_io.c
+++ httpd-2.4.4/modules/ssl/ssl_engine_io.c
@@ -28,6 +28,7 @@
core keeps dumping.''
-- Unknown */
#include "ssl_private.h"
+#include "mod_ssl.h"
#include "apr_date.h"
/* _________________________________________________________________
@@ -297,6 +298,7 @@ typedef struct {
apr_pool_t *pool;
char buffer[AP_IOBUFSIZE];
ssl_filter_ctx_t *filter_ctx;
+ int npn_finished; /* 1 if NPN has finished, 0 otherwise */
} bio_filter_in_ctx_t;
/*
@@ -1385,6 +1387,26 @@ static apr_status_t ssl_io_filter_input(
APR_BRIGADE_INSERT_TAIL(bb, bucket);
}
+#ifdef HAVE_TLS_NPN
+ /* By this point, Next Protocol Negotiation (NPN) should be completed (if
+ * our version of OpenSSL supports it). If we haven't already, find out
+ * which protocol was decided upon and inform other modules by calling
+ * npn_proto_negotiated_hook. */
+ if (!inctx->npn_finished) {
+ const unsigned char *next_proto = NULL;
+ unsigned next_proto_len = 0;
+
+ SSL_get0_next_proto_negotiated(
+ inctx->ssl, &next_proto, &next_proto_len);
+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, APR_SUCCESS, f->c,
+ APLOGNO(02306) "SSL NPN negotiated protocol: '%*s'",
+ next_proto_len, (const char*)next_proto);
+ modssl_run_npn_proto_negotiated_hook(
+ f->c, (const char*)next_proto, next_proto_len);
+ inctx->npn_finished = 1;
+ }
+#endif
+
return APR_SUCCESS;
}
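Review bot: in the ap_log_cerror call, '%*s' passes next_proto_len as a minimum field width, not as a length limit, so the %s conversion still reads next_proto until it meets a NUL byte. The mod_ssl.h comment in this same patch states that the protocol name is a non-null-terminated string, so this debug line can read past the end of the buffer. Use '%.*s' with (int)next_proto_len so the length bounds the read.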
@@ -1866,6 +1888,7 @@ static void ssl_io_input_add_filter(ssl_
inctx->block = APR_BLOCK_READ;
inctx->pool = c->pool;
inctx->filter_ctx = filter_ctx;
+ inctx->npn_finished = 0;
}
/* The request_rec pointer is passed in here only to ensure that the
--- httpd-2.4.4.orig/modules/ssl/ssl_engine_kernel.c
+++ httpd-2.4.4/modules/ssl/ssl_engine_kernel.c
@@ -29,6 +29,7 @@
time I was too famous.''
-- Unknown */
#include "ssl_private.h"
+#include "mod_ssl.h"
#include "util_md5.h"
static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn);
@@ -320,6 +321,19 @@ int ssl_hook_Access(request_rec *r)
return HTTP_FORBIDDEN;
}
+#ifndef OPENSSL_NO_SRP
+ /*
+ * Support for per-directory reconfigured SSL connection parameters
+ *
+ * We do not force any renegotiation if the user is already authenticated
+ * via SRP.
+ *
+ */
+ if (SSL_get_srp_username(ssl)) {
+ return DECLINED;
+ }
+#endif
+
/*
* Check to see whether SSL is in use; if it's not, then no
* further access control checks are relevant. (the test for
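Review bot: the SSL_get_srp_username(ssl) test is inserted ahead of the "Check to see whether SSL is in use" block that follows in the context lines, so it runs before ssl_hook_Access has established that the connection has an SSL object. Move the SRP test below that check, or guard it with a NULL test on ssl. The comment also understates the effect: returning DECLINED here skips every later check in ssl_hook_Access for an SRP-authenticated user, not only renegotiation, and the comment should say so.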
@@ -1397,7 +1411,7 @@ EC_KEY *ssl_callback_TmpECDH(SSL *ssl, i
return (EC_KEY *)mc->pTmpKeys[idx];
}
-#endif
+#endif /* OPENSSL_NO_TLSEXT */
/*
* This OpenSSL callback function is called when OpenSSL
--- httpd-2.4.4.orig/modules/ssl/ssl_private.h
+++ httpd-2.4.4/modules/ssl/ssl_private.h
@@ -139,6 +139,11 @@
#define HAVE_FIPS
#endif
+#if OPENSSL_VERSION_NUMBER >= 0x10001000L && !defined(OPENSSL_NO_NEXTPROTONEG) \
+ && !defined(OPENSSL_NO_TLSEXT)
+#define HAVE_TLS_NPN
+#endif
+
#if (OPENSSL_VERSION_NUMBER >= 0x10000000)
#define MODSSL_SSL_CIPHER_CONST const
#define MODSSL_SSL_METHOD_CONST const
@@ -194,6 +199,20 @@
#endif
#endif
+#if !defined(OPENSSL_NO_COMP) && !defined(SSL_OP_NO_COMPRESSION) \
+ && OPENSSL_VERSION_NUMBER < 0x00908000L
+#define OPENSSL_NO_COMP
+#endif
+
+/* SRP support came in OpenSSL 1.0.1 */
+#ifndef OPENSSL_NO_SRP
+#ifdef SSL_CTRL_SET_TLS_EXT_SRP_USERNAME_CB
+#include <openssl/srp.h>
+#else
+#define OPENSSL_NO_SRP
+#endif
+#endif
+
/* mod_ssl headers */
#include "ssl_util_ssl.h"
@@ -662,6 +681,11 @@ typedef struct {
SRP_VBASE *srp_vbase;
#endif
+ /** RFC 5878 */
+ const char *rsa_authz_file;
+ const char *dsa_authz_file;
+ const char *ec_authz_file;
+
modssl_auth_ctx_t auth;
BOOL ocsp_enabled; /* true if OCSP verification enabled */
@@ -738,6 +762,9 @@ const char *ssl_cmd_SSLCryptoDevice(cmd
const char *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *);
const char *ssl_cmd_SSLEngine(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLRSAAuthzFile(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLDSAAuthzFile(cmd_parms *, void *, const char *);
+const char *ssl_cmd_SSLECAuthzFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *);
const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *);
@@ -795,6 +822,11 @@ const char *ssl_cmd_SSLSRPVerifierFile(c
const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg, const char *arg);
#endif
+#ifndef OPENSSL_NO_SRP
+const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg, const char *arg);
+const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg, const char *arg);
+#endif
+
const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag);
/** module initialization */
@@ -840,6 +872,7 @@ int ssl_callback_ServerNameIndi
int ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *,
EVP_CIPHER_CTX *, HMAC_CTX *, int);
#endif
+int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data, unsigned int *len, void *arg);
/** Session Cache Support */
void ssl_scache_init(server_rec *, apr_pool_t *);
@@ -873,6 +906,9 @@ int ssl_stapling_init_cert(serv
#endif
#ifndef OPENSSL_NO_SRP
int ssl_callback_SRPServerParams(SSL *, int *, void *);
+#endif
+#ifndef OPENSSL_NO_SRP
+int ssl_callback_SRPServerParams(SSL *, int *, void *);
#endif
/** I/O */

View File

@ -2,7 +2,7 @@
# Allow server status reports generated by mod_status, # Allow server status reports generated by mod_status,
# with the URL of http://servername/server-status # with the URL of http://servername/server-status
# #
# see http://httpd.apache.org/docs-2.2/mod/mod_status.html # see http:///httpd.apache.org/docs/2.4/mod/mod_status.html
# #
<IfModule mod_status.c> <IfModule mod_status.c>
<Location /server-status> <Location /server-status>

View File

@ -10,47 +10,47 @@
# prefork MPM # prefork MPM
<IfModule prefork.c> <IfModule prefork.c>
# number of server processes to start # number of server processes to start
# http://httpd.apache.org/docs/2.2/mod/mpm_common.html#startservers # http://httpd.apache.org/docs/2.4/mod/mpm_common.html#startservers
StartServers 5 StartServers 5
# minimum number of server processes which are kept spare # minimum number of server processes which are kept spare
# http://httpd.apache.org/docs/2.2/mod/prefork.html#minspareservers # http://httpd.apache.org/docs/2.4/mod/prefork.html#minspareservers
MinSpareServers 5 MinSpareServers 5
# maximum number of server processes which are kept spare # maximum number of server processes which are kept spare
# http://httpd.apache.org/docs/2.2/mod/prefork.html#maxspareservers # http://httpd.apache.org/docs/2.4/mod/prefork.html#maxspareservers
MaxSpareServers 10 MaxSpareServers 10
# highest possible MaxClients setting for the lifetime of the Apache process. # highest possible MaxClients setting for the lifetime of the Apache process.
# http://httpd.apache.org/docs/2.2/mod/mpm_common.html#serverlimit # http://httpd.apache.org/docs/2.4/mod/mpm_common.html#serverlimit
ServerLimit 150 ServerLimit 150
# maximum number of server processes allowed to start # maximum number of server processes allowed to start
# http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxclients # http://httpd.apache.org/docs/2.4/mod/mpm_common.html#maxclients
MaxClients 150 MaxClients 150
# maximum number of requests a server process serves # maximum number of requests a server process serves
# http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxrequestsperchild # http://httpd.apache.org/docs/2.4/mod/mpm_common.html#maxrequestsperchild
MaxRequestsPerChild 10000 MaxRequestsPerChild 10000
</IfModule> </IfModule>
# worker MPM # worker MPM
<IfModule worker.c> <IfModule worker.c>
# initial number of server processes to start # initial number of server processes to start
# http://httpd.apache.org/docs/2.2/mod/mpm_common.html#startservers # http://httpd.apache.org/docs/2.4/mod/mpm_common.html#startservers
StartServers 3 StartServers 3
# minimum number of worker threads which are kept spare # minimum number of worker threads which are kept spare
# http://httpd.apache.org/docs/2.2/mod/mpm_common.html#minsparethreads # http://httpd.apache.org/docs/2.4/mod/mpm_common.html#minsparethreads
MinSpareThreads 25 MinSpareThreads 25
# maximum number of worker threads which are kept spare # maximum number of worker threads which are kept spare
# http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxsparethreads # http://httpd.apache.org/docs/2.4/mod/mpm_common.html#maxsparethreads
MaxSpareThreads 75 MaxSpareThreads 75
# upper limit on the configurable number of threads per child process # upper limit on the configurable number of threads per child process
# http://httpd.apache.org/docs/2.2/mod/mpm_common.html#threadlimit # http://httpd.apache.org/docs/2.4/mod/mpm_common.html#threadlimit
ThreadLimit 64 ThreadLimit 64
# maximum number of simultaneous client connections # maximum number of simultaneous client connections
# http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxclients # http://httpd.apache.org/docs/2.4/mod/mpm_common.html#maxclients
MaxClients 150 MaxClients 150
# number of worker threads created by each child process # number of worker threads created by each child process
# http://httpd.apache.org/docs/2.2/mod/mpm_common.html#threadsperchild # http://httpd.apache.org/docs/2.4/mod/mpm_common.html#threadsperchild
ThreadsPerChild 25 ThreadsPerChild 25
# maximum number of requests a server process serves # maximum number of requests a server process serves
# http://httpd.apache.org/docs/2.2/mod/mpm_common.html#maxrequestsperchild # http://httpd.apache.org/docs/2.4/mod/mpm_common.html#maxrequestsperchild
MaxRequestsPerChild 10000 MaxRequestsPerChild 10000
</IfModule> </IfModule>
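Review bot: the links in the prefork and worker blocks now point at the 2.4 manual, but the directives keep their 2.2 names. In 2.4, MaxClients was renamed MaxRequestWorkers and MaxRequestsPerChild was renamed MaxConnectionsPerChild; the old names are still accepted, so the file keeps working, but the #maxclients and #maxrequestsperchild links and the "highest possible MaxClients setting" comment no longer match the 2.4 documentation. Either rename the directives or name the 2.4 equivalents in the comments and point the links at them.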
@ -103,7 +103,7 @@ KeepAliveTimeout 15
# The default is on; turn this off if you serve from NFS-mounted # The default is on; turn this off if you serve from NFS-mounted
# filesystems. On some systems, turning it off (regardless of # filesystems. On some systems, turning it off (regardless of
# filesystem) can improve performance; for details, please see # filesystem) can improve performance; for details, please see
# http://httpd.apache.org/docs-2.2/mod/core.html#enablemmap # http:///httpd.apache.org/docs/2.4/mod/core.html#enablemmap
# #
#EnableMMAP off #EnableMMAP off
@ -112,7 +112,7 @@ KeepAliveTimeout 15
# used to deliver files (assuming that the OS supports it). # used to deliver files (assuming that the OS supports it).
# The default is on; turn this off if you serve from NFS-mounted # The default is on; turn this off if you serve from NFS-mounted
# filesystems. Please see # filesystems. Please see
# http://httpd.apache.org/docs-2.2/mod/core.html#enablesendfile # http:///httpd.apache.org/docs/2.4/mod/core.html#enablesendfile
# #
EnableSendfile on EnableSendfile on

View File

@ -7,7 +7,7 @@
# These are the configuration directives to instruct the server how to # These are the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these # serve pages over an https connection. For detailing information about these
# directives see <URL:http://httpd.apache.org/docs-2.2/mod/mod_ssl.html> # directives see <URL:http:///httpd.apache.org/docs/2.4/mod/mod_ssl.html>
# #
# Do NOT simply read the instructions in here without understanding # Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure # what they do. They're here only as hints or reminders. If you are unsure
@ -70,6 +70,63 @@
#SSLRandomSeed startup file:/dev/urandom 512 #SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/urandom 512 #SSLRandomSeed connect file:/dev/urandom 512
# SSL protocols
# Supporting TLS only is adequate nowadays
SSLProtocol all -SSLv2 -SSLv3
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. Keep
# in mind that if you have both an RSA and a DSA certificate you
# can configure both in parallel (to also allow the use of DSA
# ciphers, etc.)
#SSLCertificateFile /etc/apache2/ssl.crt/server.crt
#SSLCertificateFile /etc/apache2/ssl.crt/server-dsa.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
#SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
#SSLCertificateKeyFile /etc/apache2/ssl.key/server-dsa.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded intermediate CA
# certificates which form the certificate chain for the
# server certificate. Alternatively the referenced file
# can be the same as SSLCertificateFile when the CA
# certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile /etc/apache2/ssl.crt/chain.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /etc/apache2/ssl.crt
#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
# Certificate Revocation Lists (CRL):
# Set the CA revocation path where to find CA CRLs for client
# authentication or alternatively one huge file containing all
# of them (file must be PEM encoded)
# Note: Inside SSLCARevocationPath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCARevocationPath /etc/apache2/ssl.crl
#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
</IfModule> </IfModule>
</IfDefine> </IfDefine>
</IfDefine> </IfDefine>
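Review bot: SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5 is moved into the global file unchanged while SSLProtocol on the line above is tightened to exclude SSLv3. With OpenSSL 1.0.x the MEDIUM class still includes the RC4 suites, and nothing here sets SSLHonorCipherOrder, so the client's preference decides which suite is used. Since this file now sets the default for every vhost, consider appending !RC4 to the list and adding SSLHonorCipherOrder on. Minor: the SSLCertificateChainFile comment still has the typo "convinience".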

View File

@ -11,7 +11,7 @@
# This is the Apache server configuration file providing SSL support. # This is the Apache server configuration file providing SSL support.
# It contains the configuration directives to instruct the server how to # It contains the configuration directives to instruct the server how to
# serve pages over an https connection. For detailing information about these # serve pages over an https connection. For detailing information about these
# directives see http://httpd.apache.org/docs/2.2/mod/mod_ssl.html # directives see http://httpd.apache.org/docs/2.4/mod/mod_ssl.html
# #
# Do NOT simply read the instructions in here without understanding # Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure # what they do. They're here only as hints or reminders. If you are unsure
@ -38,167 +38,17 @@
# Enable/Disable SSL for this virtual host. # Enable/Disable SSL for this virtual host.
SSLEngine on SSLEngine on
# SSL protocols # You can use per vhost certificates if SNI is supported.
# Supporting TLS only is adequate nowadays SSLCertificateFile /etc/apache2/ssl.crt/vhost-example.crt
SSLProtocol all -SSLv2 SSLCertificateKeyFile /etc/apache2/ssl.key/vhost-example.key
#SSLCertificateChainFile /etc/apache2/ssl.crt/vhost-example-chain.crt
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
# Speed-optimized SSL Cipher configuration:
# If speed is your main concern (on busy HTTPS servers e.g.),
# you might want to force clients to specific, performance
# optimized ciphers. In this case, prepend those ciphers
# to the SSLCipherSuite list, and enable SSLHonorCipherOrder.
# Caveat: by giving precedence to RC4-SHA and AES128-SHA
# (as in the example below), most connections will no longer
# have perfect forward secrecy - if the server's key is
# compromised, captures of past or future traffic must be
# considered compromised, too.
#SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
#SSLHonorCipherOrder on
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. Keep
# in mind that if you have both an RSA and a DSA certificate you
# can configure both in parallel (to also allow the use of DSA
# ciphers, etc.)
SSLCertificateFile /etc/apache2/ssl.crt/server.crt
#SSLCertificateFile /etc/apache2/ssl.crt/server-dsa.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/apache2/ssl.key/server.key
#SSLCertificateKeyFile /etc/apache2/ssl.key/server-dsa.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convinience.
#SSLCertificateChainFile /etc/apache2/ssl.crt/ca.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /etc/apache2/ssl.crt
#SSLCACertificateFile /etc/apache2/ssl.crt/ca-bundle.crt
# Certificate Revocation Lists (CRL):
# Set the CA revocation path where to find CA CRLs for client
# authentication or alternatively one huge file containing all
# of them (file must be PEM encoded)
# Note: Inside SSLCARevocationPath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCARevocationPath /etc/apache2/ssl.crl
#SSLCARevocationFile /etc/apache2/ssl.crl/ca-bundle.crl
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth 10
# Access Control:
# With SSLRequire you can do per-directory access control based
# on arbitrary complex boolean expressions containing server
# variable checks and other lookup directives. The syntax is a
# mixture between C and Perl. See the mod_ssl documentation
# for more details.
#<Location />
#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
# and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
# and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
# or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>
# SSL Engine Options:
# Set various options for the SSL engine.
# o FakeBasicAuth:
# Translate the client X.509 into a Basic Authorisation. This means that
# the standard Auth/DBMAuth methods can be used for access control. The
# user name is the `one line' version of the client's X.509 certificate.
# Note that no password is obtained from the user. Every entry in the user
# file needs this password: `xxj31ZMTZzkVA'.
# o ExportCertData:
# This exports two additional environment variables: SSL_CLIENT_CERT and
# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o StrictRequire:
# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
# under a "Satisfy any" situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/srv/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable "nokeepalive" for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
# "force-response-1.0" for this.
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
# Per-Server Logging: # Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a # The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis. # compact non-error SSL logfile on a virtual host basis.
CustomLog /var/log/apache2/ssl_request_log ssl_combined CustomLog /var/log/apache2/ssl_request_log ssl_combined
</VirtualHost> </VirtualHost>
</IfDefine> </IfDefine>
</IfDefine> </IfDefine>

View File

@ -100,7 +100,7 @@
# doesn't give it to you. # doesn't give it to you.
# #
# The Options directive is both complicated and important. Please see # The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs-2.2/mod/core.html#options # http:///httpd.apache.org/docs/2.4/mod/core.html#options
# for more information. # for more information.
# #
Options Indexes FollowSymLinks Options Indexes FollowSymLinks
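Review bot: The replacement URL on the `#options` line has three slashes after the scheme (`http:///httpd.apache.org/docs/2.4/mod/core.html#options`), which leaves the host part empty, so the link does not resolve as written. It should read `http://httpd.apache.org/docs/2.4/mod/core.html#options`. The same slip shows up in the other links rewritten from 2.2 to 2.4 in this commit, so a grep for `http:///` across the package sources would catch them in one pass.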

View File

@ -1,3 +1,63 @@
-------------------------------------------------------------------
Mon Oct 6 12:30:07 UTC 2014 - kstreitova@suse.com
- the following unused patches were removed from the package:
* apache2-mod_ssl_npn.patch
* httpd-2.0.49-log_server_status.dif
-------------------------------------------------------------------
Mon Sep 29 11:57:40 UTC 2014 - pgajdos@suse.com
- 700 permissions for /usr/sbin/apache2-systemd-ask-pass and
/usr/sbin/start_apache2 [bnc#851627]
-------------------------------------------------------------------
Wed Sep 26 15:38:17 UTC 2014 - oholecek@suse.com
- allow only TCP ports in Yast2 firewall files
-------------------------------------------------------------------
Fri Sep 26 15:00:45 UTC 2014 - pgajdos@suse.com
- more 2.2 -> 2.4 [bnc#862058]
-------------------------------------------------------------------
Thu Sep 25 14:39:05 UTC 2014 - pgajdos@suse.com
- ServerSignature=Off and ServerTokens=Prod by request from
security team [bnc#716495]
-------------------------------------------------------------------
Wed Sep 24 13:11:16 UTC 2014 - pgajdos@suse.com
- fix documentation links 2.2 -> 2.4 [bnc#888163] (internal)
-------------------------------------------------------------------
Mon Jul 21 16:23:51 UTC 2014 - crrodriguez@opensuse.org
- Update package Summary and Description.
- version 2.4.10
* SECURITY: CVE-2014-0117 (cve.mitre.org)
* SECURITY: CVE-2014-3523 (cve.mitre.org)
* SECURITY: CVE-2014-0226 (cve.mitre.org)
* SECURITY: CVE-2014-0118 (cve.mitre.org)
* SECURITY: CVE-2014-0231 (cve.mitre.org)
* Multiple bugfixes to mod_ssl, mod_cache, mod_deflate, mod_lua
* mod_proxy_fcgi supports unix sockets.
-------------------------------------------------------------------
Mon Jul 21 07:21:21 UTC 2014 - mc@suse.com
- provide httpd.service as alias for apache2.service for
compatibility reasons (bnc#888093)
-------------------------------------------------------------------
Mon Apr 14 08:47:02 UTC 2014 - lnussel@suse.de
- move most ssl options to ssl-global.conf. There is usually no need
for every vhost to re-define the ciphers for example (bnc#865582).
Drop some commented entries that only lead to confusion.
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Mar 27 16:18:27 UTC 2014 - crrodriguez@opensuse.org Thu Mar 27 16:18:27 UTC 2014 - crrodriguez@opensuse.org
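Review bot: The oholecek@suse.com entry is dated `Wed Sep 26 15:38:17 UTC 2014`, but the entry right below it gives the same day as `Fri Sep 26`, and `Mon Sep 29` above agrees with Friday. Please correct the weekday to `Fri`; rpm reports a weekday that does not match the date as a bogus changelog date. Separately, the five `SECURITY: CVE-2014-...` lines carry only the id, so a short word on the affected module next to each one would help anyone auditing which fixes this package contains.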

View File

@ -5,7 +5,7 @@
TCP="http" TCP="http"
# space separated list of allowed UDP ports # space separated list of allowed UDP ports
UDP="http" UDP=""
# space separated list of allowed RPC services # space separated list of allowed RPC services
RPC="" RPC=""

View File

@ -14,3 +14,4 @@ ExecStop=/usr/sbin/start_apache2 -D SYSTEMD -DFOREGROUND -k graceful-stop
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
Alias=httpd.service
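Review bot: `Alias=httpd.service` in `[Install]` only takes effect when the unit is enabled, because the alias symlink is created by `systemctl enable`. On systems where apache2.service was enabled before this update, `httpd.service` will not exist until the unit is re-enabled, and on systems where it is disabled the alias never appears. If the compatibility name is meant to work unconditionally, either ship the symlink from the package or re-enable the unit in the update scriptlet, and say which in the changelog.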

View File

@ -93,8 +93,8 @@ BuildRequires: expat-devel
# "Server:" header # "Server:" header
%define VENDOR SUSE %define VENDOR SUSE
%define platform_string Linux/%VENDOR %define platform_string Linux/%VENDOR
%define realver 2.4.9 %define realver 2.4.10
Version: 2.4.9 Version: 2.4.10
Release: 0 Release: 0
#Source0: http://www.apache.org/dist/httpd-%{version}.tar.bz2 #Source0: http://www.apache.org/dist/httpd-%{version}.tar.bz2
Source0: httpd-%{realver}.tar.bz2 Source0: httpd-%{realver}.tar.bz2
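Review bot: The version bump swaps the tarball, but `Source0: httpd-%{realver}.tar.bz2` stays a bare file name with the upstream URL left in the commented `#Source0:` line, and no detached signature or keyring source is visible in this hunk. For a release that is pulled in for five CVE fixes, it would be good to use the full URL in `Source0` and add the upstream `.asc` as a further source so the build service can check the tarball instead of relying on whoever uploaded it. Also, `%define realver 2.4.10` and `Version: 2.4.10` repeat the same value; deriving one from the other avoids a half-done bump next time.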
@ -166,7 +166,7 @@ Patch109: httpd-2.4.3-mod_systemd.patch
Patch111: httpd-visibility.patch Patch111: httpd-visibility.patch
Url: http://httpd.apache.org/ Url: http://httpd.apache.org/
Icon: Apache.xpm Icon: Apache.xpm
Summary: The Apache Web Server Version 2.2 Summary: The Apache Web Server Version 2.4
License: Apache-2.0 License: Apache-2.0
Group: Productivity/Networking/Web/Servers Group: Productivity/Networking/Web/Servers
Provides: %{apache_mmn} Provides: %{apache_mmn}
@ -198,36 +198,15 @@ Recommends: apache2-%default_mpm
%endif %endif
%description %description
Apache 2, the successor to Apache 1. This version of httpd is a major release of the 2.4 stable branch,
and represents the best available version of Apache HTTP Server.
Apache is the most used Web server software worldwide. New features include Loadable MPMs, major improvements to OCSP support,
mod_lua, Dynamic Reverse Proxy configuration, Improved Authentication/
Some new features in Apache 2: - hybrid multiprocess, multithreaded Authorization, FastCGI Proxy, New Expression Parser, and a Small Object
mode for improved scalability Caching API.
- multiprotocol support See /usr/share/doc/packages/apache2/, http://httpd.apache.org/, and
http://httpd.apache.org/docs-2.4/upgrading.html.
- stream filtering
- IPv6 support
- new module API
New modules include: - mod_auth_db
- mod_auth_digest
- mod_charset_lite
- mod_dav
- mod_file_cache
Mod_ssl is no longer a separate package, but is now included in the
Apache distribution.
See /usr/share/doc/packages/apache2/, http://httpd.apache.org/, and
http://httpd.apache.org/docs-2.2/upgrading.html.
%if %worker %if %worker
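Review bot: The new description links to `http://httpd.apache.org/docs-2.4/upgrading.html`, while the other links updated in this commit use the `/docs/2.4/` path form. Please pick one form for all of them (the `/docs/2.4/` one matches the rest of the change) so the upgrade link is not the odd one out. The phrase "represents the best available version" is release-announcement wording that will be stale by the next update; the feature list alone is enough for a package description.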
@ -316,7 +295,7 @@ See http://mpm-itk.sesse.net/
%endif %endif
%package devel %package devel
Summary: Apache 2.2 Header and Include Files Summary: Apache 2 Header and Include Files
Group: Development/Libraries/C and C++ Group: Development/Libraries/C and C++
Requires: %{name} = %{version} Requires: %{name} = %{version}
Requires: %{pname}-MPM Requires: %{pname}-MPM
@ -332,7 +311,7 @@ for development using the Apache API.
%package doc %package doc
Summary: Additional Package Documentation. Summary: Additional Package Documentation
Group: Documentation/Other Group: Documentation/Other
%if 0%{?suse_version} >= 901 && 0%{?sles_version} != 9 %if 0%{?suse_version} >= 901 && 0%{?sles_version} != 9
Provides: apache-doc Provides: apache-doc
@ -643,10 +622,10 @@ tar xjf %{SOURCE29} -C $RPM_BUILD_ROOT/%{sysconfdir}
# init script and friends # init script and friends
mkdir -p $RPM_BUILD_ROOT/etc/init.d mkdir -p $RPM_BUILD_ROOT/etc/init.d
install -m 744 $RPM_SOURCE_DIR/rc.%{pname} $RPM_BUILD_ROOT/etc/init.d/%{pname} install -m 744 $RPM_SOURCE_DIR/rc.%{pname} $RPM_BUILD_ROOT/etc/init.d/%{pname}
install -m 744 $RPM_SOURCE_DIR/start_apache2 $RPM_BUILD_ROOT/usr/sbin/start_apache2 install -m 700 $RPM_SOURCE_DIR/start_apache2 $RPM_BUILD_ROOT/usr/sbin/start_apache2
%if 0%{?suse_version} >= 1210 %if 0%{?suse_version} >= 1210
mkdir -p $RPM_BUILD_ROOT%{_unitdir}/system/ mkdir -p $RPM_BUILD_ROOT%{_unitdir}/system/
install -m 744 $RPM_SOURCE_DIR/apache2-systemd-ask-pass $RPM_BUILD_ROOT/usr/sbin/apache2-systemd-ask-pass install -m 700 $RPM_SOURCE_DIR/apache2-systemd-ask-pass $RPM_BUILD_ROOT/usr/sbin/apache2-systemd-ask-pass
install -m 644 $RPM_SOURCE_DIR/apache2.service $RPM_BUILD_ROOT%{_unitdir}/system/apache2.service install -m 644 $RPM_SOURCE_DIR/apache2.service $RPM_BUILD_ROOT%{_unitdir}/system/apache2.service
%endif %endif
ln -sf ../../etc/init.d/%{pname} $RPM_BUILD_ROOT/%{_sbindir}/rc%{pname} ln -sf ../../etc/init.d/%{pname} $RPM_BUILD_ROOT/%{_sbindir}/rc%{pname}
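Review bot: The two helper scripts go from 744 to 700, but the init script installed two lines earlier with `install -m 744 $RPM_SOURCE_DIR/rc.%{pname}` keeps the old mode, and nothing in this hunk shows whether the `%files` section sets modes itself. Please check that `%files` has no `%attr` or `%defattr` that overrides the 700 set here, and either tighten the init script to match or note why it stays world-readable. A `%verify` run or an `rpm -qlv` of the built package in the request would make the resulting modes easy to confirm.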

View File

@ -5,7 +5,7 @@
TCP="https" TCP="https"
# space separated list of allowed UDP ports # space separated list of allowed UDP ports
UDP="https" UDP=""
# space separated list of allowed RPC services # space separated list of allowed RPC services
RPC="" RPC=""

View File

@ -1,36 +0,0 @@
--- httpd-2.0.49.orig/support/log_server_status.in 2004-02-09 21:59:49.000000000 +0100
+++ httpd-2.0.49/support/log_server_status2 2004-06-18 11:34:37.000000000 +0200
@@ -24,18 +24,18 @@
# it to a file. Make sure the directory $wherelog is writable by the
# user who runs this script.
#
-require 'sys/socket.ph';
+use Socket;
-$wherelog = "/var/log/graph/"; # Logs will be like "/var/log/graph/19960312"
+$wherelog = "/var/log/apache2/status/"; # Logs will be like "/var/log/apache2/status/19960312"
$server = "localhost"; # Name of server, could be "www.foo.com"
$port = "80"; # Port on server
-$request = "/status/?auto"; # Request to send
+$request = "/server-status/?auto"; # Request to send
sub tcp_connect
{
local($host,$port) =@_;
$sockaddr='S n a4 x8';
- chop($hostname=`hostname`);
+ chop($hostname='localhost');
$port=(getservbyname($port, 'tcp'))[2] unless $port =~ /^\d+$/;
$me=pack($sockaddr,&AF_INET,0,(gethostbyname($hostname))[4]);
$them=pack($sockaddr,&AF_INET,$port,(gethostbyname($host))[4]);
@@ -66,8 +66,8 @@
}
print S "GET $request\n";
while (<S>) {
- $requests=$1 if ( m|^BusyServers:\ (\S+)|);
- $idle=$1 if ( m|^IdleServers:\ (\S+)|);
+ $requests=$1 if ( m|^BusyWorkers:\ (\S+)|);
+ $idle=$1 if ( m|^IdleWorkers:\ (\S+)|);
$number=$1 if ( m|sses:\ (\S+)|);
$cpu=$1 if (m|^CPULoad:\ (\S+)|);
}

httpd-2.4.10.tar.bz2 Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:176c4dac1a745f07b7b91e7f4fd48f9c48049fa6f088efe758d61d9738669c6a
size 5031834

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:f78cc90dfa47caf3d83ad18fd6b4e85f237777c1733fc9088594b70ce2847603
size 4994460

View File

@ -21,7 +21,7 @@
# Default-Start: 3 5 # Default-Start: 3 5
# Default-Stop: 0 1 2 6 # Default-Stop: 0 1 2 6
# X-Interactive: true # X-Interactive: true
# Short-Description: Apache 2.2 HTTP Server # Short-Description: Apache 2 HTTP Server
# Description: Start the Apache HTTP daemon # Description: Start the Apache HTTP daemon
### END INIT INFO ### END INIT INFO

View File

@ -41,7 +41,7 @@ APACHE_CONF_INCLUDE_DIRS=""
# #
@@all_modules@@ @@all_modules@@
# #
# see http://httpd.apache.org/docs-2.2/mod/ ! # see http:///httpd.apache.org/docs/2.4/mod/ !
# #
# * It pays to use IfDefine statements... like # * It pays to use IfDefine statements... like
# <IfModule mod_xyz.c> # <IfModule mod_xyz.c>
@ -191,7 +191,7 @@ APACHE_START_TIMEOUT="2"
# Configures the footer on server-generated documents # Configures the footer on server-generated documents
# This correlates to the ServerSignature directive. # This correlates to the ServerSignature directive.
# #
APACHE_SERVERSIGNATURE="on" APACHE_SERVERSIGNATURE="off"
## Type: list(debug,info,notice,warn,error,crit,alert,emerg) ## Type: list(debug,info,notice,warn,error,crit,alert,emerg)
## Default: "warn" ## Default: "warn"
@ -249,9 +249,9 @@ APACHE_USE_CANONICAL_NAME="off"
# #
# How much information the server response header field contains about the server. # How much information the server response header field contains about the server.
# (installed modules, versions, etc.) # (installed modules, versions, etc.)
# see http://httpd.apache.org/docs-2.2/mod/core.html#servertokens # see http:///httpd.apache.org/docs/2.4/mod/core.html#servertokens
# #
APACHE_SERVERTOKENS="OS" APACHE_SERVERTOKENS="ProductOnly"
## Type: list(on,off) ## Type: list(on,off)
## Default: "off" ## Default: "off"