diff --git a/apache-20-22-upgrade b/apache-20-22-upgrade index 561c697..7fdd2ad 100644 --- a/apache-20-22-upgrade +++ b/apache-20-22-upgrade @@ -60,11 +60,19 @@ if a2enmod -q auth_ldap; then a2enmod mod_authnz_ldap fi -for module in mod_authn_default mod_authz_default mod_mem_cache; do +for module in mod_authn_default mod_authz_default mod_mem_cache authz_default; do if a2enmod -q "$module"; then echo "!!ATTENTION! $module was removed from apache version 2.4 or later, CHECK YOUR CONFIGURATION!!!" a2dismod "$module" fi done +if [ -x /usr/bin/systemd-notify ] && /usr/bin/systemd-notify --booted && ! a2enmod -q systemd; then + a2enmod systemd +fi + +if ! a2enmod -q authn_core; then + a2enmod authn_core +fi + echo 'Done.' diff --git a/apache2-implicit-pointer-decl.patch b/apache2-implicit-pointer-decl.patch new file mode 100644 index 0000000..ea8a771 --- /dev/null +++ b/apache2-implicit-pointer-decl.patch @@ -0,0 +1,34 @@ +--- httpd-2.4.4.orig/server/request.c ++++ httpd-2.4.4/server/request.c +@@ -46,10 +46,13 @@ + #include "util_script.h" + #include "ap_expr.h" + #include "mod_request.h" +- ++#include "http_connection.h" + #include "mod_core.h" + #include "mod_auth.h" + ++#include ++#include ++ + #if APR_HAVE_STDARG_H + #include + #endif +--- httpd-2.4.4.orig/server/config.c ++++ httpd-2.4.4/server/config.c +@@ -48,10 +48,14 @@ + #include "http_request.h" /* for default_handler (see invoke_handler) */ + #include "http_main.h" + #include "http_vhost.h" ++#include "http_connection.h" + #include "util_cfgtree.h" + #include "util_varbuf.h" + #include "mpm_common.h" + ++#include ++#include ++ + #define APLOG_UNSET (APLOG_NO_MODULE - 1) + /* we know core's module_index is 0 */ + #undef APLOG_MODULE_INDEX diff --git a/apache2-mod_ssl_npn.patch b/apache2-mod_ssl_npn.patch index 4213b95..64e0742 100644 --- a/apache2-mod_ssl_npn.patch +++ b/apache2-mod_ssl_npn.patch @@ -1,5 +1,5 @@ ---- httpd-2.4.3.orig/modules/ssl/mod_ssl.c -+++ httpd-2.4.3/modules/ssl/mod_ssl.c +--- httpd-2.4.4.orig/modules/ssl/mod_ssl.c ++++ httpd-2.4.4/modules/ssl/mod_ssl.c @@ -94,6 +94,15 @@ static const command_rec ssl_config_cmds SSL_CMD_SRV(PKCS7CertificateFile, TAKE1, "PKCS#7 file containing server certificate and chain" @@ -16,9 +16,9 @@ #ifdef HAVE_TLS_SESSION_TICKETS SSL_CMD_SRV(SessionTicketKeyFile, TAKE1, "TLS session ticket encryption/decryption key file (RFC 5077) " -@@ -148,6 +157,15 @@ static const command_rec ssl_config_cmds - SSL_CMD_SRV(StrictSNIVHostCheck, FLAG, - "Strict SNI virtual host checking") +@@ -157,6 +166,15 @@ static const command_rec ssl_config_cmds + "('some secret text')") + #endif +#ifndef OPENSSL_NO_SRP + SSL_CMD_SRV(SRPVerifierFile, TAKE1, @@ -32,7 +32,7 @@ /* * Proxy configuration for remote SSL connections */ -@@ -263,6 +281,18 @@ static const command_rec ssl_config_cmds +@@ -272,6 +290,18 @@ static const command_rec ssl_config_cmds AP_END_CMD }; @@ -51,8 +51,8 @@ /* * the various processing hooks */ ---- httpd-2.4.3.orig/modules/ssl/mod_ssl.h -+++ httpd-2.4.3/modules/ssl/mod_ssl.h +--- httpd-2.4.4.orig/modules/ssl/mod_ssl.h ++++ httpd-2.4.4/modules/ssl/mod_ssl.h @@ -63,5 +63,26 @@ APR_DECLARE_OPTIONAL_FN(int, ssl_proxy_e APR_DECLARE_OPTIONAL_FN(int, ssl_engine_disable, (conn_rec *)); @@ -80,8 +80,8 @@ + #endif /* __MOD_SSL_H__ */ /** @} */ ---- httpd-2.4.3.orig/modules/ssl/ssl_engine_config.c -+++ httpd-2.4.3/modules/ssl/ssl_engine_config.c +--- httpd-2.4.4.orig/modules/ssl/ssl_engine_config.c ++++ httpd-2.4.4/modules/ssl/ssl_engine_config.c @@ -125,6 +125,10 @@ static void modssl_ctx_init(modssl_ctx_t mctx->crl_file = NULL; mctx->crl_check_mode = SSL_CRLCHECK_UNSET; @@ -93,9 +93,9 @@ mctx->auth.ca_cert_path = NULL; mctx->auth.ca_cert_file = NULL; mctx->auth.cipher_suite = NULL; -@@ -149,6 +153,12 @@ static void modssl_ctx_init(modssl_ctx_t - mctx->stapling_responder_timeout = UNSET; - mctx->stapling_force_url = NULL; +@@ -155,6 +159,12 @@ static void modssl_ctx_init(modssl_ctx_t + mctx->srp_unknown_user_seed = NULL; + mctx->srp_vbase = NULL; #endif + +#ifndef OPENSSL_NO_SRP @@ -106,7 +106,7 @@ } static void modssl_ctx_init_proxy(SSLSrvConfigRec *sc, -@@ -251,6 +264,10 @@ static void modssl_ctx_cfg_merge(modssl_ +@@ -257,6 +267,10 @@ static void modssl_ctx_cfg_merge(modssl_ cfgMerge(crl_file, NULL); cfgMerge(crl_check_mode, SSL_CRLCHECK_UNSET); @@ -117,22 +117,11 @@ cfgMergeString(auth.ca_cert_path); cfgMergeString(auth.ca_cert_file); cfgMergeString(auth.cipher_suite); -@@ -274,6 +291,11 @@ static void modssl_ctx_cfg_merge(modssl_ - cfgMergeInt(stapling_responder_timeout); - cfgMerge(stapling_force_url, NULL); - #endif -+ -+#ifndef OPENSSL_NO_SRP -+ cfgMergeString(srp_vfile); -+ cfgMergeString(srp_unknown_user_seed); -+#endif - } +@@ -839,6 +853,54 @@ const char *ssl_cmd_SSLPKCS7CertificateF - static void modssl_ctx_cfg_merge_proxy(modssl_ctx_t *base, -@@ -829,6 +871,54 @@ const char *ssl_cmd_SSLPKCS7CertificateF return NULL; } - ++ +const char *ssl_cmd_SSLRSAAuthzFile(cmd_parms *cmd, + void *dcfg, + const char *arg) @@ -180,45 +169,11 @@ + + return NULL; +} -+ + #ifdef HAVE_TLS_SESSION_TICKETS const char *ssl_cmd_SSLSessionTicketKeyFile(cmd_parms *cmd, - void *dcfg, -@@ -1782,6 +1872,32 @@ const char *ssl_cmd_SSLStaplingForceURL( - - #endif /* HAVE_OCSP_STAPLING */ - -+#ifndef OPENSSL_NO_SRP -+ -+const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg, -+ const char *arg) -+{ -+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); -+ const char *err; -+ -+ if ((err = ssl_cmd_check_file(cmd, &arg))) -+ return err; -+ /* SRP_VBASE_init takes char*, not const char* */ -+ sc->server->srp_vfile = apr_pstrdup(cmd->pool, arg); -+ return NULL; -+} -+ -+const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg, -+ const char *arg) -+{ -+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server); -+ /* SRP_VBASE_new takes char*, not const char* */ -+ sc->server->srp_unknown_user_seed = apr_pstrdup(cmd->pool, arg); -+ return NULL; -+} -+ -+#endif /* OPENSSL_NO_SRP */ -+ - void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s) - { - apr_file_t *out = NULL; ---- httpd-2.4.3.orig/modules/ssl/ssl_engine_io.c -+++ httpd-2.4.3/modules/ssl/ssl_engine_io.c +--- httpd-2.4.4.orig/modules/ssl/ssl_engine_io.c ++++ httpd-2.4.4/modules/ssl/ssl_engine_io.c @@ -28,6 +28,7 @@ core keeps dumping.'' -- Unknown */ @@ -235,7 +190,7 @@ } bio_filter_in_ctx_t; /* -@@ -1374,6 +1376,26 @@ static apr_status_t ssl_io_filter_input( +@@ -1385,6 +1387,26 @@ static apr_status_t ssl_io_filter_input( APR_BRIGADE_INSERT_TAIL(bb, bucket); } @@ -262,7 +217,7 @@ return APR_SUCCESS; } -@@ -1855,6 +1877,7 @@ static void ssl_io_input_add_filter(ssl_ +@@ -1866,6 +1888,7 @@ static void ssl_io_input_add_filter(ssl_ inctx->block = APR_BLOCK_READ; inctx->pool = c->pool; inctx->filter_ctx = filter_ctx; @@ -270,8 +225,8 @@ } /* The request_rec pointer is passed in here only to ensure that the ---- httpd-2.4.3.orig/modules/ssl/ssl_engine_kernel.c -+++ httpd-2.4.3/modules/ssl/ssl_engine_kernel.c +--- httpd-2.4.4.orig/modules/ssl/ssl_engine_kernel.c ++++ httpd-2.4.4/modules/ssl/ssl_engine_kernel.c @@ -29,6 +29,7 @@ time I was too famous.'' -- Unknown */ @@ -280,8 +235,8 @@ #include "util_md5.h" static void ssl_configure_env(request_rec *r, SSLConnRec *sslconn); -@@ -329,6 +330,19 @@ int ssl_hook_Access(request_rec *r) - return DECLINED; +@@ -320,6 +321,19 @@ int ssl_hook_Access(request_rec *r) + return HTTP_FORBIDDEN; } +#ifndef OPENSSL_NO_SRP @@ -298,167 +253,19 @@ +#endif + /* - * Support for per-directory reconfigured SSL connection parameters. - * -@@ -1088,6 +1102,10 @@ static const char *ssl_hook_Fixup_vars[] - "SSL_SERVER_A_SIG", - "SSL_SESSION_ID", - "SSL_SESSION_RESUMED", -+#ifndef OPENSSL_NO_SRP -+ "SSL_SRP_USER", -+ "SSL_SRP_USERINFO", -+#endif - NULL - }; + * Check to see whether SSL is in use; if it's not, then no + * further access control checks are relevant. (the test for +@@ -1397,7 +1411,7 @@ EC_KEY *ssl_callback_TmpECDH(SSL *ssl, i -@@ -2072,7 +2090,7 @@ static int ssl_find_vhost(void *serverna - - return 0; + return (EC_KEY *)mc->pTmpKeys[idx]; } -#endif +#endif /* OPENSSL_NO_TLSEXT */ - #ifdef HAVE_TLS_SESSION_TICKETS /* -@@ -2142,4 +2160,114 @@ int ssl_callback_SessionTicket(SSL *ssl, - /* OpenSSL is not expected to call us with modes other than 1 or 0 */ - return -1; - } --#endif -+#endif /* HAVE_TLS_SESSION_TICKETS */ -+ -+#ifdef HAVE_TLS_NPN -+/* -+ * This callback function is executed when SSL needs to decide what protocols -+ * to advertise during Next Protocol Negotiation (NPN). It must produce a -+ * string in wire format -- a sequence of length-prefixed strings -- indicating -+ * the advertised protocols. Refer to SSL_CTX_set_next_protos_advertised_cb -+ * in OpenSSL for reference. -+ */ -+int ssl_callback_AdvertiseNextProtos(SSL *ssl, const unsigned char **data_out, -+ unsigned int *size_out, void *arg) -+{ -+ conn_rec *c = (conn_rec*)SSL_get_app_data(ssl); -+ apr_array_header_t *protos; -+ int num_protos; -+ unsigned int size; -+ int i; -+ unsigned char *data; -+ unsigned char *start; -+ -+ *data_out = NULL; -+ *size_out = 0; -+ -+ /* If the connection object is not available, then there's nothing for us -+ * to do. */ -+ if (c == NULL) { -+ return SSL_TLSEXT_ERR_OK; -+ } -+ -+ /* Invoke our npn_advertise_protos hook, giving other modules a chance to -+ * add alternate protocol names to advertise. */ -+ protos = apr_array_make(c->pool, 0, sizeof(char*)); -+ modssl_run_npn_advertise_protos_hook(c, protos); -+ num_protos = protos->nelts; -+ -+ /* We now have a list of null-terminated strings; we need to concatenate -+ * them together into a single string, where each protocol name is prefixed -+ * by its length. First, calculate how long that string will be. */ -+ size = 0; -+ for (i = 0; i < num_protos; ++i) { -+ const char *string = APR_ARRAY_IDX(protos, i, const char*); -+ unsigned int length = strlen(string); -+ /* If the protocol name is too long (the length must fit in one byte), -+ * then log an error and skip it. */ -+ if (length > 255) { -+ ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(02307) -+ "SSL NPN protocol name too long (length=%u): %s", -+ length, string); -+ continue; -+ } -+ /* Leave room for the length prefix (one byte) plus the protocol name -+ * itself. */ -+ size += 1 + length; -+ } -+ -+ /* If there is nothing to advertise (either because no modules added -+ * anything to the protos array, or because all strings added to the array -+ * were skipped), then we're done. */ -+ if (size == 0) { -+ return SSL_TLSEXT_ERR_OK; -+ } -+ -+ /* Now we can build the string. Copy each protocol name string into the -+ * larger string, prefixed by its length. */ -+ data = apr_palloc(c->pool, size * sizeof(unsigned char)); -+ start = data; -+ for (i = 0; i < num_protos; ++i) { -+ const char *string = APR_ARRAY_IDX(protos, i, const char*); -+ apr_size_t length = strlen(string); -+ if (length > 255) -+ continue; -+ *start = (unsigned char)length; -+ ++start; -+ memcpy(start, string, length * sizeof(unsigned char)); -+ start += length; -+ } -+ -+ /* Success. */ -+ *data_out = data; -+ *size_out = size; -+ return SSL_TLSEXT_ERR_OK; -+} -+ -+#endif /* HAVE_TLS_NPN */ -+ -+#ifndef OPENSSL_NO_SRP -+ -+int ssl_callback_SRPServerParams(SSL *ssl, int *ad, void *arg) -+{ -+ modssl_ctx_t *mctx = (modssl_ctx_t *)arg; -+ char *username = SSL_get_srp_username(ssl); -+ SRP_user_pwd *u; -+ -+ if (username == NULL -+ || (u = SRP_VBASE_get_by_user(mctx->srp_vbase, username)) == NULL) { -+ *ad = SSL_AD_UNKNOWN_PSK_IDENTITY; -+ return SSL3_AL_FATAL; -+ } -+ -+ if (SSL_set_srp_server_param(ssl, u->N, u->g, u->s, u->v, u->info) < 0) { -+ *ad = SSL_AD_INTERNAL_ERROR; -+ return SSL3_AL_FATAL; -+ } -+ -+ /* reset all other options */ -+ SSL_set_verify(ssl, SSL_VERIFY_NONE, ssl_callback_SSLVerify); -+ return SSL_ERROR_NONE; -+} -+ -+#endif /* OPENSSL_NO_SRP */ ---- httpd-2.4.3.orig/modules/ssl/ssl_engine_vars.c -+++ httpd-2.4.3/modules/ssl/ssl_engine_vars.c -@@ -395,6 +395,18 @@ static char *ssl_var_lookup_ssl(apr_pool - #endif - result = apr_pstrdup(p, flag ? "true" : "false"); - } -+#ifndef OPENSSL_NO_SRP -+ else if (ssl != NULL && strcEQ(var, "SRP_USER")) { -+ if ((result = SSL_get_srp_username(ssl)) != NULL) { -+ result = apr_pstrdup(p, result); -+ } -+ } -+ else if (ssl != NULL && strcEQ(var, "SRP_USERINFO")) { -+ if ((result = SSL_get_srp_userinfo(ssl)) != NULL) { -+ result = apr_pstrdup(p, result); -+ } -+ } -+#endif - - return result; - } ---- httpd-2.4.3.orig/modules/ssl/ssl_private.h -+++ httpd-2.4.3/modules/ssl/ssl_private.h + * This OpenSSL callback function is called when OpenSSL +--- httpd-2.4.4.orig/modules/ssl/ssl_private.h ++++ httpd-2.4.4/modules/ssl/ssl_private.h @@ -139,6 +139,11 @@ #define HAVE_FIPS #endif @@ -471,8 +278,8 @@ #if (OPENSSL_VERSION_NUMBER >= 0x10000000) #define MODSSL_SSL_CIPHER_CONST const #define MODSSL_SSL_METHOD_CONST const -@@ -185,6 +190,20 @@ - #define OPENSSL_NO_COMP +@@ -194,6 +199,20 @@ + #endif #endif +#if !defined(OPENSSL_NO_COMP) && !defined(SSL_OP_NO_COMPRESSION) \ @@ -492,16 +299,10 @@ /* mod_ssl headers */ #include "ssl_util_ssl.h" -@@ -647,6 +666,17 @@ typedef struct { - const char *stapling_force_url; +@@ -662,6 +681,11 @@ typedef struct { + SRP_VBASE *srp_vbase; #endif -+#ifndef OPENSSL_NO_SRP -+ char *srp_vfile; -+ char *srp_unknown_user_seed; -+ SRP_VBASE *srp_vbase; -+#endif -+ + /** RFC 5878 */ + const char *rsa_authz_file; + const char *dsa_authz_file; @@ -510,7 +311,7 @@ modssl_auth_ctx_t auth; BOOL ocsp_enabled; /* true if OCSP verification enabled */ -@@ -723,6 +756,9 @@ const char *ssl_cmd_SSLCryptoDevice(cmd +@@ -738,6 +762,9 @@ const char *ssl_cmd_SSLCryptoDevice(cmd const char *ssl_cmd_SSLRandomSeed(cmd_parms *, void *, const char *, const char *, const char *); const char *ssl_cmd_SSLEngine(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLCipherSuite(cmd_parms *, void *, const char *); @@ -520,9 +321,9 @@ const char *ssl_cmd_SSLCertificateFile(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLCertificateKeyFile(cmd_parms *, void *, const char *); const char *ssl_cmd_SSLCertificateChainFile(cmd_parms *, void *, const char *); -@@ -775,6 +811,11 @@ const char *ssl_cmd_SSLOCSPResponseMaxAg - const char *ssl_cmd_SSLOCSPResponderTimeout(cmd_parms *cmd, void *dcfg, const char *arg); - const char *ssl_cmd_SSLOCSPEnable(cmd_parms *cmd, void *dcfg, int flag); +@@ -795,6 +822,11 @@ const char *ssl_cmd_SSLSRPVerifierFile(c + const char *ssl_cmd_SSLSRPUnknownUserSeed(cmd_parms *cmd, void *dcfg, const char *arg); + #endif +#ifndef OPENSSL_NO_SRP +const char *ssl_cmd_SSLSRPVerifierFile(cmd_parms *cmd, void *dcfg, const char *arg); @@ -532,7 +333,7 @@ const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag); /** module initialization */ -@@ -820,6 +861,7 @@ int ssl_callback_ServerNameIndi +@@ -840,6 +872,7 @@ int ssl_callback_ServerNameIndi int ssl_callback_SessionTicket(SSL *, unsigned char *, unsigned char *, EVP_CIPHER_CTX *, HMAC_CTX *, int); #endif @@ -540,13 +341,13 @@ /** Session Cache Support */ void ssl_scache_init(server_rec *, apr_pool_t *); -@@ -851,6 +893,9 @@ void modssl_init_stapling(server - void ssl_stapling_ex_init(void); - int ssl_stapling_init_cert(server_rec *s, modssl_ctx_t *mctx, X509 *x); +@@ -873,6 +906,9 @@ int ssl_stapling_init_cert(serv #endif + #ifndef OPENSSL_NO_SRP + int ssl_callback_SRPServerParams(SSL *, int *, void *); ++#endif +#ifndef OPENSSL_NO_SRP +int ssl_callback_SRPServerParams(SSL *, int *, void *); -+#endif + #endif /** I/O */ - void ssl_io_filter_init(conn_rec *, request_rec *r, SSL *); diff --git a/apache2.changes b/apache2.changes index d51fa11..61613b0 100644 --- a/apache2.changes +++ b/apache2.changes @@ -1,3 +1,43 @@ +------------------------------------------------------------------- +Tue Jun 18 07:41:36 UTC 2013 - crrodriguez@opensuse.org + +- apache-20-22-upgrade: still no cookie, module authn_file + is ok and must not be disabled on update. + authn_core must however be enabled too. + +------------------------------------------------------------------- +Tue Jun 18 06:42:33 UTC 2013 - crrodriguez@opensuse.org + +- fix apache_mmn spec macro, otherwise all modules down + the chain will have broken dependencies + +------------------------------------------------------------------- +Tue Jun 18 05:53:31 UTC 2013 - crrodriguez@opensuse.org + +- remove After=mysql.service php-fpm.service postgresql.service + which were added in the previous change, those must be added + as Before=apache2.service in the respective services. + +------------------------------------------------------------------- +Fri Jun 14 21:51:09 UTC 2013 - crrodriguez@opensuse.org + +- Include mod_systemd for more complete integration with + systemd, turn the service to Typé=notify as required + +- Disable SSL NPN patch for now, it is required for mod_spdy + but mod_spdy does not support apache 2.4 + +------------------------------------------------------------------- +Sat Jun 1 03:54:50 UTC 2013 - crrodriguez@opensuse.org + +- apache 2.4.4 +* fix for CVE-2012-3499 +* fix for the CRIME attack (disable ssl compression by default) +* many other bugfies + +* build access_compat amd unixd as static modules and solve + some other upgrade quirks (bnc#813705) + ------------------------------------------------------------------- Mon Feb 25 08:19:41 UTC 2013 - mlin@suse.com diff --git a/apache2.service b/apache2.service index e339ca0..3515877 100644 --- a/apache2.service +++ b/apache2.service @@ -1,9 +1,11 @@ [Unit] Description=The Apache Webserver -After=network.target remote-fs.target nss-lookup.target +Wants=network.target nss-lookup.target +After=network.target nss-lookup.target Before=getty@tty1.service [Service] +Type=notify PrivateTmp=true EnvironmentFile=/etc/sysconfig/apache2 ExecStart=/usr/sbin/start_apache2 -D SYSTEMD -DNO_DETACH -k start diff --git a/apache2.spec b/apache2.spec index 8ef99ec..14ea4d3 100644 --- a/apache2.spec +++ b/apache2.spec @@ -33,7 +33,8 @@ BuildRequires: libcap BuildRequires: libcap-devel %endif %if 0%{?suse_version} >= 1210 -BuildRequires: systemd +BuildRequires: pkgconfig(systemd) +BuildRequires: pkgconfig(libsystemd-daemon) %endif %if %{?suse_version:1}0 @@ -48,7 +49,7 @@ BuildRequires: expat-devel %define pname apache2 %define vers 2 %define httpd httpd2 -%define apache_mmn %(test -s %{S:0} && { echo -n apache_mmn_; xzcat %{S:0} | awk '/^#define MODULE_MAGIC_NUMBER_MAJOR/ {printf "%d", $3}'; }) +%define apache_mmn %(test -s %{S:0} && { echo -n apache_mmn_; bzcat %{S:0} | awk '/^#define MODULE_MAGIC_NUMBER_MAJOR/ {printf "%d", $3}'; }) %define default_mpm prefork %{!?prefork:%define prefork 1} %{!?worker:%define worker 1} @@ -80,11 +81,11 @@ BuildRequires: expat-devel # "Server:" header %define VENDOR SUSE %define platform_string Linux/%VENDOR -%define realver 2.4.3 -Version: 2.4.3 +%define realver 2.4.4 +Version: 2.4.4 Release: 0 #Source0: http://www.apache.org/dist/httpd-%{version}.tar.bz2 -Source0: httpd-%{realver}.tar.xz +Source0: httpd-%{realver}.tar.bz2 # Add file to take mtime from it in prep section Source1: apache2.changes Source6: 60C5442D.key @@ -144,11 +145,14 @@ Patch66: httpd-2.0.54-envvars.dif Patch67: httpd-2.2.0-apxs-a2enmod.dif Patch68: httpd-2.x.x-logresolve.patch Patch69: httpd-2.2.x-bnc690734.patch +Patch70: apache2-implicit-pointer-decl.patch Patch100: apache2.4-mpm-itk-2.4.2-01.patch Patch101: httpd-2.2.19-linux3.patch # PATCH-FEATURE-UPSTREAM apache2-mod_ssl_npn.patch dimstar@opensuse.org -- Add npn support to mod_ssl (needed for spdy) -Patch108: apache2-mod_ssl_npn.patch -Provides: apache2(mod_ssl+npn) +#Patch108: apache2-mod_ssl_npn.patch +#Provides: apache2(mod_ssl+npn) +# PATCH-FEATURE-UPSTREAM httpd-2.4.3-mod_systemd.patch crrodriguez@opensuse.org simple module provides systemd integration. +Patch109: httpd-2.4.3-mod_systemd.patch Url: http://httpd.apache.org/ Icon: Apache.xpm Summary: The Apache Web Server Version 2.2 @@ -367,9 +371,11 @@ to administrators of web servers in general. %patch67 -p1 %patch68 -p1 #%patch69 +%patch70 -p1 %patch100 -p1 %patch101 -%patch108 -p1 +#%patch108 -p1 +%patch109 -p1 # cat $RPM_SOURCE_DIR/SUSE-NOTICE >> NOTICE @@ -429,6 +435,7 @@ function configure { --enable-pie \ %endif --enable-mods-shared=all \ + --enable-mods-static="access_compat unixd" \ --enable-ssl=shared \ \ --disable-isapi \ @@ -723,7 +730,7 @@ EOF # ln -sf ../mime.types $RPM_BUILD_ROOT/%{sysconfdir}/mime.types -mv $RPM_BUILD_ROOT/%{cgidir}/printenv . +mv $RPM_BUILD_ROOT/%{cgidir}/printenv* . mv $RPM_BUILD_ROOT/%{cgidir}/test-cgi . pushd $RPM_BUILD_ROOT/%{_mandir} for i in $(find . -type f); do diff --git a/httpd-2.4.3-mod_systemd.patch b/httpd-2.4.3-mod_systemd.patch new file mode 100644 index 0000000..8b3c52c --- /dev/null +++ b/httpd-2.4.3-mod_systemd.patch @@ -0,0 +1,163 @@ +--- httpd-2.4.3/modules/arch/unix/config5.m4.systemd ++++ httpd-2.4.3/modules/arch/unix/config5.m4 +@@ -18,6 +18,19 @@ APACHE_MODULE(privileges, Per-virtualhos + fi + ]) + ++ ++APACHE_MODULE(systemd, Systemd support, , , $unixd_mods_enabled, [ ++ AC_CHECK_LIB(systemd-daemon, sd_notify, SYSTEMD_LIBS="-lsystemd-daemon") ++ AC_CHECK_HEADERS(systemd/sd-daemon.h, [ap_HAVE_SD_DAEMON_H="yes"], [ap_HAVE_SD_DAEMON_H="no"]) ++ if test $ap_HAVE_SD_DAEMON_H = "no" || test -z "${SYSTEMD_LIBS}"; then ++ AC_MSG_WARN([Your system does not support systemd.]) ++ enable_systemd="no" ++ else ++ APR_ADDTO(MOD_SYSTEMD_LDADD, [$SYSTEMD_LIBS]) ++ enable_systemd="yes" ++ fi ++]) ++ + APR_ADDTO(INCLUDES, [-I\$(top_srcdir)/$modpath_current]) + + APACHE_MODPATH_FINISH +--- httpd-2.4.3/modules/arch/unix/mod_systemd.c.systemd ++++ httpd-2.4.3/modules/arch/unix/mod_systemd.c +@@ -0,0 +1,138 @@ ++/* Licensed to the Apache Software Foundation (ASF) under one or more ++ * contributor license agreements. See the NOTICE file distributed with ++ * this work for additional information regarding copyright ownership. ++ * The ASF licenses this file to You under the Apache License, Version 2.0 ++ * (the "License"); you may not use this file except in compliance with ++ * the License. You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. ++ * ++ */ ++ ++#include ++#include ++#include "ap_mpm.h" ++#include ++#include ++#include ++#include ++#include ++#include "unixd.h" ++#include "scoreboard.h" ++#include "mpm_common.h" ++ ++#include "systemd/sd-daemon.h" ++ ++#if APR_HAVE_UNISTD_H ++#include ++#endif ++ ++#define KBYTE 1024 ++ ++static pid_t pid; /* PID of the main httpd instance */ ++static int server_limit, thread_limit, threads_per_child, max_servers; ++static time_t last_update_time; ++static unsigned long last_update_access; ++static unsigned long last_update_kbytes; ++ ++static int systemd_pre_mpm(apr_pool_t *p, ap_scoreboard_e sb_type) ++{ ++ int rv; ++ last_update_time = time(0); ++ ++ ap_mpm_query(AP_MPMQ_HARD_LIMIT_THREADS, &thread_limit); ++ ap_mpm_query(AP_MPMQ_HARD_LIMIT_DAEMONS, &server_limit); ++ ap_mpm_query(AP_MPMQ_MAX_THREADS, &threads_per_child); ++ /* work around buggy MPMs */ ++ if (threads_per_child == 0) ++ threads_per_child = 1; ++ ap_mpm_query(AP_MPMQ_MAX_DAEMONS, &max_servers); ++ ++ pid = getpid(); ++ ++ rv = sd_notifyf(0, "READY=1\n" ++ "STATUS=Processing requests...\n" ++ "MAINPID=%lu", ++ (unsigned long) pid); ++ if (rv < 0) { ++ ap_log_perror(APLOG_MARK, APLOG_ERR, 0, p, ++ "sd_notifyf returned an error %d", rv); ++ } ++ ++ return OK; ++} ++ ++static int systemd_monitor(apr_pool_t *p, server_rec *s) ++{ ++ int i, j, res, rv; ++ process_score *ps_record; ++ worker_score *ws_record; ++ unsigned long access = 0; ++ unsigned long bytes = 0; ++ unsigned long kbytes = 0; ++ char bps[5]; ++ time_t now = time(0); ++ time_t elapsed = now - last_update_time; ++ ++ for (i = 0; i < server_limit; ++i) { ++ ps_record = ap_get_scoreboard_process(i); ++ for (j = 0; j < thread_limit; ++j) { ++ ws_record = ap_get_scoreboard_worker_from_indexes(i, j); ++ if (ap_extended_status && !ps_record->quiescing && ps_record->pid) { ++ res = ws_record->status; ++ if (ws_record->access_count != 0 || ++ (res != SERVER_READY && res != SERVER_DEAD)) { ++ access += ws_record->access_count; ++ bytes += ws_record->bytes_served; ++ if (bytes >= KBYTE) { ++ kbytes += (bytes >> 10); ++ bytes = bytes & 0x3ff; ++ } ++ } ++ } ++ } ++ } ++ ++ apr_strfsize((unsigned long)(KBYTE *(float) (kbytes - last_update_kbytes) ++ / (float) elapsed), bps); ++ ++ rv = sd_notifyf(0, "READY=1\n" ++ "STATUS=Total requests: %lu; Current requests/sec: %.3g; " ++ "Current traffic: %sB/sec\n", access, ++ ((float)access - last_update_access) / (float) elapsed, bps); ++ if (rv < 0) { ++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(00000) ++ "sd_notifyf returned an error %d", rv); ++ } ++ ++ last_update_access = access; ++ last_update_kbytes = kbytes; ++ last_update_time = now; ++ ++ return DECLINED; ++} ++ ++static void systemd_register_hooks(apr_pool_t *p) ++{ ++ /* We know the PID in this hook ... */ ++ ap_hook_pre_mpm(systemd_pre_mpm, NULL, NULL, APR_HOOK_LAST); ++ /* Used to update httpd's status line using sd_notifyf */ ++ ap_hook_monitor(systemd_monitor, NULL, NULL, APR_HOOK_MIDDLE); ++} ++ ++module AP_MODULE_DECLARE_DATA systemd_module = ++{ ++ STANDARD20_MODULE_STUFF, ++ NULL, ++ NULL, ++ NULL, ++ NULL, ++ NULL, ++ systemd_register_hooks, ++}; diff --git a/httpd-2.4.3.tar.xz b/httpd-2.4.3.tar.xz deleted file mode 100644 index e57db9b..0000000 --- a/httpd-2.4.3.tar.xz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:89ba3db446faa929206ed3f5a1bef7133e034ad8f8abfc5e8f8eb41f3cc61074 -size 4032716 diff --git a/httpd-2.4.4.tar.bz2 b/httpd-2.4.4.tar.bz2 new file mode 100644 index 0000000..4d4f082 --- /dev/null +++ b/httpd-2.4.4.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:92aabddeca76a4ac7330b143df1407bbf35574c7291c15172238ac598d97655c +size 4780289