From 86a94b34f9b9d8391bb2260171d7ca54b55c0f06 Mon Sep 17 00:00:00 2001 From: Luboš Uhliarik Date: Jun 28 2017 11:07:57 +0000 Subject: new version 2.4.26 --- diff --git a/.gitignore b/.gitignore index c4c6257..e51254b 100644 --- a/.gitignore +++ b/.gitignore @@ -24,3 +24,6 @@ x86_64 /httpd-2.4.18.tar.bz2 /httpd-2.4.23.tar.bz2 /httpd-2.4.25.tar.bz2 +/httpd.socket.8 +/httpd.service.8 +/httpd-2.4.26.tar.bz2 diff --git a/00-base.conf b/00-base.conf index e99ff0e..ec9acf1 100644 --- a/00-base.conf +++ b/00-base.conf @@ -37,7 +37,6 @@ LoadModule expires_module modules/mod_expires.so LoadModule ext_filter_module modules/mod_ext_filter.so LoadModule filter_module modules/mod_filter.so LoadModule headers_module modules/mod_headers.so -LoadModule http2_module modules/mod_http2.so LoadModule include_module modules/mod_include.so LoadModule info_module modules/mod_info.so LoadModule log_config_module modules/mod_log_config.so diff --git a/httpd-2.4.1-selinux.patch b/httpd-2.4.1-selinux.patch deleted file mode 100644 index e97c5a4..0000000 --- a/httpd-2.4.1-selinux.patch +++ /dev/null 
@@ -1,61 +0,0 @@ - -Log the SELinux context at startup. - -Upstream-Status: unlikely to be any interest in this upstream - ---- httpd-2.4.1/configure.in.selinux -+++ httpd-2.4.1/configure.in -@@ -458,6 +458,11 @@ fopen64 - dnl confirm that a void pointer is large enough to store a long integer - APACHE_CHECK_VOID_PTR_LEN - -+AC_CHECK_LIB(selinux, is_selinux_enabled, [ -+ AC_DEFINE(HAVE_SELINUX, 1, [Defined if SELinux is supported]) -+ APR_ADDTO(AP_LIBS, [-lselinux]) -+]) -+ - AC_CACHE_CHECK([for gettid()], ac_cv_gettid, - [AC_TRY_RUN(#define _GNU_SOURCE - #include ---- httpd-2.4.1/server/core.c.selinux -+++ httpd-2.4.1/server/core.c -@@ -58,6 +58,10 @@ - #include - #endif - -+#ifdef HAVE_SELINUX -+#include -+#endif -+ - /* LimitRequestBody handling */ - #define AP_LIMIT_REQ_BODY_UNSET ((apr_off_t) -1) - #define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 0) -@@ -4452,6 +4456,28 @@ static int core_post_config(apr_pool_t * - } - #endif - -+#ifdef HAVE_SELINUX -+ { -+ static int already_warned = 0; -+ int is_enabled = is_selinux_enabled() > 0; -+ -+ if (is_enabled && !already_warned) { -+ security_context_t con; -+ -+ if (getcon(&con) == 0) { -+ -+ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL, -+ "SELinux policy enabled; " -+ "httpd running as context %s", con); -+ -+ already_warned = 1; -+ -+ freecon(con); -+ } -+ } -+ } -+#endif -+ - return OK; - } - diff --git a/httpd-2.4.10-detect-systemd.patch b/httpd-2.4.10-detect-systemd.patch deleted file mode 100644 index a22178b..0000000 --- a/httpd-2.4.10-detect-systemd.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -diff --git a/acinclude.m4 b/acinclude.m4 -index 580eb4a..bd7e2c9 100644 ---- a/acinclude.m4 -+++ b/acinclude.m4 -@@ -594,6 +594,30 @@ AC_DEFUN(APACHE_CHECK_OPENSSL,[ - fi - ]) - -+AC_DEFUN(APACHE_CHECK_SYSTEMD, [ -+dnl Check for systemd support for listen.c's socket activation. -+case $host in -+*-linux-*) -+ if test -n "$PKGCONFIG" && $PKGCONFIG --exists libsystemd; then -+ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd` -+ elif test -n "$PKGCONFIG" && $PKGCONFIG --exists libsystemd-daemon; then -+ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd-daemon` -+ else -+ AC_CHECK_LIB(systemd-daemon, sd_notify, SYSTEMD_LIBS="-lsystemd-daemon") -+ fi -+ if test -n "$SYSTEMD_LIBS"; then -+ AC_CHECK_HEADERS(systemd/sd-daemon.h) -+ if test "${ac_cv_header_systemd_sd_daemon_h}" = "no" || test -z "${SYSTEMD_LIBS}"; then -+ AC_MSG_WARN([Your system does not support systemd.]) -+ else -+ APR_ADDTO(LIBS, [$SYSTEMD_LIBS]) -+ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if systemd is supported]) -+ fi -+ fi -+ ;; -+esac -+]) -+ - dnl - dnl APACHE_EXPORT_ARGUMENTS - dnl Export (via APACHE_SUBST) the various path-related variables that -diff --git a/configure.in b/configure.in -index 19a5f88..f096de3 100644 ---- a/configure.in -+++ b/configure.in -@@ -509,6 +509,8 @@ if test "$ac_cv_struct_tm_gmtoff" = "yes"; then - AC_DEFINE(HAVE_GMTOFF, 1, [Define if struct tm has a tm_gmtoff field]) - fi - -+APACHE_CHECK_SYSTEMD -+ - dnl ## Set up any appropriate OS-specific environment variables for apachectl - - case $host in diff --git a/httpd-2.4.10-sigint.patch b/httpd-2.4.10-sigint.patch index 7574a9c..ecdd82e 100644 --- a/httpd-2.4.10-sigint.patch +++ b/httpd-2.4.10-sigint.patch 
@@ -1,24 +1,10 @@ -From 20656c3b77cc548b59fea3bde5e2b7705d71c427 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jan=20Kalu=C5=BEa?= -Date: Mon, 18 Aug 2014 07:43:43 +0000 -Subject: [PATCH] prefork: Ignore SIGINT in child. This fixes race-condition in - signals handling when httpd is runnning on foreground and user hits ctrl+c. - In this case, SIGINT is sent to all children followed by SIGTERM from the - main process, which interrupts the SIGINT handler and leads to inconsistency - (process freezes or crashes). - -git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1618555 13f79535-47bb-0310-9956-ffa450edef68 ---- - server/mpm/prefork/prefork.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - diff --git a/server/mpm/prefork/prefork.c b/server/mpm/prefork/prefork.c -index 8790ec0..d6c038b 100644 +index 559f90a..a386a75 100644 --- a/server/mpm/prefork/prefork.c +++ b/server/mpm/prefork/prefork.c -@@ -222,6 +222,9 @@ static void clean_child_exit(int code) +@@ -220,6 +220,9 @@ static void clean_child_exit(int code) { - mpm_state = AP_MPMQ_STOPPING; + retained->mpm->mpm_state = AP_MPMQ_STOPPING; + apr_signal(SIGHUP, SIG_IGN); + apr_signal(SIGTERM, SIG_IGN); @@ -26,7 +12,7 @@ index 8790ec0..d6c038b 100644 if (pchild) { apr_pool_destroy(pchild); } -@@ -817,6 +820,13 @@ static int make_child(server_rec *s, int slot) +@@ -699,6 +702,13 @@ static int make_child(server_rec *s, int slot, int bucket) */ apr_signal(SIGHUP, just_die); apr_signal(SIGTERM, just_die); @@ -40,6 +26,3 @@ index 8790ec0..d6c038b 100644 /* The child process just closes listeners on AP_SIG_GRACEFUL. * The pod is used for signalling the graceful restart. */ --- -2.0.4 - diff --git a/httpd-2.4.25-detect-systemd.patch b/httpd-2.4.25-detect-systemd.patch new file mode 100644 index 0000000..f8e302b --- /dev/null +++ b/httpd-2.4.25-detect-systemd.patch 
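Review bot: The rebased patch drops the git header that carried its provenance (the upstream svn r1618555 reference and the rationale for ignoring SIGINT in prefork children), so the file now begins at `diff --git` with no statement of where the change came from or why it is carried downstream. A one-line preamble such as `Upstream: https://svn.apache.org/r1618555 (prefork: ignore SIGINT in child to avoid the SIGINT/SIGTERM race on ctrl+c)` above the first `diff` line costs nothing, `patch` ignores leading text, and it keeps the supply-chain trail the previous version of the file had. The functions touched, clean_child_exit and make_child, both continue outside the hunk.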
@@ -0,0 +1,75 @@
+diff -uap httpd-2.4.25/acinclude.m4.detectsystemd httpd-2.4.25/acinclude.m4
+diff -uap httpd-2.4.25/acinclude.m4.detectsystemd httpd-2.4.25/acinclude.m4
+diff -uap httpd-2.4.25/acinclude.m4.detectsystemd httpd-2.4.25/acinclude.m4
+--- httpd-2.4.25/acinclude.m4.detectsystemd
++++ httpd-2.4.25/acinclude.m4
+@@ -604,6 +604,30 @@
+ fi
+ ])
+ 
++AC_DEFUN(APACHE_CHECK_SYSTEMD, [
++dnl Check for systemd support for listen.c's socket activation.
++case $host in
++*-linux-*)
++ if test -n "$PKGCONFIG" && $PKGCONFIG --exists libsystemd; then
++ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd`
++ elif test -n "$PKGCONFIG" && $PKGCONFIG --exists libsystemd-daemon; then
++ SYSTEMD_LIBS=`$PKGCONFIG --libs libsystemd-daemon`
++ else
++ AC_CHECK_LIB(systemd-daemon, sd_notify, SYSTEMD_LIBS="-lsystemd-daemon")
++ fi
++ if test -n "$SYSTEMD_LIBS"; then
++ AC_CHECK_HEADERS(systemd/sd-daemon.h)
++ if test "${ac_cv_header_systemd_sd_daemon_h}" = "no" || test -z "${SYSTEMD_LIBS}"; then
++ AC_MSG_WARN([Your system does not support systemd.])
++ else
++ APR_ADDTO(HTTPD_LIBS, [$SYSTEMD_LIBS])
++ AC_DEFINE(HAVE_SYSTEMD, 1, [Define if systemd is supported])
++ fi
++ fi
++ ;;
++esac
++])
++ 
+ dnl
+ dnl APACHE_EXPORT_ARGUMENTS
+ dnl Export (via APACHE_SUBST) the various path-related variables that
+diff -uap httpd-2.4.25/configure.in.detectsystemd httpd-2.4.25/configure.in
+--- httpd-2.4.25/configure.in.detectsystemd
++++ httpd-2.4.25/configure.in
+@@ -234,6 +234,7 @@
+ AC_MSG_NOTICE([Using external PCRE library from $PCRE_CONFIG])
+ APR_ADDTO(PCRE_INCLUDES, [`$PCRE_CONFIG --cflags`])
+ APR_ADDTO(PCRE_LIBS, [`$PCRE_CONFIG --libs`])
++ APR_ADDTO(HTTPD_LIBS, [\$(PCRE_LIBS)])
+ else
+ AC_MSG_ERROR([pcre-config for libpcre not found. PCRE is required and available from http://pcre.org/])
+ fi
+@@ -504,6 +510,8 @@
+ AC_DEFINE(HAVE_GMTOFF, 1, [Define if struct tm has a tm_gmtoff field])
+ fi
+ 
++APACHE_CHECK_SYSTEMD
++ 
+ dnl ## Set up any appropriate OS-specific environment variables for apachectl
+ 
+ case $host in
+@@ -668,6 +676,7 @@
+ APACHE_SUBST(BUILTIN_LIBS)
+ APACHE_SUBST(SHLIBPATH_VAR)
+ APACHE_SUBST(OS_SPECIFIC_VARS)
++APACHE_SUBST(HTTPD_LIBS)
+ 
+ PRE_SHARED_CMDS='echo ""'
+ POST_SHARED_CMDS='echo ""'
+--- httpd-2.4.25/Makefile.in.detectsystemd
++++ httpd-2.4.25/Makefile.in
+@@ -4,7 +4,7 @@
+ 
+ PROGRAM_NAME = $(progname)
+ PROGRAM_SOURCES = modules.c
+-PROGRAM_LDADD = buildmark.o $(HTTPD_LDFLAGS) $(PROGRAM_DEPENDENCIES) $(PCRE_LIBS) $(EXTRA_LIBS) $(AP_LIBS) $(LIBS)
++PROGRAM_LDADD = buildmark.o $(HTTPD_LDFLAGS) $(PROGRAM_DEPENDENCIES) $(HTTPD_LIBS) $(EXTRA_LIBS) $(AP_LIBS) $(LIBS)
+ PROGRAM_PRELINK = $(COMPILE) -c $(top_srcdir)/server/buildmark.c
+ PROGRAM_DEPENDENCIES = \
+ server/libmain.la \
diff --git a/httpd-2.4.25-r1738878.patch b/httpd-2.4.25-r1738878.patch
new file mode 100644
index 0000000..e4b46cc
--- /dev/null
+++ b/httpd-2.4.25-r1738878.patch
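Review bot: The new patch file opens with the same `diff -uap httpd-2.4.25/acinclude.m4.detectsystemd httpd-2.4.25/acinclude.m4` header three times (lines 1-3 of the patch); the two extra copies look like a paste leftover and should be deleted so there is one header per file touched, as in the configure.in and Makefile.in sections that follow. Inside `APACHE_CHECK_SYSTEMD` the `|| test -z "${SYSTEMD_LIBS}"` branch can never be true because the enclosing `if test -n "$SYSTEMD_LIBS"` already guarantees the variable is set; presumably carried over from the older patch, and worth dropping so the condition reads as what it checks. Moving the library into `HTTPD_LIBS` so that only the httpd binary, not support/*, links libsystemd is a sensible reduction of what the helper tools pull in, but nothing in the hunk says that is deliberate; a `dnl only httpd itself needs libsystemd; keep it out of LIBS so support/* stay unlinked` above the `APR_ADDTO(HTTPD_LIBS, ...)` would stop the next rebaser from folding it back into LIBS.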
@@ -0,0 +1,140 @@
+diff --git a/modules/proxy/ajp.h b/modules/proxy/ajp.h
+index c119a7e..267150a 100644
+--- a/modules/proxy/ajp.h
++++ b/modules/proxy/ajp.h
+@@ -413,12 +413,14 @@ apr_status_t ajp_ilink_receive(apr_socket_t *sock, ajp_msg_t *msg);
+ * @param sock backend socket
+ * @param r current request
+ * @param buffsize max size of the AJP packet.
++ * @param secret authentication secret
+ * @param uri requested uri
+ * @return APR_SUCCESS or error
+ */
+ apr_status_t ajp_send_header(apr_socket_t *sock, request_rec *r,
+ apr_size_t buffsize,
+- apr_uri_t *uri);
++ apr_uri_t *uri,
++ const char *secret);
+ 
+ /**
+ * Read the ajp message and return the type of the message.
+diff --git a/modules/proxy/ajp_header.c b/modules/proxy/ajp_header.c
+index 67353a7..680a8f3 100644
+--- a/modules/proxy/ajp_header.c
++++ b/modules/proxy/ajp_header.c
+@@ -213,7 +213,8 @@ AJPV13_REQUEST/AJPV14_REQUEST=
+ 
+ static apr_status_t ajp_marshal_into_msgb(ajp_msg_t *msg,
+ request_rec *r,
+- apr_uri_t *uri)
++ apr_uri_t *uri,
++ const char *secret)
+ {
+ int method;
+ apr_uint32_t i, num_headers = 0;
+@@ -293,17 +294,15 @@ static apr_status_t ajp_marshal_into_msgb(ajp_msg_t *msg,
+ i, elts[i].key, elts[i].val);
+ }
+ 
+-/* XXXX need to figure out how to do this
+- if (s->secret) {
++ if (secret) {
+ if (ajp_msg_append_uint8(msg, SC_A_SECRET) ||
+- ajp_msg_append_string(msg, s->secret)) {
++ ajp_msg_append_string(msg, secret)) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(03228)
+- "Error ajp_marshal_into_msgb - "
++ "ajp_marshal_into_msgb: "
+ "Error appending secret");
+ return APR_EGENERAL;
+ }
+ }
+- */
+ 
+ if (r->user) {
+ if (ajp_msg_append_uint8(msg, SC_A_REMOTE_USER) ||
+@@ -671,7 +670,8 @@ static apr_status_t ajp_unmarshal_response(ajp_msg_t *msg,
+ apr_status_t ajp_send_header(apr_socket_t *sock,
+ request_rec *r,
+ apr_size_t buffsize,
+- apr_uri_t *uri)
++ apr_uri_t *uri,
++ const char *secret)
+ {
+ ajp_msg_t *msg;
+ apr_status_t rc;
+@@ -683,7 +683,7 @@ apr_status_t ajp_send_header(apr_socket_t *sock,
+ return rc;
+ }
+ 
+- rc = ajp_marshal_into_msgb(msg, r, uri);
++ rc = ajp_marshal_into_msgb(msg, r, uri, secret);
+ if (rc != APR_SUCCESS) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00988)
+ "ajp_send_header: ajp_marshal_into_msgb failed");
+diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
+index f6fb473..f693f63 100644
+--- a/modules/proxy/mod_proxy.c
++++ b/modules/proxy/mod_proxy.c
+@@ -314,6 +314,12 @@ static const char *set_worker_param(apr_pool_t *p,
+ (int)sizeof(worker->s->upgrade));
+ }
+ }
++ else if (!strcasecmp(key, "secret")) {
++ if (PROXY_STRNCPY(worker->s->secret, val) != APR_SUCCESS) {
++ return apr_psprintf(p, "Secret length must be < %d characters",
++ (int)sizeof(worker->s->secret));
++ }
++ }
+ else {
+ if (set_worker_hc_param_f) {
+ return set_worker_hc_param_f(p, s, worker, key, val, NULL);
+diff --git a/modules/proxy/mod_proxy.h b/modules/proxy/mod_proxy.h
+index 8a0ad10..f92c185 100644
+--- a/modules/proxy/mod_proxy.h
++++ b/modules/proxy/mod_proxy.h
+@@ -352,6 +352,7 @@ PROXY_WORKER_HC_FAIL )
+ #define PROXY_WORKER_MAX_HOSTNAME_SIZE 64
+ #define PROXY_BALANCER_MAX_HOSTNAME_SIZE PROXY_WORKER_MAX_HOSTNAME_SIZE
+ #define PROXY_BALANCER_MAX_STICKY_SIZE 64
++#define PROXY_WORKER_MAX_SECRET_SIZE 64
+ 
+ /* RFC-1035 mentions limits of 255 for host-names and 253 for domain-names,
+ * dotted together(?) this would fit the below size (+ trailing NUL).
+@@ -443,6 +444,7 @@ typedef struct {
+ hcmethod_t method; /* method to use for health check */
+ apr_interval_time_t interval;
+ char upgrade[PROXY_WORKER_MAX_SCHEME_SIZE];/* upgrade protocol used by mod_proxy_wstunnel */
++ char secret[PROXY_WORKER_MAX_SECRET_SIZE]; /* authentication secret (e.g. AJP13) */
+ } proxy_worker_shared;
+ 
+ #define ALIGNED_PROXY_WORKER_SHARED_SIZE (APR_ALIGN_DEFAULT(sizeof(proxy_worker_shared)))
+diff --git a/modules/proxy/mod_proxy_ajp.c b/modules/proxy/mod_proxy_ajp.c
+index 051724e..e706518 100644
+--- a/modules/proxy/mod_proxy_ajp.c
++++ b/modules/proxy/mod_proxy_ajp.c
+@@ -193,6 +193,7 @@ static int ap_proxy_ajp_request(apr_pool_t *p, request_rec *r,
+ apr_off_t content_length = 0;
+ int original_status = r->status;
+ const char *original_status_line = r->status_line;
++ const char *secret = NULL;
+ 
+ if (psf->io_buffer_size_set)
+ maxsize = psf->io_buffer_size;
+@@ -202,12 +203,15 @@ static int ap_proxy_ajp_request(apr_pool_t *p, request_rec *r,
+ maxsize = AJP_MSG_BUFFER_SZ;
+ maxsize = APR_ALIGN(maxsize, 1024);
+ 
++ if (*conn->worker->s->secret)
++ secret = conn->worker->s->secret;
++ 
+ /*
+ * Send the AJP request to the remote server
+ */
+ 
+ /* send request headers */
+- status = ajp_send_header(conn->sock, r, maxsize, uri);
++ status = ajp_send_header(conn->sock, r, maxsize, uri, secret);
+ if (status != APR_SUCCESS) {
+ conn->close = 1;
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(00868)
diff --git a/httpd-2.4.25-r1778319+.patch b/httpd-2.4.25-r1778319+.patch
new file mode 100644
index 0000000..3f0bee2
--- /dev/null
+++ b/httpd-2.4.25-r1778319+.patch
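Review bot: The secret that ajp_marshal_into_msgb now appends goes on the wire as a plain AJP string (`SC_A_SECRET` followed by `ajp_msg_append_string`), and AJP carries no encryption or integrity protection of its own, so this is a static shared token that only restricts which clients a backend will accept; it is no defence against anyone able to observe or inject on the proxy-to-backend link. Nothing in the patch says so, and the one-line comment on the new field is where an operator reading the header would look, so I would extend it to `char secret[PROXY_WORKER_MAX_SECRET_SIZE]; /* AJP13 request.secret; sent in cleartext in every forward request, so it only gates who may connect */`. Appending the field to `proxy_worker_shared` also changes `ALIGNED_PROXY_WORKER_SHARED_SIZE`, which presumably means any module built against the unpatched header and reading that shared slab no longer agrees on its layout; worth confirming that everything in the package that touches proxy_worker_shared is rebuilt from these headers and that the MMN check in the spec still covers it. set_worker_param and ap_proxy_ajp_request both continue outside their hunks.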
@@ -0,0 +1,34 @@
+# ./pullrev.sh 1778319 1778331
+ 
+https://bugzilla.redhat.com/show_bug.cgi?id=1410883
+ 
+http://svn.apache.org/viewvc?view=revision&revision=1778319
+http://svn.apache.org/viewvc?view=revision&revision=1778331
+ 
+--- httpd-2.4.6/modules/core/mod_watchdog.c
++++ httpd-2.4.6/modules/core/mod_watchdog.c
+@@ -436,19 +436,19 @@
+ {
+ apr_status_t rv;
+ const char *pk = "watchdog_init_module_tag";
+- apr_pool_t *pproc = s->process->pool;
++ apr_pool_t *ppconf = pconf;
+ const apr_array_header_t *wl;
+ 
+ if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG)
+ /* First time config phase -- skip. */
+ return OK;
+ 
+- apr_pool_userdata_get((void *)&wd_server_conf, pk, pproc);
++ apr_pool_userdata_get((void *)&wd_server_conf, pk, ppconf);
+ if (!wd_server_conf) {
+- if (!(wd_server_conf = apr_pcalloc(pproc, sizeof(wd_server_conf_t))))
++ if (!(wd_server_conf = apr_pcalloc(ppconf, sizeof(wd_server_conf_t))))
+ return APR_ENOMEM;
+- apr_pool_create(&wd_server_conf->pool, pproc);
++ apr_pool_create(&wd_server_conf->pool, ppconf);
+- apr_pool_userdata_set(wd_server_conf, pk, apr_pool_cleanup_null, pproc);
++ apr_pool_userdata_set(wd_server_conf, pk, apr_pool_cleanup_null, ppconf);
+ }
+ wd_server_conf->s = s;
+ if ((wl = ap_list_provider_names(pconf, AP_WATCHDOG_PGROUP,
diff --git a/httpd-2.4.25-selinux.patch b/httpd-2.4.25-selinux.patch
new file mode 100644
index 0000000..fa4614a
--- /dev/null
+++ b/httpd-2.4.25-selinux.patch
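Review bot: `apr_pool_t *ppconf = pconf;` is an alias that exists only so the following lines keep their shape; the same function already passes `pconf` directly to `ap_list_provider_names` a few lines down, so the userdata and pool calls should name `pconf` too rather than leave a reader checking whether the two pools differ. Whichever name is kept, the reason for moving the watchdog state off `s->process->pool` is the whole point of the backport and nothing in the hunk records it; a `/* Tie watchdog state to pconf so it is recreated on every (graceful) restart instead of living for the process lifetime */` above the `apr_pool_userdata_get` would do. The patch header still names httpd-2.4.6 while pullrev.sh is bumped to 2.4.25 in this same commit, so the file was presumably generated before the bump; harmless with -p1 but worth regenerating for consistency. The function whose body this is starts and ends outside the hunk.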
@@ -0,0 +1,61 @@
+ 
+Log the SELinux context at startup.
+ 
+Upstream-Status: unlikely to be any interest in this upstream
+ 
+--- httpd-2.4.1/configure.in.selinux
++++ httpd-2.4.1/configure.in
+@@ -458,6 +458,11 @@ fopen64
+ dnl confirm that a void pointer is large enough to store a long integer
+ APACHE_CHECK_VOID_PTR_LEN
+ 
++AC_CHECK_LIB(selinux, is_selinux_enabled, [
++ AC_DEFINE(HAVE_SELINUX, 1, [Defined if SELinux is supported])
++ APR_ADDTO(HTTPD_LIBS, [-lselinux])
++])
++ 
+ AC_CACHE_CHECK([for gettid()], ac_cv_gettid,
+ [AC_TRY_RUN(#define _GNU_SOURCE
+ #include
+--- httpd-2.4.1/server/core.c.selinux
++++ httpd-2.4.1/server/core.c
+@@ -58,6 +58,10 @@
+ #include
+ #endif
+ 
++#ifdef HAVE_SELINUX
++#include
++#endif
++ 
+ /* LimitRequestBody handling */
+ #define AP_LIMIT_REQ_BODY_UNSET ((apr_off_t) -1)
+ #define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 0)
+@@ -4452,6 +4456,28 @@ static int core_post_config(apr_pool_t *
+ }
+ #endif
+ 
++#ifdef HAVE_SELINUX
++ {
++ static int already_warned = 0;
++ int is_enabled = is_selinux_enabled() > 0;
++ 
++ if (is_enabled && !already_warned) {
++ security_context_t con;
++ 
++ if (getcon(&con) == 0) {
++ 
++ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
++ "SELinux policy enabled; "
++ "httpd running as context %s", con);
++ 
++ already_warned = 1;
++ 
++ freecon(con);
++ }
++ }
++ }
++#endif
++ 
+ return OK;
+ }
+ 
diff --git a/httpd.service b/httpd.service
index 0b87ec0..1f707e8 100644
--- a/httpd.service
+++ b/httpd.service
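Review bot: As shown here, both `#include` directives the patch adds or touches carry no header name, so either the file really contains bare `#include` lines (which will not compile) or `<selinux/selinux.h>` was lost somewhere between the repository and this page; the on-disk patch should be checked before it is applied. In the core_post_config addition a failed `getcon()` is silent: SELinux is known to be enforcing the process but nothing is logged, which is exactly the case an operator chasing a denial would want recorded, so I would add an `else` branch that logs at APLOG_WARNING with the errno passed as the status argument, e.g. `else ap_log_error(APLOG_MARK, APLOG_WARNING, errno, NULL, "SELinux enabled but getcon() failed");`. Declaring `con` as `char *` rather than `security_context_t` is also worth considering, since newer libselinux releases deprecate that typedef. core_post_config begins outside the hunk.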
@@ -1,10 +1,13 @@ -# It is not recommended to modify this file in-place, because it will be -# overwritten during package upgrades. If you want to customize, the best -# way is to use the "systemctl edit" command to create an override unit. +# See httpd.service(8) for more information on using the httpd service. -# For example, to pass additional options (for instance, -D -# definitions) to the httpd binary at startup, create an override unit -# (as is done by systemctl edit) and enter the following: +# Modifying this file in-place is not recommended, because changes +# will be overwritten during package upgrades. If you want to +# customize the behaviour, the best way is to use "systemctl edit" +# command to create an override unit. + +# For example, to pass additional options (such as -D definitions) to +# the httpd binary at startup, create an override unit (as is done by +# systemctl edit) and enter the following: # [Service] # Environment=OPTIONS=-DMY_DEFINE @@ -12,6 +15,7 @@ [Unit] Description=The Apache HTTP Server After=network.target remote-fs.target nss-lookup.target +Documentation=man:httpd.service(8) [Service] Type=notify diff --git a/httpd.service.xml b/httpd.service.xml new file mode 100644 index 0000000..d03e133 --- /dev/null +++ b/httpd.service.xml 
@@ -0,0 +1,209 @@ + + + + + + + httpd systemd units + httpd + AuthorOrtonJoejorton@redhat.com + + + + httpd.service + 8 + + + + httpd.service + httpd.socket + httpd unit files for systemd + + + + + /usr/lib/systemd/system/httpd.service, + /usr/lib/systemd/system/httpd.socket + + + + + Description + + This manual page describes the systemd + unit files used to integrate the httpd daemon + with systemd. Two unit files are available: + httpd.service allows the + httpd daemon to be run as a system service, and + httpd.socket allows httpd to be started via + socket-based activation. Most systems will use + httpd.service. + + The apachectl command has been modified + to invoke systemctl for most uses, so for + example, running apachectl start is equivalent + to running systemctl start httpd.service. This + ensures that the running httpd daemon is tracked and managed by + systemd. In contrast, running + httpd directly from a root shell will start the + service outside of systemd; in this case, + default security restrictions described below (including, but not + limited to, SELinux) will not be enforced. + + + Changing default behaviour + + To change the default behaviour of the httpd service, an + over-ride file should be created, rather + than changing + /usr/lib/systemd/system/httpd.service + directly, since such changes would be lost over package + upgrades. Running systemctl edit + httpd.service or systemctl edit + httpd.socket as root will create a drop-in file in + /etc/systemd/system/httpd.service.d which + over-rides the system defaults. + + For example, to set the + environment variable for the daemon, run systemctl edit + httpd.service and enter: + + [Service] +Environment=LD_LIBRARY_PATH=/opt/vendor/lib + + + + Starting the service at boot time + + The httpd.service and httpd.socket units are + disabled by default. To start the httpd + service at boot time, run: systemctl enable + httpd.service. 
In the default configuration, the + httpd daemon will accept connections on port 80 (and, if mod_ssl + is installed, TLS connections on port 443) for any configured + IPv4 or IPv6 address. + + If httpd is configured to depend on any specific IP + address (for example, with a "Listen" directive) which may only + become available during startup, or if httpd depends on other + services (such as a database daemon), the service + must be configured to ensure correct + startup ordering. + + For example, to ensure httpd is only running after all + configured network interfaces are configured, create a drop-in + file (as described above) with the following section: + + [Unit] +After=network-online.target +Wants=network-online.target + + See + for more information on startup ordering with systemd. + + + + + Reloading and stopping the service + + When running systemctl reload + httpd.service, a graceful + restart is used, which sends a signal to the httpd parent + process to reload the configuration and re-open log files. Any + children with open connections at the time of reload will + terminate only once they have completed serving requests. This + prevents users of the server seeing errors (or potentially + losing data) due to the reload, but means some there is some + delay before any configuration changes take effect for all + users. + + Similarly, a graceful stop is used + when systemctl stop httpd.service is run, + which terminates the server only once active connections have + been processed. + + + + + systemd integration and mod_systemd + + The httpd service uses the systemd + service type. The mod_systemd module must be + loaded (as in the default configuration) for this to work + correctly - the service will fail if this module is not + loaded. mod_systemd also makes worker and + request statistics available when running systemctl status + httpd. See + systemd.exec5 + for more information on systemd service types. 
+ + + + Security and SELinux + + The default SELinux policy restricts the httpd service in + various ways. For example, the default policy limits the ports + to which httpd can bind (using the Listen + directive), which parts of the filesystem can be accessed, and + whether outgoing TCP connections are possible. Many of these + restrictions can be adjusted using semanage + to change booleans or other types. See + httpd_selinux8 + for more information. + + The httpd service enables PrivateTmp + by default. The /tmp and + /var/tmp directories available within the + httpd process (and CGI scripts, etc) are not shared by other + processes. See + systemd.exec5 + for more information. + + + + + + + Files + + /usr/lib/systemd/system/httpd.service, + /usr/lib/systemd/system/httpd.socket, + /etc/systemd/systemd/httpd.service.d + + + + See also + + + httpd8, + systemd1, + systemctl1, + systemd.service5, + systemd.exec5, + httpd_selinux8, + semanage8 + + + + diff --git a/httpd.socket b/httpd.socket index 705c4e5..074695e 100644 --- a/httpd.socket +++ b/httpd.socket @@ -1,5 +1,8 @@ +# See httpd.socket(8) for more information on using the httpd service. + [Unit] Description=Apache httpd Server Socket +Documentation=man:httpd.socket(8) [Socket] ListenStream=80 diff --git a/httpd.spec b/httpd.spec index 836c9a9..654a7b9 100644 --- a/httpd.spec +++ b/httpd.spec @@ -7,13 +7,12 @@ Summary: Apache HTTP Server Name: httpd -Version: 2.4.25 +Version: 2.4.26 Release: 1%{?dist} URL: http://httpd.apache.org/ Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source1: index.html Source2: httpd.logrotate -Source3: httpd.sysconf Source4: httpd-ssl-pass-dialog Source5: httpd.tmpfiles Source6: httpd.service @@ -41,6 +40,7 @@ Source28: 00-optional.conf # Documentation Source30: README.confd Source31: README.confmod +Source32: httpd.service.xml Source40: htcacheclean.service Source41: htcacheclean.sysconf # build/scripts patches 
@@ -50,11 +50,11 @@ Patch3: httpd-2.4.1-deplibs.patch Patch5: httpd-2.4.3-layout.patch Patch6: httpd-2.4.3-apctl-systemd.patch # Needed for socket activation and mod_systemd patch -Patch19: httpd-2.4.10-detect-systemd.patch +Patch19: httpd-2.4.25-detect-systemd.patch # Features/functional changes Patch23: httpd-2.4.4-export.patch Patch24: httpd-2.4.1-corelimit.patch -Patch25: httpd-2.4.1-selinux.patch +Patch25: httpd-2.4.25-selinux.patch Patch26: httpd-2.4.4-r1337344+.patch Patch27: httpd-2.4.2-icons.patch Patch29: httpd-2.4.10-mod_systemd.patch @@ -65,6 +65,8 @@ Patch35: httpd-2.4.17-sslciphdefault.patch # Bug fixes Patch56: httpd-2.4.4-mod_unique_id.patch Patch57: httpd-2.4.10-sigint.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1397243 +Patch58: httpd-2.4.25-r1738878.patch # Security fixes License: ASL 2.0 @@ -73,7 +75,7 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root BuildRequires: autoconf, perl, perl-generators, pkgconfig, findutils, xmlto BuildRequires: zlib-devel, libselinux-devel, lua-devel BuildRequires: apr-devel >= 1.5.0, apr-util-devel >= 1.5.0, pcre-devel >= 5.0 -BuildRequires: systemd-devel, libnghttp2-devel +BuildRequires: systemd-devel Requires: /etc/mime.types, system-logos-httpd Obsoletes: httpd-suexec Provides: webserver @@ -81,6 +83,7 @@ Provides: mod_dav = %{version}-%{release}, httpd-suexec = %{version}-%{release} Provides: httpd-mmn = %{mmn}, httpd-mmn = %{mmnisa} Requires: httpd-tools = %{version}-%{release} Requires: httpd-filesystem = %{version}-%{release} +Requires: nghttp2 >= 1.5.0 Requires(pre): httpd-filesystem Requires(preun): systemd-units Requires(postun): systemd-units @@ -209,7 +212,7 @@ interface for storing and accessing per-user session data. %patch56 -p1 -b .uniqueid %patch57 -p1 -b .sigint - +%patch58 -p1 -b .r1738878 # Patch in the vendor string sed -i '/^#define PLATFORM/s/Unix/%{vstring}/' os/unix/os.h 
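Review bot: The `@@ -81,6 +83,7 @@` hunk adds `Requires: nghttp2 >= 1.5.0` to the httpd package, yet this same commit drops `libnghttp2-devel` from BuildRequires and configures with `--disable-http2`, so the binary the spec now produces does not link libnghttp2 at all and the runtime dependency is stale. The 2.4.25-8 changelog entry says the intent is to require mod_http2, now packaged separately, but I do not see a `Requires: mod_http2` anywhere in this diff; either that line should replace the nghttp2 one or the nghttp2 line should go. With `LoadModule http2_module` also removed from 00-base.conf, an existing install with `Protocols h2` in its configuration will silently fall back to HTTP/1.1 after the upgrade unless the module package is pulled in, which is worth verifying before this ships.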
@@ -224,6 +227,8 @@ if test "x${vmmn}" != "x%{mmn}"; then exit 1 fi +xmlto man $RPM_SOURCE_DIR/httpd.service.xml + : Building with MMN %{mmn}, MMN-ISA %{mmnisa} and vendor string '%{vstring}' %build @@ -277,7 +282,8 @@ export LYNX_PATH=/usr/bin/links --enable-ldap --enable-authnz-ldap \ --enable-cgid --enable-cgi \ --enable-authn-anon --enable-authn-alias \ - --disable-imagemap --disable-file-cache + --disable-imagemap --disable-file-cache \ + --disable-http2 \ $* make %{?_smp_mflags} @@ -335,10 +341,8 @@ install -m 644 -p $RPM_SOURCE_DIR/httpd.conf \ $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf/httpd.conf mkdir $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig -for s in httpd htcacheclean; do - install -m 644 -p $RPM_SOURCE_DIR/${s}.sysconf \ - $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/${s} -done +install -m 644 -p $RPM_SOURCE_DIR/htcacheclean.sysconf \ + $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/htcacheclean # tmpfiles.d configuration mkdir -p $RPM_BUILD_ROOT%{_prefix}/lib/tmpfiles.d @@ -426,6 +430,10 @@ mkdir -p $RPM_BUILD_ROOT/etc/logrotate.d install -m 644 -p $RPM_SOURCE_DIR/httpd.logrotate \ $RPM_BUILD_ROOT/etc/logrotate.d/httpd +# Install systemd service man pages +install -m 644 -p httpd.service.8 httpd.socket.8 \ + $RPM_BUILD_ROOT%{_mandir}/man8 + # fix man page paths sed -e "s|/usr/local/apache2/conf/httpd.conf|/etc/httpd/conf/httpd.conf|" \ -e "s|/usr/local/apache2/conf/mime.types|/etc/mime.types|" \ @@ -544,6 +552,7 @@ for m in $mods; do rv=1 fi done +set -x exit $rv %clean 
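Review bot: `set -x` inserted immediately before `exit $rv` at the end of the %check loop looks like a debugging leftover: it switches on shell tracing for exactly one statement, so its only effect is to print `exit $rv` with the value expanded into the build log. Remove the line; if the intent was to make the loop's result visible, an explicit `echo "module check exit status: $rv"` says what it means without the trace noise.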
@@ -681,12 +690,51 @@ rm -rf $RPM_BUILD_ROOT %{_rpmconfigdir}/macros.d/macros.httpd %changelog +* Mon Jun 19 2017 Luboš Uhliarik - 2.4.26-1 +- new version 2.4.26 + +* Mon Jun 5 2017 Joe Orton - 2.4.25-10 +- move unit man pages to section 8, add as Documentation= in units + +* Fri May 19 2017 Joe Orton - 2.4.25-9 +- add httpd.service(5) and httpd.socket(5) man pages + +* Tue May 16 2017 Joe Orton - 2.4.25-8 +- require mod_http2, now packaged separately + +* Wed Mar 29 2017 Luboš Uhliarik - 2.4.25-7 +- Resolves: #1397243 - Backport Apache Bug 53098 - mod_proxy_ajp: + patch to set worker secret passed to tomcat + +* Tue Mar 28 2017 Luboš Uhliarik - 2.4.25-6 +- Resolves: #1434916 - httpd.service: Failed with result timeout + +* Fri Mar 24 2017 Joe Orton - 2.4.25-5 +- link only httpd, not support/* against -lselinux -lsystemd + +* Fri Feb 10 2017 Fedora Release Engineering - 2.4.25-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Thu Jan 12 2017 Joe Orton - 2.4.25-3 +- mod_watchdog: restrict thread lifetime (#1410883) + +* Thu Dec 22 2016 Luboš Uhliarik - 2.4.25-2 +- Resolves: #1358875 - require nghttp2 >= 1.5.0 + * Thu Dec 22 2016 Luboš Uhliarik - 2.4.25-1 - new version 2.4.25 -* Mon Dec 05 2016 Luboš Uhliarik - 2.4.23-5 -- Resolves: #1401528 - CVE-2016-8740 httpd: Incomplete handling - of LimitRequestFields directive in mod_http2 +* Mon Dec 05 2016 Luboš Uhliarik - 2.4.23-7 +- Resolves: #1401530 - CVE-2016-8740 httpd: Incomplete handling of + LimitRequestFields directive in mod_http2 + +* Mon Nov 14 2016 Joe Orton - 2.4.23-6 +- fix build with OpenSSL 1.1 (#1392900) +- fix typos in ssl.conf (josef randinger, #1379407) + +* Wed Nov 2 2016 Joe Orton - 2.4.23-5 +- no longer package /etc/sysconfig/httpd +- synch ssl.conf with upstream * Mon Jul 18 2016 Joe Orton - 2.4.23-4 - add security fix for CVE-2016-5387 diff --git a/httpd.sysconf b/httpd.sysconf deleted file mode 100644 index 44a8246..0000000 --- a/httpd.sysconf +++ /dev/null 
@@ -1,30 +0,0 @@ -# -# This file is no longer used to configure additional environment variables -# for the httpd process. -# -# It has been replaced by systemd. If you want to customize, the best -# way is to create a file "/etc/systemd/system/httpd.service", -# containing -# .include /lib/systemd/system/httpd.service -# ...make your changes here... -# For more info about custom unit files, see -# http://fedoraproject.org/wiki/Systemd#How_do_I_customize_a_unit_file.2F_add_a_custom_unit_file.3F - - -# To set OPTIONS environment variable which was set in this file -# in older versions, you need to create a file named -# "/etc/systemd/system/httpd.service" containing: -# .include /lib/systemd/system/httpd.service -# [Service] -# # -# # To pass additional options (for instance, -D definitions) to the -# # httpd binary at startup, set OPTIONS here. -# # -# Environment=OPTIONS=-DMY_DEFINE - -# Note: With previous versions of httpd, the MPM could be changed by -# editing an "HTTPD" variable here. With the current version, that -# variable is now ignored. The MPM is a loadable module, and the -# choice of MPM can be changed by editing the configuration file -# /etc/httpd/conf.modules.d/00-mpm.conf. -# diff --git a/pullrev.sh b/pullrev.sh index a4e1421..2b2fef9 100755 --- a/pullrev.sh +++ b/pullrev.sh @@ -7,7 +7,7 @@ fi repo="https://svn.apache.org/repos/asf/httpd/httpd/trunk" repo="https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x" -ver=2.4.6 +ver=2.4.25 prefix="httpd-${ver}" suffix="r$1${2:++}" fn="${prefix}-${suffix}.patch" diff --git a/sources b/sources index f90dcc6..4f174e0 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (httpd-2.4.25.tar.bz2) = 6ba4ce1dcef71416cf1c0de2468c002767b5637a75744daf5beb0edd045749a751b3826c4132f594c48e4b33ca8e1b25ebfb63ac4c8b759ca066a89d3261fb22 +SHA512 (httpd-2.4.26.tar.bz2) = 4b32f01f17c912011f24bf3991430d474be13836af41b26c072e3c1eab2b45a3c52851eb00423e046c59fc16e1f501d64daaee3f2469b2745857ec1982966c9a 
diff --git a/ssl.conf b/ssl.conf index e8e6c97..a07bd8f 100644 --- a/ssl.conf +++ b/ssl.conf @@ -1,6 +1,6 @@ # # When we also provide SSL we have to listen to the -# the HTTPS port in addition. +# standard HTTPS port in addition. # Listen 443 https @@ -90,11 +90,15 @@ SSLHonorCipherOrder on SSLCipherSuite PROFILE=SYSTEM SSLProxyCipherSuite PROFILE=SYSTEM -# Server Certificate: -# Point SSLCertificateFile at a PEM encoded certificate. If -# the certificate is encrypted, then you will be prompted for a -# pass phrase. Note that a kill -HUP will prompt again. A new -# certificate can be generated using the genkey(1) command. +# Point SSLCertificateFile at a PEM encoded certificate. If +# the certificate is encrypted, then you will be prompted for a +# pass phrase. Note that restarting httpd will prompt again. Keep +# in mind that if you have both an RSA and a DSA certificate you +# can configure both in parallel (to also allow the use of DSA +# ciphers, etc.) +# Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt) +# require an ECC certificate which can also be configured in +# parallel. SSLCertificateFile /etc/pki/tls/certs/localhost.crt # Server Private Key: @@ -102,6 +106,7 @@ SSLCertificateFile /etc/pki/tls/certs/localhost.crt # directive to point at the key file. Keep in mind that if # you've both a RSA and a DSA private key you can configure # both in parallel (to also allow the use of DSA ciphers, etc.) +# ECC keys, when in use, can also be configured in parallel SSLCertificateKeyFile /etc/pki/tls/private/localhost.key # Server Certificate Chain: 
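Review bot: The rewritten comment above `SSLCertificateFile` tells operators they can configure a DSA certificate in parallel "to also allow the use of DSA ciphers"; DSS cipher suites are legacy, are absent from modern client defaults, and are unlikely to be enabled by the `SSLCipherSuite PROFILE=SYSTEM` line a few lines above, so the advice steers people toward deploying a key type that buys nothing. I would replace those two sentences with `# An ECC (ECDSA) certificate can be configured in parallel with the RSA one; DSA certificates are obsolete and not recommended.` and keep only the ECC note that follows, with the same change to the matching comment above `SSLCertificateKeyFile`. The RFC 4492 reference is also a plain `http://` link; `https://www.rfc-editor.org/rfc/rfc4492` is the current home.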
@@ -110,7 +115,7 @@ SSLCertificateKeyFile /etc/pki/tls/private/localhost.key # certificate chain for the server certificate. Alternatively # the referenced file can be the same as SSLCertificateFile # when the CA certificates are directly appended to the server -# certificate for convinience. +# certificate for convenience. #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt # Certificate Authority (CA): @@ -170,9 +175,9 @@ SSLCertificateKeyFile /etc/pki/tls/private/localhost.key # This enables optimized SSL connection renegotiation handling when SSL # directives are used in per-directory context. #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire - + SSLOptions +StdEnvVars - + SSLOptions +StdEnvVars @@ -184,13 +189,13 @@ SSLCertificateKeyFile /etc/pki/tls/private/localhost.key # approach you can use one of the following variables: # o ssl-unclean-shutdown: # This forces an unclean shutdown when the connection is closed, i.e. no -# SSL close notify alert is send or allowed to received. This violates +# SSL close notify alert is sent or allowed to be received. This violates # the SSL/TLS standard but is needed for some brain-dead browsers. Use # this when you receive I/O errors because of the standard approach where # mod_ssl sends the close notify alert. # o ssl-accurate-shutdown: # This forces an accurate shutdown when the connection is closed, i.e. a -# SSL close notify alert is send and mod_ssl waits for the close notify +# SSL close notify alert is sent and mod_ssl waits for the close notify # alert of the client. This is 100% SSL/TLS standard compliant, but in # practice often causes hanging connections with brain-dead browsers. Use # this only for browsers where you know that their SSL implementation @@ -211,5 +216,5 @@ BrowserMatch "MSIE [2-5]" \ CustomLog logs/ssl_request_log \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" - +