From 3383664c3dfec710b37695603382ded98af8c99d Mon Sep 17 00:00:00 2001
From: jorton
Date: Fri, 9 Jul 2010 13:00:51 +0000
Subject: [PATCH] - default config tweaks: harden httpd.conf w.r.t. .htaccess restriction (#591293) load mod_substitute, mod_version by default drop proxy_ajp.conf, load mod_proxy_ajp in httpd.conf add commented list of shipped-but-unloaded modules bump up worker defaults a little drop KeepAliveTimeout to 5 secs per upstream - fix LSB compliance in init script (#522074) - bundle NOTICE in -tools - use init script in logrotate postrotate to pick up PIDFILE - drop some old Obsoletes/Conflicts
---
 .cvsignore | 2 ++
 httpd.conf | 27 +++++++++++++++++++++------
 httpd.init | 12 ++++++++----
 httpd.logrotate | 2 +-
 httpd.spec | 26 +++++++++++++++++--------
 proxy_ajp.conf | 20 --------------------
 6 files changed, 49 insertions(+), 40 deletions(-)
 delete mode 100644 proxy_ajp.conf
diff --git a/.cvsignore b/.cvsignore
index ec480fa..0a9107f 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1 +1,3 @@
 httpd-2.2.15.tar.gz
+httpd-2.2.15
+clog
diff --git a/httpd.conf b/httpd.conf
index b57e80e..78cdc37 100644
--- a/httpd.conf
+++ b/httpd.conf
@@ -58,14 +58,16 @@ ServerRoot "/etc/httpd"
 
 #
 # PidFile: The file in which the server should record its process
-# identification number when it starts.
+# identification number when it starts. Note the PIDFILE variable in
+# /etc/sysconfig/httpd must be set appropriately if this location is
+# changed.
 #
 PidFile run/httpd.pid
 
 #
 # Timeout: The number of seconds before receives and sends time out.
 #
-Timeout 120
+Timeout 60
 
 #
 # KeepAlive: Whether or not to allow persistent connections (more than
@@ -84,7 +86,7 @@ MaxKeepAliveRequests 100
 # KeepAliveTimeout: Number of seconds to wait for the next request from the
 # same client on the same connection.
 #
-KeepAliveTimeout 15
+KeepAliveTimeout 5
 
 ##
 ## Server-Pool Size Regulation (MPM specific)
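Review bot: The `Timeout 120` → `Timeout 60` change in the first httpd.conf hunk is not mentioned in the commit message or in the new %changelog entry, while the KeepAliveTimeout reduction in the next hunk is. Timeout bounds how long a single slow client or a stalled backend can hold a worker, so halving it is a visible behaviour change for sites with long uploads or slow CGIs and deserves a line of its own. Suggest a changelog bullet such as ` * drop Timeout to 60 secs` next to the KeepAliveTimeout one, and mirroring it in the commit message.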
@@ -114,8 +116,8 @@ MaxRequestsPerChild 4000
 # ThreadsPerChild: constant number of worker threads in each server process
 # MaxRequestsPerChild: maximum number of requests a server process serves
-StartServers 2
-MaxClients 150
+StartServers 4
+MaxClients 300
 MinSpareThreads 25
 MaxSpareThreads 75
 ThreadsPerChild 25
@@ -184,22 +186,34 @@ LoadModule actions_module modules/mod_actions.so
 LoadModule speling_module modules/mod_speling.so
 LoadModule userdir_module modules/mod_userdir.so
 LoadModule alias_module modules/mod_alias.so
+LoadModule substitute_module modules/mod_substitute.so
 LoadModule rewrite_module modules/mod_rewrite.so
 LoadModule proxy_module modules/mod_proxy.so
 LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
 LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
 LoadModule proxy_http_module modules/mod_proxy_http.so
+LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
 LoadModule proxy_connect_module modules/mod_proxy_connect.so
 LoadModule cache_module modules/mod_cache.so
 LoadModule suexec_module modules/mod_suexec.so
 LoadModule disk_cache_module modules/mod_disk_cache.so
 LoadModule cgi_module modules/mod_cgi.so
+LoadModule version_module modules/mod_version.so
 
 #
 # The following modules are not loaded by default:
 #
-#LoadModule cern_meta_module modules/mod_cern_meta.so
 #LoadModule asis_module modules/mod_asis.so
+#LoadModule authn_dbd_module modules/mod_authn_dbd.so
+#LoadModule cern_meta_module modules/mod_cern_meta.so
+#LoadModule cgid_module modules/mod_cgid.so
+#LoadModule dbd_module modules/mod_dbd.so
+#LoadModule dumpio_module modules/mod_dumpio.so
+#LoadModule filter_module modules/mod_filter.so
+#LoadModule ident_module modules/mod_ident.so
+#LoadModule log_forensic_module modules/mod_log_forensic.so
+#LoadModule unique_id_module modules/mod_unique_id.so
+#
 
 #
 # Load config files from the config directory "/etc/httpd/conf.d".
@@ -401,6 +415,7 @@ AccessFileName .htaccess
 Order allow,deny
 Deny from all
+ Satisfy All
 #
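Review bot: The added `Satisfy All` in the `.ht*` Files block of the last httpd.conf hunk carries no explanation, and its purpose is easy to misread because `All` is already the built-in default. The directive matters when an enclosing scope sets `Satisfy Any` to let authenticated users bypass host restrictions: that setting is inherited, and without this line a successfully authenticated client could read `.htaccess` and `.htpasswd` despite the `Deny from all`. Suggest a comment directly above it, e.g. `# Satisfy All: keep the Deny unconditional even if an enclosing scope uses Satisfy Any`. The container's opening and closing lines do not appear in the hunk as extracted here, so the placement relative to `Deny from all` is inferred.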
diff --git a/httpd.init b/httpd.init
index 2c3836c..597eeb8 100755
--- a/httpd.init
+++ b/httpd.init
@@ -72,12 +72,16 @@ stop() {
 reload() {
 echo -n $"Reloading $prog: "
 if ! LANG=$HTTPD_LANG $httpd $OPTIONS -t >&/dev/null; then
- RETVAL=$?
+ RETVAL=6
 echo $"not reloading due to configuration syntax error"
 failure $"not reloading $httpd due to configuration syntax error"
 else
- killproc -p ${pidfile} $httpd -HUP
+ # Force LSB behaviour from killproc
+ LSB=1 killproc -p ${pidfile} $httpd -HUP
 RETVAL=$?
+ if [ $RETVAL -eq 7 ]; then
+ failure $"httpd shutdown"
+ fi
 fi
 echo
 }
@@ -112,8 +116,8 @@ case "$1" in
 RETVAL=$?
 ;;
 *)
- echo $"Usage: $prog {start|stop|restart|condrestart|reload|status|fullstatus|graceful|help|configtest}"
- RETVAL=3
+ echo $"Usage: $prog {start|stop|restart|condrestart|try-restart|force-reload|reload|status|fullstatus|graceful|help|configtest}"
+ RETVAL=2
 esac
 
 exit $RETVAL
diff --git a/httpd.logrotate b/httpd.logrotate
index d233e9c..794b9d7 100644
--- a/httpd.logrotate
+++ b/httpd.logrotate
@@ -4,6 +4,6 @@
 sharedscripts
 delaycompress
 postrotate
- /bin/kill -HUP `cat /var/run/httpd/httpd.pid 2>/dev/null` 2> /dev/null || true
+ /sbin/service httpd reload > /dev/null 2>/dev/null || true
 endscript
 }
diff --git a/httpd.spec b/httpd.spec
index 258040d..5cab677 100644
--- a/httpd.spec
+++ b/httpd.spec
@@ -7,7 +7,7 @@ Summary: Apache HTTP Server
 Name: httpd
 Version: 2.2.15
-Release: 1%{?dist}
+Release: 3%{?dist}
 URL: http://httpd.apache.org/
 Source0: http://www.apache.org/dist/httpd/httpd-%{version}.tar.gz
 Source1: index.html
@@ -18,7 +18,6 @@ Source10: httpd.conf
 Source11: ssl.conf
 Source12: welcome.conf
 Source13: manual.conf
-Source14: proxy_ajp.conf
 # Documentation
 Source33: README.confd
 # build/scripts patches
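Review bot: In the reload() hunk of httpd.init, the message printed when killproc returns 7 — `failure $"httpd shutdown"` — tells the operator that httpd was shut down, but under `LSB=1` a 7 means the daemon was not running, so nothing was shut down; `failure $"$prog not running"` (or similar wording) would describe the actual condition. The usage line in the second hunk now advertises `try-restart` and `force-reload`, whose case branches lie outside this hunk; they need to exist and return LSB codes for the usage text to be truthful. reload() is shown in full; the case statement starts before the second hunk.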
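Review bot: The new postrotate command `/sbin/service httpd reload > /dev/null 2>/dev/null || true` discards the failure the init script now reports explicitly: when the configtest fails, reload exits 6 without signalling httpd, and (assuming the default rename-based rotation, since no copytruncate is visible) the server keeps writing to the renamed files while the fresh access_log and error_log stay empty, which looks exactly like an outage to anything that alerts on log volume. Suggest recording the failure instead of discarding it, e.g. `/sbin/service httpd reload > /dev/null 2>&1 || logger -t logrotate "httpd reload failed; logs not reopened"`. Since reload sends HUP, which aborts in-flight requests, the `graceful` action listed in the init script's usage line may be the better choice for log reopening; that is a trade-off to decide, not a defect.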
@@ -50,9 +49,6 @@ Requires(post): chkconfig
 Provides: webserver
 Provides: mod_dav = %{version}-%{release}, httpd-suexec = %{version}-%{release}
 Provides: httpd-mmn = %{mmn}
-Obsoletes: apache, secureweb, mod_dav, mod_gzip, stronghold-apache
-Obsoletes: stronghold-htdocs, mod_put, mod_roaming
-Conflicts: pcre < 4.0
 Requires: httpd-tools = %{version}-%{release}, apr-util-ldap
 
 %description
@@ -100,7 +96,7 @@ Group: System Environment/Daemons
 Summary: SSL/TLS module for the Apache HTTP Server
 Epoch: 1
 BuildRequires: openssl-devel, distcache-devel
-Requires(post): openssl >= 0.9.7f-4, /bin/cat
+Requires(post): openssl, /bin/cat
 Requires(pre): httpd
 Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmn}
 Obsoletes: stronghold-mod_ssl
@@ -227,7 +223,7 @@ done
 mkdir $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d
 install -m 644 $RPM_SOURCE_DIR/README.confd \
 $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d/README
-for f in ssl.conf welcome.conf manual.conf proxy_ajp.conf; do
+for f in ssl.conf welcome.conf manual.conf; do
 install -m 644 -p $RPM_SOURCE_DIR/$f \
 $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.d/$f
 done
@@ -414,7 +410,6 @@ rm -rf $RPM_BUILD_ROOT
 %dir %{_sysconfdir}/httpd/conf
 %config(noreplace) %{_sysconfdir}/httpd/conf/httpd.conf
 %config(noreplace) %{_sysconfdir}/httpd/conf.d/welcome.conf
-%config(noreplace) %{_sysconfdir}/httpd/conf.d/proxy_ajp.conf
 %config(noreplace) %{_sysconfdir}/httpd/conf/magic
 %config(noreplace) %{_sysconfdir}/logrotate.d/httpd
 
@@ -459,7 +454,7 @@ rm -rf $RPM_BUILD_ROOT
 %defattr(-,root,root)
 %{_bindir}/*
 %{_mandir}/man1/*
-%doc LICENSE
+%doc LICENSE NOTICE
 
 %files manual
 %defattr(-,root,root)
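Review bot: Dropping `proxy_ajp.conf` from `%files` while the replacement `LoadModule proxy_ajp_module` line lives in httpd.conf, which is `%config(noreplace)`, changes behaviour on upgrade and not only on fresh installs: a host with a locally edited httpd.conf keeps its old copy without the new line, and if my reading of rpm is right the unmodified conf.d/proxy_ajp.conf is removed, so mod_proxy_ajp silently stops loading there. An edited proxy_ajp.conf with uncommented ProxyPass lines is instead left behind as `proxy_ajp.conf.rpmsave` and is no longer read. Neither case produces an error at startup. Suggest saying so in the %changelog entry, e.g. ` * drop proxy_ajp.conf; sites with a local httpd.conf must add LoadModule proxy_ajp_module themselves`, or in README.confd.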
@@ -485,6 +480,19 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/httpd/build/*.sh
 
 %changelog
+* Fri Jul 9 2010 Joe Orton - 2.2.15-3
+- default config tweaks:
+ * harden httpd.conf w.r.t. .htaccess restriction (#591293)
+ * load mod_substitute, mod_version by default
+ * drop proxy_ajp.conf, load mod_proxy_ajp in httpd.conf
+ * add commented list of shipped-but-unloaded modules
+ * bump up worker defaults a little
+ * drop KeepAliveTimeout to 5 secs per upstream
+- fix LSB compliance in init script (#522074)
+- bundle NOTICE in -tools
+- use init script in logrotate postrotate to pick up PIDFILE
+- drop some old Obsoletes/Conflicts
+
 * Sun Apr 04 2010 Robert Scheck - 2.2.15-1
 - update to 2.2.15 (#572404, #579311)
diff --git a/proxy_ajp.conf b/proxy_ajp.conf
deleted file mode 100644
index 9347aab..0000000
--- a/proxy_ajp.conf
+++ /dev/null
@@ -1,20 +0,0 @@
-
-LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
-
-#
-# When loaded, the mod_proxy_ajp module adds support for
-# proxying to an AJP/1.3 backend server (such as Tomcat).
-# To proxy to an AJP backend, use the "ajp://" URI scheme;
-# Tomcat is configured to listen on port 8009 for AJP requests
-# by default.
-#
-
-#
-# Uncomment the following lines to serve the ROOT webapp
-# under the /tomcat/ location, and the jsp-examples webapp
-# under the /examples/ location.
-#
-#ProxyPass /tomcat/ ajp://localhost:8009/
-#ProxyPass /examples/ ajp://localhost:8009/jsp-examples/
-
-