Apache on SL5 (FC6)

Since about Red Hat 9/FC3, Apache 1.3 has not been shipped with the distribution; Apache 2.0, and now 2.2, is the default. However, because some of our web services needed kx509 for authentication, which is only available for Apache 1.3, we have been rolling our own dice-apache-1.3 RPMs. These RPMs have only been installed on the web services that require Apache 1.3; other machines have been getting the default distribution versions.

Now that we have Cosign to replace kx509, the plan is not to continue building our own Apache 1.3 RPMs (and the associated PHP, mod_ssl, etc. RPMs). This means we get the distribution's security fixes as soon as they are released, rather than after we have rebuilt our own packages, and it reduces the time spent maintaining our own versions of the RPMs.

So for SL5 (and FC6), any Apache 1.3 web service will have to be migrated to Apache 2.2, and if it was a kx509-authenticated site, it will have to migrate to Cosign as well.

Migrating from 1.3 to 2.2

So far, migrating from Apache 1.3 to 2.2 has been fairly straightforward (this does not include migrating from kx509 to Cosign). The issues are:

  1. Obsoleted configuration directives.
  2. New names/locations of apache modules.
  3. The conf.d directory

1. The shipped /etc/init.d/httpd script does a simple grep of /etc/httpd/conf/httpd.conf for obsoleted configuration directives, and refuses to start httpd if it finds any. I've taken that function and turned it into a script that you can point at any file, e.g.

  neilb> ~neilb/bin/share/checkapache13 main.conf

  Apache 1.3 configuration directives found on lines:

  12:ServerType           standalone
  127:ClearModuleList
  ...

To find out what to replace these with, see http://httpd.apache.org/docs/2.0/upgrading.html#run-time and the migration notes shipped with the RPM: file:///usr/share/doc/httpd-2.2.6/migration.html (FC6) or file:///usr/share/doc/httpd-2.2.3/migration.html (SL5).

2. To solve the module problem, I deleted all the old LoadModule and AddModule directives and pasted in the LoadModule lines from the default, RPM-shipped /etc/httpd/conf/httpd.conf. (AddModule and ClearModuleList no longer exist in 2.x; the set of active modules is simply the set of LoadModule lines.)

3. In Apache 1.3, the extra modules and the directives they provide were specified in the main httpd.conf, but conditionally. The default now is to include every file in /etc/httpd/conf.d/*.conf, e.g. PHP, SSL, Mailman, etc. Some of these you will want, but not all (e.g. mailman), and those files do not just load a module: they can also add Aliases, ScriptAliases and handlers you never intended to expose on that host, so it is worth knowing exactly what is being pulled in. One way to solve it would be to uninstall the RPMs that provide the irrelevant .conf files, but I just replaced the:

  Include conf.d/*.conf
with just the parts I want, e.g.
  Include conf.d/ssl.conf
  Include conf.d/php.conf
  Include conf.d/authz_ldap.conf

Once you think you've replaced all the old directives, remember you can test your config with apachectl before restarting, i.e.

  /usr/sbin/apachectl configtest

This assumes that /etc/sysconfig/httpd is pointing at your Apache configuration files (apachectl sources that file and passes its OPTIONS, e.g. -f /path/to/httpd.conf, to httpd), which it will be if you use the apache component.
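The following is an added example, not the ~neilb/bin/share/checkapache13 script from this page: a stand-alone version of the check in step 1, modelled on the check13() function in the RPM-shipped /etc/init.d/httpd but taking any file as its argument. The list of directives is the one that init script greps for; the sample configuration at the bottom is constructed for the demonstration and is not a real site config. It reports matches in the same "line:text" form as above and returns non-zero when it finds any, so it can gate a restart in the same way the init script does.

```shell
#!/bin/sh
# Added example, not the author's checkapache13: scan a config file for
# Apache 1.3-only directives, after the check13() function in the RPM-shipped
# /etc/init.d/httpd. Usage: sh checkapache13.sh /path/to/httpd.conf

# Directives that Apache 2.x no longer accepts. FancyIndexing survives only as
# an IndexOptions flag, so it is reported only when it starts a line.
GONE='ServerType|BindAddress|Port|AddModule|ClearModuleList|AgentLog|RefererLog|RefererIgnore|FancyIndexing|AccessConfig|ResourceConfig'
# Leading whitespace allowed, comments ignored, directive must end the word.
PATTERN="^[[:space:]]*($GONE)"'([[:space:]]|$)'

# Print every offending line as "line:text" (case-insensitive, like httpd).
# Returns 1 if any were found, 0 if the file is clean, 2 if grep failed
# (e.g. unreadable file), so a missing file is never reported as clean.
checkapache13() {
    hits=$(LANG=C grep -Ein "$PATTERN" "$1")
    case $? in
        0) echo "Apache 1.3 configuration directives found on lines:"
           echo "$hits"
           return 1 ;;
        1) return 0 ;;
        *) return 2 ;;
    esac
}

# Number of offending lines, for scripting around the check.
count13() {
    LANG=C grep -Eic "$PATTERN" "$1"
}

# Constructed sample (not a real site config) mixing 1.3-only and current lines.
sample_conf() {
    cat <<'EOF'
ServerType standalone
Port 80
Listen 80
# AddModule mentioned in a comment must not count
  ClearModuleList
LoadModule ssl_module modules/mod_ssl.so
IndexOptions FancyIndexing
EOF
}

# Scan the file given on the command line, or the constructed sample.
if [ $# -gt 0 ]; then
    target=$1
else
    target=$(mktemp); sample_conf > "$target"
fi
if checkapache13 "$target"; then
    echo "No Apache 1.3 configuration directives found in $target"
else
    echo "See migration.html for the 2.2 replacements" >&2
fi
[ $# -gt 0 ] || rm -f "$target"
```

Run with no argument it scans the constructed sample and reports three lines (ServerType, Port and ClearModuleList; the commented-out AddModule and the FancyIndexing argument to IndexOptions are correctly ignored). Once it reports nothing, apachectl configtest is still the real gate, since this only knows about removed directives, not ones whose arguments changed.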

kx509 to Cosign

If you have a web service that used kx509 for authentication and it basically relied on the REMOTE_USER environment variable being set appropriately, then switching to Cosign should be fairly straightforward. See CosignClient for more information on how to Cosign a web service. Note that if your service assumes that anyone with REMOTE_USER set must be a DICE user, this is no longer true with Cosign: iFriend accounts also set REMOTE_USER. A set REMOTE_USER only tells you that somebody authenticated, not that they are entitled to use the service, so you may want to use the mod_authz_ldap module to restrict your service to people with the necessary capability.

Also see Simon's blog post about Cosigning web.

More technical things

While upgrading some systems to Apache 2.2, some other things have come to light:

  • mod_rewrite tests using %{ENV:HTTPS} now fail, as it is always the empty string; use %{HTTPS} instead. In 2.2, %{HTTPS} is a mod_rewrite variable that asks mod_ssl directly whether the connection is SSL, so it works even in server-context rules that run before the HTTPS environment variable has been set.
  • .htaccess files stopped being honoured. The compiled-in default for "AllowOverride" is still "All" as the docs say, but the RPM-shipped httpd.conf sets "AllowOverride None" (for / and for the document root), which breaks some .htaccess files. So assuming you still want this, you may want to add:
  <Directory /your/doc/root/ >
     AllowOverride All
  </Directory>
to your main server config. Better still, grant only what the .htaccess files actually use (e.g. "AllowOverride AuthConfig Limit"), since AllowOverride All lets anyone who can write to the document root reconfigure that part of the server.
  • You can't check for Capabilities with Simon's mod_authssl, as it doesn't exist anymore. On www.inf you can instead use a group file, e.g.:
  AuthGroupFile /liveroot/conf/access/group.capabilities
  Require group web/wwwinf/irm
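To make the point of the kx509 to Cosign section and of the group-file check above concrete, here is an added example (not code from this page or from Cosign): a shell helper in the shape of what a CGI-style service has to do once REMOTE_USER no longer implies "DICE user". Membership is decided from a file in the AuthGroupFile format ("group: member member ..."), so a group name like web/wwwinf/irm works. The group file contents and all user names below are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the page: authorisation after Cosign authentication.
# REMOTE_USER being set only proves that someone (DICE or iFriend) logged in;
# access is granted only to members of the group the service requires.

# AuthGroupFile format: "groupname: member member ...". Returns 0 if USER is
# listed under GROUP in FILE, 1 otherwise.
in_group() {
    user=$1; grp=$2; file=$3
    awk -v user="$user" -v grp="$grp" '
        $1 == (grp ":") { for (i = 2; i <= NF; i++) if ($i == user) found = 1 }
        END { exit found ? 0 : 1 }
    ' "$file"
}

# HTTP status for a request: USER is the REMOTE_USER value ("" when unset),
# GROUP the capability the service requires, FILE the group file.
# 401: nobody authenticated; 403: authenticated but not entitled; 200: allowed.
decide() {
    user=$1; grp=$2; file=$3
    if [ -z "$user" ]; then
        echo 401
    elif in_group "$user" "$grp" "$file"; then
        echo 200
    else
        echo 403
    fi
}

# Constructed sample group file (not the real /liveroot/conf/access file).
sample_groups() {
    cat <<'EOF'
web/wwwinf/irm: neilb simon
web/wwwinf/staff: neilb simon alice
EOF
}

# Stand-alone demo. In a real CGI the value comes from $REMOTE_USER, which
# Apache sets after Cosign authentication; note that an authenticated iFriend
# user is refused rather than let in just because the variable is set.
tmp=$(mktemp)
sample_groups > "$tmp"
for u in "" alice ifriend@example.com neilb; do
    printf 'REMOTE_USER=%-22s -> %s\n' "'$u'" "$(decide "$u" web/wwwinf/irm "$tmp")"
done
rm -f "$tmp"
```

The split between 401 and 403 matters for debugging a migrated site: a 401 means Cosign never ran (check the CosignProtected/Require setup), while a 403 means authentication worked and it is the capability check that is refusing the user.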

-- NeilBrown - 22 Feb 2008

Topic revision: r4 - 25 Mar 2008 - 15:21:54 - NeilBrown