Apache on SL5 (FC6)
Since about Redhat 9/FC3, Apache 1.3 has not been shipped with the distribution; Apache 2.0, and now 2.2, is the default shipped Apache. However, because some of our web services need kx509 for authentication, which is only available for Apache 1.3, we've been rolling our own dice-apache-1.3 RPMs. These RPMs have only been installed on the web services requiring Apache 1.3; other machines have been getting the default distribution versions.
Now that we have Cosign to replace kx509, the plan is not to continue building our own Apache 1.3 RPMs (and the associated PHP, modssl, etc. RPMs). This means we benefit from the distribution's security fixes and reduce the time we spend maintaining our own versions of the RPMs.
So for SL5 (and FC6), any Apache 1.3 web service will have to be migrated to
Apache 2.2, and if it was a kx509 authenticated site, then it will
have to migrate to Cosign as well.
Migrating from 1.3 to 2.2
So far any migration from Apache 1.3 to 2.2 has been fairly straightforward. This does not include migrating from kx509 to Cosign.
The issues are:
- Obsoleted configuration directives.
- New names/locations of apache modules.
- The conf.d directory
1. The shipped /etc/init.d/httpd script does a simple grep of /etc/httpd/conf/httpd.conf for obsoleted configuration directives. I've taken that function and turned it into a script that you can point at any file, e.g.
neilb> ~neilb/bin/share/checkapache13 main.conf
Apache 1.3 configuration directives found on lines:
12:ServerType standalone
127:ClearModuleList
...
To find out what to do with these, see http://httpd.apache.org/docs/2.0/upgrading.html#run-time and also the docs in
file:///usr/share/doc/httpd-2.2.6/migration.html (FC6)
file:///usr/share/doc/httpd-2.2.3/migration.html (SL5)
2. To solve the module problem, I just deleted all the old LoadModule and AddModule directives and pasted in the ones from the default, RPM-shipped /etc/httpd/conf/httpd.conf file.
3. Whereas in Apache 1.3 some of the extra modules, and the directives they provide, were specified in the main httpd.conf (conditionally), the default now is to include all the files in /etc/httpd/conf.d/*.conf, e.g. PHP, SSL, Mailman, etc. Some of these you will want, but not all (e.g. mailman). One way to solve this would be to uninstall the RPMs that provide the irrelevant .conf files, but I just replaced the
Include conf.d/*.conf
with the parts I want, e.g.
Include conf.d/ssl.conf
Include conf.d/php.conf
Include conf.d/authz_ldap.conf
Once you think you've replaced all the old directives, etc., remember you can test your config with apachectl, i.e.
/usr/sbin/apachectl configtest
This assumes that /etc/sysconfig/httpd is pointing at your apache configuration files, which it will be if you use the apache component.
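The check in step 1, as an added example (this is not the ~neilb/bin/share/checkapache13 script, just the same grep idea as the stock init script): it reports Apache 1.3-only directives with their line numbers and exits non-zero when any are found, so it can be run before apachectl configtest. The directive names are the ones listed as removed in the upgrading.html page above; the sample config at the end is constructed.

```sh
# Added example: flag Apache 1.3-only directives in an httpd config file.
# Directive names are those listed as removed at
# http://httpd.apache.org/docs/2.0/upgrading.html#run-time

GONE='ServerType|BindAddress|Port|AddModule|ClearModuleList|AgentLog|RefererLog'
GONE="$GONE|RefererIgnore|FancyIndexing|AccessConfig|ResourceConfig"
# The directive must start the line (after optional indent) and be a whole word,
# so "Port 80" matches but "Listen 80", "ServerRoot" and commented lines do not.
PATTERN="^[[:space:]]*($GONE)([[:space:]]|\$)"

# count13 FILE: number of lines carrying an obsolete directive (names are
# case-insensitive in httpd, hence -i).
count13() {
    LANG=C grep -Eic "$PATTERN" "$1" || true
}

# checkapache13 FILE: print "LINE:directive ..." for each hit (leading indent
# stripped); returns 1 if anything was found so it can gate a deploy script.
checkapache13() {
    hits=$(LANG=C grep -Ein "$PATTERN" "$1" || true)
    if [ -z "$hits" ]; then
        echo "No Apache 1.3 configuration directives found in $1"
        return 0
    fi
    echo "Apache 1.3 configuration directives found on lines:"
    printf '%s\n' "$hits" | sed 's/^\([0-9][0-9]*\):[[:space:]]*/\1:/'
    return 1
}

# write_sample FILE: constructed httpd.conf fragment (not a real config).
write_sample() {
cat >"$1" <<'EOF'
ServerType standalone
Port 80
Listen 80
  ClearModuleList
AddModule mod_php4.c
# ServerType mentioned in a comment is not a directive
ServerRoot "/etc/httpd"
EOF
}

SAMPLE=$(mktemp)
write_sample "$SAMPLE"
checkapache13 "$SAMPLE" || echo "Fix these first, then run /usr/sbin/apachectl configtest"
rm -f "$SAMPLE"
```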
kx509 to Cosign
If you have a web service that used kx509 for authentication, and it basically relied on the REMOTE_USER environment variable being set appropriately, then switching to Cosign should be fairly straightforward. See CosignClient for more information on how to Cosign a web service. Note that if your service just assumes that anyone with REMOTE_USER set must be a DICE user, this isn't the case with Cosign, as iFriend accounts will also set REMOTE_USER. You may want to use the mod_authz_ldap module to restrict your service to people with the necessary capability. Also see Simon's blog post about Cosigning web.
More technical things
While upgrading some systems to Apache 2.2, some other things have come to light:
- Tests using the variable ${ENV:HTTPS} now fail, as it is always the empty string, use ${HTTPS} instead.
- It seems that the default for "AllowOverride" has changed from "all" to "none" (despite what the docs say), breaking some .htaccess files. So, assuming you still want this, you may want to add:
<Directory /your/doc/root/ >
AllowOverride All
</Directory>
to your main server config.
- You can't check for Capabilities with Simon's mod_authssl, as it doesn't exist anymore, so on www.inf you can do:
AuthGroupFile /liveroot/conf/access/group.capabilities
Require group web/wwwinf/irm
--
NeilBrown - 22 Feb 2008