Apache on SL5 (FC6)

Since about Red Hat 9/FC3, Apache 1.3 has no longer been shipped with the distribution. Instead Apache 2.0, and now 2.2, is the default shipped Apache. However, due to a requirement for some of our web services to use kx509 for authentication, which is only available for Apache 1.3, we've been rolling our own dice-apache-1.3 RPMs. These RPMs have only been installed on the web services requiring Apache 1.3. Other machines have been getting the default distribution versions.

Now that we have Cosign to replace kx509, the plan is not to continue to build our own Apache 1.3 RPMs (and the associated PHP, modssl, etc. RPMs). This will mean we benefit from the distribution's security fixes and reduce the time we spend on maintaining our own versions of the RPMs.

So for SL5 (and FC6), any Apache 1.3 web service will have to be migrated to Apache 2.2, and if it was a kx509 authenticated site, then it will have to migrate to Cosign as well.

Migrating from 1.3 to 2.2

So far any migration from Apache 1.3 to 2.2 has been fairly straightforward. This does not include migrating from kx509 to Cosign. The issues are:

  1. Obsoleted configuration directives.
  2. New names/locations of apache modules.
  3. The conf.d directory

1. The shipped /etc/init.d/httpd script does a simple grep of /etc/httpd/conf/httpd.conf for obsoleted configuration directives. I've taken that function and turned it into a script that you can point at any file, e.g.

neilb> ~neilb/bin/share/checkapache13 main.conf

 Apache 1.3 configuration directives found on lines:

12:ServerType           standalone

To find out what to do with these, see http://httpd.apache.org/docs/2.0/upgrading.html#run-time. Also see the docs in:

  file:///usr/share/doc/httpd-2.2.6/migration.html (FC6)
  file:///usr/share/doc/httpd-2.2.3/migration.html (SL5)

2. To solve the module problem, I just deleted all the old LoadModule and AddModule directives and pasted in the ones from the default, RPM shipped /etc/httpd/conf/httpd.conf file.

3. In Apache 1.3, some of the extra modules and the directives they provide were specified in the main httpd.conf, but conditionally. Now the default is to include all the files in /etc/httpd/conf.d/*.conf, e.g. PHP, SSL, Mailman, etc. You will want some of these, but not all, e.g. Mailman. One way to solve it would be to uninstall the RPMs that provide the irrelevant .conf files, but I just replaced the:

  Include conf.d/*.conf
with the parts I want, e.g.
  Include conf.d/ssl.conf
  Include conf.d/php.conf
  Include conf.d/authz_ldap.conf

Once you think you've replaced all the old directives, etc., remember you can test your config with apachectl, i.e.

  /usr/sbin/apachectl configtest

This assumes that /etc/sysconfig/httpd is pointing at your apache configuration files, which it will be if you use the apache component.
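An added example (not the checkapache13 script mentioned above, and not code from this page) of the checks in steps 1 and 3: it greps a file for directives removed after Apache 1.3 and for the catch-all conf.d include. The directive list is an assumption taken from the Apache 2.0 upgrading notes; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Assumption: directives removed after Apache 1.3, per the 2.0 upgrading notes.
GONE='ServerType|BindAddress|Port|AddModule|ClearModuleList|AgentLog'
GONE="$GONE|RefererLog|RefererIgnore|FancyIndexing|AccessConfig|ResourceConfig"

# Print "line:text" for each obsolete directive in file $1.
# Returns 0 if clean, 1 if any were found, 2 if the file cannot be read.
check_apache13() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    # Anchor on a whole directive name at line start, case-insensitively,
    # so "Port 80" is flagged but "# Port 80" and "PortFoo" are not.
    if LC_ALL=C grep -Ein "^[[:space:]]*($GONE)([[:space:]]|\$)" "$1"; then
        return 1
    fi
    return 0
}

# Print any wildcard include of conf.d in file $1 (step 3): every .conf
# dropped there by an RPM would be loaded. Returns 1 if one is present.
check_wildcard_include() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    if LC_ALL=C grep -Ein \
        '^[[:space:]]*Include[[:space:]]+[^[:space:]]*conf\.d/\*' "$1"; then
        return 1
    fi
    return 0
}

# Constructed sample config (not from the page) for trying the checks.
sample_conf() {
    cat <<'EOF'
ServerRoot "/etc/httpd"
# Port 80 was replaced by Listen
ServerType standalone
Port 80
Listen 8080
Include conf.d/*.conf
EOF
}

# With file arguments, check each one and exit non-zero if any need work.
if [ "$#" -gt 0 ]; then
    rc=0
    for f in "$@"; do
        check_apache13 "$f" || rc=1
        check_wildcard_include "$f" || rc=1
    done
    exit "$rc"
fi
```

Run it against each file your main config includes, then finish with apachectl configtest as above.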

kx509 to Cosign

If you have a web service that used kx509 for authentication, and it basically relied on the REMOTE_USER environment variable being set appropriately, then switching to Cosign should be fairly straightforward. See CosignClient for more information on how to Cosign a web service. Note that if your service assumes that anyone with REMOTE_USER set must be a DICE user, this is not the case with Cosign, as iFriend accounts will also set REMOTE_USER. You may want to use mod_authz_ldap to restrict your service to people with the necessary capability.

Also see Simon's blog post about Cosigning web.

-- NeilBrown - 22 Feb 2008

Topic revision: r2 - 26 Feb 2008 - 16:53:33 - NeilBrown