1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
|
Notes for Apache for Debian
---------------------------
* We received many requests to explain why /var/lib/apache/mod-bandwidth/
permissions are set to 777.
From mod-bandwith.c:
* 3) Create the following directories with "rwx" permission to everybody :
* /var/lib/apache/mod-bandwidth/
* /var/lib/apache/mod-bandwidth/link
* /var/lib/apache/mod-bandwidth/master
*
* Note that if any of those directories doesn't exist, or if they can't
* be accessed by the server, the module is totaly disabled except for
* logging an error message in the logfile.
also refer to:
http://lists.debian.org/debian-apache/2004/02/msg00045.html
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=257108
* AddDefaultCharset default setting is misleading
We received A LOT of bugs about the default setting for this directive.
Please be sure to read:
http://httpd.apache.org/info/css-security/encoding_examples.html
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=211889&archive=yes
where you will find explanations and details on why we will not change
the default behaviour.
* mod_backtrace and mod_whatkilledus.
Apache 1.3.31 ships these brand new modules that MUST NOT be used in
production!! They are designed to be used ONLY for debugging
purposes. In short you need to know what you are doing before enabling
these modules.
* init.d script notes:
We face a chicken/egg problem with the behaviour of the restart
functionality.
One problem might be experienced by people using suexec, the other might
kill apache after a restart due a "socket still bound" error.
Since it is impossible to fix both cases at the same time, we agreed on
adding a note here with references to the relevant bugs:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=227491
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=158993
We choose to fix #158993 as default behaviour as discussed and explained
in details in #227491
* apache-ssl and mod_auth_ssl.
Since apache_1.3.29+ssl_1.53 upstream has changed behaviour.
People not using stardard Debian configuration tools have to take
care to correct their LoadModule sequence so that mod_auth_ssl
is loaded after libssl. Eg:
LoadModule apache_ssl_module /usr/lib/apache/1.3/libssl.so
LoadModule auth_module /usr/lib/apache/1.3/mod_auth_ssl.so
* libapache-mod-perl and authentication
After some investigation it seems that mod_perl provides an entire set
of Auth* directives that might clash with other authentication modules.
It is recommended that such a setup be tested very carefully.
A summary of a related problem can be found here:
http://bugs.debian.org/242985
* modules-config is now called apache-modconf
* Let other people know about your server
Netcraft (http://netcraft.com/) provides an interesting free
service for web site monitoring and statistic collection.
You can let them know about your server using their interface
(http://uptime.netcraft.com/).
Enabling the monitoring of your server will provide a better
global overview of who is using what and where, and it would
give Debian a better overview of the apache package usage.
* Authentication problems:
Some users have experienced some authentication problems recently.
We were able to spot the problem for apache installations that happened
between version 1.3.28 and 1.3.28.0 due to a wrong default setup.
By accident, mod_auth_sys was enabled by default. Unfortunately
we cannot automatically remove the module since it would affect users
that are actually using it.
* apache-ssl is now able to handle encrypted keys [0]. In order to use it
properly users have to configure apache-ssl NOT to start at boot time
(dpkg-reconfigure apache-ssl) since it would hang the boot process waiting
for the passphrases and run apache-sslctl start/stop/restart directly
from the command line.
NOTE: the support might slightly change in the future (we are coordinating
with upstream that is happy about the patch but wants a bit more features).
[0] there are several religions about this issue. The patch we have worked
out is only to accommodate users requests. As explained in other threads
(http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=136052) having the
key encrypted on the harddisk is not secure since the key is anyway
decrypted in ram. As pointed out the feeling about "security" is pretty
much illusory. This patch is only a worksaround since it needs to cache
the passphrase in ram in order to work.
-- Fabio M. Di Nitto <fabbione@fabbione.net> Mon, 27 Oct 2003 14:40:00 +0100
* modules-config is now more friendly with external modules and it recognize
automatically if a module is installed and enabled. This avoid useless
debconf questions, and it prompts for apache restarts only when required.
We now make use of an "internal" option to simplify the code but it is
not documented since noone other than apache pkgs can have any use of it.
* apacheconfig is now deprecated and it has been replaced by modules-config(8).
It's usage is extremely simple and everyone (including modules maintainers)
should switch to it. Maintainers can look at mod_perl prerm and postinst for
a very simple example on how to use it, or simply read the man page.
Remember that there are 3 apache out there! I noticed that most of the modules
only consider apache and/or apache-ssl. apache-perl deserve the same love!
Due to this major change a lot of things has been done. All the basic
configuration options are now done via debconf and i repeat BASIC.. meaning
that we will not add any fancy stuff in it more that what it's in there
now. People will notice that apache-ssl does NOT ask for Port. This is
done because the default server has to run on port 443. I did test
different configs/versions changing the port without any success.
(remeber this is only valid for the default server. virtual host will
keep working as-is).
apacheconfig was used to correct some common configuration errors.
This behaviour has been moved in the postinstall phase of the package
and only critical errors will be automatically modified (if any).
All small details will be only notified to the administrator via
/etc/apache{-ssl,-perl}/suggested_correction. The reason why we decided
to switch to this new nehaviour is because the complexity of users
configs has been growing too much and it is more and more difficult
to correct without breaking users customizations.
-- Fabio M. Di Nitto <fabbione@fabbione.net> Mon, 06 Oct 2003 07:58:37 +0200
* Logfiles are now rotated/created with 644 permissions; but this may be made
configurable.
* mod_auth_system needs www-data to be in the shadow group to work correctly.
mod_auth_system itself is *BAD BAD BAD BAD* since it sends system passwords
over http. use SSL encryption if you have to do this, otherwise don't!
* the languages fix follow the standard available at:
http://www.loc.gov/standards/iso639-2/englangn.html
-- Fabio M. Di Nitto <fabbione@fabbione.net>, Sun, 11 May 2003 19:49:45 +0200
* IMPORTANT NOTE FOR mod_auth_dbm users
When the user specify: AuthDBMUserFile <filename>
the real file should be called <filename>.db
* If you start to see errors similar to:
[Fri Sep 20 14:27:16 2002] [error] [client xxx.xxx.xxx.xxx] Premature end of
script headers: /home/matthew/cgi-bin/test.cgi
with no other errors in your error.log, make sure you check suexec.log - this
is often a symptom of your settings not being correct for an suexec
environment.
* MultiViews can be a security risk if they are enabled for ScriptAliased
directories. It is wise to explicitly disable them for any and all
ScriptAliases you have set up.
* Suexec's document root is set to /var/www ; its log file is
/var/log/apache/suexec.log; and its caller is set to www-data.
Should you need to change this currently the only way is to get the source
for apache and to rebuild, but we're looking into a more extensive solution.
-- Fabio M. Di Nitto <fabbione@fabbione.net>, Sat, 26 Apr 2003 13:32:31 +0200
* The logfiles are created by /etc/logrotate.d/apache with default owner
root.adm, permissions 640. If this breaks your favourite web-analysing
program, you may change it. Security above convenience. Johnie
actually made this change, but I agree with it.
-- Matthew Wilcox <willy@debian.org>, Sun, 20 Jan 2002 23:27:16 -0700
* The default webpages are owned by root.root by default (*not*
www-data.www-data), so hackers will have a harder time defacing the
site.
-- Johnie Ingram <johnie@netgod.net>, Thu, 10 Aug 2000 09:47:11 -0700
* This apache does not pass the HTTP_AUTHORIZATION CGI header
(i.e. -DSECURITY_HOLE_PASS_AUTHORIZATION was not defined), but
if you really need it this can be simulated with mod_rewrite:
RewriteEngine On
RewriteCond %{HTTP:Authorization} ^(.*)$ [NC]
RewriteRule /.* - [E=HTTP_AUTHORIZATION:%1]
[Thanks to Miquel van Smoorenburg for this tip.]
-- Johnie Ingram <johnie@netgod.net>, Fri, 20 Aug 1999 23:57:39 -0500
* This apache uses a modified regex ABI:
<drow> the problem is... posix says regoff_t == int
<drow> apache says it's an off_t
<drow> but off_t... off_t BAD!
<drow> off_t == changes size with LFS on
<drow> thus, bewm
-- Johnie Ingram <johnie@netgod.net>, Wed, 6 Dec 2000 15:18:14 -0800
|
