Update to apache 2.4.27

- Updated to apache 2.4
- Updated the htpasswd generation to use the more secure bcrypt algorithm

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>

config/httpd/httpd.conf

@@ -65,7 +65,6 @@ Include /etc/httpd/conf/global.conf
 
 # associate MIME types with filename extensions
 TypesConfig /etc/mime.types
-DefaultType text/plain
 
 # global (server-wide) SSL configuration, that is not specific to 
 # any virtual host
@@ -80,8 +79,7 @@ Include /etc/httpd/conf/ssl-global.conf
 AccessFileName .htaccess
 # and never show them
 <Files ~ "^\.ht">
-    Order allow,deny
-    Deny from all
+    Require all denied
 </Files>
 
 # List of resources to look for when the client requests a directory

config/httpd/loadmodule.conf

@@ -1,8 +1,11 @@
 LoadModule authn_file_module /usr/lib/apache/mod_authn_file.so
+LoadModule unixd_module /usr/lib/apache/mod_unixd.so
 #LoadModule authn_dbm_module /usr/lib/apache/mod_authn_dbm.so
 #LoadModule authn_anon_module /usr/lib/apache/mod_authn_anon.so
 #LoadModule authn_dbd_module /usr/lib/apache/mod_authn_dbd.so
 #LoadModule authn_default_module /usr/lib/apache/mod_authn_default.so
+LoadModule authn_core_module /usr/lib/apache/mod_authn_core.so
+LoadModule authz_core_module /usr/lib/apache/mod_authz_core.so
 LoadModule authz_host_module /usr/lib/apache/mod_authz_host.so
 #LoadModule authz_groupfile_module /usr/lib/apache/mod_authz_groupfile.so
 LoadModule authz_user_module /usr/lib/apache/mod_authz_user.so
@@ -10,7 +13,7 @@ LoadModule authz_user_module /usr/lib/apache/mod_authz_user.so
 #LoadModule authz_owner_module /usr/lib/apache/mod_authz_owner.so
 #LoadModule authz_default_module /usr/lib/apache/mod_authz_default.so
 LoadModule auth_basic_module /usr/lib/apache/mod_auth_basic.so
-LoadModule auth_digest_module /usr/lib/apache/mod_auth_digest.so
+#LoadModule auth_digest_module /usr/lib/apache/mod_auth_digest.so
 #LoadModule dbd_module /usr/lib/apache/mod_dbd.so
 #LoadModule dumpio_module /usr/lib/apache/mod_dumpio.so
 #LoadModule ext_filter_module /usr/lib/apache/mod_ext_filter.so
@@ -33,10 +36,10 @@ LoadModule setenvif_module /usr/lib/apache/mod_setenvif.so
 LoadModule mime_module /usr/lib/apache/mod_mime.so
 #LoadModule dav_module /usr/lib/apache/mod_dav.so
 #LoadModule status_module /usr/lib/apache/mod_status.so
-LoadModule autoindex_module /usr/lib/apache/mod_autoindex.so
+#LoadModule autoindex_module /usr/lib/apache/mod_autoindex.so
 #LoadModule asis_module /usr/lib/apache/mod_asis.so
 #LoadModule info_module /usr/lib/apache/mod_info.so
-LoadModule cgi_module /usr/lib/apache/mod_cgi.so
+LoadModule cgid_module /usr/lib/apache/mod_cgid.so
 #LoadModule dav_fs_module /usr/lib/apache/mod_dav_fs.so
 #LoadModule vhost_alias_module /usr/lib/apache/mod_vhost_alias.so
 #LoadModule negotiation_module /usr/lib/apache/mod_negotiation.so
@@ -47,5 +50,6 @@ LoadModule dir_module /usr/lib/apache/mod_dir.so
 #LoadModule userdir_module /usr/lib/apache/mod_userdir.so
 LoadModule alias_module /usr/lib/apache/mod_alias.so
 LoadModule rewrite_module /usr/lib/apache/mod_rewrite.so
+LoadModule socache_shmcb_module /usr/lib/apache/mod_socache_shmcb.so
 LoadModule ssl_module /usr/lib/apache/mod_ssl.so
 LoadModule php5_module /usr/lib/apache/libphp5.so

config/httpd/server-tuning.conf

@@ -17,10 +17,11 @@ MaxKeepAliveRequests 100
 #
 KeepAliveTimeout 15
 
-MinSpareServers 1
-MaxSpareServers 10
+MinSpareThreads 1
+MaxSpareThreads 20
 StartServers 2
-MaxClients 256
+MaxRequestWorkers 256
+ThreadsPerChild 16
 
 #
 # The following directives modify normal HTTP response behavior to

config/httpd/ssl-global.conf

@@ -39,11 +39,6 @@
 	SSLSessionCache         shmcb:/var/log/httpd/ssl_scache(512000)
 	SSLSessionCacheTimeout  900
 
-	#   Semaphore:
-	#   Configure the path to the mutual exclusion semaphore the
-	#   SSL engine uses internally for inter-process synchronization. 
-	SSLMutex  file:/var/log/httpd/ssl_mutex
-
 	#   Pseudo Random Number Generator (PRNG):
 	#   Configure one or more sources to seed the PRNG of the 
 	#   SSL library. The seed data should be of good random quality.

config/httpd/vhosts.d/ipfire-interface-ssl.conf

@@ -17,8 +17,7 @@
     <Directory /srv/web/ipfire/html>
         Options ExecCGI
         AllowOverride None
-        Order allow,deny
-        Allow from all
+        Require all granted
     </Directory>
     <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)">
         AuthName "IPFire - Restricted"
@@ -34,13 +33,11 @@
         AuthType Basic
         AuthUserFile /var/ipfire/auth/users
         Require user admin
-         <Files chpasswd.cgi>
-            Satisfy Any
-            Allow from All
+        <Files chpasswd.cgi>
+            Require all granted
         </Files>
         <Files webaccess.cgi>
-            Satisfy Any
-            Allow from All
+            Require all granted
         </Files>
         <Files dial.cgi>
             Require user admin
@@ -71,16 +68,14 @@
 	<Directory /var/updatecache>
 		 Options ExecCGI
 		 AllowOverride None
-		 Order deny,allow
-		 Allow from all
+		 Require all granted
 	</Directory>
 
     Alias /repository/ /var/urlrepo/
 	<Directory /var/urlrepo>
 		 Options ExecCGI
 		 AllowOverride None
-		 Order deny,allow
-		 Allow from all
+		 Require all granted
 	</Directory>
 
     Alias /proxy-reports/ /var/log/sarg/

config/httpd/vhosts.d/ipfire-interface.conf

@@ -9,8 +9,7 @@
     <Directory /srv/web/ipfire/html>
         Options ExecCGI
         AllowOverride None
-        Order allow,deny
-        Allow from all
+        Require all granted
     </Directory>
     <DirectoryMatch "/srv/web/ipfire/html/(graphs|sgraph)">
         AuthName "IPFire - Restricted"
@@ -27,12 +26,10 @@
         AuthUserFile /var/ipfire/auth/users
         Require user admin
          <Files chpasswd.cgi>
-            Satisfy Any
-            Allow from All
+            Require all granted
         </Files>
         <Files webaccess.cgi>
-            Satisfy Any
-            Allow from All
+            Require all granted
         </Files>
         <Files dial.cgi>
             Require user admin
@@ -50,15 +47,13 @@
 	<Directory /var/updatecache>
 		 Options ExecCGI
 		 AllowOverride None
-		 Order deny,allow
-		 Allow from all
+		 Require all granted
 	</Directory>
     Alias /repository/ /var/urlrepo/
 	<Directory /var/urlrepo>
 		 Options ExecCGI
 		 AllowOverride None
-		 Order deny,allow
-		 Allow from all
+		 Require all granted
 	</Directory>
     Alias /wpad.dat /srv/web/ipfire/html/proxy.pac
 </VirtualHost>

config/httpd/vhosts.d/nagios.conf

@@ -16,11 +16,8 @@ ScriptAlias /nagios/cgi-bin "/usr/share/nagios/cgi-bin"
 #  SSLRequireSSL
    Options ExecCGI
    AllowOverride None
-   Order allow,deny
-   Allow from all
-#  Order deny,allow
-#  Deny from all
-#  Allow from 127.0.0.1
+#  Require all granted
+#  Require ip 127.0.0.1
    AuthName "Nagios Access"
    AuthType Basic
    AuthUserFile /etc/nagios/htpasswd.users
@@ -33,11 +30,8 @@ Alias /nagios "/usr/share/nagios"
 #  SSLRequireSSL
    Options None
    AllowOverride None
-   Order allow,deny
-   Allow from all
-#  Order deny,allow
-#  Deny from all
-#  Allow from 127.0.0.1
+#  Require all granted
+#  Require ip 127.0.0.1
    AuthName "Nagios Access"
    AuthType Basic
    AuthUserFile /etc/nagios/htpasswd.users

config/httpd/vhosts.d/openmailadmin.conf

@@ -9,8 +9,7 @@ Listen 1001
 	<Directory /srv/web/openmailadmin>
 		Options +FollowSymlinks
 		AllowOverride None
-		Order allow,deny
-		Allow from all
+		Require all granted
 	</Directory>
 	
 </VirtualHost>

config/icinga/icinga.conf

@@ -15,9 +15,6 @@ Listen 1010
 		AuthType Basic
 		AuthUserFile /etc/icinga/htpasswd.users
 
-		Order allow,deny
-		Allow from all
-
 		Require valid-user
 	</Directory>
 
@@ -29,9 +26,6 @@ Listen 1010
 		AuthType Basic
 		AuthUserFile /etc/icinga/htpasswd.users
 
-		Order allow,deny
-		Allow from all
-
 		Require valid-user
 	</Directory>
 </VirtualHost>

config/nagiosql/nagios.conf

@@ -16,11 +16,8 @@ ScriptAlias /nagios/cgi-bin "/usr/share/nagios/cgi-bin"
 #  SSLRequireSSL
    Options ExecCGI
    AllowOverride None
-   Order allow,deny
-   Allow from all
-#  Order deny,allow
-#  Deny from all
-#  Allow from 127.0.0.1
+#  Require all granted
+#  Require ip 127.0.0.1
    AuthName "Nagios Access"
    AuthType Basic
    AuthUserFile /etc/nagios/htpasswd.users
@@ -33,11 +30,8 @@ Alias /nagios "/usr/share/nagios"
 #  SSLRequireSSL
    Options None
    AllowOverride None
-   Order allow,deny
-   Allow from all
-#  Order deny,allow
-#  Deny from all
-#  Allow from 127.0.0.1
+#  Require all granted
+#  Require ip 127.0.0.1
    AuthName "Nagios Access"
    AuthType Basic
    AuthUserFile /etc/nagios/htpasswd.users
@@ -50,8 +44,7 @@ Alias /nagiosql "/usr/share/nagiosql"
    include /etc/httpd/conf/conf.d/php*.conf
    Options None
    AllowOverride None
-   Order allow,deny
-   Allow from all
+   Require all granted
 </Directory>
 
 </VirtualHost>

config/owncloud/owncloud.conf

@@ -15,7 +15,6 @@ Listen 1011
 	<Directory /srv/web/owncloud>
 		Options Indexes FollowSymlinks MultiViews
 		AllowOverride ALL
-		Order allow,deny
-		Allow from all
+		Require all granted
 	</Directory>
 </VirtualHost>

config/php/php.ini

@@ -533,7 +533,7 @@ doc_root =
 user_dir =
 
 ; Directory in which the loadable extensions (modules) reside.
-extension_dir = "/usr/lib/php/extensions/no-debug-non-zts-20090626/"
+extension_dir = "/usr/lib/php/extensions/no-debug-zts-20090626/"
 
 ; Whether or not to enable the dl() function.  The dl() function does NOT work
 ; properly in multithreaded servers, such as IIS or Zeus, and is automatically

config/phpSANE/phpSANE.conf

@@ -9,8 +9,7 @@ Listen 1003
 	<Directory /srv/web/phpSANE>
 		Options None
 		AllowOverride None
-		Order allow,deny
-		Allow from all
+		Require all granted
 	</Directory>
 	
 </VirtualHost>

config/rootfiles/common/php

@@ -522,9 +522,9 @@ usr/lib/php/XML/Util.php
 usr/lib/php/doc/XML_Util/examples/example.php
 usr/lib/php/doc/XML_Util/examples/example2.php
 #usr/lib/php/extensions
-#usr/lib/php/extensions/no-debug-non-zts-20090626
-usr/lib/php/extensions/no-debug-non-zts-20090626/dba.so
-usr/lib/php/extensions/no-debug-non-zts-20090626/idn.so
+#usr/lib/php/extensions/no-debug-zts-20090626
+usr/lib/php/extensions/no-debug-zts-20090626/dba.so
+usr/lib/php/extensions/no-debug-zts-20090626/idn.so
 #usr/lib/php/pearcmd.php
 #usr/lib/php/peclcmd.php
 #usr/lib/php/test
@@ -557,4 +557,3 @@ usr/lib/php/extensions/no-debug-non-zts-20090626/idn.so
 #usr/man/man1/php-config.1
 #usr/man/man1/php.1
 #usr/man/man1/phpize.1
-etc/httpd/conf/conf.d/php5.conf

lfs/apache2

@@ -25,27 +25,30 @@
 
 include Config
 
-VER        = 2.2.29
+VER        = 2.4.27
 
 THISAPP    = httpd-$(VER)
 DL_FILE    = $(THISAPP).tar.bz2
-DL_FROM    = $(URL_IPFIRE)
+DL_FROM    = https://archive.apache.org/dist/httpd
+
 DIR_APP    = $(DIR_SRC)/$(THISAPP)
 
 TARGET     = $(DIR_INFO)/$(THISAPP)
 
+DEPS       = "aprutil pcre"
+
 ###############################################################################
 # Top-level Rules
 ###############################################################################
 
 objects = $(DL_FILE) \
-	httpd-2.2.2-config-1.patch
+	PR61382-Fix.patch
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-httpd-2.2.2-config-1.patch = $(DL_FROM)/httpd-2.2.2-config-1.patch
+PR61382-Fix.patch = ${DL_FROM}/patches/apply_to_2.4.27/PR61382-Fix.patch
 
-$(DL_FILE)_MD5 = 579342fdeaa7b8b68d17fee91f8fab6e
-httpd-2.2.2-config-1.patch_MD5 = e02a3ec5925eb9e111400b9aa229f822
+$(DL_FILE)_MD5 = 97b6bbfa83c866dbe20ef317e3afd108
+PR61382-Fix.patch_MD5 = 5c1107bb1f399419574d983ce103c99a
 
 install : $(TARGET)
 
@@ -75,7 +78,7 @@ $(subst %,%_MD5,$(objects)) :
 $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	@$(PREBUILD)
 	@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar jxf $(DIR_DL)/$(DL_FILE)
-	cd $(DIR_APP) && patch -Np1 -i $(DIR_DL)/httpd-2.2.2-config-1.patch
+	cd $(DIR_APP) && patch -Np0 -i $(DIR_DL)/PR61382-Fix.patch
 
 	### Add IPFire's layout, too
 	echo "# IPFire layout" >> $(DIR_APP)/config.layout
@@ -103,14 +106,15 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	echo "</Layout>" >> $(DIR_APP)/config.layout
 
 	cd $(DIR_APP) && ./configure --enable-layout=IPFire \
-				--enable-ssl --enable-mods-shared=all --enable-proxy --with-apr=/usr --with-apr-util=/usr
+				--enable-ssl --enable-mods-shared=all --enable-proxy --with-mpm=event
 	cd $(DIR_APP) && make $(MAKETUNING)
 	cd $(DIR_APP) && make install
 	chown -v root:root /usr/lib/apache/httpd.exp \
-	    /usr/sbin/{apxs,apachectl,dbmmanage,envvars{,-std}} \
-	    /usr/share/man/man1/{dbmmanage,ht{dbm,digest,passwd,txt2dbm}}.1 \
-	    /usr/share/man/man8/{ab,apachectl,apxs,htcacheclean,httpd}.8 \
-	    /usr/share/man/man8/{logresolve,rotatelogs,suexec}.8
+	    /usr/bin/{apxs,dbmmanage} \
+	    /usr/sbin/apachectl \
+	    /usr/share/man/man1/{ab,apxs,dbmmanage,ht{dbm,digest,passwd,txt2dbm},logresolve}.1 \
+	    /usr/share/man/man8/{apachectl,htcacheclean,httpd}.8 \
+	    /usr/share/man/man8/{rotatelogs,suexec}.8
 
 	# Install apache config
 	cp -rf $(DIR_CONF)/httpd/* /etc/httpd/conf

src/setup/passwords.c

@@ -56,7 +56,7 @@ int handleadminpassword(void)
 		return 0;
 	
 	snprintf(commandstring, STRING_SIZE,
-		"/usr/sbin/htpasswd -c -m -b " CONFIG_ROOT "/auth/users admin '%s'", password);
+		"/usr/bin/htpasswd -c -B -C 7 -b " CONFIG_ROOT "/auth/users admin '%s'", password);
 	sprintf(message, _("Setting %s 'admin' user password..."), NAME);
 	if (runhiddencommandwithstatus(commandstring, _("Setting password"), message, NULL)) {
 		sprintf(message, _("Problem setting %s 'admin' user password."), NAME);