Recent repo updates: ModSecurity, XCache, httpd

January 23, 2008 by Jason · 55 Comments

I've been a bit lax over the past week or so, but there have been a few packages I've updated since the last post. On January 8th I updated XCache to 1.2.2. On January 15th I updated mod_security to eliminate the config bug that affected some 32-bit users. Finally, yesterday, January 22nd, I updated Apache's httpd to 2.2.8.

On that last one, there were two versions of httpd posted yesterday: "jason.2" and "jason.3". If you've got "jason.2" then I'd suggest you run another "yum update", as I decided to make a last-minute change to stomp out a possible initscript issue that may have affected some users. If you get a couple of warning messages during the upgrade you can ignore them; they aren't important and they won't come back once you are on "jason.3".

For those that like to build things by hand, the source RPMs for those three packages are below.

Update (9/24/2009): Packages deleted, use the yum repository instead.

Comments

55 Responses to “Recent repo updates: ModSecurity, XCache, httpd”
  1. toby says:

    Hi Jason, thanks for keeping things up to date, I've set up 2 new CentOS 5 machines in the past couple days & you've saved me a lot of time! Have you considered putting a PayPal "tip jar" on your site?

    One question... is there a reason you include proxy_ajp in your httpd build? Seems like a pretty specialized module to turn on by default. (I wish Apache had far less modules included by default anyway, I always spend quite a while turning off stuff I don't need...)

  2. Jason says:

    @toby,

    Many of the packages I provide are based on the spec files from Fedora Development and the Red Hat application stack. While there are a few exceptions, for the most part, if the upstream package has a feature, so does mine.

    As to the "tip jar", now that you mention it, I used to have one in the upper-right but it seems to have disappeared... Good catch!

  3. avtx30 says:

    Thanks, they work like a charm!

    avtx30 from http://www.nhatban.net

  4. iDaemon says:

    Hi, when I try to install RPM Xcache package it said

    [[email protected] tmp]# rpm -ivh php-xcache-1.2.2-jason.3.src.rpm
    1:php-xcache warning: user brewbuilder does not exist - using root
    warning: group brewbuilder does not exist - using root
    warning: user brewbuilder does not exist - using root
    warning: group brewbuilder does not exist - using root
    ########################################### [100%]
    warning: user brewbuilder does not exist - using root
    warning: group brewbuilder does not exist - using root

  5. iDaemon says:

    It works when I try "yum install php-xcache",

    but when I restart Apache it doesn't work because I have installed Zend 3.3.0 and it said it's not compatible with XCache.

    How can I solve this? thanks

  6. Jason says:

    @iDaemon,

    XCache 1.2.2 includes an update for dealing with uncachable content. Have you tried changing the load order? I would think that XCache would have to be loaded before ZendOptimizer and I don't believe that that would be the default.

  7. iDaemon says:

    Yes! Thanks Jason. XCache should be loaded before Zend, but by default it created a file in php.d, so I had to remove it and add it to php.ini.

  8. toby says:

    Hi Jason,

    First off, congrats on the engagement!

    I have a suggestion for your xcache package. Most RedHat packages I've seen that install web scripts (such as zabbix-web) do so under /var/www or /usr/share rather than /var/www/html, then include an httpd conf.d file to Alias that location.

    So for example, you could place the xcache web UI under /var/www/xcache or /usr/share/xcache (instead of /var/www/html/xcache), and then include /etc/httpd/conf.d/xcache.conf that contains "Alias /xcache /var/www/xcache".

    The reason for doing this is that DocumentRoot defaults to /var/www/html and placing the files underneath that directory could potentially interfere with the site's deployment. It also allows the sysadmin to modify the httpd .conf file to put the Alias on a different VirtualHost or whatever, in which case RPM won't overwrite it on updates.

    In my case, I don't want the xcache files under my main site in any way, so I've moved them and created an Alias in a separate VirtualHost that has additional security. But anytime yum updates that package it means I'll need to move the files again.

    Thanks,
    Toby

  9. Jason says:

    @toby,

    That's actually a really good idea as that would make the XCache admin section available to those using a control panel. I'll make that change in the next version.
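
    An added illustration of the layout toby describes above, not a file from the original package: the XCache admin UI lives outside DocumentRoot and is exposed through an Alias in a conf.d file, with the access controls a practitioner would want on an admin page. The file name, the /usr/share/xcache path, the htpasswd file and the 192.0.2.0/24 admin subnet are assumptions; the syntax is for Apache 2.2, the httpd version this post ships.

```apacheconf
# /etc/httpd/conf.d/xcache.conf  (hypothetical file; Apache 2.2 syntax)
# Serve the XCache admin UI from outside DocumentRoot and restrict it.
Alias /xcache /usr/share/xcache

<Directory /usr/share/xcache>
    Options None
    AllowOverride None

    # Network restriction: loopback plus an assumed admin subnet only.
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 ::1 192.0.2.0/24

    # Plus HTTP basic auth; create the file with
    #   htpasswd -c /etc/httpd/xcache.htpasswd admin
    AuthType Basic
    AuthName "XCache administration"
    AuthUserFile /etc/httpd/xcache.htpasswd
    Require valid-user

    # Both the network check and the credentials must pass.
    Satisfy All
</Directory>
```

    To pin the UI to one VirtualHost, as toby does, move the Alias and Directory block inside that <VirtualHost> rather than leaving them global. If the package marks this file %config(noreplace), rpm leaves a locally edited copy in place on update and writes the new default beside it as xcache.conf.rpmnew, which is what makes the edit survive "yum update".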

  10. toby says:

    Glad to hear it, thanks!

  11. Andres says:

    Hey Jason,

    Thanks for all your work supporting a great repo. I'm running a tomcat cluster behind httpd and am having a few problems. I think I read that you compiled with the prefork MPM is that correct? I need the worker MPM and want to confirm that I need to build from source.

    Cheers,
    Andres

  12. Andres says:

    I just learned about /etc/sysctl/httpd, so I guess I won't need to recompile. Thx again.

  13. Andres says:

    actually that's /etc/sysconfig/httpd for others that need to change the mpm

  14. Jason says:

    @Andres,

    Yes, as you already found out, the default MPM is 'prefork' but that can be changed to 'worker'. You'll be fine if you're only using httpd to proxy for back-end servers but I wouldn't suggest anyone switch if this is their only server as PHP (as compiled) is not thread-safe.

  15. skaffen says:

    Hi Jason

    I upgraded your Apache and mod_ssl packages from 2.2.6 to 2.2.8 with yum, on CentOS 5 a few days ago. Everything appeared to go smoothly, however it now seems that somehow the CA chain was broken by the update.

    We have a script that communicates via curl with a secure website. We now know the script started to fail after the update because it wasn't recognising the secure website's certificate as valid any more. Forcing curl to not check the validity of the cert made it work again. (BTW their cert *is* definitely valid!) At the moment my working hypothesis is that the updates somehow broke the CA chain for the SSL infrastructure, which is also used by curl.

    Reverting the updates with rpm -Uvh --oldpackage did not fix the problem.

    I notice from rpm -qpl mod_ssl-2.2.8-jason.3.x86_64.rpm that the package touches /etc/httpd/conf.d/ssl.conf

    however a diff with a backup shows the post-upgrade file to be identical to a known working copy.

    I'm really stumped. I don't see how your package could cause this breakage, but broken it definitely is. Do you have any thoughts?

  16. Jason says:

    I'm assuming that you've tested it with your browser and that it's valid, right?

    In any case, were you using the generic cert or a commercial one? If the generic then it may have been regenerated and is now no longer recognised. If commercial, check and see if it's still there.

  17. skaffen says:

    Hi Jason,

    Thanks for your response. The problem was not with our cert. We do have a commercial cert in place. That was unaffected. The problem is that someone else's perfectly valid cert is now being recognised as INvalid after updating httpd & mod_ssl 2.2.6 -> 2.2.8.

    Our working hypothesis is that somehow the CA chain has been broken by your package, though it is not clear how, so I wondered if you had any thoughts :)

    best wishes
    greg.

  18. Sam says:

    Hi Jason,

    Thanks for this excellent service! Any plans to include mod-security 2.5?

    Sam

  19. Jason says:

    @Sam,

    Yeah, I just haven't gotten around to it yet. I built packages this past week but haven't done what I would consider an acceptable level of testing. Hopefully early this week...

  20. I'm getting:
    Starting httpd: httpd: Syntax error on line 209 of /etc/httpd/conf/httpd.conf: Syntax error on line 5 of /etc/httpd/conf.d/mod_security.conf: Cannot load /etc/httpd/modules/mod_security2.so into server: /etc/httpd/modules/mod_security2.so: undefined symbol: ap_get_server_banner

    Installed mod_perl but still can't resolve this issue. Running CentOS 5 - any ideas?

  21. Jason says:

    @Ryan,

    Run "yum update mod_security" and make sure you get the version labeled 'jason.2'. The 'jason.1' version was up there for about 30 minutes and had a config bug for 64-bit systems.

  22. Hi!

    Thanks for the prompt reply. I sorted it by giving your repo a higher priority and then running a yum update.

    I have some priority system setup for different repositories you see.

    Thank you!!!

  23. paul says:

    There are several problems with your PHP, mod_security and XCache:

    1. mod_security-2.5.0 is not compatible with PHP 5.1, so for PHP 5.1 you need to install mod_security-2.1.4-1.

    2. I think PHP 5.2.5 has a bug with SSL, so if you have a shopping cart (Zen Cart) on your web site it will break your shopping cart.

    3. php-xcache is not compatible with Zend Optimizer, so if you want to install CubeCart with XCache, nothing will work.

    see: http://www.my-whiteboard.com/linux-admin/protect-your-web-server-from-security-attacks-using-modsecurity.html

  24. I have a CentOS 5 machine and I clone the hard drive every week. When I tested the clone machine it would no longer load my website. I get:
    "Bad Request

    Your browser sent a request that this server could not understand."

    When I remove this line from the mod_security configuration file "LoadModule unique_id_module modules/mod_unique_id.so" everything starts working again. I've updated to the latest version of mod_rewrite today from your repo but the same is happening.

    Again, please be aware this only happens on my cloned box, can you advise?

    Cheers
    Ryan

  25. Jason says:

    @paul,

    I do not use or distribute PHP 5.1.x so a lack of compatibility is not an issue to me. My packages are not designed to be used stand-alone so anyone using my mod_security 2.5 package should also be using my mysql 5.0.x, php 5.2.x, and httpd 2.2.x packages.

    As to an SSL bug, I don't know what you're talking about. If you can provide a link to the bug ticket or to a patch then I'll respin.

    Finally, as to compatibility with Zend Optimizer, ZO is trash and I don't recommend that people buy scripts that use it; Ioncube is better. To say though that XCache is not compatible is simply not true. They just need to be loaded in a specific order.

    @Ryan,

    That is really odd. Are both boxes identical? Those two files, are those identical on both boxes?

  26. Yes, it's an image of the original virtual image. The only thing different is when it gets its IP from DHCP. The 2nd machine, the one that is a copy of the original, obtains a different IP. Do you know anything more about the "mod_unique_id.so" module, maybe I need to regenerate something once the new IP has been attained?

    Thanks for the prompt response.

    Ryan

  27. It's because mod_unique_id.so does not allow you to browse a website by IP address; my second, imaged drive was accessible only via http://111.222.333.444 and that's why I was getting a bad request.

    Workaround: request http://111.222.333.444:80 and the page loads.

    thanks guys
    Ryan

  28. Lord Matt says:

    I too got the "...undefined symbol: ap_get_server_banner" error. All I want to do is stop some SOB from bringing my server to its knees with a DDoS designed to deliver comment and trackback spam that my PHP scripts filter out anyway. After 3 full days of a dead server I was starting to get desperate and saw this mod_security as a golden bullet... my bad.

    Is there anywhere I can get an unbroken version where I don't have to install a custom version of everything on the server?

    Cheers.

  29. Sheen Austin says:

    Hi Jason,
    Been trying to install mod_security on Centos 5.
    Here's my uname -a Linux 2.6.18-53.1.14.el5 #1 SMP Wed Mar 5 11:36:49 EST 2008 i686 i686 i386 GNU/Linux.
    However, when i try restarting apache after installing mod_security it fails with this error:
    "Starting httpd: httpd: Syntax error on line 210 of /etc/httpd/conf/httpd.conf: Syntax error on line 5 of /etc/httpd/conf.d/mod_security.conf: Cannot load /etc/httpd/modules/mod_security2.so into server: /etc/httpd/modules/mod_security2.so: undefined symbol: ap_get_server_banner"
    Would you know why this happens?

    Sheen.

  30. Jason says:

    @"Lord" Matt,

    The version of mod_security I provide is not "broken", it is simply compiled against a newer version of httpd than is installed on your system. If you want to use it on your system without updating httpd then download my source rpm and build it yourself.

    @Sheen Austin,

    You cannot install just my mod_security package as it is compiled against a newer version of httpd than comes with CentOS 5. You can either use my yum repo to update httpd, php, and mysql on your system or download the Source RPM for mod_security and rebuild it for your version of httpd.
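
    The "undefined symbol: ap_get_server_banner" failure in comments 20, 21 and 28 through 30 is a module/server mismatch: the .so was linked against a newer httpd, and the stock CentOS 5 httpd 2.2.3 does not export that symbol, so the dynamic loader refuses the module at startup. The following script is an added check, not part of the original post or of the packages it describes: it runs nm -D on a module and on the httpd binary and reports every ap_* symbol the module imports that the server does not define, so you can tell before restarting whether a module will load. The module and httpd paths and the embedded nm excerpts are constructed assumptions, not real dumps.

```python
"""Report ap_* symbols an Apache module imports that the httpd binary
does not export (the cause of "undefined symbol: ap_..." at startup)."""
import re
import subprocess
from typing import Iterable, List, Set, Tuple

# One `nm -D` line: optional hex address, a symbol-type letter, the name.
NM_LINE = re.compile(r"^(?:[0-9a-fA-F]+\s+)?([A-Za-z?])\s+(\S+)$")


def parse_nm(output: str) -> Tuple[Set[str], Set[str]]:
    """Split `nm -D` text into (defined, undefined) symbol-name sets."""
    defined, undefined = set(), set()
    for raw in output.splitlines():
        m = NM_LINE.match(raw.strip())
        if not m:
            continue
        kind, name = m.groups()
        name = name.split("@", 1)[0]  # drop version suffix, e.g. foo@GLIBC_2.2.5
        # U = undefined, w/v = weak undefined; everything else is defined here.
        (undefined if kind in ("U", "w", "v") else defined).add(name)
    return defined, undefined


def missing_core_symbols(module_nm: str, httpd_nm: str,
                         prefixes: Iterable[str] = ("ap_",)) -> List[str]:
    """ap_* symbols the module needs that this httpd does not export.

    Only core httpd symbols are compared: apr_*/apu_* are resolved from
    libapr and libaprutil and would need a separate check against those."""
    httpd_defined, _ = parse_nm(httpd_nm)
    _, module_undefined = parse_nm(module_nm)
    pfx = tuple(prefixes)
    return sorted(s for s in module_undefined
                  if s.startswith(pfx) and s not in httpd_defined)


def check_module(module_path: str,
                 httpd_path: str = "/usr/sbin/httpd") -> List[str]:
    """Live check: nm -D both files (assumed paths) and return the mismatch list."""
    def nm(path: str) -> str:
        return subprocess.run(["nm", "-D", path], check=True,
                              capture_output=True, text=True).stdout
    return missing_core_symbols(nm(module_path), nm(httpd_path))


# Constructed nm -D excerpts (not real dumps): a mod_security2.so built
# against httpd 2.2.8, and the exports of a stock 2.2.3 httpd binary.
SAMPLE_MODULE_NM = """\
                 U ap_get_server_banner
                 U ap_hook_post_config
                 U ap_log_error
                 U apr_pool_create
                 U apr_table_get
                 w __gmon_start__
0000000000012a40 T security2_module
"""

SAMPLE_HTTPD_223_NM = """\
00000000000a1f20 T ap_get_server_version
0000000000061b30 T ap_hook_post_config
0000000000072c10 T ap_log_error
                 U apr_pool_create
"""

# Constructed: the same server plus the symbols a 2.2.8 build exports.
SAMPLE_HTTPD_228_NM = SAMPLE_HTTPD_223_NM + """\
00000000000a1f80 T ap_get_server_banner
00000000000a1fe0 T ap_get_server_description
"""

if __name__ == "__main__":
    print("vs 2.2.3:", missing_core_symbols(SAMPLE_MODULE_NM, SAMPLE_HTTPD_223_NM))
    print("vs 2.2.8:", missing_core_symbols(SAMPLE_MODULE_NM, SAMPLE_HTTPD_228_NM))
    # Live use: check_module("/etc/httpd/modules/mod_security2.so")
```

    Against the constructed 2.2.3 exports the script names ap_get_server_banner as the one missing symbol, which matches the error text quoted in the thread; against the 2.2.8 exports the list is empty. On a real box, an empty list from check_module() means the module's core symbols resolve; a non-empty one means you need either the matching httpd package or a module rebuilt from the source RPM against your own httpd, exactly as Jason advises.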

  31. Sheen Austin says:

    Hi Jason,
    You were right. I installed the older version of mod_security and all is well.

    Thanks!

    Sheen.

  32. DerFalk says:

    Hi, what about the new mod_security 2.5.3? will there be an update soon?
    Thanx and great work!!!

  33. Jason says:

    @DerFalk,

    I'll take a look at that tomorrow. I like to run them myself before kicking them out to others so you can expect it Friday or Monday.

  34. Sheen,

    You said that you installed an older version. Where did you get it?

    Slava

  35. mdkerman says:

    Jason,

    Installed httpd-2.2.8-jason.3.i386.rpm and mod_security-2.5.0-jason.2.i386.rpm and it is up and working, THANKS.

    Did you build modsecurity-2.5 with the mlogc option / module?

    Also is httpd-devel-2.2.8-jason.3.i386.rpm required for modsecurity to run? To compile from source?

    Thanks again for making the rpm's available.

    Mark

  36. Jeff says:

    I am running RHEL4 and want to update the stock httpd.
    Will updating to your repos via up2date destroy the custom settings I have done in the httpd.conf file?

  37. lordbarron says:

    Hi dude, I yum updated my PHP with your repository and I did the usual box restart and to my horror it turned off my Apache web server and I am unable to restart it through Plesk. It keeps giving me a file not found error, something like this:

    Failed to restart the "httpd" service.
    Cannot start/stop/restart service: Stopping httpd: [FAILED]
    Starting httpd: httpd: Syntax error on line 147 of /etc/httpd/conf/httpd.conf: Cannot load /etc/httpd/modules/mod_access.so into server: /etc/httpd/modules/mod_access.so: cannot open shared object file: No such file or directory
    [FAILED]

    I am clueless, any advice would go down a treat.

  38. Jeff says:

    lordbarron, it seems like the updates here are a package deal. You need to update httpd/php/mysql all together with the files here, to get them working. The packages all rely on something the other provides. Try updating httpd and php from the jasonlitka repository. If that does not work, try to rollback the updates.

  39. lordbarron says:

    Hi Jeff, so I updated the other apps and things took a turn for the worse. My Plesk control panel won't load properly, and I'm often not being allowed access to SSH via root.
    My Joomla sites seem to be working fine but my ihtelevision.com site has crashed and burned. I've checked and double-checked the addresses to the directory extensions it reports as broken but they are there both physically and pointed to in the php.ini.

    Anyway, I did not know you could roll back on yum. I have since discovered how this is done but alas you need to, crucially, know this before you update.

    My Apache is running anything up to 12 instances of itself, is this right? My limit is 250 simultaneous connections, so 250 x 12 is A LOT... I know my site would struggle to muster up 250 visitors at any one time.

    your advice has been gold thus far, I hope you can continue to help me out here.

    Regards,

    lb

  40. linuxamp says:

    Do you still recommend xcache 1.0.x for PHP4 or does this 1.2.2 update resolve the issues you mentioned here:
    http://www.jasonlitka.com/2007/01/30/how-to-compiling-xcache-from-source/

  41. James says:

    Jeff, thanks for doing what you do, it's made my life so much easier. Anyway, I have a question for you because I'm confused on an issue. I'm running CentOS 5.2 which was fully updated by the CentOS repo as of Monday July 7th, then I switched to your repo and did a full yum. When I ran a scan (PCI, which I hate, but that's another story) everything went smoothly without any problems until I got my results. When I look at the applications and ports section of the report, for port 80 it shows "Apache 2.1.1 - 2.2.3 HTTP" but for 443 I get "Apache 2.2.8 HTTP". Shouldn't they both show 2.2.8, or am I wrong?

  42. T says:

    Hey Jason -
    I'm using your latest php and httpd rpms on a pretty fresh centos5 machine. I've been noticing a lot "...Segmentation fault (11)" in the error log. Wondering if you've come across this. I only ask because I'm using your rpms... I just thought I would see if there was anything to be aware of before I go debugging things.
    Thanks!

  43. Hi, what about the new mod_security 2.5.3?
    Will there be an update soon?
    Thanx and great work!!!

  44. Greg says:

    Hi Jason,

    Thanks a bunch for these updates, they seem to work great. I had one question about mod_security though: while I was able to install it successfully, I need to configure it as it is not letting me upload files to my site via http. I tried looking for some type of config file on my server, but didn't have any luck. That being said, where would one find the mod_security config file(s) so I can allow http file uploads?

  45. Greg says:

    Nevermind, I found the configuration file and the part that is being problematic with my file uploads. Now I just need to figure out how to make a rule to allow the files without commenting the whole thing out :).

  46. flaco says:

    Very useful repository!
    I wait for httpd-2.2.9, which fix several bugs.

    Bye

  47. Rudy says:

    I've been trying to debug a problem on my web server for a while and I found that the problem is in the httpd package you supply. The HTTP server can't do resolving. I have double- and triple-checked my settings (resolv.conf, DNS, etc.); it works with the default CentOS 2.2.3 and not with yours. It could be because of a wrong switch in the configuration or missing bind headers on the compile machine, but basically httpd can't resolve using the DNS API, but if I put the hosts in /etc/hosts it can. The problem manifests itself when using PHP fsockopen or when using a reverse proxy where the proxy target is a hostname and not an IP.

    hope you can reproduce it and fix the problem.
    sorry I have posted it here as a comment but I couldn't find a link to a bug report system...

    Thanks in advance,

    Rudy

  48. Asai says:

    Hi Jason,

    Thank you for all your hard work. Do you think we will have a RPM of 2.2.9 soon?

    Thanks.

  49. bdobyns says:

    Jason, great work here.

    In your reply to LordMatt, you suggested "If you want to use it on your system without updating httpd then download my source rpm and build it yourself" which is always sane advice.

    Like Asai, I need 2.2.9 (has some fixes that our application stack needs). So I was going to start with your 2.2.8 spec ...

    However, I can't find your source rpms to download. I'm sure I'm just being exceptionally dense this morning.

  50. Andrew says:

    Jason,

    I reinstalled mod_security a few times, but cannot get rid of this error:

    /usr/local/psa/admin/sbin/websrvmng -a -v

    httpd: Syntax error on line 201 of /etc/httpd/conf/httpd.conf: Cannot load /etc/httpd/modules/mod_security2.so into server: /etc/httpd/modules/mod_security2.so: undefined symbol: ap_get_server_banner

    any ideas how to fix this?

Trackbacks

Check out what others are saying about this post...
  1. Protect Your Web Server from Security Attacks using ModSecurity | my-whiteboard says:

    [...] http://www.jasonlitka.com/2008/01/23/recent-repo-updates-modsecurity-xcache-httpd/ [...]


