2 Replies Latest reply: Jan 9, 2013 3:01 AM by zzTontozz
zzTontozz Level 1 Level 1 (0 points)

Folks,

 

I have installed the latest version of OS X Mountain Lion and the corresponding OSX Lion Server.

After quite a process I managed to update PHP to the latest 5.4.10 (albeit sans internationalisation).

 

However, I haven't found a detailed set of steps via Google on how to manually update the Apache web server on this type of system.

The installed version of Apache is 2.2.22. On 2012-09-13 Apache released 2.2.23 which fixes some potential security vulnerabilities.

Given that security is an important consideration for a server I would like to update the apache web server.

 

Could someone please post the ./configure steps etc to do this?

 

I am primarily using the server on a Mac Mini for an Intranet. So, would it be better to install Apache 2.4.3 (released 2012-08-21) instead of Apache 2.2.2?

Or are the differences to great that it would break the system? Why does Apache have two different versions for a product that does the same thing?

Please advise. Thanks,

 

Regards,

 

Tony


Mac mini, OS X Server
  • 1. Re: How to Update Apache on OS X Mountain Lion Server?
    Camelot Level 8 Level 8 (45,790 points)

    Given that security is an important consideration for a server I would like to update the apache web server.

     

    Maybe. Did you check the changelist to see what's new? It seems like a possible XSS flaw in mod_negotiation and MultiViews (both of which can be configured in httpd.cond) and a local path escalation issue (which isn't exploitable remotely).
    My point is that, yes, security is important, but that doesn't mean you have to jump all over every update.

     

    Could someone please post the ./configure steps etc to do this?

     

    Run:

     

    httpd -V

     

    This will show Apache's standard version data, including the compile options.

     

    You may be able to ./configure the latest Apache 2.2.x version as a drop-in replacement for Apple's version, but may have more trouble with 2.4.x

     

    If you really want 2.4.x then your best option is to install a parallel version in your own directory and run that, eschewing Apple's solution (including the GUI 'control').

     

    Or are the differences to great that it would break the system? Why does Apache have two different versions for a product that does the same thing?

     

    Apache have always maintained multiple versions/branches of httpd. 2.4 introduces new concepts and, potentially, incompatibilities. They maintain the previous version so that you can continue using (and trusting) it while newer versions are tested for compatibility. It's similar to how Apple continue to provide OS support for Lion even though Mountain Lion is the 'current' version.

  • 2. Re: How to Update Apache on OS X Mountain Lion Server?
    zzTontozz Level 1 Level 1 (0 points)

    Thanks. I was kinda hoping someone else had done the hard yards though as I am fairly new to this.

    Agreed, sticking to the 2.2.x versions sounds a better way to go.

     

    Doing a httpd -V reveals the following:

     

    Server version: Apache/2.2.22 (Unix)

    Server built:   Aug 28 2012 17:47:11

    Server's Module Magic Number: 20051115:30

    Server loaded:  APR 1.4.5, APR-Util 1.3.12

    Compiled using: APR 1.4.5, APR-Util 1.3.12

    Architecture:   64-bit

    Server MPM:     Prefork

      threaded:     no

        forked:     yes (variable process count)

    Server compiled with....

    -D APACHE_MPM_DIR="server/mpm/prefork"

    -D APR_HAS_SENDFILE

    -D APR_HAS_MMAP

    -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)

    -D APR_USE_FLOCK_SERIALIZE

    -D APR_USE_PTHREAD_SERIALIZE

    -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT

    -D APR_HAS_OTHER_CHILD

    -D AP_HAVE_RELIABLE_PIPED_LOGS

    -D DYNAMIC_MODULE_LIMIT=128

    -D HTTPD_ROOT="/usr"

    -D SUEXEC_BIN="/usr/bin/suexec"

    -D DEFAULT_PIDLOG="/private/var/run/httpd.pid"

    -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"

    -D DEFAULT_LOCKFILE="/private/var/run/accept.lock"

    -D DEFAULT_ERRORLOG="logs/error_log"

    -D AP_TYPES_CONFIG_FILE="/private/etc/apache2/mime.types"

    -D SERVER_CONFIG_FILE="/private/etc/apache2/httpd.conf"