daytoncreative

Q: apache update

Apache just updated again two days ago. When will Apple update this? It is getting very hard to stay PCI compliant when Apple seems to be months behind on their updates. It was never this way a few years ago. Does anyone have good step-by-step instructions on compiling Apache on OSX Server just as Apple does?

Mac OS X (10.6.8)

Posted on Feb 2, 2012 10:34 AM

  • by Camelot,

    Camelot, Feb 2, 2012 11:19 AM in response to daytoncreative
    Level 8 (47,243 points)
    Mac OS X

    When will Apple update this?

    No clue. No one outside of Apple (and maybe not within Apple, either) can predict when Apple will incorporate open source project updates in a Mac OS X software/security update, especially since they just released an OS update yesterday.

    If the updates are important to you (and, to be honest, I don't see anything in the release notes that screams UPDATE NOW!!!, but then again I don't have to deal with PCI compliance issues) then you should probably look to install (and maintain) your own Apache installation.

    As one of the most widely used open source products, it's pretty simple to download and build Apache. You can even build one that eliminates the cruft that Apple builds in.

    You can easily see the compile options that Apple used by simply running:

    httpd -V

    That will at least get you an equivalent version.

  • by daytoncreative,

    daytoncreative, Feb 2, 2012 12:31 PM in response to Camelot
    Level 1 (0 points)

    Yeah, I have been building my Apache web servers running 10.5. Just have not attempted it yet on 10.6 server. I just find it frustrating that the same day Apple updated Apache to the latest 2.2.21, the same day Apache issues 2.2.22. The only issue is some of my servers I must keep PCI compliant, and anytime Apache does an update, that makes it fail.

  • by Camelot,

    Camelot, Feb 2, 2012 1:54 PM in response to daytoncreative
    Level 8 (47,243 points)
    Mac OS X

    In general there's no difference between compiling Apache on 10.6 vs. 10.6.

     

    You might also want to go re-read the PCI specs. There's nothing in there that I'm aware of that says you have to update Apache within hours or days of an update from them. Indeed, if you take the specs literally, any updates would need to be implemented in a lab environment and re-tested/re-certified before moving to a production environment 'in a timely manner'. There's nothing to say whether that timely manner is hours, days, weeks or even months. I am not a PCI specialist, though, so what do I know?

  • by daytoncreative,

    daytoncreative, Feb 2, 2012 2:39 PM in response to Camelot
    Level 1 (0 points)

    I agree with you. The issue is the website that all the banks and merchant account holders use is www.securitymetrics.com. And literally within an hour of Apache updating, already my servers are failing due to the updated Apache. So the very next day our customers are screaming to get it fixed because they will get charged more % on their transactions if it's not compliant. It just seems to get worse by the day. It would be helpful if I could find the exact ./config command that Apple used so that everything matches like my previous OSX servers. I am going to try it on a 10.6 server later tonight. I don't even use the Server Admin, I do it all CML, but I still don't want to break anything.

  • by TAHNHS,

    TAHNHS, Feb 28, 2012 3:31 PM in response to daytoncreative
    Level 1 (0 points)

    I'm trying to solve the same problem. I used this configure command:

    ./configure --enable-layout=Darwin --sysconfdir=/private/etc/apache2 --localstatedir=/private/var --with-suexec-bin=/usr/bin/suexec

    After the make I compared the output from /usr/sbin/httpd -V and ./httpd -V and it is identical except for the version and build date. Is everything else the same? I don't know, but this may help you take the next step.

  • by TAHNHS,

    TAHNHS, Feb 28, 2012 4:37 PM in response to TAHNHS
    Level 1 (0 points)

    I took the next step and did a make install. I started the Web service with Server Admin and got several errors in system.log of the following form:

    org.apache.httpd[46203]: httpd: Syntax error on line 89 of /private/etc/apache2/httpd.conf: module authn_file_module is built-in and can't be loaded

     

    I commented out all of the newly built-in modules in my httpd.conf file and now Apache/2.2.22 seems to be running.

    #LoadModule authn_file_module libexec/apache2/mod_authn_file.so

    #LoadModule authz_host_module libexec/apache2/mod_authz_host.so

    #LoadModule include_module libexec/apache2/mod_include.so

    #LoadModule filter_module libexec/apache2/mod_filter.so

    #LoadModule log_config_module libexec/apache2/mod_log_config.so

    #LoadModule env_module libexec/apache2/mod_env.so

    #LoadModule setenvif_module libexec/apache2/mod_setenvif.so

    #LoadModule mime_module libexec/apache2/mod_mime.so

    #LoadModule status_module libexec/apache2/mod_status.so

    #LoadModule autoindex_module libexec/apache2/mod_autoindex.so

    #LoadModule asis_module libexec/apache2/mod_asis.so

    #LoadModule cgi_module libexec/apache2/mod_cgi.so

    #LoadModule negotiation_module libexec/apache2/mod_negotiation.so

    #LoadModule dir_module libexec/apache2/mod_dir.so

    #LoadModule actions_module libexec/apache2/mod_actions.so

    #LoadModule alias_module libexec/apache2/mod_alias.so

  • by TAHNHS,

    TAHNHS, Mar 2, 2012 9:54 AM in response to TAHNHS
    Level 1 (0 points)

    OK, the previous step caused problems because the built-in modules don't do what Apple's loaded modules do. So I figured out how to make a build without the built-in modules. Do a make clean, then use the following configure command and then redo the make.

     

    ./configure --enable-layout=Darwin --sysconfdir=/private/etc/apache2 --localstatedir=/private/var --with-suexec-bin=/usr/bin/suexec --disable-authn-file --disable-authn-dbm --disable-authn-anon --disable-authn-dbd --disable-authn-default --disable-authz-host --disable-authz-groupfile --disable-authz-user --disable-authz-dbm --disable-authz-owner --disable-authz-default --disable-auth-basic --disable-include --disable-filter --disable-log-config --disable-env --disable-setenvif --disable-mime --disable-status --disable-autoindex --disable-asis --disable-cgi --disable-negotiation --disable-dir --disable-actions --disable-alias

     

    Remove the comments from these lines in httpd.conf to go back to using the loaded modules.

     

    LoadModule authn_file_module libexec/apache2/mod_authn_file.so

    LoadModule authz_host_module libexec/apache2/mod_authz_host.so

    LoadModule include_module libexec/apache2/mod_include.so

    LoadModule filter_module libexec/apache2/mod_filter.so

    LoadModule log_config_module libexec/apache2/mod_log_config.so

    LoadModule env_module libexec/apache2/mod_env.so

    LoadModule setenvif_module libexec/apache2/mod_setenvif.so

    LoadModule mime_module libexec/apache2/mod_mime.so

    LoadModule status_module libexec/apache2/mod_status.so

    LoadModule autoindex_module libexec/apache2/mod_autoindex.so

    LoadModule asis_module libexec/apache2/mod_asis.so

    LoadModule cgi_module libexec/apache2/mod_cgi.so

    LoadModule negotiation_module libexec/apache2/mod_negotiation.so

    LoadModule dir_module libexec/apache2/mod_dir.so

    LoadModule actions_module libexec/apache2/mod_actions.so

    LoadModule alias_module libexec/apache2/mod_alias.so

  • by FFIO,

    FFIO, Mar 20, 2012 1:31 PM in response to daytoncreative
    Level 1 (0 points)

    Can anyone comment on when apple might release an update for 2.2.22?  Weeks, months?

  • by Camelot,

    Camelot, Mar 20, 2012 2:38 PM in response to FFIO
    Level 8 (47,243 points)
    Mac OS X

    No one knows Apple's schedule for rolling open-source software updates into their Software Update schedule. Critical issues often get released earlier (via a Security Update), but general updates take unspecified amounts of time.

  • by Martin R. Lerch,

    Martin R. Lerch, Apr 6, 2012 7:40 AM in response to TAHNHS
    Level 1 (54 points)
    iTunes

    Hello TAHNHS,

     

    I have a few questions. Hope you got the time to answer them. So you stopped the stock Apple Apache with apachectl stop and then:

     

    1. Download the full Apache 2.2.22 from the apache web site into your /SourceCache directory?

    2. untarred it with tar xvzf httpd-2.2.22.tar.gz

    3. cd httpd-2.2.22

    4. ./configure --enable-layout=Darwin --sysconfdir=/private/etc/apache2 --localstatedir=/private/var --with-suexec-bin=/usr/bin/suexec --disable-authn-file --disable-authn-dbm --disable-authn-anon --disable-authn-dbd --disable-authn-default --disable-authz-host --disable-authz-groupfile --disable-authz-user --disable-authz-dbm --disable-authz-owner --disable-authz-default --disable-auth-basic --disable-include --disable-filter --disable-log-config --disable-env --disable-setenvif --disable-mime --disable-status --disable-autoindex --disable-asis --disable-cgi --disable-negotiation --disable-dir --disable-actions --disable-alias

    5. make

    6. make install

    7. Then you went to /etc/apache2 and opened the httpd.conf file and removed the comments from these lines in httpd.conf to go back to using the loaded modules.

     

    LoadModule authn_file_module libexec/apache2/mod_authn_file.so

    LoadModule authz_host_module libexec/apache2/mod_authz_host.so

    LoadModule include_module libexec/apache2/mod_include.so

    LoadModule filter_module libexec/apache2/mod_filter.so

    LoadModule log_config_module libexec/apache2/mod_log_config.so

    LoadModule env_module libexec/apache2/mod_env.so

    LoadModule setenvif_module libexec/apache2/mod_setenvif.so

    LoadModule mime_module libexec/apache2/mod_mime.so

    LoadModule status_module libexec/apache2/mod_status.so

    LoadModule autoindex_module libexec/apache2/mod_autoindex.so

    LoadModule asis_module libexec/apache2/mod_asis.so

    LoadModule cgi_module libexec/apache2/mod_cgi.so

    LoadModule negotiation_module libexec/apache2/mod_negotiation.so

    LoadModule dir_module libexec/apache2/mod_dir.so

    LoadModule actions_module libexec/apache2/mod_actions.so

    LoadModule alias_module libexec/apache2/mod_alias.so

     

     

    Is that what you did?

    Do you think this will work for OS X 10.6.8 server?

    Do I have to recompile PHP?

     

    I am really a novice and have never attempted to update the Apple built in stuff before. I don't want to give up Server Admin functionality but need to stay PCI compliant, and with Apple being behind with updates and most likely won't release this or future security update for 10.6.8 server I want to know how to update the stock, built in apache without breaking Server Admin.

     

    Also I would like to know if there is a similar path for major version upgrades like Apache 2.4.1. Any advice is most welcome. Thank you,

     

    One last question. If something goes wrong with the instructions as outlined above, especially if after the make install the server breaks, is there a simple way to revert this back, or do I have to restore the entire OS from backup?

     

    Martin

  • by TAHNHS,

    TAHNHS, Apr 10, 2012 2:56 PM in response to Martin R. Lerch
    Level 1 (0 points)

    Martin,

     

    1. /SourceCache is the directory I use for open source projects, DNS, DHCP, etc.; there is nothing special about it.

    2. I downloaded httpd-2.2.22.tar.gz to /SourceCache, the tar -xzvf httpd-2.2.22.tar.gz creates the httpd-2.2.22 subdirectory

    3. Change to the subdirectory created in step 2

    4. Configure the environment. Be careful when copying the command so that line wrapping doesn't mess you up.

    5. Compile

    6. Install

    7. No changes to /etc/apache2/httpd.conf are necessary; before I figured out all of the --disable-x-y options I did have to change it but once I had all of the options correctly set, no changes were necessary.

     

    I compiled on 10.6.8 server, I did not recompile PHP. This version works fine with Server Admin, I have not seen any problems. All steps were performed as root via sudo.

     

    The make install updates the following files in /usr/sbin

    ab, apachectl, apxs, checkgid, dbmmanage, htcacheclean, htdbm, htdigest, htpasswd, httpd, httxt2dbm, logresolve, rotatelogs

    There were no changes to /usr/libexec/apache2.

    There were multiple updates to /usr/include/apache2.

    To be safe, you could backup the listed files in /usr/sbin and all files in /usr/libexec/apache2  and /usr/include/apache2 and restore them if you have problems with the new version.

     

    I have not looked into Apache 2.4.1 yet.
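
The backup TAHNHS suggests above, as an added example (not code from the thread): it archives the listed /usr/sbin binaries plus /usr/libexec/apache2 and /usr/include/apache2, reports which files a later make install changed, and restores them. The function names, the ROOT argument and the archive path in the comments are assumptions of this example.

```sh
#!/bin/sh
# Added example: back up what `make install` overwrites, see what changed, roll back.
# Real use (as root; the archive path is only an example):
#   backup_apache / /var/backups/apache-stock.tar      # before make install
#   changed_since_backup / /var/backups/apache-stock.tar
#   restore_apache / /var/backups/apache-stock.tar     # if the new build misbehaves

# Binaries the thread lists as replaced in /usr/sbin.
APACHE_BINS="ab apachectl apxs checkgid dbmmanage htcacheclean htdbm htdigest htpasswd httpd httxt2dbm logresolve rotatelogs"

# apache_paths ROOT: print the relative paths to protect that exist under ROOT.
apache_paths() {
    root=$1
    for b in $APACHE_BINS; do
        [ -e "$root/usr/sbin/$b" ] && echo "usr/sbin/$b"
    done
    for d in usr/libexec/apache2 usr/include/apache2; do
        [ -d "$root/$d" ] && echo "$d"
    done
    return 0
}

# backup_apache ROOT ARCHIVE: archive those paths, keeping permissions.
backup_apache() {
    root=$1; archive=$2
    paths=$(apache_paths "$root")
    [ -n "$paths" ] || { echo "nothing to back up under $root" >&2; return 1; }
    # Word splitting of $paths is intended: one tar argument per path.
    tar -cpf "$archive" -C "$root" $paths
}

# changed_since_backup ROOT ARCHIVE: print backed-up files that now differ or are missing.
changed_since_backup() {
    root=$1; archive=$2
    tmp=$(mktemp -d) || return 1
    tar -xpf "$archive" -C "$tmp"
    (cd "$tmp" && find . -type f | sed 's|^\./||' | sort) | while read -r f; do
        cmp -s "$tmp/$f" "$root/$f" || echo "$f"
    done
    rm -rf "$tmp"
}

# restore_apache ROOT ARCHIVE: put the backed-up files back over the new build.
# Files the new install added (for example new headers) are not removed.
restore_apache() {
    tar -xpf "$2" -C "$1"
}
```

Stop the web service before restoring so that the running httpd matches the binary on disk when it is started again.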

  • by Martin R. Lerch,

    Martin R. Lerch, Apr 10, 2012 3:47 PM in response to TAHNHS
    Level 1 (54 points)
    iTunes

    Thank you TAHNHS,

     

    That's great stuff! I can't wait to try it out. I hope that it will work on OS X 10.7.3 server just as well. Now once more to step 4. Is this the configure command that you want me to use?

     

    ./configure --enable-layout=Darwin --sysconfdir=/private/etc/apache2 --localstatedir=/private/var --with-suexec-bin=/usr/bin/suexec --disable-authn-file --disable-authn-dbm --disable-authn-anon --disable-authn-dbd --disable-authn-default --disable-authz-host --disable-authz-groupfile --disable-authz-user --disable-authz-dbm --disable-authz-owner --disable-authz-default --disable-auth-basic --disable-include --disable-filter --disable-log-config --disable-env --disable-setenvif --disable-mime --disable-status --disable-autoindex --disable-asis --disable-cgi --disable-negotiation --disable-dir --disable-actions --disable-alias

     

    There are of course no line breaks anywhere in this command when I copy/paste it into the command line. Please confirm if you can.

     

    Thank you.

     

    Sincerely,

     

    Martin

  • by TAHNHS,

    TAHNHS, Apr 11, 2012 2:30 PM in response to Martin R. Lerch
    Level 1 (0 points)

    Martin,

     

    You've got it; but make sure that extra spaces don't get inserted. For instance, it's --disable-authn-default (2nd and 3rd lines) and --disable-auth-basic (5th and 6th lines).

     

    I've only compiled this on 10.6.8, I haven't tried it on 10.7.3.

     

    Ross

  • by Martin R. Lerch,

    Martin R. Lerch, Apr 12, 2012 5:04 PM in response to TAHNHS
    Level 1 (54 points)
    iTunes

    Ok.. so I did a few other things because I needed to insert mcrypt into the 5.3.8 stock PHP. Good thing that I did, because I learned a good deal from it. Here is what I have discovered:

     

    1. Download Xcode from App store
    2. Start Xcode.app, go to preference, downloads tab and install command line tools (http://www.macobserver.com/tmo/article/install_the_command_line_c_compilers_in_os_x_lion/)
    3. download and install m4 (m4-1.4.16.tar.gz) and autoconf (autoconf-2.68.tar.gz) -- great tutorial here (http://www.spiration.co.uk/post/1385/Cannot-find-autoconf.-Please-check-your-autoconf-installation)
    4. Then I downloaded, expanded and installed libmcrypt (libmcrypt-2.5.8.tar.gz)
    5. Then I downloaded, expanded and re-built PHP from PHP 5.3.8 source (PHP 5.3.8 (tar.gz))
    6. There is a great tutorial that you should follow here (http://remonpel.nl/2012/01/adding-mcrypt-to-your-osx-lion-php-install).

     

     

    After all that was said and done I went ahead and backed up all the files that TAHNHS recommended. Then downloaded and followed TAHNHS's instructions for compiling Apache 2.2.22 but on OS X 10.7.3 Server.

     

     

    All done I got an error message when I tried stopping/restarting/graceful apache2:

    httpd: Syntax error on line 90 of /private/etc/apache2/httpd.conf: module version_module is built-in and can't be loaded

     

     

    So I was a bit concerned about that. Went into /private/etc/apache2 and opened httpd.conf, found that line that loads version_module and commented it out.

     

     

    Tried to start apache2 and was told that it was running?

    Checked and loaded a page in Safari and it worked. Server running, Apache on 2.2.22, all seems ok for now.

     

     

    I can do an apachectl graceful without issues, but for some reason apachectl stop does not stop the server. When I try to type apachectl start I am told that: httpd (pid 8781) already running

     

    If you have any ideas how I can make apachectl stop start commands work properly again please let me know. Also if you have any idea why I had to comment out that line in httpd.conf file please let me know.

     

    It seems that Apache is still working with Server.app as well.

     

     

    Now if I could only figure out why whenever I edit or create a vhost with Server.app and make it run on port 443 with SSL cert I get a bunch of shadow.conf files that really mess up everything. I manually have to go in and delete these shadow.conf files and then things are back to normal. Does anybody know how to turn off the generation of the shadow.conf files? I know this is a new problem, but just in case someone knows.

     

    Thank you very, very much and hope that this will help someone else.

     

    Martin
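
The "is built-in and can't be loaded" errors reported in this thread (authn_file_module in TAHNHS's Feb 28 post, version_module in Martin's post above) appear when an active LoadModule line names a module that is already compiled into httpd. As an added example (not code from any poster here), this script pairs each mod_NAME.c in saved `httpd -l` output with the LoadModule NAME_module lines in httpd.conf so the clashes can be found before a restart; the function names are assumptions and the sample data in demo is constructed.

```sh
#!/bin/sh
# Added example: list LoadModule lines that name a module already compiled in.
# Real use:  httpd -l > builtins.txt
#            find_conflicts builtins.txt /private/etc/apache2/httpd.conf

# builtin_names LIST: LIST is saved `httpd -l` output; print NAME per mod_NAME.c.
builtin_names() {
    sed -n 's/^[[:space:]]*mod_\(.*\)\.c[[:space:]]*$/\1/p' "$1" | sort -u
}

# loaded_names CONF: print "LINE NAME" for each active LoadModule NAME_module.
# Commented-out lines are skipped because their first field is not "LoadModule".
loaded_names() {
    awk '$1 == "LoadModule" && $2 ~ /_module$/ {
             name = $2; sub(/_module$/, "", name); print NR, name
         }' "$1"
}

# find_conflicts LIST CONF: print "CONF:LINE NAME_module" for every clash.
find_conflicts() {
    builtins=$(builtin_names "$1")
    loaded_names "$2" | while read -r n name; do
        if printf '%s\n' "$builtins" | grep -qxF -- "$name"; then
            echo "$2:$n ${name}_module"
        fi
    done
}

# demo: constructed sample data, not output captured from a real server.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/builtins.txt" <<'EOF'
Compiled in modules:
  core.c
  mod_authn_file.c
  mod_version.c
  http_core.c
  mod_so.c
EOF
    cat > "$dir/httpd.conf" <<'EOF'
ServerRoot "/usr"
LoadModule authn_file_module libexec/apache2/mod_authn_file.so
#LoadModule version_module libexec/apache2/mod_version.so
LoadModule php5_module libexec/apache2/libphp5.so
LoadModule alias_module libexec/apache2/mod_alias.so
EOF
    (cd "$dir" && find_conflicts builtins.txt httpd.conf)
    rm -rf "$dir"
}
```

Each reported line can either be commented out in httpd.conf, or the module can be left out of the build with the matching --disable option so the loadable copy keeps being used.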
