Apahce just updated again two days ago, When will Apple update this? It is getting very hard to stay PCI Compliante
when apple seems to be months behinde on there updates, It was never this way a few years ago. Does anyone
have a good step by step instustions on compliing apahce on OSX Server just as apple does.
Mac OS X (10.6.8)
When will Apple update this?
No clue. No one outside of Apple (and maybe not within Apple, either) can predict when Apple will incorporate open source project updates in a Mac OS X sofware/security update, especially since they just released an OS update yesterday.
If the updates are important to you (and, to be honest, I don't see anything in the release notes that scream UPDATE NOW!!!, but then again I don't have to deal with PCI compliance issues) then you should probably look to install (and maintain) your own Apache installation.
As one of the most widely used open source products, it's pretty simple to download and build Apache. You can even build one that eliminates the cruft that Apple builds in.
You can easily see the compile options that Apple used by simply running:
httpd -V
That will at least get you an equivalent version.
Yea I have been building my Apahce web servers running 10.5. Just have not
attmepted it yet on 10.6.server, I just find it frustrating
that the same day apple updated apahce to the lateset 2.2.21, the same day apahce issues 2.2.22.
The only issue is some of my servers I must keep PCI Compliante and anytime apahce does a update
that makes it Fail.
In general there's no difference between compiling Apache on 10.6 vs. 10.6.
You might also want to go re-read the PCI specs. There's nothing in there that I'm aware of that says you have to update Apache within hours or days of an update from them. Indeed, if you take the specs literally, any updates would need to be implemented in a lab environment and re-tested/re-certified before moving to a production environment 'in a timely manner'. There's nothing to say whether that timely manner is hours, days, weeks or even months. I am not a PCI specialist, though, so what do I know? 🙂
I agree with you, The issue is the the website that all the banks and merchant acount holders use is
www.securitymetrics.com And they litterly within a hour of apahce updateing already
my servers are failing due to the updated apahce. So the very next day our customers
are screaming to get it fixed becuase they will get charged more % on there transactions
if it's not compliant. It just seems to get worse by the day. It would be helpful if I could find
the exact ./config command that apple used so that everything mathces like my previos
osx Servers. I am going to try it on a 10.6 server later tonight. I don't even use the server admin
I do it all CML but I still don't want to brake anything.
I'm trying to solve the same problem. I used this configure command:
./configure --enable-layout=Darwin --sysconfdir=/private/etc/apache2 --localstatedir=/private/var --with-suexec-bin=/usr/bin/suexec
After the make I compared the output from /usr/sbin/httpd -V and ./httpd -V and it is identical except for the version and build date. Is everything else the same? I don't know, but this may help you take the next step.
I took the next step and did a make install. I started the Web service with Server Admin and got several errors in system.log of the following form:
org.apache.httpd[46203]: httpd: Syntax error on line 89 of /private/etc/apache2/httpd.conf: module authn_file_module is built-in and can't be loaded
I commented out all of the newly built-in modules in my httpd.conf file and now Apache/2.2.22 seems to be running.
#LoadModule authn_file_module libexec/apache2/mod_authn_file.so
#LoadModule authz_host_module libexec/apache2/mod_authz_host.so
#LoadModule include_module libexec/apache2/mod_include.so
#LoadModule filter_module libexec/apache2/mod_filter.so
#LoadModule log_config_module libexec/apache2/mod_log_config.so
#LoadModule env_module libexec/apache2/mod_env.so
#LoadModule setenvif_module libexec/apache2/mod_setenvif.so
#LoadModule mime_module libexec/apache2/mod_mime.so
#LoadModule status_module libexec/apache2/mod_status.so
#LoadModule autoindex_module libexec/apache2/mod_autoindex.so
#LoadModule asis_module libexec/apache2/mod_asis.so
#LoadModule cgi_module libexec/apache2/mod_cgi.so
#LoadModule negotiation_module libexec/apache2/mod_negotiation.so
#LoadModule dir_module libexec/apache2/mod_dir.so
#LoadModule actions_module libexec/apache2/mod_actions.so
#LoadModule alias_module libexec/apache2/mod_alias.so
OK, the previous step caused problems because the built-in modules don't do what Apple's loaded modules do. So I figured out how to make a build without the built-in modules. Do a make clean, then use the following configure command and then redo the make.
./configure --enable-layout=Darwin --sysconfdir=/private/etc/apache2 --localstatedir=/private/var --with-suexec-bin=/usr/bin/suexec --disable-authn-file --disable-authn-dbm --disable-authn-anon --disable-authn-dbd --disable-authn-default --disable-authz-host --disable-authz-groupfile --disable-authz-user --disable-authz-dbm --disable-authz-owner --disable-authz-default --disable-auth-basic --disable-include --disable-filter --disable-log-config --disable-env --disable-setenvif --disable-mime --disable-status --disable-autoindex --disable-asis --disable-cgi --disable-negotiation --disable-dir --disable-actions --disable-alias
Remove the comments from these lines in httpd.conf to go back to using the loaded modules.
LoadModule authn_file_module libexec/apache2/mod_authn_file.so
LoadModule authz_host_module libexec/apache2/mod_authz_host.so
LoadModule include_module libexec/apache2/mod_include.so
LoadModule filter_module libexec/apache2/mod_filter.so
LoadModule log_config_module libexec/apache2/mod_log_config.so
LoadModule env_module libexec/apache2/mod_env.so
LoadModule setenvif_module libexec/apache2/mod_setenvif.so
LoadModule mime_module libexec/apache2/mod_mime.so
LoadModule status_module libexec/apache2/mod_status.so
LoadModule autoindex_module libexec/apache2/mod_autoindex.so
LoadModule asis_module libexec/apache2/mod_asis.so
LoadModule cgi_module libexec/apache2/mod_cgi.so
LoadModule negotiation_module libexec/apache2/mod_negotiation.so
LoadModule dir_module libexec/apache2/mod_dir.so
LoadModule actions_module libexec/apache2/mod_actions.so
LoadModule alias_module libexec/apache2/mod_alias.so
Can anyone comment on when apple might release an update for 2.2.22? Weeks, months?
No one knows Apple's schedule for rolling open-source software updates into their Software Update schedule. Critical issues often get released earlier (via a Security Update), but general updates take unspecified amounts of time.
Hello TAHNHS,
I have a few questions. Hope you got the time to answer them. So you stopped the stock Apple Apache with apachectl stop and then:
1. Download the full Apache 2.2.22 from the apache web site into your /SourceCache directory?
2. untared it with tar xvzf httpd-2.2.22.tar.gz
3. cd httpd-2.2.22
4. ./configure --enable-layout=Darwin --sysconfdir=/private/etc/apache2 --localstatedir=/private/var --with-suexec-bin=/usr/bin/suexec --disable-authn-file --disable-authn-dbm --disable-authn-anon --disable-authn-dbd --disable-authn-default --disable-authz-host --disable-authz-groupfile --disable-authz-user --disable-authz-dbm --disable-authz-owner --disable-authz-default --disable-auth-basic --disable-include --disable-filter --disable-log-config --disable-env --disable-setenvif --disable-mime --disable-status --disable-autoindex --disable-asis --disable-cgi --disable-negotiation --disable-dir --disable-actions --disable-alias
5. make
6. make install
7. Then you went to /etc/apache2 and opened the httpd.conf file and removed the comments from these lines in httpd.conf to go back to using the loaded modules.
LoadModule authn_file_module libexec/apache2/mod_authn_file.so
LoadModule authz_host_module libexec/apache2/mod_authz_host.so
LoadModule include_module libexec/apache2/mod_include.so
LoadModule filter_module libexec/apache2/mod_filter.so
LoadModule log_config_module libexec/apache2/mod_log_config.so
LoadModule env_module libexec/apache2/mod_env.so
LoadModule setenvif_module libexec/apache2/mod_setenvif.so
LoadModule mime_module libexec/apache2/mod_mime.so
LoadModule status_module libexec/apache2/mod_status.so
LoadModule autoindex_module libexec/apache2/mod_autoindex.so
LoadModule asis_module libexec/apache2/mod_asis.so
LoadModule cgi_module libexec/apache2/mod_cgi.so
LoadModule negotiation_module libexec/apache2/mod_negotiation.so
LoadModule dir_module libexec/apache2/mod_dir.so
LoadModule actions_module libexec/apache2/mod_actions.so
LoadModule alias_module libexec/apache2/mod_alias.so
Is that what you did?
Do you think this will work for OS X 10.6.8 server?
Do I have to recompile PHP?
I am really a novice and have never attempted to update the Apple built in stuff before. I don't want to give up Server Admin functionality but need to stay PCI compliant, and with Apple being behind with updates and most likely won't release this or future security update for 10.6.8 server I want to know how to update the stock, built in apache without breaking Server Admin.
Also I would like to know if there is a similar path for major version upgrades like Apache 2.4.1. Any advice is most welcome. Thank you,
One last question. If something goes wrong with the instructions as outlined above, especially if after the make install the server breaks, is there a simply way to revert this back, or do I have to restore the entire OS from Backup?
Martin
Martin,
1. /SourceCache is the directory I use for open source projects, DNS, DHCP, etc.; there is nothing special about it.
2. I downloaded httpd-2.2.22.tar.gz to /SourceCache, the tar -xzvf httpd-2.2.22.tar.gz creates the httpd-2.2.22 subdirectory
3. Change to the subdirectory created in step 2
4. Configure the environment. Be careful when copying the command so that line wrapping doesn't mess you up.
5. Compile
6. Install
7. No changes to /etc/apache2/httpd.conf are necessary; before I figured out all of the --disable-x-y options I did have to change it but once I had all of the options correctly set, no changes were necessary.
I compiled on 10.6.8 server, I did not recompile PHP. This version works fine with Server Admin, I have not seen any problems. All steps were performed as root via sudo.
The make install updates the following files in /usr/sbin
ab, apachectl, apxs, checkgid, dbmmanage, htcacheclean, htdbm, htdigest, htpasswd, httpd, httxt2dbm, logresolve, rotatelogs
There were no changes to /usr/libexec/apache2.
There were multiple updates to /usr/include/apache2.
To be safe, you could backup the listed files in /usr/sbin and all files in /usr/libexec/apache2 and /usr/include/apache2 and restore them if you have problems with the new version.
I have not looked into Apache 2.4.1 yet.
Thank you TAHNHS,
That's great stuff! I can't wait to try it out. I hope that it will work on OS X 10.7.3 server just as well. Now once more to step 4. Is this the configure command that you want me to use?
./configure --enable-layout=Darwin --sysconfdir=/private/etc/apache2 --localstatedir=/private/var --with-suexec-bin=/usr/bin/suexec --disable-authn-file --disable-authn-dbm --disable-authn-anon --disable-authn-dbd --disable-authn-default --disable-authz-host --disable-authz-groupfile --disable-authz-user --disable-authz-dbm --disable-authz-owner --disable-authz-default --disable-auth-basic --disable-include --disable-filter --disable-log-config --disable-env --disable-setenvif --disable-mime --disable-status --disable-autoindex --disable-asis --disable-cgi --disable-negotiation --disable-dir --disable-actions --disable-alias
There are of course no line breaks anywhere in this command when I copy/paste it into the command line. Please confirm if you can.
Thank you.
Sincererly,
Martin
Martin,
You've got it; but make sure that extra spaces don't get inserted. For instance its --disable-authn-default (2nd and 3rd lines) and --disable-auth-basic (5th and 6th lines).
I've only compiled this on 10.6.8, I haven't tried it on 10.7.3.
Ross
Ok.. so I did a few other things because I needed to insert mcrypt into the 5.3.8 stock PHP. Good thing that I did, because I learned a good deal from it. Here is what I have discovered:
After all that was said and done I went ahead and backed up all the files that TAHNHS recommended. Then downloaded and followed THANHS's instructions for compiling Apache 2.2.22 but on OS X 10.7.3 Server.
All done I got an error message when I tried stopping/restarting/graceful apache2:
httpd: Syntax error on line 90 of /private/etc/apache2/httpd.conf: module version_module is built-in and can't be loaded
So I was a bit concerned about that. Wen't into /private/etc/apache2 and opened httpd.conf, found that line that loads version_module and commented it out.
Tried to start apache2 and was told that it was running?
Checked and loaded a page in Safari and it worked. Server running, Apache on 2.2.22, all seems ok for now.
I can do an apachectl graceful without issues, but for some reason apachectl stop does not stop the server. When I try to type apachectl start I am told that: httpd (pid 8781) already running
If you have any ideas how I can make apachectl stop start commands work properly again please let me know. Also if you have any idea why I had to comment out that line in httpd.conf file please let me know.
It seems that Apache is still working with Server.app as well.
Now if I could only figure out why whenever I edit or create a vhost with Server.app and make it run on port 443 with SSL cert I get a bunch of shadow.conf files that really mess up everything. I manually have to go in and delete these shadow.conf files and then things are back to normal. Anybody knows how to turn off the generation of the shadow.conf files? I know this is a new problem, but just in case someone knows 🙂
Thank you very, very much and hope that this will help someone else.
Martin
Martin,
1) Rerun configure with --disable-version added to the end of the list of options
2) Stop apache
3) make clean
4) make
5) make install
6) Remove comment in httpd.conf from loading of version_module
7) Start apache
On 10.6.8, /usr/sbin/apachectl appears to be a stock script with no Apple specific knowledge, in particular it doesn't use launchctl to start and stop apache. On 10.7.3, apachectl is Apple specific in that it does use launchctl. You could copy apachectl from 10.7.3 to 10.6.8 and use that or use serveradmin to start and stop apache.
serveradmin stop web
serveradmin start web
serveradmin status web
I've got no info on the shadow.conf files.
Ross
apache update
