I got the following error message after compiling apache against the latest OpenSSL version.
Cannot load modules/mod_fcgid.so into server: undefined symbol: ap_unixd_setup_child
It looks like a compiler error that happened, but it isn’t. In fact, there are two options why there is this error message appears.
One mod_unixd isn’t loaded or loaded after mod_fcgid. Two mod_fcgid can’t create a directory for the socket or the socket itself. aka file permissions.
That error message could be much better. It is misleading. This error does not happen on Windows. It comes from the old Unix philosophy: “Everything is a file”. This lead to a ton of code in the kernels. Even more, code exists for block devices in /dev. All that symlinks and magic directories. I wonder when “Everything is a file” will have exceptions everyone agrees on.
Tag: httpd
Wild card domain to localhost because development matters
I have an A record for *.local at my test domain to 127.0.0.1
For web development it is often required to have a domain name rather than a subfolder in localhost. A vhost for a (sub)domain is easy to set up on my local apache instllation. I can have even a free, valid SSL certificate for that vhost. Wait, what? How can I have a valid certificate for free for a local domain? I use Let’s encrypt with DNS chalange. Sure every time I have to update the certifacte I have to change a DNS txt record, but that is easy.
Another reason why I have a wild card record to 127.0.0.1 is that I can add as many vhosts for testing to apache and don’t have to add or change the DNS settings. Also I can use it on every computer as long as it can query the DNS server on the internet. I can even give my co worker my vhost config and it works without changes.
So *.local.apachehaus.de is free for development. But you can’t have a SSL certificate. If you want that, you can do the same trick with your domain. Happy development.
htaccess if the host matches
It is a hassle to have different configurations in development and production. Often it is required to protect the new webpage with user and password. Publishing that config on production on the other hand would be fatal.
With Apache 2.4 that is pretty easy done
<If "%{HTTP_HOST} == 'stage.example.com'"> AuthType basic AuthName "private" AuthUserFile /home/example/.htpasswd Require valid-user </If>
http/2.0 sslciphersuites with 256 bit alias crypto wars part five A+ at SSL Test
At Qualys SLL Test labs tests I never had 100% for Key Exchange. Even adding a 4096 Diffie Hellman key did not do the trick.
Now I found adding
SSLOpenSSLConfCmd ECDHParameters secp384r1
to the config from Part 4 does the trick!
Now I can have all your bars on Qualys SSL Test at 100% without having an insane config no client can connect to.
http/2.0 sslciphersuites with 256 bit alias crypto wars part four
To get rid of 128 bit encryption I had to disable
ECDHE-RSA-AES128-GCM-SHA256
But then I got error messages from the popular browsers Server negotiated HTTP/2 with blacklisted suite. That is caused by DHE-RSA-AES256-SHA and ECDHE-RSA-AES256-SHA
With a lof of trial and error I came to the following
Listen 443 <If "%{SERVER_PORT} == '443'"> <IfModule mod_headers.c> Header always set Strict-Transport-Security "max-age=15553000; preload" </IfModule> </If> ProtocolsHonorOrder On Protocols h2c h2 http/1.1 SSLUseStapling off SSLSessionCache shmcb:/opt/apache2/logs/ssl_gcache_data(512000) SSLOptions +StrictRequire +StdEnvVars -ExportCertData SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2 SSLCompression Off SSLHonorCipherOrder On SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256
However that has the negative effect that Android smaller than 7 and smaller than IE 11 can’t connect to the server. Also some older Firefox versions can’t connect. Depending on the application it might be worth to use such a config that doesn’t allow 128 bit encrypted connections.
Compling Apache 2.4 on Ubuntu or Debian
wget http://httpd.apache.org/dev/dist/httpd-2.4.2.tar.gz wget http://httpd.apache.org/dev/dist/httpd-2.4.2-deps.tar.gz tar xvfz httpd-2.4.2.tar.gz tar xvfz httpd-2.4.2-deps.tar.gz cd httpd-2.4.2/srclib wget http://mirror.netcologne.de/apache.org//apr/apr-iconv-1.2.1.tar.gz tar xvfz apr-iconv-1.2.1.tar.gz mv apr-iconv-1.2.1 apr-iconv wget http://zlib.net/zlib-1.2.6.tar.gz tar xvfz zlib-1.2.7.tar.gz mv zlib-1.2.7 zlib wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.21.tar.gz tar xvfz pcre-8.21.tar.gz mv pcre-8.21 pcre wget http://www.openssl.org/source/http://openssl.org/source/openssl-1.0.1.tar.gz tar xfz openssl-1.0.1.tar.gz cd openssl-* ./config --prefix=/usr zlib-dynamic --openssldir=/etc/ssl shared make make test sudo make install cd ../.. ./buildconf ./configure --prefix=/opt/apache2 --enable-pie --enable-mods-shared=all --enable-so --disable-include --enable-deflate --enable-headers --enable-expires --enable-ssl=shared --enable-mpms-shared=all --with-mpm=event --enable-rewrite --with-z=/home/mario/apache24/httpd-2.4.2/srclib/zlib --enable-module=ssl --enable-fcgid --with-included-apr make sudo make install cd .. wget http://www.trieuvan.com/apache//httpd/mod_fcgid/mod_fcgid-2.3.7.tar.gz tar xvfz mod_fcgid-2.3.7.tar.gz cd mod_fcgid-* APXS=/opt/apache2/bin/apxs ./configure.apxs make sudo make install
For using PHP install php-cgi
add httpd.conf
FcgidMaxProcesses 50 FcgidFixPathinfo 1 FcgidProcessLifeTime 0 FcgidTimeScore 3 FcgidZombieScanInterval 20 FcgidMaxRequestsPerProcess 0 FcgidMaxRequestLen 33554432 FcgidIOTimeout 120
in each vhost
Options Indexes ExecCGI AddHandler fcgid-script .php FCGIWrapper /usr/lib/cgi-bin/php5 .php
build mod_geoip
Obtain GeoIP-1.4.6 from maxmind.com and built per included instructions.
Build Module against an IPv6 Enabled Apache Build
Obtain GeoIP-1.4.6 from maxmind.com and built per included instructions. Build Module against an IPv6 Enabled Apache Build del *.obj *.exp *.lib *.so set APACHE=C:\Apache22 set GEOIPROOT=C:\Build\GeoIP-1.4.6 cl /nologo /MD /O2 /LD /W3 -DWIN32 -D_WIN32 -I%GEOIPROOT%\libGeoIP -I%APACHE%\include /c /Fomod_geoip.obj mod_geoip.c link /NODEFAULTLIB:LIBCMT kernel32.lib "%APACHE%\lib\libhttpd.lib" "%APACHE%\lib\libapr-1.lib" "%APACHE%\lib\libaprutil-1.lib" "%GEOIPROOT%\libGeoIP\GeoIP.lib" /nologo /subsystem:windows /dll /machine:I386 /out:mod_geoip.so mod_geoip.obj
reverse proxy for utorrent part 2
In my last post about utorrent (µtorrent) I was frustrated that I wasn’t able to change the url from /gui/ to /tor/
Woot! In apache 2.3 which will be apache 2.4 and I think it will be released in early 2011 the proxy module is much better and there it works to have a different URL :-) Even as ALPHA or BETA version the new apache rocks a lot and runs stable. In condition with mod_fcgid it is real cool technology e.g. running PHP separated form apache that allows to run different PHP version of the server in vhosts or directories. Also running a non thread safe PHP version. Speed! IPv6 would be fine, but the offered patches are not applied to trunk :-/There is an annoying bug in mod_fcgid. I’m glad I found a fix for it (help from Tom Donovan and Sob).
Disable AllowOverride (htaccess to httpd.conf)
AllowOverride is one of the things that slow down a lot. Disabling it makes apache faster. It is a horror to migrate all .htaccess files by hand. BUT here is a PHP script from Paul Reinheimer which makes it realy easy :-)
Get it htaccess.php
tune your server!
crashing fcgid 2.3.6 on windows
On Windows fcgid crashes apache when apache do a graceful restart (httpd -k restart). Here is a patch that should fix that. This patch in inspired from Tom Dovovan.
Index: modules/fcgid/fcgid_pm_main.c =================================================================== --- modules/fcgid/fcgid_pm_main.c (revision 1037552) +++ modules/fcgid/fcgid_pm_main.c (working copy) @@ -375,7 +375,9 @@ proc->diewhy = FCGID_DIE_SHUTDOWN; proc_print_exit_info(proc, exitcode, exitwhy, main_server); - apr_pool_destroy(proc->proc_pool); + #ifndef Win32 + apr_pool_destroy(proc->proc_pool); + #endif proc->proc_pool = NULL; return 1; } Index: modules/fcgid/fcgid_pm_win.c =================================================================== --- modules/fcgid/fcgid_pm_win.c (revision 1037552) +++ modules/fcgid/fcgid_pm_win.c (working copy) @@ -123,7 +123,9 @@ "mod_fcgid: can't create wake up thread"); exit(1); } - + apr_pool_cleanup_register(pconf, main_server, + procmgr_stop_procmgr, apr_pool_cleanup_null); + return APR_SUCCESS; } @@ -249,8 +251,6 @@ apr_status_t procmgr_child_init(server_rec * main_server, apr_pool_t * pchild) { - apr_pool_cleanup_register(pchild, main_server, - procmgr_stop_procmgr, apr_pool_cleanup_null); return APR_SUCCESS; }
Download this patch
Posts Tagged httpd
Archives by Month:
- December 2024
- November 2024
- October 2024
- August 2024
- April 2024
- January 2024
- December 2023
- November 2023
- July 2023
- May 2023
- April 2023
- March 2023
- February 2023
- January 2023
- December 2022
- October 2022
- September 2022
- August 2022
- July 2022
- May 2022
- March 2022
- February 2022
- November 2021
- October 2021
- September 2021
- August 2021
- July 2021
- June 2021
- May 2021
- February 2021
- January 2021
- August 2020
- July 2020
- June 2020
- April 2020
- January 2020
- December 2019
- November 2019
- October 2019
- May 2019
- April 2019
- March 2019
- January 2019
- October 2018
- August 2018
- June 2018
- April 2018
- March 2018
- February 2018
- November 2017
- June 2017
- April 2017
- February 2017
- January 2017
- November 2016
- September 2016
- May 2016
- February 2016
- September 2015
- August 2015
- July 2015
- May 2015
- April 2015
- March 2015
- February 2015
- January 2015
- December 2014
- November 2014
- July 2014
- June 2014
- April 2014
- January 2014
- December 2013
- August 2013
- July 2013
- June 2013
- May 2013
- April 2013
- February 2013
- January 2013
- December 2012
- November 2012
- October 2012
- August 2012
- July 2012
- June 2012
- April 2012
- March 2012
- February 2012
- January 2012
- December 2011
- November 2011
- October 2011
- September 2011
- August 2011
- July 2011
- June 2011
- May 2011
- April 2011
- March 2011
- February 2011
- January 2011
- December 2010
- November 2010
- October 2010
- September 2010
- August 2010
- July 2010
- June 2010
- May 2010
- April 2010
- March 2010
- February 2010
- January 2010
- December 2009
- November 2009
- October 2009
- September 2009