Cannot load modules/mod_fcgid.so into server: undefined symbol: ap_unixd_setup_child

I got the following error message after compiling apache against the latest OpenSSL version.
Cannot load modules/mod_fcgid.so into server: undefined symbol: ap_unixd_setup_child
It looks like a compiler error that happened, but it isn’t. In fact, there are two options why there is this error message appears.
One mod_unixd isn’t loaded or loaded after mod_fcgid. Two mod_fcgid can’t create a directory for the socket or the socket itself. aka file permissions.
That error message could be much better. It is misleading. This error does not happen on Windows. It comes from the old Unix philosophy: “Everything is a file”. This lead to a ton of code in the kernels. Even more, code exists for block devices in /dev. All that symlinks and magic directories. I wonder when “Everything is a file” will have exceptions everyone agrees on.

Wild card domain to localhost because development matters

I have an A record for *.local at my test domain to 127.0.0.1

For web development it is often required to have a domain name rather than a subfolder in localhost. A vhost for a (sub)domain is easy to set up on my local apache instllation. I can have even a free, valid SSL certificate for that vhost. Wait, what? How can I have a valid certificate for free for a local domain? I use Let’s encrypt with DNS chalange. Sure every time I have to update the certifacte I have to change a DNS txt record, but that is easy.

Another reason why I have a wild card record to 127.0.0.1 is that I can add as many vhosts for testing to apache and don’t have to add or change the DNS settings. Also I can use it on every computer as long as it can query the DNS server on the internet. I can even give my co worker my vhost config and it works without changes.

So *.local.apachehaus.de is free for development. But you can’t have a SSL certificate. If you want that, you can do the same trick with your domain.  Happy development.

htaccess if the host matches

It is a hassle to have different configurations in development and production. Often it is required to protect the new webpage with user and password. Publishing that config on production on the other hand would be fatal.
With Apache 2.4 that is pretty easy done

<If "%{HTTP_HOST} == 'stage.example.com'">
    AuthType basic
    AuthName "private"
    AuthUserFile /home/example/.htpasswd
    Require valid-user
</If>

http/2.0 sslciphersuites with 256 bit alias crypto wars part five A+ at SSL Test

At Qualys SLL Test labs tests I never had 100% for Key Exchange. Even adding a 4096 Diffie Hellman key did not do the trick.

Now I found adding

SSLOpenSSLConfCmd ECDHParameters secp384r1

to the config from Part 4 does the trick!

Now I can have all your bars on Qualys SSL Test at 100% without having an insane config no client can connect to.

http/2.0 sslciphersuites with 256 bit alias crypto wars part four

To get rid of 128 bit encryption I had to disable

ECDHE-RSA-AES128-GCM-SHA256

But then I got error messages from the popular browsers Server negotiated HTTP/2 with blacklisted suite. That is caused by DHE-RSA-AES256-SHA and ECDHE-RSA-AES256-SHA

With a lof of trial and error I came to the following

Listen 443
<If "%{SERVER_PORT} == '443'">
    <IfModule mod_headers.c>
        Header always set Strict-Transport-Security "max-age=15553000; preload"
    </IfModule>
</If>

ProtocolsHonorOrder On
Protocols h2c h2 http/1.1

SSLUseStapling off
SSLSessionCache shmcb:/opt/apache2/logs/ssl_gcache_data(512000)
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256 

However that has the negative effect that Android smaller than 7 and smaller than IE 11 can’t connect to the server. Also some older Firefox versions can’t connect. Depending on the application it might be worth to use such a config that doesn’t allow 128 bit encrypted connections.

Compling Apache 2.4 on Ubuntu or Debian

wget http://httpd.apache.org/dev/dist/httpd-2.4.2.tar.gz
wget http://httpd.apache.org/dev/dist/httpd-2.4.2-deps.tar.gz
tar xvfz httpd-2.4.2.tar.gz
tar xvfz httpd-2.4.2-deps.tar.gz
cd httpd-2.4.2/srclib
wget http://mirror.netcologne.de/apache.org//apr/apr-iconv-1.2.1.tar.gz
tar xvfz apr-iconv-1.2.1.tar.gz
mv apr-iconv-1.2.1 apr-iconv
wget http://zlib.net/zlib-1.2.6.tar.gz
tar xvfz zlib-1.2.7.tar.gz
mv zlib-1.2.7 zlib
wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.21.tar.gz
tar xvfz pcre-8.21.tar.gz
mv pcre-8.21 pcre
wget http://www.openssl.org/source/http://openssl.org/source/openssl-1.0.1.tar.gz
tar xfz openssl-1.0.1.tar.gz
cd openssl-*
./config --prefix=/usr zlib-dynamic --openssldir=/etc/ssl shared
make
make test
sudo make install
cd ../..
./buildconf
./configure --prefix=/opt/apache2 --enable-pie --enable-mods-shared=all --enable-so --disable-include --enable-deflate --enable-headers --enable-expires --enable-ssl=shared --enable-mpms-shared=all --with-mpm=event --enable-rewrite --with-z=/home/mario/apache24/httpd-2.4.2/srclib/zlib --enable-module=ssl --enable-fcgid --with-included-apr
make 
sudo make install
cd ..
wget http://www.trieuvan.com/apache//httpd/mod_fcgid/mod_fcgid-2.3.7.tar.gz
tar xvfz mod_fcgid-2.3.7.tar.gz
cd mod_fcgid-*
APXS=/opt/apache2/bin/apxs ./configure.apxs
make
sudo make install

For using PHP install php-cgi

add httpd.conf

FcgidMaxProcesses 50
FcgidFixPathinfo 1
FcgidProcessLifeTime 0
FcgidTimeScore 3
FcgidZombieScanInterval 20
FcgidMaxRequestsPerProcess 0
FcgidMaxRequestLen 33554432
FcgidIOTimeout 120

in each vhost

Options Indexes ExecCGI
AddHandler fcgid-script .php
FCGIWrapper /usr/lib/cgi-bin/php5 .php

build mod_geoip

Obtain GeoIP-1.4.6 from maxmind.com and built per included instructions.
Build Module against an IPv6 Enabled Apache Build

Obtain GeoIP-1.4.6 from maxmind.com and built per included instructions.
Build Module against an IPv6 Enabled Apache Build

del *.obj *.exp *.lib *.so
set APACHE=C:\Apache22
set GEOIPROOT=C:\Build\GeoIP-1.4.6
cl  /nologo /MD /O2 /LD /W3 -DWIN32 -D_WIN32 -I%GEOIPROOT%\libGeoIP -I%APACHE%\include /c /Fomod_geoip.obj mod_geoip.c
link /NODEFAULTLIB:LIBCMT kernel32.lib "%APACHE%\lib\libhttpd.lib" "%APACHE%\lib\libapr-1.lib" "%APACHE%\lib\libaprutil-1.lib" "%GEOIPROOT%\libGeoIP\GeoIP.lib" /nologo /subsystem:windows /dll /machine:I386 /out:mod_geoip.so mod_geoip.obj

reverse proxy for utorrent part 2

In my last post about utorrent (µtorrent) I was frustrated that I wasn’t able to change the url from /gui/ to /tor/
Woot! In apache 2.3 which will be apache 2.4 and I think it will be released in early 2011 the proxy module is much better and there it works to have a different URL :-) Even as ALPHA or BETA version the new apache rocks a lot and runs stable. In condition with mod_fcgid it is real cool technology e.g. running PHP separated form apache that allows to run different PHP version of the server in vhosts or directories. Also running a non thread safe PHP version. Speed! IPv6 would be fine, but the offered patches are not applied to trunk :-/There is an annoying bug in mod_fcgid. I’m glad I found a fix for it (help from Tom Donovan and Sob).

Disable AllowOverride (htaccess to httpd.conf)

AllowOverride is one of the things that slow down a lot. Disabling it makes apache faster. It is a horror to migrate all .htaccess files by hand. BUT here is a PHP script from Paul Reinheimer which makes it realy easy :-)

Get it htaccess.php

tune your server!

crashing fcgid 2.3.6 on windows

On Windows fcgid crashes apache when apache do a graceful restart (httpd -k restart). Here is a patch that should fix that. This patch in inspired from Tom Dovovan.

Index: modules/fcgid/fcgid_pm_main.c
===================================================================
--- modules/fcgid/fcgid_pm_main.c    (revision 1037552)
+++ modules/fcgid/fcgid_pm_main.c    (working copy)
@@ -375,7 +375,9 @@
 proc->diewhy = FCGID_DIE_SHUTDOWN;
 proc_print_exit_info(proc, exitcode, exitwhy,
 main_server);
-        apr_pool_destroy(proc->proc_pool);
+        #ifndef Win32
+            apr_pool_destroy(proc->proc_pool);
+        #endif
 proc->proc_pool = NULL;
 return 1;
 }
Index: modules/fcgid/fcgid_pm_win.c
===================================================================
--- modules/fcgid/fcgid_pm_win.c    (revision 1037552)
+++ modules/fcgid/fcgid_pm_win.c    (working copy)
@@ -123,7 +123,9 @@
 "mod_fcgid: can't create wake up thread");
 exit(1);
 }
-
+    apr_pool_cleanup_register(pconf, main_server,
+                              procmgr_stop_procmgr, apr_pool_cleanup_null);
+                              
 return APR_SUCCESS;
 }

@@ -249,8 +251,6 @@
 apr_status_t
 procmgr_child_init(server_rec * main_server, apr_pool_t * pchild)
 {
-    apr_pool_cleanup_register(pchild, main_server,
-                              procmgr_stop_procmgr, apr_pool_cleanup_null);
 return APR_SUCCESS;
 }

Download this patch

Posts Tagged httpd

Archives by Month: