Update: To version Apache-2.4.18 and PHP-5.6-17.

Message ID 1456761186-4705-1-git-send-email-erik.kapfer@ipfire.org
State New

Message

Erik Kapfer March 1, 2016, 2:53 a.m. UTC
Please DO NOT merge this, this version needs to be tested and optimized.

- The Apache update to 2.4.18 requires PCRE version 8.38, which has also been updated.
- PCRE-8.38 should have included all security patches from 8.37 --> http://www.pcre.org/original/changelog.txt .
- Changed the bzip2 position because the new pcre version needs bzlib.h.
- Added Apr-Util-1.5.4, which is required by the new Apache version.
- Apr-Util currently uses sqlite3, since compiling with BDB support without the new BDB-6* version takes a long compilation time because Apr-Util searches for every version from 6.8 backwards until the currently available 4.4 version.
- Added Apr-1.5.2, which is required by Apr-Util.
- Added both Apr-* versions to the Apache LFS and ROOTFILE.
- Added a new mpm.conf for the Apache Multi-Processing Modules and deleted the old entries from httpd.conf.
- Added "--enable-mpms-shared=all" to the Apache LFS so the MPM mode should be changeable on the fly by editing loadmodule.conf.
- Enabled '--enable-mods-shared="all cgi"' so fastcgi should be available too.
- Disabled server and version signature sending in httpd.conf.
- Added Modsecurity as an addon, with commented-out Apache config parameters under loadmodules.conf and httpd.conf.
- Modsecurity's install.sh will activate the entries in the Apache configs; uninstall.sh will also deactivate them.
- The Modsecurity default configuration from the source package is used.
- Added ICU support for PHP. Positioned ICU before boost because newer boost versions might also get ICU support?
- Added the new PHP module intl and deleted idn because it has been merged into intl --> http://php.net/manual/de/ref.intl.idn.php; the new module will also be built like log in the PHP LFS and ROOTFILE.
- Added a PHP patch for BerkeleyDB-6.x.
- Added a new php.ini.
- Added the zend optimizer extension to PHP.
- The FPM switch is activated in php.ini and should use nobody privileges by default.
- Disabled 'allow_url_fopen' and 'expose_php' in php.ini.
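An added example, not IPFire's code and not part of this patch: a POSIX shell check that a tester can run against an installed image to confirm the hardening settings the list above describes actually took effect. The php.ini keys are the ones named in the list; `ServerTokens`/`ServerSignature` and the `LoadModule mpm_*_module` form are my assumption of how the "signature sending" and "MPM changeable via loadmodule.conf" items are expressed in httpd.conf and loadmodule.conf. All sample file contents are constructed here.

```shell
#!/bin/sh
# Added example (not IPFire's code and not part of this patch): a POSIX shell
# check for the hardening settings the commit message lists. The php.ini keys
# are the ones named in the patch description; ServerTokens/ServerSignature and
# the "LoadModule mpm_*_module" form are my assumption of how the httpd.conf and
# loadmodule.conf changes are expressed. All sample file contents are constructed.

# ini_value FILE KEY -> effective value of KEY (last uncommented "KEY = value")
ini_value() {
    sed -n 's/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*\([^;]*\).*$/\1/p' "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# httpd_directive FILE DIRECTIVE -> argument of the last uncommented DIRECTIVE
httpd_directive() {
    awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 } END { print v }' "$1"
}

# loaded_mpms FILE -> number of MPM modules loaded (lines starting with '#' are ignored)
loaded_mpms() {
    awk 'tolower($1) == "loadmodule" && $2 ~ /^mpm_.*_module$/ { n++ } END { print n + 0 }' "$1"
}

# check_hardening PHP_INI HTTPD_CONF LOADMODULE_CONF
# Prints one line per finding; returns 0 only when every check passes.
check_hardening() {
    rc=0
    [ "$(ini_value "$1" expose_php)" = "Off" ] \
        || { echo "$1: expose_php must be Off"; rc=1; }
    [ "$(ini_value "$1" allow_url_fopen)" = "Off" ] \
        || { echo "$1: allow_url_fopen must be Off"; rc=1; }
    [ "$(httpd_directive "$2" ServerTokens)" = "Prod" ] \
        || { echo "$2: ServerTokens should be Prod"; rc=1; }
    [ "$(httpd_directive "$2" ServerSignature)" = "Off" ] \
        || { echo "$2: ServerSignature should be Off"; rc=1; }
    [ "$(loaded_mpms "$3")" -eq 1 ] \
        || { echo "$3: exactly one MPM must be loaded (shared MPMs are mutually exclusive)"; rc=1; }
    return $rc
}

# make_samples DIR -> writes a hardened ("good") and a weak ("bad") constructed config set
make_samples() {
    mkdir -p "$1/good" "$1/bad"
    printf '%s\n' '; constructed sample' 'expose_php = Off' 'allow_url_fopen = Off' > "$1/good/php.ini"
    printf '%s\n' 'ServerTokens Prod' 'ServerSignature Off' > "$1/good/httpd.conf"
    printf '%s\n' '#LoadModule mpm_worker_module modules/mod_mpm_worker.so' \
                  'LoadModule mpm_prefork_module modules/mod_mpm_prefork.so' > "$1/good/loadmodule.conf"
    printf '%s\n' 'expose_php = On ; leaks the PHP version in headers' 'allow_url_fopen = On' > "$1/bad/php.ini"
    printf '%s\n' 'ServerTokens Full' 'ServerSignature On' > "$1/bad/httpd.conf"
    printf '%s\n' 'LoadModule mpm_worker_module modules/mod_mpm_worker.so' \
                  'LoadModule mpm_prefork_module modules/mod_mpm_prefork.so' > "$1/bad/loadmodule.conf"
}

# run_demo -> 0 when the hardened set passes and the weak set is rejected
run_demo() {
    dir=$(mktemp -d)
    make_samples "$dir"
    if check_hardening "$dir/good/php.ini" "$dir/good/httpd.conf" "$dir/good/loadmodule.conf"; then
        good=0
    else
        good=1
    fi
    if check_hardening "$dir/bad/php.ini" "$dir/bad/httpd.conf" "$dir/bad/loadmodule.conf"; then
        bad=0
    else
        bad=1
    fi
    rm -rf "$dir"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}

# Stand-alone run: the weak set prints its findings, then the overall verdict follows.
if run_demo; then echo "hardening check: OK"; else echo "hardening check: FAILED"; exit 1; fi
```

On a real installation the three paths would be the image's own php.ini, httpd.conf and loadmodule.conf; the MPM count check matters because with `--enable-mpms-shared=all` every MPM ships as a loadable module and Apache refuses to start when more than one is loaded.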

Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
---
 config/httpd/httpd.conf                            |   15 +-
 config/httpd/loadmodule.conf                       |  124 +-
 config/httpd/server-tuning.conf                    |    7 +-
 config/httpd/ssl-global.conf                       |    3 +-
 config/php/php.ini                                 | 1674 ++++++++++++++------
 config/rootfiles/common/apache2                    |  646 ++++++--
 config/rootfiles/common/pcre                       |  145 +-
 config/rootfiles/common/php                        |  158 +-
 lfs/apache2                                        |  105 +-
 lfs/pcre                                           |   33 +-
 lfs/php                                            |  131 +-
 make.sh                                            |    4 +-
 .../pcre-8.37-Fix-another-buffer-overflow.patch    |  110 --
 ...overflow-for-forward-reference-within-bac.patch |   68 -
 ...overflow-for-named-recursive-back-referen.patch |   87 -
 ...overflow-for-named-references-in-situatio.patch |  190 ---
 ...orward-reference-to-duplicate-group-numbe.patch |   98 --
 17 files changed, 2123 insertions(+), 1475 deletions(-)
 delete mode 100644 src/patches/pcre-8.37-Fix-another-buffer-overflow.patch
 delete mode 100644 src/patches/pcre-8.37-Fix-buffer-overflow-for-forward-reference-within-bac.patch
 delete mode 100644 src/patches/pcre-8.37-Fix-buffer-overflow-for-named-recursive-back-referen.patch
 delete mode 100644 src/patches/pcre-8.37-Fix-buffer-overflow-for-named-references-in-situatio.patch
 delete mode 100644 src/patches/pcre-8.37-Fix-named-forward-reference-to-duplicate-group-numbe.patch
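Review bot: the five src/patches/pcre-8.37-Fix-*.patch backports are deleted on the strength of "PCRE-8.38 should have included all security patches from 8.37"; before dropping them, confirm in the 8.38 section of http://www.pcre.org/original/changelog.txt that each of the five fixes (the forward-reference, named-recursive-back-reference, named-reference and duplicate-group-number buffer overflows plus the remaining "another buffer overflow" fix) landed upstream, and state that in the commit message rather than "should have". The diffstat also mixes independent changes, a 1674-line rewrite of config/php/php.ini, the apr/apr-util additions, the PCRE bump and a new mod_security addon, into one commit; each of those should be its own patch so it can be reviewed and reverted on its own.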

Comments

Erik March 1, 2016, 4:14 a.m. UTC | #1
Hi all,
some files are missing and send-email won't deliver the amended version
fatal: /tmp/pQNGd3EHcp/0001-Update-To-version-Apache-2.4.18-and-PHP-5.6-17.patch: 627: patch contains a line longer than 998 characters
warning: no patches were sent

will push them soon again…

Sorry for that.

Greetings,

Erik
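As an added example, not part of the thread: the `git send-email` error quoted above names the line number but not which lines break the 998-character e-mail line limit, so a quick shell check over the patch file tells you what has to be reformatted or split before resending. The script and its constructed sample patch are mine; the limit is the one the error message states.

```shell
#!/bin/sh
# Added example, not from the thread: find the lines in a patch file that
# exceed the 998-character line limit that git send-email reports above (the
# limit comes from the e-mail message format, so the patch has to be reformatted
# or split rather than sent as-is). The sample patch below is constructed.

LIMIT=998

# long_lines FILE -> one "LINENO: LENGTH" entry per line longer than LIMIT
long_lines() {
    awk -v max="$LIMIT" 'length($0) > max { print FNR ": " length($0) }' "$1"
}

# count_long_lines FILE -> number of offending lines
count_long_lines() {
    long_lines "$1" | wc -l | tr -d ' '
}

# make_sample_patch FILE -> constructed four-line patch whose third line is 1201 chars
make_sample_patch() {
    {
        printf '%s\n' 'diff --git a/config/php/php.ini b/config/php/php.ini'
        printf '%s\n' '+expose_php = Off'
        printf '+%s\n' "$(printf '%01200d' 0 | tr 0 x)"
        printf '%s\n' '+allow_url_fopen = Off'
    } > "$1"
}

# Stand-alone use: sh check_patch_lines.sh 0001-some.patch
# Prints the offending lines and exits non-zero if there are any.
if [ "$#" -eq 1 ]; then
    long_lines "$1"
    [ "$(count_long_lines "$1")" -eq 0 ] || exit 1
fi
```

Run without arguments the script only defines the helpers; with a patch file as its single argument it prints the overlong lines and exits non-zero, which makes it usable as a pre-send hook.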
Michael Tremer March 3, 2016, 10:52 a.m. UTC | #2
Hi,

yes please break this up into individual patches that do small changes
at a time.

You can also use RFC instead of PATCH in the headline so you can ask
people to comment on the changes.

-Michael

On Mon, 2016-02-29 at 18:14 +0100, ummeegge wrote:
> Hi all,
> some files are missing and send-email won't deliver the amended
> version
> fatal: /tmp/pQNGd3EHcp/0001-Update-To-version-Apache-2.4.18-and-PHP-
> 5.6-17.patch: 627: patch contains a line longer than 998 characters
> warning: no patches were sent
> 
> will push them soon again…
> 
> Sorry for that.
> 
> Greetings,
> 
> Erik
Erik March 4, 2016, 12:47 a.m. UTC | #3
Hi Michael,
Yes, sure, if we go for a merge request we will split all the pieces into separate patches so it should be easier to overview and comment on them, but at the moment there are configuration questions open and also more testing to do.
The first step, in my opinion, could be some help in finding a proper, well-operating mode for the new versions, where we first find a way to moderate hardware consumption. The RAM usage currently seems to be double that of the existing apache/php installation, which in my opinion is a no-go, especially for all the weak boards out there (256MB, like e.g. the ALIX, are a problem I think). Unfortunately the worker MPM mode has the lowest RAM consumption in my tests, but it also seems to be the weakest in a security manner, since the "worker" MPM uses threads, and the question comes up whether PHP is really thread safe, where I in fact currently have no deeper insight. The alternative might be to use the prefork MPM, which uses processes instead of threads and should therefore be safer, but in my tests also needs more RAM. This situation is currently a dilemma where I'm not sure how to solve this, but maybe some other people in here have the time, know-how and the leisure to find a good solution to this.
Another section might be to try out some more with modsecurity (made as a separate package), which is really at the beginning of testing and currently uses only default configs, so for now this can be seen as a playground. There are also more possibilities with these versions where I switched some configure options on, but maybe too many or not the really useful ones; for these questions I hope to find some more testers who are interested in optimizing this work, so that in the end we can make a working list of how we step further with the merge requests to deliver it step by step for a potential final overview.

For the first tries I wanted to deliver my working environment, which works well on my testing machine. Here --> http://git.ipfire.org/?p=people/ummeegge/ipfire-2.x.git;a=commit;h=47e7534ec924da960610838b6d40549f50c94f56 all changes can be reviewed and used.

It would be great if some response comes. I'm on the road in the next 1-2 weeks, so please be patient for a response.

Greetings,

Erik


On 03.03.2016 at 00:52, Michael Tremer <michael.tremer@ipfire.org> wrote:

> Hi,
> 
> yes please break this up into individual patches that do small changes
> at a time.
> 
> You can also use RFC instead of PATCH in the headline so you can ask
> people to comment on the changes.
> 
> -Michael
> 
> On Mon, 2016-02-29 at 18:14 +0100, ummeegge wrote:
>> Hi all,
>> some files are missing and send-email won't deliver the amended
>> version
>> fatal: /tmp/pQNGd3EHcp/0001-Update-To-version-Apache-2.4.18-and-PHP-
>> 5.6-17.patch: 627: patch contains a line longer than 998 characters
>> warning: no patches were sent
>> 
>> will push them soon again…
>> 
>> Sorry for that.
>> 
>> Greetings,
>> 
>> Erik
Erik March 4, 2016, 2:07 a.m. UTC | #4
I have also uploaded an image --> http://people.ipfire.org/~ummeegge/Apache%2BPHP_update/ with all updated versions and also modsecurity as a package, if someone wants to test it via VM or regular installation.

Erik

On 03.03.2016 at 14:47, ummeegge <ummeegge@ipfire.org> wrote:

> Hi Michael,
> Yes, sure, if we go for a merge request we will split all the pieces into separate patches so it should be easier to overview and comment on them, but at the moment there are configuration questions open and also more testing to do.
> The first step, in my opinion, could be some help in finding a proper, well-operating mode for the new versions, where we first find a way to moderate hardware consumption. The RAM usage currently seems to be double that of the existing apache/php installation, which in my opinion is a no-go, especially for all the weak boards out there (256MB, like e.g. the ALIX, are a problem I think). Unfortunately the worker MPM mode has the lowest RAM consumption in my tests, but it also seems to be the weakest in a security manner, since the "worker" MPM uses threads, and the question comes up whether PHP is really thread safe, where I in fact currently have no deeper insight. The alternative might be to use the prefork MPM, which uses processes instead of threads and should therefore be safer, but in my tests also needs more RAM. This situation is currently a dilemma where I'm not sure how to solve this, but maybe some other people in here have the time, know-how and the leisure to find a good solution to this.
> Another section might be to try out some more with modsecurity (made as a separate package), which is really at the beginning of testing and currently uses only default configs, so for now this can be seen as a playground. There are also more possibilities with these versions where I switched some configure options on, but maybe too many or not the really useful ones; for these questions I hope to find some more testers who are interested in optimizing this work, so that in the end we can make a working list of how we step further with the merge requests to deliver it step by step for a potential final overview.
> 
> For the first tries I wanted to deliver my working environment, which works well on my testing machine. Here --> http://git.ipfire.org/?p=people/ummeegge/ipfire-2.x.git;a=commit;h=47e7534ec924da960610838b6d40549f50c94f56 all changes can be reviewed and used.
> 
> It would be great if some response comes. I'm on the road in the next 1-2 weeks, so please be patient for a response.
> 
> Greetings,
> 
> Erik
> 
> 
> On 03.03.2016 at 00:52, Michael Tremer <michael.tremer@ipfire.org> wrote:
> 
>> Hi,
>> 
>> yes please break this up into individual patches that do small changes
>> at a time.
>> 
>> You can also use RFC instead of PATCH in the headline so you can ask
>> people to comment on the changes.
>> 
>> -Michael
>> 
>> On Mon, 2016-02-29 at 18:14 +0100, ummeegge wrote:
>>> Hi all,
>>> some files are missing and send-email won't deliver the amended
>>> version
>>> fatal: /tmp/pQNGd3EHcp/0001-Update-To-version-Apache-2.4.18-and-PHP-
>>> 5.6-17.patch: 627: patch contains a line longer than 998 characters
>>> warning: no patches were sent
>>> 
>>> will push them soon again…
>>> 
>>> Sorry for that.
>>> 
>>> Greetings,
>>> 
>>> Erik
>
Michael Tremer March 4, 2016, 11:39 p.m. UTC | #5
On Thu, 2016-03-03 at 14:47 +0100, ummeegge wrote:
> Hi Michael,
> Yes, sure, if we go for a merge request we will split all the pieces
> into separate patches so it should be easier to overview and comment
> on them, but at the moment there are configuration questions open and
> also more testing to do.

It is a good idea to do this right from the beginning. That saves a lot
of work later.

I can't and won't review these large patches because there is really no
point in it. They usually raise more questions than they should and
commenting inline is messy and leads into many separate conversations
about different issues. So: It will save us all loads of work.

> The first step, in my opinion, could be some help in finding a proper,
> well-operating mode for the new versions, where we first find a way to
> moderate hardware consumption. The RAM usage currently seems to be
> double that of the existing apache/php installation, which in my
> opinion is a no-go, especially for all the weak boards out there
> (256MB, like e.g. the ALIX, are a problem I think).

I actually do not care that much about these. They are way below the
minimum hardware requirements and even further below the recommended
hardware requirements.

We should not waste the memory, but when it is needed to run apache,
what else can we do?

> Unfortunately the worker MPM mode has the lowest RAM consumption in my
> tests, but it also seems to be the weakest in a security manner, since
> the "worker" MPM uses threads, and the question comes up whether PHP
> is really thread safe, where I in fact currently have no deeper
> insight. The alternative might be to use the prefork MPM, which uses
> processes instead of threads and should therefore be safer, but in my
> tests also needs more RAM. This situation is currently a dilemma where
> I'm not sure how to solve this, but maybe some other people in here
> have the time, know-how and the leisure to find a good solution to
> this.

I think we must stick with the old way. The web user interface will
fork anyway, so the MPM approach will give us no advantage whatsoever.

Leaving things as they are should be the safest.

> Another section might be to try out some more with modsecurity (made
> as a separate package), which is really at the beginning of testing
> and currently uses only default configs, so for now this can be seen
> as a playground. There are also more possibilities with these versions
> where I switched some configure options on, but maybe too many or not
> the really useful ones; for these questions I hope to find some more
> testers who are interested in optimizing this work, so that in the end
> we can make a working list of how we step further with the merge
> requests to deliver it step by step for a potential final overview.

I do not really get why mod_security is a thing. What are you going to
achieve with this in IPFire?

> 
> For the first tries I wanted to deliver my working environment, which
> works well on my testing machine. Here -->
> http://git.ipfire.org/?p=people/ummeegge/ipfire-2.x.git;a=commit;h=47e7534ec924da960610838b6d40549f50c94f56
> all changes can be reviewed and used.
> 
> It would be great if some response comes. I'm on the road in the next
> 1-2 weeks, so please be patient for a response.
> 
> Greetings,
> 
> Erik

Best,
-Michael

> 
> 
> On 03.03.2016 at 00:52, Michael Tremer <michael.tremer@ipfire.org> wrote:
> 
> > Hi,
> > 
> > yes please break this up into individual patches that do small
> > changes
> > at a time.
> > 
> > You can also use RFC instead of PATCH in the headline so you can
> > ask
> > people to comment on the changes.
> > 
> > -Michael
> > 
> > On Mon, 2016-02-29 at 18:14 +0100, ummeegge wrote:
> > > Hi all,
> > > some files are missing and send-email won't deliver the amended
> > > version
> > > fatal: /tmp/pQNGd3EHcp/0001-Update-To-version-Apache-2.4.18-and-
> > > PHP-
> > > 5.6-17.patch: 627: patch contains a line longer than 998
> > > characters
> > > warning: no patches were sent
> > > 
> > > will push them soon again…
> > > 
> > > Sorry for that.
> > > 
> > > Greetings,
> > > 
> > > Erik
>