
apacheconf component changes

Version 1 of the apacheconf component contains a large number of new features and improvements. This version is primarily targeted at supporting Apache 2.4 on EL7, but 2.2 is also supported on EL6; this is mainly intended to help with the upgrade process.

If you do not have any experience of using Apache 2.4 then you should start by reading the official Upgrading to 2.4 from 2.2 documentation.

General Configuration

The templates for the conf/httpd.conf file have been updated for both 2.4 on EL7 and 2.2 on EL6 to make them similar to the standard configurations provided by Red Hat. A number of directives which were previously hardwired (see bug#397) have been removed so that the standard default values are used. If a directive which is not supported directly via a resource needs to be set, that can easily be done using a verbatim line. This should make it easier to support new versions of Apache in the future.

The securehtaccess feature which protects access to .ht* files has been modified to only protect .htpasswd, .htgroup and .htaccess files. This means that the standard configuration does not conflict with the serving of RPM header files for updaterpms.

Support has been added for specifying additional custom log formats via the logformat resource.

The configuration of virtual hosts and modules has been moved out of the main configuration file. Each site or module is now specified in a separate file and Include directives are used for all the required files. See the lcfg.sites.d and lcfg.modules.d sub-directories.

Many resources now have sensible default values so that it is easier to use the component "out of the box".

The Listen directive can now be set manually (fixes bug#680). If nothing is specified then a Listen statement is added for each port required by the set of virtual hosts. If there are no virtual hosts the daemon will be configured to listen on port 80 and also port 443 if the startssl resource is enabled.

The NameVirtualHost directive is no longer required with 2.4 so the automatic generation of those based on the virtual host resources is only supported on 2.2. This was always problematic in anything but the simplest cases and has been the biggest difficulty users have had with the previous version of the component. Closes: bug#83, bug#143, bug#344, bug#384.

When static configuration files are referenced using a relative path (e.g. any added to the configfiles resource) the component will first search in the server root (usually /etc/httpd) and, for backwards compatibility, also in the conf.d sub-directory. Previously the component always assumed the files were in the conf.d directory if they were not absolute paths.

The root directory has AllowOverride none and Require all denied; this is intentional for enhanced security. Directories which need to be accessible should be explicitly configured as such, see https://httpd.apache.org/docs/2.4/misc/security_tips.html.
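The default-deny root directory described above, together with the narrowed securehtaccess protection described earlier, can be pictured as the following Apache 2.4 fragment. This is an added illustration, not the template shipped with the apacheconf component: the content path /srv/example/htdocs is hypothetical and the FilesMatch pattern is one assumed way of expressing "only .htaccess, .htpasswd and .htgroup".

```apache
# Added illustration (Apache 2.4 syntax); not the component's own template.

# Default deny: nothing on the filesystem is served and no .htaccess
# overrides are honoured unless a more specific section says otherwise.
<Directory "/">
    AllowOverride none
    Require all denied
</Directory>

# Every tree that must be reachable is opened up explicitly.
# /srv/example/htdocs is a hypothetical path used only for this example.
<Directory "/srv/example/htdocs">
    # Keep overrides off unless the site genuinely needs .htaccess files.
    AllowOverride none
    # Do not generate directory listings for directories without an index.
    Options -Indexes
    Require all granted
</Directory>

# Block only the three access-control files by name (assumed pattern).
# A broad ".ht*" match would also refuse any other file whose name
# happens to start with ".ht", which is the conflict the narrower
# protection avoids.
<FilesMatch "^\.ht(access|passwd|group)$">
    Require all denied
</FilesMatch>
```

A fragment like this can be syntax-checked with apachectl configtest before it is included. A request for a path that falls outside every explicitly granted Directory section is refused by the root rule rather than served by accident.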

Global SSL Settings

Resources have been added to support directly setting global values for the following commonly used SSL directives:

  • SSLCipherSuite - ssl_ciphersuite
  • SSLHonorCipherOrder - ssl_honorcipherorder
  • SSLProtocol - ssl_protocol
  • SSLPassPhraseDialog - ssl_passphrasedialog

This closes bug#789.

The contents of any SSL files (e.g. those referenced in the ssl_cert_file or ssl_cert_key_file resources) will now be checked for changes when the configure method is called. If any changes are detected then the daemon will be reloaded. This avoids the need to force a restart or reload if it's not known whether the files are being actively used.

Virtual Hosts

The most noticeable change for virtual hosts is that the configuration for each host is now in a separate file in the lcfg.sites.d sub-directory. The contents of that directory are managed by the component and any unknown files are removed. The configuration files are then individually included into the main configuration.

One new feature is that it is now possible to mark a virtual host as "inactive". If a host is not active the individual configuration file will be created but it will NOT be included in the main configuration and will have a comment at the top stating as much. This makes it possible to manually inspect a newly generated config before including it into the main server configuration. It also makes it possible to quickly disable a virtual host if a problem arises without losing the associated configuration which might be required to help diagnose the cause of a problem.

Loadable Modules

The configuration for each module is now in a separate file in the lcfg.modules.d sub-directory. The contents of that directory are managed by the component and any unknown files are removed. The configuration files are then individually included into the main configuration.

The configuration of loadable modules has been enhanced to add various new features.

Support has been added for marking a module as inactive. If a module is not active the individual configuration file will be created but it will NOT be included in the main configuration. This makes it possible to manually inspect a newly generated config before including it into the main server configuration. It also makes it possible to quickly disable a module if a problem arises without losing the associated configuration which might be required to help diagnose the cause of a problem.

Support has been added for disabling the addition of the LoadModule directive. Occasionally the loading of modules can be too complex to be easily expressed in a single statement, in which case it is useful to disable the standard module loading support. For example, the cgi module is provided with a configuration file which will load the correct module for the desired MPM module.

Support has been added for including a list of static files. This might be to handle a complex module loading scenario or set default values for various options.

Support has been added for setting verbatim lines. These are added to the configuration after the inclusion of any static files so that it is possible to override default settings.

Much of this was previously possible by using the global configfiles and verbatim resources, but that does not indicate any module associations for the configuration lines. The per-module resources have the benefit that the config is only added when the module is active, and if a module is disabled the config is also removed, which reduces the potential for generating invalid configurations.

For EL7 the tags in the apacheconf.modules list of modules have been totally refreshed to more closely match the current module names. Some of them were still referring to names from the Apache 1.3 era, so this should help avoid confusion (closes: bug#658). Note that this might require tweaking of some site configurations for the mutations of the modules resource.

Daemon Control

Previously the component used apachectl directly to control the Apache daemon (e.g. when calling stop, start, restart, reload). That has been replaced with use of systemctl (via the Service ngeneric method) for all needs except testing the syntax of an updated configuration. This is necessary to avoid the component fighting with systemd for control of the daemon. Hopefully this will also fix bug#398.

Resource Changes

Added

  • listen - create Listen directives
  • logformat - add custom log formats
  • format_$
  • moduleactive_$ - (de)activate module
  • moduleload_$ - control loading of module
  • modulefile_$ - static config files for module
  • moduleverbatim_$ - verbatim config for module
  • moduleline_$_$
  • ssl_honorcipherorder
  • ssl_ciphersuite
  • ssl_passphrasedialog
  • ssl_protocol
  • vhostactive_$ - (de)activate virtual host

Removed

All of these were deprecated when we moved from 1.3 to 2.0 and have not been supported for many years.

  • port
  • servertype
  • ssl_log
  • ssl_log_level

Deprecated

The following are not applicable for Apache 2.4 or in some cases EL7 which uses systemd.

  • defaulttype
  • httpd
  • lang
  • pidfile
  • logfiles

-- Main.squinney - 2016-02-10

Topic revision: r4 - 2017-03-30 - squinney