FreeBSD, Apache 2.x and itk mpm
mpm-itk is a working alternative to the b0rked perchild mpm, but built on prefork. It is currently maintained by Steinar H. Gunderson; see http://home.samfundet.no/~sesse/mpm-itk/ for more details. It was developed for apache 2.0.x and has recently been ported to apache 2.2. Since I enjoy apache 2.2, this little howto is written for apache 2.2.x, but it works for apache 2.0.x too.
First of all, CVSup your ports tree. Then go to the apache22 port and build apache with “itk” as the MPM:
$ cd /usr/ports/www/apache22
$ sudo make WITH_MPM=itk
<...build output...>
$ sudo make install clean
Let’s check that we have the right MPM.
$ /usr/local/sbin/httpd -V | grep MPM
Server MPM: ITK
-D APACHE_MPM_DIR="server/mpm/experimental/itk"
Nice! We can now see how our apache22 reacts :)
$ sudo /usr/local/etc/rc.d/apache22 forcestart
Performing sanity check on apache22 configuration:
Syntax OK
Starting apache22.
$ ps auxwww | grep httpd
root 92484 0.0 0.7 73452 7116 ?? Ss 4:18PM 0:00.09 /usr/local/sbin/httpd -DNOHTTPACCEPT
root 92485 0.0 0.7 73484 7132 ?? S 4:18PM 0:00.00 /usr/local/sbin/httpd -DNOHTTPACCEPT
root 92486 0.0 0.7 73484 7132 ?? S 4:18PM 0:00.00 /usr/local/sbin/httpd -DNOHTTPACCEPT
root 92487 0.0 0.7 73484 7132 ?? S 4:18PM 0:00.00 /usr/local/sbin/httpd -DNOHTTPACCEPT
root 92488 0.0 0.7 73484 7132 ?? S 4:18PM 0:00.00 /usr/local/sbin/httpd -DNOHTTPACCEPT
root 92489 0.0 0.7 73484 7132 ?? S 4:18PM 0:00.00 /usr/local/sbin/httpd -DNOHTTPACCEPT
Ohoh! Every apache child runs as root. No, I didn’t put in a backdoor ;) The children stay root because until the request has been parsed, apache doesn’t know which virtual host is being asked for, and therefore which user to switch to. That is a real security risk: any bug that is triggered before request parsing is done (and the privilege drop happens) runs as root, so it can lead to a root compromise. If there is a major flaw in mod_ssl, pray and update ASAP.
Still here? Not scared? You should be :) mpm-itk adds two directives:
AssignUserID: the UID and GID the child process switches to for this virtual host.
MaxClientsVHost: the maximum number of children alive at the same time for this virtual host.
Don’t uncomment ‘#Include etc/apache22/extra/httpd-vhosts.conf’ in ${PREFIX}/etc/apache22/httpd.conf; that config file is b0rked (fixing it is on my ToDo list).
Instead, edit ${PREFIX}/etc/apache22/Includes/100.NameVirtualHost.conf and put:
NameVirtualHost *:80
(I usually leave 0xx for module configurations.)
Add something like this to ${PREFIX}/etc/apache22/Includes/101.DefaultVirtualHost:
<VirtualHost *:80>
    DocumentRoot /usr/local/www/apache22/data
    AssignUserID nobody nogroup
    MaxClientsVHost 10
</VirtualHost>
Now add a different vhost. My vhost is “poubelle.cultdeadsheep.org”, so in ${PREFIX}/etc/apache22/Includes/poubelle.cultdeadsheep.org.conf I have:
<VirtualHost *:80>
    ServerAdmin
    DocumentRoot /home/www/poubelle.cultdeadsheep.org
    ServerName poubelle.cultdeadsheep.org
    AssignUserID clement clement
    MaxClientsVHost 50
    <Directory /home/www/poubelle.cultdeadsheep.org>
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
I’ve also installed PHP5 to perform some basic testing. Let’s restart apache.
$ sudo /usr/local/etc/rc.d/apache22 forcerestart
I run this simple script (saved as test.php in each vhost’s DocumentRoot; it prints the user the child is running as):
<?php system("id"); ?>
We run the basic test…
$ fetch -q -o - http://192.168.0.6/test.php
uid=65534(nobody) gid=65534(nobody) egid=65533(nogroup) groups=65533(nogroup)
$ fetch -q -o - http://poubelle.cultdeadsheep.org/test.php
uid=1000(clement) gid=1000(clement) groups=1000(clement)
And it works! I don’t even have to keep the o+x bit on directories :)
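Since a vhost that lacks AssignUserID (or that assigns root) keeps its children running as root, it is worth auditing the Includes directory after every change and re-running the id test above for each vhost. The script below is an added example, not part of the howto or of mpm-itk: it parses the vhost files, reports the user each vhost drops to, flags vhosts with no AssignUserID or with root assigned, and compares the uid printed by test.php against the configured user. The directory layout and the sample vhost files are constructed here; the extra vhost names (bad.example, worse.example) are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original howto): audit mpm-itk vhost files
# and check that a request really ran as the vhost's AssignUserID user.
# The sample directory stands in for ${PREFIX}/etc/apache22/Includes.

SAMPLE_DIR=$(mktemp -d)   # constructed sample config, not a real install

cat > "$SAMPLE_DIR/101.DefaultVirtualHost" <<'EOF'
<VirtualHost *:80>
    DocumentRoot /usr/local/www/apache22/data
    AssignUserID nobody nogroup
    MaxClientsVHost 10
</VirtualHost>
EOF

cat > "$SAMPLE_DIR/poubelle.cultdeadsheep.org.conf" <<'EOF'
<VirtualHost *:80>
    ServerName poubelle.cultdeadsheep.org
    DocumentRoot /home/www/poubelle.cultdeadsheep.org
    AssignUserID clement clement
    MaxClientsVHost 50
</VirtualHost>
EOF

# Two deliberately wrong vhosts (made-up names): one forgets AssignUserID,
# the other assigns root. Both leave the children running as root.
cat > "$SAMPLE_DIR/bad.example.conf" <<'EOF'
<VirtualHost *:80>
    ServerName bad.example
    DocumentRoot /home/www/bad.example
</VirtualHost>
<VirtualHost *:80>
    ServerName worse.example
    AssignUserID root wheel
</VirtualHost>
EOF

# audit_vhosts DIR: one line per vhost: "<ServerName> <user> <group> <status>"
# status is OK, MISSING (no AssignUserID) or ROOT (AssignUserID root ...).
audit_vhosts() {
    cat "$1"/* | awk '
        /<VirtualHost/        { name = "(default)"; user = ""; group = "" }
        $1 == "ServerName"    { name = $2 }
        $1 == "AssignUserID"  { user = $2; group = $3 }
        /<\/VirtualHost>/ {
            status = (user == "") ? "MISSING" : (user == "root" ? "ROOT" : "OK")
            print name, (user == "" ? "-" : user), (group == "" ? "-" : group), status
        }'
}

# expected_user DIR SERVERNAME: the AssignUserID user configured for that vhost
expected_user() {
    audit_vhosts "$1" | awk -v n="$2" '$1 == n && $2 != "-" { print $2 }'
}

# id_user "uid=1000(clement) gid=...": the user name from id(1) output
id_user() {
    printf '%s\n' "$1" | sed -n 's/^uid=[0-9]*(\([^)]*\)).*/\1/p'
}

# verify_vhost DIR SERVERNAME ID_OUTPUT: succeeds only when the request
# ran as the user the vhost is configured to drop to.
verify_vhost() {
    exp=$(expected_user "$1" "$2")
    got=$(id_user "$3")
    [ -n "$exp" ] && [ "$exp" = "$got" ]
}

# Report, then show the check with a captured id line (constructed here; on a
# live box you would feed it: fetch -q -o - http://<ServerName>/test.php).
audit_vhosts "$SAMPLE_DIR"
if verify_vhost "$SAMPLE_DIR" poubelle.cultdeadsheep.org \
        "uid=1000(clement) gid=1000(clement) groups=1000(clement)"; then
    echo "poubelle.cultdeadsheep.org: privilege drop verified"
else
    echo "poubelle.cultdeadsheep.org: NOT running as the assigned user" >&2
fi
```

Run it against the real Includes directory by replacing SAMPLE_DIR; any line ending in MISSING or ROOT is a vhost whose requests are still served by a root process, which is exactly the exposure the section above describes.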
Have fun!