Date: Sat, 7 Jun 2014 18:58:51 -0500
From: Mark Felder <feld@FreeBSD.org>
To: olli hauer <ohauer@gmx.de>
Cc: freebsd-apache@freebsd.org
Subject: Re: Mass cleansing of Apache module POLA violations
Message-ID: <BDBA5CA7-A3EB-4F8C-B34E-248B4E58ACDE@FreeBSD.org>
In-Reply-To: <53937F05.2010402@gmx.de>
References: <cc98dc4842b81154e98740ffb43d60bc@mail.feld.me> <53937F05.2010402@gmx.de>
On Jun 7, 2014, at 16:07, olli hauer <ohauer@gmx.de> wrote:

> On 2014-06-02 19:25, Mark Felder wrote:
>> Hi all,
>>
>> Thanks for maintaining Apache and friends.
>>
>> I have a request. With my sysadmin hat on, I find maintaining Apache on FreeBSD to be the most frustrating Apache experience on the planet. Some Apache modules insert LoadModule into your httpd.conf automatically, some insert it commented out (#LoadModule), and some tell you in pkg-message what you need to do to activate the module. The inconsistency here is embarrassing.
>>
>> Can we please stop trying to outsmart the sysadmin?
>>
>> - I do *NOT* want every installed Apache module automatically activated on every server. That's bloat and a potential security hole. I might not actually need it activated.
>> - I do *NOT* want pkg automatically manipulating my httpd.conf. It puts entries in the wrong spot, sometimes under custom comment sections where other LoadModules live.
>> - I do *NOT* want pkg and Apache to outsmart me and break my systems.
>> - I *do* want kind, helpful instructions in pkg-message, or perhaps samples that aren't loaded by default waiting for me in %%ETCDIR%%/modules.d/
>>
>> As of today you can expect the following:
>>
>> Upgrade or reinstall mod_perl. Restart Apache. Your Apache is broken. Why, you ask? Because mod_perl installs this:
>>
>> #LoadModule perl_module libexec/apache22/mod_perl.so
>>
>> And helpfully *DELETES* my uncommented version of the line upon deinstall for upgrade, and re-inserts it commented again!
>>
>> There are several other offenders like this; I do not have a complete list. But the point is: this behavior makes it impossible to reliably administer large numbers of servers. Why should I have to deploy updates and then fix my httpd.conf every single time? This is just bizarre behavior. A port or package should never automatically modify a production configuration file. Let the sysadmin handle the insertion or removal of configuration.
>>
>> If we can come up with a standardized mechanism I will *gladly* assist in testing and fixing all ... 101 or so Apache modules so we have some sort of consistency here.
>>
>
> On my road-map is the rewrite of bsd.apache.mk (should be used in future only for the www/apache ports) plus an addition for Uses/apache.mk.
>
> It is planned that modules place a sample '#LoadModule ...' into etc/apache2(2|4)/modules.d/ (see modules.d/README_modules.d). This way the file can contain instructions on how to use the module, and once the file is modified (module enabled) it will stay until the user wipes it from the system.
> Since the instructions to include configs from this directory are already in the httpd.conf, you can already start using it for modules that are disabled by default.
>
> For lack of time the work is not finished; apache@ is searching for new members (only one active member around for a long time, so fresh blood is welcome ;)
>

This roadmap is perfect; exactly what I was hoping for. I'm not an apache fan personally, but must use it at work regardless. If there is a rewrite in progress somewhere I would be willing to take a look and test or assist as time permits.
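As an added illustration (not code from this thread or from the FreeBSD ports tree), a POSIX sh audit that inventories which LoadModule lines are actually active across httpd.conf and the modules.d/ drop-in directory described above, flags active modules missing from an explicit allowlist, and reports modules enabled in more than one file. The directory layout, file names and module names it builds are constructed sample data.

```shell
#!/bin/sh
# Added example: inventory the Apache modules that are really enabled across
# httpd.conf plus the modules.d/ drop-ins, and compare against an allowlist.
# Paths, file names and module names below are constructed sample data.

# Print "module<TAB>file" for every uncommented LoadModule line under $1.
active_modules() {
    for f in "$1/httpd.conf" "$1"/modules.d/*.conf; do
        [ -f "$f" ] || continue
        # Lines starting with '#' (the shipped samples) never match this pattern.
        sed -n 's/^[[:space:]]*LoadModule[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$f" |
            while IFS= read -r mod; do printf '%s\t%s\n' "$mod" "$f"; done
    done
}

# Print active modules whose name is not an exact line in allowlist file $2.
disallowed_modules() {
    active_modules "$1" | while IFS="$(printf '\t')" read -r mod file; do
        grep -qx "$mod" "$2" || printf '%s\t%s\n' "$mod" "$file"
    done
}

# Module names enabled in more than one file (the mod_perl-style situation
# where a port re-inserts a line the admin already manages elsewhere).
duplicate_modules() {
    active_modules "$1" | cut -f1 | sort | uniq -d
}

# Build a constructed config tree mirroring the layout discussed in the thread.
make_sample_tree() {
    mkdir -p "$1/modules.d"
    cat >"$1/httpd.conf" <<'EOF'
LoadModule authz_core_module libexec/apache24/mod_authz_core.so
#LoadModule status_module libexec/apache24/mod_status.so
Include etc/apache24/modules.d/*.conf
EOF
    printf '#LoadModule perl_module libexec/apache24/mod_perl.so\n' >"$1/modules.d/010_mod_perl.conf"
    printf 'LoadModule status_module libexec/apache24/mod_status.so\n' >"$1/modules.d/020_mod_status.conf"
    printf 'authz_core_module\nperl_module\n' >"$1/allow.txt"
}

# Stand-alone demo on a temporary tree.
demo_dir=$(mktemp -d)
make_sample_tree "$demo_dir"
printf 'Active:\n';     active_modules "$demo_dir"
printf 'Disallowed:\n'; disallowed_modules "$demo_dir" "$demo_dir/allow.txt"
printf 'Duplicates:\n'; duplicate_modules "$demo_dir"
rm -rf "$demo_dir"
```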