From 5bd4fb47d6a233b2f9c916d075822c123a965eb0 Mon Sep 17 00:00:00 2001 From: Joe Orton Date: Mar 29 2018 16:00:55 +0000 Subject: Merge branch 'f28' into f27
---
diff --git a/00-proxy.conf b/00-proxy.conf
index 448eb63..f0f84c2 100644
--- a/00-proxy.conf
+++ b/00-proxy.conf
@@ -14,4 +14,5 @@ LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
 LoadModule proxy_http_module modules/mod_proxy_http.so
 LoadModule proxy_hcheck_module modules/mod_proxy_hcheck.so
 LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
+LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so
 LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
diff --git a/01-md.conf b/01-md.conf
new file mode 100644
index 0000000..2739202
--- /dev/null
+++ b/01-md.conf
@@ -0,0 +1 @@
+LoadModule md_module modules/mod_md.so
diff --git a/httpd-2.4.17-sslciphdefault.patch b/httpd-2.4.17-sslciphdefault.patch
deleted file mode 100644
index 8efc461..0000000
--- a/httpd-2.4.17-sslciphdefault.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-
-https://bugzilla.redhat.com/show_bug.cgi?id=1109119
-
-Don't prepend !aNULL etc if PROFILE= is used with SSLCipherSuite.
-
---- httpd-2.4.17/modules/ssl/ssl_engine_config.c.sslciphdefault
-+++ httpd-2.4.17/modules/ssl/ssl_engine_config.c
-@@ -708,8 +708,10 @@ const char *ssl_cmd_SSLCipherSuite(cmd_p
- SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
- SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
-
-- /* always disable null and export ciphers */
-- arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
-+ /* Disable null and export ciphers by default, except for PROFILE=
-+ * configs where the parser doesn't cope. */
-+ if (strncmp(arg, "PROFILE=", 8) != 0)
-+ arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
-
- if (cmd->path) {
- dc->szCipherSuite = arg;
-@@ -1428,8 +1430,10 @@ const char *ssl_cmd_SSLProxyCipherSuite(
- {
- SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
-
-- /* always disable null and export ciphers */
-- arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
-+ /* Disable null and export ciphers by default, except for PROFILE=
-+ * configs where the parser doesn't cope. */
-+ if (strncmp(arg, "PROFILE=", 8) != 0)
-+ arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
-
- sc->proxy->auth.cipher_suite = arg;
-
diff --git a/httpd-2.4.25-r1738878.patch b/httpd-2.4.25-r1738878.patch
deleted file mode 100644
index e4b46cc..0000000
--- a/httpd-2.4.25-r1738878.patch
+++ /dev/null
@@ -1,140 +0,0 @@
-diff --git a/modules/proxy/ajp.h b/modules/proxy/ajp.h
-index c119a7e..267150a 100644
---- a/modules/proxy/ajp.h
-+++ b/modules/proxy/ajp.h
-@@ -413,12 +413,14 @@ apr_status_t ajp_ilink_receive(apr_socket_t *sock, ajp_msg_t *msg);
- * @param sock backend socket
- * @param r current request
- * @param buffsize max size of the AJP packet.
-+ * @param secret authentication secret
- * @param uri requested uri
- * @return APR_SUCCESS or error
- */
- apr_status_t ajp_send_header(apr_socket_t *sock, request_rec *r,
- apr_size_t buffsize,
-- apr_uri_t *uri);
-+ apr_uri_t *uri,
-+ const char *secret);
-
- /**
- * Read the ajp message and return the type of the message.
-diff --git a/modules/proxy/ajp_header.c b/modules/proxy/ajp_header.c
-index 67353a7..680a8f3 100644
---- a/modules/proxy/ajp_header.c
-+++ b/modules/proxy/ajp_header.c
-@@ -213,7 +213,8 @@ AJPV13_REQUEST/AJPV14_REQUEST=
-
- static apr_status_t ajp_marshal_into_msgb(ajp_msg_t *msg,
- request_rec *r,
-- apr_uri_t *uri)
-+ apr_uri_t *uri,
-+ const char *secret)
- {
- int method;
- apr_uint32_t i, num_headers = 0;
-@@ -293,17 +294,15 @@ static apr_status_t ajp_marshal_into_msgb(ajp_msg_t *msg,
- i, elts[i].key, elts[i].val);
- }
-
--/* XXXX need to figure out how to do this
-- if (s->secret) {
-+ if (secret) {
- if (ajp_msg_append_uint8(msg, SC_A_SECRET) ||
-- ajp_msg_append_string(msg, s->secret)) {
-+ ajp_msg_append_string(msg, secret)) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(03228)
-- "Error ajp_marshal_into_msgb - "
-+ "ajp_marshal_into_msgb: "
- "Error appending secret");
- return APR_EGENERAL;
- }
- }
-- */
-
- if (r->user) {
- if (ajp_msg_append_uint8(msg, SC_A_REMOTE_USER) ||
-@@ -671,7 +670,8 @@ static apr_status_t ajp_unmarshal_response(ajp_msg_t *msg,
- apr_status_t ajp_send_header(apr_socket_t *sock,
- request_rec *r,
- apr_size_t buffsize,
-- apr_uri_t *uri)
-+ apr_uri_t *uri,
-+ const char *secret)
- {
- ajp_msg_t *msg;
- apr_status_t rc;
-@@ -683,7 +683,7 @@ apr_status_t ajp_send_header(apr_socket_t *sock,
- return rc;
- }
-
-- rc = ajp_marshal_into_msgb(msg, r, uri);
-+ rc = ajp_marshal_into_msgb(msg, r, uri, secret);
- if (rc != APR_SUCCESS) {
- ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00988)
- "ajp_send_header: ajp_marshal_into_msgb failed");
-diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
-index f6fb473..f693f63 100644
---- a/modules/proxy/mod_proxy.c
-+++ b/modules/proxy/mod_proxy.c
-@@ -314,6 +314,12 @@ static const char *set_worker_param(apr_pool_t *p,
- (int)sizeof(worker->s->upgrade));
- }
- }
-+ else if (!strcasecmp(key, "secret")) {
-+ if (PROXY_STRNCPY(worker->s->secret, val) != APR_SUCCESS) {
-+ return apr_psprintf(p, "Secret length must be < %d characters",
-+ (int)sizeof(worker->s->secret));
-+ }
-+ }
- else {
- if (set_worker_hc_param_f) {
- return set_worker_hc_param_f(p, s, worker, key, val, NULL);
-diff --git a/modules/proxy/mod_proxy.h b/modules/proxy/mod_proxy.h
-index 8a0ad10..f92c185 100644
---- a/modules/proxy/mod_proxy.h
-+++ b/modules/proxy/mod_proxy.h
-@@ -352,6 +352,7 @@ PROXY_WORKER_HC_FAIL )
- #define PROXY_WORKER_MAX_HOSTNAME_SIZE 64
- #define PROXY_BALANCER_MAX_HOSTNAME_SIZE PROXY_WORKER_MAX_HOSTNAME_SIZE
- #define PROXY_BALANCER_MAX_STICKY_SIZE 64
-+#define PROXY_WORKER_MAX_SECRET_SIZE 64
-
- /* RFC-1035 mentions limits of 255 for host-names and 253 for domain-names,
- * dotted together(?) this would fit the below size (+ trailing NUL).
-@@ -443,6 +444,7 @@ typedef struct {
- hcmethod_t method; /* method to use for health check */
- apr_interval_time_t interval;
- char upgrade[PROXY_WORKER_MAX_SCHEME_SIZE];/* upgrade protocol used by mod_proxy_wstunnel */
-+ char secret[PROXY_WORKER_MAX_SECRET_SIZE]; /* authentication secret (e.g. AJP13) */
- } proxy_worker_shared;
-
- #define ALIGNED_PROXY_WORKER_SHARED_SIZE (APR_ALIGN_DEFAULT(sizeof(proxy_worker_shared)))
-diff --git a/modules/proxy/mod_proxy_ajp.c b/modules/proxy/mod_proxy_ajp.c
-index 051724e..e706518 100644
---- a/modules/proxy/mod_proxy_ajp.c
-+++ b/modules/proxy/mod_proxy_ajp.c
-@@ -193,6 +193,7 @@ static int ap_proxy_ajp_request(apr_pool_t *p, request_rec *r,
- apr_off_t content_length = 0;
- int original_status = r->status;
- const char *original_status_line = r->status_line;
-+ const char *secret = NULL;
-
- if (psf->io_buffer_size_set)
- maxsize = psf->io_buffer_size;
-@@ -202,12 +203,15 @@ static int ap_proxy_ajp_request(apr_pool_t *p, request_rec *r,
- maxsize = AJP_MSG_BUFFER_SZ;
- maxsize = APR_ALIGN(maxsize, 1024);
-
-+ if (*conn->worker->s->secret)
-+ secret = conn->worker->s->secret;
-+
- /*
- * Send the AJP request to the remote server
- */
-
- /* send request headers */
-- status = ajp_send_header(conn->sock, r, maxsize, uri);
-+ status = ajp_send_header(conn->sock, r, maxsize, uri, secret);
- if (status != APR_SUCCESS) {
- conn->close = 1;
- ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(00868)
diff --git a/httpd-2.4.33-export.patch b/httpd-2.4.33-export.patch
new file mode 100644
index 0000000..9adf398
--- /dev/null
+++ b/httpd-2.4.33-export.patch
@@ -0,0 +1,20 @@
+
+There is no need to "suck in" the apr/apr-util symbols when using
+a shared libapr{,util}, it just bloats the symbol table; so don't.
+
+Upstream-HEAD: needed
+Upstream-2.0: omit
+Upstream-Status: EXPORT_DIRS change is conditional on using shared apr
+
+--- httpd-2.4.33/server/Makefile.in.export
++++ httpd-2.4.33/server/Makefile.in
+@@ -60,9 +60,6 @@
+ ls $$dir/*.h ; \
+ done; \
+ echo "$(top_srcdir)/server/mpm_fdqueue.h"; \
+- for dir in $(EXPORT_DIRS_APR); do \
+- ls $$dir/ap[ru].h $$dir/ap[ru]_*.h 2>/dev/null; \
+- done; \
+ ) | sed -e s,//,/,g | sort -u > $@
+
+ exports.c: export_files
diff --git a/httpd-2.4.33-mddefault.patch b/httpd-2.4.33-mddefault.patch
new file mode 100644
index 0000000..9e82fb8
--- /dev/null
+++ b/httpd-2.4.33-mddefault.patch
@@ -0,0 +1,21 @@
+
+Override default.
+
+--- httpd-2.4.33/modules/md/mod_md_config.c.mddefault
++++ httpd-2.4.33/modules/md/mod_md_config.c
+@@ -54,10 +54,14 @@
+
+ #define DEF_VAL (-1)
+
++#ifndef MD_DEFAULT_STORE_DIR
++#define MD_DEFAULT_STORE_DIR "state/md"
++#endif
++
+ /* Default settings for the global conf */
+ static md_mod_conf_t defmc = {
+ NULL,
+- "md",
++ MD_DEFAULT_STORE_DIR,
+ NULL,
+ NULL,
+ 80,
diff --git a/httpd-2.4.33-r1738878.patch b/httpd-2.4.33-r1738878.patch
new file mode 100644
index 0000000..d7ef42f
--- /dev/null
+++ b/httpd-2.4.33-r1738878.patch
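Review bot: The description of httpd-2.4.33-mddefault.patch, `Override default.`, does not say which default changes or why, and the new value `"state/md"` is a relative path. I would expand the header to something like `Store mod_md state under state/md instead of md; the package provides the state directory.` What the relative path is resolved against is not visible in this hunk, so confirm that before wording it. The new `#ifndef MD_DEFAULT_STORE_DIR` guard also makes the value overridable at build time, which deserves a one-line comment above the guard.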
@@ -0,0 +1,137 @@
+diff --git a/modules/proxy/ajp.h b/modules/proxy/ajp.h
+index c119a7e..267150a 100644
+diff -uap httpd-2.4.33/modules/proxy/ajp_header.c.r1738878 httpd-2.4.33/modules/proxy/ajp_header.c
+--- httpd-2.4.33/modules/proxy/ajp_header.c.r1738878
++++ httpd-2.4.33/modules/proxy/ajp_header.c
+@@ -213,7 +213,8 @@
+
+ static apr_status_t ajp_marshal_into_msgb(ajp_msg_t *msg,
+ request_rec *r,
+- apr_uri_t *uri)
++ apr_uri_t *uri,
++ const char *secret)
+ {
+ int method;
+ apr_uint32_t i, num_headers = 0;
+@@ -293,17 +294,15 @@
+ i, elts[i].key, elts[i].val);
+ }
+
+-/* XXXX need to figure out how to do this
+- if (s->secret) {
++ if (secret) {
+ if (ajp_msg_append_uint8(msg, SC_A_SECRET) ||
+- ajp_msg_append_string(msg, s->secret)) {
++ ajp_msg_append_string(msg, secret)) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(03228)
+- "Error ajp_marshal_into_msgb - "
++ "ajp_marshal_into_msgb: "
+ "Error appending secret");
+ return APR_EGENERAL;
+ }
+ }
+- */
+
+ if (r->user) {
+ if (ajp_msg_append_uint8(msg, SC_A_REMOTE_USER) ||
+@@ -671,7 +670,8 @@
+ apr_status_t ajp_send_header(apr_socket_t *sock,
+ request_rec *r,
+ apr_size_t buffsize,
+- apr_uri_t *uri)
++ apr_uri_t *uri,
++ const char *secret)
+ {
+ ajp_msg_t *msg;
+ apr_status_t rc;
+@@ -683,7 +683,7 @@
+ return rc;
+ }
+
+- rc = ajp_marshal_into_msgb(msg, r, uri);
++ rc = ajp_marshal_into_msgb(msg, r, uri, secret);
+ if (rc != APR_SUCCESS) {
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(00988)
+ "ajp_send_header: ajp_marshal_into_msgb failed");
+diff -uap httpd-2.4.33/modules/proxy/ajp.h.r1738878 httpd-2.4.33/modules/proxy/ajp.h
+--- httpd-2.4.33/modules/proxy/ajp.h.r1738878
++++ httpd-2.4.33/modules/proxy/ajp.h
+@@ -413,12 +413,14 @@
+ * @param sock backend socket
+ * @param r current request
+ * @param buffsize max size of the AJP packet.
++ * @param secret authentication secret
+ * @param uri requested uri
+ * @return APR_SUCCESS or error
+ */
+ apr_status_t ajp_send_header(apr_socket_t *sock, request_rec *r,
+ apr_size_t buffsize,
+- apr_uri_t *uri);
++ apr_uri_t *uri,
++ const char *secret);
+
+ /**
+ * Read the ajp message and return the type of the message.
+diff -uap httpd-2.4.33/modules/proxy/mod_proxy_ajp.c.r1738878 httpd-2.4.33/modules/proxy/mod_proxy_ajp.c
+--- httpd-2.4.33/modules/proxy/mod_proxy_ajp.c.r1738878
++++ httpd-2.4.33/modules/proxy/mod_proxy_ajp.c
+@@ -193,6 +193,7 @@
+ apr_off_t content_length = 0;
+ int original_status = r->status;
+ const char *original_status_line = r->status_line;
++ const char *secret = NULL;
+
+ if (psf->io_buffer_size_set)
+ maxsize = psf->io_buffer_size;
+@@ -202,12 +203,15 @@
+ maxsize = AJP_MSG_BUFFER_SZ;
+ maxsize = APR_ALIGN(maxsize, 1024);
+
++ if (*conn->worker->s->secret)
++ secret = conn->worker->s->secret;
++
+ /*
+ * Send the AJP request to the remote server
+ */
+
+ /* send request headers */
+- status = ajp_send_header(conn->sock, r, maxsize, uri);
++ status = ajp_send_header(conn->sock, r, maxsize, uri, secret);
+ if (status != APR_SUCCESS) {
+ conn->close = 1;
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, status, r, APLOGNO(00868)
+diff -uap httpd-2.4.33/modules/proxy/mod_proxy.c.r1738878 httpd-2.4.33/modules/proxy/mod_proxy.c
+--- httpd-2.4.33/modules/proxy/mod_proxy.c.r1738878
++++ httpd-2.4.33/modules/proxy/mod_proxy.c
+@@ -318,6 +318,12 @@
+ (int)sizeof(worker->s->upgrade));
+ }
+ }
++ else if (!strcasecmp(key, "secret")) {
++ if (PROXY_STRNCPY(worker->s->secret, val) != APR_SUCCESS) {
++ return apr_psprintf(p, "Secret length must be < %d characters",
++ (int)sizeof(worker->s->secret));
++ }
++ }
+ else {
+ if (set_worker_hc_param_f) {
+ return set_worker_hc_param_f(p, s, worker, key, val, NULL);
+diff -uap httpd-2.4.33/modules/proxy/mod_proxy.h.r1738878 httpd-2.4.33/modules/proxy/mod_proxy.h
+--- httpd-2.4.33/modules/proxy/mod_proxy.h.r1738878
++++ httpd-2.4.33/modules/proxy/mod_proxy.h
+@@ -353,6 +353,7 @@
+ #define PROXY_WORKER_MAX_HOSTNAME_SIZE 64
+ #define PROXY_BALANCER_MAX_HOSTNAME_SIZE PROXY_WORKER_MAX_HOSTNAME_SIZE
+ #define PROXY_BALANCER_MAX_STICKY_SIZE 64
++#define PROXY_WORKER_MAX_SECRET_SIZE 64
+
+ #define PROXY_RFC1035_HOSTNAME_SIZE 256
+
+@@ -447,6 +448,7 @@
+ apr_interval_time_t interval;
+ char upgrade[PROXY_WORKER_MAX_SCHEME_SIZE];/* upgrade protocol used by mod_proxy_wstunnel */
+ char hostname_ex[PROXY_RFC1035_HOSTNAME_SIZE]; /* RFC1035 compliant version of the remote backend address */
++ char secret[PROXY_WORKER_MAX_SECRET_SIZE]; /* authentication secret (e.g. AJP13) */
+ } proxy_worker_shared;
+
+ #define ALIGNED_PROXY_WORKER_SHARED_SIZE (APR_ALIGN_DEFAULT(sizeof(proxy_worker_shared)))
diff --git a/httpd-2.4.33-sslciphdefault.patch b/httpd-2.4.33-sslciphdefault.patch
new file mode 100644
index 0000000..f2919b8
--- /dev/null
+++ b/httpd-2.4.33-sslciphdefault.patch
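Review bot: The new `secret` member in httpd-2.4.33-r1738878.patch is added to `proxy_worker_shared` in mod_proxy.h, so the AJP secret sits in clear text next to the other per-worker fields; where that struct is stored and who can read it is not visible in this patch. I would extend the field comment to `/* authentication secret (e.g. AJP13); never log or display */` so later status or management code does not echo it. Separately, the ajp.h hunk inserts `@param secret` above `@param uri` although the parameter is appended after `uri`; the line belongs below `@param uri`. In mod_proxy_ajp.c an empty `secret=` value is treated as no secret because of `if (*conn->worker->s->secret)`, which is worth stating in a comment at that test.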
@@ -0,0 +1,33 @@
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1109119
+
+Don't prepend !aNULL etc if PROFILE= is used with SSLCipherSuite.
+
+--- httpd-2.4.33/modules/ssl/ssl_engine_config.c.sslciphdefault
++++ httpd-2.4.33/modules/ssl/ssl_engine_config.c
+@@ -758,8 +758,10 @@
+ SSLSrvConfigRec *sc = mySrvConfig(cmd->server);
+ SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
+
+- /* always disable null and export ciphers */
+- arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
++ /* Disable null and export ciphers by default, except for PROFILE=
++ * configs where the parser doesn't cope. */
++ if (strncmp(arg, "PROFILE=", 8) != 0)
++ arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
+
+ if (cmd->path) {
+ dc->szCipherSuite = arg;
+@@ -1502,8 +1504,10 @@
+ {
+ SSLDirConfigRec *dc = (SSLDirConfigRec *)dcfg;
+
+- /* always disable null and export ciphers */
+- arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
++ /* Disable null and export ciphers by default, except for PROFILE=
++ * configs where the parser doesn't cope. */
++ if (strncmp(arg, "PROFILE=", 8) != 0)
++ arg = apr_pstrcat(cmd->pool, arg, ":!aNULL:!eNULL:!EXP", NULL);
+
+ dc->proxy->auth.cipher_suite = arg;
+
diff --git a/httpd-2.4.4-export.patch b/httpd-2.4.4-export.patch
deleted file mode 100644
index eb670c6..0000000
--- a/httpd-2.4.4-export.patch
+++ /dev/null
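Review bot: The `strncmp(arg, "PROFILE=", 8) != 0` test in httpd-2.4.33-sslciphdefault.patch skips the `:!aNULL:!eNULL:!EXP` suffix for any value that merely begins with `PROFILE=`, so for those configurations httpd itself no longer excludes null and export ciphers. The comment only says the parser doesn't cope; it should also name what keeps those ciphers out, e.g. `/* For PROFILE= the system crypto policy alone is responsible for excluding aNULL/eNULL/EXP. */`, assuming that is the intent. The same applies to the second inner hunk at `@@ -1502,8 +1504,10 @@`. Both `if` statements are unbraced, and adding braces would keep a later second statement from silently escaping the condition. The enclosing functions begin and end outside the patch context.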
@@ -1,20 +0,0 @@ - -There is no need to "suck in" the apr/apr-util symbols when using -a shared libapr{,util}, it just bloats the symbol table; so don't. - -Upstream-HEAD: needed -Upstream-2.0: omit -Upstream-Status: EXPORT_DIRS change is conditional on using shared apr - ---- httpd-2.4.4/server/Makefile.in.export -+++ httpd-2.4.4/server/Makefile.in -@@ -57,9 +57,6 @@ export_files: - ( for dir in $(EXPORT_DIRS); do \ - ls $$dir/*.h ; \ - done; \ -- for dir in $(EXPORT_DIRS_APR); do \ -- ls $$dir/ap[ru].h $$dir/ap[ru]_*.h 2>/dev/null; \ -- done; \ - ) | sed -e s,//,/,g | sort -u > $@ - - exports.c: export_files diff --git a/httpd.service.xml b/httpd.service.xml index b8fe7b3..8008b16 100644 --- a/httpd.service.xml +++ b/httpd.service.xml @@ -167,6 +167,20 @@ Wants=network-online.target + Automated service restarts + + System packages (including the httpd package itself) may + restart the httpd service automatically after packages are + upgraded, installed, or removed. This is done using the + systemctl reload httpd.service, which + produces a graceful restart by default as + described above. + + To suppress automatic reloads entirely, create the file + /etc/sysconfig/httpd-disable-posttrans. + + + Changing the default MPM (Multi-Processing Module) httpd offers a choice of multi-processing modules (MPMs), diff --git a/httpd.spec b/httpd.spec index 25f543b..0ba512a 100644 --- a/httpd.spec +++ b/httpd.spec @@ -12,8 +12,8 @@ Summary: Apache HTTP Server Name: httpd -Version: 2.4.29 -Release: 2%{?dist} +Version: 2.4.33 +Release: 1%{?dist} URL: https://httpd.apache.org/ Source0: https://www.apache.org/dist/httpd/httpd-%{version}.tar.bz2 Source1: index.html @@ -42,6 +42,7 @@ Source25: 01-session.conf Source26: 10-listen443.conf Source27: httpd.socket Source28: 00-optional.conf +Source29: 01-md.conf # Documentation Source30: README.confd Source31: README.confmod 
@@ -59,7 +60,7 @@ Patch6: httpd-2.4.3-apctl-systemd.patch # Needed for socket activation and mod_systemd patch Patch19: httpd-2.4.25-detect-systemd.patch # Features/functional changes -Patch23: httpd-2.4.4-export.patch +Patch23: httpd-2.4.33-export.patch Patch24: httpd-2.4.1-corelimit.patch Patch25: httpd-2.4.25-selinux.patch Patch26: httpd-2.4.4-r1337344+.patch @@ -68,15 +69,16 @@ Patch29: httpd-2.4.27-systemd.patch Patch30: httpd-2.4.4-cachehardmax.patch Patch31: httpd-2.4.18-sslmultiproxy.patch Patch34: httpd-2.4.17-socket-activation.patch -Patch35: httpd-2.4.17-sslciphdefault.patch +Patch35: httpd-2.4.33-sslciphdefault.patch # Bug fixes # https://bugzilla.redhat.com/show_bug.cgi?id=1397243 -Patch58: httpd-2.4.25-r1738878.patch +Patch58: httpd-2.4.33-r1738878.patch + +# Security fixes License: ASL 2.0 Group: System Environment/Daemons -BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root BuildRequires: autoconf, perl-interpreter, perl-generators, pkgconfig, findutils, xmlto BuildRequires: zlib-devel, libselinux-devel, lua-devel, brotli-devel BuildRequires: apr-devel >= 1.5.0, apr-util-devel >= 1.5.0, pcre-devel >= 5.0 
@@ -160,6 +162,19 @@ The mod_ssl module provides strong cryptography for the Apache Web server via the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols. +%package -n mod_md +Group: System Environment/Daemons +Summary: Certificate provisioning using ACME for the Apache HTTP Server +Requires: httpd = 0:%{version}-%{release}, httpd-mmn = %{mmnisa} +BuildRequires: jansson-devel, libcurl-devel + +%description -n mod_md +This module manages common properties of domains for one or more +virtual hosts. Specifically it can use the ACME protocol (RFC Draft) +to automate certificate provisioning. These will be configured for +managed domains and their virtual hosts automatically. This includes +renewal of certificates before they expire. + %package -n mod_proxy_html Group: System Environment/Daemons Summary: HTML and XML content filters for the Apache HTTP Server @@ -208,7 +223,7 @@ interface for storing and accessing per-user session data. %patch27 -p1 -b .icons %patch29 -p1 -b .systemd %patch30 -p1 -b .cachehardmax -%patch31 -p1 -b .sslmultiproxy +#patch31 -p1 -b .sslmultiproxy %patch34 -p1 -b .socketactivation %patch35 -p1 -b .sslciphdefault %patch58 -p1 -b .r1738878 @@ -313,7 +328,8 @@ install -m 644 $RPM_SOURCE_DIR/README.confmod \ $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.modules.d/README for f in 00-base.conf 00-mpm.conf 00-lua.conf 01-cgi.conf 00-dav.conf \ 00-proxy.conf 00-ssl.conf 01-ldap.conf 00-proxyhtml.conf \ - 01-ldap.conf 00-systemd.conf 01-session.conf 00-optional.conf; do + 01-ldap.conf 00-systemd.conf 01-session.conf 00-optional.conf \ + 01-md.conf; do install -m 644 -p $RPM_SOURCE_DIR/$f \ $RPM_BUILD_ROOT%{_sysconfdir}/httpd/conf.modules.d/$f done 
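Review bot: `#patch31 -p1 -b .sslmultiproxy` stops applying the sslmultiproxy patch, but the `Patch31:` declaration stays in the spec and the 2.4.33-1 changelog entry does not mention it, so whatever that patch provided disappears without a record. Either remove the `Patch31:` line as well, or keep both and add a reason next to the disabled line, e.g. `# Patch31 not applied since the 2.4.33 rebase: <reason>`, plus a matching changelog line. The reason itself is not visible in this diff.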
@@ -361,6 +377,7 @@ install -m 644 -p $RPM_SOURCE_DIR/httpd.tmpfiles \ # Other directories mkdir -p $RPM_BUILD_ROOT%{_localstatedir}/lib/dav \ + $RPM_BUILD_ROOT%{_localstatedir}/lib/httpd \ $RPM_BUILD_ROOT/run/httpd/htcacheclean # Substitute in defaults which are usually done (badly) by "make install" @@ -420,6 +437,7 @@ ln -s ../../pixmaps/poweredby.png \ # symlinks for /etc/httpd ln -s ../..%{_localstatedir}/log/httpd $RPM_BUILD_ROOT/etc/httpd/logs +ln -s ../..%{_localstatedir}/lib/httpd $RPM_BUILD_ROOT/etc/httpd/state ln -s /run/httpd $RPM_BUILD_ROOT/etc/httpd/run ln -s ../..%{_libdir}/httpd/modules $RPM_BUILD_ROOT/etc/httpd/modules @@ -539,9 +557,6 @@ done set -x exit $rv -%clean -rm -rf $RPM_BUILD_ROOT - %files %defattr(-,root,root) @@ -550,6 +565,7 @@ rm -rf $RPM_BUILD_ROOT %{_sysconfdir}/httpd/modules %{_sysconfdir}/httpd/logs +%{_sysconfdir}/httpd/state %{_sysconfdir}/httpd/run %dir %{_sysconfdir}/httpd/conf %config(noreplace) %{_sysconfdir}/httpd/conf/httpd.conf @@ -587,6 +603,7 @@ rm -rf $RPM_BUILD_ROOT %{_libdir}/httpd/modules/mod*.so %exclude %{_libdir}/httpd/modules/mod_auth_form.so %exclude %{_libdir}/httpd/modules/mod_ssl.so +%exclude %{_libdir}/httpd/modules/mod_md.so %exclude %{_libdir}/httpd/modules/mod_*ldap.so %exclude %{_libdir}/httpd/modules/mod_proxy_html.so %exclude %{_libdir}/httpd/modules/mod_xml2enc.so @@ -605,6 +622,7 @@ rm -rf $RPM_BUILD_ROOT %attr(0700,apache,apache) %dir /run/httpd/htcacheclean %attr(0700,root,root) %dir %{_localstatedir}/log/httpd %attr(0700,apache,apache) %dir %{_localstatedir}/lib/dav +%attr(0700,apache,apache) %dir %{_localstatedir}/lib/httpd %attr(0700,apache,apache) %dir %{_localstatedir}/cache/httpd %attr(0700,apache,apache) %dir %{_localstatedir}/cache/httpd/proxy 
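Review bot: `%attr(0700,apache,apache) %dir %{_localstatedir}/lib/httpd` in the `@@ -605,6 +622,7 @@` hunk hands the new state directory to the service account, whereas the log directory two lines above it is `%attr(0700,root,root)`. Through the new `state` symlink and the `state/md` default this appears to be where mod_md keeps its store, and the owner of a parent directory can rename or replace anything created beneath it. If the store is written by the privileged parent process (not visible here, please confirm), the parent directory could stay root-owned with only the subdirectories that need it given to apache. At minimum add a comment above the entry such as `# state dir used by mod_md; contents may include private keys`.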
@@ -669,6 +687,11 @@ rm -rf $RPM_BUILD_ROOT %{_libdir}/httpd/modules/mod_auth_form.so %config(noreplace) %{_sysconfdir}/httpd/conf.modules.d/01-session.conf +%files -n mod_md +%defattr(-,root,root) +%{_libdir}/httpd/modules/mod_md.so +%config(noreplace) %{_sysconfdir}/httpd/conf.modules.d/01-md.conf + %files devel %defattr(-,root,root) %{_includedir}/httpd @@ -680,6 +703,29 @@ rm -rf $RPM_BUILD_ROOT %{_rpmconfigdir}/macros.d/macros.httpd %changelog +* Wed Mar 28 2018 Joe Orton - 2.4.33-1 +- rebase to 2.4.33 (#1560174) +- add mod_md subpackage; load mod_proxy_uwsgi by default + +* Mon Mar 05 2018 Jitka Plesnikova - 2.4.29-8 +- Rebuilt with brotli 1.0.3 + +* Mon Feb 26 2018 Joe Orton - 2.4.29-7 +- simplify liblua detection in configure + +* Wed Feb 07 2018 Fedora Release Engineering - 2.4.29-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Sat Jan 27 2018 Joe Orton - 2.4.29-5 +- link mod_lua against -lcrypt (#1538992) + +* Fri Jan 26 2018 Paul Howarth - 2.4.29-4 +- Rebuild with updated flags to work around compiler issues on i686 + (#1538648, #1538693) + +* Sat Jan 20 2018 Björn Esser - 2.4.29-3 +- Rebuilt for switch to libxcrypt + * Thu Nov 23 2017 Joe Orton - 2.4.29-2 - build and load mod_brotli @@ -716,12 +762,8 @@ rm -rf $RPM_BUILD_ROOT - use sscg defaults; append CA cert to generated cert - document httpd-init.service in httpd-init.service(8) -* Thu Sep 21 2017 Jeroen van Meeuwen - 2.4.27-8 -- Address CVE-2017-9798 by applying patch from upstream (#1490344) - * Wed Sep 20 2017 Stephen Gallagher - 2.4.27-8.1 - Generate SSL certificates on service start, not %%posttrans -- Generate SSL certificates on service start, not %%posttrans * Tue Sep 19 2017 Joe Orton - 2.4.27-8 - move httpd.service.d, httpd.socket.d dirs to -filesystem diff --git a/sources b/sources index 6978287..e8c3a89 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@
-SHA512 (httpd-2.4.29.tar.bz2) = 840982fd3d21463bc5c1747f211dfacf3abdf634d149e49bb49fd2e5deda140de602dbdf31e1bbe5337a48f718ab2261c408e83a8dd39a9291ee7b6b7a85639a
+SHA512 (httpd-2.4.33.tar.bz2) = e74b2b3346d67be45a8bc8a7cbb8eabf5c403a5cfe5797a976f94a539529843fbcdf03b9ca0548816b2cf37f4ce0eb301f8d5af25b1270fdf8dd9f5bf0585269