compile-upgrade-apache-to-2-4-52-version-to-fix-the-dos-vulnerability-in
I needed to configure a proxy for yum,
so I am making a short note of it here.
The setting lives in /etc/yum.conf
#vim /etc/yum.conf
Add one line and it works.
proxy=http://[proxyServer Link/IP]:port
For other commands, see this article:
https://linux.incomeself.com/yum%E5%AF%A6%E7%94%A8%E5%91%BD%E4%BB%A4%E7%B8%BD%E6%95%B4%E7%90%86/
Forcing wget to use a proxy:
wget -e use_proxy=yes -e http_proxy=http://sproxy.cht.com.tw:8080 url
Original apachectl -V
The fix for this vulnerability basically follows the article below, but the compile options are different.
https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/upgrade-apache-to-2-4-52-version-to-fix-the-dos-vulnerability-in/m-p/436226
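Solution: install the latest version of Apache. The current official release is 2.4.52, and neither yum nor rpm packages provide it, so you have to compile it yourself. There are four main packages to download: apr, apr-util and expat, together with the Apache httpd source.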
https://dlcdn.apache.org//apr/apr-1.7.0.tar.gz
https://dlcdn.apache.org//apr/apr-util-1.6.1.tar.gz
https://dlcdn.apache.org//httpd/httpd-2.4.52.tar.gz
https://github.com/libexpat/libexpat/releases/download/R_2_2_9/expat-2.2.9.tar.bz2
After downloading the four packages above, extract and compile them:
tar zxvf apr-1.7.0.tar.gz
tar zxvf apr-util-1.6.1.tar.gz
tar zxvf httpd-2.4.52.tar.gz
mkdir /opt/apache_files;tar xvjf expat-2.2.9.tar.bz2 -C /opt/apache_files
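apr and apr-util can only be placed under /usr/local; otherwise the build fails with error messages, even if the paths are set in configure.
At the end of configure, one command reports that it cannot find something to delete. It does not seem to affect the build, so I ignore it.
mv apr-1.7.0 /usr/local/apr
mv apr-util-1.6.1 /usr/local/apr-util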
yum -y install pcre-devel gcc
cd /usr/local/apr
./configure --prefix=/usr/local/apr
make clean
make
make install
# /bin/install -c -m 755 apr-config.out /usr/local/apr/bin/apr-1-config
cd /opt/apache_files/expat-2.2.9
./configure --prefix=/opt/apache_files/
make
make install
cd /usr/local/apr-util
./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr --with-expat=/opt/apache_files
make clean
make
make install
cd ~/apache/httpd-2.4.52/
./configure --with-included-apr --prefix=/etc/httpd --with-expat=/opt/apache_files
# Select the MPM module which should be used by uncommenting exactly
# one of the following LoadModule lines:
# prefork MPM: Implements a non-threaded, pre-forking web server
# See: http://httpd.apache.org/docs/2.4/mod/prefork.html
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
# worker MPM: Multi-Processing Module implementing a hybrid
# multi-threaded multi-process web server
# See: http://httpd.apache.org/docs/2.4/mod/worker.html
#
#LoadModule mpm_worker_module modules/mod_mpm_worker.so
# event MPM: A variant of the worker MPM with the goal of consuming
# threads only for connections with active processing
# See: http://httpd.apache.org/docs/2.4/mod/event.html
#
#LoadModule mpm_event_module modules/mod_mpm_event.so
cd /root/apache/httpd-2.4.52/srclib
cp -R /usr/local/apr .
cp -R /usr/local/apr-util/ .
cd ~/apache/httpd-2.4.52/
./configure --with-included-apr --prefix=/etc/httpd --with-expat=/opt/apache_files --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util --with-pcre=/usr/bin/pcre-config --enable-modules=most --enable-mods-shared=all --with-mpm=prefork
make clean
make
make install
When built this way, systemctl restart httpd cannot be used to restart the server; several modules are reported as unsupported.
% systemctl restart httpd
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
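Sometimes the first method works and sometimes the second; I am not sure why, but both compile. The build options used on another system are given here for reference: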
./configure --prefix=/etc/httpd --enable-rewrite=shared --enable-speling=shared --enable-proxy=shared --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util --with-pcre=/usr/bin/pcre-config
Restart the service. If, after logging in to PR, a message says the PR system is not fully configured, ps_ctl.sh has not been run.
systemctl stop httpd
cd /opt/aps/bin
./ps_ctl.sh stop
./ps_ctl.sh start
/etc/httpd/bin/apachectl restart
or
/etc/httpd/bin/httpd -k restart
or
systemctl restart httpd
/etc/httpd/bin/apachectl -V
Server version: Apache/2.4.52 (Unix)
Server built: Jan 27 2022 11:07:42
Server's Module Magic Number: 20120211:121
Server loaded: APR 1.7.0, APR-UTIL 1.6.1
Compiled using: APR 1.7.0, APR-UTIL 1.6.1
Architecture: 64-bit
Server MPM: event
threaded: yes (fixed thread count)
forked: yes (variable process count)
Server compiled with....
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_PROC_PTHREAD_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=256
-D HTTPD_ROOT="/etc/httpd"
-D SUEXEC_BIN="/etc/httpd/bin/suexec"
-D DEFAULT_PIDLOG="logs/httpd.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="conf/mime.types"
-D SERVER_CONFIG_FILE="conf/httpd.conf"
[root@pr1 httpd-2.4.52]# /etc/httpd/bin/apachectl -v
Server version: Apache/2.4.52 (Unix)
Server built: Jan 27 2022 10:47:25
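A post-upgrade check over the apachectl -V report, as an added example that is not part of the original post: it confirms the running build is at least 2.4.52 and that the MPM matches the one requested at configure time. MIN_VERSION, the function names and the SAMPLE_* reports are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): post-upgrade check of `apachectl -V`.
# MIN_VERSION, the function names and SAMPLE_* are assumptions of this example.
MIN_VERSION="2.4.52"

# Constructed samples: AFTER copies three lines of the report shown in the post,
# BEFORE is an invented older build used only to exercise the failure path.
SAMPLE_AFTER='Server version: Apache/2.4.52 (Unix)
Server built: Jan 27 2022 11:07:42
Server MPM: event'
SAMPLE_BEFORE='Server version: Apache/2.4.6 (CentOS)
Server MPM: prefork'

# Read a -V report on stdin; print the dotted version / the MPM name.
httpd_version() { sed -n 's|^Server version: *Apache/\([0-9][0-9.]*\).*|\1|p' | head -n 1; }
httpd_mpm()     { sed -n 's|^Server MPM: *\([a-z]*\).*|\1|p' | head -n 1; }

# Succeed when dotted version $1 >= $2, comparing field by field as numbers
# (a plain string compare would rank 2.4.6 above 2.4.52).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if ((x[i] + 0) > (y[i] + 0)) exit 0
            if ((x[i] + 0) < (y[i] + 0)) exit 1
        }
        exit 0
    }'
}

# check_report REPORT WANT_MPM: 0 = all good, 1 = a check failed, 2 = unparseable.
check_report() {
    report=$1; want_mpm=$2; rc=0
    ver=$(printf '%s\n' "$report" | httpd_version)
    mpm=$(printf '%s\n' "$report" | httpd_mpm)
    [ -n "$ver" ] || { echo "FAIL: no 'Server version' line"; return 2; }
    if version_ge "$ver" "$MIN_VERSION"; then
        echo "OK: version $ver >= $MIN_VERSION"
    else
        echo "FAIL: version $ver is older than $MIN_VERSION"; rc=1
    fi
    if [ "$mpm" = "$want_mpm" ]; then
        echo "OK: MPM $mpm"
    else
        echo "FAIL: MPM is '$mpm', expected '$want_mpm'"; rc=1
    fi
    return $rc
}

# Live use would be: check_report "$(/etc/httpd/bin/apachectl -V)" prefork
check_report "$SAMPLE_AFTER" event
```

Run it against the full path of the newly built apachectl so that an older binary still on PATH is not the one being checked.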
https://dotblogs.com.tw/grayyin/2020/03/15/115350