Upgrading Apache httpd from 2.2 to 2.4: the process and the pitfalls along the way


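Background

  Our group recently ran a security scan that flagged HTTP vulnerabilities. They turned out to be in the httpd used by our Nagios monitoring, so I decided to upgrade httpd to the latest version. I hit a lot of pitfalls during the upgrade and it took 2 days to get everything working. This post walks through the errors encountered and how each one was resolved.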

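Environment

  Apache httpd version: Apache/2.2.15

  OS version: Red Hat Enterprise Linux Server release 6.6 (Santiago)

Upgrading httpd 2.2 to 2.4 (approach: install the latest version separately, then load the original configuration)

1. Download the latest httpd source package. The version used here: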

httpd-2.4.39.tar.gz

Download page: http://httpd.apache.org/download.cgi

2. Upload the package to the server (note: upload it as the root user)

3. Extract it and run the configure check

[root@hadoop1 softwares]# tar -zxf httpd-2.4.39.tar.gz 
[root@hadoop1 softwares]# cd httpd-2.4.39
[root@hadoop1 httpd-2.4.39]# ./configure --prefix=/usr/local/httpd-2.4.39

The following error is reported:

[root@hadoop1 httpd-2.4.39]# ./configure --prefix=/usr/local/httpd-2.4.39
checking for chosen layout... Apache
checking for working mkdir -p... yes
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking target system type... x86_64-pc-linux-gnu
configure: 
configure: Configuring Apache Portable Runtime library...
configure: 
checking for APR... configure: WARNING: APR version 1.4.0 or later is required, found 1.3.9
configure: WARNING: skipped APR at apr-1-config, version not acceptable
no
configure: error: APR not found.  Please read the documentation.

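The error shows that no acceptable APR is available (the system APR is 1.3.9, and 1.4.0 or later is required), so download the APR packages.

4. Download the APR source packages. Two are needed (the versions used in the next step): apr-1.7.0.tar.gz and apr-util-1.6.1.tar.gz

5. Extract apr and apr-util into the srclib directory of the extracted httpd source tree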

[root@hadoop1 httpd-2.4.39]# pwd
/opt/softwares/httpd-2.4.39
[root@hadoop1 httpd-2.4.39]# ls
ABOUT_APACHE     apache_probes.d  BuildBin.dsp    config.layout  configure.in  httpd.dsp   INSTALL         libhttpd.dsp  Makefile.win   os                ROADMAP  test
acinclude.m4     ap.d             buildconf       config.log     docs          httpd.mak   InstallBin.dsp  libhttpd.mak  modules        README            server   VERSIONING
Apache-apr2.dsw  build            CHANGES         config.nice    emacs-style   httpd.spec  LAYOUT          LICENSE       NOTICE         README.cmake      srclib
Apache.dsw       BuildAll.dsp     CMakeLists.txt  configure      httpd.dep     include     libhttpd.dep    Makefile.in   NWGNUmakefile  README.platforms  support
[root@hadoop1 httpd-2.4.39]# cd srclib/
[root@hadoop1 srclib]# ll
total 4
-rw-r--r-- 1 root dip 121 Feb 11  2005 Makefile.in

Extract apr and apr-util into that directory

[root@hadoop1 softwares]# tar -zxf apr-1.7.0.tar.gz -C ./httpd-2.4.39/srclib/
[root@hadoop1 softwares]# tar -zxf apr-util-1.6.1.tar.gz -C ./httpd-2.4.39/srclib/
[root@hadoop1 softwares]# cd httpd-2.4.39/srclib/
[root@hadoop1 srclib]# ls
apr-1.7.0  apr-util-1.6.1  Makefile.in
[root@hadoop1 srclib]# mv apr-1.7.0/ apr
[root@hadoop1 srclib]# mv apr-util-1.6.1/ apr-util
[root@hadoop1 srclib]# ls
apr  apr-util  Makefile.in

6. Re-run the httpd configure check

[root@hadoop1 httpd-2.4.39]# ./configure --prefix=/usr/local/httpd-2.4.39

The result:

... ... (output omitted)
configure: summary of build options:

    Server Version: 2.4.39
    Install prefix: /usr/local/httpd-2.4.39
    C compiler:     gcc -std=gnu99
    CFLAGS:          -g -O2 -pthread  
    CPPFLAGS:        -DLINUX -D_REENTRANT -D_GNU_SOURCE  
    LDFLAGS:           
    LIBS:             
    C preprocessor: gcc -E

This summary means the configure check passed.

7. Compile and install

make

The following error occurs here:

/apr-util/include -I/opt/softwares/httpd-2.4.39/srclib/apr-util/include/private  -I/opt/softwares/httpd-2.4.39/srclib/apr/include    -o xml/apr_xml.lo -c xml/apr_xml.c && touch xml/apr_xml.lo
xml/apr_xml.c:35:19: error: expat.h: No such file or directory
xml/apr_xml.c:66: error: expected specifier-qualifier-list before ‘XML_Parser’
xml/apr_xml.c: In function ‘cleanup_parser’:
xml/apr_xml.c:364: error: ‘apr_xml_parser’ has no member named ‘xp’
xml/apr_xml.c:365: error: ‘apr_xml_parser’ has no member named ‘xp’
xml/apr_xml.c: At top level:
xml/apr_xml.c:384: error: expected ‘;’, ‘,’ or ‘)’ before ‘*’ token
xml/apr_xml.c: In function ‘apr_xml_parser_create’:
xml/apr_xml.c:401: error: ‘apr_xml_parser’ has no member named ‘xp’
xml/apr_xml.c:402: error: ‘apr_xml_parser’ has no member named ‘xp’
xml/apr_xml.c:410: error: ‘apr_xml_parser’ has no member named ‘xp’
xml/apr_xml.c:411: error: ‘apr_xml_parser’ has no member named ‘xp’
xml/apr_xml.c:412: error: ‘apr_xml_parser’ has no member named ‘xp’
xml/apr_xml.c:424: error: ‘apr_xml_parser’ has no member named ‘xp’
xml/apr_xml.c:424: error: ‘default_handler’ undeclared (first use in this function)
xml/apr_xml.c:424: error: (Each undeclared identifier is reported only once
xml/apr_xml.c:424: error: for each function it appears in.)
xml/apr_xml.c: In function ‘do_parse’:
xml/apr_xml.c:434: error: ‘apr_xml_parser’ has no member named ‘xp’
xml/apr_xml.c:438: error: ‘apr_xml_parser’ has no member named ‘xp’
xml/apr_xml.c:442: error: ‘apr_xml_parser’ has no member named ‘xp_err’
xml/apr_xml.c:442: error: ‘apr_xml_parser’ has no member named ‘xp’
xml/apr_xml.c: In function ‘apr_xml_parser_geterror’:
xml/apr_xml.c:500: error: ‘apr_xml_parser’ has no member named ‘xp_err’
xml/apr_xml.c:500: error: ‘apr_xml_parser’ has no member named ‘xp_err’
make[3]: *** [xml/apr_xml.lo] Error 1
make[3]: Leaving directory `/opt/softwares/httpd-2.4.39/srclib/apr-util'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/opt/softwares/httpd-2.4.39/srclib/apr-util'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/opt/softwares/httpd-2.4.39/srclib'
make: *** [all-recursive] Error 1

Fix: install the expat-devel package

[root@hadoop1 httpd-2.4.39]# yum install expat-devel
Loaded plugins: product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package expat-devel.x86_64 0:2.0.1-13.el6_8 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===============================================================================================================================================================================================
 Package                                         Arch                                       Version                                             Repository                                Size
===============================================================================================================================================================================================
Installing:
 expat-devel                                     x86_64                                     2.0.1-13.el6_8                                      base                                     119 k

Transaction Summary
===============================================================================================================================================================================================
Install       1 Package(s)

Total download size: 119 k
Installed size: 476 k
Is this ok [y/N]: y
Downloading Packages:
expat-devel-2.0.1-13.el6_8.x86_64.rpm                                                                                                                                   | 119 kB     00:00     
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
  Installing : expat-devel-2.0.1-13.el6_8.x86_64                                                                                                                                           1/1
  Verifying  : expat-devel-2.0.1-13.el6_8.x86_64                                                                                                                                           1/1

Installed:
  expat-devel.x86_64 0:2.0.1-13.el6_8                                                                                                                                                          

Complete!


Compile again; the following output indicates that the build succeeded

... ... (output omitted)
mod_rewrite.lo 
make[4]: Leaving directory `/opt/softwares/httpd-2.4.39/modules/mappers'
make[3]: Leaving directory `/opt/softwares/httpd-2.4.39/modules/mappers'
make[2]: Leaving directory `/opt/softwares/httpd-2.4.39/modules'
make[2]: Entering directory `/opt/softwares/httpd-2.4.39/support'
make[2]: Leaving directory `/opt/softwares/httpd-2.4.39/support'

make[1]: Leaving directory `/opt/softwares/httpd-2.4.39'

Run the install

[root@hadoop1 httpd-2.4.39]# make install

8. Create the configuration directory conf.d and copy the original httpd configuration file into the new version's configuration directory

[root@hadoop1 httpd-2.4.39]# cd /usr/local/httpd-2.4.39/
[root@hadoop1 httpd-2.4.39]# mkdir conf.d
[root@hadoop1 httpd-2.4.39]# ls -l
total 64
drwxr-xr-x  2 root root  4096 Jul  3 10:26 bin
drwxr-xr-x  2 root root  4096 Jul  3 10:26 build
drwxr-xr-x  2 root root  4096 Jul  3 10:26 cgi-bin
drwxr-xr-x  4 root root  4096 Jul  3 10:26 conf
drwxr-xr-x  2 root root  4096 Jul  3 10:27 conf.d
drwxr-xr-x  3 root root  4096 Jul  3 10:26 error
drwxr-sr-x  2 root root  4096 Mar 27 23:05 htdocs
drwxr-xr-x  3 root root  4096 Jul  3 10:26 icons
drwxr-xr-x  2 root root  4096 Jul  3 10:26 include
drwxr-xr-x  3 root root  4096 Jul  3 10:26 lib
drwxr-xr-x  2 root root  4096 Jul  3 10:26 logs
drwxr-xr-x  4 root root  4096 Jul  3 10:26 man
drwxr-sr-x 14 root root 12288 Mar 27 23:05 manual
drwxr-xr-x  2 root root  4096 Jul  3 10:26 modules

[root@hadoop1 httpd-2.4.39]# cd conf
[root@hadoop1 conf]# cp httpd.conf httpd.conf.bak
[root@hadoop1 conf]# cd ../conf.d/
[root@hadoop1 conf.d]# cp /etc/httpd/conf.d/nagios.conf .

9. Stop the original httpd service and start the new one

[root@hadoop1 httpd-2.4.39]# service httpd stop
Stopping httpd:                                            [  OK  ]
[root@hadoop1 httpd-2.4.39]# bin/apachectl -f conf/httpd.conf
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.30.10. Set the 'ServerName' directive globally to suppress this message

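10. Access the new service through the web page

The page cannot be accessed; the following error appears:

The nagios path does not exist at all, which means the configuration file was not loaded. Checking httpd.conf shows that there is no Include for it, so add the following: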

include conf.d/*.conf

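Restart the service and refresh the page; it now reports that access is not permitted, as follows:

Check the log; it reports the following error:

The message indicates that no directory index could be generated, but the directory contains PHP files, so something should have been displayed.

Check whether the PHP module is loaded in httpd; it is not: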

[root@hadoop1 httpd-2.4.39]# bin/apachectl -t -D DUMP_MODULES | grep php
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.30.10. Set the 'ServerName' directive globally to suppress this message

Looking for a solution, it turns out that PHP has to be compiled separately and the module then configured in httpd

--1. Upload the PHP package

[root@hadoop1 softwares]# ls -l php-7.3.6.tar.gz 
-rw-r--r-- 1 root root 19449322 Jul  1 14:09 php-7.3.6.tar.gz

--2. Extract, run configure, and compile

[root@hadoop1 softwares]# tar -zxf php-7.3.6.tar.gz 
[root@hadoop1 softwares]# cd php-7.3.6
[root@hadoop1 php-7.3.6]# ./configure --prefix=/usr/local/php7 --with-apxs2=/usr/local/httpd-2.4.39/bin/apxs

The following error is reported:

Configuring extensions
checking for strings.h... (cached) yes
checking io.h usability... no
checking io.h presence... no
checking for io.h... no
checking for strtoll... yes
checking for atoll... yes
checking whether to enable LIBXML support... yes
checking libxml2 install dir... no
checking for xml2-config path... 
checking for pkg-config... /usr/bin/pkg-config
configure: error: libxml2 not found. Please check your libxml2 installation.

Install the libxml2 packages

[root@hadoop1 php-7.3.6]# yum install -y libxml2 libxml2-devel

Run configure again; the check passes

Run the build

[root@hadoop1 php-7.3.6]# make && make install

After the build, the PHP module file is generated in httpd's modules directory

[root@hadoop1 modules]# ls -l libphp7.so 
-rwxr-xr-x 1 root root 35060633 Jul  3 11:42 libphp7.so

--3. Add the PHP module to the httpd configuration

LoadModule php7_module        modules/libphp7.so

Check whether the module is loaded

[root@hadoop1 httpd-2.4.39]# bin/apachectl -t -D DUMP_MODULES | grep php
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.30.10. Set the 'ServerName' directive globally to suppress this message
 php7_module (shared)

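The output shows that it is loaded. During testing I found that php's make install automatically adds the module entry to httpd.conf, so it is loaded dynamically.

Access the page again

It is still inaccessible, with the same error.

Continue editing httpd.conf to add PHP support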

AddType application/x-httpd-php .php

<IfModule dir_module>
    DirectoryIndex index.html index.php index.htm
</IfModule>

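Restart the httpd service and access the page again

The home page is now accessible, but clicking through to other pages downloads the CGI file instead of executing it

Check whether a CGI module is loaded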

[root@hadoop1 httpd-2.4.39]# bin/apachectl -t -D DUMP_MODULES | grep cgi
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.30.10. Set the 'ServerName' directive globally to suppress this message

No such module is loaded; continue editing the httpd configuration file to enable CGI module support

LoadModule cgid_module modules/mod_cgid.so

After uncommenting the line, check again: the module is listed as loaded, without a restart

[root@hadoop1 httpd-2.4.39]# bin/apachectl -t -D DUMP_MODULES | grep cgi
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.30.10. Set the 'ServerName' directive globally to suppress this message
 cgid_module (shared)

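Verification showed that a restart is still needed for the change to take effect (the check above only parses the configuration file, not the running server). Access the page again

It works and the pages are accessible. The upgrade is complete.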
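
The settings that had to be added by hand in steps 10 onward can be checked before starting the new server. The following is an added example, not part of the original post: a static check of an httpd.conf for those settings. The function names and the sample configuration are constructed for illustration, and it assumes a threaded MPM with mod_cgid, as used above.

```shell
#!/bin/sh
# Added example: static pre-flight check for the httpd.conf settings this
# walkthrough had to add by hand. It only reads the file; httpd is not run.

# check_httpd_conf FILE
# Prints "MISSING: <setting>" for each setting absent from the active
# (non-comment) lines of FILE. Returns 0 if nothing is missing, else 1.
check_httpd_conf() {
    conf=$1
    rc=0
    # Each row below is "label|extended regex". Directive names are
    # case-insensitive in httpd, hence grep -i.
    while IFS='|' read -r label regex; do
        if ! grep -Ev '^[[:space:]]*#' "$conf" | grep -Eiq "$regex"; then
            echo "MISSING: $label"
            rc=1
        fi
    done <<'EOF'
Include conf.d/*.conf|^[[:space:]]*Include(Optional)?[[:space:]]+conf\.d/\*\.conf
LoadModule php7_module|^[[:space:]]*LoadModule[[:space:]]+php7_module[[:space:]]
LoadModule cgid_module|^[[:space:]]*LoadModule[[:space:]]+cgid_module[[:space:]]
AddType application/x-httpd-php .php|^[[:space:]]*AddType[[:space:]]+application/x-httpd-php[[:space:]].*\.php
DirectoryIndex with index.php|^[[:space:]]*DirectoryIndex[[:space:]].*index\.php
EOF
    return "$rc"
}

# Constructed sample: a freshly installed httpd.conf before any of the edits
# made in this walkthrough (mod_cgid commented out, no Include, no PHP).
sample_fresh_conf() {
    cat <<'EOF'
ServerRoot "/usr/local/httpd-2.4.39"
Listen 80
LoadModule dir_module modules/mod_dir.so
#LoadModule cgid_module modules/mod_cgid.so
<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>
EOF
}

# Demo: write the sample to a temp file and report what is still missing.
tmp=$(mktemp)
sample_fresh_conf > "$tmp"
check_httpd_conf "$tmp" || true
rm -f "$tmp"
```

On a real install, point it at conf/httpd.conf under the install prefix; an empty result means all five settings are active.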

 

Additionally, if you run into the following error during the upgrade

[Mon Jul 01 12:27:38.516704 2019] [core:error] [pid 7454:tid 139726203901696] (13)Permission denied: [client 10.253.7.100:59831] AH00035: access to /nagios/ denied (filesystem path '/mnt/aiprd/app') because search permissions are missing on a component of the path
[Mon Jul 01 12:27:45.786697 2019] [core:error] [pid 7454:tid 139726172432128] (13)Permission denied: [client 10.191.36.37:33553] AH00035: access to / denied (filesystem path '/mnt/aiprd/app') because search permissions are missing on a component of the path

Fix:

Change the CGI socket file path by setting it explicitly:

ScriptSock /var/run/cgid.sock

Reason: this mainly comes down to security; 2.4 takes security into account in many more places. For related issues, see the httpd security tips:

          Security Tips - Apache HTTP Server Version 2.4
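
The AH00035 message quoted above says that some directory on the way to '/mnt/aiprd/app' lacks search (execute) permission for the httpd user. The following is an added example, not part of the original post, that lists such directories. It assumes the httpd user is neither the owner nor in the group of those directories, so the "other" permission bits decide, and it does not look at ACLs or SELinux.

```shell
#!/bin/sh
# Added example: find the directories on a path that "other" users cannot
# search, which is the condition reported by AH00035.

# unsearchable_components ABSOLUTE_PATH
# Prints "<dir> (<mode string>)" for every directory from the target up to /
# that has no execute bit for "other", deepest first.
# Returns 0 if none, 1 if at least one is found, 2 on bad input.
unsearchable_components() {
    p=$1
    rc=0
    case $p in
        /*) ;;
        *) echo "need an absolute path: $p" >&2; return 2 ;;
    esac
    [ -e "$p" ] || { echo "no such path: $p" >&2; return 2; }
    # For a file, only its parent directories need the search bit.
    [ -d "$p" ] || p=$(dirname "$p")
    while :; do
        # First 10 characters of ls -ld, e.g. drwxr-x---; the 10th is the
        # "other" execute slot: x or t means searchable.
        perms=$(ls -ld "$p" | cut -c1-10)
        case $perms in
            *x|*t) ;;
            *) echo "$p ($perms)"; rc=1 ;;
        esac
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return "$rc"
}

# Demo on a constructed tree that mirrors the path in the log line above.
demo=$(mktemp -d)
chmod 755 "$demo"
mkdir -p "$demo/mnt/aiprd/app"
chmod 750 "$demo/mnt/aiprd"      # group-only directory blocks "other"
unsearchable_components "$demo/mnt/aiprd/app" || true
rm -rf "$demo"
```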

 

Document created: 2019-07-03 12:40:52

