While working on getting PHP unmasked, I had to upgrade to the new apache of course. It was quite a bit of work, and I made a list of the troubles related to the new configuration file.

1. LockFile and ScoreBoardFile should be somewhere more likely to be mounted as read-write. / and /usr are mounted read-only on some systems.
   #LockFile "/etc/apache2/apache2.lock"
   #ScoreBoardFile /etc/apache2/apache_runtime_status
   These should be in /var.
2. All mod_access stuff should be wrapped with the IfModule statement.
   Order allow,deny
   Allow from all
3. DirectoryIndex should be wrapped with IfModule. What was the consensus on the syntax to add stuff to DirectoryIndex in the modules.d configs? This breaks a lot of PHP packages, as they have an index.php file and expect that to be loaded automatically.
4. (Low priority) Re-add the log config lines for
   LogFormat "%{User-agent}i" agent
   LogFormat "%v %h %l %u %t \"%r\" %>s %b %T" script
   LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" VLOG=%{VLOG}e" vhost
5. IfModule for "LogFormat ... combinedio"
6. IfModule for Alias stuff
7. (Low priority) Provide /usr/share/doc!
8. Expansion failure in configuration file:
   @rel_runtimedir@
   @exp_cgidir@
   @exp_errordir@
   @rel_logfiledir@
9. (Low priority) IndexOptions NameWidth=*
10. IndexIgnore of README* hides too many files, as lots of files on gentoo are installed as README.foobar
11. AddLanguage/AddEncoding need IfModule mod_mime
12. LanguagePriority/ForceLanguagePriority needs IfModule mod_negotiation
13. "AddHandler cgi-script .cgi" should be re-enabled by default, or at least have a -D option in conf.d/apache2. Perhaps in the conf.d, all of the config options offered by Apache should be documented.
14. As #12, but for SHTML.
15. As #12, but for imap-file
16. (Low priority) Provide the manual!
   <Location /manual>
       Options Multiviews
       ErrorDocument 404 "The document you requested has not been installed on your system."
   </Location>
17. IfModule for /server-status and /server-info
18. For /server-status and /server-info, there should be mod_access limitations. All from localhost by default, for lynx access.
19. IfModule around ExtendedStatus
20. No security on /protected-cgi-bin. Should be limited to localhost.
21. "NameVirtualHost *:80" should be "NameVirtualHost *", as users may specifically be offering on high-number ports to get around ISPs that block incoming traffic to port 80.
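A configuration fragment, added here as an illustration and not taken from the Gentoo ebuild or from any comment in this bug, showing what items 1, 2, 3, 17, 18 and 19 look like when applied together. Module file names are those of Apache 2.0 (mod_access.c; Apache 2.2 renamed it mod_authz_host.c and 2.4 replaced Order/Allow/Deny with Require). The paths under /var/run and /var/www and the hostname-free Location blocks are assumptions for the example.

```apache
# Added example: Apache 2.0-style httpd.conf fragment, not the shipped Gentoo file.

# Item 1: runtime files belong on a filesystem mounted read-write, not under /etc.
# (Paths are assumed; the point is the /var location, not the exact names.)
LockFile /var/run/apache2.lock
ScoreBoardFile /var/run/apache_runtime_status

# Item 2: Order/Allow/Deny only parse when mod_access is loaded, so guard them.
<Directory "/var/www/localhost/htdocs">
    Options Indexes FollowSymLinks
    AllowOverride None
    <IfModule mod_access.c>
        Order allow,deny
        Allow from all
    </IfModule>
</Directory>

# Item 3: DirectoryIndex is a mod_dir directive. A package such as a PHP
# application that needs index.php served automatically adds it here or in
# its own modules.d snippet.
<IfModule mod_dir.c>
    DirectoryIndex index.html index.php
</IfModule>

# Items 17 to 19: the status and info handlers exist only when their modules
# are loaded, and are then reachable only from the local machine, e.g.
# "lynx http://localhost/server-status".
<IfModule mod_status.c>
    ExtendedStatus On
    <Location /server-status>
        SetHandler server-status
        <IfModule mod_access.c>
            Order deny,allow
            Deny from all
            Allow from 127.0.0.1
        </IfModule>
    </Location>
</IfModule>

<IfModule mod_info.c>
    <Location /server-info>
        SetHandler server-info
        <IfModule mod_access.c>
            Order deny,allow
            Deny from all
            Allow from 127.0.0.1
        </IfModule>
    </Location>
</IfModule>
```

One caveat worth keeping in mind with the IfModule wrapping asked for in items 2 and 18: if mod_access is not loaded, the inner IfModule blocks are skipped silently and /server-status and /server-info become reachable from anywhere, since the Deny lines vanish along with the guard. Leaving the Deny/Allow lines unguarded makes httpd refuse to start instead, which fails closed. Either way, `apache2ctl configtest` (upstream: `apachectl configtest`) after editing reports both unknown directives and the module-missing case.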
2: Are you not loading mod_access? I think that most users will want it enabled; it is considered a standard module. If you want to disable a standard module, you will need to change many things.
3, 6, 11, 12: mod_autoindex, mod_alias, mod_mime and mod_negotiation are Standard Modules, see #2.
13, 14, 15: Enabling dynamic content generation by default is bad. That is how you get remote exploits and worms. Adding conf.d wrappers for each would be acceptable, but turning them on by default is not.
16: The manual should be configured like any other webapp.
21: If you change the Listen directive, you will need to change the Virtual Host configuration.
For the others, I am either agnostic or agree.
2, 3(a), 6, 11, 12: If a certain set of modules is always expected to be there, could you instead add a comment along the lines of:
   # The following modules are considered as the default configuration.
   # If you wish to disable one of them, you may have to alter other
   # configuration directives.
3(b): What about the second part here? I consider this a definite backwards step.
13, 14, 15: I'm fine with conf.d wrappers (and a little documentation snippet in conf.d/apache{,2}).
16: OK, no qualms with that. I also didn't see the 00_apache_manual.conf file, which makes more sense.
21: If NameVirtualHost is '*', and the VirtualHost definitions are '*' instead of '*:80', then only the Listen directive needs to be changed for everything to work. Additionally, '*:80' cannot be mixed with '*', as you get this error: "VirtualHost *:80 -- mixing * ports and non-* ports with a NameVirtualHost address is not supported, proceeding with undefined results".
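An added example, not from the bug or the ebuild, of the port-independent arrangement the previous comment describes for item 21: the address part of NameVirtualHost and of every VirtualHost is the bare wildcard, so moving the server to a high port is a one-line change to Listen. The hostnames, document roots and the port 8080 are assumptions.

```apache
# Added example. Listen is the only line that changes when moving off port 80,
# e.g. to 8080 when an ISP blocks inbound port 80.
Listen 8080

# Bare wildcard, no port: matches whatever Listen is set to.
NameVirtualHost *

<VirtualHost *>
    ServerName www.example.org
    DocumentRoot /var/www/example.org/htdocs
</VirtualHost>

<VirtualHost *>
    ServerName wiki.example.org
    DocumentRoot /var/www/wiki.example.org/htdocs
</VirtualHost>

# Do NOT add a <VirtualHost *:80> next to the above. With "NameVirtualHost *"
# Apache logs "mixing * ports and non-* ports with a NameVirtualHost address
# is not supported, proceeding with undefined results", and name matching for
# that host is undefined. An SSL host, which needs "*:443" or an explicit IP
# address rather than the bare wildcard, is where this scheme stops working;
# that is the side effect the maintainers cite when declining item 21.
```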
1 - agreed
2 and 3 are addressed in bug 50611
5 (maybe?), 6, 11, 12 are implied by the same - apache should fail if those modules aren't loaded. A comment stating as much is a good idea though.
4 - agreed
7 - please be more specific... checking my CONTENTS file there is quite a lot of stuff in /usr/share/doc...
13, 14, 15, 17 - maybe. We'll have to discuss it, though it will probably be no, as the more IfDefine lines we add, the further we move away from the upstream default.
16 - I believe this is already done... see if /etc/apache2/modules.d/00_apache_manual.conf exists.
18, 19 - I agree... a working config by default is good... even if the working config is commented out (and for sure if #17 is implemented)
20 - this should probably be removed completely... I don't see the point to it...
21 - This was discussed somewhere (a bug maybe?) and it was found that there were unwanted side effects of this (don't remember them off the top of my head).
re: 7. The previous apache had support to serve up /usr/share/doc, which made it really handy to browse documentation on a machine.
Final decisions on these:
1, 4, 8: Fixed in SVN
2, 6, 11, 12: Won't fix. If a user breaks their apache by removing core modules, then they get to deal with it. We can't protect every user from themselves, and won't add a ton of cruft to do so. (I did however change the comments just above there to reflect your suggestions.)
3: Fixed with the AddDirectoryIndex and RemoveDirectoryIndex patch that we added. IIRC mod_php now uses this correctly.
5: The format is commented out and has instructions about the needed module. Won't fix.
7, 9, 10, 13, 14, 15: It's easy enough that any user who wants that available can add it.
16, 17, 18: Fixed long ago
19: Fixed in SVN
20: Removed from configuration (no point to it)
21: Won't fix due to side effects with SSL (which requires *:443 or a specific IP address)