Heads Up: Apache Removed from Base

Contributed by jj on from the puffy-vs-geronimo dept.

In a series of commits, Florian Obser (florian@) has unhooked Apache from the OpenBSD base build. This means you need to pay special attention when upgrading your systems:

/usr/sbin/httpd and the associated tools and files have been removed. Consider using nginx(8) for your http serving needs, but note that nginx is not a drop-in replacement. For people who need the old httpd(8) and cannot switch at this time, see the port www/apache-httpd-openbsd.

Packages are not yet available due to release engineering, but will follow. The following files and directories need to be removed:

    rm -r /usr/lib/apache
    rm -r /usr/share/doc/html/httpd
    rm /usr/bin/{dbmmanage,htdigest,htpasswd}
    rm /usr/sbin/{apachectl,apxs,httpd,logresolve,rotatelogs,suexec}
    rm /usr/share/man/man1/{dbmmanage.1,htdigest.1,htpasswd.1}
    rm /usr/share/man/man8/{apachectl.8,apxs.8,httpd.8,logresolve.8}
    rm /usr/share/man/man8/{rotatelogs.8,suexec.8}
    rm /etc/rc.d/httpd

The following files are associated with httpd(8) and can be deleted in some cases, but may have been replaced with user content or configuration. Warning: On systems which currently or have previously used any http daemon, care must be taken and files analyzed case by case to avoid accidental deletion of user content or important configuration files. In particular, users moving to apache-httpd-openbsd will want to keep many of these files.

    # rm -r /var/www/icons
    # rmdir /var/www/conf/{modules,modules.sample}
    # rmdir /var/www/users
    # rm /var/www/cgi-bin/{printenv,test-cgi}
    # rm /var/www/conf/{httpd.conf,magic,mime.types}
    # rm /var/www/htdocs/{apache_pb.gif,blowfish.jpg,bsd_small.gif,index.html}
    # rm /var/www/htdocs/{lock.gif,logo23.jpg,logo24.jpg,mod_ssl_sb.gif}
    # rm /var/www/htdocs/{openbsd_pb.gif,openbsdpower.gif,openssl_ics.gif}
    # rm /var/www/htdocs/smalltitle.gif

Emphasis in the original, so make sure you've run through what you need to do, take backups, sweat it out for a minute before hitting the enter key, make one final tarball of your data just in case, and then carefully go through the upgrade.

What, that's not your checklist?
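
One way to do the case-by-case analysis the warning asks for, as an added example (not from the upgrade guide or the OpenBSD project): compare each listed file with a pristine copy before deleting anything. The reference directory, the function name audit_httpd_leftovers and the state labels are assumptions of this example.

```shell
#!/bin/sh
# Added example: classify the "may contain user content" paths before deleting.
# ROOT is the tree to inspect (normally /). REF is an assumed pristine copy of
# the old httpd files, e.g. unpacked from the previous release's install sets.
# /var/www/icons (removed with rm -r above) is left for manual review.

FILES='var/www/cgi-bin/printenv var/www/cgi-bin/test-cgi
var/www/conf/httpd.conf var/www/conf/magic var/www/conf/mime.types
var/www/htdocs/apache_pb.gif var/www/htdocs/blowfish.jpg
var/www/htdocs/bsd_small.gif var/www/htdocs/index.html
var/www/htdocs/lock.gif var/www/htdocs/logo23.jpg var/www/htdocs/logo24.jpg
var/www/htdocs/mod_ssl_sb.gif var/www/htdocs/openbsd_pb.gif
var/www/htdocs/openbsdpower.gif var/www/htdocs/openssl_ics.gif
var/www/htdocs/smalltitle.gif'
DIRS='var/www/conf/modules var/www/conf/modules.sample var/www/users'

audit_httpd_leftovers() {
    root=${1%/} ref=${2%/}
    # Files: identical to the reference copy means stock content.
    for rel in $FILES; do
        if [ ! -e "$root/$rel" ]; then state=absent
        elif [ ! -f "$ref/$rel" ]; then state=no-reference
        elif cmp -s "$root/$rel" "$ref/$rel"; then state=stock
        else state=MODIFIED
        fi
        printf '%s /%s\n' "$state" "$rel"
    done
    # Directories: the guide uses rmdir, which only succeeds when empty.
    for rel in $DIRS; do
        if [ ! -d "$root/$rel" ]; then state=absent
        elif [ -z "$(ls -A "$root/$rel")" ]; then state=empty
        else state=NOT-EMPTY
        fi
        printf '%s /%s\n' "$state" "$rel"
    done
}

# Usage: sh audit.sh / /path/to/pristine-copy
if [ $# -eq 2 ]; then audit_httpd_leftovers "$1" "$2"; fi
```

Anything reported as MODIFIED, NOT-EMPTY or no-reference is a file to read before it is removed; only stock and empty entries match what the old release shipped.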

(Comments are closed)


  1. By jeanot (80.78.9.35) jeanot@gmail.com on

    Dear HTTPd,
    I'll miss you...
    Adieu

  2. By Laurence Rochfort (193.9.13.136) on

    What's the OpenBSD rationale for replacing Apache with nginx?

    I'm pretty familiar with Apache, but haven't touched nginx at all.

    1. By Anonymous Coward (81.200.189.1) on

      > What's the OpenBSD rationale for replacing Apache with nginx?
      >
      > I'm pretty familiar with Apache, but haven't touched nginx at all.

      Nginx is faster and, in a basic configuration, a lot more secure than Apache.

      The other reason is that OpenBSD has maintained for many years its own branch of Apache 1.3.x (If I remember well - I may be wrong on the version number), with many additional patches, and that it was getting completely obsolete.

      Moving to Nginx is, in my opinion, a very smart move.

    2. By chronicdiscord (70.31.53.187) on

      > What's the OpenBSD rationale for replacing Apache with nginx?
      >
      > I'm pretty familiar with Apache, but haven't touched nginx at all.

      I see you've not read anything about Apache for the past four years. Basically the license and the code for the Apache 2 branch was kinda funky, then the license for the Apache 1 branch got funky too... So to avoid funk OpenBSD pretty much forked Apache 1.

      So, not wanting to tie itself to Apache, OpenBSD went elsewhere. Only took a few years to happen.

      What was OpenBSD's rationale for replacing sendmail? What was OpenBSD's rationale for replacing ipf? What rationales does OpenBSD ever have?

      They remove bad code where and when they can, they remove bad licenses where and when they can... Cover it for ya?

      And man pages should get you somewhere with regards to using it.

  3. By Aleksei K (80.235.105.78) niemi@solo.ee on

    Why not to upgrade apache to version 2.2.x or 2.4.x(with event) or try lighttpd server?

    1. By henning (180.42.49.96) on

      > Why not to upgrade apache to version 2.2.x or 2.4.x(with event) or try lighttpd server?

      Not Apache 2 because it's shit, basic design wrong, and not under a free license to begin with.

      Not lighttpd because nginx is just better.

    2. By Anonymous Coward (207.107.158.22) on

      > Why not to upgrade apache to version 2.2.x or 2.4.x(with event) or try lighttpd server?

      Because nginx is significantly better than either of those? Lighttpd has a history of being rather broken, including plenty of security holes that get quietly patched and no announcement made. And it is basically dead, as everyone who used it switched to nginx. Apache2 has a bad license.

  4. By Sebastian Rother (srother) srother@ on https://www.mercenary-security.com

    You might could consider to keep "logresolve" + "htpasswd"...
    Since none of these tools comes with nginx.

    Except this you can replace Apache with nginx flawlessly. :-)

    1. By Anonymous Coward (95.76.6.245) on

      > You might could consider to keep "logresolve" + "htpasswd"...
      > Since none of these tools comes with nginx.
      >
      > Except this you can replace Apache with nginx flawlessly. :-)

      I wrote a htpasswd replacement in perl specifically for this purpose. The switches and CLI are identical to the apache version.
      https://gist.github.com/ggl/4966699

    2. By Anonymous Coward (2001:470:89e9:1:1a:46b3:235a:19a4) on

      > You might could consider to keep "logresolve" + "htpasswd"...
      > Since none of these tools comes with nginx.


      There is a split-logfile program available as well, to replace the perl script of the same name that sometimes is bundled with apache httpd.

      http://archive.mgm51.com/sources/split-logfile.html

  5. By TuxLyn (184.166.186.66) on http://gotux.net/

    This is actually very good. Apache is way too bloated, Nginx is so much superior. As for htpasswd you can easily generate password using perl perl -le 'print crypt("password", "salt")' > /etc/nginx/htpasswd or ruby by running irb command then typing "password".crypt("salt")

    1. By Anonymous Coward (91.154.66.65) on

      People keep calling Apache bloated but how many of you actually looked at the code that ships with OpenBSD?

      Fact: the nginx code base is more than 60% larger.

      https://news.ycombinator.com/item?id=7404092

      1. By Philip Guenther (166.137.208.36) guenther@openbsd.org on

        > People keep calling Apache bloated but how many of you actually looked at the code that ships with OpenBSD?
        >
        > Fact: the nginx code base is more than 60% larger.

        It would help if everyone used version numbers when referring to apache, as I suspect you're responding to a complaint about apache 2.x

        apache 1.3
        + small
        + includes openbsd security fixes
        + good license
        - local fork, no active development
        - old module API means extensions in ports don't use it

        apache 2.x
        + module API supports extensions in ports
        + active development
        - big
        - doesn't include local security work
        - bad license

        nginx
        + module API supports extensions in ports (IIRC)
        + active development
        + good license
        + not big
        + developers receptive to patches from OpenBSD
        + no need to fork

        Those last points are important, as they mean we get the benefit of staying with the main stream, and the fixes get pushed into the main stream to help everyone out there. For example, when we did an audit of the tree to fix ENFILE/EMFILE DoS attacks on daemon, the nginx goes "got it" and pulled in the fixes quickly without any "that won't ever happen!" push back. I want all the websites I visit to be robust and secure, not just those running OpenBSD!

      2. By Anonymous Coward (2001:470:b01e:3:214:51ff:fe67:4efb) on

        > People keep calling Apache bloated but how many of you actually looked at the code that ships with OpenBSD?
        >
        > Fact: the nginx code base is more than 60% larger.
        >
        > https://news.ycombinator.com/item?id=7404092


        The original comment is referring to issues such as how much memory Apache consumes which for most setups is way more than should be necessary or the poor performance. Most common setups with static pages or even PHP and with the use of event driven web servers consume a tiny fraction of the memory and are able to attain performance levels between 2-4 times that of Apache.

    2. By Anonymous Coward (2001:8b0:648e:cc01:f2de:f1ff:fef9:a752) on

      > This is actually very good. Apache is way too bloated, Nginx is so much superior. As for htpasswd you can easily generate password using perl perl -le 'print crypt("password", "salt")' > /etc/nginx/htpasswd or ruby by running irb command then typing "password".crypt("salt")

      You can just use encrypt(1) to generate a crypted password. The default setting is to use bcrypt, which works just fine in an .htpasswd file for nginx (or for lighttpd or httpd) and you don't need to generate the salt yourself, removing another possible way that it can be misused.

      1. By Anonymous Coward (80.153.96.240) on

        > > This is actually very good. Apache is way too bloated, Nginx is so much superior. As for htpasswd you can easily generate password using perl perl -le 'print crypt("password", "salt")' > /etc/nginx/htpasswd or ruby by running irb command then typing "password".crypt("salt")
        >
        > You can just use encrypt(1) to generate a crypted password. The default setting is to use bcrypt, which works just fine in an .htpasswd file for nginx (or for lighttpd or httpd) and you don't need to generate the salt yourself, removing another possible way that it can be misused.

        And what's about logresolve? :-)
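
Added example, not part of any comment in this thread and not OpenBSD code: a format check that labels each htpasswd entry by hash scheme, so 13-character traditional crypt(3) entries of the kind crypt("password", "salt") typically yields stand out from bcrypt ones. The function names, verdict labels and sample entries are assumptions; the sample strings are constructed placeholders, not real hashes.

```shell
#!/bin/sh
# Added example: label each htpasswd entry by the hash scheme its format implies.
# This inspects the format only; it does not verify any password.

classify_htpasswd() {
    while IFS=: read -r user hash rest; do
        case $user in ''|'#'*) continue ;; esac   # skip blanks and comments
        case $hash in
            '$2a$'*|'$2b$'*|'$2y$'*) scheme=bcrypt        verdict=ok ;;
            '$apr1$'*|'$1$'*)        scheme=md5-crypt     verdict=weak ;;
            '{SHA}'*)                scheme=sha1-unsalted verdict=weak ;;
            '{PLAIN}'*)              scheme=plaintext     verdict=weak ;;
            *)  # traditional DES crypt(3): exactly 13 chars of [./0-9A-Za-z],
                # 2-char salt, only the first 8 password characters are used
                if printf '%s' "$hash" | grep -Eq '^[./0-9A-Za-z]{13}$'; then
                    scheme=des-crypt verdict=weak
                else
                    scheme=unknown verdict=review
                fi ;;
        esac
        printf '%s %s %s\n' "$user" "$scheme" "$verdict"
    done < "$1"
}

# Constructed sample entries (placeholder strings, not real hashes).
write_sample_htpasswd() {
    cat > "$1" <<'EOF'
# constructed sample file
alice:$2b$10$ConstructedPlaceholderNotARealBcryptHashValue000000000
bob:saCONSTRUCTED
carol:$apr1$constr$PlaceholderNotARealHash000
dave:{SHA}PlaceholderNotARealHash00000=
erin:not-a-known-format
EOF
}

# Usage: sh classify.sh /path/to/htpasswd
if [ $# -eq 1 ]; then classify_htpasswd "$1"; fi
```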

  6. By Anonymous Coward (80.53.251.245) on

    I've just checked default sources from 5.4/i386 and it seems that included nginx is vulnerable to CVE-2014-0088. The errata for 5.4 fixes only CVE-2013-4547.

    1. By Anonymous Coward (anon) on

      > I've just checked default sources from 5.4/i386 and it seems that included nginx is vulnerable to CVE-2014-0088. The errata for 5.4 fixes only CVE-2013-4547.

      CVE-2014-0088 relates to SPDY support in nginx 1.5.10 on 32-bit systems.

      The version of nginx included in OpenBSD base is using the 1.4 branch, and SPDY has not been enabled in any OpenBSD release (it was enabled in -current for about 3 weeks but disabled again; "Disable SPDY until we have a better understanding about code and protocol within OpenBSD"), so it doesn't apply to base nginx.

      An alternative version of nginx is in ports with more modules enabled; SPDY is enabled and a release from the 1.5 branch is available there, however it's 1.5.7 which pre-dates this bug.

      1. By Anonymous Coward (anon) on

        > > I've just checked default sources from 5.4/i386 and it seems that included nginx is vulnerable to CVE-2014-0088. The errata for 5.4 fixes only CVE-2013-4547.
        >
        > CVE-2014-0088 relates to SPDY support in nginx 1.5.10 on 32-bit systems.

        The new CVE-2014-0133 however does affect all versions of nginx that have SPDY enabled before today's two releases.

  7. By Blake (93.158.32.94) blake at two one one two dot net on 2112.net

    Found a nice tool the other day:

    https://github.com/nhnc-nginx/apache2nginx

    little Python tool to convert Apache config files to Nginx configs...

    HtH

    1. By Anonymous Coward (23.242.254.17) on

      > Found a nice tool the other day:
      >
      > https://github.com/nhnc-nginx/apache2nginx
      >
      > little Python tool to convert Apache config files to Nginx configs...
      >
      > HtH

      WOOT THANKS!

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]