We have a need to run Apache 2.2 and Apache 2.4 web servers on the same VM. The need is created by:

  • A requirement to host an Oracle WebGate module, which doesn't support Apache 2.4 (we use the Red Hat provided 2.2 httpd for that)
  • A requirement to use Apache 2.4 native sessions, in association with the WebGate processing
  • A limitation on the number of VMs we can use (requiring that both web servers be in the same VM)

This all has to occur on a RHEL 5.8 VM (note there's no Red Hat RPM for Apache 2.4 for RHEL5 [nor 6, actually]). Our general intent is to have the 2.2 instance acting as a reverse proxy to a localhost-port-listening 2.4 instance (which is itself acting as a reverse proxy to our origin servers). Configuring to avoid port conflicts, to handle the proxying, etc. is not an issue; I'm well versed in such. It's the general approach to having both server versions installed and operational at the same time that I'm unsure of.

Has anyone done this before? And if so, what was your general approach? Did it work cleanly having both versions installed together, or did you have to e.g. chroot one to create separation between libraries? Or did you statically link in everything needed for the 2.4 binary, or what? We run SELinux in enforcing mode - are there any implications to be aware of on that front?

I've come up empty on googling for anyone who has done something similar, hoping someone here has.

Thank you!

user9517
  • I can do that for sure, by downloading the src.rpm, changing build parameters, moving/renaming libraries and paths, creating new init scripts etc., and building a new rpm. For SELinux, I'll create new definitions per path. It's a pretty huge thing that I cannot tell in one post; also, I'm quite sure I'll need to update some dependencies/libraries (at least APR) and it won't be easy to not break it for old versions, so I will need to rename/move the new ones too. – GioMac Aug 30 '13 at 10:40

1 Answer

You can build httpd-2.4 from source. First of all, you need to upgrade apr/apr-util to at least 1.3.0:

checking for APR version 1.3.0 or later... yes
checking for APR-util version 1.3.0 or later... yes

Build and install apr-1.4.8

# ./configure --prefix=/opt/apr-1.4.8
# make
# make install

Build and install apr-util-1.5.2

# ./configure --prefix=/opt/apr-util-1.5.2 --with-apr=/opt/apr-1.4.8/ --with-crypto --with-openssl=/usr --with-ldap --with-ldap-include=/usr/include/ --with-ldap-lib=/usr/lib64/
# make
# make install

Build and install apache-2.4.6

# ./configure --prefix=/opt/httpd-2.4.6 --with-apr=/opt/apr-1.4.8/ --with-apr-util=/opt/apr-util-1.5.2/
# make
# make install

I would suggest not touching the system apr/apr-util packages.

Some basic checks

# lsof -n -P -i tcp:8080
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
httpd   29268   root    4u  IPv4  57621      0t0  TCP 127.0.0.1:8080 (LISTEN)
httpd   29269 daemon    4u  IPv4  57621      0t0  TCP 127.0.0.1:8080 (LISTEN)
httpd   29270 daemon    4u  IPv4  57621      0t0  TCP 127.0.0.1:8080 (LISTEN)
httpd   29273 daemon    4u  IPv4  57621      0t0  TCP 127.0.0.1:8080 (LISTEN)

# cat /proc/29268/cmdline
/opt/httpd-2.4.6/bin/httpd

# /opt/httpd-2.4.6/bin/httpd -V
Server version: Apache/2.4.6 (Unix)
Server built:   Aug 30 2013 14:33:24
Server's Module Magic Number: 20120211:23
Server loaded:  APR 1.4.8, APR-UTIL 1.5.2
Compiled using: APR 1.4.8, APR-UTIL 1.5.2
Architecture:   64-bit
Server MPM:     event
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
Server compiled with....
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=256
 -D HTTPD_ROOT="/opt/httpd-2.4.6"
 -D SUEXEC_BIN="/opt/httpd-2.4.6/bin/suexec"
 -D DEFAULT_PIDLOG="logs/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

# lsof -n -P -i tcp:80
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
httpd   29392   root    4u  IPv4  58386      0t0  TCP *:80 (LISTEN)
httpd   29394 apache    4u  IPv4  58386      0t0  TCP *:80 (LISTEN)
httpd   29395 apache    4u  IPv4  58386      0t0  TCP *:80 (LISTEN)
httpd   29396 apache    4u  IPv4  58386      0t0  TCP *:80 (LISTEN)
httpd   29397 apache    4u  IPv4  58386      0t0  TCP *:80 (LISTEN)
httpd   29398 apache    4u  IPv4  58386      0t0  TCP *:80 (LISTEN)
httpd   29399 apache    4u  IPv4  58386      0t0  TCP *:80 (LISTEN)
httpd   29400 apache    4u  IPv4  58386      0t0  TCP *:80 (LISTEN)
httpd   29401 apache    4u  IPv4  58386      0t0  TCP *:80 (LISTEN)

# cat /proc/29392/cmdline
/usr/sbin/httpd

# /usr/sbin/httpd -V
Server version: Apache/2.2.3
Server built:   Aug 13 2013 13:27:54
Server's Module Magic Number: 20051115:3
Server loaded:  APR 1.2.7, APR-Util 1.2.7
Compiled using: APR 1.2.7, APR-Util 1.2.7
Architecture:   64-bit
Server MPM:     Prefork
  threaded:     no
    forked:     yes (variable process count)
Server compiled with....
 -D APACHE_MPM_DIR="server/mpm/prefork"
 -D APR_HAS_SENDFILE
 -D APR_HAS_MMAP
 -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
 -D APR_USE_SYSVSEM_SERIALIZE
 -D APR_USE_PTHREAD_SERIALIZE
 -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
 -D APR_HAS_OTHER_CHILD
 -D AP_HAVE_RELIABLE_PIPED_LOGS
 -D DYNAMIC_MODULE_LIMIT=128
 -D HTTPD_ROOT="/etc/httpd"
 -D SUEXEC_BIN="/usr/sbin/suexec"
 -D DEFAULT_PIDLOG="run/httpd.pid"
 -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
 -D DEFAULT_LOCKFILE="logs/accept.lock"
 -D DEFAULT_ERRORLOG="logs/error_log"
 -D AP_TYPES_CONFIG_FILE="conf/mime.types"
 -D SERVER_CONFIG_FILE="conf/httpd.conf"

I know that building packages from source is a bad idea, but sometimes it is the only way out.

ALex_hha
  • Hm, I think this will need a lot of extra work to make SELinux work with it. – Michael Hampton Aug 30 '13 at 14:49
  • For what it's worth (although I personally think this whole thing of running both servers in the same box is a _bad idea_), one could start by copying the original SELinux policy module for the `apache` web server and customize it. Definitely, not a simple task. You might end up punching a *BIG HOLE* in the mandatory access control. There is no support for apache-2.4 in RHEL as of now, by the way. – dawud Aug 31 '13 at 15:08
  • I marked this answer as correct - in general form, that turned out to be the most straightforward way to handle the situation. There was a conflict with the system apr and apr-utils, which the 2.2 instance was relying on, so it was most straightforward to download the newest apr and apr-util source, and use the --with-included-apr option. – daboochmeister Sep 17 '13 at 14:19
  • Btw, the SELinux config turned out not to be an issue - the profile for Apache 2.2 that Red Hat ships ported very easily to 2.4. The configure that was needed was: `./configure --with-included-apr --with-crypto --with-openssl=/usr --with-expat=builtin --enable-mods-shared=all`. I removed numerous modules that were not of use to our situation, but that's the most general form of what we did. On our RHEL 5.8, there were compatibility issues with libexpat, and hence the use of the builtin; and enabling the mod_session_crypto module requires we point the make at openssl for some reason. – daboochmeister Sep 17 '13 at 14:22
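
As an added example (not part of the original answer or comments), the "basic checks" from the answer can be scripted so that a side-by-side install is verified after every rebuild: the 2.4 binary must load the same APR it was built against rather than the system APR 1.2.7, and the back-end listener must stay on loopback so it is reachable only through the 2.2 front end. The function names are illustrative, and the sample text is an excerpt of the output quoted in the answer.

```shell
#!/bin/sh
# Added example; function names are illustrative, samples are excerpts from the answer.

# Succeeds only if the APR/APR-util versions loaded at run time equal the
# build-time versions (reads `httpd -V` output on stdin).
apr_consistent() {
    awk -F': *' '
        /^Server loaded:/  { loaded = toupper($2) }
        /^Compiled using:/ { built  = toupper($2) }
        END { exit !(loaded != "" && loaded == built) }'
}

# Prints the HTTPD_ROOT compiled into the binary (reads `httpd -V` output on stdin).
httpd_root() {
    sed -n 's/^ *-D HTTPD_ROOT="\(.*\)"$/\1/p'
}

# Prints every non-loopback address in LISTEN state
# (reads `lsof -n -P -i tcp:PORT` output on stdin).
non_loopback_listeners() {
    awk '$NF == "(LISTEN)" {
             addr = $(NF-1); sub(/:[0-9]+$/, "", addr)
             if (addr != "127.0.0.1" && addr != "[::1]") print addr
         }' | sort -u
}

# Sample input: excerpt of `/opt/httpd-2.4.6/bin/httpd -V` from the answer.
sample_httpd24_V() { cat <<'EOF'
Server version: Apache/2.4.6 (Unix)
Server loaded:  APR 1.4.8, APR-UTIL 1.5.2
Compiled using: APR 1.4.8, APR-UTIL 1.5.2
 -D HTTPD_ROOT="/opt/httpd-2.4.6"
EOF
}

# Sample input: excerpt of `lsof -n -P -i tcp:8080` from the answer.
sample_lsof_8080() { cat <<'EOF'
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
httpd   29268   root    4u  IPv4  57621      0t0  TCP 127.0.0.1:8080 (LISTEN)
httpd   29269 daemon    4u  IPv4  57621      0t0  TCP 127.0.0.1:8080 (LISTEN)
EOF
}

sample_httpd24_V | apr_consistent && echo "2.4: loaded APR matches build"
echo "2.4 root: $(sample_httpd24_V | httpd_root)"
[ -z "$(sample_lsof_8080 | non_loopback_listeners)" ] && echo "8080: loopback only"
```

On a live host, pipe the real commands into the same functions, for example `/opt/httpd-2.4.6/bin/httpd -V | apr_consistent` and `lsof -n -P -i tcp:8080 | non_loopback_listeners`.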