Verified Commit 64fa904d authored by flussence's avatar flussence

www-servers/apache-2.4.29[brotli] from bug #622066

parent eb4b4480
DIST gentoo-apache-2.4.18-r1-20160303.tar.bz2 24505 SHA256 d81e32d876594b48a7ff6d9123bf776c5bea5453eddd2fe40f4a9b79c11537aa SHA512 68f0c4de38ae05c45839fe692cbb7de641e331ca133b8aaaf69f3659dec15833cda95e6e074edb3a5b6b6d59b3fc5a4ee3589fff810707fe27417a25cd8a4c4d WHIRLPOOL fb61224b2104e611237e1d09eb4dfb3d2b8f023348c9622f7f19434b6b77d63786c41af17a300d994c14d983676f3753ab6fa52f7a7fcd07b9cea3d7eeacc9b9
DIST httpd-2.4.29.tar.bz2 6567926 SHA256 777753a5a25568a2a27428b2214980564bc1c38c1abf9ccc7630b639991f7f00 SHA512 840982fd3d21463bc5c1747f211dfacf3abdf634d149e49bb49fd2e5deda140de602dbdf31e1bbe5337a48f718ab2261c408e83a8dd39a9291ee7b6b7a85639a WHIRLPOOL bd91e3baa3c2b25cb6a4e48062c38a97f9c941884be2e44805a3a08e1fdfb13bf18b37b6c7ab9e7656934f2d3b8c2893e79480ee119f073bfbb376b6c3e32a74
# Copyright 1999-2017 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
EAPI=6
# latest gentoo apache files
GENTOO_PATCHSTAMP="20160303"
GENTOO_DEVELOPER="polynomial-c"
GENTOO_PATCHNAME="gentoo-apache-2.4.18-r1"
# IUSE/USE_EXPAND magic
IUSE_MPMS_FORK="prefork"
IUSE_MPMS_THREAD="event worker"
# << obsolete modules:
# authn_default authz_default mem_cache
# mem_cache is replaced by cache_disk
# ?? buggy modules
# proxy_scgi: startup error: undefined symbol "ap_proxy_release_connection", no fix found
# >> added modules for reason:
# compat: compatibility with 2.2 access control
# authz_host: new module for access control
# authn_core: functionality provided by authn_alias in previous versions
# authz_core: new module, provides core authorization capabilities
# cache_disk: replacement for mem_cache
# lbmethod_byrequests: Split off from mod_proxy_balancer in 2.3
# lbmethod_bytraffic: Split off from mod_proxy_balancer in 2.3
# lbmethod_bybusyness: Split off from mod_proxy_balancer in 2.3
# lbmethod_heartbeat: Split off from mod_proxy_balancer in 2.3
# slotmem_shm: Slot-based shared memory provider (for lbmethod_byrequests).
# socache_shmcb: shared object cache provider. Default config with ssl needs it
# unixd: fixes startup error: Invalid command 'User'
IUSE_MODULES="access_compat actions alias asis auth_basic auth_digest
authn_alias authn_anon authn_core authn_dbd authn_dbm authn_file authz_core
authz_dbd authz_dbm authz_groupfile authz_host authz_owner authz_user autoindex
brotli cache cache_disk cache_socache cern_meta charset_lite cgi cgid dav dav_fs dav_lock
dbd deflate dir dumpio env expires ext_filter file_cache filter headers http2
ident imagemap include info lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness
lbmethod_heartbeat log_config log_forensic logio macro mime mime_magic negotiation
proxy proxy_ajp proxy_balancer proxy_connect proxy_ftp proxy_html proxy_http proxy_scgi
proxy_fcgi proxy_wstunnel rewrite ratelimit remoteip reqtimeout setenvif
slotmem_shm speling socache_shmcb status substitute unique_id userdir usertrack
unixd version vhost_alias xml2enc"
# The following are also in the source as of this version, but are not available
# for user selection:
# bucketeer case_filter case_filter_in echo http isapi optional_fn_export
# optional_fn_import optional_hook_export optional_hook_import
# inter-module dependencies
# TODO: this may still be incomplete
MODULE_DEPENDS="
dav_fs:dav
dav_lock:dav
deflate:filter
brotli:filter
cache_disk:cache
ext_filter:filter
file_cache:cache
lbmethod_byrequests:proxy_balancer
lbmethod_byrequests:slotmem_shm
lbmethod_bytraffic:proxy_balancer
lbmethod_bybusyness:proxy_balancer
lbmethod_heartbeat:proxy_balancer
log_forensic:log_config
logio:log_config
cache_disk:cache
cache_socache:cache
mime_magic:mime
proxy_ajp:proxy
proxy_balancer:proxy
proxy_balancer:slotmem_shm
proxy_connect:proxy
proxy_ftp:proxy
proxy_html:proxy
proxy_html:xml2enc
proxy_http:proxy
proxy_scgi:proxy
proxy_fcgi:proxy
proxy_wstunnel:proxy
substitute:filter
"
# module<->define mappings
MODULE_DEFINES="
auth_digest:AUTH_DIGEST
authnz_ldap:AUTHNZ_LDAP
cache:CACHE
cache_disk:CACHE
cache_socache:CACHE
dav:DAV
dav_fs:DAV
dav_lock:DAV
file_cache:CACHE
http2:HTTP2
info:INFO
ldap:LDAP
proxy:PROXY
proxy_ajp:PROXY
proxy_balancer:PROXY
proxy_connect:PROXY
proxy_ftp:PROXY
proxy_html:PROXY
proxy_http:PROXY
proxy_fcgi:PROXY
proxy_scgi:PROXY
proxy_wstunnel:PROXY
socache_shmcb:SSL
ssl:SSL
status:STATUS
suexec:SUEXEC
userdir:USERDIR
"
# critical modules for the default config
MODULE_CRITICAL="
authn_core
authz_core
authz_host
dir
mime
unixd
"
inherit eutils apache-2 systemd toolchain-funcs
DESCRIPTION="The Apache Web Server"
HOMEPAGE="https://httpd.apache.org/"
# some helper scripts are Apache-1.1, thus both are here
LICENSE="Apache-2.0 Apache-1.1"
SLOT="2"
KEYWORDS="~amd64 ~x86"
DEPEND+="apache2_modules_http2? ( >=net-libs/nghttp2-1.2.1 )
apache2_modules_brotli? ( >=app-arch/brotli-0.6.0 )"
REQUIRED_USE="apache2_modules_http2? ( ssl )"
pkg_setup() {
# dependend critical modules which are not allowed in global scope due
# to USE flag conditionals (bug #499260)
use ssl && MODULE_CRITICAL+=" socache_shmcb"
use doc && MODULE_CRITICAL+=" alias negotiation setenvif"
apache-2_pkg_setup
}
src_configure() {
# Brain dead check.
tc-is-cross-compiler && export ap_cv_void_ptr_lt_long="no"
apache-2_src_configure
}
src_compile() {
if tc-is-cross-compiler; then
# This header is the same across targets, so use the build compiler.
pushd server >/dev/null
emake gen_test_char
tc-export_build_env BUILD_CC
${BUILD_CC} ${BUILD_CFLAGS} ${BUILD_CPPFLAGS} ${BUILD_LDFLAGS} \
gen_test_char.c -o gen_test_char $(apr-1-config --includes) || die
popd >/dev/null
fi
default
}
src_install() {
apache-2_src_install
for i in /usr/bin/{htdigest,logresolve,htpasswd,htdbm,ab,httxt2dbm}; do
rm "${ED}"/$i || die "Failed to prune apache-tools bits"
done
for i in /usr/share/man/man8/{rotatelogs.8,htcacheclean.8}; do
rm "${ED}"/$i || die "Failed to prune apache-tools bits"
done
for i in /usr/share/man/man1/{logresolve.1,htdbm.1,htdigest.1,htpasswd.1,dbmmanage.1,ab.1}; do
rm "${ED}"/$i || die "Failed to prune apache-tools bits"
done
for i in /usr/sbin/{checkgid,fcgistarter,htcacheclean,rotatelogs}; do
rm "${ED}/"$i || die "Failed to prune apache-tools bits"
done
# install apxs in /usr/bin (bug #502384) and put a symlink into the
# old location until all ebuilds and eclasses have been modified to
# use the new location.
local apxs="/usr/bin/apxs"
cp "${S}"/support/apxs "${ED%/}/${apxs}" || die "Failed to install apxs"
ln -s ../bin/apxs "${ED%/}/usr/sbin/apxs" || die
chmod 0755 "${ED%/}${apxs}" || die
# Note: wait for mod_systemd to be included in some forthcoming release,
# Then apache2.4.service can be used and systemd support controlled
# through --enable-systemd
systemd_newunit "${FILESDIR}/apache2.2-hardened.service" "apache2.service"
systemd_dotmpfilesd "${FILESDIR}/apache.conf"
#insinto /etc/apache2/modules.d
#doins "${FILESDIR}/00_systemd.conf"
# Install http2 module config
insinto /etc/apache2/modules.d
doins "${FILESDIR}"/41_mod_http2.conf
}
pkg_postinst() {
apache-2_pkg_postinst || die "apache-2_pkg_postinst failed"
# warnings that default config might not work out of the box
for mod in $MODULE_CRITICAL; do
if ! use "apache2_modules_${mod}"; then
echo
ewarn "Warning: Critical module not installed!"
ewarn "Modules 'authn_core', 'authz_core' and 'unixd'"
ewarn "are highly recomended but might not be in the base profile yet."
ewarn "Default config for ssl needs module 'socache_shmcb'."
ewarn "Enabling the following flags is highly recommended:"
for cmod in $MODULE_CRITICAL; do
use "apache2_modules_${cmod}" || \
ewarn "+ apache2_modules_${cmod}"
done
echo
break
fi
done
# warning for proxy_balancer and missing load balancing scheduler
if use apache2_modules_proxy_balancer; then
local lbset=
for mod in lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat; do
if use "apache2_modules_${mod}"; then
lbset=1 && break
fi
done
if [ ! ${lbset} ] ; then
echo
ewarn "Info: Missing load balancing scheduler algorithm module"
ewarn "(They were split off from proxy_balancer in 2.3)"
ewarn "In order to get the ability of load balancing, at least"
ewarn "one of these modules has to be present:"
ewarn "lbmethod_byrequests lbmethod_bytraffic lbmethod_bybusyness lbmethod_heartbeat"
echo
fi
fi
}
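Review bot: `DEPEND+=` is the only place nghttp2 and brotli are declared, so under EAPI 6 (which has no implicit RDEPEND) the libraries that mod_http2 and mod_brotli link against are build-time dependencies only. A binary-package install or a depclean could then leave httpd with modules that fail to load, unless the apache-2 eclass adds them at runtime, which is not visible here. I would declare them once and append to both: `CDEPEND="apache2_modules_http2? ( >=net-libs/nghttp2-1.2.1 ) apache2_modules_brotli? ( >=app-arch/brotli-0.6.0 )"`, then `DEPEND+=" ${CDEPEND}"` and `RDEPEND+=" ${CDEPEND}"`.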
<IfDefine SSL>
<IfModule http2_module>
# enable debugging for this module
#LogLevel http2:info
#Enable HTTP/2 support
Protocols h2 h2c http/1.1
</IfModule>
</IfDefine>
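Review bot: `Protocols h2 h2c http/1.1` turns on cleartext HTTP/2 (h2c) even though the block is gated on `<IfDefine SSL>`, and src_install drops this file in unconditionally, so SSL-enabled installs that load http2_module also accept h2c on their plain-HTTP listeners by default. h2c is rarely needed, and it adds an upgrade path that intermediaries and request filters in front of the server may not inspect. I would default to `Protocols h2 http/1.1` and leave h2c as a commented opt-in such as `#Protocols h2 h2c http/1.1`. A one-line comment saying that the directive applies server-wide unless overridden per vhost would also help.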
https://bugs.gentoo.org/589226
https://www.apache.org/security/asf-httpoxy-response.txt
--- server/util_script.c (revision 1752426)
+++ server/util_script.c (working copy)
@@ -186,6 +186,14 @@ AP_DECLARE(void) ap_add_common_vars(request_rec *r
else if (!strcasecmp(hdrs[i].key, "Content-length")) {
apr_table_addn(e, "CONTENT_LENGTH", hdrs[i].val);
}
+ /* HTTP_PROXY collides with a popular envvar used to configure
+ * proxies, don't let clients set/override it. But, if you must...
+ */
+#ifndef SECURITY_HOLE_PASS_PROXY
+ else if (!strcasecmp(hdrs[i].key, "Proxy")) {
+ ;
+ }
+#endif
/*
* You really don't want to disable this check, since it leaves you
* wide open to CGIs stealing passwords and people viewing them
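Review bot: Nothing in the ebuild shown on this page applies this patch: there is no `PATCHES` array or `src_prepare`, so unless the apache-2 eclass picks it up, the `Proxy` header filter is not part of the build. The patch was cut against revision 1752426, so confirm whether httpd 2.4.29 already contains the `SECURITY_HOLE_PASS_PROXY` guard in `ap_add_common_vars`. If it does, drop the file; otherwise wire it in with `PATCHES=( "${FILESDIR}/PATCH_FILE_NAME" )` (placeholder, since the file name is not visible on this page). The same applies to the non-hardened apache2.2.service added further down, which src_install never references. The hunk covers only part of `ap_add_common_vars`.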
d /run/apache2 710 root apache
d /run/apache_ssl_mutex
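Review bot: `d /run/apache_ssl_mutex` gives no mode, user or group, so systemd-tmpfiles falls back to its defaults (0755, owned by root), unlike the `/run/apache2` line above, which pins `710 root apache`. For a directory that holds SSL mutex files I would state the intended access explicitly, for example `d /run/apache_ssl_mutex 0710 root apache` if the same access as /run/apache2 is meant. Confirm which user actually needs to create files there before settling on the owner.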
[Unit]
Description=The Apache HTTP Server
After=network.target remote-fs.target nss-lookup.target
[Service]
EnvironmentFile=/etc/conf.d/apache2
ExecStart=/usr/sbin/apache2 $APACHE2_OPTS -DFOREGROUND
ExecReload=/usr/sbin/apache2 $APACHE2_OPTS -k graceful
ExecStop=/usr/sbin/apache2 $APACHE2_OPTS -k graceful-stop
# We want systemd to give httpd some time to finish gracefully, but still want
# it to kill httpd after TimeoutStopSec if something went wrong during the
# graceful stop. Normally, Systemd sends SIGTERM signal right after the
# ExecStop, which would kill httpd. We are sending useless SIGCONT here to give
# httpd time to finish.
KillSignal=SIGCONT
PrivateTmp=true
#Hardening
PrivateTmp=true
CapabilityBoundingSet=CAP_CHOWN CAP_SETGID CAP_SETUID CAP_DAC_OVERRIDE CAP_KILL CAP_NET_BIND_SERVICE CAP_IPC_LOCK
SecureBits=noroot-locked
ProtectSystem=full
NoNewPrivileges=true
PrivateDevices=true
MemoryDenyWriteExecute=true
[Install]
WantedBy=multi-user.target
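Review bot: `CapabilityBoundingSet` keeps `CAP_DAC_OVERRIDE`, which lets the root parent process bypass file permission checks and so gives back much of what the rest of the hardening block is meant to take away. If nothing in the default configuration depends on it, drop it; otherwise add a comment naming what does. `PrivateTmp=true` is set twice (once above `#Hardening`, once below); keep one. `MemoryDenyWriteExecute=true` tends to break loadable modules that generate code at runtime, so a comment such as `# breaks modules that JIT-compile; override in a drop-in if needed` would save users a debugging session.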
[Unit]
Description=The Apache HTTP Server
After=network.target remote-fs.target nss-lookup.target
[Service]
EnvironmentFile=/etc/conf.d/apache2
ExecStart=/usr/sbin/apache2 $APACHE2_OPTS -DFOREGROUND
ExecReload=/usr/sbin/apache2 $APACHE2_OPTS -k graceful
ExecStop=/usr/sbin/apache2 $APACHE2_OPTS -k graceful-stop
# We want systemd to give httpd some time to finish gracefully, but still want
# it to kill httpd after TimeoutStopSec if something went wrong during the
# graceful stop. Normally, Systemd sends SIGTERM signal right after the
# ExecStop, which would kill httpd. We are sending useless SIGCONT here to give
# httpd time to finish.
KillSignal=SIGCONT
PrivateTmp=true
[Install]
WantedBy=multi-user.target
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<maintainer type="person">
<email>polynomial-c@gentoo.org</email>
<name>Lars Wendler</name>
</maintainer>
<longdescription>
The Apache HTTP Server Project is an effort to develop and maintain an
open-source HTTP server for modern operating systems. The goal of this
project is to provide a secure, efficient and extensible server that
provides HTTP services in sync with the current HTTP standards.
</longdescription>
<use>
<flag name="suexec">Install suexec with apache</flag>
<flag name="static">Link in apache2 modules statically rather then plugins</flag>
<flag name="apache2_modules_access_compat">Group authorizations based on host (name or IP address). Available as a compatibility module with previous versions.</flag>
<flag name="apache2_modules_authn_core">Provides core authentication capabilities common to all authentication providers (functionality provided by authn_alias in previous versions).</flag>
<flag name="apache2_modules_authz_core">Provides core authorization capabilities to various authorization/authorization modules, such as authn_file and authz_user.</flag>
<flag name="apache2_modules_authz_dbd">Provides authorization capabilities via SQL database so that authenticated users can be allowed or denied access to portions of the web site by group membership.</flag>
<flag name="apache2_modules_cache_disk">Disk based storage module for the HTTP caching filter (similar to mem_cache in previous versions).</flag>
<flag name="apache2_modules_cache_socache">Shared object cache (socache) based storage module for the HTTP caching filter.</flag>
<flag name="apache2_modules_proxy_html">Module to rewrite links in html pages behind a reverse proxy</flag>
<flag name="apache2_modules_http2">Enable http2/alpn module</flag>
<flag name="apache2_modules_lbmethod_byrequests">Request counting load balancer scheduler algorithm for proxy_balancer.</flag>
<flag name="apache2_modules_lbmethod_bytraffic">Weighted traffic counting load balancer scheduler algorithm for proxy_balancer.</flag>
<flag name="apache2_modules_lbmethod_bybusyness">Pending request counting load balancer scheduler algorithm for proxy_balancer.</flag>
<flag name="apache2_modules_lbmethod_heartbeat">Heartbeat traffic counting load balancer scheduler algorithm for proxy_balancer.</flag>
<flag name="apache2_modules_macro">Macros for the Apache config file.</flag>
<flag name="apache2_modules_slotmem_shm">Slot-based shared memory provider.</flag>
<flag name="apache2_modules_socache_shmcb">A shared object cache provider using a high-performance cyclic buffer inside a shared memory segment.</flag>
<flag name="apache2_modules_unixd">Basic (required) security for Unix-family platforms.</flag>
<flag name="apache2_modules_proxy_fcgi">FCGI support module for mod_proxy.</flag>
<flag name="apache2_modules_proxy_wstunnel">Provides support for the tunnelling of web socket connections to a backend websockets server.</flag>
<flag name="apache2_modules_ratelimit">Ratelimit module for transfer rate management</flag>
<flag name="apache2_modules_remoteip">Remotip module for logging</flag>
<flag name="apache2_modules_watchdog">Provides infrastructure for other modules to periodically run tasks</flag>
<flag name="apache2_modules_xml2enc">Enable xml2 encoding module</flag>
</use>
</pkgmetadata>
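Review bot: The commit adds `brotli` to IUSE_MODULES, but this file has no `apache2_modules_brotli` entry, although other module flags are described here. Unless the flag is already described in the repository's profile-level USE_EXPAND descriptions (not visible on this page), add something like `<flag name="apache2_modules_brotli">Brotli compression filter for HTTP responses.</flag>`.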