Hello,
 
I need a little help on problem with chrooting apache via mod_security with SecChrootdir and ssl support via mod_ssl.
------------------------------------------------------------------------------------------------------------------------------------------
in httpd.conf :
 
LoadModule security_module    libexec/mod_security.so
LoadModule env_module         libexec/mod_env.so
LoadModule config_log_module  libexec/mod_log_config.so
LoadModule mime_module        libexec/mod_mime.so
LoadModule negotiation_module libexec/mod_negotiation.so
LoadModule status_module      libexec/mod_status.so
LoadModule includes_module    libexec/mod_include.so
LoadModule autoindex_module   libexec/mod_autoindex.so
LoadModule dir_module         libexec/mod_dir.so
LoadModule cgi_module         libexec/mod_cgi.so
LoadModule asis_module        libexec/mod_asis.so
LoadModule imap_module        libexec/mod_imap.so
LoadModule action_module      libexec/mod_actions.so
LoadModule userdir_module     libexec/mod_userdir.so
LoadModule alias_module       libexec/mod_alias.so
LoadModule rewrite_module     libexec/mod_rewrite.so
LoadModule access_module      libexec/mod_access.so
LoadModule auth_module        libexec/mod_auth.so
LoadModule setenvif_module    libexec/mod_setenvif.so
<IfDefine SSL>
LoadModule ssl_module         libexec/libssl.so
</IfDefine>
LoadModule php4_module        libexec/libphp4.so
LoadModule perl_module        libexec/libperl.so
ClearModuleList
AddModule mod_security.c
AddModule mod_env.c
AddModule mod_log_config.c
AddModule mod_mime.c
AddModule mod_negotiation.c
AddModule mod_status.c
AddModule mod_include.c
AddModule mod_autoindex.c
AddModule mod_dir.c
AddModule mod_cgi.c
AddModule mod_asis.c
AddModule mod_imap.c
AddModule mod_actions.c
AddModule mod_userdir.c
AddModule mod_alias.c
AddModule mod_rewrite.c
AddModule mod_access.c
AddModule mod_auth.c
AddModule mod_so.c
AddModule mod_setenvif.c
<IfDefine SSL>
AddModule mod_ssl.c
</IfDefine>
AddModule mod_php4.c
AddModule mod_perl.c

-----
&
-----
 
<IfModule mod_security.c>
SecFilterEngine On
SecServerSignature "Microsoft-IIS/4.0"
SecChrootdir /home/chroot/usr/local/apache/
SecFilterCheckURLEncoding On
SecFilterCheckUnicodeEncoding On
SecFilterForceByteRange 0 255
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_log
SecFilterDebugLog logs/modsec_debug_log
SecFilterDebugLevel 0
SecFilterScanPOST On
SecFilterDefaultAction "deny,log,status:401"
</IfModule>
------------------------------------------------------------------------------------------------------------------------------------------
 
# apachectl stop
/usr/local/apache/bin/apachectl stop: httpd stopped
# apachectl startssl
Apache/1.3.31 mod_ssl/2.8.18 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide us with the pass phrases.
 
Server www.test.com:443 (RSA)
Enter pass phrase:
 
Ok: Pass Phrase Dialog successful.
/usr/local/apache/bin/apachectl startssl: httpd started
# ps -auwx | grep httpd
root      2649  1.2  8.5  8344 5224 ?        S    23:42   0:00 /usr/local/apache/bin/httpd -DSSL
apache    2749  0.0  0.0     0    0 ?        Z    23:42   0:00 [httpd <defunct>]
root      2751  0.0  1.2  1976  792 pts/1    R    23:42   0:00 grep httpd
------------------------------------------------------------------------------------------------------------------------------------------
 
but
 
------------------------------------------------------------------------------------------------------------------------------------------
 
# apachectl start
/usr/local/apache/bin/apachectl start: httpd started
# ps -auwx | grep httpd
root     16086  1.1  6.4  6464 3904 ?        S    00:02   0:00 /usr/local/apache/bin/httpd
apache   16087  0.0  6.4  6488 3928 ?        S    00:02   0:00 /usr/local/apache/bin/httpd
apache   16088  0.1  6.4  6488 3928 ?        S    00:02   0:00 /usr/local/apache/bin/httpd
apache   16089  0.0  6.4  6488 3928 ?        S    00:02   0:00 /usr/local/apache/bin/httpd
apache   16090  0.0  6.4  6488 3928 ?        S    00:02   0:00 /usr/local/apache/bin/httpd
apache   16091  0.0  6.4  6488 3928 ?        S    00:02   0:00 /usr/local/apache/bin/httpd
root     16103  0.0  1.2  1976  792 pts/1    R    00:03   0:00 grep httpd
------------------------------------------------------------------------------------------------------------------------------------------
in /usr/local/apache/error_log :
[Mon Jun 14 23:42:43 2004] [notice] mod_security: performed chroot, path=/home/chroot/usr/local/apache/
[Mon Jun 14 23:42:43 2004] [notice] Apache configured -- resuming normal operations
[Mon Jun 14 23:42:43 2004] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Mon Jun 14 23:42:43 2004] [error] mod_ssl: Child could not open SSLMutex lockfile /usr/local/apache/logs/ssl_mutex.2648 (Syst
em error follows)
[Mon Jun 14 23:42:43 2004] [error] System: Aucun fichier ou r\xe9pertoire de ce type (errno: 2)
------------------------------------------------------------------------------------------------------------------------------------------
When i comment the SecChrootdir /home/chroot/usr/local/apache/ line, everything's fine.
 
# ps -auwx | grep httpd
root     15992  1.5  8.5  8344 5220 ?        S    23:51   0:00 /usr/local/apache/bin/httpd -DSSL
apache   15998  0.5  8.5  8344 5228 ?        S    23:51   0:00 /usr/local/apache/bin/httpd -DSSL
apache   15999  0.0  8.5  8344 5228 ?        S    23:51   0:00 /usr/local/apache/bin/httpd -DSSL
apache   16000  0.0  8.5  8344 5228 ?        S    23:51   0:00 /usr/local/apache/bin/httpd -DSSL
apache   16001  0.5  8.5  8344 5228 ?        S    23:51   0:00 /usr/local/apache/bin/httpd -DSSL
apache   16002  0.0  8.5  8344 5228 ?        S    23:51   0:00 /usr/local/apache/bin/httpd -DSSL
root     16004  0.0  1.3  1976  800 pts/1    S    23:51   0:00 grep httpd
------------------------------------------------------------------------------------------------------------------------------------------
 
Directory /home/chroot/usr/local/apache/ exists :
 
# ls -l -R /home/chroot/
/home/chroot/:
total 4
drwxr-xr-x    3 root     root         4096 jun 14 01:31 usr/
 
/home/chroot/usr:
total 4
drwxr-xr-x    3 root     root         4096 jun 14 01:31 local/
 
/home/chroot/usr/local:
total 4
drwxr-xr-x    2 root     root         4096 jun 14 01:31 apache/
 
/home/chroot/usr/local/apache:
total 0

------------------------------------------------------------------------------------------------------------------------------------------
 
Is it possible that apache mod_security chrooting works fine with mod_ssl ?
Do you have ideas about that ?
am i obliged to pass from a chroot usual way ?
 
Thanks in advance
 
Fwd.