[mod-security-users] problem chroot/mod_security apache with mod_ssl
From: fwd <for...@if...> - 2004-06-14 22:29:13
Hello,

I need a little help with a problem chrooting Apache via mod_security with SecChrootdir and SSL support via mod_ssl.

----------------------------------------------------------------------------
in httpd.conf :

LoadModule security_module libexec/mod_security.so
LoadModule env_module libexec/mod_env.so
LoadModule config_log_module libexec/mod_log_config.so
LoadModule mime_module libexec/mod_mime.so
LoadModule negotiation_module libexec/mod_negotiation.so
LoadModule status_module libexec/mod_status.so
LoadModule includes_module libexec/mod_include.so
LoadModule autoindex_module libexec/mod_autoindex.so
LoadModule dir_module libexec/mod_dir.so
LoadModule cgi_module libexec/mod_cgi.so
LoadModule asis_module libexec/mod_asis.so
LoadModule imap_module libexec/mod_imap.so
LoadModule action_module libexec/mod_actions.so
LoadModule userdir_module libexec/mod_userdir.so
LoadModule alias_module libexec/mod_alias.so
LoadModule rewrite_module libexec/mod_rewrite.so
LoadModule access_module libexec/mod_access.so
LoadModule auth_module libexec/mod_auth.so
LoadModule setenvif_module libexec/mod_setenvif.so
<IfDefine SSL>
LoadModule ssl_module libexec/libssl.so
</IfDefine>
LoadModule php4_module libexec/libphp4.so
LoadModule perl_module libexec/libperl.so

ClearModuleList
AddModule mod_security.c
AddModule mod_env.c
AddModule mod_log_config.c
AddModule mod_mime.c
AddModule mod_negotiation.c
AddModule mod_status.c
AddModule mod_include.c
AddModule mod_autoindex.c
AddModule mod_dir.c
AddModule mod_cgi.c
AddModule mod_asis.c
AddModule mod_imap.c
AddModule mod_actions.c
AddModule mod_userdir.c
AddModule mod_alias.c
AddModule mod_rewrite.c
AddModule mod_access.c
AddModule mod_auth.c
AddModule mod_so.c
AddModule mod_setenvif.c
<IfDefine SSL>
AddModule mod_ssl.c
</IfDefine>
AddModule mod_php4.c
AddModule mod_perl.c

----- & -----

<IfModule mod_security.c>
SecFilterEngine On
SecServerSignature "Microsoft-IIS/4.0"
SecChrootdir /home/chroot/usr/local/apache/
SecFilterCheckURLEncoding On
SecFilterCheckUnicodeEncoding On
SecFilterForceByteRange 0 255
SecAuditEngine RelevantOnly
SecAuditLog logs/modsec_log
SecFilterDebugLog logs/modsec_debug_log
SecFilterDebugLevel 0
SecFilterScanPOST On
SecFilterDefaultAction "deny,log,status:401"
</IfModule>
----------------------------------------------------------------------------

# apachectl stop
/usr/local/apache/bin/apachectl stop: httpd stopped
# apachectl startssl
Apache/1.3.31 mod_ssl/2.8.18 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide us with the pass phrases.
Server www.test.com:443 (RSA)
Enter pass phrase:
Ok: Pass Phrase Dialog successful.
/usr/local/apache/bin/apachectl startssl: httpd started
# ps -auwx | grep httpd
root      2649  1.2  8.5  8344 5224 ?      S  23:42  0:00 /usr/local/apache/bin/httpd -DSSL
apache    2749  0.0  0.0     0    0 ?      Z  23:42  0:00 [httpd <defunct>]
root      2751  0.0  1.2  1976  792 pts/1  R  23:42  0:00 grep httpd

----------------------------------------------------------------------------
but
----------------------------------------------------------------------------

# apachectl start
/usr/local/apache/bin/apachectl start: httpd started
# ps -auwx | grep httpd
root     16086  1.1  6.4  6464 3904 ?      S  00:02  0:00 /usr/local/apache/bin/httpd
apache   16087  0.0  6.4  6488 3928 ?      S  00:02  0:00 /usr/local/apache/bin/httpd
apache   16088  0.1  6.4  6488 3928 ?      S  00:02  0:00 /usr/local/apache/bin/httpd
apache   16089  0.0  6.4  6488 3928 ?      S  00:02  0:00 /usr/local/apache/bin/httpd
apache   16090  0.0  6.4  6488 3928 ?      S  00:02  0:00 /usr/local/apache/bin/httpd
apache   16091  0.0  6.4  6488 3928 ?      S  00:02  0:00 /usr/local/apache/bin/httpd
root     16103  0.0  1.2  1976  792 pts/1  R  00:03  0:00 grep httpd

----------------------------------------------------------------------------
in /usr/local/apache/error_log :

[Mon Jun 14 23:42:43 2004] [notice] mod_security: performed chroot, path=/home/chroot/usr/local/apache/
[Mon Jun 14 23:42:43 2004] [notice] Apache configured -- resuming normal operations
[Mon Jun 14 23:42:43 2004] [notice] Accept mutex: sysvsem (Default: sysvsem)
[Mon Jun 14 23:42:43 2004] [error] mod_ssl: Child could not open SSLMutex lockfile /usr/local/apache/logs/ssl_mutex.2648 (System error follows)
[Mon Jun 14 23:42:43 2004] [error] System: Aucun fichier ou r\xe9pertoire de ce type (errno: 2)
----------------------------------------------------------------------------

When I comment out the SecChrootdir /home/chroot/usr/local/apache/ line, everything's fine.

# ps -auwx | grep httpd
root     15992  1.5  8.5  8344 5220 ?      S  23:51  0:00 /usr/local/apache/bin/httpd -DSSL
apache   15998  0.5  8.5  8344 5228 ?      S  23:51  0:00 /usr/local/apache/bin/httpd -DSSL
apache   15999  0.0  8.5  8344 5228 ?      S  23:51  0:00 /usr/local/apache/bin/httpd -DSSL
apache   16000  0.0  8.5  8344 5228 ?      S  23:51  0:00 /usr/local/apache/bin/httpd -DSSL
apache   16001  0.5  8.5  8344 5228 ?      S  23:51  0:00 /usr/local/apache/bin/httpd -DSSL
apache   16002  0.0  8.5  8344 5228 ?      S  23:51  0:00 /usr/local/apache/bin/httpd -DSSL
root     16004  0.0  1.3  1976  800 pts/1  S  23:51  0:00 grep httpd

----------------------------------------------------------------------------
The directory /home/chroot/usr/local/apache/ exists:

# ls -l -R /home/chroot/
/home/chroot/:
total 4
drwxr-xr-x 3 root root 4096 jun 14 01:31 usr/

/home/chroot/usr:
total 4
drwxr-xr-x 3 root root 4096 jun 14 01:31 local/

/home/chroot/usr/local:
total 4
drwxr-xr-x 2 root root 4096 jun 14 01:31 apache/

/home/chroot/usr/local/apache:
total 0
----------------------------------------------------------------------------

Is it possible for Apache mod_security chrooting to work fine with mod_ssl? Do you have any ideas about that? Am I obliged to go the usual chroot way?

Thanks in advance,
Fwd.
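
A diagnostic check for the situation shown in this post, as an added example that is not part of the original message: once chroot() has run, an absolute path such as the SSLMutex lockfile is resolved against the new root, so the script lists the files the error log says could not be opened and whose directory does not exist inside the jail. The function names, the temporary directory layout and the sample log are constructed for the example; the log lines and paths are taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post).

# Print every absolute path named in a "could not open ... /path (..." log line.
failed_paths() {
    # $1 = Apache error_log
    grep 'could not open' "$1" |
        sed -n 's|.* \(/[^ ]*\) (.*|\1|p' | sort -u
}

# Print the failed paths whose directory is absent inside the chroot.
# After chroot(), "/usr/local/apache/logs/x" means "<root>/usr/local/apache/logs/x".
missing_in_chroot() {
    # $1 = SecChrootDir value, $2 = Apache error_log
    root=${1%/}
    failed_paths "$2" | while IFS= read -r p; do
        dir=$(dirname "$p")
        [ -d "$root$dir" ] || printf '%s\n' "$p"
    done
}

# Constructed fixture: an empty jail like the one in the ls -l -R output,
# and two of the error_log lines quoted in the post.
demo() {
    tmp=$(mktemp -d)
    jail="$tmp/home/chroot/usr/local/apache"
    mkdir -p "$jail"
    cat > "$tmp/error_log" <<'EOF'
[Mon Jun 14 23:42:43 2004] [notice] mod_security: performed chroot, path=/home/chroot/usr/local/apache/
[Mon Jun 14 23:42:43 2004] [error] mod_ssl: Child could not open SSLMutex lockfile /usr/local/apache/logs/ssl_mutex.2648 (System error follows)
EOF
    echo "missing with empty jail: $(missing_in_chroot "$jail/" "$tmp/error_log")"
    # Create the directory at the location the path resolves to inside the jail.
    mkdir -p "$jail/usr/local/apache/logs"
    echo "missing after mkdir:     $(missing_in_chroot "$jail/" "$tmp/error_log")"
    rm -rf "$tmp"
}

demo
```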