Re: [mod-security-users] mod_ssl: Child could not open SSLMutex lockfile
From: Ivan R. <iv...@we...> - 2005-05-23 09:42:07
Thai Duong wrote:
> Hi guys,
>
> When I chroot my Apache 1.3.x with mod_security, it kept reporting that
> error. I have searched through this list and found that this error had
> been reported once but still there is no solution, right?
>
> It seems that this problem only occurs in Apache 1.3, I have successfully
> chrooted Apache 2.0 with mod_ssl without any problem before. Here is my
> modsec.conf which is included at the end of httpd.conf
>
> -----------snip-------------
>
> # Yes, we want to use mod_security
> ClearModuleList
> AddModule mod_security.c
> AddModule mod_env.c
> AddModule mod_log_config.c
> AddModule mod_mime.c
> AddModule mod_negotiation.c
> AddModule mod_access.c
> AddModule mod_auth.c
> AddModule mod_setenvif.c
> AddModule mod_ssl.c
> AddModule mod_php4.c
>
> SecFilterEngine On
>
> SecServerSignature "Microsoft IIS/5.0"
>
> SecChrootDir /chroot/jail
>
> ---snip------------
>
> Any suggestion?

Use strace to find out what mod_ssl is trying to do. What does
your directory structure look like? Show us both, the one outside
the jail and the one in /chroot/jail.

> Anyway, I found a solution, just set SSLMutex directive to none, it
> works like a charm.

FYI with SSLMutex set to none the SSL session cache can become
corrupted from time to time.

> FYI, I encountered a lot of problems when using mod_security as a
> static module of both apache 1.3.x and httpd 2.x. Most of the problems
> are with the mod_ssl module (also compiled statically). mod_ssl
> complained that it could not open its SSLMutex, and when I set
> SSLMutex to none, it continued complaining that it could not write to
> the scache directory, which I have created both in the chroot jail and
> the original path. I also chowned these directories to apache but
> still no luck. It seems that mod_security is not made to be used as a
> static module/in a static server (I meant a server where all modules
> are compiled statically), right?

In my experience, it does not matter if Apache is compiled
statically or the modules are loaded at runtime. It is only
the order of initialisation that matters. Consequently, mod_security
should work equally well in both cases.

The problems you are experiencing are due to the fact that mod_ssl
needs to work with certain files (the cache files and the mutex)
after chroot takes place. You simply need a correct directory
structure for that to happen. Again, the use of strace would
pinpoint the problem.

-- 
Ivan Ristic
Apache Security (O'Reilly) - http://www.apachesecurity.net
Open source web application firewall - http://www.modsecurity.org
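
A pre-flight check for the directory structure the reply asks for, as an added example that is not part of the original message or of mod_security. It reads the SSLMutex and SSLSessionCache paths from a config file and checks that each parent directory also exists under the jail given to SecChrootDir. The function names and the sample directive values in the comments are assumptions.

```shell
#!/bin/sh
# Added example. Constructed sample directives this script understands:
#   SSLMutex        file:/var/run/ssl_mutex
#   SSLSessionCache dbm:/var/cache/ssl_scache
# After chroot, /var/run/ssl_mutex resolves to <jail>/var/run/ssl_mutex,
# so <jail>/var/run must exist and be writable by the Apache user.

# ssl_paths CONF: print the filesystem path of every SSLMutex and
# SSLSessionCache directive. Values without a path (none, sem) and
# commented-out lines are skipped.
ssl_paths() {
    awk 'tolower($1) == "sslmutex" || tolower($1) == "sslsessioncache" {
             n = index($2, ":/")
             if (n == 0) next           # no file behind this setting
             p = substr($2, n + 1)      # drop the "file:" / "dbm:" prefix
             sub(/\(.*$/, "", p)        # drop a "(size)" suffix as in shm:
             print p
         }' "$1"
}

# check_jail CONF JAIL: for each path, test that its parent directory exists
# under JAIL and is writable. Run it as the user Apache runs as, otherwise
# the -w test says nothing about the server. Returns 1 if anything is missing.
# Paths containing whitespace are not supported.
check_jail() {
    conf=$1
    jail=$2
    rc=0
    for p in $(ssl_paths "$conf"); do
        dir=$jail$(dirname "$p")
        if [ -d "$dir" ] && [ -w "$dir" ]; then
            echo "ok       $dir"
        else
            echo "MISSING  $dir (needed for $p)"
            rc=1
        fi
    done
    return $rc
}

# Usage: sh check_jail.sh /path/to/httpd.conf /chroot/jail
if [ $# -eq 2 ]; then
    check_jail "$1" "$2"
fi
```

Any directory reported as MISSING is a candidate for the failing open that strace would show after the chroot call.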