• Apache Server 2.2 Vs 2.4
• Upgrade Apache Http Server 2.2 To 2.4
• Apache Http Server 2.2.25
• Apache Server 2.2 Vs 2.4

The Apache Software Foundation and the Apache HTTP Server Project have announced the release of version 2.2.22 of the Apache HTTP Server (“Apache”). The Apache HTTP Project considers this release to be the best version of Apache available, and encourage users of all prior versions to upgrade. The most popular Web server today is Apache (HTTP Server). Here is what you should do to download Apache 2.2.25 binary distribution for Windows: 1. If you have an older version of Apache (HTTP Server) running on your computer, uninstall it first. Go to Apache HTTP Server Web site. Go to the 'Apache 2.2. Apache Http Server version 2.2: Security vulnerabilities Security vulnerabilities of Apache Http Server version 2.2 You can filter results by cvss scores, years and months. This page provides a sortable list of security vulnerabilities. The normal Apache OS/2 binary distribution contains all the standard modules. You can also load third party modules as they become available. Also available is Apache HTTP Server v2.0 which was released for general availability on the 5th April 2002. Other items of interest to Apache for OS/2 users.

Apache Server 2.2 Vs 2.4

Throughout the book, I explain various techniques for controlling access to web pages. For example, if you are getting hit with an attack from a specific range of IP addresses, you can add directives to block them based on the host address or other variables. It is a common technique that I've discussednumeroustimes. With Apache 2.4, there are changes to the directives that are used for access control. This tutorial explains the changes and then shares some examples to help you implement the best solution for your site.

Note: this topic is covered in the book on page 147, 'Allow/Deny directives for Apache 2.4+' (in Chapter 7: Tighten Security).

Changes in Apache 2.4

Summary:

Apache 2.2 uses the authz_host_module to control access using directives like Deny, Allow, and Order.

Apache 2.4 uses also the authz_host_module for access control, but also uses the authz_core_module, which provides the new Require directive.

So basically, the rules to control access are different depending on your version of Apache. To help with this, I've provided numerous examples below.

Code Examples

Here are some examples that compare the different syntax required depending on your version of Apache.

Important! Do not use 2.2 and 2.4 directives on the same server; it may cause issues and/or errors. A workaround for this is to use Conditional Directives, as explained below.

Deny all requests

Allow all requests

Deny access based on host name

Notice that <RequireAll> and Require all granted are required when doing anything more than either Require all granted or Require all denied (as shown in the above examples). Here a couple more examples to further illustrate the concept using Require/All.

Deny access based on IP address

Deny access to specific file

Reminder: Do not use both 2.2 and 2.4 directives on the same server. Doing so may cause errors. Use only the code that applies to your version of Apache. Or, if you want to create a modular, plug-n-play snippet that can be added to any Apache version 2.2 or 2.4+, check out the conditional directives technique in the next section.

Example: Conditional Directives

In some cases, you may not know which version of Apache you are using. In such case, the following conditional directives should give you a better idea. You can use the following code on any Apache server version 2.2 or 2.4+.

When included via .htaccess or Apache configuration file, this code will detect the correct version of Apache and use the proper directives for access control. Here's how it works:

If the server is Apache 2.2 then we know that authz_core_module does not exist. So any directives included inside of the first<IfModule> container will be executed only on Apache 2.2.

Or if the server is Apache 2.4+ we know that authz_core_module exists. So any directives included inside of the second<IfModule> container will be executed only on Apache 2.4 and better.

Of course, these are just examples to show how to implement the correct access-control directives. You will want to consult the Apachedocs and modify the code to suit your specific needs.

Migrating an IHS configuration file from a previous release

The preferred method of migration is to apply your customizations over the new default configuration. If this is prohibitively complicated, it is possible to manually migrate a configuration from a prior release.

Upgrade Apache Http Server 2.2 To 2.4

The following are steps to change an IHS 7.0, 8.0, or 8.5 httpd.conf such that it is useable on an IHS 9.0. This procedure assumes the installation paths of the old and new releases differ.

Apache Http Server 2.2.25

1. Copy your prior releases configuration file(s) to the new installation path.
2. Update paths if the install root has changed. Many absolute paths within the configuration contain the install root. Replacing old paths can be done quickly using the sed command, e.g. This command copies httpd.conf from the prior releases installation directory to the new installation directory, and replaces all instances of /opt/IBM/IHSv8/ with /opt/IBM/IHSv9/.
3. Remove <IfModule worker.c> and the </IfModule> that follows it, leaving the contained directives. On Linux, IHS uses the 'event' MPM and this <IfModule worker.c> would hide the MPM configuration.
4. Replace authz_default_module with authz_core_module; i.e. replace with If the module is not replaced, you will receive an error similar to the following:
5. Update access control. Take only one of the following actions:
   • Replace the old access control directives Order, Allow, and Deny with the new Require directive. Refer to the Access Control section below. This is preferred.
   • Otherwise, load the mod_access_compat module by adding the following line to the configuration:
   • Remove AuthSAFAuthoritative if present (see information at the bottom of this document for more details)
   If neither step is taken, the resulting error message resembles the following:
6. Load the mod_unixd security module by adding the following line to the configuration: Otherwise, the following error occurs:
7. Update the WAS plugin by changing the LoadModule line from: to:
8. Update third-party modules to their Apache 2.4 versions. There are no general instructions for this step; contact the third-party module's vendor for explicit instructions.

   If modules are not compatible with Apache 2.4, you can receive one of two types of error messages. The examples below are how the message is reported on z/OS -- the operative parts of the message are problems with symbols similar to 'ap_my_generation' or 'ap_log_error'.

   The first form resembles this: To figure out which module is causing the problem, start the server with the -e debug option, e.g. This should partially output your configuration file, and then output the error. The line of the configuration after the last line which is printed should be a LoadModule directive containing the name of the failing module. The other type of error message that may be shown when a module is incompatible with Apache 2.4/IHS version 9.0 looks like this: The problematic module's name is contained within the error message - in this case, myapp22_module.
9. Search your configuration for directives such as Include, AuthUserFile, AuthGroupFile, and KeyFile. These directives may either point to files under the old installation root that need to be copied.
10. If using the 'BFlagEscapeAllNonAlnum' parameter to RewriteOptions, remove it. It's the default and only behavior in this and future releases.
11. Linux only: Add a line to dynamically load the Event MPM, e.g. 'LoadModule mpm_event_module modules/mod_mpm_event.so'?
12. Attempt to start the server with the updated configuration. Review the output of the start command and the error_log to make sure no errors were reported. If a directive has been removed or has moved to a new module, you may see an error resemlbing this message:

    Consult the rest of this document for informaton about the specific directive, then check http://publib.boulder.ibm.com/httpserv/manual24/mod/directives.html to find the proper module to load.

    This step will likely require a number of rounds of iteration, as only 1 error is detected at a time.

13. Optional: Review and apply other changes to the default configuration (httpd.conf.default) in the new release:
    • ReportInterval has been reduced to 300 seconds.
    • TrackModules On, TrackHooks allhooks, SlowThreshold 60, TrackHooksOptions logslow have been added.
    • mod_backtrace is now loaded on some platforms where it was unintentionally omitted in previous releases.
    • The default 'LogFormat' now has additional columns appended for serviceability.
    • The default config has been updated to deny access to all directories by default and then explicitly allow access to the document root, icons, CGI-BIN, etc.

Apache Server 2.2 Vs 2.4

After taking all the above steps, the configuration should be ready to be loaded by IHSv9.0. The remainder of the document serves as a reference for what has changed between Apache 2.2 and 2.4.