Apache Http Server Version 2.2

30-04-2021
 |  [RAND-100] - Comments



The Apache HTTP Server can be downloaded from the Apache HTTP Server download site, which lists several mirrors. Most users of Apache HTTPd on unix-like systems will be better off downloading and compiling a source version. The build process (described below) is easy, and it allows you to customize your server to suit your needs. Apache HTTP Server Version 2.2. Apache HTTP Server Documentation. Apache HTTP Server Version 2.2 Documentation. Available Languages: de.

Upgrade Apache HTTP Server 2.2 to 2.4 in RHEL 6 or 7 and CentOS 6 or 7

Authored by: Rackspace Community

If you recently performed a compliance security scan, the results might looklike the following example:

Depending on the code base, Apache® HTTP Server might have alreadymitigated these security issues. The scan checks the version of Apache that isinstalled on the server to determine if the security issue is resolved.However, some compliance security scans only use the version of Apache todetermine if the server is vulnerable to Common Vulnerabilities and Exposures(CVE), rather than detecting vulnerabilities directly.

Such scans almost always generate a false positive. If automatic updates areenabled, the version might remain the same, even if the vulnerability ispatched in another release. As a result, the scan might mark the vulnerabilityas positive. This result might also be the case if your provider’s scans suddenlyshow that your server is no longer vulnerable to vulnerabilities that thescans have previously identified.

If your security audit reveals that your compliance security scans only usethe version of Apache to identify vulnerabilities on your Apache2 server, usethe following steps to edit the configuration file for your Hypertext TransferProtocol daemon (HTTPd):

  1. Open your /etc/apache2/conf.d/httpd.conf file in an editor.

  2. Add the following lines and remove the version information:

    Note: Your server shouldn’t provide a version signature, and yourpenetration testing company should recommend that you disable versions.

Perform the update from Apache 2.2 to Apache 2.4

Use the following steps to update Apache 2.2 to Apache 2.4:

  1. Run the following command to stop your HTTPd and any monitoring processessuch as Nimbus if you want to avoid alerts:

  2. Run the following commands to back up your virtual host configurations,ensuring that you include any additional directories that you addedyourself, such as vhost:

  3. Run the following command to install the yum-plugin-replace package,which is used to resolve package conflicts during package replacement:

    Note Before you proceed, run the following commands to check theversion that is installed and the version that you want to install:

    Your output should appear similar to the following example, which uses thecommand yum info httpd24u.x86_64:

  4. Install HTTPd 2.4 by running the following command:

  5. You must also install Lightweight Directory Access Protocol (LDAP) byrunning the following command:

  6. In Apache 2.4, you must now use Require directives for Internet Protocol(IP) access restriction instead of Order, Deny, and Allow. As aresult, you need to change the Order, Deny,and Allow statements in your /etc/httpd/conf.d/server-status.conf fileto use Require statements. Because you might have these in the.htaccess files for other websites, ensure that you check your documentroots carefully to avoid breaking your websites due to missing Requiredirectives.

    Your existing /etc/httpd/conf.d/server-status.conf file should appearsimilar to the following example:

    Replace the Order, Deny, and Allow statements with the configurationshown in the following example:

    Note: This syntax change also applies to the virtual hosts in yourconf.d and httpd.conf vhost configurations.

  7. Change the Order, Deny, and Allow statements in your conf.d file toRequire statements in the following way:

  8. In the same file, also change Options -Indexes FollowSymLinks toOptions -Indexes +FollowSymLinks.

  9. In your /etc/httpd/conf/httpd.conf file, change the Order, Deny, andAllow statements to Require statements, as shown in step 7.

  10. In the /etc/httpd/conf/httpd.conf file, also comment out theLoadModule directives for modules that are no longer used, as shownin the following example:

  11. Edit the /etc/httpd/conf/httpd.conf file to add the following line withthe other authz modules:

  12. Add the following lines of code to the bottom of the block of LoadModulestatements:

(Optional) Download a compatible version of the Adobe Experience Manager (AEM) Dispatcher module

If the HTTPd installation uses the Adobe® Experience Manager (AEM) Dispatchermodule, you must use the following steps to download the file that’scompatible with Apache HTTP Server 2.4:

  1. Run the following commands to extract thedispatcher-apache2.4-4.1.11.so file from the Tape ARchive (TAR) file into/etc/httpd/modules/. Only this file is used.

  2. Because SSL Mutex is deprecated, you need to edit the/etc/httpd/conf.d/ssl.conf file to change SSLMutex default toMutex default.

For more details, see the Apache documentation about the MutexDirective.

Critical: Restart the HTTPd

After you complete the steps in this guide, you must restart the HTTPd andverify that it is enabled and running by using the following steps:

  1. Run the following command to restart the HTTPd:

  2. Ensure that the service is enabled and running, and re-enable anymonitoring that was enabled before:

    • On CentOS® 7 or Red Hat® Enterprise Linux (RHEL) 7, run the followingcommands:

    • On CentOS 6 or RHEL 6, run the following commands:

©2020 Rackspace US, Inc.

Apache Http Server Version 2.2 Download

Server

Apache Http Server Version 2.2 Documentation

Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License