I would like to update the arc case with the following updates.
1) Include a blurb for each of the modules explaining what they do
2) Add an addendum explaining briefly the interfaces (In this case the
configuration directives they support)
3) Provide a complete reference for these configuration directives for each of
the modules as supplied by the respective upstream communities.
4) Update mod_security to 2.1.5
rahul
-------------- next part --------------
Additional Apache Modules
13 December 2007
1. Summary and motivation
1.1. Introduction
This FastTrack delivers Apache modules mod_jk, mod_fcgid,
mod_security and mod_dtrace to the Apache2 in OpenSolaris.
Modules allow Apache to integrate and provide, at runtime,
functionality that was not available at compile time.
1.1.1 mod_security
From modsecurity.org[3] "ModSecurity is a web application
firewall (WAF). With over 70% of all attacks now carried out
over the web application level, organisations need every help
they can get in making their systems secure. WAFs are deployed
to establish an external security layer that increases security,
detects, and prevents attacks before they reach web applications.
It provides protection from a range of attacks against web
applications and allows for HTTP traffic monitoring and real-time
analysis with little or no changes to existing infrastructure."
1.1.2 mod_jk
From tomcat.apache.org "mod_jk is a replacement to the elderly
mod_jserv. It is a completely new Tomcat-Apache plug-in that
handles the communication between Tomcat and Apache."
1.1.3 mod_fcgid
From fastcgi.coremail.cn "It is a binary compatibility alternative
to Apache module mod_fastcgi." mod_fcgid is an Apache module that
allows CGIs that use the FastCGI mechanism to be deployed on Apache.
From www.fastcgi.com "FastCGI is a language independent,
scalable, open extension to CGI that provides high performance
without the limitations of server specific APIs."
1.1.4 mod_dtrace
From prefetch.net "The Apache DTrace module (mod_dtrace) utilizes
the hook framework to add DTrace probes to the Apache web server.
These probes can be used to observe and correlate web server and
system behavior, and allow easy access to numerous pieces of
realtime Apache data."
This project integrates the most recent stable releases of
mod_jk[1] tomcat-connectors-1.2.25, mod_fcgid[2] 2.2,
mod_security[3] 2.1.5 and mod_dtrace[4] 0.3a.
This case seeks Minor Release Binding.
2. Technical issues
2.1. Key objects
/usr/apache2/2.2/libexec/mod_jk.so
/usr/apache2/2.2/libexec/mod_fcgid.so
/usr/apache2/2.2/libexec/mod_security2.so
/usr/apache2/2.2/libexec/mod_dtrace.so
/usr/apache2/2.2/libexec/${ISAINFO}/mod_jk.so
/usr/apache2/2.2/libexec/${ISAINFO}/mod_fcgid.so
/usr/apache2/2.2/libexec/${ISAINFO}/mod_security2.so
/usr/apache2/2.2/libexec/${ISAINFO}/mod_dtrace.so
2.2 Versioning
mod_jk, mod_fcgid, mod_security and mod_dtrace have a single active
release. (There was a module named mod_jk2 which was deprecated. It
was not the successor to mod_jk.)
It is not possible to query the modules to find out their
versions. The only way to do that is to look at the package
description for the package including it.
2.3 Directory Naming and Structure
This project delivers the 32-bit and 64-bit shared libraries
into the /usr/apache2/2.2/libexec and /usr/apache2/2.2/libexec/${ISAINFO}/
directories of apache. This is in keeping with the approach taken
by the Apache2 integration project for OpenSolaris (PSARC/2007/586).
3. Documentation
The modules mod_jk, mod_fcgid, mod_security and mod_dtrace do not
install documentation into apache though they come with some
documentation in their source. The recommended way to access their
documentation is to look at their websites (mod_fcgid[5], mod_jk[6],
mod_security[7] and mod_dtrace[8]). A list of the external Apache modules
that have been added and their corresponding sites will be part of the
release document.
4. Packaging and Delivery
The modules will be delivered under the cluster SUNWCapch22m. This
cluster consists of SUNWapch22m-fcgid, SUNWapch22m-jk,
SUNWapch22m-security and SUNWapch22m-dtrace respectively.
5. Interfaces
5.1. Interface Stability
The interface stability of each component is described as Volatile
as these are controlled by external organizations over which Sun
has no control. The specific findings regarding the stability of
each module are captured below.
5.1.1 mod_jk
The mod_jk developers will try to keep the releases of 1.2.X
line compatible with each other. But this is not guaranteed in
case of new features that may need to be retracted due to some
bugs or vulnerabilities. The interface of mod_jk (its configuration)
is presented as Addendum 2. The complete list of directives and
their explanation as supplied by tomcat.apache.org is available
as mod_jk_interface.html.
5.1.2 mod_security
The mod_security developers will keep compatibility
between releases with the same major number (i.e. 2.y.z, with 2 being
the major number). But there is no guarantee that the meaning of a
rule set (configuration directive) would be exactly the same
across any two releases. The interface of mod_security (its
configuration) is presented in Addendum 1. The complete list of
directives and their explanation (as provided by modsecurity.org)
is available as mod_security_interface.html.
5.1.3 mod_fcgid
There were no commitments from the mod_fcgid developers in this
regard. (mod_fcgid does not seem to have broken
configuration compatibility with any of its earlier releases
yet [9], but it is in very active development.) The interface of
mod_fcgid (its configuration options) is presented as
Addendum 3. The complete list of directives and their explanation
as provided by fastcgi.coremail.cn is available as
mod_fcgid_interface.html.
5.1.4 mod_dtrace
mod_dtrace has had just two releases (0.2a and 0.3a) and
is possibly very unstable. The interface of the mod_dtrace module consists
of the Apache functions it hooks into. This is provided as
Addendum 4.
5.2. Imported Interfaces
These Apache modules import interfaces from:
NAME        STABILITY      NOTES
Apache2     Uncommitted    PSARC/2007/586/
LDAP        Evolving       PSARC/2000/362/
PCRE        Uncommitted    PSARC/2007/164/
SUNWlxml    Committed      PSARC/2001/175/
Dtrace      Uncommitted    PSARC/2001/466/
5.3. Exported Interfaces
NAME                                                   STABILITY
/usr/apache2/2.2/libexec/mod_jk.so                     Volatile
/usr/apache2/2.2/libexec/mod_fcgid.so                  Volatile
/usr/apache2/2.2/libexec/mod_security.so               Uncommitted
/usr/apache2/2.2/libexec/mod_dtrace.so                 Volatile
/usr/apache2/2.2/libexec/${ISAINFO}/mod_jk.so          Volatile
/usr/apache2/2.2/libexec/${ISAINFO}/mod_fcgid.so       Volatile
/usr/apache2/2.2/libexec/${ISAINFO}/mod_security.so    Uncommitted
/usr/apache2/2.2/libexec/${ISAINFO}/mod_dtrace.so      Volatile
6. References
1. http://fastcgi.coremail.cn/
2. http://tomcat.apache.org/connectors-doc/
3. http://www.modsecurity.org/projects/modsecurity/apache/index.html
4. http://prefetch.net/projects/apache_modtrace/index.html
5. http://fastcgi.coremail.cn/doc.htm
6. http://tomcat.apache.org/connectors-doc/generic_howto/quick.html
7. http://www.modsecurity.org/documentation/index.html
8. http://prefetch.net/projects/apache_modtrace/mod_dtrace.c
9. http://fastcgi.coremail.cn/download.htm
Addendum 1
mod_security interfaces:
The interface includes the configuration directives, exposed variables,
library functions (transformation functions), operators and actions to be
taken on the URI.
Configuration Directives
SecAction
SecArgumentSeparator
SecAuditEngine
SecAuditLog
SecAuditLog2
SecAuditLogParts
SecAuditLogRelevantStatus
SecAuditLogStorageDir
SecAuditLogType
SecChrootDir
SecCookieFormat
SecDataDir
SecDebugLog
SecDebugLogLevel
SecDefaultAction
SecGuardianLog
SecRequestBodyAccess
SecRequestBodyLimit
SecRequestBodyInMemoryLimit
SecResponseBodyLimit
SecResponseBodyMimeType
SecResponseBodyMimeTypesClear
SecResponseBodyAccess
SecRule
SecRuleInheritance
SecRuleEngine
SecRuleRemoveById
SecRuleRemoveByMsg
SecServerSignature
SecTmpDir
SecUploadDir
SecUploadKeepFiles
SecWebAppId
Variables
ARGS
ARGS_COMBINED_SIZE
ARGS_NAMES
AUTH_TYPE
ENV
FILES
FILES_COMBINED_SIZE
FILES_NAMES
FILES_SIZES
FILES_TMPNAMES
HTTP_
MULTIPART_CRLF_LF_LINES
MULTIPART_STRICT_ERROR
MULTIPART_UNMATCHED_BOUNDARY
PATH_INFO
QUERY_STRING
REMOTE_ADDR
REMOTE_HOST
REMOTE_PORT
REMOTE_USER
REQBODY_PROCESSOR
REQBODY_PROCESSOR_ERROR
REQBODY_PROCESSOR_ERROR_MSG
REQUEST_BASENAME
REQUEST_BODY
REQUEST_COOKIES
REQUEST_COOKIES_NAMES
REQUEST_FILENAME
REQUEST_HEADERS
REQUEST_HEADERS_NAMES
REQUEST_LINE
REQUEST_METHOD
REQUEST_PROTOCOL
REQUEST_URI
REQUEST_URI_RAW
RESPONSE_BODY
RESPONSE_HEADERS
RESPONSE_HEADERS_NAMES
RESPONSE_PROTOCOL
RESPONSE_STATUS
RULE
SCRIPT_BASENAME
SCRIPT_FILENAME
SCRIPT_GID
SCRIPT_GROUPNAME
SCRIPT_MODE
SCRIPT_UID
SCRIPT_USERNAME
SERVER_ADDR
SERVER_NAME
SERVER_PORT
SESSION
SESSIONID
TIME
TIME_DAY
TIME_EPOCH
TIME_HOUR
TIME_MIN
TIME_MON
TIME_SEC
TIME_WDAY
TIME_YEAR
TX
USERID
WEBAPPID
WEBSERVER_ERROR_LOG
XML
Transformation functions
base64Decode
base64Encode
compressWhitespace
escapeSeqDecode
hexDecode
hexEncode
htmlEntityDecode
lowercase
md5
none
normalisePath
normalisePathWin
removeNulls
removeWhitespace
replaceComments
replaceNulls
urlDecode
urlDecodeUni
urlEncode
sha1
Actions
allow
auditlog
capture
chain
ctl
deny
deprecatevar
drop
exec
expirevar
id
initcol
log
msg
multiMatch
noauditlog
nolog
pass
pause
phase
proxy
redirect
rev
sanitiseArg
sanitiseMatched
sanitiseRequestHeader
sanitiseResponseHeader
severity
setuid
setsid
setenv
setvar
skip
status
t
xmlns
Operators
eq
ge
gt
inspectFile
le
lt
rbl
rx
validateByteRange
validateDTD
validateSchema
validateUrlEncoding
validateUtf8Encoding
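The check below is an added example, not part of the ARC case or of ModSecurity itself: it lints SecRule lines against the operator, transformation and action names listed in this addendum, so that a rule set relying on names outside this 2.1.5 interface is flagged before it is deployed. It assumes one rule per line and does not check variable names; the function names and the sample rules are constructed for illustration.

```python
import re
import shlex

# Names copied from Addendum 1 (the mod_security 2.1.5 interface listed above).
OPERATORS = set("""eq ge gt inspectFile le lt rbl rx validateByteRange validateDTD
    validateSchema validateUrlEncoding validateUtf8Encoding""".split())
TRANSFORMS = set("""base64Decode base64Encode compressWhitespace escapeSeqDecode
    hexDecode hexEncode htmlEntityDecode lowercase md5 none normalisePath
    normalisePathWin removeNulls removeWhitespace replaceComments replaceNulls
    urlDecode urlDecodeUni urlEncode sha1""".split())
ACTIONS = set("""allow auditlog capture chain ctl deny deprecatevar drop exec
    expirevar id initcol log msg multiMatch noauditlog nolog pass pause phase
    proxy redirect rev sanitiseArg sanitiseMatched sanitiseRequestHeader
    sanitiseResponseHeader severity setuid setsid setenv setvar skip status t
    xmlns""".split())
# One action item: a name, optionally ":value"; the value may be single-quoted.
ITEM = re.compile(r"(\w+)(?::('[^']*'|[^,]*))?")

def lint_secrule(line):
    """Return the names used by one SecRule line that Addendum 1 does not list."""
    parts = [] if line.lstrip().startswith("#") else shlex.split(line)
    if not parts or parts[0] != "SecRule":
        return []                      # comments and other directives are skipped
    if len(parts) < 3:
        return ["malformed SecRule"]   # SecRule needs variables and an operator
    problems = []
    op = re.match(r"!?@(\w+)", parts[2])   # no "@name" prefix: plain regex (rx)
    if op and op.group(1) not in OPERATORS:
        problems.append("operator " + op.group(1))
    for m in ITEM.finditer(parts[3] if len(parts) > 3 else ""):
        name, value = m.group(1), (m.group(2) or "").strip()
        if name not in ACTIONS:
            problems.append("action " + name)
        elif name == "t" and value not in TRANSFORMS:
            problems.append("transformation " + value)
    return problems

def lint_config(text):
    """Map line number -> problems, for every SecRule line that has any."""
    found = {n: lint_secrule(l) for n, l in enumerate(text.splitlines(), 1)}
    return {n: p for n, p in found.items() if p}

# Constructed sample rules (hypothetical, not taken from the ARC case).
SAMPLE = r'''
SecRuleEngine On
SecRule REQUEST_URI "@rx \.\./" "phase:2,t:none,t:urlDecodeUni,deny,status:403,msg:'Path traversal, blocked'"
SecRule ARGS "@pm select union" "phase:2,t:lowercase,pass,log"
SecRule REQUEST_HEADERS:User-Agent "^$" "phase:1,t:trim,block,tag:'ua'"
'''
print(lint_config(SAMPLE))
```
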
Addendum 2:
Apache directives exposed by mod_jk
JkWorkersFile
JkWorkerProperty
JkShmFile
JkShmSize
JkMountFile
JkMountFileReload
JkMount
JkUnMount
JkAutoAlias
JkMountCopy
JkWorkerIndicator
JkLogFile
JkLogLevel
JkLogStampFormat
JkRequestLogFormat
JkExtractSSL
JkHTTPSIndicator
JkCERTSIndicator
JkCIPHERIndicator
JkCERTCHAINPrefix
JkSESSIONIndicator
JkKEYSIZEIndicator
JkOptions
JkEnvVar
JkStripSession
Addendum 3:
Apache directives exposed by mod_fcgid
IdleTimeout
IdleScanInterval
BusyTimeout
BusyScanInterval
ErrorScanInterval
ZombieScanInterval
ProcessLifeTime
SocketPath
SpawnScoreUpLimit
SpawnScore
TerminationScore
MaxProcessCount
DefaultMaxClassProcessCount
DefaultMinClassProcessCount
DefaultInitEnv
IPCConnectTimeout
IPCCommTimeout
OutputBufferSize
PHP_Fix_Pathinfo_Enable
Addendum 4:
Apache methods hooked into by mod_dtrace:
apache_receive_request
apache_log_request
apache_create_child
apache_accept_connection
apache_check_user
apache_check_access
apache_check_authorization
dtrace_register_hooks
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://mail.opensolaris.org/pipermail/webstack-discuss/attachments/20080211/b9916e1f/attachment.html>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://mail.opensolaris.org/pipermail/webstack-discuss/attachments/20080211/b9916e1f/attachment-0001.html>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://mail.opensolaris.org/pipermail/webstack-discuss/attachments/20080211/b9916e1f/attachment-0002.html>