Additional Apache2 Modules
11 February 2008

1. Summary and motivation

1.1. Introduction

This project delivers the Apache modules mod_jk, mod_fcgid, mod_security and mod_dtrace to Apache2 (PSARC/2007/586) in OpenSolaris. Modules allow Apache to integrate and provide functionality at runtime that was not available at compile time.

1.1.1 mod_security

From modsecurity.org[3]:

"ModSecurity is a web application firewall (WAF). With over 70% of all attacks now carried out over the web application level, organisations need every help they can get in making their systems secure. WAFs are deployed to establish an external security layer that increases security, detects, and prevents attacks before they reach web applications. It provides protection from a range of attacks against web applications and allows for HTTP traffic monitoring and real-time analysis with little or no changes to existing infrastructure."

1.1.2 mod_jk

From tomcat.apache.org:

"mod_jk is a replacement to the elderly mod_jserv. It is a completely new Tomcat-Apache plug-in that handles the communication between Tomcat and Apache."

1.1.3 mod_fcgid

From fastcgi.coremail.cn:

"It is a binary compatibility alternative to Apache module mod_fastcgi."

mod_fcgid is an Apache module that allows CGIs using the FastCGI mechanism to be deployed on Apache. From www.fastcgi.com:

"FastCGI is a language independent, scalable, open extension to CGI that provides high performance without the limitations of server specific APIs."

1.1.4 mod_dtrace

From prefetch.net:

"The Apache DTrace module (mod_dtrace) utilizes the hook framework to add DTrace probes to the Apache web server. These probes can be used to observe and correlate web server and system behavior, and allow easy access to numerous pieces of realtime Apache data."
This project integrates the most recent stable releases of mod_jk[2] (tomcat-connectors-1.2.25), mod_fcgid[1] (2.2), mod_security[3] (2.1.5) and mod_dtrace[4] (0.3a).

This case seeks Minor Release Binding.

2. Technical issues

2.1. Key objects

    /usr/apache2/2.2/libexec/mod_jk.so
    /usr/apache2/2.2/libexec/mod_fcgid.so
    /usr/apache2/2.2/libexec/mod_security2.so
    /usr/apache2/2.2/libexec/mod_dtrace.so
    /usr/apache2/2.2/libexec/${ISAINFO}/mod_jk.so
    /usr/apache2/2.2/libexec/${ISAINFO}/mod_fcgid.so
    /usr/apache2/2.2/libexec/${ISAINFO}/mod_security2.so
    /usr/apache2/2.2/libexec/${ISAINFO}/mod_dtrace.so

2.2. Versioning

mod_jk, mod_fcgid, mod_security and mod_dtrace each have a single active release. (There was a module named mod_jk2, which has been deprecated; it was not the successor to mod_jk.)

It is not possible to query the modules themselves for their versions. The only way to find a module's version is to read the description of the package that delivers it.

2.3. Directory Naming and Structure

This project delivers the 32-bit and 64-bit shared libraries into the /usr/apache2/2.2/libexec and /usr/apache2/2.2/libexec/${ISAINFO}/ directories of Apache. This is in keeping with the approach taken by the Apache2 integration project for OpenSolaris (PSARC/2007/586).

3. Documentation

The modules mod_jk, mod_fcgid, mod_security and mod_dtrace do not install documentation into Apache, although their sources ship with some documentation. The recommended way to access their documentation is through their websites (mod_fcgid[5], mod_jk[6], mod_security[7] and mod_dtrace[8]). A list of the external Apache modules that have been added, with their corresponding sites, will be part of the release document.

4. Packaging and Delivery

The modules will be delivered under the cluster SUNWCapch22m. This cluster consists of the packages SUNWapch22m-fcgid, SUNWapch22m-jk, SUNWapch22m-security and SUNWapch22m-dtrace.

5. Interfaces

5.1. Interface Stability

The interface stability of most of these modules is Volatile, as they are controlled by external organisations over which Sun has no control. The specific findings regarding the stability of each module are captured below.

5.1.1 mod_jk

The mod_jk developers will try to keep the releases of the 1.2.X line compatible with each other, but this is not guaranteed in the case of new features that may have to be retracted because of bugs or vulnerabilities. The interface of mod_jk (its configuration) is presented as Addendum 2. The complete list of directives and their explanation, as supplied by tomcat.apache.org, is available as mod_jk_interface.html.

5.1.2 mod_security

The mod_security developers will keep compatibility between releases with the same major number (i.e. 2.y.z, with 2 being the major number), but there is no guarantee that the meaning of a rule set (configuration directive) will be exactly the same across any two releases. The interface of mod_security (its configuration) is presented in Addendum 1. The complete list of directives and their explanation, as provided by modsecurity.org, is available as mod_security_interface.html.

5.1.3 mod_fcgid

There were no commitments from the mod_fcgid developers in this regard. (mod_fcgid does not seem to have broken configuration compatibility with any of its earlier releases yet [9], but it is in very active development.) The interface of mod_fcgid (its configuration options) is presented as Addendum 3. The complete list of directives and their explanation, as provided by fastcgi.coremail.cn, is available as mod_fcgid_interface.html.

5.1.4 mod_dtrace

mod_dtrace has had just two releases (0.2a and 0.3a) and is possibly very unstable. The interface of the dtrace module consists of the Apache functions it hooks into. This is provided as Addendum 4.

5.2. Imported Interfaces

These Apache modules import interfaces from:

    NAME        STABILITY     NOTES
    ------------------------------------------------------------
    Apache2     Uncommitted   PSARC/2007/586/
    LDAP        Evolving      PSARC/2000/362/
    PCRE        Uncommitted   PSARC/2007/164/
    SUNWlxml    Committed     PSARC/2001/175/
    Dtrace      Uncommitted   PSARC/2001/466/

5.3. Exported Interfaces

    NAME                                                   STABILITY
    ---------------------------------------------------------------
    /usr/apache2/2.2/libexec/mod_jk.so                     Volatile
    /usr/apache2/2.2/libexec/mod_fcgid.so                  Volatile
    /usr/apache2/2.2/libexec/mod_security.so               Uncommitted
    /usr/apache2/2.2/libexec/mod_dtrace.so                 Volatile
    /usr/apache2/2.2/libexec/${ISAINFO}/mod_jk.so          Volatile
    /usr/apache2/2.2/libexec/${ISAINFO}/mod_fcgid.so       Volatile
    /usr/apache2/2.2/libexec/${ISAINFO}/mod_security.so    Uncommitted
    /usr/apache2/2.2/libexec/${ISAINFO}/mod_dtrace.so      Volatile

6. References

    1. http://fastcgi.coremail.cn/
    2. http://tomcat.apache.org/connectors-doc/
    3. http://www.modsecurity.org/projects/modsecurity/apache/index.html
    4. http://prefetch.net/projects/apache_modtrace/index.html
    5. http://fastcgi.coremail.cn/doc.htm
    6. http://tomcat.apache.org/connectors-doc/generic_howto/quick.html
    7. http://www.modsecurity.org/documentation/index.html
    8. http://prefetch.net/projects/apache_modtrace/mod_dtrace.c
    9. http://fastcgi.coremail.cn/download.htm

==============================================================================

Addendum 1
----------

mod_security interfaces

These consist of the configuration directives, exposed variables, library (transformation) functions, operators, and the actions to be taken on a matching request.

Configuration Directives
    SecAction
    SecArgumentSeparator
    SecAuditEngine
    SecAuditLog
    SecAuditLog2
    SecAuditLogParts
    SecAuditLogRelevantStatus
    SecAuditLogStorageDir
    SecAuditLogType
    SecChrootDir
    SecCookieFormat
    SecDataDir
    SecDebugLog
    SecDebugLogLevel
    SecDefaultAction
    SecGuardianLog
    SecRequestBodyAccess
    SecRequestBodyLimit
    SecRequestBodyInMemoryLimit
    SecResponseBodyLimit
    SecResponseBodyMimeType
    SecResponseBodyMimeTypesClear
    SecResponseBodyAccess
    SecRule
    SecRuleInheritance
    SecRuleEngine
    SecRuleRemoveById
    SecRuleRemoveByMsg
    SecServerSignature
    SecTmpDir
    SecUploadDir
    SecUploadKeepFiles
    SecWebAppId

Variables
    ARGS
    ARGS_COMBINED_SIZE
    ARGS_NAMES
    AUTH_TYPE
    ENV
    FILES
    FILES_COMBINED_SIZE
    FILES_NAMES
    FILES_SIZES
    FILES_TMPNAMES
    HTTP_
    MULTIPART_CRLF_LF_LINES
    MULTIPART_STRICT_ERROR
    MULTIPART_UNMATCHED_BOUNDARY
    PATH_INFO
    QUERY_STRING
    REMOTE_ADDR
    REMOTE_HOST
    REMOTE_PORT
    REMOTE_USER
    REQBODY_PROCESSOR
    REQBODY_PROCESSOR_ERROR
    REQBODY_PROCESSOR_ERROR_MSG
    REQUEST_BASENAME
    REQUEST_BODY
    REQUEST_COOKIES
    REQUEST_COOKIES_NAMES
    REQUEST_FILENAME
    REQUEST_HEADERS
    REQUEST_HEADERS_NAMES
    REQUEST_LINE
    REQUEST_METHOD
    REQUEST_PROTOCOL
    REQUEST_URI
    REQUEST_URI_RAW
    RESPONSE_BODY
    RESPONSE_HEADERS
    RESPONSE_HEADERS_NAMES
    RESPONSE_PROTOCOL
    RESPONSE_STATUS
    RULE
    SCRIPT_BASENAME
    SCRIPT_FILENAME
    SCRIPT_GID
    SCRIPT_GROUPNAME
    SCRIPT_MODE
    SCRIPT_UID
    SCRIPT_USERNAME
    SERVER_ADDR
    SERVER_NAME
    SERVER_PORT
    SESSION
    SESSIONID
    TIME
    TIME_DAY
    TIME_EPOCH
    TIME_HOUR
    TIME_MIN
    TIME_MON
    TIME_SEC
    TIME_WDAY
    TIME_YEAR
    TX
    USERID
    WEBAPPID
    WEBSERVER_ERROR_LOG
    XML

Transformation functions
    base64Decode
    base64Encode
    compressWhitespace
    escapeSeqDecode
    hexDecode
    hexEncode
    htmlEntityDecode
    lowercase
    md5
    none
    normalisePath
    normalisePathWin
    removeNulls
    removeWhitespace
    replaceComments
    replaceNulls
    urlDecode
    urlDecodeUni
    urlEncode
    sha1

Actions
    allow
    auditlog
    capture
    chain
    ctl
    deny
    deprecatevar
    drop
    exec
    expirevar
    id
    initcol
    log
    msg
    multiMatch
    noauditlog
    nolog
    pass
    pause
    phase
    proxy
    redirect
    rev
    sanitiseArg
    sanitiseMatched
    sanitiseRequestHeader
    sanitiseResponseHeader
    severity
    setuid
    setsid
    setenv
    setvar
    skip
    status
    t
    xmlns

Operators
    eq
    ge
    gt
    inspectFile
    le
    lt
    rbl
    rx
    validateByteRange
    validateDTD
    validateSchema
    validateUrlEncoding
    validateUtf8Encoding

==============================================================================

Addendum 2
----------

Apache directives exposed by mod_jk

    JkWorkersFile
    JkWorkerProperty
    JkShmFile
    JkShmSize
    JkMountFile
    JkMountFileReload
    JkMount
    JkUnMount
    JkAutoAlias
    JkMountCopy
    JkWorkerIndicator
    JkLogFile
    JkLogLevel
    JkLogStampFormat
    JkRequestLogFormat
    JkExtractSSL
    JkHTTPSIndicator
    JkCERTSIndicator
    JkCIPHERIndicator
    JkCERTCHAINPrefix
    JkSESSIONIndicator
    JkKEYSIZEIndicator
    JkOptions
    JkEnvVar
    JkStripSession

==============================================================================

Addendum 3
----------

Apache directives exposed by mod_fcgid

    IdleTimeout
    IdleScanInterval
    BusyTimeout
    BusyScanInterval
    ErrorScanInterval
    ZombieScanInterval
    ProcessLifeTime
    SocketPath
    SpawnScoreUpLimit
    SpawnScore
    TerminationScore
    MaxProcessCount
    DefaultMaxClassProcessCount
    DefaultMinClassProcessCount
    DefaultInitEnv
    IPCConnectTimeout
    IPCCommTimeout
    OutputBufferSize
    PHP_Fix_Pathinfo_Enable

==============================================================================

Addendum 4
----------

Probe names exported by mod_dtrace

    receive-request
    log-request
    create-child
    accept-connection
    check-user-credentials
    check-access
    check-authorization
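The addenda list the directives, variables, transformations, actions and operators without showing how they fit together. The httpd.conf fragment below is an added example, written for this page and not taken from the case, from PSARC/2007/586 or from any of the modules' own documentation. It wires together directives from Addenda 1, 2 and 3 (and loads mod_dtrace, which has no directives of its own) for the Apache 2.2 layout of section 2.1. The module paths are the key objects of section 2.1; every other file-system path, the worker names, the rule ids, the URL prefixes and the dtrace_module identifier are assumptions.

```apache
# Added example for the four modules of this case. Module paths are the
# key objects of section 2.1; all other paths, names and ids are assumed.
LoadModule security2_module /usr/apache2/2.2/libexec/mod_security2.so
LoadModule jk_module        /usr/apache2/2.2/libexec/mod_jk.so
LoadModule fcgid_module     /usr/apache2/2.2/libexec/mod_fcgid.so
# mod_dtrace has no directives; loading it is what exposes the probes of
# Addendum 4 to D scripts. The module identifier is an assumption.
LoadModule dtrace_module    /usr/apache2/2.2/libexec/mod_dtrace.so

# --- mod_security 2.1.5 (Addendum 1) -----------------------------------
# SecServerSignature overwrites the Server header; it needs ServerTokens
# Full so that httpd reserves enough room for the replacement string.
ServerTokens Full
SecServerSignature "Apache"

SecRuleEngine On
SecRequestBodyAccess On
SecRequestBodyLimit 131072
SecRequestBodyInMemoryLimit 131072
SecResponseBodyAccess Off
# Audit only transactions that ended in an error, or that a rule flagged.
SecAuditEngine RelevantOnly
SecAuditLogRelevantStatus "^(?:5|4(?!04))"
SecAuditLogType Serial
SecAuditLogParts ABCFHZ
SecAuditLog /var/apache2/2.2/logs/modsec_audit.log
# Inherited by every SecRule below that does not override it.
SecDefaultAction "phase:2,log,auditlog,deny,status:403"

# A body the module could not parse must not be passed on to the application.
SecRule REQBODY_PROCESSOR_ERROR "!@eq 0" \
    "id:100001,phase:2,t:none,msg:'Failed to parse request body'"
# Allow only the methods the applications behind httpd actually use.
SecRule REQUEST_METHOD "!^(?:GET|HEAD|POST)$" \
    "id:100002,phase:1,t:none,status:405,msg:'Method not allowed'"
# Arguments must be valid UTF-8; arguments and headers may not carry NUL bytes.
SecRule ARGS "@validateUtf8Encoding" \
    "id:100003,phase:2,t:none,msg:'Invalid UTF-8 in argument'"
SecRule ARGS|ARGS_NAMES|REQUEST_HEADERS "@validateByteRange 1-255" \
    "id:100004,phase:2,t:none,msg:'NUL byte in request'"
# Scoring: rule 100005 only records a marker in the TX collection (pass);
# rule 100006 blocks once the accumulated score is high enough. The
# transformations decode the argument before the expression is matched.
SecRule ARGS "(?i:<script\b|javascript:)" \
    "id:100005,phase:2,t:urlDecodeUni,t:htmlEntityDecode,t:compressWhitespace,pass,setvar:tx.score=+5,msg:'Script marker in argument'"
SecRule TX:SCORE "@gt 9" \
    "id:100006,phase:2,t:none,msg:'Anomaly score exceeded'"
# Tuning: an application that legitimately posts markup gets 100005 removed
# for its own prefix only; the rest of the server keeps it.
<Location /app/editor/>
    SecRuleRemoveById 100005
</Location>

# --- mod_jk 1.2.25 (Addendum 2) ----------------------------------------
# Workers defined inline with JkWorkerProperty; JkWorkersFile is the
# file-based alternative. Tomcat's AJP connector is assumed on loopback.
JkWorkerProperty worker.list=tomcat1,jkstatus
JkWorkerProperty worker.tomcat1.type=ajp13
JkWorkerProperty worker.tomcat1.host=127.0.0.1
JkWorkerProperty worker.tomcat1.port=8009
JkWorkerProperty worker.jkstatus.type=status
JkWorkerProperty worker.jkstatus.read_only=true
JkShmFile /var/apache2/2.2/logs/jk-runtime-status
JkLogFile /var/apache2/2.2/logs/mod_jk.log
JkLogLevel info
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
# Forward the SSL key size so the web application can see it (JkKEYSIZEIndicator).
JkOptions +ForwardKeySize
# Forward the application to Tomcat but let httpd serve its static files.
JkMount /app/* tomcat1
JkUnMount /app/*.css tomcat1
JkUnMount /app/*.png tomcat1
# The status worker shows (and, unless read_only, changes) worker state:
# reachable from the local host only.
JkMount /jkstatus jkstatus
<Location /jkstatus>
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
</Location>

# --- mod_fcgid 2.2 (Addendum 3) ----------------------------------------
SocketPath /var/apache2/2.2/fcgidsock
IPCConnectTimeout 10
IPCCommTimeout 40
IdleTimeout 300
ProcessLifeTime 3600
# Cap FastCGI processes overall and per script class.
MaxProcessCount 32
DefaultMaxClassProcessCount 8
DefaultMinClassProcessCount 0
OutputBufferSize 65536
# Environment handed to every FastCGI process: explicit and minimal.
DefaultInitEnv PATH /usr/bin:/bin
Alias /fcgi-bin/ /var/apache2/2.2/fcgi-bin/
<Directory /var/apache2/2.2/fcgi-bin>
    SetHandler fcgid-script
    Options +ExecCGI
    Order Allow,Deny
    Allow from all
</Directory>
```

The Sec*, Jk* and mod_fcgid directives are only recognised after their LoadModule line, so the fragment must follow the module loads; `apachectl -t` reports any directive the loaded modules do not know. Because the rules inherit deny from SecDefaultAction, the first deployment is best done with SecRuleEngine set to DetectionOnly, reading the audit log for false positives before switching to On.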