Differences between revisions 4 and 5
Revision 4 as of 2012-03-20 20:56:22
Size: 2756
Editor: StefanFritsch
Comment:
Revision 5 as of 2013-05-23 12:25:56
Size: 2767
Editor: XTaran
Comment: 2.4 didn't make it to Wheezy, but will make it to Jessie
Line 3: Line 3:
This is for Debian squeeze. For wheezy, look [[Apache/PackagingFor24|here]] This is for Debian Squeeze and Wheezy. For Jessie, look [[Apache/PackagingFor24|here]]

Best practices for packaging Apache HTTPD modules

This is for Debian Squeeze and Wheezy. For Jessie, see Apache/PackagingFor24.

Meta-data

  • Name the binary package libapache2-mod-something
  • If your module supports threaded MPMs, build-depend on apache2-threaded-dev and depend on apache2 | apache2-mpm

  • If your module does not support threaded MPMs, build-depend on apache2-prefork-dev and depend on apache2-mpm-prefork | apache2-mpm-itk

  • Also depend on apache2.2-common

Configuration

  • Create /etc/apache2/mods-available/something.load with the LoadModule directive

  • If necessary, create /etc/apache2/mods-available/something.conf to define a reasonable default configuration. Document the configuration with comments.

Security considerations

  • Don't allow local users to execute arbitrary code through mod_userdir: If your module can execute code (e.g. a scripting language), make sure that it is not activated for the userdirs in the default configuration.

  • On the other hand, don't assume that the www-data user is safe: If your module allows privileged operations (e.g. switching user IDs like mod_suexec), don't assume that only Apache httpd can execute code as user www-data. You must have additional safeguards in place to prevent privilege escalation by local users.

Maintainer scripts

Safe version

The safe way is to always restart Apache.

postinst
execute on install / upgrade

   if [ "$1" = configure ] ; then
       # only enable on new installs, not on upgrades
       if [ -z "$2" ] ; then
           a2enmod -q something
       fi
       # only restart if mod_something is enabled
       if [ -e /etc/apache2/mods-enabled/something.load ] ; then
           invoke-rc.d apache2 restart
       fi
   fi

prerm
execute on removal

   if [ "$1" = remove ] ; then
       a2dismod -q -f something || true
       invoke-rc.d apache2 restart
   fi

Advanced version

For some modules and in some cases, it is enough to do a reload instead of a restart. If you want to do this, be sure to actually test that

  • the module works and is activated correctly if you do only a reload during install
  • the new binary is loaded if you do only a reload during upgrade (use lsof to check!)

For some modules, reload works for upgrades but not for install/remove. For some modules, reload never works.
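
One way to script the upgrade check from the list above, as an added example that is not part of the original wiki page: instead of calling lsof, it reads /proc/<pid>/maps directly, where the kernel marks a mapped file that has since been replaced with " (deleted)". The function names, the MODULE_PATH variable and the --check switch are assumptions made for this example; "mod_something.so" is the page's placeholder module name.

```shell
#!/bin/sh
# Added example (not from the wiki page): after an upgrade followed by
# "reload", find processes that still map the old, unlinked module binary.
# "mod_something.so" is the page's placeholder name; set MODULE_PATH.
MODULE_PATH=${MODULE_PATH:-/usr/lib/apache2/modules/mod_something.so}

# stale_module_pids MODULE [PROC_ROOT]
# Prints the PID of every process whose memory map lists MODULE with the
# " (deleted)" suffix the kernel appends to unlinked files. PROC_ROOT
# defaults to /proc and exists so a constructed tree can be checked too.
stale_module_pids() {
    module=$1
    proc_root=${2:-/proc}
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        # The leading space anchors the start of the path and the suffix
        # comparison its end, so only MODULE itself matches.
        if awk -v want=" $module (deleted)" '
            length($0) >= length(want) &&
            substr($0, length($0) - length(want) + 1) == want { found = 1; exit }
            END { exit !found }' "$maps" 2>/dev/null
        then
            pid=${maps%/maps}
            echo "${pid##*/}"
        fi
    done
}

# check_reload_loaded_new_binary MODULE [PROC_ROOT]
# Returns 0 if no process maps a deleted copy of MODULE, 1 otherwise.
check_reload_loaded_new_binary() {
    stale=$(stale_module_pids "$1" "$2" | sort -n | tr '\n' ' ')
    if [ -n "$stale" ]; then
        echo "old module binary still mapped by PIDs: $stale" >&2
        return 1
    fi
    return 0
}

# Stand-alone use: sh thisfile.sh --check
if [ "${1:-}" = "--check" ]; then
    check_reload_loaded_new_binary "$MODULE_PATH"
fi
```

Run it as root after the package upgrade and reload, because the maps files of Apache's processes are not readable by other users. A non-zero result means the module needs a restart in its postinst rather than a reload.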

Other things

  • Put your module binary into /usr/lib/apache2/modules/

  • dpkg-shlibdeps will complain about the module containing unresolvable references. This is due to how libtool builds the module and can be ignored.