Differences between revisions 2 and 3
Revision 2 as of 2010-09-18 16:56:10
Size: 2567
Editor: StefanFritsch
Revision 3 as of 2010-09-23 17:17:15
Size: 2718
Editor: StefanFritsch

Best practices for packaging Apache HTTPD modules

This is for Debian squeeze and later.

Meta-data

  • Name the binary package libapache2-mod-something
  • If your module supports threaded MPMs, build-depend on apache2-threaded-dev and depend on apache2 | apache2-mpm

  • If your module does not support threaded MPMs, build-depend on apache2-prefork-dev and depend on apache2-mpm-prefork | apache2-mpm-itk

  • Also depend on apache2.2-common

Configuration

  • Create /etc/apache2/mods-available/something.load with the LoadModule directive

  • If necessary, create /etc/apache2/mods-available/something.conf to define a reasonable default configuration. Document the configuration with comments.

Security considerations

  • Don't allow local users to execute arbitrary code through mod_userdir: if your module can execute code (e.g. a scripting language), make sure that it is not activated for the userdirs in the default configuration.

  • On the other hand, don't assume that the www-data user is safe: if your module allows privileged operations (e.g. switching user IDs like mod_suexec), don't assume that only Apache httpd can execute code as user www-data. You must have additional safeguards in place to prevent privilege escalation by local users.

Maintainer scripts

Safe version

The safe way is to always restart Apache.

postinst (executed on install / upgrade)

   if [ "$1" = configure ] ; then
       # only enable on new installs, not on upgrades
       if [ -z "$2" ] ; then
           a2enmod -q something
       fi
       # only restart if mod_something is enabled
       if [ -e /etc/apache2/mods-enabled/something.load ] ; then
           invoke-rc.d apache2 restart
       fi
   fi

prerm (executed on removal)

   if [ "$1" = remove ] ; then
       a2dismod -q -f something || true
       invoke-rc.d apache2 restart
   fi

Advanced version

For some modules and in some cases, it is enough to do a reload instead of a restart. If you want to do this, be sure to actually test that:

  • the module works and is activated correctly if you do only a reload during install
  • the new binary is loaded if you do only a reload during upgrade (use lsof to check!)

For some modules, reload works for upgrades but not for install/remove. For some modules, reload never works.
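
One way to script the two checks above (an added example, not part of the original page): it reads /proc/<pid>/maps directly instead of calling lsof, and reports whether the module is mapped from the file currently on disk, from a replaced (unlinked) file, or not at all. The function names and the sample maps lines are constructed for illustration; "something" is the page's placeholder module name.

```shell
#!/bin/sh
# Added example: classify how mod_something.so is mapped in a process,
# from /proc/<pid>/maps-style text on stdin.
MODULE=/usr/lib/apache2/modules/mod_something.so   # placeholder module name

# Prints: stale   - mapping points at an unlinked (replaced) file: the old
#                   binary is still in memory, reload was not enough
#         current - mapped, and the path still refers to the mapped file
#         absent  - not mapped at all (module was never loaded)
module_state() {
    awk -v mod="$1" '
        # Field 6 is the pathname; the kernel appends " (deleted)" as
        # field 7 when the mapped file has been unlinked.
        $6 == mod && $7 == "(deleted)" { stale = 1 }
        $6 == mod && NF == 6           { current = 1 }
        END {
            if (stale)        print "stale"
            else if (current) print "current"
            else              print "absent"
        }'
}

# Check every running apache2 process (needs root to read /proc/<pid>/maps).
# Returns non-zero if any process is not in state "current".
check_running() {
    rc=0
    for pid in $(pidof apache2); do
        state=$(module_state "$MODULE" < "/proc/$pid/maps")
        echo "pid $pid: $state"
        [ "$state" = current ] || rc=1
    done
    return $rc
}

# Constructed sample: maps excerpt of a worker after an upgrade followed by
# a reload that did NOT pick up the new binary.
SAMPLE_STALE='7f3a1c000000-7f3a1c021000 r-xp 00000000 08:01 131090 /usr/lib/apache2/modules/mod_something.so (deleted)
7f3a1c400000-7f3a1c45a000 r-xp 00000000 08:01 131077 /usr/lib/apache2/modules/mod_ssl.so'

# Run against the live system only when asked to: sh check.sh --live
if [ "${1:-}" = --live ]; then check_running; fi
```

A "stale" result after an upgrade means the old code is still running, which matters most for security updates; an "absent" result after install means the reload did not activate the module.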

Other things

  • Put your module binary into /usr/lib/apache2/modules/

  • dpkg-shlibdeps will complain about the module containing unresolvable references. This is due to how libtool builds the module and can be ignored.