Best practices for packaging Apache HTTPD modules
This is for Debian Squeeze and Wheezy. For Jessie, look here
- Name the binary package libapache2-mod-something
- If your module supports threaded MPMs, build-depend on apache2-threaded-dev and depend on apache2 | apache2-mpm
- If your module does not support threaded MPMs, build-depend on apache2-prefork-dev and depend on apache2-mpm-prefork | apache2-mpm-itk
- Also depend on apache2.2-common
- Create /etc/apache2/mods-available/something.load with the LoadModule directive
- If necessary, create /etc/apache2/mods-available/something.conf to define a reasonable default configuration. Document the configuration with comments.
- Don't allow local users to execute arbitrary code through mod_userdir: If your module allows code execution (e.g. a scripting language), make sure that it is not activated for the userdirs in the default configuration.
- On the other hand, don't assume that the www-data user is safe: If your module allows privileged operations (e.g. switching userids like mod_suexec), don't assume that only Apache httpd can execute code as user www-data. You must have additional safeguards in place to prevent privilege escalation by local users.
The safe way is to always restart Apache.
- execute on install / upgrade
    if [ "$1" = configure ] ; then
        # only enable on new installs, not on upgrades
        if [ -z "$2" ] ; then
            a2enmod -q something
        fi
        # only restart if mod_something is enabled
        if [ -e /etc/apache2/mods-enabled/something.load ] ; then
            invoke-rc.d apache2 restart
        fi
    fi
- execute on removal
    if [ "$1" = remove ] ; then
        a2dismod -q -f something || true
        invoke-rc.d apache2 restart
    fi
For some modules and in some cases, it is enough to do a reload instead of a restart. If you want to do this, be sure to actually test that:
- the module works and is activated correctly if you do only a reload during install
- the new binary is loaded if you do only a reload during upgrade (use lsof to check!)
For some modules, reload works for upgrades but not install/remove. For some modules reload never works.
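One way to script the lsof check described above (an added example, not part of the original page). It assumes the upgrade replaced the module file on disk, so a process that still maps the old copy is listed by lsof with FD `DEL`; the function names, PIDs and inode numbers are made up for illustration.

```shell
#!/bin/sh
# Added example. "something" and the sample PIDs/inodes are placeholders.

MODULE=/usr/lib/apache2/modules/mod_something.so

# stale_module_pids MODULE_PATH
# Reads lsof output on stdin and prints, one per line, the PIDs that still
# map an unlinked copy of MODULE_PATH (i.e. the pre-upgrade binary).
stale_module_pids() {
    awk -v mod="$1" '
        # lsof reports a mapped file whose inode was unlinked with FD "DEL".
        $4 == "DEL" && $NF == mod              { print $2 }
        # Also accept a name that carries a "(deleted)" suffix.
        $NF == "(deleted)" && $(NF - 1) == mod { print $2 }
    ' | sort -un
}

# Constructed lsof output: after an upgrade followed by a reload, the parent
# (2101) and one child (2105) still map the old inode; 2106 maps the new file.
sample_lsof() {
    cat <<'EOF'
COMMAND  PID     USER  FD  TYPE DEVICE SIZE/OFF   NODE NAME
apache2 2101     root DEL  REG    8,1          393222 /usr/lib/apache2/modules/mod_something.so
apache2 2105 www-data DEL  REG    8,1          393222 /usr/lib/apache2/modules/mod_something.so
apache2 2106 www-data mem  REG    8,1    34520 393301 /usr/lib/apache2/modules/mod_something.so
apache2 2106 www-data mem  REG    8,1    71112 393150 /usr/lib/apache2/modules/mod_alias.so
EOF
}

# reload_is_sufficient MODULE_PATH: succeeds only if no process is stale.
reload_is_sufficient() {
    [ -z "$(stale_module_pids "$1")" ]
}

# On a test machine, replace sample_lsof with: lsof -n -c apache2
if sample_lsof | reload_is_sufficient "$MODULE"; then
    echo "reload picked up the new binary"
else
    echo "old binary still mapped by PIDs:" $(sample_lsof | stale_module_pids "$MODULE")
    echo "use 'invoke-rc.d apache2 restart' in the maintainer scripts"
fi
```

Run it against real lsof output after installing the upgraded package and issuing only a reload; any PID printed means the old code is still executing and the maintainer scripts need a restart.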
Put your module binary into /usr/lib/apache2/modules/
- dpkg-shlibdeps will complain about the module containing unresolvable references. This is due to how libtool builds the module and can be ignored.