Hello, Apache 2.2 here.

Wow, I knew that I’d have to do some reconfiguring when I saw that the new apache 2.2 packages were about to remove libapache2-mod-security due to a dependency issue. What I didn’t know was that I’d have to redo all the configuration steps taken during the upgrade from 1.3 to 2 again.

You can find the rather boring story of my upgrade by reading the rest of this article. Oh and just in case you missed them, I’ve uploaded the WCG 2006 Grand Final pictures some time ago. Have fun browsing.
OK, now for my utterly exciting (NOT) Apache upgrade story: I let aptitude go about its job of installing packages. Once that was done, I checked for any remainders of mod-security’s configuration, found it enclosed nicely into ‘if’ statements, and decided to meld some of the new default config files with mine. Alas, after an Apache restart, I noticed quite a few things that were set differently to what I was expecting.

Problem #1: No SSL.

Trying to access my webserver, I noticed that I got no response from it on the SSL port (443 TCP). I thought that I’d probably removed the listening line somewhere and decided to add ‘Listen 443’ to /etc/apache2/ports.conf. A restart later, apache was happily listening to port 443, and my browser spat out an ugly error message (something ending in “error code: 12263” for those who care). In apache’s error log, it looked as if Firefox was requesting garbage from it and finally, I realized that while apache was listening to port 443, it wasn’t doing so in SSL mode. A deeper look into my ssl configuration pointed out that the ” condition, in which all of my SSL configuration was enclosed, was actually returning ‘false’. To make sure I never run into such an issue again, I removed the ‘IF’ part entirely as I’d rather have apache bailing out on configuration errors than silently starting up without any SSL support. (N.B. I actually had a ‘Listen’ line in the SSL config, so I had to remove the one I previously added to ports.conf again)

Problem #2: No Digest authentication.

With SSL happily serving pages through a secure channel again, I retried my previous test access, only to be hit by an ‘Internal Server Error’. A quick look at the error.log revealed that in fact the statements responsible for forcing digest authentication in my .htaccess file were unknown to the server. Turns out that ‘AuthDigestFile’ is now called ‘AuthUserFile’ and a line with ‘AuthDigestProvider file’ was required too.

Problem #3: Still no Digest authentication.

OK, that wasn’t it. While changing .htaccess did somehow make the authentication process start, I still couldn’t log in. Instead, the login prompt kept jumping into my face, eventually abandoning and making way for a lovely ‘Not authorized’ message. Apparently the authentication stuff in Apache 2.2 was split up into several modules, and the Debian packages forgot to enable them. Short side note: I’m using etch/testing, so I’m not really complaining about the packages. That’s what testing is for: Finding these issues and fixing them before everything goes stable. Anyway, after some playing around with a2enmod and another Apache restart, I had authn_default and authz_user enabled and digest authentication was working again. (Not sure whether I actually need authn_default, but I figured it can’t hurt to leave it on.)

Note to self: Next time, read the release notes BEFORE upgrading something.
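A pre-upgrade check for the digest authentication changes described in problems #2 and #3, as an added example that is not part of the original post. The function names, finding codes, sample file contents and the password file path are constructed for illustration; the directive and module names are the ones the post mentions.

```python
"""Lint a Digest-protected .htaccess for the Apache 2.0 -> 2.2 changes in the post."""

# Directive rename reported in the post.
RENAMED = {"authdigestfile": "AuthUserFile"}
# Modules the post enabled with a2enmod (the author was unsure authn_default is needed).
POST_MODULES = ("authn_default", "authz_user")

def parse_directives(text):
    """Return (lineno, lowercased name, args) for each plain directive line."""
    out = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#<":    # skip blanks, comments, <Section> tags
            continue
        parts = line.split(None, 1)
        out.append((lineno, parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return out

def lint_digest_htaccess(text, enabled_modules):
    """Return a list of (code, detail) findings; an empty list means nothing flagged."""
    directives = parse_directives(text)
    if not any(n == "authtype" and a.lower() == "digest" for _, n, a in directives):
        return []                          # not a Digest-protected directory
    findings = []
    for lineno, name, _ in directives:
        if name in RENAMED:
            findings.append(("renamed", f"line {lineno}: use {RENAMED[name]}"))
    if not any(n == "authdigestprovider" for _, n, _ in directives):
        findings.append(("no-provider", "add 'AuthDigestProvider file'"))
    for mod in POST_MODULES:
        if mod not in enabled_modules:
            findings.append(("module-off", f"a2enmod {mod}"))
    return findings

# Constructed samples: realm and password file path are placeholders.
OLD_HTACCESS = """AuthType Digest
AuthName "private"
AuthDigestFile /path/to/digest.passwd
Require valid-user
"""
NEW_HTACCESS = """AuthType Digest
AuthName "private"
AuthDigestProvider file
AuthUserFile /path/to/digest.passwd
Require valid-user
"""

if __name__ == "__main__":
    for code, detail in lint_digest_htaccess(OLD_HTACCESS, {"auth_digest"}):
        print(code, detail)
```

On a Debian layout the set of enabled modules can be built from the `*.load` file names in /etc/apache2/mods-enabled before calling `lint_digest_htaccess`.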
