Contributed by jj on from the puffy-vs-geronimo dept.
In a series of commits, Florian Obser (florian@) has unhooked Apache from the OpenBSD base build. This means you need to pay special attention when upgrading your systems:
/usr/sbin/httpd and the associated tools and files have been removed. Consider using nginx(8) for your http serving needs, but note that nginx is not a drop-in replacement. For people who need the old httpd(8) and cannot switch at this time, see the port www/apache-httpd-openbsd.
Packages are not yet available due to release engineering, but will follow. The following files and directories need to be removed:
rm -r /usr/lib/apache
rm -r /usr/share/doc/html/httpd
rm /usr/bin/{dbmmanage,htdigest,htpasswd}
rm /usr/sbin/{apachectl,apxs,httpd,logresolve,rotatelogs,suexec}
rm /usr/share/man/man1/{dbmmanage.1,htdigest.1,htpasswd.1}
rm /usr/share/man/man8/{apachectl.8,apxs.8,httpd.8,logresolve.8}
rm /usr/share/man/man8/{rotatelogs.8,suexec.8}
rm /etc/rc.d/httpd
The following files are associated with httpd(8) and can be deleted in some cases, but may have been replaced with user content or configuration. Warning: On systems which currently or have previously used any http daemon, care must be taken and files analyzed case by case to avoid accidental deletion of user content or important configuration files. In particular, users moving to apache-httpd-openbsd will want to keep many of these files.
# rm -r /var/www/icons
# rmdir /var/www/conf/{modules,modules.sample}
# rmdir /var/www/users
# rm /var/www/cgi-bin/{printenv,test-cgi}
# rm /var/www/conf/{httpd.conf,magic,mime.types}
# rm /var/www/htdocs/{apache_pb.gif,blowfish.jpg,bsd_small.gif,index.html}
# rm /var/www/htdocs/{lock.gif,logo23.jpg,logo24.jpg,mod_ssl_sb.gif}
# rm /var/www/htdocs/{openbsd_pb.gif,openbsdpower.gif,openssl_ics.gif}
# rm /var/www/htdocs/smalltitle.gif
Emphasis in the original, so make sure you've run through what you need to do, take backups, sweat it out for a minute before hitting the enter key, make one final tarball of your data just in case, and then carefully go through the upgrade.
What, that's not your checklist?
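One way to do the case-by-case review the warning asks for before deleting anything under /var/www, as an added example (not part of the upgrade note or of OpenBSD): a read-only sh function that reports, for each path on the second list, whether it exists, whether it is newer than a reference file, and whether a directory slated for rmdir still has content. The ROOT prefix, the reference-file heuristic and the function name are assumptions of this example.

```sh
#!/bin/sh
# Added example: read-only review of the /var/www cleanup list; deletes nothing.
# Usage: audit_httpd_leftovers [ROOT] [REFERENCE_FILE]
#   ROOT            optional prefix, e.g. a mounted backup (assumption of this example)
#   REFERENCE_FILE  optional file whose mtime stands in for "install time" (heuristic)

# Files and directories named in the upgrade note, with the brace lists expanded.
HTTPD_FILES="
/var/www/cgi-bin/printenv /var/www/cgi-bin/test-cgi
/var/www/conf/httpd.conf /var/www/conf/magic /var/www/conf/mime.types
/var/www/htdocs/apache_pb.gif /var/www/htdocs/blowfish.jpg
/var/www/htdocs/bsd_small.gif /var/www/htdocs/index.html
/var/www/htdocs/lock.gif /var/www/htdocs/logo23.jpg /var/www/htdocs/logo24.jpg
/var/www/htdocs/mod_ssl_sb.gif /var/www/htdocs/openbsd_pb.gif
/var/www/htdocs/openbsdpower.gif /var/www/htdocs/openssl_ics.gif
/var/www/htdocs/smalltitle.gif"
HTTPD_DIRS="/var/www/icons /var/www/conf/modules /var/www/conf/modules.sample /var/www/users"

audit_httpd_leftovers() {
    root="${1:-}"
    ref="${2:-}"
    for p in $HTTPD_FILES; do
        f="$root$p"
        [ -e "$f" ] || { echo "absent   $p"; continue; }
        # A file newer than the reference was probably edited after install.
        if [ -n "$ref" ] && [ -n "$(find "$f" -newer "$ref" 2>/dev/null)" ]; then
            echo "MODIFIED $p"
        else
            echo "present  $p"
        fi
    done
    for p in $HTTPD_DIRS; do
        d="$root$p"
        [ -d "$d" ] || { echo "absent   $p"; continue; }
        # rmdir only succeeds on empty directories; anything inside needs a look.
        # (/var/www/icons is removed with rm -r, so check it for added files too.)
        if [ -n "$(ls -A "$d" 2>/dev/null)" ]; then
            echo "NONEMPTY $p"
        else
            echo "empty    $p"
        fi
    done
}

# With no arguments this audits the live system without a reference file.
audit_httpd_leftovers "$@"
```

Anything reported as MODIFIED or NONEMPTY is a candidate for user content or local configuration and should be inspected and backed up before the corresponding rm or rmdir is run.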
(Comments are closed)
By jeanot (80.78.9.35) jeanot@gmail.com on
I'll miss you...
Adieu
By Laurence Rochfort (193.9.13.136) on
I'm pretty familiar with Apache, but haven't touched nginx at all.
Comments
By Anonymous Coward (81.200.189.1) on
>
> I'm pretty familiar with Apache, but haven't touched nginx at all.
Nginx is faster and, in a basic configuration, a lot more secure than Apache.
The other reason is that OpenBSD has maintained for many years its own branch of Apache 1.3.x (If I remember well - I may be wrong on the version number), with many additional patches, and that it was getting completely obsolete.
Moving to Nginx is, in my opinion, a very smart move.
By chronicdiscord (70.31.53.187) on
>
> I'm pretty familiar with Apache, but haven't touched nginx at all.
I see you've not read anything about Apache for the past four years. Basically the license and the code for the Apache 2 branch was kinda funky, then the license for the Apache 1 branch got funky too... So to avoid funk OpenBSD pretty much forked Apache 1.
So, not wanting to tie itself to Apache, OpenBSD went elsewhere. Only took a few years to happen.
What was OpenBSD's rationale for replacing sendmail? What was OpenBSD's rationale for replacing ipf? What rationales does OpenBSD ever have?
They remove bad code where and when they can, they remove bad licenses where and when they can... Cover it for ya?
And man pages should get you somewhere with regards to using it.
By Aleksei K (80.235.105.78) niemi@solo.ee on
Comments
By henning (180.42.49.96) on
Not Apache 2 because it's shit, basic design wrong, and not under a free license to begin with.
Not lighttpd because nginx is just better.
By Anonymous Coward (207.107.158.22) on
Because nginx is significantly better than either of those? Lighttpd has a history of being rather broken, including plenty of security holes that get quietly patched and no announcement made. And it is basically dead, as everyone who used it switched to nginx. Apache2 has a bad license.
By Sebastian Rother (srother) srother@ on https://www.mercenary-security.com
Since none of these tools comes with nginx.
Except this you can replace Apache with nginx flawlessly. :-)
Comments
By Anonymous Coward (95.76.6.245) on
> Since none of these tools comes with nginx.
>
> Except this you can replace Apache with nginx flawlessly. :-)
I wrote a htpasswd replacement in perl specifically for this purpose. The switches and CLI are identical to the apache version.
https://gist.github.com/ggl/4966699
By Anonymous Coward (2001:470:89e9:1:1a:46b3:235a:19a4) on
> Since none of these tools comes with nginx.
>
There is a split-logfile program available as well, to replace the perl script of the same name that sometimes is bundled with apache httpd.
http://archive.mgm51.com/sources/split-logfile.html
By TuxLyn (184.166.186.66) on http://gotux.net/
Comments
By Anonymous Coward (91.154.66.65) on
Fact: the nginx code base is more than 60% larger.
https://news.ycombinator.com/item?id=7404092
Comments
By Philip Guenther (166.137.208.36) guenther@openbsd.org on
>
> Fact: the nginx code base is more than 60% larger.
It would help if everyone used version numbers when referring to apache, as I suspect you're responding to a complaint about apache 2.x
apache 1.3
+ small
+ includes openbsd security fixes
+ good license
- local fork, no active development
- old module API means extensions in ports don't use it
apache 2.x
+ module API supports extensions in ports
+ active development
- big
- doesn't include local security work
- bad license
nginx
+ module API supports extensions in ports (IIRC)
+ active development
+ good license
+ not big
+ developers receptive to patches from OpenBSD
+ no need to fork
Those last points are important, as they mean we get the benefit of staying with the main stream, and the fixes get pushed into the main stream to help everyone out there. For example, when we did an audit of the tree to fix ENFILE/EMFILE DoS attacks on daemon, the nginx goes "got it" and pulled in the fixes quickly without any "that won't ever happen!" push back. I want all the websites I visit to be robust and secure, not just those running OpenBSD!
By Anonymous Coward (2001:470:b01e:3:214:51ff:fe67:4efb) on
>
> Fact: the nginx code base is more than 60% larger.
>
> https://news.ycombinator.com/item?id=7404092
The original comment is referring to issues such as how much memory Apache consumes which for most setups is way more than should be necessary or the poor performance. Most common setups with static pages or even PHP and with the use of event driven web servers consume a tiny fraction of the memory and are able to attain performance levels between 2-4 times that of Apache.
By Anonymous Coward (2001:8b0:648e:cc01:f2de:f1ff:fef9:a752) on
You can just use encrypt(1) to generate a crypted password. The default setting is to use bcrypt, which works just fine in an .htpasswd file for nginx (or for lighttpd or httpd) and you don't need to generate the salt yourself, removing another possible way that it can be misused.
Comments
By Anonymous Coward (80.153.96.240) on
>
> You can just use encrypt(1) to generate a crypted password. The default setting is to use bcrypt, which works just fine in an .htpasswd file for nginx (or for lighttpd or httpd) and you don't need to generate the salt yourself, removing another possible way that it can be misused.
And what about logresolve? :-)
By Anonymous Coward (80.53.251.245) on
Comments
By Anonymous Coward (anon) on
CVE-2014-0088 relates to SPDY support in nginx 1.5.10 on 32-bit systems.
The version of nginx included in OpenBSD base is using the 1.4 branch, and SPDY has not been enabled in any OpenBSD release (it was enabled in -current for about 3 weeks but disabled again; "Disable SPDY until we have a better understanding about code and protocol within OpenBSD"), so it doesn't apply to base nginx.
An alternative version of nginx is in ports with more modules enabled; SPDY is enabled and a release from the 1.5 branch is available there, however it's 1.5.7 which pre-dates this bug.
Comments
By Anonymous Coward (anon) on
>
> CVE-2014-0088 relates to SPDY support in nginx 1.5.10 on 32-bit systems.
The new CVE-2014-0133 however does affect all versions of nginx that have SPDY enabled before today's two releases.
By Blake (93.158.32.94) blake at two one one two dot net on 2112.net
https://github.com/nhnc-nginx/apache2nginx
little Python tool to convert Apache config files to Nginx configs...
HtH
Comments
By Anonymous Coward (23.242.254.17) on
>
> https://github.com/nhnc-nginx/apache2nginx
>
> little Python tool to convert Apache config files to Nginx configs...
>
> HtH
WOOT THANKS!