[SOLVED] Jailed Apache 2.4 modules aren't working

Just set up a FreeBSD jail to run www/apache24 in it and all works good except these two, mod_rewrite and mod_proxy modules. These are error logs excerpts:

mod_rewrite error:
Code:
[rewrite] [pid 43447] (13)Permission denied: AH00666: mod_rewrite: could not init rewrite_mapr_lock_acquire in child

mod_proxy error:
Code:
[proxy] [pid 43447] (13)Permission denied: AH02479: could not init proxy_mutex in child

Not sure what permissions are being denied. Files are being served just fine when these modules are disabled.

I tried googling but found nothing but rubbish. Same goes for Serverfault/ML.

Please help.
Thanks
 
Re: Jailed Apache 2.4 modules aren't working

Maybe things changed a lot with 2.4 but I have no problems running 2.2 inside a jail. How is the jail set up?
 
Re: Jailed Apache 2.4 modules aren't working

Very minimal, using sysutils/ezjail. Only Apache and PHP are installed.
Serving files from default /usr/local/www/apache24/data from within the jail.

Do you need any specific piece of information?
 
Re: Jailed Apache 2.4 modules aren't working

It looks like mod_rewrite requires SystemV IPC.
 
Re: Jailed Apache 2.4 modules aren't working

Yeah, seems so. So I'll have to enable SYSVIPC in order to use this, right? How easy is it for someone to break out of a jail with this stuff enabled?
 
Re: Jailed Apache 2.4 modules aren't working

pentago said:
How easy is it for someone to break out of a jail with this stuff enabled?
I don't think you can use it to break out of the jail. But because SystemV IPC uses the same namespace for all jails it is possible for one jail to access an other jail's (or the host's) shared memory.
 
Re: Jailed Apache 2.4 modules aren't working

Funny thing is that I enabled IPC and raw sockets, and listing sysctls in the jail shows that it's enabled, but I'm still seeing those errors in the Apache logs. I'm totally confused.
 
Re: Jailed Apache 2.4 modules aren't working

To add to the confusion, there are the following sysctl values. What's the difference, and which does what?

$ sysctl -a | grep jail
Code:
security.jail.sysvipc_allowed
security.jail.allow_raw_sockets
security.jail.chflags_allowed

Code:
security.jail.param.allow.sysvipc
security.jail.param.allow.raw_sockets
security.jail.param.allow.chflags
 
Re: Jailed Apache 2.4 modules aren't working

$ sysctl -d security.jail.sysvipc_allowed
Code:
security.jail.sysvipc_allowed: Processes in jail can use System V IPC primitives

$ sysctl -d security.jail.param.allow.sysvipc
Code:
security.jail.param.allow.sysvipc: Jail may use SYSV IPC

What does this mean? Looks pretty much the same to me. Do I need both?
 
Re: Jailed Apache 2.4 modules aren't working

Just tried www/apache22 and it works as it's supposed to, no module errors in the logs. Performance is about 30-50% worse than www/apache24 in my case.

I totally wouldn't want to give up such performance gain if somehow possible. :/
 
Re: Jailed Apache 2.4 modules aren't working

Apache 2.4 does perform a bit better but most people don't actually need the extra performance. One of the companies I work for easily pushes about 6000 concurrent connections with a sustained bandwidth of about 60 Mbit/s using just 3 FreeBSD/Apache 2.2 servers. We could even do it with just 2, but we have 3 actively running and another one as a backup. The whole thing is balanced using net/haproxy.

If you're pushing the limits of one Apache 2.2 server I would recommend setting up more servers instead. The added benefit is that you can easily take one server off-line, to do upgrades for example, while keeping the production websites online and available.
 
Re: Jailed Apache 2.4 modules aren't working

I guess it depends on the usage scenario. I'm building a VPS to host about 20-ish domains, considering running each domain's httpd jailed, and I want them to perform as well as possible, but it seems I'm condemned to 2.2.
I could try nginx, but I never managed to set it up the way I like, so I kinda lost interest in it.
 
Re: Jailed Apache 2.4 modules aren't working

pentago said:
I could try nginx but I never managed to set it up the way I like so I kinda lost interest in it.
Understandable. I never got it to work the way I wanted it to. It's a nice web server for static content, but trying to run several different PHP sites is next to impossible to do in a safe and easy way.

Depending on the sites you could split up the static and dynamic content. The static content could be served with nginx while the dynamic content comes from Apache. Switching between them can be taken care of with net/haproxy (I'm a big fan of haproxy, can't you tell ;) ).
 
Re: Jailed Apache 2.4 modules aren't working

Yeah, I could tell that :)
Not sure if I should complicate the setup even more.

I've never really gone in depth with load balancing and proxying; what could I use it for in my setup, for instance?
 
Re: Jailed Apache 2.4 modules aren't working

I have a slightly over-complicated setup for myself running on a VPS. The host runs haproxy and I have several jails running different web applications. One jail is running nginx and two other jails are running Apache (each with a different configuration). Because I only have 1 IP address and I didn't want to run the other sites on some other port, haproxy receives all incoming HTTP traffic and forwards it to the correct jail based on the Host: header. Perfect for me to test stuff on.
 
Re: Jailed Apache 2.4 modules aren't working

Hmm, I used PF to redirect traffic to jails based on source ports. Does that avoid the need for an additional app like www/haproxy?
 
Re: Jailed Apache 2.4 modules aren't working

A guy from #freebsd suggested trying sysutils/qjail, so I did, and the modules are working now. It seems that sysutils/ezjail has some issues passing sysctls to jails. Anyway, I ditched ezjail completely. Jails are working just fine. Thanks for the support.
 
If this is a SysV IPC thing, for the record you can enable it in sysutils/ezjail by doing the following:

echo 'export jail_hostname_parameters="allow.sysvipc=1"' >> /usr/local/etc/ezjail/hostname

The result would be shown by sysctl security.jail.sysvipc_allowed with the following output. You would have to run this command inside the jail that has SysV IPC enabled. I don't know about the other sysctl or what it does.
Code:
security.jail.sysvipc_allowed: 1

If you allow SysV IPC in your jails, you would have to make some changes to how you do things if you have the same applications running in different jails. For example, PostgreSQL in jail1 running as the default UID 70 and PostgreSQL in jail2 running as the default UID 70 would be no good. However, change jail2 to run PostgreSQL as UID 7070 and you should be alright.
 
Awesome. But I doubt I'll switch back to sysutils/ezjail now that I've figured out it has exactly the same functionality as sysutils/qjail, unless something really important pops up.
Thanks for the UID tip, didn't know that. Is there any way I could automate creating jails with httpds all running under a random UID, so I could avoid changing them one by one?
 
I suppose you can use the flavor scripts along with some combination of the jot() command to get a random number combined with pw() to change the www user when the jail first starts.
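As an added example (not from anyone in this thread), here is one way to do what the last two posts describe on the host: pick a random UID with jot(1) that no jail's passwd file already uses, then renumber the jail's www user with pw(8) and re-own its files. It assumes ezjail/qjail-style jail roots under one directory such as /usr/jails; the od(1) fallback is only there so the picker runs where jot is absent.

```shell
#!/bin/sh
# Added example, not from the thread: give a jail's www user a UID that no
# other jail uses, so jails sharing the SysV IPC namespace never run httpd
# under the same UID. Assumes jail roots under one directory (e.g. /usr/jails)
# and FreeBSD's pw(8); jot(1) is used when present, od(1) otherwise.

# random_in LO HI: print one integer in [LO, HI].
random_in() {
    if command -v jot >/dev/null 2>&1; then
        jot -r 1 "$1" "$2"
    else
        n=$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')
        echo $(( $1 + n % ($2 - $1 + 1) ))
    fi
}

# uid_in_use UID FILE...: succeed if UID is the third field of any passwd line.
uid_in_use() {
    uid=$1; shift
    awk -F: -v u="$uid" '$3 == u { found = 1 } END { exit !found }' "$@"
}

# pick_free_uid LO HI FILE...: print a random UID in [LO, HI] absent from all FILEs.
pick_free_uid() {
    lo=$1; hi=$2; shift 2
    tries=0
    while [ "$tries" -lt 200 ]; do
        cand=$(random_in "$lo" "$hi")
        if ! uid_in_use "$cand" "$@"; then
            echo "$cand"
            return 0
        fi
        tries=$((tries + 1))
    done
    echo "no free UID found in $lo-$hi" >&2
    return 1
}

# assign_www_uid JAILROOT JAILSDIR LO HI: run on the host with the jail stopped;
# renumbers www inside JAILROOT and re-owns every file the old UID owned there.
assign_www_uid() {
    root=$1; jails=$2
    old=$(awk -F: '$1 == "www" { print $3 }' "$root/etc/passwd")
    new=$(pick_free_uid "$3" "$4" "$jails"/*/etc/passwd) || return 1
    pw -V "$root/etc" usermod www -u "$new"
    find "$root" -user "$old" -exec chown -h "$new" {} +
    echo "www in $root now runs as UID $new (was $old)"
}
```

Calling assign_www_uid from a flavor or first-boot script, e.g. `assign_www_uid /usr/jails/web1 /usr/jails 10000 60000`, gives each new jail a distinct www UID without editing them by hand.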
 