Best practices for packaging Apache HTTPD modules

This is for Debian Squeeze and Wheezy. For Jessie, look here

Meta-data

  • Name the binary package libapache2-mod-something
  • If your module supports threaded MPMs, build-depend on apache2-threaded-dev and depend on apache2 | apache2-mpm

  • If your module does not support threaded MPMs, build-depend on apache2-prefork-dev and depend on apache2-mpm-prefork | apache2-mpm-itk

  • Also depend on apache2.2-common

Configuration

  • Create /etc/apache2/mods-available/something.load with the LoadModule directive

  • If necessary, create /etc/apache2/mods-available/something.conf to define a reasonable default configuration. Document the configuration with comments.

Security considerations

  • Don't allow local users to execute arbitrary code through mod_userdir: If your module can execute code (e.g. a scripting language), make sure that it is not activated for the userdirs in the default configuration.

  • On the other hand, don't assume that the www-data user is safe: If your module allows privileged operations (e.g. switching user IDs like mod_suexec), don't assume that only Apache httpd can execute code as user www-data. You must have additional safeguards in place to prevent privilege escalation by local users.

Maintainer scripts

Safe version

The safe way is to always restart Apache.

postinst
execute on install / upgrade

 if [ "$1" = configure ] ; then
     # only enable on new installs, not on upgrades
     if [ -z "$2" ] ; then
         a2enmod -q something
     fi
     # only restart if mod_something is enabled
     if [ -e /etc/apache2/mods-enabled/something.load ] ; then
         invoke-rc.d apache2 restart
     fi
 fi

prerm
execute on removal

 if [ "$1" = remove ] ; then
     a2dismod -q -f something || true
     invoke-rc.d apache2 restart
 fi

Advanced version

For some modules and in some cases, it is enough to do a reload instead of a restart. If you want to do this, be sure to actually test that

  • the module works and is activated correctly if you do only a reload during install
  • the new binary is loaded if you do only a reload during upgrade (use lsof to check!)

For some modules, reload works for upgrades but not install/remove. For some modules reload never works.
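
One way to do the lsof check from the upgrade test above, as an added example that is not part of the original page. It assumes the module file is named mod_something.so (the page's "something" placeholder); the function names and the lsof sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: find Apache processes that still map the pre-upgrade module.
# Assumed file name: mod_something.so (the page's "something" placeholder).

MODULE=/usr/lib/apache2/modules/mod_something.so

# Read default-format lsof output on stdin and print, one per line, the PIDs
# that map a deleted copy of the file given as $1. dpkg replaces files by
# rename, so the old inode shows up as FD "DEL" or with a "(deleted)" suffix.
stale_module_pids() {
    awk -v mod="$1" '
        $4 == "DEL" && $NF == mod              { stale[$2] = 1 }
        $NF == "(deleted)" && $(NF - 1) == mod { stale[$2] = 1 }
        END { for (pid in stale) print pid }
    ' | sort -n
}

# Return 0 when no process in the lsof output on stdin maps a stale copy.
reload_picked_up_new_binary() {
    [ -z "$(stale_module_pids "$1")" ]
}

# Constructed sample: PID 2101 was reloaded but kept the old mapping,
# PID 2100 maps the current file, PID 2102 is stale for a different module.
sample_lsof() {
    cat <<'EOF'
COMMAND  PID     USER  FD  TYPE DEVICE SIZE/OFF   NODE NAME
apache2 2100     root mem   REG    8,1    38912 131300 /usr/lib/apache2/modules/mod_something.so
apache2 2101 www-data DEL   REG    8,1          131234 /usr/lib/apache2/modules/mod_something.so
apache2 2101 www-data mem   REG    8,1    22312 131400 /usr/lib/apache2/modules/mod_other.so
apache2 2102 www-data DEL   REG    8,1          131401 /usr/lib/apache2/modules/mod_other.so
EOF
}

# Demo on the sample; on a test system pipe in: lsof -n -P -c apache2
if sample_lsof | reload_picked_up_new_binary "$MODULE"; then
    echo "all processes map the current $MODULE"
else
    echo "stale mapping in PID(s): $(sample_lsof | stale_module_pids "$MODULE" | tr '\n' ' ')"
fi
```

If any PID is reported after a reload-only upgrade, the old code is still running and the maintainer script needs a restart instead.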

Other things

  • Put your module binary into /usr/lib/apache2/modules/

  • dpkg-shlibdeps will complain about the module containing unresolvable references. This is due to how libtool builds the module and can be ignored.
