Posted to users@httpd.apache.org by Edward Quick <ed...@hotmail.com> on 2012/02/25 14:06:45 UTC

[users@httpd] using a vendor's apache

Hi Apache Users,
The place where I work is embarking on a project to migrate custom apache builds to the RHEL6 build. Obviously that brings certain limitations (not being able to use the snazzy new Apache 2.4 version for example!!) I was curious whether anyone else had gone down this route, and what their experiences were like, and whether they were pleased with the end result. There are pros and cons to both approaches so I'm not really trying to argue one is better than the other.
One of the advantages of migrating to a RHEL6 build is having Red Hat support when vulnerabilities come out, at least from a large enterprise's point of view, where there may be in the region of 2000 or more supported apache servers. It means you have a ready tested and vendor approved rpm build which can be quickly deployed through the yum channels, saving time and costs, and giving comfort of mind.
Certainly keeping everyone on the same Apache build/version, especially if it's provided by the vendor OS, makes life easier for the guys in support. One drawback might be having to patch/upgrade all Apache dependencies, e.g. libssl, on a host which might not suit other applications if they are sharing the host. Perhaps this means dedicating your RHEL6 hosts as web servers and nothing else. I suspect most large sized companies will not be so well architected, in which case perhaps support could have introduced a new problem/cost.
Those are two of the points I have been considering, but I'm really interested to hear other people's experiences or views.
On a final note, I do have just one technical question as well. Is there a tool which symlinks all apache libraries/scripts (or any kind of linux distro software) into one prefixed location? I'm sure I have seen something like that in the past but can't remember what it was.
Thanks for any replies.
Ed.


Re: [users@httpd] using a vendor's apache

Posted by Jon Stanley <jo...@gmail.com>.
On Sat, Feb 25, 2012 at 11:04 AM, Edward Quick <ed...@hotmail.com> wrote:

> That hadn't even crossed my mind to be honest, and not wishing to state the
> obvious, I assume you have ServerSignature set to off.
> PCI is fundamental to most places these days. Are those compliancy checks
> carried out by a third party and if so, wouldn't it just be a case of
> telling them their checks are wrong?

Pretty much.

Also note that Red Hat in particular supports CVE and OVAL
vulnerability definitions very well. OVAL is a set of well-defined XML
that defines vulnerabilities and "fixed in" versions - it's consumable
by computers in order for things like the above not to happen. See
http://www.redhat.com/security/data/oval/ for the actual XML files.

You can also plug in any CVE number into a URL and get a statement on
it and any relevant errata, for example
https://access.redhat.com/security/cve/CVE-2011-3607

Hope that helps!
-Jon

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
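
The version-number check discussed in this thread, set beside a package-level comparison against a "fixed in" build (the kind of data the OVAL definitions carry), as an added example that is not part of any poster's message. The version comparison is a simplified reimplementation of RPM's ordering, and the banner, "fixed in" values and package builds are constructed sample values.

```python
import re
from itertools import zip_longest

def rpm_vercmp(a, b):
    """Simplified rpmvercmp (no epoch, '~' or '^' handling): returns -1, 0 or 1."""
    seg = lambda s: re.findall(r"\d+|[A-Za-z]+", s)  # runs of digits or letters
    for x, y in zip_longest(seg(a), seg(b)):
        if x is None or y is None:
            return -1 if x is None else 1          # the longer string is newer
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)                  # 9 < 18 numerically
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1        # numeric segment beats alphabetic
        if x != y:
            return 1 if x > y else -1
    return 0

def evr_cmp(a, b):
    """Compare two 'version-release' strings, version first, then release."""
    (va, ra), (vb, rb) = a.split("-", 1), b.split("-", 1)
    return rpm_vercmp(va, vb) or rpm_vercmp(ra, rb)

def banner_check(banner, upstream_fixed):
    """Version-number scanner logic: compare the Server banner to the upstream fix."""
    m = re.search(r"Apache/([\d.]+)", banner)
    if m is None:
        return "UNKNOWN"                           # banner carries no version
    return "FAIL" if rpm_vercmp(m.group(1), upstream_fixed) < 0 else "PASS"

def package_check(installed_evr, vendor_fixed_evr):
    """Package-level logic: compare the installed build to the vendor's fixed build."""
    return "FAIL" if evr_cmp(installed_evr, vendor_fixed_evr) < 0 else "PASS"

# Constructed sample values, not taken from any real advisory.
UPSTREAM_FIXED = "2.2.22"
VENDOR_FIXED = "2.2.15-18.el6"

if __name__ == "__main__":
    print(banner_check("Apache/2.2.15 (Red Hat)", UPSTREAM_FIXED))  # false positive
    print(package_check("2.2.15-20.el6", VENDOR_FIXED))             # patched build
    print(package_check("2.2.15-9.el6", VENDOR_FIXED))              # unpatched build
    print(banner_check("Apache", UPSTREAM_FIXED))                   # no version shown
```

The banner check fails a patched vendor build because the upstream version number never changes when a fix is backported, while the package comparison separates the patched and unpatched builds by release.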


RE: [users@httpd] using a vendor's apache

Posted by Edward Quick <ed...@hotmail.com>.


> Date: Sat, 25 Feb 2012 08:45:09 -0600
> From: bmillett@gmail.com
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] using a vendor's apache
> 
> On Sat, 25 Feb 2012 13:06:45 +0000
> Edward Quick <ed...@hotmail.com> wrote:
> 
> > 
> > Hi Apache Users,
> > The place where I work is embarking on a project to migrate custom apache
> > builds to the RHEL6 build. Obviously that brings certain limitations (not
> > being able to use the snazzy new Apache 2.4 version for example!!) I was
> > curious whether anyone else had gone down this route, and what their
> > experiences were like, and whether they were pleased with the end result.
> 
> My experience has to do with PCI compliancy.  Most of the compliancy checkers
> look for the version number, so the latest rhel version (even though it has
> all of the patches) fails due to having a lower rev than what it is looking
> for to be compliant.
> 
> -- 
> Brian Millett
> "If anyone asks, say it fell from the sky."
>    -- [ Delenn to Sinclair (re: Vorlon files), "The Gathering"]

Thanks Brian,
That hadn't even crossed my mind to be honest, and not wishing to state the obvious, I assume you have ServerSignature set to off. PCI is fundamental to most places these days. Are those compliancy checks carried out by a third party and if so, wouldn't it just be a case of telling them their checks are wrong?

Re: [users@httpd] using a vendor's apache

Posted by Brian Millett <bm...@gmail.com>.
On Sat, 25 Feb 2012 13:06:45 +0000
Edward Quick <ed...@hotmail.com> wrote:

> 
> Hi Apache Users,
> The place where I work is embarking on a project to migrate custom apache
> builds to the RHEL6 build. Obviously that brings certain limitations (not
> being able to use the snazzy new Apache 2.4 version for example!!) I was
> curious whether anyone else had gone down this route, and what their
> experiences were like, and whether they were pleased with the end result.

My experience has to do with PCI compliancy.  Most of the compliancy checkers
look for the version number, so the latest rhel version (even though it has
all of the patches) fails due to having a lower rev than what it is looking
for to be compliant.

-- 
Brian Millett
"If anyone asks, say it fell from the sky."
   -- [ Delenn to Sinclair (re: Vorlon files), "The Gathering"]
