You are viewing a plain text version of this content. The canonical link for it is here.
Posted to modperl@perl.apache.org by Andrew Green <an...@article7.co.uk> on 2018/11/30 09:58:01 UTC
Upgrading a mod_perl application from Apache 2.2 to Apache 2.4
Hi,
The time has finally come for me to update my mod_perl CMS from Apache 2.2 to Apache 2.4, but I’m struggling to find documentation on the changes required.
The docs on perl.apache.org don’t seem to mention anything specific to Apache 2.4, and the Apache server documentation talks about its own API rather than the mod_perl interface to it, so it’s a bit high-level for me to properly grok.
Does anyone know of a summary of the changes to mod_perl application code required, like the ones that exist for porting mod_perl 1 applications to mod_perl 2?
Also, I’ll need to be able to run my app on both Apache 2.2 and Apache 2.4 servers. Is there anything in the API that would let me determine which one is in use, so that I can allow for both in my code?
Many thanks for any pointers!
Cheers,
Andrew.
--
Andrew Green
Article Seven Limited
http://www.article7.co.uk/
Article Seven Limited is a registered company in England and Wales. Registered number: 5703656. Registered office: 10 Hamilton Road, Sidcup, Kent, DA15 7HB.
Re: Upgrading a mod_perl application from Apache 2.2 to Apache 2.4
Posted by Michael Schout <ms...@gkg.net>.
On 12/6/18 9:25 AM, Andrew Green wrote:
> As far as I can tell, I have to pre-declare the new Authz provider in my
> server config:
>
> PerlAddAuthzProvider myapp MyApp::Authz
Yes this is correct, authz providers must be declared globally under 2.4
I realize this thread is old by now, but for the record, there is a bit
of documentation about how things changed/work under 2.4 in my
Apache2::AuthCookie dist [1]. The way authentication and authorization
works under 2.4 is quite different.
> b. Wrapping the return value like this:
>
> sub authz_granted {
>
> my $self = shift;
>
> # So this compiles under old Apache
> no strict 'subs';
>
> if ($self->is_old_apache) {
> return Apache2::Const::OK;
> } else {
> return Apache2::Const::AUTHZ_GRANTED;
> }
>
> }
Note that under 2.4, your authz handler gets called twice per request.
The first time, no user will be set, and this is so you can handle
authorization of anonymous requests. You should return
AUTHZ_DENIED_NO_USER for these requests (unless of course you want to
authorize anonymous requests, in which case you can return AUTHZ_GRANTED
etc). So something like:
unless (defined $r->user) {
return Apache2::Const::AUTHZ_DENIED_NO_USER;
}
If $r->user *is* set, then you are expected to return one of:
AUTHZ_DENIED
AUTHZ_GRANTED
AUTHZ_GENERAL_ERROR
AUTHZ_NEUTRAL
Also of note, if all you are doing is "Require valid-user", or "Require
user foo" for example, Apache provides an authz provider that already
handles that (see mod_authz_user.c). So you only need to do this if you
are writing custom authz requirements.
1:
https://metacpan.org/pod/release/MSCHOUT/Apache-AuthCookie-3.27/README.apache-2.4.pod
Regards,
Michael Schout
Re: Upgrading a mod_perl application from Apache 2.2 to Apache 2.4
Posted by "André Warnier (tomcat)" <aw...@ice-sa.com>.
On 07.12.2018 09:29, Andrew Green wrote:
> Hi William,
>
>> Ahhh, ok, just be aware the get_server_description call doesn't exist in 2.2, you need
>> to perform a little eval() magic to guard against that expected failure.
>
> That doesn’t seem right — it returns the following when I try it on a 2.2 box:
>
> /Apache/2.2.22 (Ubuntu) mod_apreq2-20090110/2.8.0/
>
> Perhaps it’s inconsistent across distributions?
>
Just for info : because of the kind of issues mentioned above, I used another solution :
On the 2.4+ boxes :
PerlSetVar AP_VERSION "20410"
then later :
my $ap_version = $r->dir_config('AP_VERSION');
Not subtle, but works for me.
What I did have more trouble with, are the new constants defined only in 2.4+, and which
are necessary for the authentication.
Apache2::Const::AUTHZ_DENIED_NO_USER etc..
and I have not found a clean way to "define" these under Apache 2.2, so that at least my
auth modules code *compiles* correctly (under both 2.2 and 2.4).
Other issues I encountered are more in the domain of combining my own auth/authz modules,
with other auth/authz add-ons like Shibboleth, LDAP etc..
The logic of Apache 2.4 (and of these modules) makes it much more confusing as to what is
called when and how many times..
I think I've mostly worked it out now, but it does not make for particularly clean code,
or clean Apache config files, or an easy way to document this for other people less-well
acquainted with the inner beauties of mod_perl.
I may also have a go in the future at trying the kind of "dynamic" config which Andrew
showed earlier in this thread.
(With probably the same for-others documentation issues)
It would also be a good idea to at least document this a little bit in the on-line
mod_perl docs, but I don't know who is in charge of that nowadays, or how to possibly
contribute to it.
Re: Upgrading a mod_perl application from Apache 2.2 to Apache 2.4
Posted by Andrew Green <an...@article7.co.uk>.
Hi William,
> Ahhh, ok, just be aware the get_server_description call doesn't exist in 2.2, you need
> to perform a little eval() magic to guard against that expected failure.
That doesn’t seem right — it returns the following when I try it on a 2.2 box:
Apache/2.2.22 (Ubuntu) mod_apreq2-20090110/2.8.0
Perhaps it’s inconsistent across distributions?
Cheers,
Andrew.
--
Andrew Green
Article Seven Limited
http://www.article7.co.uk/ <http://www.article7.co.uk/>
Article Seven Limited is a registered company in England and Wales. Registered number: 5703656. Registered office: 10 Hamilton Road, Sidcup, Kent, DA15 7HB.
Re: Upgrading a mod_perl application from Apache 2.2 to Apache 2.4
Posted by William A Rowe Jr <wr...@rowe-clan.net>.
On Thu, Dec 6, 2018 at 3:34 PM Andrew Green <an...@article7.co.uk> wrote:
> Hi William,
>
> But you are better off looking at;
>
> http://perl.apache.org/docs/2.0/api/Apache2/ServerUtil.html#C_get_server_version_
>
> which returns nothing except exactly what you are asking.
>
>
> I did try this (and it worked fine) — but I kept seeing the following
> error pop up in the logs:
>
> *ap_get_server_version() is deprecated since httpd/2.3.0 try using
> ap_get_server_(description|banner)() instead*
>
> So I switched to banner. I’ll see about switching again to description.
>
Ahhh, ok, just be aware the get_server_description call doesn't exist in
2.2, you need
to perform a little eval() magic to guard against that expected failure.
Re: Upgrading a mod_perl application from Apache 2.2 to Apache 2.4
Posted by Andrew Green <an...@article7.co.uk>.
Hi William,
> But you are better off looking at;
> http://perl.apache.org/docs/2.0/api/Apache2/ServerUtil.html#C_get_server_version_ <http://perl.apache.org/docs/2.0/api/Apache2/ServerUtil.html#C_get_server_version_>
>
> which returns nothing except exactly what you are asking.
I did try this (and it worked fine) — but I kept seeing the following error pop up in the logs:
ap_get_server_version() is deprecated since httpd/2.3.0 try using ap_get_server_(description|banner)() instead
So I switched to banner. I’ll see about switching again to description.
Cheers,
Andrew.
--
Andrew Green
Article Seven Limited
http://www.article7.co.uk/ <http://www.article7.co.uk/>
Article Seven Limited is a registered company in England and Wales. Registered number: 5703656. Registered office: 10 Hamilton Road, Sidcup, Kent, DA15 7HB.
Re: Upgrading a mod_perl application from Apache 2.2 to Apache 2.4
Posted by William A Rowe Jr <wr...@rowe-clan.net>.
On Thu, Dec 6, 2018 at 9:25 AM Andrew Green <an...@article7.co.uk> wrote:
> Hi all,
>
> Huge thanks to everyone for your replies on this. I’ve now been able to
> work through everything, and I thought I’d post a quick update with some
> additional notes in case there’s anyone else in the same boat searching the
> archives in the future!
>
> 1. I was able to use the following as a way of determining which version
> of Apache is in use at runtime:
>
> my $server_version = Apache2::ServerUtil::get_server_banner();
> my $is_old_apache = ($server_version =~ /Apache\/2\.2/) ? 1 : 0;
>
Just a little warning, the server_banner is controlled by the admin, and
may not include
the entire Apache/2.2 token. The server_description fleshed this out beyond
the control
of the admin, but isn't meant for transmission;
/**
* Get the server banner in a form suitable for sending over the
* network, with the level of information controlled by the
* ServerTokens directive.
* @return The server banner
*/
AP_DECLARE(const char *) ap_get_server_banner(void);
/**
* Get the server description in a form suitable for local displays,
* status reports, or logging. This includes the detailed server
* version and information about some modules. It is not affected
* by the ServerTokens directive.
* @return The server description
*/
AP_DECLARE(const char *) ap_get_server_description(void);
But you are better off looking at;
http://perl.apache.org/docs/2.0/api/Apache2/ServerUtil.html#C_get_server_version_
which returns nothing except exactly what you are asking.
Re: Upgrading a mod_perl application from Apache 2.2 to Apache 2.4
Posted by Andrew Green <an...@article7.co.uk>.
Hi all,
Huge thanks to everyone for your replies on this. I’ve now been able to work through everything, and I thought I’d post a quick update with some additional notes in case there’s anyone else in the same boat searching the archives in the future!
1. I was able to use the following as a way of determining which version of Apache is in use at runtime:
my $server_version = Apache2::ServerUtil::get_server_banner();
my $is_old_apache = ($server_version =~ /Apache\/2\.2/) ? 1 : 0;
2. My app sets up authen and authz handlers dynamically, from a trans handler. André was right, this was by far the biggest pain point!
My before code looked like this:
$r->push_handlers(PerlMapToStorageHandler => sub {
$r->add_config(['Require valid-user']);
$r->add_config(['AuthType cookie']);
});
$r->set_handlers(PerlAuthenHandler => [MyApp::Authen]);
$r->set_handlers(PerlAuthzHandler => [MyApp::Authz]);
As far as I can tell, I have to pre-declare the new Authz provider in my server config:
PerlAddAuthzProvider myapp MyApp::Authz
I didn’t find a way of doing that bit dynamically at runtime.
But I can still conditionally trigger the provider for individual requests from my trans handler, like this:
$r->push_handlers(PerlMapToStorageHandler => sub {
$r->add_config(['Require myapp']);
});
$r->set_handlers(PerlAuthenHandler => [MyApp::Authen]);
3. Combining #1 and #2 meant I’m able to have the same trans handler run under both Apache 2.2 and 2.4. I was also able to get my authz handler to run under both by:
a. Having the call to Apache2::Compat -compile happen in the server startup.pl, and not in my module.
b. Wrapping the return value like this:
sub authz_granted {
my $self = shift;
# So this compiles under old Apache
no strict 'subs';
if ($self->is_old_apache) {
return Apache2::Const::OK;
} else {
return Apache2::Const::AUTHZ_GRANTED;
}
}
Thanks again to you all for your help.
Cheers,
Andrew.
--
Andrew Green
Article Seven Limited
http://www.article7.co.uk/ <http://www.article7.co.uk/>
Article Seven Limited is a registered company in England and Wales. Registered number: 5703656. Registered office: 10 Hamilton Road, Sidcup, Kent, DA15 7HB.
Re: Upgrading a mod_perl application from Apache 2.2 to Apache 2.4
Posted by "André Warnier (tomcat)" <aw...@ice-sa.com>.
On 30.11.2018 10:58, Andrew Green wrote:
> Hi,
>
> The time has finally come for me to update my mod_perl CMS from Apache 2.2 to Apache 2.4, but I’m struggling to find documentation on the changes required.
>
> The docs on perl.apache.org don’t seem to mention anything specific to Apache 2.4, and the Apache server documentation talks about its own API rather than the mod_perl interface to it, so it’s a bit high-level for me to properly grok.
>
> Does anyone know of a summary of the changes to mod_perl application code required, like the ones that exist for porting mod_perl 1 applications to mod_perl 2?
>
> Also, I’ll need to be able to run my app on both Apache 2.2 and Apache 2.4 servers. Is there anything in the API that would let me determine which one is in use, so that I can allow for both in my code?
>
> Many thanks for any pointers!
>
1) The good news : we are running many many things under mod_perl, and all in all, we did
not have modify much to go from Apache 2.2 to 2.4.
And most of our unmodified code still works perfectly under both 2.2 and 2.4.
(With Apache in "prefork" MPM mode, can't speak of the others).
2) the bad news : ... EXCEPT if your mod_perl code does anything related to user
authentication.
That is not really due to perl or mod_perl, but the AAA logic has quite profoundly changed
under 2.4 compared to 2.2, and if you have any mod_perl code that deals with that, you are
probably in for a treat.
We do, and had to make some serious changes; and we have not found a "clean" way of making
the same AAA code work both under 2.2 and 2.4.
(Note : when I say that you are in for a treat, this is as much in terms of understanding
(anew) how Apache 2.4 handles AAA, as how to deal with it in mod_perl).
If you need a starter in that respect, I recommend reading this carefully :
https://metacpan.org/pod/Apache2_4::AuthCookie
in particular, the section named : FREQUENTLY ASKED QUESTIONS
Other than that, there is (as someone else mentioned) a difference in terms of getting the
client IP, but I do not remember much else, at the perl/mod_perl level.
Re: Upgrading a mod_perl application from Apache 2.2 to Apache 2.4
Posted by Adam Prime <ad...@utoronto.ca>.
Here's Everything stuff I ran into, not all of which have anything to do
with mod_perl:
I had to change all my 'Order' directives into the new 'Require' style
Related to that, I had to stop using 'require' as described here in my
auth stuff.
https://perl.apache.org/docs/2.0/api/Apache2/Access.html#C_requires_
httpd rejected the configuration, as far as i can remember. I switched
to using PerlSetVar to pass in the values that I used to pass in via
'require'.
I stopped using my custom XForwardedFor InitHandler, because there is
native support for this now.
https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html
Adam
On 2018-11-30 8:13 a.m., Adam Prime wrote:
> There isn’t currently any good documentation for this migration. I went
> through it myself a few months ago, and I ended up using the https
> changes doc to help me when I got strange errors.
>
> https://httpd.apache.org/docs/2.4/upgrading.html
>
> I was able to get everything working after some fooling around.
>
> I’ll go through my hit history and post something more detailed later.
>
> Adam
>
> On Nov 30, 2018, at 8:02 AM, John D Groenveld <groenveld@acm.org
> <ma...@acm.org>> wrote:
>
>> In message <C13C1BF5-E345-4E11-963D-EB8C1CDC393E@article7.co.uk
>> <ma...@article7.co.uk>>, Andrew
>> Green
>> writes:
>>> The time has finally come for me to update my mod_perl CMS from
>>> Apache 2.2 to
>>> Apache 2.4, but I'm struggling to find documentation on the changes
>>> required
>>
>> You must configure httpd-2.4 --with-mpm=prefork.
>>
>> John
>> groenveld@acm.org <ma...@acm.org>
Re: Upgrading a mod_perl application from Apache 2.2 to Apache 2.4
Posted by Adam Prime <ad...@utoronto.ca>.
There isn’t currently any good documentation for this migration. I went through it myself a few months ago, and I ended up using the https changes doc to help me when I got strange errors.
https://httpd.apache.org/docs/2.4/upgrading.html
I was able to get everything working after some fooling around.
I’ll go through my hit history and post something more detailed later.
Adam
> On Nov 30, 2018, at 8:02 AM, John D Groenveld <gr...@acm.org> wrote:
>
> In message <C1...@article7.co.uk>, Andrew Green
> writes:
>> The time has finally come for me to update my mod_perl CMS from Apache 2.2 to
>> Apache 2.4, but I'm struggling to find documentation on the changes required
>
> You must configure httpd-2.4 --with-mpm=prefork.
>
> John
> groenveld@acm.org
Re: Upgrading a mod_perl application from Apache 2.2 to Apache 2.4
Posted by John D Groenveld <gr...@acm.org>.
In message <C1...@article7.co.uk>, Andrew Green
writes:
>The time has finally come for me to update my mod_perl CMS from Apache 2.2 to
>Apache 2.4, but I'm struggling to find documentation on the changes required
You must configure httpd-2.4 --with-mpm=prefork.
John
groenveld@acm.org
Re: Upgrading a mod_perl application from Apache 2.2 to Apache 2.4
Posted by Sujeeva Seneviratne <su...@yahoo.com>.
If you have an Authen handler, you may need this change:Debug Apache 2.4 PerlAuthenHandler
|
|
|
| | |
|
|
|
| |
Debug Apache 2.4 PerlAuthenHandler
I am trying to debug a problem that occured after an apache upgrade. I want to integrate redmine into my apache ... | |
|
|
I had to add: $r->user(''); in my authen methods.
From: Vincent Veyron <vv...@wanadoo.fr>
To: modperl@perl.apache.org
Sent: Friday, November 30, 2018 7:41 AM
Subject: Re: Upgrading a mod_perl application from Apache 2.2 to Apache 2.4
On Fri, 30 Nov 2018 09:58:01 +0000
Andrew Green <an...@article7.co.uk> wrote:
>
> Does anyone know of a summary of the changes to mod_perl application code required,
I had to :
-modify the configuration files of my virtual hosts to include the new 'Require all granted' directive, as explained in
http://httpd.apache.org/docs/2.4/upgrading.html
which Adam mentionned
-modify a couple lines of code using $c->client_ip(), because of a change of names in the Apache API and the connection object
-modify the configuration of mod_deflate, which post upgrade would run before my PerlOuputFilterHandler instead of after it (something changed in the processing order of the filter queue; the solution was found here :
https://github.com/h5bp/html5-boilerplate/issues/1012)
Other than that, everything went smoothly
--
Bien à vous, Vincent Veyron
https://compta.libremen.com
Logiciel libre de comptabilité générale en partie double
Re: Upgrading a mod_perl application from Apache 2.2 to Apache 2.4
Posted by Vincent Veyron <vv...@wanadoo.fr>.
On Fri, 30 Nov 2018 09:58:01 +0000
Andrew Green <an...@article7.co.uk> wrote:
>
> Does anyone know of a summary of the changes to mod_perl application code required,
I had to :
-modify the configuration files of my virtual hosts to include the new 'Require all granted' directive, as explained in
http://httpd.apache.org/docs/2.4/upgrading.html
which Adam mentionned
-modify a couple lines of code using $c->client_ip(), because of a change of names in the Apache API and the connection object
-modify the configuration of mod_deflate, which post upgrade would run before my PerlOuputFilterHandler instead of after it (something changed in the processing order of the filter queue; the solution was found here :
https://github.com/h5bp/html5-boilerplate/issues/1012)
Other than that, everything went smoothly
--
Bien à vous, Vincent Veyron
https://compta.libremen.com
Logiciel libre de comptabilité générale en partie double