Aqui estão as minhas notas de campo para a atualização do Apache, Python e PHP. Incluem também o mod_ssl, mas falta o mod_security: não consigo encontrar o mod_security no SCL.
##################################################
# https://access.redhat.com/solutions/527703
# https://www.hogarthuk.com/?q=node/15
# https://developers.redhat.com/blog/2014/03/19/permanently-enable-a-software-collection/
##################################################
# Enable SCL
##################################################
# Install the CentOS release package that sets up the Software Collections repos.
yum -y install centos-release-scl
# Enable the RHEL Software Collections repo by its repo id.
# NOTE(review): the line above is the CentOS route and this one the RHEL route;
# presumably only one of them applies on a given host - confirm which.
yum-config-manager --enable rhel-server-rhscl-7-rpms
##################################################
# Python 2.7
##################################################
# NOTE(review): Python 2.7 is end-of-life upstream; confirm this collection
# still receives security fixes before relying on it.
yum -y install python27
# Add enable-scl-python27.sh
# The cat below prints the file once it has been created; the two lines after it
# appear to be the file's contents, not commands to run at this point.
# NOTE(review): files in /etc/profile.d are picked up by login shells of every
# user, root included - confirm a system-wide switch of the default python is intended.
cat /etc/profile.d/enable-scl-python27.sh
#!/usr/bin/env bash
source scl_source enable python27
##################################################
# PHP 7.1
##################################################
# NOTE(review): PHP 7.1 is end-of-life upstream; confirm this collection still
# receives security fixes before exposing it to the network.
yum -y install rh-php71 rh-php71-php rh-php71-ssl rh-php71-php-mysqlnd
# Config at /etc/opt/rh/rh-php71/php.ini
# Add enable-scl-php71.sh
# The cat below prints the file once it has been created; the two lines after it
# appear to be the file's contents, not commands to run at this point.
cat /etc/profile.d/enable-scl-php71.sh
#!/usr/bin/env bash
source scl_source enable rh-php71
##################################################
# Apache 2.4
##################################################
# Install the httpd24 collection, then its tools plus the PHP and TLS modules.
yum -y install httpd24
yum -y install httpd24-httpd-tools httpd24-mod_php httpd24-mod_ssl
# Add enable-scl-httpd24.sh
# The cat below prints the file once it has been created; the two lines after it
# appear to be the file's contents, not commands to run at this point.
cat /etc/profile.d/enable-scl-httpd24.sh
#!/usr/bin/env bash
source scl_source enable httpd24
# Disable old, enable new
# disable/enable only change what starts at boot; nothing is stopped or started
# here, so an httpd that is already running keeps serving until it is stopped.
systemctl disable httpd.service
systemctl enable httpd24-httpd.service
# Config at /opt/rh/httpd24/root/etc/httpd/httpd.conf
# or /opt/rh/httpd24/root/etc/httpd/conf/httpd.conf
# Config at /opt/rh/httpd24/root/etc/httpd/conf.d/ssl.conf
##################################################
# httpd-ssl-pass-dialog
# The original ssl.conf probably includes this:
# SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
# Change only the path, keeping the directive name and the exec: prefix:
# SSLPassPhraseDialog exec:/opt/rh/httpd24/root/usr/libexec/httpd-ssl-pass-dialog
##################################################
# !!! TEST APACHE !!!
# Syntax-check the configuration before (re)starting the server.
# NOTE(review): which apachectl runs depends on PATH; confirm it is the httpd24
# one, otherwise the old server's configuration is what gets checked.
apachectl configtest
# Confirm that the running binary is the one under /opt/rh/httpd24. In the sample
# output below the first process is owned by root and the second by apache.
# ps -aux | egrep 'apache|http'
root 1424 0.1 1.2 319644 13376 ? Ss 00:54 0:00 /opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND
apache 1425 0.0 0.8 361184 8400 ? Sl 00:54 0:00 /opt/rh/httpd24/root/usr/sbin/httpd -DFOREGROUND
...
##################################################
# Backup fresh CONF
##################################################
# Keep a copy of each freshly installed default next to the live file, so the
# shipped defaults stay available for comparison once the live files are edited.
# NOTE(review): plain cp does not keep ownership or timestamps; use cp -p if the
# backups should carry them.
# NOTE(review): ssl.conf.bu sits inside conf.d; presumably the include pattern
# only matches *.conf, so the backup is not loaded - confirm in httpd.conf.
cp /etc/opt/rh/rh-php71/php.ini /etc/opt/rh/rh-php71/php.ini.bu
cp /opt/rh/httpd24/root/etc/httpd/conf/httpd.conf /opt/rh/httpd24/root/etc/httpd/conf/httpd.conf.bu
cp /opt/rh/httpd24/root/etc/httpd/conf.d/ssl.conf /opt/rh/httpd24/root/etc/httpd/conf.d/ssl.conf.bu
##################################################
# Copy old CONF to new CONF
##################################################
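# Copy httpd.conf and ssl.conf from /etc/httpd to /opt/rh/httpd24/root/etc/httpd
# Change SERVER_ROOT (the ServerRoot directive) from /etc/httpd to /opt/rh/httpd24/root/etc/httpd
# Leave DOCUMENT_ROOT (the DocumentRoot directive) unchanged. The new server can serve from the old location.
# Leave the mod_ssl certificate and key paths unchanged. The old and new mod_ssl use /etc/pki/tls/certs and /etc/pki/tls/private.
# After the switch, check that the key files under /etc/pki/tls/private are still readable by root only.
# php.ini is too different between version 5 and version 7. Do not copy the file; re-apply the hardening settings by hand.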
##################################################
# Hardening
##################################################
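# List the PHP functions the site does not need in disable_functions (in /etc/opt/rh/rh-php71/php.ini)
# Comment out the LoadModule lines of unneeded modules in /opt/rh/httpd24/root/etc/httpd/conf.modules.d
# mod_security is not installed by these steps; if the old server relied on it, that protection is not carried over.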
##################################################
# Important diffs after cp
##################################################
# Compare each fresh default (the .bu backup, first argument) with the live file
# after the old configuration was copied over it: "<" lines are the shipped
# defaults, ">" lines are what the migrated server now uses.
# NOTE(review): worth checking here that TLS protocol and cipher settings carried
# over from the old server are not weaker than the fresh defaults.
diff /opt/rh/httpd24/root/etc/httpd/conf.d/ssl.conf.bu /opt/rh/httpd24/root/etc/httpd/conf.d/ssl.conf
diff /opt/rh/httpd24/root/etc/httpd/conf/httpd.conf.bu /opt/rh/httpd24/root/etc/httpd/conf/httpd.conf