Re: Apache Directive Closure Problem

On Fri, Oct 11, 2024 at 4:32 AM Adam Mihai Gergely <admin@xxxxxxxxxx.invalid> wrote:

Hello,

I have a rather weird question about Apache Directives Configuration.

I am running Ubuntu Linux Server and my Apache Tree looks like this:

server [/etc/apache2] # tree
.
├── apache2.conf
├── apache2.conf.dpkg-old
├── apache2.conf.in
├── conf-available
│   ├── charset.conf
│   ├── javascript-common.conf
│   ├── localized-error-pages.conf
│   ├── other-vhosts-access-log.conf
│   ├── phpmyadmin.conf -> ../../phpmyadmin/apache.conf
│   ├── security.conf
│   └── serve-cgi-bin.conf
├── conf-enabled
│   ├── charset.conf -> ../conf-available/charset.conf
│   ├── client-dirs.conf
│   ├── javascript-common.conf -> ../conf-available/javascript-common.conf
│   ├── localized-error-pages.conf -> ../conf-available/localized-error-pages.conf
│   ├── other-vhosts-access-log.conf -> ../conf-available/other-vhosts-access-log.conf
│   ├── phpmyadmin.conf -> ../conf-available/phpmyadmin.conf
│   ├── security.conf -> ../conf-available/security.conf
│   └── serve-cgi-bin.conf -> ../conf-available/serve-cgi-bin.conf
├── conf-local
│   ├── htdirs.conf
│   ├── htpasswd
│   ├── htpasswd4laszlo
│   └── htpasswd4project
├── envvars
├── magic
├── mods-available
│   ├── access_compat.load
│   ├── actions.conf
│   ├── actions.load
│   ├── alias.conf
│   ├── alias.load
│   ├── allowmethods.load
│   ├── asis.load
│   ├── auth_basic.load
│   ├── auth_digest.load
│   ├── auth_form.load
│   ├── authn_anon.load
│   ├── authn_core.load
│   ├── authn_dbd.load
│   ├── authn_dbm.load
│   ├── authn_file.load
│   ├── authn_socache.load
│   ├── authnz_fcgi.load
│   ├── authnz_ldap.load
│   ├── authz_core.load
│   ├── authz_dbd.load
│   ├── authz_dbm.load
│   ├── authz_groupfile.load
│   ├── authz_host.load
│   ├── authz_owner.load
│   ├── authz_user.load
│   ├── autoindex.conf
│   ├── autoindex.load
│   ├── buffer.load
│   ├── cache_disk.conf
│   ├── cache_disk.load
│   ├── cache.load
│   ├── cache_socache.load
│   ├── cgid.conf
│   ├── cgid.load
│   ├── cgi.load
│   ├── charset_lite.load
│   ├── data.load
│   ├── dav_fs.conf
│   ├── dav_fs.load
│   ├── dav.load
│   ├── dav_lock.load
│   ├── dbd.load
│   ├── deflate.conf
│   ├── deflate.load
│   ├── dialup.load
│   ├── dir.conf
│   ├── dir.load
│   ├── dump_io.load
│   ├── echo.load
│   ├── env.load
│   ├── expires.load
│   ├── ext_filter.load
│   ├── file_cache.load
│   ├── filter.load
│   ├── headers.load
│   ├── heartbeat.load
│   ├── heartmonitor.load
│   ├── ident.load
│   ├── include.load
│   ├── info.conf
│   ├── info.load
│   ├── lbmethod_bybusyness.load
│   ├── lbmethod_byrequests.load
│   ├── lbmethod_bytraffic.load
│   ├── lbmethod_heartbeat.load
│   ├── ldap.conf
│   ├── ldap.load
│   ├── log_debug.load
│   ├── log_forensic.load
│   ├── lua.load
│   ├── macro.load
│   ├── mime.conf
│   ├── mime.load
│   ├── mime_magic.conf
│   ├── mime_magic.load
│   ├── mpm_event.conf
│   ├── mpm_event.load
│   ├── mpm_prefork.conf
│   ├── mpm_prefork.load
│   ├── mpm_worker.conf
│   ├── mpm_worker.load
│   ├── negotiation.conf
│   ├── negotiation.load
│   ├── php5.6.conf
│   ├── php5.6.load
│   ├── php7.0.conf
│   ├── php7.0.load
│   ├── php7.1.conf
│   ├── php7.1.load
│   ├── php7.2.conf
│   ├── php7.2.load
│   ├── php7.3.conf
│   ├── php7.3.load
│   ├── php7.4.conf
│   ├── php7.4.load
│   ├── php8.0.conf
│   ├── php8.0.load
│   ├── proxy_ajp.load
│   ├── proxy_balancer.conf
│   ├── proxy_balancer.load
│   ├── proxy.conf
│   ├── proxy_connect.load
│   ├── proxy_express.load
│   ├── proxy_fcgi.load
│   ├── proxy_fdpass.load
│   ├── proxy_ftp.conf
│   ├── proxy_ftp.load
│   ├── proxy_html.conf
│   ├── proxy_html.load
│   ├── proxy_http.load
│   ├── proxy.load
│   ├── proxy_scgi.load
│   ├── proxy_wstunnel.load
│   ├── ratelimit.load
│   ├── reflector.load
│   ├── remoteip.load
│   ├── reqtimeout.conf
│   ├── reqtimeout.load
│   ├── request.load
│   ├── rewrite.load
│   ├── sed.load
│   ├── session_cookie.load
│   ├── session_crypto.load
│   ├── session_dbd.load
│   ├── session.load
│   ├── setenvif.conf
│   ├── setenvif.load
│   ├── slotmem_plain.load
│   ├── slotmem_shm.load
│   ├── socache_dbm.load
│   ├── socache_memcache.load
│   ├── socache_shmcb.load
│   ├── speling.load
│   ├── ssl.conf
│   ├── ssl.load
│   ├── status.conf
│   ├── status.load
│   ├── substitute.load
│   ├── suexec.load
│   ├── unique_id.load
│   ├── userdir.conf
│   ├── userdir.load
│   ├── usertrack.load
│   ├── vhost_alias.load
│   └── xml2enc.load
├── mods-enabled
│   ├── access_compat.load -> ../mods-available/access_compat.load
│   ├── alias.conf -> ../mods-available/alias.conf
│   ├── alias.load -> ../mods-available/alias.load
│   ├── auth_basic.load -> ../mods-available/auth_basic.load
│   ├── authn_core.load -> ../mods-available/authn_core.load
│   ├── authn_file.load -> ../mods-available/authn_file.load
│   ├── authz_core.load -> ../mods-available/authz_core.load
│   ├── authz_host.load -> ../mods-available/authz_host.load
│   ├── authz_user.load -> ../mods-available/authz_user.load
│   ├── autoindex.conf -> ../mods-available/autoindex.conf
│   ├── autoindex.load -> ../mods-available/autoindex.load
│   ├── deflate.conf -> ../mods-available/deflate.conf
│   ├── deflate.load -> ../mods-available/deflate.load
│   ├── dir.conf -> ../mods-available/dir.conf
│   ├── dir.load -> ../mods-available/dir.load
│   ├── env.load -> ../mods-available/env.load
│   ├── filter.load -> ../mods-available/filter.load
│   ├── headers.load -> ../mods-available/headers.load
│   ├── mime.conf -> ../mods-available/mime.conf
│   ├── mime.load -> ../mods-available/mime.load
│   ├── mpm_prefork.conf -> ../mods-available/mpm_prefork.conf
│   ├── mpm_prefork.load -> ../mods-available/mpm_prefork.load
│   ├── negotiation.conf -> ../mods-available/negotiation.conf
│   ├── negotiation.load -> ../mods-available/negotiation.load
│   ├── php5.6.conf -> ../mods-available/php5.6.conf
│   ├── php5.6.load -> ../mods-available/php5.6.load
│   ├── rewrite.load -> ../mods-available/rewrite.load
│   ├── setenvif.conf -> ../mods-available/setenvif.conf
│   ├── setenvif.load -> ../mods-available/setenvif.load
│   ├── socache_dbm.load -> ../mods-available/socache_dbm.load
│   ├── socache_memcache.load -> ../mods-available/socache_memcache.load
│   ├── socache_shmcb.load -> ../mods-available/socache_shmcb.load
│   ├── ssl.conf -> ../mods-available/ssl.conf
│   ├── ssl.load -> ../mods-available/ssl.load
│   ├── status.conf -> ../mods-available/status.conf
│   ├── status.load -> ../mods-available/status.load
│   ├── userdir.conf -> ../mods-available/userdir.conf
│   └── userdir.load -> ../mods-available/userdir.load
├── ports.conf
├── sites-available
│   ├── 000-default.conf
│   └── default-ssl.conf
└── sites-enabled
    ├── 000-default.conf -> ../sites-available/000-default.conf
    └── default-ssl.conf -> ../sites-available/default-ssl.conf

7 directories, 212 files

Now, the problem is:
One of my config files is /etc/apache2/mods-enabled/userdir.conf
It has this contents:

[Begin File contents]
<IfModule mod_userdir.c>
        UserDir public_html
        UserDir disabled root

        <Directory /home/adam/public_html>
                AllowOverride FileInfo AuthConfig Limit Indexes
                Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
                <Limit GET POST OPTIONS>
                        Require all granted
                </Limit>
                <LimitExcept GET POST OPTIONS>
                        Require all denied
                </LimitExcept>
                php_admin_value open_basedir /home/adam/public_html:/tmp
        </Directory>
[End File contents]

The problem I noticed is that "</IfModule>" was absent from this file.
So the <IfModule> at the beginning of this file was not properly closed.
The mod_userdir module is always loaded and running. This is the intended setting.

Restarting the webserver (and retaining this configuration) did not yield any problems.

However, requesting a certificate with Let's Encrypt's certbot revealed this issue because certbot performed an analysis on Apache's configuration files before renewing this certificate and found this problem.

After I properly closed the IfModule with "</IfModule>" and restarted the webserver certbot worked again.
Of course, Apache also worked.

Now, my question is:
What could this have affected? The lack of "</IfModule>" at the end of the "userdir" module.
(I am permanently using and have loaded the UserDir Module because I needed it. So the "IF" condition is a perfect TRUE, for my server.)
Could it have impacted something else?

I don't know how many other modules or directives loads Apache into memory on startup...
Is it possible that everything it loaded after this file could be "under the influence" of <IfModule mod_userdir.c>  because it was not properly closed ?
(In this case, perhaps Apache found another <IfModule> or <VirtualHost> along the way and nested it inside my unclosed <IfModule> ?)

I am concerned about security risks, not loading of other configs properly or some other weird combination that messes up my configs... I have htaccess statements and security measures I put in place in my configs, as this server is used by tens of users.

Also, Apache should have reported this unclosed <IfModule> on restart. I don't know why it didn't.

I know Apache reads configuration files in a specific order based on a combination of directories, filenames, and inclusion rules, however I don't know how a missing IfModule closure tag can affect other things...

If someone can help me... if an Apache developer or someone that understands these things perfectly knows what can I expect from this situation, please advise...

Thank you.

-- 
Cu stima,
Adam Mihai Gergely
Informatician
www.infosky.ro

What I would do first is create a simple test with an open <IfModule> block, run apachectl -f /path/to/config/file configtest, and see if there is an error.
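
A per-file balance check for section containers, which can be run alongside the configtest suggested above. This is an added example, not part of the original thread and not Apache tooling; the names `logical_lines` and `check_sections` are hypothetical, and the sample is an abridged copy of the userdir.conf quoted in the message.

```python
import re

OPEN_RE = re.compile(r"^<([A-Za-z]\w*)\b.*>$")    # e.g. <IfModule mod_userdir.c>
CLOSE_RE = re.compile(r"^</([A-Za-z]\w*)\s*>$")   # e.g. </IfModule>

def logical_lines(text):
    """Yield (first_line_no, line): comments/blanks dropped, backslash continuations joined."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        start = start or n
        if raw.endswith("\\"):           # trailing backslash continues the directive
            buf += raw[:-1] + " "
            continue
        line = (buf + raw).strip()
        buf, first, start = "", start, None
        if line and not line.startswith("#"):
            yield first, line

def check_sections(text):
    """Return [(line_no, message)] for containers that are unbalanced within one file."""
    stack, findings = [], []             # stack holds (line_no, name) of open sections
    for n, line in logical_lines(text):
        closing = CLOSE_RE.match(line)
        opening = None if closing else OPEN_RE.match(line)
        if opening:
            stack.append((n, opening.group(1)))
        elif closing:
            name = closing.group(1)
            if stack and stack[-1][1].lower() == name.lower():   # names are case-insensitive
                stack.pop()
            else:
                findings.append((n, f"</{name}> does not close the innermost open section"))
    findings += [(n, f"<{name}> is never closed in this file") for n, name in stack]
    return findings

# Abridged from the userdir.conf quoted in the message (no </IfModule>).
USERDIR_CONF = """\
<IfModule mod_userdir.c>
        UserDir public_html
        UserDir disabled root

        <Directory /home/adam/public_html>
                AllowOverride FileInfo AuthConfig Limit Indexes
        </Directory>
"""

if __name__ == "__main__":
    for n, msg in check_sections(USERDIR_CONF):
        print(f"userdir.conf:{n}: {msg}")
```

Run it on each file under mods-enabled, conf-enabled and sites-enabled separately, so that a container left open at the end of one file is reported against that file.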
