EA4: mod_php (dso) / mod_security2 + mod_ruid2

mhofer

Member
May 10, 2013
16
0
1
cPanel Access Level
Root Administrator
After trying out EasyApache 4 and its functionality, I have ran into the following issue:
When enabling the DSO php handler, it is working but fails to load any module due to all modules being compiled as non-thread-safe, see the startup-errors below:
Code:
[27-Oct-2015 17:12:52 UTC] PHP Warning:  PHP Startup: bcmath: Unable to initialize module
Module compiled with build ID=API20131226,NTS
PHP    compiled with build ID=API20131226,TS
These options need to match
in Unknown on line 0
[27-Oct-2015 17:12:52 UTC] PHP Warning:  PHP Startup: bz2: Unable to initialize module
Module compiled with build ID=API20131226,NTS
PHP    compiled with build ID=API20131226,TS
These options need to match
in Unknown on line 0
this goes on and lists the same error for every php-module.

In addition:
- switching the PHP version which should be used with DSO does not work. I got it to work by manually changing the symlink of /etc/apache2/modules/libphp5.so and restarting apache.
- I was able to enable the DSO handler even when using MPM event, as far as i know this should not be possible due to incompatibility.

My questions are:
1. Is there any way to enable mod_php (dso) with all available modules?
2. Why is mod_security2 not compatible with mod_ruid2 or MPM ITK? Is there any way to get this to work? Or is it possible to use mod_php (running as the user) and mod_security2 in any other way?

Thanks in advance for anyone being able to help me here.
 

JacobPerkins

Well-Known Member
May 2, 2014
617
97
103
cPanel Access Level
DataCenter Provider
Twitter
Hi,

We're having a bit of trouble with DSO at the moment due to the naming schema with Apache internals. We have an open case on this (EA-3711) and we're got this on our task board at the moment and are working on this.

In regards to mod_security and ruid2/ITK, these are not compatible. ModSec generally works with these, however it cannot read nor write to the DBM files that are required for tracking. Due to this, we've added RPM conflicts until we have time to look into making this compatible.

Let me know if this answers your questions. Also, Thanks for trying out EA4 and providing feedback!
 

dalem

Well-Known Member
PartnerNOC
Oct 24, 2003
2,983
159
368
SLC
cPanel Access Level
DataCenter Provider
I noticed it to when messing with a DEV box
we work around the "cannot read nor write to the DBM" with some custom scripts to clean up the DBM mess.

I did not test ea4 extensively as it seems its not production ready is there a work around to install Modsecuity with Mod Ruid2
 

sonicthoughts

Well-Known Member
Apr 4, 2011
61
3
58
If modruid2 is not going to work, then please get ITK to work with EA3 + EA4 and latest apache 2.4.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,256
463
If modruid2 is not going to work, then please get ITK to work with EA3 + EA4 and latest apache 2.4.
Is mod_mpm_itk for Apache 2.4 not working with EasyApache 4 on your system?

Thank you.
 

quizknows

Well-Known Member
Oct 20, 2009
1,008
87
78
cPanel Access Level
DataCenter Provider
In regards to mod_security and ruid2/ITK, these are not compatible. ModSec generally works with these, however it cannot read nor write to the DBM files that are required for tracking. Due to this, we've added RPM conflicts until we have time to look into making this compatible.
At the risk of sounding rude, most rules don't use DBM files anyway. You still get the majority of protections from the major rule sets even without being able to use collections. Hopefully this is resolved quickly regardless :)
 

JacobPerkins

Well-Known Member
May 2, 2014
617
97
103
cPanel Access Level
DataCenter Provider
Twitter
Hello,

I wanted to let you know we've removed the conflict and adjusted configurations to get both RUID2 and ModSec2 working. This doesn't solve the DBM issues, but the conflict is gone. I'm syncing these packages to the mirrors now. In an hour or two yum update and you'll get the updates.

Thanks!