EA4: mod_php (dso) / mod_security2 + mod_ruid2

[mhofer]

After trying out EasyApache 4 and its functionality, I have ran into the following issue:
When enabling the DSO php handler, it is working but fails to load any module due to all modules being compiled as non-thread-safe, see the startup-errors below:

[27-Oct-2015 17:12:52 UTC] PHP Warning:  PHP Startup: bcmath: Unable to initialize module
Module compiled with build ID=API20131226,NTS
PHP    compiled with build ID=API20131226,TS
These options need to match
in Unknown on line 0
[27-Oct-2015 17:12:52 UTC] PHP Warning:  PHP Startup: bz2: Unable to initialize module
Module compiled with build ID=API20131226,NTS
PHP    compiled with build ID=API20131226,TS
These options need to match
in Unknown on line 0

this goes on and lists the same error for every php-module.

In addition:
- switching the PHP version which should be used with DSO does not work. I got it to work by manually changing the symlink of /etc/apache2/modules/libphp5.so and restarting apache.
- I was able to enable the DSO handler even when using MPM event, as far as i know this should not be possible due to incompatibility.

My questions are:
1. Is there any way to enable mod_php (dso) with all available modules?
2. Why is mod_security2 not compatible with mod_ruid2 or MPM ITK? Is there any way to get this to work? Or is it possible to use mod_php (running as the user) and mod_security2 in any other way?

Thanks in advance for anyone being able to help me here.

 

[JacobPerkins]

Hi,

We're having a bit of trouble with DSO at the moment due to the naming schema with Apache internals. We have an open case on this (EA-3711) and we're got this on our task board at the moment and are working on this.

In regards to mod_security and ruid2/ITK, these are not compatible. ModSec generally works with these, however it cannot read nor write to the DBM files that are required for tracking. Due to this, we've added RPM conflicts until we have time to look into making this compatible.

Let me know if this answers your questions. Also, Thanks for trying out EA4 and providing feedback!

 

[mhofer]

Hi Jacob, this indeed answers all of my questions. Thank you very much.

 

[dalem]

I noticed it to when messing with a DEV box
we work around the "cannot read nor write to the DBM" with some custom scripts to clean up the DBM mess.

I did not test ea4 extensively as it seems its not production ready is there a work around to install Modsecuity with Mod Ruid2

 

[cPanelMichael]

is there a work around to install Modsecuity with Mod Ruid2

There's no workaround at this time. Discussion about this topic is found at:

Mod RUID 2 and ModSecurity

Thank you.

 

[sonicthoughts]

If modruid2 is not going to work, then please get ITK to work with EA3 + EA4 and latest apache 2.4.

 

[cPanelMichael]

If modruid2 is not going to work, then please get ITK to work with EA3 + EA4 and latest apache 2.4.

Is mod_mpm_itk for Apache 2.4 not working with EasyApache 4 on your system?

Thank you.

 

[quizknows]

In regards to mod_security and ruid2/ITK, these are not compatible. ModSec generally works with these, however it cannot read nor write to the DBM files that are required for tracking. Due to this, we've added RPM conflicts until we have time to look into making this compatible.

At the risk of sounding rude, most rules don't use DBM files anyway. You still get the majority of protections from the major rule sets even without being able to use collections. Hopefully this is resolved quickly regardless

 

[JacobPerkins]

Hello,

I wanted to let you know we've removed the conflict and adjusted configurations to get both RUID2 and ModSec2 working. This doesn't solve the DBM issues, but the conflict is gone. I'm syncing these packages to the mirrors now. In an hour or two yum update and you'll get the updates.

Thanks!