I upgraded a server from 1.689 to 1.691 and then updated Apache to 2.4.66.
In doing so, mod_security was not enabled after the Apache recompiled. I had to remove some mod_security related directives from some included files to get Apache to restart and then I had to investigate why.
1.690 introduced a new modsecurity_enabled directive in the directadmin.conf file. I suspect that this is where the issue lays.
I especially like the description of this new directive:
This new configuration option controls if the web server templates should include the configuration directives for ModSecurity.
Server administrators do not really need to care about this option. The CustomBuild will automatically set this option to the correct value when ModSecurity is being used.
If there's no intervening required by the server administrator... why is it a configuration option?
At any rate, modsecurity_enabled was set to 1
# /usr/local/directadmin/directadmin config-get modsecurity_enabled
1
But mod_security was still not being enabled.
Looking at another server that is still on 1.689, I found that the file /etc/httpd/conf/extra/httpd-phpmodules.conf was including another file:
Include /etc/httpd/conf/extra/httpd-modsecurity.conf
And this line is missing in the /etc/httpd/conf/extra/httpd-phpmodules.conf file on the 1.691 server. So I added that back.
Then restarting Apache balked because /usr/local/lib/libxml2.so did not exist. And sure enough in /etc/httpd/conf/extra/httpd-modsecurity.conf was a reference to:
LoadFile /usr/local/lib/libxml2.so
I checked this on the 1.689 server and it has the path:
LoadFile /usr/lib64/libxml2.so
So I updated the /etc/httpd/conf/extra/httpd-modsecurity.conf file to load the proper libxml2.so library on the 1.691 server and Apache restarted with mod_security.
I haven't updated any of my other servers to 1.691 (they are all on 1.689 right now). So I don't know if this is just a one off issue with this particular server. Or if something isn't playing nice with the modsecurity_enabled setting. I have some reservations about updating other servers until I can get an explanation as to why mod_security is not being included in the Apache configuration.
Additionally, the /usr/local/directadmin/custombuild/options.conf file also has modsecurity as being enabled, with:
modsecurity=yes
So I don't really know how DirectAdmin is missing that mod_security is enabled.
If nobody else is having this problem, then where is mod_security suppose to be included in Apache? There's a maze of configuration files for Apache, so trying to track down where something is being included can be difficult. All I can go on is based on 1.689 servers that still have mod_security working with Apache.
In doing so, mod_security was not enabled after the Apache recompiled. I had to remove some mod_security related directives from some included files to get Apache to restart and then I had to investigate why.
1.690 introduced a new modsecurity_enabled directive in the directadmin.conf file. I suspect that this is where the issue lays.
I especially like the description of this new directive:
This new configuration option controls if the web server templates should include the configuration directives for ModSecurity.
Server administrators do not really need to care about this option. The CustomBuild will automatically set this option to the correct value when ModSecurity is being used.
If there's no intervening required by the server administrator... why is it a configuration option?
At any rate, modsecurity_enabled was set to 1
# /usr/local/directadmin/directadmin config-get modsecurity_enabled
1
But mod_security was still not being enabled.
Looking at another server that is still on 1.689, I found that the file /etc/httpd/conf/extra/httpd-phpmodules.conf was including another file:
Include /etc/httpd/conf/extra/httpd-modsecurity.conf
And this line is missing in the /etc/httpd/conf/extra/httpd-phpmodules.conf file on the 1.691 server. So I added that back.
Then restarting Apache balked because /usr/local/lib/libxml2.so did not exist. And sure enough in /etc/httpd/conf/extra/httpd-modsecurity.conf was a reference to:
LoadFile /usr/local/lib/libxml2.so
I checked this on the 1.689 server and it has the path:
LoadFile /usr/lib64/libxml2.so
So I updated the /etc/httpd/conf/extra/httpd-modsecurity.conf file to load the proper libxml2.so library on the 1.691 server and Apache restarted with mod_security.
I haven't updated any of my other servers to 1.691 (they are all on 1.689 right now). So I don't know if this is just a one off issue with this particular server. Or if something isn't playing nice with the modsecurity_enabled setting. I have some reservations about updating other servers until I can get an explanation as to why mod_security is not being included in the Apache configuration.
Additionally, the /usr/local/directadmin/custombuild/options.conf file also has modsecurity as being enabled, with:
modsecurity=yes
So I don't really know how DirectAdmin is missing that mod_security is enabled.
If nobody else is having this problem, then where is mod_security suppose to be included in Apache? There's a maze of configuration files for Apache, so trying to track down where something is being included can be difficult. All I can go on is based on 1.689 servers that still have mod_security working with Apache.
