Hey guys - just curious if there’s any specific plan for when Virtualmin plans to support httpd 2.2.4? I ask as I’m building a system to use mod_security, of which the modern versions (all of 2.5, out for about 2 years) make an API call that doesn’t exist pre-2.2.4 (ap_get_server_banner())
Currently, Virtualmin Pro is installing httpd-2.2.3-43.3.vm on my Centos 5.5 system…I suspect it’s not recommended to upgrade past that via other methods?
You could also try Ubuntu? May be this would be even “more secure”? Centos security updates seem to be delayed quite a lot according to:
While CentOS doesn’t ship with a newer Apache, other distros such as Debian and Ubuntu have more recent versions. For example, Ubuntu 10.04 (which Virtualmin supports) ships with Apache 2.2.14.
So, if you’re interested in using Apache 2.2.4, Virtualmin should work with that without a problem. It won’t be something you could download from the site here (Virtualmin will always offer the same version as provided by CentOS), but so long as you are building Apache yourself, or finding the RPM from another source, Virtualmin shouldn’t have a problem working with it.
CentOS is rather lagging behind then… on Ubuntu, Virtualmin installs Apache 2.2.14.
Guys - thanks for the comments.
So, on my system I’ve got a “httpd-2.2.3-43.3.vm” package - I’m presuming this came from Virtualmin’s repo based off the name. Looking at CentOS’s repository, I can see the httpd-2.2.3-43.el5 package as the latest, so that sorta makes sense.
I don’t use CentOS with the base repos, I usually add Utteramblings and/or EPEL. So I have easy access to newer versions of the server. Maybe I’ll just make a backup of the VM and try to force an upgrade, although I’m afraid virtualmin might override what I do…
I might have to consider Debian in the future…
Do note that if you go with a non-standard Apache version, and you’re planning to use suexec – you’d need to make sure suexec is compiled to work with /home, rather than /var/www.
It’s either that, or disable suexec, but that’s less secure (and may defeat the point of being able to use mod_security