IBM HTTP Server 7 (Apache2) vs mod_security

IHS does not ship with mod_security, so if you need it, you have to compile it yourself.
The build probably works against a plain apache2 as well; I used IHS because that is where the module will run anyway.

Environment:

- AIX 6.1 TL5
- IBM xlC compiler 10.1
- IBM HTTP Server v7.0
- open source libraries: perzl.org
- mod_security 2.5.12

1.) Install IBM HTTP Server (or Apache) on the build host, or at least the apxs binary. The IHS install can be done without the Java GUI; for that you need a response file (the sample shipped with the installer can be edited, the whole thing is about 10-15 lines), then:


java -Djava.awt.headless -jar /path/to/setup.jar -silent -options /path/to/responsefile.txt

2.) Install the tools needed for the build. I used the RPM packages from perzl.org, together with their -devel counterparts and their dependencies: libxml2, apr, apr-util, optionally curl, and possibly Lua. Then add the path of the 3rd party binaries to PATH, and pass the location of apxs, which in this case is the program shipped by IBM. If everything is in place, configure produces the output below and we are ready to compile.


$ PATH=$PATH:/opt/freeware/bin ./configure --with-apxs=/usr/IBM/HTTPServer/bin/apxs
...
configure: looking for Apache module support via DSO through APXS
configure: found apxs at /usr/IBM/HTTPServer/bin/apxs
configure: checking httpd version
configure: httpd is recent enough
checking for libpcre config script... /usr/bin/pcre-config
configure: using '-L/opt/freeware/lib -lpcre' for pcre Library
checking for libapr config script... /usr/bin/apr-1-config
configure: using ' -lpthread' for apr Library
checking for libapu config script... /usr/bin/apu-1-config
configure: using '     -lexpat -liconv' for apu Library
checking for libxml2 config script... /usr/bin/xml2-config
configure: using '-L/opt/freeware/lib -lxml2 -lz -lpthread -liconv -lm' for libxml2
checking for liblua config script... no
checking for lua install... no
configure: optional lua library not found
checking for libcurl config script... /usr/bin/curl-config
checking if libcurl is at least v7.15.1... yes
checking if libcurl is linked with gnutls... no
configure: using '-L/opt/freeware/lib -lcurl -L/opt/freeware/lib -Wl,-bmaxdata:0x80000000 -L/opt/freeware/lib -lidn -lssh2 -lssl -lcrypto -lssl -lcrypto -lz' for curl Library
configure: creating ./config.status
...

3.) Compilation: make fails out of the box, but it is nothing serious; the compiler simply does not recognize -Wall:


$ make
/usr/IBM/HTTPServer/build/libtool --silent --mode=compile xlc_r -prefer-pic -O2 -qmaxmem=8192  -U__STR__ -D_THREAD_SAFE -D_USE_IRS -D_LARGEFILE64_SOURCE -qHALT=E -I/usr/IBM/HTTPServer/include  -I/usr/IBM/HTTPServer/include   -I/usr/IBM/HTTPServer/include   -O2 -g -Wall -DWITH_PCRE_STUDY -DMODSEC_PCRE_MATCH_LIMIT=1500 -DMODSEC_PCRE_MATCH_LIMIT_RECURSION=1500
-I/usr/IBM/HTTPServer/include -I/usr/IBM/HTTPServer/include -I. -I/opt/freeware/include -I/opt/freeware/include/libxml2  -c -o mod_security2.lo mod_security2.c && touch mod_security2.slo
xlc_r: 1501-210 (S) command option Wall contains an incorrect subargument
apxs:Error: Command failed with rc=65536
.
make: 1254-004 The error code from the last command is 1.

Haha. Remove the -Wall option from the Makefile:


$ cp Makefile Makefile.orig
$ vi Makefile

After that the module compiles.
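A non-interactive version of the Makefile edit from step 3, as an added example that is not part of the original post. The helper names strip_wall and has_wall and the script name strip_wall.sh are hypothetical, and it assumes -Wall appears as a token preceded by whitespace or '='.

```shell
#!/bin/sh
# Added example, not from the original post. strip_wall and has_wall are
# hypothetical helper names.

# has_wall FILE: succeeds if FILE still contains a standalone -Wall token.
has_wall() {
    grep -q -E '[[:space:]=]-Wall([[:space:]]|$)' "$1"
}

# strip_wall MAKEFILE: delete every standalone -Wall token from MAKEFILE.
# Other -W flags, such as the linker pass-through -Wl,-bmaxdata:0x80000000
# seen in the configure output for curl, are left alone.
strip_wall() {
    mf=$1
    [ -f "$mf" ] || { echo "strip_wall: $mf: no such file" >&2; return 2; }
    # Keep the pristine file once; a second run must not overwrite it.
    [ -f "$mf.orig" ] || cp -p "$mf" "$mf.orig" || return 1
    tmp=$mf.tmp.$$
    # AIX sed has no -i, so filter into a temporary file. The :a/ta loop
    # repeats the first substitution so adjacent "-Wall -Wall" both go.
    sed -e ':a' \
        -e 's/\([[:space:]=]\)-Wall[[:space:]]/\1/' \
        -e 'ta' \
        -e 's/\([[:space:]=]\)-Wall$/\1/' "$mf" > "$tmp" ||
        { rm -f "$tmp"; return 1; }
    # Rewrite in place so the Makefile keeps its owner and mode.
    cat "$tmp" > "$mf" && rm -f "$tmp" || return 1
    # Fail loudly if a token in an unexpected position survived.
    if has_wall "$mf"; then
        echo "strip_wall: -Wall still present in $mf" >&2
        return 1
    fi
}

# Usage from the mod_security source directory: sh strip_wall.sh Makefile
[ $# -eq 0 ] || strip_wall "$1"
```

Comparing Makefile with Makefile.orig afterwards (diff Makefile.orig Makefile) shows exactly which flag lines changed before make is run again.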

4.) From here, all that is left is to load it into IBM HTTP Server (after placing it, under whatever name you like, in the $httpd_install_root/modules directory):


$ vi /usr/IBM/HTTPServer/conf/httpd.conf
 ...
 LoadModule security2_module modules/mod_security.so
 ...

After a restart, if everything is in order, the module shows up as loaded:


# /usr/IBM/HTTPServer/bin/apachectl -t -D DUMP_MODULES 2>&1 | grep sec
 security2_module (shared)

Finally, we can get started on configuring the mod_security settings.

Comments

Oh, and one more thing. The "Can't locate API module structure" message came up when I tried to load it under the name 'security_module', because its name is now 'security2_module'.