我正在Oracle Linux 9上配置一个新的Apache网络服务器(根据Oracle与RedHat/CentOS相当)。httpd
的版本是2.4.51
,php
的版本是8.0.13
。但是,服务无法启动,出现以下错误(journalctl -xeu
):
httpd.service: Failed with result 'exit-code'.
我抬头看,出现了许多与配置文件相关的类似错误。但是apachectl configtest
返回Syntax OK
,httpd --help
没有给出任何输出。
所以我试图在http.conf
注释掉一些配置,在注释掉mod-security
相关行后,它会抛出新的错误消息:
httpd.service: Failed with result 'protocol'.
无法从journalctl
中检索到其他有用的错误消息。
注释掉php
相关行也无济于事。此外,我发现要安装mod_security2
我还有其他几个"模块"要安装,但我从 aap 流下载此mod_security2
。为了确保问题不是来自此模块,我安装了其文档中所需的模块(除了libapr
和 libapr-utilbecause error occurs on building, the
rpmbuildcannot find
doxygen'),即使我安装了它)。
—————更新————
error_log
:
[core:notice] [pid 4944:tid 4944] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[suexec:notice] - - AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)AH00016: Configuration Failed
[core:notice] [pid 4963:tid 4963] SELinux policy enabled; httpd running as context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[suexec:notice] - - AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[-:error] - - SecServerSignature: original signature too short. Please set ServerTokens to Full.
[-:notice] - - ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/) configured.
[:notice] [pid 4963:tid 4963] ModSecurity: APR compiled version="1.7.0"; loaded version="1.7.0"
[:notice] [pid 4963:tid 4963] ModSecurity: PCRE compiled version="8.44 "; loaded version="8.44 2020-02-12"
[:notice] [pid 4963:tid 4963] ModSecurity: LUA compiled version="Lua 5.4"
[:notice] [pid 4963:tid 4963] ModSecurity: YAJL compiled version="2.1.0"
[:notice] [pid 4963:tid 4963] ModSecurity: LIBXML compiled version="2.9.12"
[-:notice] - - ModSecurity: Original server signature: Apache
[:notice] [pid 4963:tid 4963] ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.
[lbmethod_heartbeat:notice] - - AH02282: No slotmem from mod_heartmonitor
[-:error] - - SecServerSignature: original signature too short. Please set ServerTokens to Full.
[core:notice] - - AH00094: Command line: 'httpd'
AH00016
似乎与 SSL 证书有关,所以我还附上了 SSL 的错误日志。
ssl_error_log
:
[ssl:emerg] - - AH02562: Failed to configure certificate www.example.com:443:0 (with chain), check /etc/pki/tls/certs/example-wildcard.crt
[ssl:emerg] - - SSL Library Error: error:8000000D:system library::Permission denied (calling fopen(/etc/pki/tls/certs/example-wildcard.crt, r))
[ssl:emerg] - - SSL Library Error: error:10080002:BIO routines::system lib
[ssl:emerg] - - SSL Library Error: error:0A080002:SSL routines::system lib
我发现读取我的通配符证书的权限被拒绝错误,我注意到这是因为我的所有权错误。我改成了它应该的样子,有644
权.
顺便说一句,httpd -t
也返回Syntax OK
. 现在我重新运行没有根权限的httpd -t
返回文件权限错误(通过将所有权更改为apache
来解决):
# sudo -u apache httpd -t
AH00526: Syntax error on line 39 of /etc/httpd/conf.d/mod_security.conf:
ModSecurity: Failed to open debug log file: /etc/httpd/logs/modsec_debug.log
奇怪的是,当我检查端口侦听器时,我看到:
$ sudo netstat -punta | grep LISTEN
tcp6 0 0 :::443 :::* LISTEN 4964/httpd
tcp6 0 0 :::80 :::* LISTEN 4964/httpd
httpd
在无法启动时正在侦听?
也许 SELinux 拒绝访问,请探测一下:
restorecon -vF /etc/pki/tls/certs/example-wildcard.crt