Wednesday, January 10, 2007

AJP proxy enabled by default for Apache 2.2.3 on Fedora Core 6

As part of hardening an Apache instance on a new Fedora Core 6 Linux server, I commented out all _proxy_ modules in the main httpd.conf. When checking for syntax, however, I got
# /etc/init.d/httpd configtest
httpd: Syntax error on line 209 of /etc/httpd/conf/httpd.conf: Syntax error on line 2 of /etc/httpd/conf.d/proxy_ajp.conf: Cannot load /etc/httpd/modules/mod_proxy_ajp.so into server: /etc/httpd/modules/mod_proxy_ajp.so: undefined symbol: proxy_module

Surprised by the something actually required proxy_module, I took a look at the proxy_ajp.conf.
#cat proxy_ajp.conf

LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

#
# When loaded, the mod_proxy_ajp module adds support for
# proxying to an AJP/1.3 backend server (such as Tomcat).
# To proxy to an AJP backend, use the "ajp://" URI scheme;
# Tomcat is configured to listen on port 8009 for AJP requests

This surely is nice. The building of mod_jk for Apache 2.0 on CentOS 4 has got old pretty fast. From a security standpoint, I'd  think this comes off some httpd-tomcat package. Not exactly!
# rpm -qf proxy_ajp.conf
httpd-2.2.3-5

For my purpose, I just commented out the LoadModule directive inside proxy_ajp.conf. However, it'd make more sense, if
  • it comes off an optional module package, something like httpd-tomcat or httpd-ajp. Or,
  • disabled by default.

No comments: