Security VestaCP ouch no HTTP/2 and outdated Apache !

Discussion in 'System Administration' started by eva2000, Jan 20, 2017.

  1. eva2000

    eva2000 Administrator Staff Member

    30,850
    6,905
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +10,396
    Local Time:
    11:25 PM
    Nginx 1.13.x
    MariaDB 5.5
    A client of mine is planning to switch from VestaCP on CentOS 7 to Centmin Mod LEMP stack on CentOS 7. VestaCP defaults to using Nginx as a reverse proxy to an Apache PHP backend.

    I haven't used VestaCP before, so I had a quick look into its building blocks and was surprised to see:
    1. on CentOS 7, VestaCP installed Nginx 1.10.2 and Apache 2.4.6
    2. Nginx uses system OpenSSL 1.0.1e, so NO ALPN protocol support and no OpenSSL 1.0.2+ for HTTP/2 based HTTPS. So poorer performance for HTTPS based sites
    3. Apache 2.4.6 is installed and is way out of date even for CentOS backported fixes. The change log was 30+ months older than the latest Apache 2.4.25, so there's like 30+ months of security updates missing? Apache 2.4.25 change log http://www.apache.org/dist/httpd/CHANGES_2.4.25
    4. Apache using the default prefork MPM instead of the event MPM
    httpd 2.4.6-18, which is a custom-built VestaCP package named 2.4.6-118. Red Hat 7.3/CentOS 7.3's httpd package is 2.4.6-45
    Code (Text):
    yum list installed httpd -q | tr -s ' '
    Installed Packages
    httpd.x86_64 2.4.6-118.el7.centos @vesta
    

    Code (Text):
    httpd -V
    Server version: Apache/2.4.6 (CentOS)
    Server built:   Dec 15 2014 17:32:43
    Server's Module Magic Number: 20120211:23
    Server loaded:  APR 1.4.8, APR-UTIL 1.5.2
    Compiled using: APR 1.4.8, APR-UTIL 1.5.2
    Architecture:   64-bit
    Server MPM:     prefork
      threaded:     no
        forked:     yes (variable process count)
    Server compiled with....
     -D APR_HAS_SENDFILE
     -D APR_HAS_MMAP
     -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
     -D APR_USE_SYSVSEM_SERIALIZE
     -D APR_USE_PTHREAD_SERIALIZE
     -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
     -D APR_HAS_OTHER_CHILD
     -D AP_HAVE_RELIABLE_PIPED_LOGS
     -D DYNAMIC_MODULE_LIMIT=256
     -D HTTPD_ROOT="/etc/httpd"
     -D SUEXEC_BIN="/usr/sbin/suexec"
     -D DEFAULT_PIDLOG="/run/httpd/httpd.pid"
     -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
     -D DEFAULT_ERRORLOG="logs/error_log"
     -D AP_TYPES_CONFIG_FILE="conf/mime.types"
     -D SERVER_CONFIG_FILE="conf/httpd.conf"


    VestaCP's custom Apache rpm is installed from http://c.vestacp.com/rpms/7/httpd/x86_64/

    Code (Text):
    http://c.vestacp.com/rpms/7/httpd/x86_64/
    
      httpd-2.4.6-118.el7.centos.x86_64.rpm 15-Dec-2014 17:44 2.7M
      httpd-debuginfo-2.4.6-118.el7.centos.x86_64.rpm 15-Dec-2014 17:44 3.4M
      httpd-devel-2.4.6-118.el7.centos.x86_64.rpm 15-Dec-2014 17:44 180K
      httpd-manual-2.4.6-118.el7.centos.noarch.rpm  15-Dec-2014 17:44 1.3M
      httpd-tools-2.4.6-118.el7.centos.x86_64.rpm 15-Dec-2014 17:44 76K
      mod_ldap-2.4.6-118.el7.centos.x86_64.rpm  15-Dec-2014 17:44 57K
      mod_proxy_html-2.4.6-118.el7.centos.x86_64.rpm  15-Dec-2014 17:44 37K
      mod_session-2.4.6-118.el7.centos.x86_64.rpm 15-Dec-2014 17:44 46K
      mod_ssl-2.4.6-118.el7.centos.x86_64.rpm 15-Dec-2014 17:44 96K
    


    Yum history info for the httpd package confirms it too
    Code (Text):
        Install     httpd-2.4.6-118.el7.centos.x86_64                    @vesta
        Dep-Install httpd-tools-2.4.6-118.el7.centos.x86_64              @vesta
    

    Code (Text):
    yum history info httpd
    Loaded plugins: fastestmirror
    Transaction ID : 5
    Begin time     : Fri Jan 20 14:58:50 2017
    Begin rpmdb    : 426:66a704bee0cd7de45d2a69895f2d604c062d7a45
    End time       :            15:00:02 2017 (72 seconds)
    End rpmdb      : 656:f3d1caccd5c1db832aa96a97aa816b32d8d4a001
    User           : root <root>
    Return-Code    : Success
    Command Line   : -y --disablerepo=* --enablerepo=base,updates,nginx,epel,vesta,remi* install nginx httpd mod_ssl mod_ruid2 mod_fcgid php php-common php-cli php-bcmath php-gd php-imap php-mbstring php-mcrypt php-mysql php-pdo php-soap php-tidy php-xml php-xmlrpc awstats webalizer vsftpd bind bind-utils bind-libs exim dovecot clamav-server clamav-update spamassassin roundcubemail mariadb mariadb-server phpMyAdmin e2fsprogs openssh-clients ImageMagick curl mc screen ftp zip unzip flex sqlite pcre sudo bc jwhois mailx lsof tar telnet rrdtool net-tools ntp GeoIP freetype fail2ban rsyslog iptables-services which vesta vesta-nginx vesta-php vim-common expect
    Transaction performed with:
        Installed     rpm-4.11.3-21.el7.x86_64                      @base
        Installed     yum-3.4.3-150.el7.centos.noarch               @base
        Installed     yum-plugin-fastestmirror-1.1.31-40.el7.noarch @base
    Packages Altered:
        Install     ImageMagick-6.7.8.9-15.el7_2.x86_64                  @base
        Dep-Install OpenEXR-libs-1.7.1-7.el7.x86_64                      @base
        Dep-Install aspell-12:0.60.6.1-9.el7.x86_64                      @base
        Dep-Install autogen-libopts-5.18-5.el7.x86_64                    @base
        Install     awstats-7.4-1.el7.noarch                             @epel
        Install     bc-1.06.95-13.el7.x86_64                             @base
        Install     bind-32:9.9.4-38.el7_3.1.x86_64                      @updates
        Install     bind-libs-32:9.9.4-38.el7_3.1.x86_64                 @updates
        Install     bind-utils-32:9.9.4-38.el7_3.1.x86_64                @updates
        Dep-Install cairo-1.14.2-1.el7.x86_64                            @base
        Dep-Install clamav-data-0.99.2-1.el7.noarch                      @epel
        Dep-Install clamav-filesystem-0.99.2-1.el7.noarch                @epel
        Dep-Install clamav-lib-0.99.2-1.el7.x86_64                       @epel
        Install     clamav-server-0.99.2-1.el7.x86_64                    @epel
        Install     clamav-update-0.99.2-1.el7.x86_64                    @epel
        Dep-Install clucene-core-2.3.3.4-11.el7.x86_64                   @base
        Dep-Install cups-libs-1:1.6.3-26.el7.x86_64                      @base
        Dep-Install dejavu-fonts-common-2.33-6.el7.noarch                @base
        Dep-Install dejavu-sans-fonts-2.33-6.el7.noarch                  @base
        Dep-Install dejavu-sans-mono-fonts-2.33-6.el7.noarch             @base
        Install     dovecot-1:2.2.10-7.el7.x86_64                        @base
        Install     exim-4.84.2-2.el7.x86_64                             @epel
        Install     expect-5.45-14.el7_1.x86_64                          @base
        Install     fail2ban-0.9.5-3.el7.noarch                          @epel
        Dep-Install fail2ban-firewalld-0.9.5-3.el7.noarch                @epel
        Dep-Install fail2ban-sendmail-0.9.5-3.el7.noarch                 @epel
        Dep-Install fail2ban-server-0.9.5-3.el7.noarch                   @epel
        Dep-Install fontconfig-2.10.95-10.el7.x86_64                     @base
        Dep-Install fontpackages-filesystem-1.44-8.el7.noarch            @base
        Install     ftp-0.17-67.el7.x86_64                               @base
        Dep-Install gd-2.0.35-26.el7.x86_64                              @base
        Dep-Install gd-last-2.2.4-1.el7.remi.x86_64                      @remi
        Dep-Install gdbm-devel-1.10-8.el7.x86_64                         @base
        Dep-Install gdk-pixbuf2-2.31.6-3.el7.x86_64                      @base
        Dep-Install ghostscript-9.07-20.el7_3.1.x86_64                   @updates
        Dep-Install ghostscript-fonts-5.50-32.el7.noarch                 @base
        Dep-Install gnupg1-1.4.20-1.el7.remi.x86_64                      @remi
        Dep-Install gpm-libs-1.20.7-5.el7.x86_64                         @base
        Dep-Install graphite2-1.3.6-1.el7_2.x86_64                       @base
        Dep-Install harfbuzz-0.9.36-1.el7.x86_64                         @base
        Install     httpd-2.4.6-118.el7.centos.x86_64                    @vesta
        Dep-Install httpd-tools-2.4.6-118.el7.centos.x86_64              @vesta
        Dep-Install ilmbase-1.0.3-7.el7.x86_64                           @base
        Install     iptables-services-1.4.21-17.el7.x86_64               @base
        Dep-Install jasper-libs-1.900.1-29.el7.x86_64                    @base
        Dep-Install jbigkit-libs-2.0-11.el7.x86_64                       @base
        Install     jwhois-4.0-45.el7.x86_64                             @epel
        Dep-Install lcms2-2.6-3.el7.x86_64                               @base
        Dep-Install libICE-1.0.9-2.el7.x86_64                            @base
        Dep-Install libSM-1.2.2-2.el7.x86_64                             @base
        Dep-Install libX11-1.6.3-3.el7.x86_64                            @base
        Dep-Install libX11-common-1.6.3-3.el7.noarch                     @base
        Dep-Install libXau-1.0.8-2.1.el7.x86_64                          @base
        Dep-Install libXdamage-1.1.4-4.1.el7.x86_64                      @base
        Dep-Install libXext-1.3.3-3.el7.x86_64                           @base
        Dep-Install libXfixes-5.0.1-2.1.el7.x86_64                       @base
        Dep-Install libXfont-1.5.1-2.el7.x86_64                          @base
        Dep-Install libXft-2.3.2-2.el7.x86_64                            @base
        Dep-Install libXpm-3.5.11-3.el7.x86_64                           @base
        Dep-Install libXrender-0.9.8-2.1.el7.x86_64                      @base
        Dep-Install libXt-1.1.4-6.1.el7.x86_64                           @base
        Dep-Install libXxf86vm-1.1.3-2.1.el7.x86_64                      @base
        Dep-Install libc-client-2007f-4.el7.1.x86_64                     @epel
        Dep-Install libdb-devel-5.3.21-19.el7.x86_64                     @base
        Dep-Install libfontenc-1.1.2-3.el7.x86_64                        @base
        Dep-Install libgsasl-1.8.0-8.el7.x86_64                          @epel
        Dep-Install libicu-50.1.2-15.el7.x86_64                          @base
        Dep-Install libidn2-0.11-1.el7.x86_64                            @epel
        Dep-Install libmcrypt-2.5.8-13.el7.x86_64                        @epel
        Dep-Install libntlm-1.3-6.el7.x86_64                             @base
        Dep-Install libpng-2:1.5.13-7.el7_2.x86_64                       @base
        Dep-Install librsvg2-2.39.0-1.el7.x86_64                         @base
        Dep-Install libthai-0.1.14-9.el7.x86_64                          @base
        Dep-Install libtidy-0.99.0-31.20091203.el7.x86_64                @epel
        Dep-Install libtiff-4.0.3-25.el7_2.x86_64                        @base
        Dep-Install libtool-ltdl-2.4.2-21.el7_2.x86_64                   @base
        Dep-Install libusb-1:0.1.4-3.el7.x86_64                          @base
        Dep-Install libusbx-1.0.20-1.el7.x86_64                          @base
        Dep-Install libwebp-0.3.0-3.el7.x86_64                           @base
        Dep-Install libwmf-lite-0.2.8.4-41.el7_1.x86_64                  @base
        Dep-Install libxcb-1.11-4.el7.x86_64                             @base
        Dep-Install libxshmfence-1.2-1.el7.x86_64                        @base
        Dep-Install libxslt-1.1.28-5.el7.x86_64                          @base
        Dep-Install libzip-last-1.1.3-1.el7.remi.x86_64                  @remi
        Install     lsof-4.87-4.el7.x86_64                               @base
        Dep-Install mailcap-2.1.41-2.el7.noarch                          @base
        Install     mailx-12.5-12.el7_0.x86_64                           @base
        Install     mariadb-1:5.5.52-1.el7.x86_64                        @base
        Install     mariadb-server-1:5.5.52-1.el7.x86_64                 @base
        Install     mc-1:4.8.7-11.el7.x86_64                             @base
        Dep-Install mesa-libEGL-11.2.2-2.20160614.el7.x86_64             @base
        Dep-Install mesa-libGL-11.2.2-2.20160614.el7.x86_64              @base
        Dep-Install mesa-libgbm-11.2.2-2.20160614.el7.x86_64             @base
        Dep-Install mesa-libglapi-11.2.2-2.20160614.el7.x86_64           @base
        Install     mod_fcgid-2.3.9-4.el7.x86_64                         @base
        Install     mod_ruid2-0.9.8-2.el7.x86_64                         @epel
        Install     mod_ssl-1:2.4.6-118.el7.centos.x86_64                @vesta
        Install     net-tools-2.0-0.17.20131004git.el7.x86_64            @base
        Install     nginx-1:1.10.2-1.el7.ngx.x86_64                      @nginx
        Dep-Install nmap-ncat-2:6.40-7.el7.x86_64                        @base
        Install     ntp-4.2.6p5-25.el7.centos.x86_64                     @base
        Dep-Install ntpdate-4.2.6p5-25.el7.centos.x86_64                 @base
        Dep-Install pango-1.36.8-2.el7.x86_64                            @base
        Dep-Install perl-Archive-Tar-1.92-2.el7.noarch                   @base
        Dep-Install perl-Business-ISBN-2.06-2.el7.noarch                 @base
        Dep-Install perl-Business-ISBN-Data-20120719.001-2.el7.noarch    @base
        Dep-Install perl-CGI-3.63-4.el7.noarch                           @base
        Dep-Install perl-Compress-Raw-Bzip2-2.061-3.el7.x86_64           @base
        Dep-Install perl-Compress-Raw-Zlib-1:2.061-4.el7.x86_64          @base
        Dep-Install perl-Crypt-OpenSSL-Bignum-0.04-18.el7.x86_64         @base
        Dep-Install perl-Crypt-OpenSSL-RSA-0.28-7.el7.x86_64             @base
        Dep-Install perl-Crypt-OpenSSL-Random-0.04-21.el7.x86_64         @base
        Dep-Install perl-DBD-MySQL-4.023-5.el7.x86_64                    @base
        Dep-Install perl-DBI-1.627-4.el7.x86_64                          @base
        Dep-Install perl-DB_File-1.830-6.el7.x86_64                      @base
        Dep-Install perl-Digest-1.17-245.el7.noarch                      @base
        Dep-Install perl-Digest-HMAC-1.03-5.el7.noarch                   @base
        Dep-Install perl-Digest-MD5-2.52-3.el7.x86_64                    @base
        Dep-Install perl-Digest-SHA-1:5.85-3.el7.x86_64                  @base
        Dep-Install perl-Encode-Detect-1.01-13.el7.x86_64                @base
        Dep-Install perl-Encode-Locale-1.03-5.el7.noarch                 @base
        Dep-Install perl-ExtUtils-Install-1.58-291.el7.noarch            @base
        Dep-Install perl-ExtUtils-MakeMaker-6.68-3.el7.noarch            @base
        Dep-Install perl-ExtUtils-Manifest-1.61-244.el7.noarch           @base
        Dep-Install perl-ExtUtils-ParseXS-1:3.18-2.el7.noarch            @base
        Dep-Install perl-FCGI-1:0.74-8.el7.x86_64                        @base
        Dep-Install perl-File-Listing-6.04-7.el7.noarch                  @base
        Dep-Install perl-Geo-IP-1.43-3.el7.x86_64                        @epel
        Dep-Install perl-HTML-Parser-3.71-4.el7.x86_64                   @base
        Dep-Install perl-HTML-Tagset-3.20-15.el7.noarch                  @base
        Dep-Install perl-HTTP-Cookies-6.01-5.el7.noarch                  @base
        Dep-Install perl-HTTP-Daemon-6.01-5.el7.noarch                   @base
        Dep-Install perl-HTTP-Date-6.02-8.el7.noarch                     @base
        Dep-Install perl-HTTP-Message-6.06-6.el7.noarch                  @base
        Dep-Install perl-HTTP-Negotiate-6.01-5.el7.noarch                @base
        Dep-Install perl-IO-Compress-2.061-2.el7.noarch                  @base
        Dep-Install perl-IO-HTML-1.00-2.el7.noarch                       @base
        Dep-Install perl-IO-Socket-INET6-2.69-5.el7.noarch               @base
        Dep-Install perl-IO-Socket-IP-0.21-4.el7.noarch                  @base
        Dep-Install perl-IO-Socket-SSL-1.94-5.el7.noarch                 @base
        Dep-Install perl-IO-Zlib-1:1.10-291.el7.noarch                   @base
        Dep-Install perl-LWP-MediaTypes-6.02-2.el7.noarch                @base
        Dep-Install perl-Mail-DKIM-0.39-8.el7.noarch                     @base
        Dep-Install perl-Mail-SPF-2.8.0-4.el7.noarch                     @base
        Dep-Install perl-MailTools-2.12-2.el7.noarch                     @base
        Dep-Install perl-Net-DNS-0.72-6.el7.x86_64                       @base
        Dep-Install perl-Net-Daemon-0.48-5.el7.noarch                    @base
        Dep-Install perl-Net-HTTP-6.06-2.el7.noarch                      @base
        Dep-Install perl-Net-IP-1.26-4.el7.noarch                        @epel
        Dep-Install perl-Net-LibIDN-0.12-15.el7.x86_64                   @base
        Dep-Install perl-Net-SMTP-SSL-1.01-13.el7.noarch                 @base
        Dep-Install perl-Net-SSLeay-1.55-4.el7.x86_64                    @base
        Dep-Install perl-NetAddr-IP-4.069-3.el7.x86_64                   @base
        Dep-Install perl-Package-Constants-1:0.02-291.el7.noarch         @base
        Dep-Install perl-PlRPC-0.2020-14.el7.noarch                      @base
        Dep-Install perl-Socket6-0.23-15.el7.x86_64                      @base
        Dep-Install perl-Switch-2.16-7.el7.noarch                        @base
        Dep-Install perl-Sys-Syslog-0.33-3.el7.x86_64                    @base
        Dep-Install perl-TimeDate-1:2.30-2.el7.noarch                    @base
        Dep-Install perl-URI-1.60-9.el7.noarch                           @base
        Dep-Install perl-WWW-RobotRules-6.02-5.el7.noarch                @base
        Dep-Install perl-devel-4:5.16.3-291.el7.x86_64                   @base
        Dep-Install perl-libwww-perl-6.05-2.el7.noarch                   @base
        Dep-Install perl-version-3:0.99.07-2.el7.x86_64                  @base
        Install     php-5.6.30-1.el7.remi.x86_64                         @remi-php56
        Install     php-bcmath-5.6.30-1.el7.remi.x86_64                  @remi-php56
        Install     php-cli-5.6.30-1.el7.remi.x86_64                     @remi-php56
        Install     php-common-5.6.30-1.el7.remi.x86_64                  @remi-php56
        Dep-Install php-fedora-autoloader-0.2.1-2.el7.remi.noarch        @remi
        Install     php-gd-5.6.30-1.el7.remi.x86_64                      @remi-php56
        Dep-Install php-gmp-5.6.30-1.el7.remi.x86_64                     @remi-php56
        Install     php-imap-5.6.30-1.el7.remi.x86_64                    @remi-php56
        Dep-Install php-intl-5.6.30-1.el7.remi.x86_64                    @remi-php56
        Dep-Install php-kolab-net-ldap3-1.0.3-1.el7.remi.noarch          @remi
        Dep-Install php-ldap-5.6.30-1.el7.remi.x86_64                    @remi-php56
        Install     php-mbstring-5.6.30-1.el7.remi.x86_64                @remi-php56
        Install     php-mcrypt-5.6.30-1.el7.remi.x86_64                  @remi-php56
        Install     php-mysqlnd-5.6.30-1.el7.remi.x86_64                 @remi-php56
        Install     php-pdo-5.6.30-1.el7.remi.x86_64                     @remi-php56
        Dep-Install php-pear-1:1.10.1-8.el7.remi.noarch                  @remi
        Dep-Install php-pear-Auth-SASL-1.0.6-5.el7.noarch                @epel
        Dep-Install php-pear-Console-CommandLine-1.2.2-1.el7.remi.noarch @remi
        Dep-Install php-pear-Mail-Mime-1.10.0-1.el7.remi.noarch          @remi
        Dep-Install php-pear-Net-IDNA2-0.1.1-10.el7.noarch               @epel
        Dep-Install php-pear-Net-LDAP2-2.2.0-1.el7.remi.noarch           @remi
        Dep-Install php-pear-Net-SMTP-1.7.3-1.el7.remi.noarch            @remi
        Dep-Install php-pear-Net-Sieve-1.3.4-4.el7.remi.noarch           @remi
        Dep-Install php-pear-Net-Socket-1.0.14-1.el7.noarch              @epel
        Dep-Install php-pear-crypt-gpg-1.4.3-1.el7.remi.noarch           @remi
        Dep-Install php-pecl-jsonc-1.3.10-1.el7.remi.5.6.x86_64          @remi-php56
        Dep-Install php-pecl-zip-1.13.5-1.el7.remi.5.6.x86_64            @remi-php56
        Dep-Install php-php-gettext-1.0.12-1.el7.remi.noarch             @remi
        Dep-Install php-phpseclib-2.0.4-1.el7.remi.noarch                @remi
        Dep-Install php-process-5.6.30-1.el7.remi.x86_64                 @remi-php56
        Dep-Install php-pspell-5.6.30-1.el7.remi.x86_64                  @remi-php56
        Dep-Install php-recode-5.6.30-1.el7.remi.x86_64                  @remi-php56
        Install     php-soap-5.6.30-1.el7.remi.x86_64                    @remi-php56
        Dep-Install php-symfony-class-loader-2.8.16-1.el7.remi.noarch    @remi
        Dep-Install php-symfony-common-2.8.16-1.el7.remi.noarch          @remi
        Dep-Install php-tcpdf-6.2.13-1.el7.remi.noarch                   @remi
        Dep-Install php-tcpdf-dejavu-sans-fonts-6.2.13-1.el7.remi.noarch @remi
        Install     php-tidy-5.6.30-1.el7.remi.x86_64                    @remi-php56
        Dep-Install php-udan11-sql-parser-3.4.16-1.el7.remi.noarch       @remi
        Install     php-xml-5.6.30-1.el7.remi.x86_64                     @remi-php56
        Install     php-xmlrpc-5.6.30-1.el7.remi.x86_64                  @remi-php56
        Install     phpMyAdmin-4.6.5.2-1.el7.remi.noarch                 @remi
        Dep-Install pixman-0.34.0-1.el7.x86_64                           @base
        Dep-Install poppler-data-0.4.6-3.el7.noarch                      @base
        Dep-Install portreserve-0.0.5-11.el7.x86_64                      @base
        Dep-Install procmail-3.22-35.el7.x86_64                          @base
        Dep-Install pyparsing-1.5.6-9.el7.noarch                         @base
        Dep-Install recode-3.6-38.el7.x86_64                             @base
        Install     roundcubemail-1.2.3-1.el7.remi.noarch                @remi
        Install     rrdtool-1.4.8-9.el7.x86_64                           @base
        Install     screen-4.1.0-0.23.20120314git3c2946.el7_2.x86_64     @base
        Install     spamassassin-3.4.0-2.el7.x86_64                      @base
        Dep-Install systemd-python-219-30.el7_3.6.x86_64                 @updates
        Dep-Install systemtap-sdt-devel-3.0-7.el7.x86_64                 @base
        Dep-Install t1lib-5.1.2-14.el7.x86_64                            @base
        Dep-Install tcl-1:8.5.13-8.el7.x86_64                            @base
        Install     telnet-1:0.17-60.el7.x86_64                          @base
        Dep-Install urw-fonts-2.4-16.el7.noarch                          @base
        Install     vesta-0.9.8-17.x86_64                                @vesta
        Install     vesta-nginx-0.9.8-17.x86_64                          @vesta
        Install     vesta-php-0.9.8-17.x86_64                            @vesta
        Install     vim-common-2:7.4.160-1.el7_3.1.x86_64                @updates
        Dep-Install vim-filesystem-2:7.4.160-1.el7_3.1.x86_64            @updates
        Install     vsftpd-3.0.2-21.el7.x86_64                           @base
        Install     webalizer-2.23_08-5.el7.x86_64                       @epel
        Dep-Install xorg-x11-font-utils-1:7.5-20.el7.x86_64              @base
    Scriptlet output:
       1 ----------------------------------------------------------------------
       2
       3 Thanks for using nginx!
       4
       5 Please find the official documentation for nginx here:
       6 * http://nginx.org/en/docs/
       7
       8 Commercial subscriptions for nginx are available on:
       9 * http://nginx.com/products/
      10
      11 ----------------------------------------------------------------------
      12
      13 WARNING : These php-* RPMs are not official Fedora / Red Hat build and
      14 overrides the official ones. Don't file bugs on Fedora Project nor Red Hat.
      15
      16 Use dedicated forum at http://forum.remirepo.net/
      17
    history info
    


    The change log of VestaCP's custom-provided Apache 2.4.6 for CentOS 7 has its last entry on July 23, 2014, with a server build date of Dec 15, 2014. Compare to the latest Apache 2.4.25 change log http://www.apache.org/dist/httpd/CHANGES_2.4.25
    Code (Text):
     rpm -qa --changelog httpd | head -n30
    * Wed Jul 23 2014 Johnny Hughes <johnny@centos.org> - 2.4.6-18.el7.centos
    - Roll in CentOS Branding
    
    * Thu Jul 17 2014 Jan Kaluza <jkaluza@redhat.com> - 2.4.6-18
    - mod_cgid: add security fix for CVE-2014-0231 (#1120607)
    - mod_proxy: add security fix for CVE-2014-0117 (#1120607)
    - mod_deflate: add security fix for CVE-2014-0118 (#1120607)
    - mod_status: add security fix for CVE-2014-0226 (#1120607)
    - mod_cache: add secutiry fix for CVE-2013-4352 (#1120607)
    
    * Thu Mar 20 2014 Jan Kaluza <jkaluza@redhat.com> - 2.4.6-17
    - mod_dav: add security fix for CVE-2013-6438 (#1077907)
    - mod_log_config: add security fix for CVE-2014-0098 (#1077907)
    
    * Wed Mar 05 2014 Joe Orton <jorton@redhat.com> - 2.4.6-16
    - mod_ssl: improve DH temp key handling (#1057687)
    
    * Wed Mar 05 2014 Joe Orton <jorton@redhat.com> - 2.4.6-15
    - mod_ssl: use 2048-bit RSA key with SHA-256 signature in dummy certificate (#1071276)
    
    * Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 2.4.6-14
    - Mass rebuild 2014-01-24
    
    * Mon Jan 13 2014 Joe Orton <jorton@redhat.com> - 2.4.6-13
    - mod_ssl: sanity-check use of "SSLCompression" (#1036666)
    - mod_proxy_http: fix brigade memory usage (#1040447)
    
    * Fri Jan 10 2014 Joe Orton <jorton@redhat.com> - 2.4.6-12
    - rebuild

    And compared to the CentOS 7.3 and Red Hat 7.3 default 2.4.6-45 yum package, whose last change log update is Nov 3, 2016 with a build date of Nov 14, 2016:
    Code (Text):
    httpd -V
    Server version: Apache/2.4.6 (CentOS)
    Server built:   Nov 14 2016 18:04:44
    Server's Module Magic Number: 20120211:24
    Server loaded:  APR 1.4.8, APR-UTIL 1.5.2
    Compiled using: APR 1.4.8, APR-UTIL 1.5.2
    Architecture:   64-bit
    Server MPM:     prefork
      threaded:     no
        forked:     yes (variable process count)
    Server compiled with....
     -D APR_HAS_SENDFILE
     -D APR_HAS_MMAP
     -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
     -D APR_USE_SYSVSEM_SERIALIZE
     -D APR_USE_PTHREAD_SERIALIZE
     -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
     -D APR_HAS_OTHER_CHILD
     -D AP_HAVE_RELIABLE_PIPED_LOGS
     -D DYNAMIC_MODULE_LIMIT=256
     -D HTTPD_ROOT="/etc/httpd"
     -D SUEXEC_BIN="/usr/sbin/suexec"
     -D DEFAULT_PIDLOG="/run/httpd/httpd.pid"
     -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
     -D DEFAULT_ERRORLOG="logs/error_log"
     -D AP_TYPES_CONFIG_FILE="conf/mime.types"
     -D SERVER_CONFIG_FILE="conf/httpd.conf"
    

    Code (Text):
    rpm -qa --changelog httpd | head -n30
    * Thu Nov 03 2016 CentOS Sources <bugs@centos.org> - 2.4.6-45.el7.centos
    - Remove index.html, add centos-noindex.tar.gz
    - change vstring
    - change symlink for poweredby.png
    - update welcome.conf with proper aliases
    
    * Wed Aug 03 2016 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-45
    - RFE: run mod_rewrite external mapping program as non-root (#1316900)
    
    * Tue Jul 12 2016 Joe Orton <jorton@redhat.com> - 2.4.6-44
    - add security fix for CVE-2016-5387
    
    * Tue Jul 05 2016 Joe Orton <jorton@redhat.com> - 2.4.6-43
    - add 451 (Unavailable For Legal Reasons) response status-code (#1343582)
    
    * Fri Jun 17 2016 Joe Orton <jorton@redhat.com> - 2.4.6-42
    - mod_cache: treat cache as valid with changed Expires in 304 (#1331341)
    
    * Wed Feb 24 2016 Jan Kaluza <jkaluza@redhat.com> - 2.4.6-41
    - mod_cache: merge r->err_headers_out into r->headers when the response
      is cached for the first time (#1264989)
    - mod_ssl: Do not send SSL warning when SNI hostname is not found as per
      RFC 6066 (#1298148)
    - mod_proxy_fcgi: Ignore body data from backend for 304 responses (#1263038)
    - fix apache user creation when apache group already exists (#1299889)
    - fix apache user creation when USERGROUPS_ENAB is set to 'no' (#1288757)
    - mod_proxy: fix slow response time for reponses with error status code
      when using ProxyErrorOverride (#1283653)
    - mod_ldap: Respect LDAPConnectionPoolTTL for authn connections (#1300149)
    - mod_ssl: use "localhost" in the dummy SSL cert for long FQDNs (#1240495)
    

    Some of the security CVE fixes in the CentOS 7.3 official Apache 2.4.6-45 yum package:
    Code (Text):
    rpm -qa --changelog httpd | grep CVE
    - add security fix for CVE-2016-5387
    - core: fix chunk header parsing defect (CVE-2015-3183)
      and ap_force_authn hook (CVE-2015-3185)
    - core: fix bypassing of mod_headers rules via chunked requests (CVE-2013-5704)
    - mod_cache: fix NULL pointer dereference on empty Content-Type (CVE-2014-3581)
    - mod_cgid: add security fix for CVE-2014-0231 (#1120608)
    - mod_proxy: add security fix for CVE-2014-0117 (#1120608)
    - mod_deflate: add security fix for CVE-2014-0118 (#1120608)
    - mod_status: add security fix for CVE-2014-0226 (#1120608)
    - mod_cache: add secutiry fix for CVE-2013-4352 (#1120608)
    - mod_dav: add security fix for CVE-2013-6438 (#1077907)
    - mod_log_config: add security fix for CVE-2014-0098 (#1077907)
    

    Okay, not that bad, with only 6 later CVE security related entries for CVE-2016-5387, CVE-2015-3183 and CVE-2015-3185, CVE-2014-3581, CVE-2014-3581 and CVE-2014-3581 missing from the VestaCP-provided custom Apache 2.4.6-18 build. Though it's not the quantity but the severity of the security flaws that matters!
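    One way to automate the CVE-gap comparison done by hand above, as an added example that is not part of the original post: the two changelog excerpts are constructed from the entries quoted in this thread (the VestaCP 2.4.6-118 build against the CentOS 7.3 2.4.6-45 build, with one constructed release header where the post does not show it), and on a live host you would feed in `rpm -q --changelog httpd` output for each side instead.

```shell
#!/bin/sh
# Added example, not from the original post or from VestaCP/CentOS.
# Report which CVE fixes the distro's current httpd changelog lists that the
# installed (vendor-pinned) httpd changelog does not mention.

# CONSTRUCTED from the VestaCP 2.4.6-118 changelog entries quoted in the post.
INSTALLED_CHANGELOG='* Thu Jul 17 2014 Jan Kaluza <jkaluza@redhat.com> - 2.4.6-18
- mod_cgid: add security fix for CVE-2014-0231 (#1120607)
- mod_proxy: add security fix for CVE-2014-0117 (#1120607)
- mod_deflate: add security fix for CVE-2014-0118 (#1120607)
- mod_status: add security fix for CVE-2014-0226 (#1120607)
- mod_cache: add secutiry fix for CVE-2013-4352 (#1120607)

* Thu Mar 20 2014 Jan Kaluza <jkaluza@redhat.com> - 2.4.6-17
- mod_dav: add security fix for CVE-2013-6438 (#1077907)
- mod_log_config: add security fix for CVE-2014-0098 (#1077907)'

# CONSTRUCTED from the CentOS 7.3 2.4.6-45 entries quoted in the post. The
# release header for the 2013-5704 / 2014-3581 fixes is a placeholder because
# the post only shows those lines via "grep CVE".
REFERENCE_CHANGELOG='* Tue Jul 12 2016 Joe Orton <jorton@redhat.com> - 2.4.6-44
- add security fix for CVE-2016-5387

* Mon Aug 10 2015 Jan Kaluza <jkaluza@redhat.com> - 2.4.6-37
- core: fix chunk header parsing defect (CVE-2015-3183)
- core: replace of ap_some_auth_required with ap_some_authn_required
  and ap_force_authn hook (CVE-2015-3185)

* (placeholder header: release and date not shown in the post)
- core: fix bypassing of mod_headers rules via chunked requests (CVE-2013-5704)
- mod_cache: fix NULL pointer dereference on empty Content-Type (CVE-2014-3581)

* Thu Jul 17 2014 Jan Kaluza <jkaluza@redhat.com> - 2.4.6-18
- mod_cgid: add security fix for CVE-2014-0231 (#1120608)
- mod_proxy: add security fix for CVE-2014-0117 (#1120608)
- mod_deflate: add security fix for CVE-2014-0118 (#1120608)
- mod_status: add security fix for CVE-2014-0226 (#1120608)
- mod_cache: add secutiry fix for CVE-2013-4352 (#1120608)

* Thu Mar 20 2014 Jan Kaluza <jkaluza@redhat.com> - 2.4.6-17
- mod_dav: add security fix for CVE-2013-6438 (#1077907)
- mod_log_config: add security fix for CVE-2014-0098 (#1077907)'

# Print the unique CVE identifiers mentioned in a changelog text, one per
# line, sorted. Fixed-width year and id fields make lexical order usable.
extract_cves() {
    printf '%s\n' "$1" | grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Print the CVE ids that appear in the reference changelog ($2) but not in the
# installed one ($1). grep -F reads one fixed pattern per line, -x forces a
# whole-line match, -v keeps the non-matching (i.e. missing) ids.
missing_cves() {
    installed=$(extract_cves "$1")
    if [ -z "$installed" ]; then
        extract_cves "$2"          # nothing installed mentions a CVE: all missing
        return 0
    fi
    extract_cves "$2" | grep -vxF "$installed" || true
}

# Number of missing CVE ids (0 when the installed build is caught up).
count_missing() {
    missing_cves "$1" "$2" | grep -c . || true
}

# Exit status 0 when the installed build lacks at least one referenced CVE fix,
# so the check can gate a deployment or an alert.
is_behind() {
    [ "$(count_missing "$1" "$2")" -gt 0 ]
}

# Report for the constructed data; replace the two variables with real
# `rpm -q --changelog httpd` output captured on the installed and reference hosts.
if is_behind "$INSTALLED_CHANGELOG" "$REFERENCE_CHANGELOG"; then
    echo "Installed httpd is missing $(count_missing "$INSTALLED_CHANGELOG" "$REFERENCE_CHANGELOG") CVE fix entries:"
    missing_cves "$INSTALLED_CHANGELOG" "$REFERENCE_CHANGELOG" | sed 's/^/  /'
else
    echo "Installed httpd changelog covers every CVE in the reference changelog."
fi
```

    The comparison is only as good as the vendor's changelog discipline: a rebuild that silently carries a fix without naming the CVE shows up as a false gap, so treat the output as a prompt to verify, not as a final verdict.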

    What if you filter for the 2015 and 2016 updates in CentOS 7.3 Apache 2.4.6-45?
    Code (Text):
    rpm -qa --changelog httpd | egrep -C10 '2015|2016'
    * Thu Nov 03 2016 CentOS Sources <bugs@centos.org> - 2.4.6-45.el7.centos
    - Remove index.html, add centos-noindex.tar.gz
    - change vstring
    - change symlink for poweredby.png
    - update welcome.conf with proper aliases
    
    * Wed Aug 03 2016 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-45
    - RFE: run mod_rewrite external mapping program as non-root (#1316900)
    
    * Tue Jul 12 2016 Joe Orton <jorton@redhat.com> - 2.4.6-44
    - add security fix for CVE-2016-5387
    
    * Tue Jul 05 2016 Joe Orton <jorton@redhat.com> - 2.4.6-43
    - add 451 (Unavailable For Legal Reasons) response status-code (#1343582)
    
    * Fri Jun 17 2016 Joe Orton <jorton@redhat.com> - 2.4.6-42
    - mod_cache: treat cache as valid with changed Expires in 304 (#1331341)
    
    * Wed Feb 24 2016 Jan Kaluza <jkaluza@redhat.com> - 2.4.6-41
    - mod_cache: merge r->err_headers_out into r->headers when the response
      is cached for the first time (#1264989)
    - mod_ssl: Do not send SSL warning when SNI hostname is not found as per
      RFC 6066 (#1298148)
    - mod_proxy_fcgi: Ignore body data from backend for 304 responses (#1263038)
    - fix apache user creation when apache group already exists (#1299889)
    - fix apache user creation when USERGROUPS_ENAB is set to 'no' (#1288757)
    - mod_proxy: fix slow response time for reponses with error status code
      when using ProxyErrorOverride (#1283653)
    - mod_ldap: Respect LDAPConnectionPoolTTL for authn connections (#1300149)
    - mod_ssl: use "localhost" in the dummy SSL cert for long FQDNs (#1240495)
    - rotatelogs: improve support for localtime (#1244545)
    - ab: fix read failure when targeting SSL server (#1255331)
    - mod_log_debug: fix LogMessage example in documentation (#1279465)
    - mod_authz_dbd, mod_authn_dbd, mod_session_dbd, mod_rewrite: Fix lifetime
      of DB lookup entries independently of the selected DB engine (#1287844)
    - mod_ssl: fix hardware crypto support with custom DH parms (#1291865)
    - mod_proxy_fcgi: fix SCRIPT_FILENAME when a balancer is used (#1302797)
    
    * Thu Sep 17 2015 Jan Kaluza <jkaluza@redhat.com> - 2.4.6-40
    - mod_dav: follow up fix for previous commit (#1263975)
    
    * Wed Aug 26 2015 Jan Kaluza <jkaluza@redhat.com> - 2.4.6-39
    - mod_dav: treat dav_resource uri as escaped (#1255480)
    
    * Wed Aug 19 2015 Jan Kaluza <jkaluza@redhat.com> - 2.4.6-38
    - mod_ssl: add support for User Principal Name in SSLUserName  (#1242503)
    
    * Mon Aug 10 2015 Jan Kaluza <jkaluza@redhat.com> - 2.4.6-37
    - core: fix chunk header parsing defect (CVE-2015-3183)
    - core: replace of ap_some_auth_required with ap_some_authn_required
      and ap_force_authn hook (CVE-2015-3185)
    
    * Tue Jul 14 2015 Jan Kaluza <jkaluza@redhat.com> - 2.4.6-36
    - Revert fix for #1162152, it is not needed in RHEL7
    - mod_proxy_ajp: fix settings ProxyPass parameters for AJP backends (#1242416)
    
    * Wed Jul 01 2015 Jan Kaluza <jkaluza@redhat.com> - 2.4.6-35
    - mod_remoteip: correct the trusted proxy match test (#1179306)
    - mod_dav: send complete response when resource is created (#1235383)
    - apachectl: correct the apachectl status man page (#1231924)
    
    * Wed Jun 03 2015 Jan Kaluza <jkaluza@redhat.com> - 2.4.6-34
    - mod_proxy_fcgi: honor Timeout / ProxyTimeout (#1222328)
    - do not show all vhosts twice in httpd -D DUMP_VHOSTS output (#1225820)
    - fix -D[efined] or <Define>[d] variables lifetime accross restarts (#1227219)
    - mod_ssl: do not send NPN extension with not configured (#1226015)
    
    * Mon May 18 2015 Jan Kaluza <jkaluza@redhat.com> - 2.4.6-33
    - mod_authz_dbm: fix crash when using "Require dbm-file-group" (#1221575)
    
    * Wed Apr 15 2015 Jan Kaluza <jkaluza@redhat.com> - 2.4.6-32
    - mod_authn_dbd: fix use-after-free bug with postgresql (#1188779)
    - mod_remoteip: correct the trusted proxy match test (#1179306)
    - mod_status: honor remote_ip as documented (#1169081)
    - mod_deflate: fix decompression of files larger than 4GB (#1170214)
    - core: improve error message for inaccessible DocumentRoot (#1170220)
    - ab: try all addresses instead of failing on first one when not available (#1125276)
    - mod_proxy_wstunnel: add support for SSL (#1180745)
    - mod_proxy_wstunnel: load this module by default (#1180745)
    - mod_rewrite: add support for WebSockets (#1180745)
    - mod_rewrite: do not search for directory if a URL will be rewritten (#1210091)
    


    From the CentOS / Redhat 7.3 official Apache 2.4.6-45 change log at Red Hat Customer Portal
    this one in particular is very relevant for Apache 2.4 + php-fpm setups,
    and the missing CVE-2016-5387 is a big one: CVE-2016-5387 - Red Hat Customer Portal
    and https://httpoxy.org/
    Guess you need to be careful with VestaCP on CentOS 7, as the Apache 2.4.6-18 built rpm is very insecure with 30+ months of security updates and a lot of bug fixes missing ! :eek:
     
    Last edited: Jan 30, 2017
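The package audit the post describes (which CVE fixes a given httpd changelog actually carries, and whether the httpoxy mitigation is in place), as an added example that is not part of the original post, VestaCP or Centmin Mod. The changelog excerpts are constructed from entries quoted above, the function names are my own, and the `RequestHeader unset Proxy early` rule is the Apache mitigation documented at httpoxy.org; in real use feed it `rpm -q --changelog httpd` and the live httpd config instead of the samples.

```shell
#!/bin/sh
# Added example (not from the thread, VestaCP or Centmin Mod): audit an httpd
# package changelog for the security fixes discussed above, and check an
# Apache config for the httpoxy (CVE-2016-5387) mitigation.
# Real use: pass "$(rpm -q --changelog httpd)" instead of the samples below.

# Constructed excerpt modelled on the Red Hat 2.4.6-45 changelog quoted above.
SAMPLE_CHANGELOG='* Tue Jul 12 2016 Joe Orton <jorton@redhat.com> - 2.4.6-44
- add security fix for CVE-2016-5387

* Mon Aug 10 2015 Jan Kaluza <jkaluza@redhat.com> - 2.4.6-37
- core: fix chunk header parsing defect (CVE-2015-3183)
- core: replace of ap_some_auth_required with ap_some_authn_required
  and ap_force_authn hook (CVE-2015-3185)

* Wed Jul 01 2015 Jan Kaluza <jkaluza@redhat.com> - 2.4.6-35
- mod_remoteip: correct the trusted proxy match test (#1179306)'

# Constructed stand-in for a vendor build whose changelog stops before the
# 2015/2016 fixes (the thread reports a VestaCP package built in Dec 2014).
STALE_CHANGELOG='* Wed Jul 01 2015 Jan Kaluza <jkaluza@redhat.com> - 2.4.6-35
- mod_remoteip: correct the trusted proxy match test (#1179306)'

# CVEs the thread calls out; treat these as the minimum a CentOS 7 httpd
# 2.4.6 build should have in its changelog.
REQUIRED_CVES='CVE-2016-5387 CVE-2015-3183 CVE-2015-3185'

# Newest release tag: the text after " - " on the first "* ..." header.
newest_release() {
    printf '%s\n' "$1" | awk '/^\* / { sub(/.* - /, ""); print; exit }'
}

# Every distinct CVE id mentioned in the changelog, one per line, sorted.
cves_fixed() {
    printf '%s\n' "$1" | grep -o 'CVE-[0-9]\{4\}-[0-9]\{4,\}' | sort -u
}

# Ids from the space-separated list $2 that the changelog $1 never mentions.
missing_cves() {
    fixed=$(cves_fixed "$1")
    for id in $2; do
        printf '%s\n' "$fixed" | grep -qx "$id" || printf '%s\n' "$id"
    done
}

# True (exit 0) when the Apache config text in $1 contains the mod_headers
# rule recommended at https://httpoxy.org/, which drops a client-supplied
# Proxy header before CGI/FastCGI would expose it as HTTP_PROXY.
httpoxy_mitigated() {
    printf '%s\n' "$1" | grep -qiE \
        '^[[:space:]]*RequestHeader[[:space:]]+unset[[:space:]]+Proxy([[:space:]]+early)?[[:space:]]*$'
}

# Stand-alone demo against the constructed samples.
main() {
    for log in "$SAMPLE_CHANGELOG" "$STALE_CHANGELOG"; do
        echo "newest release in changelog: $(newest_release "$log")"
        missing=$(missing_cves "$log" "$REQUIRED_CVES")
        if [ -n "$missing" ]; then
            echo "  MISSING fixes:"; printf '    %s\n' $missing
        else
            echo "  all required CVE fixes present"
        fi
    done
    httpoxy_mitigated 'RequestHeader unset Proxy early' \
        && echo "httpoxy mitigation found in sample config"
}

main
```

A missing CVE id in the changelog is a strong hint, not proof: a vendor can backport a fix without naming the CVE, so confirm against the vendor's advisory before declaring a host unpatched. Conversely, if the id is absent and the build date predates the advisory (as with the Dec 2014 package in the post), treat the package as vulnerable until replaced.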
  2. Revenge

    Revenge Active Member

    You can install VestaCP with nginx + php-fpm. VestaCP installs the default things that are in the repos. Apache 2.4.6 is the one in the CentOS repo, so it installs that one.

    I think most people who use VestaCP do so just for the panel, where it's easy to make full backups for example, all of them automated, and a few more things.
    Conf files are all to be changed of course, along with the repos it uses.
     
  3. eva2000

    eva2000 Administrator Staff Member

    Yeah saw that configurator for custom install commands :) Though I think most folks just do the default install ? CentOS 7's VestaCP Apache 2.4.6 isn't from the CentOS 7 official repo though, as you can see above; it's a custom older package built by VestaCP dating back to Dec 2014 ! If they're going to build and use their own Apache 2.4.6 rpms, I would have thought they'd use the latest Apache 2.4.25 at least, or base it on CentOS 7.3's newer 2.4.6-45 packages !
     
    Last edited: Jan 21, 2017