
Security VestaCP ouch no HTTP/2 and outdated Apache !

Discussion in 'System Administration' started by eva2000, Jan 20, 2017.

eva2000 (Administrator, Staff Member)
    A client of mine is planning to switch from VestaCP on CentOS 7 to the Centmin Mod LEMP stack on CentOS 7. VestaCP defaults to using Nginx as a reverse proxy to an Apache PHP backend.

    I haven't used VestaCP before, so I had a quick look into its building blocks and was surprised to see:
    1. on CentOS 7, VestaCP installed Nginx 1.10.2 and Apache 2.4.6
    2. Nginx uses the system openssl 1.0.1e, so NO ALPN protocol support and no openssl 1.0.2+ for HTTP/2 based HTTPS, hence poorer performance for HTTPS based sites
    3. Apache 2.4.6 is installed and is way out of date even for CentOS backported fixes. The change log was 30+ months older than the latest Apache 2.4.25, so there's like 30+ months of security updates missing? Apache 2.4.25 change log: http://www.apache.org/dist/httpd/CHANGES_2.4.25
    4. Apache using default prefork MPM instead of event MPM
    The installed httpd is 2.4.6-18, which is a custom built VestaCP package named 2.4.6-118. Redhat 7.3/CentOS 7.3's httpd package is 2.4.6-45:
    Code (Text):
    yum list installed httpd -q | tr -s ' '
    Installed Packages
    httpd.x86_64 2.4.6-118.el7.centos @vesta
    

    Code (Text):
    httpd -V
    Server version: Apache/2.4.6 (CentOS)
    Server built:   Dec 15 2014 17:32:43
    Server's Module Magic Number: 20120211:23
    Server loaded:  APR 1.4.8, APR-UTIL 1.5.2
    Compiled using: APR 1.4.8, APR-UTIL 1.5.2
    Architecture:   64-bit
    Server MPM:     prefork
      threaded:     no
        forked:     yes (variable process count)
    Server compiled with....
     -D APR_HAS_SENDFILE
     -D APR_HAS_MMAP
     -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
     -D APR_USE_SYSVSEM_SERIALIZE
     -D APR_USE_PTHREAD_SERIALIZE
     -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
     -D APR_HAS_OTHER_CHILD
     -D AP_HAVE_RELIABLE_PIPED_LOGS
     -D DYNAMIC_MODULE_LIMIT=256
     -D HTTPD_ROOT="/etc/httpd"
     -D SUEXEC_BIN="/usr/sbin/suexec"
     -D DEFAULT_PIDLOG="/run/httpd/httpd.pid"
     -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
     -D DEFAULT_ERRORLOG="logs/error_log"
     -D AP_TYPES_CONFIG_FILE="conf/mime.types"
     -D SERVER_CONFIG_FILE="conf/httpd.conf"


    VestaCP's custom Apache rpm is installed from http://c.vestacp.com/rpms/7/httpd/x86_64/


    Code (Text):
    http://c.vestacp.com/rpms/7/httpd/x86_64/
    
      httpd-2.4.6-118.el7.centos.x86_64.rpm 15-Dec-2014 17:44 2.7M
      httpd-debuginfo-2.4.6-118.el7.centos.x86_64.rpm 15-Dec-2014 17:44 3.4M
      httpd-devel-2.4.6-118.el7.centos.x86_64.rpm 15-Dec-2014 17:44 180K
      httpd-manual-2.4.6-118.el7.centos.noarch.rpm  15-Dec-2014 17:44 1.3M
      httpd-tools-2.4.6-118.el7.centos.x86_64.rpm 15-Dec-2014 17:44 76K
      mod_ldap-2.4.6-118.el7.centos.x86_64.rpm  15-Dec-2014 17:44 57K
      mod_proxy_html-2.4.6-118.el7.centos.x86_64.rpm  15-Dec-2014 17:44 37K
      mod_session-2.4.6-118.el7.centos.x86_64.rpm 15-Dec-2014 17:44 46K
      mod_ssl-2.4.6-118.el7.centos.x86_64.rpm 15-Dec-2014 17:44 96K
    


    Yum history info for the httpd package confirms it too:
    Code (Text):
        Install     httpd-2.4.6-118.el7.centos.x86_64                    @vesta
        Dep-Install httpd-tools-2.4.6-118.el7.centos.x86_64              @vesta
    

    Code (Text):
    yum history info httpd
    Loaded plugins: fastestmirror
    Transaction ID : 5
    Begin time     : Fri Jan 20 14:58:50 2017
    Begin rpmdb    : 426:66a704bee0cd7de45d2a69895f2d604c062d7a45
    End time       :            15:00:02 2017 (72 seconds)
    End rpmdb      : 656:f3d1caccd5c1db832aa96a97aa816b32d8d4a001
    User           : root <root>
    Return-Code    : Success
    Command Line   : -y --disablerepo=* --enablerepo=base,updates,nginx,epel,vesta,remi* install nginx httpd mod_ssl mod_ruid2 mod_fcgid php php-common php-cli php-bcmath php-gd php-imap php-mbstring php-mcrypt php-mysql php-pdo php-soap php-tidy php-xml php-xmlrpc awstats webalizer vsftpd bind bind-utils bind-libs exim dovecot clamav-server clamav-update spamassassin roundcubemail mariadb mariadb-server phpMyAdmin e2fsprogs openssh-clients ImageMagick curl mc screen ftp zip unzip flex sqlite pcre sudo bc jwhois mailx lsof tar telnet rrdtool net-tools ntp GeoIP freetype fail2ban rsyslog iptables-services which vesta vesta-nginx vesta-php vim-common expect
    Transaction performed with:
        Installed     rpm-4.11.3-21.el7.x86_64                      @base
        Installed     yum-3.4.3-150.el7.centos.noarch               @base
        Installed     yum-plugin-fastestmirror-1.1.31-40.el7.noarch @base
    Packages Altered:
        Install     ImageMagick-6.7.8.9-15.el7_2.x86_64                  @base
        Dep-Install OpenEXR-libs-1.7.1-7.el7.x86_64                      @base
        Dep-Install aspell-12:0.60.6.1-9.el7.x86_64                      @base
        Dep-Install autogen-libopts-5.18-5.el7.x86_64                    @base
        Install     awstats-7.4-1.el7.noarch                             @epel
        Install     bc-1.06.95-13.el7.x86_64                             @base
        Install     bind-32:9.9.4-38.el7_3.1.x86_64                      @updates
        Install     bind-libs-32:9.9.4-38.el7_3.1.x86_64                 @updates
        Install     bind-utils-32:9.9.4-38.el7_3.1.x86_64                @updates
        Dep-Install cairo-1.14.2-1.el7.x86_64                            @base
        Dep-Install clamav-data-0.99.2-1.el7.noarch                      @epel
        Dep-Install clamav-filesystem-0.99.2-1.el7.noarch                @epel
        Dep-Install clamav-lib-0.99.2-1.el7.x86_64                       @epel
        Install     clamav-server-0.99.2-1.el7.x86_64                    @epel
        Install     clamav-update-0.99.2-1.el7.x86_64                    @epel
        Dep-Install clucene-core-2.3.3.4-11.el7.x86_64                   @base
        Dep-Install cups-libs-1:1.6.3-26.el7.x86_64                      @base
        Dep-Install dejavu-fonts-common-2.33-6.el7.noarch                @base
        Dep-Install dejavu-sans-fonts-2.33-6.el7.noarch                  @base
        Dep-Install dejavu-sans-mono-fonts-2.33-6.el7.noarch             @base
        Install     dovecot-1:2.2.10-7.el7.x86_64                        @base
        Install     exim-4.84.2-2.el7.x86_64                             @epel
        Install     expect-5.45-14.el7_1.x86_64                          @base
        Install     fail2ban-0.9.5-3.el7.noarch                          @epel
        Dep-Install fail2ban-firewalld-0.9.5-3.el7.noarch                @epel
        Dep-Install fail2ban-sendmail-0.9.5-3.el7.noarch                 @epel
        Dep-Install fail2ban-server-0.9.5-3.el7.noarch                   @epel
        Dep-Install fontconfig-2.10.95-10.el7.x86_64                     @base
        Dep-Install fontpackages-filesystem-1.44-8.el7.noarch            @base
        Install     ftp-0.17-67.el7.x86_64                               @base
        Dep-Install gd-2.0.35-26.el7.x86_64                              @base
        Dep-Install gd-last-2.2.4-1.el7.remi.x86_64                      @remi
        Dep-Install gdbm-devel-1.10-8.el7.x86_64                         @base
        Dep-Install gdk-pixbuf2-2.31.6-3.el7.x86_64                      @base
        Dep-Install ghostscript-9.07-20.el7_3.1.x86_64                   @updates
        Dep-Install ghostscript-fonts-5.50-32.el7.noarch                 @base
        Dep-Install gnupg1-1.4.20-1.el7.remi.x86_64                      @remi
        Dep-Install gpm-libs-1.20.7-5.el7.x86_64                         @base
        Dep-Install graphite2-1.3.6-1.el7_2.x86_64                       @base
        Dep-Install harfbuzz-0.9.36-1.el7.x86_64                         @base
        Install     httpd-2.4.6-118.el7.centos.x86_64                    @vesta
        Dep-Install httpd-tools-2.4.6-118.el7.centos.x86_64              @vesta
        Dep-Install ilmbase-1.0.3-7.el7.x86_64                           @base
        Install     iptables-services-1.4.21-17.el7.x86_64               @base
        Dep-Install jasper-libs-1.900.1-29.el7.x86_64                    @base
        Dep-Install jbigkit-libs-2.0-11.el7.x86_64                       @base
        Install     jwhois-4.0-45.el7.x86_64                             @epel
        Dep-Install lcms2-2.6-3.el7.x86_64                               @base
        Dep-Install libICE-1.0.9-2.el7.x86_64                            @base
        Dep-Install libSM-1.2.2-2.el7.x86_64                             @base
        Dep-Install libX11-1.6.3-3.el7.x86_64                            @base
        Dep-Install libX11-common-1.6.3-3.el7.noarch                     @base
        Dep-Install libXau-1.0.8-2.1.el7.x86_64                          @base
        Dep-Install libXdamage-1.1.4-4.1.el7.x86_64                      @base
        Dep-Install libXext-1.3.3-3.el7.x86_64                           @base
        Dep-Install libXfixes-5.0.1-2.1.el7.x86_64                       @base
        Dep-Install libXfont-1.5.1-2.el7.x86_64                          @base
        Dep-Install libXft-2.3.2-2.el7.x86_64                            @base
        Dep-Install libXpm-3.5.11-3.el7.x86_64                           @base
        Dep-Install libXrender-0.9.8-2.1.el7.x86_64                      @base
        Dep-Install libXt-1.1.4-6.1.el7.x86_64                           @base
        Dep-Install libXxf86vm-1.1.3-2.1.el7.x86_64                      @base
        Dep-Install libc-client-2007f-4.el7.1.x86_64                     @epel
        Dep-Install libdb-devel-5.3.21-19.el7.x86_64                     @base
        Dep-Install libfontenc-1.1.2-3.el7.x86_64                        @base
        Dep-Install libgsasl-1.8.0-8.el7.x86_64                          @epel
        Dep-Install libicu-50.1.2-15.el7.x86_64                          @base
        Dep-Install libidn2-0.11-1.el7.x86_64                            @epel
        Dep-Install libmcrypt-2.5.8-13.el7.x86_64                        @epel
        Dep-Install libntlm-1.3-6.el7.x86_64                             @base
        Dep-Install libpng-2:1.5.13-7.el7_2.x86_64                       @base
        Dep-Install librsvg2-2.39.0-1.el7.x86_64                         @base
        Dep-Install libthai-0.1.14-9.el7.x86_64                          @base
        Dep-Install libtidy-0.99.0-31.20091203.el7.x86_64                @epel
        Dep-Install libtiff-4.0.3-25.el7_2.x86_64                        @base
        Dep-Install libtool-ltdl-2.4.2-21.el7_2.x86_64                   @base
        Dep-Install libusb-1:0.1.4-3.el7.x86_64                          @base
        Dep-Install libusbx-1.0.20-1.el7.x86_64                          @base
        Dep-Install libwebp-0.3.0-3.el7.x86_64                           @base
        Dep-Install libwmf-lite-0.2.8.4-41.el7_1.x86_64                  @base
        Dep-Install libxcb-1.11-4.el7.x86_64                             @base
        Dep-Install libxshmfence-1.2-1.el7.x86_64                        @base
        Dep-Install libxslt-1.1.28-5.el7.x86_64                          @base
        Dep-Install libzip-last-1.1.3-1.el7.remi.x86_64                  @remi
        Install     lsof-4.87-4.el7.x86_64                               @base
        Dep-Install mailcap-2.1.41-2.el7.noarch                          @base
        Install     mailx-12.5-12.el7_0.x86_64                           @base
        Install     mariadb-1:5.5.52-1.el7.x86_64                        @base
        Install     mariadb-server-1:5.5.52-1.el7.x86_64                 @base
        Install     mc-1:4.8.7-11.el7.x86_64                             @base
        Dep-Install mesa-libEGL-11.2.2-2.20160614.el7.x86_64             @base
        Dep-Install mesa-libGL-11.2.2-2.20160614.el7.x86_64              @base
        Dep-Install mesa-libgbm-11.2.2-2.20160614.el7.x86_64             @base
        Dep-Install mesa-libglapi-11.2.2-2.20160614.el7.x86_64           @base
        Install     mod_fcgid-2.3.9-4.el7.x86_64                         @base
        Install     mod_ruid2-0.9.8-2.el7.x86_64                         @epel
        Install     mod_ssl-1:2.4.6-118.el7.centos.x86_64                @vesta
        Install     net-tools-2.0-0.17.20131004git.el7.x86_64            @base
        Install     nginx-1:1.10.2-1.el7.ngx.x86_64                      @nginx
        Dep-Install nmap-ncat-2:6.40-7.el7.x86_64                        @base
        Install     ntp-4.2.6p5-25.el7.centos.x86_64                     @base
        Dep-Install ntpdate-4.2.6p5-25.el7.centos.x86_64                 @base
        Dep-Install pango-1.36.8-2.el7.x86_64                            @base
        Dep-Install perl-Archive-Tar-1.92-2.el7.noarch                   @base
        Dep-Install perl-Business-ISBN-2.06-2.el7.noarch                 @base
        Dep-Install perl-Business-ISBN-Data-20120719.001-2.el7.noarch    @base
        Dep-Install perl-CGI-3.63-4.el7.noarch                           @base
        Dep-Install perl-Compress-Raw-Bzip2-2.061-3.el7.x86_64           @base
        Dep-Install perl-Compress-Raw-Zlib-1:2.061-4.el7.x86_64          @base
        Dep-Install perl-Crypt-OpenSSL-Bignum-0.04-18.el7.x86_64         @base
        Dep-Install perl-Crypt-OpenSSL-RSA-0.28-7.el7.x86_64             @base
        Dep-Install perl-Crypt-OpenSSL-Random-0.04-21.el7.x86_64         @base
        Dep-Install perl-DBD-MySQL-4.023-5.el7.x86_64                    @base
        Dep-Install perl-DBI-1.627-4.el7.x86_64                          @base
        Dep-Install perl-DB_File-1.830-6.el7.x86_64                      @base
        Dep-Install perl-Digest-1.17-245.el7.noarch                      @base
        Dep-Install perl-Digest-HMAC-1.03-5.el7.noarch                   @base
        Dep-Install perl-Digest-MD5-2.52-3.el7.x86_64                    @base
        Dep-Install perl-Digest-SHA-1:5.85-3.el7.x86_64                  @base
        Dep-Install perl-Encode-Detect-1.01-13.el7.x86_64                @base
        Dep-Install perl-Encode-Locale-1.03-5.el7.noarch                 @base
        Dep-Install perl-ExtUtils-Install-1.58-291.el7.noarch            @base
        Dep-Install perl-ExtUtils-MakeMaker-6.68-3.el7.noarch            @base
        Dep-Install perl-ExtUtils-Manifest-1.61-244.el7.noarch           @base
        Dep-Install perl-ExtUtils-ParseXS-1:3.18-2.el7.noarch            @base
        Dep-Install perl-FCGI-1:0.74-8.el7.x86_64                        @base
        Dep-Install perl-File-Listing-6.04-7.el7.noarch                  @base
        Dep-Install perl-Geo-IP-1.43-3.el7.x86_64                        @epel
        Dep-Install perl-HTML-Parser-3.71-4.el7.x86_64                   @base
        Dep-Install perl-HTML-Tagset-3.20-15.el7.noarch                  @base
        Dep-Install perl-HTTP-Cookies-6.01-5.el7.noarch                  @base
        Dep-Install perl-HTTP-Daemon-6.01-5.el7.noarch                   @base
        Dep-Install perl-HTTP-Date-6.02-8.el7.noarch                     @base
        Dep-Install perl-HTTP-Message-6.06-6.el7.noarch                  @base
        Dep-Install perl-HTTP-Negotiate-6.01-5.el7.noarch                @base
        Dep-Install perl-IO-Compress-2.061-2.el7.noarch                  @base
        Dep-Install perl-IO-HTML-1.00-2.el7.noarch                       @base
        Dep-Install perl-IO-Socket-INET6-2.69-5.el7.noarch               @base
        Dep-Install perl-IO-Socket-IP-0.21-4.el7.noarch                  @base
        Dep-Install perl-IO-Socket-SSL-1.94-5.el7.noarch                 @base
        Dep-Install perl-IO-Zlib-1:1.10-291.el7.noarch                   @base
        Dep-Install perl-LWP-MediaTypes-6.02-2.el7.noarch                @base
        Dep-Install perl-Mail-DKIM-0.39-8.el7.noarch                     @base
        Dep-Install perl-Mail-SPF-2.8.0-4.el7.noarch                     @base
        Dep-Install perl-MailTools-2.12-2.el7.noarch                     @base
        Dep-Install perl-Net-DNS-0.72-6.el7.x86_64                       @base
        Dep-Install perl-Net-Daemon-0.48-5.el7.noarch                    @base
        Dep-Install perl-Net-HTTP-6.06-2.el7.noarch                      @base
        Dep-Install perl-Net-IP-1.26-4.el7.noarch                        @epel
        Dep-Install perl-Net-LibIDN-0.12-15.el7.x86_64                   @base
        Dep-Install perl-Net-SMTP-SSL-1.01-13.el7.noarch                 @base
        Dep-Install perl-Net-SSLeay-1.55-4.el7.x86_64                    @base
        Dep-Install perl-NetAddr-IP-4.069-3.el7.x86_64                   @base
        Dep-Install perl-Package-Constants-1:0.02-291.el7.noarch         @base
        Dep-Install perl-PlRPC-0.2020-14.el7.noarch                      @base
        Dep-Install perl-Socket6-0.23-15.el7.x86_64                      @base
        Dep-Install perl-Switch-2.16-7.el7.noarch                        @base
        Dep-Install perl-Sys-Syslog-0.33-3.el7.x86_64                    @base
        Dep-Install perl-TimeDate-1:2.30-2.el7.noarch                    @base
        Dep-Install perl-URI-1.60-9.el7.noarch                           @base
        Dep-Install perl-WWW-RobotRules-6.02-5.el7.noarch                @base
        Dep-Install perl-devel-4:5.16.3-291.el7.x86_64                   @base
        Dep-Install perl-libwww-perl-6.05-2.el7.noarch                   @base
        Dep-Install perl-version-3:0.99.07-2.el7.x86_64                  @base
        Install     php-5.6.30-1.el7.remi.x86_64                         @remi-php56
        Install     php-bcmath-5.6.30-1.el7.remi.x86_64                  @remi-php56
        Install     php-cli-5.6.30-1.el7.remi.x86_64                     @remi-php56
        Install     php-common-5.6.30-1.el7.remi.x86_64                  @remi-php56
        Dep-Install php-fedora-autoloader-0.2.1-2.el7.remi.noarch        @remi
        Install     php-gd-5.6.30-1.el7.remi.x86_64                      @remi-php56
        Dep-Install php-gmp-5.6.30-1.el7.remi.x86_64                     @remi-php56
        Install     php-imap-5.6.30-1.el7.remi.x86_64                    @remi-php56
        Dep-Install php-intl-5.6.30-1.el7.remi.x86_64                    @remi-php56
        Dep-Install php-kolab-net-ldap3-1.0.3-1.el7.remi.noarch          @remi
        Dep-Install php-ldap-5.6.30-1.el7.remi.x86_64                    @remi-php56
        Install     php-mbstring-5.6.30-1.el7.remi.x86_64                @remi-php56
        Install     php-mcrypt-5.6.30-1.el7.remi.x86_64                  @remi-php56
        Install     php-mysqlnd-5.6.30-1.el7.remi.x86_64                 @remi-php56
        Install     php-pdo-5.6.30-1.el7.remi.x86_64                     @remi-php56
        Dep-Install php-pear-1:1.10.1-8.el7.remi.noarch                  @remi
        Dep-Install php-pear-Auth-SASL-1.0.6-5.el7.noarch                @epel
        Dep-Install php-pear-Console-CommandLine-1.2.2-1.el7.remi.noarch @remi
        Dep-Install php-pear-Mail-Mime-1.10.0-1.el7.remi.noarch          @remi
        Dep-Install php-pear-Net-IDNA2-0.1.1-10.el7.noarch               @epel
        Dep-Install php-pear-Net-LDAP2-2.2.0-1.el7.remi.noarch           @remi
        Dep-Install php-pear-Net-SMTP-1.7.3-1.el7.remi.noarch            @remi
        Dep-Install php-pear-Net-Sieve-1.3.4-4.el7.remi.noarch           @remi
        Dep-Install php-pear-Net-Socket-1.0.14-1.el7.noarch              @epel
        Dep-Install php-pear-crypt-gpg-1.4.3-1.el7.remi.noarch           @remi
        Dep-Install php-pecl-jsonc-1.3.10-1.el7.remi.5.6.x86_64          @remi-php56
        Dep-Install php-pecl-zip-1.13.5-1.el7.remi.5.6.x86_64            @remi-php56
        Dep-Install php-php-gettext-1.0.12-1.el7.remi.noarch             @remi
        Dep-Install php-phpseclib-2.0.4-1.el7.remi.noarch                @remi
        Dep-Install php-process-5.6.30-1.el7.remi.x86_64                 @remi-php56
        Dep-Install php-pspell-5.6.30-1.el7.remi.x86_64                  @remi-php56
        Dep-Install php-recode-5.6.30-1.el7.remi.x86_64                  @remi-php56
        Install     php-soap-5.6.30-1.el7.remi.x86_64                    @remi-php56
        Dep-Install php-symfony-class-loader-2.8.16-1.el7.remi.noarch    @remi
        Dep-Install php-symfony-common-2.8.16-1.el7.remi.noarch          @remi
        Dep-Install php-tcpdf-6.2.13-1.el7.remi.noarch                   @remi
        Dep-Install php-tcpdf-dejavu-sans-fonts-6.2.13-1.el7.remi.noarch @remi
        Install     php-tidy-5.6.30-1.el7.remi.x86_64                    @remi-php56
        Dep-Install php-udan11-sql-parser-3.4.16-1.el7.remi.noarch       @remi
        Install     php-xml-5.6.30-1.el7.remi.x86_64                     @remi-php56
        Install     php-xmlrpc-5.6.30-1.el7.remi.x86_64                  @remi-php56
        Install     phpMyAdmin-4.6.5.2-1.el7.remi.noarch                 @remi
        Dep-Install pixman-0.34.0-1.el7.x86_64                           @base
        Dep-Install poppler-data-0.4.6-3.el7.noarch                      @base
        Dep-Install portreserve-0.0.5-11.el7.x86_64                      @base
        Dep-Install procmail-3.22-35.el7.x86_64                          @base
        Dep-Install pyparsing-1.5.6-9.el7.noarch                         @base
        Dep-Install recode-3.6-38.el7.x86_64                             @base
        Install     roundcubemail-1.2.3-1.el7.remi.noarch                @remi
        Install     rrdtool-1.4.8-9.el7.x86_64                           @base
        Install     screen-4.1.0-0.23.20120314git3c2946.el7_2.x86_64     @base
        Install     spamassassin-3.4.0-2.el7.x86_64                      @base
        Dep-Install systemd-python-219-30.el7_3.6.x86_64                 @updates
        Dep-Install systemtap-sdt-devel-3.0-7.el7.x86_64                 @base
        Dep-Install t1lib-5.1.2-14.el7.x86_64                            @base
        Dep-Install tcl-1:8.5.13-8.el7.x86_64                            @base
        Install     telnet-1:0.17-60.el7.x86_64                          @base
        Dep-Install urw-fonts-2.4-16.el7.noarch                          @base
        Install     vesta-0.9.8-17.x86_64                                @vesta
        Install     vesta-nginx-0.9.8-17.x86_64                          @vesta
        Install     vesta-php-0.9.8-17.x86_64                            @vesta
        Install     vim-common-2:7.4.160-1.el7_3.1.x86_64                @updates
        Dep-Install vim-filesystem-2:7.4.160-1.el7_3.1.x86_64            @updates
        Install     vsftpd-3.0.2-21.el7.x86_64                           @base
        Install     webalizer-2.23_08-5.el7.x86_64                       @epel
        Dep-Install xorg-x11-font-utils-1:7.5-20.el7.x86_64              @base
    Scriptlet output:
       1 ----------------------------------------------------------------------
       2
       3 Thanks for using nginx!
       4
       5 Please find the official documentation for nginx here:
       6 * http://nginx.org/en/docs/
       7
       8 Commercial subscriptions for nginx are available on:
       9 * http://nginx.com/products/
      10
      11 ----------------------------------------------------------------------
      12
      13 WARNING : These php-* RPMs are not official Fedora / Red Hat build and
      14 overrides the official ones. Don't file bugs on Fedora Project nor Red Hat.
      15
      16 Use dedicated forum at http://forum.remirepo.net/
      17
    


    The CentOS 7 VestaCP custom provided Apache 2.4.6 change log's last change was July 23, 2014, with a server build date of Dec 15, 2014. Compare to the Apache 2.4.25 latest change log: http://www.apache.org/dist/httpd/CHANGES_2.4.25
    Code (Text):
     rpm -qa --changelog httpd | head -n30
    * Wed Jul 23 2014 Johnny Hughes <johnny@centos.org> - 2.4.6-18.el7.centos
    - Roll in CentOS Branding
    
    * Thu Jul 17 2014 Jan Kaluza <jkaluza@redhat.com> - 2.4.6-18
    - mod_cgid: add security fix for CVE-2014-0231 (#1120607)
    - mod_proxy: add security fix for CVE-2014-0117 (#1120607)
    - mod_deflate: add security fix for CVE-2014-0118 (#1120607)
    - mod_status: add security fix for CVE-2014-0226 (#1120607)
    - mod_cache: add secutiry fix for CVE-2013-4352 (#1120607)
    
    * Thu Mar 20 2014 Jan Kaluza <jkaluza@redhat.com> - 2.4.6-17
    - mod_dav: add security fix for CVE-2013-6438 (#1077907)
    - mod_log_config: add security fix for CVE-2014-0098 (#1077907)
    
    * Wed Mar 05 2014 Joe Orton <jorton@redhat.com> - 2.4.6-16
    - mod_ssl: improve DH temp key handling (#1057687)
    
    * Wed Mar 05 2014 Joe Orton <jorton@redhat.com> - 2.4.6-15
    - mod_ssl: use 2048-bit RSA key with SHA-256 signature in dummy certificate (#1071276)
    
    * Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 2.4.6-14
    - Mass rebuild 2014-01-24
    
    * Mon Jan 13 2014 Joe Orton <jorton@redhat.com> - 2.4.6-13
    - mod_ssl: sanity-check use of "SSLCompression" (#1036666)
    - mod_proxy_http: fix brigade memory usage (#1040447)
    
    * Fri Jan 10 2014 Joe Orton <jorton@redhat.com> - 2.4.6-12
    - rebuild

    And compared to the CentOS 7.3 and Redhat 7.3 default 2.4.6-45 yum package, which has its last update on Nov 3, 2016 and a build date of Nov 14, 2016:
    Code (Text):
    httpd -V
    Server version: Apache/2.4.6 (CentOS)
    Server built:   Nov 14 2016 18:04:44
    Server's Module Magic Number: 20120211:24
    Server loaded:  APR 1.4.8, APR-UTIL 1.5.2
    Compiled using: APR 1.4.8, APR-UTIL 1.5.2
    Architecture:   64-bit
    Server MPM:     prefork
      threaded:     no
        forked:     yes (variable process count)
    Server compiled with....
     -D APR_HAS_SENDFILE
     -D APR_HAS_MMAP
     -D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
     -D APR_USE_SYSVSEM_SERIALIZE
     -D APR_USE_PTHREAD_SERIALIZE
     -D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
     -D APR_HAS_OTHER_CHILD
     -D AP_HAVE_RELIABLE_PIPED_LOGS
     -D DYNAMIC_MODULE_LIMIT=256
     -D HTTPD_ROOT="/etc/httpd"
     -D SUEXEC_BIN="/usr/sbin/suexec"
     -D DEFAULT_PIDLOG="/run/httpd/httpd.pid"
     -D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
     -D DEFAULT_ERRORLOG="logs/error_log"
     -D AP_TYPES_CONFIG_FILE="conf/mime.types"
     -D SERVER_CONFIG_FILE="conf/httpd.conf"
    

    Code (Text):
    rpm -qa --changelog httpd | head -n30
    * Thu Nov 03 2016 CentOS Sources <bugs@centos.org> - 2.4.6-45.el7.centos
    - Remove index.html, add centos-noindex.tar.gz
    - change vstring
    - change symlink for poweredby.png
    - update welcome.conf with proper aliases
    
    * Wed Aug 03 2016 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-45
    - RFE: run mod_rewrite external mapping program as non-root (#1316900)
    
    * Tue Jul 12 2016 Joe Orton <jorton@redhat.com> - 2.4.6-44
    - add security fix for CVE-2016-5387
    
    * Tue Jul 05 2016 Joe Orton <jorton@redhat.com> - 2.4.6-43
    - add 451 (Unavailable For Legal Reasons) response status-code (#1343582)
    
    * Fri Jun 17 2016 Joe Orton <jorton@redhat.com> - 2.4.6-42
    - mod_cache: treat cache as valid with changed Expires in 304 (#1331341)
    
    * Wed Feb 24 2016 Jan Kaluza <jkaluza@redhat.com> - 2.4.6-41
    - mod_cache: merge r->err_headers_out into r->headers when the response
      is cached for the first time (#1264989)
    - mod_ssl: Do not send SSL warning when SNI hostname is not found as per
      RFC 6066 (#1298148)
    - mod_proxy_fcgi: Ignore body data from backend for 304 responses (#1263038)
    - fix apache user creation when apache group already exists (#1299889)
    - fix apache user creation when USERGROUPS_ENAB is set to 'no' (#1288757)
    - mod_proxy: fix slow response time for reponses with error status code
      when using ProxyErrorOverride (#1283653)
    - mod_ldap: Respect LDAPConnectionPoolTTL for authn connections (#1300149)
    - mod_ssl: use "localhost" in the dummy SSL cert for long FQDNs (#1240495)
    

    Some security CVE fixes in the CentOS 7.3 official Apache 2.4.6-45 yum package:
    Code (Text):
    rpm -qa --changelog httpd | grep CVE
    - add security fix for CVE-2016-5387
    - core: fix chunk header parsing defect (CVE-2015-3183)
      and ap_force_authn hook (CVE-2015-3185)
    - core: fix bypassing of mod_headers rules via chunked requests (CVE-2013-5704)
    - mod_cache: fix NULL pointer dereference on empty Content-Type (CVE-2014-3581)
    - mod_cgid: add security fix for CVE-2014-0231 (#1120608)
    - mod_proxy: add security fix for CVE-2014-0117 (#1120608)
    - mod_deflate: add security fix for CVE-2014-0118 (#1120608)
    - mod_status: add security fix for CVE-2014-0226 (#1120608)
    - mod_cache: add secutiry fix for CVE-2013-4352 (#1120608)
    - mod_dav: add security fix for CVE-2013-6438 (#1077907)
    - mod_log_config: add security fix for CVE-2014-0098 (#1077907)
    

    Okay, not that bad, with only 6 later CVE security related entries for CVE-2016-5387, CVE-2015-3183 and CVE-2015-3185, CVE-2014-3581, CVE-2014-3581 and CVE-2014-3581 missing from the VestaCP provided custom Apache 2.4.6-18 build. Though it's not the quantity but the severity of the security flaws that matters!

    What if you filter for 2015 and 2016 updates in the CentOS 7.3 Apache 2.4.6-45?
    Code (Text):
    rpm -qa --changelog httpd | egrep -C10 '2015|2016'
    * Thu Nov 03 2016 CentOS Sources <bugs@centos.org> - 2.4.6-45.el7.centos
    - Remove index.html, add centos-noindex.tar.gz
    - change vstring
    - change symlink for poweredby.png
    - update welcome.conf with proper aliases
    
    * Wed Aug 03 2016 Luboš Uhliarik <luhliari@redhat.com> - 2.4.6-45
    - RFE: run mod_rewrite external mapping program as non-root (#1316900)
    
    * Tue Jul 12 2016 Joe Orton <jorton@redhat.com> - 2.4.6-44
    - add security fix for CVE-2016-5387
    
    * Tue Jul 05 2016 Joe Orton <jorton@redhat.com> - 2.4.6-43
    - add 451 (Unavailable For Legal Reasons) response status-code (#1343582)
    
    * Fri Jun 17 2016 Joe Orton <jorton@redhat.com> - 2.4.6-42
    - mod_cache: treat cache as valid with changed Expires in 304 (#1331341)
    
    * Wed Feb 24 2016 Jan Kaluza <jkaluza@redhat.com> - 2.4.6-41
    - mod_cache: merge r->err_headers_out into r->headers when the response
      is cached for the first time (#1264989)
    - mod_ssl: Do not send SSL warning when SNI hostname is not found as per
      RFC 6066 (#1298148)
    - mod_proxy_fcgi: Ignore body data from backend for 304 responses (#1263038)
    - fix apache user creation when apache group already exists (#1299889)
    - fix apache user creation when USERGROUPS_ENAB is set to 'no' (#1288757)
    - mod_proxy: fix slow response time for reponses with error status code
      when using ProxyErrorOverride (#1283653)
    - mod_ldap: Respect LDAPConnectionPoolTTL for authn connections (#1300149)
    - mod_ssl: use "localhost" in the dummy SSL cert for long FQDNs (#1240495)
    - rotatelogs: improve support for localtime (#1244545)
    - ab: fix read failure when targeting SSL server (#1255331)
    - mod_log_debug: fix LogMessage example in documentation (#1279465)
    - mod_authz_dbd, mod_authn_dbd, mod_session_dbd, mod_rewrite: Fix lifetime
      of DB lookup entries independently of the selected DB engine (#1287844)
    - mod_ssl: fix hardware crypto support with custom DH parms (#1291865)
    - mod_proxy_fcgi: fix SCRIPT_FILENAME when a balancer is used (#1302797)
    
    * Thu Sep 17 2015 Jan Kaluza <jkaluza@redhat.com> - 2.4.6-40
    - mod_dav: follow up fix for previous commit (#1263975)
    
    * Wed Aug 26 2015 Jan Kaluza <jkaluza@redhat.com> - 2.4.6-39
    - mod_dav: treat dav_resource uri as escaped (#1255480)
    
    * Wed Aug 19 2015 Jan Kaluza <jkaluza@redhat.com> - 2.4.6-38
    - mod_ssl: add support for User Principal Name in SSLUserName  (#1242503)
    
    * Mon Aug 10 2015 Jan Kaluza <jkaluza@redhat.com> - 2.4.6-37
    - core: fix chunk header parsing defect (CVE-2015-3183)
    - core: replace of ap_some_auth_required with ap_some_authn_required
      and ap_force_authn hook (CVE-2015-3185)
    
    * Tue Jul 14 2015 Jan Kaluza <jkaluza@redhat.com> - 2.4.6-36
    - Revert fix for #1162152, it is not needed in RHEL7
    - mod_proxy_ajp: fix settings ProxyPass parameters for AJP backends (#1242416)
    
    * Wed Jul 01 2015 Jan Kaluza <jkaluza@redhat.com> - 2.4.6-35
    - mod_remoteip: correct the trusted proxy match test (#1179306)
    - mod_dav: send complete response when resource is created (#1235383)
    - apachectl: correct the apachectl status man page (#1231924)
    
    * Wed Jun 03 2015 Jan Kaluza <jkaluza@redhat.com> - 2.4.6-34
    - mod_proxy_fcgi: honor Timeout / ProxyTimeout (#1222328)
    - do not show all vhosts twice in httpd -D DUMP_VHOSTS output (#1225820)
    - fix -D[efined] or <Define>[d] variables lifetime accross restarts (#1227219)
    - mod_ssl: do not send NPN extension with not configured (#1226015)
    
    * Mon May 18 2015 Jan Kaluza <jkaluza@redhat.com> - 2.4.6-33
    - mod_authz_dbm: fix crash when using "Require dbm-file-group" (#1221575)
    
    * Wed Apr 15 2015 Jan Kaluza <jkaluza@redhat.com> - 2.4.6-32
    - mod_authn_dbd: fix use-after-free bug with postgresql (#1188779)
    - mod_remoteip: correct the trusted proxy match test (#1179306)
    - mod_status: honor remote_ip as documented (#1169081)
    - mod_deflate: fix decompression of files larger than 4GB (#1170214)
    - core: improve error message for inaccessible DocumentRoot (#1170220)
    - ab: try all addresses instead of failing on first one when not available (#1125276)
    - mod_proxy_wstunnel: add support for SSL (#1180745)
    - mod_proxy_wstunnel: load this module by default (#1180745)
    - mod_rewrite: add support for WebSockets (#1180745)
    - mod_rewrite: do not search for directory if a URL will be rewritten (#1210091)
    


    From the CentOS / Red Hat 7.3 official Apache 2.4.6-45 change log at Red Hat Customer Portal.
    This one in particular is very relevant for Apache 2.4 + php-fpm setups,
    and the missing CVE-2016-5387 is a big one: CVE-2016-5387 - Red Hat Customer Portal
    and https://httpoxy.org/
    Guess you need to be careful with VestaCP on CentOS 7, as the Apache 2.4.6-18 built rpm is very insecure, with 30+ months of security updates and a lot of bug fixes missing ! :eek:
     
    Last edited: Jan 30, 2017
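As an added example (not code from this thread, from VestaCP or from Red Hat), the following POSIX shell helper answers the question the post raises: whether a backported fix such as CVE-2016-5387 is present in an installed httpd build, by reading the package changelog instead of trusting the "2.4.6" version string or the size of the release number. Both changelog samples are constructed; the old-build one is a labelled stand-in with a placeholder packager, not VestaCP's real changelog.

```shell
#!/bin/sh
# Added example: find backported CVE fixes in an httpd RPM via its changelog.
# Constructed excerpt in "rpm -q --changelog httpd" format; the entries mirror the
# Red Hat 2.4.6-44 and 2.4.6-37 lines quoted in the post.
RH_SAMPLE='* Tue Jul 12 2016 Joe Orton <jorton@redhat.com> - 2.4.6-44
- add security fix for CVE-2016-5387

* Mon Aug 10 2015 Jan Kaluza <jkaluza@redhat.com> - 2.4.6-37
- core: fix chunk header parsing defect (CVE-2015-3183)
- core: replace of ap_some_auth_required with ap_some_authn_required
  and ap_force_authn hook (CVE-2015-3185)'

# Constructed stand-in for a 2014-era rebuild with a high release number but no
# later backports (placeholder packager; not the real VestaCP changelog).
OLD_SAMPLE='* Mon Dec 15 2014 Example Packager <packager@example.invalid> - 2.4.6-118.el7.centos
- rebuild of httpd 2.4.6 (constructed entry)'

# Every CVE id mentioned in the changelog on stdin, deduplicated, one per line.
changelog_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Exit 0 if the changelog on stdin mentions CVE id $1, 1 if it does not.
changelog_has_cve() {
    changelog_cves | grep -qx "$1"
}

# Header line of the newest entry: "* <date> <packager> - <version-release>".
changelog_latest_header() {
    sed -n '/^\* /{p;q;}'
}

# Version-release tag of the newest entry, e.g. "2.4.6-44".
changelog_latest_release() {
    changelog_latest_header | sed 's/.* - \([0-9][0-9.]*-[0-9][0-9A-Za-z.]*\).*/\1/'
}

# Year of the newest entry: a bigger release number does not mean a newer build.
changelog_latest_year() {
    changelog_latest_header | awk '{ print $5 }'
}

# Demo on the constructed stand-in; on a live host feed "rpm -q --changelog httpd"
# into changelog_has_cve instead of the sample.
printf '%s\n' "$OLD_SAMPLE" | changelog_has_cve CVE-2016-5387 \
    && echo "CVE-2016-5387 fix present" || echo "CVE-2016-5387 fix absent"
```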
  2. Revenge

    Revenge Active Member

    469
    93
    28
    Feb 21, 2016
    Portugal
    Ratings:
    +354
    Local Time:
    9:56 PM
    1.9.x
    10.1.x
    You can install VestaCP with nginx + php-fpm. VestaCP installs the default things that are in the repos. Apache 2.4.6 is the one in the CentOS repo, so it installs that one.

    I think most people that use VestaCP do so just for the panel thing, where it's easy to make full backups, for example, all of them automated, and a bit more things.
    Conf files are all to be changed of course, along with the repos it uses.
     
  3. eva2000

    eva2000 Administrator Staff Member

    Yeah, saw that configurator for custom install commands :) Though I think most folks just do the default install ? CentOS 7's VestaCP Apache 2.4.6 isn't from the CentOS 7 official repo though, as you can see above; it's a custom older package built by VestaCP dating back to Dec 2014 ! If they're going to build and use their own Apache 2.4.6 rpms, I would have thought they'd use the latest Apache 2.4.25 at least, or base it on CentOS 7.3's newer 2.4.6-45 packages !
     
    Last edited: Jan 21, 2017
  4. Dali

    Dali New Member

    2
    0
    1
    Apr 4, 2019
    Ratings:
    +1
    Local Time:
    10:56 PM
  5. eva2000

    eva2000 Administrator Staff Member

  6. nofun

    nofun New Member

    20
    5
    3
    May 2, 2015
    Latvia
    Ratings:
    +7
    Local Time:
    11:56 PM
    1.9.x
    10.x
    If you can, stay away from VestaCP, as far as you can ) It can become secure in the long run, but it's not now for sure. I think they need more folks for testing and debugging, but they prefer to have their own team handle it. Everything is imho of course.