On Thu, Feb 20, 2014 at 12:28 PM, Joe Jensen (ConAgra Foods) < joe.jen...@conagrafoods.com> wrote:
> We are on a current patch version and being old software there are likely > few remaining security vulnerabilities or bugs for me to worry about in the > version we run. > > > > Joe Jensen > (402)-240-3645 > Application Hosting Services > > > > *From:* Curtis Maurand [mailto:cur...@maurand.com] > *Sent:* Thursday, February 20, 2014 12:25 PM > *To:* users@httpd.apache.org > *Subject:* Re: [users@httpd] Apache major features > > > > > Google is your friend in this case. There are tons of books re: apache > and even hardening it. > > search term: apache books > > About 29,700,000 results (0.35 seconds) > > http://httpd.apache.org/docs/2.4/ > > > > > --Curtis > > On 2/20/2014 12:38 PM, Joe Jensen (ConAgra Foods) wrote: > > What major features have been released in the last 8 years for apache? > My apache infrastructure is quite dated and behind. I'd like to update and > improve it but am new to apache and don't know much more than that I have > nothing modern. > > > > Joe Jensen > (402)-240-3645 > Application Hosting Services > > > > *From:* Jeff Trawick [mailto:traw...@gmail.com <traw...@gmail.com>] > *Sent:* Wednesday, February 19, 2014 3:50 PM > *To:* users@httpd.apache.org > *Subject:* Re: [users@httpd] Available online Training/documentation > > > > On Wed, Feb 19, 2014 at 3:24 PM, Joe Jensen (ConAgra Foods) < > joe.jen...@conagrafoods.com> wrote: > > I'm looking for some advice on how to learn the intricacies of both apache > httpd and tomcat. I'm unlikely to get a paid training class, and failed to > find any overall training about it online. Considering it's popularity and > open source nature it strikes me as very odd that there isn't any good and > extensive "on your own" training to read through. If someone can point me > to something online it would be awesome! > > > > I'm charged with a series of apache/tomcat servers as part about 70% of my > job, but we run a ~3-4 year old setup largely unchanged from 7 years ago. > I'd like to learn what I don't know exists, and am hoping for more than > just the apache module and configuration manuals. If I have to though that > may be what I do learn from. > > > > Joe Jensen > (402)-240-3645 > Application Hosting Services > > > > Look at the User's Guide and Howto/Tutorials parts of the documentation. > > > > If it were me, I'd start with this: > > > > 1. Make sure you understand how httpd and Tomcat are installed on all > systems you support and how updates are obtained. > > 2. Check the versions of the software and confirm that they are supported > branches (e.g., 2.2.x or 2.4.x for httpd, whatever is currently supported > for Tomcat). > > 3. See how old the exact versions are (e.g., 2.2.15), and if they are > relatively old then ensure that you are getting updates regularly from a > vendor (e.g., Linux vendor) which applies security fixes to old versions. > > > > If there's a problem already (unsupported, vulnerable versions), work with > your team to find out how to deal with it. You may end up looking through > CHANGES logs for vulnerabilities and crossing out the ones in modules that > aren't used in your configuration, and then seeing what is a potential > concern. > > > > 4-98. (stuff I can't think of at the moment) > > > > 99. Try to identify the most common or most important use of httpd in your > environment (e.g., front-end to Tomcat) and get a fresh VM and set up httpd > with a sample application (or static site) that requires similar > configuration features. Use that to play around and experiment with things > in the product documentation. Even if you won't use a particular feature > in production, the experimentation gives you more insight into how the > server can be configured. > > > > -- > Born in Roswell... married an alien... > http://emptyhammock.com/ > > > Yes, having been through a similar experience in the past I can definitely say start small. VMs are your friend! Make *sure* you're okay right now so nothing is vulnerable (don't count on it being "old" as meaning it's not vulnerable to anything). I've found that if you are making a "big" leap (mostly 1.x -> 2.x) you're liable to run into trouble with modules. That big of a jump some have been absorbed into Apache core httpd, some don't exist any more, some have been replaced, some won't work with 2.x without patching or re-compiling, etc.
