On Fri, Oct 11, 2024 at 4:32 AM Adam Mihai Gergely <ad...@infosky.ro.invalid> wrote:
> Hello,
>
> I have a rather weird question about Apache Directives Configuration.
>
> I am running Ubuntu Linux Server and my Apache Tree looks like this:
>
> server [/etc/apache2] # tree
> .
> ├── apache2.conf
> ├── apache2.conf.dpkg-old
> ├── apache2.conf.in
> ├── conf-available
> │   ├── charset.conf
> │   ├── javascript-common.conf
> │   ├── localized-error-pages.conf
> │   ├── other-vhosts-access-log.conf
> │   ├── phpmyadmin.conf -> ../../phpmyadmin/apache.conf
> │   ├── security.conf
> │   └── serve-cgi-bin.conf
> ├── conf-enabled
> │   ├── charset.conf -> ../conf-available/charset.conf
> │   ├── client-dirs.conf
> │   ├── javascript-common.conf -> ../conf-available/javascript-common.conf
> │   ├── localized-error-pages.conf -> ../conf-available/localized-error-pages.conf
> │   ├── other-vhosts-access-log.conf -> ../conf-available/other-vhosts-access-log.conf
> │   ├── phpmyadmin.conf -> ../conf-available/phpmyadmin.conf
> │   ├── security.conf -> ../conf-available/security.conf
> │   └── serve-cgi-bin.conf -> ../conf-available/serve-cgi-bin.conf
> ├── conf-local
> │   ├── htdirs.conf
> │   ├── htpasswd
> │   ├── htpasswd4laszlo
> │   └── htpasswd4project
> ├── envvars
> ├── magic
> ├── mods-available
> │   ├── access_compat.load
> │   ├── actions.conf
> │   ├── actions.load
> │   ├── alias.conf
> │   ├── alias.load
> │   ├── allowmethods.load
> │   ├── asis.load
> │   ├── auth_basic.load
> │   ├── auth_digest.load
> │   ├── auth_form.load
> │   ├── authn_anon.load
> │   ├── authn_core.load
> │   ├── authn_dbd.load
> │   ├── authn_dbm.load
> │   ├── authn_file.load
> │   ├── authn_socache.load
> │   ├── authnz_fcgi.load
> │   ├── authnz_ldap.load
> │   ├── authz_core.load
> │   ├── authz_dbd.load
> │   ├── authz_dbm.load
> │   ├── authz_groupfile.load
> │   ├── authz_host.load
> │   ├── authz_owner.load
> │   ├── authz_user.load
> │   ├── autoindex.conf
> │   ├── autoindex.load
> │   ├── buffer.load
> │   ├── cache_disk.conf
> │   ├── cache_disk.load
> │   ├── cache.load
> │   ├── cache_socache.load
> │   ├── cgid.conf
> │   ├── cgid.load
> │   ├── cgi.load
> │   ├── charset_lite.load
> │   ├── data.load
> │   ├── dav_fs.conf
> │   ├── dav_fs.load
> │   ├── dav.load
> │   ├── dav_lock.load
> │   ├── dbd.load
> │   ├── deflate.conf
> │   ├── deflate.load
> │   ├── dialup.load
> │   ├── dir.conf
> │   ├── dir.load
> │   ├── dump_io.load
> │   ├── echo.load
> │   ├── env.load
> │   ├── expires.load
> │   ├── ext_filter.load
> │   ├── file_cache.load
> │   ├── filter.load
> │   ├── headers.load
> │   ├── heartbeat.load
> │   ├── heartmonitor.load
> │   ├── ident.load
> │   ├── include.load
> │   ├── info.conf
> │   ├── info.load
> │   ├── lbmethod_bybusyness.load
> │   ├── lbmethod_byrequests.load
> │   ├── lbmethod_bytraffic.load
> │   ├── lbmethod_heartbeat.load
> │   ├── ldap.conf
> │   ├── ldap.load
> │   ├── log_debug.load
> │   ├── log_forensic.load
> │   ├── lua.load
> │   ├── macro.load
> │   ├── mime.conf
> │   ├── mime.load
> │   ├── mime_magic.conf
> │   ├── mime_magic.load
> │   ├── mpm_event.conf
> │   ├── mpm_event.load
> │   ├── mpm_prefork.conf
> │   ├── mpm_prefork.load
> │   ├── mpm_worker.conf
> │   ├── mpm_worker.load
> │   ├── negotiation.conf
> │   ├── negotiation.load
> │   ├── php5.6.conf
> │   ├── php5.6.load
> │   ├── php7.0.conf
> │   ├── php7.0.load
> │   ├── php7.1.conf
> │   ├── php7.1.load
> │   ├── php7.2.conf
> │   ├── php7.2.load
> │   ├── php7.3.conf
> │   ├── php7.3.load
> │   ├── php7.4.conf
> │   ├── php7.4.load
> │   ├── php8.0.conf
> │   ├── php8.0.load
> │   ├── proxy_ajp.load
> │   ├── proxy_balancer.conf
> │   ├── proxy_balancer.load
> │   ├── proxy.conf
> │   ├── proxy_connect.load
> │   ├── proxy_express.load
> │   ├── proxy_fcgi.load
> │   ├── proxy_fdpass.load
> │   ├── proxy_ftp.conf
> │   ├── proxy_ftp.load
> │   ├── proxy_html.conf
> │   ├── proxy_html.load
> │   ├── proxy_http.load
> │   ├── proxy.load
> │   ├── proxy_scgi.load
> │   ├── proxy_wstunnel.load
> │   ├── ratelimit.load
> │   ├── reflector.load
> │   ├── remoteip.load
> │   ├── reqtimeout.conf
> │   ├── reqtimeout.load
> │   ├── request.load
> │   ├── rewrite.load
> │   ├── sed.load
> │   ├── session_cookie.load
> │   ├── session_crypto.load
> │   ├── session_dbd.load
> │   ├── session.load
> │   ├── setenvif.conf
> │   ├── setenvif.load
> │   ├── slotmem_plain.load
> │   ├── slotmem_shm.load
> │   ├── socache_dbm.load
> │   ├── socache_memcache.load
> │   ├── socache_shmcb.load
> │   ├── speling.load
> │   ├── ssl.conf
> │   ├── ssl.load
> │   ├── status.conf
> │   ├── status.load
> │   ├── substitute.load
> │   ├── suexec.load
> │   ├── unique_id.load
> │   ├── userdir.conf
> │   ├── userdir.load
> │   ├── usertrack.load
> │   ├── vhost_alias.load
> │   └── xml2enc.load
> ├── mods-enabled
> │   ├── access_compat.load -> ../mods-available/access_compat.load
> │   ├── alias.conf -> ../mods-available/alias.conf
> │   ├── alias.load -> ../mods-available/alias.load
> │   ├── auth_basic.load -> ../mods-available/auth_basic.load
> │   ├── authn_core.load -> ../mods-available/authn_core.load
> │   ├── authn_file.load -> ../mods-available/authn_file.load
> │   ├── authz_core.load -> ../mods-available/authz_core.load
> │   ├── authz_host.load -> ../mods-available/authz_host.load
> │   ├── authz_user.load -> ../mods-available/authz_user.load
> │   ├── autoindex.conf -> ../mods-available/autoindex.conf
> │   ├── autoindex.load -> ../mods-available/autoindex.load
> │   ├── deflate.conf -> ../mods-available/deflate.conf
> │   ├── deflate.load -> ../mods-available/deflate.load
> │   ├── dir.conf -> ../mods-available/dir.conf
> │   ├── dir.load -> ../mods-available/dir.load
> │   ├── env.load -> ../mods-available/env.load
> │   ├── filter.load -> ../mods-available/filter.load
> │   ├── headers.load -> ../mods-available/headers.load
> │   ├── mime.conf -> ../mods-available/mime.conf
> │   ├── mime.load -> ../mods-available/mime.load
> │   ├── mpm_prefork.conf -> ../mods-available/mpm_prefork.conf
> │   ├── mpm_prefork.load -> ../mods-available/mpm_prefork.load
> │   ├── negotiation.conf -> ../mods-available/negotiation.conf
> │   ├── negotiation.load -> ../mods-available/negotiation.load
> │   ├── php5.6.conf -> ../mods-available/php5.6.conf
> │   ├── php5.6.load -> ../mods-available/php5.6.load
> │   ├── rewrite.load -> ../mods-available/rewrite.load
> │   ├── setenvif.conf -> ../mods-available/setenvif.conf
> │   ├── setenvif.load -> ../mods-available/setenvif.load
> │   ├── socache_dbm.load -> ../mods-available/socache_dbm.load
> │   ├── socache_memcache.load -> ../mods-available/socache_memcache.load
> │   ├── socache_shmcb.load -> ../mods-available/socache_shmcb.load
> │   ├── ssl.conf -> ../mods-available/ssl.conf
> │   ├── ssl.load -> ../mods-available/ssl.load
> │   ├── status.conf -> ../mods-available/status.conf
> │   ├── status.load -> ../mods-available/status.load
> │   ├── userdir.conf -> ../mods-available/userdir.conf
> │   └── userdir.load -> ../mods-available/userdir.load
> ├── ports.conf
> ├── sites-available
> │   ├── 000-default.conf
> │   └── default-ssl.conf
> └── sites-enabled
>     ├── 000-default.conf -> ../sites-available/000-default.conf
>     └── default-ssl.conf -> ../sites-available/default-ssl.conf
>
> 7 directories, 212 files
>
> Now, the problem is:
> One of my config files is */etc/apache2/mods-enabled/userdir.conf*
> It has these contents:
>
> [Begin File contents]
> <IfModule mod_userdir.c>
>         UserDir public_html
>         UserDir disabled root
>
>         <Directory /home/adam/public_html>
>                 AllowOverride FileInfo AuthConfig Limit Indexes
>                 Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
>                 <Limit GET POST OPTIONS>
>                         Require all granted
>                 </Limit>
>                 <LimitExcept GET POST OPTIONS>
>                         Require all denied
>                 </LimitExcept>
>                 php_admin_value open_basedir /home/adam/public_html:/tmp
>         </Directory>
> [End File contents]
>
> The problem I noticed is that "</IfModule>" was absent from this file.
> So the <IfModule> at the beginning of this file was not properly closed.
> The mod_userdir module is always loaded and running. This is the intended
> setting.
>
> Restarting the webserver (and retaining this configuration) did not yield
> any problems.
>
> However, requesting a certificate with Let's Encrypt's certbot revealed
> this issue because certbot performed an analysis on Apache's configuration
> files before renewing this certificate and found this problem.
>
> After I properly closed the IfModule with "</IfModule>" and restarted the
> webserver certbot worked again.
> Of course, Apache also worked.
>
> Now, my question is:
> What could this have affected? The lack of "</IfModule>" at the end of
> the "userdir" module.
> (I am permanently using and loaded the UserDir Module because I needed it.
> So the "IF" condition is a perfect TRUE, for my server.)
> Could it have impacted something else?
>
> I don't know how many other modules or directives Apache loads into memory
> on startup...
> Is it possible that everything it loaded after this file could be "under
> the influence" of <IfModule mod_userdir.c> because it was not properly
> closed?
> (In this case, perhaps Apache found another <IfModule> or <VirtualHost>
> along the way and nested it inside my unclosed <IfModule>?)
>
> I am concerned about security risks, not loading of other configs properly
> or some other weird combination that messes up my configs.... I have
> htaccess statements and security measures I put in place in my configs, as
> this server is used by tens of users.
>
> Also, Apache should have reported this unclosed <IfModule> on restart. I
> don't know why it didn't.
>
> I know Apache reads configuration files in a specific order based on a
> combination of directories, filenames, and inclusion rules, however I don't
> know how a missing IfModule closure tag can affect other things...
>
> If someone can help me... if an Apache developer or someone that
> understands these things perfectly knows what I can expect from this
> situation, please advise...
>
> Thank you.
>
> --
> Regards,
> Adam Mihai Gergely
> Informatician
> www.infosky.ro

What I would do first is create a simple test with an open <IfModule> block, run apachectl -f /path/to/config/file configtest, and see if there is an error.
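
A companion to the configtest suggestion above, as an added example that is not part of the thread: a small Python check that reports section containers opened but never closed within a single file. The name find_unbalanced_sections is hypothetical and the sample is constructed from the file contents quoted in the post; it checks tag nesting only and does not reproduce how httpd or certbot parse the configuration.

```python
import re

# A section tag alone on a line, e.g. "<IfModule mod_userdir.c>" or "</Directory>".
# Backslash line continuations are not handled.
SECTION_TAG = re.compile(r"^\s*<(/?)([A-Za-z][A-Za-z0-9_]*)\b.*>\s*$")

def find_unbalanced_sections(text, filename="<config>"):
    """Report sections opened but not closed (or closed out of order) in one file."""
    problems = []
    stack = []  # (section name, line number) for every section still open
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # comment line
        match = SECTION_TAG.match(line)
        if not match:
            continue  # ordinary directive or blank line
        closing, name = match.group(1) == "/", match.group(2)
        if not closing:
            stack.append((name, lineno))
        elif stack and stack[-1][0].lower() == name.lower():
            stack.pop()
        else:
            still_open = stack[-1][0] if stack else "none"
            problems.append(f"{filename}:{lineno}: unexpected </{name}>, open: {still_open}")
    for name, lineno in stack:
        problems.append(f"{filename}:{lineno}: <{name}> is never closed")
    return problems

# Constructed sample: the userdir.conf contents quoted in the post, which
# lack the closing </IfModule>.
USERDIR_CONF = """\
<IfModule mod_userdir.c>
    UserDir public_html
    UserDir disabled root
    <Directory /home/adam/public_html>
        AllowOverride FileInfo AuthConfig Limit Indexes
        Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
        <Limit GET POST OPTIONS>
            Require all granted
        </Limit>
        <LimitExcept GET POST OPTIONS>
            Require all denied
        </LimitExcept>
        php_admin_value open_basedir /home/adam/public_html:/tmp
    </Directory>
"""

if __name__ == "__main__":
    print("\n".join(find_unbalanced_sections(USERDIR_CONF, "userdir.conf")))
```

Running it over every file under mods-enabled, conf-enabled and sites-enabled before a reload gives a per-file report that does not depend on whether the server itself complains.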