A security sweep of my network (using Nessus) revealed that my mac is running a version of Apache (2.4.46) with a few critical vulnerabilities. I've been told I need to upgrade to at least 2.4.47. I'm having issues getting MacOS to use the upgraded version over the default one:
The default httpd is located at /usr/sbin/, which is read only even as root. As far as I'm aware upgrading the default Mac OS version is not a possibility.
Installed a newer version of Apache (v2.4.48) using Homebrew. The homebrew version is located in /usr/local/bin/httpd and as long as /usr/local/bin is before /usr/sbin in the env path it should be the preferred version.
Running httpd -v in the terminal returns v2.4.48, but the vulnerability scan is still picking up the old version of Apache
What am I missing? Why is the OS picking up the old version? Do I simply have to wait for Apple to patch it? Is it even possible to upgrade /usr/sbin/httpd?
Two things here, how to set the default apache version, and whether your machine is vulnerable.
firstly, you can have multiple versions of apache installed, and even running simultaneously (listening on different ports). Installing homebrew apache, doesn't necessarily start the server automatically, or deactivate the default (apple) apache install.
You can see which versions of apache are running on your system by using the ps command, for example on my machine:
$ ps auxw | grep httpd
_www 782 0.0 0.0 34153280 1476 ?? S 26May22 0:00.83 /usr/sbin/httpd -D FOREGROUND
and check the version:
$ /usr/sbin/httpd -v
Server version: Apache/2.4.53 (Unix)
The apple httpd service is started by launchctl, and you can stop the apple httpd service from automatically starting up as follows:
$ sudo launchctl unload -w /System/Library/LaunchDaemons/org.apache.httpd.plist
To automatically start homebrew apache on system startup (assuming you have already installed it - brew install httpd), run brew services start httpd
Remember that the apache configuration files will be in a different location - apple conf file is /etc/apache2/httpd.conf, whereas homebrew's is in /usr/local/etc/httpd/httpd.conf. Also the default port may well be different - apple defaults to port 80 whereas homebrew httpd listens on port 8080 by default.
Secondly, does this security issue actually matter? By default apache listens on all network interface, but unless you need to access the web server from another machine, it is safer to configure it to only listen on localhost. You can do this in the httpd.conf file, as follows:
Listen 127.0.0.1:80
This page has a good walkthrough of the various steps: https://wpbeaches.com/installing-configuring-apache-on-macos-using-homebrew/
Related
Helo everyone, my lap is undergoing some conflict in case of internal apache (mac provide built in apache server) and home brew installed apache.. So that I cant access my localhost. Can anyone fix this?
Which -a httpd (terminal command) result two output ,
/usr/local/bin/httpd (home brew installed apache
/usr/sbin/httpd (default apache)
Whereis httpd (terminal command) results
/usr/sbin/httpd (it seems default apache)
But when I check httpd -V in terminal it gives path of homebrew intalled apache
I don't know which server is running internal or homebrew installed apache. I want to uninstall this homebrew installed apache and use default apache...
After the weekend, AMPPS Apache stopped running on Mac Mojave.
I've run the command lsof -nP -i4TCP:80 | grep LISTEN and received nothing back, I believe that means nothing is running on port 80.
There is nothing in the Apache error log.
I've restored Apache & PHP to default configuration through the AMPPS control panel and the issue remains.
I've reinstalled the latest version of AMPPS for Mac and the issue remains.
Help appreciated.
This was solved by installing the most recent version of AMPPS, 3.9, which is compatible with the latest version of macOS.
apache use port 80, in my case another app used port 80 i killed it by following command:
kill -kill `lsof -t -i tcp:80`
This is the error image
I have installed latest version of xampp first and then installed previous version.But it is not working now
I think you've Apache server installed explicitly (ie as a separate service). Apache server starts while system boot and thus this is preventing XAMPP from starting Apache again.
So, you either need to stop Apache server on CMD as:
cd C:\Apache24\bin
httpd -k -restart
Then, restart Apache on XAMPP.
Or, you'll have to uninstall Apache as a service completely as is given in this post: apache 2.4 - remove | delete | uninstall
I've recently upgraded to Mac OS X Sierra and it has totally shafted my apache/PHP setup. Having wasted most of the morning, I've finally found the actual httpd.conf file that is being referenced at /usr/local/etc/apache2/2.2/httpd.conf, whereas the file I need to be using is at /etc/apache2/httpd.conf.
How can I tell Apache to use the version I was successfully using before the update?
Not sure about MacOS version, but with any binary of httpd you use the parameter -f, as in:
httpd -k start -f /path/to/conf
In most cases you need to load envvars file in your environment, this file is in bin directory in an official install of httpd and generally adds HTTPD lib directory to LD_LIBRARY_PATH.
So briefly
. /path/to/httpd/bin/envvars
httpd -k start -f /path/to/conf
Or apachectl which is an official script which refers to both to make your life easier.
There is another version of apache running on my system.
When in run sudo apachectl stop I still get the "It Works" page
So I found the location of the other version that is still running and it looks to be an older version which probably came pre-installed and is located in /opt/local/apache2/.
I tested this file /opt/local/apache2/htdocs/index.html.sample by just changing the text and then checked the browser again.
Server: Apache/2.2.29 (Unix)
I want to remove that one and keep the latest version which is located in private/etc/apache2
Server version: Apache/2.4.9 (Unix)
How can I do this safely.
I managed to fix this
I ran ps aux | grep apache to see the apache processes
I then ran sudo apachectl stop
Then sudo killall -9 httpd to kill all apache processes
Then sudo apachectl restart
I went to the browser and typed localhost~/username/sitename
Bingo it works again, my system is using the correct version of apache again!