diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..9969f1d
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+SOURCES/httpd-2.4.6.tar.bz2
diff --git a/.httpd.metadata b/.httpd.metadata
new file mode 100644
index 0000000..d335a99
--- /dev/null
+++ b/.httpd.metadata
@@ -0,0 +1 @@
+16d8ec72535ded65d035122b0d944b0e64eaa2a2 SOURCES/httpd-2.4.6.tar.bz2
diff --git a/SOURCES/00-base.conf b/SOURCES/00-base.conf
new file mode 100644
index 0000000..31d979f
--- /dev/null
+++ b/SOURCES/00-base.conf
@@ -0,0 +1,77 @@
+#
+# This file loads most of the modules included with the Apache HTTP
+# Server itself.
+#
+
+LoadModule access_compat_module modules/mod_access_compat.so
+LoadModule actions_module modules/mod_actions.so
+LoadModule alias_module modules/mod_alias.so
+LoadModule allowmethods_module modules/mod_allowmethods.so
+LoadModule auth_basic_module modules/mod_auth_basic.so
+LoadModule auth_digest_module modules/mod_auth_digest.so
+LoadModule authn_anon_module modules/mod_authn_anon.so
+LoadModule authn_core_module modules/mod_authn_core.so
+LoadModule authn_dbd_module modules/mod_authn_dbd.so
+LoadModule authn_dbm_module modules/mod_authn_dbm.so
+LoadModule authn_file_module modules/mod_authn_file.so
+LoadModule authn_socache_module modules/mod_authn_socache.so
+LoadModule authz_core_module modules/mod_authz_core.so
+LoadModule authz_dbd_module modules/mod_authz_dbd.so
+LoadModule authz_dbm_module modules/mod_authz_dbm.so
+LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
+LoadModule authz_host_module modules/mod_authz_host.so
+LoadModule authz_owner_module modules/mod_authz_owner.so
+LoadModule authz_user_module modules/mod_authz_user.so
+LoadModule autoindex_module modules/mod_autoindex.so
+LoadModule cache_module modules/mod_cache.so
+LoadModule cache_disk_module modules/mod_cache_disk.so
+LoadModule data_module modules/mod_data.so
+LoadModule dbd_module modules/mod_dbd.so
+LoadModule deflate_module modules/mod_deflate.so
+LoadModule dir_module modules/mod_dir.so
+LoadModule dumpio_module modules/mod_dumpio.so
+LoadModule echo_module modules/mod_echo.so
+LoadModule env_module modules/mod_env.so
+LoadModule expires_module modules/mod_expires.so
+LoadModule ext_filter_module modules/mod_ext_filter.so
+LoadModule filter_module modules/mod_filter.so
+LoadModule headers_module modules/mod_headers.so
+LoadModule include_module modules/mod_include.so
+LoadModule info_module modules/mod_info.so
+LoadModule log_config_module modules/mod_log_config.so
+LoadModule logio_module modules/mod_logio.so
+LoadModule mime_magic_module modules/mod_mime_magic.so
+LoadModule mime_module modules/mod_mime.so
+LoadModule negotiation_module modules/mod_negotiation.so
+LoadModule remoteip_module modules/mod_remoteip.so
+LoadModule reqtimeout_module modules/mod_reqtimeout.so
+LoadModule rewrite_module modules/mod_rewrite.so
+LoadModule setenvif_module modules/mod_setenvif.so
+LoadModule slotmem_plain_module modules/mod_slotmem_plain.so
+LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
+LoadModule socache_dbm_module modules/mod_socache_dbm.so
+LoadModule socache_memcache_module modules/mod_socache_memcache.so
+LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
+LoadModule status_module modules/mod_status.so
+LoadModule substitute_module modules/mod_substitute.so
+LoadModule suexec_module modules/mod_suexec.so
+LoadModule unique_id_module modules/mod_unique_id.so
+LoadModule unixd_module modules/mod_unixd.so
+LoadModule userdir_module modules/mod_userdir.so
+LoadModule version_module modules/mod_version.so
+LoadModule vhost_alias_module modules/mod_vhost_alias.so
+
+#LoadModule buffer_module modules/mod_buffer.so
+#LoadModule watchdog_module modules/mod_watchdog.so
+#LoadModule heartbeat_module modules/mod_heartbeat.so
+#LoadModule heartmonitor_module modules/mod_heartmonitor.so
+#LoadModule usertrack_module modules/mod_usertrack.so
+#LoadModule dialup_module modules/mod_dialup.so
+#LoadModule charset_lite_module modules/mod_charset_lite.so
+#LoadModule log_debug_module modules/mod_log_debug.so
+#LoadModule ratelimit_module modules/mod_ratelimit.so
+#LoadModule reflector_module modules/mod_reflector.so
+#LoadModule request_module modules/mod_request.so
+#LoadModule sed_module modules/mod_sed.so
+#LoadModule speling_module modules/mod_speling.so
+
diff --git a/SOURCES/00-dav.conf b/SOURCES/00-dav.conf
new file mode 100644
index 0000000..e6af8de
--- /dev/null
+++ b/SOURCES/00-dav.conf
@@ -0,0 +1,3 @@
+LoadModule dav_module modules/mod_dav.so
+LoadModule dav_fs_module modules/mod_dav_fs.so
+LoadModule dav_lock_module modules/mod_dav_lock.so
diff --git a/SOURCES/00-lua.conf b/SOURCES/00-lua.conf
new file mode 100644
index 0000000..9e0d0db
--- /dev/null
+++ b/SOURCES/00-lua.conf
@@ -0,0 +1 @@
+LoadModule lua_module modules/mod_lua.so
diff --git a/SOURCES/00-mpm.conf b/SOURCES/00-mpm.conf
new file mode 100644
index 0000000..7bfd1d4
--- /dev/null
+++ b/SOURCES/00-mpm.conf
@@ -0,0 +1,19 @@
+# Select the MPM module which should be used by uncommenting exactly
+# one of the following LoadModule lines:
+
+# prefork MPM: Implements a non-threaded, pre-forking web server
+# See: http://httpd.apache.org/docs/2.4/mod/prefork.html
+LoadModule mpm_prefork_module modules/mod_mpm_prefork.so
+
+# worker MPM: Multi-Processing Module implementing a hybrid
+# multi-threaded multi-process web server
+# See: http://httpd.apache.org/docs/2.4/mod/worker.html
+#
+#LoadModule mpm_worker_module modules/mod_mpm_worker.so
+
+# event MPM: A variant of the worker MPM with the goal of consuming
+# threads only for connections with active processing
+# See: http://httpd.apache.org/docs/2.4/mod/event.html
+#
+#LoadModule mpm_event_module modules/mod_mpm_event.so
+
diff --git a/SOURCES/00-proxy.conf b/SOURCES/00-proxy.conf
new file mode 100644
index 0000000..cc0bca0
--- /dev/null
+++ b/SOURCES/00-proxy.conf
@@ -0,0 +1,16 @@
+# This file configures all the proxy modules:
+LoadModule proxy_module modules/mod_proxy.so
+LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
+LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
+LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so
+LoadModule lbmethod_heartbeat_module modules/mod_lbmethod_heartbeat.so
+LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
+LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
+LoadModule proxy_connect_module modules/mod_proxy_connect.so
+LoadModule proxy_express_module modules/mod_proxy_express.so
+LoadModule proxy_fcgi_module modules/mod_proxy_fcgi.so
+LoadModule proxy_fdpass_module modules/mod_proxy_fdpass.so
+LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
+LoadModule proxy_http_module modules/mod_proxy_http.so
+LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
+LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
diff --git a/SOURCES/00-proxyhtml.conf b/SOURCES/00-proxyhtml.conf
new file mode 100644
index 0000000..9a9b107
--- /dev/null
+++ b/SOURCES/00-proxyhtml.conf
@@ -0,0 +1,3 @@
+# This file configures mod_proxy_html and mod_xml2enc:
+LoadModule xml2enc_module modules/mod_xml2enc.so
+LoadModule proxy_html_module modules/mod_proxy_html.so
diff --git a/SOURCES/00-ssl.conf b/SOURCES/00-ssl.conf
new file mode 100644
index 0000000..53235cd
--- /dev/null
+++ b/SOURCES/00-ssl.conf
@@ -0,0 +1 @@
+LoadModule ssl_module modules/mod_ssl.so
diff --git a/SOURCES/00-systemd.conf b/SOURCES/00-systemd.conf
new file mode 100644
index 0000000..b208c97
--- /dev/null
+++ b/SOURCES/00-systemd.conf
@@ -0,0 +1,2 @@
+# This file configures systemd module:
+LoadModule systemd_module modules/mod_systemd.so
diff --git a/SOURCES/01-cgi.conf b/SOURCES/01-cgi.conf
new file mode 100644
index 0000000..5b8b936
--- /dev/null
+++ b/SOURCES/01-cgi.conf
@@ -0,0 +1,14 @@
+# This configuration file loads a CGI module appropriate to the MPM
+# which has been configured in 00-mpm.conf. mod_cgid should be used
+# with a threaded MPM; mod_cgi with the prefork MPM.
+
+
+ LoadModule cgid_module modules/mod_cgid.so
+
+
+ LoadModule cgid_module modules/mod_cgid.so
+
+
+ LoadModule cgi_module modules/mod_cgi.so
+
+
diff --git a/SOURCES/01-ldap.conf b/SOURCES/01-ldap.conf
new file mode 100644
index 0000000..f2ac2a2
--- /dev/null
+++ b/SOURCES/01-ldap.conf
@@ -0,0 +1,3 @@
+# This file configures the LDAP modules:
+LoadModule ldap_module modules/mod_ldap.so
+LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
diff --git a/SOURCES/01-session.conf b/SOURCES/01-session.conf
new file mode 100644
index 0000000..f8d4d92
--- /dev/null
+++ b/SOURCES/01-session.conf
@@ -0,0 +1,6 @@
+LoadModule session_module modules/mod_session.so
+LoadModule session_cookie_module modules/mod_session_cookie.so
+LoadModule session_dbd_module modules/mod_session_dbd.so
+LoadModule auth_form_module modules/mod_auth_form.so
+
+#LoadModule session_crypto_module modules/mod_session_crypto.so
diff --git a/SOURCES/README.confd b/SOURCES/README.confd
new file mode 100644
index 0000000..f5e9661
--- /dev/null
+++ b/SOURCES/README.confd
@@ -0,0 +1,9 @@
+
+This directory holds configuration files for the Apache HTTP Server;
+any files in this directory which have the ".conf" extension will be
+processed as httpd configuration files. The directory is used in
+addition to the directory /etc/httpd/conf.modules.d/, which contains
+configuration files necessary to load modules.
+
+Files are processed in alphabetical order.
+
diff --git a/SOURCES/action-configtest.sh b/SOURCES/action-configtest.sh
new file mode 100644
index 0000000..26d2893
--- /dev/null
+++ b/SOURCES/action-configtest.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec /sbin/apachectl configtest
diff --git a/SOURCES/action-graceful.sh b/SOURCES/action-graceful.sh
new file mode 100644
index 0000000..4976087
--- /dev/null
+++ b/SOURCES/action-graceful.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+exec /sbin/apachectl graceful
diff --git a/SOURCES/htcacheclean.service b/SOURCES/htcacheclean.service
new file mode 100644
index 0000000..2a0aa8e
--- /dev/null
+++ b/SOURCES/htcacheclean.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Disk Cache Cleaning Daemon for Apache HTTP Server
+After=httpd.service
+Documentation=man:htcacheclean(8)
+
+[Service]
+Type=forking
+User=apache
+PIDFile=/run/httpd/htcacheclean/pid
+EnvironmentFile=/etc/sysconfig/htcacheclean
+ExecStart=/usr/sbin/htcacheclean -P /run/httpd/htcacheclean/pid -d $INTERVAL -p $CACHE_ROOT -l $LIMIT $OPTIONS
diff --git a/SOURCES/htcacheclean.sysconf b/SOURCES/htcacheclean.sysconf
new file mode 100644
index 0000000..fffa17b
--- /dev/null
+++ b/SOURCES/htcacheclean.sysconf
@@ -0,0 +1,16 @@
+#
+# Configuration options for systemd service, htcacheclean.service.
+# See htcacheclean(8) for more information on available options.
+#
+
+# Interval between cache clean runs, in minutes
+INTERVAL=15
+
+# Default cache root.
+CACHE_ROOT=/var/cache/httpd/proxy
+
+# Cache size limit in bytes (K=Kbytes, M=Mbytes)
+LIMIT=100M
+
+# Any other options...
+OPTIONS=
diff --git a/SOURCES/httpd-2.4.1-apctl.patch b/SOURCES/httpd-2.4.1-apctl.patch
new file mode 100644
index 0000000..b31c3c5
--- /dev/null
+++ b/SOURCES/httpd-2.4.1-apctl.patch
@@ -0,0 +1,94 @@
+
+- fail gracefully if links is not installed on target system
+- source sysconfig/httpd for custom env. vars etc.
+- make httpd -t work even in SELinux
+- pass $OPTIONS to all $HTTPD invocation
+
+Upstream-HEAD: vendor
+Upstream-2.0: vendor
+Upstream-Status: Vendor-specific changes for better initscript integration
+
+--- httpd-2.4.1/support/apachectl.in.apctl
++++ httpd-2.4.1/support/apachectl.in
+@@ -44,19 +44,25 @@ ARGV="$@"
+ # the path to your httpd binary, including options if necessary
+ HTTPD='@exp_sbindir@/@progname@'
+ #
+-# pick up any necessary environment variables
+-if test -f @exp_sbindir@/envvars; then
+- . @exp_sbindir@/envvars
+-fi
+ #
+ # a command that outputs a formatted text version of the HTML at the
+ # url given on the command line. Designed for lynx, however other
+ # programs may work.
+-LYNX="@LYNX_PATH@ -dump"
++if [ -x "@LYNX_PATH@" ]; then
++ LYNX="@LYNX_PATH@ -dump"
++else
++ LYNX=none
++fi
+ #
+ # the URL to your server's mod_status status page. If you do not
+ # have one, then status and fullstatus will not work.
+ STATUSURL="http://localhost:@PORT@/server-status"
++
++# Source /etc/sysconfig/httpd for $HTTPD setting, etc.
++if [ -r /etc/sysconfig/httpd ]; then
++ . /etc/sysconfig/httpd
++fi
++
+ #
+ # Set this variable to a command that increases the maximum
+ # number of file descriptors allowed per child process. This is
+@@ -76,9 +82,27 @@ if [ "x$ARGV" = "x" ] ; then
+ ARGV="-h"
+ fi
+
++function checklynx() {
++if [ "$LYNX" = "none" ]; then
++ echo "The 'links' package is required for this functionality."
++ exit 8
++fi
++}
++
++function testconfig() {
++# httpd is denied terminal access in SELinux, so run in the
++# current context to get stdout from $HTTPD -t.
++if test -x /usr/sbin/selinuxenabled && /usr/sbin/selinuxenabled; then
++ runcon -- `id -Z` $HTTPD $OPTIONS -t
++else
++ $HTTPD $OPTIONS -t
++fi
++ERROR=$?
++}
++
+ case $ACMD in
+ start|stop|restart|graceful|graceful-stop)
+- $HTTPD -k $ARGV
++ $HTTPD $OPTIONS -k $ARGV
+ ERROR=$?
+ ;;
+ startssl|sslstart|start-SSL)
+@@ -88,17 +112,18 @@ startssl|sslstart|start-SSL)
+ ERROR=2
+ ;;
+ configtest)
+- $HTTPD -t
+- ERROR=$?
++ testconfig
+ ;;
+ status)
++ checklynx
+ $LYNX $STATUSURL | awk ' /process$/ { print; exit } { print } '
+ ;;
+ fullstatus)
++ checklynx
+ $LYNX $STATUSURL
+ ;;
+ *)
+- $HTTPD "$@"
++ $HTTPD $OPTIONS "$@"
+ ERROR=$?
+ esac
+
diff --git a/SOURCES/httpd-2.4.1-corelimit.patch b/SOURCES/httpd-2.4.1-corelimit.patch
new file mode 100644
index 0000000..96f8486
--- /dev/null
+++ b/SOURCES/httpd-2.4.1-corelimit.patch
@@ -0,0 +1,35 @@
+
+Bump up the core size limit if CoreDumpDirectory is
+configured.
+
+Upstream-Status: Was discussed but there are competing desires;
+ there are portability oddities here too.
+
+--- httpd-2.4.1/server/core.c.corelimit
++++ httpd-2.4.1/server/core.c
+@@ -4433,6 +4433,25 @@ static int core_post_config(apr_pool_t *
+ }
+ apr_pool_cleanup_register(pconf, NULL, ap_mpm_end_gen_helper,
+ apr_pool_cleanup_null);
++
++#ifdef RLIMIT_CORE
++ if (ap_coredumpdir_configured) {
++ struct rlimit lim;
++
++ if (getrlimit(RLIMIT_CORE, &lim) == 0 && lim.rlim_cur == 0) {
++ lim.rlim_cur = lim.rlim_max;
++ if (setrlimit(RLIMIT_CORE, &lim) == 0) {
++ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
++ "core dump file size limit raised to %lu bytes",
++ lim.rlim_cur);
++ } else {
++ ap_log_error(APLOG_MARK, APLOG_NOTICE, errno, NULL,
++ "core dump file size is zero, setrlimit failed");
++ }
++ }
++ }
++#endif
++
+ return OK;
+ }
+
diff --git a/SOURCES/httpd-2.4.1-deplibs.patch b/SOURCES/httpd-2.4.1-deplibs.patch
new file mode 100644
index 0000000..b73c21d
--- /dev/null
+++ b/SOURCES/httpd-2.4.1-deplibs.patch
@@ -0,0 +1,19 @@
+
+Link straight against .la files.
+
+Upstream-Status: vendor specific
+
+--- httpd-2.4.1/configure.in.deplibs
++++ httpd-2.4.1/configure.in
+@@ -707,9 +707,9 @@ APACHE_HELP_STRING(--with-suexec-umask,u
+
+ dnl APR should go after the other libs, so the right symbols can be picked up
+ if test x${apu_found} != xobsolete; then
+- AP_LIBS="$AP_LIBS `$apu_config --avoid-ldap --link-libtool --libs`"
++ AP_LIBS="$AP_LIBS `$apu_config --avoid-ldap --link-libtool`"
+ fi
+-AP_LIBS="$AP_LIBS `$apr_config --link-libtool --libs`"
++AP_LIBS="$AP_LIBS `$apr_config --link-libtool`"
+ APACHE_SUBST(AP_LIBS)
+ APACHE_SUBST(AP_BUILD_SRCLIB_DIRS)
+ APACHE_SUBST(AP_CLEAN_SRCLIB_DIRS)
diff --git a/SOURCES/httpd-2.4.1-selinux.patch b/SOURCES/httpd-2.4.1-selinux.patch
new file mode 100644
index 0000000..e97c5a4
--- /dev/null
+++ b/SOURCES/httpd-2.4.1-selinux.patch
@@ -0,0 +1,61 @@
+
+Log the SELinux context at startup.
+
+Upstream-Status: unlikely to be any interest in this upstream
+
+--- httpd-2.4.1/configure.in.selinux
++++ httpd-2.4.1/configure.in
+@@ -458,6 +458,11 @@ fopen64
+ dnl confirm that a void pointer is large enough to store a long integer
+ APACHE_CHECK_VOID_PTR_LEN
+
++AC_CHECK_LIB(selinux, is_selinux_enabled, [
++ AC_DEFINE(HAVE_SELINUX, 1, [Defined if SELinux is supported])
++ APR_ADDTO(AP_LIBS, [-lselinux])
++])
++
+ AC_CACHE_CHECK([for gettid()], ac_cv_gettid,
+ [AC_TRY_RUN(#define _GNU_SOURCE
+ #include
+--- httpd-2.4.1/server/core.c.selinux
++++ httpd-2.4.1/server/core.c
+@@ -58,6 +58,10 @@
+ #include
+ #endif
+
++#ifdef HAVE_SELINUX
++#include
++#endif
++
+ /* LimitRequestBody handling */
+ #define AP_LIMIT_REQ_BODY_UNSET ((apr_off_t) -1)
+ #define AP_DEFAULT_LIMIT_REQ_BODY ((apr_off_t) 0)
+@@ -4452,6 +4456,28 @@ static int core_post_config(apr_pool_t *
+ }
+ #endif
+
++#ifdef HAVE_SELINUX
++ {
++ static int already_warned = 0;
++ int is_enabled = is_selinux_enabled() > 0;
++
++ if (is_enabled && !already_warned) {
++ security_context_t con;
++
++ if (getcon(&con) == 0) {
++
++ ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, NULL,
++ "SELinux policy enabled; "
++ "httpd running as context %s", con);
++
++ already_warned = 1;
++
++ freecon(con);
++ }
++ }
++ }
++#endif
++
+ return OK;
+ }
+
diff --git a/SOURCES/httpd-2.4.2-icons.patch b/SOURCES/httpd-2.4.2-icons.patch
new file mode 100644
index 0000000..1341999
--- /dev/null
+++ b/SOURCES/httpd-2.4.2-icons.patch
@@ -0,0 +1,26 @@
+
+- Fix config for /icons/ dir to allow symlink to poweredby.png.
+- Avoid using coredump GIF for a directory called "core"
+
+Upstream-Status: vendor specific patch
+
+--- httpd-2.4.2/docs/conf/extra/httpd-autoindex.conf.in.icons
++++ httpd-2.4.2/docs/conf/extra/httpd-autoindex.conf.in
+@@ -21,7 +21,7 @@ IndexOptions FancyIndexing HTMLTable Ver
+ Alias /icons/ "@exp_iconsdir@/"
+
+
+- Options Indexes MultiViews
++ Options Indexes MultiViews FollowSymlinks
+ AllowOverride None
+ Require all granted
+
+@@ -53,7 +53,7 @@ AddIcon /icons/dvi.gif .dvi
+ AddIcon /icons/uuencoded.gif .uu
+ AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
+ AddIcon /icons/tex.gif .tex
+-AddIcon /icons/bomb.gif core
++AddIcon /icons/bomb.gif core.
+
+ AddIcon /icons/back.gif ..
+ AddIcon /icons/hand.right.gif README
diff --git a/SOURCES/httpd-2.4.3-apctl-systemd.patch b/SOURCES/httpd-2.4.3-apctl-systemd.patch
new file mode 100644
index 0000000..5823aee
--- /dev/null
+++ b/SOURCES/httpd-2.4.3-apctl-systemd.patch
@@ -0,0 +1,45 @@
+
+Upstream-Status: vendor specific patch
+
+diff --git a/support/apachectl.in b/support/apachectl.in
+index c6ac3ea..2599386 100644
+--- a/support/apachectl.in
++++ b/support/apachectl.in
+@@ -100,9 +100,24 @@ fi
+ ERROR=$?
+ }
+
++if [ "x$2" != "x" ] ; then
++ echo Passing arguments to httpd using apachectl is no longer supported.
++ echo You can only start/stop/restart httpd using this script.
++ echo If you want to pass extra arguments to httpd, edit the
++ echo /etc/sysconfig/httpd config file.
++fi
++
+ case $ACMD in
+-start|stop|restart|graceful|graceful-stop)
+- $HTTPD $OPTIONS -k $ARGV
++start|stop|restart|status)
++ /usr/bin/systemctl $ACMD httpd.service
++ ERROR=$?
++ ;;
++graceful)
++ /usr/bin/systemctl reload httpd.service
++ ERROR=$?
++ ;;
++graceful-stop)
++ /usr/bin/systemctl stop httpd.service
+ ERROR=$?
+ ;;
+ startssl|sslstart|start-SSL)
+@@ -114,10 +129,6 @@ startssl|sslstart|start-SSL)
+ configtest)
+ testconfig
+ ;;
+-status)
+- checklynx
+- $LYNX $STATUSURL | awk ' /process$/ { print; exit } { print } '
+- ;;
+ fullstatus)
+ checklynx
+ $LYNX $STATUSURL
diff --git a/SOURCES/httpd-2.4.3-apxs.patch b/SOURCES/httpd-2.4.3-apxs.patch
new file mode 100644
index 0000000..f4d2a87
--- /dev/null
+++ b/SOURCES/httpd-2.4.3-apxs.patch
@@ -0,0 +1,56 @@
+--- httpd-2.4.3/support/apxs.in.apxs
++++ httpd-2.4.3/support/apxs.in
+@@ -25,7 +25,18 @@ package apxs;
+
+ my %config_vars = ();
+
+-my $installbuilddir = "@exp_installbuilddir@";
++# Awful hack to make apxs libdir-agnostic:
++my $pkg_config = "/usr/bin/pkg-config";
++if (! -x "$pkg_config") {
++ error("$pkg_config not found!");
++ exit(1);
++}
++
++my $libdir = `pkg-config --variable=libdir apr-1`;
++chomp $libdir;
++
++my $installbuilddir = $libdir . "/httpd/build";
++
+ get_config_vars("$installbuilddir/config_vars.mk",\%config_vars);
+
+ # read the configuration variables once
+@@ -275,7 +286,7 @@ if ($opt_g) {
+ $data =~ s|%NAME%|$name|sg;
+ $data =~ s|%TARGET%|$CFG_TARGET|sg;
+ $data =~ s|%PREFIX%|$prefix|sg;
+- $data =~ s|%INSTALLBUILDDIR%|$installbuilddir|sg;
++ $data =~ s|%LIBDIR%|$libdir|sg;
+
+ my ($mkf, $mods, $src) = ($data =~ m|^(.+)-=#=-\n(.+)-=#=-\n(.+)|s);
+
+@@ -453,11 +464,11 @@ if ($opt_c) {
+ my $ldflags = "$CFG_LDFLAGS";
+ if ($opt_p == 1) {
+
+- my $apr_libs=`$apr_config --cflags --ldflags --link-libtool --libs`;
++ my $apr_libs=`$apr_config --cflags --ldflags --link-libtool`;
+ chomp($apr_libs);
+ my $apu_libs="";
+ if ($apr_major_version < 2) {
+- $apu_libs=`$apu_config --ldflags --link-libtool --libs`;
++ $apu_libs=`$apu_config --ldflags --link-libtool`;
+ chomp($apu_libs);
+ }
+
+@@ -672,8 +683,8 @@ __DATA__
+
+ builddir=.
+ top_srcdir=%PREFIX%
+-top_builddir=%PREFIX%
+-include %INSTALLBUILDDIR%/special.mk
++top_builddir=%LIBDIR%/httpd
++include %LIBDIR%/httpd/build/special.mk
+
+ # the used tools
+ APXS=apxs
diff --git a/SOURCES/httpd-2.4.3-layout.patch b/SOURCES/httpd-2.4.3-layout.patch
new file mode 100644
index 0000000..f3ee9ec
--- /dev/null
+++ b/SOURCES/httpd-2.4.3-layout.patch
@@ -0,0 +1,34 @@
+
+Add layout for Fedora.
+
+--- httpd-2.4.3/config.layout.layout
++++ httpd-2.4.3/config.layout
+@@ -370,3 +370,28 @@
+ logfiledir: ${localstatedir}/log/httpd
+ proxycachedir: ${localstatedir}/cache/httpd
+
++
++# Fedora/RHEL layout
++
++ prefix: /usr
++ exec_prefix: ${prefix}
++ bindir: ${prefix}/bin
++ sbindir: ${prefix}/sbin
++ libdir: ${prefix}/lib
++ libexecdir: ${prefix}/libexec
++ mandir: ${prefix}/man
++ sysconfdir: /etc/httpd/conf
++ datadir: ${prefix}/share/httpd
++ installbuilddir: ${libdir}/httpd/build
++ errordir: ${datadir}/error
++ iconsdir: ${datadir}/icons
++ htdocsdir: /var/www/html
++ manualdir: ${datadir}/manual
++ cgidir: /var/www/cgi-bin
++ includedir: ${prefix}/include/httpd
++ localstatedir: /var
++ runtimedir: /run/httpd
++ logfiledir: ${localstatedir}/log/httpd
++ proxycachedir: ${localstatedir}/cache/httpd/proxy
++ davlockdb: ${localstatedir}/lib/dav/lockdb
++
diff --git a/SOURCES/httpd-2.4.3-mod_systemd.patch b/SOURCES/httpd-2.4.3-mod_systemd.patch
new file mode 100644
index 0000000..a9b1fd9
--- /dev/null
+++ b/SOURCES/httpd-2.4.3-mod_systemd.patch
@@ -0,0 +1,163 @@
+--- httpd-2.4.3/modules/arch/unix/config5.m4.systemd
++++ httpd-2.4.3/modules/arch/unix/config5.m4
+@@ -18,6 +18,19 @@ APACHE_MODULE(privileges, Per-virtualhos
+ fi
+ ])
+
++
++APACHE_MODULE(systemd, Systemd support, , , $unixd_mods_enabled, [
++ AC_CHECK_LIB(systemd-daemon, sd_notify, SYSTEMD_LIBS="-lsystemd-daemon")
++ AC_CHECK_HEADERS(systemd/sd-daemon.h, [ap_HAVE_SD_DAEMON_H="yes"], [ap_HAVE_SD_DAEMON_H="no"])
++ if test $ap_HAVE_SD_DAEMON_H = "no" || test -z "${SYSTEMD_LIBS}"; then
++ AC_MSG_WARN([Your system does not support systemd.])
++ enable_systemd="no"
++ else
++ APR_ADDTO(MOD_SYSTEMD_LDADD, [$SYSTEMD_LIBS])
++ enable_systemd="yes"
++ fi
++])
++
+ APR_ADDTO(INCLUDES, [-I\$(top_srcdir)/$modpath_current])
+
+ APACHE_MODPATH_FINISH
+--- httpd-2.4.3/modules/arch/unix/mod_systemd.c.systemd
++++ httpd-2.4.3/modules/arch/unix/mod_systemd.c
+@@ -0,0 +1,138 @@
++/* Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements. See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License. You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ *
++ */
++
++#include
++#include
++#include "ap_mpm.h"
++#include
++#include
++#include
++#include
++#include
++#include "unixd.h"
++#include "scoreboard.h"
++#include "mpm_common.h"
++
++#include "systemd/sd-daemon.h"
++
++#if APR_HAVE_UNISTD_H
++#include
++#endif
++
++#define KBYTE 1024
++
++static pid_t pid; /* PID of the main httpd instance */
++static int server_limit, thread_limit, threads_per_child, max_servers;
++static time_t last_update_time;
++static unsigned long last_update_access;
++static unsigned long last_update_kbytes;
++
++static int systemd_pre_mpm(apr_pool_t *p, ap_scoreboard_e sb_type)
++{
++ int rv;
++ last_update_time = time(0);
++
++ ap_mpm_query(AP_MPMQ_HARD_LIMIT_THREADS, &thread_limit);
++ ap_mpm_query(AP_MPMQ_HARD_LIMIT_DAEMONS, &server_limit);
++ ap_mpm_query(AP_MPMQ_MAX_THREADS, &threads_per_child);
++ /* work around buggy MPMs */
++ if (threads_per_child == 0)
++ threads_per_child = 1;
++ ap_mpm_query(AP_MPMQ_MAX_DAEMONS, &max_servers);
++
++ pid = getpid();
++
++ rv = sd_notifyf(0, "READY=1\n"
++ "STATUS=Processing requests...\n"
++ "MAINPID=%lu",
++ (unsigned long) pid);
++ if (rv < 0) {
++ ap_log_perror(APLOG_MARK, APLOG_ERR, 0, p,
++ "sd_notifyf returned an error %d", rv);
++ }
++
++ return OK;
++}
++
++static int systemd_monitor(apr_pool_t *p, server_rec *s)
++{
++ int i, j, res, rv;
++ process_score *ps_record;
++ worker_score *ws_record;
++ unsigned long access = 0;
++ unsigned long bytes = 0;
++ unsigned long kbytes = 0;
++ char bps[5];
++ time_t now = time(0);
++ time_t elapsed = now - last_update_time;
++
++ for (i = 0; i < server_limit; ++i) {
++ ps_record = ap_get_scoreboard_process(i);
++ for (j = 0; j < thread_limit; ++j) {
++ ws_record = ap_get_scoreboard_worker_from_indexes(i, j);
++ if (ap_extended_status && !ps_record->quiescing && ps_record->pid) {
++ res = ws_record->status;
++ if (ws_record->access_count != 0 ||
++ (res != SERVER_READY && res != SERVER_DEAD)) {
++ access += ws_record->access_count;
++ bytes += ws_record->bytes_served;
++ if (bytes >= KBYTE) {
++ kbytes += (bytes >> 10);
++ bytes = bytes & 0x3ff;
++ }
++ }
++ }
++ }
++ }
++
++ apr_strfsize((unsigned long)(KBYTE *(float) (kbytes - last_update_kbytes)
++ / (float) elapsed), bps);
++
++ rv = sd_notifyf(0, "READY=1\n"
++ "STATUS=Total requests: %lu; Current requests/sec: %.3g; "
++ "Current traffic: %sB/sec\n", access,
++ ((float)access - last_update_access) / (float) elapsed, bps);
++ if (rv < 0) {
++ ap_log_error(APLOG_MARK, APLOG_ERR, 0, s, APLOGNO(00000)
++ "sd_notifyf returned an error %d", rv);
++ }
++
++ last_update_access = access;
++ last_update_kbytes = kbytes;
++ last_update_time = now;
++
++ return DECLINED;
++}
++
++static void systemd_register_hooks(apr_pool_t *p)
++{
++ /* We know the PID in this hook ... */
++ ap_hook_pre_mpm(systemd_pre_mpm, NULL, NULL, APR_HOOK_LAST);
++ /* Used to update httpd's status line using sd_notifyf */
++ ap_hook_monitor(systemd_monitor, NULL, NULL, APR_HOOK_MIDDLE);
++}
++
++module AP_MODULE_DECLARE_DATA systemd_module =
++{
++ STANDARD20_MODULE_STUFF,
++ NULL,
++ NULL,
++ NULL,
++ NULL,
++ NULL,
++ systemd_register_hooks,
++};
diff --git a/SOURCES/httpd-2.4.3-sslsninotreq.patch b/SOURCES/httpd-2.4.3-sslsninotreq.patch
new file mode 100644
index 0000000..6e158c6
--- /dev/null
+++ b/SOURCES/httpd-2.4.3-sslsninotreq.patch
@@ -0,0 +1,83 @@
+diff --git a/modules/ssl/ssl_engine_config.c b/modules/ssl/ssl_engine_config.c
+index 15993f1..53ed6f1 100644
+--- a/modules/ssl/ssl_engine_config.c
++++ b/modules/ssl/ssl_engine_config.c
+@@ -55,6 +55,7 @@ SSLModConfigRec *ssl_config_global_create(server_rec *s)
+ mc = (SSLModConfigRec *)apr_palloc(pool, sizeof(*mc));
+ mc->pPool = pool;
+ mc->bFixed = FALSE;
++ mc->sni_required = FALSE;
+
+ /*
+ * initialize per-module configuration
+diff --git a/modules/ssl/ssl_engine_init.c b/modules/ssl/ssl_engine_init.c
+index bf1f0e4..a7523de 100644
+--- a/modules/ssl/ssl_engine_init.c
++++ b/modules/ssl/ssl_engine_init.c
+@@ -409,7 +409,7 @@ int ssl_init_Module(apr_pool_t *p, apr_pool_t *plog,
+ /*
+ * Configuration consistency checks
+ */
+- ssl_init_CheckServers(base_server, ptemp);
++ ssl_init_CheckServers(mc, base_server, ptemp);
+
+ /*
+ * Announce mod_ssl and SSL library in HTTP Server field
+@@ -1475,7 +1475,7 @@ void ssl_init_ConfigureServer(server_rec *s,
+ }
+ }
+
+-void ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
++void ssl_init_CheckServers(SSLModConfigRec *mc, server_rec *base_server, apr_pool_t *p)
+ {
+ server_rec *s, *ps;
+ SSLSrvConfigRec *sc;
+@@ -1557,6 +1557,7 @@ void ssl_init_CheckServers(server_rec *base_server, apr_pool_t *p)
+ }
+
+ if (conflict) {
++ mc->sni_required = TRUE;
+ #ifdef OPENSSL_NO_TLSEXT
+ ap_log_error(APLOG_MARK, APLOG_WARNING, 0, base_server, APLOGNO(01917)
+ "Init: You should not use name-based "
+diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c
+index bc9e26b..2460f01 100644
+--- a/modules/ssl/ssl_engine_kernel.c
++++ b/modules/ssl/ssl_engine_kernel.c
+@@ -164,6 +164,7 @@ int ssl_hook_ReadReq(request_rec *r)
+ return DECLINED;
+ }
+ #ifndef OPENSSL_NO_TLSEXT
++ if (myModConfig(r->server)->sni_required) {
+ if ((servername = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name))) {
+ char *host, *scope_id;
+ apr_port_t port;
+@@ -206,6 +207,7 @@ int ssl_hook_ReadReq(request_rec *r)
+ " virtual host");
+ return HTTP_FORBIDDEN;
+ }
++ }
+ #endif
+ SSL_set_app_data2(ssl, r);
+
+diff --git a/modules/ssl/ssl_private.h b/modules/ssl/ssl_private.h
+index 75fc0e3..31dbfa9 100644
+--- a/modules/ssl/ssl_private.h
++++ b/modules/ssl/ssl_private.h
+@@ -554,6 +554,7 @@ typedef struct {
+ struct {
+ void *pV1, *pV2, *pV3, *pV4, *pV5, *pV6, *pV7, *pV8, *pV9, *pV10;
+ } rCtx;
++ BOOL sni_required;
+ } SSLModConfigRec;
+
+ /** Structure representing configured filenames for certs and keys for
+@@ -786,7 +787,7 @@ const char *ssl_cmd_SSLFIPS(cmd_parms *cmd, void *dcfg, int flag);
+ int ssl_init_Module(apr_pool_t *, apr_pool_t *, apr_pool_t *, server_rec *);
+ void ssl_init_Engine(server_rec *, apr_pool_t *);
+ void ssl_init_ConfigureServer(server_rec *, apr_pool_t *, apr_pool_t *, SSLSrvConfigRec *);
+-void ssl_init_CheckServers(server_rec *, apr_pool_t *);
++void ssl_init_CheckServers(SSLModConfigRec *mc, server_rec *, apr_pool_t *);
+ STACK_OF(X509_NAME)
+ *ssl_init_FindCAList(server_rec *, apr_pool_t *, const char *, const char *);
+ void ssl_init_Child(apr_pool_t *, server_rec *);
diff --git a/SOURCES/httpd-2.4.4-cachehardmax.patch b/SOURCES/httpd-2.4.4-cachehardmax.patch
new file mode 100644
index 0000000..de360ce
--- /dev/null
+++ b/SOURCES/httpd-2.4.4-cachehardmax.patch
@@ -0,0 +1,82 @@
+diff --git a/modules/cache/cache_util.h b/modules/cache/cache_util.h
+index eec38f3..1a2d5ee 100644
+--- a/modules/cache/cache_util.h
++++ b/modules/cache/cache_util.h
+@@ -194,6 +194,9 @@ typedef struct {
+ unsigned int store_nostore_set:1;
+ unsigned int enable_set:1;
+ unsigned int disable_set:1;
++ /* treat maxex as hard limit */
++ unsigned int hardmaxex:1;
++ unsigned int hardmaxex_set:1;
+ } cache_dir_conf;
+
+ /* A linked-list of authn providers. */
+diff --git a/modules/cache/mod_cache.c b/modules/cache/mod_cache.c
+index 4f2d3e0..30c88f4 100644
+--- a/modules/cache/mod_cache.c
++++ b/modules/cache/mod_cache.c
+@@ -1299,6 +1299,11 @@ static apr_status_t cache_save_filter(ap_filter_t *f, apr_bucket_brigade *in)
+ exp = date + dconf->defex;
+ }
+ }
++ /* else, forcibly cap the expiry date if required */
++ else if (dconf->hardmaxex && (date + dconf->maxex) < exp) {
++ exp = date + dconf->maxex;
++ }
++
+ info->expire = exp;
+
+ /* We found a stale entry which wasn't really stale. */
+@@ -1717,7 +1722,9 @@ static void *create_dir_config(apr_pool_t *p, char *dummy)
+
+ /* array of providers for this URL space */
+ dconf->cacheenable = apr_array_make(p, 10, sizeof(struct cache_enable));
+-
++ /* flag; treat maxex as hard limit */
++ dconf->hardmaxex = 0;
++ dconf->hardmaxex_set = 0;
+ return dconf;
+ }
+
+@@ -1767,7 +1774,10 @@ static void *merge_dir_config(apr_pool_t *p, void *basev, void *addv) {
+ new->enable_set = add->enable_set || base->enable_set;
+ new->disable = (add->disable_set == 0) ? base->disable : add->disable;
+ new->disable_set = add->disable_set || base->disable_set;
+-
++ new->hardmaxex =
++ (add->hardmaxex_set == 0)
++ ? base->hardmaxex
++ : add->hardmaxex;
+ return new;
+ }
+
+@@ -2096,12 +2106,18 @@ static const char *add_cache_disable(cmd_parms *parms, void *dummy,
+ }
+
+ static const char *set_cache_maxex(cmd_parms *parms, void *dummy,
+- const char *arg)
++ const char *arg, const char *hard)
+ {
+ cache_dir_conf *dconf = (cache_dir_conf *)dummy;
+
+ dconf->maxex = (apr_time_t) (atol(arg) * MSEC_ONE_SEC);
+ dconf->maxex_set = 1;
++
++ if (hard && strcasecmp(hard, "hard") == 0) {
++ dconf->hardmaxex = 1;
++ dconf->hardmaxex_set = 1;
++ }
++
+ return NULL;
+ }
+
+@@ -2309,7 +2325,7 @@ static const command_rec cache_cmds[] =
+ "caching is enabled"),
+ AP_INIT_TAKE1("CacheDisable", add_cache_disable, NULL, RSRC_CONF|ACCESS_CONF,
+ "A partial URL prefix below which caching is disabled"),
+- AP_INIT_TAKE1("CacheMaxExpire", set_cache_maxex, NULL, RSRC_CONF|ACCESS_CONF,
++ AP_INIT_TAKE12("CacheMaxExpire", set_cache_maxex, NULL, RSRC_CONF|ACCESS_CONF,
+ "The maximum time in seconds to cache a document"),
+ AP_INIT_TAKE1("CacheMinExpire", set_cache_minex, NULL, RSRC_CONF|ACCESS_CONF,
+ "The minimum time in seconds to cache a document"),
diff --git a/SOURCES/httpd-2.4.4-export.patch b/SOURCES/httpd-2.4.4-export.patch
new file mode 100644
index 0000000..eb670c6
--- /dev/null
+++ b/SOURCES/httpd-2.4.4-export.patch
@@ -0,0 +1,20 @@
+
+There is no need to "suck in" the apr/apr-util symbols when using
+a shared libapr{,util}, it just bloats the symbol table; so don't.
+
+Upstream-HEAD: needed
+Upstream-2.0: omit
+Upstream-Status: EXPORT_DIRS change is conditional on using shared apr
+
+--- httpd-2.4.4/server/Makefile.in.export
++++ httpd-2.4.4/server/Makefile.in
+@@ -57,9 +57,6 @@ export_files:
+ ( for dir in $(EXPORT_DIRS); do \
+ ls $$dir/*.h ; \
+ done; \
+- for dir in $(EXPORT_DIRS_APR); do \
+- ls $$dir/ap[ru].h $$dir/ap[ru]_*.h 2>/dev/null; \
+- done; \
+ ) | sed -e s,//,/,g | sort -u > $@
+
+ exports.c: export_files
diff --git a/SOURCES/httpd-2.4.4-malformed-host.patch b/SOURCES/httpd-2.4.4-malformed-host.patch
new file mode 100644
index 0000000..57975e5
--- /dev/null
+++ b/SOURCES/httpd-2.4.4-malformed-host.patch
@@ -0,0 +1,12 @@
+diff --git a/server/protocol.c b/server/protocol.c
+index e1ef204..d6d9165 100644
+--- a/server/protocol.c
++++ b/server/protocol.c
+@@ -1049,6 +1049,7 @@ request_rec *ap_read_request(conn_rec *conn)
+ * now read. may update status.
+ */
+ ap_update_vhost_from_headers(r);
++ access_status = r->status;
+
+ /* Toggle to the Host:-based vhost's timeout mode to fetch the
+ * request body and send the response body, if needed.
diff --git a/SOURCES/httpd-2.4.4-mod_unique_id.patch b/SOURCES/httpd-2.4.4-mod_unique_id.patch
new file mode 100644
index 0000000..30bdfe0
--- /dev/null
+++ b/SOURCES/httpd-2.4.4-mod_unique_id.patch
@@ -0,0 +1,239 @@
+--- trunk/modules/metadata/mod_unique_id.c 2011/12/02 23:02:04 1209766
++++ trunk/modules/metadata/mod_unique_id.c 2013/07/10 16:20:31 1501827
+@@ -31,14 +31,11 @@
+ #include "http_log.h"
+ #include "http_protocol.h" /* for ap_hook_post_read_request */
+
+-#if APR_HAVE_UNISTD_H
+-#include /* for getpid() */
+-#endif
++#define ROOT_SIZE 10
+
+ typedef struct {
+ unsigned int stamp;
+- unsigned int in_addr;
+- unsigned int pid;
++ char root[ROOT_SIZE];
+ unsigned short counter;
+ unsigned int thread_index;
+ } unique_id_rec;
+@@ -64,20 +61,15 @@
+ * gethostbyname (gethostname()) is unique across all the machines at the
+ * "site".
+ *
+- * We also further assume that pids fit in 32-bits. If something uses more
+- * than 32-bits, the fix is trivial, but it requires the unrolled uuencoding
+- * loop to be extended. * A similar fix is needed to support multithreaded
+- * servers, using a pid/tid combo.
+- *
+- * Together, the in_addr and pid are assumed to absolutely uniquely identify
+- * this one child from all other currently running children on all servers
+- * (including this physical server if it is running multiple httpds) from each
++ * The root is assumed to absolutely uniquely identify this one child
++ * from all other currently running children on all servers (including
++ * this physical server if it is running multiple httpds) from each
+ * other.
+ *
+- * The stamp and counter are used to distinguish all hits for a particular
+- * (in_addr,pid) pair. The stamp is updated using r->request_time,
+- * saving cpu cycles. The counter is never reset, and is used to permit up to
+- * 64k requests in a single second by a single child.
++ * The stamp and counter are used to distinguish all hits for a
++ * particular root. The stamp is updated using r->request_time,
++ * saving cpu cycles. The counter is never reset, and is used to
++ * permit up to 64k requests in a single second by a single child.
+ *
+ * The 144-bits of unique_id_rec are encoded using the alphabet
+ * [A-Za-z0-9@-], resulting in 24 bytes of printable characters. That is then
+@@ -92,7 +84,7 @@
+ * module change.
+ *
+ * It is highly desirable that identifiers exist for "eternity". But future
+- * needs (such as much faster webservers, moving to 64-bit pids, or moving to a
++ * needs (such as much faster webservers, or moving to a
+ * multithreaded server) may dictate a need to change the contents of
+ * unique_id_rec. Such a future implementation should ensure that the first
+ * field is still a time_t stamp. By doing that, it is possible for a site to
+@@ -100,7 +92,15 @@
+ * wait one entire second, and then start all of their new-servers. This
+ * procedure will ensure that the new space of identifiers is completely unique
+ * from the old space. (Since the first four unencoded bytes always differ.)
++ *
++ * Note: previous implementations used 32-bits of IP address plus pid
++ * in place of the PRNG output in the "root" field. This was
++ * insufficient for IPv6-only hosts, required working DNS to determine
++ * a unique IP address (fragile), and needed a [0, 1) second sleep
++ * call at startup to avoid pid reuse. Use of the PRNG avoids all
++ * these issues.
+ */
++
+ /*
+ * Sun Jun 7 05:43:49 CEST 1998 -- Alvaro
+ * More comments:
+@@ -116,8 +116,6 @@
+ * htonl/ntohl. Well, this shouldn't be a problem till year 2106.
+ */
+
+-static unsigned global_in_addr;
+-
+ /*
+ * XXX: We should have a per-thread counter and not use cur_unique_id.counter
+ * XXX: in all threads, because this is bad for performance on multi-processor
+@@ -129,7 +127,7 @@
+ /*
+ * Number of elements in the structure unique_id_rec.
+ */
+-#define UNIQUE_ID_REC_MAX 5
++#define UNIQUE_ID_REC_MAX 4
+
+ static unsigned short unique_id_rec_offset[UNIQUE_ID_REC_MAX],
+ unique_id_rec_size[UNIQUE_ID_REC_MAX],
+@@ -138,113 +136,32 @@
+
+ static int unique_id_global_init(apr_pool_t *p, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *main_server)
+ {
+- char str[APRMAXHOSTLEN + 1];
+- apr_status_t rv;
+- char *ipaddrstr;
+- apr_sockaddr_t *sockaddr;
+-
+ /*
+ * Calculate the sizes and offsets in cur_unique_id.
+ */
+ unique_id_rec_offset[0] = APR_OFFSETOF(unique_id_rec, stamp);
+ unique_id_rec_size[0] = sizeof(cur_unique_id.stamp);
+- unique_id_rec_offset[1] = APR_OFFSETOF(unique_id_rec, in_addr);
+- unique_id_rec_size[1] = sizeof(cur_unique_id.in_addr);
+- unique_id_rec_offset[2] = APR_OFFSETOF(unique_id_rec, pid);
+- unique_id_rec_size[2] = sizeof(cur_unique_id.pid);
+- unique_id_rec_offset[3] = APR_OFFSETOF(unique_id_rec, counter);
+- unique_id_rec_size[3] = sizeof(cur_unique_id.counter);
+- unique_id_rec_offset[4] = APR_OFFSETOF(unique_id_rec, thread_index);
+- unique_id_rec_size[4] = sizeof(cur_unique_id.thread_index);
++ unique_id_rec_offset[1] = APR_OFFSETOF(unique_id_rec, root);
++ unique_id_rec_size[1] = sizeof(cur_unique_id.root);
++ unique_id_rec_offset[2] = APR_OFFSETOF(unique_id_rec, counter);
++ unique_id_rec_size[2] = sizeof(cur_unique_id.counter);
++ unique_id_rec_offset[3] = APR_OFFSETOF(unique_id_rec, thread_index);
++ unique_id_rec_size[3] = sizeof(cur_unique_id.thread_index);
+ unique_id_rec_total_size = unique_id_rec_size[0] + unique_id_rec_size[1] +
+- unique_id_rec_size[2] + unique_id_rec_size[3] +
+- unique_id_rec_size[4];
++ unique_id_rec_size[2] + unique_id_rec_size[3];
+
+ /*
+ * Calculate the size of the structure when encoded.
+ */
+ unique_id_rec_size_uu = (unique_id_rec_total_size*8+5)/6;
+
+- /*
+- * Now get the global in_addr. Note that it is not sufficient to use one
+- * of the addresses from the main_server, since those aren't as likely to
+- * be unique as the physical address of the machine
+- */
+- if ((rv = apr_gethostname(str, sizeof(str) - 1, p)) != APR_SUCCESS) {
+- ap_log_error(APLOG_MARK, APLOG_ALERT, rv, main_server, APLOGNO(01563)
+- "unable to find hostname of the server");
+- return HTTP_INTERNAL_SERVER_ERROR;
+- }
+-
+- if ((rv = apr_sockaddr_info_get(&sockaddr, str, AF_INET, 0, 0, p)) == APR_SUCCESS) {
+- global_in_addr = sockaddr->sa.sin.sin_addr.s_addr;
+- }
+- else {
+- ap_log_error(APLOG_MARK, APLOG_ALERT, rv, main_server, APLOGNO(01564)
+- "unable to find IPv4 address of \"%s\"", str);
+-#if APR_HAVE_IPV6
+- if ((rv = apr_sockaddr_info_get(&sockaddr, str, AF_INET6, 0, 0, p)) == APR_SUCCESS) {
+- memcpy(&global_in_addr,
+- (char *)sockaddr->ipaddr_ptr + sockaddr->ipaddr_len - sizeof(global_in_addr),
+- sizeof(global_in_addr));
+- ap_log_error(APLOG_MARK, APLOG_ALERT, rv, main_server, APLOGNO(01565)
+- "using low-order bits of IPv6 address "
+- "as if they were unique");
+- }
+- else
+-#endif
+- return HTTP_INTERNAL_SERVER_ERROR;
+- }
+-
+- apr_sockaddr_ip_get(&ipaddrstr, sockaddr);
+- ap_log_error(APLOG_MARK, APLOG_INFO, 0, main_server, APLOGNO(01566) "using ip addr %s",
+- ipaddrstr);
+-
+- /*
+- * If the server is pummelled with restart requests we could possibly end
+- * up in a situation where we're starting again during the same second
+- * that has been used in previous identifiers. Avoid that situation.
+- *
+- * In truth, for this to actually happen not only would it have to restart
+- * in the same second, but it would have to somehow get the same pids as
+- * one of the other servers that was running in that second. Which would
+- * mean a 64k wraparound on pids ... not very likely at all.
+- *
+- * But protecting against it is relatively cheap. We just sleep into the
+- * next second.
+- */
+- apr_sleep(apr_time_from_sec(1) - apr_time_usec(apr_time_now()));
+ return OK;
+ }
+
+ static void unique_id_child_init(apr_pool_t *p, server_rec *s)
+ {
+- pid_t pid;
+-
+- /*
+- * Note that we use the pid because it's possible that on the same
+- * physical machine there are multiple servers (i.e. using Listen). But
+- * it's guaranteed that none of them will share the same pids between
+- * children.
+- *
+- * XXX: for multithread this needs to use a pid/tid combo and probably
+- * needs to be expanded to 32 bits
+- */
+- pid = getpid();
+- cur_unique_id.pid = pid;
+-
+- /*
+- * Test our assumption that the pid is 32-bits. It's possible that
+- * 64-bit machines will declare pid_t to be 64 bits but only use 32
+- * of them. It would have been really nice to test this during
+- * global_init ... but oh well.
+- */
+- if ((pid_t)cur_unique_id.pid != pid) {
+- ap_log_error(APLOG_MARK, APLOG_CRIT, 0, s, APLOGNO(01567)
+- "oh no! pids are greater than 32-bits! I'm broken!");
+- }
+-
+- cur_unique_id.in_addr = global_in_addr;
++ ap_random_insecure_bytes(&cur_unique_id.root,
++ sizeof(cur_unique_id.root));
+
+ /*
+ * If we use 0 as the initial counter we have a little less protection
+@@ -253,13 +170,6 @@
+ */
+ ap_random_insecure_bytes(&cur_unique_id.counter,
+ sizeof(cur_unique_id.counter));
+-
+- /*
+- * We must always use network ordering for these bytes, so that
+- * identifiers are comparable between machines of different byte
+- * orderings. Note in_addr is already in network order.
+- */
+- cur_unique_id.pid = htonl(cur_unique_id.pid);
+ }
+
+ /* NOTE: This is *NOT* the same encoding used by base64encode ... the last two
+@@ -291,10 +201,8 @@
+ unsigned short counter;
+ int i,j,k;
+
+- new_unique_id.in_addr = cur_unique_id.in_addr;
+- new_unique_id.pid = cur_unique_id.pid;
++ memcpy(&new_unique_id.root, &cur_unique_id.root, ROOT_SIZE);
+ new_unique_id.counter = cur_unique_id.counter;
+-
+ new_unique_id.stamp = htonl((unsigned int)apr_time_sec(r->request_time));
+ new_unique_id.thread_index = htonl((unsigned int)r->connection->id);
+
diff --git a/SOURCES/httpd-2.4.4-r1337344+.patch b/SOURCES/httpd-2.4.4-r1337344+.patch
new file mode 100644
index 0000000..6e5c3e7
--- /dev/null
+++ b/SOURCES/httpd-2.4.4-r1337344+.patch
@@ -0,0 +1,250 @@
+# ./pullrev.sh 1337344 1341905 1342065 1341930
+
+suexec enhancements:
+
+1) use syslog for logging
+2) use capabilities not setuid/setgid root binary
+
+http://svn.apache.org/viewvc?view=revision&revision=1337344
+http://svn.apache.org/viewvc?view=revision&revision=1341905
+http://svn.apache.org/viewvc?view=revision&revision=1342065
+http://svn.apache.org/viewvc?view=revision&revision=1341930
+
+--- httpd-2.4.4/configure.in.r1337344+
++++ httpd-2.4.4/configure.in
+@@ -734,7 +734,24 @@ APACHE_HELP_STRING(--with-suexec-gidmin,
+
+ AC_ARG_WITH(suexec-logfile,
+ APACHE_HELP_STRING(--with-suexec-logfile,Set the logfile),[
+- AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file] ) ] )
++ if test "x$withval" = "xyes"; then
++ AC_DEFINE_UNQUOTED(AP_LOG_EXEC, "$withval", [SuExec log file])
++ fi
++])
++
++AC_ARG_WITH(suexec-syslog,
++APACHE_HELP_STRING(--with-suexec-syslog,Set the logfile),[
++ if test $withval = "yes"; then
++ if test "x${with_suexec_logfile}" != "xno"; then
++ AC_MSG_NOTICE([hint: use "--without-suexec-logfile --with-suexec-syslog"])
++ AC_MSG_ERROR([suexec does not support both logging to file and syslog])
++ fi
++ AC_CHECK_FUNCS([vsyslog], [], [
++ AC_MSG_ERROR([cannot support syslog from suexec without vsyslog()])])
++ AC_DEFINE(AP_LOG_SYSLOG, 1, [SuExec log to syslog])
++ fi
++])
++
+
+ AC_ARG_WITH(suexec-safepath,
+ APACHE_HELP_STRING(--with-suexec-safepath,Set the safepath),[
+@@ -744,6 +761,15 @@ AC_ARG_WITH(suexec-umask,
+ APACHE_HELP_STRING(--with-suexec-umask,umask for suexec'd process),[
+ AC_DEFINE_UNQUOTED(AP_SUEXEC_UMASK, 0$withval, [umask for suexec'd process] ) ] )
+
++INSTALL_SUEXEC=setuid
++AC_ARG_ENABLE([suexec-capabilities],
++APACHE_HELP_STRING(--enable-suexec-capabilities,Use Linux capability bits not setuid root suexec), [
++INSTALL_SUEXEC=caps
++AC_DEFINE(AP_SUEXEC_CAPABILITIES, 1,
++ [Enable if suexec is installed with Linux capabilities, not setuid])
++])
++APACHE_SUBST(INSTALL_SUEXEC)
++
+ dnl APR should go after the other libs, so the right symbols can be picked up
+ if test x${apu_found} != xobsolete; then
+ AP_LIBS="$AP_LIBS `$apu_config --avoid-ldap --link-libtool`"
+--- httpd-2.4.4/docs/manual/suexec.html.en.r1337344+
++++ httpd-2.4.4/docs/manual/suexec.html.en
+@@ -372,6 +372,21 @@
+ together with the --enable-suexec
option to let
+ APACI accept your request for using the suEXEC feature.
+
++ --enable-suexec-capabilities
++
++ Linux specific: Normally,
++ the suexec
binary is installed "setuid/setgid
++ root", which allows it to run with the full privileges of the
++ root user. If this option is used, the suexec
++ binary will instead be installed with only the setuid/setgid
++ "capability" bits set, which is the subset of full root
++ priviliges required for suexec operation. Note that
++ the suexec
binary may not be able to write to a log
++ file in this mode; it is recommended that the
++ --with-suexec-syslog --without-suexec-logfile
++ options are used in conjunction with this mode, so that syslog
++ logging is used instead.
++
+ --with-suexec-bin=PATH
+
+ The path to the suexec
binary must be hard-coded
+@@ -433,6 +448,12 @@
+ "suexec_log
" and located in your standard logfile
+ directory (--logfiledir
).
+
++ --with-suexec-syslog
++
++ If defined, suexec will log notices and errors to syslog
++ instead of a logfile. This option must be combined
++ with --without-suexec-logfile
.
++
+ --with-suexec-safepath=PATH
+
+ Define a safe PATH environment to pass to CGI
+@@ -550,9 +571,12 @@ Group webgroup
+
+ The suEXEC wrapper will write log information
+ to the file defined with the --with-suexec-logfile
+- option as indicated above. If you feel you have configured and
+- installed the wrapper properly, have a look at this log and the
+- error_log for the server to see where you may have gone astray.
++ option as indicated above, or to syslog if --with-suexec-syslog
++ is used. If you feel you have configured and
++ installed the wrapper properly, have a look at the log and the
++ error_log for the server to see where you may have gone astray.
++ The output of "suexec -V"
will show the options
++ used to compile suexec, if using a binary distribution.
+
+
+
+@@ -640,4 +664,4 @@ if (typeof(prettyPrint) !== 'undefined')
+ prettyPrint();
+ }
+ //-->
+-