Merge pull request #85043 from aanderse/httpd-2020

nixos/httpd: modernize module standards

nixos/doc/manual/release-notes/rl-2009.xml

@@ -266,6 +266,25 @@ environment.systemPackages = [
 </programlisting>
     </para>
    </listitem>
+   <listitem>
+    <para>
+     The httpd web server previously started its main process as root
+     privileged, then ran worker processes as a less privileged identity user.
+     This was changed to start all of httpd as a less privileged user (defined by
+     <xref linkend="opt-services.httpd.user"/> and
+     <xref linkend="opt-services.httpd.group"/>). As a consequence, all files that
+     are needed for httpd to run (included configuration fragments, SSL
+     certificates and keys, etc.) must now be readable by this less privileged
+     user/group.
+    </para>
+    <para>
+     The default value for <xref linkend="opt-services.httpd.mpm"/>
+     has been changed from <literal>prefork</literal> to <literal>event</literal>. Along with
+     this change the default value for
+     <link linkend="opt-services.httpd.virtualHosts">services.httpd.virtualHosts.&lt;name&gt;.http2</link>
+     has been set to <literal>true</literal>.
+    </para>
+   </listitem>
   </itemizedlist>
  </section>
 

nixos/modules/services/web-servers/apache-httpd/default.nix

@@ -41,9 +41,9 @@ let
       "mime" "autoindex" "negotiation" "dir"
       "alias" "rewrite"
       "unixd" "slotmem_shm" "socache_shmcb"
-      "mpm_${cfg.multiProcessingModule}"
+      "mpm_${cfg.mpm}"
     ]
-    ++ (if cfg.multiProcessingModule == "prefork" then [ "cgi" ] else [ "cgid" ])
+    ++ (if cfg.mpm == "prefork" then [ "cgi" ] else [ "cgid" ])
     ++ optional enableHttp2 "http2"
     ++ optional enableSSL "ssl"
     ++ optional enableUserDir "userdir"
@@ -264,7 +264,7 @@ let
 
     PidFile ${runtimeDir}/httpd.pid
 
-    ${optionalString (cfg.multiProcessingModule != "prefork") ''
+    ${optionalString (cfg.mpm != "prefork") ''
       # mod_cgid requires this.
       ScriptSock ${runtimeDir}/cgisock
     ''}
@@ -350,6 +350,7 @@ in
   imports = [
     (mkRemovedOptionModule [ "services" "httpd" "extraSubservices" ] "Most existing subservices have been ported to the NixOS module system. Please update your configuration accordingly.")
     (mkRemovedOptionModule [ "services" "httpd" "stateDir" ] "The httpd module now uses /run/httpd as a runtime directory.")
+    (mkRenamedOptionModule [ "services" "httpd" "multiProcessingModule" ] [ "services" "httpd" "mpm" ])
 
     # virtualHosts options
     (mkRemovedOptionModule [ "services" "httpd" "documentRoot" ] "Please define a virtual host using `services.httpd.virtualHosts`.")
@@ -454,7 +455,13 @@ in
         type = types.str;
         default = "wwwrun";
         description = ''
-          User account under which httpd runs.
+          User account under which httpd children processes run.
+
+          If you require the main httpd process to run as
+          <literal>root</literal> add the following configuration:
+          <programlisting>
+          systemd.services.httpd.serviceConfig.User = lib.mkForce "root";
+          </programlisting>
         '';
       };
 
@@ -462,7 +469,7 @@ in
         type = types.str;
         default = "wwwrun";
         description = ''
-          Group under which httpd runs.
+          Group under which httpd children processes run.
         '';
       };
 
@@ -539,20 +546,19 @@ in
         '';
       };
 
-      multiProcessingModule = mkOption {
+      mpm = mkOption {
         type = types.enum [ "event" "prefork" "worker" ];
-        default = "prefork";
+        default = "event";
         example = "worker";
         description =
           ''
             Multi-processing module to be used by Apache. Available
-            modules are <literal>prefork</literal> (the default;
+            modules are <literal>prefork</literal> (handles each
-            handles each request in a separate child process),
+            request in a separate child process), <literal>worker</literal>
-            <literal>worker</literal> (hybrid approach that starts a
+            (hybrid approach that starts a number of child processes
-            number of child processes each running a number of
+            each running a number of threads) and <literal>event</literal>
-            threads) and <literal>event</literal> (a recent variant of
+            (the default; a recent variant of <literal>worker</literal>
-            <literal>worker</literal> that handles persistent
+            that handles persistent connections more efficiently).
-            connections more efficiently).
           '';
       };
 
@@ -652,7 +658,7 @@ in
     services.httpd.phpOptions =
       ''
         ; Needed for PHP's mail() function.
-        sendmail_path = sendmail -t -i
+        sendmail_path = ${pkgs.system-sendmail}/bin/sendmail -t -i
 
         ; Don't advertise PHP
         expose_php = off
@@ -703,9 +709,7 @@ in
         wants = concatLists (map (hostOpts: [ "acme-${hostOpts.hostName}.service" "acme-selfsigned-${hostOpts.hostName}.service" ]) vhostsACME);
         after = [ "network.target" "fs.target" ] ++ map (hostOpts: "acme-selfsigned-${hostOpts.hostName}.service") vhostsACME;
 
-        path =
+        path = [ pkg pkgs.coreutils pkgs.gnugrep ];
-          [ pkg pkgs.coreutils pkgs.gnugrep ]
-          ++ optional cfg.enablePHP pkgs.system-sendmail; # Needed for PHP's mail() function.
 
         environment =
           optionalAttrs cfg.enablePHP { PHPRC = phpIni; }
@@ -725,7 +729,7 @@ in
           ExecStart = "@${pkg}/bin/httpd httpd -f ${httpdConf}";
           ExecStop = "${pkg}/bin/httpd -f ${httpdConf} -k graceful-stop";
           ExecReload = "${pkg}/bin/httpd -f ${httpdConf} -k graceful";
-          User = "root";
+          User = cfg.user;
           Group = cfg.group;
           Type = "forking";
           PIDFile = "${runtimeDir}/httpd.pid";
@@ -733,6 +737,7 @@ in
           RestartSec = "5s";
           RuntimeDirectory = "httpd httpd/runtime";
           RuntimeDirectoryMode = "0750";
+          AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
         };
       };
 

nixos/modules/services/web-servers/apache-httpd/vhost-options.nix

@@ -137,7 +137,7 @@ in
 
     http2 = mkOption {
       type = types.bool;
-      default = false;
+      default = true;
       description = ''
         Whether to enable HTTP 2. HTTP/2 is supported in all multi-processing modules that come with httpd. <emphasis>However, if you use the prefork mpm, there will
         be severe restrictions.</emphasis> Refer to <link xlink:href="https://httpd.apache.org/docs/2.4/howto/http2.html#mpm-config"/> for details.