Compiled static into https-2.4.46 and it broke PHP in many locations #43

4nanook opened this issue Sep 4, 2020 · 12 comments

4nanook commented Sep 4, 2020

I have an Apache 2.4.46 server in which all modules are compiled in statically. When I added this one it broke PHP; PHP would only execute in some places afterwards. In other locations it would print the PHP code instead of executing it. I was not able to discern a pattern, and this involved NO change to the Apache configuration; I just added this to the configuration file.

4nanook commented Sep 4, 2020

I can't see how to select or I would add the working and non-working configuration.

bimimicah (Collaborator) commented Sep 4, 2020

What sort of environment are you working with? Please provide the following information:

  1. OS Kernel (MAC/WINDOWS/LINUX/BSD UNIX/etc)
  2. Distribution source & version number (e.g. CentOS 7, Ubuntu 1804, Windows 10, MacOS Sierra, etc.)
  3. Apache source - is this compiled from an unmodified distribution source package or is this a customized source fork of some kind?
  4. Apache threading model (mpm module) used - event, worker, prefork, or something else?
  5. PHP module - are you using mod_php or one of the CGI options?
  6. Where did you get the source for mod_php and the standalone php package?
  7. What compiler and version are you using? (GCC 7, MSVC 14, etc.)
  8. Please provide a complete list of all modules that you have statically compiled into Apache
  9. If possible, please attach your Apache configuration file(s). Feel free to mask any sensitive bits with ***** or something before you send them.

bimimicah (Collaborator) commented

If you got it working, please let us know so that we can close this issue as resolved.
If the issue is not resolved, please provide the information we requested so that we can attempt to diagnose it.

bimimicah added the "information needed" label (We need more information to resolve the issue) Nov 19, 2020

4nanook commented Nov 20, 2020

No, it is still broken. I grabbed the most recent code; see the two attached images. Without mod-auth-external compiled into Apache 2.4.46, owncloud displays properly; WITH mod-auth-external compiled in, it just prints rather than executes the PHP code.

[image: without-mod-auth-external]
[image: owncloud-with-mod-auth-external]

4nanook commented Nov 20, 2020

Also I am using:

```
cat /etc/os-release
NAME="Ubuntu"
VERSION="20.04.1 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.1 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

uname -a
Linux ftp.eskimo.com 5.8.17 #1 SMP Sun Nov 1 01:10:16 PST 2020 x86_64 x86_64 x86_64 GNU/Linux
```

Kernel is self compiled, and also gcc (GCC) 11.0.0 20200824 (experimental)

This is my configuration file for Apache2 compile:

```sh
export CFLAGS="-O3 -march=native"
./configure \
  --enable-suexec=static \
  --with-suexec-bin=/usr/sbin/suexec \
  --with-crypto \
  --with-suexec-caller=apache \
  --with-suexec-userdir=public_html/cgi-bin/ \
  --with-suexec-docroot=/misc/www/ \
  --with-suexec-uidmin=2 \
  --with-suexec-gidmin=2 \
  --without-suexec-logfile \
  --with-suexec-syslog \
  --with-included-apr \
  --bindir=/usr/bin \
  --datadir=/usr/share \
  --includedir=/usr/include \
  --libdir=/usr/lib64 \
  --libexecdir=/usr/lib64/httpd/modules \
  --mandir=/usr/share/man \
  --sbindir=/usr/sbin \
  --sysconfdir=/etc/httpd \
  --enable-rewrite=static \
  --enable-authn-file=static \
  --enable-authn-dbm=static \
  --enable-authn-anon=static \
  --enable-authn-dbd=static \
  --enable-authn-socache=static \
  --enable-authn-core=static \
  --enable-authz-host=static \
  --enable-authz-groupfile=static \
  --enable-authz-user=static \
  --enable-authz-dbm=static \
  --enable-authz-owner=static \
  --enable-authz-dbd=static \
  --enable-authz-core=static \
  --enable-access-compat=static \
  --enable-auth-basic=static \
  --enable-auth-form=static \
  --enable-auth-digest=static \
  --enable-isapi \
  --enable-cache=static \
  --enable-disk-cache=static \
  --enable-mem-cache=static \
  --enable-socache-memcache=static \
  --enable-cache-socache=static \
  --enable-so=static \
  --enable-dbd=static \
  --enable-buffer=static \
  --enable-reqtimeout=static \
  --enable-include=static \
  --enable-deflate=static \
  --enable-http=static \
  --enable-mime=static \
  --enable-log-config=static \
  --enable-log-debug=static \
  --enable-log-forensic=static \
  --enable-env=static \
  --enable-mime-magic=static \
  --enable-expires=static \
  --enable-headers=static \
  --disable-ident --enable-setenvif=static \
  --enable-version=static \
  --enable-remoteip=static \
  --enable-session=static \
  --enable-session-crypto=static \
  --enable-socache-shmcb=static \
  --enable-slotmem-shm=static \
  --enable-request=static \
  --enable-filter=static \
  --enable-alias=static \
  --enable-ssl=static \
  -enable-ssl-staticlib-deps=static \
  --with-openssldir=/usr/local/lib64 \
  --with-ssl=/usr/local/lib64 \
  --enable-unique-id \
  --enable-http2=static \
  --enable-geoip \
  --enable-modules="reallyall" \
  --enable-systemd \
  --enable-proxy=static \
  --enable-proxy-wstunnel=static \
  --enable-proxy-http=static \
  --enable-session-cookie=static \
  --enable-session-dbd=static \
  --enable-cgid=static \
  --enable-unixd=static \
  --enable-dav=static \
  --enable-status=static \
  --enable-autoindex=static \
  --enable-info=static \
  --enable-dave-fs=static \
  --enable-vhost-alias=static \
  --enable-negotiation=static \
  --enable-dir=static \
  --enable-speling=static \
  --enable-userdir=static \
  --with-module=aaa:/usr/src/mod_suphp/src/apache2/mod_suphp.c \
  --enable-suexec-capabilities \
  --with-module=aaa:/usr/src/mod-auth-external/mod_authnz_external/mod_authnz_external.c
```

Only change is the last line commented or uncommented. If uncommented to include mod_authnz_external.c then it breaks printing the PHP code for nextcloud rather than executing it, but Wordpress still works.

bimimicah (Collaborator) commented

What sort of environment are you working with? Please provide the following information:

3. Apache source - is this compiled from an unmodified distribution
   source package or is this a customized source fork of some kind?

4. Apache threading model (mpm module) used - event, worker, prefork,
   or something else?

6. Where did you get the source for mod_suphp?

9. If possible, please attach your Apache configuration file(s). 
   Feel free to mask any sensitive bits with ***** or something before 
   you send them.

Please provide the information above so we can try to figure out what's going on. Also, please provide the following:

  1. It looks like suPHP was discontinued a couple years ago. Are you using a fork? If so, which one?

  2. Could you please attach your apache and php error logs from a single run? Feel free to mask any sensitive bits with ***** or something before you send them.

4nanook commented Nov 20, 2020

The Apache source itself is unmodified, but I am using apr 1.6.5 rather than apr 1.7 because 1.7 and openssl 1.1.1g have a symbol mismatch and will not load. 1.7 works okay with 1.1.1f but not 1.1.1g.

Server Settings

Server Version: Apache/2.4.46 (Unix) OpenSSL/1.1.1g
Server Built: Nov 19 2020 18:41:29
Server loaded APR Version: 1.6.5
Compiled with APR Version: 1.6.5
Server loaded APU Version: 1.6.1
Compiled with APU Version: 1.6.1
Module Magic Number: 20120211:93
Hostname/port: www.eskimo.com:443
Timeouts: connection: 600 keep-alive: 600
MPM Name: event
MPM Information: Max Daemons: 5 Threaded: yes Forked: yes
Server Architecture: 64-bit

Source for mod suphp came from here: https://github.com/lightsey/mod_suphp/
But is slightly modified. I've removed the check for parent directory permissions which did not work well with my setup, so it only cares about the owner of the php executable.

I've zip'd up a tar file of the conf attached. Why this won't accept plain tar or .xz is beyond me.

-- link removed --

bimimicah (Collaborator) commented

I noticed you have .htaccess directives turned on for nextcloud. Could you please attach those files? Alternately, feel free to send them directly to me.
As a side note, I noticed an old key database and some other things which may not have been intentionally uploaded, so I have removed the link and contacted GitHub support to request that the uploaded attachment be removed. I still have a copy of the zip on my side for reference as we troubleshoot this issue, which I plan to delete after closing the issue.

4nanook commented Nov 25, 2020

Could you e-mail me the location (which file(s)) those old keys are in? There shouldn't have been any in the actual conf, I thought I had externalized all of them but obviously missed something.
-- sent by e-mail --

```
cat .htaccess
<IfModule mod_headers.c>
  <IfModule mod_setenvif.c>
    <IfModule mod_fcgid.c>
       SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
       RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
    </IfModule>
    <IfModule mod_proxy_fcgi.c>
       SetEnvIfNoCase Authorization "(.+)" HTTP_AUTHORIZATION=$1
    </IfModule>
  </IfModule>

  <IfModule mod_env.c>
    # Add security and privacy related headers
    Header always set Referrer-Policy "no-referrer"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Download-Options "noopen"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Permitted-Cross-Domain-Policies "none"
    Header always set X-Robots-Tag "none"
    Header always set X-XSS-Protection "1; mode=block"
    SetEnv modHeadersAvailable true
  </IfModule>

  # Add cache control for static resources
  <FilesMatch "\.(css|js|svg|gif)$">
    Header set Cache-Control "max-age=15778463"
  </FilesMatch>

  # Let browsers cache WOFF files for a week
  <FilesMatch "\.woff2?$">
    Header set Cache-Control "max-age=604800"
  </FilesMatch>
</IfModule>
<IfModule mod_php7.c>
  php_value mbstring.func_overload 0
  php_value default_charset 'UTF-8'
  php_value output_buffering 0
  <IfModule mod_env.c>
    SetEnv htaccessWorking true
  </IfModule>
</IfModule>
<IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteCond %{HTTP_USER_AGENT} DavClnt
  RewriteRule ^$ /remote.php/webdav/ [L,R=302]
  RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
  RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]
  RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
  RewriteRule ^\.well-known/webfinger /public.php?service=webfinger [QSA,L]
  RewriteRule ^\.well-known/nodeinfo /public.php?service=nodeinfo [QSA,L]
  RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
  RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
  RewriteRule ^remote/(.*) remote.php [QSA,L]
  RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
  RewriteCond %{REQUEST_URI} !^/\.well-known/(acme-challenge|pki-validation)/.*
  RewriteRule ^(?:\.|autotest|occ|issue|indie|db_|console).* - [R=404,L]
</IfModule>
<IfModule mod_mime.c>
  AddType image/svg+xml svg svgz
  AddEncoding gzip svgz
</IfModule>
<IfModule mod_dir.c>
  DirectoryIndex index.php index.html
</IfModule>
AddDefaultCharset utf-8
Options -Indexes
<IfModule pagespeed_module>
  ModPagespeed Off
</IfModule>
#### DO NOT CHANGE ANYTHING ABOVE THIS LINE ####

ErrorDocument 403 /nextcloud/
ErrorDocument 404 /nextcloud/
```

bimimicah (Collaborator) commented

Sorry I haven't had a chance to get back to this. I will try to carve out some time soon to try building a similar setup to test, but I don't know when that will be.
If you have any php or httpd log files to attach, that will be helpful as well.

bimimicah removed the "information needed" label (We need more information to resolve the issue) Mar 22, 2021

4nanook commented Aug 1, 2023

Thought it had been a while, so I tried compiling in the module again. It broke the server in the same way: instead of PHP being interpreted, it just prints the code as if it were not PHP code.

4nanook commented Aug 2, 2023

mod_suphp wants to be compiled static, but if I also compile in mod_authnz_external static, then mod_suphp disappears from server-info. However, if I instead compile mod_authnz_external as a dynamic object and load it, then suphp remains and everything works. I wanted to compile everything statically to maximize performance, but these two modules will not co-exist if mod_authnz_external is compiled static even though suphp is; it makes the latter disappear.
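
A post-build check for the symptom reported in the last comment (a statically linked module missing from the server, and PHP files returned as source), written as an added example that is not part of the issue thread or the project's code. It assumes the usual `httpd -l` listing format; the sample listing and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify a static Apache build before putting it in service.
# Assumption: `httpd -l` prints "Compiled in modules:" followed by one
# indented module source file name per line.

# Constructed sample of `httpd -l` output from a build lacking mod_suphp.c.
SAMPLE_HTTPD_L='Compiled in modules:
  core.c
  mod_authnz_external.c
  mod_so.c
  http_core.c
  event.c'

# Print every expected module source file that is NOT compiled in.
# usage: missing_static_modules "<httpd -l output>" mod_a.c mod_b.c ...
missing_static_modules() {
    listing=$1; shift
    for want in "$@"; do
        printf '%s\n' "$listing" | awk -v m="$want" '
            { gsub(/^[ \t]+|[ \t]+$/, "") }   # strip indentation
            $0 == m { found = 1 }
            END { exit found ? 0 : 1 }' || printf '%s\n' "$want"
    done
}

# Return 0 if a response body contains a raw PHP opening tag, meaning the
# script was served as text (source disclosure) instead of being executed.
# usage: serves_php_source "<response body>"
serves_php_source() {
    case $1 in
        *'<?php'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Against a real build, pass "$(httpd -l)" instead of the constructed sample.
missing=$(missing_static_modules "$SAMPLE_HTTPD_L" mod_suphp.c mod_authnz_external.c)
[ -z "$missing" ] || echo "not compiled in: $missing"
```

Running both checks after every rebuild catches the failure before users see application source, which can include database credentials and other secrets.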
