Tuesday, July 31, 2012

Apple Breaks My Gitit Wiki Under Mountain Lion

So this is a pretty specific problem, and I'm just posting in case this helps anyone else who comes across this via Google.

I have a Wiki that I use on my LAN by using gitit (a Haskell wiki running on top of Git). It runs a web server, on a local port (5001), but I want to share it with other machines on my LAN, so I use Apache and some proxying. This was all working under Lion, with some effort, but when I upgraded to Mountain Lion today, I discovered that Apple really hosed up people who actually used their Apache web sharing. MANY things were broken and it's taken me some gnashing of teeth to figure it out.

First of all, they overwrote /etc/apache2/httpd.conf which was, I thought, a bit rude. Fortunately my old config file was preserved in https.conf~previous. I did not just use the old one; I pulled out the lines I had added (you always tag lines you add or change in config files with comments like PRP ADDED: (stuff) END OF PRP ADDED or PRP CHANGED FROM: (stuff) TO: (different stuff) when you change standard system config files, don't you?) Fortunately the Mountain Lion upgrade did not remove the proxy_html.conf and gitit.proxy.conf I had put in /etc/apache2/other/. Since I'm documenting this, my gitit_proxy.conf file looks like this:
# These commands will proxy /gitit/ to port 5001

ProxyRequests Off

<Proxy *>
  Order deny,allow
  Allow from all

# Per the mod_proxy_html 3.1.2 sample proxy_html.conf file, this is a critical security setting

ProxyRequests Off

ProxyPass /gitit/ http://localhost:5001/

<Location /gitit/>
        # PRP: This is obsolete for mod_proxy_html versions 3.1+
        # SetOutputFilter proxy-html
        # The result is silent failure!
        # PRP: use this instead:
        ProxyHTMLEnable On
        # Note also that it is critically important that the proxy_html.conf file (default works for me)
        # is present where Apache can find it (in mod_proxy_html versions 3.1+, apparently no HTML
        # elements are changed unless they are specifically declared in a config file, so again, the
        # result is silent failure!)
        ProxyPassReverse /
        ProxyHTMLURLMap / /gitit/
        RequestHeader unset Accept-Encoding
while my proxy.html.conf file is the standard one that came with mod_proxy_html.

Also while I'm at it, if you have problems with punctuation in Wiki URLs, I recently got some advice from the author of gitit to include xss-sanitize: no in the .conf file I use for configuring gitit, and that fixed it. For example:

[Dar Tellum: Stranger from a Distant Planet]()

was not being recognized as a Wiki link because of the colon until I changed this. Note that this might enable some sort of obscure security hole if your Wiki is facing the general public instead of behind a firewall.

Anyway, where were we? Oh yeah, Mountain Lion and the Apache web server. Apparetly after the upgrade, you can no longer turn on web sharing from the "Sharing" control panel, which was kind of a dick move on Apple's part! But you can find some instructions to turn it on here.

What I did was to enable the launch daemon with sudo defaults write /System/Library/LaunchDaemons/org.apache.httpd Disabled -bool false and then to allow me to turn it on and off more easily while testing, I installed this 3rd-party web sharing preference pane. Now personally I don't care about sharing something from my home directory or from my web root, so I didn't bother to fix the fact that accessing http://localhost/ now gives "permission denied," since I'm using a virtual server under http://localhost/gitit/, but if that bugs you, can probably find how to fix that elsewhere.

OK, there's more. I had a couple of Apache modules added to my system. They were broken. Apache wouldn't log any errors, but was failing constantly, and so the system was trying to restart it every ten seconds. I finally was able to figure out what was going wrong using apachectl configtest, which told me things like httpd: Syntax error on line 98 of /private/etc/apache2/httpd.conf: Cannot load /usr/libexec/apache2/mod_xml2enc.so into server: dlopen(/usr/libexec/apache2/mod_xml2enc.so, 10): image not found. Which meant the shared libraries were missing.

So I didn't bother to try to find if the Mountain Lion upgrade had preserved these shared libraries somewhere; I wanted to rebuild them. I had originally built them using this gentleman's advice. But under Mountain Lion this would no longer work. The commands he suggested,
$ sudo apxs -ci -I /usr/include/libxml2 mod_xml2enc.c
$ sudo apxs -ci -I /usr/include/libxml2 -I . mod_proxy_html.c
had several problems; the libtool commands used by apxs under Mountain Lion apparently have some new problems, so I'd get
libtool: compile: unable to infer tagged configurationlibtool: compile: specify a tag with `--tag'
I tried to fix this by changing things in /usr/share/httpd/build/config_vars.mk, but that wouldn't work, and I really didn't want to go down a libtool rabbit hole trying to understand that whole nightmare. So what I finally had to do was modify the commands that the apxs calls expanded out into. There were a couple of things I had to fix first. Although I had XCode and the command-line tools installed under Lion, when I upgraded, they were removed. This meant I had no system headers under /usr/include (the error referenced missing ctype.h). The fix was to run XCode, look under Preferences, Downloads, Components, and check for and reinstall the Command Line Tools component.

Next, note that the CC path referenced in the aforementioned config_vars.mk is broken, which looks like a Mountain Lion bug to me. So I had to change that path to correspond to the one that actually exists in the latest XCode (now installed under Applications instead of the whole Developer tree). And finally, our specific libtool used for this build needs to get --tag=CC in order to work correctly.

Inside my downloaded mod_proxy_html source directory, I used these commands:
sudo /usr/share/apr-1/build-1/libtool --silent --mode=compile --tag=CC /Applications/Xcode.app/Contents/Developer/Toolchains/XCodeDefault.xctoolchain/usr/bin/cc    -DDARWIN -DSIGPROCMASK_SETS_THREAD_MASK -I/usr/local/include -I/usr/include/apache2  -I/usr/include/apr-1   -I/usr/include/apr-1  -I/usr/include/libxml2  -c -o mod_xml2enc.lo mod_xml2enc.c && touch mod_xml2enc.slo
sudo /usr/share/apr-1/build-1/libtool --silent --mode=compile --tag=CC /Applications/Xcode.app/Contents/Developer/Toolchains/XCodeDefault.xctoolchain/usr/bin/cc    -DDARWIN -DSIGPROCMASK_SETS_THREAD_MASK -I/usr/local/include -I/usr/include/apache2  -I/usr/include/apr-1   -I/usr/include/apr-1  -I/usr/include/libxml2 -I.  -c -o mod_proxy_html.lo mod_proxy_html.c && sudo touch mod_proxy_html.slo
Try saying that three times fast. All I can really say is "it worked for me." Your mileage may vary.

Then I had to hand-copy the generated .so files out of the super-secret generated .libs directory and into the place Apache uses them, so:
sudo cp ./mod_proxy_html.so /usr/libexec/apache2/
sudo cp ./mod_xml2enc.so /usr/libexec/apache2/
And, my stuff's working again. http://localhost/gitit/ connects to my Wiki from my local machine, and also works across the network.

I hope this might save you a little time. What a mess!

No comments: