macOS Catalina how to upgrade the Apache httpd [duplicate]

A DHS sweep of the network showed that one of the researchers Macs is running a non-safe version of Apache (2.4.25) and they would like him to update to at least 2.4.27.

He is having difficulty getting MacOS to use the new version of Apache rather than the one installed by default with Sierra. His issues are:

Mac OS X 10.12.6 Sierra

  1. I have installed httpd 2.4.27 . . . /usr/local/apache2/bin/

  2. but the default httpd running is located at /usr/sbin/

  3. I cannot install a new httpd into /usr/sbin/ - no write persmissions for sudo

  4. I made a root user active - but "root" does not have write permissions for /usr/sbin/ either

I cannot find any source on the web that describes how to change the httpd path from the default system version (/usr/sbin/httpd) to a new USER installed version, like /usr/local/apache2/bin/httpd

What steps am I missing?


Solution 1:

To use a new version of Apache you need to disable the built in Apache version:

sudo launchctl unload -w /System/Library/LaunchDaemons/org.apache.httpd.plist

You need root access (an admin user and password for instance) to disable this. Then you can run your own apache - whatever source and location and version you want. This is better than replacing the shipping version since each macOS update can and will change the build in version. Side loading your preferred source of apache guarantees it will last outside the Apple update process. The only down side is you have to patch and secure this side loaded version.

One excellent way to side load a robust and easily patched version of apache https is with https://brew.sh homebrew package manager.

$ brew info httpd
httpd: stable 2.4.37 (bottled) Apache HTTP server
https://httpd.apache.org/
Not installed
From: https://github.com/Homebrew/homebrew-core/blob/master/Formula/httpd.rb
==> Dependencies Required: apr ✘, apr-util ✘, brotli ✘, nghttp2 ✘, openssl ✔, pcre ✘.
==> Caveats DocumentRoot is /usr/local/var/www.

The default ports have been set in /usr/local/etc/httpd/httpd.conf to 8080 and in /usr/local/etc/httpd/extra/httpd-ssl.conf to 8443 so that httpd can run without sudo.

To have launchd start httpd now and restart at login:
brew services start httpd
Or, if you don't want/need a background service you can just run:
apachectl start

The other benefit is you can use brew services to set the daemon to launch at boot and it will respawn without you needing to make your own launchd / launchctl script or use crontab or equivalent.