Description of problem:
Most dynamic module options in httpd.conf are surrounded by <IfModule> which
only get processed if that module was activated previously in the config. Some
mod_ssl options are surrounded by <IfModule mod_ssl.c> but other mod_ssl
virtual host and listen options are surrounded by <IfDefine HAVE_SSL>, which is
inconsistent with the rest of the dynamic config. <IfModule> evaluates based
on the preceeding configuration, <IfDefine> evaluates based on how the binary
was loaded by the sysadmin or init scripts. This basically splits parts of the
configuration out of the configuration file.
As such, to properly disable mod_ssl requires commenting out large portions of
httpd.conf because <IfDefine> regards how the binary was loaded, not how it was
configured previously in httpd.conf. It really doesn't matter either way too
much except that it's inconsistent, and it doesn't make sense to do it this way
when there's a better more uniform way.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Install apache, mod_ssl
2. less /etc/httpd/conf/httpd.conf
It seems that the packager intended the sysadmin to chmod a-x the modules in
the filesystem in order to configure their server. This adds to the complexity
of installation and upgrading. There is no guarantee that the file modes will
stay the same during an upgrade (in fact they likely would not), which would
cause a dramatic change in the configuration of the server, and potential
failure to load. Configuration should be in the config files, not in the
All mod_ssl options being surrounded by <IfModule mod_ssl.c> instead of
<IfDefine HAVE_SSL>. Sysadmin should be able to select which modules they want
loaded in httpd.conf and have the rest of the config adapt.
The -DHAVE_FOO system was removed in 8.0 in favour of the conf.d directory; this
is essentially a solved problem. Thanks for the report.