Request for advice: Which Debian release to use with pagespeed module?


bl...@paulromer.net

May 28, 2016, 3:12:02 PM
to mod-pagespeed-discuss
I would like to use Pagespeed on a production website that runs on Apache on Debian. 

I'll start with a summary of my understanding of the constraints and options that are implied by the bug in Apache 2.4.1. I have little experience with Debian or Apache and no experience with Pagespeed so I may have some of these wrong. Please correct if I do. 

Then I'll pose my 3 questions. 


Constraints and Options:


1. mod_pagespeed is compatible with Apache 2.2.x and Apache 2.4.x series, versions 2.4.2 and newer. Please note that Apache 2.4.1 has a bug that may cause stability problems in combination with mod_pagespeed, so use with 2.4.1 is strongly discouraged.

2. If I use https://packages.debian.org/search to search for apache2 (on the amd architecture), it seems that the following versions of Apache are available with these releases: 
  • Apache 2.2.22-13+deb7u6: amd64 from wheezy 
  • Apache 2.4.10-10+deb8u4: amd64 from jessie
  • Apache 2.4.20-1: amd64 from sid 
As far as I can tell, the next release after jessie, stretch, currently includes the same version of Apache as jessie. 


3. According to the Pagespeed release notes 
Release 1.11.33.1-stable
This release depends on glibc >= 2.14 and will no longer run on Debian Wheezy, (7.0) which is also no longer officially supported by the Debian security team.


4. If I want to rely on apt to manage the ongoing process of getting updates and applying patches, the available options seem to include using: 
i) The jessie release with a pinned version of Apache 2.2.22 
ii) The jessie release and Apache 2.4.20, which I backport manually when I configure the server
iii) The stretch release and Apache 2.4.20, which I backport manually when I configure the server   
iv) The sid release 


Questions: 

a) Which release of Debian would you recommend for a production site that uses Pagespeed and Apache and relies on apt for ongoing package management? I can see arguments for and against any of the possibilities i, ii, iii, and iv from #4. I suspect that there are other options as well.


b) Given the Debian release that you suggest, how would you recommend doing the initial configuration of the server? For example, can one (should one) install Apache using apt and Debian repositories or using dpkg with .deb files from other sources such as Apache? Or perhaps compile from source? 


c) How would you recommend managing updates and patches on an ongoing basis? 

- If you suggest relying on apt, what repositories would you include in /etc/apt/sources.list? 
 
- I take it that one can pin Apache 2.2.22 to prevent apt with jessie or stretch from applying an update to Apache 2.4.1. But if so, are there any additional steps that might be required to ensure that any security patches or updates that address security issues for that version of Apache are applied? (Will there be any additional security patches for Apache 2.2.22? The comment from the release notes suggests that the Debian security team will not be offering these, but I assume that the Apache project might.) 
 
- If the server is configured with Apache 2.4.20 and the jessie or stretch release, must I pin this version of Apache or can I assume that apt will not "update" to an older version of Apache? In this case, what additional steps must I take to make sure that any security patches or bug fixes for Apache 2.4 are applied?


Jeffrey Crowell

May 29, 2016, 12:42:56 PM
to mod-pagespeed-discuss
What is wrong with using Jessie and  2.4.10-10+deb8u4?  2.4.10-10+deb8u4 is newer than 2.4.1 and should not have stability problems.
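
The version comparison behind this reply, as an added example that is not part of the original thread: it applies the compatibility rule quoted in the question to the Debian package versions listed there, comparing upstream components as numbers rather than as strings. The function names are hypothetical, the `2.4.1-1` value is constructed, and the parsing is a simplification that reads only the leading dotted-number part of the upstream version, not the full Debian ordering algorithm.

```python
import re

# Rule quoted in the question: Apache 2.2.x is supported, and 2.4.x from
# 2.4.2 onward; 2.4.1 is strongly discouraged.
MIN_APACHE_24 = (2, 4, 2)


def upstream_tuple(debian_version):
    """Upstream version of a Debian package version, as a tuple of ints.

    Debian versions have the form [epoch:]upstream[-revision]; the revision
    is whatever follows the last hyphen (for example "10+deb8u4").
    Simplification: only the leading dotted-number part is compared.
    """
    version = debian_version.split(":", 1)[-1]      # drop an epoch
    if "-" in version:
        version = version.rsplit("-", 1)[0]         # drop the revision
    match = re.match(r"\d+(?:\.\d+)*", version)
    if match is None:
        raise ValueError(f"no numeric upstream version in {debian_version!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def pagespeed_compatible(debian_version):
    """Apply the quoted rule to a Debian apache2 package version."""
    parts = upstream_tuple(debian_version)
    parts = parts + (0,) * (3 - len(parts))         # "2.4" -> (2, 4, 0)
    if parts[:2] == (2, 2):
        return True
    if parts[:2] == (2, 4):
        return parts >= MIN_APACHE_24
    return False                                    # series not covered by the rule


def string_compare_misorders(a, b):
    """True when plain string order disagrees with numeric order."""
    return (a < b) != (upstream_tuple(a) < upstream_tuple(b))


if __name__ == "__main__":
    # The three versions listed in the question, plus a constructed 2.4.1.
    for v in ("2.2.22-13+deb7u6", "2.4.10-10+deb8u4", "2.4.20-1", "2.4.1-1"):
        print(v, upstream_tuple(v), pagespeed_compatible(v))
    print(string_compare_misorders("2.4.10", "2.4.2"))
```

On a Debian system, `dpkg --compare-versions` performs the full package-version comparison that this sketch approximates.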
