############
#
# Notes on installing apache, mod_perl, and mod_ssl.
#
#   - Jim M, September 2001
#
######################

First I made sure that several system-wide libraries and binaries were
up to date and in place. To follow this particular recipe you'll need
to make sure you have these, too.

 * OpenSSL : I got version 0.9.6b and installed it with compile options
   consistent with open_ssl. See /usr/local/src/openssl for the details.

 * EXPAT : We have 0.95 installed; see /usr/local/src/expat/

Next I created a source directory to compile everything in.

cd /usr/local/src
mkdir apache.22sep2001
cd apache.22sep2001

Then I made sure I had up to date sources. 'wget' and 'gnutar zxf' on

  http://perl.apache.org/dist/mod_perl-1.26.tar.gz
  http://httpd.apache.org/dist/httpd/apache_1.3.20.tar.gz
  http://www.modssl.org/source/mod_ssl-2.8.4-1.3.20.tar.gz
  http://www.engelschall.com/sw/mm/mm-1.1.3.tar.gz

(MM is a memory management tool that mod_ssl recommends for better
performance. I have not installed that system wide but am only
"making" it here so that apache and mod_ssl can use it.)

Then I compiled everything using the "flexible APACI-only way".

# This is following mod_ssl install instructions
cd mm-1.1.3
./configure --disable-shared
make
cd ..

# Then we have mod_ssl modify the apache source tree.
cd mod_ssl-2.8.4-1.3.20
./configure --with-apache=../apache_1.3.20
cd ..

---- mod_ssl says ---
Now proceed with the following commands (Bourne-Shell syntax):

 $ cd ../apache_1.3.20
 $ SSL_BASE=/path/to/openssl ./configure ... --enable-module=ssl
 $ make
 $ make certificate
 $ make install

# And then have mod_perl modify the apache source tree.
cd mod_perl-1.26
perl Makefile.PL \
    APACHE_SRC=../apache_1.3.20/src \
    DO_HTTPD=1 \
    USE_APACI=1 \
    PREP_HTTPD=1 \
    EVERYTHING=1
make
make install

# Now, before doing the "make install" I'm going to copy over
# the entire /home/httpd tree into /home/testhttpd/ so that
# I'm installing on top of our current configuration and files.
# Then I'm going to install apache's httpd into /home/testhttpd/httpd
# for testing purposes
cd /home
gnutar zcf httpd.tar.gz httpd
mv httpd.tar.gz /home/testhttpd
cd /home/testhttpd
rm -rf httpd
gnutar zxf httpd.tar.gz
cd /usr/local/src/apache.22sep2001/apache_1.3.20

# And finally, move into the apache tree for its config, make, etc.
# For now I'm using a prefix of /home/testhttpd/httpd , which is
# where I'll run a test version on a non-standard port to make sure
# everything looks OK before replacing our regular server.
#
# The order of the options here does matter, and it's
# sensitive to which ones are here. I played around with this a bit
# before getting a set I liked, with mod_ssl and mod_perl
# statically installed (check with "src/httpd -l"; I think that's safer).
# (Dynamic implies you need "LoadModule ..." in httpd.conf to enable it.)
#
# I tried to get this to compile without "EAPI" (extended API), but
# even --disable-rule=EAPI (and leaving out MM) wasn't succeeding.
# But with EAPI, the java servlets generate warnings when they get
# loaded, saying that they should be re-compiled with -DEAPI .
#
# (Ah - I now see in the ssl_faq.html that SSL requires EAPI.
# So that's why trying to turn it off didn't work.)
SSL_BASE=SYSTEM EAPI_MM=../mm-1.1.3 \
./configure \
    --enable-module=ssl \
    --prefix=/home/testhttpd/httpd \
    --disable-rule=SSL_COMPAT \
    --enable-rule=SSL_SDBM \
    --activate-module=src/modules/perl/libperl.a \
    --enable-shared=remain \
    --disable-module=auth_dbm \
    --disable-module=auth_db \
    --disable-rule=EXPAT \
    --enable-module=rewrite

# Same thing on one line :
SSL_BASE=SYSTEM EAPI_MM=../mm-1.1.3 ./configure --enable-module=ssl --prefix=/home/testhttpd/httpd --disable-rule=SSL_COMPAT --enable-rule=SSL_SDBM --activate-module=src/modules/perl/libperl.a --enable-shared=remain --disable-module=auth_dbm --disable-module=auth_db --disable-rule=EXPAT --enable-module=rewrite

# Then I create from scratch (the first time) or point to (subsequent
# times) the server and certificate authority (CA) certificates.
# Apache says:
# +---------------------------------------------------------------------+
# | Before you install the package you now should prepare the SSL       |
# | certificate system by running the 'make certificate' command.       |
# | For different situations the following variants are provided:       |
# |                                                                     |
# | % make certificate TYPE=dummy    (dummy self-signed Snake Oil cert) |
# | % make certificate TYPE=test     (test cert signed by Snake Oil CA) |
# | % make certificate TYPE=custom   (custom cert signed by own CA)     |
# | % make certificate TYPE=existing (existing cert)                    |
# |        CRT=/path/to/your.crt [KEY=/path/to/your.key]                |
# |                                                                     |
# | Use TYPE=dummy    when you're a  vendor package maintainer,         |
# | the TYPE=test     when you're an admin but want to do tests only,   |
# | the TYPE=custom   when you're an admin willing to run a real server |
# | and TYPE=existing when you're an admin who upgrades a server.       |
# | (The default is TYPE=test)                                          |
# |                                                                     |
# | Additionally add ALGO=RSA (default) or ALGO=DSA to select           |
# | the signature algorithm used for the generated certificate.         |
# |                                                                     |
# | Use 'make certificate VIEW=1' to display the generated data.        |
# |                                                                     |
# | Thanks for using Apache & mod_ssl.              Ralf S. Engelschall |
# |                                                 rse@engelschall.com |
# |                                                 www.engelschall.com |
# +---------------------------------------------------------------------+

# Here's the certificate creation, the first time,
# with the parameters given below
make certificate TYPE=custom

# Here's the copying of those previous certificates
# on subsequent installations.
# ("make install" puts the crt and key in the --prefix directory tree)
make certificate TYPE=existing CRT=/home/testhttpd/httpd/conf/ssl.crt/server.crt KEY=/home/testhttpd/httpd/conf/ssl.key/server.key

--- certificate params ------------------------

ca.csr
1. Country Name             (2 letter code) [XY]:US
2. State or Province Name   (full name)     [Snake Desert]:VT
3. Locality Name            (eg, city)      [Snake Town]:Marlboro
4. Organization Name        (eg, company)   [Snake Oil, Ltd]:Marlboro College
5. Organizational Unit Name (eg, section)   [Certificate Authority]:Grad Center
6. Common Name              (eg, CA name)   [Snake Oil CA]:Marlboro College
7. Email Address            (eg, name@FQDN) [ca@snakeoil.dom]:msie@bob.marlboro.edu
8. Certificate Validity     (days)          [365]:

server.csr
1. Country Name             (2 letter code) [XY]:US
2. State or Province Name   (full name)     [Snake Desert]:VT
3. Locality Name            (eg, city)      [Snake Town]:Marlboro
4. Organization Name        (eg, company)   [Snake Oil, Ltd]:Marlboro College
5. Organizational Unit Name (eg, section)   [Webserver Team]:Grad Center
6. Common Name              (eg, FQDN)      [www.snakeoil.dom]:marlboro.edu
7. Email Address            (eg, name@fqdn) [www@snakeoil.dom]:msie@bob.marlboro.edu
8. Certificate Validity     (days)          [365]:

ca.key:     ********************** (put your secret mumbo-jumbo here)
server.key: ********************** (and put some other secret stuff here)
--------------------

# And then apache installs itself into /home/testhttpd/httpd :
make install

# Apache says
# +--------------------------------------------------------+
# | You now have successfully built and installed the      |
# | Apache 1.3 HTTP server. To verify that Apache actually |
# | works correctly you now should first check the         |
# | (initially created or preserved) configuration files   |
# |                                                        |
# |   /home/testhttpd/httpd/conf/httpd.conf
# |                                                        |
# | and then you should be able to immediately fire up     |
# | Apache the first time by running:                      |
# |                                                        |
# |   /home/testhttpd/httpd/bin/apachectl start
# |                                                        |
# | Or when you want to run it with SSL enabled use:       |
# |                                                        |
# |   /home/testhttpd/httpd/bin/apachectl startssl
# |                                                        |
# | Thanks for using Apache.        The Apache Group       |
# |                                 http://www.apache.org/ |
# +--------------------------------------------------------+

# So it's time to edit /home/testhttpd/httpd/conf/httpd.conf :
#
#  * backed up httpd.conf -> httpd.conf_installed
#  * changed /home/httpd to /home/testhttpd/httpd everywhere in httpd.conf
#  * changed "Port 80" to "Port 88"
#  * Commented out all the "Listen" (Mason previewer, mostly) ports.
#  * "rm /home/testhttpd/httpd/logs/httpd.pid" so apachectl
#    doesn't think it's controlling the main httpd process
#  * moved several pieces of httpd.conf to other files and put in
#    "Include" directives to clean things up a bit:
#      mod_perl.conf, wiki.conf, mason.conf, AxKit.conf,
#      java_servlets.conf, php.conf - all here in conf/ directory
#  * commented out "Include AxKit.conf"
#  * following copied from httpd.conf.default to httpd.conf
#      * copied long block of LoadModule and AddModule under "DSO Support"
#      * added block, including Listen 443 (https port)
#      * copied "SSL Global Context" and "SSL Virtual Host Context" blocks
#      * in changed
#          * DocumentRoot /home/testhttpd/httpd/html
#      * in added cgimp (our cgi mod_perl extension)

cd /home/testhttpd/httpd/bin
./apachectl configtest

# -- output is --
# [warn] Loaded DSO libexec/mod_jk.so uses plain Apache 1.3 API,
# this module might crash under EAPI! (please recompile it with -DEAPI)
#
# [warn] Loaded DSO /home/testhttpd/httpd/libexec/mod_caucho.so
# uses plain Apache 1.3 API, this module might crash under EAPI!
# (please recompile it with -DEAPI)
#
# Syntax OK

# Given the warnings, I've commented out the java servlet stuff
# for now. Though they may well work as is; I haven't tested them.

# --------------------
# Test plain old http :
./apachectl start
# Then point a browser at http://bob.marlboro.edu:88/ and it looks OK.

# ----------
# Test https :
./apachectl stop
./apachectl startssl
# and get prompted for the server pass phrase before it starts.
# Then point a browser at https://bob.marlboro.edu/ ...
# and it works! (after going through all kinds of
# "will you accept this certificate" dialogs.)

# -------------
# Following the mod_ssl FAQ, I'm going to remove the encryption
# from server.key, so that we can start up the https server
# without typing in the secret key. (Otherwise there's no way
# to have the web server come back up at boot time.)
cd /home/testhttpd/httpd/conf/ssl.key
cp server.key server.key.orig
openssl rsa -in server.key.orig -out server.key
chmod 400 server.key
# Note that this means that our "secure" server is only
# as secure as this (root read only but unencrypted) file, server.key
# Now the server can be started with just /home/testhttpd/httpd/bin/apachectl

# ---- Other notes -----
#
#  * Most of the http://bob/etc loads fine under https://bob/etc
#
#  * But, one problem is that netscape won't load http:// images from
#    within https:// pages. It thinks they're insecure, and doesn't
#    show them. For example, https://bob/~msie/2002/wiki/wiki has
#    difficulty with the images, which are given with a full http:// path.
#    I tried to read more about this online, and found a number of
#    folks on discussion groups asking about it
#    (search "internal-icon-insecure") but no one giving good answers. Hmmm.

# --------------
# All that's left to do is change the --prefix configuration
# options to point at the actual installation location /home/httpd ,
# re-install, and copy over my changes to httpd.conf and
# the conf/includes/ files. Oh, and the various keys.
# So:
#  * moved /home/httpd/conf to conf-9.2001
#  * cd /home/testhttpd/httpd/; tar cf conf.tar conf;
#    mv conf.tar /home/httpd; cd /home/httpd; tar xf conf.tar
#  * also copied httpd/perl_modules over (new Code2Html.pm perl handler)
#  * changed all testhttpd/httpd to httpd in conf files

# And recompiled apache with the /home/httpd prefix
SSL_BASE=SYSTEM EAPI_MM=../mm-1.1.3 ./configure --enable-module=ssl --prefix=/home/httpd --disable-rule=SSL_COMPAT --enable-rule=SSL_SDBM --activate-module=src/modules/perl/libperl.a --enable-shared=remain --disable-module=auth_dbm --disable-module=auth_db --disable-rule=EXPAT --enable-module=rewrite
make
make certificate TYPE=existing CRT=/home/httpd/conf/ssl.crt/server.crt KEY=/home/httpd/conf/ssl.key/server.key
make install

+--------------------------------------------------------+
| You now have successfully built and installed the      |
| Apache 1.3 HTTP server. To verify that Apache actually |
| works correctly you now should first check the         |
| (initially created or preserved) configuration files   |
|                                                        |
|   /home/httpd/conf/httpd.conf                          |
|                                                        |
| and then you should be able to immediately fire up     |
| Apache the first time by running:                      |
|                                                        |
|   /home/httpd/bin/apachectl start                      |
|                                                        |
| Or when you want to run it with SSL enabled use:       |
|                                                        |
|   /home/httpd/bin/apachectl startssl                   |
|                                                        |
| Thanks for using Apache.        The Apache Group       |
|                                 http://www.apache.org/ |
+--------------------------------------------------------+

=============
Oct 4 - One more detail.

Turns out that the last round of make certificate ... make install ...
was using the unencrypted server.key - as a result, I'm not sure it
installed correctly. So,

cd /home/httpd/conf/ssl.key
mv server.key server.key.unencryp
mv server.key.orig server.key
cd /usr/local/src/apache.22sep2001/apache_1.3.20
make certificate ...
make install
cd /home/httpd/conf/ssl.key
mv server.key server.key.orig
mv server.key.unencryp server.key

and restart things

cd /home/httpd/bin
./apachectl stop
./apachectl startssl

I hope that things are OK now. The various browsers seem to operate
on https all right after the "do you want to accept this certificate"
dialogs. But I'm not really sure what the traffic looks like, or if
Explorer (in particular) is really doing the right thing. Its
messages are a bit weird.
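Added example, not from these notes and not mod_ssl's own mkcert.sh: the plain openssl commands behind the "make certificate TYPE=custom" run above (a private CA, then a server certificate signed by it, using the subject answers recorded in the certificate params), followed by the passphrase removal that was done on server.key and the check that would settle the Oct 4 worry, namely that the key Apache loads has the same RSA modulus as the certificate it serves. Everything happens in a scratch directory; the passphrases, the 2048-bit key size, the 365-day validity and the www.marlboro.edu SAN are assumptions, and the openssl config is written inline so nothing depends on the system openssl.cnf.

```shell
#!/bin/sh
# Added example (not from the notes above, not mod_ssl's mkcert.sh):
# openssl equivalent of "make certificate TYPE=custom", then the
# passphrase removal and the key/cert modulus check from the mod_ssl FAQ.
# Assumptions: mktemp scratch dir, passphrases ca-secret/srv-secret,
# 2048-bit RSA (1024 was usual in 2001, too small now), 365-day validity.
set -eu

# Subject fields as answered in the ca.csr / server.csr prompts.
CA_SUBJ="/C=US/ST=VT/L=Marlboro/O=Marlboro College/OU=Grad Center/CN=Marlboro College/emailAddress=msie@bob.marlboro.edu"
SRV_SUBJ="/C=US/ST=VT/L=Marlboro/O=Marlboro College/OU=Grad Center/CN=marlboro.edu/emailAddress=msie@bob.marlboro.edu"

# Self-contained openssl config: prompt=no, a DN section that -subj
# overrides, and explicit extension sets for the CA and the server cert.
write_cnf() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ srv_ext ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:marlboro.edu,DNS:www.marlboro.edu
EOF
}

# TYPE=custom: ca.key/ca.crt, then server.key/server.csr/server.crt in $1.
make_custom_certs() {
    dir=$1; capass=$2; srvpass=$3
    write_cnf "$dir/ssl.cnf"
    openssl genrsa -aes256 -passout "pass:$capass" -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -config "$dir/ssl.cnf" -extensions ca_ext \
        -key "$dir/ca.key" -passin "pass:$capass" -subj "$CA_SUBJ" \
        -days 365 -out "$dir/ca.crt"
    openssl genrsa -aes256 -passout "pass:$srvpass" -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -config "$dir/ssl.cnf" -key "$dir/server.key" \
        -passin "pass:$srvpass" -subj "$SRV_SUBJ" -out "$dir/server.csr"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -passin "pass:$capass" -CAcreateserial -days 365 \
        -extfile "$dir/ssl.cnf" -extensions srv_ext -out "$dir/server.crt" 2>/dev/null
    chmod 400 "$dir/ca.key" "$dir/server.key"
}

# Does server.crt chain to ca.crt?  Prints "<path>: OK" and exits 0 if so.
verify_chain() { openssl verify -CAfile "$1/ca.crt" "$1/server.crt"; }

# The "startssl without a passphrase" step: keep the encrypted copy, write
# a plaintext one, and leave BOTH readable by the owner only.
strip_passphrase() {
    dir=$1; pass=$2
    cp "$dir/server.key" "$dir/server.key.orig"
    openssl rsa -in "$dir/server.key.orig" -passin "pass:$pass" -out "$dir/server.key" 2>/dev/null
    chmod 400 "$dir/server.key" "$dir/server.key.orig"
}

# Exit 0 iff the RSA modulus in key $1 equals the one in certificate $2.
# $3 is the key's passphrase; leave it empty for an unencrypted key.
key_matches_cert() {
    kmod=$(openssl rsa -noout -modulus -in "$1" -passin "pass:${3:-}" 2>/dev/null || true)
    cmod=$(openssl x509 -noout -modulus -in "$2")
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ]
}

# Exit 0 iff key $1 is unencrypted and not readable by group or world.
key_is_plain_and_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case $mode in 400|600) ;; *) return 1 ;; esac
    ! grep -q ENCRYPTED "$1"
}

WORK=$(mktemp -d)
make_custom_certs "$WORK" ca-secret srv-secret
verify_chain "$WORK"
strip_passphrase "$WORK" srv-secret
key_matches_cert "$WORK/server.key" "$WORK/server.crt" && echo "server.key matches server.crt"
key_is_plain_and_private "$WORK/server.key" && echo "server.key is unencrypted, mode 400"
```

Run it with sh on any machine that has openssl in PATH. Against a real installation the same check is `key_matches_cert conf/ssl.key/server.key conf/ssl.crt/server.crt`: if the wrong key was installed, the two modulus values differ (or the key side comes out empty), which is exactly what the Oct 4 note could not confirm by watching browser dialogs. The chmod 400 on server.key only keeps other local users out; once the passphrase is gone, root, or anyone who gets a copy of conf/ssl.key from a backup, holds the server's private key in the clear, so the .orig copy deserves the same permissions.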