This is a log of my installation/compilation of Apache DSO with SSL, MM, under Red Hat 7.3 on Pentium III

This log includes compilation from scratch of Apache. I personally usually compile stuff from scratch, since I have the NIH (Not Invented Here) mental syndrome, and I do not like THEIR layout. It is still mild, and my shrink tells me that he still does not have to report me to the authorities. Frankly, I do not like my own layout after a while too, and change it often. This time, I even adopted Red Hat layout...

This memo was originally written around Aug 30, 2002

The UNIX commands are in italic. It is assumed that you will just grab them with the mouse and paste them in your xterm...

Few terms:

Apache -- the Web Server

DSO -- Dynamic Shared Object (additional modules can be added/updated to Apache without the need to recompile the whole thing, similar to shared libraries, but DSO modules are not only called, but can also call routines within Apache)

MM -- memory management or something like that - an add-on to Apache and its modules to communicate via shared memory rather than files (faster).

SSL -- Secure Sockets Layer - the encryption and certificate package which works with Apache

I assume you have moderately recent GNU tools (gmake, gzip, etc...) installed and you also have a recent version of the perl distribution installed. I assume that you do all installation as root...

You can also get the wget utility from ftp://ftp.gnu.org/pub/gnu/wget/. The local copy is here. You will need to have openssl libraries (libcrypto and libssl) installed for the latest wget to compile. If you do not have them, install openssl first as described later on in this log. By default, it installs the wget binary to /usr/local/bin and puts the man page into /usr/local/man. You can edit the Makefile after the ./configure step if you want them elsewhere.
I installed the latest GNU one (now 1.8.2) as follows: get wget-1.8.2.tar.gz and move it to directory /usr/local/uploads or the one you like the most, e.g., /tmp.

    gunzip wget-1.8.2.tar.gz
    gtar xvf wget-1.8.2.tar
    mv wget-1.8.2 /usr/local     # I like it in /usr/local
    cd /usr/local/wget-1.8.2
    ./configure
    make
    make install

wget also has extensive GNU info pages and if you have info installed, do

    info wget

and seek knowledge.

1) Be root... Run ksh or bash or other sh, but not C-shell.

Before you install the new Apache, you have to know if you have some other installation of Apache running. If you do, you need to decide if you want to keep the old Apache running, or stop it. The problem is that the Apache server by default listens on the standard Web TCP ports, and you cannot have some other Apache listen on the same port(s). If Apache was installed before, you will need either to disable it, or choose other ports. If some Apache is running (do: ps -ef | grep httpd) check which ports it is using by:

    netstat -a | grep LISTEN

or

    netstat -a -n | grep LISTEN

if you want to see all ports given as numbers, rather than service names. If you get (among others):

    tcp        0      0 *:www           *:*             LISTEN
    tcp        0      0 *:https         *:*             LISTEN

(or, with the netstat -n option:

    tcp        0      0 0.0.0.0:80      0.0.0.0:*       LISTEN
    tcp        0      0 0.0.0.0:443     0.0.0.0:*       LISTEN
)

then the "well known ports" for HTTP and HTTPS are booked and some web server is running.

2) If the old server is running, check the files in /etc/init.d and see if there is an httpd file (or similar) and stop apache as:

    /etc/init.d/httpd stop

3) If you do not want to kill the previous Apache, and want to install the new one in such a way that their TCP ports do not conflict, just continue on, and you will be OK, since this installation uses ports 4080 and 6443 rather than the standard ports which your existing installation is most likely using (change them if already used for something else).
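The port check from steps 1 to 3 as a small script, an added example that is not part of the original log: it reads netstat -a -n output on standard input and reports which of the candidate ports already have a listener. The names ports_in_use and sample_netstat and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# ports_in_use PORT...  (hypothetical helper, added example)
# Reads "netstat -a -n" output on stdin and prints each requested port that
# already has a TCP listener, one per line, in the order the ports were given.
ports_in_use() {
    awk -v want="$*" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) ask[w[i]] = 1 }
        # Only TCP sockets in LISTEN state can collide with a new Listen line.
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            port = $4                  # local address: 0.0.0.0:80, :::443, ...
            sub(/^.*:/, "", port)      # keep only what follows the last colon
            if (port in ask) busy[port] = 1
        }
        END { for (i = 1; i <= n; i++) if (w[i] in busy) print w[i] }
    '
}

# Constructed sample in the numeric format shown above. Port 8080 is there to
# show that an exact match on the port field does not mistake it for port 80,
# which a plain "grep 80" would.
sample_netstat() {
    cat <<'EOF'
tcp        0      0 0.0.0.0:80        0.0.0.0:*         LISTEN
tcp        0      0 0.0.0.0:443       0.0.0.0:*         LISTEN
tcp        0      0 127.0.0.1:8080    0.0.0.0:*         LISTEN
tcp        0      0 10.0.0.5:22       10.0.0.9:51512    ESTABLISHED
EOF
}

# Live use: netstat -a -n | ports_in_use 80 443 4080 6443
sample_netstat | ports_in_use 80 443 4080 6443 8080
```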
If you know where the configuration file for the already installed apache is located, you can edit it and change the port assignments, for example: edit file /usr/local/apache1.3.13/conf/httpd.conf and change ports:

    cd /usr/local/apache1.3.13/conf
    cp -p httpd.conf httpd.conf.original
    emacs httpd.conf     # or vi or whatever

and replace lines:

    Listen 80                    -->  Listen 6080
    Port 80                      -->  Port 6080
    Listen 443                   -->  Listen 6443
    <VirtualHost _default_:443>  -->  <VirtualHost _default_:6443>

then restart apache and check pages:

    cd /etc/init.d
    ./httpd start

and try if this works, i.e., try the URLs:

    http://my.machine.com:6080/
    https://my.machine.com:6443/

4) You usually have openssl installed, but if you cannot find the libraries:

    /usr/lib/libcrypto* or /usr/local/lib/libcrypto*
    /usr/lib/libssl* or /usr/local/lib/libssl*

you need to install openssl. Even if you have openssl and the libraries already installed, you may have to go through this step if you did not install the development version of openssl and are missing the header files. At this writing I had the following RPMs installed: openssl-0.9.6b-28.i386, openssl-devel-0.9.6b-28.i386, openssl-perl-0.9.6b-28.i386, openssl095a-0.9.5a-18.i386, openssl096-0.9.6-13.i386. I retrieved the latest openssl RPMs from http://rufus.w3.org, put them in a /tmp directory, and did:

    rpm -Uhv openssl*

5) Make top directory for Apache 1.3.26 installation.
I did /usr/local/apache_1.3.26:

    mkdir /usr/local/apache_1.3.26

Then set the APACHE_HOME environment variable:

    APACHE_HOME=/usr/local/apache_1.3.26
    export APACHE_HOME

I also made a subdirectory "sources" to have all needed sources in one place:

    mkdir /usr/local/apache_1.3.26/sources
    cd /usr/local/apache_1.3.26/sources

Put the tar files there:

    wget http://www.apache.org/dist/httpd/apache_1.3.26.tar.gz
    wget http://www.modssl.org/source/mod_ssl-2.8.10-1.3.26.tar.gz
    wget ftp://ftp.ossp.org/pkg/lib/mm/mm-1.2.1.tar.gz

Local copies of the tarballs from above are here: apache_1.3.26.tar.gz mod_ssl-2.8.10-1.3.26.tar.gz mm-1.2.1.tar.gz

6) Unpack sources to build DSO Apache with mod_ssl and mm:

    cd /usr/local/apache_1.3.26
    cd sources
    gtar zxvf apache_1.3.26.tar.gz
    gtar zxvf mod_ssl-2.8.10-1.3.26.tar.gz
    gtar zxvf mm-1.2.1.tar.gz

7) Compiled MM shared memory library

    cd /usr/local/apache_1.3.26/sources/mm-1.2.1
    ./configure --disable-shared
    make

8) Configured mod_ssl

    cd /usr/local/apache_1.3.26/sources/mod_ssl-2.8.10-1.3.26
    EAPI_MM=../mm-1.2.1 \
    ./configure \
        --with-apache=/usr/local/apache_1.3.26/sources/apache_1.3.26

9)

    cd /usr/local/apache_1.3.26/sources/apache_1.3.26
    SSL_BASE=SYSTEM \
    EAPI_MM=/usr/local/apache_1.3.26/sources/mm-1.2.1 \
    ./configure --with-layout=RedHat \
        --enable-module=so \
        --enable-rule=SHARED_CORE \
        --enable-module=most \
        --enable-shared=max \
        --enable-module=ssl \
        --enable-shared=ssl
    make

11) Now you can make certificates. If you want to install self signed certificates which you will use (read a pagefull below), do:

    make certificate TYPE=custom

One thing to remember is to enter the fully qualified domain name of the host on which this Apache Web server runs (in my case: ccl.net) when you are asked for info for the X.509 certificate signing request for SERVER [server.csr] at item 6. Common Name. You can look at my dialog with the computer here.
I then tarred my certificates/keys into a file:

    cd /usr/local/apache_1.3.26/sources/apache_1.3.26/conf
    gtar zcvf /usr/local/apache-certificates.tgz ssl*
    chmod 600 /usr/local/apache-certificates.tgz

just in case I lose them (these certificates were made for 6 or so years, and I do not want to redo them every time I update apache). When you need to restore the certificates, just do:

    cd $APACHE_HOME/conf
    gtar zxvf /usr/local/apache-certificates.tgz

If you have your certificates already made and signed, you can just create dummy certificates as:

    make certificate TYPE=dummy

and you will replace them later in $APACHE_HOME/conf with the real ones.

Then you install Apache in the directories under $APACHE_HOME:

    cd /usr/local/apache_1.3.26/sources/apache_1.3.26
    make install

Also, if for some reason you need to redo the certificates (I actually had to do it, since I had a typo in the server name and discovered it after I finished the apache installation):

    cd /usr/local/apache_1.3.26/sources/apache_1.3.26
    make certificate TYPE=custom

and copy them by hand to the $APACHE_HOME/conf directory:

    cd /usr/local/apache_1.3.26/sources/apache_1.3.26/conf
    gtar zcvf /usr/local/apache-certificates.tgz ssl*
    chmod 600 /usr/local/apache-certificates.tgz
    cd $APACHE_HOME/conf
    gtar zxvf /usr/local/apache-certificates.tgz

and do not redo the make install !!!

12) With the RedHat setup, the config and authorization files are located in /etc/httpd. You need to edit /etc/httpd/conf/httpd.conf or use your previous httpd.conf. You need to set up the

    ServerRoot "/etc/httpd"
    ServerName your.actual.machine
    DocumentRoot "/your/actual/document/root"

and try it with:

    /usr/sbin/apachectl startssl

then point your browser at: http://your.machine/ and https://your.machine/ and you should see something. If not, you have a problem.
Then I did

    /usr/sbin/apachectl stop

to stop apache, so I can tweak startup scripts.

13) I went to the /etc/rc.d/init.d directory and created a startup script for apache, httpd-ssl, so Apache can start on reboot. I also checked if there are some old links to the previous/default installation of httpd in the /etc/rc.d directories by doing:

    cd /etc/rc.d
    find . -name '*http*' -print

If you do not run another apache, remove these links by doing:

    cd /etc/rc.d
    find . -name '[KS]*http*' -exec rm {} \;

and then remake the links by doing:

    cd /etc/rc.d/init.d
    chkconfig --add httpd-ssl
    chkconfig --list httpd-ssl

If this does not show the line:

    httpd-ssl 0:off 1:off 2:off 3:on 4:on 5:on 6:off

make sure there is a line close to the top of the httpd-ssl script:

    # chkconfig: 345 85 15

Now start and stop apache as:

    /etc/rc.d/init.d/httpd-ssl start
    /etc/rc.d/init.d/httpd-ssl stop

and check if you are getting the pages served both for http and https protocols.

-- THE END --

If you see something wrong here, please let me know, so I can save other people's time.

Jan
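The certificate backup from step 11, written so that the archive holding the private keys is created owner-only from the start rather than tightened by chmod 600 after it has been written. This is an added example, not part of the original log; the function names backup_certs and archive_mode are hypothetical, plain tar stands in for gtar, and the directory tree is constructed.

```shell
#!/bin/sh
# backup_certs CONF_DIR ARCHIVE  (hypothetical helper, added example)
# Archives the ssl* entries of CONF_DIR into ARCHIVE (give an absolute path).
backup_certs() {
    conf_dir=$1
    archive=$2
    (
        # Restrictive umask before the file exists: the archive is created
        # with mode 0600 instead of being tightened by chmod afterwards.
        # The subshell keeps the umask and the cd away from the caller.
        umask 077
        cd "$conf_dir" || exit 1
        set -- ssl*
        # An unmatched glob stays literal; refuse to write an empty backup.
        [ -e "$1" ] || { echo "no ssl* entries in $conf_dir" >&2; exit 1; }
        tmp="$archive.tmp.$$"
        tar czf "$tmp" "$@" || { rm -f "$tmp"; exit 1; }
        # Rename over any older archive, so looser permissions left on a
        # previous copy do not carry over.
        mv -f "$tmp" "$archive"
    )
}

# archive_mode FILE: print the permission string of FILE, e.g. -rw-------
archive_mode() {
    ls -ld "$1" | cut -c1-10
}

# Demonstration on a constructed tree; the file below is a placeholder,
# not a real key.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/conf/ssl.key"
echo "constructed placeholder" > "$demo_dir/conf/ssl.key/server.key"
backup_certs "$demo_dir/conf" "$demo_dir/apache-certificates.tgz" &&
    archive_mode "$demo_dir/apache-certificates.tgz"
rm -rf "$demo_dir"
```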