Apache ssl
0 likes321 views
This document provides instructions for setting up a Linux web server with Apache, PHP, SSL, and Frontpage support. It describes: 1. The components - Apache, PHP scripting language, SSL for secure connections, and Frontpage server extensions. 2. Installing each component - Downloading and compiling Apache, PHP as an Apache module, SSL libraries, and applying necessary patches. 3. Configuring Apache - Enabling PHP and SSL modules, configuring mime types and indexes, and applying the Frontpage patch.
![1.3 History
v0.0/Apr 98: Preview version
v1.0/Jun 98: Now using Apache 1.2.6, updated fp section, minor corrections
v1.1/Jul 98: Sgmlized and restructered version
You can find the latest version of this document at http://www.faure.de
2.Component installation
2.1 Preparations
You will need:
• Apache 1.2.6 http://www.apache.org/dist/apache_1_2_6.tar.gz
• PHP/FI Extensions http://php.iquest.net/files/download.phtml?/files/php−2.01.tar.gz
• GD Library http://siva.cshl.org/gd/gd.html
• SSL 0.8.0 ftp://ftp.ox.ac.uk/pub/crypto/SSL/SSLeay−0.8.0.tar.gz
• SSL patch for Apache 1.2.6 ftp://ftp.ox.ac.uk/pub/crypto/SSL/apache_1.2.6+ssl_1.17.tar.gz
• frontpage 98 server extensions and install script http://www.rtr.com/fpsupport/download.htm
Get the sources you want. Untar apche, php, gd and ssl to /usr/src. Untar the SSL patch to
/usr/src/apache_1.2.6.
2.2 Adding PHP
cd to /usr/src/gd1.2 and type make. This will build the GD library libgd.a, that should be copied to
/usr/lib. Now cd to php−2.0.1 and run ./install.
The relevant questions are:
Would you like to compile PHP/FI as an Apache module? [yN] y
Are you compiling for an Apache 1.1 or later server? [Yn] y
Are you using Apache−Stronghold? [yN] y
Does your Apache server support ELF dynamic loading? [yN] y
Apache include directory (which has httpd.h)? [/usr/local/include/apache] /usr/src/apache_1.2.6/s
Would you like to build an ELF shared library? [yN] y
Additional directories to search for .h files []: /usr/src/gd1.2
Would you like the bundled regex library? [yN] n
Like the frontpage extensions, phtml includes a security problem because it is run under the uid of the
Linux Apache SSL PHP/FI frontpage mini−HOWTO
1.3 History 3](https://image.slidesharecdn.com/apachesslphpfp1674-140416074248-phpapp01/85/Apache-ssl-5-320.jpg)
Apache ssl
- 1. Linux Apache SSL PHP/FI frontpage mini−HOWTO
- 2. Table of Contents Linux Apache SSL PHP/FI frontpage mini−HOWTO....................................................................................1 Marcus Faure, marcus@faure.de.............................................................................................................1 1.Introduction...........................................................................................................................................1 2.Component installation.........................................................................................................................1 3.Putting it all together.............................................................................................................................1 1.Introduction...........................................................................................................................................2 1.1 Description of the components..........................................................................................................2 1.2 Working configurations.....................................................................................................................2 1.3 History...............................................................................................................................................3 2.Component installation.........................................................................................................................3 2.1 Preparations........................................................................................................................................3 2.2 Adding PHP.......................................................................................................................................3 2.3 Adding SSL........................................................................................................................................4 2.4 Adding frontpage...............................................................................................................................4 3.Putting it all together.............................................................................................................................5 3.1 Apache modules to try.......................................................................................................................5 3.2 Giving CGI's more security...............................................................................................................5 3.3 Compiling and installing the server daemon.....................................................................................5 3.4 Adding frontpage support to a web....................................................................................................7 3.5 Starting the daemon...........................................................................................................................7 3.6 Some considerations left....................................................................................................................7 3.7 Known bugs.......................................................................................................................................8 3.8 The final word....................................................................................................................................8 Linux Apache SSL PHP/FI frontpage mini−HOWTO i
- 3. Linux Apache SSL PHP/FI frontpage mini−HOWTO Marcus Faure, marcus@faure.de v1.1, July 1998 This document is about building a multipurpose webserver that will support dynamic web content via the PHP/FI scripting language, secure transmission of data based on Netscape's SSL, secure execution of CGI's and M$ Frontpage Server Extensions 1.Introduction • 1.1 Description of the components • 1.2 Working configurations • 1.3 History 2.Component installation • 2.1 Preparations • 2.2 Adding PHP • 2.3 Adding SSL • 2.4 Adding frontpage 3.Putting it all together • 3.1 Apache modules to try • 3.2 Giving CGI's more security • 3.3 Compiling and installing the server daemon • 3.4 Adding frontpage support to a web • 3.5 Starting the daemon • 3.6 Some considerations left • 3.7 Known bugs • 3.8 The final word Linux Apache SSL PHP/FI frontpage mini−HOWTO 1
- 4. 1.Introduction Before you start reading: I am not a native speaker, so there are probably spelling/grammatical errors in this document. Feel encouraged to inform me of mistakes. 1.1 Description of the components The webserver you hopefully will get after having read this howto is composed of several parts, the original apache sources with some (well, many) patches and some external executables. I recommend using the software versions I tried, they will probably compile without greater problems and result in a fairly stable daemon. If you are courageous, you can try to compile all the latest−stuff−with−tons−of−new−features, but don't blame me if something fails ;−). However, you may report other working configurations to be included in future versions of this document. All of the steps were tested on a linux 2.0.35 box, so the howto is somewhat linux−specific, but you should be able to use it for other unixes as well. You do not necesserily have to compile in all components. I tried to structure this howto so that you can skip the parts you are not interested in. The document is neither a user manual to Apache, SSL, PHP/FI nor frontpage. Its prime intention is to save webservice providers some headaches when installing their server and to do my little contribution to the linux community. PHP is a scripting language that supports dynamic HTML pages. It is a bit like Apache's SSI, but by far more complex and has database modules for many popular dbs. The GD libraries are needed by PHP. SSL is an implementation of Netscape's Secure Socket Layer that allow secure connections over insecure networks, e.g. to transmit credit card numbers to web based forms. frontpage is a wysiwyg web authoring tool that makes use of some server−specific extensions called webbots. Some people think frontpage is cool because you can create feedback forms and discussion webs without having to know a bit about html or cgi. It even protects the designer from uploading his/her site via ftp by using a builtin publisher. If you wish to support frontpage but do not like to setup a windows server, the apache server extensions are your choice. 1.2 Working configurations Though this document has been downloaded some 100 times since I published it, I received only little feedback. In particular, noone told me of other working combinations. Combinations that work for me are: • Linux 2.0.31, Apache 1.2.4, PHP 2.0.0, SSL 0.8.0, fp 98 3.0.3 (*) • Linux 2.0.33, Apache 1.2.5, PHP 2.0.1, SSL 0.8.0, fp 98 3.0.3 (*) • Linux 2.0.35, Apache 1.2.6, PHP 3, SSL 0.8.0, fp 98 3.0.4 (*) version 3.0.3 is not recommended Linux Apache SSL PHP/FI frontpage mini−HOWTO 1.Introduction 2
- 5. 1.3 History v0.0/Apr 98: Preview version v1.0/Jun 98: Now using Apache 1.2.6, updated fp section, minor corrections v1.1/Jul 98: Sgmlized and restructered version You can find the latest version of this document at http://www.faure.de 2.Component installation 2.1 Preparations You will need: • Apache 1.2.6 http://www.apache.org/dist/apache_1_2_6.tar.gz • PHP/FI Extensions http://php.iquest.net/files/download.phtml?/files/php−2.01.tar.gz • GD Library http://siva.cshl.org/gd/gd.html • SSL 0.8.0 ftp://ftp.ox.ac.uk/pub/crypto/SSL/SSLeay−0.8.0.tar.gz • SSL patch for Apache 1.2.6 ftp://ftp.ox.ac.uk/pub/crypto/SSL/apache_1.2.6+ssl_1.17.tar.gz • frontpage 98 server extensions and install script http://www.rtr.com/fpsupport/download.htm Get the sources you want. Untar apche, php, gd and ssl to /usr/src. Untar the SSL patch to /usr/src/apache_1.2.6. 2.2 Adding PHP cd to /usr/src/gd1.2 and type make. This will build the GD library libgd.a, that should be copied to /usr/lib. Now cd to php−2.0.1 and run ./install. The relevant questions are: Would you like to compile PHP/FI as an Apache module? [yN] y Are you compiling for an Apache 1.1 or later server? [Yn] y Are you using Apache−Stronghold? [yN] y Does your Apache server support ELF dynamic loading? [yN] y Apache include directory (which has httpd.h)? [/usr/local/include/apache] /usr/src/apache_1.2.6/s Would you like to build an ELF shared library? [yN] y Additional directories to search for .h files []: /usr/src/gd1.2 Would you like the bundled regex library? [yN] n Like the frontpage extensions, phtml includes a security problem because it is run under the uid of the Linux Apache SSL PHP/FI frontpage mini−HOWTO 1.3 History 3
- 6. webserver. Be sure to turn on safe mode in src/php.h and restrict the search path to a save value. There are some other options in php.h you may want to edit. If you are very concerned about security, compile php as a cgi. However, this will be a performance loss and not as smart as the module version. Type make to build all files. When the compilation is done, copy mod_php.* and libphp.a to /usr/src/apache_1.2.6/src Add a line Module php_module mod_php.o to the end of /usr/src/apache_1.2.6/src/Configuration, add −lphp −lm −lgdbm −lgd to the EXTRA_LIBS in the same file, application/x−httpd−php phtml to Apache's mime.types and AddType application/x−httpd−php .phtml to Apache's srm.conf. You may also want to add index.phtml to DirectoryIndex in that file so that a file index.phtml is automatically loaded when its directory is requested. 2.3 Adding SSL cd /usr/src/SSL−0.8.0; ./Configure linux−elf; make; make rehash This will create libraries needed by apache. You may issue make test to verify the compilation. You have to apply a patch to apache. It is important that you apply it before the frontpage patch, otherwise frontpage will not work. cd to /usr/src/apache_1.2.6/src and issue patch < /usr/src/apache_1.2.6/SSLpatch. Set SSL_BASE=/usr/src/SSLeay−0.8.0 in Configuration. Make sure that Module proxy_module is disabled otherwise Apache won't compile. If you are in need of a proxy, go for Squid http://squid.nlanr.net/ Now make certificate to generate SSLconf/conf/httpsd.pem. 2.4 Adding frontpage Rename the fp30.linux.tar.Z file to fp30.linux.tar.gz, otherwise the install script will not find it. Run ./fp_install to copy the extension files to /usr/local/frontpage. zcat can usually be invoked as /usr/bin/zcat. You now have to apply the FP patch. cd to /usr/src/apache_1.2.6/src and type patch < /usr/src/frontpage/version3.0/apache−fp/fp−patch−apache_1.2.5 This will create the mod_frontpage.* files and do some modifications to Configuration etc. The 1.2.5 patch will work with both apache 1.2.5 and 1.2.6. Skip the part about installing webs, you can do that later Linux Apache SSL PHP/FI frontpage mini−HOWTO 2.3 Adding SSL 4
- 7. 3.Putting it all together 3.1 Apache modules to try The modules I use besides SSL, PHP and frontpage are: Module env_module mod_env.o Module config_log_module mod_log_config.o Module mime_module mod_mime.o Module negotiation_module mod_negotiation.o Module dir_module mod_dir.o Module cgi_module mod_cgi.o Module asis_module mod_asis.o Module imap_module mod_imap.o Module action_module mod_actions.o Module alias_module mod_alias.o Module rewrite_module mod_rewrite.o Module access_module mod_access.o Module auth_module mod_auth.o Module anon_auth_module mod_auth_anon.o Module digest_module mod_digest.o Module expires_module mod_expires.o Module headers_module mod_headers.o Module browser_module mod_browser.o 3.2 Giving CGI's more security If you are an ISP (you probably are when you read this) you will want to improve security. The suexec utility allows you to do so; it will execute cgi's under the UID of the webowner instead of executing it under the webservers UID. Go to /usr/src/apache_1.2.6/support and make suexec. chmod 4711 suxec and copy it to the location specified in ../src/httpd.h which is /usr/local/etc/httpd/sbin/suexec by default. If the path seems a little cryptic to you − it did to me − edit httpd.h and set the path to a more comfortable value. 3.3 Compiling and installing the server daemon Enter /usr/src/apache_1.2.6/src and edit Configuration to set all the Modules you want to include in your Apache daemon. When done, run ./Configure and make. This is the last (and most complicated) compilation step, so cross your fingers. If it succeeds, cp httpsd to /usr/sbin. The daemon is somewhat big, consider this when assembling your webserver. Create the directory /var/httpd with subdirectories cgi−bin, conf, htdocs, icons, virt1, virt2 and logs. In /usr/src/apache_1.2.6/conf edit access.conf−dist, mime.types and srm.conf−dist to suit your needs and copy them to var/httpd/conf/access.conf, srm.conf and mime.types. Copy the httpsd.pem you created with make certificate to /var/httpd/conf. Use the following httpd.conf: ServerType standalone Linux Apache SSL PHP/FI frontpage mini−HOWTO 3.Putting it all together 5