|[Install/Setup] Apache2 & OpenSSL on Linux - A Quick Install Guide|
|Author||Date||06-02-21 21:49||Views||5961|
Installed it today!! It installed fine following the install guide below.
I searched all day for related install documents and they were hard to find. This is a document I found with some difficulty.
I hope it is a useful resource.
Quick Install Guide
A Reminder, not a Tutorial
for Apache 2.0.xx with mod_perl, mod_SSL and OpenSSL.
Assumes x86 processors running either Slackware or Redhat.
This quick guide will remind/show how to set up Apache2 for a domain with a secure SSL web site and a regular web site. The cgi-bin for the SSL web site is separate from the common cgi-bin.
NOTE: My preference is to run Apache 2.0 in /usr/local/apache2 (this is the Apache default location)
Slackware uses /var/lib/apache or /var/lib/httpd - use pkgtool to remove any existing version
Redhat uses /etc/httpd -- sorry, I am a Slackware slack now.
1 - download the new Apache source from http://www.apache.org/httpd.html and the mod_perl source code from http://perl.apache.org/download/index.html . Be sure to get the mod_perl for Apache 2.
2 - mv the Apache and mod_perl source files to /usr/src/apache (My preference, but they can be unpacked anywhere)
3 - unpack the new Apache 2.0.XX and mod_perl with:
tar zxvf httpd-2.0.XX.tar.gz -- if the file ends in .tar.gz (where XX is the version) for Apache 2.0.XX
tar zxvf mod_perl.XXXX.tar.gz -- if the file ends in .tar.gz (where XXXX is the version) for the mod_perl version. Note that the latest version may be mod_perl-2.0-current.tar.gz but when unpacked it gives mod_perl-1.99_XX or something like it.
4 - cd into the httpd-2.0.XX directory
5 - Read the README and INSTALL files etc...
6 - Look through the configure script in the main directory (or run ./configure --help) to see which modules can be compiled into the new Apache; the list starts after Optional Features. --enable will enable a feature, --disable will disable it. Note that there appears to be a bug/glitch in that not all modules are controlled from configure.
7 - Create a file named configthese to enable/disable needed modules:
./configure --prefix=/usr/local/apache2 \
8 - chmod 744 configthese to make it executable.
9 - Now to compile and install it.
10 - To install it, either cp httpd /usr/local/apache2/bin/httpd to replace the existing httpd (Slackware and Redhat may have it in sbin instead of bin)
or run make install to install all Apache files and subdirectories. Apache 2.0's make install does not overwrite an existing httpd.conf (it installs the new default alongside it as httpd-std.conf), but back up your conf directory before running it anyway -- Yikes!!
Often there are changes made in the httpd.conf file in new versions to reflect server changes/additions, so compare the new default against your old file.
If you have a previous version of apache that is running, first stop it by
11 - check apachectl in apache2/bin or apache2/sbin. It should work as is, but you may need to edit:
PIDFILE=where the pid file is
HTTPD=where the httpd file is
STATUSURL="http://localhost/server-status" (should work ok as is)
12 - Now to compile and install mod_perl.
cd /usr/src/apache/mod_perl-1.99_XX ...or whatever the current version is.
Read the INSTALL and README files. The Simple Install should work ok:
perl Makefile.PL MP_AP_PREFIX=/usr/local/apache2
make && make test
make install
The install should copy mod_perl.so into /usr/local/apache2/modules. Check to make sure it is there.
Now to edit the Apache configuration file.
13 - Edit your /usr/local/apache2/conf/httpd.conf file to check the following
ServerRoot "/usr/local/apache2" or wherever
PidFile /usr/local/apache2/logs/httpd.pid should be the same as the above PIDFILE in step 11
ServerAdmin who@domain (maybe correct/useable as installed)
ServerName new.host.name:80 replace with either your IP or domain name..
UserDir public_html (public_html is the default. Just make sure each user has one.)
Remove the # from in front of the example control-access settings for UserDir directories. They should follow the UserDir public_html section.
DirectoryIndex index.html index.htm index.html.var index.shtml default.html default.htm
DirectoryIndex is the starting page name and the search order.(index.html is the default)
uncomment and edit: AddHandler cgi-script .cgi
for serverside includes
uncomment and edit AddType text/html .shtml .htm .html
AddHandler server-parsed .shtml .htm .html
Also, for server-side includes to work you will need either Options Includes or Options IncludesNoExec within the relevant <Directory> ... </Directory> sections. Prefer IncludesNoExec anywhere users other than you can write files (UserDir directories in particular): plain Includes permits the <!--#exec cmd="..."--> directive, which runs a command as the server user for anyone able to drop a parsed file there.
Under the Dynamic Shared Object (DSO) Support section you will need to make sure the following two lines are there, otherwise your mod_perl might not be loaded into Apache.
# now to load the perl module
LoadModule perl_module modules/mod_perl.so
Uncomment the <Location /server-status> section
and restrict its Allow from .your_domain.com line to one or more IPs or domain names; only those should be able to reach http://servername-or-IP/server-status. The information there (loaded modules, active requests, client addresses) is useful to a cracker/hacker sizing up your Apache server. In 2.0 the access control is the Order deny,allow / Deny from all / Allow from ... trio, and IPs can be written in either the 192.168.1 or the 192.168.1.0/24 notation.
Uncomment the ExtendedStatus On line -- but only once you have restricted the Allow from in the <Location /server-status> section.
Uncomment the <Location /server-info> section
and edit its Allow from .your_domain.com the same way, so that only the addresses you list can reach http://servername-or-IP/server-info. That page shows every compiled-in module and the configuration directives in effect, which is even more useful to an attacker than server-status.
Uncomment or add a NameVirtualHost line with the server's IP
Add any <VirtualHost> sections
14 - edit the startup files as needed.
Slackware is /etc/rc.d/rc.httpd
Redhat is /etc/rc.d/init.d/httpd
15 - start it up either using the startup file or cd to the apache2/bin directory and using
./apachectl start without mod_SSL support
./apachectl startssl with mod_SSL support
The SSL support is not yet complete as we have not yet installed an SSL certificate.
Note that you may need to vi apachectl to edit the PIDFILE and HTTPD to where they really are.
16 - watch for errors then use a web browser on a pc to try it out... try a virtual host domain and a users directory. http://xx.yy.zz.aa/server-info (where xx.yy.zz.aa is an IP that your Apache Server will respond to) will tell you what modules your Apache has loaded.
http://xx.yy.zz.aa/server-status (where xx.yy.zz.aa is an IP that your Apache Server will respond to) for server status info.
17 - run apachectl configtest and then apachectl graceful after any changes to the httpd.conf file
Now for the SSL part...
18 - Download a current copy of OpenSSL from http://www.openssl.org/source/ . You may see openssl and openssl-engine. Download the current version of openssl. It does not matter where it is on your server. But I prefer /usr/src/
19 - unpack openssl with
tar zxvf openssl-0.9.xx.tar.gz where xx is the version.
20 - Change into the new directory cd openssl-0.9.xx and read the INSTALL and README files.
21 - Go with the defaults and just do the following:
This should compile it and install it in /usr/local/ssl. Note that the make and make test may take 5 minutes or so to compile and test.
Making an SSL key, CSR and self-signed cert for Apache.
22 - Change to the /usr/local/ssl directory
echo $PATH to see if the ssl bin directory (/usr/local/ssl/bin) is in your path
If it is not, add it with export PATH=$PATH:/usr/local/ssl/bin, then echo $PATH again and you should see the ssl directory in your path
23 - Now to generate an SSL cert. For several years I could not figure this out, but with the help of Linux Server Hacks by Rob Flickenger from O'Reilly (hacks.oreilly.com) I was finally able to hack it. Piece of pie!
Tip! It works best if you use your actual domain name for the file names in Steps 1-3 and as the Common Name in Step 2. Browsers compare the Common Name with the host name they connected to; Internet Explorer will ask for your OK every session in which it encounters the certificate if you do not use the actual domain name.
openssl genrsa -des3 1024 > www.domainname.com.key generates a pass-phrase-protected SSL key. You will be asked to enter a new pass phrase; you will need it to generate the certificate (crt) in Step 3 and every time Apache2 starts with mod_SSL, since the server must decrypt the key. Note that 1024-bit RSA keys are no longer considered strong enough; use at least 2048 bits.
openssl req -new -key www.domainname.com.key >www.domainname.com.csr to generate the Certificate Signing Request.
You will be asked for the following:
Country Name ( 2 letter code) = US
State or Province Name = Texas
Locality Name = Houston
Organization Name = MegaDomane, Inc.
Organizational Unit Name = Our Secure Web Site
CommonName = www.domainname.com
Email Address = firstname.lastname@example.org
The default answers for these can be set in openssl.cnf. Just look for the lines with _default and change them...
openssl req -x509 -days 90 -key www.domainname.com.key \
-in www.domainname.com.csr > www.domainname.com.crt
You will be asked for the pass phrase that you entered in Step 1.
Do an ls -l www* to see your new key, CSR and certificate.
24 - Now to copy your new self-signed certificate (crt, used by SSLCertificateFile) and key (used by SSLCertificateKeyFile) into the Apache2 directory tree.
cp www.domainname.com.crt /usr/local/apache2/conf/ssl.crt/www.domainname.com.crt
cp www.domainname.com.key /usr/local/apache2/conf/ssl.key/www.domainname.com.key
you may first need to create those directories: mkdir -p /usr/local/apache2/conf/ssl.crt /usr/local/apache2/conf/ssl.key. Make the key readable by root only (chmod 600 /usr/local/apache2/conf/ssl.key/www.domainname.com.key); httpd reads it as root at startup, before it drops to the User/Group set in httpd.conf, so nothing else needs access to it.
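The three openssl commands of step 23 and the copy of step 24, collected into one script as an added example (not from the page or from Rob Flickenger's book). It assumes a POSIX sh, an openssl binary on PATH, and function names, output directory and pass phrase of its own choosing; the subject fields mirror the page's sample answers. Beyond what the page shows, it checks that the certificate and key actually belong together and that the Common Name is the host name before anything is copied into Apache's conf tree.

```shell
#!/bin/sh
# Added example: generate, check and install the key/CSR/self-signed cert
# that steps 22-24 describe. Function names, the output directory and the
# pass phrase are assumptions; the subject fields mirror the page's sample.
set -eu

# make_site_cert NAME OUTDIR PASS [DAYS]
# NAME is the host name browsers will use; it becomes both the file prefix
# and the Common Name, as the page's tip recommends.
make_site_cert() {
    name="$1"; outdir="$2"; pass="$3"; days="${4:-90}"
    mkdir -p "$outdir"
    umask 077   # new key material must never be group/world readable

    # 2048-bit key (the page's 1024 is too short today); -aes256 instead of
    # the page's -des3 keeps the key encrypted at rest with a current cipher.
    openssl genrsa -aes256 -passout "pass:$pass" -out "$outdir/$name.key" 2048

    # Certificate Signing Request; -subj answers the prompts non-interactively.
    openssl req -new -key "$outdir/$name.key" -passin "pass:$pass" \
        -subj "/C=US/ST=Texas/L=Houston/O=MegaDomane Inc/OU=Our Secure Web Site/CN=$name" \
        -out "$outdir/$name.csr"

    # Self-sign the CSR with the same key, exactly as the page's step 3 does.
    openssl req -x509 -days "$days" -key "$outdir/$name.key" -passin "pass:$pass" \
        -in "$outdir/$name.csr" -out "$outdir/$name.crt"
}

# cert_matches_key KEY CERT PASS
# Succeeds only if the certificate's public key belongs to the private key;
# a mismatch is the usual reason mod_ssl refuses to start after a copy mix-up.
cert_matches_key() {
    kmod=$(openssl rsa -noout -modulus -in "$1" -passin "pass:$3" | openssl md5)
    cmod=$(openssl x509 -noout -modulus -in "$2" | openssl md5)
    [ "$kmod" = "$cmod" ]
}

# cert_cn CERT
# Prints the Common Name so it can be compared with the host name.
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# install_site_cert NAME OUTDIR CONFDIR
# Copies into conf/ssl.crt and conf/ssl.key as step 24 does, with the key
# readable by root only (httpd reads it as root before dropping privileges).
install_site_cert() {
    name="$1"; outdir="$2"; conf="$3"
    mkdir -p "$conf/ssl.crt" "$conf/ssl.key"
    cp "$outdir/$name.crt" "$conf/ssl.crt/$name.crt" && chmod 644 "$conf/ssl.crt/$name.crt"
    cp "$outdir/$name.key" "$conf/ssl.key/$name.key" && chmod 600 "$conf/ssl.key/$name.key"
}

# Usage (assumes /usr/local/ssl/bin is on PATH):
#   make_site_cert www.domainname.com ./certs 'secret pass phrase' 90
#   cert_matches_key ./certs/www.domainname.com.key ./certs/www.domainname.com.crt 'secret pass phrase'
#   [ "$(cert_cn ./certs/www.domainname.com.crt)" = www.domainname.com ]
#   install_site_cert www.domainname.com ./certs /usr/local/apache2/conf
```

The pass phrase is passed on the command line here only to keep the example non-interactive; on a real server type it at the prompt as the page does, and remember that Apache will ask for it again at every start unless you configure SSLPassPhraseDialog.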
Back to Apache2 Configuration:
25 - cd /usr/local/apache2/conf to change back to the Apache2 configuration directory.
26 - Now to edit the ssl.conf file. Tigers and lions and bears oh my!
The following should be enabled/uncommented and edited in conf/ssl.conf:
NameVirtualHost ww.xx.yy.zz:443 # where ww.xx.yy.zz is the IP and 443 is the port for SSL (NameVirtualHost is a directive, not a <section>). Note that name-based virtual hosting does not really work over SSL: the certificate is sent before the client says which host it wants, so plan on one SSL site per IP:port.
ScriptAlias /cgi-bin "/home/joeuser/cgi-bin"
27- Now back to the conf/httpd.conf file to edit.
To get a separate normal (non-SSL) web site, you will need to have the following lines in httpd.conf:
NameVirtualHost ww.xx.yy.zz:80 # where ww.xx.yy.zz is the IP and 80 is the port number.
ServerAlias www.domainname.net www.domainname.info
to be continued
Last modified on Tuesday, 17-Jun-2003 13:08:22 CDT