Apache
The installation of Apache 2.x is described separately.
Pre-installation tuning
First we want to tune the installation a bit. To do so we add the following to /etc/make.conf:
WITH_APACHE_PERF_TUNING=yes
APACHE_HARD_SERVER_LIMIT=1024
Installing Apache
If you intend to install Apache without any SSL support, you can install the plain port:
-su-2.05b# cd /usr/ports/www/apache13
-su-2.05b# make install clean
Installing Apache + mod_ssl
Installing Apache from the ports is quickly done. We want to install Apache with SSL support.
-su-2.05b# cd /usr/ports/www/apache13-modssl
-su-2.05b# make
We skip the "install clean" for now, because we first want a certificate.
Installing your own SSL certificate
Next we need to install a dummy certificate. After the installation, the instructions for this are conveniently displayed right away:
+---------------------------------------------------------------------+
| Before you install the package you now should prepare the SSL       |
| certificate system by running the 'make certificate' command.       |
| For different situations the following variants are provided:       |
|                                                                     |
| % make certificate TYPE=dummy    (dummy self-signed Snake Oil cert) |
| % make certificate TYPE=test     (test cert signed by Snake Oil CA) |
| % make certificate TYPE=custom   (custom cert signed by own CA)     |
| % make certificate TYPE=existing (existing cert)                    |
|        CRT=/path/to/your.crt [KEY=/path/to/your.key]                |
|                                                                     |
| Use TYPE=dummy    when you're a vendor package maintainer,          |
| the TYPE=test     when you're an admin but want to do tests only,   |
| the TYPE=custom   when you're an admin willing to run a real server |
| and TYPE=existing when you're an admin who upgrades a server.       |
| (The default is TYPE=test)                                          |
|                                                                     |
| Additionally add ALGO=RSA (default) or ALGO=DSA to select           |
| the signature algorithm used for the generated certificate.         |
|                                                                     |
| Use 'make certificate VIEW=1' to display the generated data.        |
|                                                                     |
| Thanks for using Apache & mod_ssl.       Ralf S. Engelschall        |
|                                          rse@engelschall.com        |
|                                          www.engelschall.com        |
+---------------------------------------------------------------------+
First we tell the installation tool that we want to create a self-signed certificate:
-su-2.05b# make certificate TYPE=custom
Then off it goes:
===> Creating Test Certificate for Server
SSL Certificate Generation Utility (mkcert.sh)
Copyright (c) 1998-2000 Ralf S. Engelschall, All Rights Reserved.

Generating custom certificate signed by own CA [CUSTOM]
______________________________________________________________________

STEP 0: Decide the signature algorithm used for certificates
The generated X.509 certificates can contain either
RSA or DSA based ingredients. Select the one you want to use.
Signature Algorithm ((R)SA or (D)SA) [R]: <ENTER>
______________________________________________________________________

STEP 1: Generating RSA private key for CA (1024 bit) [ca.key]
30091 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
...........................................................++++++
.................................................................................................++++++
e is 65537 (0x10001)
______________________________________________________________________

STEP 2: Generating X.509 certificate signing request for CA [ca.csr]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
1. Country Name             (2 letter code) [XY]:CH
2. State or Province Name   (full name)     [Snake Desert]:Zurich
3. Locality Name            (eg, city)      [Snake Town]:Zurich
4. Organization Name        (eg, company)   [Snake Oil, Ltd]:Glogger Net
5. Organizational Unit Name (eg, section)   [Certificate Authority]: CA
6. Common Name              (eg, CA name)   [Snake Oil CA]:Glogger Net CA
7. Email Address            (eg, name@FQDN) [ca@snakeoil.dom]:meine@eMailAdresse.tld
8. Certificate Validity     (days)          [365]: <ENTER>
______________________________________________________________________

STEP 3: Generating X.509 certificate for CA signed by itself [ca.crt]
Certificate Version (1 or 3) [3]:
Signature ok
subject=/C=CH/ST=Zurich/L=Zurich/O=Glogger Net/OU=CA/CN=Glogger Net CA/emailAddress=meine@eMailAdresse.tld
Getting Private key
Verify: matching certificate & key modulus
Verify: matching certificate signature
../conf/ssl.crt/ca.crt: /C=CH/ST=Zurich/L=Zurich/O=Glogger Net/OU=CA/CN=Glogger Net CA/emailAddress=meine@eMailAdresse.tld
error 18 at 0 depth lookup:self signed certificate
OK
______________________________________________________________________

STEP 4: Generating RSA private key for SERVER (1024 bit) [server.key]
30091 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
.........++++++
...................++++++
e is 65537 (0x10001)
______________________________________________________________________
So, now our own CA is created and we can issue our certificate:
STEP 5: Generating X.509 certificate signing request for SERVER [server.csr]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
1. Country Name             (2 letter code) [XY]:CH
2. State or Province Name   (full name)     [Snake Desert]:Zurich
3. Locality Name            (eg, city)      [Snake Town]:Zurich
4. Organization Name        (eg, company)   [Snake Oil, Ltd]:Glogger Net
5. Organizational Unit Name (eg, section)   [Webserver Team]:Webserver Team
6. Common Name              (eg, FQDN)      [www.snakeoil.dom]:daisy.mrmouse.ch   <-- server name!
7. Email Address            (eg, name@fqdn) [www@snakeoil.dom]:meine@eMailAdresse.tld
8. Certificate Validity     (days)          [365]: <ENTER>
______________________________________________________________________
And now our certificate is signed right away by our own CA.
STEP 6: Generating X.509 certificate signed by own CA [server.crt]
Certificate Version (1 or 3) [3]:
Signature ok
subject=/C=CH/ST=Zurich/L=Zurich/O=Glogger Net/OU=Webserver Team/CN=daisy.mrmouse.ch/emailAddress=meine@eMailAdresse.tld
Verify: matching certificate & key modulus
Verify: matching certificate signature
../conf/ssl.crt/server.crt: OK
______________________________________________________________________

STEP 7: Enrypting RSA private key of CA with a pass phrase for security [ca.key]
The contents of the ca.key file (the generated private key) has to be
kept secret. So we strongly recommend you to encrypt the server.key file
with a Triple-DES cipher and a Pass Phrase.
Encrypt the private key now? [Y/n]: n
Warning, you're using an unencrypted private key.
Please notice this fact and do this on your own risk.
______________________________________________________________________

STEP 8: Enrypting RSA private key of SERVER with a pass phrase for security [server.key]
The contents of the server.key file (the generated private key) has to be
kept secret. So we strongly recommend you to encrypt the server.key file
with a Triple-DES cipher and a Pass Phrase.
If you want, you can protect your private keys with a password: press Enter here and enter a password.
Encrypt the private key now? [Y/n]: n
Warning, you're using an unencrypted RSA private key.
Please notice this fact and do this on your own risk.
______________________________________________________________________
So, that's done. Now we are told what each file is for and where it was installed.
RESULT: CA and Server Certification Files

o conf/ssl.key/ca.key
  The PEM-encoded RSA private key file of the CA which you can
  use to sign other servers or clients. KEEP THIS FILE PRIVATE!

o conf/ssl.crt/ca.crt
  The PEM-encoded X.509 certificate file of the CA which you use to
  sign other servers or clients. When you sign clients with it (for
  SSL client authentication) you can configure this file with the
  'SSLCACertificateFile' directive.

o conf/ssl.key/server.key
  The PEM-encoded RSA private key file of the server which you configure
  with the 'SSLCertificateKeyFile' directive (automatically done when you
  install via APACI). KEEP THIS FILE PRIVATE!

o conf/ssl.crt/server.crt
  The PEM-encoded X.509 certificate file of the server which you configure
  with the 'SSLCertificateFile' directive (automatically done when you
  install via APACI).

o conf/ssl.csr/server.csr
  The PEM-encoded X.509 certificate signing request of the server file which
  you can send to an official Certificate Authority (CA) in order to request
  a real server certificate (signed by this CA instead of our own CA) which
  later can replace the conf/ssl.crt/server.crt file.

Congratulations that you establish your server with real certificates.
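The steps mkcert.sh walked through above (CA key, self-signed CA certificate, server key, signing request, server certificate signed by the CA) can also be reproduced with plain openssl commands, which is useful when you later want to issue a second server certificate from the same CA without going through the port's Makefile again. The script below is an added example, not part of this page and not mod_ssl's mkcert.sh; the organisation names in it are constructed placeholders, the host name is supplied by the caller, and it uses 2048-bit keys where mkcert.sh above used 1024. It also performs the two checks mkcert.sh printed as "Verify:" lines, so you can confirm that server.crt really chains to ca.crt and that key and certificate belong together.

```shell
#!/bin/sh
# Added example, not from the page or from mod_ssl's mkcert.sh: the same
# CA -> server certificate flow done with plain openssl commands, plus the
# two verification checks mkcert.sh printed. Subject names below are
# constructed placeholders; the caller supplies the directory and the
# server's fully qualified host name.

# Create ca.key/ca.crt (self-signed CA) and server.key/server.csr/server.crt
# (signed by that CA) inside directory $1, with server Common Name $2.
make_ca_and_server_cert() {
    dir=$1
    cn=$2
    mkdir -p "$dir"
    # Equivalent of STEP 1 and STEP 3: CA private key and self-signed CA
    # certificate ('openssl req -x509' marks it as a CA via basicConstraints).
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/C=CH/ST=Zurich/L=Zurich/O=Example Net/OU=CA/CN=Example Net CA" \
        2>/dev/null
    # Equivalent of STEP 4 and STEP 5: server private key and signing request.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=CH/ST=Zurich/L=Zurich/O=Example Net/OU=Webserver Team/CN=$cn" \
        2>/dev/null
    # Equivalent of STEP 6: sign the request with our own CA.
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/server.crt" 2>/dev/null
    # The page leaves both keys unencrypted, so file permissions are the
    # only thing protecting them: owner-readable only.
    chmod 600 "$dir/ca.key" "$dir/server.key"
}

# "Verify: matching certificate signature": does certificate $2 chain to CA cert $1?
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# "Verify: matching certificate & key modulus": do key $1 and cert $2 belong together?
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Run as a script: ./mkcert-plain.sh /path/to/dir www.example.test
if [ $# -eq 2 ]; then
    make_ca_and_server_cert "$1" "$2"
    cert_chains_to_ca "$1/ca.crt" "$1/server.crt" && echo "chain: OK"
    key_matches_cert "$1/server.key" "$1/server.crt" && echo "modulus: OK"
fi
```

The chain check fails for a certificate signed by any other CA, which is exactly the property a browser or client relies on once ca.crt is installed in its trust store; the modulus check catches the classic mistake of pairing a freshly issued server.crt with an old server.key in SSLCertificateKeyFile.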
And now everything gets installed:
-su-2.05b# make install clean
Now we edit /etc/rc.conf and add the following line:
apache_enable="YES"
Well, and then it looks like this:
Well, then you can move on to installing PHP.
Controlling Apache
There are two ways to start and stop Apache:
- Run /usr/local/etc/rc.d/apache.sh with stop, start or restart.
- Use the apachectl command:
usage: /usr/local/sbin/apachectl (start|stop|restart|fullstatus|status|graceful|configtest|help)
    start      - start httpd
    startssl   - start httpd with SSL enabled
    stop       - stop httpd
    restart    - restart httpd if running by sending a SIGHUP or start if
                 not running
    fullstatus - dump a full status screen; requires lynx and mod_status enabled
    status     - dump a short status screen; requires lynx and mod_status enabled
    graceful   - do a graceful restart by sending a SIGUSR1 or start if not running
    configtest - do a configuration syntax test
    help       - this screen
After configuration changes it is advisable to run the command apachectl configtest. This quickly checks whether the config file is in order.
-su-2.05b# apachectl configtest
Warning: DocumentRoot [/www/test.hidden.ch/doc_admin] does not exist
or, if everything is OK:
-su-2.05b# apachectl configtest
Syntax OK
Problems
If Apache does not start, it is always advisable to look at what /var/log/httpd-error.log says.
-su-2.05b# tail /var/log/httpd-error.log
[Sun Jun 19 14:23:27 2005] [notice] Apache/1.3.33 (Unix) mod_ssl/2.8.22 OpenSSL/0.9.7e configured -- resuming normal operations
[Sun Jun 19 14:23:27 2005] [notice] Accept mutex: flock (Default: flock)
[Sun Jun 19 14:23:27 2005] [notice] child pid 28814 exit signal Segmentation fault (11)
[Sun Jun 19 14:23:27 2005] [notice] child pid 28813 exit signal Segmentation fault (11)
[Sun Jun 19 14:23:27 2005] [error] (2)No such file or directory: Incorrect permissions on webroot "/www/dumm/_vti_pvt" and webroot's _vti_pvt directory in FrontPageAlias().
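The two habits recommended above, running configtest before touching a running server and reading httpd-error.log when something goes wrong, fit into one small sh script. It is an added example, not from this page: it assumes apachectl is in PATH, uses the log path the page uses, and the sample log lines it writes are constructed from the format shown above so the log functions can be tried without a running server.

```shell
#!/bin/sh
# Added example, not from the page: restart Apache only when
# 'apachectl configtest' passes, and summarise httpd-error.log the way
# you would read it by hand. Assumes apachectl is in PATH; the log path
# is the one the page uses.
ERROR_LOG=${ERROR_LOG:-/var/log/httpd-error.log}

# Restart only if configtest reports "Syntax OK" (apachectl prints that on
# stderr, hence 2>&1). On a warning or error the running server is left
# alone, so a typo in httpd.conf cannot take the site down.
safe_restart() {
    out=$(apachectl configtest 2>&1) || true
    case "$out" in
        *"Syntax OK"*) apachectl restart ;;
        *) printf 'configtest failed, not restarting:\n%s\n' "$out" >&2
           return 1 ;;
    esac
}

# Number of child processes that died from a signal (e.g. "Segmentation
# fault (11)") in log file $1; a burst of these right after a restart
# usually points at a misbehaving module rather than at the config.
count_signal_exits() {
    grep -c 'exit signal' "$1" 2>/dev/null || true
}

# The [error] lines among the last $2 (default 50) lines of log file $1.
recent_errors() {
    tail -n "${2:-50}" "$1" | grep '\] \[error\] ' || true
}

# Constructed sample log in the format shown on the page, written to $1.
write_sample_log() {
    cat > "$1" <<'EOF'
[Sun Jun 19 14:23:27 2005] [notice] Apache/1.3.33 (Unix) mod_ssl/2.8.22 OpenSSL/0.9.7e configured -- resuming normal operations
[Sun Jun 19 14:23:27 2005] [notice] Accept mutex: flock (Default: flock)
[Sun Jun 19 14:23:27 2005] [notice] child pid 28814 exit signal Segmentation fault (11)
[Sun Jun 19 14:23:27 2005] [notice] child pid 28813 exit signal Segmentation fault (11)
[Sun Jun 19 14:23:27 2005] [error] (2)No such file or directory: Incorrect permissions on webroot "/www/dumm/_vti_pvt" and webroot's _vti_pvt directory in FrontPageAlias().
EOF
}

# Run as a script: ./apache-check.sh check   (reads the real log on this host)
if [ "${1:-}" = "check" ]; then
    echo "children killed by a signal: $(count_signal_exits "$ERROR_LOG")"
    recent_errors "$ERROR_LOG"
fi
```

Note that the segfaulting children in the page's log are logged at [notice] level, not [error], so a filter that only looks for [error] lines would miss them; that is why the script counts "exit signal" entries separately.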
