Apache

The installation of Apache 2.x is documented separately.

Pre-installation tuning

First we want to tune the installation a little. To do so, we add the following to /etc/make.conf:

WITH_APACHE_PERF_TUNING=yes 
APACHE_HARD_SERVER_LIMIT=1024

Installing Apache

If you plan to install Apache without any SSL support, you can install the plain port:

-su-2.05b# cd /usr/ports/www/apache13
-su-2.05b# make install clean

Installing Apache + ModSSL

Installing Apache from the ports is quickly done. We want to install Apache with SSL support.

-su-2.05b# cd /usr/ports/www/apache13-modssl
-su-2.05b# make

We skip the "install clean" for now, because we first want to have a certificate.

Installing your own SSL certificate

Next, a dummy certificate has to be installed. After the build, the instructions for this are conveniently displayed right away:

+---------------------------------------------------------------------+
| Before you install the package you now should prepare the SSL       |
| certificate system by running the 'make certificate' command.       |
| For different situations the following variants are provided:       |
|                                                                     |
| % make certificate TYPE=dummy    (dummy self-signed Snake Oil cert) |
| % make certificate TYPE=test     (test cert signed by Snake Oil CA) |
| % make certificate TYPE=custom   (custom cert signed by own CA)     |
| % make certificate TYPE=existing (existing cert)                    |
|        CRT=/path/to/your.crt [KEY=/path/to/your.key]                |
|                                                                     |
| Use TYPE=dummy    when you're a  vendor package maintainer,         |
| the TYPE=test     when you're an admin but want to do tests only,   |
| the TYPE=custom   when you're an admin willing to run a real server |
| and TYPE=existing when you're an admin who upgrades a server.       |
| (The default is TYPE=test)                                          |
|                                                                     |
| Additionally add ALGO=RSA (default) or ALGO=DSA to select           |
| the signature algorithm used for the generated certificate.         |
|                                                                     |
| Use 'make certificate VIEW=1' to display the generated data.        |
|                                                                     |
| Thanks for using Apache & mod_ssl.       Ralf S. Engelschall        |
|                                          rse@engelschall.com        |
|                                          www.engelschall.com        |
+---------------------------------------------------------------------+

First we tell the installation tool that we want to create a self-signed certificate (signed by our own CA):

-su-2.05b# make certificate TYPE=custom

Then off it goes:

===>  Creating Test Certificate for Server
SSL Certificate Generation Utility (mkcert.sh)
Copyright (c) 1998-2000 Ralf S. Engelschall, All Rights Reserved.

Generating custom certificate signed by own CA [CUSTOM]
______________________________________________________________________

STEP 0: Decide the signature algorithm used for certificates
The generated X.509 certificates can contain either
RSA or DSA based ingredients. Select the one you want to use.
Signature Algorithm ((R)SA or (D)SA) [R]: <ENTER>
______________________________________________________________________

STEP 1: Generating RSA private key for CA (1024 bit) [ca.key]
30091 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
...........................................................++++++
.................................................................................................++++++
e is 65537 (0x10001)
______________________________________________________________________

STEP 2: Generating X.509 certificate signing request for CA [ca.csr]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
1. Country Name             (2 letter code) [XY]:CH
2. State or Province Name   (full name)     [Snake Desert]:Zurich
3. Locality Name            (eg, city)      [Snake Town]:Zurich
4. Organization Name        (eg, company)   [Snake Oil, Ltd]:Glogger Net   
5. Organizational Unit Name (eg, section)   [Certificate Authority]: CA
6. Common Name              (eg, CA name)   [Snake Oil CA]:Glogger Net CA
7. Email Address            (eg, name@FQDN) [ca@snakeoil.dom]:meine@eMailAdresse.tld
8. Certificate Validity     (days)          [365]: <ENTER>
______________________________________________________________________

STEP 3: Generating X.509 certificate for CA signed by itself [ca.crt]
Certificate Version (1 or 3) [3]:
Signature ok
subject=/C=CH/ST=Zurich/L=Zurich/O=Glogger Net/OU=CA/CN=Glogger Net CA/emailAddress=meine@eMailAdresse.tld
Getting Private key
Verify: matching certificate & key modulus
Verify: matching certificate signature
../conf/ssl.crt/ca.crt: /C=CH/ST=Zurich/L=Zurich/O=Glogger Net/OU=CA/CN=Glogger Net CA/emailAddress=meine@eMailAdresse.tld
error 18 at 0 depth lookup:self signed certificate
OK
______________________________________________________________________

STEP 4: Generating RSA private key for SERVER (1024 bit) [server.key]
30091 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
.........++++++
...................++++++
e is 65537 (0x10001)
______________________________________________________________________

Now our own CA has been created and we can issue our server certificate:

STEP 5: Generating X.509 certificate signing request for SERVER [server.csr]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
1. Country Name             (2 letter code) [XY]:CH
2. State or Province Name   (full name)     [Snake Desert]:Zurich
3. Locality Name            (eg, city)      [Snake Town]:Zurich
4. Organization Name        (eg, company)   [Snake Oil, Ltd]:Glogger Net
5. Organizational Unit Name (eg, section)   [Webserver Team]:Webserver Team
6. Common Name              (eg, FQDN)      [www.snakeoil.dom]:daisy.mrmouse.ch  <-- server name!
7. Email Address            (eg, name@fqdn) [www@snakeoil.dom]:meine@eMailAdresse.tld
8. Certificate Validity     (days)          [365]: <ENTER>
______________________________________________________________________

And now our certificate is signed right away by our own CA.

STEP 6: Generating X.509 certificate signed by own CA [server.crt]
Certificate Version (1 or 3) [3]:
Signature ok
subject=/C=CH/ST=Zurich/L=Zurich/O=Glogger Net/OU=Webserver Team/CN=daisy.mrmouse.ch/emailAddress=meine@eMailAdresse.tld
Verify: matching certificate & key modulus
Verify: matching certificate signature
../conf/ssl.crt/server.crt: OK
______________________________________________________________________

STEP 7: Enrypting RSA private key of CA with a pass phrase for security [ca.key]
The contents of the ca.key file (the generated private key) has to be
kept secret. So we strongly recommend you to encrypt the server.key file
with a Triple-DES cipher and a Pass Phrase.
Encrypt the private key now? [Y/n]: n
Warning, you're using an unencrypted private key.
Please notice this fact and do this on your own risk.
______________________________________________________________________

STEP 8: Enrypting RSA private key of SERVER with a pass phrase for security [server.key]
The contents of the server.key file (the generated private key) has to be
kept secret. So we strongly recommend you to encrypt the server.key file
with a Triple-DES cipher and a Pass Phrase.

Anyone who wants to can protect their private keys with a passphrase: press Enter here and enter a password.

Encrypt the private key now? [Y/n]: n
Warning, you're using an unencrypted RSA private key.
Please notice this fact and do this on your own risk.
______________________________________________________________________

So, that's it. Now we learn what each file is for and where it was installed.

RESULT: CA and Server Certification Files

o  conf/ssl.key/ca.key
   The PEM-encoded RSA private key file of the CA which you can
   use to sign other servers or clients. KEEP THIS FILE PRIVATE!

o  conf/ssl.crt/ca.crt
   The PEM-encoded X.509 certificate file of the CA which you use to
   sign other servers or clients. When you sign clients with it (for
   SSL client authentication) you can configure this file with the
   'SSLCACertificateFile' directive.

o  conf/ssl.key/server.key
   The PEM-encoded RSA private key file of the server which you configure
   with the 'SSLCertificateKeyFile' directive (automatically done
   when you install via APACI). KEEP THIS FILE PRIVATE!

o  conf/ssl.crt/server.crt
   The PEM-encoded X.509 certificate file of the server which you configure
   with the 'SSLCertificateFile' directive (automatically done
   when you install via APACI).

o  conf/ssl.csr/server.csr
   The PEM-encoded X.509 certificate signing request of the server file which
   you can send to an official Certificate Authority (CA) in order
   to request a real server certificate (signed by this CA instead
   of our own CA) which later can replace the conf/ssl.crt/server.crt
   file.

Congratulations that you establish your server with real certificates.
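As an added example that is not part of the original page: a small POSIX shell audit for the two private keys from the RESULT list above (ca.key and server.key). STEP 7 and STEP 8 were answered with "n", so both keys are stored unencrypted, and the text says "KEEP THIS FILE PRIVATE"; the script checks both properties. It assumes the keys sit in the port's conf/ssl.key directory, but uses constructed stand-in files so that it runs without the port.

```shell
# Added example (not from the wiki page): audit the private keys written by
# mkcert.sh. Only portable tools (grep, ls) are used, so it works on FreeBSD
# and Linux alike. Assumption: keys live in conf/ssl.key as listed above.

key_is_encrypted() {
    # A passphrase-protected PEM key carries "Proc-Type: 4,ENCRYPTED"
    # (traditional OpenSSL format) or an "ENCRYPTED PRIVATE KEY" block (PKCS#8).
    grep -Eq '^Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

key_is_private() {
    # Columns 5-10 of the ls mode string are the group/other bits;
    # a key file should show "------" there (mode 0600 or stricter).
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

audit_key() {
    # Prints each finding; returns the number of findings (0 = key is fine).
    findings=0
    if ! key_is_private "$1"; then
        echo "$1: readable by group/others, fix with: chmod 600 $1"
        findings=$((findings + 1))
    fi
    if ! key_is_encrypted "$1"; then
        echo "$1: unencrypted private key (STEP 7/8 answered 'n')"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample files standing in for conf/ssl.key (no real key material).
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIBOgIBAAJBAK_constructed_' \
    '-----END RSA PRIVATE KEY-----' > "$demo_dir/server.key"
chmod 644 "$demo_dir/server.key"        # too permissive, like a careless copy
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: DES-EDE3-CBC,0123456789ABCDEF' '' 'constructed_ciphertext_' \
    '-----END RSA PRIVATE KEY-----' > "$demo_dir/ca.key"
chmod 600 "$demo_dir/ca.key"

for k in "$demo_dir/ca.key" "$demo_dir/server.key"; do
    if audit_key "$k"; then echo "$k: OK"; fi
done
```

On a real installation, point audit_key at /usr/local/etc/apache/ssl.key/ca.key and server.key instead of the constructed files.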

And now everything gets installed:

-su-2.05b# make install clean

Now we also edit /etc/rc.conf and add the following line:

apache_enable="YES"

Well, and then it looks like this:

[Image: Apache after install.jpg]

Well, then you can move on to installing PHP.

Controlling Apache

There are two ways to start and stop Apache:

  • Run /usr/local/etc/rc.d/apache.sh with stop/start or restart.
  • Use the apachectl command:
usage: /usr/local/sbin/apachectl (start|stop|restart|fullstatus|status|graceful|configtest|help)

start      - start httpd
startssl   - start httpd with SSL enabled
stop       - stop httpd
restart    - restart httpd if running by sending a SIGHUP or start if 
             not running
fullstatus - dump a full status screen; requires lynx and mod_status enabled
status     - dump a short status screen; requires lynx and mod_status enabled
graceful   - do a graceful restart by sending a SIGUSR1 or start if not running
configtest - do a configuration syntax test
help       - this screen

After configuration changes it is advisable to run the command apachectl configtest. This quickly checks whether the config file is in order.

-su-2.05b# apachectl configtest
Warning: DocumentRoot [/www/test.hidden.ch/doc_admin] does not exist

or, if everything is OK:

-su-2.05b# apachectl configtest
Syntax OK

Problems

Should Apache fail to start, it is always advisable to check what is in /var/log/httpd-error.log.

-su-2.05b# tail /var/log/httpd-error.log 
[Sun Jun 19 14:23:27 2005] [notice] Apache/1.3.33 (Unix) mod_ssl/2.8.22 OpenSSL/0.9.7e configured -- resuming normal operations
[Sun Jun 19 14:23:27 2005] [notice] Accept mutex: flock (Default: flock)
[Sun Jun 19 14:23:27 2005] [notice] child pid 28814 exit signal Segmentation fault (11)
[Sun Jun 19 14:23:27 2005] [notice] child pid 28813 exit signal Segmentation fault (11)
[Sun Jun 19 14:23:27 2005] [error] (2)No such file or directory: Incorrect permissions on webroot "/www/dumm/_vti_pvt" and webroot's _vti_pvt directory in FrontPageAlias().