2/26/2008

Apache 2.2 + SSL

Compile, install and configure Apache 2.2 and mod_ssl from source, linked against a locally built OpenSSL. The versions used below (OpenSSL 0.9.8g, httpd 2.2.6) were current when this was written; use the latest supported releases of both when following these steps today.

Apache 2.2 + SSL

#------------------------------------------------------------------------------
# Pre Install
#------------------------------------------------------------------------------
> Remove the distribution's packaged httpd, mod_ssl and manual first so they do not conflict with the source build (the add-on packages depend on httpd, so they are removed before it).
# Remove the vendor httpd stack one package at a time, dependants first, so a
# package that happens not to be installed does not stop removal of the others.
for pkg in httpd-manual mod_ssl httpd; do
  rpm -e "$pkg"
done

> Download the Apache httpd and OpenSSL source tarballs from the projects' official sites, and verify each tarball's PGP signature against the release signing keys (or at minimum its published SHA checksum) before unpacking it.

> Build and install OpenSSL under /usr/local so that Apache is compiled against this copy rather than the system library (see --with-ssl=/usr/local in the Apache configure step below).
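# Build and install OpenSSL.  Every step is checked: the original ran them
# unconditionally, so a failed cd or configure would run make (and eventually
# make install) in the wrong place or on a half-configured tree.
tar zxvf openssl-0.9.8g.tar.gz || exit 1
cd openssl-0.9.8g || exit 1
# Install under /usr/local so Apache's --with-ssl=/usr/local links against this
# build rather than the distribution's OpenSSL.
./config --prefix=/usr/local --openssldir=/usr/local/openssl || exit 1
make || exit 1
# If make reported an error, stop here; only a clean build is tested and installed.
make test || exit 1
make install || exit 1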

#------------------------------------------------------------------------------
# Apache 2.2.6 Setup
#------------------------------------------------------------------------------
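tar zxvf httpd-2.2.6.tar.gz || exit 1
cd httpd-2.2.6 || exit 1

# --with-ssl points at the OpenSSL built above (prefix /usr/local), not the
# distribution's copy.  Note the space before --with-ssl: the original ran it
# together with --enable-usertrack, which configure would read as one feature
# name, so neither option would take effect.
./configure --prefix=/usr/local/apache_2.2.6 --with-mpm=prefork \
  --enable-ssl --enable-setenvif --enable-so --enable-headers \
  --enable-usertrack --with-ssl=/usr/local || exit 1

make || exit 1
make install || exit 1

# Unprivileged account the worker processes drop to (User/Group in httpd.conf):
# a system account with no login shell and no password.
groupadd apache
useradd -r -g apache -d /usr/local/apache_2.2.6/htdocs -s /sbin/nologin apache

# Version-independent path used by the rest of this document
# (/usr/local/apache/conf/httpd.conf).  Both paths are absolute so the link does
# not depend on the current directory, which at this point is still the
# httpd-2.2.6 source tree, not /usr/local.
ln -s /usr/local/apache_2.2.6 /usr/local/apache

# Keep the install tree owned by root and not group/world writable.  The parent
# httpd is started as root and opens the log files itself before forking the
# workers, so the 'apache' user needs no write access to bin, conf or logs.
# Handing it ownership of the whole tree (the original chown -R apache.apache)
# would let a compromised worker rewrite the binary or configuration that root
# executes on the next start.
chown -R root:root /usr/local/apache_2.2.6
chmod -R go-w /usr/local/apache_2.2.6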

#------------------------------------------------------------------------------
# Apache 2.2.6 configuration
#------------------------------------------------------------------------------

# Edit the server configuration; the directive groups that follow go in this
# file (the path uses the /usr/local/apache symlink created above).
vi /usr/local/apache/conf/httpd.conf

# =================================================
# Basic settings
# =================================================
# Identity the worker processes run as (the account created in the install
# step).  The parent process is still started as root so it can bind port 443.
User apache
Group apache
ServerAdmin alex.fung@artificial-life.com
# ServerName is left unset, so httpd warns at startup and derives a name from
# the listening address.  With UseCanonicalName Off, self-referential URLs and
# redirects are built from the Host header the client sent, not from this value.
#ServerName
UseCanonicalName Off
# Limit version disclosure: no version footer on generated error pages, and the
# Server response header reduced to the product name.
ServerSignature Off
# No reverse-DNS lookup per request; the access log records client IPs.
HostnameLookups Off
ServerTokens Prod
ServerRoot "/usr/local/apache_2.2.6"
DocumentRoot "/usr/local/apache_2.2.6/htdocs"
PidFile /usr/local/apache_2.2.6/logs/httpd.pid
ScoreBoardFile /usr/local/apache_2.2.6/logs/httpd.scoreboard

# Only index.html is served for a directory request; with Options None in the
# access-control section there is no generated listing when it is missing.
DirectoryIndex index.html


# =================================================
# HTTP and performance settings
# =================================================
# Seconds to wait for a request to arrive or a response to be accepted.
# NOTE(review): 300 s combined with prefork and MaxClients 150 lets a slow or
# idle client hold a worker for five minutes each; consider a lower value.
Timeout 300
# Persistent connections: at most 100 requests per connection, closed after
# 30 s without a new request.
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 30

# prefork MPM sizing (--with-mpm=prefork at configure time): 5 children at
# start, idle pool kept between 5 and 10, never more than 150 concurrent.
MinSpareServers 5
MaxSpareServers 10
StartServers 5
MaxClients 150
# 0 = a child is never recycled; set a positive value if memory growth is seen.
MaxRequestsPerChild 0


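# =================================================
# Access control
# =================================================
# NOTE(review): the <Directory> container lines were lost when this page was
# extracted (angle brackets stripped); they are restored here following the
# standard httpd.conf layout.  Without them these directives would apply at
# server scope and the two Order/Allow/Deny pairs would simply override each
# other instead of locking down "/" and opening only the document root.
#
# Default for the whole filesystem: nothing served, no options, no .htaccess.
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

# Open up only the document root (path taken from the DocumentRoot directive;
# confirm it matches the original container).  Options None and
# AllowOverride None are inherited from "/", so no directory listings and no
# .htaccess overrides apply here either.
<Directory "/usr/local/apache_2.2.6/htdocs">
    Order allow,deny
    Allow from all
</Directory>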


# =================================================
# MIME encoding
# =================================================

TypesConfig /usr/local/apache_2.2.6/conf/mime.types

# Content-Type sent for files whose extension is not listed in mime.types.
DefaultType text/plain

# Compressed archives are given both a Content-Encoding and a Content-Type.
# NOTE(review): .tgz is mapped twice (x-gzip, then x-tar); presumably the later
# AddType wins for that extension - verify which type is intended.
AddEncoding x-compress .Z
AddEncoding x-gzip .gz .tgz
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
AddType application/x-tar .tgz
# Certificates and CRLs published under the document root get their own types.
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl


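# =================================================
# Logs
# =================================================
LogLevel warn
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent
# The parent process opens these as root before forking the workers, so the
# logs directory need not be writable by the 'apache' user.
ErrorLog /usr/local/apache_2.2.6/logs/error_log
CustomLog /usr/local/apache_2.2.6/logs/access_log combined
# Per-request TLS details (protocol, cipher, key size, client-cert status) via
# mod_ssl's %{...}x variables.  The format string must be on ONE line: the
# original listing had it broken after \"%r\", leaving a stray `%b"` on the
# next line that httpd would reject as an unknown directive.  At server scope
# this also logs plain-HTTP requests (with "-" in the SSL fields); place it
# inside the :443 virtual host to limit it to TLS traffic.
CustomLog /usr/local/apache_2.2.6/logs/ssl_request_log "%t %h %{HTTPS}x %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CIPHER_USEKEYSIZE}x %{SSL_CLIENT_VERIFY}x \"%r\" %b"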

# =================================================
# SSL/TLS settings
# =================================================
# NOTE(review): the container directives around this section (presumably a
# <VirtualHost> for :443, and a <Location> or <Directory> around SSLRequireSSL)
# were lost when this page was extracted, so the scope of the directives below
# cannot be confirmed from the listing.  SSLEngine on at server scope would
# enable TLS on every Listen socket, not just 443.
Listen 0.0.0.0:443

SSLEngine on
# +StrictRequire: SSLRequireSSL/SSLRequire deny access even where a
# "Satisfy Any" would otherwise let the request through.
SSLOptions +StrictRequire


# Refuse plain-HTTP access to whatever scope this directive sits in.
SSLRequireSSL


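# Only TLSv1 is enabled.  The original also allowed SSLv3, an obsolete protocol
# with known weaknesses that no current client needs; on a newer httpd/OpenSSL
# add +TLSv1.1 +TLSv1.2 as well (they do not exist in OpenSSL 0.9.8).
SSLProtocol -all +TLSv1
# HIGH-strength suites only (drops the MEDIUM group, which is mostly RC4-based
# suites in this OpenSSL), no anonymous key exchange, no MD5 MACs, and the
# server's preference order decides the negotiation instead of the client's.
SSLCipherSuite HIGH:!aNULL:!MD5
SSLHonorCipherOrder on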

# Lock file serialising session-cache access between the prefork children.
SSLMutex file:/usr/local/apache_2.2.6/logs/ssl_mutex

# Seed mod_ssl's PRNG with 1024 bytes from the kernel's /dev/urandom at startup
# and again before each new connection.
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect file:/dev/urandom 1024

# Shared-memory session cache so resumed TLS sessions work across prefork
# children; entries expire after 600 s.
SSLSessionCache shm:/usr/local/apache_2.2.6/logs/ssl_cache_shm
SSLSessionCacheTimeout 600

# builtin: the private key's pass phrase is typed at the console every time
# httpd starts (including each restart).  An unattended start needs either an
# unencrypted key readable only by root or an exec: helper instead.
SSLPassPhraseDialog builtin
# The key file must be readable only by root; the 'apache' worker user never
# needs it, since the parent loads it before dropping privileges.
SSLCertificateFile /usr/local/apache_2.2.6/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache_2.2.6/conf/ssl.key/server.key

# No client certificates are requested, and TLS towards proxied backends is
# disabled (no proxy configuration appears in this listing anyway).
SSLVerifyClient none
SSLProxyEngine off


# Duplicates of the two AddType lines already present in the MIME section;
# the repetition is harmless but one copy can be dropped.
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl



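# Work around broken TLS handling in old Internet Explorer: no keep-alive,
# tolerate an unclean connection shutdown, and answer as HTTP/1.0.  The
# original matched every MSIE user agent, which also penalises IE versions
# that do not need it; BrowserMatch (mod_setenvif, enabled at configure time)
# limits the workaround to IE 2-5, as later upstream ssl.conf does.
BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0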

#------------------------------------------------------------------------------
# Setup SSL directories
#------------------------------------------------------------------------------

#Prepare the directory structure for web server's private keys, certificates and certification revocation lists
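# Prepare the directory structure for the web server's private key, certificate
# and certificate revocation lists.  Only the key directory is restricted: the
# key is read by the root parent at startup and must not be readable by the
# 'apache' worker user or anyone else.
mkdir -m 700 /usr/local/apache_2.2.6/conf/ssl.key || exit 1
mkdir /usr/local/apache_2.2.6/conf/ssl.crt || exit 1
mkdir /usr/local/apache_2.2.6/conf/ssl.crl || exit 1

# Create a self-signed server certificate for testing only (30 days, placeholder
# CN).  -newkey rsa:2048 is given explicitly because the openssl.cnf default
# key size in this OpenSSL may be 1024 bits.  Replace it with a CA-issued
# certificate before exposing the server.
openssl req \
  -new \
  -x509 \
  -days 30 \
  -newkey rsa:2048 \
  -keyout /usr/local/apache_2.2.6/conf/ssl.key/server.key \
  -out /usr/local/apache_2.2.6/conf/ssl.crt/server.crt \
  -subj '/CN=Test-Only Certificate' || exit 1
# Do not rely on the mode openssl happens to use for the new key file.
chmod 600 /usr/local/apache_2.2.6/conf/ssl.key/server.key

# openssl asks twice for a PEM pass phrase for the new key; choose a strong one
# ("password", as typed in the original transcript, is only a placeholder).
# With SSLPassPhraseDialog builtin the same phrase is requested on every start.
#   Enter PEM pass phrase:
#   Verifying - Enter PEM pass phrase:

# Start the apache server (prompts for the key pass phrase on the terminal)
/usr/local/apache_2.2.6/bin/apachectl start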
