I downloaded the source of Apache already, and verified the signature with the following commands. The first gets the key from the key server using the key ID found on the Apache Foundation's page; the second verifies the signature against it. The signature is “good”; however, I got a warning.

vic@rome:~$ gpg --keyserver pgpkeys.mit.edu --recv-key 7F7214A7
gpg: requesting key 7F7214A7 from hkp server pgpkeys.mit.edu
gpg: key B55D9977: public key "William A. Rowe, Jr. <wrowe@rowe-clan.net>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)

vic@rome:~$ gpg httpd-2.2.17.tar.gz.asc 
gpg: Signature made Thu 14 Oct 2010 08:48:36 PM CEST using RSA key ID 7F7214A7
gpg: Good signature from "William A. Rowe, Jr. <wrowe@rowe-clan.net>"
gpg:                 aka "William A. Rowe, Jr. <wrowe@apache.org>"
gpg:                 aka "William A. Rowe, Jr. <william.rowe@springsource.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: B1B9 6F45 DFBD CCF9 7401  9235 193F 180A B55D 9977
     Subkey fingerprint: 4962 0827 E32B C882 DC6B  EF54 A348 B984 7F72 14A7
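gpg's "Good signature" only says that the signature matches some key it holds; the check a script should make is that the signer's primary fingerprint equals the one published in the project's KEYS file. The following is an added shell example, not part of the original post, that does this from gpg's machine-readable --status-fd output; the sample status lines are constructed, and it assumes (as in GnuPG 2) that the last field of the VALIDSIG line is the primary key fingerprint.

```shell
# Added example (not from the original post): pin the signer's primary key
# fingerprint instead of trusting "Good signature" alone.
# Fingerprint taken from the gpg output above, spaces removed.
EXPECTED_FPR="B1B96F45DFBDCCF974019235193F180AB55D9977"

# Usage: verify_sig <expected_fpr> <sig_file> <data_file>
# Runs gpg on a detached signature and feeds its status lines to check_status.
verify_sig() {
    gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null | check_status "$1"
}

# Usage: check_status <expected_fpr>   (gpg status lines on stdin)
# Returns 0 only if gpg reported GOODSIG and the primary key fingerprint on
# the VALIDSIG line (assumed to be its last field) matches the expected one.
check_status() {
    expected=$1
    good=0
    fpr=""
    while read -r tag status rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $status in
            GOODSIG)  good=1 ;;
            VALIDSIG) fpr=${rest##* } ;;   # keep the last field
        esac
    done
    [ "$good" -eq 1 ] && [ "$fpr" = "$expected" ]
}

# Constructed sample of what gpg prints for the signature shown above; the
# TRUST_UNDEFINED line is what produces the "not certified" warning.
SAMPLE_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG A348B9847F7214A7 William A. Rowe, Jr. <wrowe@rowe-clan.net>
[GNUPG:] VALIDSIG 49620827E32BC882DC6BEF54A348B9847F7214A7 2010-10-14 1287082116 0 4 0 1 2 00 B1B96F45DFBDCCF974019235193F180AB55D9977
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Usage: demo_check <expected_fpr>  -- runs the check over the sample above
demo_check() {
    printf '%s\n' "$SAMPLE_STATUS" | check_status "$1"
}
```

For a real download the call is verify_sig "$EXPECTED_FPR" httpd-2.2.17.tar.gz.asc httpd-2.2.17.tar.gz, which still passes with the "not certified" warning present because the fingerprint, not the web of trust, is what is being checked.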

Next, build Apache with SSL and virtual hosts:

./configure --enable-ssl --enable-vhost-alias

This command configures the build to enable the mod_ssl and mod_vhost_alias modules. After the build is configured, simply make it by

make
sudo make install

The make command does not need root privilege, but install does. The build takes a while, but works like a charm. Now, check to see if the server is running and pages can be served. It is not serving pages, of course: it is not running…..

Start the server:

vic@rome:~/httpd-2.2.16$ /usr/local/apache2/bin/apachectl start
(13)Permission denied: make_sock: could not bind to address [::]:80
(13)Permission denied: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
Unable to open logs
vic@rome:~/httpd-2.2.16$ sudo /usr/local/apache2/bin/apachectl start

Again, root privilege is needed. Now try again. Got the famous “It Works!” page. Nice. :)

We can check the compiled-in modules by using

vic@rome:~/httpd-2.2.16$  /usr/local/apache2/bin/httpd -l
Compiled in modules:
  core.c
  mod_authn_file.c
  mod_authn_default.c
  mod_authz_host.c
  mod_authz_groupfile.c
  mod_authz_user.c
  mod_authz_default.c
  mod_auth_basic.c
  mod_include.c
  mod_filter.c
  mod_log_config.c
  mod_env.c
  mod_setenvif.c
  mod_version.c
  mod_ssl.c
  prefork.c
  http_core.c
  mod_mime.c
  mod_status.c
  mod_autoindex.c
  mod_asis.c
  mod_cgi.c
  mod_vhost_alias.c
  mod_negotiation.c
  mod_dir.c
  mod_actions.c
  mod_userdir.c
  mod_alias.c
  mod_so.c

Now make the Apache server start at system startup. Just put the server control command in /etc/rc.local, which is executed automatically with root privilege at boot.

/usr/local/apache2/bin/apachectl start

We can also retrieve the status of the Apache server by using this control utility.

/usr/local/apache2/bin/apachectl status

Got a complaint that lynx was not found (102: lynx: not found). So

sudo apt-get install lynx

In order to get the status from the control utility, I first have to configure the server by editing httpd.conf.

My httpd.conf after editing; only the edited parts are shown, the others are omitted.

#...
# 
# ServerAdmin: Your address, where problems with the server should be
# e-mailed.  This address appears on some server-generated pages, such
# as error documents.  e.g. admin@your-domain.com
#
ServerAdmin vic@rome.practicum.os3.nl
 
#...
#...
 
# Real-time info on requests and configuration
Include conf/extra/httpd-info.conf
 
# Virtual hosts
Include conf/extra/httpd-vhosts.conf
 
#...

What I did is change the server admin email to vic@rome.practicum.os3.nl to make it look more genuine, then enable the real-time status and the virtual host ability. Both were compiled in, but not enabled by default.

The httpd-info.conf

<Location /server-status>
    SetHandler server-status
    Order deny,allow
    # With "Order deny,allow" a request that matches no Deny line is permitted,
    # so "Deny from all" must be active for the Allow lines to restrict anything.
    Deny from all
    Allow from 145.100.96.0/20
    Allow from 127.0.0.1
</Location>
 
<Location /server-info>
    SetHandler server-info
    Order deny,allow
    Deny from all
    Allow from 145.100.96.0/20
    Allow from 127.0.0.1
</Location>

I trust the people in the lab, so anyone from the lab IP range can request the status of my server.

My httpd-vhosts.conf

NameVirtualHost *:80
 
#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for all requests that do not
# match a ServerName or ServerAlias in any <VirtualHost> block.
#
<VirtualHost *:80>
    ServerAdmin vic@rome.practicum.os3.nl
    DocumentRoot "/usr/local/apache2/htdocs/rome.practicum.os3.nl"
    ServerName rome.practicum.os3.nl
    ServerAlias www.rome.practicum.os3.nl
    ServerAlias wwww.rome.practicum.os3.nl
    ErrorLog "logs/rome.practicum.os3.nl-error_log"
    CustomLog "logs/rome.practicum.os3.nl-access_log" common
</VirtualHost>

My server can serve multiple sites, but for now it is only serving www.rome.practicum.os3.nl and wwww.rome.practicum.os3.nl, in case my users make a typo.

Encryption

SSL support is already built in, and it is enabled in httpd.conf by this line:

# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf

Then create my fake certificate in order to test; normally we would have to buy one from a real CA.

openssl req  -new  -x509  -days 30  -keyout /usr/local/apache2/conf/ssl.key/server.key   -out /usr/local/apache2/conf/ssl.crt/server.crt  -subj '/CN=Test-Only Certificate'

After both actions are done, we should restart our Apache server to make the change take effect.

vic@rome:~/ca$ sudo /usr/local/apache2/bin/apachectl restart
httpd not running, trying to start
Apache/2.2.16 mod_ssl/2.2.16 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
 
Server www.rome.practicum.os3.nl:443 (RSA)
Enter pass phrase:

OK, it is working. But of course there is a security warning on the certificate, as it is not genuine.

I can also verify it by using the openssl tool; the relevant part of the output:

issuer=/CN=Test-Only Certificate
---
No client certificate CA names sent
---
SSL handshake has read 1151 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 5D848897BE2D1F51E0AF86DDD99D6126B3CF708B1DC70869FA76672340D61EBD
    Session-ID-ctx: 
    Master-Key: 163EE922435C65EFF9991FBD8A71F2219647049CB6E5DA33472D228233E7E7C5A1D03F1DC639AFE822C0FF2966B32E61
    Key-Arg   : None
    Start Time: 1287745406
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)

Security

Now I will change my index.html to use SSI (server-side includes) and add a simple Perl page that says hello world.

First SSI; change our httpd.conf again:

    Options +Includes 
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml

The first line turns SSI on; the other two lines add .shtml as a type and an output filter for it, because SSI won't run in plain .html files, so we have to use .shtml. I add Options +Includes only to the directory htdocs/rome.practicum.os3.nl, so SSI will work only in this folder.

The SSI is now working!!!

Second, the Perl page.

#!/usr/local/bin/perl
##
##  test.cgi -- minimal CGI program that just prints "hello"
##
use strict;
use warnings;

# A CGI script must send at least a Content-Type header followed by a blank
# line before the body; otherwise Apache logs "malformed header from script".
print "Content-Type: text/plain\r\n\r\n";
print "hello\n";

To be able to execute this file, and to limit the execution permission to only this one, I use the permissions below:

<Directory "/usr/local/apache2/cgi-bin">
    AllowOverride None
    # Options must be either all relative (+/-) or all absolute; mixing
    # "FollowSymLinks +ExecCGI" is rejected by Apache at startup.
    Options FollowSymLinks ExecCGI
    Order allow,deny
    Allow from all
</Directory>
 
sudo chmod +x test.cgi

Only files within cgi-bin can be executed, and only test.cgi has the x permission.