I had already downloaded the Apache source. The commands below verify its signature: first the key is fetched from a key server by the key ID listed on the Apache foundation's page, then the signature is checked against it. The signature is "good", but gpg still prints a warning. That warning only means gpg has no trust path to this key, so it cannot vouch that the key belongs to the named person; a "Good signature" from an unknown key proves nothing by itself. What settles it is comparing the primary key fingerprint printed at the end (B1B9 6F45 ... B55D 9977) with the fingerprint published in the project's KEYS file; the short key ID alone is not enough, since 32-bit key IDs are cheap to collide.
vic@rome:~$ gpg --keyserver pgpkeys.mit.edu --recv-key 7F7214A7
gpg: requesting key 7F7214A7 from hkp server pgpkeys.mit.edu
gpg: key B55D9977: public key "William A. Rowe, Jr. " imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
vic@rome:~$ gpg httpd-2.2.17.tar.gz.asc
gpg: Signature made Thu 14 Oct 2010 08:48:36 PM CEST using RSA key ID 7F7214A7
gpg: Good signature from "William A. Rowe, Jr. "
gpg: aka "William A. Rowe, Jr. "
gpg: aka "William A. Rowe, Jr. "
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: B1B9 6F45 DFBD CCF9 7401 9235 193F 180A B55D 9977
Subkey fingerprint: 4962 0827 E32B C882 DC6B EF54 A348 B984 7F72 14A7
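The "Good signature" line above does not by itself say whose key signed the tarball; the check that matters is the primary key fingerprint against the one in the project's KEYS file. The script below is an added example (not part of this write-up, not Apache tooling) that automates exactly that on top of gpg's machine-readable status output. It pins the primary key fingerprint shown above, assumes that fingerprint was taken from KEYS over a trusted channel, uses GnuPG's documented VALIDSIG field layout, and embeds a constructed sample of the status lines so it can be exercised without gpg installed.

```python
"""Verify a detached GnuPG signature and pin the signer's fingerprint.

Added example, not part of the original write-up. It drives
``gpg --status-fd 1 --verify`` and parses the machine-readable status
lines instead of trusting the human-readable "Good signature" message,
because that message says nothing about WHOSE key signed the file.
The pinned fingerprint below is the primary key fingerprint printed by
gpg above; in practice it comes from the project's KEYS file fetched
over a trusted channel. SAMPLE_STATUS is constructed for offline use.
"""
import subprocess
from typing import Dict, Iterable, Optional, Set, Tuple

# Assumption: this set is populated from the KEYS file, not from a key server.
TRUSTED_FINGERPRINTS: Set[str] = {
    "B1B96F45DFBDCCF974019235193F180AB55D9977",  # primary key B55D9977
}

# Constructed sample of what gpg --status-fd 1 emits for the verification
# shown above: a good signature by subkey 7F7214A7 from a key gpg does not trust.
SAMPLE_STATUS = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG A348B9847F7214A7 William A. Rowe, Jr.",
    "[GNUPG:] VALIDSIG 49620827E32BC882DC6BEF54A348B9847F7214A7 2010-10-14 "
    "1287082116 0 4 0 1 2 00 B1B96F45DFBDCCF974019235193F180AB55D9977",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]


def parse_status(lines: Iterable[str]) -> Dict[str, Optional[str]]:
    """Pull the signature facts out of '[GNUPG:] KEYWORD args...' lines."""
    info: Dict[str, Optional[str]] = {
        "goodsig": None, "badsig": None, "signing_fpr": None,
        "primary_fpr": None, "trust": None,
    }
    for raw in lines:
        fields = raw.strip().split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword == "GOODSIG":
            info["goodsig"] = fields[2]
        elif keyword in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            # Policy choice: expired or revoked signing keys are rejected too.
            info["badsig"] = keyword
        elif keyword == "VALIDSIG":
            # VALIDSIG <sig-key-fpr> <date> <timestamp> <expire-ts> <version>
            #          <reserved> <pubkey-algo> <hash-algo> <sig-class> [<primary-key-fpr>]
            info["signing_fpr"] = fields[2]
            info["primary_fpr"] = fields[11] if len(fields) > 11 else fields[2]
        elif keyword.startswith("TRUST_"):
            info["trust"] = keyword
    return info


def decide(info: Dict[str, Optional[str]],
           trusted: Set[str] = TRUSTED_FINGERPRINTS) -> Tuple[bool, str]:
    """Accept only a good signature whose primary key is pinned."""
    if info["badsig"]:
        return False, "rejected: " + info["badsig"]
    if not (info["goodsig"] and info["signing_fpr"]):
        return False, "rejected: no good signature found"
    primary = info["primary_fpr"]
    if primary not in trusted:
        # This is the case gpg's WARNING is about: the math checks out,
        # but nothing ties the key to the release manager.
        return False, f"rejected: good signature, but primary key {primary} is not pinned"
    return True, f"accepted: signed by pinned key {primary} (gpg trust: {info['trust']})"


def verify_file(sig_path: str, data_path: str,
                trusted: Set[str] = TRUSTED_FINGERPRINTS) -> Tuple[bool, str]:
    """Run gpg for real; needs gpg installed and the signer's public key imported."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False,
    )
    return decide(parse_status(proc.stdout.splitlines()), trusted)


if __name__ == "__main__":
    print(decide(parse_status(SAMPLE_STATUS)))                 # accepted
    print(decide(parse_status(SAMPLE_STATUS), trusted=set()))  # rejected: not pinned
```

Run against a real download as `verify_file("httpd-2.2.17.tar.gz.asc", "httpd-2.2.17.tar.gz")`; the gpg exit status is deliberately ignored because gpg exits 0 for a good signature from an untrusted key, which is precisely the case this check is meant to catch.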
Next, build Apache with SSL and virtual host support:
./configure --enable-ssl --enable-vhost-alias
This configures the build to include the mod_ssl and mod_vhost_alias modules. Once configured, build and install it with:
make
sudo make install
make does not need root privileges, but make install does, since it writes to /usr/local/apache2. The build takes a while, but works like a charm. Now check whether the server is running and serving pages. It is not serving pages, of course, because it is not running yet.
Start the server:
vic@rome:~/httpd-2.2.16$ /usr/local/apache2/bin/apachectl start
(13)Permission denied: make_sock: could not bind to address [::]:80
(13)Permission denied: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
Unable to open logs
vic@rome:~/httpd-2.2.16$ sudo /usr/local/apache2/bin/apachectl start
Again, root privileges are needed: port 80 is a privileged port (below 1024), so httpd has to start as root to bind it. The parent process keeps root and the worker processes drop to the User and Group set in httpd.conf. Started with sudo, it serves the famous "It works!" page. Nice. :)
We can list the compiled-in modules with:
vic@rome:~/httpd-2.2.16$ /usr/local/apache2/bin/httpd -l
Compiled in modules:
core.c
mod_authn_file.c
mod_authn_default.c
mod_authz_host.c
mod_authz_groupfile.c
mod_authz_user.c
mod_authz_default.c
mod_auth_basic.c
mod_include.c
mod_filter.c
mod_log_config.c
mod_env.c
mod_setenvif.c
mod_version.c
mod_ssl.c
prefork.c
http_core.c
mod_mime.c
mod_status.c
mod_autoindex.c
mod_asis.c
mod_cgi.c
mod_vhost_alias.c
mod_negotiation.c
mod_dir.c
mod_actions.c
mod_userdir.c
mod_alias.c
mod_so.c
Now make the Apache server start at system boot. Just put the control command in /etc/rc.local, which is executed as root at boot:
/usr/local/apache2/bin/apachectl start
We can also retrieve the status of the Apache server with the same control utility:
/usr/local/apache2/bin/apachectl status
This complained that // 102: lynx: not found //: apachectl status fetches http://localhost/server-status with the text browser lynx. So:
sudo apt-get install lynx
lynx alone is not enough; to get the status from the control utility I first had to enable the status handler by editing httpd.conf.
My httpd.conf after editing (only the edited parts are shown, the rest is omitted):
#...
#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. admin@your-domain.com
#
ServerAdmin vic@rome.practicum.os3.nl
#...
#...
# Real-time info on requests and configuration
Include conf/extra/httpd-info.conf
# Virtual hosts
Include conf/extra/httpd-vhosts.conf
#...
What I did is change the server admin address to // vic@rome.practicum.os3.nl // so it looks genuine, then include the real-time status configuration and the virtual host configuration. Both modules were compiled in, but neither was enabled by default.
The // httpd-info.conf //:
<Location /server-status>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 145.100.96.0/20
    Allow from 127.0.0.1
</Location>
<Location /server-info>
    SetHandler server-info
    Order deny,allow
    Deny from all
    Allow from 145.100.96.0/20
    Allow from 127.0.0.1
</Location>
I trust the people in the lab, so anyone from the lab IP range can request the status of my server. Note that with Order deny,allow the Deny from all line has to stay active, not commented out: Deny directives are evaluated first, and a request that matches no Deny is allowed by default, so without it the Allow lines restrict nothing and /server-status and /server-info (which dumps the complete running configuration) are open to the whole internet.
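Because the difference between the two Order forms is easy to get backwards, here is an added example (not part of this write-up, and not Apache's code) that re-implements the documented mod_authz_host evaluation rules for Order deny,allow and Order allow,deny and runs the server-status block through them, once with Deny from all commented out and once with it active. It also covers the Order allow,deny / Allow from all form used for the cgi-bin directory later on. The lab address block is the one from the configuration; the client addresses are made up (203.0.113.0/24 is a documentation range), and host names are not modelled.

```python
"""Model of how Apache 2.2 mod_authz_host evaluates Order / Allow / Deny.

Added example, not part of the original write-up and not Apache code: a
small re-implementation of the documented semantics, used to show what a
server-status block admits depending on whether 'Deny from all' is
commented out. Client addresses below are made up for the demonstration.
"""
import ipaddress
from typing import List, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def _networks(spec: str) -> List[Net]:
    """Expand the argument of 'Allow from' / 'Deny from'. Only 'all',
    single addresses and CIDR blocks are modelled (no host names)."""
    nets: List[Net] = []
    for token in spec.split():
        if token.lower() == "all":
            nets += [ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")]
        else:
            nets.append(ipaddress.ip_network(token, strict=False))
    return nets


def parse_block(config: str) -> Tuple[str, List[Net], List[Net]]:
    """Collect Order, Allow and Deny from one container. Lines starting
    with '#' are comments, as in httpd.conf, so a commented-out
    'Deny from all' contributes nothing."""
    order = "deny,allow"          # Apache's default when Order is absent
    allow: List[Net] = []
    deny: List[Net] = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        name = parts[0].lower()
        if name == "order" and len(parts) >= 2:
            order = parts[1].lower()
        elif name in ("allow", "deny") and len(parts) == 3 and parts[1].lower() == "from":
            (allow if name == "allow" else deny).extend(_networks(parts[2]))
    return order, allow, deny


def is_allowed(config: str, client_ip: str) -> bool:
    """Documented Order semantics:
    deny,allow : Deny rules first; a match denies unless an Allow also
                 matches; requests matching nothing are ALLOWED.
    allow,deny : at least one Allow must match and no Deny may match;
                 requests matching nothing are DENIED."""
    order, allow, deny = parse_block(config)
    ip = ipaddress.ip_address(client_ip)
    allowed = any(ip in net for net in allow)
    denied = any(ip in net for net in deny)
    if order == "deny,allow":
        return allowed or not denied
    if order == "allow,deny":
        return allowed and not denied
    raise ValueError(f"unsupported Order value: {order}")


# The server-status block as first written, with 'Deny from all' commented out.
PAGE_CONFIG = """\
    SetHandler server-status
    Order deny,allow
    Allow from 145.100.96.0/20
    Allow from 127.0.0.1
    # Deny from all
"""
# The same block with the Deny line active.
FIXED_CONFIG = PAGE_CONFIG.replace("# Deny from all", "Deny from all")

LAB_CLIENT, LOCALHOST, OUTSIDER = "145.100.100.7", "127.0.0.1", "203.0.113.5"

if __name__ == "__main__":
    for label, cfg in (("Deny commented out", PAGE_CONFIG), ("Deny from all active", FIXED_CONFIG)):
        for ip in (LAB_CLIENT, LOCALHOST, OUTSIDER):
            verdict = "allowed" if is_allowed(cfg, ip) else "denied"
            print(f"{label:22} {ip:15} -> {verdict}")
```

With the Deny line commented out every address, including the outsider, is allowed; with it active only the lab range and localhost get through. Order allow,deny with Allow from all admits everyone as well, but by listing Allow explicitly rather than by accident.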
My // httpd-vhosts.conf //:
NameVirtualHost *:80
#
# VirtualHost example:
# Almost any Apache directive may go into a VirtualHost container.
# The first VirtualHost section is used for all requests that do not
# match a ServerName or ServerAlias in any block.
#
<VirtualHost *:80>
    ServerAdmin vic@rome.practicum.os3.nl
    DocumentRoot "/usr/local/apache2/htdocs/rome.practicum.os3.nl"
    ServerName rome.practicum.os3.nl
    ServerAlias www.rome.practicum.os3.nl
    ServerAlias wwww.rome.practicum.os3.nl
    ErrorLog "logs/rome.practicum.os3.nl-error_log"
    CustomLog "logs/rome.practicum.os3.nl-access_log" common
</VirtualHost>
My server can serve multiple sites, but for now it serves only // www.rome.practicum.os3.nl // and // wwww.rome.practicum.os3.nl //, the latter in case a user makes a typo.
==== encryption ====
SSL support is already compiled in; enable it in // httpd.conf //:
# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf
Then create my self-signed test certificate; normally the certificate has to be bought from a real CA:
openssl req -new -x509 -days 30 -keyout /usr/local/apache2/conf/ssl.key/server.key -out /usr/local/apache2/conf/ssl.crt/server.crt -subj '/CN=Test-Only Certificate'
Because -nodes was not given, openssl encrypts the private key with a passphrase, which is why the restart below prompts for it. A server started from rc.local at boot cannot answer that prompt, so for unattended starts either generate the key with -nodes (and rely on file permissions: owned by root, mode 0600) or configure SSLPassPhraseDialog. Note also that the key came out as 1024-bit RSA (see "Server public key is 1024 bit" in the s_client output), the default_bits of that era's openssl.cnf; pass -newkey rsa:2048 to get a sensible key size. After both actions are done, restart Apache for the change to take effect:
vic@rome:~/ca$ sudo /usr/local/apache2/bin/apachectl restart
httpd not running, trying to start
Apache/2.2.16 mod_ssl/2.2.16 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide the pass phrases.
Server www.rome.practicum.os3.nl:443 (RSA)
Enter pass phrase:
OK, it is working. Of course the browser shows a security warning about the certificate, because it is self-signed and not from a trusted CA.
I can also check it with // openssl s_client // (only the end of its output is shown). The "Verify return code: 18 (self signed certificate)" at the bottom is exactly what openssl reports for a self-signed certificate that is not in its trust store; a certificate from a trusted CA would give 0 (ok).
issuer=/CN=Test-Only Certificate
---
No client certificate CA names sent
---
SSL handshake has read 1151 bytes and written 319 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 5D848897BE2D1F51E0AF86DDD99D6126B3CF708B1DC70869FA76672340D61EBD
Session-ID-ctx:
Master-Key: 163EE922435C65EFF9991FBD8A71F2219647049CB6E5DA33472D228233E7E7C5A1D03F1DC639AFE822C0FF2966B32E61
Key-Arg : None
Start Time: 1287745406
Timeout : 300 (sec)
Verify return code: 18 (self signed certificate)
==== Security ====
Now I will change my index.html to use SSI (server-side includes) and add a simple Perl CGI page that says hello world.
First SSI. Edit // and again // our // httpd.conf //:
Options +Includes
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
The first line turns SSI on; the other two register .shtml as an HTML type and attach the INCLUDES output filter to it, because SSI directives are not processed in plain .html files. I added Options +Includes to the Directory block for htdocs/rome.practicum.os3.nl, so SSI works only in that folder. Be aware that +Includes also permits the exec element (#exec cmd and #exec cgi), which runs arbitrary commands as the server user; if whoever can write .shtml files into that directory should not have that power, use Options +IncludesNOEXEC instead.
SSI is now working!
Second, the Perl page:
#!/usr/local/bin/perl
##
## test.cgi -- minimal CGI program (adapted from the printenv demo).
## A CGI script must send at least a Content-Type header followed by a
## blank line before its body; without it Apache logs "Premature end of
## script headers" and answers with a 500 error instead of "hello".
##
print "Content-Type: text/plain\r\n\r\n";
print "hello\n";
To be able to execute this file, and to limit execute permission to only this one file, I use the Directory block and file permission below. (An Options line must either list all values plainly or all with a + or - prefix; mixing the two forms in one directive is not valid syntax.)
<Directory "/usr/local/apache2/cgi-bin">
    AllowOverride None
    Options FollowSymLinks ExecCGI
    Order allow,deny
    Allow from all
</Directory>
sudo chmod +x test.cgi
Only files inside cgi-bin can be executed, and only test.cgi has the // x // permission. Keep the script and the directory non-writable by the user httpd runs as, otherwise anything that can write there can run code as that user.