mirror of https://github.com/tLDP/LDP
389 lines
15 KiB
Plaintext
389 lines
15 KiB
Plaintext
<!doctype linuxdoc system>
|
|
<article>
|
|
<title>Linux Apache SSL PHP/FI frontpage mini-HOWTO
|
|
<author>Marcus Faure, <htmlurl url="mailto:marcus@faure.de"
|
|
name="marcus@faure.de">
|
|
<date>v1.1, July 1998
|
|
|
|
<abstract>
|
|
This document is about building a <bf>multipurpose webserver</bf> that will
|
|
support dynamic web content via the <bf>PHP/FI</bf> scripting language,
|
|
secure transmission of data based on Netscape's <bf>SSL</BF>,
|
|
secure execution of <bf>CGI's</bf> and
|
|
M$ <bf>Frontpage Server Extensions</bf>
|
|
</abstract>
|
|
|
|
<toc>
|
|
|
|
<sect>Introduction
|
|
<p>
|
|
Before you start reading:
|
|
I am not a native speaker, so there are probably spelling/grammatical errors
|
|
in this document. Feel encouraged to inform me of mistakes.
|
|
|
|
<sect1>Description of the components
|
|
<p>
|
|
The webserver you hopefully will get after having read this howto is composed
|
|
of several parts, the original apache sources with some (well, many) patches
|
|
and some external executables. I recommend using the software versions I
|
|
tried, they will probably compile without greater problems and result in a
|
|
fairly stable daemon. If you are courageous, you can try to compile all the
|
|
latest-stuff-with-tons-of-new-features, but don't blame me if something
|
|
fails ;-). However, you may report other working configurations to be included
|
|
in future versions of this document. All of the steps were tested on a
|
|
linux 2.0.35 box, so the howto is somewhat linux-specific, but you should be
|
|
able to use it for other unixes as well.
|
|
|
|
You do not necesserily have to compile in all components. I tried to structure
|
|
this howto so that you can skip the parts you are not interested in.
|
|
|
|
The document is neither a user manual to Apache, SSL, PHP/FI nor frontpage.
|
|
Its prime intention is to save webservice providers some headaches when
|
|
installing their server and to do my little contribution to the linux
|
|
community.
|
|
|
|
<bf>PHP</bf> is a scripting language that supports dynamic HTML pages. It is a
|
|
bit like Apache's SSI, but by far more complex and has database modules for
|
|
many popular dbs. The GD libraries are needed by PHP.
|
|
|
|
<bf>SSL</bf> is an implementation of Netscape's Secure Socket Layer that allow
|
|
secure connections over insecure networks, e.g. to transmit credit card
|
|
numbers to web based forms.
|
|
|
|
<bf>frontpage</bf> is a wysiwyg web authoring tool that makes use of some
|
|
server-specific extensions called webbots. Some people think frontpage is
|
|
cool because you can create feedback forms and discussion webs without
|
|
having to know a bit about html or cgi. It even protects the designer
|
|
from uploading his/her site via ftp by using a builtin publisher. If you wish
|
|
to support frontpage but do not like to setup a windows server, the apache
|
|
server extensions are your choice.
|
|
|
|
<sect1>Working configurations
|
|
<p>
|
|
Though this document has been downloaded some 100 times since I published
|
|
it, I received only little feedback. In particular, noone told me of other
|
|
working combinations. Combinations that work for me are:
|
|
<itemize>
|
|
<item>Linux 2.0.31, Apache 1.2.4, PHP 2.0.0, SSL 0.8.0, fp 98 3.0.3 (*)
|
|
<item>Linux 2.0.33, Apache 1.2.5, PHP 2.0.1, SSL 0.8.0, fp 98 3.0.3 (*)
|
|
<item>Linux 2.0.35, Apache 1.2.6, PHP 3, SSL 0.8.0, fp 98 3.0.4
|
|
</itemize>
|
|
(*) version 3.0.3 is <ref id="fpverswarning" name="not recommended">
|
|
|
|
<sect1>History
|
|
<p>
|
|
|
|
v0.0/Apr 98: Preview version
|
|
|
|
v1.0/Jun 98: Now using Apache 1.2.6, updated fp section, minor corrections
|
|
|
|
v1.1/Jul 98: Sgmlized and restructered version
|
|
|
|
You can find the latest version of this document at
|
|
<url url="http://www.faure.de">
|
|
|
|
<sect>Component installation
|
|
|
|
<sect1>Preparations
|
|
<p>
|
|
You will need:
|
|
<itemize>
|
|
<item>Apache 1.2.6 <url url="http://www.apache.org/dist/apache_1_2_6.tar.gz">
|
|
<item>PHP/FI Extensions
|
|
<url url="http://php.iquest.net/files/download.phtml?/files/php-2.01.tar.gz">
|
|
<item>GD Library <url url="http://siva.cshl.org/gd/gd.html">
|
|
<item>SSL 0.8.0
|
|
<url url="ftp://ftp.ox.ac.uk/pub/crypto/SSL/SSLeay-0.8.0.tar.gz">
|
|
<item>SSL patch for Apache 1.2.6
|
|
<url url="ftp://ftp.ox.ac.uk/pub/crypto/SSL/apache_1.2.6+ssl_1.17.tar.gz">
|
|
<item>frontpage 98 server extensions and install script
|
|
<url url="http://www.rtr.com/fpsupport/download.htm">
|
|
</itemize>
|
|
|
|
Get the sources you want. Untar apche, php, gd and ssl to
|
|
<tt>/usr/src</tt>. Untar the SSL patch to <tt>/usr/src/apache_1.2.6</tt>.
|
|
|
|
<sect1>Adding PHP
|
|
<p>
|
|
<tt>cd</tt> to /usr/src/gd1.2 and type make. This will build the GD
|
|
library <tt>libgd.a</tt>, that should be copied to <tt>/usr/lib</tt>.
|
|
Now <tt>cd</tt> to <tt>php-2.0.1</tt> and run <tt>./install</tt>.
|
|
|
|
The relevant questions are:
|
|
<verb>
|
|
Would you like to compile PHP/FI as an Apache module? [yN] y
|
|
Are you compiling for an Apache 1.1 or later server? [Yn] y
|
|
Are you using Apache-Stronghold? [yN] y
|
|
Does your Apache server support ELF dynamic loading? [yN] y
|
|
Apache include directory (which has httpd.h)? [/usr/local/include/apache] /usr/src/apache_1.2.6/src
|
|
Would you like to build an ELF shared library? [yN] y
|
|
Additional directories to search for .h files []: /usr/src/gd1.2
|
|
Would you like the bundled regex library? [yN] n
|
|
</verb>
|
|
|
|
Like the frontpage extensions, phtml includes a security problem
|
|
because it is run under the uid of the webserver. Be sure to turn on safe
|
|
mode in src/php.h and restrict the search path to a save value. There are some
|
|
other options in php.h you may want to edit. If you are very concerned
|
|
about security, compile php as a cgi. However, this will be a performance
|
|
loss and not as smart as the module version.
|
|
|
|
Type <tt>make</tt> to build all files. When the compilation is done,
|
|
copy <tt>mod_php.*</tt> and <tt>libphp.a</tt> to
|
|
<tt>/usr/src/apache_1.2.6/src</tt> Add a line
|
|
<verb>
|
|
Module php_module mod_php.o
|
|
</verb>
|
|
to the end of <tt>/usr/src/apache_1.2.6/src/Configuration</tt>, add
|
|
<verb>
|
|
-lphp -lm -lgdbm -lgd
|
|
</verb>
|
|
to the <tt>EXTRA_LIBS</tt> in the same file,
|
|
<verb>
|
|
application/x-httpd-php phtml
|
|
</verb>
|
|
to Apache's <tt>mime.types</tt> and
|
|
<verb>
|
|
AddType application/x-httpd-php .phtml
|
|
</verb>
|
|
to Apache's <tt>srm.conf</tt>.
|
|
|
|
You may also want to add <tt>index.phtml</tt> to <tt>DirectoryIndex</tt> in
|
|
that file so that a file index.phtml is automatically loaded when its
|
|
directory is requested.
|
|
|
|
<sect1>Adding SSL
|
|
<p>
|
|
<tt>cd /usr/src/SSL-0.8.0; ./Configure linux-elf; make; make rehash</tt>
|
|
This will create libraries needed by apache. You may issue <tt>make test</tt>
|
|
to verify the compilation.
|
|
You have to apply a patch to apache. It is important that you apply it
|
|
before the frontpage patch, otherwise frontpage will not work.
|
|
<tt>cd</tt> to <tt>/usr/src/apache_1.2.6/src</tt> and issue
|
|
<tt>patch < /usr/src/apache_1.2.6/SSLpatch</tt>.
|
|
Set <tt>SSL_BASE=/usr/src/SSLeay-0.8.0</tt> in <tt>Configuration</tt>. Make
|
|
sure that <tt>Module proxy_module</tt> is disabled otherwise Apache won't
|
|
compile. If you are in need of a proxy, go for Squid
|
|
<htmlurl url="http://squid.nlanr.net/" name="http://squid.nlanr.net/">
|
|
|
|
Now <tt>make certificate</tt> to generate <tt>SSLconf/conf/httpsd.pem</tt>.
|
|
|
|
<sect1>Adding frontpage
|
|
<p>
|
|
Rename the <tt>fp30.linux.tar.Z</tt> file to <tt>fp30.linux.tar.gz</tt>,
|
|
otherwise the install script will not find it. Run <tt>./fp_install</tt>
|
|
to copy the extension files to <tt>/usr/local/frontpage</tt>. zcat can
|
|
usually be invoked as /usr/bin/zcat.
|
|
|
|
You now have to apply the FP patch. <tt>cd</tt> to
|
|
<tt>/usr/src/apache_1.2.6/src</tt> and type
|
|
<tt>patch < /usr/src/frontpage/version3.0/apache-fp/fp-patch-apache_1.2.5</tt>
|
|
This will create the <tt>mod_frontpage.*</tt> files and do some modifications
|
|
to <tt>Configuration</tt> etc. The 1.2.5 patch will work with both
|
|
apache 1.2.5 and 1.2.6. Skip the part about installing webs, you can do
|
|
that later
|
|
|
|
<sect>Putting it all together
|
|
|
|
<sect1>Apache modules to try
|
|
<p>
|
|
The modules I use besides SSL, PHP and frontpage are:
|
|
<verb>
|
|
Module env_module mod_env.o
|
|
Module config_log_module mod_log_config.o
|
|
Module mime_module mod_mime.o
|
|
Module negotiation_module mod_negotiation.o
|
|
Module dir_module mod_dir.o
|
|
Module cgi_module mod_cgi.o
|
|
Module asis_module mod_asis.o
|
|
Module imap_module mod_imap.o
|
|
Module action_module mod_actions.o
|
|
Module alias_module mod_alias.o
|
|
Module rewrite_module mod_rewrite.o
|
|
Module access_module mod_access.o
|
|
Module auth_module mod_auth.o
|
|
Module anon_auth_module mod_auth_anon.o
|
|
Module digest_module mod_digest.o
|
|
Module expires_module mod_expires.o
|
|
Module headers_module mod_headers.o
|
|
Module browser_module mod_browser.o
|
|
</verb>
|
|
|
|
<sect1>Giving CGI's more security
|
|
<p>
|
|
If you are an ISP (you probably are when you read this) you will
|
|
want to improve security. The suexec utility allows you to do so; it will
|
|
execute cgi's under the UID of the webowner instead of executing it
|
|
under the webservers UID.
|
|
Go to <tt>/usr/src/apache_1.2.6/support</tt> and <tt>make suexec</tt>.
|
|
<tt>chmod 4711 suxec</tt> and copy it to the location specified in
|
|
<tt>../src/httpd.h</tt> which is <tt>/usr/local/etc/httpd/sbin/suexec</tt>
|
|
by default. If the path seems a little cryptic to you - it did to me - edit
|
|
<tt>httpd.h</tt> and set the path to a more comfortable value.
|
|
|
|
<sect1>Compiling and installing the server daemon
|
|
<p>
|
|
Enter <tt>/usr/src/apache_1.2.6/src</tt> and edit
|
|
<tt>Configuration</tt> to set all the Modules you want to include in your
|
|
Apache daemon. When done, run <tt>./Configure</tt> and <tt>make</tt>. This is
|
|
the last (and most complicated) compilation step, so cross your fingers. If it
|
|
succeeds, <tt>cp httpsd</tt> to <tt>/usr/sbin</tt>. The daemon is somewhat
|
|
big, consider this when assembling your webserver. Create the directory
|
|
<tt>/var/httpd</tt> with subdirectories <tt>cgi-bin</tt>, <tt>conf</tt>,
|
|
<tt>htdocs</tt>, <tt>icons</tt>, <tt>virt1</tt>, <tt>virt2</tt> and
|
|
<tt>logs</tt>. In <tt>/usr/src/apache_1.2.6/conf</tt> edit
|
|
<tt>access.conf-dist</tt>, <tt>mime.types</tt> and <tt>srm.conf-dist</tt>
|
|
to suit your needs and copy them to <tt>var/httpd/conf/access.conf</tt>,
|
|
<tt>srm.conf</tt> and <tt>mime.types</tt>. Copy the <tt>httpsd.pem</tt> you
|
|
created with <tt>make certificate</tt> to <tt>/var/httpd/conf</tt>. Use the
|
|
following <tt>httpd.conf</tt>:
|
|
<verb>
|
|
ServerType standalone
|
|
Port 80
|
|
Listen 80
|
|
Listen 443
|
|
User wwwrun
|
|
Group wwwrun
|
|
ServerAdmin webmaster@yourhost.com
|
|
ServerRoot /var/httpd
|
|
ErrorLog logs/error_log
|
|
TransferLog logs/access_log
|
|
PidFile logs/httpd.pid
|
|
ServerName www.yourhost.com
|
|
MinSpareServers 3
|
|
MaxSpareServers 20
|
|
StartServers 3
|
|
|
|
SSLCACertificatePath /var/httpd/conf
|
|
SSLCACertificateFile /var/httpd/conf/httpsd.pem
|
|
SSLCertificateFile /var/httpd/conf/httpsd.pem
|
|
SSLLogFile /var/httpd/logs/ssl.log
|
|
|
|
<VirtualHost www.virt1.com>
|
|
SSLDisable
|
|
ServerAdmin webmaster@virt1.com
|
|
DocumentRoot /var/httpd/virt1
|
|
ScriptAlias /cgi-bin/ /var/httpd/virt1/cgi-bin/
|
|
ServerName www.virt1.com
|
|
ErrorLog logs/virt1-error.log
|
|
TransferLog logs/virt1-access.log
|
|
User virt1admin
|
|
Group users
|
|
</VirtualHost>
|
|
|
|
<VirtualHost www.virt1.com:443>
|
|
ServerAdmin webmaster@virt1.com
|
|
DocumentRoot /var/httpd/virt1
|
|
ScriptAlias /cgi-bin/ /var/httpd/virt1/cgi-bin/
|
|
ServerName www.virt1.com
|
|
ErrorLog logs/virt1-ssl-error.log
|
|
TransferLog logs/virt1-ssl-access.log
|
|
User virt1admin
|
|
Group users
|
|
SSLCACertificatePath /var/httpd/conf
|
|
SSLCACertificateFile /var/httpd/conf/httpsd.pem
|
|
SSLCertificateFile /var/httpd/conf/httpsd.pem
|
|
SSLLogFile /var/httpd/logs/virt1-ssl.log
|
|
SSLVerifyClient 0
|
|
SSLFakeBasicAuth
|
|
</VirtualHost>
|
|
|
|
<VirtualHost www.virt2.com>
|
|
SSLDisable
|
|
ServerAdmin webmaster@virt2.com
|
|
DocumentRoot /var/httpd/virt2
|
|
ScriptAlias /cgi-bin/ /var/httpd/virt2/cgi-bin/
|
|
ServerName www.virt2.com
|
|
ErrorLog logs/virt2-error.log
|
|
TransferLog logs/virt2-access.log
|
|
</VirtualHost>
|
|
</verb>
|
|
|
|
Depending on the modules compiled in, not all directives may be available.
|
|
You can retrieve a list of available directives with <tt>httpsd -h</tt>.
|
|
|
|
<sect1>Adding frontpage support to a web
|
|
<p>
|
|
Enter <tt>/usr/local/frontpage/version3.0/bin</tt> and load
|
|
<tt>./fpsrvadm</tt>. Choose <tt>install</tt> and <tt>apache-fp</tt>. The next
|
|
questions should be answered the following way:
|
|
<verb>
|
|
Enter server config filename: /var/httpd/conf/httpd.conf
|
|
Enter host name for multi-hosting []: www.virt2.com
|
|
Starting install, port: www.virt2.com:80, web: ""
|
|
Enter user's name []: virt2admin
|
|
Enter user's password:
|
|
Confirm password:
|
|
Creating root web
|
|
Recalculate links for root web
|
|
Install completed.
|
|
</verb>
|
|
|
|
The user name must be the unix login of the webowner. The password does not
|
|
necessarily have to match the system password.
|
|
You have to manually add <tt>sendmailcommand:/usr/sbin/sendmail %r</tt>
|
|
to <tt>/usr/local/frontpage/www.virt2.com:80.conf</tt>, otherwise your users
|
|
will not be able to send web-generated eMails.
|
|
<tt>kill -HUP</tt> your <tt>httpsd</tt> to make fp reread its config. You can
|
|
now access <tt>www.virt2.com</tt> with your frontpage client.
|
|
|
|
Under some circumstances <tt>fpsrvadm</tt> complaints that a root web has
|
|
to be installed first. This is pretty useless, but you should do so to silence
|
|
<tt>fpsrvadm</tt>.
|
|
|
|
<sect1>Starting the daemon
|
|
<p>
|
|
Start Apache with <tt>httpsd -f /var/httpd/conf/httpd.conf</tt>. You can
|
|
now access <tt>www.virt1.com</tt> both through http and https which is pretty
|
|
cool. Of course you have to pay for a real certificate if you want to offer
|
|
webwide SSL or users might laugh at you.
|
|
|
|
Copy one of the demo files from the php examples directory to <tt>virt1</tt>
|
|
to test phtml.
|
|
|
|
<sect1>Some considerations left
|
|
<p>
|
|
Do not use frontpage 97 extensions. They do not work, at least under
|
|
Linux. When installing specific versions of the c++ libraries, they
|
|
appear to work but your logs will soon fill with <tt>premature end of script
|
|
headers</tt> and your mailbox will fill with complaints.
|
|
Do not use frontpage 98 extensions before version 3.0.2.1330. Do not be
|
|
confused, version numbers are somewhat inheterogenous. When telnetting
|
|
to port 80, typing "get / http/1.0" and hitting return twice, you get a
|
|
version number 3.0.4 for frontpage.
|
|
|
|
<label id="fpverswarning">You can find out the more specific version
|
|
number by executing
|
|
<tt>/usr/local/frontpage/currentversion/exes/_vti_bin/shtml.exe -version</tt>.
|
|
Older versions have a nasty bug that requires httpd.conf to be writable
|
|
by the gid of the webserver. This should make you scream if you are at all
|
|
concerned about security.
|
|
Versions since 3.0.2.1330 are more usable.
|
|
|
|
<sect1>Known bugs
|
|
<p>
|
|
When touching <tt>Recalculate Links</tt> in the frontpage client, the server
|
|
starts a process that consumes 99% cpu cycles and some 10 mb of memory. But
|
|
even for medium-sized webs and fast machines, the client sometimes recieves
|
|
a timeout message, though the calculation will be finished correctly. Inform
|
|
frontpage users to be patient and not to hit <tt>Recalculate Links</tt>
|
|
several times. Inform yourself to equip the server with at least 64MB.
|
|
|
|
Please note that at the time of writing both SSL and frontpage work, but
|
|
not at the same time, that means you can neither publish your web using ssl
|
|
nor make use of the webbots through https. You can publish your web on
|
|
port 80 and access it encrypted on port 443, but your counters etc. will be
|
|
broken. I consider this a bug. This problem shall be fixed in SSL 0.9.0.
|
|
|
|
<sect1>The final word
|
|
<p>
|
|
For those who think the title of this howto is nearly as long as the
|
|
document: Did you ever listened to Meat Loaf?
|
|
|
|
O.K. readers, you're done for today. Feel free to send me your feedback,
|
|
eternal gratitude, flowers, ecash, cars, oil sources etc.
|
|
|
|
</article>
|
|
|
|
|