Linux Apache SSL PHP/FI frontpage mini-HOWTO
Marcus Faure, marcus@faure.de
v1.1, July 1998

This document is about building a multipurpose webserver that will
support dynamic web content via the PHP/FI scripting language, secure
transmission of data based on Netscape's SSL, secure execution of
CGI's and M$ Frontpage Server Extensions
______________________________________________________________________

Table of Contents

1. Introduction

   1.1 Description of the components
   1.2 Working configurations
   1.3 History

2. Component installation

   2.1 Preparations
   2.2 Adding PHP
   2.3 Adding SSL
   2.4 Adding frontpage

3. Putting it all together

   3.1 Apache modules to try
   3.2 Giving CGI's more security
   3.3 Compiling and installing the server daemon
   3.4 Adding frontpage support to a web
   3.5 Starting the daemon
   3.6 Some considerations left
   3.7 Known bugs
   3.8 The final word

______________________________________________________________________

1. Introduction

Before you start reading: I am not a native speaker, so there are
probably spelling/grammatical errors in this document. Feel encouraged
to inform me of mistakes.

1.1. Description of the components

The webserver you hopefully will get after having read this howto is
composed of several parts: the original apache sources with some
(well, many) patches and some external executables. I recommend using
the software versions I tried; they will probably compile without
greater problems and result in a fairly stable daemon. If you are
courageous, you can try to compile all the
latest-stuff-with-tons-of-new-features, but don't blame me if
something fails ;-). However, you may report other working
configurations to be included in future versions of this document.
All of the steps were tested on a linux 2.0.35 box, so the howto is
somewhat linux-specific, but you should be able to use it for other
unixes as well.

You do not necessarily have to compile in all components. I tried to
structure this howto so that you can skip the parts you are not
interested in.

The document is neither a user manual to Apache, SSL, PHP/FI nor
frontpage. Its prime intention is to save webservice providers some
headaches when installing their server and to make my little
contribution to the linux community.

PHP is a scripting language that supports dynamic HTML pages. It is a
bit like Apache's SSI, but far more complex, and it has database
modules for many popular dbs. The GD libraries are needed by PHP.

SSL (here: SSLeay) is an implementation of Netscape's Secure Socket
Layer that allows secure connections over insecure networks, e.g. to
transmit credit card numbers to web based forms.

frontpage is a wysiwyg web authoring tool that makes use of some
server-specific extensions called webbots. Some people think frontpage
is cool because you can create feedback forms and discussion webs
without having to know a bit about html or cgi. It even protects the
designer from uploading his/her site via ftp by using a builtin
publisher. If you wish to support frontpage but do not like to set up
a windows server, the apache server extensions are your choice.

1.2. Working configurations

Though this document has been downloaded some 100 times since I
published it, I received only little feedback. In particular, no one
told me of other working combinations. Combinations that work for me
are:

   o  Linux 2.0.31, Apache 1.2.4, PHP 2.0.0, SSL 0.8.0, fp 98 3.0.3 (*)

   o  Linux 2.0.33, Apache 1.2.5, PHP 2.0.1, SSL 0.8.0, fp 98 3.0.3 (*)

   o  Linux 2.0.35, Apache 1.2.6, PHP 3, SSL 0.8.0, fp 98 3.0.4

   (*) version 3.0.3 is ``not recommended''

1.3. History

   v0.0/Apr 98: Preview version

   v1.0/Jun 98: Now using Apache 1.2.6, updated fp section, minor
   corrections

   v1.1/Jul 98: Sgmlized and restructured version

You can find the latest version of this document at
<http://www.faure.de>

2. Component installation

2.1. Preparations

You will need:

   o  Apache 1.2.6 <http://www.apache.org/dist/apache_1_2_6.tar.gz>

   o  PHP/FI Extensions
      <http://php.iquest.net/files/download.phtml?/files/php-2.01.tar.gz>

   o  GD Library <http://siva.cshl.org/gd/gd.html>

   o  SSL 0.8.0 <ftp://ftp.ox.ac.uk/pub/crypto/SSL/SSLeay-0.8.0.tar.gz>

   o  SSL patch for Apache 1.2.6
      <ftp://ftp.ox.ac.uk/pub/crypto/SSL/apache_1.2.6+ssl_1.17.tar.gz>

   o  frontpage 98 server extensions and install script
      <http://www.rtr.com/fpsupport/download.htm>

Get the sources you want. Untar apache, php, gd and ssl to /usr/src.
Untar the SSL patch to /usr/src/apache_1.2.6.

2.2. Adding PHP

cd to /usr/src/gd1.2 and type make. This will build the GD library
libgd.a, which should be copied to /usr/lib. Now cd to php-2.0.1 and
run ./install.

The relevant questions are:

   Would you like to compile PHP/FI as an Apache module? [yN] y
   Are you compiling for an Apache 1.1 or later server? [Yn] y
   Are you using Apache-Stronghold? [yN] y
   Does your Apache server support ELF dynamic loading? [yN] y
   Apache include directory (which has httpd.h)? [/usr/local/include/apache] /usr/src/apache_1.2.6/src
   Would you like to build an ELF shared library? [yN] y
   Additional directories to search for .h files []: /usr/src/gd1.2
   Would you like the bundled regex library? [yN] n

Like the frontpage extensions, phtml includes a security problem
because every script is run under the uid of the webserver, and so
with the webserver's access to every web on the machine. Be sure to
turn on safe mode in src/php.h and restrict the search path to a safe
value. There are some other options in php.h you may want to edit. If
you are very concerned about security, compile php as a cgi. However,
this will be a performance loss and not as smart as the module version.

Type make to build all files. When the compilation is done, copy
mod_php.* and libphp.a to /usr/src/apache_1.2.6/src. Add a line

   Module php_module mod_php.o

to the end of /usr/src/apache_1.2.6/src/Configuration, add

   -lphp -lm -lgdbm -lgd

to the EXTRA_LIBS in the same file,

   application/x-httpd-php phtml

to Apache's mime.types and

   AddType application/x-httpd-php .phtml

to Apache's srm.conf.

You may also want to add index.phtml to DirectoryIndex in that file so
that a file index.phtml is automatically loaded when its directory is
requested.

2.3. Adding SSL

cd /usr/src/SSLeay-0.8.0; ./Configure linux-elf; make; make rehash.
This will create the libraries needed by apache. You may issue make
test to verify the compilation. You have to apply a patch to apache.
It is important that you apply it before the frontpage patch,
otherwise frontpage will not work. cd to /usr/src/apache_1.2.6/src and
issue patch < /usr/src/apache_1.2.6/SSLpatch. Set
SSL_BASE=/usr/src/SSLeay-0.8.0 in Configuration. Make sure that Module
proxy_module is disabled, otherwise Apache won't compile. If you are
in need of a proxy, go for Squid <http://squid.nlanr.net/>.

Now make certificate to generate SSLconf/conf/httpsd.pem.

2.4. Adding frontpage

Rename the fp30.linux.tar.Z file to fp30.linux.tar.gz, otherwise the
install script will not find it. Run ./fp_install to copy the
extension files to /usr/local/frontpage. zcat can usually be invoked
as /usr/bin/zcat.

You now have to apply the FP patch. cd to /usr/src/apache_1.2.6/src
and type
patch < /usr/src/frontpage/version3.0/apache-fp/fp-patch-apache_1.2.5.
This will create the mod_frontpage.* files and do some modifications
to Configuration etc. The 1.2.5 patch will work with both apache 1.2.5
and 1.2.6. Skip the part about installing webs; you can do that later.

3. Putting it all together

3.1. Apache modules to try

The modules I use besides SSL, PHP and frontpage are:

   Module env_module mod_env.o
   Module config_log_module mod_log_config.o
   Module mime_module mod_mime.o
   Module negotiation_module mod_negotiation.o
   Module dir_module mod_dir.o
   Module cgi_module mod_cgi.o
   Module asis_module mod_asis.o
   Module imap_module mod_imap.o
   Module action_module mod_actions.o
   Module alias_module mod_alias.o
   Module rewrite_module mod_rewrite.o
   Module access_module mod_access.o
   Module auth_module mod_auth.o
   Module anon_auth_module mod_auth_anon.o
   Module digest_module mod_digest.o
   Module expires_module mod_expires.o
   Module headers_module mod_headers.o
   Module browser_module mod_browser.o

3.2. Giving CGI's more security

If you are an ISP (you probably are when you read this) you will want
to improve security. The suexec utility allows you to do so; it will
execute cgi's under the UID of the webowner instead of executing them
under the webserver's UID. Go to /usr/src/apache_1.2.6/support and
make suexec. chmod 4711 suexec (it must be owned by root; the setuid
bit is what lets it switch to the webowner's UID, and 4711 keeps the
binary unreadable and unwritable for everybody else) and copy it to
the location specified in ../src/httpd.h, which is
/usr/local/etc/httpd/sbin/suexec by default. If the path seems a
little cryptic to you - it did to me - edit httpd.h and set the path
to a more comfortable value.

3.3. Compiling and installing the server daemon

Enter /usr/src/apache_1.2.6/src and edit Configuration to set all the
Modules you want to include in your Apache daemon. When done, run
./Configure and make. This is the last (and most complicated)
compilation step, so cross your fingers. If it succeeds, cp httpsd to
/usr/sbin. The daemon is somewhat big; consider this when assembling
your webserver. Create the directory /var/httpd with subdirectories
cgi-bin, conf, htdocs, icons, virt1, virt2 and logs. In
/usr/src/apache_1.2.6/conf edit access.conf-dist, mime.types and
srm.conf-dist to suit your needs and copy them to
/var/httpd/conf/access.conf, srm.conf and mime.types. Copy the
httpsd.pem you created with make certificate to /var/httpd/conf. Use
the following httpd.conf:

   ServerType standalone
   Port 80
   Listen 80
   Listen 443
   User wwwrun
   Group wwwrun
   ServerAdmin webmaster@yourhost.com
   ServerRoot /var/httpd
   ErrorLog logs/error_log
   TransferLog logs/access_log
   PidFile logs/httpd.pid
   ServerName www.yourhost.com
   MinSpareServers 3
   MaxSpareServers 20
   StartServers 3

   SSLCACertificatePath /var/httpd/conf
   SSLCACertificateFile /var/httpd/conf/httpsd.pem
   SSLCertificateFile /var/httpd/conf/httpsd.pem
   SSLLogFile /var/httpd/logs/ssl.log

   <VirtualHost www.virt1.com>
   SSLDisable
   ServerAdmin webmaster@virt1.com
   DocumentRoot /var/httpd/virt1
   ScriptAlias /cgi-bin/ /var/httpd/virt1/cgi-bin/
   ServerName www.virt1.com
   ErrorLog logs/virt1-error.log
   TransferLog logs/virt1-access.log
   User virt1admin
   Group users
   </VirtualHost>

   <VirtualHost www.virt1.com:443>
   ServerAdmin webmaster@virt1.com
   DocumentRoot /var/httpd/virt1
   ScriptAlias /cgi-bin/ /var/httpd/virt1/cgi-bin/
   ServerName www.virt1.com
   ErrorLog logs/virt1-ssl-error.log
   TransferLog logs/virt1-ssl-access.log
   User virt1admin
   Group users
   SSLCACertificatePath /var/httpd/conf
   SSLCACertificateFile /var/httpd/conf/httpsd.pem
   SSLCertificateFile /var/httpd/conf/httpsd.pem
   SSLLogFile /var/httpd/logs/virt1-ssl.log
   SSLVerifyClient 0
   SSLFakeBasicAuth
   </VirtualHost>

   <VirtualHost www.virt2.com>
   SSLDisable
   ServerAdmin webmaster@virt2.com
   DocumentRoot /var/httpd/virt2
   ScriptAlias /cgi-bin/ /var/httpd/virt2/cgi-bin/
   ServerName www.virt2.com
   ErrorLog logs/virt2-error.log
   TransferLog logs/virt2-access.log
   </VirtualHost>

Depending on the modules compiled in, not all directives may be
available. You can retrieve a list of available directives with
httpsd -h.

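As an added example (not part of this HOWTO), a small lint for an httpd.conf of the shape above: it walks every <VirtualHost> block and reports whether SSL is switched off for it, which User it runs as, and whether an SSL-enabled block names its own SSLCertificateFile. The sample config is constructed here after the virt1/virt2 layout; treating a missing per-host SSLCertificateFile as a finding is an assumption of this lint, so drop that rule if you rely on the global directive.

```shell
#!/bin/sh
# Added example, not from the HOWTO: lint the <VirtualHost> blocks of an
# Apache-SSL (SSLeay patch) httpd.conf. For each block it prints the host,
# whether SSL is off (SSLDisable seen) or on, the User directive, and a
# MISSING-CERT flag when an SSL-on block names no SSLCertificateFile.
# Assumption: a block that stays SSL-on should carry its own certificate.

lint_vhosts() {
    awk '
    /^[ \t]*<VirtualHost[ \t]/ {
        name = $2; sub(/>.*$/, "", name)      # strip the closing ">"
        ssl = "on"; cert = 0; user = "-"      # reset per block
        next
    }
    /^[ \t]*SSLDisable([ \t]|$)/      { ssl = "off" }
    /^[ \t]*SSLCertificateFile[ \t]/  { cert = 1 }
    /^[ \t]*User[ \t]/                { user = $2 }
    /^[ \t]*<\/VirtualHost>/ {
        status = "ok"
        if (ssl == "on" && !cert) status = "MISSING-CERT"
        printf "%s ssl=%s user=%s %s\n", name, ssl, user, status
    }
    ' "$1"
}

# Number of flagged blocks; usable as a pre-start check in a build script.
count_missing_cert() {
    lint_vhosts "$1" | grep -c 'MISSING-CERT$' || true
}

# Constructed sample modelled on the HOWTO config: the third block is a
# port-443 host whose author forgot the certificate directives.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
SSLCertificateFile /var/httpd/conf/httpsd.pem
<VirtualHost www.virt1.com>
SSLDisable
DocumentRoot /var/httpd/virt1
User virt1admin
Group users
</VirtualHost>
<VirtualHost www.virt1.com:443>
SSLCertificateFile /var/httpd/conf/httpsd.pem
User virt1admin
Group users
</VirtualHost>
<VirtualHost www.virt2.com:443>
DocumentRoot /var/httpd/virt2
User virt2admin
</VirtualHost>
EOF

lint_vhosts "$SAMPLE_CONF"
```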
3.4. Adding frontpage support to a web

Enter /usr/local/frontpage/version3.0/bin and load ./fpsrvadm. Choose
install and apache-fp. The next questions should be answered the
following way:

   Enter server config filename: /var/httpd/conf/httpd.conf
   Enter host name for multi-hosting []: www.virt2.com
   Starting install, port: www.virt2.com:80, web: ""
   Enter user's name []: virt2admin
   Enter user's password:
   Confirm password:
   Creating root web
   Recalculate links for root web
   Install completed.

The user name must be the unix login of the webowner. The password
does not necessarily have to match the system password. You have to
manually add sendmailcommand:/usr/sbin/sendmail %r to
/usr/local/frontpage/www.virt2.com:80.conf, otherwise your users will
not be able to send web-generated eMails. kill -HUP your httpsd to
make fp reread its config. You can now access www.virt2.com with your
frontpage client.

Under some circumstances fpsrvadm complains that a root web has to be
installed first. This is pretty useless, but you should do so to
silence fpsrvadm.

3.5. Starting the daemon

Start Apache with httpsd -f /var/httpd/conf/httpd.conf. You can now
access www.virt1.com both through http and https, which is pretty
cool. Of course you have to pay for a real certificate if you want to
offer webwide SSL (the one from make certificate is self-signed, so
browsers will warn about it), or users might laugh at you.

Copy one of the demo files from the php examples directory to virt1 to
test phtml.

3.6. Some considerations left

Do not use frontpage 97 extensions. They do not work, at least under
Linux. When installing specific versions of the c++ libraries, they
appear to work but your logs will soon fill with premature end of
script headers and your mailbox will fill with complaints. Do not use
frontpage 98 extensions before version 3.0.2.1330. Do not be confused:
version numbers are somewhat inconsistent. When telnetting to port
80, typing "get / http/1.0" and hitting return twice, you get a
version number 3.0.4 for frontpage.

You can find out the more specific version number by executing
/usr/local/frontpage/currentversion/exes/_vti_bin/shtml.exe -version.
Older versions have a nasty bug that requires httpd.conf to be
writable by the gid of the webserver. This should make you scream if
you are at all concerned about security: anything running under that
gid, including every CGI and phtml script, could then rewrite the
server's configuration. Versions since 3.0.2.1330 are more usable.

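An added check (not from the HOWTO) for the two files this section and section 3.2 single out: suexec must be setuid (chmod 4711, owned by root) and httpd.conf must not be writable by the webserver's group or by anybody else. The default paths are the HOWTO's; both check functions take a path argument.

```shell
#!/bin/sh
# Added example, not from the HOWTO: permission audit for the setuid suexec
# wrapper (section 3.2, chmod 4711) and for httpd.conf, which the old
# frontpage extensions wanted group-writable (section 3.6).

# Prints the path when any group or other write bit is set, else nothing.
shared_write_bits() {
    find "$1" -perm -020 -o -perm -002
}

# 0 when the file exists, carries the setuid bit and is writable only by
# its owner; that is exactly what chmod 4711 produces.
suexec_mode_ok() {
    [ -f "$1" ] && [ -u "$1" ] || return 1
    [ -z "$(shared_write_bits "$1")" ]
}

# 0 when the config is writable by its owner only, so nothing running
# under the webserver's uid/gid can rewrite User, Group or ScriptAlias.
conf_not_shared_writable() {
    [ -f "$1" ] || return 1
    [ -z "$(shared_write_bits "$1")" ]
}

# Runs all checks and reports; returns 1 when something needs fixing.
audit() {
    suexec="${1:-/usr/local/etc/httpd/sbin/suexec}"
    conf="${2:-/var/httpd/conf/httpd.conf}"
    rc=0
    if suexec_mode_ok "$suexec"; then
        echo "ok:   $suexec is setuid and owner-writable only"
    else
        echo "FAIL: $suexec should be mode 4711 (setuid, no group/other write)"
        rc=1
    fi
    # the setuid bit only makes sense when root owns the binary
    if [ -n "$(find "$suexec" -user root 2>/dev/null)" ]; then
        echo "ok:   $suexec is owned by root"
    else
        echo "FAIL: $suexec is not owned by root"; rc=1
    fi
    if conf_not_shared_writable "$conf"; then
        echo "ok:   $conf is not group/other writable"
    else
        echo "FAIL: $conf is writable by group or other; chmod 644 it"; rc=1
    fi
    return $rc
}

# Run as: sh audit.sh /usr/local/etc/httpd/sbin/suexec /var/httpd/conf/httpd.conf
if [ -n "${1:-}" ]; then audit "$@"; fi
```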
3.7. Known bugs

When touching Recalculate Links in the frontpage client, the server
starts a process that consumes 99% cpu cycles and some 10 mb of
memory. Even for medium-sized webs and fast machines, the client
sometimes receives a timeout message, though the calculation will be
finished correctly. Inform frontpage users to be patient and not to
hit Recalculate Links several times. Remind yourself to equip the
server with at least 64MB.

Please note that at the time of writing both SSL and frontpage work,
but not at the same time; that means you can neither publish your web
using ssl nor make use of the webbots through https. You can publish
your web on port 80 and access it encrypted on port 443, but your
counters etc. will be broken. I consider this a bug. This problem
shall be fixed in SSL 0.9.0.

3.8. The final word

For those who think the title of this howto is nearly as long as the
document: Did you ever listen to Meat Loaf?

O.K. readers, you're done for today. Feel free to send me your
feedback, eternal gratitude, flowers, ecash, cars, oil sources etc.