Linux Apache SSL PHP/FI frontpage mini-HOWTO

Marcus Faure, marcus@faure.de

v1.1, July 1998

This document is about building a multipurpose webserver that will
support dynamic web content via the PHP/FI scripting language, secure
transmission of data based on Netscape's SSL, secure execution of
CGI's and M$ Frontpage Server Extensions.
______________________________________________________________________

Table of Contents

1. Introduction
   1.1 Description of the components
   1.2 Working configurations
   1.3 History

2. Component installation
   2.1 Preparations
   2.2 Adding PHP
   2.3 Adding SSL
   2.4 Adding frontpage

3. Putting it all together
   3.1 Apache modules to try
   3.2 Giving CGI's more security
   3.3 Compiling and installing the server daemon
   3.4 Adding frontpage support to a web
   3.5 Starting the daemon
   3.6 Some considerations left
   3.7 Known bugs
   3.8 The final word

______________________________________________________________________
1. Introduction

Before you start reading: I am not a native speaker, so there are
probably spelling/grammatical errors in this document. Feel encouraged
to inform me of mistakes.
1.1. Description of the components

The webserver you will hopefully get after having read this howto is
composed of several parts: the original apache sources with some
(well, many) patches and some external executables. I recommend using
the software versions I tried; they will probably compile without
greater problems and result in a fairly stable daemon. If you are
courageous, you can try to compile all the
latest-stuff-with-tons-of-new-features, but don't blame me if
something fails ;-). However, you may report other working
configurations to be included in future versions of this document.
All of the steps were tested on a linux 2.0.35 box, so the howto is
somewhat linux-specific, but you should be able to use it for other
unixes as well.

You do not necessarily have to compile in all components. I tried to
structure this howto so that you can skip the parts you are not
interested in.

The document is neither a user manual to Apache, SSL, PHP/FI nor
frontpage. Its prime intention is to save webservice providers some
headaches when installing their server and to make my little
contribution to the linux community.

PHP is a scripting language that supports dynamic HTML pages. It is a
bit like Apache's SSI, but by far more complex, and has database
modules for many popular dbs. The GD libraries are needed by PHP.

SSL is an implementation of Netscape's Secure Socket Layer that allows
secure connections over insecure networks, e.g. to transmit credit
card numbers to web based forms.

frontpage is a wysiwyg web authoring tool that makes use of some
server-specific extensions called webbots. Some people think frontpage
is cool because you can create feedback forms and discussion webs
without having to know a bit about html or cgi. It even protects the
designer from uploading his/her site via ftp by using a builtin
publisher. If you wish to support frontpage but do not like to set up
a windows server, the apache server extensions are your choice.
1.2. Working configurations

Though this document has been downloaded some 100 times since I
published it, I received little feedback. In particular, no one told
me of other working combinations. Combinations that work for me are:

· Linux 2.0.31, Apache 1.2.4, PHP 2.0.0, SSL 0.8.0, fp 98 3.0.3 (*)

· Linux 2.0.33, Apache 1.2.5, PHP 2.0.1, SSL 0.8.0, fp 98 3.0.3 (*)

· Linux 2.0.35, Apache 1.2.6, PHP 3, SSL 0.8.0, fp 98 3.0.4

(*) version 3.0.3 is ``not recommended''
1.3. History

v0.0/Apr 98: Preview version

v1.0/Jun 98: Now using Apache 1.2.6, updated fp section, minor
corrections

v1.1/Jul 98: Sgmlized and restructured version

You can find the latest version of this document at
<http://www.faure.de>
2. Component installation

2.1. Preparations

You will need:

· Apache 1.2.6 <http://www.apache.org/dist/apache_1_2_6.tar.gz>

· PHP/FI Extensions
  <http://php.iquest.net/files/download.phtml?/files/php-2.01.tar.gz>

· GD Library <http://siva.cshl.org/gd/gd.html>

· SSL 0.8.0 <ftp://ftp.ox.ac.uk/pub/crypto/SSL/SSLeay-0.8.0.tar.gz>

· SSL patch for Apache 1.2.6
  <ftp://ftp.ox.ac.uk/pub/crypto/SSL/apache_1.2.6+ssl_1.17.tar.gz>

· frontpage 98 server extensions and install script
  <http://www.rtr.com/fpsupport/download.htm>

Get the sources you want. Untar apache, php, gd and ssl to /usr/src.
Untar the SSL patch to /usr/src/apache_1.2.6.
2.2. Adding PHP

cd to /usr/src/gd1.2 and type make. This will build the GD library
libgd.a, which should be copied to /usr/lib. Now cd to php-2.0.1 and
run ./install.

The relevant questions are:

  Would you like to compile PHP/FI as an Apache module? [yN] y
  Are you compiling for an Apache 1.1 or later server? [Yn] y
  Are you using Apache-Stronghold? [yN] y
  Does your Apache server support ELF dynamic loading? [yN] y
  Apache include directory (which has httpd.h)? [/usr/local/include/apache] /usr/src/apache_1.2.6/src
  Would you like to build an ELF shared library? [yN] y
  Additional directories to search for .h files []: /usr/src/gd1.2
  Would you like the bundled regex library? [yN] n

Like the frontpage extensions, phtml includes a security problem
because it is run under the uid of the webserver. Be sure to turn on
safe mode in src/php.h and restrict the search path to a safe value.
There are some other options in php.h you may want to edit. If you are
very concerned about security, compile php as a cgi. However, this
will be a performance loss and not as smart as the module version.

Type make to build all files. When the compilation is done, copy
mod_php.* and libphp.a to /usr/src/apache_1.2.6/src. Add a line

  Module php_module mod_php.o

to the end of /usr/src/apache_1.2.6/src/Configuration, add

  -lphp -lm -lgdbm -lgd

to the EXTRA_LIBS in the same file,

  application/x-httpd-php phtml

to Apache's mime.types and

  AddType application/x-httpd-php .phtml

to Apache's srm.conf.

You may also want to add index.phtml to DirectoryIndex in that file so
that a file index.phtml is automatically loaded when its directory is
requested.
2.3. Adding SSL

  cd /usr/src/SSLeay-0.8.0; ./Configure linux-elf; make; make rehash

This will create the libraries needed by apache. You may issue make
test to verify the compilation. You have to apply a patch to apache.
It is important that you apply it before the frontpage patch,
otherwise frontpage will not work. cd to /usr/src/apache_1.2.6/src and
issue patch < /usr/src/apache_1.2.6/SSLpatch. Set
SSL_BASE=/usr/src/SSLeay-0.8.0 in Configuration. Make sure that Module
proxy_module is disabled, otherwise Apache won't compile. If you are
in need of a proxy, go for Squid <http://squid.nlanr.net/>.

Now make certificate to generate SSLconf/conf/httpsd.pem.
2.4. Adding frontpage

Rename the fp30.linux.tar.Z file to fp30.linux.tar.gz, otherwise the
install script will not find it. Run ./fp_install to copy the
extension files to /usr/local/frontpage. zcat can usually be invoked
as /usr/bin/zcat.

You now have to apply the FP patch. cd to /usr/src/apache_1.2.6/src
and type

  patch < /usr/src/frontpage/version3.0/apache-fp/fp-patch-apache_1.2.5

This will create the mod_frontpage.* files and do some modifications
to Configuration etc. The 1.2.5 patch will work with both apache 1.2.5
and 1.2.6. Skip the part about installing webs; you can do that later.
3. Putting it all together

3.1. Apache modules to try

The modules I use besides SSL, PHP and frontpage are:

  Module env_module mod_env.o
  Module config_log_module mod_log_config.o
  Module mime_module mod_mime.o
  Module negotiation_module mod_negotiation.o
  Module dir_module mod_dir.o
  Module cgi_module mod_cgi.o
  Module asis_module mod_asis.o
  Module imap_module mod_imap.o
  Module action_module mod_actions.o
  Module alias_module mod_alias.o
  Module rewrite_module mod_rewrite.o
  Module access_module mod_access.o
  Module auth_module mod_auth.o
  Module anon_auth_module mod_auth_anon.o
  Module digest_module mod_digest.o
  Module expires_module mod_expires.o
  Module headers_module mod_headers.o
  Module browser_module mod_browser.o
3.2. Giving CGI's more security

If you are an ISP (you probably are when you read this) you will want
to improve security. The suexec utility allows you to do so; it will
execute cgi's under the UID of the webowner instead of executing them
under the webserver's UID. Go to /usr/src/apache_1.2.6/support and
make suexec. chmod 4711 suexec and copy it to the location specified
in ../src/httpd.h, which is /usr/local/etc/httpd/sbin/suexec by
default. If the path seems a little cryptic to you - it did to me -
edit httpd.h and set the path to a more comfortable value.
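Before pointing suexec at a user's cgi-bin it is worth checking that the scripts there meet suexec's own conditions: suexec runs a CGI only if the script and its directory are owned by the target user, are not writable by others and carry no setuid or setgid bit; anything else is refused and ends up in error_log rather than in the browser. The following POSIX shell script is an added example, not code from the HOWTO or from Apache, that runs those checks over a directory (it is stricter than suexec in also flagging group-writable paths, since that group is usually the web server's). The directory and user name are arguments, and the sample cgi-bin it builds when run without arguments is constructed for the demonstration.

```sh
#!/bin/sh
# Added example, not part of the HOWTO or of Apache: pre-flight audit of a
# vhost's cgi-bin for the conditions suexec enforces before it runs a CGI.
# suexec refuses a script whose directory or file is owned by someone other
# than the target user, is writable by others, or carries a setuid/setgid bit.
# The extra group-writable rule below is this script's own, stricter, choice.

# perm_string PATH -> ls(1) mode string such as "-rwxr-xr-x"
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# owner_of PATH -> owning user as ls(1) prints it
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# audit_path PATH USER -> one line per violated rule, nothing if clean.
# Mode string columns: 4 user-x/setuid, 6 group-w, 7 group-x/setgid, 9 other-w
audit_path() {
    p=$1
    want=$2
    mode=$(perm_string "$p")
    own=$(owner_of "$p")
    if [ "$own" != "$want" ]; then echo "$p: owned by $own, expected $want"; fi
    case $(printf '%s' "$mode" | cut -c9) in w) echo "$p: writable by others" ;; esac
    case $(printf '%s' "$mode" | cut -c6) in w) echo "$p: writable by group" ;; esac
    case $(printf '%s' "$mode" | cut -c4) in s|S) echo "$p: setuid bit set" ;; esac
    case $(printf '%s' "$mode" | cut -c7) in s|S) echo "$p: setgid bit set" ;; esac
}

# audit_cgi_dir DIR USER -> audits DIR and every directory and file below it
audit_cgi_dir() {
    find "$1" -type d -o -type f | while IFS= read -r f; do
        audit_path "$f" "$2"
    done
}

# count_cgi_problems DIR USER -> number of problem lines; 0 means suexec will
# accept the ownership and modes it finds there
count_cgi_problems() {
    audit_cgi_dir "$1" "$2" | wc -l | tr -d ' '
}

# make_sample_cgi_dir -> constructed cgi-bin in a temp directory: ok.cgi is
# fine, bad.cgi is group- and world-writable. Prints the path.
make_sample_cgi_dir() {
    d=$(mktemp -d)
    chmod 755 "$d"
    printf '#!/bin/sh\necho "Content-type: text/plain"\necho\necho ok\n' > "$d/ok.cgi"
    chmod 755 "$d/ok.cgi"
    printf '#!/bin/sh\necho "Content-type: text/plain"\necho\necho bad\n' > "$d/bad.cgi"
    chmod 777 "$d/bad.cgi"
    printf '%s\n' "$d"
}

# Usage: sh audit-cgi.sh /var/httpd/virt1/cgi-bin virt1admin
# Without arguments, audits the constructed sample directory instead.
if [ $# -eq 2 ]; then
    audit_cgi_dir "$1" "$2"
elif [ $# -eq 0 ]; then
    sample=$(make_sample_cgi_dir)
    audit_cgi_dir "$sample" "$(owner_of "$sample")"
    rm -rf "$sample"
fi
```

Run it as root against each vhost's cgi-bin with the User named in that vhost's block; an empty report means the files are in the shape suexec expects, and each reported line is a chmod or chown away from working.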
3.3. Compiling and installing the server daemon

Enter /usr/src/apache_1.2.6/src and edit Configuration to set all the
Modules you want to include in your Apache daemon. When done, run
./Configure and make. This is the last (and most complicated)
compilation step, so cross your fingers. If it succeeds, cp httpsd to
/usr/sbin. The daemon is somewhat big; consider this when assembling
your webserver. Create the directory /var/httpd with subdirectories
cgi-bin, conf, htdocs, icons, virt1, virt2 and logs. In
/usr/src/apache_1.2.6/conf edit access.conf-dist, mime.types and
srm.conf-dist to suit your needs and copy them to
/var/httpd/conf/access.conf, srm.conf and mime.types. Copy the
httpsd.pem you created with make certificate to /var/httpd/conf. Use
the following httpd.conf:

  ServerType standalone
  Port 80
  Listen 80
  Listen 443
  User wwwrun
  Group wwwrun
  ServerAdmin webmaster@yourhost.com
  ServerRoot /var/httpd
  ErrorLog logs/error_log
  TransferLog logs/access_log
  PidFile logs/httpd.pid
  ServerName www.yourhost.com
  MinSpareServers 3
  MaxSpareServers 20
  StartServers 3

  SSLCACertificatePath /var/httpd/conf
  SSLCACertificateFile /var/httpd/conf/httpsd.pem
  SSLCertificateFile /var/httpd/conf/httpsd.pem
  SSLLogFile /var/httpd/logs/ssl.log

  <VirtualHost www.virt1.com>
    SSLDisable
    ServerAdmin webmaster@virt1.com
    DocumentRoot /var/httpd/virt1
    ScriptAlias /cgi-bin/ /var/httpd/virt1/cgi-bin/
    ServerName www.virt1.com
    ErrorLog logs/virt1-error.log
    TransferLog logs/virt1-access.log
    User virt1admin
    Group users
  </VirtualHost>

  <VirtualHost www.virt1.com:443>
    ServerAdmin webmaster@virt1.com
    DocumentRoot /var/httpd/virt1
    ScriptAlias /cgi-bin/ /var/httpd/virt1/cgi-bin/
    ServerName www.virt1.com
    ErrorLog logs/virt1-ssl-error.log
    TransferLog logs/virt1-ssl-access.log
    User virt1admin
    Group users
    SSLCACertificatePath /var/httpd/conf
    SSLCACertificateFile /var/httpd/conf/httpsd.pem
    SSLCertificateFile /var/httpd/conf/httpsd.pem
    SSLLogFile /var/httpd/logs/virt1-ssl.log
    SSLVerifyClient 0
    SSLFakeBasicAuth
  </VirtualHost>

  <VirtualHost www.virt2.com>
    SSLDisable
    ServerAdmin webmaster@virt2.com
    DocumentRoot /var/httpd/virt2
    ScriptAlias /cgi-bin/ /var/httpd/virt2/cgi-bin/
    ServerName www.virt2.com
    ErrorLog logs/virt2-error.log
    TransferLog logs/virt2-access.log
  </VirtualHost>

Depending on the modules compiled in, not all directives may be
available. You can retrieve a list of available directives with
httpsd -h.
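The split in the httpd.conf above follows the Apache-SSL rule that every host speaks SSL unless it says SSLDisable: the port-80 hosts carry SSLDisable, and the :443 host carries the certificate directives. The following shell function is an added example, not part of the HOWTO, that reads an httpd.conf and reports hosts breaking that pattern: an SSL host that switches SSL off, a plain host that forgot SSLDisable, and a :443 host with no SSLCertificateFile either in its block or globally. It treats a host as an SSL host when its VirtualHost name ends in :443, as the hosts above are named. The configuration it writes for its own demonstration is constructed from the one above plus two hypothetical broken hosts (www.broken1.example, www.broken2.example).

```sh
#!/bin/sh
# Added example, not part of the HOWTO: lint the VirtualHost blocks of an
# Apache-SSL httpd.conf. Every host is an SSL host unless it says SSLDisable,
# so a plain host needs SSLDisable, an SSL (:443) host must not have it, and
# an SSL host needs an SSLCertificateFile either in its block or globally.

# check_ssl_vhosts CONF -> one line per host that breaks one of the rules
check_ssl_vhosts() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    { line = trim($0) }
    line ~ /^<VirtualHost[ \t]/ {
        name = line
        sub(/^<VirtualHost[ \t]+/, "", name)
        sub(/>.*$/, "", name)
        in_vhost = 1; ssl = (name ~ /:443$/); cert = 0; dis = 0
        next
    }
    line ~ /^<\/VirtualHost>/ {
        if (ssl && dis)   print name ": SSL host has SSLDisable"
        if (!ssl && !dis) print name ": non-SSL host without SSLDisable"
        if (ssl && !cert) nocert[++n] = name
        in_vhost = 0
        next
    }
    line ~ /^SSLCertificateFile[ \t]/ { if (in_vhost) cert = 1; else gcert = 1 }
    line ~ /^SSLDisable/             { if (in_vhost) dis = 1 }
    END {
        # decided last: a global SSLCertificateFile may follow the hosts
        if (!gcert)
            for (i = 1; i <= n; i++)
                print nocert[i] ": SSL host without SSLCertificateFile (no global one either)"
    }' "$1"
}

# count_vhost_problems CONF -> number of reported problems
count_vhost_problems() {
    check_ssl_vhosts "$1" | wc -l | tr -d ' '
}

# write_sample_conf FILE -> constructed config: the HOWTO hosts, trimmed to
# the relevant directives, plus two hypothetical broken hosts
write_sample_conf() {
    cat > "$1" <<'EOF'
Port 80
Listen 80
Listen 443
User wwwrun
Group wwwrun
ServerRoot /var/httpd
SSLCertificateFile /var/httpd/conf/httpsd.pem

<VirtualHost www.virt1.com>
SSLDisable
DocumentRoot /var/httpd/virt1
ServerName www.virt1.com
</VirtualHost>

<VirtualHost www.virt1.com:443>
DocumentRoot /var/httpd/virt1
ServerName www.virt1.com
SSLCertificateFile /var/httpd/conf/httpsd.pem
SSLVerifyClient 0
</VirtualHost>

<VirtualHost www.virt2.com>
SSLDisable
DocumentRoot /var/httpd/virt2
ServerName www.virt2.com
</VirtualHost>

# constructed, hypothetical: SSL host that switches SSL off
<VirtualHost www.broken1.example:443>
SSLDisable
DocumentRoot /var/httpd/broken1
</VirtualHost>

# constructed, hypothetical: plain host that forgot SSLDisable
<VirtualHost www.broken2.example>
DocumentRoot /var/httpd/broken2
</VirtualHost>
EOF
}

# Usage: sh lint-vhosts.sh /var/httpd/conf/httpd.conf
# Without arguments, lints the constructed sample (two lines expected).
if [ $# -eq 1 ]; then
    check_ssl_vhosts "$1"
elif [ $# -eq 0 ]; then
    tmp=$(mktemp)
    write_sample_conf "$tmp"
    check_ssl_vhosts "$tmp"
    rm -f "$tmp"
fi
```

The three hosts from the HOWTO pass silently; only the two constructed hosts are reported. Run the function over the real httpd.conf after every edit to a VirtualHost block, before the kill -HUP.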
3.4. Adding frontpage support to a web

Enter /usr/local/frontpage/version3.0/bin and load ./fpsrvadm. Choose
install and apache-fp. The next questions should be answered the
following way:

  Enter server config filename: /var/httpd/conf/httpd.conf
  Enter host name for multi-hosting []: www.virt2.com
  Starting install, port: www.virt2.com:80, web: ""
  Enter user's name []: virt2admin
  Enter user's password:
  Confirm password:
  Creating root web
  Recalculate links for root web
  Install completed.

The user name must be the unix login of the webowner. The password
does not necessarily have to match the system password. You have to
manually add sendmailcommand:/usr/sbin/sendmail %r to
/usr/local/frontpage/www.virt2.com:80.conf, otherwise your users will
not be able to send web-generated eMails. kill -HUP your httpsd to
make fp reread its config. You can now access www.virt2.com with your
frontpage client.

Under some circumstances fpsrvadm complains that a root web has to be
installed first. This is pretty useless, but you should do so to
silence fpsrvadm.
3.5. Starting the daemon

Start Apache with httpsd -f /var/httpd/conf/httpd.conf. You can now
access www.virt1.com both through http and https, which is pretty
cool. Of course you have to pay for a real certificate if you want to
offer webwide SSL, or users might laugh at you.

Copy one of the demo files from the php examples directory to virt1 to
test phtml.
3.6. Some considerations left

Do not use frontpage 97 extensions. They do not work, at least under
Linux. When installing specific versions of the c++ libraries, they
appear to work, but your logs will soon fill with "premature end of
script headers" and your mailbox will fill with complaints. Do not use
frontpage 98 extensions before version 3.0.2.1330. Do not be confused,
version numbers are somewhat heterogeneous. When telnetting to port
80, typing "get / http/1.0" and hitting return twice, you get a
version number 3.0.4 for frontpage.

You can find out the more specific version number by executing
/usr/local/frontpage/currentversion/exes/_vti_bin/shtml.exe -version.
Older versions have a nasty bug that requires httpd.conf to be
writable by the gid of the webserver. This should make you scream if
you are at all concerned about security. Versions since 3.0.2.1330
are more usable.
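Two of the files in /var/httpd/conf deserve a permission check along these lines. The httpd.conf from section 3.3 names no separate key file, so httpsd.pem must hold the private key next to the certificate, and Apache reads it as root before switching to User wwwrun; nothing running as wwwrun needs to read it. The frontpage bug just described shows the other failure: a group-writable httpd.conf lets anything running under the server's uid or gid, phtml scripts and the frontpage extensions included, rewrite the server configuration. The following shell script is an added example, not code from the HOWTO, that audits a conf directory for both conditions. The directory is an argument; the files it creates when run without arguments are constructed for the demonstration, and the PEM it writes contains marker lines only, not a key.

```sh
#!/bin/sh
# Added example, not part of the HOWTO: audit a web server's conf directory.
# Rule 1: neither the directory nor any file in it may be writable by group or
#         others, so nothing running as the server's User/Group can edit
#         httpd.conf.
# Rule 2: a PEM file holding a private key must be readable by its owner only;
#         Apache opens it as root before switching to User/Group.

perm_string() {
    ls -ld "$1" | cut -c1-10
}

# mode_char PATH N -> the N-th character of the ls(1) mode string
# (5 group-r, 6 group-w, 8 other-r, 9 other-w)
mode_char() {
    perm_string "$1" | cut -c"$2"
}

# holds_private_key FILE -> succeeds if FILE carries a PEM private key block
holds_private_key() {
    [ -f "$1" ] && grep -q 'PRIVATE KEY-----' "$1"
}

# audit_conf_file PATH -> one line per violated rule, nothing if clean
audit_conf_file() {
    p=$1
    if [ "$(mode_char "$p" 6)" = w ]; then echo "$p: writable by group"; fi
    if [ "$(mode_char "$p" 9)" = w ]; then echo "$p: writable by others"; fi
    if holds_private_key "$p"; then
        if [ "$(mode_char "$p" 5)" = r ]; then echo "$p: private key readable by group"; fi
        if [ "$(mode_char "$p" 8)" = r ]; then echo "$p: private key readable by others"; fi
    fi
}

# audit_conf_dir DIR -> audits DIR itself and each regular file directly in it
audit_conf_dir() {
    audit_conf_file "$1"
    for f in "$1"/*; do
        if [ -f "$f" ]; then audit_conf_file "$f"; fi
    done
}

# count_conf_problems DIR -> number of problem lines (0 = clean)
count_conf_problems() {
    audit_conf_dir "$1" | wc -l | tr -d ' '
}

# make_sample_conf_dir -> constructed conf directory in a temp dir: httpd.conf
# mode 644 and httpsd.pem mode 600 whose contents are dummy markers, not a
# real key or certificate. Prints the path.
make_sample_conf_dir() {
    d=$(mktemp -d)
    chmod 755 "$d"
    printf 'ServerRoot /var/httpd\nUser wwwrun\nGroup wwwrun\n' > "$d/httpd.conf"
    chmod 644 "$d/httpd.conf"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'CONSTRUCTED-NOT-A-KEY' \
        '-----END RSA PRIVATE KEY-----' '-----BEGIN CERTIFICATE-----' \
        'CONSTRUCTED-NOT-A-CERT' '-----END CERTIFICATE-----' > "$d/httpsd.pem"
    chmod 600 "$d/httpsd.pem"
    printf '%s\n' "$d"
}

# Usage: sh audit-conf.sh /var/httpd/conf
# Without arguments, audits the constructed sample (which is clean).
if [ $# -eq 1 ]; then
    audit_conf_dir "$1"
elif [ $# -eq 0 ]; then
    sample=$(make_sample_conf_dir)
    audit_conf_dir "$sample"
    rm -rf "$sample"
fi
```

A frontpage version that insists on a group-writable httpd.conf will show up as exactly one reported line for that file; the fix the HOWTO recommends is upgrading the extensions, not loosening the check.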
3.7. Known bugs

When touching Recalculate Links in the frontpage client, the server
starts a process that consumes 99% of the cpu cycles and some 10 mb of
memory. Even for medium-sized webs and fast machines, the client
sometimes receives a timeout message, though the calculation will be
finished correctly. Inform frontpage users to be patient and not to
hit Recalculate Links several times, and remind yourself to equip the
server with at least 64MB.

Please note that at the time of writing both SSL and frontpage work,
but not at the same time; that means you can neither publish your web
using ssl nor make use of the webbots through https. You can publish
your web on port 80 and access it encrypted on port 443, but your
counters etc. will be broken. I consider this a bug. This problem
shall be fixed in SSL 0.9.0.
3.8. The final word

For those who think the title of this howto is nearly as long as the
document: Did you ever listen to Meat Loaf?

O.K. readers, you're done for today. Feel free to send me your
feedback, eternal gratitude, flowers, ecash, cars, oil sources etc.