222 lines
8.7 KiB
HTML
222 lines
8.7 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|
|
<HTML>
|
|
<HEAD>
|
|
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
|
|
<TITLE>Linux Apache SSL PHP/FI frontpage mini-HOWTO: Putting it all together</TITLE>
|
|
<LINK HREF="Apache+SSL+PHP+fp-2.html" REL=previous>
|
|
<LINK HREF="Apache+SSL+PHP+fp.html#toc3" REL=contents>
|
|
</HEAD>
|
|
<BODY>
|
|
Next
|
|
<A HREF="Apache+SSL+PHP+fp-2.html">Previous</A>
|
|
<A HREF="Apache+SSL+PHP+fp.html#toc3">Contents</A>
|
|
<HR>
|
|
<H2><A NAME="s3">3. Putting it all together</A></H2>
|
|
|
|
<H2><A NAME="ss3.1">3.1 Apache modules to try</A>
|
|
</H2>
|
|
|
|
<P>The modules I use besides SSL, PHP and frontpage are:
|
|
<PRE>
|
|
Module env_module mod_env.o
|
|
Module config_log_module mod_log_config.o
|
|
Module mime_module mod_mime.o
|
|
Module negotiation_module mod_negotiation.o
|
|
Module dir_module mod_dir.o
|
|
Module cgi_module mod_cgi.o
|
|
Module asis_module mod_asis.o
|
|
Module imap_module mod_imap.o
|
|
Module action_module mod_actions.o
|
|
Module alias_module mod_alias.o
|
|
Module rewrite_module mod_rewrite.o
|
|
Module access_module mod_access.o
|
|
Module auth_module mod_auth.o
|
|
Module anon_auth_module mod_auth_anon.o
|
|
Module digest_module mod_digest.o
|
|
Module expires_module mod_expires.o
|
|
Module headers_module mod_headers.o
|
|
Module browser_module mod_browser.o
|
|
</PRE>
|
|
<P>
|
|
<H2><A NAME="ss3.2">3.2 Giving CGI's more security</A>
|
|
</H2>
|
|
|
|
<P>If you are an ISP (you probably are when you read this) you will
|
|
want to improve security. The suexec utility allows you to do so; it will
|
|
execute cgi's under the UID of the webowner instead of executing it
|
|
under the webservers UID.
|
|
Go to <CODE>/usr/src/apache_1.2.6/support</CODE> and <CODE>make suexec</CODE>.
|
|
<CODE>chmod 4711 suxec</CODE> and copy it to the location specified in
|
|
<CODE>../src/httpd.h</CODE> which is <CODE>/usr/local/etc/httpd/sbin/suexec</CODE>
|
|
by default. If the path seems a little cryptic to you - it did to me - edit
|
|
<CODE>httpd.h</CODE> and set the path to a more comfortable value.
|
|
<P>
|
|
<H2><A NAME="ss3.3">3.3 Compiling and installing the server daemon</A>
|
|
</H2>
|
|
|
|
<P>Enter <CODE>/usr/src/apache_1.2.6/src</CODE> and edit
|
|
<CODE>Configuration</CODE> to set all the Modules you want to include in your
|
|
Apache daemon. When done, run <CODE>./Configure</CODE> and <CODE>make</CODE>. This is
|
|
the last (and most complicated) compilation step, so cross your fingers. If it
|
|
succeeds, <CODE>cp httpsd</CODE> to <CODE>/usr/sbin</CODE>. The daemon is somewhat
|
|
big, consider this when assembling your webserver. Create the directory
|
|
<CODE>/var/httpd</CODE> with subdirectories <CODE>cgi-bin</CODE>, <CODE>conf</CODE>,
|
|
<CODE>htdocs</CODE>, <CODE>icons</CODE>, <CODE>virt1</CODE>, <CODE>virt2</CODE> and
|
|
<CODE>logs</CODE>. In <CODE>/usr/src/apache_1.2.6/conf</CODE> edit
|
|
<CODE>access.conf-dist</CODE>, <CODE>mime.types</CODE> and <CODE>srm.conf-dist</CODE>
|
|
to suit your needs and copy them to <CODE>var/httpd/conf/access.conf</CODE>,
|
|
<CODE>srm.conf</CODE> and <CODE>mime.types</CODE>. Copy the <CODE>httpsd.pem</CODE> you
|
|
created with <CODE>make certificate</CODE> to <CODE>/var/httpd/conf</CODE>. Use the
|
|
following <CODE>httpd.conf</CODE>:
|
|
<PRE>
|
|
ServerType standalone
|
|
Port 80
|
|
Listen 80
|
|
Listen 443
|
|
User wwwrun
|
|
Group wwwrun
|
|
ServerAdmin webmaster@yourhost.com
|
|
ServerRoot /var/httpd
|
|
ErrorLog logs/error_log
|
|
TransferLog logs/access_log
|
|
PidFile logs/httpd.pid
|
|
ServerName www.yourhost.com
|
|
MinSpareServers 3
|
|
MaxSpareServers 20
|
|
StartServers 3
|
|
|
|
SSLCACertificatePath /var/httpd/conf
|
|
SSLCACertificateFile /var/httpd/conf/httpsd.pem
|
|
SSLCertificateFile /var/httpd/conf/httpsd.pem
|
|
SSLLogFile /var/httpd/logs/ssl.log
|
|
|
|
<VirtualHost www.virt1.com>
|
|
SSLDisable
|
|
ServerAdmin webmaster@virt1.com
|
|
DocumentRoot /var/httpd/virt1
|
|
ScriptAlias /cgi-bin/ /var/httpd/virt1/cgi-bin/
|
|
ServerName www.virt1.com
|
|
ErrorLog logs/virt1-error.log
|
|
TransferLog logs/virt1-access.log
|
|
User virt1admin
|
|
Group users
|
|
</VirtualHost>
|
|
|
|
<VirtualHost www.virt1.com:443>
|
|
ServerAdmin webmaster@virt1.com
|
|
DocumentRoot /var/httpd/virt1
|
|
ScriptAlias /cgi-bin/ /var/httpd/virt1/cgi-bin/
|
|
ServerName www.virt1.com
|
|
ErrorLog logs/virt1-ssl-error.log
|
|
TransferLog logs/virt1-ssl-access.log
|
|
User virt1admin
|
|
Group users
|
|
SSLCACertificatePath /var/httpd/conf
|
|
SSLCACertificateFile /var/httpd/conf/httpsd.pem
|
|
SSLCertificateFile /var/httpd/conf/httpsd.pem
|
|
SSLLogFile /var/httpd/logs/virt1-ssl.log
|
|
SSLVerifyClient 0
|
|
SSLFakeBasicAuth
|
|
</VirtualHost>
|
|
|
|
<VirtualHost www.virt2.com>
|
|
SSLDisable
|
|
ServerAdmin webmaster@virt2.com
|
|
DocumentRoot /var/httpd/virt2
|
|
ScriptAlias /cgi-bin/ /var/httpd/virt2/cgi-bin/
|
|
ServerName www.virt2.com
|
|
ErrorLog logs/virt2-error.log
|
|
TransferLog logs/virt2-access.log
|
|
</VirtualHost>
|
|
</PRE>
|
|
<P>Depending on the modules compiled in, not all directives may be available.
|
|
You can retrieve a list of available directives with <CODE>httpsd -h</CODE>.
|
|
<P>
|
|
<H2><A NAME="ss3.4">3.4 Adding frontpage support to a web</A>
|
|
</H2>
|
|
|
|
<P>Enter <CODE>/usr/local/frontpage/version3.0/bin</CODE> and load
|
|
<CODE>./fpsrvadm</CODE>. Choose <CODE>install</CODE> and <CODE>apache-fp</CODE>. The next
|
|
questions should be answered the following way:
|
|
<PRE>
|
|
Enter server config filename: /var/httpd/conf/httpd.conf
|
|
Enter host name for multi-hosting []: www.virt2.com
|
|
Starting install, port: www.virt2.com:80, web: ""
|
|
Enter user's name []: virt2admin
|
|
Enter user's password:
|
|
Confirm password:
|
|
Creating root web
|
|
Recalculate links for root web
|
|
Install completed.
|
|
</PRE>
|
|
<P>The user name must be the unix login of the webowner. The password does not
|
|
necessarily have to match the system password.
|
|
You have to manually add <CODE>sendmailcommand:/usr/sbin/sendmail %r</CODE>
|
|
to <CODE>/usr/local/frontpage/www.virt2.com:80.conf</CODE>, otherwise your users
|
|
will not be able to send web-generated eMails.
|
|
<CODE>kill -HUP</CODE> your <CODE>httpsd</CODE> to make fp reread its config. You can
|
|
now access <CODE>www.virt2.com</CODE> with your frontpage client.
|
|
<P>Under some circumstances <CODE>fpsrvadm</CODE> complaints that a root web has
|
|
to be installed first. This is pretty useless, but you should do so to silence
|
|
<CODE>fpsrvadm</CODE>.
|
|
<P>
|
|
<H2><A NAME="ss3.5">3.5 Starting the daemon</A>
|
|
</H2>
|
|
|
|
<P>Start Apache with <CODE>httpsd -f /var/httpd/conf/httpd.conf</CODE>. You can
|
|
now access <CODE>www.virt1.com</CODE> both through http and https which is pretty
|
|
cool. Of course you have to pay for a real certificate if you want to offer
|
|
webwide SSL or users might laugh at you.
|
|
<P>Copy one of the demo files from the php examples directory to <CODE>virt1</CODE>
|
|
to test phtml.
|
|
<P>
|
|
<H2><A NAME="ss3.6">3.6 Some considerations left</A>
|
|
</H2>
|
|
|
|
<P>Do not use frontpage 97 extensions. They do not work, at least under
|
|
Linux. When installing specific versions of the c++ libraries, they
|
|
appear to work but your logs will soon fill with <CODE>premature end of script
|
|
headers</CODE> and your mailbox will fill with complaints.
|
|
Do not use frontpage 98 extensions before version 3.0.2.1330. Do not be
|
|
confused, version numbers are somewhat inheterogenous. When telnetting
|
|
to port 80, typing "get / http/1.0" and hitting return twice, you get a
|
|
version number 3.0.4 for frontpage.
|
|
<P>
|
|
<A NAME="fpverswarning"></A> You can find out the more specific version
|
|
number by executing
|
|
<CODE>/usr/local/frontpage/currentversion/exes/_vti_bin/shtml.exe -version</CODE>.
|
|
Older versions have a nasty bug that requires httpd.conf to be writable
|
|
by the gid of the webserver. This should make you scream if you are at all
|
|
concerned about security.
|
|
Versions since 3.0.2.1330 are more usable.
|
|
<P>
|
|
<H2><A NAME="ss3.7">3.7 Known bugs</A>
|
|
</H2>
|
|
|
|
<P>When touching <CODE>Recalculate Links</CODE> in the frontpage client, the server
|
|
starts a process that consumes 99% cpu cycles and some 10 mb of memory. But
|
|
even for medium-sized webs and fast machines, the client sometimes recieves
|
|
a timeout message, though the calculation will be finished correctly. Inform
|
|
frontpage users to be patient and not to hit <CODE>Recalculate Links</CODE>
|
|
several times. Inform yourself to equip the server with at least 64MB.
|
|
<P>Please note that at the time of writing both SSL and frontpage work, but
|
|
not at the same time, that means you can neither publish your web using ssl
|
|
nor make use of the webbots through https. You can publish your web on
|
|
port 80 and access it encrypted on port 443, but your counters etc. will be
|
|
broken. I consider this a bug. This problem shall be fixed in SSL 0.9.0.
|
|
<P>
|
|
<H2><A NAME="ss3.8">3.8 The final word</A>
|
|
</H2>
|
|
|
|
<P>For those who think the title of this howto is nearly as long as the
|
|
document: Did you ever listened to Meat Loaf?
|
|
<P>O.K. readers, you're done for today. Feel free to send me your feedback,
|
|
eternal gratitude, flowers, ecash, cars, oil sources etc.
|
|
<P>
|
|
<HR>
|
|
Next
|
|
<A HREF="Apache+SSL+PHP+fp-2.html">Previous</A>
|
|
<A HREF="Apache+SSL+PHP+fp.html#toc3">Contents</A>
|
|
</BODY>
|
|
</HTML>
|