Required source archives:
- openssl-0.9.6j.tar.gz
- apache_1.3.27.tar.gz
- mod_ssl_2.8.14.tar.gz
- mm-1.3.0.tar.gz (MM, a Shared Memory Library for Apache/EAPI)
Fetch them from ftp://noc.ws.afnog.org/pub/t1 and drop them in /usr/local/.
$ tar -zxvf openssl-0.9.6j.tar.gz
$ cd openssl-0.9.6j/
Take a look at the README and INSTALL files.
$ sh config no-threads -fPIC
$ make
$ make test
$ cd ..
NOTE: OpenSSL understands a lot more options on the `config'
command line. For instance you can add some command line
options (like `-DSSL_FORBID_ENULL' for not allowing Null
encryptions, or adding `-DSSL_ALLOW_ADH' for allowing
Anonymous Diffie-Hellman ciphers, etc) to adjust the OpenSSL
internals (see OpenSSL's top-level Makefile for details).
NOTE: When your system already has OpenSSL installed (for instance some
Linux distributions ship with OpenSSL installed out-of-the-box) in
system locations you can ignore the OpenSSL steps above, too. Then
use `SSL_BASE=SYSTEM' instead of `SSL_BASE=../openssl-0.9.x'
and mod_ssl will search for OpenSSL's binary, header and library
files in $PATH and system locations.
NOTE: The -fPIC option builds OpenSSL with Position Independent Code
(PIC) which is only important when building mod_ssl as a
Dynamic Shared Object (DSO).
NOTE: The optional `no-threads' keyword above is to increase
performance inside OpenSSL, because Apache 1.3 does not
use threads anyway. However, OpenSSL, if built without
`no-threads', by default builds with multi-threading support.
This multi-threading support involves using locking around a
lot of internal object manipulation (esp. reference counts).
The fact that it is not possible in Apache 1.3 to have
threads racing on any kind of object internal to OpenSSL
means that any overhead (memory and/or time) relating to
these locking mechanisms is wasted by default.
Building the MM shared memory Library
Optionally you now can build the MM Shared Memory library when you want
shared memory support in Apache/EAPI. For instance this allows mod_ssl to
use a high-performance RAM-based session cache instead of a disk-based
one.
$ tar xvzf mm-1.3.0.tar.gz
$ cd mm-1.3.0
$ ./configure --disable-shared
$ make
$ cd ..
NOTE: When your system already has MM installed in system locations
you can ignore the steps above and then use `EAPI_MM=SYSTEM'
instead of `EAPI_MM=../mm-1.1.x' below.
NOTE: Do not forget the --disable-shared option above. Otherwise you have
to set an explicit LD_LIBRARY_PATH which includes the
/path/to/mm-1.1.x/.libs/ directory, or the compilation of Apache
will fail because the shared library cannot be found.
Building Apache with mod_ssl.
Now apply the mod_ssl source extension and source patches to the Apache
source tree, configure the Apache sources and build Apache with mod_ssl
and OpenSSL.
$ cd mod_ssl-2.8.14-1.3.27
$ ./configure --with-apache=../apache_1.3.27 --with-ssl=../openssl-0.9.6j --with-mm=../mm-1.3.0 --prefix=/usr/local/apache
$ cd ..
$ cd apache_1.3.27
$ make
$ make certificate TYPE=custom
$ make install
$ cd ..
NOTE: Adding the --enable-shared=ssl option to the mod_ssl configure
command above builds mod_ssl as a DSO `libssl.so'. Read the INSTALL and
htdocs/manual/dso.html documents in the Apache source tree for
more information about DSO support in Apache. It is advisable for
ISPs and package maintainers to use the DSO facility for maximum
flexibility with mod_ssl. But notice that DSO is not supported
by Apache on all platforms.
You can now test whether your installation has been successful by running
$ /usr/local/apache/bin/apachectl startssl
and then firing up your browser and going to https://pcname.t1.ws.afnog.org,
where pcname is the hostname of your workstation.
Using SSL means you're running two virtual servers:
- one on port 80 (the regular server)
- one on port 443 (the SSL server)
You have more directories to keep track of because of your keys.
The key that was generated is valid for only one hostname, so a key per
virtual host is a good idea if you're doing virtual hosts with SSL servers
as well.
Unsigned (i.e. self-signed) keys are fine for things like running your
webmail services through SSL; for e-commerce type applications, having a
key signed by a reliable CA (certificate authority) is considered normal.
CAs include Verisign (USA), Thawte (South Africa) and others.
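Added example, not part of the original lab notes: a small check to run after `apachectl startssl` that confirms the certificate served on port 443 carries the hostname the browser will ask for (the notes say the generated key is valid for one hostname only, which matters once you add SSL virtual hosts). pcname.t1.ws.afnog.org is taken from the notes; the subject strings in the comments and test are constructed samples.

```shell
# Pull the CN out of a subject line as printed by `openssl x509 -noout -subject`.
# Handles both the old "subject=/C=KE/O=AFNOG/CN=host" layout of OpenSSL 0.9.x
# and the newer "subject=C = KE, O = AFNOG, CN = host" layout.
cert_cn() {
    printf '%s\n' "$1" | sed -n 's|.*CN *= *\([^/,]*\).*|\1|p'
}

# Exit 0 if the certificate CN is exactly the hostname the client will use.
# (CN-only check, which is what the certificate made by `make certificate`
# above carries; no wildcard or subjectAltName handling.)
cn_matches_host() {
    cn=$(cert_cn "$1")
    [ -n "$cn" ] && [ "$cn" = "$2" ]
}

# Connect to port 443 of $1 with the openssl binary built above, grab the
# server certificate's subject and compare it with $1. Needs the SSL server
# to be running; returns 2 if no certificate could be fetched.
check_ssl_host() {
    host=$1
    subject=$(openssl s_client -connect "$host:443" </dev/null 2>/dev/null \
              | openssl x509 -noout -subject 2>/dev/null) || return 2
    if cn_matches_host "$subject" "$host"; then
        echo "OK: $host presents a certificate for $host"
    else
        echo "MISMATCH: $host presents CN '$(cert_cn "$subject")'; browsers will warn" >&2
        return 1
    fi
}

# Usage once the server is up:  check_ssl_host pcname.t1.ws.afnog.org
```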
Last modified: Mon June 10 01:30:40 EAT 2003