Linux HOWTOs

About | Home | Search


HOWTO: apache2
Description: The 2.x version of the Apache HTTP server
Click here for ChangeLog
NOTE: I use GNU tar >= 1.13.25 so it's -j for .tar.bz2 files,
it's safe to assume that make, gcc, binutils, fileutils/coreutils, gawk, sed, and grep are prerequisites for almost everything


# Apache HTTP 2.x + mod_ssl
# =========================
# Unlike Apache 1.x, mod_ssl is part of Apache 2.x (if you enable it)

# If you also want mod_jk, see the Apache Tomcat HOWTO, which I have not
# yet uploaded because it is drastically outdated.

# Versions of Apache 2.x that are included with Slackware:
# Slackware 13.37: httpd 2.2.17
# Slackware 14.0: httpd 2.4.3
# Slackware 14.1: httpd 2.4.6
# Slackware 14.2: httpd 2.4.20 (check 'patches' for updates)

# Create directories for the extracted source and the tarball
mkdir -p -m 0700 ~/backup/apache2 ~/installed/apache2 ~/src/apache2


# Apache httpd 2.4.39
# ===================
# Prerequisites:
# pkg-config
# APR
# APR-util
# OpenLDAP (optional)
# Berkeley DB (bdb)
# Expat
# iconv
# OpenSSL >= 0.9.8a (optional)
# rsync (see below)
# PCRE
# Nghttp2 >= 1.2.1 (optional)
# Brotli (optional)

# Apache 2.4.39 announcement
# New features in Apache HTTP Server 2.4
# Changes with Apache 2.4.39

# Get it
cd
test -f installed/apache2/httpd-2.4.39.tar.bz2 &&
 mv installed/apache2/httpd-2.4.39.tar.bz2 .
test ! -f httpd-2.4.39.tar.bz2 &&
 wget http://www.apache.org/dist/httpd/httpd-2.4.39.tar.bz2

# Verify tarball w/ sha256sum:
# (this came from my gpg-verified tarball and the Apache site)
echo "b4ca9d05773aa59b54d66cd8f4744b945289f084d3be17d7981d1783a5decf\
a2  httpd-2.4.39.tar.bz2" | sha256sum -c

# Verify tarball w/ gpg:
( gpg --list-keys 1AD84DFF > /dev/null 2>&1 || gpg --recv-keys 1AD84DFF ) &&
 wget -nc http://www.apache.org/dist/httpd/httpd-2.4.39.tar.bz2.asc &&
  gpg --verify httpd-2.4.39.tar.bz2.asc && rm httpd-2.4.39.tar.bz2.asc

# Extract it
cd ~/src/apache2
find -maxdepth 1 -type d -name "httpd-*" -exec rm -r {} \;
tar xjvf ~/httpd-2.4.39.tar.bz2
cd httpd-2.4.39
test $UID = 0 && chown -R root:root .

# The default prefix is /usr/local/apache2, so if you have an Apache 1.x
# installed under /usr/local/apache it won't be overwritten.

# I include some of the options that I pass to configure below.  You may only
# want to run ./configure with no options.  See './configure --help' and
# the docs for more information about building certain features into Apache,
# and how to leave others out.  --enable-vhost-alias and --enable-rewrite
# are notably spiffy ones.  If you're upgrading an older version of Apache
# and you don't know what modules it was built with, run
# '/usr/local/apache2/bin/httpd -l' to list them.  Look in
# /usr/local/apache2/modules to see what so modules there are.

# If you're planning on installing subversion and it's Apache modules,
# pass "--enable-dav --enable-dav-fs" to configure

# Note: even though --with-ldap isn't listed in the output of ./configure
# --help, it was necessary for me in the past with a previous release

# If your OpenSSL is entirely installed under the < 1.1.0 /usr/local/ssl
# prefix, use --with-ssl=/usr/local/ssl  Otherwise, if you use /usr or
# /usr/local (default as of >= 1.1.0) it should find it.

# If APR-util was built with LDAP support, that is good enough
#
# To successfully pass --enable-ldap --enable-authnz-ldap to configure here,
# APR-util will had to have been built with it

# Configure the build
./configure --enable-ssl --enable-rewrite --enable-vhost-alias --enable-so \
 --with-mpm=prefork

# Build it
make

# Become root to install it
su

# Though 'make install' will not overwrite existing files, back everything
# up.  This will exclude binaries, libraries, icons, etc. to save space.  If
# you want to back up any of those things, leave out the appropriate
# --exclude=dir part.
test -d /usr/local/apache2 &&
 ( cd /usr/local
   tar cjv --exclude=bin --exclude=build --exclude=error --exclude=icons \
    --exclude=include --exclude=lib --exclude=man --exclude=manual \
    --exclude=modules -f apache2-`date +%Y%m%d`.tar.bz2 apache2
   test -s apache2-`date +%Y%m%d`.tar.bz2 &&
    mv -f apache2-`date +%Y%m%d`.tar.bz2 ~/backup/apache2/ )

# If you're replacing an Apache 2.x that came from a Slackware package,
# back up those files, remove the package, and then remove the leftovers
# (and shut it down first if it's running)
test -d /etc/httpd -a -d /var/www &&
 ( mkdir -p -m 0700 /root/backup/apache2
   tar cjvf ~/backup/apache2/httpd-$(date +%Y%m%d).tar.bz2 \
    /etc/httpd /etc/logrotate.d/httpd /etc/rc.d/rc.httpd /var/www
   test -x /etc/rc.d/rc.httpd && /etc/rc.d/rc.httpd stop
   test -x /sbin/removepkg && /sbin/removepkg httpd
   test -d /etc/httpd && rm -r /etc/httpd
   test -d /var/run/httpd && rm -r /var/run/httpd
   test -d /var/www && rm -r /var/www )

# If you are upgrading Apache, and Apache is still running, keep in mind
# that it may segfault once you 'make install'.  So you may want to stop it
# or redirect port 80 to another web server (ie. with a 'Down for server
# maintenance') page).

# 'make install' runs rsync, so make sure you've got it and that it's
# functional (make sure 'rsync --help' runs OK)

# Install it
make install

# Open up /usr/local/apache2/conf/httpd.conf and fix at least ServerAdmin,
# setting ServerName is usually a good idea too, even though you usually
# don't have to.

# If you're upgrading from 1.x to 2.x you may want to change Listen to
# 8080 (or some other port), then make sure everything works under
# http://localhost:8080/ before moving it over for real.

# Start the server.  Replace 'action' below with what you want to do.  If
# you're upgrading an old copy, use 'stop' to stop the old one first.  To
# start httpd use 'start'.  If this is an upgrade and you had previously
# configured mod_ssl and were starting it with 'startssl', be aware that
# 'startssl' has been removed (if SSL is configured, it'll start it).  If
# you're upgrading and you had previously configured PHP (or other modules),
# wait to start it until PHP is installed below.
#
# /usr/local/apache2/bin/apachectl action

# If this is your first installation, make sure it works:
# lynx http://localhost/
#
# And if you enabled mod_ssl - make sure that works by opening this URL:
# https://localhost/
# with whatever SSL-supporting browser that you have.  lynx, links, etc.
# can all be built with OpenSSL and if you have a GUI handy,
# Firefox/Mozilla/Netscape, Konqueror, Opera, etc. can all be used as well.
#
# If you don't have any of the above, but you do have non-SSL lynx and an
# SSL enabled curl, try this:
# curl -k https://localhost/ | lynx -stdin

# To make Apache start at boot-up, create a /etc/rc.d/rc.httpd  If it exists
# and is executable, Slackware's /etc/rc.d/rc.M will source it.  If you
# do have the Slackware rc.httpd, open it up and fix the paths
# (/usr/sbin -> /usr/local/apache2/bin, pid is in the logs directory).
wget -nc http://englanders.us/pub/linux/misc/rc.httpd \
-O /etc/rc.d/rc.httpd.new
test -f /etc/rc.d/rc.httpd &&
 ( mv -f /etc/rc.d/rc.httpd /etc/rc.d/rc.httpd.old
   chmod 600 /etc/rc.d/rc.httpd.old )
test -s /etc/rc.d/rc.httpd.new &&
 ( mv -f /etc/rc.d/rc.httpd.new /etc/rc.d/rc.httpd
   chmod 700 /etc/rc.d/rc.httpd )

# Add /usr/local/apache2/bin to the PATH and
# /usr/local/apache2/man to the MANPATH.
cat << EOF > /etc/profile.d/apache2.sh
#!/bin/sh
export PATH=\$PATH:/usr/local/apache2/bin
export MANPATH=\$MANPATH:/usr/local/apache2/man
EOF
chmod +x /etc/profile.d/apache2.sh

# Read those variables into your current shell, or log out and then
# log in again
. /etc/profile.d/apache2.sh

# If you upgraded from a Slackware package Apache to this source one,
# you may have to change ownership of files from apache to 
# daemon, or you can change the user and group that Apache runs as.  See
# the User= and Group= lines in your old /etc/httpd/httpd.conf vs
# /usr/local/apache2/conf/httpd.conf
# In the past, I've used 'nobody' as well.

# Make sure your non-root user can remove the source later
chown -R $(logname) .
chmod -R u+w .

# Become yourself again
exit

# Save the source for later
cd
rm -f installed/apache2/httpd-*.tar.*
mv httpd-2.4.39.tar.bz2 installed/apache2/


# Setting up mod_ssl
# ==================
# You can skip this part if you're upgrading Apache from an older version
# (which had mod_ssl configured).

# For more info about mod_ssl, go here:
# http://httpd.apache.org/docs/2.4/mod/mod_ssl.html

# This part will cover creating SSL certificates for mod_ssl
# FYI, I use OpenSSL >= 0.9.8 and it's CA.pl may create different filenames
# (newreq.pem and newkey.pem) then one from an older version of OpenSSL
# (newreq.pem with both the key and the CSR together).  If you end up with
# different/missing files, split and/or rename them appropriately.

# To create SSL certs for Apache, go to the bottom of the OpenSSL howto,
# follow the instructions ("Creating SSL certs for an application to use"),
# then come back here.  Those instructions use 'nodes' (no DES) so you won't
# be prompted for a password when Apache starts, which might be bad if
# you're not around after a power failure.

# Start from your home directory
cd

# Become root to install the certs
su

# Create a backup directory
mkdir -p -m 0700 ~/backup/apache2

# Now we back up (as *.old) an old cert/key if they're there and we install
# the new ones where apache will find them:
# [ Some of the locations used are based on wehre things used to go
#   long ago ]
( cp newcert.pem newkey.pem /usr/local/apache2/conf/
  cd /usr/local/apache2/conf
  mkdir -p ssl.crt ssl.key
  test -f ssl.crt/server.crt &&
   mv -f ssl.crt/server.crt ssl.crt/server.crt.old
  test -f ssl.key/server.key &&
   mv -f ssl.key/server.key ssl.key/server.key.old
  mv newcert.pem ssl.crt/server.crt
  mv newkey.pem ssl.key/server.key
  chown -R root:daemon ssl.crt ssl.key
  chmod 750 ssl.crt ssl.key
  chmod 640 ssl.crt/server.crt ssl.key/server.key
  ln -s ssl.crt/server.crt server.crt
  ln -s ssl.key/server.key server.key
  find -type f -name "*.old" -exec chown root:root {} \;
  find -type f -name "*.old" -exec chmod 600 {} \; )

# Back up the installed certificate and key in ~/backup/apache2/ just in
# case:
test -f /usr/local/apache2/conf/ssl.crt/server.crt &&
 cp /usr/local/apache2/conf/ssl.crt/server.crt ~/backup/apache2/
test -f /usr/local/apache2/conf/ssl.crt/server.crt &&
 cp /usr/local/apache2/conf/ssl.crt/server.crt ~/backup/apache2/
chmod -f 600 ~/backup/apache2/server.*

## Open up /usr/local/apache2/conf/httpd.conf and uncomment this line:
#LoadModule ssl_module modules/mod_ssl.so
## and this line, because of the default httpd-ssl.conf in 2.4.23:
#LoadModule socache_shmcb_module modules/mod_socache_shmcb.so 
## and this line for the SSL configuration to be read-in:
#Include conf/extra/httpd-ssl.conf
#
# Then open up /usr/local/apache2/conf/extra/httpd-ssl.conf and at least fix
# what it says next to ServerName and ServerAdmin, and verify the path to the
# certs (SSLCertificateFile and SSLCertificateKeyFile).  ServerName should
# say the same thing that you entered for your SSL key (where I put
# serverhostnameorappropriatecname.foo.org - ie. www.foo.org).

# Now restart apache so SSL will be enabled.  If this is an upgrade and
# you had previously configured mod_perl and/or PHP, don't start it until
# they're installed below.
/usr/local/apache2/bin/apachectl stop
/usr/local/apache2/bin/apachectl start

# Become your( non-root )self again
exit

## Now try it:
# lynx https://serverhostnameorappropriatecname.foo.org/
## or:
# curl --cacert ~/demoCA/cacert.pem \
#  https://serverhostnameorappropriatecname.foo.org/

# To view the details of the various keys/CSRs/certs:
cd
echo $PATH | grep -q "/usr/local/ssl/bin" ||
 export PATH=$PATH:/usr/local/ssl/bin
openssl rsa -noout -text -in demoCA/private/cakey.pem
openssl x509 -noout -text -in demoCA/cacert.pem
openssl rsa -noout -text -in newkey.pem
openssl req -noout -text -in newreq.pem
openssl x509 -noout -text -in newcert.pem
# or replace newreq.pem in the 3rd one with
# /usr/local/apache2/conf/ssl.key/server.key and newcert.pem in the 5th one
# with /usr/local/apache2/conf/ssl.crt/server.crt

# You can remove *.pem and ./demoCA/ now if you won't be using them again


# mod_perl
# ========
# If you would like to install mod_perl, that is covered in a separate
# HOWTO.


# PHP
# ===
# If you would like to install PHP, that is covered in a separate
# HOWTO.

Back to the list


Last updated: Tue, 07 Aug 2018 12:06:17 -0400
Jason Englander <jason at englanders dot us>