apache2 - The 2.x version of the Apache HTTP server

HOWTO


# Apache HTTP 2.x + mod_ssl
# =========================
# Historically you would just call the web server software "Apache"
#
# Now there are many different Apache projects, so it should
# really be referred to as "Apache HTTP"
#
# This HOWTO is "apache2" because before Tomcat and OpenOffice and
# SpamAssassin and the hundreds of others that there are now...
# Apache Project List

# Unlike Apache 1.x, mod_ssl is part of Apache 2.x (if you enable it)

# Success building it with OpenSSL 1.1.1 and 3.0

# If you also want mod_jk, see the Apache Tomcat HOWTO, which I have not
# yet uploaded because it is drastically outdated, so never mind

# Versions of Apache 2.x that are included with Slackware:
# Slackware 14.0: httpd 2.4.3
# Slackware 14.1: httpd 2.4.6
# Slackware 14.2: httpd 2.4.20
# Slackware 15.0: httpd 2.4.52
#
# Always check 'patches' for updates

# Create directories for the extracted source and the tarball
mkdir -p -m 0700 ~/backup/apache2 ~/installed/apache2 ~/src/apache2


# Apache httpd 2.4.59
# ===================
# Prerequisites:
# pkg-config
# APR
# APR-util
# OpenLDAP (optional)
# Berkeley DB (bdb)
# Expat
# glibc's iconv or libiconv
# OpenSSL >= 0.9.8a (optional)
# rustls (optional)
# LibreSSL (optional)
# rsync (see below)
# PCRE2 or PCRE
# Nghttp2 >= 1.2.1 (optional)
# Brotli (optional)

# Apache HTTP Server 2.4.x release announcements
# [ANNOUNCEMENT] Apache HTTP Server 2.4.59 Released (mailing list)
# New features in Apache HTTP Server 2.4
# Apache HTTP Server 2.4 vulnerabilities
# Changes for all releases of Apache HTTP Server (since 2.3.0)
# Changes for Apache HTTP Server 2.4.59 only

# We use the CDN (content delivery network) URL below.
# If you can, use one of the Apache mirrors instead of www.apache.org
# Automatic mirror selection
# Specific alternate download URLs:
# https://dlcdn.apache.org/httpd/httpd-2.4.59.tar.bz2
# https://downloads.apache.org/httpd/httpd-2.4.59.tar.bz2
# https://apache.osuosl.org/httpd/httpd-2.4.59.tar.bz2

# OpenSSL 3.x support for mod_ssl was added as of 2.4.52

# Get the source tarball
cd
test -f installed/apache2/httpd-2.4.59.tar.bz2 &&
mv installed/apache2/httpd-2.4.59.tar.bz2 .
test ! -f httpd-2.4.59.tar.bz2 &&
wget https://dlcdn.apache.org/httpd/httpd-2.4.59.tar.bz2

# Verify base64-encoded digest w/ cksum from coreutils >= 9.2:
echo "IJ2gu6xeJWTUWQMCUVs1SVvmQCJz/0AkqpPoXkRVTJXgUyAdYGODk2QlpB4b\
W5fmtABV3Ls4XraRpQKabzFYwg==  httpd-2.4.59.tar.bz2" | cksum -a sha512 -c

# Verify tarball w/ sha512sum:
# (this came from my gpg-verified tarball and the Apache site)
# (you can get it this way too: openssl sha512 httpd-2.4.59.tar.bz2)
echo "209da0bbac5e2564d4590302515b35495be6402273ff4024aa93e85e4455\
4c95e053201d606383936425a41e1b5b97e6b40055dcbb385eb691a5029a6f3158\
c2  httpd-2.4.59.tar.bz2" | sha512sum -c

# Import the gpg/pgp keys in case you can't find them
# on a keyserver:
wget -nc https://downloads.apache.org/httpd/KEYS &&
gpg --import KEYS && rm KEYS

# Verify tarball w/ gpg:
( gpg --list-keys 65B2D44FE74BD5E3DE3AC3F082781DE46D5954FA > /dev/null 2>&1 ||
  gpg --recv-keys 65B2D44FE74BD5E3DE3AC3F082781DE46D5954FA ) &&
wget -nc https://dlcdn.apache.org/httpd/httpd-2.4.59.tar.bz2.asc &&
  gpg --verify httpd-2.4.59.tar.bz2.asc && rm httpd-2.4.59.tar.bz2.asc
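
# Added example (not part of the original HOWTO): 'gpg --verify' reports
# success for a good signature from any key in your keyring, and importing
# KEYS adds many keys.  This reads gpg's machine-readable status output and
# accepts only the fingerprint used above.  The function names are made up
# for this example.

```sh
# Added example: accept a signature only if it is good AND was made by the
# one pinned key.  sig_by_pinned_key reads `gpg --status-fd 1` lines on stdin.
PINNED_FPR=65B2D44FE74BD5E3DE3AC3F082781DE46D5954FA   # fingerprint used above

sig_by_pinned_key() {
  # $1 = expected fingerprint (40 hex digits, no spaces)
  awk -v want="$1" '
    $1 != "[GNUPG:]" { next }
    # GOODSIG: signature checks out and the key is not expired or revoked
    $2 == "GOODSIG" { good = 1 }
    # Any of these means the result must not be relied on
    $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
    $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
    # VALIDSIG: field 3 is the signing key fingerprint, the last field is
    # the primary key fingerprint (they differ when a subkey signed)
    $2 == "VALIDSIG" && ($3 == want || $NF == want) { pinned = 1 }
    END { exit !(good && pinned && !bad) }
  '
}

verify_tarball() {
  # $1 = tarball, $2 = detached .asc signature; fails closed if gpg is
  # missing or prints no status lines
  gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
    sig_by_pinned_key "$PINNED_FPR"
}

# Usage: verify_tarball httpd-2.4.59.tar.bz2 httpd-2.4.59.tar.bz2.asc
```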

# Extract it
cd ~/src/apache2
find -maxdepth 1 -type d -name "httpd-*" -exec rm -r {} \;
tar xjvf ~/httpd-2.4.59.tar.bz2
cd httpd-2.4.59
test $UID = 0 && chown -R root:root .

# The default prefix is /usr/local/apache2, so if you have a truly ancient
# Apache 1.x installed under /usr/local/apache, it will not be overwritten.

# I include some of the options that I pass to configure below.  You may only
# want to run ./configure with no options.  See './configure --help' and
# the docs for more information about building certain features into Apache,
# and how to leave others out.  --enable-vhost-alias and --enable-rewrite
# are notably spiffy ones.

# If you're upgrading an older version of Apache HTTP and you don't know
# what modules it was built with, look in /usr/local/apache2/modules to see
# which .so modules are available, look at the LoadModule lines that are not
# commented out in httpd.conf to see which ones were being used, and if that
# older version is available, run '/usr/local/apache2/bin/httpd -l'

# If you're planning on installing Subversion and its Apache modules,
# pass "--enable-dav --enable-dav-fs" to configure

# Note: even though --with-ldap isn't listed in the output of ./configure
# --help, it was necessary for me in the past with a previous release

# If your OpenSSL is entirely installed under the OpenSSL < 1.1.0 default
# prefix of /usr/local/ssl, use --with-ssl=/usr/local/ssl.  Otherwise, if you
# use /usr or /usr/local (default as of >= 1.1.0), configure should find it.

# If APR-util was built with LDAP support, that is good enough
#
# To successfully pass --enable-ldap --enable-authnz-ldap to configure here,
# APR-util must have been built with LDAP support

## If you use a multi-threaded MPM, use mod_cgid instead of mod_cgi.  You can
## build it in by default with --enable-cgid or you can un-comment the
## appropriate line in httpd.conf to use it as a module:
# LoadModule cgid_module modules/mod_cgid.so
## and then (re-)start httpd.  For more info:
# https://httpd.apache.org/docs/2.4/mod/mod_cgid.html
# https://httpd.apache.org/docs/2.4/mpm.html

# Configure the build
./configure --enable-ssl --enable-rewrite --enable-vhost-alias --enable-so \
--enable-cgid --with-mpm=event

# Build it
make

# Become root to install it
su

# Though 'make install' will not overwrite existing files, back everything
# up.  This will exclude binaries, libraries, icons, etc. to save space.  If
# you want to back up any of those things, leave out the appropriate
# --exclude=dir part.
test -d /usr/local/apache2 &&
( cd /usr/local
   tar cjv --exclude=bin --exclude=build --exclude=error --exclude=icons \
    --exclude=include --exclude=lib --exclude=man --exclude=manual \
    --exclude=modules -f apache2-`date +%Y%m%d`.tar.bz2 apache2
   test -s apache2-`date +%Y%m%d`.tar.bz2 &&
    mv -f apache2-`date +%Y%m%d`.tar.bz2 ~/backup/apache2/ )

# If you are upgrading Apache HTTP, and httpd is still running, keep in mind
# that it may segfault once you 'make install'.  So you may want to stop it
# or redirect port 80/443 to another web server (i.e. one with a 'Down for
# server maintenance' page).

# If you're replacing an Apache 2.x that came from a Slackware package,
# back up those files, remove the package, and then remove the leftovers
# (and shut it down first if it's running)
test -d /etc/httpd -a -d /var/www &&
( mkdir -p -m 0700 /root/backup/apache2
   tar cjvf ~/backup/apache2/httpd-$(date +%Y%m%d).tar.bz2 \
    /etc/httpd /etc/logrotate.d/httpd /etc/rc.d/rc.httpd /var/www
   test -x /etc/rc.d/rc.httpd && /etc/rc.d/rc.httpd stop
   test -x /sbin/removepkg && /sbin/removepkg httpd
   test -d /etc/httpd && rm -r /etc/httpd
   test -d /var/run/httpd && rm -r /var/run/httpd
   test -d /var/www && rm -r /var/www )

# 'make install' runs rsync, so make sure you've got it and that it's
# functional (make sure 'rsync --help' runs OK)

# Install it
make install

# Open up /usr/local/apache2/conf/httpd.conf and fix at least ServerAdmin.
# Setting ServerName is usually a good idea too, even though you usually
# don't have to.

# If you're upgrading from 1.x to 2.x you may want to change Listen to
# 8080 (or some other port), then make sure everything works under
# http://localhost:8080/ before moving it over for real.

# Start the server.  Replace 'action' below with what you want to do.  If
# you're upgrading an old copy, use 'stop' to stop the old one first.  To
# start httpd use 'start'.  If this is an upgrade and you had previously
# configured mod_ssl and were starting it with 'startssl', be aware that
# 'startssl' has been removed (if SSL is configured, it'll start it).  If
# you're upgrading and you had previously configured PHP (or other modules),
# wait to start it until PHP is installed below.
#
# /usr/local/apache2/bin/apachectl action

# If this is your first installation, make sure it works:
# lynx http://localhost/
#
# And if you enabled mod_ssl - make sure that works by opening this URL:
# https://localhost/
# with whatever SSL-supporting browser that you have.  lynx, links, etc.
# can all be built with OpenSSL and if you have a GUI handy,
# Firefox/Mozilla/Netscape, Konqueror, Opera, etc. can all be used as well.
#
# If you don't have any of the above, but you do have non-SSL lynx and an
# SSL enabled curl, try this:
# curl -k https://localhost/ | lynx -stdin

# To make Apache start at boot-up, create /etc/rc.d/rc.httpd.  If it exists
# and is executable, Slackware's /etc/rc.d/rc.M will source it.  If you
# do have the Slackware rc.httpd, open it up and fix the paths
# (/usr/sbin -> /usr/local/apache2/bin, pid is in the logs directory).
# The script downloaded below runs as root at boot, so read it before
# you install it.
wget -nc https://englanders.us/pub/linux/misc/rc.httpd \
-O /etc/rc.d/rc.httpd.new
test -f /etc/rc.d/rc.httpd &&
( mv -f /etc/rc.d/rc.httpd /etc/rc.d/rc.httpd.old
   chmod 600 /etc/rc.d/rc.httpd.old )
test -s /etc/rc.d/rc.httpd.new &&
( mv -f /etc/rc.d/rc.httpd.new /etc/rc.d/rc.httpd
   chmod 700 /etc/rc.d/rc.httpd )

# Add /usr/local/apache2/bin to the PATH and
# /usr/local/apache2/man to the MANPATH.
cat << EOF > /etc/profile.d/apache2.sh
#!/bin/sh
export PATH=\$PATH:/usr/local/apache2/bin
export MANPATH=\$MANPATH:/usr/local/apache2/man
EOF
chmod +x /etc/profile.d/apache2.sh

# Read those variables into your current shell, or log out and then
# log in again
. /etc/profile.d/apache2.sh

# If you upgraded from a Slackware package Apache to this source one,
# you may have to change ownership of files from apache to
# daemon, or you can change the user and group that Apache runs as.  See
# the User= and Group= lines in your old /etc/httpd/httpd.conf vs
# /usr/local/apache2/conf/httpd.conf
# In the past, I've used 'nobody' as well.

# Make sure your non-root user can remove the source later
chown -R $(logname) .
chmod -R u+w .

# Become yourself again
exit

# Save the source for later
cd
rm -f installed/apache2/httpd-*.tar.*
mv httpd-2.4.59.tar.bz2 installed/apache2/


# Setting up mod_ssl
# ==================
# You can skip this part if you're upgrading Apache from an older version
# (which had mod_ssl configured).

# For more info about mod_ssl, go here:
# http://httpd.apache.org/docs/2.4/mod/mod_ssl.html

## If you have Let's Encrypt certificates, you can use these configuration
## options:
# SSLCertificateFile "/etc/letsencrypt/live/example.com/fullchain.pem"
# SSLCertificateKeyFile "/etc/letsencrypt/live/example.com/privkey.pem"
## See the certbot HOWTO for more info

# This part will cover creating SSL certificates for mod_ssl
# FYI, when I used OpenSSL >= 0.9.8, its CA.pl may have created
# different filenames (newreq.pem and newkey.pem) vs one from an older
# version of OpenSSL (newreq.pem with both the key and the CSR together).
# If you end up with different/missing files, split and/or rename them
# appropriately.

# To create SSL certs for Apache, go to the bottom of the OpenSSL howto,
# follow the instructions ("Creating SSL certs for an application to use"),
# then come back here.  Those instructions use 'nodes' (no DES), so the key
# is not encrypted and you won't be prompted for a password when Apache
# starts; a prompt might be bad if you're not around after a power failure.

# Start from your home directory
cd

# Become root to install the certs
su

# Create a backup directory
mkdir -p -m 0700 ~/backup/apache2

# Now we back up (as *.old) an old cert/key if they're there and we install
# the new ones where apache will find them:
# [ Some of the locations used are based on where things used to go
#   long ago ]
( cp newcert.pem newkey.pem /usr/local/apache2/conf/
  cd /usr/local/apache2/conf
  mkdir -p ssl.crt ssl.key
  test -f ssl.crt/server.crt &&
   mv -f ssl.crt/server.crt ssl.crt/server.crt.old
  test -f ssl.key/server.key &&
   mv -f ssl.key/server.key ssl.key/server.key.old
  mv newcert.pem ssl.crt/server.crt
  mv newkey.pem ssl.key/server.key
  chown -R root:daemon ssl.crt ssl.key
  chmod 750 ssl.crt ssl.key
  chmod 640 ssl.crt/server.crt ssl.key/server.key
  ln -s ssl.crt/server.crt server.crt
  ln -s ssl.key/server.key server.key
  find -type f -name "*.old" -exec chown root:root {} \;
  find -type f -name "*.old" -exec chmod 600 {} \; )

# Back up the installed certificate and key in ~/backup/apache2/ just in
# case:
test -f /usr/local/apache2/conf/ssl.crt/server.crt &&
cp /usr/local/apache2/conf/ssl.crt/server.crt ~/backup/apache2/
test -f /usr/local/apache2/conf/ssl.key/server.key &&
cp /usr/local/apache2/conf/ssl.key/server.key ~/backup/apache2/
chmod -f 600 ~/backup/apache2/server.*
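
# Added example (not part of the original HOWTO): a check to run after the
# cert and key are installed and before httpd is restarted.  It confirms that
# the certificate and key share one public key (worth doing after splitting
# or renaming CA.pl output) and that the key files are no looser than the
# modes set above.  Function names are made up for this example; it assumes
# GNU stat and an unencrypted key.

```sh
# Added example: verify the installed certificate/key pair and key modes.

pair_matches() {
  # $1 = certificate, $2 = private key (unencrypted PEM, as created above)
  cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
  key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

key_mode_ok() {
  # $1 = key file, $2 = permission bits that must be clear (octal):
  # 027 allows at most 0640, 077 allows at most 0600
  mode=$(stat -c %a "$1") || return 1
  [ $(( 0$mode & 0$2 )) -eq 0 ]
}

check_tls_install() {
  # $1 = conf directory; prints each problem, returns non-zero if any
  rc=0
  pair_matches "$1/ssl.crt/server.crt" "$1/ssl.key/server.key" ||
    { echo "certificate and key do not match"; rc=1; }
  key_mode_ok "$1/ssl.key/server.key" 027 ||
    { echo "server.key is group-writable or world-accessible"; rc=1; }
  if [ -f "$1/ssl.key/server.key.old" ]; then
    key_mode_ok "$1/ssl.key/server.key.old" 077 ||
      { echo "server.key.old is accessible beyond its owner"; rc=1; }
  fi
  return $rc
}

# Usage (as root): check_tls_install /usr/local/apache2/conf
```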

## Open up /usr/local/apache2/conf/httpd.conf and uncomment this line:
#LoadModule ssl_module modules/mod_ssl.so
## and this line, because of the default httpd-ssl.conf in 2.4.23:
#LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
## and this line for the SSL configuration to be read-in:
#Include conf/extra/httpd-ssl.conf
#
# Then open up /usr/local/apache2/conf/extra/httpd-ssl.conf and at least fix
# what it says next to ServerName and ServerAdmin, and verify the path to the
# certs (SSLCertificateFile and SSLCertificateKeyFile).  ServerName should
# say the same thing that you entered for your SSL key (where I put
# serverhostnameorappropriatecname.foo.org - ie. www.foo.org).

# Now restart apache so SSL will be enabled.  If this is an upgrade and
# you had previously configured mod_perl and/or PHP, don't start it until
# they're installed below.
/usr/local/apache2/bin/apachectl stop
/usr/local/apache2/bin/apachectl start

# Become your( non-root )self again
exit

## Now try it:
# lynx https://serverhostnameorappropriatecname.foo.org/
## or:
# curl --cacert ~/demoCA/cacert.pem \
#  https://serverhostnameorappropriatecname.foo.org/

# To view the details of the various keys/CSRs/certs:
cd
echo $PATH | grep -q "/usr/local/ssl/bin" ||
export PATH=$PATH:/usr/local/ssl/bin
openssl rsa -noout -text -in demoCA/private/cakey.pem
openssl x509 -noout -text -in demoCA/cacert.pem
openssl rsa -noout -text -in newkey.pem
openssl req -noout -text -in newreq.pem
openssl x509 -noout -text -in newcert.pem
# or replace newkey.pem in the 3rd one with
# /usr/local/apache2/conf/ssl.key/server.key and newcert.pem in the 5th one
# with /usr/local/apache2/conf/ssl.crt/server.crt

# You can remove *.pem and ./demoCA/ now if you won't be using them again


# mod_perl
# ========
# If you would like to install mod_perl, that is covered in a separate
# HOWTO.


# PHP
# ===
# If you would like to install PHP, that is covered in a separate
# HOWTO.


Web page itself last updated: 2023-12-20 8:06pm (EDT -0400)
HOWTO last updated: 2024-04-04 11:22pm
Copyright © 2001-2024 Jason Englander. All Rights reserved.