A.4 Installing Apache

This section explains how to install the Apache 2 web server. We also show you how to optionally install and configure a secure web server that can serve https:// requests, including how to create a private key, a certificate request, and a simple self-signed certificate.

A.4.1 Installing a Secure Apache Server

This section describes how to prepare to install a secure version of the Apache web server so that you can support https:// URLs. If you don't need a secure server, skip this section and continue the basic Apache 2 install in "Installing a Regular Apache Server." You can find out more about secure web servers in Chapter 11.

There are two major differences encountered when installing Apache to use SSL versus installing Apache normally:

Secure Sockets Layer software is required.

There are several sources of Secure Sockets Layer software. OpenSSL is probably the one most commonly used with Apache, and we show you how to obtain and install it in this section.

A site certificate needs to be obtained and configured.

A free, self-signed certificate can be created (and that's what we do in this section). You need to replace it with a purchased certificate from a Certification Authority when an application goes live.

A.4.1.1 Installing OpenSSL

To start your secure install, you need to set up the secure tools as follows:

  1. Get the latest version of OpenSSL from http://www.openssl.org/source/. Download the Unix tar-ed and gzip-ed file under the heading "Tarball." For example, download the file openssl-0.9.7c.tar.gz.

  2. Run a terminal program and log in as the root user.

  3. Store the distribution file in a directory that can be used to build the OpenSSL libraries. To move the file to /usr/local/src, use:

    % mv openssl-0.9.7c.tar.gz /usr/local/src

    Then, change directory to where the file is stored:

    % cd /usr/local/src

  4. Uncompress and un-tar the distribution file in the new installation directory using gzip and tar. If the version downloaded was 0.9.7c, the commands are:

    % gzip -d openssl-0.9.7c.tar.gz
    % tar xvf openssl-0.9.7c.tar

    The distribution files are listed as they are extracted from the tar file.

  5. Change the directory to the openssl source directory, run the config script, and then make the installation. Assuming the version downloaded is 0.9.7c, the commands are:

    % cd openssl-0.9.7c
    % ./config
    % make
    % make test

    To install OpenSSL in a directory-path of your choice instead of /usr/local/ssl, run config with the --openssldir=directory-path option.

  6. Build the install binaries of SSL:

    % make install

    This creates an installation of SSL in the directory /usr/local/ssl.

  7. Now continue with Section A.4.2. You need to complete the regular install before you can continue with the next section.

A.4.1.2 Creating a key and a certificate

For Apache to use SSL, it needs to be configured with a private key and a certificate. Once the key and certificate have been created, they need to be configured into Apache. These steps show you how:

  1. First, complete the steps in the previous section and in Section A.4.2. You need to complete these before you can continue with these steps.

  2. Log in as the root user, and change directory to the location of the openssl binary and create the key:

    % cd /usr/local/ssl/bin
    % ./openssl genrsa -des3 1024 > /usr/local/apache2/conf/localhost.key

    If you have an actual domain for your server, replace localhost with the full domain name. Supply a password, and record it for future use. You've now created the private key.

  3. Create the certificate request by typing:

    % ./openssl req -new -key /usr/local/apache2/conf/localhost.key > \
      /usr/local/apache2/conf/localhost.csr

    If you have an actual domain for your server, replace localhost with the full domain name. The process asks for several fields including country, state, organization name, and email address. The script produces a file that contains the certificate signing request.

  4. Now, create the self-signed certificate by typing:

    % ./openssl req -x509 -days 90 -key \
      /usr/local/apache2/conf/localhost.key \
      -in /usr/local/apache2/conf/localhost.csr > \
      /usr/local/apache2/conf/localhost.crt

    You need to provide the password you used to create your private key.

  5. Modify the ssl.conf file with a text editor so that it uses your certificate. The configuration file is found in the directory /usr/local/apache2/conf/. Using a text editor, find the following lines in the ssl.conf file:

    DocumentRoot "/usr/local/apache2/htdocs"
    ServerName new.host.name:443
    SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key

    Change the lines so that they are as follows:

    DocumentRoot "secure-document-root"
    ServerName localhost:443
    SSLCertificateFile /usr/local/apache2/conf/localhost.crt
    SSLCertificateKeyFile /usr/local/apache2/conf/localhost.key

    Replace secure-document-root with the directory from which you want to serve secure files. You could use /usr/local/apache2/htdocs-secure. If you have an actual domain for your server, also replace localhost with the full domain name.

  6. Create the directory from which you want to serve secure files. For example, if you replaced secure-document-root with /usr/local/apache2/htdocs-secure in the previous step, use:

    % mkdir /usr/local/apache2/htdocs-secure

    Now, for testing, create a simple index.html file in the new directory with a text editor that contains:

    <html>Secure hello!</html>

    Save the file, and ensure it's world-readable using:

    % chmod a+rx /usr/local/apache2/htdocs-secure/
    % chmod a+r /usr/local/apache2/htdocs-secure/index.html

  7. Start Apache. Use the following command:

    % /usr/local/apache2/bin/apachectl startssl

    You need to provide your password again. A secure Apache is now running and serving requests on port 443 (the default HTTPS port) via SSL and also serving regular HTTP requests on port 80. You can test it by requesting the secure and regular resources with a web browser running on the same machine as the web server. You should see your sample page and your regular pages, respectively.

When a secure resource is requested with a browser, the browser alerts the user to an unknown certificate. To obtain a certificate that will be trusted by users, you need to send your certificate request to a Certification Authority to be signed using their authoritative certificates. There is a fee for this service. While the Apache configuration allows both the key and the certificate to be placed in a single file, the private key should not be sent to anyone, not even the Certification Authority. More documentation can be found at http://www.openssl.org/docs/apps/openssl.html.
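One way to check the result of steps 2 to 5 before starting Apache, as an added example that is not part of the original text: the script reads SSLCertificateFile and SSLCertificateKeyFile from an ssl.conf, confirms both files look like PEM, that the key is passphrase-encrypted as genrsa -des3 leaves it, and that the key file is not accessible to group or others (a file created by shell redirection gets whatever mode the umask allows). The function names, finding labels and sample files are assumptions constructed for the illustration; paths containing spaces are not handled.

```shell
#!/bin/sh
# Added example (not from the book): audit the files an ssl.conf points at.

# Value of the last occurrence of directive $2 in file $1 (case-insensitive).
directive() {
    awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 }
                   END { gsub(/"/, "", v); print v }' "$1"
}

# Print one finding per line; exit status is 0 only when there are none.
audit_ssl_conf() {
    conf=$1; bad=0
    crt=$(directive "$conf" SSLCertificateFile)
    key=$(directive "$conf" SSLCertificateKeyFile)
    for f in "$crt" "$key"; do
        [ -n "$f" ] && [ -f "$f" ] || { echo "MISSING: '$f'"; bad=1; }
    done
    [ "$bad" -eq 0 ] || return 1
    grep -q -e '-----BEGIN CERTIFICATE-----' "$crt" ||
        { echo "NOT-A-CERT: $crt"; bad=1; }
    grep -q 'PRIVATE KEY-----' "$key" ||
        { echo "NOT-A-KEY: $key"; bad=1; }
    # genrsa -des3 writes a "Proc-Type: 4,ENCRYPTED" header (traditional PEM);
    # OpenSSL 3.x writes a "BEGIN ENCRYPTED PRIVATE KEY" block instead.
    grep -q -e 'Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$key" ||
        { echo "NO-PASSPHRASE: $key"; bad=1; }
    # Characters 5-10 of the ls -l mode string are the group and other bits.
    [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] ||
        { echo "KEY-OPEN-TO-OTHERS: $key"; bad=1; }
    return "$bad"
}

# Constructed sample: placeholder PEM files and a conf in a scratch directory.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed' \
        '-----END CERTIFICATE-----' > "$d/localhost.crt"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructed' \
        '-----END RSA PRIVATE KEY-----' > "$d/localhost.key"
    chmod 644 "$d/localhost.key"
    printf 'SSLCertificateFile %s\nSSLCertificateKeyFile %s\n' \
        "$d/localhost.crt" "$d/localhost.key" > "$d/ssl.conf"
    audit_ssl_conf "$d/ssl.conf" && rc=0 || rc=$?
    rm -rf "$d"; return "$rc"
}
demo || echo "audit reported findings"
```

On the real installation, run audit_ssl_conf /usr/local/apache2/conf/ssl.conf as root; a KEY-OPEN-TO-OTHERS finding is cleared with chmod 600 on the key file.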

A.4.2 Installing a Regular Apache Server

This section explains how to install a regular Apache 2 web server that supports HTTP requests. Here are the steps to install Apache 2:

  1. If you determined earlier in Section A.1 that an Apache web server is already running, stop the web server using:

    % /usr/local/apache2/bin/apachectl stop

    If your Apache isn't installed in this directory, replace the directory with the correct one you noted earlier.

  2. Get the latest version of the Apache HTTP Server from http://httpd.apache.org/. Scroll down the page until you see a heading such as Apache 2.0.48 is the best available version. From beneath the heading, choose the latest source code version ending in the suffix .tar.gz and save the file in the /tmp directory.

  3. Move the Apache distribution file to the desired installation directory. The most common location is /usr/local/src. Assuming the distribution downloaded is Apache 2.0.47, and it was downloaded in the previous step into the /tmp directory, the command is:

    % mv httpd-2.0.47.tar.gz /usr/local/src

  4. After moving the distribution to the desired location, change the directory to that location using:

    % cd /usr/local/src

  5. Uncompress the package in the new installation directory by running:

    % gzip -d httpd-version_number.tar.gz

    If the distribution downloaded is Apache 2.0.47, the command is:

    % gzip -d httpd-2.0.47.tar.gz

  6. Un-tar the archive file by running:

    % tar xvf httpd-version_number.tar

    The list of files extracted is shown. If the version downloaded was Apache 2.0.47, the command is:

    % tar xvf httpd-2.0.47.tar

  7. Change directory to the Apache installation:

    % cd httpd-version_number

    If the Apache version is 2.0.47, type:

    % cd httpd-2.0.47

  8. Configure the Apache installation by running the configure script. This detects the available tools, the installation environment, and other details for the Apache configuration:

    % ./configure --enable-so --with-layout=Apache

    Respectively, the two parameters enable the shared module support (PHP can then be loaded as a shared module) and set up the standard directory layout.

    If you are planning on serving HTTPS requests, and you've installed OpenSSL following our instructions in "Installing a Secure Apache Server", add --enable-ssl to the list of parameters:

    % ./configure --enable-so --with-layout=Apache --enable-ssl

  9. Compile the Apache web server using the command:

    % make

  10. Install the Apache server using the command:

    % make install

  11. If the installation of Apache with PHP support has been successful, you'll be returned to a shell prompt without any error messages appearing. The last line of the install should be similar to this:

    make[1]: Leaving directory `/usr/local/src/httpd-2.0.47'

  12. Start the Apache web server by running the command:

    % /usr/local/apache2/bin/apachectl start

  13. Check that the server is responding to HTTP requests by accessing it using a web browser. The simplest way to check is to use a web browser to load the server's base URL. If Apache is serving correctly, a web page is displayed.

  14. You can now create and serve HTML pages from the directory /usr/local/apache2/htdocs/ and these will be accessible using the base URL or using the domain name of your server. Record this directory for later use.

    For example, you could create the file /usr/local/apache2/htdocs/hello.html using a text editor and this is then accessible as hello.html beneath the base URL. If you find that a Forbidden error appears when you try to retrieve a new page, you'll need to make the file readable by everyone using, for example, chmod a+r /usr/local/apache2/htdocs/hello.html.

  15. When the machine is rebooted, Apache will not be restarted automatically. After reboot, you can manually restart Apache using apachectl or, alternatively, this process can be made automatic. If you know the standard method to add an automatically-started service on your system, add the startup command.

    One common standard method to make the process automatic is to add commands to the file rc.local (normally either in or below the directory /etc). The rc.local file is used to list locally installed software that should be run on startup. Using an editor, add the following line to the bottom of the rc.local file:

    /usr/local/apache2/bin/apachectl start

  16. If Apache needs to be stopped at any time, this can be achieved by executing:

    % /usr/local/apache2/bin/apachectl stop