This section explains how to install the Apache 2 web server. We also show you how to optionally install and configure a secure web server that can serve https:// requests, including how to create a private key, a certificate request, and a simple self-signed certificate.
This section describes how to prepare to install a secure version of the Apache web server so that you can support https:// URLs. If you don't need a secure server, skip this section and continue the basic Apache 2 install in "Installing a Regular Apache Server." You can find out more about secure web servers in Chapter 11.
There are two major differences encountered when installing Apache to use SSL versus installing Apache normally:
There are several sources of Secure Sockets Layer software. OpenSSL is probably the most commonly used with Apache, and we show you how to obtain and install it in this section.
A free, self-signed certificate can be created (and that's what we do in this section). You need to replace it with a purchased certificate from a Certification Authority when an application goes live.
To start your secure install, you need to set up the secure tools as follows:
Get the latest version of OpenSSL from http://www.openssl.org/source/. Download the Unix tar-ed and gzip-ed file under the heading "Tarball." For example, download the file openssl-0.9.7c.tar.gz.
Run a terminal program and log in as the root user.
Store the distribution file in a directory that can be used to build the OpenSSL libraries. To move the file to /usr/local/src, use:
% mv openssl-0.9.7c.tar.gz /usr/local/src
Then, change directory to where the file is stored:
% cd /usr/local/src
Uncompress and un-tar the distribution file in the new installation directory using gzip and tar. If the version downloaded was 0.9.7c, the commands are:
% gzip -d openssl-0.9.7c.tar.gz
% tar xvf openssl-0.9.7c.tar
The distribution files are listed as they are extracted from the tar file.
Change the directory to the openssl source directory, run the config script, and then make the installation. Assuming the version downloaded is 0.9.7c, the commands are:
% cd openssl-0.9.7c
% ./config
% make
% make test
To install OpenSSL in a directory-path of your choice instead of /usr/local/ssl, run config with the --openssldir=directory-path directive.
Build the install binaries of SSL:
% make install
This creates an installation of SSL in the directory /usr/local/ssl.
Now continue with Section A.4.2. You need to complete the regular install before you can continue with the next section.
For Apache to use SSL, it needs to be configured with a private key and a certificate. Once the key and certificate have been created, they need to be configured into Apache. These steps show you how:
First, complete the steps in the previous section and in Section A.4.2. You need to complete these before you can continue with these steps.
Log in as the root user, and change directory to the location of the openssl binary and create the key:
% cd /usr/local/ssl/bin
% ./openssl genrsa -des3 1024 > /usr/local/apache2/conf/localhost.key
If you have an actual domain for your server, replace localhost with the full domain name. Supply a password, and record it for future use. You've now created the private key.
Create the certificate request by typing:
% ./openssl req -new -key /usr/local/apache2/conf/localhost.key > \
    /usr/local/apache2/conf/localhost.csr
If you have an actual domain for your server, replace localhost with the full domain name. The process asks for several fields including country, state, organization name, and email address. The script produces a file that contains the certificate signing request.
Now, create the self-signed certificate by typing:
% ./openssl req -x509 -days 90 -key \
    /usr/local/apache2/conf/localhost.key \
    -in /usr/local/apache2/conf/localhost.csr > \
    /usr/local/apache2/conf/localhost.crt
You need to provide the password you used to create your private key.
Modify the ssl.conf file with a text editor so that it uses your certificate. The configuration file is found in the directory /usr/local/apache2/conf/. Using a text editor, find the following lines in the ssl.conf file:
DocumentRoot "/usr/local/apache2/htdocs"
ServerName new.host.name:443
SSLCertificateFile /usr/local/apache2/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/server.key
Change the lines so that they are as follows:
DocumentRoot "secure-document-root"
ServerName localhost:443
SSLCertificateFile /usr/local/apache2/conf/localhost.crt
SSLCertificateKeyFile /usr/local/apache2/conf/localhost.key
Replace secure-document-root with the directory from which you want to serve secure files. You could use /usr/local/apache2/htdocs-secure. If you have an actual domain for your server, also replace localhost with the full domain name.
Create the directory from which you want to serve secure files. For example, if you replaced secure-document-root with /usr/local/apache2/htdocs-secure in the previous step, use:
% mkdir /usr/local/apache2/htdocs-secure
Now, for testing, create a simple index.html file in the new directory with a text editor that contains:
<html>Secure hello!</html>
Save the file, and ensure it's world-readable using:
% chmod a+rx /usr/local/apache2/htdocs-secure/
% chmod a+r /usr/local/apache2/htdocs-secure/index.html
Start Apache. Use the following command:
% /usr/local/apache2/bin/apachectl startssl
You need to provide your password again. A secure Apache is now running and serving requests on port 443 (the default HTTPS port) via SSL and also serving regular HTTP requests on port 80. You can test it by requesting the resources https://127.0.0.1/ and http://127.0.0.1/ with a web browser running on the same machine as the web server. You should see your sample page and your regular pages, respectively.
When a resource such as https://127.0.0.1/ is requested with a browser, the browser alerts the user to an unknown certificate. To obtain a certificate that will be trusted by users, you need to send your certificate request to a Certification Authority to be signed using their authoritative certificates. There is a fee for this service. While the Apache configuration allows both the key and the certificate to be placed in a single file, the private key should not be sent to anyone, not even the Certification Authority. More documentation can be found at http://www.openssl.org/docs/apps/openssl.html.
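The following check is an added example, not part of the original text: a shell function that reads the DocumentRoot, SSLCertificateFile, and SSLCertificateKeyFile lines from an ssl.conf like the one edited above and reports a key file that is missing, readable by group or other users, or stored under the document root. The function names, finding labels, and the assumption that paths contain no spaces are ours.

```shell
#!/bin/sh
# Added example: audit the key and certificate lines of an Apache ssl.conf.
# Prints one line per finding; the return status is the number of findings.
# Assumes directive values contain no spaces.

# Print the first value of directive $2 in config file $1, quotes stripped.
directive() {
    awk -v d="$2" '$1 == d { gsub(/"/, "", $2); print $2; exit }' "$1"
}

audit_ssl_conf() {
    conf=$1
    findings=0
    root=$(directive "$conf" DocumentRoot)
    cert=$(directive "$conf" SSLCertificateFile)
    key=$(directive "$conf" SSLCertificateKeyFile)

    # Both files named in the configuration must exist.
    for f in "$cert" "$key"; do
        if [ -z "$f" ] || [ ! -f "$f" ]; then
            echo "MISSING: '$f' is unset or not a regular file"
            findings=$((findings + 1))
        fi
    done

    if [ -n "$key" ] && [ -f "$key" ]; then
        # Characters 5-10 of the ls mode string are the group and other bits.
        # A key written with "> file" inherits them from the umask.
        mode=$(ls -ld "$key" | cut -c5-10)
        if [ "$mode" != "------" ]; then
            echo "PERMS: $key is accessible to group/other; run chmod 600"
            findings=$((findings + 1))
        fi
        # A key stored under DocumentRoot can be downloaded by any client.
        case "$key" in
            "${root:-/nonexistent}"/*)
                echo "EXPOSED: $key is inside DocumentRoot $root"
                findings=$((findings + 1)) ;;
        esac
    fi
    return "$findings"
}

# Run against a file given on the command line, e.g. conf/ssl.conf.
if [ "$#" -gt 0 ]; then
    audit_ssl_conf "$1"
fi
```

Run it as root against /usr/local/apache2/conf/ssl.conf after the edit; an exit status of 0 means no findings.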
This section explains how to install a regular Apache 2 web server that supports HTTP requests. Here are the steps to install Apache 2:
If you determined earlier in Section A.1 that an Apache web server is already running, stop the web server using:
% /usr/local/apache2/bin/apachectl stop
If your Apache isn't installed in this directory, replace the directory with the correct one you noted earlier.
Get the latest version of the Apache HTTP Server from http://httpd.apache.org/. Scroll down the page until you see a heading such as Apache 2.0.48 is the best available version. From beneath the heading, choose the latest source code version ending in the suffix .tar.gz and save the file in the /tmp directory.
Move the Apache distribution file to the desired installation directory. The most common location is /usr/local/src. Assuming the distribution downloaded is Apache 2.0.47, and it was downloaded in the first step into the /tmp directory, the command is:
% mv httpd-2.0.47.tar.gz /usr/local/src
After moving the distribution to the desired location, change the directory to that location using:
% cd /usr/local/src
Uncompress the package in the new installation directory by running:
% gzip -d httpd-version_number.tar.gz
If the distribution downloaded is Apache 2.0.47, the command is:
% gzip -d httpd-2.0.47.tar.gz
Un-tar the archive file by running:
% tar xvf httpd-version_number.tar
The list of files extracted is shown. If the version downloaded was Apache 2.0.47, the command is:
% tar xvf httpd-2.0.47.tar
Change directory to the Apache installation:
% cd httpd-version_number
If the Apache version is 2.0.47, type:
% cd httpd-2.0.47
Configure the Apache installation by running the configure script. This detects the available tools, the installation environment, and other details for the Apache configuration:
% ./configure --enable-so --with-layout=Apache
Respectively, the two parameters enable the shared module support (PHP can then be loaded as a shared module) and set up the standard directory layout.
If you are planning on serving HTTPS requests, and you've installed OpenSSL following our instructions in "Installing a Secure Apache Server", add --enable-ssl to the list of parameters:
% ./configure --enable-so --with-layout=Apache --enable-ssl
Compile the Apache web server using the command:
% make
Install the Apache server using the command:
% make install
If the installation of Apache with PHP support has been successful, you'll be returned to a shell prompt without any error messages appearing. The last line of the install should be similar to this:
make[1]: Leaving directory `/usr/local/src/httpd-2.0.47'
Start the Apache web server by running the command:
% /usr/local/apache2/bin/apachectl start
Check that the server is responding to HTTP requests by accessing it using a web browser. The simplest way to check is to use a web browser to load the URL http://127.0.0.1/. If Apache is serving correctly, a web page is displayed.
You can now create and serve HTML pages from the directory /usr/local/apache2/htdocs/ and these will be accessible using the base URL http://127.0.0.1/ or using the domain name of your server. Record this directory for later use.
For example, you could create the file /usr/local/apache2/htdocs/hello.html using a text editor and this is then accessible as http://127.0.0.1/hello.html. If you find that a Forbidden error appears when you try and retrieve a new page, you'll need to make the file readable by everyone using, for example, chmod a+r /usr/local/apache2/htdocs/hello.html.
When the machine is rebooted, Apache will not be restarted automatically. After reboot, you can manually restart Apache using apachectl or, alternatively, this process can be made automatic. If you know the standard method to add an automatically-started service on your system, add the startup command.
One common standard method to make the process automatic is to add commands to the file rc.local (normally either in or below the directory /etc). The rc.local file is used to list locally installed software that should be run on startup. Using an editor, add the following line to the bottom of the rc.local file:
/usr/local/apache2/bin/apachectl start
If Apache needs to be stopped at any time, this can be achieved by executing:
% /usr/local/apache2/bin/apachectl stop