Author: herodong    OICQ: 6678705
/* Lone Wolf: The original article is too long, more than 36 KB, so I have pasted only the important parts. If you need the original, mail me: wolflx@263.net */
Our goal is to install a web server that can host multiple websites, some of them e-commerce sites that need a secure (SSL) solution; most of the sites are script-driven, connecting to a database server and pulling their data from it.
The tools required for this task are:
Apache - the web server
Mod_SSL - the Secure Socket Layer (SSL) module for Apache
OpenSSL - the open-source SSL toolkit (required by mod_ssl)
RSARef - the RSA reference library, needed only by users in the United States (because of the RSA patent in force at the time)
MySQL - the database server
PHP - the scripting language
"All roads lead to Rome" ...... so this is only one of many configurations that meet our requirements. I chose it because it is the simplest and fastest. I picked Mod_SSL/OpenSSL because I have prior experience with it, it is the fastest to configure and the easiest to install. For easy integration with Apache I chose PHP and MySQL. Remember, Perl can do whatever you want, but PHP is simple and easy for any programmer who wants to learn it.
We hope that after working through this short guide you will have achieved the following:
Install and configure the MySQL database server
Install and configure an Apache web server with SSL
Install and configure the PHP 4.0 hypertext preprocessor for server-side scripts
Create sample certificates for Apache SSL
This document assumes that the following software is already installed on your system:
Perl (preferably version 5 or later)
gzip / gunzip
gcc and GNU make
Preparation
Apache - http://www.apache.org
Mod_SSL - http://www.modssl.org
OpenSSL (SSL toolkit) - http://www.openssl.org
PHP (scripting language) - http://www.php.net
MySQL (SQL database server) - http://www.mysql.com
Download the source code (tar files) of all of them into a temporary directory; make sure it has plenty of free space ...... Download them as root to avoid permission issues. Whatever user you download as, check each archive against the digest or PGP signature the project publishes before unpacking it: everything below is compiled and installed as root, so a tampered tarball gets root too.
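As an added example (not from the original article), this is the integrity gate a practitioner puts in front of the "extract" step: the tarball is unpacked only if its SHA-256 digest matches the value the project publishes beside the download. It assumes sha256sum (coreutils) or, failing that, openssl is on PATH; the archive, its contents and the package name are constructed for the demo and stand in for the real apache/mysql/php tarballs.

```shell
# Added example: refuse to unpack a source tarball whose SHA-256 digest does
# not match the published value, so a corrupted or tampered archive is never
# built (and later installed) as root. sha256sum or openssl is assumed on PATH.

# sha256_of FILE: hex digest, using whichever tool is present
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

# digest_ok FILE EXPECTED: 0 when FILE's digest equals EXPECTED (case-insensitive)
digest_ok() {
    actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
    want=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$want" ]
}

# safe_extract TARBALL EXPECTED DESTDIR: unpack only after the check passes;
# returns 1 and extracts nothing on mismatch
safe_extract() {
    if ! digest_ok "$1" "$2"; then
        echo "digest mismatch for $1: refusing to extract" >&2
        return 1
    fi
    gunzip -c "$1" | tar xf - -C "$3"
}

# Demo with a constructed one-file archive standing in for apache_1.3.x.tar.gz
work=$(mktemp -d)
mkdir -p "$work/pkg-1.0" "$work/out"
printf 'hello\n' > "$work/pkg-1.0/README"
( cd "$work" && tar cf - pkg-1.0 | gzip -c > pkg-1.0.tar.gz )
published=$(sha256_of "$work/pkg-1.0.tar.gz")   # would come from the vendor's .sha256 file
safe_extract "$work/pkg-1.0.tar.gz" "$published" "$work/out" && echo "digest OK, extracted"
safe_extract "$work/pkg-1.0.tar.gz" \
    "0000000000000000000000000000000000000000000000000000000000000000" "$work/out" \
    || echo "tampered archive rejected"
rm -rf "$work"
```

A digest file fetched from the same mirror as the tarball only proves the transfer was intact; to prove origin, check the project's PGP signature (the .asc file) against a signing key obtained out of band.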
Our plan
The plan is to install the MySQL server first and make sure it works, then install PHP and Mod_SSL, and finally the Apache web server. Once Apache is installed we can test whether PHP and Mod_SSL support work.
MySQL source code installation (UNIX)
The basic commands for installing MySQL from the source distribution (the "tar" file) are:
Use su to become the root user.
$ su
Change to the directory holding the tar file (a temporary directory; /tmp/download/ is used here).
# cd /tmp/download/
Extract the files with:
# gunzip -d -c mysql-3.22.xx.tar.gz | tar xvf -
Change into the new directory created by the extraction.
# cd mysql-3.22.xx
Now "configure" the MySQL server. configure takes many options; run ./configure --help to see them all. Here only --prefix is used, to set the installation directory. configure checks your compiler and a few other things; if it reports errors, look in config.cache (and config.log) for details.
# ./configure --prefix=/usr/local/mysql
After configuring, build the actual binaries with:
# make
Now install the binaries into the directory given by the configure --prefix option:
# make install
The article does not show the remaining steps before "making sure it works": the grant tables are created with scripts/mysql_install_db, mysqld should be started as an unprivileged mysql user rather than root, and the MySQL root account has no password until you set one with mysqladmin -u root password 'new-password'.
PHP installation (UNIX)
Now install the PHP language. I downloaded the latest beta; you may prefer a non-beta release. Remember that the beta requires GNU make.
This still assumes you are root; if not, su back to root.
PHP needs Apache to be pre-configured so that it can find what it requires in the Apache source tree. You will come back to that tree later when you install the Apache server itself. Change to the directory holding the source code.
# cd /tmp/download
# gunzip -c apache_1.3.x.tar.gz | tar xf -
# cd apache_1.3.x
# ./configure
# cd ..
Now you can install PHP. Extract the source and enter its directory. If you downloaded version 3, the version number and the commands differ slightly.
# gunzip -c php-4.0.x.tar.gz | tar xf -
# cd php-4.0.x
When compiling from source, configure is always your friend, and it has many options. Use ./configure --help to decide which ones you want. I need only MySQL and LDAP, and of course Apache.
# ./configure --with-mysql=/usr/local/mysql \
    --with-xml \
    --with-apache=../apache_1.3.x \
    --enable-track-vars \
    --with-ldap
Build and install the binaries.
# make
# make install
Copy the INI file to the lib directory.
# cp php.ini-dist /usr/local/lib/php.ini
Before the sites go live, review that php.ini: the php.ini-dist shipped with PHP 4.0 leaves register_globals on, which lets any request parameter overwrite a script variable, and display_errors on, which shows paths and query text to visitors. Turn both off and read request data from the $HTTP_GET_VARS/$HTTP_POST_VARS arrays that --enable-track-vars provides.
Apache and Mod_SSL
Configure and install mod_ssl and Apache. For this you need the rsaref-2.0 archive. Go to http://ftpsearch.lycos.com/ and search for the rsaref tar.Z file; if you do not like Lycos, use another search engine. Of course, you only need this file in the United States. (For more information see http://ftpsearch.ntnu.no/.)
Create an rsaref directory and extract the archive into it. This assumes you downloaded into the temporary directory and are currently in it.
# mkdir rsaref-2.0
# cd rsaref-2.0
# gzip -d -c ../rsaref1_tar.Z | tar xvf -
Build the RSAref library (the RSA implementation OpenSSL will link against; this is not OpenSSL itself yet):
# cp -rp install/unix local
# cd local
# make
# mv rsaref.a librsaref.a
# cd ../..
Install OpenSSL. Remember, you will use it to create the certificates and CSR files. The --prefix option sets the main installation directory; -L points the build at the RSAref library built above and the rsaref keyword tells config to use it.
# cd openssl-0.9.x
# ./config --prefix=/usr/local/ssl \
    -L`pwd`/../rsaref-2.0/local/ rsaref -fPIC
Now make, test and install it.
# make
# make test
# make install
# cd ..
Configure the mod_ssl module, which patches the Apache source tree so that Apache's own configure can then enable it as a module.
# cd mod_ssl-2.5.x-1.3.x
# ./configure --with-apache=../apache_1.3.x
# cd ..
Now we can add more Apache modules in the Apache source tree. The optional --enable-shared=ssl option builds mod_ssl as a DSO, "libssl.so". For details on DSO support in Apache see INSTALL and htdocs/manual/dso.html in the Apache source tree. I strongly recommend that ISPs and package maintainers use the DSO mechanism for the most flexible use of mod_ssl, but note that Apache does not support DSO on every platform.
# cd apache_1.3.x
# SSL_BASE=../openssl-0.9.x \
  RSA_BASE=../rsaref-2.0/local \
  ./configure \
    --enable-module=ssl \
    --activate-module=src/modules/php4/libphp4.a \
    --enable-module=php4 \
    --prefix=/usr/local/apache \
    --enable-shared=ssl
[... you can add more options ...]
Build Apache, generate the certificate, then install...
# make
If everything went right you will see a message like the following:
+-----------------------------------------------------------------------+
| Before you install the package you now should prepare the SSL         |
| certificate system by running the 'make certificate' command.         |
| For different situations the following variants are provided:         |
|                                                                       |
| % make certificate TYPE=dummy    (dummy self-signed Snake Oil cert)   |
| % make certificate TYPE=test     (test cert signed by Snake Oil CA)   |
| % make certificate TYPE=custom   (custom cert signed by own CA)       |
| % make certificate TYPE=existing (existing cert)                      |
|        CRT=/path/to/your.crt [KEY=/path/to/your.key]                  |
|                                                                       |
| Use TYPE=dummy    when you're a  vendor package maintainer,           |
| the  TYPE=test    when you're an admin but want to do tests only,     |
| the  TYPE=custom  when you're an admin willing to run a real server   |
| and  TYPE=existing when you're an admin who upgrades a server.        |
| (The default is TYPE=test)                                            |
|                                                                       |
| Additionally add ALGO=RSA (default) or ALGO=DSA to select             |
| the signature algorithm used for the generated certificate.           |
|                                                                       |
| Use 'make certificate VIEW=1' to display the generated data.          |
|                                                                       |
| Thanks for using Apache & mod_ssl.       Ralf S. Engelschall          |
|                                          rse@engelschall.com          |
|                                          www.engelschall.com          |
+-----------------------------------------------------------------------+
Now create a custom certificate. This option prompts you for your address, company and so on. For more about certificates, see the end of this article. Never use the dummy or test types on a real server: the Snake Oil CA key ships with the mod_ssl sources, so anyone can mint certificates that the Snake Oil CA vouches for.
# make certificate TYPE=custom
Install Apache now...
# make install
If everything is normal you should see a message like the following:
+----------------------------------------------------------------------+
| You now have successfully built and installed the                    |
| Apache 1.3 HTTP server. To verify that Apache actually               |
| works correctly you now should first check the                       |
| (initially created or preserved) configuration files                 |
|                                                                      |
|   /usr/local/apache/conf/httpd.conf                                  |
|                                                                      |
| and then you should be able to immediately fire up                   |
| Apache the first time by running:                                    |
|                                                                      |
|   /usr/local/apache/bin/apachectl start                              |
|                                                                      |
| or when you want to run it with SSL enabled use:                     |
|                                                                      |
|   /usr/local/apache/bin/apachectl startssl                           |
|                                                                      |
| Thanks for using Apache.       The Apache Group                      |
|                                http://www.apache.org/                |
+----------------------------------------------------------------------+
Verify that Apache and PHP work. First we need to edit httpd.conf (in recent 1.3 releases srm.conf and access.conf have been merged into httpd.conf) to add the PHP MIME types. If you followed this document exactly, httpd.conf is in /usr/local/apache/conf. The file already contains the AddType lines for PHP 4, commented out; remove the comment characters from them. httpd.conf, excerpt:
> # And for PHP 4.x, use:
> #
---> AddType application/x-httpd-php .php
---> AddType application/x-httpd-php-source .phps
A caveat on the second line: the .phps type makes Apache serve the PHP source of any file with that extension, syntax-highlighted, to anyone who asks. Only uncomment it if no file holding database credentials or other secrets can ever be reached under a .phps name; otherwise leave it commented out.
Now start the Apache server to see if it works. First start it without SSL to see that it comes up and check PHP support; then stop it, start it with SSL support enabled and check that everything works. configtest checks that the whole configuration is set up correctly.
# cd /usr/local/apache/bin
# ./apachectl configtest
Syntax OK
# ./apachectl start
./apachectl start: httpd started
// Test APACHE + PHP + MYSQL
Is the SSL option working?
Now we are ready to test SSL. Stop the server and restart it with SSL enabled.
# /usr/local/apache/bin/apachectl stop
# /usr/local/apache/bin/apachectl startssl
Test it by connecting with Netscape over the https protocol, that is https://yourserver.yourdomain.com/ or https://yourserver.yourdomain.com:443/; you can also try the server's IP address, that is https://xxx.xxx.xxx.xxx/ and https://xxx.xxx.xxx.xxx:443/. (Plain http:// on port 443 will not work; the browser has to start the SSL handshake.)
If it works, the server sends its certificate to the browser to establish a secure connection, and the browser asks you whether to accept the certificate you signed yourself. With a certificate from VeriSign or Thawte the browser would not ask, because it comes from a certificate authority (CA) the browser already trusts. In our case we create and sign our own certificate ...... we do not want to buy one right away; first we want to make sure everything works.
Note: HTML and PHP code can be mixed in the same file. That is the charm of PHP scripting.
SSL virtual host
Creating an SSL virtual host is much like creating a non-SSL one: besides the extra directives you need a DNS record for the name and a matching entry in httpd.conf. One caveat specific to SSL in Apache 1.3: the server name is not known until after the SSL handshake, so each SSL virtual host needs its own IP address (or port) rather than a name-based entry, and the certificate must be issued for the ServerName you configure. Here is an example.
#--------------------------------------------#
# SSL Virtual Host Context
#--------------------------------------------#
# (The enclosing <VirtualHost> lines were missing from the excerpt and have
#  been added so the block is complete; _default_:443 is the mod_ssl default.)
<VirtualHost _default_:443>
# General setup for the virtual host
DocumentRoot /usr/local/apache/htdocs
ServerAdmin webmaster@securedomain1.com
ServerName www.securedomain1.com
ErrorLog logs/domain1.com-error_log
TransferLog logs/domain1.com-transfer_log
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A test
# certificate can be generated with 'make certificate' at
# build time. Keep in mind that if you've both an RSA and a DSA
# certificate you can configure both in parallel (to also allow
# the use of DSA ciphers, etc.)
# Note that I keep my certificate files in a central
# location. You could change this if you are an ISP or ASP.
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both an RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog /usr/local/apache/logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
Remember that there are many more directives you can set. We will cover them in a separate article on Apache configuration; this one is only an entry-level guide.
Generate certificate
A step-by-step description of how to generate a certificate.
Create an RSA private key for your Apache server (Triple-DES encrypted, PEM format):
# openssl genrsa -des3 -out server.key 1024
(1024 bits was the usual size when this was written; today use at least 2048.)
Back up server.key in a safe place and remember the pass phrase you entered! You can see the details of the RSA private key with:
# openssl rsa -noout -text -in server.key
You can create an unencrypted PEM version of this RSA private key (not recommended) with the following command. If you do, that file alone is the secret: make it readable by root only (chmod 400) and keep it out of backups and source control.
# openssl rsa -in server.key -out server.key.unsecure
Using the server's RSA private key, generate a Certificate Signing Request (CSR); the output is in PEM format:
# openssl req -new -key server.key -out server.csr
When OpenSSL prompts for "CommonName", make sure you enter the server's FQDN ("Fully Qualified Domain Name"); that is, when you generate the CSR for https://www.foo.dom/ enter "www.foo.dom". Browsers compare this name with the host in the URL, and a mismatch produces a warning even with a perfectly valid CA signature. View the details of the CSR with:
# openssl req -noout -text -in server.csr
Send the CSR to a CA
Now you must send the CSR to a CA for signing; the result is a real certificate that Apache can use.
There are two options:
First, you can have a commercial CA such as VeriSign or Thawte sign the certificate. You usually paste the CSR into a web form, pay the signing fee and wait for the signed certificate, which you then store in a server.crt file. For more about commercial CAs see the following links:
Verisign - http://digitalid.verisign.com/server/apacheNotice.htm
Thawte Consulting - http://www.thawte.com/certs/server/request.html
CertiSign Certificadora Digital Ltda.-http://www.certisign.com.br
IKS GmbH-http://www.iks-jena.de/produkte/ca/
Uptime Commerce Ltd.-http://www.uptimecommerce.com
BelSign NV/SA-http://www.belsign.be
Your own CA
Second, you can sign the CSR with your own CA: you create your own certificate authority and use it to sign the certificate. The simplest way is to use the CA.sh or CA.pl script that comes with OpenSSL; the longer, manual way is as follows:
Create an RSA private key for your CA (Triple-DES encrypted, PEM format):
# openssl genrsa -des3 -out ca.key 1024
Back up ca.key in a safe place and remember the pass phrase you entered! You can see the details of the RSA private key with:
// Lone Wolf comment: it is best not to enter a pass phrase, just press Enter directly; otherwise, by default, you will be required to enter it at every Apache startup! However, if you are familiar with the shell, you can change this directly in the shell.
# openssl rsa -noout -text -in ca.key
You can create an unencrypted PEM version of this RSA private key (not recommended: the CA key signs everything you will trust, so keep it encrypted and off the web server) with:
# openssl rsa -in ca.key -out ca.key.unsecure
Use the CA's RSA key to create a self-signed CA certificate (X.509 structure); the output is in PEM format:
# openssl req -new -x509 -days 365 -key ca.key -out ca.crt
View the details of the certificate with:
# openssl x509 -noout -text -in ca.crt
Prepare a signing script. Because the "openssl ca" command has some strange requirements and the default OpenSSL configuration does not let you use "openssl ca" directly, a script named sign.sh is shipped with the mod_ssl distribution (in the pkg.contrib/ subdirectory). Use that script for signing.
Now have this CA sign the server's CSR to create a real SSL certificate for the Apache server (assuming you already have server.csr):
# ./sign.sh server.csr
This signs the server's CSR and leaves the result in server.crt. Browsers will still warn until ca.crt is imported into their list of trusted CAs, so distribute ca.crt (never ca.key) to your users.
Now you have two files, server.key and server.crt. Use them in your Apache httpd.conf as follows:
SSLCertificateFile /path/to/this/server.crt
SSLCertificateKeyFile /path/to/this/server.key
server.csr is no longer needed.
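The own-CA procedure above (server key and CSR, CA key and certificate, signing, then the two files Apache needs), carried out end to end as an added example; this is not the article's or mod_ssl's code. It assumes openssl 1.1.1 or newer on PATH; the CA name, the hostname www.foo.dom, the pass phrase and the 2048-bit key size are the example's own choices. It signs with openssl x509 -req instead of sign.sh, so it works with the stock OpenSSL configuration, and it adds the three checks an admin wants before pointing SSLCertificateFile and SSLCertificateKeyFile at the result: the chain verifies against ca.crt, the certificate names the host the browser will connect to (and is rejected for another name), and key and certificate belong together.

```shell
# Added example: private CA + server certificate, then the pre-deployment checks.
# Assumes openssl >= 1.1.1. Names, host and pass phrase are made up for the demo.
CA_PASS="demo-ca-pass-phrase"   # constructed value; use -passin env:/file: for a real one

# make_test_pki DIR HOST: writes ca.key ca.crt server.key server.csr server.crt into DIR
make_test_pki() {
    dir=$1; host=$2
    mkdir -p "$dir"
    # req needs a distinguished_name section even when -subj supplies the DN;
    # v3_ca marks the self-signed certificate as a CA, which verify requires.
    cat > "$dir/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
EOF
    # CA key, Triple-DES encrypted under the pass phrase (as "openssl genrsa -des3" above)
    openssl genrsa -des3 -passout "pass:$CA_PASS" -out "$dir/ca.key" 2048 2>/dev/null
    chmod 600 "$dir/ca.key"
    # self-signed X.509 CA certificate, PEM (the ca.crt users import into their browsers)
    openssl req -new -x509 -days 365 -key "$dir/ca.key" -passin "pass:$CA_PASS" \
        -subj "/O=Example Test CA/CN=Example Test CA Root" \
        -config "$dir/openssl.cnf" -out "$dir/ca.crt"
    # server key left unencrypted (-nodes) so "apachectl startssl" runs unattended;
    # the file is then the whole secret, so it must be root-only
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
        -subj "/CN=$host" -config "$dir/openssl.cnf" -out "$dir/server.csr" 2>/dev/null
    chmod 600 "$dir/server.key"
    # sign the CSR with the CA (what sign.sh does through "openssl ca");
    # the extension file pins the hostname in a SAN, which browsers check
    cat > "$dir/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$host
EOF
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -passin "pass:$CA_PASS" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

# verify_chain DIR HOST: does server.crt chain to ca.crt and name HOST?
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" 2>&1 \
        | grep -q ': OK$'
}

# key_matches_cert DIR: SSLCertificateFile and SSLCertificateKeyFile must share a modulus
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1/server.key" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$1/server.crt" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# key_is_private DIR: the unencrypted server key must not be group/world readable
key_is_private() {
    case $(ls -l "$1/server.key" | cut -c5-10) in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Stand-alone run
work=$(mktemp -d)
make_test_pki "$work" www.foo.dom
verify_chain "$work" www.foo.dom && echo "chain and hostname OK"
verify_chain "$work" www.bar.dom || echo "wrong hostname rejected, as a browser would"
key_matches_cert "$work" && echo "server.key matches server.crt"
key_is_private "$work" && echo "server.key is root-only"
rm -rf "$work"
```

After a run, ca.crt is what you hand to your users' browsers, server.key and server.crt are what the SSLCertificateKeyFile and SSLCertificateFile directives point at, and ca.key stays offline: with it anyone can issue certificates every one of those browsers will accept.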