Introduction
I have used chroot ("virtual root") environments since the days of the CERN httpd. Running a web server under a chroot has advantages and disadvantages; in the early days of the web it also provided a valuable extra security mechanism. In the Apache world the technique does not seem to be used much, but it is still interesting.
I describe a chrooted Apache environment for Linux and Solaris. Both can be built with statically linked modules (marked non-DSO where it matters) or with dynamic shared objects (marked DSO). The DSO variant on Solaris is not documented yet, so I have not tested it (I intend to test it on Solaris 8).
Installing a chrooted Apache tree on Linux is quite simple. This example uses Red Hat 6.* and Apache 1.3.12, and also installs PHP4 (as an Apache module) and perl5 inside the chroot tree, plus mod_ssl and mod_perl.
The example assumes a fairly complete Red Hat installation (enough files, libraries and development tools). If you chose the custom (preferred) installation and selected the development option, or if you used the server installation, you have a complete development environment.
MySQL 3.22.27 is not installed inside the chroot tree, but it is included here for completeness.
Disclaimer
I am not an expert :), and my knowledge of cryptography (openssl, mod_ssl and company) in particular is limited. I am an ordinary person and I make mistakes, so if you find anything wrong or have constructive suggestions, please let me know.
I wrote this article in the hope that you learn something from it and find it helpful. I could simply have provided a set of RPMs, but if you know how to build a modern web site from scratch and on your own, it is probably more interesting. In any case, on today's Internet, learning about and understanding the issues and risks of running a web site is up to you.
Solaris example
The chrooted web tree on Solaris is very similar to the Linux example. Of course, if you do not have the GNU development environment installed, the Solaris example will not be as easy as the Linux one.
The Solaris example is documented on another web page.
Additional notes
Use ldd to find the shared libraries a tool needs.
In this example the prompts are:
root user:
ROOT #
ordinary user:
$
As far as possible I compile and install all software as an ordinary user, not as root. This helps avoid unnecessary damage to the file system (especially with unfamiliar software), and it gives you a warning (a permission error) before dangerous operations such as a "setuid" chmod on installed binaries or installing files in unusual places.
In this example the user softs:softs does the compiling and installing.
What actually matters is that the owner of the software differs from the user ID the Apache tree runs as (888 in this example).
In Red Hat's default root environment the interactive switch -i is aliased onto cp, mv and rm. If your root environment does not have these aliases, I suggest you add them. You can check with:
ROOT # alias | grep ' -i'
alias cp='cp -i'
alias mv='mv -i'
alias rm='rm -i'
Keep your configuration as simple as possible: do not install modules you need rarely or not at all. For most people a standard non-DSO (statically linked) Apache plus a perl installation is enough.
Notes on DSO and mod_ssl:
If you intend to compile everything as DSO modules, you must build mod_ssl first, and then you really have to follow a fixed order when building the Apache tree, because mod_ssl modifies the Apache build tree substantially. In my experience with the versions mentioned above, the following order is the simplest:
Build Apache
Build mod_ssl and add it to Apache
Build PHP and mod_perl and add them to Apache
Keep a record somewhere of how you built your tree, for later reference. (Print it out and add comments.)
With all the software installed, the final chroot tree takes about 23MB, of which about 8MB is shared libraries and perl. The following summary is for the DSO install (sizes in KB):
ROOT # pwd
/www
ROOT # du -s .
22737   .
ROOT # du -s *
6832    apache
0       bin
1       dev
7       etc
6679    lib
1       tmp
9215    usr
1       webhome
ROOT # du -s apache/*
600     apache/bin
3       apache/cgi-bin
125     apache/conf
1560    apache/htdocs
133     apache/icons
392     apache/include
3925    apache/libexec
64      apache/man
29      apache/var
ROOT # du -s usr/*
8410    usr/Local
336     usr/bin
340     usr/lib
128     usr/share
1. Get the source code
To put a package into your chroot tree you need its source code. Most sources are on the source CD of the corresponding Linux distribution as source RPMs (SRPMs); of course you can also fetch the tarballs (.tar.gz) directly (the better choice if your bandwidth is limited).
On a Red Hat system, install a source RPM as root:
ROOT # rpm -i /path/to/SRPMfile.src.rpm
Then extract the source from the /usr/src/redhat/SOURCES/ directory.
For the packages in this example, here is where to find the source on the Internet:
Package    Version        Source                          Documentation
Apache     1.3.12         www.apache.org/dist/            www.apache.org/docs/
MySQL      3.22.27        www.mysql.com/downloads         www.mysql.com/documentation/
PHP        4.0.2          www.php.net/downloads.php       www.php.net/docs.php
Perl       5.00503        www.cpan.org/src/               www.cpan.org/doc/manual/html/index.html
mod_perl   1.24           perl.apache.org/dist/           perl.apache.org/#docs
Hello.pm                  perl.apache.org/dist/contrib/
mod_ssl    2.6.6-1.3.12   ftp://ftp.modssl.org/source/    www.modssl.org/docs/2.6/
OpenSSL    0.9.5a         ftp://ftp.openssl.org/source/   www.openssl.org/support/faq.html
RSAref     2.0            google search                   google search
2. Step by step
Preparing the chroot file system
2.1 Install the directory tree anywhere
Note: ideally on another disk, or at least on a non-system partition, so that no hard link can ever connect a file inside the web tree with a file outside it (hard links cannot cross file systems). A symlink (for example /www) then points at the tree.
ROOT # mkdir /export/misc/www
ROOT # ln -s /export/misc/www /www
2.2 Create the basic directories; bin is a link to usr/bin
Note: in these examples (except where I copy files directly from the real file system) I omit the leading "/", so that you do not confuse the chroot tree with the real "/".
(On the original web page, paths inside the chroot tree were marked in purple.)
ROOT # cd /www
ROOT # mkdir -p usr/bin usr/lib lib etc tmp dev webhome
ROOT # ln -s usr/bin bin
2.3 Give tmp its usual special permissions
ROOT # chmod 777 tmp
ROOT # chmod +t tmp
2.4 Create the special device dev/null
ROOT # mknod -m 666 dev/null c 1 3
2.5 Install the time zone information for your own time zone (here MET)
ROOT # mkdir -p usr/share/zoneinfo
ROOT # cp -pi /usr/share/zoneinfo/MET usr/share/zoneinfo/
ROOT # cd etc
ROOT # ln -s ../usr/share/zoneinfo/MET localtime
ROOT # cd ..
2.6 You will find that missing locale settings are inconvenient for perl, mod_perl and others, but you can fix this by installing the locale files into the chroot tree:
ROOT # set | grep LANG
LANG=en_US
ROOT # mkdir /www/usr/share/locale
ROOT # cp -a /usr/share/locale/en_US /www/usr/share/locale/
2.7 Now the shared libraries for a very basic chroot environment
ROOT # cp -pi /lib/libtermcap.so.2 /lib/ld-linux.so.2 /lib/libc.so.6 lib/
2.8 Test your tree (apachectl will later use "cat", but it is not required yet)
ROOT # cp -pi /bin/ls /bin/sh /bin/cat bin/
ROOT # chroot /www /bin/ls -l /
lrwxrwxrwx   1 0        0            7 Jan 29 09:24 bin -> usr/bin
drwxr-xr-x   2 0        0         1024 Jan 29 09:28 dev
drwxr-xr-x   2 0        0         3072 Jan 29 13:17 etc
drwxr-xr-x   2 0        0         1024 Jan 29 13:12 lib
drwxrwxrwt   2 0        0         1024 Jan 29 09:23 tmp
drwxr-xr-x   5 0        0         1024 Jan 29 09:23 usr
drwxr-xr-x   2 0        0         1024 Jan 29 10:41 webhome
2.9 You can remove ls again; it was only used for testing.
ROOT # rm bin/ls
3. Prepare the user and the name service
Next we create the user Apache will run as; this needs the following name service configuration:
3.1 Create a new user that does not exist on the system, with its own name and user ID (for example 888).
Note: whether the real identity files (/etc/passwd, /etc/group) also contain this user.group is not necessary and entirely up to you:
ROOT # cd /www
ROOT # touch etc/passwd etc/group etc/shadow
ROOT # chmod 400 etc/shadow
3.2 Edit the three files; in this example I simply echo the data into them:
ROOT # echo 'www:x:888:888:Web Account:/webhome:/usr/bin/False' > etc/passwd
ROOT # echo 'www:x:888:' > etc/group
ROOT # echo 'www:*:10882:-1:99999:-1:-1:-1:134537804' > etc/shadow
3.3 I give the user neither a login nor a shell; for completeness, compile a small "False" program that serves as a no-go shell.
ROOT # echo 'int main(int argc, char *argv[]) { return 1; }' > /tmp/False.c
ROOT # cc -o /www/usr/bin/False /tmp/False.c
3.4 Make the binaries execute-only:
ROOT # chmod 111 usr/bin/*
3.5 Some name service is essential. Because glibc routes name lookups through the name service switch libraries, it is not obvious at first glance which libraries are required; see "man nsswitch.conf" for details. Although my machine runs NIS (Network Information Service), I chose to rely on files and DNS. Note: the libresolv library is also needed; this becomes obvious after installing PHP.
ROOT # cp -pi /lib/libnss_files.so.2 lib/
ROOT # cp -pi /lib/libnss_dns.so.2 lib/
3.6 Three files complete the name service configuration.
Their contents depend on your IP and DNS setup. Here the web server is assumed to be ns.mynet.home with the IP address 192.168.196.2 (it is in fact my name server).
#---- contents of etc/nsswitch.conf ----#
passwd:   files
shadow:   files
group:    files
hosts:    files dns
#---- contents of etc/resolv.conf ----#
domain mynet.home
## use the IP address of your name server
## if bind is not installed on your web server
#nameserver 192.168.196.xxx
## use this if your web server is a (caching) name server
nameserver 127.0.0.1
#---- contents of etc/hosts ----#
127.0.0.1       localhost loopback
192.168.196.2   ns.mynet.home ns www
4. Compile and install Apache
4.1 Create the top-level directory for the Apache installation and link it from the real file system root, so that the path /apache is the same inside and outside the chroot.
ROOT # mkdir /www/apache
ROOT # ln -s /www/apache /apache
4.2 I do the compile and install work as an ordinary user (softs in this example).
Note: the final Apache install step needs root. In this example the sources are compiled under /usr/local/src/chr (owned by softs:softs).
$ cd /usr/local/src/chr
$ tar zxf /path/to/apache_1.3.12.tar.gz
$ cd apache_1.3.12
4.3 Edit config.layout and add a layout called chroot:
#   chroot layout.
<Layout chroot>
    prefix:        /apache
    exec_prefix:   $prefix
    bindir:        $exec_prefix/bin
    sbindir:       $exec_prefix/bin
    libexecdir:    $exec_prefix/libexec
    mandir:        $prefix/man
    sysconfdir:    $prefix/conf
    datadir:       $prefix
    iconsdir:      $datadir/icons
    htdocsdir:     $datadir/htdocs
    cgidir:        $datadir/cgi-bin
    includedir:    $prefix/include
    localstatedir: $prefix/var
    runtimedir:    $localstatedir/logs
    logfiledir:    $localstatedir/logs
    proxycachedir: $localstatedir/proxy
</Layout>
4.4 Now configure and build
non-DSO:
$ ./configure --with-layout=chroot --enable-module=most --enable-module=so
Enabling the "so" module lets you extend your Apache installation later with third-party modules through the DSO+APXS mechanism.
DSO:
$ ./configure --with-layout=chroot --enable-module=most --enable-shared=max
$ make
ROOT # make install    ## I am root!
4.5 Copy the shared libraries used by the example Apache
Note that other configurations may use other libraries (check with ldd)
ROOT # cd /www
ROOT # cp -pi /lib/libm.so.6 /lib/libcrypt.so.1 /lib/libdb.so.3 lib/
ROOT # cp -pi /lib/libdl.so.2 lib/
4.6 A quick test to see the result
For a quick test, the main parts of /www/apache/conf/httpd.conf to edit are:
User www
Group www
ServerName yourserver.yourdomain.here
Port 8088    ## pick your favourite test port
4.7 Start the daemon
ROOT # chroot /www /apache/bin/apachectl start
4.8 Test the URL
$ lynx -dump http://yourserver/
Test the URL on the other port (e.g. 8088):
$ lynx -dump http://yourserver:8088/
4.9 A small perl script, not reproduced here, strips most comments from the configuration file to produce a simplified copy.
4.10 Give the htdocs tree to the owner of the web tree
ROOT # chown -R 888:888 /www/apache/htdocs
(Note that this lets anything running as www modify the documents; if the server does not need to write there, leaving the tree owned by root with read-only access for www, as recommended for the perl tree in 7.7, is safer.)
5. Compile and install MySQL
MySQL is not installed inside the chroot tree; in fact it could be installed on a different system altogether. In my case it runs on the same machine as the Apache web server.
This example covers creating the user and the database location and generating the initial database.
5.1 Create the user who will own the MySQL database.
For example: user 777:777 with home directory /home/mysql
ROOT # groupadd -g 777 mysqldba
ROOT # useradd -c "mysql DBA" -d /home/mysql -u 777 -g 777 -m -n mysql
5.2 Unpack the source and give the source tree to the mysql user
5.3 As the mysql user, create the database directory, then configure and build MySQL
$ mkdir ~/db    ## where the DB will reside
$ cd /usr/local/src/mysql-3.22.27
$ ./configure --localstatedir=/home/mysql/db --prefix=/usr/local/mysql
$ make
$ make install
5.4 Generate the MySQL grant tables (only needed the first time MySQL is installed)
$ ./scripts/mysql_install_db
5.5 Install and edit the database startup script so that the daemon runs as mysql instead of root
ROOT # cd /usr/local/src/mysql-3.22.27/
ROOT # cp support-files/mysql.server /etc/rc.d/init.d/
ROOT # chmod 755 /etc/rc.d/init.d/mysql.server
ROOT # [edit /etc/rc.d/init.d/mysql.server:]
mysql_daemon_user=mysql    ## so we can run mysqld as this user
ROOT # chkconfig --add mysql.server    ## permanently add the server to the rc scripts
5.6 After installing MySQL, refresh the shared library cache.
ROOT # /sbin/ldconfig -nv /usr/local/lib
5.7 As the database owner, edit PATH and set the database root password.
$ [edit the shell login script .bash_profile]
PATH=$PATH:$HOME/bin:/usr/local/mysql/bin
$ . ~/.bash_profile    ## source it!
$ mysqladmin -u root password '2mUch!data'    ## pick your own password!
6. Compile and install PHP
6.1 Stop the running Apache daemon
ROOT # chroot /www /apache/bin/apachectl stop
6.2 First compile PHP
With a non-DSO install you must then recompile Apache. (With non-DSO you have to do this again every time you upgrade any package.)
$ cd /usr/local/src/chr    ## I am NOT root!
$ tar zxf /path/to/php-4.0.2.tar.gz
$ cd php-4.0.2
non-DSO:
$ ./configure --with-mysql=/usr/local/mysql \
    --with-apache=../apache_1.3.12 --enable-track-vars \
    --with-config-file-path=/apache/conf --sharedstatedir=/tmp
DSO:
$ ./configure --with-mysql=/usr/local/mysql \
    --with-apxs=/apache/bin/apxs --enable-track-vars \
    --with-config-file-path=/apache/conf --sharedstatedir=/tmp
DSO (alternatively, with the CFLAGS switch, when mod_ssl was also configured as a DSO module):
$ CFLAGS=-DEAPI ./configure --with-mysql=/usr/local/mysql \
    --with-apxs=/apache/bin/apxs --enable-track-vars \
    --with-config-file-path=/apache/conf --sharedstatedir=/tmp
$ make
non-DSO:
$ make install
DSO:
ROOT # make install
For a DSO PHP install, "make install" must run as root, because the module is written directly into the module directory /apache/libexec and, in addition, Apache's configuration file is changed.
6.3 For the non-DSO install only: recompile Apache, activating the PHP module
$ cd ../apache_1.3.12/
$ ./configure --with-layout=chroot \
    --enable-module=most --enable-module=so \
    --activate-module=src/modules/php4/libphp4.a
$ make
ROOT # make install    ## I am root!
6.4 PHP needs more shared libraries inside the chroot tree; check with ldd
For non-DSO: ldd /apache/bin/httpd
For DSO:     ldd /apache/libexec/libphp4.so
A small for loop copies the necessary files from /lib and /usr/lib
ROOT # cd /www
ROOT # for i in libresolv.so.2 libnsl.so.1 libpam.so.0; do
> cp -pi /lib/$i /www/lib/; done
ROOT # for i in libgd.so.1 libgdbm.so.2 libz.so.1; do
> cp -pi /usr/lib/$i /www/usr/lib/; done
6.5 If you compiled in MySQL support, install its client library in the tree as well
ROOT # cp -pi /usr/local/mysql/lib/mysql/libmysqlclient.so.6 /www/usr/lib/
6.6 Edit httpd.conf so that .php files are recognised
ROOT # cd /apache/conf
ROOT # [edit /apache/conf/httpd.conf]
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
6.7 Restart the daemon
ROOT # chroot /www /apache/bin/apachectl start
6.8 With non-DSO you can check that PHP was compiled in
ROOT # chroot /www /apache/bin/httpd -l | grep php
mod_php4.c
6.9 A small "hello world" script tests PHP; install it as hello.php. If you want to browse its source, copy it or link it to hello.phps. When testing is complete, remove the script and the link again (the .phps handler shows source to anyone who asks for it).
7. Compile and install perl
You could simply copy /usr/lib/perl5 to www/usr/lib and usr/bin/perl5.00503 (assuming Red Hat 6.0) to www/usr/bin and save yourself the trouble. You would still need to find and install any missing shared libraries, and create the hard link from usr/bin/perl5.00503 to usr/bin/perl inside /www.
The simplest way is:
ROOT # cp -a /usr/lib/perl5 /www/usr/lib/
ROOT # cp -p /usr/bin/perl5.00503 /www/usr/bin/
ROOT # cd /www/usr/bin
ROOT # ln perl5.00503 perl
Nevertheless, I describe how to compile and install perl, because if you want mod_perl you have to compile it against this perl:
7.1 Create the links needed to install into the chroot tree.
Here the tree uses the directory usr/Local. There is a reason for the capital L: be careful not to confuse it with usr/local. To be safe, I still install as user softs.
ROOT # mkdir /www/usr/Local
ROOT # ln -s /www/usr/Local /usr/Local
ROOT # chown softs:softs /www/usr/Local
7.2 Get the source from the Red Hat SRPM
ROOT # rpm -i /path/to/perl-5.00503-2.src.rpm
7.3 As the owner of the source tree, unpack perl
$ cd /usr/local/src/chr
$ tar zxf /usr/src/redhat/SOURCES/perl5.005_03.tar.gz
7.4 The Red Hat SRPM contains a number of patches. Apply the ones appropriate to your version; in this example I used the Red Hat 6.0 patches.
$ cp /usr/src/redhat/SOURCES/perl*.patch .
$ cd perl5.005_03
$ patch -p1 < ../perl5-installman.patch
$ patch -p1 < ../perl5.005_02-buildsys.patch
$ patch -p1 < ../perl5.005_03-db1.patch
7.5 Run Configure and accept most of the defaults. You may also want to answer "none" to the man page questions. The defaults I changed:
$ ./Configure
architecture name? i386-linux
Installation prefix to use? /usr/Local
Directories to use for library searches? /lib /usr/lib /usr/Local/lib
install perl as /usr/bin/perl? n
7.6 Build, test and install it
$ make
$ make test
$ make install
7.7 Link perl into the usr/bin directory of the tree.
If you do not install mod_perl, you may want to transfer ownership of the perl tree to root. (It is not strictly necessary, as long as the owner of the web tree has read-only permission on the perl tree.)
ROOT # cd /www/usr/bin
ROOT # ln -s ../Local/bin/perl perl
7.8 Check the shared libraries and install any that are missing (this depends mainly on your configuration)
In this example none are missing:
ROOT # ldd /www/usr/bin/perl
        libnsl.so.1 => /lib/libnsl.so.1 (0x4001b000)
        libdl.so.2 => /lib/libdl.so.2 (0x40031000)
        libm.so.6 => /lib/libm.so.6 (0x40035000)
        libc.so.6 => /lib/libc.so.6 (0x40052000)
        libcrypt.so.1 => /lib/libcrypt.so.1 (0x40147000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
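Steps 2.7, 4.5, 6.4 and 7.8 all do the same thing by hand: run ldd on a binary and copy whatever it lists into the chroot tree. The script below is an added example, not a script from the original article; it automates that copy and, more usefully, verifies afterwards that nothing the binary needs is missing from the jail. It assumes GNU/Linux ldd output ("name => /path (addr)" lines); the function names (ldd_libs, jail_install, jail_missing) and the LDD override variable are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): populate a chroot jail
# with a binary and the shared libraries ldd reports for it, then check
# that nothing is missing. Assumes GNU/Linux ldd output; all names here
# (ldd_libs, jail_install, jail_missing, LDD) are this example's own.
#
# LDD can be overridden (for instance with a fake ldd when testing).
: "${LDD:=ldd}"

# ldd_libs: read ldd(1) output on stdin, print one absolute library path
# per line. ldd emits three shapes of line:
#   libc.so.6 => /lib/libc.so.6 (0x40052000)   -> /lib/libc.so.6
#   /lib/ld-linux.so.2 (0x40000000)            -> /lib/ld-linux.so.2
#   linux-gate.so.1 => (0xffffe000)            -> skipped (kernel vDSO)
# "statically linked" and "not a dynamic executable" print nothing.
ldd_libs() {
    awk '
        $2 == "=>" && $3 ~ /^\// { print $3; next }   # name => /path
        $1 ~ /^\//               { print $1 }         # bare /path (loader)
    '
}

# jail_install JAIL BIN...: copy each binary and its libraries into JAIL,
# keeping the host path, so /lib/libc.so.6 lands in JAIL/lib/libc.so.6
# (inside the chroot the loader looks for it at /lib/libc.so.6 again).
# cp -p preserves modes and timestamps; files already present are left
# alone, so a second run never clobbers a hand-installed file.
jail_install() {
    jail=$1; shift
    for bin in "$@"; do
        mkdir -p "$jail$(dirname "$bin")"
        [ -e "$jail$bin" ] || cp -p "$bin" "$jail$bin"
        "$LDD" "$bin" | ldd_libs | while read -r lib; do
            [ -e "$jail$lib" ] && continue
            mkdir -p "$jail$(dirname "$lib")"
            cp -p "$lib" "$jail$lib"
        done
    done
}

# jail_missing JAIL BIN: print every library BIN needs that is absent
# from JAIL. Empty output means the binary will load inside the chroot.
jail_missing() {
    jail=$1
    "$LDD" "$2" | ldd_libs | while read -r lib; do
        [ -e "$jail$lib" ] || echo "$lib"
    done
}

# Usage on the article's tree (as root):
#   jail_install /www /bin/sh /bin/cat /apache/bin/httpd
#   jail_missing /www /apache/bin/httpd    # should print nothing
```

Run jail_missing against httpd (and, for a DSO build, against each module in /apache/libexec) after every package upgrade: a library that is newly required but absent from the jail only shows up as a failed start, and the error message from inside the chroot rarely names the file.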
7.9 Test your installation:
ROOT # chroot /www /usr/bin/perl -v
This is perl, version 5.005_03 built for i386-linux
...
7.10 Make the example perl CGI scripts installed in the Apache cgi-bin executable
ROOT # cd /www/apache/cgi-bin
ROOT # chmod ugo+x *
7.11 Start the Apache server and test the example perl CGI scripts
ROOT # chroot /www /apache/bin/apachectl start
$ lynx -dump http://yourserver/cgi-bin/printenv
Also check test-cgi
$ lynx -dump http://yourserver/cgi-bin/test-cgi
7.12 Finally, remove the execute bit from the CGI scripts again, or delete them entirely. Do not leave them reachable from outside; they print server internals to anyone who requests them.
ROOT # chmod ugo-x /www/apache/cgi-bin/*
8. Compile and install mod_ssl
If you plan a DSO install of mod_ssl, I hope you have read the additional notes above.
You have to compile openssl and mod_ssl; I also chose to compile the rsaref 2.0 version. Read the mod_ssl documentation to understand the mod_ssl release versions and options.
Note: openssl and rsaref provide the include files, libraries and development tools that let you compile mod_ssl; they need not become part of the chroot tree or be installed into it.
8.1 Extract the openssl, mod_ssl and rsaref20 sources
$ cd /usr/local/src/chr
$ tar zxf /path/to/mod_ssl-2.6.6-1.3.12.tar.gz
$ tar zxf /path/to/openssl-0.9.5a.tar.gz
$ mkdir rsaref-2.0
$ cd rsaref-2.0
$ tar zxf /path/to/rsaref20.1996.tar.Z
8.2 Configure and build the RSA reference library.
Note that on 64-bit architectures you need to read the INSTALL file in the mod_ssl package for information on using rsaref.
$ cd /usr/local/src/chr/rsaref-2.0
$ cp -rpi install/unix local
$ cd local
$ make
$ mv rsaref.a librsaref.a
8.3 Configure and build the openssl library
$ cd /usr/local/src/chr/openssl-0.9.5a
$ ./config -L/usr/local/src/chr/rsaref-2.0/local -fPIC
$ make
$ make test    ## inspect the output for anomalies
8.4 You may want to install the package; it is of course not installed into the chroot tree.
Here I assume softs owns the usr/local tree, because openssl's default install prefix is /usr/local/ssl. Installing is not required, however, because mod_ssl can be built against the openssl source tree.
$ make install
8.5 Configure mod_ssl
$ cd /usr/local/src/chr/mod_ssl-2.6.6-1.3.12
$ ./configure --with-apache=../apache_1.3.12
8.6 Go to the Apache tree, finish the configuration and build
$ cd /usr/local/src/chr/apache_1.3.12
non-DSO:
$ SSL_BASE=../openssl-0.9.5a RSA_BASE=../rsaref-2.0/local \
  ./configure --prefix=/apache --with-layout=chroot \
    --enable-module=most --enable-module=so --enable-module=ssl \
    --disable-rule=SSL_COMPAT --enable-rule=SSL_SDBM \
    --activate-module=src/modules/php4/libphp4.a \
    --activate-module=src/modules/perl/libperl.a
DSO:
$ cd src/modules
$ make clean    ## seems to be necessary if you previously compiled in the apache tree
$ cd ../../
$ SSL_BASE=../openssl-0.9.5a RSA_BASE=../rsaref-2.0/local \
  ./configure --prefix=/apache --with-layout=chroot \
    --enable-module=most --enable-shared=max --enable-shared=ssl \
    --disable-rule=SSL_COMPAT --enable-rule=SSL_SDBM
$ make
8.7 Reinstall Apache. If it is running, stop it first, then install.
ROOT # chroot /www /apache/bin/apachectl stop
ROOT # make install    ## I am root!
8.8 With a non-DSO install you can check the compiled-in modules.
ROOT # chroot /www /apache/bin/httpd -l | grep -E '(php|perl|ssl)'
mod_ssl.c
mod_php4.c
mod_perl.c
8.9 Create the random devices inside the chroot tree
ROOT # cd /www/dev
ROOT # mknod random c 1 8
ROOT # mknod urandom c 1 9
8.10 Merge the default configuration file into your current httpd.conf.
I test on a port other than the standard port 80; no other web server is running on the secure port 443, so I leave that one as it is.
In this example the changes I made to the default httpd.conf are:
User www
Group www
ServerName yourserver.yourdomain.here
Port 8088              ## pick a test port
Listen 8088            ## in the 'IfDefine SSL' section
Listen 443             ## this is the standard secure port!
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
# your Hello.pm script for mod_perl testing:
SetHandler perl-script
PerlHandler Apache::Hello
SSLCertificateFile    /apache/conf/server.crt
SSLCertificateKeyFile /apache/conf/server.key
# in this example I generate the key and crt files in /apache/conf
8.11 If you do not have a server key and certificate yet, create them now.
Here I assume openssl is in your path, because you installed it earlier; if not, add it to the path. Note that I sign my own certificate; if you do anything important, have a proper certificate authority issue the certificate.
ROOT # cd /www/apache/conf
Set up a list of files used to seed the random number generator
ROOT # randfiles='/var/log/messages:/proc/net/unix:/proc/stat:/proc/ksyms'
Generate the server key
ROOT # openssl genrsa -rand $randfiles -out server.key 1024
Generate a signing request (do not add a passphrase at this point)
Note that the Common Name must exactly match the name clients use to reach your web server
ROOT # openssl req -new -nodes -out request.pem -key server.key
Sign your own key (valid for one year)
ROOT # openssl x509 -in request.pem -out server.crt -req -signkey server.key -days 365
Protect your key and certificate
ROOT # chmod 400 server.*
Delete the request file
ROOT # rm request.pem
Optionally encrypt your key (an encrypted key means Apache asks for the passphrase at every start, which matters for the automatic start in section 11)
ROOT # mv server.key server.key.unencrypted
ROOT # openssl rsa -des3 -in server.key.unencrypted -out server.key
ROOT # chmod 000 server.key.unencrypted    ## better yet, delete it!
If you change your mind and decide to remove the passphrase from your encrypted key again:
ROOT # openssl rsa -in server.key -out server.key.un
ROOT # mv server.key.un server.key
ROOT # chmod 400 server.key
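Step 8.11 as a script, with the checks worth running before pointing SSLCertificateKeyFile at the result. This is an added example, not the article's own commands, and the function names (make_selfsigned, cert_matches_key, cert_subject, key_is_private) are mine. It differs from the commands above in two ways that reflect what is adequate today rather than what was typical when the article was written: it asks for a 2048-bit key (1024-bit RSA is no longer acceptable) and it lets openssl seed itself from the kernel's random device instead of hashing predictable files such as /proc/stat. The key is written under umask 077 so it is never readable by others, even briefly, and cert_matches_key compares the modulus of certificate and key, which is the check to run after any manual regeneration or key rotation.

```shell
#!/bin/sh
# Added example (not from the original article): create a self-signed
# server key and certificate for mod_ssl, with the checks worth running
# before pointing SSLCertificateFile/SSLCertificateKeyFile at them.
# Function names are this example's own. Requires the openssl CLI.

# make_selfsigned DIR CN [DAYS]
#   writes DIR/server.key (mode 0400, unencrypted so Apache can start
#   without a passphrase) and DIR/server.crt, valid for DAYS (default 365).
#   CN must be the exact host name clients use, or browsers will complain.
make_selfsigned() {
    dir=$1; cn=$2; days=${3:-365}
    mkdir -p "$dir"
    # Subshell so the umask change does not leak into the caller's shell;
    # 077 means the key file is never world-readable, not even briefly.
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
          -keyout "$dir/server.key" -out "$dir/server.crt" \
          -days "$days" -subj "/CN=$cn" >/dev/null 2>&1 ) || return 1
    chmod 400 "$dir/server.key" "$dir/server.crt"
}

# cert_matches_key DIR: succeed only if the certificate's public key is
# the one belonging to server.key (compares the RSA modulus of both).
# A mismatch here is the usual reason mod_ssl refuses to start after a
# half-finished key rotation.
cert_matches_key() {
    k=$(openssl rsa  -in "$1/server.key" -noout -modulus 2>/dev/null) || return 1
    c=$(openssl x509 -in "$1/server.crt" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_subject DIR: print the certificate subject, to verify the CN.
cert_subject() {
    openssl x509 -in "$1/server.crt" -noout -subject
}

# key_is_private DIR: succeed only if server.key is readable by its owner
# alone, which is what the article's "chmod 400 server.*" is meant to
# guarantee (the trailing * tolerates an ACL or SELinux marker in ls -l).
key_is_private() {
    case $(ls -l "$1/server.key") in
        -r--------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Usage on the article's tree (as root):
#   make_selfsigned /www/apache/conf www.yourdomain.here 365
#   cert_matches_key /www/apache/conf && key_is_private /www/apache/conf
```

Because the key lives inside the chroot at /www/apache/conf, the User www directive alone does not protect it: httpd reads the key as root before dropping privileges, so the 0400 root-owned mode is what keeps a CGI or PHP script running as www from reading it.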
8.12 Start Apache without SSL to make sure it works.
ROOT # chroot /www /apache/bin/apachectl start
$ lynx -dump http://yourserver:8088/
8.13 Restart Apache with SSL and test it with Netscape.
ROOT # chroot /www /apache/bin/apachectl stop
ROOT # chroot /www /apache/bin/apachectl startssl
$ netscape https://yourserver/
8.14 Now you may want to edit your server configuration and put the server on the standard port (80).
If you tested the configuration as above, you do not need to reconfigure port 443.
9. Some security considerations
The online Apache documentation offers plenty of help. One point that needs special attention is the permissions of the httpd programs: the web user must be able to execute them, but has no business reading or writing them.
ROOT # chmod ugo-rw /www/apache/bin/*
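Section 9 shows only the one chmod. The checks below are what I would run over the finished tree before starting it, and again after every package upgrade; they are an added example, not from the article, and the function name, the finding labels and the list of expected device nodes are mine. It reports the things that most often undo a jail in practice: setuid or setgid files inside the tree (the classic way out), world-writable places other than the sticky tmp, files the web uid can modify (it should read the server and its libraries, never rewrite them; the htdocs tree handed to 888 in 4.10 will show up here, which is a reminder to decide whether the server really needs write access to its own documents), and device nodes beyond the null, random and urandom created in 2.4 and 8.9.

```shell
#!/bin/sh
# Added example (not from the original article): audit a chroot tree for
# the mistakes that most often undo the jail. Prints one finding per line
# ("label: path"); no output means nothing was found. The function name,
# the labels and the expected device list are this example's own.
#
# jail_audit JAIL WEBUID
#   JAIL   - root of the chroot tree (the article's /www)
#   WEBUID - numeric uid the server runs as (the article's 888)
jail_audit() {
    jail=$1; webuid=$2

    # 1. setuid/setgid programs: inside the chroot the web user could run
    #    them with elevated privilege, which is the classic jail escape.
    find "$jail" -type f \( -perm -4000 -o -perm -2000 \) -print \
        | sed 's/^/setuid-or-setgid: /'

    # 2. world-writable files and directories, except sticky directories
    #    (tmp is meant to be 1777); anywhere else the web user could drop
    #    or replace files.
    find "$jail" \( -type f -o -type d \) -perm -002 \
        ! \( -type d -perm -1000 \) -print \
        | sed 's/^/world-writable: /'

    # 3. regular files the web uid owns and can write: a compromised httpd
    #    or CGI could then rewrite binaries, libraries or configuration.
    find "$jail" -type f -user "$webuid" -perm -200 -print \
        | sed 's/^/writable-by-web-uid: /'

    # 4. device nodes beyond the three the tree is built with.
    find "$jail" \( -type c -o -type b \) \
        ! -name null ! -name random ! -name urandom -print \
        | sed 's/^/unexpected-device: /'

    return 0
}

# Usage on the article's tree (as root):
#   jail_audit /www 888
```

The audit deliberately ignores symbolic links: inside a chroot an absolute symlink is resolved relative to the jail root, so it cannot point outside the tree, whereas a hard link to a file outside the jail can, which is why 2.1 recommends a separate file system.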
10. Getting out of your chroot environment
When you need to get out of the chroot environment you must be very careful: every path out of the jail weakens the isolation it provides. In the Unix world there are always several ways to do a task, so you can also try other methods.
I offer the following fragment as inspiration for a CGI or PHP script.
...
[construct the file name in $f]
$cmd = "/bin/mail -s Some-subject-line -t webmaster@localhost -f $f";
$op = exec($cmd, $arr, $retval);
...
?>
The file is called wwwmail.c.
11. Clean-up after installation
11.1 Remove the temporary links that were needed during installation
ROOT # rm /apache /usr/Local
11.2 Start Apache automatically by installing an httpd startup script in etc/rc.d/init.d, for example:
standard Apache on port 80
Apache on ports 80 and 443 (startssl)
then run chkconfig to set up its symbolic links
ROOT # chkconfig --add httpd
ROOT # chkconfig --list httpd
httpd   0:off   1:off   2:on    3:on    4:on    5:on    6:off
11.3 Automatic log file trimming.
On Red Hat systems you can define your own log files and parameters simply by describing them in /etc/logrotate.conf. Note that logrotate runs outside the chroot, so the logs must be named by their full path (/www/apache/var/logs/... with the layout above), and the server is signalled after rotation with "chroot /www /apache/bin/apachectl restart".
12. Harvesting the files from RPMs
I have not had time to finish this part yet. The idea is to take the files from the RPMs, so that building the chroot web tree does not require compiling the sources. I now have two scripts, which I will document later:
a script that harvests the RPMs, based on Red Hat 7.0
a script that creates a temporary SSL key and certificate (for testing purposes only!!!)