apache (An HTTP server)


Overview

Apache is (by most counts) the most widely used HTTP server software in the world.

URLs

http://www.apache.org/ (official site)
http://www.modssl.org/ (the SSL module, mod_ssl)

Installation environments

Plamo Linux 1.4.4 (Kernel 2.2.10 + libc5)
Plamo Linux 2.0 (Kernel 2.2.15 + glibc 2.1.2)
Plamo Linux 2.2.1 (Kernel 2.2.19 + glibc 2.2)
Slackware 7.0 (Kernel 2.2.14 + glibc 2.1.2)

Prerequisites

Perl 5

Versions

Apache : 1.3.12, 1.3.20, 1.3.22, 1.3.26, 1.3.27
mod_ssl : 2.6.6-1.3.12, 2.8.4-1.3.20, 2.8.5-1.3.22, 2.8.10-1.3.26, 2.8.14-1.3.27

Installation (Apache alone)

$ tar xvfz apache-1.3.12.tar.gz
$ cd apache_1.3.12
$ ./configure
$ make
$ su
# make install
# exit

Then create /etc/rc.d/rc.httpd with the following content and make it executable with chmod 755 /etc/rc.d/rc.httpd; that is all.
#!/bin/sh
/usr/local/apache/bin/apachectl start

Installation (with mod_ssl)

First install OpenSSL, and have the Apache source unpacked as well (../apache-1.3.x). Next, unpack mod_ssl.
$ tar xvfz mod_ssl-2.6.6-1.3.12.tar.gz
$ cd mod_ssl-2.6.6-1.3.12
$ ./configure --with-apache=../apache_1.3.12 --with-ssl=../openssl-0.9.5a --prefix=/usr/local/apache
(snip)
Configuring for Apache, Version 1.3.12
 + using installation path layout: Apache (config.layout)
Creating Makefile
Creating Configuration.apaci in src
Error: Cannot find SSL binaries under /usr/local/src/openssl-0.9.5a
Creating Makefile in src
(snip)

Hmm. The SSL library was not found. Perhaps like this?
$ ./configure --with-apache=../apache_1.3.12 --with-ssl=/usr/local/ssl --prefix=/usr/local/apache

This time it seems to be fine. ./configure --help says --with-ssl takes the "path to OpenSSL source tree", but an installed prefix works too: what the check needs is a tree that contains the built headers and libraries, and /usr/local/ssl (the default prefix of OpenSSL's make install) has them under include/ and lib/. The first attempt failed because ../openssl-0.9.5a, resolved relative to /usr/local/src, did not contain a built tree, which is what the "Cannot find SSL binaries" message is complaining about.
Next, configure Apache itself. Do not forget --enable-module=so if you are going to use PHP (loaded as a DSO).
$ cd ../apache_1.3.12
$ SSL_BASE=/usr/local/ssl ./configure --enable-module=ssl --enable-module=unique_id \
      --enable-module=rewrite --enable-module=speling --enable-module=info --enable-module=so
$ make
(snip)
+---------------------------------------------------------------------+
| Before you install the package you now should prepare the SSL       |
| certificate system by running the 'make certificate' command.       |
| For different situations the following variants are provided:       |
|                                                                     |
| % make certificate TYPE=dummy    (dummy self-signed Snake Oil cert) |
| % make certificate TYPE=test     (test cert signed by Snake Oil CA) |
| % make certificate TYPE=custom   (custom cert signed by own CA)     |
| % make certificate TYPE=existing (existing cert)                    |
|        CRT=/path/to/your.crt [KEY=/path/to/your.key]                |
|                                                                     |
| Use TYPE=dummy    when you're a  vendor package maintainer,         |
| the TYPE=test     when you're an admin but want to do tests only,   |
| the TYPE=custom   when you're an admin willing to run a real server |
| and TYPE=existing when you're an admin who upgrades a server.       |
| (The default is TYPE=test)                                          |
|                                                                     |
| Additionally add ALGO=RSA (default) or ALGO=DSA to select           |
| the signature algorithm used for the generated certificate.         |
|                                                                     |
| Use 'make certificate VIEW=1' to display the generated data.        |
|                                                                     |
| Thanks for using Apache & mod_ssl.       Ralf S. Engelschall        |
|                                          rse@engelschall.com        |
|                                          www.engelschall.com        |
+---------------------------------------------------------------------+
(snip)
$ su
# make install
(snip)
+--------------------------------------------------------+
| You now have successfully built and installed the      |
| Apache 1.3 HTTP server. To verify that Apache actually |
| works correctly you now should first check the         |
| (initially created or preserved) configuration files   |
|                                                        |
|   /usr/local/apache/conf/httpd.conf
|                                                        |
| and then you should be able to immediately fire up     |
| Apache the first time by running:                      |
|                                                        |
|   /usr/local/apache/bin/apachectl start
|                                                        |
| Or when you want to run it with SSL enabled use:       |
|                                                        |
|   /usr/local/apache/bin/apachectl startssl
|                                                        |
| Thanks for using Apache.       The Apache Group        |
|                                http://www.apache.org/  |
+--------------------------------------------------------+
# exit

That completes the installation.

Configuration (acting as your own CA and issuing the server certificate)

1.) Create the CA's own private key, ca.key.
$ openssl genrsa -des3 -out ca.key 1024

2.) Create the CA's own (self-signed) certificate, ca.crt.
$ openssl req -new -x509 -key ca.key -out ca.crt
Using configuration from /usr/local/ssl/openssl.cnf
Enter PEM pass phrase:       <--- enter the pass phrase
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
                                  ~~
State or Province Name (full name) [Some-State]:Aichi
                                                ~~~~~
Locality Name (eg, city) []:Nagoya
                            ~~~~~~
Organization Name (eg, company) [Internet Widgits Pty Ltd]:CA for test.
                                                           ~~~~~~~~~~~~ organization name
Organizational Unit Name (eg, section) []:Admin
                                          ~~~~~ section
Common Name (eg, YOUR name) []:Taro Yamada
                               ~~~~~~~~~~~
Email Address []:foo@bar.co.jp
                 ~~~~~~~~~~~~~

3.) Create the server's private key, server.key.
$ openssl genrsa -des3 -out server.key 1024

4.) Create the CSR (Certificate Signing Request) for the server certificate.
$ openssl req -new -key server.key -out server.csr
Using configuration from /usr/local/ssl/openssl.cnf
Enter PEM pass phrase:       <--- enter the pass phrase
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
                                  ~~
State or Province Name (full name) [Some-State]:Aichi
                                                ~~~~~
Locality Name (eg, city) []:Nagoya
                            ~~~~~~
Organization Name (eg, company) [Internet Widgits Pty Ltd]:HogeHoge Co.,ltd.
                                                           ~~~~~~~~~~~~~~~~~
Organizational Unit Name (eg, section) []:Admin
                                          ~~~~~
Common Name (eg, YOUR name) []:www.hoge.co.jp
                               ~~~~~~~~~~~~~~ server name (the host name clients will connect to; they check it against the URL)
Email Address []:webmaster@hoge.co.jp
                 ~~~~~~~~~~~~~~~~~~~~

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:         <--- just press Enter
An optional company name []:     <--- just press Enter

5.) Issue the server certificate, using the sign.sh script shipped in mod_ssl's pkg.contrib directory. Note: sign.sh expects the CA key and certificate in the current directory under exactly the names ca.key and ca.crt (it writes its own ca.config and certificate database next to them, hence the "Data Base Updated" line), so run it where those files live.
$ /usr/local/src/mod_ssl-2.6.6-1.3.12/pkg.contrib/sign.sh server.csr
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter PEM pass phrase:
Check that the request matches the signature
Signature ok
The Subjects Distinguished Name is as follows
countryName           :PRINTABLE:'JP'
stateOrProvinceName   :PRINTABLE:'Aichi'
localityName          :PRINTABLE:'Nagoya'
organizationName      :PRINTABLE:'hogehoge.com'
organizationalUnitName:PRINTABLE:'Admin'
commonName            :PRINTABLE:'www.hogehoge.com'
emailAddress          :IA5STRING:'webmaster@hogehoge.com'
Certificate is to be certified until Sep 13 04:30:55 2001 GMT (365 days)
Sign the certificate? [y/n]:y
                            ~

1 out of 1 certificate requests certified, commit? [y/n]y
                                                        ~
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK
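The five steps above collected into one non-interactive script. This is an added example, not sign.sh and not code from the original page; it assumes openssl(1) is on PATH, and every DN value, host name and pass phrase in it is a placeholder. It also packages the two checks that sign.sh and mkcert.sh report ("matching certificate & key modulus" and "CA verifying") as a function you can run on any cert/key pair, and it uses 2048-bit RSA with AES key encryption rather than the page's 1024-bit/3DES, which are no longer acceptable choices.

```shell
#!/bin/sh
# Added example: the page's five-step "be your own CA" procedure done
# non-interactively, plus the checks that sign.sh/mkcert.sh perform.
# Not from the page or from mod_ssl.  Assumes openssl(1) is on PATH;
# every DN value, host name and pass phrase below is a placeholder.
set -eu

# Pass phrases are read by openssl from the environment (its env: syntax)
# instead of from the command line, where `ps` would show them.
: "${CA_PASS:=change-this-ca-pass-phrase}"
: "${SRV_PASS:=change-this-server-pass-phrase}"
export CA_PASS SRV_PASS

# Steps 1 and 2: encrypted CA key and self-signed CA certificate.
# 2048-bit RSA and AES-256 instead of the page's 1024-bit/3DES; the CA
# certificate gets a long validity, the server certificate one year as
# on the page.
make_ca() {
    dir=$1
    openssl genrsa -aes256 -passout env:CA_PASS -out "$dir/ca.key" 2048 2>/dev/null
    chmod 600 "$dir/ca.key"
    openssl req -new -x509 -sha256 -days 3650 -key "$dir/ca.key" -passin env:CA_PASS \
        -subj "/C=JP/ST=Aichi/L=Nagoya/O=CA for test/OU=Admin/CN=Test CA" \
        -out "$dir/ca.crt"
}

# Steps 3 and 4: encrypted server key and a CSR whose CN is the host name
# clients will connect to.
make_csr() {
    dir=$1; host=$2
    openssl genrsa -aes256 -passout env:SRV_PASS -out "$dir/server.key" 2048 2>/dev/null
    chmod 600 "$dir/server.key"
    openssl req -new -sha256 -key "$dir/server.key" -passin env:SRV_PASS \
        -subj "/C=JP/ST=Aichi/L=Nagoya/O=HogeHoge Co/OU=Admin/CN=$host" \
        -out "$dir/server.csr"
}

# Step 5: what sign.sh does.  A subjectAltName is added because current
# clients ignore the CN when matching the host name, and CA:FALSE keeps
# the server certificate from being usable as an intermediate CA.
sign_csr() {
    dir=$1; host=$2
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$host" > "$dir/server.ext"
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -passin env:CA_PASS -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

# The two checks mkcert.sh prints as "Verify: matching certificate & key
# modulus" and "CA verifying: server.crt <-> CA cert".  Returns 0 only if
# the key belongs to the certificate and the certificate chains to ca.crt.
verify_chain() {
    dir=$1
    cert_mod=$(openssl x509 -noout -modulus -in "$dir/server.crt")
    key_mod=$(openssl rsa -noout -modulus -in "$dir/server.key" -passin env:SRV_PASS 2>/dev/null)
    [ "$cert_mod" = "$key_mod" ] || { echo "server.key does not match server.crt" >&2; return 1; }
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null
}

# Subject CN of the issued certificate, for an eyeball check against the
# host name you intended (handles both the old "/CN=" and new "CN = " form).
cert_cn() {
    openssl x509 -noout -subject -in "$1/server.crt" |
        sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

if [ "${1:-}" = "run" ]; then
    work=$(mktemp -d)
    make_ca "$work"
    make_csr "$work" www.hoge.co.jp
    sign_csr "$work" www.hoge.co.jp
    verify_chain "$work" && echo "server.crt: OK, CN=$(cert_cn "$work") in $work"
fi
```

Run it as sh mkca.sh run (any file name; the script's own name is not assumed anywhere) and it leaves ca.key, ca.crt, server.key, server.csr and server.crt in a fresh temporary directory. If the server has to start unattended at boot, openssl rsa -in server.key -out server.key.plain writes a copy without the pass phrase; that copy needs the same root-only 0600 protection the page asks for and is then the file SSLCertificateKeyFile points at.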

Now use .../apache-1.3.12/conf/httpd.conf-dist as the template for httpd.conf and adjust it for your site. The minimum that must be set for SSL is the two directives below. Keep these files owned by root and inaccessible to anyone else (mode 0600 for the key): Apache 1.3 reads them as root at startup, before its child processes drop to the User/Group set in httpd.conf, so nothing else ever needs to read them.
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ the server certificate issued by the CA
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
                      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ the server private key
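A script that checks the two directives and the file permissions just described: an added example, not code from the page or from Apache. It assumes only POSIX sh, ls and awk, and the httpd.conf fragment its demo mode runs on is constructed inside the script. The page asks for root ownership and no access for anyone else; the check applies that strictly to the key file and, for the certificate (which is public anyway), only requires that nobody but the owner can overwrite it.

```shell
#!/bin/sh
# Added example (not from the page or from Apache): verify that the files
# named by SSLCertificateFile / SSLCertificateKeyFile exist and have the
# permissions the page asks for.  Uses only POSIX sh, ls and awk; the
# httpd.conf the demo mode runs on is constructed on the spot.
set -u

# Value of the first uncommented occurrence of directive $2 in file $1
# (a "#SSLCertificateKeyFile ..." line does not match because of the "#").
conf_path() {
    awk -v d="$2" '$1 == d { print $2; exit }' "$1"
}

# 0 if $1 is a regular file owned by $2 (default root) with no permission
# bits for group or other (0600/0400), else 1 with the reason on stderr.
# ls -L follows symlinks so the target, not the link, is inspected.
private_file() {
    f=$1; owner=${2:-root}
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    set -- $(ls -ldL "$f")        # $1 = mode string, $3 = owner
    case $1 in
        ????------*) ;;
        *) echo "$f: mode $1 is accessible to group/other" >&2; return 1 ;;
    esac
    [ "$3" = "$owner" ] || { echo "$f: owned by $3, expected $owner" >&2; return 1; }
}

# 0 if $1 exists and neither group nor other can write it, else 1.  The
# certificate is public, but a writable one could be swapped for another.
unwritable_file() {
    f=$1
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    set -- $(ls -ldL "$f")
    case $1 in
        ?????-??-?*) ;;
        *) echo "$f: mode $1 is writable by group/other" >&2; return 1 ;;
    esac
}

# Run both checks on the files an httpd.conf refers to; 0 only if all pass.
check_ssl_files() {
    conf=$1; owner=${2:-root}; rc=0
    key=$(conf_path "$conf" SSLCertificateKeyFile)
    crt=$(conf_path "$conf" SSLCertificateFile)
    if [ -z "$key" ]; then echo "$conf: SSLCertificateKeyFile not set" >&2; rc=1
    elif ! private_file "$key" "$owner"; then rc=1; fi
    if [ -z "$crt" ]; then echo "$conf: SSLCertificateFile not set" >&2; rc=1
    elif ! unwritable_file "$crt"; then rc=1; fi
    return $rc
}

if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    printf 'SSLCertificateFile %s/server.crt\nSSLCertificateKeyFile %s/server.key\n' \
        "$tmp" "$tmp" > "$tmp/httpd.conf"
    : > "$tmp/server.crt"; chmod 644 "$tmp/server.crt"
    : > "$tmp/server.key"; chmod 600 "$tmp/server.key"
    check_ssl_files "$tmp/httpd.conf" "$(id -un)" && echo "ok: $tmp/httpd.conf"
fi
```

Against a real installation call check_ssl_files /usr/local/apache/conf/httpd.conf (owner defaults to root); the demo mode passes the current user as owner only because the files it creates belong to whoever runs it.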

Finally, stop apache and start it again in SSL mode with apachectl startssl (a plain apachectl start brings the server up without SSL). Because server.key is encrypted, every startssl asks for its pass phrase on the console, as shown below, so the rc.httpd script above cannot bring the server up unattended at boot; the usual ways around that are an unencrypted copy of the key protected as described above, or mod_ssl's SSLPassPhraseDialog directive pointing at a program that supplies the pass phrase.
$ su
# apachectl stop
# apachectl startssl
Apache/1.3.12 mod_ssl/2.6.6 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide us with the pass phrases.

Server www.hogehoge.com:443 (RSA)
Enter pass phrase:      <--- enter the (server key's) pass phrase

Ok: Pass Phrase Dialog successful.
/usr/local/apache/bin/apachectl startssl: httpd started
# exit

Installation (on Plamo 2.2.1)

The installation itself works as described above. There is no startup script, however, so the server does not start automatically. Create /etc/rc.d/rc.httpd with the following content (apachectl startssl instead of start if the server is to serve SSL), and do not forget to make it executable.
#!/bin/sh
/usr/local/apache/bin/apachectl start

Configuration (using make certificate)

At some point a make certificate target (it drives the mkcert.sh script) was added. Configuration with it looks like this.
$ cd /usr/local/src/apache_1.3.20
$ make certificate TYPE=custom
make[1]: Entering directory `/usr/local/src/apache_1.3.20/src'
SSL Certificate Generation Utility (mkcert.sh)
Copyright (c) 1998-2000 Ralf S. Engelschall, All Rights Reserved.

Generating custom certificate signed by own CA [CUSTOM]
______________________________________________________________________

STEP 0: Decide the signature algorithm used for certificates
The generated X.509 certificates can contain either
RSA or DSA based ingredients. Select the one you want to use.
Signature Algorithm ((R)SA or (D)SA) [R]: (Enter)
______________________________________________________________________

STEP 1: Generating RSA private key for CA (1024 bit) [ca.key]
7766142 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
...................++++++
...............++++++
e is 65537 (0x10001)
______________________________________________________________________

STEP 2: Generating X.509 certificate signing request for CA [ca.csr]
Using configuration from .mkcert.cfg
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
1. Country Name             (2 letter code) [XY]:JP
2. State or Province Name   (full name)     [Snake Desert]:Aichi-Ken
3. Locality Name            (eg, city)      [Snake Town]:Nagoya City
4. Organization Name        (eg, company)   [Snake Oil, Ltd]:HOGE HOGE, KK.
5. Organizational Unit Name (eg, section)   [Certificate Authority]:Tech section
6. Common Name              (eg, CA name)   [Snake Oil CA]:HOGE-HOGE CA
7. Email Address            (eg, name@FQDN) [ca@snakeoil.dom]:foo@hogehoge.co.jp
8. Certificate Validity     (days)          [365]:(Enter)
______________________________________________________________________

STEP 3: Generating X.509 certificate for CA signed by itself [ca.crt]
Certificate Version (1 or 3) [3]: (Enter)
Signature ok
subject=/C=JP/ST=Aichi-Ken/L=Nagoya City/O=HOGE HOGE, KK./OU=Tech section/CN=HOGE-HOGE CA/Email=foo@hogehoge.co.jp
Getting Private key
Verify: matching certificate & key modulus
read RSA key
Verify: matching certificate signature
../conf/ssl.crt/ca.crt: /C=JP/ST=Aichi-Ken/L=Nagoya City/O=HOGE HOGE, KK./OU=Tech section/CN=HOGE-HOGE CA/Email=foo@hogehoge.co.jp
error 18 at 0 depth lookup:self signed certificate
OK
______________________________________________________________________

STEP 4: Generating RSA private key for SERVER (1024 bit) [server.key]
7766142 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
.............................................++++++
...................................................++++++
e is 65537 (0x10001)
______________________________________________________________________

STEP 5: Generating X.509 certificate signing request for SERVER [server.csr]
Using configuration from .mkcert.cfg
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

-----
1. Country Name             (2 letter code) [XY]:JP
2. State or Province Name   (full name)     [Snake Desert]:Aichi-Ken
3. Locality Name            (eg, city)      [Snake Town]:Nagoya City
4. Organization Name        (eg, company)   [Snake Oil, Ltd]:HOGE HOGE, KK.
5. Organizational Unit Name (eg, section)   [Webserver Team]:Tech section
6. Common Name              (eg, FQDN)      [www.snakeoil.dom]:www.hogehoge.co.jp
7. Email Address            (eg, name@fqdn) [www@snakeoil.dom]:foo@hogehoge.co.jp
8. Certificate Validity     (days)          [365]:(Enter)
______________________________________________________________________

STEP 6: Generating X.509 certificate signed by own CA [server.crt]
Certificate Version (1 or 3) [3]:(Enter)
Signature ok
subject=/C=JP/ST=Aichi-Ken/L=Nagoya City/O=HOGE HOGE, KK./OU=Tech section/CN=www.hogehoge.co.jp/Email=foo@hogehoge.co.jp
Getting CA Private Key
Verify: matching certificate & key modulus
read RSA key
Verify: matching certificate signature
../conf/ssl.crt/server.crt: OK
______________________________________________________________________

STEP 7: Enrypting RSA private key of CA with a pass phrase for security [ca.key]
The contents of the ca.key file (the generated private key) has to be
kept secret. So we strongly recommend you to encrypt the server.key file
with a Triple-DES cipher and a Pass Phrase.
Encrypt the private key now? [Y/n]: (Enter)
read RSA key
writing RSA key
Enter PEM pass phrase: (enter the pass phrase)
Verifying password - Enter PEM pass phrase: (enter the pass phrase again)
Fine, you're using an encrypted private key.
______________________________________________________________________

STEP 8: Enrypting RSA private key of SERVER with a pass phrase for security [server.key]
The contents of the server.key file (the generated private key) has to be
kept secret. So we strongly recommend you to encrypt the server.key file
with a Triple-DES cipher and a Pass Phrase.
Encrypt the private key now? [Y/n]: (Enter)
read RSA key
writing RSA key
Enter PEM pass phrase: (enter the pass phrase)
Verifying password - Enter PEM pass phrase: (enter the pass phrase again)
Fine, you're using an encrypted RSA private key.
______________________________________________________________________

RESULT: CA and Server Certification Files

o  conf/ssl.key/ca.key
   The PEM-encoded RSA private key file of the CA which you can
   use to sign other servers or clients. KEEP THIS FILE PRIVATE!

o  conf/ssl.crt/ca.crt
   The PEM-encoded X.509 certificate file of the CA which you use to
   sign other servers or clients. When you sign clients with it (for
   SSL client authentication) you can configure this file with the
   'SSLCACertificateFile' directive.

o  conf/ssl.key/server.key
   The PEM-encoded RSA private key file of the server which you configure
   with the 'SSLCertificateKeyFile' directive (automatically done
   when you install via APACI). KEEP THIS FILE PRIVATE!

o  conf/ssl.crt/server.crt
   The PEM-encoded X.509 certificate file of the server which you configure
   with the 'SSLCertificateFile' directive (automatically done
   when you install via APACI).

o  conf/ssl.csr/server.csr
   The PEM-encoded X.509 certificate signing request of the server file which
   you can send to an official Certificate Authority (CA) in order
   to request a real server certificate (signed by this CA instead
   of our own CA) which later can replace the conf/ssl.crt/server.crt
   file.

Congratulations that you establish your server with real certificates.

make[1]: Leaving directory `/usr/local/src/apache_1.3.20/src'

This leaves the files under /usr/local/src/apache_1.3.20/conf, so copy the certificate and key to the directories the running server uses. The "error 18 at 0 depth lookup:self signed certificate" printed at STEP 3 is expected: openssl verify reports it whenever the certificate being checked is itself the self-signed root, and mkcert.sh treats it as success (the OK line that follows). ca.key stays behind in the source tree; it is what signs anything else in this CA's name, so keep it as private as the RESULT section says, preferably off the web server altogether.
# cp ./conf/ssl.crt/server.crt /usr/local/apache/conf/ssl.crt
# cp ./conf/ssl.key/server.key /usr/local/apache/conf/ssl.key

Next, edit /usr/local/apache/conf/httpd.conf so that it points at the directories the files were copied to.
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key

Finally, restart in SSL mode as follows, and you are done.
$ su
# /usr/local/apache/bin/apachectl stop
/usr/local/apache/bin/apachectl stop: httpd stopped
# /usr/local/apache/bin/apachectl startssl
Apache/1.3.20 mod_ssl/2.8.4 (Pass Phrase Dialog)
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide us with the pass phrases.

Server vizzer.d-cruise.co.jp:443 (RSA)
Enter pass phrase: (enter the pass phrase)

Ok: Pass Phrase Dialog successful.
/usr/local/apache/bin/apachectl startssl: httpd started
