Apache 2 with SSL on FreeBSD 6
on Monday 15th October, 2007 Gabe speculated thusly…It wasn’t exactly trivial installing and configuring Apache 2 on FreeBSD. Much of the configuration had to be done manually, which depending on your point of view is good or bad. This describes how I got Apache 2 with SSL support up and running on FreeBSD 6. I did this on 6.2, but it should apply equally to any 6.x release.
Note: These instructions use “www.example.com” as an example.
To Install Apache2:
After updating the ports tree (see UpdatePorts), install apache2 from ports as follows:
cd /usr/ports/www/apache2
make install clean
Enable Apache2 in /etc/rc.conf by adding the following…
apache2_enable="YES"
apache2ssl_enable="YES"
Setup the certificates:
mkdir /usr/local/etc/apache2/ssl.crt
mkdir /usr/local/etc/apache2/ssl.key
Edit /usr/local/etc/apache2/ssl.conf and set the following…
SSLCertificateFile /usr/local/etc/apache2/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/etc/apache2/ssl.key/server.key
After saving the certificate and key in their respective directories, make the key directory unreadable by anyone but root:
chmod -R 700 /usr/local/etc/apache2/ssl.key
httpd reads the private key as root at startup, before it drops privileges to the www user, so nothing else on the host needs read access to it. Both the directory and server.key should be owned by root; if the key is readable by www, any CGI script or compromised child process can copy it.
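The post does not show where server.key and server.crt come from. The following is an added example (not part of the original post) of the steps that usually precede the chmod above: generate the key under a restrictive umask so it is never world-readable, build the CSR for the CA, and check that the certificate the CA sends back actually belongs to the key before installing the pair into the ssl.key and ssl.crt directories. It assumes the openssl command from the FreeBSD base system; the function names, the SSLDIR variable and the file names are mine.

```shell
#!/bin/sh
# Added example for the "Setup the certificates" step; not from the original post.
# Assumes the openssl(1) command line tool. SSLDIR defaults to the apache2 port's
# configuration directory used throughout the post.
SSLDIR=${SSLDIR:-/usr/local/etc/apache2}

# make_key_and_csr HOSTNAME KEYFILE CSRFILE
# Creates a 2048-bit RSA key and a CSR for HOSTNAME. The umask is set inside a
# subshell so the key file is created mode 0600 from the start (no chmod race)
# and the caller's umask is left untouched.
make_key_and_csr() {
    host=$1; key=$2; csr=$3
    (
        umask 077
        openssl genrsa -out "$key" 2048 2>/dev/null
        openssl req -new -key "$key" -out "$csr" -subj "/CN=$host" 2>/dev/null
    )
}

# key_matches_cert KEYFILE CERTFILE
# Returns 0 when the RSA modulus in the private key equals the modulus in the
# certificate, i.e. the certificate was really issued for this key.
key_matches_cert() {
    key_mod=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    cert_mod=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$key_mod" ] && [ "$key_mod" = "$cert_mod" ]
}

# install_cert KEYFILE CERTFILE
# Copies the pair into $SSLDIR/ssl.key and $SSLDIR/ssl.crt only if they match,
# then locks the key directory down exactly as the post does.
install_cert() {
    if ! key_matches_cert "$1" "$2"; then
        echo "install_cert: key and certificate do not match, not installing" >&2
        return 1
    fi
    mkdir -p "$SSLDIR/ssl.key" "$SSLDIR/ssl.crt"
    cp "$1" "$SSLDIR/ssl.key/server.key"
    cp "$2" "$SSLDIR/ssl.crt/server.crt"
    chmod -R 700 "$SSLDIR/ssl.key"
}
```

Run make_key_and_csr www.example.com server.key server.csr, send server.csr to the CA, then install_cert server.key server.crt and restart Apache. A mismatched pair is the most common reason the SSL side fails to start, and the modulus comparison catches it before the restart rather than in the error log.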
Edit /usr/local/etc/apache2/httpd.conf and set the following:
ServerAdmin mshurst@engmail.uwaterloo.ca
UseCanonicalName On
DocumentRoot "/homepages"
UserDir disabled
ServerSignature Off
In <Directory "/homepages"> set…
Options FollowSymLinks MultiViews Includes ExecCGI
AllowOverride All
Note that the option is spelled MultiViews; Apache rejects "Multiview" as an illegal option and refuses to start. On a tree that users can write to, FollowSymLinks lets any user link to files outside their own directory and Includes permits the SSI exec element; SymLinksIfOwnerMatch and IncludesNOEXEC are the safer choices unless the extra capability is actually needed.
Comment out the <Directory /home/*/public_html> section and replace it with…
<Directory /u1/*/public_html>
Options All -Indexes
AllowOverride All
Order allow,deny
Allow from all
</Directory>
<Directory /u2/*/public_html>
Options All -Indexes
AllowOverride All
Order allow,deny
Allow from all
</Directory>
<Directory /u3/*/public_html>
Options All -Indexes
AllowOverride All
Order allow,deny
Allow from all
</Directory>
<Directory /u4/*/public_html>
Options All -Indexes
AllowOverride All
Order allow,deny
Allow from all
</Directory>
Be aware that "All" means every option except MultiViews, so this turns on ExecCGI, Includes (with exec) and FollowSymLinks in every user's public_html; list the options you actually want instead if that is more than the users should have.
Restart apache2 to start using the new certificate…
/usr/local/etc/rc.d/apache2.sh stop
/usr/local/etc/rc.d/apache2.sh start
To enable CGIWrap
Allows execution of CGI scripts under the permissions of the script's owner rather than those of the web server user.
To install cgiwrap…
cd /usr/ports/www/cgiwrap
make
make install
Add AddHandler cgi-script .cgi to /usr/local/etc/apache2/httpd.conf.
Access control files are required for cgiwrap. To allow open access…
touch /usr/local/etc/cgiwrap.deny
To enable the “debug” version of cgiwrap, set it setuid like the regular wrapper (the setuid bit is what lets it switch to the script owner's uid)…
chmod 4755 /usr/local/www/cgi-bin/cgiwrapd
cgiwrapd reports the request environment and the paths it resolved when a script fails, which is useful to users debugging their scripts but also discloses server details, so restrict who can reach it as shown below.
In <Directory "/usr/local/www/cgi-bin"> set…
Options ExecCGI
To restrict “debug” access to on-campus only, add the following to httpd.conf…
<Location /cgi-bin/cgiwrapd>
order deny,allow
deny from all
allow from 129.97
</Location>
<Location /cgi-bin/nph-cgiwrapd>
order deny,allow
deny from all
allow from 129.97
</Location>
To enable Server Side Includes
Allows server side parsing of html files.
Make the following changes in /usr/local/etc/apache2/httpd.conf…
uncomment (or add)
AddType text/html .shtml
AddHandler server-parsed .shtml
Allow index.shtml to be a default page
DirectoryIndex index.html ... index.shtml
Add the “Includes” option
Options Indexes FollowSymLinks MultiViews ExecCGI Includes
Customized Virtual Host settings
* Make the following changes to /usr/local/etc/apache2/ssl.conf...
#<VirtualHost _default_:443>
<VirtualHost www.eng.uwaterloo.ca:443>
DocumentRoot "/homepages"
ServerName www.eng.uwaterloo.ca
ServerAdmin mshurst@engmail.uwaterloo.ca
* Configure logging to include the virtual host name by adding %v to the end of the LogFormat entry in httpd.conf
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %v" combined
* Add the following CustomLog entry to the www.example.com virtual host entry.
CustomLog /var/log/httpd-sydewww.log combined
* Update the rollapachelogs.csh script to include the httpd-sydewww.log files.
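Putting the ssl.conf and logging changes above together, this is what a complete :443 virtual host can look like. It is an added example, not the post's own configuration: it uses www.example.com as the note at the top suggests, the certificate paths from the "Setup the certificates" section and the combined LogFormat with %v, and it adds SSLProtocol and SSLCipherSuite lines, which the post does not set, to turn off SSLv2 and the weak ciphers the stock ssl.conf of that era still permitted. The log file names are assumptions.

```apache
# Added example of a hardened SSL virtual host for the apache2 port on FreeBSD 6.
# Not the original post's ssl.conf. Listen 443 is already present in the port's
# ssl.conf and must not be repeated here (a second Listen on the same port fails
# to bind). The _default_:443 block that ships in ssl.conf stays commented out.

<VirtualHost www.example.com:443>
    ServerName   www.example.com
    ServerAdmin  webmaster@example.com
    DocumentRoot "/homepages"

    SSLEngine on
    # Stock default is "all", which still negotiates SSLv2; refuse it.
    SSLProtocol all -SSLv2
    # No anonymous DH, no export or low-strength ciphers, no MD5 MACs.
    SSLCipherSuite HIGH:!aNULL:!EXP:!LOW:!MD5
    SSLCertificateFile    /usr/local/etc/apache2/ssl.crt/server.crt
    SSLCertificateKeyFile /usr/local/etc/apache2/ssl.key/server.key

    # %v in the combined format (set in httpd.conf) records which vhost served
    # the request, so the SSL and plain hosts can share one log analysis run.
    CustomLog /var/log/httpd-ssl-access.log combined
    ErrorLog  /var/log/httpd-ssl-error.log
</VirtualHost>
```

Run apachectl configtest after editing so that a typo in an Options or SSL directive is reported before the stop/start below takes the site offline.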
Rolling the Apache logs
The logs must be rolled occasionally to prevent the disk from filling with logs. This isn’t as trivial as it should be, because:
* If you roll the logs and send a SIGTERM to httpd, all httpd processes abort immediately, possibly leaving in-flight requests (database updates, etc.) incomplete.
* If you roll the logs and send a SIGUSR1 (graceful restart) to httpd, you must wait an unknown period of time for all the old child processes to finish before compressing the logs, because each child keeps writing to the renamed file until its current request completes.
Alternatives:
* Don't compress the logs, and use newsyslog with signal 30 (USR1)
* Pipe the logs in httpd.conf through some other process (for example rotatelogs, which ships with Apache)
* Use a custom log roller script
To do the latter, run:
fetch -o /usr/local/bin/rollapachelogs.csh http://www.freebsd.uwaterloo.ca/rollapachelogs.csh
chmod u+x /usr/local/bin/rollapachelogs.csh
Add to /etc/crontab:
# rotate apache logs
0 3 * * * root /usr/local/bin/rollapachelogs.csh
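As an added example (not the rollapachelogs.csh script fetched above, whose contents are not shown on this page), here is a plain sh equivalent of the "custom log roller" approach: rename the live logs, send one SIGUSR1 so httpd reopens them, wait for the old children to drain, then compress. The function names are mine, and /var/run/httpd.pid as the PidFile location is an assumption; check the PidFile directive in httpd.conf.

```shell
#!/bin/sh
# Added example of a custom Apache log roller for FreeBSD; not the post's script.
# Sequence: rotate every log, one graceful restart (SIGUSR1, signal 30 on FreeBSD)
# so httpd reopens its log files, a grace period for old children, then gzip.

# shift_log LOGFILE KEEP
# Drops the oldest compressed generation, renames LOGFILE.N.gz to LOGFILE.N+1.gz,
# then renames the live log to LOGFILE.0. Returns 1 when there is nothing to roll.
shift_log() {
    log=$1 keep=$2
    [ -f "$log" ] || return 1
    rm -f "$log.$((keep - 1)).gz"
    i=$((keep - 2))
    while [ "$i" -ge 0 ]; do
        if [ -f "$log.$i.gz" ]; then
            mv -f "$log.$i.gz" "$log.$((i + 1)).gz"
        fi
        i=$((i - 1))
    done
    # Rename, never truncate: httpd keeps writing to the old inode until it
    # reopens the logs, so nothing is lost between here and the restart.
    mv -f "$log" "$log.0"
}

# roll_apache_logs PIDFILE GRACE_SECONDS LOGFILE...
# Rotates each log (7 generations), restarts httpd gracefully once, waits
# GRACE_SECONDS for the old children to finish, then compresses the .0 files.
# Log paths must not contain whitespace. PIDFILE is httpd's PidFile
# (/var/run/httpd.pid is assumed to be the port's default); if it is unreadable
# no signal is sent, which is what you want when httpd is not running.
roll_apache_logs() {
    pidfile=$1 grace=$2
    shift 2
    rolled=""
    for log in "$@"; do
        if shift_log "$log" 7; then
            rolled="$rolled $log.0"
        fi
    done
    [ -n "$rolled" ] || return 0

    # Graceful restart: parent reopens logs, children exit after their current
    # request. SIGTERM would kill requests in progress.
    if [ -r "$pidfile" ]; then
        kill -USR1 "$(cat "$pidfile")" || return 1
    fi

    # Old children are still appending to the renamed files; compressing too
    # early would silently drop those lines.
    sleep "$grace"

    for f in $rolled; do
        gzip -f "$f"
    done
}
```

Invoked from the crontab entry above as roll_apache_logs /var/run/httpd.pid 60 /var/log/httpd-access.log /var/log/httpd-sydewww.log. The grace period is still a guess, as the post notes; on FreeBSD you can confirm no httpd process still holds a rotated file open with fstat on the .0 file before compressing it.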
Configuring Name-based virtual hosting
Set the following in /usr/local/etc/apache2/httpd.conf…
NameVirtualHost *
# Default VirtualHost is listed here
# others are listed in /usr/local/etc/apache2/Includes/vhosts.conf
<VirtualHost *>
ServerName www.eng.uwaterloo.ca
ServerAlias www.eng
DocumentRoot /homepages
UserDir public_html
ErrorDocument 403 /lookup.cgi
ErrorDocument 404 /lookup.cgi
ErrorDocument 410 /lookup.cgi
</VirtualHost>
Then add the other virtual hosts to /usr/local/etc/apache2/Includes/vhosts.conf…
<VirtualHost *>
ServerName www.engcomp.uwaterloo.ca
ServerAlias www.engcomp www.engineeringcomputing.uwaterloo.ca www.engineeringcomputing
DocumentRoot /u2/engcomp/public_html
<Directory /u2/engcomp/public_html>
Options All
AllowOverride All
Order allow,deny
Allow from all
</Directory>
ScriptAlias /cgi-bin/ "/u2/eng_comp/public_html/cgi-bin/"
<Directory "/u2/eng_comp/public_html/cgi-bin/">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
Restrict access to printman pages
<Directory "/u2/eng_comp/public_html/printers"> Order deny,allow Deny from all Allow from 129.97 </Directory>
Tags: apache, code, FreeBSD, guide, HowTo, Server, ssl, wiki
Great to finally see somebody who is able to do a proper blog post without spelling errors or lousy grammar.