Apache 2 with SSL on FreeBSD 6

Gabe — Mon, 15 Oct 2007 15:30:37 +0000

It wasn’t exactly trivial installing and configuring Apache 2 on FreeBSD. Much of the configuration had to be done manually, which depending on your point-of-view is good or bad. This describes how I went about getting Apache 2 with SSL support up and running on FreeBSD 6. I did this on 6.2 but it should equally apply to 6.x.

Note: These instructions use “www.example.com” as an example.

To Install Apache2:

After the UpdatePorts, install apache2 as follows:

cd /usr/ports/www/apache2

make install clean

Enable Apache2 in /etc/rc.conf by adding the following…

apache2_enable="YES"

apache2ssl_enable="YES"

Setup the certificates:

mkdir /usr/local/etc/apache2/ssl.crt

mkdir /usr/local/etc/apache2/ssl.key

Edit /usr/local/etc/apache2/ssl.conf and set the following…

SSLCertificateFile /usr/local/etc/apache2/ssl.crt/server.crt

SSLCertificateKeyFile /usr/local/etc/apache2/ssl.key/server.key

After saving the certificates in their appropriate directories run:

chmod -R 700 /usr/local/etc/apache2/ssl.key

Edit /usr/local/etc/apache2/httpd.conf and set the following:

ServerAdmin mshurst@engmail.uwaterloo.ca
UseCanonicalName On
DocumentRoot "/homepages"
UserDir disabled
ServerSignature Off

In set…

Options FollowSymlinks Multiview Includes ExecCGI

AllowOverride All

Comment out the section and replace it with…


   Options All -Indexes
   AllowOverride All
   Order allow,deny
   Allow from all



   Options All -Indexes
   AllowOverride All
   Order allow,deny
   Allow from all



   Options All -Indexes
   AllowOverride All
   Order allow,deny
   Allow from all



   Options All -Indexes
   AllowOverride All
   Order allow,deny
   Allow from all

Restart apache2 to start using the new certificate…

/usr/local/etc/rc.d/apache2.sh stop /usr/local/etc/rc.d/apache2.sh start

To enable CGIWrap
Allows execution of cgi scripts using user permissions

To install cgiwrap…

cd /usr/ports/www/cgiwrap
make
make install

Add AddHandler cgi-script .cgi to /usr/local/etc/apache2/httpd.conf.

Access control files are required for cgiwrap. To allow open access…

touch /usr/local/etc/cgiwrap.deny

To enable the “debug” version of cgiwrap…

chmod 4755 /usr/local/www/cgi-bin/cgiwrapd

In set…

  Options ExecCGI

To restrict “debug” access to on-campus only, add the following to httpd.conf…

     order deny,allow
     deny from all
     allow from 129.97



     order deny,allow
     deny from all
     allow from 129.97

To enable Server Side Includes
Allows server side parsing of html files.

Make the following changes in /usr/local/etc/apache2/httpd.conf…

uncomment (or add)

AddType text/html .shtml

AddHandler server-parsed .shtml

Allow index.shtml to be a default page

DirectoryIndex index.html ... index.shtml

Add the “Includes” option

Options Indexes FollowSymLinks MultiViews ExecCGI Includes

Customized Virtual Host settings

   * Make the following changes to /usr/local/etc/apache2/ssl.conf...

#


DocumentRoot "/homepages"
ServerName www.eng.uwaterloo.ca

ServerAdmin mshurst@engmail.uwaterloo.ca

   * Configure logging to include the virtual host name by adding %v to the end of the LogFormat entry in httpd.conf

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %v" combined

   * Add the following CustomLog entry to the www.example.com virtual host entry.

CustomLog /var/log/httpd-sydewww.log combined

   * Update the rollapachelogs.csh script to include the httpd-sydewww.log files.

==
Rolling the Apache logs ==
The logs must be rolled occasionally to prevent the disk from filling with logs. This isn’t as trivial as it should be, because:

   * If you roll the logs, and send a SIGTERM to httpd, all httpd processes will abort, possibly resulting in incomplete database updates etc

   * If you roll the logs, and send a SIGUSR1 to httpd, you must wait some unknown period of time to allow all child httpd processes to complete, before compressing logs.

Alternatives:

   * Don't compress the logs, and use newsyslog with signal 30 (USR1)

   * pipe the logs in httpd.conf through some other process

   * use a custom log roller script

To do the latter, run:

fetch -o /usr/local/bin/rollapachelogs.csh http://www.freebsd.uwaterloo.ca/rollapachelogs.csh

chmod u+x /usr/local/bin/rollapachelogs.csh

Add to /etc/crontab:

# rotate apache logs

0       3       *       *       *       root    /usr/local/bin/rollapachelogs.csh

Configuring Name-based virtual hosting

Set the folloowing in /usr/local/etc/apache2/httpd.conf…

NameVirtualHost *

# Default VirtualHost is listed here

# others are listed in /usr/local/etc/apache2/Includes/vhosts.conf


   ServerName www.eng.uwaterloo.ca
   ServerAlias www.eng
   DocumentRoot /homepages
   UserDir public_html
   ErrorDocument 403 /lookup.cgi
   ErrorDocument 404 /lookup.cgi
   ErrorDocument 410 /lookup.cgi

Then add the other virtual hosts to /usr/local/etc/apache2/Includes/vhosts.conf…

   ServerName www.engcomp.uwaterloo.ca
   ServerAlias www.engcomp www.engineeringcomputing.uwaterloo.ca www.engineeringcomputing
   DocumentRoot /u2/engcomp/public_html

         Options All
      AllowOverride All
      Order allow,deny
      Allow from all
   

   ScriptAlias /cgi-bin/ "/u2/eng_comp/public_html/cgi-bin/"
   
      AllowOverride None
      Options None
      Order allow,deny
      Allow from all

Restrict access to printman pages


   Order deny,allow
   Deny from all
   Allow from 129.97

dragffy.com » ssl

Apache 2 with SSL on FreeBSD 6