INLS 183 Project 6: Apache_1.3.14 and mod_ssl-2.7.1-1.3.14

also: perl-5.6.0, mm-1.1.3, openssl-0.9.6, and php-4.0.3p1

Introduction

This project builds upon my second project (Apache_1.3.12 and PHP-4.0.2). This time, I was seeking a more challenging installation, so I decided to improve upon the latest versions of Apache and PHP by adding some form of SSL.

The Apache website has a page of related projects, one of which is Apache-SSL, “an encrypting web server, based on Apache and OpenSSL, which implements Secure Sockets Layer (SSL) functionality as a set of patches to existing Apache source code.” Without going into too much detail, the SSL protocol was developed by Netscape, allowing secure communication between a client (web browser) and a server (webserver). Most often the message is encrypted via a certificate (or key) that is signed (vouched for) by a reputable company, such as Verisign. The Apache-SSL people designed a supposedly automatic method of patching Apache with the OpenSSL code, much like one might do with Perl or PHP. Thus the Apache-SSL combination would allow the Apache webserver to communicate securely (encrypt and decrypt data) with the web browser when dealing with especially sensitive data like credit card and bank PIN numbers.

The Apache-SSL code was only up to date as of version Apache 1.3.12, but I decided to give it a shot with Apache 1.3.14, just to see what might happen. To make a long story short, it didn’t work. In fact, I couldn’t even get Apache-SSL to work with Apache 1.3.12, following its rather clumsy instructions. After several days, I gave up and started looking into mod_ssl, which is another method of creating a secure Apache server, just like mod_perl or mod_php. Though I assumed Apache-SSL was a more mature project, to my delight, I found that mod_ssl had been updated for Apache 1.3.14. What follows is my successful and rather painless installation of Apache with both mod_ssl and PHP.

Prerequisites to mod_ssl: gzip and perl

The mod_ssl instructions recommended installing two programs before beginning installation of Apache and mod_ssl: gzip-1.2.4 and perl-5.6.0. To see what version of gzip I had I typed:

# gzip -V
gzip 1.2.4 (18 Aug 93)

Using a similar command for Perl, I discovered that I did not have perl-5.6.0, so I proceeded to install it, following their instructions and crossing my fingers:

# cd perl-5.6.0
# rm -f config.sh Policy.sh
# sh Configure -de
# make
# make test
# make install
# cd ..

Though I clipped out the screenfuls of output that came between those commands, Perl installed flawlessly. I checked to make sure it was a success:

# perl -v
This is perl, v5.6.0 built for i686-linux

It was.

Installation of mod_ssl and Apache

I moved on to the actual mod_ssl installation. I began by “tar zxf”-ing the following files:

# tar zxf apache_1.3.14.tar.gz
# tar zxf mod_ssl-2.7.1-1.3.14.tar.gz
# tar zxf openssl-0.9.6.tar.gz
# tar zxf mm-1.1.3.tar.gz

The apache_1.3.14 file is the plain Apache webserver source, openssl-0.9.6 provides the SSL functionality (note: it's a derivative of SSLeay), and mod_ssl-2.7.1-1.3.14 provides the bridge between the two. The mm-1.1.3 file is an optional part of the installation. Supposedly it assists in the management of shared memory between forked processes. I figured I'd go with it as well.

Following the mod_ssl instructions pretty closely, I configured and made OpenSSL:

# cd openssl-0.9.6
# sh config -fPIC
# make
# make test
# cd ..

The instructions didn’t have me "make install" openssl, which differed from the Apache-SSL instructions that I had attempted first. This time I hoped I was in better hands. The instructions mentioned that the -fPIC option was important if installing mod_ssl as a Dynamic Shared Object (DSO). Since I had had luck with DSO before (installing PHP), I decided to give it a shot again. Next came MM:

# cd mm-1.1.3
# ./configure --disable-shared
# make
# cd ..

Once again, the instructions stopped just before "make install"-ing MM. Next came the mod_ssl patch, which would modify and configure the Apache source code, using both OpenSSL and MM. I typed the following configure command with its several options in the mod_ssl directory:

# cd mod_ssl-2.7.1-1.3.14
# ./configure \
> --with-apache=../apache_1.3.14 \
> --with-ssl=../openssl-0.9.6 \
> --with-mm=../mm-1.1.3 \
> --prefix=/usr/local/apache-mod_ssl \
> --enable-shared=ssl \
> --enable-module=so
# cd ..

And this was all it took to modify Apache for SSL functionality. Lastly, I needed to execute the following commands in the Apache source directory to make and install Apache:

# cd apache_1.3.14
# make
# make certificate
# make install
# cd ..

I typed in the previous three commands, and I got no errors. I was most worried about “make certificate” which hadn't worked when I had originally tried Apache-SSL. This time, however, it did, asking me a number of questions about me and my site in order to create a dummy (unsigned) certificate. Had I shelled out the bucks for a real certificate from Verisign, I would have added their paths when I was configuring mod_ssl. “make install” finished the installation, copying the files to /usr/local/apache-mod_ssl, to prevent overwriting my working Apache webserver in /usr/local/apache.

That was it. Next I had to test my server. I moved to the correct directory, made sure I stopped my first installation of Apache 1.3.12, and I started the new httpd server:

# apachectl start

It started okay. I pointed my browser to http://nchcap.unc.edu (our webserver 152.2.38.210 had since been assigned a domain name alias--its official DNS name is ttk210.sph.unc.edu). It worked ok, showing a generic SSL Apache webpage. Next I needed to try the secure server:

# apachectl stop
# apachectl startssl

It appeared to start ok, so again I pointed my web browser to http://nchcap.unc.edu. It looked just like it had before:

Image of http://nchcap.unc.edu

Next, I pointed my browser to https://nchcap.unc.edu, and what do you know, a little series of windows popped up to tell me that I might not want to trust this website with an untrusted certificate. I recorded the process as a series of screen shots, to prove that it did indeed work:

New Site Certificate - Netscape does not recognize authority of certificate signer (me)

New Site Certificate - Certificate Information

New Site Certificate - Accept Site Certificate?

New Site Certificate - Final Warning

New Site Certificate - Second Final Warning

Certificate Name Check - Third Final Warning

Image of https://nchcap.unc.edu (secure server!)

I was so pleased that it worked, and even better: I didn’t have to buy some $300 signed certificate to test a secure web connection. Netscape does a good job of annoying people who visit sites with untrusted certificates, displaying no less than six windows. Of course this makes undoubtedly sure that the client (web browser) does indeed want to accept a certificate from some shady website.
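The checks behind those dialogs (is the signer trusted, does the name in the certificate match the host requested) can be reproduced with the openssl command line. This is an added example, not part of the original project: it assumes a current OpenSSL (1.1.0 or later), uses a self-signed certificate as the simplest case of an untrusted signer, and the hostnames www.example.test and alias.example.test are constructed.

```shell
#!/bin/sh
# Added example: throwaway key, constructed hostnames, nothing from the real server.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/server.crt"
KEY="$WORK/server.key"

# A certificate signed by its own key: the simplest signer no client trusts.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=www.example.test" -keyout "$KEY" -out "$CERT" 2>/dev/null
}

# Self-signed: the issuer name is the subject name.
is_self_signed() {
    subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$subject" = "$issuer" ]
}

# Chain check against the system CA store, as a browser does by default.
verifies_with_default_trust() {
    openssl verify "$1" >/dev/null 2>&1
}

# Chain check with this one certificate trusted explicitly, plus the name check
# of the certificate against the host name the client asked for.
verifies_when_pinned() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

report() {
    if "$@"; then echo "accepted: $*"; else echo "rejected: $*"; fi
}

make_test_cert
report is_self_signed "$CERT"
report verifies_with_default_trust "$CERT"
report verifies_when_pinned "$CERT" www.example.test
report verifies_when_pinned "$CERT" alias.example.test
```

On a test client, trusting the one certificate file explicitly, as the third check does, keeps both the signer check and the name check in force instead of clicking past them.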

Promised PHP Addendum

Once again, I wanted to see if I could install the latest version of PHP, along with SSL. Following my own instructions from my second installation, I configured and installed the latest version of PHP, php-4.0.3p1:

# ./configure --with-mysql --with-apxs=/usr/local/apache-mod_ssl/bin/apxs
# make
# make install

It went off without a hitch, so after uncommenting the following lines in httpd.conf:

LoadModule php4_module libexec/libphp4.so
AddType application/x-httpd-php .php

I restarted the server and I created the simple diagnostic php file:

<? phpinfo() ?>

I saved it in an inls183 directory under htdocs, and I pointed my browser to it:

Image of https://nchcap.unc.edu/inls183/index.php (secure server!)

and it appeared, obviously parsed, and clearly secure (see the locked padlock image in the lower lefthand corner).

INLS 183 Project 6: Apache_1.3.14 and mod_ssl-2.7.1-1.3.14 script file

Resources

Apache: The Definitive Guide, 2nd Edition, Ben Laurie & Peter Laurie, O'Reilly, 1999
www.php.net: Home of PHP: Hypertext Preprocessor
www.apache.org/httpd.html: Apache HTTP Server Project
www.modssl.org: The Apache interface to OpenSSL
www.apache-ssl.org: A secure Webserver, based on Apache and SSLeay/OpenSSL
www.openssl.org: A collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols