Compiling Apache from Source

One of the reasons this is called the advanced course is that we'll put you into situations that call for advanced skills. One of these situations is installing software from their source packages. First, we should point out that installing software from source will sometimes present you with challenges. Though the package maintainers do a great job, they can't plan for everybody's system setup. This means that occasionally, you'll get error messages. What makes the advanced Linux user different is his or her perseverance in the goal of making things work. This means that first, and most importantly, you shouldn't give up in frustration. Things may take a while, but in since 1997, I've done everything I've wanted to do with Linux. It sometimes takes a while, but it will eventually works. Linux and the array of open source and Free Software programs are probably the best documented software out there. Another way of solving problems is to use your favorite Google, ahem, I mean ... search engine. Chances are that somebody, somewhere has had the same problem you had and he or she found out how to fix it and then documented it.

When these methods fail, you may need outside help. There is usually plenty of that at online forums (or fora, for Latin purists). One word of advice, though. If you post to a help forum, remember the rules of 'netiquette'. Rule one: Be nice. Rule two: Explain your problem clearly and concisely. Don't mail bomb mailing lists with obscure error messages that you don't understand in hopes of a solution.

To start off, create a directory wherever you'd like. Let's call it 'apache_install'. Then we'll get the source to the Apache web server and some other packages we'll need. In case you're thinking of running a website where users can input data that might be sensitive, it's in our best interest to install a version of Apache that can handle this. For this reason, we'll need OpenSSL and two other packages to accompany it:

There are now two major versions of the Apache Webserver. These are the 2.0x version and the 1.3x version. 2.0x is the most recent version but server administrators, particularly on the Unix and Linux platforms, have been somewhat slow to abandon 1.3x in favor of the newer 2.0x. Despite the fact that the newer version has been out there for over 2 years (at the time of this writing), 1.3x is still more popular. For this reason, we'll be using 1.3x for the examples in this lesson. Get the source tarball from: http://httpd.apache.org/download.cgi. Untar this in the apache_install directory. We'll need the source code shortly.

OpenSSL

SSL stands for Secure Sockets Layer. SSL's most common job, in the real world, is to encrypt the contents of web forms. This greatly decreases the chances that your credit card number, when entered into an online store's web form, ends up in somewhere else, other than the store's database. OpenSSL is the open source version of this and is available under the Apache-style license for free commercial and non-commercial use.

Since you're installing Apache, that means that you'll be on the receiving end of sensitive information. To help OpenSSL process this information, we'll need the help of a package called 'mm'. This is available at: http://www.ossp.org/pkg/lib/mm/. We'll need to compile and install this first. Get the tarball for 'mm' and untar it in our aforementioned apache_install directory. Now we're ready to configure, compile and install it. Do the following as a normal user:

./configure --disable-shared

Then:

make

and finally, as root.

make install

This will install the 'mm' libraries that OpenSSL can use to work more efficiently. Now we'll do the same for OpenSSL. You can pick up the source for OpenSSL from http://www.openssl.org/source/ Pick up the source tarball and untar it in our apache_install directory.

To configure, run the following command:

./config no-idea -fPIC

The 'no-idea' option is for people living in a country that's part of the European Union. If you don't live in the EU, you don't have to use that.

You should now get a message for your to issue the command:

 make depend

We can now compile OpenSSL by issuing the command:

make

This may take some time, depending on your CPU power.

Finally, issue:

make test

and

make install

to finish.

Now we're ready to configure, compile and install mod_ssl, which will work directly with Apache. You can get mod_ssl from http://www.modssl.org/ Untar the package in your apache_install directory.

First, we'll issue the configure command with some options for our setup:

./configure --with-apache=../apache_1.3.31 \
 -with-ssl=../openssl-0.9.7d --with-mm=../mm-1.3.1 \
 --enable-shared=ssl  --enable-rule=EAPI \
| tee config_output_YYYYMMDD-HHMM

I find it a good idea to pipe the output to a separate file as you see in this example. I mark it on the end with the date and the time (YYYYMMDD-HHMM). This way, if you have to try various configuration options, you can keep track of which ones you tried and when.

If the preceding command was successful, this is all we need to do with mod_ssl for now. Let's move on to Apache.

Configure, compile and Install Apache

After installing Apache, we'll also install PHP and mod_perl to provide support for these web scripting languages. The configuration options we use in this lesson take this into account.

You should have previously untarred the source code for Apache 1.3x. First, enter that directory. Before we issue the 'configure' command, we need to pass some preliminary variables to the shell. This is because we're going to be using Apache with mod_perl and it needs to know these variables for them to play well together.

CFLAGS="-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64" \
LIBS="-lpthread" \

Then we pass variables so that Apache with know where to find the OpenSSL and mm libraries:

SSL_BASE=../openssl-0.9.7d \
EAPI_MM=../mm-1.3.1 \

Now, we can run the configure command with some options:

./configure\
 --enable-module=rewrite \
 --prefix=/usr/local/apache \
 --enable-shared=ssl \
 --enable-rule=SHARED_CORE \
 --enable-rule=SHARED_CHAIN \
 --enable-module=so \
 --enable-module=ssl \
 | tee configure_apache_YYMMDD-HHMM

If successful (and there's no reason it shouldn't be, if you've followed all the directions), we can now compile Apache. Issue the command:

make

Since we've built OpenSSL support into Apache for encrypting web transactions, we'll need to create a certificate. If your server is not going to be public, you can create what's called a 'dummy' or 'test' certificate (you will see this explained after the 'make' process has finished). If you're going to put this on the public web, then you'll need to create a real one. For this, you should now issue the command:

make certificate TYPE=custom

You will now have to answer some questions. These, of course, all depend on your circumstances. They mostly have to do with where in the world the server is, who's running it and where to contact the administrator among other things. Examples are given and this should be straightforward.

After, you'll need to create a password for starting the secure server. Even though this goes without saying, pick one you'll remember.

There is a downside to having the secure server password protected and that is that someone will need to enter the password every time the server starts up. If you're not planning on having any downtime or you're going to be within an arms length of the server at all times, this is practical. If it isn't, then you may want to create a server.key file that doesn't require a password. You could also create a script using the scripting language 'expect' that would restart the Apache server if it goes down and automatically feed it the password. This, though, might not be a good idea from a security standpoint as the password would have to be stored in a plain text file. Again, you'll have to evaluate these options taking into account your company's or personal security policy.

Finally, to install Apache, issue the command: make install.

You should now have a working Apache web server on your machine. You can issue this command to start the normal (not secure) web server and test it:

/usr/local/apache/bin/apachectl start

Point your browser to: http://localhost:8080/ if you installed it on the machine your working on. If you did it on some other machine, point it at http://somemachine:8080/ instead. If you've been successful, you should see this:

Our installation procedure put the main Apache configuration file in /usr/local/apache/conf/. You may want to go there now and change the ports that the server runs on to 80 for the normal server and 443 for the SSL enabled secure server. These are the default ports for http:// and https:// respectively. Our install initially runs on 8080 and 8443 which is not understood automatically by web browsers. This may cause problems if you're running a public web server. You, however, may be running an intranet and those ports may just be fine in your case. To make the change, open /usr/local/apache/conf/httpd.conf and find the following section and make it look like this: (I have commented out the values the install provided by default)

# Port: The port to which the standalone server listens. For
# ports < 1023, you will need httpd to be run as root initially.
#
#Port 8080
Port 80
##
##  SSL Support
##
##  When we also provide SSL we have to listen to the 
##  standard HTTP port (see above) and to the HTTPS port
##
<IfDefine SSL>
#Listen 8080
#Listen 8443
Listen 80
Listen 443
</IfDefine SSL>

You should also change the following:

##
## SSL Virtual Host Context
##

#<VirtualHost _default_:8443>
<VirtualHost _default_:443>

Test this out by pointing your browser to https://localhost or the server that you've installed Apache on. You should be asked to accept the certificate you created. You've now got a secure version of the Apache web server up and running.

There are actually a lot of Apache configuration issues still left to deal with, but we'll leave Apache for the moment and install the web scripting language PHP.