Apache Compile Stand-alone
by Ramses Soto-Navarro ramses@sotosystems.com, 2/1/2022
Overview
Download Source
Disable Apache
Restore OS OpenSSL
Compile OpenSSL Stand-alone
Compile APR and APR-Util
Compile Apache Stand-alone
Compile Tomcat Connectors
Configure Apache
Configure Apache Startup Scripts
Test New Apache Startup
Test Commands
Server Status and Info Page
Rename Old Apache Binaries
Systems Affected by OpenSSL
Overview
Brief notes about compiling Apache and OpenSSL stand-alone under /usr/local/ on SUSE 15 SP3. Previously Apache was installed on top of the binaries installed by the SUSE packages. However, that method ruled out using the newest OpenSSL libraries, because updating the system OpenSSL would break other system utilities. Hence compiling stand-alone in /usr/local/. The audience is experienced Linux administrators.
Download Source
# DIR=/usr/src/apache ; mkdir $DIR ; cd $DIR
# wget https://dlcdn.apache.org//apr/apr-1.7.0.tar.gz
# wget https://dlcdn.apache.org//apr/apr-util-1.6.1.tar.gz
# wget https://dlcdn.apache.org//httpd/httpd-2.4.52.tar.gz
# wget https://www.openssl.org/source/openssl-1.1.1m.tar.gz
# wget https://dlcdn.apache.org/tomcat/tomcat-connectors/jk/tomcat-connectors-1.2.48-src.tar.gz
# for f in *.tar.gz ; do tar xzf $f ; done    # the compile sections below expect the extracted trees
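Before building, a practitioner would want to confirm the tarballs are what the mirror published. The following is an added example, not part of the original notes: it compares a download against the checksum sidecar that the Apache mirrors (assumed: <tarball>.sha512) and openssl.org (assumed: <tarball>.sha256) publish next to each file, and copes with the two layouts those sidecars come in.

```shell
#!/bin/sh
# Added example (not from the original notes): verify a downloaded tarball
# against its published checksum sidecar. The sidecar names
# (<tarball>.sha512 for Apache downloads, <tarball>.sha256 for OpenSSL)
# are assumptions about the mirrors, not something the notes list.

# digest ALGO FILE: hex digest of FILE via coreutils, or BSD shasum if
# the coreutils tool is missing.
digest() {
    if command -v "$1sum" >/dev/null 2>&1; then
        "$1sum" "$2" | awk '{print $1}'
    else
        shasum -a "${1#sha}" "$2" | awk '{print $1}'
    fi
}

# sidecar_digest SIDECAR EXPECTED_LEN
# Normalises the published checksum whatever its layout: "HASH  FILE",
# "HASH *FILE", or the gpg --print-md style "FILE: XXXX XXXX ..." spread
# over several lines. Hex runs of four or more characters are joined and
# lower-cased; the result is accepted only if it has exactly the digest's
# length, so a stray hex-looking token from a file name makes the check
# fail rather than pass.
sidecar_digest() {
    hex=$(grep -oE '[0-9a-fA-F]{4,}' "$1" | tr -d '\n' | tr 'A-F' 'a-f')
    [ ${#hex} -eq "$2" ] && printf '%s\n' "$hex"
}

# verify_tarball FILE SIDECAR: return 0 only when the digests match,
# 1 on mismatch, 2 when the sidecar cannot be interpreted.
verify_tarball() {
    case "$2" in
        *.sha256) algo=sha256; len=64 ;;
        *.sha512) algo=sha512; len=128 ;;
        *) echo "unknown sidecar type: $2" >&2; return 2 ;;
    esac
    want=$(sidecar_digest "$2" "$len") || { echo "unreadable checksum in $2" >&2; return 2; }
    have=$(digest "$algo" "$1")
    if [ "$have" = "$want" ]; then
        echo "OK: $1"
    else
        echo "MISMATCH: $1 (have $have, want $want)" >&2
        return 1
    fi
}

# Usage in /usr/src/apache once the sidecars have been fetched as well:
#   verify_tarball httpd-2.4.52.tar.gz httpd-2.4.52.tar.gz.sha512
#   verify_tarball openssl-1.1.1m.tar.gz openssl-1.1.1m.tar.gz.sha256
if [ "$#" -eq 2 ]; then verify_tarball "$1" "$2"; fi
```

A checksum fetched from the same mirror only proves the download was not corrupted in transit; the .asc signatures the same sites publish, checked against the project keys, are what tie the file to the release manager. The function above is still worth running first because a damaged tarball fails here with a clear message instead of deep inside make.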
Disable Apache
Stop apache and lock the packages.
# systemctl stop apache2
# systemctl disable apache2
# zypper ll
# zypper al apache2*
# zypper al apache*
Restore OS OpenSSL
Restore the original OpenSSL.
# zypper ref
# zypper in -f libopenssl1_1 libxmlsec1-openssl1 openssl-1_1 openssl
# openssl version
# reboot
Compile OpenSSL Stand-alone
# cd /usr/src/apache/openssl-1.1.1m
# make clean
# ./config no-shared no-pinshared --prefix=/usr/local --openssldir=/usr/local/etc/ssl | tee config.txt
# make | tee make.txt
# make install | tee make-install.txt
# ldconfig
# openssl version
# /usr/local/bin/openssl version
Change the default system-wide PATH for root so that /usr/local is searched first.
# vi /etc/profile
#PATH=/sbin:/usr/sbin:/usr/local/sbin:$PATH
PATH=/usr/local/sbin:/usr/local/bin:/usr/local/apr/bin:/sbin:/usr/sbin:$PATH
Compile APR and APR-Util
# cd /usr/src/apache/apr-1.7.0
# vi configure
    $RM -f "$cfgfile"
# touch libtoolT
(The configure script of apr 1.7.0 removes a libtoolT file that may not exist and aborts on the error; adding -f to that rm, or creating the file beforehand with touch, gets past it.)
# ./configure --prefix=/usr/local/apr | tee configure.txt
# make | tee make.txt
# make install | tee make-install.txt
# ldconfig
# cd ../apr-util-1.6.1
# ./configure --prefix=/usr/local/apr --with-apr=/usr/local/apr/ | tee configure.txt
# make | tee make.txt
# make install | tee make-install.txt
# ldconfig
Copy all the code to the Apache source library:
# cd /usr/src/apache/httpd-2.4.52/srclib
# cp -R /usr/src/apache/apr-1.7.0 apr
# cp -R /usr/src/apache/apr-util-1.6.1 apr-util
# cp -R /usr/src/apache/openssl-1.1.1m openssl
Compile Apache Stand-alone
# cd /usr/src/apache/httpd-2.4.52
# vi config.layout
<Layout SuSE>
    prefix:          /usr/local
    exec_prefix:     ${prefix}
    bindir:          ${prefix}/bin
    sbindir:         ${prefix}/sbin
    libdir:          ${prefix}/lib
    libexecdir:      ${prefix}/lib/apache
    mandir:          ${prefix}/share/man
    sysconfdir:      ${prefix}/etc/httpd
    datadir:         /usr/local/httpd
    installbuilddir: ${datadir}/build
    errordir:        ${datadir}/error
    iconsdir:        ${datadir}/icons
    htdocsdir:       ${datadir}/htdocs
    manualdir:       ${datadir}/manual
    cgidir:          ${datadir}/cgi-bin
    includedir:      ${prefix}/include/apache
    localstatedir:   ${prefix}/var/lib/httpd
    runtimedir:      ${prefix}/var/run
    logfiledir:      ${prefix}/var/log/httpd
    proxycachedir:   ${prefix}/var/cache/httpd
</Layout>
# ./configure --enable-layout="SuSE" --enable-modules="all" --enable-mods-shared="all" \
    --enable-ssl --enable-mpms-shared="all" --with-mpm="worker" --enable-imagemap \
    --with-ssl=/usr/local --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr | tee configure.txt
# make | tee make.txt
# make install | tee make-install.txt
# ldconfig
Compile Tomcat Connectors
# cd /usr/src/apache/tomcat-connectors-1.2.48-src/native
# make clean
# ./configure --with-apxs=/usr/local/bin/apxs | tee configure.txt
# make | tee make.txt
# make install | tee make-install.txt
# libtool --finish /usr/local/lib/apache
Configure Apache
Configure the httpd.conf
# vi /usr/local/etc/httpd/httpd.conf
ServerRoot "/usr/local"
Listen 80
LoadModule mpm_worker_module lib/apache/mod_mpm_worker.so
LoadModule authn_file_module lib/apache/mod_authn_file.so
LoadModule authn_core_module lib/apache/mod_authn_core.so
LoadModule authz_host_module lib/apache/mod_authz_host.so
LoadModule authz_groupfile_module lib/apache/mod_authz_groupfile.so
LoadModule authz_user_module lib/apache/mod_authz_user.so
LoadModule authz_core_module lib/apache/mod_authz_core.so
LoadModule access_compat_module lib/apache/mod_access_compat.so
LoadModule auth_basic_module lib/apache/mod_auth_basic.so
LoadModule reqtimeout_module lib/apache/mod_reqtimeout.so
LoadModule include_module lib/apache/mod_include.so
LoadModule filter_module lib/apache/mod_filter.so
LoadModule mime_module lib/apache/mod_mime.so
LoadModule log_config_module lib/apache/mod_log_config.so
LoadModule env_module lib/apache/mod_env.so
LoadModule headers_module lib/apache/mod_headers.so
LoadModule setenvif_module lib/apache/mod_setenvif.so
LoadModule version_module lib/apache/mod_version.so
LoadModule ssl_module lib/apache/mod_ssl.so
LoadModule unixd_module lib/apache/mod_unixd.so
LoadModule status_module lib/apache/mod_status.so
LoadModule autoindex_module lib/apache/mod_autoindex.so
LoadModule asis_module lib/apache/mod_asis.so
LoadModule cgid_module lib/apache/mod_cgid.so
LoadModule negotiation_module lib/apache/mod_negotiation.so
LoadModule dir_module lib/apache/mod_dir.so
LoadModule userdir_module lib/apache/mod_userdir.so
LoadModule alias_module lib/apache/mod_alias.so
LoadModule rewrite_module lib/apache/mod_rewrite.so
LoadModule jk_module /usr/local/lib/apache/mod_jk.so
LoadModule info_module lib/apache/mod_info.so

# mod_jk is loaded once above; a second LoadModule for it only yields an
# "already loaded, skipping" warning at startup.
JkShmFile /usr/local/var/log/httpd/jk-runtime-status.log
JkLogFile /usr/local/var/log/httpd/mod_jk.log
JkWorkersFile /usr/local/etc/httpd/workers.properties
Include /usr/local/etc/httpd/jkmounts

# Directory containers follow the stock httpd.conf: deny everything on the
# filesystem by default, then open only the DocumentRoot.
<Directory />
    Options +FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>

DocumentRoot "/example.com/webcontent"
<Directory "/example.com/webcontent">
    Options FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

Include /usr/local/etc/httpd/httpd-ssl.conf
Configure the httpd-ssl.conf
# vi /usr/local/etc/httpd/httpd-ssl.conf
Listen 443
SSLSessionCache "shmcb:/usr/local/var/run/ssl_scache(512000)"

# Container directives follow the stock httpd-ssl.conf; the cgi-bin path is
# the cgidir from the SuSE layout above.
<VirtualHost _default_:443>
    DocumentRoot "/example.com/webcontent"
    ServerName www.example.com:443
    ServerAdmin admin@example.com
    ErrorLog "/usr/local/var/log/httpd/error_log"
    TransferLog "/usr/local/var/log/httpd/access_log"
    SSLEngine on
    SSLCertificateFile "/usr/local/etc/httpd/server.crt"
    SSLCertificateKeyFile "/usr/local/etc/httpd/server.key"
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    <Directory "/usr/local/httpd/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    CustomLog "/usr/local/var/log/httpd/ssl_request_log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
Configure Apache Startup Scripts
NOTE: First disable the old apache scripts:
# systemctl disable apache2
# systemctl stop apache2
# chkconfig apache2 off
# vi /etc/init.d/apache
#!/bin/bash
#
### Edited by Ramses Soto-Navarro ramses@sotosystems.com 1/18/2022
### BEGIN INIT INFO
# Provides:          Apache 2.4.52
# Required-Start:    $syslog $remote_fs
# Should-Start:      $time
# Required-Stop:     $syslog
# Should-Stop:
# Default-Start:     3 5
# Default-Stop:      0 1 2 6
# Short-Description: Apache 2.4.52 daemon
# Description:       Start Apache 2.4.52
### END INIT INFO

name="Apache"
bin="/usr/local/sbin/httpd"
pid="/usr/local/var/run/httpd.pid"
cfg="/usr/local/etc/httpd/httpd.conf"

. /etc/rc.status
rc_reset

case "$1" in
    start)
        echo -n "Starting $name: "
        /sbin/startproc $bin
        rc_status -v
        ;;
    stop)
        echo -n "Shutting down $name: "
        /sbin/killproc -TERM $bin
        rc_status -v
        ;;
    restart)
        $0 stop
        $0 start
        ;;
    reload)
        echo -n "Reloading $name: "
        /sbin/killproc -HUP $bin
        rc_status -v
        ;;
    status)
        echo -n "Status of $name: "
        /sbin/checkproc $bin
        rc_status -v
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|reload|status}"
        exit 1
        ;;
esac
echo ""
# vi /usr/lib/systemd/system/apache.service
[Unit]
Description=Apache Web Server
After=network.target remote-fs.target nss-lookup.target

[Service]
Type=forking
PIDFile=/usr/local/var/run/httpd.pid
ExecStart=/usr/local/sbin/apachectl start
ExecStop=/usr/local/sbin/apachectl graceful-stop
ExecReload=/usr/local/sbin/apachectl graceful
PrivateTmp=true
LimitNOFILE=infinity

[Install]
WantedBy=multi-user.target
Assign permissions to the startup files and enable them:
# chmod 0750 /etc/init.d/apache
# chown root.root /etc/init.d/apache
# systemctl enable apache.service
# systemctl daemon-reload
Test New Apache Startup
Copy the old ssl.crt and ssl.key subdirectories to /usr/local/etc/httpd/
# cp -r /etc/apache2/ssl.* /usr/local/etc/httpd/
Copy the Tomcat configuration files, restart, confirm status:
# cp /etc/apache2/{jkmounts,workers.properties} /usr/local/etc/httpd/
# systemctl start apache.service
# systemctl status apache.service
# ss -ltn | grep -E "80|443"
# ps aux | grep http
# apachectl -M
# apachectl -V
Test Commands
# curl -I http://www.example.com/server-status
Date: Tue, 18 Jan 2022 19:00:51 GMT
Server: Apache/2.4.52 (Unix) OpenSSL/1.1.1m mod_jk/1.2.48
Content-Type: text/html; charset=iso-8859-1
# w3m http://www.example.com
It works!
NOTE: Leave the old apache2 intact as much as possible. It is a second Apache that we can revert to, and it can always be overwritten by the default OS packages with a forced re-install.
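The whole point of the exercise is that httpd now carries its own OpenSSL, so the test above is worth turning into something repeatable. The script below is an added example, not part of the original notes: it checks that mod_ssl has no shared libssl/libcrypto dependency (OpenSSL was configured no-shared, so it must be linked in statically), that the httpd binary was built with the stand-alone prefix, and that the Server header reports the expected OpenSSL version. Paths are the SuSE layout from these notes; the checks read command output from stdin so they can be run over captured text as well as live.

```shell
#!/bin/sh
# Added example (not from the original notes): confirm the running httpd is
# the stand-alone build with its own OpenSSL, not the SUSE binary linked
# against the packaged libssl. Paths follow the SuSE layout used above.

# Each check reads one command's output on stdin; the live wrapper at the
# bottom feeds it the real commands.

# ldd output: no shared libssl/libcrypto may appear. OpenSSL was built
# no-shared, so a libssl.so.* line means the distribution library was
# linked (directly, or via another library mod_ssl depends on).
ssl_is_static() {
    ! grep -Eq 'lib(ssl|crypto)\.so'
}

# httpd -V output: the compiled-in HTTPD_ROOT must be the stand-alone
# prefix, otherwise the binary on the PATH is still the packaged one.
httpd_root_is_local() {
    grep -q 'HTTPD_ROOT="/usr/local"'
}

# Response headers: with ServerTokens Full (the default) the Server header
# names the OpenSSL version compiled into mod_ssl; $1 is the one expected.
server_reports_openssl() {
    grep -q "OpenSSL/$1"
}

verify_standalone_httpd() {
    httpd=/usr/local/sbin/httpd
    modssl=/usr/local/lib/apache/mod_ssl.so
    want=1.1.1m
    rc=0
    if ! ldd "$modssl" | ssl_is_static; then
        echo "FAIL: $modssl depends on a shared libssl/libcrypto" >&2
        ldd "$modssl" | grep -E 'lib(ssl|crypto)\.so' >&2
        rc=1
    fi
    if ! "$httpd" -V | httpd_root_is_local; then
        echo "FAIL: $httpd was not built with HTTPD_ROOT=/usr/local" >&2
        rc=1
    fi
    if ! curl -sI http://localhost/ | server_reports_openssl "$want"; then
        echo "FAIL: Server header does not report OpenSSL/$want" >&2
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: stand-alone httpd with static OpenSSL $want"
    return "$rc"
}

# Run the live checks with: sh verify-httpd.sh run
if [ "${1:-}" = "run" ]; then verify_standalone_httpd; fi
```

The header check only works while ServerTokens is at its default; once the build is confirmed it is usual to set ServerTokens Prod so the header stops advertising component versions, after which `httpd -V` and `ldd` remain the only ways to tell. Note that ldd prints transitive dependencies too, so a libssl line can also come from a library mod_ssl pulls in rather than from mod_ssl itself; either way it is the dependency on the OS copy that this build set out to avoid.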
Server Status and Info Page
Configure the status page for testing:
# vi /usr/local/etc/httpd/httpd.conf
<Location "/server-status">
    SetHandler server-status
    #Require host www.example.com
    #Require ip 10
</Location>
<Location "/server-info">
    SetHandler server-info
    #Require host www.example.com
</Location>
# systemctl restart apache
# w3m http://www.example.com/server-status
# w3m http://www.example.com/server-info
# curl -I http://www.example.com
NOTE: For tighter security, later on restrict who can reach these pages by IP address by uncommenting the Require lines above (Require ip 10 admits only the 10.0.0.0/8 network). As written, both pages answer to any client that can reach the server, and server-info discloses the full module configuration.
Rename Old Apache Binaries
Rename the old apache binaries so they are not confused with the newly compiled binaries in /usr/local/:
# for p in apache2 apache2-devel apache2-utils apache2-prefork ; do
>   for a in `rpm -ql $p | grep -E "^/usr/s?bin/"` ; do
>     mv $a `echo $a | sed -e 's|/usr/bin/|/usr/bin/old-|g' -e 's|/usr/sbin/|/usr/sbin/old-|g'`
>   done
> done
# mv /usr/sbin/httpd /usr/sbin/old-httpd
(The sed expressions use | as the delimiter, since the paths being rewritten contain slashes; the grep is anchored to /usr/bin and /usr/sbin so that, for example, a cgi-bin directory owned by the package is not touched.)
Systems Affected by OpenSSL
System packages affected by OpenSSL:
systemd-journald systemd-udevd systemd-logind sssd vgauthd vmtoolsd snmpd sshd apache2
System commands affected by OpenSSL:
systemd systemd-journald systemd-logind udevadm sssd vmtoolsd sssd_* snmpd sshd httpd sudo
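The two lists above are what an OS OpenSSL update would touch, and they are what the stand-alone build keeps httpd out of. The following is an added example, not part of the original notes, that regenerates such a list from /proc: it reports every running process that has the distribution's shared libssl or libcrypto mapped, so after the switch httpd should drop off it while sshd, sssd and the rest remain. The proc root is a parameter so the scan can be run against a constructed tree; on a live system it needs root, since another user's maps file is not readable.

```shell
#!/bin/sh
# Added example (not from the original notes): list the processes that have
# the OS's shared libssl/libcrypto mapped. It reads /proc/<pid>/maps, so it
# sees shared objects only; a statically linked OpenSSL (the no-shared build
# in these notes) does not show up, which is exactly the split being checked.

# ssl_linked_processes PROC_ROOT
# Prints "PID COMMAND" for each process under PROC_ROOT (normally /proc)
# whose address space contains a libssl.so or libcrypto.so mapping.
# Unreadable maps files (other users' processes when not root) are skipped.
ssl_linked_processes() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if grep -Eq '/lib(ssl|crypto)\.so' "$maps"; then
            dir=${maps%/maps}
            pid=${dir##*/}
            comm=$(cat "$dir/comm" 2>/dev/null || echo '?')
            printf '%s %s\n' "$pid" "$comm"
        fi
    done
}

# ssl_linked_commands PROC_ROOT
# The same scan reduced to distinct command names, sorted: the shape of the
# "system commands affected" list above. Run it before and after the switch
# and httpd is the entry that should disappear.
ssl_linked_commands() {
    ssl_linked_processes "${1:-/proc}" | awk '{print $2}' | sort -u
}

# Live run (as root): sh ssl-linked.sh run
if [ "${1:-}" = "run" ]; then ssl_linked_commands /proc; fi
```

Because the match is on the mapped file name, a process that loaded OpenSSL through dlopen (as some PAM and NSS modules do) is caught as well as one linked at build time, which is why sssd and systemd components appear in the list even though they are not obviously TLS programs.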
The End.