Apache Compile Stand-alone

by Ramses Soto-Navarro ramses@sotosystems.com, 2/1/2022


Overview
Download Source
Disable Apache
Restore OS OpenSSL
Compile OpenSSL Stand-alone
Compile APR and APR-Util
Compile Apache Stand-alone
Compile Tomcat Connectors
Configure Apache
Configure Apache Startup Scripts
Test New Apache Startup
Test Commands
Server Status and Info Page
Rename Old Apache Binaries
Systems Affected by OpenSSL


Overview

Brief notes about compiling Apache and OpenSSL stand-alone under /usr/local/ on SUSE 15 SP3. Previously Apache was installed on top of the binaries installed by the SUSE packages. However, that method made it impossible to use the newest OpenSSL libraries, because updating the system OpenSSL would break other system utilities. Hence the stand-alone build in /usr/local/. A stand-alone build is not updated by zypper, so later OpenSSL and Apache security fixes have to be tracked and recompiled by hand. The audience is experienced Linux administrators.

Download Source

# DIR=/usr/src/apache ; mkdir $DIR ; cd $DIR
# wget https://dlcdn.apache.org//apr/apr-1.7.0.tar.gz
# wget https://dlcdn.apache.org//apr/apr-util-1.6.1.tar.gz
# wget https://dlcdn.apache.org//httpd/httpd-2.4.52.tar.gz
# wget https://www.openssl.org/source/openssl-1.1.1m.tar.gz
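# wget https://dlcdn.apache.org/tomcat/tomcat-connectors/jk/tomcat-connectors-1.2.48-src.tar.gz

Verify each tarball against the checksum or PGP signature published by its project before unpacking it.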

Disable Apache

Stop apache and lock the packages.

# systemctl stop apache2
# systemctl disable apache2
# zypper ll
# zypper al apache2*
# zypper al apache*

Restore OS OpenSSL

Restore the original OpenSSL.

# zypper ref
# zypper in -f libopenssl1_1 libxmlsec1-openssl1 openssl-1_1 openssl
# openssl version
# reboot

Compile OpenSSL Stand-alone

# cd /usr/src/apache/openssl-1.1.1m

# make clean
# ./config no-shared no-pinshared --prefix=/usr/local --openssldir=/usr/local/etc/ssl | tee config.txt
# make | tee make.txt
# make install | tee make-install.txt
# ldconfig
# openssl version
# /usr/local/bin/openssl version

Change the default system-wide PATH for root so that /usr/local is searched first.

# vi /etc/profile
  #PATH=/sbin:/usr/sbin:/usr/local/sbin:$PATH
  PATH=/usr/local/sbin:/usr/local/bin:/usr/local/apr/bin:/sbin:/usr/sbin:$PATH

Compile APR and APR-Util

# cd /usr/src/apache/apr-1.7.0
# vi configure
  $RM -f "$cfgfile"

# touch libtoolT
# ./configure --prefix=/usr/local/apr | tee configure.txt
# make | tee make.txt
# make install | tee make-install.txt
# ldconfig

# cd ../apr-util-1.6.1
# ./configure --prefix=/usr/local/apr --with-apr=/usr/local/apr/ | tee configure.txt
# make | tee make.txt
# make install | tee make-install.txt
# ldconfig

Copy all the code to the Apache source library:

# cd /usr/src/apache/httpd-2.4.52/srclib
# cp -R /usr/src/apache/apr-1.7.0 apr
# cp -R /usr/src/apache/apr-util-1.6.1 apr-util
# cp -R /usr/src/apache/openssl-1.1.1m openssl

Compile Apache Stand-alone

# cd /usr/src/apache/httpd-2.4.52

# vi config.layout


    prefix:        /usr/local
    exec_prefix:   ${prefix}
    bindir:        ${prefix}/bin
    sbindir:       ${prefix}/sbin
    libdir:        ${prefix}/lib
    libexecdir:    ${prefix}/lib/apache
    mandir:        ${prefix}/share/man
    sysconfdir:    ${prefix}/etc/httpd
    datadir:       /usr/local/httpd
    installbuilddir: ${datadir}/build
    errordir:      ${datadir}/error
    iconsdir:      ${datadir}/icons
    htdocsdir:     ${datadir}/htdocs
    manualdir:     ${datadir}/manual
    cgidir:        ${datadir}/cgi-bin
    includedir:    ${prefix}/include/apache
    localstatedir: ${prefix}/var/lib/httpd
    runtimedir:    ${prefix}/var/run
    logfiledir:    ${prefix}/var/log/httpd
    proxycachedir: ${prefix}/var/cache/httpd


# ./configure --enable-layout="SuSE" --enable-modules="all" --enable-mods-shared="all" --enable-ssl --enable-mpms-shared="all" --with-mpm="worker" --enable-imagemap --with-ssl=/usr/local --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr | tee configure.txt
# make | tee make.txt
# make install | tee make-install.txt
# ldconfig

Compile Tomcat Connectors

# cd /usr/src/apache/tomcat-connectors-1.2.48-src/native
# make clean
# ./configure --with-apxs=/usr/local/bin/apxs | tee configure.txt
# make | tee make.txt
# make install | tee make-install.txt
# libtool --finish /usr/local/lib/apache

Configure Apache

Configure the httpd.conf

# vi /usr/local/etc/httpd/httpd.conf

ServerRoot "/usr/local"
Listen 80
LoadModule mpm_worker_module lib/apache/mod_mpm_worker.so
LoadModule authn_file_module lib/apache/mod_authn_file.so
LoadModule authn_core_module lib/apache/mod_authn_core.so
LoadModule authz_host_module lib/apache/mod_authz_host.so
LoadModule authz_groupfile_module lib/apache/mod_authz_groupfile.so
LoadModule authz_user_module lib/apache/mod_authz_user.so
LoadModule authz_core_module lib/apache/mod_authz_core.so
LoadModule access_compat_module lib/apache/mod_access_compat.so
LoadModule auth_basic_module lib/apache/mod_auth_basic.so
LoadModule reqtimeout_module lib/apache/mod_reqtimeout.so
LoadModule include_module lib/apache/mod_include.so
LoadModule filter_module lib/apache/mod_filter.so
LoadModule mime_module lib/apache/mod_mime.so
LoadModule log_config_module lib/apache/mod_log_config.so
LoadModule env_module lib/apache/mod_env.so
LoadModule headers_module lib/apache/mod_headers.so
LoadModule setenvif_module lib/apache/mod_setenvif.so
LoadModule version_module lib/apache/mod_version.so
LoadModule ssl_module lib/apache/mod_ssl.so
LoadModule unixd_module lib/apache/mod_unixd.so
LoadModule status_module lib/apache/mod_status.so
LoadModule autoindex_module lib/apache/mod_autoindex.so
LoadModule asis_module lib/apache/mod_asis.so
LoadModule cgid_module lib/apache/mod_cgid.so
LoadModule negotiation_module lib/apache/mod_negotiation.so
LoadModule dir_module lib/apache/mod_dir.so
LoadModule userdir_module lib/apache/mod_userdir.so
LoadModule alias_module lib/apache/mod_alias.so
LoadModule rewrite_module lib/apache/mod_rewrite.so
LoadModule jk_module /usr/local/lib/apache/mod_jk.so
LoadModule info_module lib/apache/mod_info.so

JkShmFile /usr/local/var/log/httpd/jk-runtime-status.log
JkLogFile /usr/local/var/log/httpd/mod_jk.log
JkWorkersFile /usr/local/etc/httpd/workers.properties
Include /usr/local/etc/httpd/jkmounts
LoadModule jk_module /usr/local/lib/apache/mod_jk.so


<Directory />
 Options +FollowSymLinks
 AllowOverride None
 Require all denied
</Directory>

DocumentRoot "/example.com/webcontent"
<Directory "/example.com/webcontent">
    Options FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>


Include /usr/local/etc/httpd/httpd-ssl.conf

Configure the httpd-ssl.conf

# vi /usr/local/etc/httpd/httpd-ssl.conf

Listen 443
SSLSessionCache        "shmcb:/usr/local/var/run/ssl_scache(512000)"

DocumentRoot "/example.com/webcontent"
ServerName www.example.com:443
ServerAdmin admin@example.com
ErrorLog "/usr/local/var/log/httpd/error_log"
TransferLog "/usr/local/var/log/httpd/access_log"
SSLEngine on
SSLCertificateFile "/usr/local/etc/httpd/server.crt"
SSLCertificateKeyFile "/usr/local/etc/httpd/server.key"

    SSLOptions +StdEnvVars


    SSLOptions +StdEnvVars

BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog "/usr/local/var/log/httpd/ssl_request_log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

Configure Apache Startup Scripts

NOTE: First disable the old apache scripts:

# systemctl disable apache2
# systemctl stop apache2
# chkconfig apache2 off
# vi /etc/init.d/apache

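#!/bin/bash
#
### Edited by Ramses Soto-Navarro ramses@sotosystems.com 1/18/2022

### BEGIN INIT INFO
# Provides:          Apache 2.4.52
# Required-Start:    $syslog $remote_fs
# Should-Start:      $time
# Required-Stop:     $syslog
# Should-Stop:
# Default-Start:     3 5
# Default-Stop:      0 1 2 6
# Short-Description: Apache 2.4.52 daemon
# Description:       Start Apache 2.4.52
### END INIT INFO

# SysV-style control script for the stand-alone Apache build in /usr/local.
# Usage: /etc/init.d/apache {start|stop|restart|reload|status}
# Relies on the rc_* helpers sourced from /etc/rc.status and on the
# startproc/killproc/checkproc tools in /sbin.

name="Apache"
bin="/usr/local/sbin/httpd"
# pid and cfg record where this build keeps its PID file and main config.
# The actions below locate the daemon by binary path and do not pass them on.
pid="/usr/local/var/run/httpd.pid"
cfg="/usr/local/etc/httpd/httpd.conf"

. /etc/rc.status

# Start from a clean status before any action runs.
rc_reset

case "$1" in
  start)
    printf 'Starting %s: ' "$name"
    /sbin/startproc "$bin"
    rc_status -v
    ;;
  stop)
    printf 'Shutting down %s: ' "$name"
    /sbin/killproc -TERM "$bin"
    rc_status -v
    ;;
  restart)
    # Re-invoke this script so stop and start each print their own status,
    # then record the result of the final start.
    "$0" stop
    "$0" start
    rc_status
    ;;
  reload)
    printf 'Reloading %s: ' "$name"
    /sbin/killproc -HUP "$bin"
    rc_status -v
    ;;
  status)
    printf 'Status of %s: ' "$name"
    /sbin/checkproc "$bin"
    rc_status -v
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|reload|status}"
    exit 1
    ;;
esac
echo ""
# Exit with the status recorded by rc_status; without this the script would
# always return the exit code of the echo above, even when an action failed.
rc_exit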
# vi /usr/lib/systemd/system/apache.service

# systemd unit for the stand-alone Apache build installed under /usr/local.
[Unit]
Description=Apache Web Server
# Order this unit after the network, remote-fs and nss-lookup targets.
After=network.target remote-fs.target nss-lookup.target

[Service]
# The start command is expected to return once httpd has daemonized, so
# systemd identifies the main process through the PID file below.
Type=forking
PIDFile=/usr/local/var/run/httpd.pid
ExecStart=/usr/local/sbin/apachectl start
# Stop and reload use apachectl's graceful variants.
ExecStop=/usr/local/sbin/apachectl graceful-stop
ExecReload=/usr/local/sbin/apachectl graceful
# Give the service its own private /tmp and /var/tmp.
PrivateTmp=true
# No cap on the number of open file descriptors.
LimitNOFILE=infinity

[Install]
# Pulled in by the normal multi-user boot target when the unit is enabled.
WantedBy=multi-user.target

Assign permissions to the startup files and enable them:

# chmod 0750 /etc/init.d/apache
# chown root.root /etc/init.d/apache

# systemctl enable apache.service
# systemctl daemon-reload

Test New Apache Startup

Copy the old ssl.crt and ssl.key subdirectories to /usr/local/etc/httpd/, then check that the copied private keys are readable only by root.

# cp -r /etc/apache2/ssl.* /usr/local/etc/httpd/

Copy the Tomcat configuration files, restart, confirm status:

# cp /etc/apache2/{jkmounts,workers.properties} /usr/local/etc/httpd/
# systemctl start apache.service
# systemctl status apache.service
# ss -ltn | grep -E "80|443"
# ps aux | grep http
# apachectl -M
# apachectl -V

Test Commands

# curl -I http://www.example.com/server-status
Date: Tue, 18 Jan 2022 19:00:51 GMT
Server: Apache/2.4.52 (Unix) OpenSSL/1.1.1m mod_jk/1.2.48
Content-Type: text/html; charset=iso-8859-1

# w3m http://www.example.com
It works!

NOTE: Leave the old apache2 intact as much as possible. It is a second apache that we can revert to; and it can always be overwritten by the default OS packages with a forced re-install.

Server Status and Info Page

Configure the status page for testing:

# vi /usr/local/etc/httpd/httpd.conf


<Location /server-status>
    SetHandler server-status
    #Require host www.example.com
    #Require ip 10
</Location>

<Location /server-info>
    SetHandler server-info
    #Require host www.example.com
</Location>

# systemctl restart apache
# w3m http://www.example.com/server-status
# w3m http://www.example.com/server-info
# curl -I http://www.example.com

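NOTE: For tighter security, later on, uncomment and adjust the Require lines (see above) to limit who can access these pages by host or IP address. Until then, server-status and server-info are readable by anyone who can reach the server.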

Rename Old Apache Binaries

Rename the old apache binaries in order not to confuse it with the new compiled binaries in /usr/local/:

# for a in `rpm -ql apache2 | grep "bin/"` ; do mv $a `echo $a | sed -e 's/\/usr\/bin\//\/usr\/bin\/old-/g' -e 's/\/usr\/sbin\//\/usr\/sbin\/old-/g'` ; done

# for a in `rpm -ql apache2-devel | grep "bin/"` ; do mv $a `echo $a | sed -e 's/\/usr\/bin\//\/usr\/bin\/old-/g' -e 's/\/usr\/sbin\//\/usr\/sbin\/old-/g'` ; done

# for a in `rpm -ql apache2-utils | grep "bin/"` ; do mv $a `echo $a | sed -e 's/\/usr\/bin\//\/usr\/bin\/old-/g' -e 's/\/usr\/sbin\//\/usr\/sbin\/old-/g'` ; done

# for a in `rpm -ql apache2-prefork | grep "bin/"` ; do mv $a `echo $a | sed -e 's/\/usr\/bin\//\/usr\/bin\/old-/g' -e 's/\/usr\/sbin\//\/usr\/sbin\/old-/g'` ; done

# mv /usr/sbin/httpd /usr/sbin/old-httpd

Systems Affected by OpenSSL

System packages affected by OpenSSL:

systemd-journald
systemd-udevd
systemd-logind
sssd
vgauthd
vmtoolsd
snmpd
sshd
apache2

System commands affected by OpenSSL:

systemd
systemd-journald
systemd-logind
udevadm
sssd
vmtoolsd
sssd_*
snmpd
sshd
httpd
sudo

The End.