May 4, 2010
I’ve decided to write a “simple” guide to installing Apache with mod_security, mod_chroot and mod_ssl, PHP with suhosin and common addons, and MySQL. The common LAMP server with a few security modifications 
This will be unique in that we are installing everything in the /opt directory, mainly to make updating/removing super easy. No trying to track down files, you just remove a directory. I’ve found this way works best.
This is the first part, the rest are coming in the next few days. Let me know if you are having any troubles.
# Download and extract the package
wget http://mirror.csclub.uwaterloo.ca/apache/httpd/httpd-2.2.15.tar.gz
tar -xvzf httpd-2.2.15.tar.gz
cd httpd-2.2.15
# Configure it with options
./configure --prefix=/opt/httpd --sysconfdir=/opt/httpd/etc --enable-ssl --enable-rewrite --enable-so
# Compile and Install it
make
make install
# Link to /etc
ln -s /opt/httpd/etc /etc/httpd2
Now for the explanation. The first command uses wget to fetch the httpd source code. You should go to the Apache website and make sure you are downloading the most recent version of their software (Excluding developmental releases) for security and performance reasons.
Next we extract the source using tar and change into the source directory
The next line is the interesting one. We configure it with any options that we want. I’ve chosen to install it into the /opt/httpd directory, although you can put it wherever you’d like. I’ve enabled SSL, mod_rewrite, and shared modules. This allows us to load dynamic modules without recompiling (Like mod_security and php). You can always run ./configure –help to see which options you can enable or disable. I HIGHLY recommend you do this so you can at least see what’s available. If you know what you are doing, there are lots of modules you do not need.
You then compile the source code and install it into the proper directories (Make & make install).
And I like creating a symlink in /etc/httpd2 to my configuration directory for ease of use.
Now we create an init script to run the web server. Copy this into /etc/init.d/httpd (I did not write this, I copied it from a distribution install on CentOS 5.4. I’ll probably make my own in the future.
#!/bin/bash
#
# httpd Startup script for the Apache HTTP Server
#
# chkconfig: - 85 15
# description: Apache is a World Wide Web server. It is used to serve \
# HTML files and CGI.
# processname: httpd
# config: /etc/httpd/conf/httpd.conf
# config: /etc/sysconfig/httpd
# pidfile: /var/run/httpd.pid
# Source function library.
. /etc/rc.d/init.d/functions
#if [ -f /etc/sysconfig/httpd ]; then
# . /etc/sysconfig/httpd
#fi
# Start httpd in the C locale by default.
HTTPD_LANG=${HTTPD_LANG-"C"}
# This will prevent initlog from swallowing up a pass-phrase prompt if
# mod_ssl needs a pass-phrase from the user.
INITLOG_ARGS=""
# Set HTTPD=/usr/sbin/httpd.worker in /etc/sysconfig/httpd to use a server
# with the thread-based "worker" MPM; BE WARNED that some modules may not
# work correctly with a thread-based MPM; notably PHP will refuse to start.
# Path to the apachectl script, server binary, and short-form for messages.
apachectl=/opt/httpd/bin/apachectl
httpd=${HTTPD-/opt/httpd/bin/httpd}
prog=httpd
pidfile=${PIDFILE-/var/run/httpd.pid}
lockfile=${LOCKFILE-/var/lock/subsys/httpd}
RETVAL=0
# check for 1.3 configuration
check13 () {
CONFFILE=/opt/httpd/etc/httpd.conf
GONE="(ServerType|BindAddress|Port|AddModule|ClearModuleList|"
GONE="${GONE}AgentLog|RefererLog|RefererIgnore|FancyIndexing|"
GONE="${GONE}AccessConfig|ResourceConfig)"
if LANG=C grep -Eiq "^[[:space:]]*($GONE)" $CONFFILE; then
echo
echo 1>&2 " Apache 1.3 configuration directives found"
echo 1>&2 " please read /usr/share/doc/httpd-2.2.15/migration.html"
failure "Apache 1.3 config directives test"
echo
exit 1
fi
}
# The semantics of these two functions differ from the way apachectl does
# things -- attempting to start while running is a failure, and shutdown
# when not running is also a failure. So we just do it the way init scripts
# are expected to behave here.
start() {
echo -n $"Starting $prog: "
check13 || exit 1
LANG=$HTTPD_LANG daemon $httpd $OPTIONS
RETVAL=$?
echo
[ $RETVAL = 0 ] && touch ${lockfile}
return $RETVAL
}
# When stopping httpd a delay of >10 second is required before SIGKILLing the
# httpd parent; this gives enough time for the httpd parent to SIGKILL any
# errant children.
stop() {
echo -n $"Stopping $prog: "
killproc -d 10 $httpd
RETVAL=$?
echo
[ $RETVAL = 0 ] && rm -f ${lockfile} ${pidfile}
}
reload() {
echo -n $"Reloading $prog: "
if ! LANG=$HTTPD_LANG $httpd $OPTIONS -t >&/dev/null; then
RETVAL=$?
echo $"not reloading due to configuration syntax error"
failure $"not reloading $httpd due to configuration syntax error"
else
killproc $httpd -HUP
RETVAL=$?
fi
echo
}
# See how we were called.
case "$1" in
start)
start
;;
stop)
stop
;;
status)
status $httpd
RETVAL=$?
;;
restart)
stop
start
;;
condrestart)
if [ -f ${pidfile} ] ; then
stop
start
fi
;;
reload)
reload
;;
graceful|help|configtest|fullstatus)
$apachectl $@
RETVAL=$?
;;
*)
echo $"Usage: $prog {start|stop|restart|condrestart|reload|status|fullstatus|graceful|help|configtest}"
exit 1
esac
exit $RETVAL
Now you could run /etc/init.d/httpd to start your server but we haven’t configured the server or installed any modules. Those are coming up next!
LAMP Server Setup Pt. 2 – Installing Mod_Security
LAMP Server Setup Pt. 3 – Installing Mod_Chroot
LAMP Server Setup Pt. 4 – Installing PHP
LAMP Server Setup Pt. 5 – Configuring Apache
Recent Comments