Compiling Apache with OpenSSL and mod_ssl

John Kozubik - john@kozubik.com - http://www.kozubik.com

January 3, 2002

This document gives step-by-step instructions on compiling the apache web server with SSL support via OpenSSL, using mod_ssl.

Overview

We first download and uncompress/untar the three packages (apache, mod_ssl, and OpenSSL). Next, we configure, make, and install OpenSSL. We then configure mod_ssl, but on the mod_ssl configure line we also add our configuration options for apache itself. No make / install of mod_ssl is necessary. Finally, we make, make certificate, and make install Apache, having already configured it via mod_ssl.

Downloading and Unpacking

Download OpenSSL from:

    ftp://ftp.openssl.org/source

At the time of this writing, openssl-0.9.6.tar.gz is the correct file to get.

Download mod_ssl from:

    ftp://ftp.modssl.org/source

The mod_ssl filenames reflect the version of mod_ssl contained, and the version of Apache that it is to be used with. Therefore, if you plan on using Apache version 1.3.22, download mod_ssl-2.8.5-1.3.22.tar.gz - this is the version we will be using in this document.

Download apache from one of the mirrors at:

    http://www.apache.org/dyn/closer.cgi

The file is apache_1.3.22.tar.gz, and it is important that this is the one you get, since it matches the version specified in the copy of mod_ssl we are using.

Now place all three of these files into some directory - it is important that all three of these source .tar.gz files be placed in the same directory. This is not the directory that they will be installed in when all is said and done, just a nice place to unpack them and compile them. I usually just place all three files in /tmp. Throughout the rest of this document, I will refer to this installation location as (install_dir).

Now `gunzip (filename).gz` all three of these files. Then `tar xvf (filename).tar` all three of the unzipped tarballs.

Compile OpenSSL

Our first step is to compile OpenSSL.
Follow these instructions exactly as they are written:

    cd (install_dir)/openssl-0.9.6
    ./config
    make
    make install

You may note that for some reason you configure with the command 'config' instead of 'configure'. I have no idea why this is, but it has been this way for as long as I have been compiling OpenSSL.

Configure mod_ssl

NOTE: this section contains three examples - you most likely want to use the second example, as it will make integration with things like php and tomcat very easy. Please read and understand this entire section before executing any of the commands.

We now configure mod_ssl, and when we configure it we also add any configuration directives that we would normally use with the configure for apache. For instance, if you want to install apache in /usr/local/apache, with no other considerations or custom configuration of apache, you would simply run these commands:

    cd (install_dir)/mod_ssl-2.8.5-1.3.22
    ./configure --with-ssl=../openssl-0.9.6 --with-apache=../apache_1.3.22 --prefix=/usr/local/apache

And that is all we would have to do. --with-ssl and --with-apache are directives for mod_ssl configure, and --prefix is a directive for apache configuration, but mod_ssl takes care of both.

Your apache configuration may be more complicated. Suppose you want to install apache with DSO support (see http://httpd.apache.org/docs/dso.html). Hint: you probably DO want to install apache with DSO support - this will allow you to easily add the functionality of things like php and tomcat.

    cd (install_dir)/mod_ssl-2.8.5-1.3.22
    ./configure --with-ssl=../openssl-0.9.6 --with-apache=../apache_1.3.22 --prefix=/usr/local/apache --enable-module=so

This adds an apache configuration directive to compile in DSO support.
Even very advanced apache configurations, like disabling certain modules for performance or security reasons, can be handled:

    cd (install_dir)/mod_ssl-2.8.5-1.3.22
    ./configure --with-ssl=../openssl-0.9.6 --with-apache=../apache_1.3.22 --prefix=/usr/local/apache --disable-module=negotiation --disable-module=status

(I don't recommend doing this unless you know what you are doing.)

The example you probably want to use is the second one. This installs apache in /usr/local/apache, and enables DSO support which you will probably use in the future, especially if you will be using things like php or tomcat.

Compile Apache

After successfully configuring mod_ssl in the last step, you will notice some instructions that were given to you on the screen. All you have to do is follow those instructions and you will be done.

    cd ../apache_1.3.22
    make
    make certificate    # see below before running this
    make install

Now you are done. Apache is completely installed, with the options you designated when you configured mod_ssl, and it has SSL built in (and DSO if you used the example I recommended).

Some notes on 'make certificate' - this step produces for you a dummy certificate that is very nice to use for development and testing. Do not worry about the answers you supply to the questions `make certificate` asks. I use the default for every answer EXCEPT for common name (Your Name). For that I enter the name of the webserver that will be running on the server (for instance, www.example.com). Also, when asked to protect the key with a passphrase, I say no, since it is a dummy and you don't need to worry about it.

Starting Apache

One final step will need to be completed before starting apache for the first time. Edit the file httpd.conf that should be in /usr/local/apache/conf. In it, you will see a line:

    #ServerName www.example.com

Uncomment that line and save the file.
Now, start apache with this command line:

    /usr/local/apache/bin/apachectl startssl

(SSL will not be active if you use a normal `apachectl start` command.)

You can now use your web browser and browse the site via http://www.example.com (or http://11.22.33.44 if your name is not resolving). You can also browse the site with SSL using https://www.example.com, although you will get a warning about an invalid certificate issuer, since it is a dummy certificate.

Starting Apache at Boot Time

In FreeBSD, you can add a file named "apache.sh" into the `/usr/local/etc/rc.d` directory (you may need to create this directory) and put the line:

    /usr/local/apache/bin/apachectl startssl

into that file. Remember that the file's name has to end in .sh, and that you need to `chmod +x filename` that file.

In Solaris, you can add a file S80httpd to the directory /etc/rc3.d and put the same command line in it. Remember that this file's name has to begin with a capital 'S' and you need to `chmod +x` that file.

Apache will now start upon system startup without your intervention.

What About PHP? Tomcat? etc.

If you used the second example above for configuring mod_ssl, which added DSO support to apache, tying in the functionality of other packages like php will be simple, since you don't need to change apache to do it. Simply install those other packages as you wish, and then edit /usr/local/apache/conf/httpd.conf and add directives pointing to the new modules (like PHP). This is the benefit of compiling in DSO support.

Upgrading

If you ever need to upgrade your copy of apache, or would like to recompile with new options, I suggest doing the following:

1. delete the directories you untarred in (install_dir), but leave the tarballs
2. freshly untar the three packages
3. follow the above instructions again, this time making the changes you need
4. when you do the final 'make install' of Apache, it will replace all of your binaries, if you install it into the same location, but it will preserve your configuration files.

This means you don't need to save or reconfigure your httpd.conf files - only the binaries will be replaced. You could also just install in a different location by changing the --prefix directive in the mod_ssl configure step, which would give you two fully functional apache installations on the same machine... but if they are both bound to port 80, you can only start one at a time.
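
The version pairing and same-directory requirement from Downloading and Unpacking can be checked mechanically before a first build or an upgrade. The script below is an added example, not part of the original document: the function names are illustrative, and the check that no tarball is writable by group or others is an added assumption that matters when (install_dir) is a shared directory.

```shell
#!/bin/sh
# Added example: pre-flight check for the three source tarballs.
# Function names are illustrative, not from the original document.

# Print the Apache version a mod_ssl tarball targets,
# e.g. mod_ssl-2.8.5-1.3.22.tar.gz -> 1.3.22
modssl_apache_version() {
    name=$(basename "$1")
    case "$name" in
        mod_ssl-*-*.tar.gz) ;;
        *) return 1 ;;
    esac
    name=${name%.tar.gz}
    printf '%s\n' "${name##*-}"
}

# Succeed only if the file is not writable by group or others.
not_writable_by_others() {
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]
}

# preflight DIR: require one matching set of tarballs in DIR, then print
# the mod_ssl configure line from the second (DSO) example.
preflight() {
    dir=$1
    set -- "$dir"/mod_ssl-*.tar.gz
    [ $# -eq 1 ] && [ -f "$1" ] || { echo "need exactly one mod_ssl tarball" >&2; return 1; }
    modssl=$1
    want=$(modssl_apache_version "$modssl") || { echo "unrecognised name: $modssl" >&2; return 1; }
    apache=$dir/apache_$want.tar.gz
    [ -f "$apache" ] || { echo "mod_ssl expects apache_$want.tar.gz" >&2; return 1; }
    set -- "$dir"/openssl-*.tar.gz
    [ $# -eq 1 ] && [ -f "$1" ] || { echo "need exactly one openssl tarball" >&2; return 1; }
    openssl=$1
    for f in "$modssl" "$apache" "$openssl"; do
        not_writable_by_others "$f" || { echo "$f is writable by other users" >&2; return 1; }
    done
    echo "./configure --with-ssl=../$(basename "$openssl" .tar.gz) --with-apache=../apache_$want --prefix=/usr/local/apache --enable-module=so"
}

# Run against a directory when one is given on the command line.
if [ $# -gt 0 ]; then preflight "$1"; fi
```

Run it as `sh preflight.sh (install_dir)` before unpacking; it prints the configure line only when the Apache tarball matches the version encoded in the mod_ssl filename.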