Setting of apache2 on my linux box

自宅サーバのapacheを1.3.xから2.2.xにバージョンアップしました

openssl 1.0.2u

• tar xvzf openssl-1.0.2u.tar.gz
• cd openssl-1.0.2u
• ./config shared
• make
• make test
• make install
• vi /etc/ld.so.conf
  /usr/local/ssl/lib を追加する
• PATH=${PATH}:/usr/local/ssl/bin;export PATH

openssl 1.1.1d

• tar xvzf openssl-1.1.1d.tar.gz
• cd openssl-1.1.1d
• CPPFLAGS=-D_GNU_SOURCE ./config shared
• make
• make test
• make install
• vi /etc/ld.so.conf
  /usr/local/lib を追加する
• PATH=${PATH}:/usr/local/bin;export PATH

httpd-2.2.34

• tar xvjf httpd-2.2.34.tar.bz2
• cd httpd-2.2.34
• ./configure --enable-mods-shared=most --enable-ssl --with-ssl=/usr/local/ssl --with-included-apr --enable-so
• make
• make certificate
  SSL通信用に秘密鍵と電子証明書(公開鍵)を作成する。但し、ここで作成する電子証明書は自分自身で署名された 物(^^;なので、あくまでもUnofficialな物であることに注意して下さい。
  (もちろん下記の鍵を自分でopensslコマンドで作成してもOK)
  • 秘密鍵 : /usr/local/apache2/conf/server.key
  • 電子証明書(公開鍵) : /usr/local/apache2/conf/server.crt

  cd /usr/local/ssl/misc/
  openssl genrsa -rand demoCA/random.dat -aes256 2048 >demoCA/private_myh.no-ip.org.pem
  openssl req -new -sha256 -key demoCA/private_myh.no-ip.org.pem -out demoCA/csr_myh.no-ip.org.pem
  openssl ca -md sha256 -policy policy_anything -days 3650 -out demoCA/cert_myh.no-ip.org.pem -infiles demoCA/csr_myh.no-ip.org.pem
  openssl pkcs12 -export -in demoCA/cert_myh.no-ip.org.pem -inkey demoCA/private_myh.no-ip.org.pem -certfile demoCA/cacert.pem -out demoCA/mycert_myh.no-ip.org.p12
  cd demoCA/
  cp cert_myh.no-ip.org.pem /usr/local/apache2/conf/server.crt
  openssl rsa -in private_myh.no-ip.org.pem -out /usr/local/apache2/conf/server.key
    

• make certificate by let's encrypt
  • mercurial-1.8.2.tar.gz
  • python-2.7.11.tar.gz
  • curl-7.53.1.tar.gz (must be enabled SNI)
  • getssl-2.10.zip
    • LD_LIBRARY_PATH="/usr/local/ssl/lib"; export LD_LIBRARY_PATH
    • "getssl -c myh.no-ip.org" to create default config files.
      • ~/.getssl/getssl.cfg

        CA="https://acme-v01.api.letsencrypt.org"
        ACCOUNT_EMAIL="m-ito@myh.no-ip.org"
        ACCOUNT_KEY_LENGTH=4096
        ACCOUNT_KEY="/root/.getssl/account.key"
        PRIVATE_KEY_ALG="rsa"
        RENEW_ALLOW="30"
        SERVER_TYPE="https"
        CHECK_REMOTE="true"
                

      • ~/.getssl/myh.no-ip.org/getssl.cfg

        CA="https://acme-v01.api.letsencrypt.org"
        SANS=""
        ACL=('/usr/local/apache2/htdocs/.well-known/acme-challenge')
                

    • "getssl myh.no-ip.org" to create certificate etc.
    • "getssl -u -a -q" to update certificate.
• make install
• vipw
  ユーザ httpd を追加
• vi /etc/group
  グループ httpd を追加
• vi /etc/rc.d/rc.local
  /usr/local/apache2/bin/apachectl start (1.3.xであった`startssl'は`start'に統合された)

コンフィグレーション

extra/httpd-userdir.conf

*** ./extra/httpd-userdir.conf.ORG	2010-06-01 15:29:21.000000000 +0900
--- ./extra/httpd-userdir.conf	2010-06-02 16:30:53.000000000 +0900
***************
*** 14,21 ****
  # for a site where these directories are restricted to read-only.
  #
  <Directory "/home/*/public_html">
!     AllowOverride FileInfo AuthConfig Limit Indexes
!     Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
      <Limit GET POST OPTIONS>
          Order allow,deny
          Allow from all
--- 14,24 ----
  # for a site where these directories are restricted to read-only.
  #
  <Directory "/home/*/public_html">
! # by m-ito
! ##    AllowOverride FileInfo AuthConfig Limit Indexes
! ##    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
!     AllowOverride All
!     Options Includes FollowSymlinks ExecCGI
      <Limit GET POST OPTIONS>
          Order allow,deny
          Allow from all

extra/httpd-vhosts.conf

*** ./extra/httpd-vhosts.conf.ORG	2010-06-01 15:38:07.000000000 +0900
--- ./extra/httpd-vhosts.conf	2017-03-27 23:43:48.000000000 +0900
***************
*** 24,45 ****
  # The first VirtualHost section is used for all requests that do not
  # match a ServerName or ServerAlias in any <VirtualHost> block.
  #
  <VirtualHost *:80>
!     ServerAdmin webmaster@dummy-host.example.com
!     DocumentRoot "/usr/local/apache2/docs/dummy-host.example.com"
!     ServerName dummy-host.example.com
!     ServerAlias www.dummy-host.example.com
!     ErrorLog "logs/dummy-host.example.com-error_log"
!     CustomLog "logs/dummy-host.example.com-access_log" common
  </VirtualHost>
! 
  <VirtualHost *:80>
!     ServerAdmin webmaster@dummy-host2.example.com
!     DocumentRoot "/usr/local/apache2/docs/dummy-host2.example.com"
!     ServerName dummy-host2.example.com
!     ErrorLog "logs/dummy-host2.example.com-error_log"
!     CustomLog "logs/dummy-host2.example.com-access_log" common
  </VirtualHost>
- 
- 
- 
--- 24,80 ----
  # The first VirtualHost section is used for all requests that do not
  # match a ServerName or ServerAlias in any <VirtualHost> block.
  #
+ # by m-ito
+ ##<VirtualHost *:80>
+ ##    ServerAdmin webmaster@dummy-host.example.com
+ ##    DocumentRoot "/usr/local/apache2/docs/dummy-host.example.com"
+ ##    ServerName dummy-host.example.com
+ ##    ServerAlias www.dummy-host.example.com
+ ##    ErrorLog "logs/dummy-host.example.com-error_log"
+ ##    CustomLog "logs/dummy-host.example.com-access_log" common
+ ##</VirtualHost>
+ ##
+ ##<VirtualHost *:80>
+ ##    ServerAdmin webmaster@dummy-host2.example.com
+ ##    DocumentRoot "/usr/local/apache2/docs/dummy-host2.example.com"
+ ##    ServerName dummy-host2.example.com
+ ##    ErrorLog "logs/dummy-host2.example.com-error_log"
+ ##    CustomLog "logs/dummy-host2.example.com-access_log" common
+ ##</VirtualHost>
  <VirtualHost *:80>
!     ServerAdmin root@spameater
!     DocumentRoot /usr/local/apache2/spam_htdocs
!     ServerName spameater
!     ErrorLog /usr/local/apache2/logs/error_spameater_log
!     CustomLog /usr/local/apache2/logs/access_spameater_log combined
  </VirtualHost>
! #
! <VirtualHost *:80>
!     ServerAdmin root@myh.no-ip.org
!     DocumentRoot /usr/local/apache2/htdocs
!     ServerName myh.no-ip.org
! </VirtualHost>
! #
! <VirtualHost *:80>
!     ServerAdmin root@secret1.no-ip.org
!     DocumentRoot /home/secret1/public_html
!     ServerName secret1.no-ip.org
!     ErrorLog /usr/local/apache2/logs/error_secret1.no-ip.org_log
!     CustomLog /usr/local/apache2/logs/access_secret1.no-ip.org_log combined
! </VirtualHost>
! #
! <VirtualHost *:80>
!     ServerAdmin root@secret2.no-ip.org
!     DocumentRoot /home/secret2/public_html
!     ServerName secret2.no-ip.org
!     ErrorLog /usr/local/apache2/logs/error_secret2.no-ip.org_log
!     CustomLog /usr/local/apache2/logs/access_secret2.no-ip.org_log combined
! </VirtualHost>
! #
  <VirtualHost *:80>
!     ServerAdmin root@secret3.ddns.net
!     DocumentRoot /home/acceptor/public_html
!     ServerName secret3.ddns.net
!     ErrorLog /usr/local/apache2/logs/error_secret3.ddns.net_log
!     CustomLog /usr/local/apache2/logs/access_secret3.ddns.net_log combined
  </VirtualHost>

extra/httpd-ssl.conf

*** ./extra/httpd-ssl.conf.ORG	2010-06-01 15:48:29.000000000 +0900
--- ./extra/httpd-ssl.conf	2017-04-16 12:06:59.000000000 +0900
***************
*** 75,82 ****
  
  #   General setup for the virtual host
  DocumentRoot "/usr/local/apache2/htdocs"
! ServerName www.example.com:443
! ServerAdmin you@example.com
  ErrorLog "/usr/local/apache2/logs/error_log"
  TransferLog "/usr/local/apache2/logs/access_log"
  
--- 75,85 ----
  
  #   General setup for the virtual host
  DocumentRoot "/usr/local/apache2/htdocs"
! # by m-ito
! ##ServerName www.example.com:443
! ##ServerAdmin you@example.com
! ServerName myh.no-ip.org:443
! ServerAdmin m-ito@myh.no-ip.org
  ErrorLog "/usr/local/apache2/logs/error_log"
  TransferLog "/usr/local/apache2/logs/access_log"
  
***************
*** 84,93 ****
  #   Enable/Disable SSL for this virtual host.
  SSLEngine on
  
  #   SSL Cipher Suite:
  #   List the ciphers that the client is permitted to negotiate.
  #   See the mod_ssl documentation for a complete list.
! SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
  
  #   Server Certificate:
  #   Point SSLCertificateFile at a PEM encoded certificate.  If
--- 87,107 ----
  #   Enable/Disable SSL for this virtual host.
  SSLEngine on
  
+ # by m-ito
+ #   SSL Protocol support:
+ #   List the protocol versions which clients are allowed to
+ #   connect with. Disable SSLv2 by default (cf. RFC 6176).
+ SSLProtocol all -SSLv2 -SSLv3
+ 
  #   SSL Cipher Suite:
  #   List the ciphers that the client is permitted to negotiate.
  #   See the mod_ssl documentation for a complete list.
! # by m-ito
! ###SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
! #SSLCipherSuite ALL:!ADH:RC4+RSA:!EXP:!aNULL:!eNULL:+HIGH:+MEDIUM:!LOW:!SSLv2
! SSLHonorCipherOrder On
! SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
! SSLCompression Off
  
  #   Server Certificate:
  #   Point SSLCertificateFile at a PEM encoded certificate.  If
***************
*** 115,120 ****
--- 129,135 ----
  #   when the CA certificates are directly appended to the server
  #   certificate for convinience.
  #SSLCertificateChainFile "/usr/local/apache2/conf/server-ca.crt"
+ SSLCertificateChainFile "/usr/local/apache2/conf/chain.crt"
  
  #   Certificate Authority (CA):
  #   Set the CA certificate verification path where to find CA

httpd.conf

*** ./httpd.conf.ORG	2010-06-01 15:13:44.000000000 +0900
--- ./httpd.conf	2018-02-10 21:19:31.000000000 +0900
***************
*** 80,85 ****
--- 80,89 ----
  LoadModule ident_module modules/mod_ident.so
  LoadModule setenvif_module modules/mod_setenvif.so
  LoadModule version_module modules/mod_version.so
+ #
+ # by m-ito
+ LoadModule ssl_module modules/mod_ssl.so
+ #
  LoadModule mime_module modules/mod_mime.so
  LoadModule dav_module modules/mod_dav.so
  LoadModule status_module modules/mod_status.so
***************
*** 97,102 ****
--- 101,110 ----
  LoadModule userdir_module modules/mod_userdir.so
  LoadModule alias_module modules/mod_alias.so
  LoadModule rewrite_module modules/mod_rewrite.so
+ # by m-ito (by php5 installer)
+ LoadModule php5_module        modules/libphp5.so
+ # by m-ito (by php7 installer)
+ #LoadModule php7_module        modules/libphp7.so
  
  <IfModule !mpm_netware_module>
  <IfModule !mpm_winnt_module>
***************
*** 108,115 ****
  # It is usually good practice to create a dedicated user and group for
  # running httpd, as with most system services.
  #
! User daemon
! Group daemon
  
  </IfModule>
  </IfModule>
--- 116,126 ----
  # It is usually good practice to create a dedicated user and group for
  # running httpd, as with most system services.
  #
! # by m-ito
! ##User daemon
! ##Group daemon
! User httpd
! Group httpd
  
  </IfModule>
  </IfModule>
***************
*** 131,137 ****
  # e-mailed.  This address appears on some server-generated pages, such
  # as error documents.  e.g. admin@your-domain.com
  #
! ServerAdmin you@example.com
  
  #
  # ServerName gives the name and port that the server uses to identify itself.
--- 142,150 ----
  # e-mailed.  This address appears on some server-generated pages, such
  # as error documents.  e.g. admin@your-domain.com
  #
! # by m-ito
! ##ServerAdmin you@example.com
! ServerAdmin m-ito@myh.no-ip.org
  
  #
  # ServerName gives the name and port that the server uses to identify itself.
***************
*** 140,146 ****
--- 153,161 ----
  #
  # If your host doesn't have a registered DNS name, enter its IP address here.
  #
+ # by m-ito
  #ServerName www.example.com:80
+ ServerName myh.no-ip.org:80
  
  #
  # DocumentRoot: The directory out of which you will serve your
***************
*** 159,167 ****
  #
  <Directory />
      Options FollowSymLinks
!     AllowOverride None
!     Order deny,allow
!     Deny from all
  </Directory>
  
  #
--- 174,184 ----
  #
  <Directory />
      Options FollowSymLinks
! # by m-ito
! ##    AllowOverride None
!     AllowOverride All
! ##    Order deny,allow
! ##    Deny from all
  </Directory>
  
  #
***************
*** 194,200 ****
      # It can be "All", "None", or any combination of the keywords:
      #   Options FileInfo AuthConfig Limit
      #
!     AllowOverride None
  
      #
      # Controls who can get stuff from this server.
--- 211,219 ----
      # It can be "All", "None", or any combination of the keywords:
      #   Options FileInfo AuthConfig Limit
      #
! # by m-ito
! ##    AllowOverride None
!     AllowOverride All
  
      #
      # Controls who can get stuff from this server.
***************
*** 209,215 ****
  # is requested.
  #
  <IfModule dir_module>
!     DirectoryIndex index.html
  </IfModule>
  
  #
--- 228,236 ----
  # is requested.
  #
  <IfModule dir_module>
! # by m-ito
! ##    DirectoryIndex index.html
!     DirectoryIndex index.html index.php
  </IfModule>
  
  #
***************
*** 258,270 ****
      # define per-<VirtualHost> access logfiles, transactions will be
      # logged therein and *not* in this file.
      #
!     CustomLog "logs/access_log" common
  
      #
      # If you prefer a logfile with access, agent, and referer information
      # (Combined Logfile Format) you can use the following directive.
      #
!     #CustomLog "logs/access_log" combined
  </IfModule>
  
  <IfModule alias_module>
--- 279,293 ----
      # define per-<VirtualHost> access logfiles, transactions will be
      # logged therein and *not* in this file.
      #
! # by m-ito
! ##    CustomLog "logs/access_log" common
  
      #
      # If you prefer a logfile with access, agent, and referer information
      # (Combined Logfile Format) you can use the following directive.
      #
! # by m-ito
!     CustomLog "logs/access_log" combined
  </IfModule>
  
  <IfModule alias_module>
***************
*** 311,317 ****
  # CGI directory exists, if you have that configured.
  #
  <Directory "/usr/local/apache2/cgi-bin">
!     AllowOverride None
      Options None
      Order allow,deny
      Allow from all
--- 334,342 ----
  # CGI directory exists, if you have that configured.
  #
  <Directory "/usr/local/apache2/cgi-bin">
! # by m-ito
! ##    AllowOverride None
!     AllowOverride All
      Options None
      Order allow,deny
      Allow from all
***************
*** 361,367 ****
--- 386,394 ----
      # To use CGI scripts outside of ScriptAliased directories:
      # (You will also need to add "ExecCGI" to the "Options" directive.)
      #
+ # by m-ito
      #AddHandler cgi-script .cgi
+     AddHandler cgi-script .cgi
  
      # For type maps (negotiated resources):
      #AddHandler type-map var
***************
*** 372,379 ****
--- 399,412 ----
      # To parse .shtml files for server-side includes (SSI):
      # (You will also need to add "Includes" to the "Options" directive.)
      #
+ # by m-ito
      #AddType text/html .shtml
      #AddOutputFilter INCLUDES .shtml
+     AddType text/html .shtml
+     AddOutputFilter INCLUDES .shtml
+ 
+ # by m-ito
+     AddType application/x-httpd-php .php
  </IfModule>
  
  #
***************
*** 425,437 ****
--- 458,474 ----
  #Include conf/extra/httpd-languages.conf
  
  # User home directories
+ # by m-ito
  #Include conf/extra/httpd-userdir.conf
+ Include conf/extra/httpd-userdir.conf
  
  # Real-time info on requests and configuration
  #Include conf/extra/httpd-info.conf
  
  # Virtual hosts
+ # by m-ito
  #Include conf/extra/httpd-vhosts.conf
+ Include conf/extra/httpd-vhosts.conf
  
  # Local access to the Apache HTTP Server Manual
  #Include conf/extra/httpd-manual.conf
***************
*** 441,449 ****
--- 478,497 ----
  
  # Various default settings
  #Include conf/extra/httpd-default.conf
+ #
+ # by m-ito
+ ServerSignature Off
+ ServerTokens ProductOnly
+ #
+ ##RewriteEngine on
+ ##RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
+ ##RewriteRule .* - [F]
+ TraceEnable off
  
  # Secure (SSL/TLS) connections
+ # by m-ito
  #Include conf/extra/httpd-ssl.conf
+ Include conf/extra/httpd-ssl.conf
  #
  # Note: The following must must be present to support
  #       starting without SSL on platforms with no /dev/random equivalent

mime.types

*** ./mime.types.ORG	2014-04-29 22:59:12.000000000 +0900
--- ./mime.types	2014-04-29 23:00:27.000000000 +0900
***************
*** 1349,1351 ****
--- 1349,1355 ----
  video/x-msvideo					avi
  video/x-sgi-movie				movie
  x-conference/x-cooltalk				ice
+ 
+ # by m-ito
+ application/x-httpd-php				php
+ application/x-httpd-php-source			phps

apache起動時に入力が必要なパスフレーズを省略できるようにする(非推奨)

• cd /usr/local/apache2/conf/ssl.key
• cp -p server.key server.key.org
• openssl rsa -in server.key.org -out server.key
  パスフレーズ入

Basic認証用 .htaccess

AuthUserFile /home/m-ito/.htpasswd
AuthType Basic
AuthGroupFile /dev/null
AuthName Secret
<LIMIT POST GET PUT>
require valid-user
</LIMIT>
<LimitExcept POST GET PUT>
Order allow,deny
Deny from all
</LimitExcept>
<FILES .htaccess>
order allow,deny
deny from all
</FILES>

.htpasswd作成

/usr/local/apache2/bin/htpasswd -c .htpasswd m-ito
/usr/local/apache2/bin/htpasswd .htpasswd foo
/usr/local/apache2/bin/htpasswd .htpasswd hoge

Digest認証用 .htaccess

#
# 1.3.xでの`AuthDigestFile'は`AuthUserFile'に統合された
#
##AuthDigestFile /home/m-ito/.htdigest
AuthUserFile /home/m-ito/.htdigest
AuthType Digest
AuthGroupFile /dev/null
AuthName Secret
<LIMIT POST GET PUT>
require valid-user
</LIMIT>
<LimitExcept POST GET PUT>
Order allow,deny
Deny from all
</LimitExcept>
<FILES .htaccess*>
order allow,deny
deny from all
</FILES>

.htdigest作成

/usr/local/apache2/bin/htdigest -c .htdigest Secret m-ito
/usr/local/apache2/bin/htdigest .htdigest Secret foo
/usr/local/apache2/bin/htdigest .htdigest Secret hoge

<Limit>等の若干の解説

order allow,deny等の若干の解説

order deny,allowの場合、deny条件→allow条件の順番で評価される。どの条件にも合致しないアクセスは許可される

途中で合致する条件にヒットしても全ての条件が最後まで評価される。このあたりはiptablesの動きと違うので注意すること

BUGS