Setting of apache2.4 on my linux box

自宅サーバのapacheを2.2.xから2.4.xにバージョンアップしました

apr-1.6.3

tar xvf apr-1.6.3.tar.bz2
cd apr-1.6.3
./configure
make
make install

apr-util-1.6.1

tar xvf apr-util-1.6.1.tar.bz2
cd apr-util-1.6.1
./configure --with-apr=/usr/local/apr
make
make install

php-7.3.14

tar xvf php-7.3.14.tar.bz2
cd php-7.3.14
undefined reference to isfinite対策
- ./buildconf --force
- perl -pi -e 's/if test "x\$ac_cv_have_decl_isfinite/if test "x\$ac_cv_have_decl_isfiniteNaNa/' ./configure
./configure --with-apxs2=/usr/local/apache24/bin/apxs --with-mysqli=mysqlnd --with-pdo-mysql=mysqlnd --with-gd --with-jpeg-dir=/usr/lib --with-zlib --with-bz2 --with-openssl=/usr/local/ssl --enable-mbstring
make
make install
cp php.ini-development /usr/local/lib/php7.ini

vim /usr/local/lib/php7.ini

extension=imagick.so
mysqli.default_socket = /var/run/mysql/mysql.sock

cd /usr/local/lib && rm php.ini && ln -s php7.ini php.ini

vim /usr/local/apache24/conf/httpd.conf

#DEL_LoadModule php5_module        modules/libphp5.so
LoadModule php7_module        modules/libphp7.so

imagick-3.4.3

tar xvf imagick-3.4.3.tgz
cd imagick-3.4.3
phpize
./configure
make
make install

httpd-2.4.41

tar xvf httpd-2.4.41.tar.bz2
cd httpd-2.4.41
./configure --prefix=/usr/local/apache24 --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr --enable-mods-shared=most --enable-ssl --with-ssl=/usr/local/ssl --enable-so --with-mpm=prefork
make

make certificate
SSL通信用に秘密鍵とサーバ証明書(公開鍵)を作成する。但し、ここで作成するサーバ証明書は自分自身で署名された物(^^;なので、あくまでもUnofficialな物であることに注意して下さい。
(もちろん下記の鍵を自分でopensslコマンドで作成してもOK)

秘密鍵 : /usr/local/apache24/conf/server.key
電子証明書(公開鍵) : /usr/local/apache24/conf/server.crt

cd /usr/local/ssl/misc/
openssl genrsa -rand demoCA/random.dat -aes256 2048 >demoCA/private_myh.no-ip.org.pem
openssl req -new -sha256 -key demoCA/private_myh.no-ip.org.pem -out demoCA/csr_myh.no-ip.org.pem
openssl ca -md sha256 -policy policy_anything -days 3650 -out demoCA/cert_myh.no-ip.org.pem -infiles demoCA/csr_myh.no-ip.org.pem
openssl pkcs12 -export -in demoCA/cert_myh.no-ip.org.pem -inkey demoCA/private_myh.no-ip.org.pem -certfile demoCA/cacert.pem -out demoCA/mycert_myh.no-ip.org.p12
cd demoCA/
cp cert_myh.no-ip.org.pem /usr/local/apache24/conf/server.crt
openssl rsa -in private_myh.no-ip.org.pem -out /usr/local/apache24/conf/server.key

make install
vipw
ユーザ httpd を追加
vi /etc/group
グループ httpd を追加
vi /etc/rc.d/rc.local
/usr/local/apache24/bin/apachectl start

let's encryptによるサーバ証明書の作成

let's encryptを利用して正式な(オレオレでない)サーバ証明書を作れます。

Pre-requirement

mercurial-1.8.2.tar.gz
python-2.7.11.tar.gz
curl-7.53.1.tar.gz (must be enabled SNI)

getssl-2.10

インストール

unzip -x getssl-2.10.zip
cd getssl-2.10
make

設定

LD_LIBRARY_PATH="/usr/local/ssl/lib"; export LD_LIBRARY_PATH

デフォルトの設定ファイルを作成

getssl -c myh.no-ip.org

~/.getssl/getssl.cfg

CA="https://acme-v01.api.letsencrypt.org"
ACCOUNT_EMAIL="m-ito@myh.no-ip.org"
ACCOUNT_KEY_LENGTH=4096
ACCOUNT_KEY="/root/.getssl/account.key"
PRIVATE_KEY_ALG="rsa"
RENEW_ALLOW="30"
SERVER_TYPE="https"
CHECK_REMOTE="true"

~/.getssl/myh.no-ip.org/getssl.cfg

CA="https://acme-v01.api.letsencrypt.org"
SANS=""
ACL=('/usr/local/apache24/htdocs/.well-known/acme-challenge')

サーバ証明書の作成

getssl myh.no-ip.org

サーバ証明書を更新

getssl -u -a -q

コンフィグレーション

httpd-vhosts.conf

*** ./extra/httpd-vhosts.conf.ORG	2018-03-18 01:04:12.000000000 +0900
--- ./extra/httpd-vhosts.conf	2018-03-18 01:14:53.000000000 +0900
***************
*** 20,41 ****
  # The first VirtualHost section is used for all requests that do not
  # match a ServerName or ServerAlias in any <VirtualHost> block.
  #
  <VirtualHost *:80>
!     ServerAdmin webmaster@dummy-host.example.com
!     DocumentRoot "/usr/local/apache24/docs/dummy-host.example.com"
!     ServerName dummy-host.example.com
!     ServerAlias www.dummy-host.example.com
!     ErrorLog "logs/dummy-host.example.com-error_log"
!     CustomLog "logs/dummy-host.example.com-access_log" common
  </VirtualHost>
  
  <VirtualHost *:80>
!     ServerAdmin webmaster@dummy-host2.example.com
!     DocumentRoot "/usr/local/apache24/docs/dummy-host2.example.com"
!     ServerName dummy-host2.example.com
!     ErrorLog "logs/dummy-host2.example.com-error_log"
!     CustomLog "logs/dummy-host2.example.com-access_log" common
  </VirtualHost>
  
  
  
--- 20,76 ----
  # The first VirtualHost section is used for all requests that do not
  # match a ServerName or ServerAlias in any <VirtualHost> block.
  #
+ ##<VirtualHost *:80>
+ ##    ServerAdmin webmaster@dummy-host.example.com
+ ##    DocumentRoot "/usr/local/apache24/docs/dummy-host.example.com"
+ ##    ServerName dummy-host.example.com
+ ##    ServerAlias www.dummy-host.example.com
+ ##    ErrorLog "logs/dummy-host.example.com-error_log"
+ ##    CustomLog "logs/dummy-host.example.com-access_log" common
+ ##</VirtualHost>
+ ##
+ ##<VirtualHost *:80>
+ ##    ServerAdmin webmaster@dummy-host2.example.com
+ ##    DocumentRoot "/usr/local/apache24/docs/dummy-host2.example.com"
+ ##    ServerName dummy-host2.example.com
+ ##    ErrorLog "logs/dummy-host2.example.com-error_log"
+ ##    CustomLog "logs/dummy-host2.example.com-access_log" common
+ ##</VirtualHost>
+ 
  <VirtualHost *:80>
!     ServerAdmin root@spameater
!     DocumentRoot /usr/local/apache24/spam_htdocs
!     ServerName spameater
!     ErrorLog /usr/local/apache24/logs/error_spameater_log
!     CustomLog /usr/local/apache24/logs/access_spameater_log combined
  </VirtualHost>
  
  <VirtualHost *:80>
!     ServerAdmin root@myh.no-ip.org
!     DocumentRoot /usr/local/apache24/htdocs
!     ServerName myh.no-ip.org
  </VirtualHost>
  
+ <VirtualHost *:80>
+     ServerAdmin root@foo.no-ip.org
+     DocumentRoot /home/foo/public_html
+     ServerName foo.no-ip.org
+     ErrorLog /usr/local/apache24/logs/error_foo.no-ip.org_log
+     CustomLog /usr/local/apache24/logs/access_foo.no-ip.org_log combined
+ </VirtualHost>
  
+ <VirtualHost *:80>
+     ServerAdmin root@bar.no-ip.org
+     DocumentRoot /home/bar/public_html
+     ServerName bar.no-ip.org
+     ErrorLog /usr/local/apache24/logs/error_bar.no-ip.org_log
+     CustomLog /usr/local/apache24/logs/access_bar.no-ip.org_log combined
+ </VirtualHost>
  
+ <VirtualHost *:80>
+     ServerAdmin root@hoge.ddns.net
+     DocumentRoot /home/hoge/public_html
+     ServerName hoge.ddns.net
+     ErrorLog /usr/local/apache24/logs/error_hoge.ddns.net_log
+     CustomLog /usr/local/apache24/logs/access_hoge.ddns.net_log combined
+ </VirtualHost>

httpd-userdir.conf

*** ./extra/httpd-userdir.conf.ORG	2018-03-18 01:15:31.000000000 +0900
--- ./extra/httpd-userdir.conf	2018-03-18 01:18:21.000000000 +0900
***************
*** 14,21 ****
  # for a site where these directories are restricted to read-only.
  #
  <Directory "/home/*/public_html">
!     AllowOverride FileInfo AuthConfig Limit Indexes
!     Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
      Require method GET POST OPTIONS
  </Directory>
  
--- 14,23 ----
  # for a site where these directories are restricted to read-only.
  #
  <Directory "/home/*/public_html">
! ##    AllowOverride FileInfo AuthConfig Limit Indexes
! ##    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
!     AllowOverride All
!     Options Includes FollowSymlinks ExecCGI
      Require method GET POST OPTIONS
  </Directory>

httpd-ssl.conf

*** ./extra/httpd-ssl.conf.ORG	2018-03-18 01:18:31.000000000 +0900
--- ./extra/httpd-ssl.conf	2018-03-18 01:29:13.000000000 +0900
***************
*** 49,56 ****
  #   ensure these follow appropriate best practices for this deployment.
  #   httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP ciphers,
  #   while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a.
! SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
! SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
  
  #  By the end of 2016, only TLSv1.2 ciphers should remain in use.
  #  Older ciphers should be disallowed as soon as possible, while the
--- 49,60 ----
  #   ensure these follow appropriate best practices for this deployment.
  #   httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP ciphers,
  #   while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a.
! ##SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
! ##SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
! SSLHonorCipherOrder On
! SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
! SSLProxyCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
! SSLCompression Off
  
  #  By the end of 2016, only TLSv1.2 ciphers should remain in use.
  #  Older ciphers should be disallowed as soon as possible, while the
***************
*** 122,129 ****
  
  #   General setup for the virtual host
  DocumentRoot "/usr/local/apache24/htdocs"
! ServerName www.example.com:443
! ServerAdmin you@example.com
  ErrorLog "/usr/local/apache24/logs/error_log"
  TransferLog "/usr/local/apache24/logs/access_log"
  
--- 126,135 ----
  
  #   General setup for the virtual host
  DocumentRoot "/usr/local/apache24/htdocs"
! ##ServerName www.example.com:443
! ##ServerAdmin you@example.com
! ServerName myh.no-ip.org:443
! ServerAdmin m-ito@myh.no-ip.org
  ErrorLog "/usr/local/apache24/logs/error_log"
  TransferLog "/usr/local/apache24/logs/access_log"
  
***************
*** 163,168 ****
--- 169,175 ----
  #   when the CA certificates are directly appended to the server
  #   certificate for convenience.
  #SSLCertificateChainFile "/usr/local/apache24/conf/server-ca.crt"
+ SSLCertificateChainFile "/usr/local/apache24/conf/chain.crt"
  
  #   Certificate Authority (CA):
  #   Set the CA certificate verification path where to find CA

httpd.conf

*** ./httpd.conf.ORG	2018-03-18 01:30:31.000000000 +0900
--- ./httpd.conf	2018-03-18 17:21:30.000000000 +0900
***************
*** 80,91 ****
--- 80,93 ----
  LoadModule auth_basic_module modules/mod_auth_basic.so
  #LoadModule auth_form_module modules/mod_auth_form.so
  #LoadModule auth_digest_module modules/mod_auth_digest.so
+ LoadModule auth_digest_module modules/mod_auth_digest.so
  #LoadModule allowmethods_module modules/mod_allowmethods.so
  #LoadModule file_cache_module modules/mod_file_cache.so
  #LoadModule cache_module modules/mod_cache.so
  #LoadModule cache_disk_module modules/mod_cache_disk.so
  #LoadModule cache_socache_module modules/mod_cache_socache.so
  #LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
+ LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
  #LoadModule socache_dbm_module modules/mod_socache_dbm.so
  #LoadModule socache_memcache_module modules/mod_socache_memcache.so
  #LoadModule watchdog_module modules/mod_watchdog.so
***************
*** 98,103 ****
--- 100,106 ----
  #LoadModule ext_filter_module modules/mod_ext_filter.so
  #LoadModule request_module modules/mod_request.so
  #LoadModule include_module modules/mod_include.so
+ LoadModule include_module modules/mod_include.so
  LoadModule filter_module modules/mod_filter.so
  #LoadModule substitute_module modules/mod_substitute.so
  #LoadModule sed_module modules/mod_sed.so
***************
*** 129,135 ****
  #LoadModule session_cookie_module modules/mod_session_cookie.so
  #LoadModule session_dbd_module modules/mod_session_dbd.so
  #LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
! #LoadModule ssl_module modules/mod_ssl.so
  #LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
  #LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so
  #LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
--- 132,138 ----
  #LoadModule session_cookie_module modules/mod_session_cookie.so
  #LoadModule session_dbd_module modules/mod_session_dbd.so
  #LoadModule slotmem_shm_module modules/mod_slotmem_shm.so
! LoadModule ssl_module modules/mod_ssl.so
  #LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
  #LoadModule lbmethod_bytraffic_module modules/mod_lbmethod_bytraffic.so
  #LoadModule lbmethod_bybusyness_module modules/mod_lbmethod_bybusyness.so
***************
*** 140,145 ****
--- 143,149 ----
  LoadModule autoindex_module modules/mod_autoindex.so
  #LoadModule info_module modules/mod_info.so
  #LoadModule cgid_module modules/mod_cgid.so
+ LoadModule cgid_module modules/mod_cgid.so
  #LoadModule dav_fs_module modules/mod_dav_fs.so
  #LoadModule vhost_alias_module modules/mod_vhost_alias.so
  #LoadModule negotiation_module modules/mod_negotiation.so
***************
*** 147,154 ****
--- 151,160 ----
  #LoadModule actions_module modules/mod_actions.so
  #LoadModule speling_module modules/mod_speling.so
  #LoadModule userdir_module modules/mod_userdir.so
+ LoadModule userdir_module modules/mod_userdir.so
  LoadModule alias_module modules/mod_alias.so
  #LoadModule rewrite_module modules/mod_rewrite.so
+ LoadModule php5_module        modules/libphp5.so
  
  
  #
***************
*** 159,166 ****
  # It is usually good practice to create a dedicated user and group for
  # running httpd, as with most system services.
  #
! User daemon
! Group daemon
  
  
  
--- 165,174 ----
  # It is usually good practice to create a dedicated user and group for
  # running httpd, as with most system services.
  #
! ##User daemon
! ##Group daemon
! User httpd
! Group httpd
  
  
  
***************
*** 181,187 ****
  # e-mailed.  This address appears on some server-generated pages, such
  # as error documents.  e.g. admin@your-domain.com
  #
! ServerAdmin you@example.com
  
  #
  # ServerName gives the name and port that the server uses to identify itself.
--- 189,196 ----
  # e-mailed.  This address appears on some server-generated pages, such
  # as error documents.  e.g. admin@your-domain.com
  #
! ##ServerAdmin you@example.com
! ServerAdmin m-ito@myh.no-ip.org
  
  #
  # ServerName gives the name and port that the server uses to identify itself.
***************
*** 191,196 ****
--- 200,206 ----
  # If your host doesn't have a registered DNS name, enter its IP address here.
  #
  #ServerName www.example.com:80
+ ServerName myh.no-ip.org:80
  
  #
  # Deny access to the entirety of your server's filesystem. You must
***************
*** 198,205 ****
  #  blocks below.
  #
  
!     AllowOverride none
!     Require all denied
  
  
  #
--- 208,216 ----
  #  blocks below.
  #
  
! ##    AllowOverride none
!     AllowOverride All
! ##    Require all denied
  
  
  #
***************
*** 235,241 ****
      # It can be "All", "None", or any combination of the keywords:
      #   AllowOverride FileInfo AuthConfig Limit
      #
!     AllowOverride None
  
      #
      # Controls who can get stuff from this server.
--- 246,253 ----
      # It can be "All", "None", or any combination of the keywords:
      #   AllowOverride FileInfo AuthConfig Limit
      #
! ##    AllowOverride None
!     AllowOverride All
  
      #
      # Controls who can get stuff from this server.
***************
*** 248,254 ****
  # is requested.
  #
  
!     DirectoryIndex index.html
  
  
  #
--- 260,267 ----
  # is requested.
  #
  
! ##    DirectoryIndex index.html
!     DirectoryIndex index.html index.php
  
  
  #
***************
*** 295,307 ****
      # define per- access logfiles, transactions will be
      # logged therein and *not* in this file.
      #
!     CustomLog "logs/access_log" common
  
      #
      # If you prefer a logfile with access, agent, and referer information
      # (Combined Logfile Format) you can use the following directive.
      #
      #CustomLog "logs/access_log" combined
  
  
  
--- 308,321 ----
      # define per- access logfiles, transactions will be
      # logged therein and *not* in this file.
      #
! ##    CustomLog "logs/access_log" common
  
      #
      # If you prefer a logfile with access, agent, and referer information
      # (Combined Logfile Format) you can use the following directive.
      #
      #CustomLog "logs/access_log" combined
+     CustomLog "logs/access_log" combined
  
  
  
***************
*** 348,354 ****
  # CGI directory exists, if you have that configured.
  #
  
!     AllowOverride None
      Options None
      Require all granted
  
--- 362,369 ----
  # CGI directory exists, if you have that configured.
  #
  
! ##    AllowOverride None
!     AllowOverride All
      Options None
      Require all granted
  
***************
*** 396,401 ****
--- 411,417 ----
      # (You will also need to add "ExecCGI" to the "Options" directive.)
      #
      #AddHandler cgi-script .cgi
+     AddHandler cgi-script .cgi
  
      # For type maps (negotiated resources):
      #AddHandler type-map var
***************
*** 408,413 ****
--- 424,431 ----
      #
      #AddType text/html .shtml
      #AddOutputFilter INCLUDES .shtml
+     AddType text/html .shtml
+     AddOutputFilter INCLUDES .shtml
  
  
  #
***************
*** 468,479 ****
--- 486,499 ----
  
  # User home directories
  #Include conf/extra/httpd-userdir.conf
+ Include conf/extra/httpd-userdir.conf
  
  # Real-time info on requests and configuration
  #Include conf/extra/httpd-info.conf
  
  # Virtual hosts
  #Include conf/extra/httpd-vhosts.conf
+ Include conf/extra/httpd-vhosts.conf
  
  # Local access to the Apache HTTP Server Manual
  #Include conf/extra/httpd-manual.conf
***************
*** 484,489 ****
--- 504,514 ----
  # Various default settings
  #Include conf/extra/httpd-default.conf
  
+ # add by m-ito
+ ServerSignature Off
+ ServerTokens ProductOnly
+ TraceEnable off
+ 
  # Configure mod_proxy_html to understand HTML4/XHTML1
  
  Include conf/extra/proxy-html.conf
***************
*** 491,496 ****
--- 516,522 ----
  
  # Secure (SSL/TLS) connections
  #Include conf/extra/httpd-ssl.conf
+ Include conf/extra/httpd-ssl.conf
  #
  # Note: The following must must be present to support
  #       starting without SSL on platforms with no /dev/random equivalent

mime.types

*** ./mime.types.ORG	2018-03-18 01:43:24.000000000 +0900
--- ./mime.types	2018-03-18 01:44:47.000000000 +0900
***************
*** 1853,1855 ****
--- 1853,1860 ----
  video/x-sgi-movie				movie
  video/x-smv					smv
  x-conference/x-cooltalk				ice
+ 
+ # add by m-ito
+ application/x-httpd-php				php
+ application/x-httpd-php-source			phps
+

apache起動時に入力が必要なパスフレーズを省略できるようにする(非推奨)

cd /usr/local/apache24/conf/ssl.key
cp -p server.key server.key.org
openssl rsa -in server.key.org -out server.key
パスフレーズ入力

Basic認証用 .htaccess

AuthUserFile /home/m-ito/.htpasswd
AuthType Basic
AuthGroupFile /dev/null
AuthName Secret
<LIMIT POST GET PUT>
require valid-user
</LIMIT>
<LimitExcept POST GET PUT>
Order allow,deny
Deny from all
</LimitExcept>
<FILES .htaccess>
order allow,deny
deny from all
</FILES>

.htpasswd作成

/usr/local/apache24/bin/htpasswd -c .htpasswd m-ito
/usr/local/apache24/bin/htpasswd .htpasswd foo
/usr/local/apache24/bin/htpasswd .htpasswd hoge

Digest認証用 .htaccess

AuthUserFile /home/m-ito/.htdigest
AuthType Digest
AuthGroupFile /dev/null
AuthName Secret
<LIMIT POST GET PUT>
require valid-user
</LIMIT>
<LimitExcept POST GET PUT>
Order allow,deny
Deny from all
</LimitExcept>
<FILES .htaccess*>
order allow,deny
deny from all
</FILES>

.htdigest作成

/usr/local/apache24/bin/htdigest -c .htdigest Secret m-ito
/usr/local/apache24/bin/htdigest .htdigest Secret foo
/usr/local/apache24/bin/htdigest .htdigest Secret hoge

<Limit>等の若干の解説

<Limit>で特定のメソッドに制限を加えた場合でも、それ以外のメソッドは制限がかかっていない事に注意が必用。以外のメソッドに制限を加える場合は<LimitExcept>を使う

order allow,deny等の若干の解説

order allow,denyの場合、allow条件->deny条件の順番で評価される。どの条件にも合致しないアクセスは拒否される
order deny,allowの場合、deny条件->allow条件の順番で評価される。どの条件にも合致しないアクセスは許可される
途中で合致する条件にヒットしても全ての条件が最後まで評価される。このあたりはiptablesの動きと違うので注意すること

m-ito@myh.no-ip.org

[更新]