[LINUX] Source compile Apache2.4 + PHP7.4 with Raspberry Pi and build a Web server ―― 1. Apache introduction

Assumptions and preparations

Linux server building article

- Building a file server with Samba (CentOS 8.1 / openSUSE 15.1 / Ubuntu 20.04)
- Source compilation of Apache2.4 + PHP7.4 on Linux -- 1. Apache introduction / [Raspberry Pi: This article]
- Source compilation of Apache2.4 + PHP7.4 on Linux -- 2. PHP introduction / [[Raspberry Pi]](https://qiita.com/kazumi75kitty/items/50f1a447f6ebc2ee2b61)
- Source compilation of Apache2.4 + PHP7.4 on Linux -- 3. MySQL introduction / [[Raspberry Pi]](https://qiita.com/kazumi75kitty/items/4212dacc45944f27ca94)
- Apache2.4 + PHP7.4 on Linux -- 4. Security (chown and firewalld)
- Build an IPsec gateway on Linux for VPN -- 1. Introduce StrongSwan / [[Ubuntu 20.04 + Raspberry Pi]](https://qiita.com/kazumi75kitty/items/08259681247a6c2ebd0d)
- Build an IPsec gateway on Linux for VPN -- 2. Check connection to VPN / [[Ubuntu 20.04 + Raspberry Pi]](https://qiita.com/kazumi75kitty/items/c83f920f052d83d62457)

Last time I built the web server on x64, on an ordinary PC and on virtual machines such as Hyper-V. This time, instead of a PC or a virtual machine, I **build a web server with Apache on a Raspberry Pi** (⑅•ᴗ•⑅)

Meaning of compiling with source code

Compiling from source lets you configure Apache the same way on any distribution and gives you exactly the version you need (with the standard package commands, the version you get depends on the version of the distribution).

However, compiling every package from source would mean tracking down all the major libraries yourself. So only the software whose version I really want to pin, such as Apache and PHP, is compiled from source; whatever is needed for make is installed with standard package commands such as dnf and apt.

environment

- Web server program: Apache 2.4.46 (source compilation)
- Client: Windows10 Pro
- Server architecture: Raspberry Pi 3B+ (with armv8)
- Linux distribution: openSUSE 15.1 Leap (64bit) / Raspberry Pi OS 2020.08 version (32bit)

Premise

- Minimal installation of the OS. The OS must also be updated to the latest state.
- The installing user is root (in my verification, I use an administrator account called admin and run the commands from it via sudo).
- On openSUSE, the firewall is firewalld (no distribution-specific firewall commands are used). On Raspberry Pi OS, firewalld's handling of IPv6 was a mess, so I decided to use ufw, the Debian standard.

Server conditions

IP address

- Client: 192.168.1.11
- Web server: 192.168.1.18 (verified with the same IP address for all distributions)
- Network segment: 192.168.1.0/24

[Image: Webサーバー.png]

Components and versions downloaded and installed individually (as of June 2020)

Other required packages are installed with the distribution's standard package commands (dnf, apt, etc.) and do not need to be downloaded individually.

For download, you can access the official website, download from there and transfer it by FTP, or you can get it with wget if you know the URL of the download file, but the acquisition method is omitted.

Work procedure

Preparation

Install make, cmake, and the archive extraction tools

openSUSE15.1(RaspberryPi)


# zypper -n install make cmake tar bzip2

RaspberryPiOS(2020.08)


# apt-get -y install make cmake tar bzip2

Install GCC and the C++ compiler

openSUSE15.1(RaspberryPi)


# zypper -n install gcc gcc-c++

RaspberryPiOS(2020.08)


# apt-get -y install gcc build-essential

zlib source installation

I installed zlib without changing the default location.

# cd [The directory where the zlib archive files are located]
# tar zxvf zlib-1.2.11.tar.gz
# cd zlib-1.2.11/
# ./configure
# make
# make install

Install the packages required to compile Apache with the distribution standard package command

By installing Perl and the SSL libraries, you get all the features you need for Apache. It is tedious, but if you skip this step, you will get an error saying that a package is missing and the compilation will stop (´•ω•̥`)

openSUSE15.1(RaspberryPi)


# zypper -n install ncurses-devel perl libaio1 libaio-devel perl-Data-Dump libexpat-devel pcre pcre-devel libopenssl-devel

RaspberryPiOS(2020.08)


# apt-get -y install libncurses5-dev perl libaio1 libaio-dev libexpat1-dev libpcre3 libpcre3-dev libssl-dev

Install APR and its utility library

APR is installed in /opt/apr-1.7.0 and APR-Util is installed in /opt/apr-util-1.6.1.

# cd [Directory where apr-1.7.0.tar.gz is located]
# tar xvzf apr-1.7.0.tar.gz
# cd apr-1.7.0/
# ./configure --prefix=/opt/apr-1.7.0
# make
# make install

# cd [Directory where apr-util-1.6.1.tar.gz is located]
# tar xvzf apr-util-1.6.1.tar.gz
# cd apr-util-1.6.1/
# ./configure --prefix=/opt/apr-util-1.6.1 --with-apr=/opt/apr-1.7.0
# make
# make install

Compile and install Apache 2.4 from source

Now for the main event. This step took quite some time. It was a Raspberry Pi, so it may have taken about 40 minutes...

configure and make

# cd [Directory where httpd-2.4.46.tar.gz is located]
# tar xvzf httpd-2.4.46.tar.gz
# cd httpd-2.4.46/
# ./configure --with-apr=/opt/apr-1.7.0 --with-apr-util=/opt/apr-util-1.6.1 --enable-so --enable-ssl --enable-mods-shared=all --enable-mpms-shared=all

In the configure options, give the APR and APR-Util paths that were specified as prefixes when they were installed. Here, APR is installed in "/opt/apr-1.7.0" and APR-Util in "/opt/apr-util-1.6.1", so I used those paths.

I also have SSL enabled.

I installed all the required packages above and was able to run configure without errors (*´꒳`*) Now for the essential part: compilation and installation. Apache has a lot of features, so if you get an error here, it is a hassle to find out where it occurred (˙꒳˙ᐢ).

# make
# make install

If you can compile without error, the installation is complete ♪ (*˘︶˘*)...:*♡

Apache preferences

Once installed, the next step is the configuration file (˙꒳˙ᐢ) When you install Apache by compiling from source, Apache itself is installed in /usr/local/apache2. The configuration files are stored in /usr/local/apache2/conf/, so configure the Apache environment there.

[Apache basic settings]
# vi /usr/local/apache2/conf/httpd.conf

/usr/local/apache2/conf/httpd.conf


…
#ServerName www.example.com:80
ServerName localhost:80 ← Add this line directly under ↑
…
DocumentRoot "/usr/local/apache2/htdocs"
<Directory "/usr/local/apache2/htdocs">
    …
    Options Indexes FollowSymLinks
↑ Comment out this line by adding "#" at the beginning
   (do not allow unnecessary access to directories that are not published as pages)
…
#LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
#LoadModule ssl_module modules/mod_ssl.so
↑ Find the two lines above and remove the leading "#" from both so that the .so libraries are loaded
…
#Include conf/extra/httpd-ssl.conf
↑ Remove the leading "#" so that conf/extra/httpd-ssl.conf is read
…
[Apache SSL (https) settings]
# vi /usr/local/apache2/conf/extra/httpd-ssl.conf

/usr/local/apache2/conf/extra/httpd-ssl.conf


…
SSLCertificateFile "/usr/local/apache2/conf/server.crt"
…
SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"
…

Here, I decided to put the key files required for https in /usr/local/apache2/conf/, the same directory as the configuration file.

SSL certificate creation

Normally, a certificate is issued through a certification authority that chains to a root CA, but here the priority is on **making Apache work with https**, so certificate authorities are not covered. As a result, you will get a security warning when you access the site...

# cd /usr/local/apache2/conf/
# openssl genrsa -out server.key 2048
# openssl req -new -key server.key -out server.csr

In the process of creating an SSL key, there is also a dialogue to enter the profile of the organization, but you can create the certificate without problems by entering the following

# openssl req -new -key server.key -out server.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:<what entry=The prefecture you live in example=Kanagawa>
Locality Name (eg, city) [Default City]:<what entry=Municipalities where you live example=Miura>
Organization Name (eg, company) [Default Company Ltd]:<what entry=Arbitrary organization name>
Organizational Unit Name (eg, section) []:<what entry=Any organizational unit>
Common Name (eg, your name or your server's hostname) []:<what entry=Domain name example=kazumi-jam.chips.jp>
Email Address []:<what entry=Email address [email protected]>

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:<what entry=Appropriate for the time being>
An optional company name []:<what entry=Blank Enter for the time being>

I wanted to mark this up so that it is easy to follow, so I wrote what to enter in an XML-like style (*˘︶˘*) In the XML-tag-style "<what entry=…", "entry" is what to enter and "example=..." is a sample input. In the actual input, it does not matter if there are spaces.

Example:
State or Province Name (full name) []: Kanagawa Pref.
Locality Name (eg, city) [Default City]: Miura city

After creating server.csr, create a set of certificates.

# openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt

Without the "-days" option, it is only valid for 90 days and is useless for purposes other than experimentation. So here, it is set to "-days 3650", which is 10 years. Even so, this is a self-signed ("oreore") certificate, not one issued by a trusted institution... (*˘ᗜ˘*;)

Now that you have created the SSL certificate, change the permissions so that no one else can touch it.

# chmod 600 /usr/local/apache2/conf/server.crt
# chmod 600 /usr/local/apache2/conf/server.csr
# chmod 600 /usr/local/apache2/conf/server.key
# ls -l /usr/local/apache2/conf/
total 108
drwxr-xr-x 2 root root   313 June 24 13:08 extra
-rw-r--r-- 1 root root 19316 June 24 13:07 httpd.conf
-rw-r--r-- 1 root root 13064 June 24 13:03 magic
-rw-r--r-- 1 root root 60847 June 24 13:03 mime.types
drwxr-xr-x 3 root root    37 June 24 13:03 original
-rw------- 1 root root  1379 June 24 13:06 server.crt
-rw------- 1 root root  1119 June 24 13:04 server.csr
-rw------- 1 root root  1675 June 24 13:03 server.key

With the "ls -l" command, confirm that **the 3 files related to the certificate and key, such as "server.crt" (the bottom 3 lines in the above list), are owned by root and have the permissions "rw-------" (600)**. It's a security breach when the contents of the private key are visible to other users...
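A non-interactive variant of the certificate steps above, as an added example that is not part of the original article: it creates the key and a self-signed certificate in one command, adds a subjectAltName (the CSR flow above does not set one, and current browsers match the host against it), and then checks the key/certificate pair and the 600 permissions. The function names and the "/C=JP" subject are assumptions; it needs OpenSSL 1.1.1 or later and GNU stat.

```shell
#!/bin/sh
# Added example (not from the article). Assumes OpenSSL 1.1.1 or later
# (-addext, -ext) and GNU stat (-c). Function names are hypothetical.

# make_selfsigned DIR NAME DAYS -> writes DIR/server.key and DIR/server.crt
# NAME is the host name or IPv4 address that clients will type in the URL.
make_selfsigned() {
    dir=$1 name=$2 days=$3
    case $name in
        *[!0-9.]*) san="DNS:$name" ;;   # anything but digits and dots: host name
        *)         san="IP:$name" ;;    # dotted quad: IPv4 address
    esac
    (
        umask 077   # both files are created readable by their owner only
        openssl req -x509 -newkey rsa:2048 -nodes \
            -keyout "$dir/server.key" -out "$dir/server.crt" \
            -days "$days" -subj "/C=JP/CN=$name" \
            -addext "subjectAltName=$san" 2>/dev/null
    )
}

# key_matches_cert KEY CRT -> 0 when CRT carries the public half of KEY
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# private_to_owner FILE... -> 0 when every file has mode 600
private_to_owner() {
    for f in "$@"; do
        [ "$(stat -c '%a' "$f")" = 600 ] || { echo "too open: $f"; return 1; }
    done
}

# cert_san CRT -> prints the subjectAltName entries of the certificate
cert_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName | sed -n '2s/^ *//p'
}

# Usage (as root), with the article's directory and server address:
#   make_selfsigned /usr/local/apache2/conf 192.168.1.18 3650
#   key_matches_cert /usr/local/apache2/conf/server.key /usr/local/apache2/conf/server.crt
#   private_to_owner /usr/local/apache2/conf/server.key /usr/local/apache2/conf/server.crt
if [ $# -eq 3 ]; then make_selfsigned "$1" "$2" "$3"; fi
```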

Start Apache service

Create and enable Apache service startup script

You now have all the necessary environment settings and keys for Apache, so the next step is to make it startable. Startup is handled by systemd, so create the unit file in /etc/systemd/system.

# cd /etc/systemd/system
# vi httpd.service

httpd.service


[Unit]
Description=Apache

[Service]
Type=forking
ExecStart=/usr/local/apache2/bin/apachectl start
ExecStop=/usr/local/apache2/bin/apachectl stop

[Install]
WantedBy=multi-user.target

The systemd unit file is not explained in detail here. Since Apache's startup files are in /usr/local/apache2/bin, Apache can be started and stopped by running the "apachectl" command found there. Also, Apache runs the web server processes as subprocesses (in short, when you start it from a terminal, it does not sit there in a "running" state that blocks other operations; control returns to the command prompt and you can carry on with other work. Does that make sense??), so specify forking as Type.

Firewall settings

Next, accept **ports 80 (http) and 443 (https)**. As a premise, **the server and client belong to the 192.168.1.0/24 network**, and access from anywhere else is not accepted, so allow only that segment with rules as follows.

openSUSE15.1(RaspberryPi)(firewalld)


# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port port="80" protocol="tcp" accept'
# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port port="443" protocol="tcp" accept'
# firewall-cmd --reload

RaspberryPiOS2020.08(ufw)


# ufw allow proto tcp from 192.168.1.0/24 to any port 80
# ufw allow proto tcp from 192.168.1.0/24 to any port 443
# ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 30303/tcp                  ALLOW IN    192.168.1.0/24
[ 2] 5900:5999/tcp              ALLOW IN    192.168.1.0/24
[ 3] 80/tcp                     ALLOW IN    192.168.1.0/24
[ 4] 443/tcp                    ALLOW IN    192.168.1.0/24
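A check for the rule set above, as an added example that is not part of the original article: it reads "ufw status numbered" output and lists any ALLOW rule for port 80 or 443 whose source is not the LAN segment. The function names are hypothetical, and rules 5 and 6 in the sample are constructed to show what a finding looks like.

```shell
#!/bin/sh
# Added example (not from the article): flag ufw rules that open the web
# ports to sources other than the LAN segment the article allows.

# web_rules_outside SUBNET   (reads "ufw status numbered" output on stdin)
# Prints every ALLOW rule for port 80 or 443 whose source is not SUBNET and
# returns 1 when it found one. Port ranges and app profiles are not handled.
web_rules_outside() {
    awk -v lan="$1" -F'  +' '
        /^\[ *[0-9]+\]/ {
            line = $0
            sub(/ +$/, "")                   # trailing blanks
            sub(/^\[ *[0-9]+\] */, "")       # rule number, e.g. "[ 3] "
            port = $1
            sub("[/ ].*", "", port)          # "443/tcp (v6)" -> "443"
            if ((port == "80" || port == "443") && $2 ~ /^ALLOW/ && $3 != lan) {
                print line
                bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# Sample input: rules 1-4 are the article's output, rules 5-6 are constructed.
sample_status() {
    cat <<'EOF'
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 30303/tcp                  ALLOW IN    192.168.1.0/24
[ 2] 5900:5999/tcp              ALLOW IN    192.168.1.0/24
[ 3] 80/tcp                     ALLOW IN    192.168.1.0/24
[ 4] 443/tcp                    ALLOW IN    192.168.1.0/24
[ 5] 443/tcp                    ALLOW IN    Anywhere
[ 6] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
EOF
}

# On the server: ufw status numbered | web_rules_outside 192.168.1.0/24
sample_status | web_rules_outside 192.168.1.0/24 ||
    echo "rules above expose 80/443 beyond 192.168.1.0/24"
```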

Start up and check operation

Let's start it. Enable the service so that it always starts at boot, and confirm that the status is "Active" and "Running".

# systemctl start httpd
# systemctl enable httpd
# systemctl status httpd

**However...!! On openSUSE, "systemctl start httpd" failed to start Apache!!** (´•ω•̥`)

openSUSE15.1(raspberryPi)


# journalctl -xe

When I checked the journal log obtained by the above command, I found that **on openSUSE for Raspberry Pi, the user "daemon" specified in the Apache configuration file does not exist**. So I decided to create a new user to run the Apache process...

openSUSE15.1(raspberryPi)


# useradd -m apache
# passwd apache
# vi /usr/local/apache2/conf/httpd.conf

…(Omission)…
User daemon ← Change to apache
Group daemon ← Change to users
…(Omission)…

# systemctl start httpd

In openSUSE, by default a group with the same name as the user is not created; the user is placed in the "users" group instead.

You can now start it with "systemctl start httpd"!!
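A pre-start check for the httpd.conf edits made in this article, including the missing "daemon" account that stopped Apache on openSUSE (an added example, not part of the original article). The function names, finding labels and the sample configuration are constructed for illustration; it only looks at local accounts and at the directives the article touches.

```shell
#!/bin/sh
# Added example (not from the article): audit the httpd.conf edits made above
# before starting the service. Prints one finding per line, returns 1 if any.

# active_value FILE DIRECTIVE -> argument of the last uncommented DIRECTIVE line
active_value() {
    awk -v d="$2" '$1 == d { v = $2 } END { if (v != "") print v }' "$1"
}

group_exists() {
    getent group "$1" >/dev/null 2>&1 || grep -q "^$1:" /etc/group 2>/dev/null
}

check_httpd_conf() {
    conf=$1 rc=0
    # Directory listings: an uncommented Options line that still enables Indexes.
    if grep -Eq '^[[:space:]]*Options[[:space:]]+(.*[[:space:]])?[+]?Indexes([[:space:]]|$)' "$conf"; then
        echo "indexes-enabled"; rc=1
    fi
    # The openSUSE failure from the article: User/Group names an account that
    # does not exist on this system.
    user=$(active_value "$conf" User)
    if [ -n "$user" ] && ! id "$user" >/dev/null 2>&1; then
        echo "missing-user:$user"; rc=1
    fi
    group=$(active_value "$conf" Group)
    if [ -n "$group" ] && ! group_exists "$group"; then
        echo "missing-group:$group"; rc=1
    fi
    # https needs both modules loaded and httpd-ssl.conf included.
    for want in 'LoadModule ssl_module' 'LoadModule socache_shmcb_module' \
                'Include conf/extra/httpd-ssl.conf'; do
        if ! grep -Eq "^[[:space:]]*$want([[:space:]]|\$)" "$conf"; then
            echo "inactive:$want"; rc=1
        fi
    done
    return $rc
}

# Constructed sample: the article's edits only half applied, and a User that
# is assumed not to exist on the machine running the check.
sample_conf() {
    cat <<'EOF'
ServerName localhost:80
User nosuchuser_constructed
Group root
<Directory "/usr/local/apache2/htdocs">
    Options Indexes FollowSymLinks
</Directory>
#LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule ssl_module modules/mod_ssl.so
#Include conf/extra/httpd-ssl.conf
EOF
}

demo=$(mktemp) && sample_conf >"$demo"
check_httpd_conf "$demo" || echo "fix the findings above, then start httpd"
rm -f "$demo"
```

On the server itself, call check_httpd_conf /usr/local/apache2/conf/httpd.conf before "systemctl start httpd".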

From the Windows client side, enter https://[Linux server IP address]/ in your browser to confirm.

Here, the Linux web server is 192.168.1.18, so go to https://192.168.1.18. Of course, the certificate is not issued by a trusted institution, so the browser shows a privacy error; in that case, select "Access as is" to proceed (the behavior differs between Chrome and Firefox).

itwks.png

The image above is a capture taken on a virtual machine, but it is a success because the same screen appears on the Raspberry Pi!! (˶˙ᵕ˙˶)

next time

Introduce PHP and set up the foundation of the web application server.
