Source compile Apache2.4 (httpd 2.4.43) + PHP7.4 on Linux and build a Web server ―― 1. Apache introduction

Assumptions and preparations

Linux server building article

- Building a file server with Samba (CentOS 8.1 / openSUSE 15.1 / Ubuntu 20.04)
- Source compilation of Apache2.4 + PHP7.4 on Linux -- 1. Apache introduction [this article]
- Source compilation of Apache2.4 + PHP7.4 on Linux -- 2. PHP introduction
- Source compilation of Apache2.4 + PHP7.4 on Linux -- 3. MySQL introduction

First, I built a file server with Samba, as a server that can be set up on a small PC (a used PC or a Raspberry Pi) for sharing PC files, from private use up to small and medium-sized enterprises. This time, I build a web server with Apache (⑅ • ᴗ • ⑅)

Meaning of compiling with source code

Compiling from source lets you configure Apache in the same way on any distribution and gives you the version you need (with the standard package commands, the version depends on the release of that distribution).

However, if you compiled every package from source you would have to track down all the major libraries yourself, so only the software you absolutely want to pin to a fixed version, such as Apache and PHP, is compiled from source. Whatever is needed for make is installed with the standard package commands such as dnf and apt.

environment

- Web server program: Apache 2.4.43 (source compilation)
- Client: Windows10 Pro
- Server architecture: x64 (operation confirmed with Hyper-V 2nd generation)
- Linux distribution: CentOS 8.1 / openSUSE 15.1 Leap / Ubuntu 20.04 (all 64bit)

Premise

- Minimal installation of the OS. The OS must also be updated to the latest state.
- The installing user is root (in my verification, it is an administrator account called admin, and commands are run with sudo from there)
- For all distributions, the firewall is firewalld (distribution-specific firewall commands are not used)
- For CentOS, disable SELinux (a reboot is also required after editing /etc/selinux/config).

CentOS8.1


# vi /etc/selinux/config

/etc/selinux/config


SELINUX=disabled

CentOS8.1


# reboot

Server conditions

IP address

- Client: 192.168.1.11
- Web server: 192.168.1.18 (verified with the same IP address for all distributions)
- Network segment: 192.168.1.0/24

Packages to download and install individually, and their versions (as of June 2020)

Other required packages are installed with the distribution's standard package commands (dnf, apt, etc.) and do not need to be downloaded individually.

For download, you can access the official website, download from there and transfer it by FTP, or you can get it with wget if you know the URL of the download file, but the acquisition method is omitted.

Work procedure

Preparation

Install make, cmake, and the archive extraction tools

CentOS8.1


# dnf -y install make cmake tar bzip2

openSUSE15.1


# zypper -n install make cmake tar bzip2

Install GCC and the C++ compiler

CentOS8.1


# dnf -y install gcc gcc-c++

openSUSE15.1


# zypper -n install gcc gcc-c++

zlib source installation

I installed zlib without changing the default location.

# cd [The directory where the zlib archive files are located]
# tar zxvf zlib-1.2.11.tar.gz
# cd zlib-1.2.11/
# ./configure
# make
# make install

Install the packages required to compile Apache with the distribution standard package command

Installing Perl, the SSL libraries and the other packages below gives you all the features you need for Apache. Note: even if it seems tedious, do not skip this step, or you will get an error saying that a package is missing and the compilation will stop (´ • ω • ̥`)

CentOS8.1


# dnf -y install ncurses-devel perl libaio libaio-devel perl-Data-Dumper expat-devel pcre pcre-devel openssl-devel

openSUSE15.1


# zypper -n install ncurses-devel perl libaio1 libaio-devel perl-Data-Dump libexpat-devel pcre pcre-devel libopenssl-devel

Install APR and its utility library

APR is installed in /opt/apr-1.7.0 and APR-Util is installed in /opt/apr-util-1.6.1.

# cd [The directory where the APR 1.7.0 archive file is located]
# tar xvzf apr-1.7.0.tar.gz
# cd apr-1.7.0/
# ./configure --prefix=/opt/apr-1.7.0
# make
# make install

# cd [The directory where the APR-Util 1.6.1 archive file is located]
# tar xvzf apr-util-1.6.1.tar.gz
# cd apr-util-1.6.1/
# ./configure --prefix=/opt/apr-util-1.6.1 --with-apr=/opt/apr-1.7.0
# make
# make install

Compile and install Apache 2.4 from source

Now for the main part. This work took quite a while (probably 30 minutes on my Hyper-V PC)

configure and make

# cd [The directory where Apache httpd is located]
# tar xvzf httpd-2.4.43.tar.gz
# cd httpd-2.4.43/
# ./configure --with-apr=/opt/apr-1.7.0 --with-apr-util=/opt/apr-util-1.6.1 --enable-so --enable-ssl --enable-mods-shared=all --enable-mpms-shared=all

In the configure options, give the APR and APR-Util paths that were specified as prefixes when they were installed. Here, APR is installed in "/opt/apr-1.7.0" and APR-Util is installed in "/opt/apr-util-1.6.1", so I used those paths.

I also have SSL enabled.

I installed all the required packages above and I was able to configure without errors (*´꒳`*) Now for the essential part, compilation and installation. If you get an error there, Apache has so many features that it is a hassle to find out where the error occurred (˙꒳ ˙ᐢ).

# make
# make install

If you can compile without error, the installation is complete ♪ (*˘︶˘*)...:*♡

Apache configuration

Once installed, the next step is the configuration file (˙꒳ ˙ᐢ) When you install Apache by source compilation, Apache itself is installed in /usr/local/apache2. The configuration files are stored in /usr/local/apache2/conf/, so configure the Apache environment there.

[Apache basic settings]
# vi /usr/local/apache2/conf/httpd.conf

/usr/local/apache2/conf/httpd.conf


…
#ServerName www.example.com:80
ServerName localhost:80 ← Add this line directly under ↑
…
DocumentRoot "/usr/local/apache2/htdocs"
<Directory "/usr/local/apache2/htdocs">
    …
    Options Indexes FollowSymLinks
↑ Put "#" at the beginning of this line to comment it out
   (Do not allow unnecessary access to directories that are not published as pages)
…
#LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
#LoadModule ssl_module modules/mod_ssl.so
↑ Look for the two lines above and remove the leading "#" from both so that the .so libraries are loaded
…
#Include conf/extra/httpd-ssl.conf
↑ Remove the leading "#" so that conf/extra/httpd-ssl.conf is read
…
[Apache SSL (https) settings]
# vi /usr/local/apache2/conf/extra/httpd-ssl.conf

/usr/local/apache2/conf/extra/httpd-ssl.conf


…
SSLCertificateFile "/usr/local/apache2/conf/server.crt"
…
SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"
…

Here, I decided to place the key and certificate required for https in /usr/local/apache2/conf/, the same directory as the configuration file.
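The httpd.conf edits listed above are easy to miss one of, so they can be checked with a script. This is an added example, not part of the original article: the function names (active, audit_httpd_conf, write_sample_conf) are hypothetical, and the sample file is constructed from the excerpt shown above in its unedited state.

```shell
#!/bin/sh
# Added example (not from the original article): checks an httpd.conf for the
# five edits described above. Prints one FAIL line per missing edit and
# returns 0 only when all of them are in place.

# True if file $1 has an uncommented line matching the ERE $2.
active() { grep -Eq "^[[:space:]]*$2" "$1"; }

audit_httpd_conf() {
    conf=$1
    rc=0
    fail() { echo "FAIL: $1"; rc=1; }

    active "$conf" 'ServerName[[:space:]]+[^[:space:]]' \
        || fail "ServerName is not set"
    # Directory listing: any active Options line that turns Indexes on.
    active "$conf" 'Options[[:space:]](.*[[:space:]])?\+?Indexes([[:space:]]|$)' \
        && fail "Options Indexes is still active (directory listing enabled)"
    active "$conf" 'LoadModule[[:space:]]+socache_shmcb_module[[:space:]]' \
        || fail "mod_socache_shmcb is not loaded"
    active "$conf" 'LoadModule[[:space:]]+ssl_module[[:space:]]' \
        || fail "mod_ssl is not loaded"
    active "$conf" 'Include[[:space:]]+conf/extra/httpd-ssl\.conf' \
        || fail "conf/extra/httpd-ssl.conf is not included"
    return "$rc"
}

# Constructed sample: the relevant lines as they look before editing.
write_sample_conf() {
    cat > "$1" <<'EOF'
#ServerName www.example.com:80
DocumentRoot "/usr/local/apache2/htdocs"
<Directory "/usr/local/apache2/htdocs">
    Options Indexes FollowSymLinks
</Directory>
#LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
#LoadModule ssl_module modules/mod_ssl.so
#Include conf/extra/httpd-ssl.conf
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
audit_httpd_conf "$sample" || echo "=> edits still needed"
rm -f "$sample"
```

On the server itself, run audit_httpd_conf /usr/local/apache2/conf/httpd.conf after editing; no output and exit status 0 mean every edit is present.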

SSL certificate creation

Properly, the certificate is issued via a root certification authority, but here the priority is the method of making Apache compatible with https, so the certificate issuing authority is not covered. As a result, you will get a security warning when you access the site [...]

# cd /usr/local/apache2/conf/
# openssl genrsa -out server.key 2048
# openssl req -new -key server.key -out server.csr

In the process of creating the certificate request, there is also a dialogue for entering the profile of the organization, but you can create the certificate without problems by entering the following:



# openssl req -new -key server.key -out server.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:<what entry=The prefecture you live in example=Kanagawa>
Locality Name (eg, city) [Default City]:<what entry=Municipalities where you live example=Miura>
Organization Name (eg, company) [Default Company Ltd]:<what entry=Arbitrary organization name>
Organizational Unit Name (eg, section) []:<what entry=Any organizational unit>
Common Name (eg, your name or your server's hostname) []:<what entry=Domain name example=kazumi-jam.chips.jp>
Email Address []:<what entry=Email address [email protected]>

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:<what entry=Appropriate for the time being>
An optional company name []:<what entry=Blank Enter for the time being>

To make it easy to follow, I marked what to enter in an XML-like style (*˘︶˘*) In the XML-style tag, "<what entry=…" is what to enter and "example=…" is an example of input. The actual values may contain spaces.

Example:
State or Province Name (full name) []: Kanagawa Pref.
Locality Name (eg, city) [Default City]: Miura city

After creating server.csr, create a set of certificates.

# openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt

Without the "-days" option, it is only valid for 90 days and is useless for purposes other than experimentation. So here, it is set as "-days 3650" for 10 years. Even so, it is a self-signed ("oreore") certificate, not one issued by a trusted institution ... (*˘ᗜ˘*;)

Now that you've created the SSL certificate, change the permissions so that no one else touches it.

# chmod 600 /usr/local/apache2/conf/server.crt
# chmod 600 /usr/local/apache2/conf/server.csr
# chmod 600 /usr/local/apache2/conf/server.key
# ls -l /usr/local/apache2/conf/
108 in total
drwxr-xr-x 2 root root 313 June 24 13:08 extra
-rw-r--r-- 1 root root 19316 June 24 13:07 httpd.conf
-rw-r--r-- 1 root root 13064 June 24 13:03 magic
-rw-r--r-- 1 root root 60847 June 24 13:03 mime.types
drwxr-xr-x 3 root root 37 June 24 13:03 original
-rw------- 1 root root 1379 June 24 13:06 server.crt
-rw------- 1 root root 1119 June 24 13:04 server.csr
-rw------- 1 root root 1675 June 24 13:03 server.key

With the "ls -l" command, confirm that the 3 files related to the certificate and key, such as "server.crt" (the bottom 3 lines in the above list), are owned by root and that their permissions are "rw-------" (600). It is a security breach when the contents of the private key are visible to other users...
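The same check can be scripted so that it can be repeated after every certificate renewal. This is an added example, not part of the original article: the function names (perm_owner, check_tls_files) are hypothetical, the owner is compared by numeric uid (0 is root), and the extra test on the directory itself is an addition that goes beyond the three files checked above.

```shell
#!/bin/sh
# Added example (not from the original article): the "ls -l" check above as a
# script. Usage: check_tls_files DIR [UID]   (UID defaults to 0, i.e. root)

# Print "<9 permission chars> <owner uid>" for a path, e.g. "rw------- 0".
perm_owner() {
    ls -ldn "$1" | awk '{ print substr($1, 2, 9), $3 }'
}

check_tls_files() {
    dir=$1
    uid=${2:-0}
    rc=0
    for name in server.key server.csr server.crt; do
        f=$dir/$name
        if [ ! -f "$f" ]; then
            echo "FAIL: $f is missing"; rc=1; continue
        fi
        got=$(perm_owner "$f")
        if [ "$got" != "rw------- $uid" ]; then
            echo "FAIL: $f is '$got', expected 'rw------- $uid'"; rc=1
        fi
    done
    # A directory writable by group or others lets them replace the key file,
    # so the 5th and 8th permission characters must both be "-".
    case $(perm_owner "$dir") in
        ????-??-?" $uid") ;;
        *) echo "FAIL: $dir is writable by group/others or not owned by uid $uid"; rc=1 ;;
    esac
    return "$rc"
}

# Constructed demo in a throwaway directory owned by the current user.
demo=$(mktemp -d)
touch "$demo/server.key" "$demo/server.csr" "$demo/server.crt"
chmod 600 "$demo/server.csr" "$demo/server.crt"
chmod 644 "$demo/server.key"            # deliberately too open
check_tls_files "$demo" "$(id -u)" || echo "=> fix with chmod 600"
rm -rf "$demo"
```

On the server, check_tls_files /usr/local/apache2/conf should print nothing and return 0.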

Start Apache service

Create and enable Apache service startup script

You now have all the necessary environment settings and keys for Apache, so the next step is to be able to start it. Since services are started by systemd, create the unit file in /etc/systemd/system

# cd /etc/systemd/system
# vi httpd.service

httpd.service


[Unit]
Description=Apache

[Service]
Type=forking
ExecStart=/usr/local/apache2/bin/apachectl start
ExecStop=/usr/local/apache2/bin/apachectl stop

[Install]
WantedBy=multi-user.target

The systemd unit file is not explained in detail here, but since the Apache startup files themselves are located in /usr/local/apache2/bin, you can start and stop Apache by executing the "apachectl" command found there. Also, in the case of Apache, the web server process runs as a sub-process (in short, a program started in the foreground on a terminal stays in the "running" state and no other operation is possible there, whereas here you get back to the command prompt and can carry on with other operations. Does that make sense??), so specify forking as Type.

firewalld settings

Next, in the firewalld settings, accept ports 80 (http) and 443 (https). As a premise, the server and client belong to the 192.168.1.0/24 network and access from anywhere outside it is not accepted, so allow the ports with rich rules as follows.

# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port port="80" protocol="tcp" accept'
# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port port="443" protocol="tcp" accept'
# firewall-cmd --reload

Start up and check operation

Let's start it. Also enable the service so that it always starts at boot, and confirm that the status is "Active" and "Running".

# systemctl start httpd
# systemctl enable httpd
# systemctl status httpd

[Image: apachect.png] If it looks like the picture above, the startup is successful. From the Windows client side, enter https://[Linux server IP address]/ in your browser to confirm.

Here, the Linux web server is 192.168.1.18, so go to https://192.168.1.18. Of course, the certificate is not issued by a trusted institution, so it will result in a privacy error ;; in that case, select "Access as is" to proceed (although it behaves differently in Chrome and Firefox).


Succeeded! !! (˶˙ᵕ˙˶)

Next time

Introduce PHP and set up the foundation of the web application server
