
Apache 2 with mod_ssl: check-out and configure

Audience

Developers with access to UC Berkeley's CVS repository, who need to install and configure Apache2 httpd with SSL/TLS (via the mod_ssl interface to OpenSSL).

Note

Developers who need to deploy a version of httpd other than the one(s) available in CVS may want to read the step-by-step documentation provided elsewhere on this site. Note that the bulk of the work described in the detailed documentation has been performed and committed to CVS for selected versions of Apache's httpd web server, and/or is more easily accomplished via the Ant build files described in this document.

Purpose

To install and configure Apache 2 with SSL/TLS (via the mod_ssl interface to OpenSSL).

Due to copyright and legal considerations, Apache does not make binary (pre-built) versions of httpd with SSL available for download from its project site. This document describes the process of checking out the necessary binaries and other files from UC Berkeley's CVS repository, and using the supplied Ant build files to properly configure and deploy Apache's web server with generated, self-signed certificates. The automated steps committed to a common repository and/or facilitated by Ant build scripts may also be accomplished manually, as described in the step-by-step documentation available elsewhere on this site.

Prerequisites

  • An operating system for which binaries exist in the CVS repository (at the time of writing, Win32 binaries had been checked in to CVS, and these instructions were tested on a Windows 2000 SP4 platform)
  • Sufficient hard-disk space
  • Some familiarity with Apache configuration files (cf. documentation for info)
  • Access to CVS

Installing Apache2 with mod_ssl

The following steps, described below, are intended to be performed sequentially:

  • Set environment variables
  • Check out Apache binaries and configuration files from CVS
  • Copy selected binaries (.dll files) to SystemRoot directory
  • Edit configuration properties file to conform to intended deployment
  • Edit Ant build scripts, as necessary
  • Run appropriate Ant target(s)

Set Environment Variables

The environment variable APACHE_HOME must be set in order for the Ant deploy targets to work properly.

It is strongly recommended that Apache httpd be deployed in a directory outside the developer's workspace. This will help prevent accidental deletion or overwriting of web-content, certificates, etc. generated or deployed outside the context of the process described in this document. A directory close to the filesystem root is generally appropriate for Apache httpd deployment (e.g., c:\apache\ on a Windows filesystem; or /usr/local/apache on a unix or linux filesystem).

If you are using an IDE, such as Eclipse, you may need to restart the IDE after setting or re-setting environment variables.

Check out Apache httpd from CVS

Check out the appropriate project from CVS, e.g., the project apache-httpd-2-0-49 located in the CVS repository /usr/local/cvsrep/third-party/apache on canvas.berkeley.edu. Checkout should be into the regular workspace - not to the deployment directory, APACHE_HOME. The build scripts associated with this project assume that the project is checked out into the directory defined by CVSHOME.

This project includes Apache binaries for selected operating systems (e.g., for Windows, Linux, and/or Solaris); as well as configuration templates, properties files, and Ant targets which, in combination, simplify httpd configuration, SSL certificate generation, and deployment.

Copy .dll files (Windows only)

To deploy Apache httpd with SSL on Windows, the following .dll files must be copied to the machine's SystemRoot directory:

  • windows\resources\win-dll\ssleay32.dll
  • windows\resources\win-dll\libeay32.dll

The filenames above are given relative to the root directory of the project checked out in a previous step.

To determine the SystemRoot directory of a Windows machine, type the following in a command window:
    set SystemRoot

Edit configuration properties

The configuration properties (e.g., httpd server name, IP address, ports, and access control; self-signed certificate parameters; etc.) are set in a single file, located in the checked-out project tree at <your OS>/resources/properties/apache-conf.properties.

Consult this file's comments, as well as Apache's configuration documentation and the documents referred to (via URL) within the comments themselves, in order to understand the significance of, and appropriate values for, each of these properties.

Warning

It is critically important that the properties in apache-conf.properties be set appropriately: the web server's configuration will be built from these settings.

Edit build.xml file (Ant)

Selected properties at the beginning of the Ant build file in the root of the project directory may require editing:

apache.binaries.subdir

Apache binaries and associated resources are grouped in directories under the project's root directory. Each directory is named for the operating system (OS) for which the Apache binaries it contains were built.

This property holds the name of the OS-specific directory. It should be set to a value corresponding to the OS of the machine on which Apache httpd will be deployed (e.g., "windows" or "linux").

ARCHIVE_EXTANT_CONFIG_FILES

If this property is set (to any value), the deploy targets in this build file will archive (back up) copies of generated configuration, certificate, and key files before overwriting them. Archives are created in the directory where the generated files are deployed (e.g., APACHE_HOME/conf/archive/). To turn the archive functionality off, do not set this property (i.e., comment it out in the build file).

Run build target(s)

Run Ant build target(s), as appropriate.

The default target, local-deploy-apache, will configure, generate self-signed X.509 certificate and key files, and deploy Apache httpd with SSL to the directory specified in the environment variable APACHE_HOME. This and other targets of potential interest are described below:

local-deploy-apache

Default target (and the one most users will prefer to use). End-to-end configuration, generation of self-signed X.509 certificate and key files, and deployment of Apache httpd with SSL (to the directory specified in the environment variable APACHE_HOME).

local-deploy-apache-binaries

Overwrites the current binaries in the directory specified by the environment variable APACHE_HOME with those in the project tree directory specified by the build property apache.binaries.subdir. Binaries and default content and configuration files are overwritten; files extant in the APACHE_HOME tree but not in the project tree will not be deleted. Called by local-deploy-apache.

local-deploy-generated-apache-config

Overwrites files in local APACHE_HOME/conf directory with generated configuration files. Called by local-deploy-apache.

local-deploy-generated-apache-certs

Overwrites files with generated self-signed certificate and key files; target directory is the subdirectory of APACHE_HOME specified by the apache-server-ssl-cert-directory property in apache-conf.properties. Called by local-deploy-apache.

configure-apache

Calls targets to copy model httpd.conf and ssl.conf files using token filtering. Depended on by local-deploy-generated-apache-config.

generate-self-signed-certificate

Generates self-signed certificate and key files with openssl, based on properties set in apache-conf.properties. Depended on by local-deploy-generated-apache-certs.

Test Drive

The following steps test your installation of Apache and SSL.

  • Open a Command window and change directory to the one in which httpd (the Apache web-server) was installed.
  • Type the following command to start Apache httpd with SSL:
    apache -D SSL
  • If there are error messages, resolve them (e.g., check that all properties in apache-conf.properties are defined appropriately).
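
A pre-flight check for the environment steps above, useful before running the Ant targets or when apache -D SSL fails at start-up: it confirms that APACHE_HOME is set and does not overlap the workspace, and (on Windows) that both OpenSSL DLLs are present in SystemRoot. This is an added example, not part of the checked-out project; the function names and the workspace argument are assumptions.

```python
import os
from pathlib import Path

# DLL names taken from the "Copy .dll files" step of this document.
REQUIRED_DLLS = ("ssleay32.dll", "libeay32.dll")


def _is_inside(child: Path, parent: Path) -> bool:
    """True if child is parent or lies below it (per path component, not string prefix)."""
    try:
        child.relative_to(parent)
        return True
    except ValueError:
        return False


def preflight(env, workspace, windows=(os.name == "nt")):
    """Return a list of problems found; an empty list means every check passed.

    env       -- mapping of environment variables (normally os.environ)
    workspace -- directory the CVS project was checked out into (assumed argument)
    windows   -- also check SystemRoot for the OpenSSL DLLs
    """
    problems = []
    apache_home = env.get("APACHE_HOME", "").strip()
    if not apache_home:
        problems.append("APACHE_HOME is not set; the Ant deploy targets need it")
    else:
        home = Path(apache_home).resolve()
        ws = Path(workspace).resolve()
        if _is_inside(home, ws):
            problems.append(f"APACHE_HOME ({home}) is inside the workspace ({ws})")
        elif _is_inside(ws, home):
            problems.append(f"workspace ({ws}) is inside APACHE_HOME ({home})")
    if windows:
        system_root = env.get("SystemRoot", "").strip()
        if not system_root:
            problems.append("SystemRoot is not set; cannot locate the OpenSSL DLLs")
        else:
            for name in REQUIRED_DLLS:
                if not (Path(system_root) / name).is_file():
                    problems.append(f"{name} not found in {system_root}")
    return problems


if __name__ == "__main__":  # assumes it is run from the root of the checked-out project
    for line in preflight(os.environ, os.getcwd()) or ["pre-flight checks passed"]:
        print(line)
```
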