I’m using Ubuntu on VMware for F5 BIG-IP LTM VE lab testing. The first section is a quick and easy way to get a simple HTTP web page working. It’s definitely not best practice. The second section is to get HTTPS working for SSL testing.
Note: I’m going to use VMnet3 for my web hosts:
Ethernet adapter VMware Network Adapter VMnet3:
   Connection-specific DNS Suffix  . :
   Link-local IPv6 Address . . . . . : fe80::a817:e023:3443:30d3%28
   IPv4 Address. . . . . . . . . . . : 192.168.242.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
To see if Apache is already installed you can use the “which” command, which will show the path of the program you're searching for:
nico@web1:~$ which apache2
/usr/sbin/apache2
Or you could search for the apache process:
nico@ubuntu:~$ pgrep apache
9002
9004
9005
9006
Or you could check if the package is actually installed (so many ways, but that’s the joy of Linux!):
nico@ubuntu:~$ dpkg -l "apache*"
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version        Description
+++-==============-==============-============================================
un  apache         <none>         (no description available)
un  apache-common  <none>         (no description available)
un  apache-utils   <none>         (no description available)
ii  apache2        2.2.17-1ubuntu Apache HTTP Server metapackage
So if it’s not installed, install it with the command below (you will need Internet access):
nico@ubuntu:~$ sudo apt-get install apache2
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following extra packages will be installed:
  apache2-mpm-worker apache2-utils apache2.2-bin apache2.2-common libapr1
  libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap
Suggested packages:
  apache2-doc apache2-suexec apache2-suexec-custom
The following NEW packages will be installed:
  apache2 apache2-mpm-worker apache2-utils apache2.2-bin apache2.2-common
  libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap
0 upgraded, 9 newly installed, 0 to remove and 248 not upgraded.
Need to get 3,115 kB of archives.
After this operation, 10.5 MB of additional disk space will be used.
Do you want to continue [Y/n]? Y
 * Starting web server apache2
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
   [ OK ]
Setting up apache2 (2.2.17-1ubuntu1.4) ...
Processing triggers for libc-bin ...
ldconfig deferred processing now taking place
nico@ubuntu:~$
Note the error message regarding the FQDN. Let’s fix that:
nico@ubuntu:~$ sudo gedit /etc/apache2/httpd.conf
When gedit opens up, paste the following line in and save:
ServerName 192.168.242.129
Now restart Apache and notice the error has gone:
nico@ubuntu:~$ sudo /etc/init.d/apache2 restart
 * Restarting web server apache2 ... waiting
   [ OK ]
nico@ubuntu:~$
Now browse to the IP of the web server (run ifconfig if you don’t know it), or browse to http://localhost/ on the web server itself. You should see the “It works!” page.
You can change this text to something unique by editing the index.html that’s in /var/www/ (as below), but if you are going to configure SSL (see next post) the index.html location will change, so it’s probably not worth changing this one:
nico@web1:~$ sudo gedit /var/www/index.html
<html><body><h1>Web Server 1 works!</h1>
<p>This is the default web page for this server.</p>
</body></html>
If you want to test HTTPS (SSL) then you will need to do the following:
Confirm you have OpenSSL installed:
nico@web1:~$ which openssl
/usr/bin/openssl
nico@web1:~$
Create Certificate Authorities and self-signed SSL certificates
We can create our own CA (Certificate Authority) and self-signed SSL server certificates with openssl. Self-signing is the simpler route to take, but making our own CA allows the signing of multiple server certificates using the same CA and takes only a couple of extra steps. Here we’ll just self-sign a server certificate:
Create a self-signed certificate (if you don’t want to make a CA)
First generate a server key:
nico@web1:~$ sudo openssl genrsa -des3 -out server.key 4096
Generating RSA private key, 4096 bit long modulus
.........................................................................................................................++
...................................................................................++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
nico@web1:~$
Then follow the bouncing ball until it asks you for your "Common Name" and make sure that it is the same as the FQDN of the server or its IP address. Don’t make a challenge password yet as it will mean more typing:
nico@web1:~$ sudo openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
Country Name (2 letter code) [AU]:AU
State or Province Name (full name) [Some-State]:Victoria
Locality Name (eg, city) []:Melbourne
Organization Name (eg, company) [Internet Widgits Pty Ltd]:nwten.net
Organizational Unit Name (eg, section) []:operations
Common Name (eg, YOUR name) []:192.168.242.129
Email Address []:info@nwten.net
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Tip: the default values for these questions are located in /etc/ssl/openssl.cnf.
Next we need to sign the certificate signing request, in this case for 365 days:
nico@web1:~$ sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=AU/ST=Victoria/L=Melbourne/O=nwten.net/OU=operations/CN=192.168.242.129/emailAddress=info@nwten.net
Getting Private key
Enter pass phrase for server.key:
nico@web1:~$
Now make a version of the server.key which doesn't require a password:
nico@web1:~$ sudo openssl rsa -in server.key -out server.key.insecure
Enter pass phrase for server.key:
writing RSA key
nico@web1:~$
nico@web1:~$ sudo mv server.key server.key.secure
nico@web1:~$ sudo mv server.key.insecure server.key
Verify:
nico@web1:~$ ls -la
-rw-r--r-- 1 nico nico 2025 2011-12-23 01:11 server.crt
-rw-r--r-- 1 nico nico 1760 2011-12-23 01:07 server.csr
-rw-r--r-- 1 nico nico 3243 2011-12-23 01:13 server.key
-rw-r--r-- 1 nico nico 3311 2011-12-23 01:01 server.key.secure
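The key and certificate steps above, collapsed into one command as an added example (not from the original post; it assumes OpenSSL 1.1.1 or newer for -addext and -ext, which the 2011-era Ubuntu here would not have, and writes to a throwaway mktemp directory rather than /etc/apache2/ssl). It also checks two things the listing above does not: the passphrase-less server.key ends up -rw-r--r--, readable by every local user on the web host, and a certificate whose only identity is CN=192.168.242.129 is rejected by current browsers, which require the IP in a subjectAltName.

```shell
#!/bin/sh
# Added example, not the post's own commands. Assumes OpenSSL >= 1.1.1.

# make_selfsigned DIR IP DAYS: key and self-signed cert in one step.
# -nodes means no passphrase (same effect as the post's server.key.insecure
# step) so Apache can start unattended; umask 077 keeps the key private.
make_selfsigned() {
  dir=$1; ip=$2; days=$3
  mkdir -p "$dir"
  ( umask 077
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
      -keyout "$dir/server.key" -out "$dir/server.crt" \
      -subj "/C=AU/ST=Victoria/L=Melbourne/O=lab/CN=$ip" \
      -addext "subjectAltName=IP:$ip" >/dev/null 2>&1 ) || return 1
  chmod 0644 "$dir/server.crt"   # the certificate is public; the key is not
}

# key_is_private FILE: succeed only if group and other have no permission bits
key_is_private() {
  [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# key_matches_cert DIR: the cert must carry the public half of this key
key_matches_cert() {
  k=$(openssl pkey -in "$1/server.key" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$1/server.crt" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_has_ip_san DIR IP: browsers match an IP against the SAN, not the CN
cert_has_ip_san() {
  openssl x509 -in "$1/server.crt" -noout -ext subjectAltName 2>/dev/null |
    grep -q "IP Address:$2"
}

# cert_valid_for DIR SECONDS: fail if the cert expires within SECONDS
cert_valid_for() {
  openssl x509 -in "$1/server.crt" -noout -checkend "$2" >/dev/null 2>&1
}

# Demo run (constructed lab directory; the IP is the one used in the post)
LAB_DIR=${LAB_DIR:-$(mktemp -d)}
make_selfsigned "$LAB_DIR" 192.168.242.129 365 &&
  key_is_private "$LAB_DIR/server.key" &&
  key_matches_cert "$LAB_DIR" &&
  cert_has_ip_san "$LAB_DIR" 192.168.242.129 &&
  cert_valid_for "$LAB_DIR" 86400 &&
  echo "key and cert in $LAB_DIR look sane"
```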
Create an SSL folder to store certificates and related files:
nico@web1:~$ sudo mkdir /etc/apache2/ssl
Then copy server.key and server.crt to the new folder:
nico@web1:~$ sudo cp server.key /etc/apache2/ssl
nico@web1:~$ sudo cp server.crt /etc/apache2/ssl
Enable SSL:
nico@web1:~$ sudo a2enmod ssl
Enabling module ssl.
See /usr/share/doc/apache2.2-common/README.Debian.gz on how to configure SSL and create self-signed certificates.
Run '/etc/init.d/apache2 restart' to activate new configuration!
nico@web1:~$
Restart Apache:
nico@web1:~$ sudo /etc/init.d/apache2 restart
 * Restarting web server apache2 .. waiting
   [ OK ]
If using an Ubuntu version earlier than 10.04 we need to create a stub SSL conf file to establish a necessary symlink:
nico@web1:~$ sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-available/default-ssl
Next we need to establish a symlink from the 'available' default-ssl file to the 'enabled' file:
nico@web1:~$ sudo ln -s /etc/apache2/sites-available/default-ssl /etc/apache2/sites-enabled/000-default-ssl
The default location for HTML pages is /var/www but we need to create a location for the ssl files:
nico@web1:/var$ cd /var/www
nico@web1:/var/www$ sudo mkdir html
nico@web1:/var/www$ cd /var
nico@web1:/var$ sudo mkdir www-ssl
nico@web1:/var$ cd www-ssl
nico@web1:/var/www-ssl$ sudo mkdir html
nico@web1:/var/www-ssl$
Next we need to configure HTTP over port 80 and HTTPS over 443 (and declare the document root folders and the FQDN).
For HTTP, add the server name (IP or FQDN; in my case I simply used the IP, “192.168.242.129”). I also added the error log and custom log, and changed the DocumentRoot to /var/www/html. Lastly I changed the Directory (which I’m not sure is necessary yet):
nico@web1:~$ sudo gedit /etc/apache2/sites-available/default
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName 192.168.242.129
    ErrorLog /var/log/apache2/error.log
    CustomLog /var/log/apache2/access.log combined
    DocumentRoot /var/www/html/
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www/html/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>
nico@web1:~$ sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-available/default-ssl
nico@web1:~$ sudo gedit /etc/apache2/sites-available/default-ssl
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    ServerName 192.168.242.129
    ErrorLog /var/log/apache2/error.log
    CustomLog /var/log/apache2/access.log combined
    DocumentRoot /var/www-ssl/html/
    <Directory />
        Options FollowSymLinks
        AllowOverride None
    </Directory>
    <Directory /var/www-ssl/html/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>
Turn on the SSL engine by making sure the following is present in the default-ssl file. SSLEngine should be on, and the cert and key directives should point at the files copied to /etc/apache2/ssl:
    ServerAdmin webmaster@localhost
    ServerName 192.168.242.129
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
Note: I didn’t need to do the last step as port 443 was already defined in another part of the Apache configuration:
Listen 443
nico@web1:/var/www-ssl$ sudo /etc/init.d/apache2 restart
 * Restarting web server apache2 ... waiting
   [ OK ]
Now create 2 index.html files, one for HTTP and one for HTTPS:
nico@ubuntu:/$ sudo gedit /var/www/html/index.html
<html><body><h1>Web Server 1 works!</h1>
<p>This is the default web page for this server.</p>
</body></html>
nico@ubuntu:/$ sudo gedit /var/www-ssl/html/index.html
<html><body><h1>Web Server 1 SSL works!</h1>
<p>This is the default web page for this server.</p>
</body></html>
So that’s it. Now create 2 or 3 more of these web servers (within VMware) and load balance them with something like F5’s BIG-IP LTM VE. Makes for a nice load balancing lab ;)