Building a Secure Web Server That Supports PHP4

Now comes the most time-consuming part of the install, though it's still pretty easy to do. We're going to build a powerful Web server, one that supports the scripting language PHP4 and secure connections via SSL. To do this, we first have to merge these components into the server software and then build it.

First we unpack our sources that we will be using for this installation:

 $ tar -zxvf apache_1.3.14.tar.gz
 $ tar -zxvf mod_ssl-2.7.1-1.3.14.tar.gz
 $ tar -zxvf php-4.0.3pl1.tar.gz

Note that mod_ssl has two version numbers, in this case 2.7.1 and 1.3.14. This is because it is a large set of patches and source additions to the Apache source code tree. Because of this, the second number must match the Apache source code version you are using; otherwise it just won't work.

The first thing we will do is to apply the source code patches from mod_ssl to Apache. The only thing we have to tell mod_ssl is where the Apache source code tree is, which is one directory up, alongside the mod_ssl directory:

 $ cd mod_ssl-2.7.1-1.3.14
 $ ./configure --with-apache=../apache_1.3.14
 $ cd ..

Be sure to watch for errors in this step. Any errors will almost surely mess up the rest of the steps here. If you do find errors, make sure that your mod_ssl version matches your Apache version. It should apply cleanly. If you have to, remove both directories, unpack them again, and start this step over.

Now we have to preconfigure the Apache source code tree. We do this so that the PHP source code knows all about our Apache system and can prepare itself correctly:

 $ cd apache_1.3.14
 $ ./configure --prefix=/usr/local/apache --without-confadjust
 $ cd ..

Now we can prepare PHP for its installation in Apache. This may seem a bit strange, but we're going to install it in the Apache source tree. At this stage most of the PHP module is built, which can take a while since there's a lot of software to build. We also build it to support the IMAP client functions, which we need for Web-based e-mail using IMAP.

 $ cd php-4.0.3pl1
 $ ./configure --with-apache=../apache_1.3.14 --with-imap=../imap-2000

Now go ahead and, as root, install its components on your system and into the Apache source tree:

 # make install
 $ cd ..

Now we're ready to build our Apache server. It has SSL support and PHP4 support prepared; we just have to tell it to be sure to include them in the configuration step.

We also have to tell it where our SSL libraries reside, which we installed earlier when we installed OpenSSL.

 $ cd apache_1.3.14
 $ SSL_BASE=/usr/local/ssl ./configure \
   --enable-module=ssl \
   --without-confadjust \
   --activate-module=src/modules/php4/libphp4.a

One thing to note here: libphp4.a does not yet exist, but this step will ensure that it is built and added into the server. Don't try and outsmart it; it's supposed to be like this!

Now we can build and install the Web server and the SSL certificates:

 $ make
 $ make certificate

This step will interactively generate a certificate for your server. These are used in cryptographic negotiations with your Web clients. See the Resources section at the end of the chapter for where to find more information on SSL. In the meantime, here are my suggested answers to the questions (you'll have to adjust some parameters).

 Signature Algorithm ((R)SA or (D)SA) [R]: R
 (omitted)
 1. Country Name (2 letter code) [XY]: US
 2. State or Province Name (full name) [Snake Desert]: Ohio
 3. Locality Name (e.g., city) [Snake Town]: Cleveland
 4. Organization Name (e.g., company) [Snake Oil, Ltd]: Home
 5. Organizational Unit Name (eg, section) [Web server Team]: Parents
 6. Common Name (e.g., FQDN) [www.snakeoil.dom]: friend.dsl.isp.com
 7. Email Address (e.g., name@FQDN) [www@snakeoil.dom]: friend@isp.com
 8. Certificate Validity (days) [365]: 365
 _____________________________________________________________________________________
 STEP 3: Generating X.509 certificate signed by Snake Oil CA [server.crt]
 Certificate Version (1 or 3) [3]: 3
 (omitted)
 Encrypt the private key now? [Y/n]: n
 (omitted)

While the certificate process correctly notes that this certificate should not be used on a production system, for home use it should be just fine. Basically, there is no trust mechanism in place, so the certificate could be a forged one, allowing an attacker to listen to sensitive information. However, since it is just you, and signing a certificate can be expensive, we'll work with these certificates. If you want to host, say, a commerce site on your Web server, you should definitely get it signed by a recognized authority.

We also chose not to encrypt the private key with a passphrase. This is because this passphrase would be required if the server had to restart. If you are away from your server and it reboots and restarts, it would wait for you to enter this passphrase before it could start up. By omitting a passphrase, we allow the server to restart without you. This is not advised if you are on a multiuser machine with untrusted users, by the way.

Finally, we can install the whole server, configurations, and certificates:

 # make install
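The steps above, from unpacking the tarballs through the final make install, as one script. This is an added example, not code from the book: it runs the same commands in the same order, stops at the first error (which the chapter warns about for the mod_ssl patch step), and refuses to start if the mod_ssl tarball was not generated against the Apache release you are unpacking. The tarball names, prefix and SSL_BASE are the chapter's; the version-parsing helpers are this example's own. Run it as root with the argument build, since the install steps write under /usr/local.

```shell
#!/bin/sh
# Added example (not from the book): drive the Apache + mod_ssl + PHP4 build
# with error checking. Stops on the first failing command.
set -e

APACHE_TGZ=${APACHE_TGZ:-apache_1.3.14.tar.gz}
MODSSL_TGZ=${MODSSL_TGZ:-mod_ssl-2.7.1-1.3.14.tar.gz}
PHP_TGZ=${PHP_TGZ:-php-4.0.3pl1.tar.gz}
PREFIX=${PREFIX:-/usr/local/apache}
SSL_BASE=${SSL_BASE:-/usr/local/ssl}

# apache_1.3.14.tar.gz -> 1.3.14
apache_version() {
    echo "$1" | sed -n 's/^apache_\([0-9.]*\)\.tar\.gz$/\1/p'
}

# mod_ssl-2.7.1-1.3.14.tar.gz -> 1.3.14 (the second number is the Apache
# release the patch set was generated against; the first is mod_ssl's own)
modssl_apache_version() {
    echo "$1" | sed -n 's/^mod_ssl-[0-9.]*-\([0-9.]*\)\.tar\.gz$/\1/p'
}

# Succeeds only when the mod_ssl patch set targets exactly this Apache release.
versions_match() {
    a=$(apache_version "$1")
    m=$(modssl_apache_version "$2")
    [ -n "$a" ] && [ "$a" = "$m" ]
}

# Directory a tarball unpacks into: strip the .tar.gz suffix.
srcdir() {
    echo "$1" | sed 's/\.tar\.gz$//'
}

build_all() {
    if ! versions_match "$APACHE_TGZ" "$MODSSL_TGZ"; then
        echo "$MODSSL_TGZ was not built for $APACHE_TGZ; fetch the matching mod_ssl" >&2
        return 1
    fi
    for t in "$APACHE_TGZ" "$MODSSL_TGZ" "$PHP_TGZ"; do tar -zxf "$t"; done
    APACHE_DIR=$(srcdir "$APACHE_TGZ")
    # 1. apply the mod_ssl patches to the Apache tree
    (cd "$(srcdir "$MODSSL_TGZ")" && ./configure --with-apache="../$APACHE_DIR")
    # 2. preconfigure Apache so the PHP build can find it
    (cd "$APACHE_DIR" && ./configure --prefix="$PREFIX" --without-confadjust)
    # 3. build PHP into the Apache tree, with IMAP support as in the chapter
    (cd "$(srcdir "$PHP_TGZ")" && \
        ./configure --with-apache="../$APACHE_DIR" --with-imap=../imap-2000 && \
        make install)
    # 4. final Apache configure, build, test certificate, install
    (cd "$APACHE_DIR" && SSL_BASE="$SSL_BASE" ./configure \
        --enable-module=ssl --without-confadjust \
        --activate-module=src/modules/php4/libphp4.a && \
        make && make certificate && make install)
}

# Only build when asked, so the helpers can be sourced and checked on their own.
if [ "${1:-}" = build ]; then
    build_all
fi
```

The version check is the point of the script: with a mismatched patch set the mod_ssl configure step may still print a lot before failing, and the chapter's advice of wiping both trees and starting over is far cheaper when the mismatch is caught before anything is unpacked.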

To get it to understand PHP files, which the server has to process before serving, we need to edit the configuration file. While we're at it, we'll force Web-mail clients to use SSL:

 # cd /usr/local/apache/conf
 # vi httpd.conf

We first want to change the server to understand PHP files and to interpret them. This is absolutely required for Web-mail to work. Uncomment (remove the leading # sign) the following lines:

 AddType application/x-httpd-php .php3
 AddType application/x-httpd-php-source .phps
 AddType application/x-httpd-php .php
 AddType application/x-httpd-php-source .phps

The first two lines are originally for application/x-httpd-php3 and its source type, so just remove the 3. PHP3 is slowly being phased out, and PHP4 is backwards compatible. However, a file doesn't get parsed properly if it is treated as a PHP3 file, so treat it as plain PHP.

Now we're going to change the server to require SSL if you want to read your e-mail. This way you can't make a mistake and send your password across an untrusted network in plain text, letting someone listen to it. We do this by adding the following lines, called a Directory directive. Place these after the </IfModule> line that closes the block where PHP handling was configured.

 <Directory /usr/local/apache/htdocs/aeromail>
 SSLRequireSSL
 </Directory>

Yes, these directives read just like HTML, with a start and an end. Now go ahead and write out the configuration file. We're almost ready to start the server and test it out.
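The two httpd.conf changes above, made with sed instead of vi and then verified, as an added example that is not from the book. Paths are the chapter's (/usr/local/apache and the aeromail directory); the sample configuration inside make_sample_conf is constructed, a few lines laid out like the stock Apache 1.3 httpd.conf where the commented AddType lines sit inside an <IfModule mod_mime.c> block. One simplification: the SSLRequireSSL block is appended at the end of the file rather than directly after </IfModule>, which Apache treats the same, as Directory sections are read at main server scope wherever they appear.

```shell
#!/bin/sh
# Added example (not from the book): enable PHP handling and require SSL for
# the Web-mail directory in httpd.conf, then check that both changes took.
set -e

CONF=${CONF:-/usr/local/apache/conf/httpd.conf}
WEBMAIL_DIR=${WEBMAIL_DIR:-/usr/local/apache/htdocs/aeromail}

# Constructed sample, shaped like the relevant part of the stock httpd.conf.
make_sample_conf() {
    cat > "$1" <<'EOF'
<IfModule mod_mime.c>
    #AddType application/x-httpd-php3 .php3
    #AddType application/x-httpd-php3-source .phps
    #
    # And for PHP 4.x, use:
    #
    #AddType application/x-httpd-php .php
    #AddType application/x-httpd-php-source .phps
</IfModule>
EOF
}

# Uncomment the four AddType lines and drop the "3" from the MIME type so
# .php3 files are parsed as PHP4, exactly as the chapter describes.
enable_php_handlers() {
    sed -e 's|^\([[:space:]]*\)#\(AddType application/x-httpd-php\)3\( \.php3\)$|\1\2\3|' \
        -e 's|^\([[:space:]]*\)#\(AddType application/x-httpd-php\)3\(-source \.phps\)$|\1\2\3|' \
        -e 's|^\([[:space:]]*\)#\(AddType application/x-httpd-php \.php\)$|\1\2|' \
        -e 's|^\([[:space:]]*\)#\(AddType application/x-httpd-php-source \.phps\)$|\1\2|' \
        "$1" > "$1.new" && mv "$1.new" "$1"
}

# Succeeds when both .php and .php3 are mapped to the PHP handler uncommented.
php_handlers_enabled() {
    grep -q '^[[:space:]]*AddType application/x-httpd-php \.php$' "$1" &&
    grep -q '^[[:space:]]*AddType application/x-httpd-php \.php3$' "$1"
}

# Append the Directory block once; a second run must not duplicate it.
require_ssl_for_webmail() {
    conf=$1; dir=$2
    if grep -q "<Directory $dir>" "$conf"; then
        return 0
    fi
    printf '\n<Directory %s>\n    SSLRequireSSL\n</Directory>\n' "$dir" >> "$conf"
}

# Succeeds only if SSLRequireSSL appears inside the Directory block for $2.
webmail_requires_ssl() {
    awk -v dir="$2" '
        $0 ~ "<Directory " dir ">" { inblk = 1 }
        inblk && /SSLRequireSSL/   { found = 1 }
        /<\/Directory>/            { inblk = 0 }
        END { exit found ? 0 : 1 }' "$1"
}

# Run the whole sequence against the constructed sample and report the result.
demo() {
    tmp=${TMPDIR:-/tmp}/httpd.conf.sample.$$
    make_sample_conf "$tmp"
    enable_php_handlers "$tmp"
    require_ssl_for_webmail "$tmp" "$WEBMAIL_DIR"
    if php_handlers_enabled "$tmp" && webmail_requires_ssl "$tmp" "$WEBMAIL_DIR"; then
        status=0
    else
        status=1
    fi
    rm -f "$tmp"
    return $status
}

# With "apply", edit the real file and ask Apache to check its syntax.
if [ "${1:-}" = apply ]; then
    enable_php_handlers "$CONF"
    require_ssl_for_webmail "$CONF" "$WEBMAIL_DIR"
    /usr/local/apache/bin/apachectl configtest
fi
```

The check functions are worth keeping around after the edit: the chapter's whole reason for SSLRequireSSL is that a mistyped URL must not leak a mail password in clear text, and webmail_requires_ssl lets you confirm the directive is still in place after any later hand edit of httpd.conf.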

Multitool Linux: Practical Uses for Open Source Software
ISBN: 0201734206
Year: 2002
Pages: 257