Building LAMP Server #4 – Apache HTTP Server

In this part of the series on building a LAMP stack, we will cover installing and initially configuring Apache HTTP Server. Many distributions do not maintain the most recent stable version of Apache, so we will need to build it from source if we want to be current.

Estimated time (this post only): 15 minutes
* varies slightly by distro

Apache Prerequisites

Choose your distribution below for distro-specific instructions:

CentOS tends to only maintain older versions of Apache HTTP Server, so you will definitely want to build from source.

First install a few prerequisites, including a text browser to use for some websites that support it:

sudo yum install wget lynx pcre pcre-devel openssl-devel gnupg

Fedora does a great job at maintaining current versions of Apache HTTP Server in the official repos, but I still recommend building it from source (as does Apache).

First install a few prerequisites, including a text browser to use for some websites that support it:

sudo dnf install wget lynx pcre pcre-devel openssl-devel gnupg

First install a few prerequisites, including a text browser to use for some websites that support it:

sudo apt-get install wget lynx libpcre3 libpcre3-dev libssl-dev gnupg

I received an error related to Perl doing this in Debian, but everything still seemed to work.

First install a few prerequisites, including a text browser to use for some websites that support it:

sudo zypper install wget lynx libpcre1 pcre-devel libopenssl-devel gpg2

Important: Arch Linux uses the brand new OpenSSL 1.1 as of this writing, but Apache HTTP 2.4.x does not fully support it yet. There are patches being made right now to make Apache compatible, but for now it is best to stick with OpenSSL 1.0. Just follow these instructions and you will be fine:

Install a few prerequisites, including a text browser to use for some websites that support it:

sudo pacman -S wget lynx pcre openssl-1.0 gnupg
export PKG_CONFIG_PATH=/usr/lib/openssl-1.0/pkgconfig

It is very important that you do not restart the server until after completing the Apache configure script (we will get to that shortly). If you do, the PKG_CONFIG_PATH variable will be lost (you can set it again at any time).

Download

Download the latest stable version of Apache:

cd ~
lynx httpd.apache.org/download.cgi

Use the arrows to scroll down to the version you want to download and use <Enter> to browse to the source files and save them to the current location. With some Lynx builds you may need to press <d> on the link to the download rather than <Enter>.

Use the <g> key to open another URL: apr.apache.org/download.cgi

Download the latest version of APR and APR-Util as well (be sure it is the tar.gz version).

Exit Lynx with <q>. Now we should verify the downloads. The version numbers are critical here, so if you need a reminder of what you downloaded, just type:

ls -lah

Now, type the following commands to verify those downloads, editing for the proper version numbers as needed:

wget https://apache.org/dist/httpd/KEYS
wget https://apache.org/dist/httpd/httpd-2.4.25.tar.gz.asc
wget https://apache.org/dist/apr/apr-1.5.2.tar.gz.asc
wget https://apache.org/dist/apr/apr-util-1.5.4.tar.gz.asc
gpg --import KEYS
gpg --verify httpd-2.4.25.tar.gz.asc
gpg --verify apr-1.5.2.tar.gz.asc
gpg --verify apr-util-1.5.4.tar.gz.asc
rm KEYS

See the following websites to check the signature:
http://httpd.apache.org/download.cgi#verify
http://apr.apache.org/download.cgi#verify
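
Pinning the verification step to a known fingerprint, as an added example (not part of the original post): `gpg --verify` succeeds for a signature by any key in the keyring, so this checks gpg's machine-readable status output against a fingerprint you obtained separately. The function names, the placeholder fingerprint and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: pin gpg's result to a fingerprint you obtained separately.
# Function names and the sample status text below are constructed.

# validsig_fpr: read `gpg --status-fd` output on stdin and print the
# primary-key fingerprint from the VALIDSIG line (nothing if there is none).
# VALIDSIG carries the signing (sub)key fingerprint in field 3 and the
# primary-key fingerprint in field 12.
validsig_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" {
        if (NF >= 12) print $12; else print $3
        exit
    }'
}

# pinned_ok EXPECTED_FPR: succeed only if stdin contains a VALIDSIG made by
# the key whose fingerprint is EXPECTED_FPR (spaces and case are ignored).
pinned_ok() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    got=$(validsig_fpr)
    [ -n "$got" ] && [ "$got" = "$want" ]
}

# verify_pinned SIGFILE EXPECTED_FPR: run gpg on a detached .asc signature
# (the tarball must sit next to it) and apply the pin.
verify_pinned() {
    status=$(gpg --batch --status-fd 1 --verify "$1" 2>/dev/null) || return 1
    printf '%s\n' "$status" | pinned_ok "$2"
}

# Constructed status output for a good signature by a placeholder key.
SAMPLE_FPR='0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567'
SAMPLE_GOOD='[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2016-12-16 1481892060 0 4 0 1 8 00 0123456789ABCDEF0123456789ABCDEF01234567'
# Constructed status output when the signer's key is not in the keyring.
SAMPLE_NOKEY='[GNUPG:] ERRSIG 89ABCDEF01234567 1 8 00 1481892060 9
[GNUPG:] NO_PUBKEY 89ABCDEF01234567'
```

Call it as `verify_pinned httpd-2.4.25.tar.gz.asc "<fingerprint>"` and only extract the tarball when it returns success.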

Now that we’ve verified the downloads, extract them (edit commands as necessary):

tar -zxvf httpd-2.4.25.tar.gz
rm httpd-2.4.25.tar.*
tar -zxvf apr-1.5.2.tar.gz
rm apr-1.5.2.tar.*
mv apr-1.5.2 httpd-2.4.25/srclib/apr
tar -zxvf apr-util-1.5.4.tar.gz
rm apr-util-1.5.4.tar.*
mv apr-util-1.5.4 httpd-2.4.25/srclib/apr-util
cd httpd-2.4.25

Build and Install

Now configure the source tree, build, and install. Below is the syntax I used but you may want to alter some options. See the Apache documentation for more options.

./configure --prefix=/opt/apache --enable-so \
--with-included-apr --enable-ssl --with-mpm=prefork
make
sudo make install
cd ..
sudo mv httpd-2.4.25 /usr/local/src/

Let’s start it up and make sure it works:

sudo /opt/apache/bin/apachectl -k start
lynx http://localhost

Ignore the error about the lack of a FQDN for now. If everything worked you should see the words "It works!" at the top of the screen. Then exit Lynx with <q> again.

Configure Apache

Set Apache to start automatically on boot:

sudo /opt/apache/bin/apachectl -k stop
sudo touch /etc/init.d/apache2
sudo chmod 755 /etc/init.d/apache2
sudo nano /etc/init.d/apache2

In this new file, add the following:

#!/bin/sh
### BEGIN INIT INFO
# Provides:          apache2
# Required-Start:    $all
# Required-Stop:     $all
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: apache2
# Description:       httpd server for serving web content
### END INIT INFO

case "$1" in
start)
        echo "Starting Apache ..."
        # Change the location to your specific location
        /opt/apache/bin/apachectl -k start
;;
stop)
        echo "Stopping Apache ..."
        # Change the location to your specific location
        /opt/apache/bin/apachectl -k stop
;;
graceful)
        echo "Restarting Apache gracefully..."
        # Change the location to your specific location
        /opt/apache/bin/apachectl -k graceful
;;
restart)
        echo "Restarting Apache ..."
        # Change the location to your specific location
        /opt/apache/bin/apachectl -k restart
;;
*)
        echo "Usage: '$0' {start|stop|restart|graceful}"
        exit 64
;;
esac
exit 0

Save and exit. Then:

sudo chkconfig --add apache2

Apache should load at startup now. You can also easily start/stop/restart it with:

sudo service apache2 start
sudo service apache2 stop
sudo service apache2 restart

Set Apache to start automatically on boot:

sudo /opt/apache/bin/apachectl -k stop
sudo touch /etc/systemd/system/apache2.service
sudo chmod 664 /etc/systemd/system/apache2.service
sudo nano /etc/systemd/system/apache2.service

In this new file, add the following:

[Unit]
Description=httpd server for serving web content
After=network.target

[Service]
Type=forking
Restart=on-failure
EnvironmentFile=/opt/apache/bin/envvars
ExecStart=/opt/apache/bin/apachectl -k start
ExecStop=/opt/apache/bin/apachectl -k stop
ExecReload=/opt/apache/bin/apachectl -k graceful
KillSignal=SIGCONT
PrivateTmp=true

[Install]
WantedBy=multi-user.target

The restart option can cause problems if you don’t properly shut down Apache with systemctl (see below) before upgrading Apache later, but it helps ensure Apache will restart if it encounters a problem. Save and exit. Then:

sudo systemctl daemon-reload
sudo systemctl enable apache2.service

Apache should load at startup now. You can also easily start/stop/restart it with:

sudo systemctl start apache2.service
sudo systemctl stop apache2.service
sudo systemctl restart apache2.service

Let’s get rid of that annoying error message now…

sudo nano /opt/apache/conf/httpd.conf

Go down and un-comment/edit the line that begins with "#ServerName" so it says something like:

ServerName lamp.localdomain:80

Change the above to match whatever FQDN you gave the system during install (or just use the static IP address).

While you are in here you may also want to un-comment any needed modules. Common modules you may need include "mod_cgi" and "mod_rewrite" (Ctrl-W comes in handy here). We will cover the SSL stuff in a minute.

After saving and exiting nano, restart Apache with the command that matches your init system to ensure you don’t get the FQDN error anymore:

sudo service apache2 restart
sudo systemctl restart apache2.service

Setup SSL

Now set up SSL if desired. You need to edit the configuration file again:

sudo nano /opt/apache/conf/httpd.conf

Find and un-comment the following three lines, which are not together (Ctrl-W comes in handy here):

LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
Include conf/extra/httpd-ssl.conf

For now we are not going to edit the "httpd-ssl.conf" configuration file so just generate and sign a certificate. First, generate the key (you may wish to use a 2048 bit key for compatibility reasons):

cd ~
openssl genrsa -out server.key 4096

I didn’t use the -des3 option above because I don’t want to have to enter a password every time Apache starts (and this is just a test bed). Now let’s create the CSR:

openssl req -new -key server.key -out server.csr

The above command will ask for some info to be included in the certificate. Go with defaults or customize as desired. Finally, we can create the actual certificate:

openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt

Customize the above command as desired. I set the certificate to expire in 10 years since this is only for testing purposes. Now type the following:

ls server*

The above should show the following 3 files:

server.crt server.csr server.key

Copy the needed files to their proper location:

sudo cp server.key /opt/apache/conf/
sudo cp server.crt /opt/apache/conf/

Restart Apache with the command that matches your init system:

sudo service apache2 restart
sudo systemctl restart apache2.service

Then test SSL:

lynx https://localhost

Lynx will complain about it being a self-signed certificate. Just verify it is okay with <y>.
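
A quick check of the files copied into /opt/apache/conf, as an added example (not part of the original post): the copied key keeps the source file's mode (minus the umask), so this confirms that only the owner can read it and that server.crt really belongs to server.key. The function names are made up here; the file names are the ones used above.

```shell
#!/bin/sh
# Added example: sanity checks for the key/certificate pair copied above.
# File names are the ones used in this post; function names are made up.

# key_is_private FILE: succeed only if group and other have no access bits.
key_is_private() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$mode" = "------" ]
}

# pair_matches CERT KEY: succeed only if the certificate's public key is the
# one derived from the private key (works for RSA and EC keys alike).
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# check_tls_files DIR: report problems; return non-zero if any were found.
# Apache reads the key as root before dropping privileges, so mode 600 with
# root ownership is enough for the server to start.
check_tls_files() {
    dir=$1
    rc=0
    if ! key_is_private "$dir/server.key"; then
        echo "server.key is accessible to group/other; run: chmod 600 $dir/server.key"
        rc=1
    fi
    if ! pair_matches "$dir/server.crt" "$dir/server.key"; then
        echo "server.crt does not match server.key"
        rc=1
    fi
    return $rc
}
```

Run `check_tls_files /opt/apache/conf` as root, since a correctly protected key is not readable by anyone else.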

This is also a good time to test the connection from the host system (if using a VM) or another computer on your network using a browser like Firefox or Chrome. Just open your browser of choice and type each of the following in turn into the address bar (adjusting the IP address if needed):

http://192.168.56.101
https://192.168.56.101

You will get a security warning for the SSL site. That is expected, so confirm the certificate. If something went wrong, the problem is most likely with your firewall settings, so go back to that section in the previous article and check that the HTTP/HTTPS ports are open on your local network.
