ApacheLAMP 2020LinuxOpen Source

Apache HTTP Server – Building a LAMP Server (2020)

This covers installing Apache HTTP Server from source. Even for distros which maintain current versions, the Apache Software Foundation recommends compiling HTTP Server from source.

Estimated time (this post only): 10 minutes
* varies slightly by distro

Apache Prerequisites


Although your distro probably already has PCRE installed, the Apache website recommends compiling the most recent version for use with HTTP Server. Apache requires the latest version of the original PCRE library and not PCRE2. See the PCRE site for the most current version of PCRE and edit the first line below as necessary.

cd ~
wget -c -t 10 https://ftp.pcre.org/pub/pcre/pcre-${TMPVER}.tar.gz
wget -c -t 10 https://ftp.pcre.org/pub/pcre/pcre-${TMPVER}.tar.gz.sig
wget -c -t 10 https://ftp.pcre.org/pub/pcre/Public-Key
gpg --import Public-Key
gpg --verify pcre-${TMPVER}.tar.gz.sig pcre-${TMPVER}.tar.gz

The GPG commands will ensure the download matches the signature. If you don’t see "Good signature" in the output, then you have a corrupted download and should run the commands again. Now extract the archive, compile, and install:

tar zxvf pcre-${TMPVER}.tar.gz
mkdir -v pcre-${TMPVER}/bld
cd pcre-${TMPVER}/bld
../configure --prefix=/opt/pcre
make && make test

Assuming all tests passed, you can continue:

sudo env "PATH=$PATH" make install
cd ~
rm Public-Key
sudo mv pcre-${TMPVER} /usr/local/src/
rm -rf pcre-*


Optional for most distributions, but you may consider compiling OpenSSL from source rather than relying on the version that comes with your distro. For example: as of this writing, the LTS (long-term support) branch is 1.1.1, which is at version 1.1.1h. But CentOS uses 1.1.1c. See the OpenSSL website for current version information.

You can check your current version with:

openssl version

Important: Even if you have the latest version provided by your system, Apache may still fail to compile unless you compile OpenSSL from source. However, a side-by-side installation of two versions of OpenSSL using the same libraries can cause conflicts, possibly breaking things like your package manager or preventing you from generating certificates. So this installation will not be be set as default and used only for Apache.

Download and compile. For this example I will be installing the current latest stable version. Change version number on the first line if necessary, and copy/paste the rest into your SSH terminal.

cd ~
wget -c -t 10 https://www.openssl.org/source/openssl-${TMPVER}.tar.gz
tar zxvf openssl-${TMPVER}.tar.gz
cd openssl-${TMPVER}
CC="gcc -fPIC" ./config --prefix=/opt/openssl --openssldir=/opt/openssl
make && make test

Assuming all tests passed, you can continue. Important: If you did not compile Perl from source as recommended in the last post, the installation may fail. To overcome this, either compile Perl from source or install perl-podlators via your package manager.

sudo env "PATH=$PATH" make install
cd ~
sudo mv openssl-${TMPVER} /usr/local/src/
rm openssl-*

Download Apache Files

First, visit this page to find your closest Apache mirror. Copy/paste the site address somewhere or write it down. Then find the latest stable version number at the HTTP Server Project page. Lastly, find the latest versions of APR and APR-utils and copy this information as well.

In the following example, the Apache mirror it found for me was "https://mirrors.ocf.berkeley.edu/apache/" so replace that string and the version numbers in the first few lines below with whatever you found. Then copy/paste the rest of the commands into your SSH terminal.

cd ~
wget -c -t 10 ${URL}httpd/httpd-${APACHEVER}.tar.gz
wget -c -t 10 apache.org/dist/httpd/httpd-${APACHEVER}.tar.gz.asc
wget -c -t 10 ${URL}apr/apr-${APRVER}.tar.gz
wget -c -t 10 apache.org/dist/apr/apr-${APRVER}.tar.gz.asc
wget -c -t 10 ${URL}apr/apr-util-${APRUTILVER}.tar.gz
wget -c -t 10 apache.org/dist/apr/apr-util-${APRUTILVER}.tar.gz.asc
wget -c -t 10 apache.org/dist/httpd/KEYS

Now, type the following commands to verify those downloads:

gpg --import KEYS
gpg --verify httpd-${APACHEVER}.tar.gz.asc
gpg --verify apr-${APRVER}.tar.gz.asc
gpg --verify apr-util-${APRUTILVER}.tar.gz.asc

If each check contains the text "Good signature" then the downloads are good. If there were problems, try a different Apache mirror.

Now that we’ve verified the downloads, extract them:

tar zxvf httpd-${APACHEVER}.tar.gz
tar zxvf apr-${APRVER}.tar.gz
mv apr-${APRVER} httpd-${APACHEVER}/srclib/apr
tar zxvf apr-util-${APRUTILVER}.tar.gz
mv apr-util-${APRUTILVER} httpd-${APACHEVER}/srclib/apr-util
mkdir -v httpd-${APACHEVER}/bld
cd httpd-${APACHEVER}/bld

Build and Install

Now configure the source tree, build, and install. Below is the syntax I used but you may want to alter some options. See the Apache documentation for more options. If you did not compile OpenSSL as described above, you can try using the system-provided version by omitting the --with-ssl option, but this may not work on all distributions.

../configure --prefix=/opt/apache --with-included-apr \
--enable-so --with-pcre=/opt/pcre --with-ssl=/opt/openssl --enable-ssl
sudo -E env "PATH=$PATH" make install

Do some cleanup:

cd ~
sudo mv httpd-${APACHEVER} /usr/local/src/
rm KEYS httpd-* apr-*

Let’s start it up and make sure it works:

sudo /opt/apache/bin/apachectl -k start
lynx http://localhost

Ignore the possible error about the lack of a FQDN for now. If everything worked you should see the words "It works!" at the top of the screen. Then exit Lynx with q.

Configure Apache

The first version of this tutorial, written years ago, assumed you were using SysVinit rather than Systemd under CentOS/Fedora, but since then almost all distributions use Systemd to start services, so I will only be covering that in this tutorial.

Create Apache service.

sudo /opt/apache/bin/apachectl -k stop
sudo touch /usr/lib/systemd/system/httpd.service
sudo chmod 664 /usr/lib/systemd/system/httpd.service
sudo nano /usr/lib/systemd/system/httpd.service

In this new file, copy/paste the following:

Description=The Apache HTTP Server

ExecStart=/opt/apache/bin/apachectl -k start
ExecReload=/opt/apache/bin/apachectl -k graceful
ExecStop=/opt/apache/bin/apachectl -k graceful-stop


Next, set Apache httpd to load at startup.

sudo systemctl daemon-reload
sudo systemctl enable httpd.service

You can start/stop/restart it with:

sudo systemctl start httpd.service
sudo systemctl stop httpd.service
sudo systemctl restart httpd.service

Let’s get rid of that annoying error FQDN message now (if you encountered it)…

sudo nano /opt/apache/conf/httpd.conf

Go down and un-comment/edit the line that begins with "#ServerName" so it says something like:

ServerName lamp.localdomain:80

Change the above to match whatever FQDN you gave the system during install (or just use the static IP address). While you are in here you may also want to un-comment any needed modules. Common modules you may need include mod_cgid and mod_rewrite (Ctrl-W comes in handy here). We will cover the SSL stuff in a minute.

After saving and exiting nano, do the following to ensure you don’t get the FQDN error anymore:

sudo systemctl restart httpd.service

Setup SSL

Now set up SSL if desired. You need to edit the configuration file again:

sudo nano /opt/apache/conf/httpd.conf

Find and un-comment the following three lines, which are not together (Ctrl-W comes in handy here):

LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
Include conf/extra/httpd-ssl.conf

Save and exit. For now we are not going to edit the "httpd-ssl.conf" configuration file so just generate and sign a certificate. First, generate the key (you may wish to use a 2048 bit key for compatibility reasons):

cd ~
openssl genrsa -out server.key 4096

I didn’t use the -des3 option above because I don’t want to have to enter a password every time Apache starts (and this is just a test server). Now let’s create the CSR:

openssl req -new -key server.key -out server.csr

The above command will ask for some info to be included in the certificate. Go with defaults or customize as desired. Finally, we can create the actual certificate:

openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt

Customize the above command as desired. I set the certificate to expire in 10 years since this is only for testing purposes. Now type the following:

ls server*

The above should show the following 3 files:

server.crt server.csr server.key

Copy the needed files to their proper location, restart Apache, and test SSL:

sudo cp server.key /opt/apache/conf/
sudo cp server.crt /opt/apache/conf/
rm server.*
sudo systemctl restart httpd.service
lynx https://localhost

Lynx will complain about it being a self-signed certificate. Just verify it is okay with y.

This is also a good time to test the connection from the host system (if using a VM) or another computer on your network using a browser like Firefox or Chrome. Just open your browser of choice and type each of the following in turn into the address bar (adjusting the IP address if needed):

You will get a security warning for the SSL site. That is expected, so confirm the certificate. If something went wrong, the problem is most likely with your firewall settings, so go back to that section in the OS installation article and check that the HTTP/HTTPS ports are open on your local network.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.