This covers installing Apache HTTP Server from source. Even for distros which maintain current versions, the Apache Software Foundation recommends compiling HTTP Server from source.
Estimated time (this post only): 10 minutes
* varies slightly by distro
Apache Prerequisites
PCRE
Although your distro probably already has PCRE installed, the Apache website recommends compiling the most recent version for use with HTTP Server. Apache requires the latest version of the original PCRE library and not PCRE2. See the PCRE site for the most current version of PCRE and edit the first line below as necessary.
TMPVER="8.44"
cd ~
wget -c -t 10 https://ftp.pcre.org/pub/pcre/pcre-${TMPVER}.tar.gz
wget -c -t 10 https://ftp.pcre.org/pub/pcre/pcre-${TMPVER}.tar.gz.sig
wget -c -t 10 https://ftp.pcre.org/pub/pcre/Public-Key
gpg --import Public-Key
gpg --verify pcre-${TMPVER}.tar.gz.sig pcre-${TMPVER}.tar.gz
The GPG commands check that the download matches the signature. If you don’t see "Good signature" in the output, then you have a corrupted download and should run the commands again; do not build from an archive that fails this check. Because Public-Key comes from the same server as the archive, "Good signature" only shows that the two agree with each other, so compare the key’s fingerprint with one published elsewhere if you can. Now extract the archive, compile, and install:
tar zxvf pcre-${TMPVER}.tar.gz
mkdir -v pcre-${TMPVER}/bld
cd pcre-${TMPVER}/bld
../configure --prefix=/opt/pcre
make && make test
Assuming all tests passed, you can continue:
sudo env "PATH=$PATH" make install
cd ~
rm Public-Key
sudo mv pcre-${TMPVER} /usr/local/src/
rm -rf pcre-*
OpenSSL
Optional for most distributions, but you may consider compiling OpenSSL from source rather than relying on the version that comes with your distro. For example: as of this writing, the LTS (long-term support) branch is 1.1.1, which is at version 1.1.1h. But CentOS uses 1.1.1c. See the OpenSSL website for current version information.
You can check your current version with:
openssl version
Important: Even if you have the latest version provided by your system, Apache may still fail to compile unless you compile OpenSSL from source. However, a side-by-side installation of two versions of OpenSSL using the same libraries can cause conflicts, possibly breaking things like your package manager or preventing you from generating certificates. So this installation will not be set as the default and will be used only for Apache.
Download and compile. For this example I will be installing the current latest stable version. Change the version number on the first line if necessary, and copy/paste the rest into your SSH terminal. Note that, unlike the PCRE and Apache downloads in this post, these commands do not verify a signature for the OpenSSL archive.
TMPVER="1.1.1h"
cd ~
wget -c -t 10 https://www.openssl.org/source/openssl-${TMPVER}.tar.gz
tar zxvf openssl-${TMPVER}.tar.gz
cd openssl-${TMPVER}
CC="gcc -fPIC" ./config --prefix=/opt/openssl --openssldir=/opt/openssl
make && make test
Assuming all tests passed, you can continue. Important: If you did not compile Perl from source as recommended in the last post, the installation may fail. To overcome this, either compile Perl from source or install perl-podlators via your package manager.
sudo env "PATH=$PATH" make install
cd ~
sudo mv openssl-${TMPVER} /usr/local/src/
rm openssl-*
Download Apache Files
First, visit this page to find your closest Apache mirror. Copy/paste the site address somewhere or write it down. Then find the latest stable version number at the HTTP Server Project page. Lastly, find the latest versions of APR and APR-utils and copy this information as well.
In the following example, the Apache mirror it found for me was "https://mirrors.ocf.berkeley.edu/apache/" so replace that string and the version numbers in the first few lines below with whatever you found. Then copy/paste the rest of the commands into your SSH terminal.
URL="https://mirrors.ocf.berkeley.edu/apache/"
APACHEVER="2.4.46"
APRVER="1.7.0"
APRUTILVER="1.6.1"
cd ~
wget -c -t 10 ${URL}httpd/httpd-${APACHEVER}.tar.gz
wget -c -t 10 https://www.apache.org/dist/httpd/httpd-${APACHEVER}.tar.gz.asc
wget -c -t 10 ${URL}apr/apr-${APRVER}.tar.gz
wget -c -t 10 https://www.apache.org/dist/apr/apr-${APRVER}.tar.gz.asc
wget -c -t 10 ${URL}apr/apr-util-${APRUTILVER}.tar.gz
wget -c -t 10 https://www.apache.org/dist/apr/apr-util-${APRUTILVER}.tar.gz.asc
wget -c -t 10 https://www.apache.org/dist/httpd/KEYS
Now, type the following commands to verify those downloads:
gpg --import KEYS
gpg --verify httpd-${APACHEVER}.tar.gz.asc httpd-${APACHEVER}.tar.gz
gpg --verify apr-${APRVER}.tar.gz.asc apr-${APRVER}.tar.gz
gpg --verify apr-util-${APRUTILVER}.tar.gz.asc apr-util-${APRUTILVER}.tar.gz
If each check contains the text "Good signature" then the downloads are good. If there were problems, try a different Apache mirror.
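An added example, not part of the original tutorial: gpg reports "Good signature" for any key in the imported keyring, so this sketch accepts a download only when gpg's machine-readable status output names a fingerprint you pinned in advance. It applies to the PCRE check above as well as the Apache ones. The function names and the fingerprint in the usage comment are constructed placeholders; an awk on the PATH is assumed.

```shell
#!/usr/bin/env bash
# Added example: judge a signature by gpg's status lines and a pinned
# fingerprint, not by spotting "Good signature" on screen.

# sig_status_ok STATUS_TEXT EXPECTED_FPR
# Returns 0 only if STATUS_TEXT has a VALIDSIG line whose signing-key or
# primary-key fingerprint equals EXPECTED_FPR and has no failure line.
sig_status_ok() {
    local text="$1" want
    want=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ "${#want}" -ge 40 ] || return 2      # refuse short key IDs
    printf '%s\n' "$text" | awk -v want="$want" '
        $1 != "[GNUPG:]" { next }
        # Any of these keywords means the result must not be trusted.
        $2 ~ /^(BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)$/ { bad = 1 }
        # VALIDSIG: field 3 is the signing key fingerprint, the last
        # field is the primary key fingerprint.
        $2 == "VALIDSIG" && ($3 == want || $NF == want) { ok = 1 }
        END { exit !(ok && !bad) }'
}

# verify_pinned SIGFILE DATAFILE EXPECTED_FPR
# Runs the same gpg --verify as the tutorial, then applies the check above.
verify_pinned() {
    local out
    out=$(gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null) || true
    sig_status_ok "$out" "$3"
}

# Usage; the fingerprint is a constructed placeholder, take the real one
# from a source other than the download server:
#   verify_pinned httpd-${APACHEVER}.tar.gz.asc httpd-${APACHEVER}.tar.gz \
#       "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567" || echo "REJECTED"
```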
Now that we’ve verified the downloads, extract them:
tar zxvf httpd-${APACHEVER}.tar.gz
tar zxvf apr-${APRVER}.tar.gz
mv apr-${APRVER} httpd-${APACHEVER}/srclib/apr
tar zxvf apr-util-${APRUTILVER}.tar.gz
mv apr-util-${APRUTILVER} httpd-${APACHEVER}/srclib/apr-util
mkdir -v httpd-${APACHEVER}/bld
cd httpd-${APACHEVER}/bld
Build and Install
Now configure the source tree, build, and install. Below is the syntax I used but you may want to alter some options. See the Apache documentation for more options. If you did not compile OpenSSL as described above, you can try using the system-provided version by omitting the --with-ssl option, but this may not work on all distributions.
../configure --prefix=/opt/apache --with-included-apr \
    --enable-so --with-pcre=/opt/pcre --with-ssl=/opt/openssl --enable-ssl
make
sudo -E env "PATH=$PATH" make install
Do some cleanup:
cd ~
sudo mv httpd-${APACHEVER} /usr/local/src/
rm KEYS httpd-* apr-*
Let’s start it up and make sure it works:
sudo /opt/apache/bin/apachectl -k start
lynx http://localhost
Ignore the possible error about the lack of a FQDN for now. If everything worked you should see the words "It works!" at the top of the screen. Then exit Lynx with q.
Configure Apache
The first version of this tutorial, written years ago, assumed you were using SysVinit rather than Systemd under CentOS/Fedora, but since then almost all distributions use Systemd to start services, so I will only be covering that in this tutorial.
Create Apache service.
sudo /opt/apache/bin/apachectl -k stop
sudo touch /usr/lib/systemd/system/httpd.service
sudo chmod 664 /usr/lib/systemd/system/httpd.service
sudo nano /usr/lib/systemd/system/httpd.service
In this new file, copy/paste the following:
[Unit]
Description=The Apache HTTP Server
After=network.target

[Service]
Type=forking
ExecStart=/opt/apache/bin/apachectl -k start
ExecReload=/opt/apache/bin/apachectl -k graceful
ExecStop=/opt/apache/bin/apachectl -k graceful-stop
PIDFile=/opt/apache/logs/httpd.pid
PrivateTmp=true

[Install]
WantedBy=multi-user.target
Next, set Apache httpd to load at startup.
sudo systemctl daemon-reload
sudo systemctl enable httpd.service
You can start/stop/restart it with:
sudo systemctl start httpd.service
sudo systemctl stop httpd.service
sudo systemctl restart httpd.service
Let’s get rid of that annoying FQDN error message now (if you encountered it)…
sudo nano /opt/apache/conf/httpd.conf
Go down and un-comment/edit the line that begins with "#ServerName" so it says something like:
ServerName lamp.localdomain:80
Change the above to match whatever FQDN you gave the system during install (or just use the static IP address). While you are in here you may also want to un-comment any needed modules. Common modules you may need include mod_cgid and mod_rewrite (Ctrl-W comes in handy here). We will cover the SSL stuff in a minute.
After saving and exiting nano, do the following to ensure you don’t get the FQDN error anymore:
sudo systemctl restart httpd.service
Setup SSL
Now set up SSL if desired. You need to edit the configuration file again:
sudo nano /opt/apache/conf/httpd.conf
Find and un-comment the following three lines, which are not together (Ctrl-W comes in handy here):
LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
Include conf/extra/httpd-ssl.conf
Save and exit. For now we are not going to edit the "httpd-ssl.conf" configuration file so just generate and sign a certificate. First, generate the key (you may wish to use a 2048 bit key for compatibility reasons):
cd ~
openssl genrsa -out server.key 4096
I didn’t use the -des3 option above because I don’t want to have to enter a password every time Apache starts (and this is just a test server). Now let’s create the CSR:
openssl req -new -key server.key -out server.csr
The above command will ask for some info to be included in the certificate. Go with defaults or customize as desired. Finally, we can create the actual certificate:
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
Customize the above command as desired. I set the certificate to expire in 10 years since this is only for testing purposes. Now type the following:
ls server*
The above should show the following 3 files:
server.crt
server.csr
server.key
Copy the needed files to their proper location, restart Apache, and test SSL:
sudo cp server.key /opt/apache/conf/
sudo cp server.crt /opt/apache/conf/
rm server.*
sudo systemctl restart httpd.service
lynx https://localhost
Lynx will complain about it being a self-signed certificate. Just verify it is okay with y.
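An added example, not part of the original tutorial: because the key was generated without a passphrase, its file mode is the only thing protecting it, so these checks can be run on the copied files before the restart. The function names are hypothetical; GNU stat and an openssl on the PATH are assumed, and the paths are the ones used in this post.

```shell
#!/usr/bin/env bash
# Added example: checks on the copied key and certificate before
# restarting Apache. Paths are the ones this tutorial uses.
CONF_DIR=${CONF_DIR:-/opt/apache/conf}

# key_mode_private FILE: succeed only if FILE grants no access to group
# or other users.
key_mode_private() {
    local mode
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2   # GNU stat, e.g. 600
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# pair_matches KEY CERT: succeed only if CERT carries KEY's public key.
pair_matches() {
    local from_key from_cert
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# preflight: run as root, since server.key should be readable by root only.
preflight() {
    key_mode_private "$CONF_DIR/server.key" ||
        { echo "server.key is accessible to group/other" >&2; return 1; }
    pair_matches "$CONF_DIR/server.key" "$CONF_DIR/server.crt" ||
        { echo "server.key and server.crt do not belong together" >&2; return 1; }
    /opt/apache/bin/apachectl -t    # syntax-check the configuration
}
```

If key_mode_private fails, sudo chmod 600 /opt/apache/conf/server.key brings the file back to owner-only access.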
This is also a good time to test the connection from the host system (if using a VM) or another computer on your network using a browser like Firefox or Chrome. Just open your browser of choice and type each of the following in turn into the address bar (adjusting the IP address if needed):
http://192.168.56.101
https://192.168.56.101
You will get a security warning for the SSL site. That is expected, so confirm the certificate. If something went wrong, the problem is most likely with your firewall settings, so go back to that section in the OS installation article and check that the HTTP/HTTPS ports are open on your local network.