This is a log of my installation/Compilation of Apache DSO
with SSL, MM, under Solaris 2.8. gcc was: egcs-2.91.66
This log includes compilation from scratch of Apache. I personally
usually compile stuff from scratch, since I have the NIH (Not Invented Here)
mental syndrome, and I do not like THEIR layout. It is still mild, and
my shrink tells me that he still does not have to report me to the authorities.
Frankly, I do not like my own layout after a while too, and change it
often.
This memo was originally writtent around Jul 28, 2002
The UNIX commands are in italic. It assumed that you will just grab them
with the mouse and paste them in your xterm...
Few terms:
Apache -- the Web Server
DSO -- Dynamic Shared Object (additional modules can be added/updated
to Apache without the need to recompile the whole thing, similar
to shared libraries, but DSO modules are not only called, but
can also call routines within Apache)
MM -- memory management or something like that - an add-on to Apache
and its modules to communicate via shared memory rather than files
(faster).
SSL -- Secure Socket Layer - the encryption and certificate package which
works with Apache
I assume you have moderately latest GNU tools (gmake, gzip, etc...) installed
and you also have a recent version of perl installed distribution.
I assume that you do all installation as root...
You can also get the wget utility from
ftp://ftp.gnu.org/pub/gnu/wget/. The local copy is here.
You will need to have openssl libraries (libcrypto and libssl) installed
for the latest wget to compile. If you do not have them, install openssl
first as described later on in this log.
By default, it installs wget binary to /usr/local/bin and puts man page into
/usr/local/man. You can edit the Makefile after .configure step if you
want them elsewhere. I installed the latest GNU one (now 1.8.2)as:
get wget-1.8.2.tar.gz and move it to directory /usr/local/uploads or
the one you like the most, e.g.; /tmp.
gunzip wget-1.8.2.tar.gz
gtar xvf wget-1.8.2.tar
mv wget-1.8.2 /usr/local # I like it in /usr/local
cd /usr/local/wget-1.8.2
./configure
make
make install
wget has also extensive GNU info pages and if you have install, do
info wget
and seek knowledge.
1) Be a root... Run ksh or bash or other sh, but not C-shell.
Before you install the new Apache, you have to know if you have some
other installation of Apache running. If you do, you need to decide
if you want to keep the old Apache running, or you stop it.
The problem is that Apache server by default listens to standard
Web TCP ports, and you cannot have some other Apache listen on the same
port(s). If Apache was installed before you will need either to disable
it, or choose other ports. If some Apache is running
(do: ps -ef | grep httpd) check which ports it is using by:
netstat -a | grep LISTEN
or
netstat -a -n | grep LISTEN
if you want to see all ports given as numbers, rather than services names.
If you get (among others):
tcp 0 0 *:www *:* LISTEN
tcp 0 0 *:https *:* LISTEN
(or, with netstat -n option:
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN )
The "well known ports" for HTTP and HTTPS are booked and some web
server is running.
2) If the old server is running check the files in /etc/init.d and
see if there is an httpd file (or similar) and stop apache as:
/etc/init.d/httpd stop
3) If you do not want to kill previous Apache, and install the
new one in such a way that their TCP ports do not conflict, just
continue on, and you will OK, since this installation uses
ports 4080 and 6443 rather than standard ports which your existing
installation is most likely using (change them is already used for
something else). If you know where is the configuration file for
the already installed apache located, you can edit it and change
port assignements, for example:
edit file /usr/local/apache1.3.13/conf/httpd.conf and change ports:
cd /usr/local/apache1.3.13/conf
cp -p httpd.conf httpd.conf.original
emacs (or vi or whatever) httpd.conf and replace lines:
Listen 80 --> Listen 6080
Port 80 --> Port 6080
Listen 443 --> Listen 6443
<VirtualHost _default_:443> --> <VirtualHost _default_:6443>
then restart apache and check pages:
cd /etc/init.d
./httpd start
and try if this works, i.e., try the URLs:
http://my.machine.com:6080/
https://my.machine.com:6443/
8) You usually have openssl installed, but if you cannot find the
libraries:
/usr/lib/libcrypto* or /usr/local/lib/libcrypto*
/usr/lib/libssl* or /usr/local/lib/libssl*
you need to install the openssl.
Even if you have the openssl and libraries already
installed, you probably have to go through this step, due to a number
of utilities and scripts which are often not installed on the regular
systems. There are two distributions of openssl: "normal" and
"engine". The "engine" is an experimental version of openssl to support
external crypto devices, and you will most likely not need it.
Create directory /usr/local/openssl and retrieve latest release of openssl
mkdir /usr/local/openssl
cd /usr/local/openssl
wget http://www.openssl.org/source/openssl-0.9.6d.tar.gz
Local copy of openssl-0.9.6d.tar.gz is here
Check if you have "ar" utility in the PATH:
which ar
If not, you need to add some directories to the path:
PATH=${PATH}:/usr/ccs/bin:/usr/ucb/bin
export PATH
Compiled the openssl [if you are in Europe, you need to
check the mod_ssl INSTALL for the no-idea option. Note: RSA released RSAREF
to public domain, so you do not have to use RSAREF library in US, and can
use the optimized library which comes with openssl. I chose default install
paths for openssl (/usr/local/ssl).
cd /usr/local/openssl
gtar zxvf openssl-0.9.6d.tar.gz
cd openssl-0.9.6d
./config -fPIC shared \
--prefix=/usr/local/ssl \
--openssldir=/usr/local/ssl
make
make test
make install
cp -a /usr/local/ssl/openssl-0.9.6d/lib* /usr/local/ssl/lib
During "make test" it barked on me:
bc does not work properly ('SunOStest' failed). Looking for another bc...
/usr/bin/bc does not work properly ('SunOStest' failed). Looking for
another bc ...
No working bc found. Consider installing GNU bc.
Oh, well, there is a default Soloris bc in /usr/bin/bc and it is obviously
less powerfull than the GNU bc. But I will leave it there for now.
This installation created: /usr/local/ssl/{bin, include, lib}.
To make them generally available I made symbolic links in the
/usr/local/{bin, include, lib} which are generally in the PATH...
If you are brave, you can do links in /usr/{bin, include, lib} and/or
set PATH and LD_LIBRARY_PATH. I made the following links:
cd /usr/lib
ln -s ../local/ssl/lib/libcrypto.a libcrypto.a
ln -s ../local/ssl/lib/libcrypto.so.0.9.6 libcrypto.so.0.9.6
ln -s libcrypto.so.0.9.6 libcrypto.so.0
ln -s libcrypto.so.0 libcrypto.so
ln -s ../local/ssl/lib/libssl.a libssl.a
ln -s ../local/ssl/lib/libssl.so.0.9.6 libssl.so.0.9.6
ln -s libssl.so.0.9.6 libssl.so.0
ln -s libssl.so.0 libssl.so
cd /usr/include
ln -s ../local/ssl/include/openssl openssl
cd /usr/bin
ln -s ../local/ssl/bin/openssl openssl
ln -s ../local/ssl/bin/c_rehash c_rehash
9) Make top directory for Apache 1.3.14 installation. I did
/usr/local/apache_1.3.26
mkdir /usr/local/apache_1.3.26
Then set APACHE_HOME environment variable
APACHE_HOME=/usr/local/apache_1.3.26
export APACHE_HOME
I also made a subdirectory "sources" to have all needed sources in one
place:
mkdir /usr/local/apache_1.3.26/sources
cd /usr/local/apache_1.3.26/sources
Put there the tar files:
wget http://www.apache.org/dist/httpd/apache_1.3.26.tar.gz
wget http://www.modssl.org/source/mod_ssl-2.8.10-1.3.26.tar.gz
wget ftp://ftp.ossp.org/pkg/lib/mm/mm-1.2.1.tar.gz
Local copied of the tarballs from above are here:
apache_1.3.26.tar.gz
mod_ssl-2.8.10-1.3.26.tar.gz
mm-1.2.1.tar.gz
10) Unpack sources to buld DSO Apache with mod_ssl and mm:
cd /usr/local/apache_1.3.26
cd sources
gtar zxvf apache_1.3.26.tar.gz
gtar zxvf mod_ssl-2.8.10-1.3.26.tar.gz
gtar zxvf mm-1.2.1.tar.gz
11) Compiled MM shared memory library
cd /usr/local/apache_1.3.26/sources/mm-1.2.1
./configure --disable-shared
make
12) Configured mod_ssl
cd /usr/local/apache_1.3.26/sources/mod_ssl-2.8.10-1.3.26
EAPI_MM=../mm-1.2.1 \
./configure \
--with-apache=/usr/local/apache_1.3.26/sources/apache_1.3.26
13)
cd /usr/local/apache_1.3.26/sources/apache_1.3.26
SSL_BASE=/usr/local/ssl \
EAPI_MM=/usr/local/apache_1.3.26/sources/mm-1.2.1 \
./configure --prefix=/usr/local/apache_1.3.26 \
--enable-module=so \
--enable-rule=SHARED_CORE \
--enable-module=most \
--enable-shared=max \
--enable-module=ssl \
--enable-shared=ssl
make
14) Now you can make certificates. If you want to install self signed
certificates which you will use (read a pagefull below), do:
make certificate TYPE=custom
One thing to remember, is to enter the fully qualified domain name of the
host on which this Apache Web server runs (in my case: server1.ccl.net)
when you are asked for info for X.509 certificate signing request
for SERVER [server.csr] at item 6. Common Name.
You can look at my dialog with the computer here.
I then tarred my certificates/keys into a file:
cd /usr/local/apache_1.3.26/sources/apache_1.3.26/conf
gtar zcvf /usr/local/apache-certificates.tgz ssl*
chmod 600 /usr/local/apache-certificates.tgz
just in case, if I lost them (these certificates were made for 5 years,
and I do not want to redo it every time I update apache). When you need
to restore the certificates, just do:
cd $APACHE_HOME/conf
gtar zxvf /usr/local/apache-certificates.tgz
If you have your certificates already made and signed you can just
create dummy certificates as:
make certificate TYPE=dummy
and you will replace them later in the $APACHE_HOME/conf with the
real ones.
Then you install Apacje in the directories under $APACHE_HOME
cd /usr/local/apache_1.3.26/sources/apache_1.3.26
make install
Also, if for some reason, you need to redo the certificates (I actually
had to do it, since I had a typo in server name, discovered it after
I finished the apache installation):
cd /usr/local/apache_1.3.26/sources/apache_1.3.26
make certificate TYPE=custom
and copy them by hand to the $APACHE_HOME/conf directory:
cd /usr/local/apache_1.3.26/sources/apache_1.3.26/conf
gtar zcvf /usr/local/apache-certificates.tgz ssl*
chmod 600 /usr/local/apache-certificates.tgz
cd $APACHE_HOME/conf
gtar zxvf /usr/local/apache-certificates.tgz
and do not redo the make install !!!
14) edited a file in $APACHE_HOME/conf/httpd.conf (in my case:
/usr/local/apache_1.3.26/conf/httpd.conf). You can look at
the copy of my initial httpd.conf.
I made a few changes to the original default httpd.conf which was
produced by the installation, namely, changed the ports on which
Apache listens to requests so the new installtion does not interfere
with the Apache server, which currently runs on your machine (assuming
that you have some server already running). I have no way of knowing
which ports on your machine are assigned to some services. In my case
I chose the port 4080 for the unencrypted Web Server port (which
corresponds to standard port 80 for HTTP), and the 6443 port for
the secure port (which corresponds to the standard port 443 for HTTPS).
I simply changed the following lines in
/usr/local/apache_1.3.26/conf/httpd.conf:
Port 80 ---> Port 6080
Listen 80 ---> Listen 6080
Listen 443 ---> Listen 6443
<VirtualHost _default_:443> ---> <VirtualHost _default_:6443>
Also uncommented the ServerName to point to a real machine.
The modified file is here.
15) I created the a file which starts the Web server when machine
is rebooted. I named it /etc/init.d/httpd-jkl. Its copy
is given here. Then, I started
the new apache as:
/etc/init.d/httpd-jkl start
and checked if the pages show up at
http://heechee.ccl.net:6080/
and
https://heechee.ccl.net:6443/ (this one will asked me to accept the
server certificate which I created)
In the https case you should get a lot of windows
which ask you for accepting the certificate. Just click Next to the
series of questions, and also mark "Keep this certificate forever"
on one of the boxes.
Pages worked so I placed the links in the /etc/rc3.d directory to make
the server start on boot-up.
cd /etc/rc3.d/init.d
ln -s ../init.d/httpd-jkl S55httpd-jkl
Note, I can start and stop apache either as:
/etc/init.d/httpd-jkl start
/etc/init.d/httpd-jkl stop
or as
/usr/local/apache_1.3.26/bin/apachectl startssl
/usr/local/apache_1.3.26/bin/apachectl stop
Stop apache, since you are not finshed yet.
Building and installing ant
==============================
16) At this point it is probably prudent to log out and log in again as root
and reset your environment variables by doing:
JAVA_HOME=/usr/local/j2sdk1.4.1
export JAVA_HOME
PATH=/usr/local/bin:${JAVA_HOME}/bin:${PATH}
export PATH
Assuming that the top directory of your Java SDK is /usr/local/j2sdk1.4.1.
My notes on installing Java 2 SDK can be found at
18) Create directory /usr/local/jakarta and retrieved latest ant from
http://jakarta.apache.org
"Ant" does for Java what "make' does for C. It is used to build
applications for Java. I did:
mkdir /usr/local/jakarta
cd /usr/local/jakarta
mkdir ant1.5
cd ant1.5
wget http://jakarta.apache.org/builds/jakarta-ant/release/v1.5/src/jakarta-ant-1.5-src.tar.gz
gtar zxvf jakarta-ant-1.5-src.tar.gz
which resulted in the jakarta-ant-1.5 subdirectory. Chech if you
JAVA_HOME and PATH variable are properly initialized for Java.
cd /usr/local/jakarta/ant1.5/jakarta-ant-1.5
./bootstrap.sh
./build.sh
This created a directory dist which contains bin and lib directory.
I moved these directories to /usr/local/jakarta/ant1.5/
cd /usr/local/jakarta/ant1.5
mv jakarta-ant-1.5/dist/bin .
mv jakarta-ant-1.5/dist/lib .
I then edited the ant script in the bin directory by adding the following
at the top:
JAVA_HOME=/usr/local/j2sdk1.4.1
ANT_HOME=/usr/local/jakarta/ant1.5
PATH=${JAVA_HOME}/bin:${ANT_HOME}/bin:/usr/local/bin:${PATH}
export JAVA_HOME ANT_HOME PATH
if [ ${CLASSPATH}"x" = "x" ] ; then
CLASSPATH=${ANT_HOME}/lib/ant.jar:${ANT_HOME}/lib/optional.jar
else
CLASSPATH=${CLASSPATH}:${ANT_HOME}/lib/ant.jar
CLASSPATH=${CLASSPATH}:${ANT_HOME}/lib/optional.jar
fi
export CLASSPATH
Alternatively, you could put these lines into a /etc/ant.conf file
which is sourced at the top of the /usr/local/jakarta/ant1.5/bin/ant
script.
Then, I linked the ant script in /usr/local/bin as:
ln -s /usr/local/jakarta/ant1.5/bin/ant /usr/local/bin/ant
Building and installing tomcat 3.3.1
====================================
Created directory and downloaded the release of 3.3.1
cd /usr/local/jakarta
mkdir tomcat3.3.1
cd tomcat3.3.1
wget http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1/src/jakarta-tomcat-3.3.1-src.tar.gz
gtar zxvf jakarta-tomcat-3.3.1-src.tar.gz
Then I built the tomcat as:
cd /usr/local/jakarta/tomcat3.3.1/jakarta-tomcat-3.3.1-src
ant
This created a directory:
/usr/local/jakarta/tomcat3.3.1/jakarta-tomcat-3.3.1-src/build/tomcat
I moved all files/directories from under it to
/usr/local/jakarta/tomcat3.3.1
cd /usr/local/jakarta/tomcat3.3.1/jakarta-tomcat-3.3.1-src/build/tomcat
mv * /usr/local/jakarta/tomcat3.3.1
Since Tomcat should not run as root, I decided to run it as
user webrun. My webrun account in /etc/passwd was set to run /bin/ksh
and its home directory was /home/webrun. I placed the following in the
file /home/webrun/.profile:
JAVA_HOME=/usr/local/j2sdk1.4.1
TOMCAT_HOME=/usr/local/jakarta/tomcat3.3.1/
PATH=${JAVA_HOME}/bin:${TOMCAT_HOME}/bin:${PATH}
export JAVA_HOME TOMCAT_HOME PATH
To make sure that Tomcat can write files and logs
in its directories I changed ownership of some directories to webrun
cd /usr/local/jakarta/tomcat3.3.1
mkdir work
chown -R webrun:webrun logs conf webapps work
Tomcat by default runs HTTP on port 8080 and takes ports 8007 and 8009
for connectors to Apache. If you have other Tomcat's running, you need
to edit file server.xml in the /usr/local/jakarta/tomcat3.3.1/directory
to point at different ports. I My webrun was /bin/ksh ad
I tested Tomcat as follows:
su - webrun
${TOMCAT_HOME}/bin/startup.sh
and then tried with the browser if the http://heechee.ccl.net:8080/ works
Ran a few examples and things seemed to work.
I stopped Tomcat by executing
${TOMCAT_HOME}/bin/shutdown.sh
23) testing Tomcat. I become a "webrun" user for this part, not a root.
Since I have other Tomcats running on this machine, I changed
the default ports in $TOMCAT_HOME/conf/server.xml
cd $TOMCAT_HOME/conf
emacs/vi/joe/whatever server.xml
Change 8080 --> 6180
Change 8007 --> 6007
Change 8009 --> 6009
While the SSL connector is at this moment commented out, I changed
the port
Change 8443 --> 6243
so I do not forget about it in the future.
I also added "doc" application to Tomcat. This contains the static
documentation files from $TOMCAT_HOME/doc. I created it by using the new
way of adding webapplication, i.e., by creating a file conf/apps-name.xml.
In my case the file $TOMCAT_HOME/conf/apps-doc.xml was:
<?xml version="1.0" encoding="ISO-8859-1"?>
<webapps>
<!-- Setting special properties for /doc
( as an example of overriding the defaults )
-->
<Context path="/examples"
docBase="/usr/local/jakarta/tomcat3.3.1/doc"
debug="0"
reloadable="true" >
<SimpleRealm filename="conf/users/example-users.xml" />
<LogSetter name="doc_tc.log" path="logs/doc.log" />
<LogSetter name="dcc_servlet_log"
path="logs/servlet_doc.log"
servletLogger="true"/>
</Context>
</webapps>
which was just a modification of the apps-examples.xml file.
I then restarted TOMCAT as:
${TOMCAT_HOME}/bin/startup.sh
The initial server.xml file is here and the apps-doc.xml is here.
And checked if I can read the http://heechee.ccl.net:6180/doc
in my browser. I could...
I printed myself some pages, and studied -- do the same. Namely:
http://heechee.ccl.net:6180/doc/serverxml.html
http://heechee.ccl.net:6180/doc/tomcat-ug.html
http://heechee.ccl.net:6180/doc/tomcat-security.html
http://heechee.ccl.net:6180/doc/Tomcat-Workers-HowTo.html
http://heechee.ccl.net:6180/doc/tomcat-ssl-howto.html
http://heechee.ccl.net:6180/doc/mod_jk-howto.html
http://heechee.ccl.net:6180/doc/internal.html
I also mounted webapps/ROOT
as /ROOT and changed all docBase attributes of Context to full path.
While /ROOT is also mounted in server.xml as /, I need another mount
point for Apache. If I mounted ROOT as / in apache, all my content
would have to be served by Tomcat, since DocumentRoot would be located
there. There are many ways of doing this, for example, I could copy
only the index.html file to the Apache DocumentRoot directory and mount
the subirectories of /ROOT as Contexts. I decided to mount /ROOT as
context /ROOT (i.e., it will be accessed as http://my.machine:port/ROOT
and solve the problem of relative/absolute links by using rewrite module.
Note that server.xml is the file which is read in by Tomcat to
configure itself. The other files are not read in by Tomcat. The web.xml
in the ${TOMCAT_HOME}/conf is not read in either (but it is read in
in other versions of Tomcat). This web.xml should be a starting place
for your own web.xml files which you place under WEB-INF directory
in your servlet/JSP contexts (WEB applications).
The other files are mostly prototypes of config files for the various
Web servers which work with Tomcat. Moreover, based on its own
configuration, it produces prototype configuration files for various
Web servers: iis_redirect.reg-auto and uriworkermap.properties-auto (for
MS IIS), mod_jk.conf-auto (for mod_jk module of Apache), obj.conf-auto
(for Netescape or whoever/whatever server, if you know what I mean),
and tomcat-apache.conf (for Apache mod_jserv module which we do not use
here). These prototype files are essentially ready to go for simple
configurations. The files like tomcat-apache.conf, tomcat.properties,
tomcat.conf are used when tomcat was working with mod_jserv module.
We are using here mod_jk module, and these files can be ignored.
The files for mod_jk module of Apache are mod_jk.conf and
workers.properties. For the time being, I tested if Tomcat works
alone by starting it as:
cd $TOMCAT_HOME/bin
./startup.sh
then checked the stuff at tomcat port
http://server1.ccl.net:4180/
and looked at test pages. Things worked... Then I shut it down as:
./shutdown.sh
What worried me was the number of threads the Tomcat opened, namely
ps auwx | grep java | wc -l
gave 36. These are supposedly lightweight threads and you should not
worry about this.
24) Now, let us create the mod_jk module. This is a DSO object
which you load into Apache. It is called "server plug-in"
sometimes. It allows Apache to talk to Tomcat. While Tomcat
can also run inprocess, it cannot be supported with current Apache/Tomcat
combination. So there are two processes: Apache and Tomcat, and they
need to talk to each other if they want to work together (or at
least send memos {:-)}). Note that in this communication Apache
(The web server) is a client (not a server!) of Tomcat.
Tomcat is started, and listens for requests from Apache, i.e., in
this relation, it is a server. Tomcat listens by default on port 8007,
but you can change it by editing the server.xml file. In my case,
as you saw in 23) I had to change the default port since I have several
Tomcats running on my machine. The module mod_jk is compiled as:
cd $JAKARTA_HOME/jakarta-tomcat-3.2.1-src/src/native
cd apache1.3
$APACHE_HOME/bin/apxs -o mod_jk.so \
-I${JAVA_HOME}/include/linux \
-I../jk -I${JAVA_HOME}/include \
-c *.c ../jk/*.c
cp mod_jk.so ${APACHE_HOME}/libexec
While I provide here the binary:
mod_jk.so -- press right mouse button here and choose: Save Link as
which you can just copy to ${APACHE_HOME}/libexec directory I strongly
suggest that you build the one yourself, since there are many options
to Apache, and it simply will not work, if your Apache is different
than my Apache.
25) When I tested standalone Tomcat in 23), it created automatically
a config file for mod_jk for Apache which is available as:
$TOMCAT_HOME/conf/mod_jk.conf-auto
I did the following:
cd $TOMCAT_HOME/conf
mv mod_jk.conf mod_jk.conf.original
mv mod_jk.conf-auto mod_jk.conf
i.e., I saved the original and copied the automatic version to
mod_jk.conf.
For the time being, I edited the Apache config file to include
the mod_jk.conf (more needs to be done for sensible install,
though). I edited file;
$APACHE_HOME/conf/httpd.conf and at the last line I put:
Include /usr/local/tomcat_3.2.1/tomcat-3.2.1/conf/mod_jk.conf
The actual initial httpd.conf is here.
I replaced all occurances of ajp12 with ajp13 in the
${TOMCAT_HOME}/conf/mod_jk.conf and added a mount point for /ROOT
You can find the copy of it here. I also changed server.xml (see below).
Just compare it to the original with UNIX diff utility.
Made several changes to workers.properties. Namely:
changed workers.tomcat_home, workers.java_home, ps, worker.ajp12.port,
worker.ajp13.port and commented out all inprocess stuff which is meant
for the Web servers which support inprocess. You can look up them here.
Note, my ajp12 port is 4006 and ajp13 is 4007.
26) changed the $TOMCAT_HOME/conf/server.xml to activate the ajp13 connector.
Added this:
<!-- Apache AJP13 support. -->
<Connector className="org.apache.tomcat.service.PoolTcpConnector">
<Parameter name="handler"
value="org.apache.tomcat.service.connector.Ajp13ConnectionHandler"/>
<Parameter name="port" value="4007"/>
</Connector>
Left apj12 support at port 4006 since it is needed for shutdown.
Look here for initial server.xml.
27) Heavily edited the $TOMCAT_HOME/bin/startup.sh,
$TOMCAT_HOME/bin/startup.sh and $TOMCAT_HOME/bin/jspc.sh
to include necessary environmental
variables. These initial files can be found here:
startup.sh
shutdown.sh
jspc.sh
tomcat.sh
28) Started tomat
cd $TOMCAT_HOME/bin
./startup.sh
It told me something like this:
Using classpath: /usr/local/tomcat_3.2.1/tomcat-3.2.1/lib/jasper.jar:/usr/local
/tomcat_3.2.1/tomcat-3.2.1/lib/test:/usr/local/tomcat_3.2.1/tomcat-3.2.1/lib/we
bserver.jar:/usr/local/jdk1.3/lib/tools.jar:/usr/local/jdk1.3/lib/tools.jar:/us
r/local/jdk1.3/lib/dt.jar:/usr/local/jdk1.3/jre/lib/ext/jce1_2_1.jar:/usr/local
/jdk1.3/jre/lib/ext/jcert.jar:/usr/local/jdk1.3/jre/lib/ext/jnet.jar:/usr/local
/jdk1.3/jre/lib/ext/jsse.jar:/usr/local/tomcat_3.2.1/ant-1.2/lib/ant.jar:/usr/l
ocal/tomcat_3.2.1/servletapi-3.2/lib/servlet.jar:/usr/local/jaxp-1.1ea2/jaxp.ja
r:/usr/local/jaxp-1.1ea2/crimson.jar:/usr/local/jaxp-1.1ea2/xalan.jar:/usr/loca
l/tomcat_3.2.1/tomcat-3.2.1/lib/jasper.jar:/usr/local/tomcat_3.2.1/tomcat-3.2.1
/lib/webserver.jar
2001-01-28 03:31:39 - ContextManager: Adding context Ctx(/examples )
2001-01-28 03:31:39 - ContextManager: Adding context Ctx( /admin )
Starting tomcat. Check logs/tomcat.log for error messages
2001-01-28 03:31:39 - ContextManager: Adding context Ctx( )
2001-01-28 03:31:39 - ContextManager: Adding context Ctx( /test )
2001-01-28 03:31:40 - PoolTcpConnector: Starting HttpConnectionHandler on 4180
2001-01-28 03:31:40 - PoolTcpConnector: Starting Ajp12ConnectionHandler on 4006
2001-01-28 03:31:41 - PoolTcpConnector: Starting Ajp13ConnectionHandler on 4007
(if you have errors, check if tomcat or something else is not running
and using the same TCP ports. Do, for exampl:
ps auxw | grep tomcat
and kill if needed. Also check if any ports from above: 4006, 4007,
6080, 4180, 6443, are used by using:
netstat -a | more
They would be listed in the first column, e.g., *.6443
)
29) Started Apache
$APACHE_HOME/bin/apachectl startssl
Things worked on port 6080(http) and 6443(https). I checked
http://server1.ccl.net:6080/examples and
https://server1.ccl.net:6443/examples
30) Stopped Tomcat
cd $TOMCAT_HOME/bin
./shutdown.sh
31) Stopped Apache
$APACHE_HOME/bin/apachectl stop
32) Reconfigured Tomcat and Apache to do things I want them to do.
a) In $APACHE_HOME/conf/httpd.conf made sure mod_jk is before mod_rewrite
LoadModule jk_module libexec/mod_jk.so
LoadModule rewrite_module libexec/mod_rewrite.so
and
AddModule mod_jk.c
AddModule mod_rewrite.c
and commented out the line
# LoadModule jk_module libexec/mod_jserv.so
in $TOMCAT_HOME/conf/mod_jk.conf
33) In the $APACHE_HOME/conf/httpd.conf I added some rewrite
rules before
## SSL Global Context
comment , and also inside 6443 virtual host scope after line:
TransferLog /usr/local/apache_1.3.26/logs/access_log :
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteLog /usr/local/apache_1.3.26/logs/rewrite_log
RewriteLogLevel 2
RewriteRule ^/ROOT/examples /examples [R]
RewriteRule ^/ROOT/test /test [R]
RewriteRule ^/ROOT/admin /admin [R]
RewriteRule ^/ROOT/ROOT /ROOT [R]
RewriteRule ^/tomcat.gif /ROOT/tomcat.gif [R]
RewriteRule ^/examples/servlets$ /examples/servlets/ [R]
RewriteRule ^/examples/jsp$ /examples/jsp/ [R]
RewriteRule ^/examples$ /examples/ [R]
RewriteRule ^/admin$ /admin/ [R]
RewriteRule ^/ROOT$ /ROOT/ [R]
RewriteRule ^/test$ /test/ [R]
</IfModule>
for the HTTP (port 6080) and HTTPS (virtual host at 6443). It was needed
to cure a problem that $TOMCAT_HOME/webapps/ROOT
is a Document Root for Tomcat, but for Apache, the
$APACHE_HOME/htdocs is the Document Root.
34) Created new users, in my case webinst, and webrun, and groups for
them, home directories, and regular login environment.
The webrun was assigned /bin/bash and webinst had tcsh as primary
shell (yes, I know that t/csh is brain dead, but people want it,
and people will have it -- it sucks, e.g., with its limitations:
"Word too long" when your environment variable is longer than 1024 --
it happens to me all the time with longer CLASSPATHs).
Note, that when you execute the script as
su - uid -c script
the script will be executed with the default shell (i.e., the shell
the user uid has assigned in /etc/passwd) of the uid user, and it
does not matter what you put in #!/bin/someshell on the top of your script.
While some UNICES allow you to specify shell on the command line (Linux
allows) I did not use this feature.
The script is sourced with default shell, not forked with a new shell.
The webinst will own most of the files in the web site, while the
webrun will be the user who runs the Apache server and the tomcat.
It will own log files and other files which the apache/tomcat/ needs
to write. In $APACHE_HOME/conf/httpd.conf I did:
User webrun
Group webrun
Also, I changed the directories for the Document root and CGI-BIN
Final version of httpd.conf is given here.
Also chown_ed to webrun the log directories:
chown -R webrun $APACHE_HOME/logs
chgrp -R webrun $APACHE_HOME/logs
And for tomcat:
chown -R webrun $TOMCAT_HOME/conf
chgrp -R webrun $TOMCAT_HOME/conf
chown -R webrun $TOMCAT_HOME/logs
chgrp -R webrun $TOMCAT_HOME/logs
chown -R webrun $TOMCAT_HOME/work
chgrp -R webrun $TOMCAT_HOME/work
35) In $APACHE_HOME/bin
cp apachectl apache-tomcat
and edited apache-tomcat to have a script to start/stop
tomcat and apache. This is an example: $APACHE_HOME/bin/apache-tomcat
Then chmoded apache-tomcat to be executable :
chmod 755 $APACHE_HOME/bin/apache-tomcat
36) Started the apache/tomcat as:
$APACHE_HOME/bin/apache-tomcat startssl
and checked if http://server1.ccl.net:6080/examples and
https://server1.ccl.net:6443/examples worked.
They did, so I killed the server with:
$APACHE_HOME/bin/apache-tomcat stop
Now, I also changed the startup script httpd-jkl in /etc/rc.d/init.d
to use the apache_tomcat rather than apachectl. The final version
is here. I also disabled the
RH7.0 Apache which comes with the standard installation by
/etc/rc.d/init.d/httpd stop
chkconfig --del httpd
chkconfig --list httpd
which showed rightly that httpd will not be invoked on boot:
httpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
and replaced Apache with this installation. I allowed the startup on
boot by activating the my script described above:
chkconfig --add httpd-jkl
chkconfig --list httpd-jkl
with list giving me OK:
httpd-jkl 0:off 1:off 2:off 3:on 4:on 5:on 6:off
Note, since we are using different ports, you do not have to stop the
original Apache which works on standard ports 80 and 443.
37) changed permissions/ownership on the example directories
cd $TOMCAT_HOME/webapps
chown -R webinst .
chgrp -R webinst .
cd $TOMCAT_HOME/logs
chown -R webrun .
38) After all these changes, the ports should be the following:
Orig New Files affected
http(apache) --> 80 --> 6080 ${APACHE_HOME}/conf/httpd.conf
https --> 443 --> 6443 ${APACHE_HOME}/conf/httpd.conf
http(tomcat) --> 8080 --> 4180 ${TOMCAT_HOME}/conf/server.xml
(disabled)
tomcat/apj13
--> 8009 --> 4007 ${TOMCAT_HOME}/conf/workers.properties
${TOMCAT_HOME}/conf/server.xml
tomcat/apj12 --> 8007 --> 4006 ${TOMCAT_HOME}/conf/workers.properties
${TOMCAT_HOME}/conf/server.xml
39) Since starting/stopping apache+tomcat in this environment requires
one to be a root, I created C wrappers to start and stop the whole zoo.
$APACHE_HOME/bin/apache_start.c
and compiled it with
gcc -o apache_start apache_start.c
as a root, and then added suid permissions to the resulting
apache_start executable file as:
chmod ug+s apache_start
I did exactly the same with apache_stop.c
gcc -o apache_stop apache_stop.c
chmod ug+s apache_stop
$APACHE_HOME/bin/apache_stop.c
Now, people do not have to have root access to start/stop Web Server/Tomcat
I also added a C program killme.c which kills the processes which are
running by user webrun. It is indentded to be used after "apache_stop"
to kill some runaway processes started by apache, Tomcat, or JServ.
After compiling the program:
gcc -o killme killme.c
changed its user and group ownership to webrun and added
SETUID permission bits
chown webrun killme
chgrp webrun killme
chmod ug+s killme
To learn which processes need to be killed, the user does
ps -ef | grep webrun | grep -v grep
(I actually saved this line as a shell script "killwhich" so they can
just type: killwhich).
and the user can kill the processes listed by previous command as:
killme pid1 pid2 ....
where pidn is the process id number in the second column.
$APACHE_HOME/bin/killme.c
40)If you look at my httpd.conf file
I have there a virtual host on HTTPS port 6443. The DocumentRoot directory
of this virtual host points at /content/html/private and the CGI script
directory /content/cgi/private are protected with the Basic Authentication
and contain the file .htaccess file:
AuthUserFile /usr/local/apache_1.3.26/auth/htpasswd
AuthGroupFile /usr/local/apache_1.3.26/auth/htgroup
AuthName "This directory is for internal users only"
AuthType Basic
<Limit GET POST PUT>
require group cclstaff
</Limit>
My /usr/local/apache_1.3.26/auth/htpasswd was similar to:
jkl:mqcxlex/TV9ywg
bubus:yVDEJCCn9/Lxo
lalus:F90sLCbaEEo
...
i.e., listed user names and their encrypted passwords. You can
get the encrypted password by typing at UNIX command line:
perl
print crypt("PASSWORD", "AB"), "\n";
^D
where "PASSWORD" should be actual open text password in quotes,
"AB" is a two character seed (can be any combination of letters and
digits, and some other characters, but stay with letters and digits
to be on safe side), and ^D is CTRL/D. For example, the abouve would
yield: ABIp8WSAPJnhI (of course, I am not endorsing using PASSWORD for
password).
My /usr/local/apache_1.3.26/auth/htgroup was similar to:
cclstaff:jkl bubus lalus
Of course you can have more groups and people.
-- THE END --
If you see something wrong here, please let me know, so I can save
other peoples time.
Jan