Installing an Apache + SSL on FreeBSD using the ports tree
Installing Apache + SSL is very easy on FreeBSD.
Note: Tested on FreeBSD 9
- First install FreeBSD. Instructions for installing FreeBSD are in these articles:
  How I install FreeBSD?
  How I install FreeBSD 9?
- Second, update FreeBSD and install the ports tree. Instructions for this are in this article:
  What are the first commands I run after installing FreeBSD?
- Install the latest version of Apache, which is Apache 2.2 as of this writing.
  # cd /usr/ports/www/apache22
  # make BATCH=yes install
This will download the Apache 2.2 source, compile it and install it. A few other dependencies will be installed as well. BATCH=yes accepts the port's default build options (which include mod_ssl) instead of stopping at the options dialog; leave it off if you want to pick options yourself.
Apache will not start automatically which is fine because we are not ready to start it yet.
- Configure Apache to automatically start when the FreeBSD system boots up. This is done using the /etc/rc.conf file.
  # echo '# Apache 2.2' >> /etc/rc.conf
  # echo 'apache22_enable="YES"' >> /etc/rc.conf
The comment text has to be quoted: an unquoted # makes the shell treat the rest of the line as a comment, so echo prints an empty line to the terminal and nothing is appended to rc.conf.
- In order for Apache to use SSL, you must create a certificate. Now you may or may not know how to create one. I have made it easy for you by putting everything in a shell script. I have used SHA-256 for the certificate signature, because in this day and age you need higher security than MD5 or SHA-1.
makesha256key.sh

#!/bin/sh
# Usage: ./makesha256key.sh certname
# Creates a self-signed certificate with a SHA-256 signature and installs the
# key and certificate where httpd-ssl.conf (below) expects them.
[ -n "$1" ] || { echo "usage: $0 certname" >&2; exit 1; }
umask 077                       # working copies of the key are created unreadable to others
mkdir -p /root/mycert
cd /root/mycert
mkdir -p /usr/local/etc/apache22/ssl.key
mkdir -p /usr/local/etc/apache22/ssl.crt
# directories need the execute bit to be traversed, so 0700 rather than 0400
chmod 0700 /usr/local/etc/apache22/ssl.key
chmod 0700 /usr/local/etc/apache22/ssl.crt
# 2048-bit key: a 1024-bit RSA key would undo the point of picking SHA-256
openssl genrsa -des3 -out "$1.key" 2048
openssl req -new -x509 -sha256 -days 365 -key "$1.key" -out "$1.crt"
# strip the passphrase so Apache can start unattended at boot
cp "$1.key" "$1.key.orig"
openssl rsa -in "$1.key.orig" -out "$1.key"
cp "$1.key" /usr/local/etc/apache22/ssl.key/
cp "$1.crt" /usr/local/etc/apache22/ssl.crt/
chmod 0400 "/usr/local/etc/apache22/ssl.key/$1.key"
chmod 0400 "/usr/local/etc/apache22/ssl.crt/$1.crt"
This is NOT a fully functional shell script that shows you the command line options and everything. It is really just a list of commands to make this easier for you. Copy this to a shell script and run it. It takes one parameter, the cert name and you should call it like this:
./makesha256key.sh certname
IMPORTANT: The commands in the script will prompt you for a certificate passphrase (which the script strips again afterwards, so Apache can start without a prompt) and for your certificate information. The one thing you must get right is the "Common Name": use the host name clients will type, not a full URL. For example, if your web site is www.rhyous.com, then www.rhyous.com is your Common Name. If it does not match the name in the browser's address bar, the browser will warn even though the certificate is otherwise valid.
Or you can run the commands from the shell script manually one at a time if you want (replacing $1 with your desired certificate name).
Note: In this script, the certificate will be a self-signed certificate, but you can get a signed certificate free here: http://cert.startcom.org
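If you would rather not sit through the prompts, the following is an added example of the same job, not the article's makesha256key.sh: it generates the key and the SHA-256 self-signed certificate with a single non-interactive openssl call (2048-bit key, Common Name passed with -subj), then checks the result the way you should before pointing Apache at it: signature algorithm, key size, that the key and certificate actually belong together, and that the Common Name is the one you asked for. The function names, the output directory taken as a parameter and the need for an openssl binary on PATH are this example's assumptions.

```shell
#!/bin/sh
# Added example, not the article's makesha256key.sh: create the key and the
# SHA-256 self-signed certificate in one non-interactive openssl call, then
# verify the result before handing it to Apache. Assumed (not from the
# article): the function names, the output directory given as a parameter,
# and an `openssl` binary on PATH.
set -eu

# make_selfsigned DIR NAME COMMONNAME [DAYS]
# Writes DIR/NAME.key (mode 0400, no passphrase) and DIR/NAME.crt.
# Creating the key without a passphrase from the start avoids the
# genrsa -des3 / rsa round trip and means Apache never prompts at boot.
make_selfsigned() {
    dir=$1; name=$2; cn=$3; days=${4:-365}
    mkdir -p "$dir"
    chmod 0700 "$dir"          # directories need the x bit to be traversed
    # subshell so the restrictive umask does not leak into the caller
    (umask 077; openssl req -new -x509 -nodes -sha256 \
        -newkey rsa:2048 -days "$days" -subj "/CN=$cn" \
        -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null)
    chmod 0400 "$dir/$name.key"
}

# verify_selfsigned DIR NAME COMMONNAME
# Returns 0 only when all four checks pass: SHA-256 signature, 2048-bit RSA
# key, key and certificate share a modulus, and the CN is the host name
# browsers will be asked to match.
verify_selfsigned() {
    dir=$1; name=$2; cn=$3
    key="$dir/$name.key"; crt="$dir/$name.crt"
    openssl x509 -in "$crt" -noout -text \
        | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || return 1
    openssl rsa -in "$key" -noout -text 2>/dev/null | grep -q '2048 bit' || return 1
    [ "$(openssl x509 -in "$crt" -noout -modulus)" = \
      "$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)" ] || return 1
    openssl x509 -in "$crt" -noout -subject -nameopt RFC2253 \
        | grep -q "^subject= *CN=$cn\$" || return 1
}

# Usage: ./mkcert.sh /usr/local/etc/apache22/ssl server www.example.com
# (then point SSLCertificateFile/SSLCertificateKeyFile at those two files)
if [ $# -eq 3 ]; then
    make_selfsigned "$1" "$2" "$3"
    verify_selfsigned "$1" "$2" "$3" && echo "ok: $1/$2.crt and $1/$2.key verified"
fi
```

The modulus comparison is the check that catches the most common mistake with hand-made certificates, a key file and certificate file that were produced in different runs; the Common Name check catches the second most common one, a certificate issued for the bare host name when everyone browses to the www name.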
- Now configure Apache to read the httpd-ssl.conf file when it starts. Open /usr/local/etc/apache22/httpd.conf using the easy editor, ee:
  # ee /usr/local/etc/apache22/httpd.conf
Near the end of the file, remove the comment symbol (the # sign) from the following line:
  Include etc/apache22/extra/httpd-ssl.conf
Note: While you are in this file you may also want to uncomment the line that enables Virtual Hosts (Include etc/apache22/extra/httpd-vhosts.conf) if you are going to host multiple URLs on this server.
- Configure the httpd-ssl.conf.
  # ee /usr/local/etc/apache22/extra/httpd-ssl.conf
I only change the two lines (SSLCertificateFile and SSLCertificateKeyFile) to point to the certificate and key the script installed; "server" below is whatever certname you passed to the script. Here is a sample httpd-ssl.conf without the comments.

Listen 443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/var/run/ssl_scache(512000)"
SSLSessionCacheTimeout 300
SSLMutex "file:/var/run/ssl_mutex"
<VirtualHost _default_:443>
DocumentRoot "/usr/local/www/apache22/data"
ServerName www.example.com:443
ServerAdmin you@example.com
ErrorLog "/var/log/httpd-error.log"
TransferLog "/var/log/httpd-access.log"
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile "/usr/local/etc/apache22/ssl.crt/server.crt"
SSLCertificateKeyFile "/usr/local/etc/apache22/ssl.key/server.key"
<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/usr/local/www/apache22/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
BrowserMatch ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog "/var/log/httpd-ssl_request.log" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

Two things in that file are worth tightening before the server is reachable from anywhere you do not control. The SSLCipherSuite line is the stock Apache 2.2 default: ALL already includes LOW and export-grade ciphers, and the trailing +SSLv2:+EXP:+eNULL entries keep SSLv2-era suites, export suites and unencrypted (eNULL) suites negotiable. There is also no SSLProtocol line, and Apache 2.2's default of "all" means SSLv2, SSLv3 and TLSv1. Both are one-line fixes, for example SSLProtocol all -SSLv2 -SSLv3 and a cipher string such as HIGH:!aNULL:!eNULL:!EXP:!LOW:!RC4.
- Now start or restart Apache.
# /usr/local/etc/rc.d/apache22 start
Now just open a browser (on another system of course) and connect to your new FreeBSD installed web server. You can connect using name, fqdn, or IP and see which work.
- http://servername
- http://www.YourDomain.com
- http://192.168.0.100
You can also try to connect with SSL.
- https://servername
- https://www.YourDomain.com
- https://192.168.0.100
Common Errors
Performing sanity check on apache22 configuration:
httpd: apr_sockaddr_info_get() failed for F9
httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
Syntax OK
Starting apache22.
httpd: apr_sockaddr_info_get() failed for F9
httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
/usr/local/etc/rc.d/apache22: WARNING: failed to start apache22

If you get this error, update your /etc/hosts file and make sure the system's hostname (F9 in the output above) is listed there. Setting ServerName explicitly in httpd.conf also stops httpd from trying to resolve the hostname at startup.
::1        localhost YourServerNameHere
127.0.0.1  localhost YourServerNameHere
Install other software
It is now very common to install a database server and a scripting language, such as MySQL and PHP. I have separate documents for each install:
Hi,
I would like to add that the point under "Common Errors" is actually just a "Warning". Apache runs nevertheless, whether you have the right domain name pointing to the IP or not.
Anyways, good article.
Cheers,
Samuli
Thanks Samuli. You are right, in a lab with a fake FQDN, I often have to update my hosts file or else Apache won't even start.
Thanks mate!!!
By the way, excellent website logo as well. Hail the sword!!!
Thanks!
I just realized my favicon.ico wasn't there. It is a sword too. It has been missing for two years! Now it is back.
Excellent post, cheers!! \o/
It is useful to try everything in practice anyway and I like that here it's always possible to find something new. 🙂
Have you tested it and are writing from your personal experience, or did you find some information online?
Yes, I have tested it and it is in production at my work for an internal site for my support team. We are running dotProject and a few other sites off it. I'll be honest, this was the first time I went with SHA-256 over MD5, but it is working well.