
Build Your Own Apache Server with mod_perl and mod_ssl
Pages: 1, 2, 3, 4

An Optional Install

Now it's time to get busy. First, you might want to consider installing MM. This library, by mod_ssl author Ralf S. Engelschall, allows mod_ssl to share memory between forked Apache child processes, thereby optimizing the performance of mod_ssl. However, mod_ssl doesn't require MM to work; without MM, mod_ssl will use disk files to share data between Apache processes, an approach that works fine in a development environment. Unless optimal mod_ssl performance is mandatory, you needn't install MM. But if you do need MM or want it, it is fortunately easy to build and install on Mac OS X.



% curl -O ftp://ftp.ossp.org/pkg/lib/mm/mm-1.2.1.tar.gz
% tar zxvf mm-1.2.1.tar.gz
% cd mm-1.2.1
% ./configure --disable-shared
% make
% cd ..

Once I download the MM sources and untar them, as usual (check the MM site for the latest release), I change into the new directory and configure MM. The INSTALL file recommends the use of the --disable-shared option to simplify installation. Once configure has found all the data it needs, make quickly compiles the needed library files. There's no need to make install, as we'll be telling Apache's configure where to find the sources so that it can link them in.

Configuring mod_ssl

Next we need to download and configure mod_ssl. You must be careful to select the proper version of mod_ssl, as each is specific to a release of the Apache Web server. Thus the mod_ssl source tarball has two version numbers in its file name. For example, the tarball I'm using for this article is mod_ssl-2.8.12-1.3.27.tar.gz; note the two separate version numbers, "2.8.12" and "1.3.27". The first is the version number for mod_ssl itself. You'll generally want to download the latest version in order to take advantage of the latest bug fixes and security updates. The second number is the Apache version number. This number must be the same as the version of Apache you're building. Since I'm using Apache version 1.3.27 here, I've downloaded the latest version of mod_ssl with "1.3.27" as its second version number. Check the mod_ssl web site for the latest version relevant to the version of Apache you're building.

% curl -O http://www.modssl.org/source/mod_ssl-2.8.12-1.3.27.tar.gz
% tar zxvf mod_ssl-2.8.12-1.3.27.tar.gz

Once again, I take the familiar approach to downloading and unpacking the mod_ssl tarball. But we need to make one more special change before we follow through on the configuration of mod_ssl.

In the past, people who wanted to build Apache with mod_ssl had to first download, configure, and build OpenSSL. But since Apple already includes OpenSSL with Mac OS X, I was once again motivated in the process of writing this article to determine how to get mod_ssl to use the Apple-supplied OpenSSL library. After a bit of investigation, I figured out where the problem was and created a very simple patch to fix it. I then submitted the patch to the mod_ssl development community, so it may well be fixed in a future version of mod_ssl. In the meantime, you can patch and build mod_ssl yourself by following these steps:

% curl -O http://www.justatheory.com/computers/os/macosx/mod_ssl_dylib.patch
% cd mod_ssl-2.8.12-1.3.27
% patch -p0 < ../mod_ssl_dylib.patch
% ./configure --with-apache=../apache_1.3.27
% cd ..

Using the trusty curl utility, I download the mod_ssl patch; I then change into the mod_ssl source directory and use patch to apply the patch. The patch is fortunately trivial, simply updating the mod_ssl configuration to properly find the Mac OS X OpenSSL libraries. I then configure mod_ssl using the --with-apache option so that mod_ssl can do its thing with the Apache sources.
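The version-pairing rule described in this section can be checked mechanically before running mod_ssl's configure. The following is an added example, not part of the original article or of mod_ssl; the function names are hypothetical, and it assumes the Apache tree keeps its unpacked name (apache_1.3.27) and that you run it in a POSIX shell such as sh or bash rather than tcsh.

```sh
#!/bin/sh
# Added example (not from the article): confirm that a mod_ssl tarball or
# directory name targets the Apache source tree you are about to build.

# Print the Apache version encoded in a mod_ssl name, for example
# mod_ssl-2.8.12-1.3.27.tar.gz -> 1.3.27. Fails on any other name shape.
modssl_apache_version() {
    name=$(basename "$1")
    name=${name%.tar.gz}
    case "$name" in
        mod_ssl-*-*) ;;
        *) return 1 ;;
    esac
    ver=${name##*-}                  # text after the last hyphen
    case "$ver" in
        ''|*[!0-9.]*) return 1 ;;    # digits and dots only
    esac
    printf '%s\n' "$ver"
}

# Print the version from an Apache source directory name (apache_1.3.27 -> 1.3.27).
apache_dir_version() {
    name=$(basename "$1")
    case "$name" in
        apache_[0-9]*) printf '%s\n' "${name#apache_}" ;;
        *) return 1 ;;
    esac
}

# Status 0 on a match, 1 on a mismatch, 2 when a name cannot be parsed.
check_pairing() {
    want=$(modssl_apache_version "$1") || { echo "unrecognized mod_ssl name: $1" >&2; return 2; }
    have=$(apache_dir_version "$2") || { echo "unrecognized Apache dir: $2" >&2; return 2; }
    if [ "$want" != "$have" ]; then
        echo "mismatch: mod_ssl targets Apache $want, tree is $have" >&2
        return 1
    fi
    echo "ok: mod_ssl and Apache tree are both $have"
}

# Names as used in this article; only the names are parsed, no files are read.
check_pairing mod_ssl-2.8.12-1.3.27.tar.gz ../apache_1.3.27
```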

Security-conscious developers should be aware that Mac OS X's OpenSSL suffers from the same drawback as other Apple-supplied libraries: it tends to quickly become out-of-date. As of this writing, for example, the OpenSSL libraries included with Mac OS X 10.2.2 are at version 0.9.6e:

% openssl version
OpenSSL 0.9.6e 30 Jul 2002

Meanwhile, the current release of OpenSSL is 0.9.6g (with 0.9.7 in beta testing). Since new releases of OpenSSL generally address security issues, you may wish to download and build the latest release of OpenSSL, anyway. In most development environments, this isn't a serious issue. But if you plan to put your Mac OS X-based Apache/mod_ssl server into production in a public environment where security is of paramount concern, I recommend that you use the latest OpenSSL libraries. Fortunately, doing so is straightforward, if time-consuming:

% curl -O http://www.openssl.org/source/openssl-0.9.6g.tar.gz
% tar zxvf openssl-0.9.6g.tar.gz
% cd openssl-0.9.6g
% ./config
% make
% make test
% sudo make install
% cd ..

Following the usual download and unpacking of the tarball, I run config with no arguments, and then run make to build OpenSSL. This will take a fairly long time, as OpenSSL is a large and complex set of libraries. On the other hand, the make test and make install commands are actually optional; Apache/mod_ssl just needs to be able to find the OpenSSL libraries in the OpenSSL source directory; they don't have to be installed. Also, be aware that make test will fail, as some of the tests are broken on Mac OS X. This issue has been addressed in the 0.9.7 beta release of OpenSSL.

Building Apache

Of course the last step is to build Apache itself. Before doing so, we'll need to set some environment variables so that it can find the OpenSSL and optional MM libraries.

% setenv SSL_BASE SYSTEM
% setenv EAPI_MM ../mm-1.2.1

The first environment variable we set, SSL_BASE, tells the Apache/mod_ssl configuration process where to find the OpenSSL library files. We set it to "SYSTEM" as a way of telling configure to find the OpenSSL library files where they have been installed as part of the operating system. If you've compiled OpenSSL yourself, you'll need to set the SSL_BASE environment variable to point to the location of the OpenSSL source directory, instead:

% setenv SSL_BASE ../openssl-0.9.6g

The second environment variable simply tells the Apache/mod_ssl configuration process where to find the MM library files. If you opted not to use MM to optimize the performance of mod_ssl, then simply omit this environment variable.

The above syntax assumes that you're using the tcsh shell, which is the default command interpreter on Mac OS X. If you're using bash or zsh instead of tcsh, you'll need to set the environment variables with the export command:

% export SSL_BASE=SYSTEM
% export EAPI_MM=../mm-1.2.1

If you're not sure what shell you're using, type the command echo $SHELL to find out.
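The choice between SSL_BASE=SYSTEM and a self-built OpenSSL tree comes down to comparing the system's version banner against the release you consider the minimum, as in the 0.9.6e versus 0.9.6g case above. The following POSIX shell sketch is an added example, not from the original article; its function names are hypothetical, and it generalizes slightly by handling any three-part version with an optional patch letter while rejecting beta strings.

```sh
#!/bin/sh
# Added example, not from the article: choose SSL_BASE from the OpenSSL version.

# "OpenSSL 0.9.6e 30 Jul 2002" -> "0.9.6e"
banner_version() {
    case "$1" in "OpenSSL "*) ;; *) return 1 ;; esac
    rest=${1#OpenSSL }
    printf '%s\n' "${rest%% *}"
}

# "0.9.6e" -> sortable key "000000090006e"; rejects betas and other shapes.
version_key() {
    letter=${1##*[0-9]}              # trailing patch letter, may be empty
    nums=${1%"$letter"}
    case "$letter" in ''|[a-z]) ;; *) return 1 ;; esac
    case "$nums" in ''|*[!0-9.]*|*..*|.*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $nums; IFS=$old_ifs
    [ $# -eq 3 ] || return 1
    printf '%04d%04d%04d%s\n' "$1" "$2" "$3" "$letter"
}

# version_lt A B: status 0 if A is older than B, 1 if not, 2 if unparseable.
version_lt() {
    a=$(version_key "$1") || return 2
    b=$(version_key "$2") || return 2
    [ "$a" != "$b" ] || return 1
    first=$(printf '%s\n%s\n' "$a" "$b" | LC_ALL=C sort | head -n 1)
    [ "$first" = "$a" ]
}

# Print the SSL_BASE value: SYSTEM if the banner's version is at least MIN,
# otherwise SRC_DIR (a self-built tree such as the article's ../openssl-0.9.6g).
choose_ssl_base() {   # usage: choose_ssl_base BANNER MIN SRC_DIR
    sys=$(banner_version "$1") || return 2
    rc=0; version_lt "$sys" "$2" || rc=$?
    case $rc in
        0) printf '%s\n' "$3" ;;
        1) printf '%s\n' SYSTEM ;;
        *) echo "cannot compare '$sys' with '$2'" >&2; return 2 ;;
    esac
}

# Banner copied from the article's Mac OS X 10.2.2 output; use "$(openssl version)" live.
banner='OpenSSL 0.9.6e 30 Jul 2002'
echo "export SSL_BASE=$(choose_ssl_base "$banner" 0.9.6g ../openssl-0.9.6g)"
```

A banner the function cannot parse, such as a beta release string, returns status 2 so that the decision is made by hand instead of defaulting to either library.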

At last we're ready to configure and build Apache. Here are the commands to do it:

% ./configure \
  --with-layout=Apache \
  --enable-module=so \
  --enable-module=ssl \
  --enable-shared=ssl \
  --activate-module=src/modules/perl/libperl.a \
  --disable-shared=perl \
  --without-execstrip
% make

Apache's configure uses quite a number of options. As I mentioned in part one, the --with-layout=Apache option sets up Apache to be installed with its usual file system layout. The --enable-module=so option enables dynamically-loadable library support, while --enable-module=ssl and --enable-shared=ssl enable mod_ssl as a dynamically-loadable module. If you'd rather have mod_ssl statically compiled into Apache, omit the --enable-shared=ssl option. The --activate-module=src/modules/perl/libperl.a and --disable-shared=perl options activate mod_perl as a statically compiled module. I include these options here for parity with part one of this article; if you opted to build Apache without mod_perl (why would you want to do that?), then omit these two options. And finally, the --without-execstrip option is once again required on Mac OS X to prevent the Apache binary from being stripped. The make command of course compiles Apache.
