An Optional Install
Now it's time to get busy. First, you might want to consider installing MM. This library, by mod_ssl author Ralf S. Engelschall, allows mod_ssl to share memory between forked Apache child processes, thereby optimizing the performance of mod_ssl. However, mod_ssl doesn't require MM to work; without MM, mod_ssl will use disk files to share data between Apache processes, an approach that works fine in a development environment. Unless optimal mod_ssl performance is mandatory, you needn't install MM. But if you do need MM or want it, it is fortunately easy to build and install on Mac OS X.
% curl -O ftp://ftp.ossp.org/pkg/lib/mm/mm-1.2.1.tar.gz
% tar zxvf mm-1.2.1.tar.gz
% cd mm-1.2.1
% ./configure --disable-shared
% make
% cd ..
Once I download the MM sources and untar them, as usual (check the MM site for the latest release), I change into the new directory and configure MM. The INSTALL file recommends the use of the --disable-shared option to simplify installation. Once configure has found all the data it needs, make quickly compiles the needed library files. There's no need to install, as we'll be telling Apache's configure to find the sources so that it can link them in.
Next we need to download and configure mod_ssl. You must be careful to
select the proper version of mod_ssl, as each is specific to a release of
the Apache Web server. Thus the mod_ssl source tarball has two version
numbers in its file name. For example, the tarball I'm using for this article is
mod_ssl-2.8.12-1.3.27.tar.gz; note the two
separate version numbers, "2.8.12" and "1.3.27". The
first is the version number for mod_ssl itself. You'll generally want to
download the latest version in order to take advantage of the latest bug
fixes and security updates. The second number is the Apache version
number. This number must be the same as the version of Apache
you're building. Since I'm using Apache version 1.3.27 here, I've
downloaded the latest version of mod_ssl with "1.3.27" as its
second version number. Check the mod_ssl
web site for the latest version relevant to the version of Apache
% curl -O http://www.modssl.org/source/mod_ssl-2.8.12-1.3.27.tar.gz
% tar zxvf mod_ssl-2.8.12-1.3.27.tar.gz
Once again, I take the familiar approach to downloading and unpacking the mod_ssl tarball. But we need to make one more special change before we follow through on the configuration of mod_ssl.
In the past people who wanted to build Apache with mod_ssl had to first download, configure, and build OpenSSL. But since Apple already includes OpenSSL with Mac OS X, I was once again motivated in the process of writing this article to determine how to get mod_ssl to use the Apple-supplied OpenSSL library. After a bit of investigation, I figured out where the problem was and created a very simple patch to fix it. I then submitted the patch to the mod_ssl development community, so it may well be fixed in a future version of mod_ssl. In the meantime, you can patch and build mod_ssl yourself by following these steps:
% curl -O http://www.justatheory.com/computers/os/macosx/mod_ssl_dylib.patch
% cd mod_ssl-2.8.12-1.3.27
% patch -p0 < ../mod_ssl_dylib.patch
% ./configure --with-apache=../apache_1.3.27
% cd ..
Using the trusty
curl utility, I download the mod_ssl
patch; I then change into the mod_ssl source directory and use
patch to apply the patch. The patch is fortunately trivial,
simply updating the mod_ssl configuration to properly find the Mac OS X
OpenSSL libraries. I then configure mod_ssl using the
--with-apache option so that mod_ssl can do its thing with
the Apache sources.
Security-conscious developers should be aware that Mac OS X's OpenSSL suffers from the same drawback as other Apple-supplied libraries: it tends to quickly become out-of-date. As of this writing, for example, the OpenSSL libraries included with Mac OS X 10.2.2 are at version 0.9.6e:
% openssl version
OpenSSL 0.9.6e 30 Jul 2002
Meanwhile, the current release of OpenSSL is 0.9.6g (with 0.9.7 in beta testing). Since new releases of OpenSSL generally address security issues, you may wish to download and build the latest release of OpenSSL, anyway. In most development environments, this isn't a serious issue. But if you plan to put your Mac OS X-based Apache/mod_ssl server into production in a public environment where security is of paramount concern, I recommend that you use the latest OpenSSL libraries. Fortunately, doing so is straightforward, if time-consuming:
% curl -O http://www.openssl.org/source/openssl-0.9.6g.tar.gz
% tar zxvf openssl-0.9.6g.tar.gz
% cd openssl-0.9.6g
% ./config
% make
% make test
% sudo make install
% cd ..
Following the usual download and unpacking of the tarball, I run config with no arguments, and then run make to build OpenSSL. This will take a fairly long time, as OpenSSL is a large and complex set of libraries. On the other hand, the make test and make install commands are actually optional; Apache/mod_ssl just needs to be able to find the OpenSSL libraries in the OpenSSL source directory; they don't have to be installed. Also, be aware that make test will fail, as some of the tests are broken on Mac OS X. This issue has been addressed in the 0.9.7 beta release of OpenSSL.
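Both version constraints described above (the Apache version embedded in the mod_ssl tarball name, and the age of the OpenSSL that will be linked in) can be checked before building. The sh script below is an added example, not part of the original article or of mod_ssl; its function names are hypothetical, and it assumes OpenSSL version strings of the form shown above: three numbers plus at most one trailing patch letter.

```shell
#!/bin/sh
# Added example: pre-build version checks. Function names are hypothetical.

# Print the Apache version embedded in a mod_ssl tarball name,
# e.g. mod_ssl-2.8.12-1.3.27.tar.gz -> 1.3.27 (status 1 if the name is malformed).
modssl_apache_version() {
    name=${1##*/}; name=${name%.tar.gz}
    case $name in mod_ssl-*-*) ;; *) return 1 ;; esac
    printf '%s\n' "${name##*-}"
}

# Succeed only if tarball $1 targets the Apache source directory $2.
modssl_matches_apache() {
    want=$(modssl_apache_version "$1") || return 2
    dir=${2%/}; dir=${dir##*/}
    [ "$dir" = "apache_$want" ]
}

# Map an OpenSSL version such as 0.9.6e to a comparable integer (90605).
# Assumes three numeric fields and at most one trailing patch letter.
openssl_key() {
    letter=${1##*[0-9]}; nums=${1%"$letter"}
    case $letter in ''|[a-z]) ;; *) return 1 ;; esac
    case $nums in ''|*[!0-9.]*|.*|*..*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $nums; IFS=$old_ifs
    [ $# -eq 3 ] || return 1
    idx=0
    if [ -n "$letter" ]; then idx=$(( $(printf '%d' "'$letter") - 96 )); fi
    echo $(( (($1 * 100 + $2) * 100 + $3) * 100 + idx ))
}

# Succeed if the `openssl version` output in $1 reports at least version $2.
openssl_at_least() {
    have=${1#OpenSSL }; have=${have%% *}
    have_key=$(openssl_key "$have") || return 2
    want_key=$(openssl_key "$2") || return 2
    [ "$have_key" -ge "$want_key" ]
}

# Demo with the values quoted in the article.
modssl_matches_apache mod_ssl-2.8.12-1.3.27.tar.gz ../apache_1.3.27 \
    && echo "mod_ssl tarball matches the Apache source tree"
if openssl_at_least "OpenSSL 0.9.6e 30 Jul 2002" 0.9.6g; then
    echo "system OpenSSL is at least 0.9.6g"
else
    echo "system OpenSSL is older than 0.9.6g"
fi
```

In a real build, pass the live output as `openssl_at_least "$(openssl version)" 0.9.6g` and stop before configuring Apache if either check fails.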
Of course the last step is to build Apache itself. Before doing so, we'll need to set some environment variables so that it can find the OpenSSL and optional MM libraries.
% setenv SSL_BASE SYSTEM
% setenv EAPI_MM ../mm-1.2.1
The first environment variable we set,
SSL_BASE, tells the
Apache/mod_ssl configuration process where to find the OpenSSL library
files. We set it to "SYSTEM" as a way of telling configure to
find the OpenSSL library files where they have been installed as part of
the operating system. If you've compiled OpenSSL yourself, you'll need to
set the SSL_BASE environment variable to point to the
location of the OpenSSL source directory, instead:
% setenv SSL_BASE ../openssl-0.9.6g
The second environment variable simply tells the Apache/mod_ssl configuration process where to find the MM library files. If you opted not to use MM to optimize the performance of mod_ssl, then simply omit this environment variable.
The above syntax assumes that you're using the tcsh shell, which is the default command interpreter on Mac OS X. If you're using zsh instead of tcsh, you'll need to set the environment variables with the export command:
% export SSL_BASE=SYSTEM
% export EAPI_MM=../mm-1.2.1
If you're not sure what shell you're using, type the command echo $SHELL to find out.
At last we're ready to configure and build Apache. Here are the commands to do it:
% ./configure \
    --with-layout=Apache \
    --enable-module=so \
    --enable-module=ssl \
    --enable-shared=ssl \
    --activate-module=src/modules/perl/libperl.a \
    --disable-shared=perl \
    --without-execstrip
% make
configure uses quite a number of options. As I mentioned in part one, the --with-layout=Apache option sets up Apache to be installed with its usual file system layout. The --enable-module=so option enables dynamically-loadable library support, while --enable-module=ssl and --enable-shared=ssl enable mod_ssl as a dynamically-loadable module. If you'd rather have mod_ssl statically compiled into Apache, omit the --enable-shared=ssl option. The --activate-module=src/modules/perl/libperl.a and --disable-shared=perl options activate mod_perl as a statically compiled module. I include these options here for parity with part one of this article; if you opted to build Apache without mod_perl (why would you want to do that?), then omit these two options. And the --without-execstrip option is once again required on Mac OS X to prevent the Apache binary from being stripped. The make command of course compiles Apache.