Build Your Own Apache Server with mod_perl and mod_ssl
by David Wheeler
In part one of this article I discussed some of the issues with Mac OS X's default Apache install, and how we can get around those issues through the tried-and-true approach of compiling Apache yourself. Now I'd like to go back and guide you through the process of including support for mod_ssl in your custom build of Apache.
mod_ssl is an Apache module that provides cryptographically secure connections via the Secure Sockets Layer (SSL). Any time you connect to a site and the lock icon in your browser's status bar is active, the browser has established an SSL connection to the server. Most often, the connection scheme in the URL changes from "http" to "https", for secure hypertext transport protocol. Just about any site providing commerce transactions provides SSL connectivity for sending credit card numbers and such; you would be well advised to steer clear of those that don't.
The upshot is that SSL support is a necessity for serious Internet developers, so it makes sense to add SSL to our custom-built Apache Web server. For those who use Apple's default Apache, you can use the Apache-SSL library, libssl, which is included as a dynamically loadable module. See Kevin Hemenway's "Apache Web-Serving with Mac OS X, Part 6" for some tips on using Apple's Apache modules. Of course, the same caveats I mentioned in part one of this article still apply. So for those who want to take advantage of a custom-built Apache Web server, follow me!
If you followed the instructions in part one, we can pick up right where we left off. We'll just be adding more to the sources and compiling Apache again. The work we did last time won't get in the way, and you don't have to start over from scratch.
But you may want to consider doing so anyway, as there has been a new release of Apache since part one of this article was published. Version 1.3.27 addresses three security vulnerabilities and features numerous bug fixes and new or improved features. See the Apache release announcement for a complete list of recent changes. I will be using Apache version 1.3.27 in all of the examples in this article.
If you haven't read part one, please do so now. To save time, you can follow all of the instructions through to the installation of mod_perl. Once you return here, we'll pick up at that point to compile Apache with mod_perl and some other goodies.
A Fix for DBM Support
At this point, you should have Perl installed per Apple's instructions, downloaded and unpacked Apache in /usr/local, and configured and installed mod_perl (although in truth, if you don't want or need mod_perl support, you can just download the Apache sources and start from there). We have one minor task to get out of the way before we start configuring mod_ssl and that's to patch Apache.
If you've done this before, you'll be familiar with the headaches of getting it to work with Berkeley DB, also known as DBM. DBM is a lightweight database library required by mod_ssl and included with Mac OS X. However, an attempt to configure Apache with mod_ssl would fail with errors such as this:
/usr/bin/ld: can't locate file for: -ldbm
The apparent solution to this problem was to install GDBM, the GNU DBM library, and go from there. The problem was that other applications seemed to find and link in Apple's DBM without problem. Take Perl 5.8.0, for example. When running its test suite, Mac OS X users will see this message:
ext/DB_File/t/db-btree...............#
# This test is known to crash in Mac OS X versions 10.1.5 (or earlier)
# because of the buggy Berkeley DB version included with the OS.
#
FAILED at test 0
Although it was a "buggy" DBM, at least Perl could find it. Apache with mod_ssl, it seemed, could not. But plans to write this article motivated me to chase the problem down, and thanks to the assistance of my colleagues on the firstname.lastname@example.org mail list, and especially Ken Williams, I traced the problem to a setting in Apache's Configure file. The fix is quite simple, and has been reported to the Apache project, as well as to Apple (Radar #3109002). It may well be fixed in a future release of Apache or of the Apple compiler. In the meantime, I've posted the fix on my web site, and now we need to apply
% curl -O http://david.wheeler.net/macosx/apache_dbm.patch
% cd apache_1.3.27
% patch -p0 < ../apache_dbm.patch
% cd ..
As in the first article, I use curl to download the patch. I then move into the Apache source code directory and use the patch program to apply the patch to the Apache sources. As with the apreq patch discussed in part one, the DBM patch modifies the Apache sources so that they will properly configure and compile with DBM support on Mac OS X.
In truth, the DBM bug that Perl's tests identify is relatively obscure, so using the Mac OS X DBM is fairly safe (and may well be fixed in a future Apple update). But if you're concerned about the bugginess of the Mac OS X DBM library, you can still install GDBM and use it. Ignore the patch above, and follow this procedure to install GDBM:
% curl -O ftp://ftp.gnu.org/gnu/gdbm/gdbm-1.8.3.tar.gz
% tar zxvf gdbm-1.8.3.tar.gz
% cd gdbm-1.8.3
% cp /usr/share/libtool/config* .
% ./configure
% make
% sudo make install
% sudo ln -s /usr/local/lib/libgdbm.a \
    /usr/local/lib/libdbm.a
% cd ..
Once I use curl to grab the GDBM source tarball (check the GNU FTP server for the latest release), I unpack it with tar and then move into the source directory. Next I copy Mac OS X's config.sub files into the GDBM source directory so that configure can find the resources it needs to build GDBM. On Mac OS X 10.1.x, copy /usr/libexec/config*, instead. Next, I build and install GDBM with ./configure, make, and sudo make install. The last step is the creation of a symlink. A symlink is like an Alias in the Macintosh Finder: it's another name for an existing file. In this case we create libdbm.a to point to libgdbm.a, since most applications (including Apache/mod_ssl) will look for DBM by that name.
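Both the DBM patch and the GDBM tarball above are fetched over plain HTTP or FTP and then fed to patch or to sudo make install. The following is an added example, not part of the original article: shell functions that check a download against a SHA-256 digest obtained through a separate trusted channel, and dry-run the patch before modifying the Apache tree. The function names and the digest placeholder are assumptions.

```shell
#!/bin/sh
# Added example: refuse to patch or build from a download whose SHA-256
# does not match a digest obtained out of band (placeholder below).

# Print a file's SHA-256 with whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# verify_download FILE EXPECTED_HEX -> 0 on exact match, 1 on mismatch,
# 2 if the file is missing. Hex case is ignored.
verify_download() {
    [ -f "$1" ] || { echo "missing: $1" >&2; return 2; }
    actual=$(sha256_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ] && return 0
    echo "digest mismatch for $1: got $actual" >&2
    return 1
}

# apply_verified_patch PATCH EXPECTED_HEX SRCDIR
# Checks the digest, then dry-runs the patch so a partial failure cannot
# leave the source tree half modified, and only then applies it.
apply_verified_patch() {
    verify_download "$1" "$2" || return 1
    patchfile=$(cd "$(dirname "$1")" && pwd)/$(basename "$1")
    ( cd "$3" &&
      patch -p0 --dry-run < "$patchfile" >/dev/null &&
      patch -p0 < "$patchfile" >/dev/null )
}

# Usage with the article's file names (digest is a placeholder):
#   apply_verified_patch apache_dbm.patch "<sha256-from-trusted-source>" apache_1.3.27
#   verify_download gdbm-1.8.3.tar.gz "<sha256-from-trusted-source>" && tar zxvf gdbm-1.8.3.tar.gz
```

The digest only helps if it comes from somewhere other than the server that delivered the file, for example a signed release announcement.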