Install Apache 2.4 from source with openssl and PFS

Quick overview of how to install Apache from source on Debian Wheezy, including the latest openssl, to achieve perfect forward secrecy with modern browsers.

With the Heartbleed incident in mind there's good reason to build Apache with the latest openssl available - from source. This way we are able to implement the best possible Forward Secrecy when it comes to SSL encryption for HTTPS connections.

With the setup described below I was able to achieve an A-rating via https://ssllabs.com/ssltest.

How to do it:

Create the user who'll be used as the daemon user:

adduser --disabled-login apache

Download the latest:

Needed additional libraries for your build:

  • libpcre3-dev

Prepare the build environment:

aptitude install gcc libc6-dev libssl-dev \
libbz2-dev autoconf \
libpcre3-dev

Openssl

Before we go for Apache, we have to install openssl first. Download the latest from http://www.openssl.org/source/

cd /usr/src
tar xzf ~/openssl-1.0.1g.tar.gz
chown -R root.root openssl-1.0.1g

My configure-script for openssl (run from /usr/src, where the tarball was extracted):

#!/bin/bash
set -e

VER=1.0.1g

cd /usr/src/openssl-${VER}
# Install into a versioned prefix under /opt so the distribution's openssl stays
# untouched and Apache can be pointed at exactly this build (--with-ssl below).
./config --prefix=/opt/openssl-${VER} --openssldir=/opt/openssl-${VER}
# Then build and install into that prefix:
make && make install

Apache

Extract apr and apr-util into their place inside the httpd source tree (the httpd version here must match APACHEVER in the configure-script below):

mkdir -p /usr/src/apache
cd /usr/src/apache
tar xjf ~/httpd-2.4.9.tar.bz2
cd httpd-2.4.9/srclib
tar xjf ~/apr-1.5.0.tar.bz2
tar xjf ~/apr-util-1.5.3.tar.bz2
# --with-included-apr expects the sources under srclib/apr and srclib/apr-util
ln -s apr-1.5.0 apr
ln -s apr-util-1.5.3 apr-util
cd ..
chown -R root.root *

My configure-script in /usr/src/apache:

#!/bin/bash
set -e

APACHEVER=2.4.9
OPENSSLVER=1.0.1g   # the openssl built above; must match its install prefix

cd httpd-${APACHEVER}
# --with-ssl points at the openssl built above; --enable-mods-static=ssl and
# --enable-ssl-staticlib-deps compile mod_ssl into the httpd binary against
# that openssl instead of the distribution's libssl.
./configure --prefix=/opt/httpd-${APACHEVER} \
--with-included-apr \
--disable-userdir \
--enable-status \
--disable-include \
--enable-rewrite \
--enable-so \
--enable-mpms-shared \
--with-mpm=prefork \
--enable-deflate \
--enable-headers \
--enable-expires \
--with-ssl=/opt/openssl-${OPENSSLVER} \
--enable-ssl-staticlib-deps \
--enable-mods-static=ssl

This configure builds Apache with the (old-style) prefork MPM as the default MPM, built as a loadable module, and with mod_ssl linked statically against the openssl built above.

cd httpd-2.4.9
make -j4 && make install

Make sure the mpm-prefork is enabled in your config file:

httpd.conf
[...]

#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#
LoadModule mpm_prefork_module modules/mod_mpm_prefork.so

[...]

httpd-ssl.conf has to be tweaked; these are the essential changes:

httpd-ssl.conf
[...]
 
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 3DES +3DES !aNULL !eNULL !LOW !MD5 !EXP"
 
SSLProtocol all -SSLv2
SSLHonorCipherOrder On
SSLCompression Off
 
[...]
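As an added check (example code written for this page, not part of the original guide or of Apache): a small linter that reads the four directives above from an httpd-ssl.conf fragment and reports what a scanner such as SSL Labs would hold against them. The sample configuration embedded in it is constructed from the values above; the cipher-string rules it applies ('!' removes permanently, '-' removes until re-added, '+' only reorders, a '+' inside a token means "and") are OpenSSL's, while the keyword sets, the expansion of 'all' and the function names are this example's assumptions.

```python
"""Lint the forward-secrecy directives of an httpd-ssl.conf fragment.

Example code added to this page (not from the guide or from Apache). The
sample configuration below is constructed from the guide's own values; the
keyword sets and function names are this example's assumptions.
"""
import re

# Constructed sample: the four directives exactly as the guide sets them.
SAMPLE_SSL_CONF = """
[...]
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 3DES +3DES !aNULL !eNULL !LOW !MD5 !EXP"
SSLProtocol all -SSLv2
SSLHonorCipherOrder On
SSLCompression Off
[...]
"""

# Key-exchange keywords that give forward secrecy (ephemeral (EC)DH) in an
# OpenSSL cipher string. Assumption: this list, not a complete OpenSSL table.
FS_KEYWORDS = {"EECDH", "ECDHE", "kEECDH", "EDH", "DHE", "kEDH"}
# Keywords that select ciphers a modern configuration should not offer.
WEAK_KEYWORDS = {"RC4", "3DES", "DES", "MD5", "EXP", "LOW", "NULL", "aNULL", "eNULL"}
# Assumption: what 'all' expands to in SSLProtocol for httpd 2.4 on OpenSSL 1.0.1.
ALL_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}


def parse_directives(text):
    """Map directive name -> value for every 'Name value' line; the last one wins, as in httpd."""
    found = {}
    for line in text.splitlines():
        match = re.match(r"(\w+)\s+(.*)", line.strip())
        if match and not line.lstrip().startswith("#"):
            found[match.group(1)] = match.group(2).strip().strip('"')
    return found


def analyze_cipher_suite(spec):
    """Classify the tokens of an OpenSSL cipher string.

    Tokens are separated by ':', ',' or spaces. A leading '!' removes the
    matching ciphers permanently, '-' removes them until re-added and '+'
    only moves already selected ciphers to the end, so none of those three
    add anything. A '+' inside a token (EECDH+aRSA+AESGCM) means 'and'.
    """
    tokens = [t for t in re.split(r"[\s,:]+", spec) if t]
    non_fs, weak = [], []
    for token in tokens:
        if token[0] in "!-+":
            continue
        parts = set(token.split("+"))
        if parts & WEAK_KEYWORDS:
            weak.append(token)
        if not parts & FS_KEYWORDS:
            non_fs.append(token)
    return {"tokens": tokens, "non_fs": non_fs, "weak": weak}


def analyze_protocols(spec):
    """Expand an SSLProtocol value into the set of protocol versions it enables."""
    enabled = set()
    for token in spec.split():
        if token.lower() == "all":
            enabled |= ALL_PROTOCOLS
        elif token.startswith("-"):
            enabled.discard(token[1:])
        else:
            enabled.add(token.lstrip("+"))
    return enabled


def lint_ssl_conf(text):
    """Return a list of findings for the directives the guide edits."""
    conf = parse_directives(text)
    findings = []
    for old in ("SSLv2", "SSLv3"):
        if old in analyze_protocols(conf.get("SSLProtocol", "all")):
            findings.append("SSLProtocol: %s is still enabled" % old)
    ciphers = analyze_cipher_suite(conf.get("SSLCipherSuite", ""))
    if ciphers["non_fs"]:
        findings.append("SSLCipherSuite: tokens without forward secrecy: " + ", ".join(ciphers["non_fs"]))
    if ciphers["weak"]:
        findings.append("SSLCipherSuite: tokens adding weak ciphers: " + ", ".join(ciphers["weak"]))
    if conf.get("SSLHonorCipherOrder", "").lower() != "on":
        findings.append("SSLHonorCipherOrder: not On, so the client picks the cipher")
    if conf.get("SSLCompression", "").lower() != "off":
        findings.append("SSLCompression: not explicitly Off (TLS compression enables CRIME)")
    return findings


if __name__ == "__main__":
    for finding in lint_ssl_conf(SAMPLE_SSL_CONF) or ["no findings"]:
        print(finding)
```

Run against the guide's values it reports that 'all -SSLv2' still leaves SSLv3 enabled and that the bare RC4 and 3DES tokens add cipher suites without forward secrecy (the EECDH+aRSA+RC4 token keeps forward secrecy but still offers RC4). Those entries are the compatibility trade-off the closing remark below talks about, so the value of the check is knowing exactly which lines of the configuration carry it.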

As this guide is somewhat quick and dirty in terms of background information I would suggest going further to improve your understanding:

Achieving an A(+) rating and locking out 30% of your potential visitors because you don't have the right cipher suites configured isn't really clever.

Anything you're missing?
Feel free to leave your comments below - or contact me via Twitter: @T_Baecker
I'll do my best to improve this guide.

apache/installation.txt · Last modified: 2016-03 by tb