Install Apache 2.2 with OpenSSL and Tomcat connector

Jephe Wu - http://linuxtechres.blogspot.com

Objective: install the latest versions of Apache, OpenSSL and the Tomcat connector to address known vulnerabilities
Environment: CentOS 4.4, use chroot configuration (/chroot)


Steps:
1. download the latest releases from the individual project websites:
httpd-2.2.15
openssl 1.0.0a
tomcat connector 1.2.30

2. install openssl 1.0.0a

if a previous version of openssl is already installed, rename /usr/local/ssl to /usr/local/ssl.version first, e.g.
cd /usr/local; mv ssl ssl.0.9.8d
cd openssl-1.0.0a
./config; make; make test; make install

note: all the files are installed under /usr/local/ssl. The default build produces static libraries only, so the httpd built in the next step links the OpenSSL code into mod_ssl; a later OpenSSL update therefore also needs httpd rebuilt.

3. install httpd 2.2.15
"./configure" \
"--prefix=/usr/local/apache2" \
"--enable-mods-shared=most ssl rewrite deflate headers expires mime-magic unique-id" \
"--with-ssl=/usr/local/ssl" \
"$@"

make;make install

note: Some basic Apache configuration in httpd.conf
LoadModule authz_host_module modules/mod_authz_host.so 

#note: without the line above, 'bin/apachectl configtest' (run from /usr/local/apache2) fails with:
#Syntax error on line 167 of /usr/local/apache2/conf/httpd.conf:
#Invalid command 'Order', perhaps misspelled or defined by a module not included in the server configuration

LoadModule deflate_module modules/mod_deflate.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule mime_module modules/mod_mime.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
Include conf/extra/httpd-default.conf


4. Tomcat connector installation
http://tomcat.apache.org/connectors-doc/

cd /home/jephe/apache2215/tomcat-connectors-1.2.30-src/native
./configure --with-apxs=/usr/local/apache2/bin/apxs
make
cd /home/jephe/apache2215/tomcat-connectors-1.2.30-src/native/apache-2.0
cp mod_jk.so /usr/local/apache2/modules/

add the following line next to the other LoadModule directives in /usr/local/apache2/conf/httpd.conf:

LoadModule jk_module modules/mod_jk.so


note:
1. the build instructions are at http://tomcat.apache.org/connectors-doc/webserver_howto/apache.html

5. Hardening apache

a. change conf/extra/httpd-default.conf
ServerSignature Off
ServerTokens Prod
MaxKeepAliveRequests 10000
TraceEnable off  => disables the HTTP TRACE method (cross-site tracing)

b. disable SSLv2 and weak ciphers

SSLCipherSuite ALL:!ADH:!EXPORT56:!RC4:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP:!eNULL

note: the "!SSLv2" entry only removes the SSLv2 cipher suites from the list; the protocol itself is turned off with the mod_ssl SSLProtocol directive (the 2.2 default of "all" still includes SSLv2, so it has to be taken out with "-SSLv2"). Verify the result with the Qualys test in step 6.
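To check that a configuration actually carries the step-5 settings before it goes live, here is an added example (mine, not part of the original post or of Apache's own tooling): a POSIX shell audit that reads the last uncommented value of each hardening directive from one config file and flags the weak ones. It goes one step beyond the post by also checking SSLProtocol, since the "!SSLv2" cipher-string entry alone does not disable the protocol. The two sample configs inside it are constructed for the demonstration, and the script assumes a flat file (it does not follow Include).

```shell
#!/bin/sh
# Added example, not from the original post: audit one Apache 2.2 config file
# for the step-5 hardening directives. Assumptions: Include is not followed,
# the last uncommented occurrence of a directive wins (as in Apache), and the
# two sample configs produced by make_sample_conf are constructed for the demo.

# Print the value of the last uncommented occurrence of directive $2 in file $1,
# lowercased; prints nothing when the directive is absent.
directive_value() {
    awk -v d="$2" '
        tolower($1) == tolower(d) {
            v = ""
            for (i = 2; i <= NF; i++) v = v (i > 2 ? " " : "") $i
        }
        END { print tolower(v) }
    ' "$1"
}

# SSLProtocol (lowercased value): unset means "all", which in 2.2 still
# includes SSLv2, so only an explicit "-sslv2" or a list without it passes.
sslprotocol_ok() {
    case " $1 " in
        "  ")              return 1 ;;   # unset
        *" -sslv2 "*)      return 0 ;;   # SSLv2 removed explicitly
        *" all "*|*sslv2*) return 1 ;;   # "all" without -SSLv2, or SSLv2 listed
        *)                 return 0 ;;   # explicit list such as "tlsv1"
    esac
}

# SSLCipherSuite (lowercased): must be set and must drop anonymous DH
# (no server authentication) and NULL encryption.
ciphersuite_ok() {
    [ -n "$1" ] || return 1
    case "$1" in *"!adh"*) ;; *) return 1 ;; esac
    case "$1" in *"!enull"*) ;; *) return 1 ;; esac
    return 0
}

# Audit file $1: prints one line per failed check, returns 1 if any failed.
audit_httpd_conf() {
    conf="$1" rc=0
    v=$(directive_value "$conf" ServerTokens)
    [ "$v" = "prod" ] || { echo "ServerTokens: want Prod, got '${v:-unset, defaults to Full}'"; rc=1; }
    v=$(directive_value "$conf" ServerSignature)
    [ "$v" = "off" ] || { echo "ServerSignature: want Off, got '${v:-unset}'"; rc=1; }
    v=$(directive_value "$conf" TraceEnable)
    [ "$v" = "off" ] || { echo "TraceEnable: want off, got '${v:-unset, defaults to on}'"; rc=1; }
    v=$(directive_value "$conf" SSLProtocol)
    sslprotocol_ok "$v" || { echo "SSLProtocol: SSLv2 still enabled, got '${v:-unset, defaults to all}'"; rc=1; }
    v=$(directive_value "$conf" SSLCipherSuite)
    ciphersuite_ok "$v" || { echo "SSLCipherSuite: ADH or NULL ciphers allowed, got '${v:-unset}'"; rc=1; }
    return $rc
}

# Constructed samples: "weak" is roughly a stock 2.2 config with SSL switched
# on, "hardened" applies step 5 plus SSLProtocol.
make_sample_conf() {
    case "$1" in
    weak) cat <<'EOF'
ServerTokens Full
ServerSignature On
#TraceEnable off
SSLEngine on
SSLProtocol all
SSLCipherSuite ALL
EOF
    ;;
    hardened) cat <<'EOF'
ServerTokens Prod
ServerSignature Off
TraceEnable off
SSLEngine on
SSLProtocol all -SSLv2
# server picks from its own list first (2.2 directive, not audited above)
SSLHonorCipherOrder on
SSLCipherSuite ALL:!ADH:!EXPORT56:!RC4:+HIGH:+MEDIUM:!LOW:!SSLv2:!EXP:!eNULL
EOF
    ;;
    esac
}

# Demo on the constructed samples; on a real host run
# audit_httpd_conf /usr/local/apache2/conf/extra/httpd-default.conf instead.
demo() {
    tmp=$(mktemp -d) || return 1
    make_sample_conf weak > "$tmp/weak.conf"
    make_sample_conf hardened > "$tmp/hardened.conf"
    echo "== weak.conf";     audit_httpd_conf "$tmp/weak.conf"
    echo "== hardened.conf"; audit_httpd_conf "$tmp/hardened.conf" && echo "all checks passed"
    rm -rf "$tmp"
}
```

Run each file that Apache includes through audit_httpd_conf separately (httpd.conf, conf/extra/httpd-default.conf and the SSL virtual host file), then confirm the protocol result externally with the Qualys test from step 6.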


c. put into chroot environment

new method: use the chroot support built into Apache 2.2
Since Apache 2.2.10 the Unix MPMs support chroot directly: put "ChrootDir /path" in httpd.conf and start Apache as root, and it chroots to /path after startup. In this setup the content comes from Tomcat through mod_jk, so nothing has to be created under /path; anything Apache opens after the chroot (static files under DocumentRoot, CGI programs, files a module opens at request time) must exist inside it.

startup Apache with command /usr/local/apache2/bin/apachectl start

Advantage: simpler chroot configuration (Apache 2.2.10 and above only); it works with cronolog.
Disadvantage: it doesn't work with the Cognos web gateway, got 'internal server error'. Also, when I tried to use Redirect index.html https://domain/path/to in the Apache virtual host configuration, it doesn't work; I had to change it to RewriteRule ^/$ https://domain/path/to to make this kind of redirection work.

old method: manual chroot settings
search for 'chroot apache'; two writeups are at
http://www.faqs.org/docs/securing/chap29sec254.html
http://www.linux.com/archive/articles/36331

change the start command in the /etc/init.d/apache script from $HTTPD
to /usr/sbin/chroot /chroot $HTTPD
note: we use /chroot as the chroot directory. Everything httpd needs after the chroot must be copied under it: httpd itself, its modules and the shared libraries they need, cronolog and any other piped-log program, /dev/null and the /etc files used for user and host lookups, plus the log directories.

[root@web1 conf]# ls /chroot
dev  etc  lib  opt  usr  var


note: according to my test, when you use manual chroot with cronolog you hit the problem that Apache cannot find the path of cronolog, so Apache cannot start up.


Advantage: Apache 2.0 works with both cronolog and the Cognos web gateway.
Disadvantage: configuration is a bit difficult. Apache 2.2 doesn't work with this kind of chroot if you are using cronolog; I have not tried the Cognos web gateway, but I don't think it works either, because when I was testing cronolog it could not find the program path.
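The cronolog failure above is the usual manual-chroot problem: once httpd is inside /chroot, any program it executes and every shared library that program loads must exist at the same path inside the jail. As an added example (mine, not from the original post), the following POSIX shell functions copy a program and its ldd-reported dependencies into a jail and report what is still missing. The jail path and program names in the usage comments are assumptions taken from the post's layout; ldd(1) is assumed to be available, and filling a real /chroot needs root.

```shell
#!/bin/sh
# Added example, not from the original post: populate a manual chroot (the post
# uses /chroot) with a program and the shared libraries it needs, so that a
# program httpd executes after chroot(2), such as cronolog for piped logs, is
# found and loads inside the jail. Assumptions: ldd(1) is available, programs
# are given as absolute paths, and filling a real /chroot is done as root.

# Print the absolute paths of the shared objects $1 depends on, one per line.
# A static binary ("not a dynamic executable") or a missing file yields nothing.
shared_deps() {
    ldd "$1" 2>/dev/null | awk '
        /=>/ && $3 ~ /^\// { print $3 }   # "libc.so.6 => /lib/libc.so.6 (0x...)"
        !/=>/ && $1 ~ /^\// { print $1 }  # "/lib64/ld-linux-x86-64.so.2 (0x...)"
    '
}

# Copy file $2 into jail $1 at the same absolute path. cp follows symlinks,
# so the jail gets the real library, and keeps the mode bits.
copy_into_chroot() {
    mkdir -p "$1$(dirname "$2")" && cp "$2" "$1$2"
}

# Install program $2 and its libraries (plus ld.so.cache, if the host has one,
# so the loader resolves names the same way inside the jail) under $1.
install_into_chroot() {
    root="$1" prog="$2"
    case "$prog" in
        /*) ;;
        *)  echo "install_into_chroot: need an absolute path, got '$prog'" >&2; return 1 ;;
    esac
    copy_into_chroot "$root" "$prog" || return 1
    for lib in $(shared_deps "$prog"); do
        copy_into_chroot "$root" "$lib" || return 1
    done
    if [ -f /etc/ld.so.cache ]; then
        copy_into_chroot "$root" /etc/ld.so.cache || return 1
    fi
    return 0
}

# List what jail $1 still lacks for program $2; the return value is the number
# of missing files, so 0 means the program and all its libraries are present.
missing_in_chroot() {
    root="$1" prog="$2" n=0
    for f in "$prog" $(shared_deps "$prog"); do
        if [ ! -e "$root$f" ]; then
            echo "missing: $root$f"
            n=$((n + 1))
        fi
    done
    return $n
}

# Usage following the post's layout (run as root); the paths are assumptions:
#   install_into_chroot /chroot /usr/local/sbin/cronolog
#   install_into_chroot /chroot /usr/local/apache2/bin/httpd
#   for m in /usr/local/apache2/modules/*.so; do install_into_chroot /chroot "$m"; done
#       (DSO modules are dlopened, so "ldd httpd" does not list them or their libraries)
#   missing_in_chroot /chroot /usr/local/sbin/cronolog && echo "cronolog ready"
# /dev/null, the /etc files for user and host lookups and the log directories
# cronolog writes to must also exist under /chroot before the init script runs
# /usr/sbin/chroot /chroot /usr/local/apache2/bin/httpd.
```

Running missing_in_chroot for httpd, every module and cronolog before the first start turns the "cannot find the path of cronolog" startup failure into a list of files to copy.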

6. testing Apache configuration
a.  syntax test
cd /usr/local/apache2
bin/apachectl configtest

b. Qualys SSL server test
https://www.ssllabs.com/ssldb/index.html

7. solution for Apache 2.0, chroot, the Cognos web gateway and cronolog
Use the traditional chroot with Apache 2.0.63 and OpenSSL 0.9.8o.
If you use OpenSSL 1.0.0a, Apache 2.0.63 cannot be compiled successfully.

References:
http://httpd.apache.org/docs/2.2/programs/apxs.html
http://httpd.apache.org/docs/2.2/dso.html