Odynia.org blog

Posts tagged http

Installing Apache and its Ecosystem: Part 1

Jul 10th, 2012. Written by Rob

I guess it is time for the big boy. Apache can be one of the most complicated things you install, mostly because of the additional languages and modules. Like many, I have my own way of configuring it.

I’ll lay this out up front: I don’t like the FreeBSD layout for Apache. Everything is scattered throughout /usr/local and buried deep in the system. I got used to using the OpenBSD layout during my stint with that OS, and so I continue to use that on FreeBSD. It puts everything in /var/www/ and keeps it nice and clean together.

That said, the binaries and other bits and pieces should remain in /usr/local/.

Building from Scratch

For once we’re not going to install Apache from ports. Why? Because it’s too damn hard to adjust the layout without building a completely custom port. What we can do though is use the ports tree to do a big chunk of the work for us.

Configure your options

Run make config in the port and select the options you want installed. I go with the defaults here usually.

[root@shana /]$ cd /usr/ports/www/apache22
[root@shana /usr/ports/www/apache22]$ make config

Install the dependencies

Now that we’ve selected our options, we can also use it to build and install the dependencies, much the same as we would do if we were installing Apache through ports.

[root@shana /usr/ports/www/apache22]$ make depends
# ===>   apache-2.2.22_5 depends on file: /usr/local/bin/perl5.12.4 - found
# ===>   apache-2.2.22_5 depends on file: /usr/local/bin/perl5.12.4 - found
# ===>   apache-2.2.22_5 depends on shared library: expat - found
# ===>   apache-2.2.22_5 depends on shared library: apr-1 - found
# ===>   apache-2.2.22_5 depends on shared library: pcre - found
# ===>   apache-2.2.22_5 depends on shared library: iconv.3 - found
# ===>   apache-2.2.22_5 depends on file: /usr/local/bin/perl5.12.4 - found
# ===>   apache-2.2.22_5 depends on file: /usr/local/bin/autoconf-2.69 - found
# ===>   apache-2.2.22_5 depends on package: libtool>=2.4 - found
# ===>   apache-2.2.22_5 depends on file: /usr/local/bin/perl5.12.4 - found

So that is everything we should need.

Generating the configure command

Now we let the port install get as far as configuring the build. That generates the configure command that was used, and we can copy that command and use it to build our own setup.

[root@shana /usr/ports/www/apache22]$ make configure
#
#  To enable a module category: WITH_<CATEGORY>_MODULES
#  To disable a module category: WITHOUT_<CATEGORY>_MODULES
#
#  Per default categories are:
#   AUTH AUTHN AUTHZ DAV CACHE MISC
#  Categories available:
#   AUTH AUTHN AUTHZ CACHE DAV EXPERIMENTAL LDAP  MISC PROXY SSL SUEXEC THREADS
#
#   To see all available knobs, type make show-options
#   To see all modules in different categories, type make show-categories
#   You can check your modules configuration by using make show-modules
#
# ===>  Found saved configuration for apache-2.2.22_5
# ===>  Extracting for apache-2.2.22_5
# <snip>
# config.status: creating include/ap_config_auto.h
# config.status: executing default commands

Setting up our own build environment

Now that we’ve had our fun with ports, it is time to build our own copy of Apache. I do my compilation in a directory called /archive/compile, but you can do it anywhere you like.

Server Build    apache, freebsd, ports, server build, shana

Firewalling: The OpenBSD Packet Filter

Jul 10th, 2012. Written by Rob

It is time to get security conscious! Installing and using pf for your firewall is a breeze, so this post will mostly be describing my firewall configuration and some of the awesome things you can do.

Warning: This is another long one.

I use the OpenBSD Packet Filter, or pf, for my server-level firewall. Why? It was originally based on ipf, and I find it to be much simpler and more powerful than the usual tools like iptables. How powerful? One line will normalise all incoming traffic. Normalisation is the process of cleaning up bad or invalid packets that can wreak havoc in poorly written server software.

It has the usual port filtering and Network Address Translation (NAT) features, plus traffic redirection (port forwarding), operating-system-based filtering, packet queuing, prioritisation, address pools, and load balancing. Yep, when paired with CARP (the Common Address Redundancy Protocol), pf can bring you the same level of redundancy and load balancing as enterprise-level Cisco gear. I had a series of four servers set up in an old workplace; each was redundant for the others using CARP + pf. You could even control the order of failover across all four servers.

Anyway, pf is installed by default; we just need to set up our rules and enable it. The first thing you need to know, though, is: don’t turn it on with untested rules. If you do, you’re more than likely to lock yourself out of the server, at which point you’d better hope your console access is working.

Before we dive into my configuration, an overview of the configuration file is probably in order. A pf.conf file is generally broken into several sections.

Macros: Variables that you can set to be re-used later on.
Tables: Variables that can hold a list of data, like a list of IP addresses.
Options: Options that control how pf functions.
Queuing: Rules and options to support queuing and prioritisation.
Filter Rules: The bulk of your firewall ruleset, providing port filtering, NAT and traffic redirection.

Now, while my general configuration has a few interesting things you can do with pf, it is actually rather boring compared to some setups I’ve done in the past. I don’t use traffic redirection, queuing, prioritisation or load balancing. It’s just a server firewall.

The most useful resource you will find for pf is the OpenBSD FAQ page on the topic.
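
To make the section layout and the warning about untested rules concrete, here is an added example (not the author's ruleset, which follows in the full post). It writes a constructed pf.conf laid out in the sections listed above and loads a ruleset only after pfctl has parsed it cleanly. The interface name em0, the ssh and smtp ports, the table contents and the two function names are assumptions.

```shell
#!/bin/sh
# Added example, not the author's ruleset. Interface, ports and table
# contents are assumptions; 192.0.2.0/24 is a documentation range.
PFCTL=${PFCTL:-pfctl}

write_sample_pf_conf() {    # $1 = path to write the constructed ruleset to
    cat > "$1" <<'EOF'
# Macros
ext_if = "em0"
tcp_services = "{ ssh, smtp }"
# Tables
table <blocked> persist { 192.0.2.0/24 }
# Options
set block-policy drop
set skip on lo0
# Normalisation: the one line that cleans up all incoming traffic
scrub in all
# Queuing: none, this is a plain server firewall
# Filter rules (the last matching rule wins unless "quick" is used)
block in log all
block in quick on $ext_if from <blocked> to any
pass out on $ext_if all keep state
pass in on $ext_if proto tcp from any to any port $tcp_services keep state
EOF
}

load_if_valid() {           # $1 = ruleset path
    # -n parses the file without loading it, so a syntax error never
    # reaches the running firewall.
    if ! "$PFCTL" -nf "$1"; then
        echo "ruleset $1 failed to parse; running rules left untouched" >&2
        return 1
    fi
    "$PFCTL" -f "$1"        # load the rules only after a clean parse
}
```

A clean parse only proves the syntax is valid; it does not prove that your own SSH session is still allowed, so keep console access available when you first enable pf with pfctl -e.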

Read on for my configuration and the step by step instructions to set it up.

Server Build    dns, firewall, freebsd, imap, mail, pf, pop3, server build, shana, smtp, ssh