<<if: ZXIDBOOK>>
<<else: >>Apache Setup Recipe for ZXID
############################
<<author: Sampo Kellomäki (sampo@iki.fi)>>
<<class: article!a4paper!!ZXID Apache 01>>
<<cvsid: $Id: apache.pd,v 1.22 2009-11-14 22:44:43 sampo Exp $>>

While I am not a guru in Apache setups and others will do this much
better, not to speak of the official documentation, I still find that
some help may be in order to ensure the initial success of a new installer.

Consider this recipe only one of many possible setups and not
necessarily even the best. The recipe worked for me in August 2006. If
you come much later, things may have changed.

This Apache setup aims to illustrate

* CGI invocation of the zxid C binary
* mod_php5 invocation of zxid.php
* mod_perl invocation of zxid.pl
* CGI invocation of zxid.pl (alternative to mod_perl)
* Support for mod_auth_saml

If you are looking for mod_auth_saml specific instructions,
please read <<link:../mod_auth_saml/mod_auth_saml.html: Apache with mod_auth_saml Recipe>>.

For more general information about ZXID.org compilation or APIs start
reading in <<link:../html/README.zxid.html: README.zxid>>.

1 Architectural Overview
========================

<<doc-inc.pd>>
<<htmlpreamble: <title>Apache Setup Recipe for ZXID</title><link type="text/css" rel=stylesheet href="zx.css"><body><h1>Apache Setup Recipe for ZXID</h1> >>

<<dia: arch-zxid-apache:bg,fg: ZXID, via mod_auth_saml, adds to Apache httpd Single Sign-On (SSO), Attribute Broker, and XACML PEP Capabilities that can be used by existing static and dynamic content without alteration.>>
<<newpage: >>

2 Compiling from Source
=======================

<<fi: >>

You may also install from binaries, but I feel the compilation
route is the only reliable way to have reproducible results.

2.1 apache httpd-2.2.3
----------------------

Download from: http://httpd.apache.org/download.cgi

For PHP it is critical that --enable-so is supplied as that seems to
be the only documented (supported?) installation route. PHP
recommends (Aug 2006) against using an Apache 2 threaded MPM. My stock
perl does not support threads either, so I guess the prefork MPM route is
fine.

    tar xvjf /t/httpd-2.2.3.tar.bz2
    ./configure --prefix=/apps/apache/2.2.3 --with-mpm=prefork --enable-so --enable-cgi --disable-cgid --enable-ssl --with-ssl=/apps/openssl/std

I got the following configure error

    checking for SSL_set_cert_store... no

This seems to be documented as bug http://issues.apache.org/bugzilla/show_bug.cgi?id=39913,
but no solution was known as of Aug 2006. Further investigation shows
that httpd-2.2.3/modules/ssl/README has the following

    o per-directory SSLCACertificate{File,Path} is now thread-safe but
      requires SSL_set_cert_store patch to OpenSSL

but fails to provide the patch or give any hint as to how to obtain it.

Apparently hacking the configure script to remove all references to
the offending variable in question is the only way forward. Look at
config.log to identify the places to hack. Iterate the ./configure script
until it works and then say

    make

A couple of linking failures due to missing -lz happen. Just run the
links manually, supplying the -lz flag. Sheesh, apache is supposed to be
stable software.

    make install

2.2 perl-5.8.8
--------------

From http://ftp.funet.fi/pub/CPAN/src/

This can usually be skipped if your stock perl is of the 5.8 series, nonthreaded,
and you are happy with the prefork MPM. Try

    perl -V:useithreads -V:usemultiplicity

If it says

    useithreads='undef';
    usemultiplicity='undef';

then it's fine for using the prefork MPM.

To compile perl you would

    ./Configure -prefix=/apps/perl/5.8.8 -des -Dusethreads -Doptimize='-g' -Dusedevel
    make && make test && make install

2.3 mod_perl-2.0.4
------------------

From http://perl.apache.org/dist/

Install instructions: http://perl.apache.org/docs/2.0/user/install/install.html

    tar xvf /t/mod_perl-2.0.4.tar.gz

    perl Makefile.PL MP_APXS=/apps/apache/std/bin/apxs MP_DEBUG=1
    make
    make test
    # Seems to fail because it wants to create core files and I do not let it!
    make install
    # installs stuff to the perl lib directory as well as the apache modules directory

You can read further at http://perl.apache.org/docs/2.0/user/intro/start_fast.html

<<ignore:
[Sat Nov 14 12:13:55 2009] [error] [client 127.0.0.1] failed to resolve handler `ModPerl::Registry': Can't locate ModPerl/Registry.pm in @INC (@INC contains: /usr/local/lib/perl5/5.8.4/i686-linux /usr/local/lib/perl5/5.8.4 /usr/local/lib/perl5/site_perl/5.8.4/i686-linux /usr/local/lib/perl5/site_perl/5.8.4 /usr/local/lib/perl5/site_perl . /apps/apache/2.2.3) at (eval 2) line 3.\n
>>

2.4 php-5.1.6
-------------

From php.net

Install instructions: http://www.php.net/manual/en/install.unix.apache2.php

    ./configure --prefix=/apps/php/5.1.6 --with-apxs2=/apps/apache/std/bin/apxs --with-openssl=/apps/openssl/std --with-zlib --with-curl=/apps --enable-soap --with-libxml-dir=/apps
    make
    make install

2.5 php-5.3.6
-------------

    EXTRA_LIBS="-lresolv" ./configure --prefix=/apps/php/5.3.6 --with-apxs2=/apps/apache/std/bin/apxs --with-openssl=/apps/openssl/std --with-zlib --with-curl=/apps --enable-soap --with-libxml-dir=/apps -with-mysql=shared
    make
    make install

The -lresolv in EXTRA_LIBS is needed to avoid this link error:

    /home/navarrb/CPHP/source/php-5.3.1/ext/standard/dns.c:418: undefined reference to `__dn_expand'
    # Add -lresolv: export EXTRA_LIBS="-lresolv"

3 Configuring Apache
====================

These configuration steps are to enable all ZXID Apache related functionality,
including mod_auth_saml, mod_perl, mod_php, and CGI.

* Allow zxid to be triggered as CGI (the trick is SetHandler inside <Location>)
* Allow zxid.pl to be triggered by mod_perl. The trick is
      AddHandler perl-script .pl
      PerlResponseHandler ModPerl::Registry
      PerlOptions +ParseHeaders
* Allow zxid.php to be triggered by mod_php5. The trick is
      AddType application/x-httpd-php .php .phtml
* Enable mod_auth_saml for some directories
* Set port number and domain
* Enable SSL operation

Once you have edited the Apache config files, you say

    /apps/apache/std/bin/apachectl restart
    tail -f tmp/err-httpd &   # Apache errorlog, per configuration

to get apache running. Below are the edits I applied to my apache
config files (in the /apps/apache/std/conf directory if you followed
this recipe). It's a shame the apache config wizardry is so
bloated that the diff does not fit on one page.
Also distributions
with an attitude tend to complicate apache configuration files
further by pulverizing them into many files over many directories.
Some of the known distribution locations:

    /etc/apache2/sites-available/default   # Ubuntu ca. 2009

<<logoutput:
185diff -u /apps/apache/std/conf/httpd.conf.orig /apps/apache/std/conf/httpd.conf 186--- httpd.conf.orig 2006-08-31 19:23:42.000000000 -0400 187+++ httpd.conf 2006-08-31 20:31:17.000000000 -0400 188@@ -37,7 +37,8 @@ 189 # prevent Apache from glomming onto all bound IP addresses. 190 # 191 #Listen 12.34.56.78:80 192-Listen 80 193+##Listen 80 194+Listen 8080 195 196 # 197 # Dynamic Shared Object (DSO) Support 198@@ -51,6 +52,8 @@ 199 # Example: 200 # LoadModule foo_module modules/mod_foo.so 201 # 202+LoadModule perl_module modules/mod_perl.so 203+LoadModule php5_module modules/libphp5.so 204 205 <IfModule !mpm_netware_module> 206 # 207@@ -98,7 +101,8 @@ 208 # documents. By default, all requests are taken from this directory, but 209 # symbolic links and aliases may be used to point to other locations. 210 # 211-DocumentRoot "/apps/apache/2.2.3/htdocs" 212+##DocumentRoot "/apps/apache/2.2.3/htdocs" 213+DocumentRoot "/home/sampo/zxid" 214 215 # 216 # Each directory to which Apache has access can be configured with respect 217@@ -125,7 +129,8 @@ 218 # 219 # This should be changed to whatever you set DocumentRoot to. 220 # 221-<Directory "/apps/apache/2.2.3/htdocs"> 222+##<Directory "/apps/apache/2.2.3/htdocs"> 223+<Directory "/home/sampo/zxid"> 224 # 225 # Possible values for the Options directive are "None", "All", 226 # or any combination of: 227@@ -138,7 +143,13 @@ 228 # http://httpd.apache.org/docs/2.2/mod/core.html#options 229 # for more information.
230 # 231- Options Indexes FollowSymLinks 232+ ##Options Indexes FollowSymLinks 233+ Options All 234+ 235+ AddHandler cgi-script .cgi 236+ AddHandler perl-script .pl 237+ PerlResponseHandler ModPerl::Registry 238+ PerlOptions +ParseHeaders 239 240 # 241 # AllowOverride controls what directives may be placed in .htaccess files. 242@@ -155,6 +166,10 @@ 243 244 </Directory> 245 246+<Location "/zxid"> 247+SetHandler cgi-script 248+</Location> 249+ 250 # 251 # DirectoryIndex: sets the file that Apache will serve if a directory 252 # is requested. 253@@ -180,14 +195,16 @@ 254 # logged here. If you *do* define an error logfile for a <VirtualHost> 255 # container, that host's errors will be logged there and not here. 256 # 257-ErrorLog logs/error_log 258+##ErrorLog logs/error_log 259+ErrorLog /home/sampo/zxid/tmp/err-httpd 260 261 # 262 # LogLevel: Control the number of messages logged to the error_log. 263 # Possible values include: debug, info, notice, warn, error, crit, 264 # alert, emerg. 265 # 266-LogLevel warn 267+##LogLevel warn 268+LogLevel debug 269 270 <IfModule log_config_module> 271 # 272@@ -209,13 +226,14 @@ 273 # define per-<VirtualHost> access logfiles, transactions will be 274 # logged therein and *not* in this file. 275 # 276- CustomLog logs/access_log common 277+ ##CustomLog logs/access_log common 278 279 # 280 # If you prefer a logfile with access, agent, and referer information 281 # (Combined Logfile Format) you can use the following directive. 282 # 283 #CustomLog logs/access_log combined 284+ CustomLog /home/sampo/zxid/tmp/log.httpd combined 285 </IfModule> 286 287 <IfModule alias_module> 288@@ -245,7 +263,7 @@ 289 # client. The same rules about trailing "/" apply to ScriptAlias 290 # directives as to Alias. 
291 # 292- ScriptAlias /cgi-bin/ "/apps/apache/2.2.3/cgi-bin/" 293+ ##ScriptAlias /cgi-bin/ "/apps/apache/2.2.3/cgi-bin/" 294 295 </IfModule> 296 297@@ -303,7 +321,7 @@ 298 # 299 AddType application/x-compress .Z 300 AddType application/x-gzip .gz .tgz 301- 302+AddType application/x-httpd-php .php .phtml 303 # 304 # AddHandler allows you to map certain file extensions to "handlers": 305 # actions unrelated to filetype. These can be either built into the server 306@@ -394,7 +412,7 @@ 307 #Include conf/extra/httpd-default.conf 308 309 # Secure (SSL/TLS) connections 310-#Include conf/extra/httpd-ssl.conf 311+Include conf/extra/httpd-ssl.conf 312 # 313 # Note: The following must must be present to support 314 # starting without SSL on platforms with no /dev/random equivalent 315 316diff -u httpd-ssl.conf.orig httpd-ssl.conf 317--- httpd-ssl.conf~ 2006-08-31 18:24:09.000000000 -0400 318+++ httpd-ssl.conf 2006-08-31 19:35:53.000000000 -0400 319@@ -22,9 +22,9 @@ 320 # Manual for more details. 321 # 322 #SSLRandomSeed startup file:/dev/random 512 323-#SSLRandomSeed startup file:/dev/urandom 512 324+SSLRandomSeed startup file:/dev/urandom 512 325 #SSLRandomSeed connect file:/dev/random 512 326-#SSLRandomSeed connect file:/dev/urandom 512 327+SSLRandomSeed connect file:/dev/urandom 512 328 329 330 # 331@@ -34,7 +34,7 @@ 332 # Note: Configurations that use IPv6 but not IPv4-mapped addresses need two 333 # Listen directives: "Listen [::]:443" and "Listen 0.0.0.0:443" 334 # 335-Listen 443 336+Listen 5443 337 338 ## 339 ## SSL Global Context 340@@ -71,14 +71,16 @@ 341 ## SSL Virtual Host Context 342 ## 343 344-<VirtualHost _default_:443> 345+<VirtualHost _default_:5443> 346 347 # General setup for the virtual host 348-DocumentRoot "/apps/apache/2.2.3/htdocs" 349-ServerName www.example.com:443 350+##DocumentRoot "/apps/apache/2.2.3/htdocs" 351+DocumentRoot "/home/sampo/zxid" 352+##ServerName www.example.com:443 353+ServerName sp1.zxidsp.org:443 354 ServerAdmin you@example.com 
355-ErrorLog /apps/apache/2.2.3/logs/error_log 356-TransferLog /apps/apache/2.2.3/logs/access_log 357+##ErrorLog /apps/apache/2.2.3/logs/error_log 358+##TransferLog /apps/apache/2.2.3/logs/access_log 359 360 # SSL Engine Switch: 361 # Enable/Disable SSL for this virtual host. 362@@ -96,15 +98,16 @@ 363 # in mind that if you have both an RSA and a DSA certificate you 364 # can configure both in parallel (to also allow the use of DSA 365 # ciphers, etc.) 366-SSLCertificateFile /apps/apache/2.2.3/conf/server.crt 367+##SSLCertificateFile /apps/apache/2.2.3/conf/server.crt 368 #SSLCertificateFile /apps/apache/2.2.3/conf/server-dsa.crt 369+SSLCertificateFile /home/sampo/zxid/zxid.pem 370 371 # Server Private Key: 372 # If the key is not combined with the certificate, use this 373 # directive to point at the key file. Keep in mind that if 374 # you've both a RSA and a DSA private key you can configure 375 # both in parallel (to also allow the use of DSA ciphers, etc.) 376-SSLCertificateKeyFile /apps/apache/2.2.3/conf/server.key 377+##SSLCertificateKeyFile /apps/apache/2.2.3/conf/server.key 378 #SSLCertificateKeyFile /apps/apache/2.2.3/conf/server-dsa.key 379 380 # Server Certificate Chain: 381@@ -225,7 +228,7 @@ 382 # Per-Server Logging: 383 # The home of a custom SSL log file. Use this when you want a 384 # compact non-error SSL logfile on a virtual host basis. 385-CustomLog /apps/apache/2.2.3/logs/ssl_request_log \ 386- "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" 387+#CustomLog /apps/apache/2.2.3/logs/ssl_request_log \ 388+# "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" 389 390 </VirtualHost>
>>

4 Trying Out Apache
===================

Check that sp1.zxidsp.org resolves

    ping sp1.zxidsp.org

Start Apache httpd using

    apachectl restart

or possibly some other distribution dependent way

    apache2ctl restart
    sudo invoke-rc.d apache2 restart   # Ubuntu ca. 2009
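Review bot: in the `<Directory "/home/sampo/zxid">` hunk, `Options All` replaces `Options Indexes FollowSymLinks` and so turns on ExecCGI, Includes and Indexes for the entire ZXID tree, not just the /zxid Location that the CGI needs; with Indexes on, every file under DocumentRoot (zxid.pem, the tmp/ log directory, the source) becomes listable. Grant only what the recipe uses, e.g. `Options ExecCGI FollowSymLinks`, and keep Indexes off.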
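Review bot: the ErrorLog hunk writes the error log to /home/sampo/zxid/tmp/err-httpd, which is inside the DocumentRoot "/home/sampo/zxid" set earlier in the same patch, so the log is fetchable over HTTP as /tmp/err-httpd. Keep logs outside the document tree (the stock logs/ directory under the Apache prefix works), or deny web access to tmp/ with a `<Directory>` block.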
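Review bot: `LogLevel debug` in the LogLevel hunk is fine while bringing the setup up, but it records request details and module internals that do not belong in a long-lived log; mark it as a temporary setting to revert to `warn` once the five test URLs work.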
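Review bot: the CustomLog hunk has the same problem as the ErrorLog hunk: /home/sampo/zxid/tmp/log.httpd sits under DocumentRoot, and the combined format records every query string, including the o= parameters that drive zxid, so the access log is readable by any client. Point it outside the served tree.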
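Review bot: in the `<VirtualHost _default_:5443>` hunk, `ServerName sp1.zxidsp.org:443` disagrees with `Listen 5443` and the VirtualHost port; wherever Apache builds self-referential URLs from ServerName (UseCanonicalName On, redirects on directory requests) they will point at port 443, where nothing listens. Use `ServerName sp1.zxidsp.org:5443`.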
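Review bot: the SSLCertificateFile hunk points mod_ssl at /home/sampo/zxid/zxid.pem and comments out SSLCertificateKeyFile, so the private key must be combined into zxid.pem; that file lies directly under DocumentRoot "/home/sampo/zxid" and is therefore served as https://sp1.zxidsp.org:5443/zxid.pem. Move the key and certificate outside the document tree (the stock location was /apps/apache/2.2.3/conf/), make the file readable only by root (mod_ssl loads it before dropping privileges), or at minimum add
`<Files zxid.pem>`
`Order allow,deny`
`Deny from all` / `</Files>`.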
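The diff above moves logs and the certificate/key file into the DocumentRoot it also sets. As an added check (not part of ZXID or of the Apache distribution), this script scans the httpd.conf and httpd-ssl.conf produced by those edits and reports every log, certificate or key path that sits inside DocumentRoot; the config paths are the recipe's and are assumptions.

```shell
#!/bin/sh
# Added check, not part of ZXID or Apache: anything under DocumentRoot is also
# a URL the server will serve, so logs and key material must not live there.
# Usage: audit_docroot httpd.conf [extra/httpd-ssl.conf ...]
# (file order matters: a DocumentRoot applies to the directives after it)

audit_docroot() {
    awk '
        /^[[:space:]]*#/ { next }                  # commented-out directive
        { gsub(/"/, "") }                          # DocumentRoot "/x" -> /x
        $1 == "DocumentRoot" { root = $2; sub(/\/$/, "", root); next }
        $1 ~ /^(ErrorLog|CustomLog|TransferLog|SSLCertificateFile|SSLCertificateKeyFile|SSLCertificateChainFile)$/ {
            # the path is inside the served tree when "root/" is its prefix
            if (root != "" && index($2, root "/") == 1) { print $1, $2; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }
    ' "$@"
}

# When run as a script, audit the files named on the command line.
if [ $# -gt 0 ]; then
    audit_docroot "$@" && echo "OK: no log, certificate or key path under DocumentRoot"
fi
```

Against the recipe layout, run it as `./audit_docroot.sh /apps/apache/std/conf/httpd.conf /apps/apache/std/conf/extra/httpd-ssl.conf`; a non-zero exit means at least one offending path was printed.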

<<ignore:
/apps/apache/std/bin/apachectl restart
https://sp1.zxidsp.org:5443/README.zxid
>>

At this stage you should watch carefully for any unresolved symbols
or missing shared libraries (.so) (or dynamic link libraries, DLLs).
If you see any, you need to resolve them, e.g. by setting the LD_LIBRARY_PATH
environment variable.

Now, use a browser to access the following URLs to try your accomplishments out:

1. https://sp1.zxidsp.org:5443/README.zxid (tests simple file access
   and that the server works at all)
2. https://sp1.zxidsp.org:5443/zxid?o=E (tests the SP CGI written in C)
3. https://sp1.zxidsp.org:5443/zxid.pl?o=E (tests the SP the mod_perl way)
4. https://sp1.zxidsp.org:5443/zxid.php?o=E (tests the SP the mod_php5 way)
5. https://sp1.zxidsp.org:5443/protected/content.txt

If any of the above does not work, be sure to inspect the apache
logs (be sure to replace /home/sampo with whatever makes sense):

    tail -f /home/sampo/zxid/tmp/err-httpd

If you can't get any access at all, be sure you do not have mini_httpd
or some other process running on the same port.

Also make sure the execute permission is set for any CGI scripts, e.g.:

    chmod a+x zxid.pl

5 Debugging Apache Cores
========================

mod_auth_saml, mod_php, or mod_perl with Net::SAML can crash in C
code. That can be debugged using this recipe. If using all three
simultaneously, beware of version discrepancy: a newer module can pick
up libzxid symbols from an older module. This leads to the rather
confusing "warning: Source file is more recent than executable."
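Both the missing-library check in section 4 and the libzxid version skew just described can be caught before httpd is started. The script below is an added example, not part of the ZXID distribution: it runs ldd over httpd and each DSO under modules/, reporting libraries the loader cannot resolve and which libzxid copy each module binds to; APACHE_PREFIX follows this recipe's layout and is an assumption.

```shell
#!/bin/sh
# Added check, not part of the ZXID distribution: run ldd over httpd and every
# DSO under modules/ to report (a) shared libraries the loader cannot resolve
# and (b) which libzxid each module binds to, so a stale copy stands out.
# APACHE_PREFIX follows this recipe's layout and is an assumption; only run
# ldd on binaries you built yourself, since ldd may execute the object.
APACHE_PREFIX="${APACHE_PREFIX:-/apps/apache/std}"

# missing_libs: ldd output on stdin -> one unresolved library name per line
missing_libs() {
    sed -n 's/^[[:space:]]*\([^ ]*\) => not found.*/\1/p'
}

# zxid_lib_path: ldd output on stdin -> path libzxid resolved to (empty if none)
zxid_lib_path() {
    sed -n 's/^[[:space:]]*libzxid[^ ]* => \([^ ]*\) (.*/\1/p'
}

# distinct_count: whitespace separated words on stdin -> number of distinct words
distinct_count() {
    tr -s '[:space:]' '\n' | sed '/^$/d' | sort -u | wc -l | tr -d ' '
}

check_install() {
    status=0; seen=""
    for f in "$APACHE_PREFIX/bin/httpd" "$APACHE_PREFIX"/modules/*.so; do
        [ -e "$f" ] || continue
        out=$(ldd "$f" 2>/dev/null) || continue   # not a dynamic ELF object
        missing=$(printf '%s\n' "$out" | missing_libs)
        if [ -n "$missing" ]; then
            printf '%s: NOT FOUND: %s\n' "$f" "$(printf '%s' "$missing" | tr '\n' ' ')"
            status=1                             # fix with LD_LIBRARY_PATH or ldconfig
        fi
        zx=$(printf '%s\n' "$out" | zxid_lib_path)
        if [ -n "$zx" ]; then
            printf '%s: libzxid -> %s\n' "$f" "$zx"
            seen="$seen $zx"
        fi
    done
    if [ "$(printf '%s' "$seen" | distinct_count)" -gt 1 ]; then
        echo "WARNING: modules bind different libzxid copies; expect version skew"
        status=1
    fi
    return $status
}

if [ "${1:-}" = "--run" ]; then check_install; fi
```

Run it as `./check_dso.sh --run` after `make install` of each module; a non-zero exit means a library is missing or two modules resolved libzxid from different directories.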

<<code:
tail -f tmp/log.httpd &
tail -f tmp/err-httpd &
ulimit -c unlimited
/apps/apache/std/bin/httpd -X   # Run Apache in single threaded debug mode
gdb /apps/apache/std/bin/httpd /d/sampo/zxid/core
>>

<<if: ZXIDBOOK>>
<<else: >>

7 Conclusion
============

If you have any trouble, please do not hesitate to contact the author.

<<htmlpreamble: <title>Apache Setup Recipe for ZXID</title><body bgcolor="#330033" text="#ffaaff" link="#ffddff" vlink="#aa44aa" alink="#ffffff"><font face=sans><h1>Apache Setup Recipe for ZXID</h1> >>
<<EOF: >>

grep ap_internal_redirect * */* */*/* */*/*/* */*/*/*/* */*/*/*/*/*

Apparent order of processing in Apache httpd-2.2.3

tail -f tmp/log.httpd &
tail -f tmp/err-httpd &
/apps/apache/std/bin/apachectl restart
https://sp1.zxidsp.org:5443/protected/content.txt
https://s-idp.liberty-iop.org:8881/N

ulimit -c unlimited
/apps/apache/std/bin/httpd -X   # Run Apache in single threaded debug mode
gdb /apps/apache/std/bin/httpd /d/sampo/zxid/core

Apache and cores:
* http://www.cyberciti.biz/tips/configure-apache-web-server-for-core-dump.html
* CoreDumpDirectory /tmp/cores
* cat /proc/sys/kernel/core_pattern

#SAMLTrustToken domain ENTERPRISE_   # Import attributes from an enterprise trust token


<<fi: >>