Solaris 10 の httpd2 は、メンテナンスしてるのかどうかさっぱりわからん。
サポート契約していないからか、smpatch で全く httpd2 のパッチが落ちてこない。
セキュリティホールも多々出てるので、Solaris 10 標準の apache を捨てて、自分でソースから入れる。
OpenSSL を有効にするには /usr/sfw を指定する必要がある。Red Hat 風に datadir を /var/www にしてみる。
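# Fetch, verify, build and install httpd 2.2.3 into a versioned prefix and
# point the /usr/local/httpd symlink at it.
#   --with-ssl=/usr/sfw       : the OpenSSL bundled with Solaris 10
#   --datadir/--localstatedir : Red Hat style layout under /var/www
# Every step that changes directory or produces the input of the next step
# is checked, so a failed download, extraction or configure does not let the
# following commands run in the wrong directory or against a stale tree.
cd src/ || exit 1
wget "http://www.meisei-u.ac.jp/mirror/apache/dist/httpd/httpd-2.2.3.tar.gz" || exit 1
wget "http://www.apache.org/dist/httpd/httpd-2.2.3.tar.gz.md5" || exit 1
# Tarball from a mirror, checksum from apache.org itself: md5sum catches a
# corrupt or swapped mirror copy. Both are fetched over plain HTTP, so this
# is an integrity check against the download, not a proof of origin.
md5sum --check httpd-2.2.3.tar.gz.md5 || exit 1
gtar zxf httpd-2.2.3.tar.gz || exit 1
cd httpd-2.2.3/ || exit 1
./configure \
    --prefix=/usr/local/httpd-2.2.3 \
    --datadir=/var/www \
    --localstatedir=/var/www \
    --enable-mods-shared=all \
    --enable-ssl \
    --with-ssl=/usr/sfw || exit 1
make || exit 1
sudo make install || exit 1
# Versioned install directory behind a stable symlink; the method script and
# httpd.conf paths below refer to /usr/local/httpd only.
cd /usr/local/ || exit 1
sudo ln -s httpd-2.2.3 httpd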
/var/svc/manifest/network/httpd.xml
<?xml version="1.0"?>
<!DOCTYPE service_bundle SYSTEM "/usr/share/lib/xml/dtd/service_bundle.dtd.1">
<!--
  SMF manifest for the self-built Apache httpd 2.2 (svc:/network/httpd).
  All three methods delegate to /lib/svc/method/httpd, a wrapper around
  apachectl. The default instance is created disabled and is switched on
  afterwards with "svcadm enable httpd".
-->
<service_bundle type="manifest" name="export">
  <service name="network/httpd" type="service" version="0">

    <!-- A single instance, created disabled so the service does not start
         before httpd.conf, the key and the pass phrase filter are in place. -->
    <create_default_instance enabled="false" />
    <single_instance />

    <!-- The network must be up; restart_on=error means httpd is restarted
         when the network milestone reports an error. -->
    <dependency name="network" grouping="require_all" restart_on="error" type="service">
      <service_fmri value="svc:/milestone/network:default" />
    </dependency>

    <!-- Local filesystems (/usr/local, /var/www) have to be mounted first. -->
    <dependency name="filesystem-local" grouping="require_all" restart_on="none" type="service">
      <service_fmri value="svc:/system/filesystem/local:default" />
    </dependency>

    <!-- autofs is optional: httpd starts without it, but follows its errors. -->
    <dependency name="autofs" grouping="optional_all" restart_on="error" type="service">
      <service_fmri value="svc:/system/filesystem/autofs:default" />
    </dependency>

    <!-- The method script maps start/stop/refresh onto apachectl
         start/stop/graceful. No method_credential is given, so the methods
         run with SMF's default (root) credentials, which httpd needs to bind
         port 443 and read the root-owned server.key; the User/Group
         directives in httpd.conf (webservd here) are what the worker
         processes are switched to. -->
    <exec_method name="start" type="method" exec="/lib/svc/method/httpd start" timeout_seconds="60">
      <method_context />
    </exec_method>
    <exec_method name="stop" type="method" exec="/lib/svc/method/httpd stop" timeout_seconds="60">
      <method_context />
    </exec_method>
    <exec_method name="refresh" type="method" exec="/lib/svc/method/httpd refresh" timeout_seconds="60">
      <method_context />
    </exec_method>

    <!-- Application property; the method script shown with this manifest
         does not read it. -->
    <property_group name="httpd" type="application">
      <stability value="Evolving" />
      <propval name="ssl" type="boolean" value="false" />
    </property_group>

    <!-- A child that dies from a signal or dumps core is not counted as a
         failure of the whole service. -->
    <property_group name="startd" type="framework">
      <propval name="ignore_error" type="astring" value="core,signal" />
    </property_group>

    <stability value="Evolving" />

    <template>
      <common_name>
        <loctext xml:lang="C">Apache HTTP Server 2.2</loctext>
      </common_name>
      <documentation>
        <manpage title="httpd" section="8" manpath="/usr/local/httpd/man" />
        <doc_link name="apache.org" uri="http://httpd.apache.org" />
      </documentation>
    </template>
  </service>
</service_bundle>
/lib/svc/method/httpd
#!/sbin/sh
#
# SMF method script for svc:/network/httpd. Wraps apachectl so that the
# manifest's start/stop/refresh methods map onto apachectl start/stop/graceful.
#
# Exit status: $SMF_EXIT_ERR_CONFIG when httpd.conf is missing (SMF treats
# this as a configuration error), 1 on an unknown argument, otherwise the
# status of apachectl, which replaces this shell via exec.
#
. /lib/svc/share/smf_include.sh

APACHE_HOME=/usr/local/httpd
CONF_FILE=/usr/local/httpd/conf/httpd.conf
PIDFILE=/var/www/logs/httpd.pid

# Nothing below can work without the configuration file; report it as a
# configuration error instead of letting apachectl fail later.
if [ ! -f "${CONF_FILE}" ]; then
    exit $SMF_EXIT_ERR_CONFIG
fi

case "$1" in
    start)
        # Remove a stale pid file left behind by an unclean shutdown before
        # starting a fresh instance.
        /bin/rm -f "${PIDFILE}"
        cmd=start
        ;;
    stop)
        cmd=stop
        ;;
    refresh)
        # refresh is a graceful restart: configuration is re-read without
        # dropping requests that are in flight.
        cmd=graceful
        ;;
    *)
        echo "Usage: $0 {start|stop|refresh}"
        exit 1
        ;;
esac

# Hand over to apachectl; stderr is merged into stdout so both end up in the
# SMF service log.
exec "${APACHE_HOME}/bin/apachectl" "$cmd" 2>&1
コンフィグする。
余分なモジュールをぶっこ抜く(ならコンパイルすんなよってツっこむな)。
あと、自宅監視用にするつもりなので、80/tcp も Listen させない。SSL で 443/tcp しか使わない。
Solaris 10 では、Web サーバー用にユーザー webservd があるので、これを使おう。
--- /usr/local/httpd-2.2.3/conf/httpd.conf.default Sun Aug 13 17:54:00 2006
+++ /usr/local/httpd-2.2.3/conf/httpd.conf Sat Aug 19 00:20:48 2006
@@ -37,7 +37,7 @@
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
-Listen 80
+#Listen 80
#
# Dynamic Shared Object (DSO) Support
@@ -51,54 +51,54 @@
# Example:
# LoadModule foo_module modules/mod_foo.so
#
-LoadModule authn_file_module modules/mod_authn_file.so
-LoadModule authn_dbm_module modules/mod_authn_dbm.so
-LoadModule authn_anon_module modules/mod_authn_anon.so
-LoadModule authn_dbd_module modules/mod_authn_dbd.so
-LoadModule authn_default_module modules/mod_authn_default.so
+#LoadModule authn_file_module modules/mod_authn_file.so
+#LoadModule authn_dbm_module modules/mod_authn_dbm.so
+#LoadModule authn_anon_module modules/mod_authn_anon.so
+#LoadModule authn_dbd_module modules/mod_authn_dbd.so
+#LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_user_module modules/mod_authz_user.so
-LoadModule authz_dbm_module modules/mod_authz_dbm.so
-LoadModule authz_owner_module modules/mod_authz_owner.so
-LoadModule authz_default_module modules/mod_authz_default.so
+#LoadModule authz_dbm_module modules/mod_authz_dbm.so
+#LoadModule authz_owner_module modules/mod_authz_owner.so
+#LoadModule authz_default_module modules/mod_authz_default.so
LoadModule auth_basic_module modules/mod_auth_basic.so
-LoadModule auth_digest_module modules/mod_auth_digest.so
-LoadModule dbd_module modules/mod_dbd.so
-LoadModule dumpio_module modules/mod_dumpio.so
-LoadModule ext_filter_module modules/mod_ext_filter.so
-LoadModule include_module modules/mod_include.so
-LoadModule filter_module modules/mod_filter.so
-LoadModule deflate_module modules/mod_deflate.so
+#LoadModule auth_digest_module modules/mod_auth_digest.so
+#LoadModule dbd_module modules/mod_dbd.so
+#LoadModule dumpio_module modules/mod_dumpio.so
+#LoadModule ext_filter_module modules/mod_ext_filter.so
+#LoadModule include_module modules/mod_include.so
+#LoadModule filter_module modules/mod_filter.so
+#LoadModule deflate_module modules/mod_deflate.so
LoadModule log_config_module modules/mod_log_config.so
-LoadModule log_forensic_module modules/mod_log_forensic.so
-LoadModule logio_module modules/mod_logio.so
+#LoadModule log_forensic_module modules/mod_log_forensic.so
+#LoadModule logio_module modules/mod_logio.so
LoadModule env_module modules/mod_env.so
LoadModule mime_magic_module modules/mod_mime_magic.so
-LoadModule cern_meta_module modules/mod_cern_meta.so
-LoadModule expires_module modules/mod_expires.so
-LoadModule headers_module modules/mod_headers.so
-LoadModule ident_module modules/mod_ident.so
-LoadModule usertrack_module modules/mod_usertrack.so
-LoadModule unique_id_module modules/mod_unique_id.so
+#LoadModule cern_meta_module modules/mod_cern_meta.so
+#LoadModule expires_module modules/mod_expires.so
+#LoadModule headers_module modules/mod_headers.so
+#LoadModule ident_module modules/mod_ident.so
+#LoadModule usertrack_module modules/mod_usertrack.so
+#LoadModule unique_id_module modules/mod_unique_id.so
LoadModule setenvif_module modules/mod_setenvif.so
-LoadModule version_module modules/mod_version.so
+#LoadModule version_module modules/mod_version.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule mime_module modules/mod_mime.so
-LoadModule dav_module modules/mod_dav.so
+#LoadModule dav_module modules/mod_dav.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
-LoadModule asis_module modules/mod_asis.so
-LoadModule info_module modules/mod_info.so
+#LoadModule asis_module modules/mod_asis.so
+#LoadModule info_module modules/mod_info.so
LoadModule cgi_module modules/mod_cgi.so
-LoadModule dav_fs_module modules/mod_dav_fs.so
-LoadModule vhost_alias_module modules/mod_vhost_alias.so
-LoadModule negotiation_module modules/mod_negotiation.so
+#LoadModule dav_fs_module modules/mod_dav_fs.so
+#LoadModule vhost_alias_module modules/mod_vhost_alias.so
+#LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
-LoadModule imagemap_module modules/mod_imagemap.so
-LoadModule actions_module modules/mod_actions.so
-LoadModule speling_module modules/mod_speling.so
-LoadModule userdir_module modules/mod_userdir.so
+#LoadModule imagemap_module modules/mod_imagemap.so
+#LoadModule actions_module modules/mod_actions.so
+#LoadModule speling_module modules/mod_speling.so
+#LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
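Review bot: `LoadModule status_module modules/mod_status.so` stays enabled while the neighbouring `mod_info` line is commented out; for a server meant only for private monitoring it is worth deciding explicitly whether /server-status is wanted, and either commenting the status line out like the others or, if it is kept, making sure the Location that exposes it is access-controlled when httpd-info.conf or an equivalent block is enabled. The same question applies to `mod_cgi`, `mod_autoindex` and `mod_rewrite`, which remain loaded although nothing on this page uses them; every loaded module is code reachable from the network, which is the reasoning the rest of the hunk already applies. mod_authz_host, mod_authz_user and mod_authz_groupfile are kept, so Order/Allow and Require user|group|valid-user still have a handler after mod_authz_default is removed, which looks intentional.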
@@ -111,8 +111,8 @@
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
-User daemon
-Group daemon
+User webservd
+Group webservd
</IfModule>
# 'Main' server configuration
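Review bot: `User webservd` / `Group webservd` only helps if the files httpd reads stay outside that account's write reach: /usr/local/httpd/conf (including server.key and the pass phrase filter), /var/www/logs and the htdocs tree should remain root-owned and not group or world writable, otherwise a compromised worker process could alter them and have the change picked up at the next refresh. The chmod 400 done through sudo later on the page keeps the key root-owned, which is consistent with this; the ownership of the logs and document directories is not shown and is worth checking. The enclosing `<IfModule>` opens outside the hunk; only its closing tag is visible here.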
@@ -132,7 +132,7 @@
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. admin@your-domain.com
#
-ServerAdmin you@example.com
+#ServerAdmin you@example.com
#
# ServerName gives the name and port that the server uses to identify itself.
@@ -148,7 +148,7 @@
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
-DocumentRoot "/var/www/htdocs"
+#DocumentRoot "/var/www/htdocs"
#
# Each directory to which Apache has access can be configured with respect
@@ -239,6 +239,7 @@
#
LogLevel warn
+
<IfModule log_config_module>
#
# The following directives define some format nicknames for use with
@@ -444,7 +445,7 @@
#Include conf/extra/httpd-default.conf
# Secure (SSL/TLS) connections
-#Include conf/extra/httpd-ssl.conf
+Include conf/extra/httpd-ssl.conf
#
# Note: The following must must be present to support
# starting without SSL on platforms with no /dev/random equivalent
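Review bot: With `Listen 80` commented out in the first hunk, `Include conf/extra/httpd-ssl.conf` becomes the only place a Listen directive can come from (presumably the `Listen 443` in that file), so disabling this include again would leave httpd with no listening socket and a failed start rather than a fallback to plain HTTP. A one-line comment above the Include, `# Listen 80 is off in this file; the only Listen directive now comes from httpd-ssl.conf`, would make that dependency visible to whoever edits this next. The lines the trailing "must must be present" comment refers to are below the hunk and not visible here.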
SSL の鍵を作る。
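# Generate the server key and a self-signed certificate for the SSL vhost.
# The key size is raised from the 1024 bits originally used to 2048 bits,
# as 1024-bit RSA is no longer considered an adequate strength. -des3 keeps
# the key encrypted on disk; the pass phrase is supplied at startup through
# SSLPassPhraseDialog in httpd-ssl.conf.
# umask 077 so neither file is ever created world-readable before the chmod
# at the end (sudo may apply its own umask policy on top, which is why the
# explicit chmod is kept as the backstop).
umask 077
cd /usr/local/httpd-2.2.3/conf/ || exit 1
sudo openssl genrsa -des3 -out /usr/local/httpd/conf/server.key 2048 || exit 1
sudo openssl req -new -x509 -key /usr/local/httpd/conf/server.key -days 365 -out /usr/local/httpd/conf/server.crt || exit 1
# The key must be readable only by the account that starts httpd (root via
# SMF); the certificate is public material but is locked down the same way.
sudo chmod 400 /usr/local/httpd/conf/server.key /usr/local/httpd/conf/server.crt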
ここで問題が、、、Solaris 標準の OpenSSL が 256bit ブロック暗号が使えん! DHE-RSA-AES256-SHA, DHE-DSS-AES256-SHA, AES256-SHA とか。
かといって、OpenSSL を入れなおすのはさすがにしんどいので、Firefox 用に DHE-RSA-AES128-SHA, IE 用に RC4-SHA あたりで我慢しておくか。所詮、自宅用暗号化だし。
$ openssl ciphers -v
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
DHE-DSS-RC4-SHA SSLv3 Kx=DH Au=DSS Enc=RC4(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-64-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(64) Mac=MD5
EXP1024-DHE-DSS-DES-CBC-SHA SSLv3 Kx=DH(1024) Au=DSS Enc=DES(56) Mac=SHA1 export
EXP1024-DES-CBC-SHA SSLv3 Kx=RSA(1024) Au=RSA Enc=DES(56) Mac=SHA1 export
EXP1024-RC2-CBC-MD5 SSLv3 Kx=RSA(1024) Au=RSA Enc=RC2(56) Mac=MD5 export
EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
DES-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
EXP1024-DHE-DSS-RC4-SHA SSLv3 Kx=DH(1024) Au=DSS Enc=RC4(56) Mac=SHA1 export
EXP1024-RC4-SHA SSLv3 Kx=RSA(1024) Au=RSA Enc=RC4(56) Mac=SHA1 export
EXP1024-RC4-MD5 SSLv3 Kx=RSA(1024) Au=RSA Enc=RC4(56) Mac=MD5 export
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
/usr/local/httpd-2.2.3/conf/extra/httpd-ssl.conf で SSL の設定をする。
SSLPassPhraseDialog で Key パスフレーズ入力用スクリプトを指定しておく。
Key のパスフレーズを外すと知り合いの管理者ス○キさんが怖いので。((((;゚Д゚)))ガクガクブルブル
SSLCipherSuite は上記理由で AES128-SHA で我慢する。
--- /usr/local/httpd-2.2.3/conf/extra/httpd-ssl.conf.default Sun Aug 13 17:54:05 2006
+++ /usr/local/httpd-2.2.3/conf/extra/httpd-ssl.conf Sat Aug 19 00:22:08 2006
@@ -53,7 +53,7 @@
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
-SSLPassPhraseDialog builtin
+SSLPassPhraseDialog exec:/usr/local/httpd-2.2.3/bin/pp-filter
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First the mechanism
@@ -75,8 +75,8 @@
# General setup for the virtual host
DocumentRoot "/var/www/htdocs"
-ServerName www.example.com:443
-ServerAdmin you@example.com
+ServerName auxo.pooh.gr.jp:443
+ServerAdmin "webmaster at pooh.gr.jp"
ErrorLog /var/www/logs/error_log
TransferLog /var/www/logs/access_log
@@ -87,7 +87,7 @@
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
-SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+SSLCipherSuite AES128-SHA:RC4-SHA
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
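Review bot: `SSLPassPhraseDialog exec:/usr/local/httpd-2.2.3/bin/pp-filter` in the first hunk hardcodes the versioned install directory, while the method script and the key paths elsewhere on the page go through the /usr/local/httpd symlink; when that symlink is repointed at an upgrade the old filter keeps being executed, or startup fails once the old tree is removed, so `SSLPassPhraseDialog exec:/usr/local/httpd/bin/pp-filter` is the form that follows the rest of the layout. In the third hunk the cipher line narrows the suites but the protocol is left at its default; both listed suites are SSLv3/TLS suites, so an SSLv2-only client cannot complete a handshake anyway, but `SSLProtocol all -SSLv2` next to the cipher line makes that explicit instead of a side effect of the cipher choice. RC4-SHA is there only as the IE fallback described above the diff; it is worth re-checking from time to time whether the clients still need it, since it is the weaker of the two suites.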
/usr/local/httpd-2.2.3/bin/pp-filter(パーミッションは 100)はこんなカンジ。
#!/bin/sh
#
# Pass phrase filter for mod_ssl (SSLPassPhraseDialog exec:... in
# httpd-ssl.conf): mod_ssl runs this at startup and reads the key's pass
# phrase from its stdout.
#
# The pass phrase is stored here in clear text, so the file must be readable
# by nobody but the account that starts httpd; the page sets mode 100.
# NOTE(review): mode 100 (execute only) presumably works only because the
# SMF method runs with root's privileges; any other account would also need
# the read bit to run a #! script. Whoever can read this file can also
# decrypt server.key, so the pass phrase protects the key only when the key
# file alone is copied, not when this host is compromised.
#
exec /bin/echo "ぱすふれーず"
SMF で自動起動するようにしておく。
# Enable the svc:/network/httpd instance (the manifest created it disabled);
# an enabled SMF instance is started now and again on every boot.
# NOTE(review): the page shows no import step for the manifest; the instance
# has to exist (svccfg import /var/svc/manifest/network/httpd.xml, or the
# manifest-import service at boot) before this name can be resolved.
svcadm enable httpd
しばらく運用してみらな、これでいいかどうか、よーわからん。
ここがダメぽってのに気づいたら、教えてください。
