httpd-2.2.3

  Unix

Solaris 10 の httpd2 は、メンテナンスしてるのかどうかさっぱりわからん。
サポート契約していないからか、smpatch で全く httpd2 のパッチが落ちてこない。
セキュリティホールも多々出てるので、Solaris 10 標準の apache を捨てて、自分でソースから入れる。
OpenSSL を有効にするには /usr/sfw を指定する必要がある。Red Hat 風に datadir を /var/www にしてみる。

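# Build httpd 2.2.3 from source on Solaris 10: prefix /usr/local/httpd-2.2.3,
# datadir and localstatedir under /var/www, mod_ssl linked against the
# OpenSSL shipped in /usr/sfw. Run as an ordinary user; only the install
# steps use sudo.
set -e   # stop at the first failing step instead of continuing on a half-built tree
cd src/
wget "http://www.meisei-u.ac.jp/mirror/apache/dist/httpd/httpd-2.2.3.tar.gz"
# The checksum is fetched from apache.org itself, not from the mirror, so a
# tampered mirror copy is caught. Both transfers are plain HTTP, though, so
# the .md5 proves only that the download is intact, not that it is what the
# ASF published; the detached PGP signature (.asc) checked against the
# project's KEYS file is what provides that.
wget "http://www.apache.org/dist/httpd/httpd-2.2.3.tar.gz.md5"
md5sum --check httpd-2.2.3.tar.gz.md5 || exit 1
gtar zxf httpd-2.2.3.tar.gz
cd httpd-2.2.3/
# --with-ssl=/usr/sfw is required for the bundled OpenSSL to be found;
# --datadir/--localstatedir follow the Red Hat layout so htdocs and logs
# live under /var/www.
./configure \
  --prefix=/usr/local/httpd-2.2.3 \
  --datadir=/var/www \
  --localstatedir=/var/www \
  --enable-mods-shared=all \
  --enable-ssl \
  --with-ssl=/usr/sfw
make
sudo make install
# Version-neutral path used by the SMF method script and the config.
# ln -s fails (and, with set -e, stops here) if /usr/local/httpd already
# exists from a previous install; re-point it deliberately in that case.
cd /usr/local/
sudo ln -s httpd-2.2.3 httpd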

/var/svc/manifest/network/httpd.xml

<?xml version='1.0'?>
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<!--
  SMF manifest for the self-built Apache 2.2 (svc:/network/httpd).
  Method script: /lib/svc/method/httpd; install tree: /usr/local/httpd.
  The instance is created disabled and switched on afterwards with
  "svcadm enable httpd".
-->
<service_bundle type='manifest' name='export'>
  <service name='network/httpd' type='service' version='0'>
    <!-- enabled='false': importing the manifest must not start the server. -->
    <create_default_instance enabled='false'/>
    <single_instance/>
    <!-- Start only after the network milestone and local file systems are up;
         autofs is optional_all so a missing automounter does not block httpd. -->
    <dependency name='network' grouping='require_all' restart_on='error' type='service'>
      <service_fmri value='svc:/milestone/network:default'/>
    </dependency>
    <dependency name='filesystem-local' grouping='require_all' restart_on='none' type='service'>
      <service_fmri value='svc:/system/filesystem/local:default'/>
    </dependency>
    <dependency name='autofs' grouping='optional_all' restart_on='error' type='service'>
      <service_fmri value='svc:/system/filesystem/autofs:default'/>
    </dependency>
    <!-- All three methods go through one script, which maps start/stop/refresh
         onto apachectl start/stop/graceful. The empty method_context requests
         no credential or privilege restriction, so the script runs with
         svc.startd's default (root) identity; the httpd parent needs that to
         bind port 443 and to read server.key, and its workers run as the
         User/Group webservd set in httpd.conf. -->
    <exec_method name='start' type='method' exec='/lib/svc/method/httpd start' timeout_seconds='60'>
      <method_context/>
    </exec_method>
    <exec_method name='stop' type='method' exec='/lib/svc/method/httpd stop' timeout_seconds='60'>
      <method_context/>
    </exec_method>
    <exec_method name='refresh' type='method' exec='/lib/svc/method/httpd refresh' timeout_seconds='60'>
      <method_context/>
    </exec_method>
    <property_group name='httpd' type='application'>
      <stability value='Evolving'/>
      <!-- NOTE(review): nothing reads this property. /lib/svc/method/httpd does
           not consult it, and SSL is actually turned on by the
           "Include conf/extra/httpd-ssl.conf" line in httpd.conf, so as written
           the value is documentation only. -->
      <propval name='ssl' type='boolean' value='false'/>
    </property_group>
    <property_group name='startd' type='framework'>
      <!-- Ask the restarter not to treat a method process that dies from a
           signal or core dump as a service failure (see svc.startd(1M),
           ignore_error). -->
      <propval name='ignore_error' type='astring' value='core,signal'/>
    </property_group>
    <stability value='Evolving'/>
    <template>
      <common_name>
        <loctext xml:lang='C'>Apache HTTP Server 2.2</loctext>
      </common_name>
      <documentation>
        <!-- manpath goes through the /usr/local/httpd symlink created at install time. -->
        <manpage title='httpd' section='8' manpath='/usr/local/httpd/man'/>
        <doc_link name='apache.org' uri='http://httpd.apache.org'/>
      </documentation>
    </template>
  </service>
</service_bundle>

/lib/svc/method/httpd

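#!/sbin/sh
#
# SMF method script for svc:/network/httpd (the self-built Apache 2.2).
# svc.startd invokes it with exactly one argument: start | stop | refresh.
# Exits with $SMF_EXIT_ERR_CONFIG when the expected httpd.conf is missing,
# otherwise hands control to apachectl and returns its exit status.
#
. /lib/svc/share/smf_include.sh

APACHE_HOME=/usr/local/httpd
CONF_FILE=/usr/local/httpd/conf/httpd.conf
# Must agree with the PidFile httpd derives from --localstatedir=/var/www.
PIDFILE=/var/www/logs/httpd.pid

if [ ! -f "${CONF_FILE}" ]; then
        exit $SMF_EXIT_ERR_CONFIG
fi

case "$1" in
start)
        # Drop any pid file left behind by a previous instance before starting.
        /bin/rm -f "${PIDFILE}"
        cmd="start"
        ;;
refresh)
        # SMF "refresh" = re-read the configuration without dropping
        # in-flight requests, which is apachectl's graceful restart.
        cmd="graceful"
        ;;
stop)
        cmd="stop"
        ;;
*)
        # Diagnostics belong on stderr, not in the command's stdout.
        echo "Usage: $0 {start|stop|refresh}" >&2
        exit 1
        ;;
esac

# exec replaces this shell so startd sees apachectl's own exit status;
# stderr is folded into stdout so it ends up in the service log.
exec "${APACHE_HOME}/bin/apachectl" "${cmd}" 2>&1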

コンフィグする。
余分なモジュールをぶっこ抜く(ならコンパイルすんなよってツっこむな)。
あと、自宅監視用にするつもりなので、80/tcp も Listen させない。SSL で 443/tcp しか使わない。
Solaris 10 では、Web サーバー用にユーザー webservd があるので、これを使おう。

--- /usr/local/httpd-2.2.3/conf/httpd.conf.default      Sun Aug 13 17:54:00 2006
+++ /usr/local/httpd-2.2.3/conf/httpd.conf      Sat Aug 19 00:20:48 2006
@@ -37,7 +37,7 @@
 # prevent Apache from glomming onto all bound IP addresses.
 #
 #Listen 12.34.56.78:80
-Listen 80
+#Listen 80
 #
 # Dynamic Shared Object (DSO) Support
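Review bot: With `Listen 80` commented out, httpd.conf itself no longer opens any socket; the server starts only because conf/extra/httpd-ssl.conf, enabled by the `Include conf/extra/httpd-ssl.conf` hunk further down, carries its own `Listen 443`. That coupling is invisible here, and a later edit that disables the Include would leave httpd with no listening socket at all, which it treats as a fatal startup error. I would record it next to the commented line: `# No plaintext listener: the only Listen (443) is in conf/extra/httpd-ssl.conf`.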
@@ -51,54 +51,54 @@
 # Example:
 # LoadModule foo_module modules/mod_foo.so
 #
-LoadModule authn_file_module modules/mod_authn_file.so
-LoadModule authn_dbm_module modules/mod_authn_dbm.so
-LoadModule authn_anon_module modules/mod_authn_anon.so
-LoadModule authn_dbd_module modules/mod_authn_dbd.so
-LoadModule authn_default_module modules/mod_authn_default.so
+#LoadModule authn_file_module modules/mod_authn_file.so
+#LoadModule authn_dbm_module modules/mod_authn_dbm.so
+#LoadModule authn_anon_module modules/mod_authn_anon.so
+#LoadModule authn_dbd_module modules/mod_authn_dbd.so
+#LoadModule authn_default_module modules/mod_authn_default.so
 LoadModule authz_host_module modules/mod_authz_host.so
 LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
 LoadModule authz_user_module modules/mod_authz_user.so
-LoadModule authz_dbm_module modules/mod_authz_dbm.so
-LoadModule authz_owner_module modules/mod_authz_owner.so
-LoadModule authz_default_module modules/mod_authz_default.so
+#LoadModule authz_dbm_module modules/mod_authz_dbm.so
+#LoadModule authz_owner_module modules/mod_authz_owner.so
+#LoadModule authz_default_module modules/mod_authz_default.so
 LoadModule auth_basic_module modules/mod_auth_basic.so
-LoadModule auth_digest_module modules/mod_auth_digest.so
-LoadModule dbd_module modules/mod_dbd.so
-LoadModule dumpio_module modules/mod_dumpio.so
-LoadModule ext_filter_module modules/mod_ext_filter.so
-LoadModule include_module modules/mod_include.so
-LoadModule filter_module modules/mod_filter.so
-LoadModule deflate_module modules/mod_deflate.so
+#LoadModule auth_digest_module modules/mod_auth_digest.so
+#LoadModule dbd_module modules/mod_dbd.so
+#LoadModule dumpio_module modules/mod_dumpio.so
+#LoadModule ext_filter_module modules/mod_ext_filter.so
+#LoadModule include_module modules/mod_include.so
+#LoadModule filter_module modules/mod_filter.so
+#LoadModule deflate_module modules/mod_deflate.so
 LoadModule log_config_module modules/mod_log_config.so
-LoadModule log_forensic_module modules/mod_log_forensic.so
-LoadModule logio_module modules/mod_logio.so
+#LoadModule log_forensic_module modules/mod_log_forensic.so
+#LoadModule logio_module modules/mod_logio.so
 LoadModule env_module modules/mod_env.so
 LoadModule mime_magic_module modules/mod_mime_magic.so
-LoadModule cern_meta_module modules/mod_cern_meta.so
-LoadModule expires_module modules/mod_expires.so
-LoadModule headers_module modules/mod_headers.so
-LoadModule ident_module modules/mod_ident.so
-LoadModule usertrack_module modules/mod_usertrack.so
-LoadModule unique_id_module modules/mod_unique_id.so
+#LoadModule cern_meta_module modules/mod_cern_meta.so
+#LoadModule expires_module modules/mod_expires.so
+#LoadModule headers_module modules/mod_headers.so
+#LoadModule ident_module modules/mod_ident.so
+#LoadModule usertrack_module modules/mod_usertrack.so
+#LoadModule unique_id_module modules/mod_unique_id.so
 LoadModule setenvif_module modules/mod_setenvif.so
-LoadModule version_module modules/mod_version.so
+#LoadModule version_module modules/mod_version.so
 LoadModule ssl_module modules/mod_ssl.so
 LoadModule mime_module modules/mod_mime.so
-LoadModule dav_module modules/mod_dav.so
+#LoadModule dav_module modules/mod_dav.so
 LoadModule status_module modules/mod_status.so
 LoadModule autoindex_module modules/mod_autoindex.so
-LoadModule asis_module modules/mod_asis.so
-LoadModule info_module modules/mod_info.so
+#LoadModule asis_module modules/mod_asis.so
+#LoadModule info_module modules/mod_info.so
 LoadModule cgi_module modules/mod_cgi.so
-LoadModule dav_fs_module modules/mod_dav_fs.so
-LoadModule vhost_alias_module modules/mod_vhost_alias.so
-LoadModule negotiation_module modules/mod_negotiation.so
+#LoadModule dav_fs_module modules/mod_dav_fs.so
+#LoadModule vhost_alias_module modules/mod_vhost_alias.so
+#LoadModule negotiation_module modules/mod_negotiation.so
 LoadModule dir_module modules/mod_dir.so
-LoadModule imagemap_module modules/mod_imagemap.so
-LoadModule actions_module modules/mod_actions.so
-LoadModule speling_module modules/mod_speling.so
-LoadModule userdir_module modules/mod_userdir.so
+#LoadModule imagemap_module modules/mod_imagemap.so
+#LoadModule actions_module modules/mod_actions.so
+#LoadModule speling_module modules/mod_speling.so
+#LoadModule userdir_module modules/mod_userdir.so
 LoadModule alias_module modules/mod_alias.so
 LoadModule rewrite_module modules/mod_rewrite.so
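Review bot: For a host meant to serve one SSL-only monitoring site, `LoadModule cgi_module`, `LoadModule autoindex_module` and `LoadModule status_module` remain enabled while far less exposed modules are switched off; each of them becomes reachable surface the moment a later `Options Indexes`, `ScriptAlias` or `SetHandler server-status` appears, so I would comment them out too unless something on the site actually needs them. Conversely, disabling `mod_headers` removes the `Header` directive, which is the normal way to add response headers such as Strict-Transport-Security on an HTTPS-only host; consider keeping `LoadModule headers_module modules/mod_headers.so`. Note also that everything built by `--enable-mods-shared=all` is still installed under modules/; this hunk only stops loading it.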
@@ -111,8 +111,8 @@
 # It is usually good practice to create a dedicated user and group for
 # running httpd, as with most system services.
 #
-User daemon
-Group daemon
+User webservd
+Group webservd
 </IfModule>
 # 'Main' server configuration
@@ -132,7 +132,7 @@
 # e-mailed.  This address appears on some server-generated pages, such
 # as error documents.  e.g. admin@your-domain.com
 #
-ServerAdmin you@example.com
+#ServerAdmin you@example.com
 #
 # ServerName gives the name and port that the server uses to identify itself.
@@ -148,7 +148,7 @@
 # documents. By default, all requests are taken from this directory, but
 # symbolic links and aliases may be used to point to other locations.
 #
-DocumentRoot "/var/www/htdocs"
+#DocumentRoot "/var/www/htdocs"
 #
 # Each directory to which Apache has access can be configured with respect
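Review bot: Commenting out `DocumentRoot` does not clear the setting; the main server falls back to the compiled-in default beneath ServerRoot (presumably /usr/local/httpd-2.2.3/htdocs), which no longer matches the `<Directory "/var/www/htdocs">` rules that follow in this file. It is harmless here only because the single listener lives inside the SSL vhost, which sets its own `DocumentRoot "/var/www/htdocs"` in httpd-ssl.conf. Keeping the directive in place as `DocumentRoot "/var/www/htdocs"` leaves the global default and the directory rules aligned should a plaintext or second vhost ever be added.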
@@ -239,6 +239,7 @@
 #
 LogLevel warn
+
 <IfModule log_config_module>
     #
     # The following directives define some format nicknames for use with
@@ -444,7 +445,7 @@
 #Include conf/extra/httpd-default.conf
 # Secure (SSL/TLS) connections
-#Include conf/extra/httpd-ssl.conf
+Include conf/extra/httpd-ssl.conf
 #
 # Note: The following must must be present to support
 #       starting without SSL on platforms with no /dev/random equivalent

SSL の鍵を作る。

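# Generate the private key and a one-year self-signed certificate for the
# SSL-only vhost. All paths go through the /usr/local/httpd symlink so they
# survive an upgrade of the versioned tree.
cd /usr/local/httpd-2.2.3/conf/
# Restrict the umask first: the key must not be readable by anyone else even
# in the window between its creation and the chmod below. sudo keeps the
# calling shell's umask bits, so this applies to the openssl runs too.
umask 077
# 1024-bit RSA was the original choice on this page; 2048 bits is the
# accepted minimum today and costs nothing with this OpenSSL.
sudo openssl genrsa -des3 -out /usr/local/httpd/conf/server.key 2048
sudo openssl req -new -x509 -key /usr/local/httpd/conf/server.key -days 365 -out /usr/local/httpd/conf/server.crt
# Owner-read-only; the certificate is public but there is no reason for
# anything but httpd's root parent to read either file.
sudo chmod 400 /usr/local/httpd/conf/server.key /usr/local/httpd/conf/server.crt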

ここで問題が、、、Solaris 標準の OpenSSL が 256bit ブロック暗号が使えん! DHE-RSA-AES256-SHA, DHE-DSS-AES256-SHA, AES256-SHA とか。
かといって、OpenSSL を入れなおすのはさすがにしんどいので、Firefox 用に DHE-RSA-AES128-SHA, IE 用に RC4-SHA あたりで我慢しておくか。所詮、自宅用暗号化だし。

$ openssl ciphers -v
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
RC2-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=RC2(128)  Mac=MD5
DHE-DSS-RC4-SHA         SSLv3 Kx=DH       Au=DSS  Enc=RC4(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
RC4-64-MD5              SSLv2 Kx=RSA      Au=RSA  Enc=RC4(64)   Mac=MD5
EXP1024-DHE-DSS-DES-CBC-SHA SSLv3 Kx=DH(1024) Au=DSS  Enc=DES(56)   Mac=SHA1 export
EXP1024-DES-CBC-SHA     SSLv3 Kx=RSA(1024) Au=RSA  Enc=DES(56)   Mac=SHA1 export
EXP1024-RC2-CBC-MD5     SSLv3 Kx=RSA(1024) Au=RSA  Enc=RC2(56)   Mac=MD5  export
EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA  Enc=DES(56)   Mac=SHA1
EDH-DSS-DES-CBC-SHA     SSLv3 Kx=DH       Au=DSS  Enc=DES(56)   Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
DES-CBC-MD5             SSLv2 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=MD5
EXP1024-DHE-DSS-RC4-SHA SSLv3 Kx=DH(1024) Au=DSS  Enc=RC4(56)   Mac=SHA1 export
EXP1024-RC4-SHA         SSLv3 Kx=RSA(1024) Au=RSA  Enc=RC4(56)   Mac=SHA1 export
EXP1024-RC4-MD5         SSLv3 Kx=RSA(1024) Au=RSA  Enc=RC4(56)   Mac=MD5  export
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512)  Au=DSS  Enc=DES(40)   Mac=SHA1 export
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv2 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export

/usr/local/httpd-2.2.3/conf/extra/httpd-ssl.conf で SSL の設定をする。
SSLPassPhraseDialog で Key パスフレーズ入力用スクリプトを指定しておく。
Key のパスフレーズを外すと知り合いの管理者ス○キさんが怖いので。((((;゚Д゚)))ガクガクブルブル
SSLCipherSuite は上記理由で AES128-SHA で我慢する。

--- /usr/local/httpd-2.2.3/conf/extra/httpd-ssl.conf.default    Sun Aug 13 17:54:05 2006
+++ /usr/local/httpd-2.2.3/conf/extra/httpd-ssl.conf    Sat Aug 19 00:22:08 2006
@@ -53,7 +53,7 @@
 #   Configure the pass phrase gathering process.
 #   The filtering dialog program (`builtin' is a internal
 #   terminal dialog) has to provide the pass phrase on stdout.
-SSLPassPhraseDialog  builtin
+SSLPassPhraseDialog exec:/usr/local/httpd-2.2.3/bin/pp-filter
 #   Inter-Process Session Cache:
 #   Configure the SSL Session Cache: First the mechanism
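Review bot: `exec:/usr/local/httpd-2.2.3/bin/pp-filter` pins the dialog program to the versioned tree, whereas the SMF method script addresses the install through APACHE_HOME=/usr/local/httpd; after the next upgrade re-points that symlink, httpd would still execute the old tree's pp-filter, or fail to start if it has been removed. Use `SSLPassPhraseDialog exec:/usr/local/httpd/bin/pp-filter` to keep the two consistent. Since pp-filter merely prints a fixed pass phrase, the encrypted server.key is protected only as well as that file's ownership and mode: it must be root-owned, unreadable by webservd, and left out of any copy or backup that server.key itself is kept out of.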
@@ -75,8 +75,8 @@
 #   General setup for the virtual host
 DocumentRoot "/var/www/htdocs"
-ServerName www.example.com:443
-ServerAdmin you@example.com
+ServerName auxo.pooh.gr.jp:443
+ServerAdmin "webmaster at pooh.gr.jp"
 ErrorLog /var/www/logs/error_log
 TransferLog /var/www/logs/access_log
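Review bot: `ErrorLog` and `TransferLog` place the logs in /var/www/logs, the same directory the SMF method script uses for httpd.pid (PIDFILE=/var/www/logs/httpd.pid), and /var/www is also the datadir that holds htdocs. apachectl stop/graceful signals whatever PID is recorded in that file, and it does so as root because the manifest's method_context is empty, so the directory and the pid file must remain root-owned and not writable by `User webservd`; verify that `make install` with --localstatedir=/var/www did not leave it writable by the web user. Keeping logs/ a sibling of htdocs/ rather than beneath it is fine, but make sure no Alias or DocumentRoot ever exposes /var/www/logs.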
@@ -87,7 +87,7 @@
 #   SSL Cipher Suite:
 #   List the ciphers that the client is permitted to negotiate.
 #   See the mod_ssl documentation for a complete list.
-SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+SSLCipherSuite AES128-SHA:RC4-SHA
 #   Server Certificate:
 #   Point SSLCertificateFile at a PEM encoded certificate.  If
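Review bot: `SSLCipherSuite AES128-SHA:RC4-SHA` selects two suites that both key-exchange with plain RSA (Kx=RSA in the `openssl ciphers -v` output above), so a later compromise of server.key exposes every recorded session, and RC4 has since been prohibited for TLS by RFC 7465 and is refused by current browsers. The same output lists DHE-RSA-AES128-SHA, the very cipher the text picked for Firefox, which gives forward secrecy with the OpenSSL this box already has; I would use `SSLCipherSuite DHE-RSA-AES128-SHA:AES128-SHA` and drop RC4 unless a specific client genuinely needs it. Because that cipher list also advertises SSLv2 suites, add `SSLProtocol all -SSLv2` in the same vhost so the protocol floor matches the cipher choice.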

/usr/local/httpd-2.2.3/bin/pp-filter(パーミッションは 100)はこんなカンジ。

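#!/bin/sh
#
# Pass-phrase dialog for mod_ssl (SSLPassPhraseDialog exec:...). httpd runs
# it at startup and reads the pass phrase for server.key from its stdout.
# Anyone who can read this file has the key's pass phrase, so it must be
# protected at least as strictly as server.key itself: root-owned, no read
# access for webservd, and excluded from shared backups.
#
# printf rather than echo: echo would mangle a pass phrase that begins with
# "-" or contains backslashes, silently producing a different string.
printf '%s\n' "ぱすふれーず"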

SMF で自動起動するようにしておく。

svcadm enable httpd

しばらく運用してみらな、これでいいかどうか、よーわからん。
ここがダメぽってのに気づいたら、教えてください。