I have no idea whether the httpd2 that ships with Solaris 10 is maintained at all.
Maybe it's because I don't have a support contract, but smpatch never pulls down a single httpd2 patch.
Plenty of security holes have been published for it, so I'm dropping the stock Solaris 10 apache and building my own from source.
To build mod_ssl against the OpenSSL that ships with Solaris 10, --with-ssl has to point at /usr/sfw. I'll set datadir to /var/www, Red Hat style.
cd src/
wget "http://www.meisei-u.ac.jp/mirror/apache/dist/httpd/httpd-2.2.3.tar.gz"
# the digest is fetched from apache.org, not from the mirror that served the tarball
wget "http://www.apache.org/dist/httpd/httpd-2.2.3.tar.gz.md5"
md5sum --check httpd-2.2.3.tar.gz.md5
if [ $? -ne 0 ]; then exit 1; fi
gtar zxf httpd-2.2.3.tar.gz
cd httpd-2.2.3/
./configure \
    --prefix=/usr/local/httpd-2.2.3 \
    --datadir=/var/www \
    --localstatedir=/var/www \
    --enable-mods-shared=all \
    --enable-ssl \
    --with-ssl=/usr/sfw
make
sudo make install
# version-neutral path used by the SMF method script and the config below
cd /usr/local/
sudo ln -s httpd-2.2.3 httpd
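The `md5sum --check` line above is the one step in this build that guards the supply chain, so here it is pulled out into a reusable check. This is an added example, not the page's script: it verifies a tarball against a detached `.md5` file (both the `hash  filename` form Apache publishes and the BSD `MD5 (file) = hash` form are accepted), computes the digest with whatever the host has (`md5sum`, Solaris `digest`, or `openssl dgst`, in that order; the two fallbacks are an assumption, the page only shows `md5sum`), and refuses to proceed on a mismatch or on a malformed digest file. The sample file and its digest at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the page): verify a downloaded tarball against its
# detached .md5 file before unpacking it.  Fetch the .md5 from apache.org
# itself, never from the mirror that served the tarball, or the check proves
# nothing when the mirror is the thing that was tampered with.

# md5_of FILE: print the lowercase hex MD5 of FILE with whatever tool exists.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v digest >/dev/null 2>&1; then   # Solaris 10: digest(1)
        digest -a md5 "$1"
    else
        openssl dgst -md5 "$1" | awk '{print $NF}'
    fi
}

# expected_md5 MD5FILE: extract the digest from a ".md5" file.  Accepts the
# "hash  filename" form and the BSD "MD5 (filename) = hash" form.  Prints
# nothing unless the first line carries a 32-character hex digest, so a
# truncated download of the .md5 itself is caught as well.
expected_md5() {
    awk 'NR == 1 { d = ($0 ~ /=/) ? $NF : $1; d = tolower(d) }
         END { if (d ~ /^[0-9a-f]+$/ && length(d) == 32) print d }' "$1"
}

# verify_md5 TARBALL MD5FILE: 0 only when both digests exist and agree,
# 1 on mismatch, 2 when either input is unusable.
verify_md5() {
    [ -r "$1" ] || { echo "verify_md5: cannot read $1" >&2; return 2; }
    want=$(expected_md5 "$2")
    if [ -z "$want" ]; then
        echo "verify_md5: no usable digest in $2" >&2
        return 2
    fi
    have=$(md5_of "$1") || return 2
    if [ "$have" != "$want" ]; then
        echo "verify_md5: MISMATCH for $1: have $have want $want" >&2
        return 1
    fi
    return 0
}

# Demonstration on constructed data: "hello\n" has a well-known MD5.
demo_verify_md5() {
    d=$(mktemp -d) || return 2
    printf 'hello\n' > "$d/httpd.tar.gz"
    echo 'b1946ac92492d2347c6235b4d2611184  httpd.tar.gz' > "$d/httpd.tar.gz.md5"
    verify_md5 "$d/httpd.tar.gz" "$d/httpd.tar.gz.md5"; good=$?
    printf 'hello!\n' > "$d/httpd.tar.gz"            # one byte changed "in transit"
    verify_md5 "$d/httpd.tar.gz" "$d/httpd.tar.gz.md5" 2>/dev/null; bad=$?
    rm -rf "$d"
    echo "intact: rc=$good  tampered: rc=$bad"
    [ "$good" -eq 0 ] && [ "$bad" -eq 1 ]
}

demo_verify_md5
```

In the build sequence this replaces the `md5sum --check` / `if [ $? -ne 0 ]` pair with `verify_md5 httpd-2.2.3.tar.gz httpd-2.2.3.tar.gz.md5 || exit 1`, which also works on a Solaris box that lacks GNU coreutils.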
/var/svc/manifest/network/httpd.xml
<?xml version='1.0'?>
<!DOCTYPE service_bundle SYSTEM '/usr/share/lib/xml/dtd/service_bundle.dtd.1'>
<service_bundle type='manifest' name='export'>
  <service name='network/httpd' type='service' version='0'>
    <create_default_instance enabled='false'/>
    <single_instance/>
    <dependency name='network' grouping='require_all' restart_on='error' type='service'>
      <service_fmri value='svc:/milestone/network:default'/>
    </dependency>
    <dependency name='filesystem-local' grouping='require_all' restart_on='none' type='service'>
      <service_fmri value='svc:/system/filesystem/local:default'/>
    </dependency>
    <dependency name='autofs' grouping='optional_all' restart_on='error' type='service'>
      <service_fmri value='svc:/system/filesystem/autofs:default'/>
    </dependency>
    <exec_method name='start' type='method' exec='/lib/svc/method/httpd start' timeout_seconds='60'>
      <method_context/>
    </exec_method>
    <exec_method name='stop' type='method' exec='/lib/svc/method/httpd stop' timeout_seconds='60'>
      <method_context/>
    </exec_method>
    <exec_method name='refresh' type='method' exec='/lib/svc/method/httpd refresh' timeout_seconds='60'>
      <method_context/>
    </exec_method>
    <property_group name='httpd' type='application'>
      <stability value='Evolving'/>
      <propval name='ssl' type='boolean' value='false'/>
    </property_group>
    <property_group name='startd' type='framework'>
      <propval name='ignore_error' type='astring' value='core,signal'/>
    </property_group>
    <stability value='Evolving'/>
    <template>
      <common_name>
        <loctext xml:lang='C'>Apache HTTP Server 2.2</loctext>
      </common_name>
      <documentation>
        <manpage title='httpd' section='8' manpath='/usr/local/httpd/man'/>
        <doc_link name='apache.org' uri='http://httpd.apache.org'/>
      </documentation>
    </template>
  </service>
</service_bundle>
/lib/svc/method/httpd
#!/sbin/sh

. /lib/svc/share/smf_include.sh

APACHE_HOME=/usr/local/httpd
CONF_FILE=/usr/local/httpd/conf/httpd.conf
PIDFILE=/var/www/logs/httpd.pid

# no configuration: tell SMF it is a config error, not a transient failure
[ ! -f ${CONF_FILE} ] && exit $SMF_EXIT_ERR_CONFIG

case "$1" in
start)
        # clear a pid file left behind by an unclean shutdown
        /bin/rm -f ${PIDFILE}
        cmd="start"
        ;;
refresh)
        # SMF refresh = graceful restart, in-flight requests finish first
        cmd="graceful"
        ;;
stop)
        cmd="stop"
        ;;
*)
        echo "Usage: $0 {start|stop|refresh}"
        exit 1
        ;;
esac

exec ${APACHE_HOME}/bin/apachectl $cmd 2>&1
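The method script above does exactly what the stock Solaris one does, which means a broken httpd.conf makes `apachectl start` fail, and the instance ends up in maintenance with nothing in the SMF log that says why. The following is an added variant, not the page's script: it keeps the same method names and paths but runs `httpd -t` against the configuration first and returns the exit codes from smf_method(5), so `$SMF_EXIT_ERR_CONFIG` (96) tells svc.startd the failure is not transient and the instance goes to maintenance without restart attempts. The `:=` fallbacks for the SMF_EXIT_* values exist only so the functions can be exercised off-box; on Solaris `smf_include.sh` supplies them. Everything is wrapped in functions so the dispatch at the bottom only fires when SMF passes a method name.

```shell
#!/sbin/sh
# Added example (not the page's script): /lib/svc/method/httpd with a
# configuration preflight and the SMF exit-code contract from smf_method(5).
# On Solaris smf_include.sh defines SMF_EXIT_*; the ":=" fallbacks let the
# functions run on a non-SMF host and are an addition for testing.
[ -r /lib/svc/share/smf_include.sh ] && . /lib/svc/share/smf_include.sh
: "${SMF_EXIT_OK:=0}" "${SMF_EXIT_ERR_FATAL:=95}" "${SMF_EXIT_ERR_CONFIG:=96}"

APACHE_HOME=${APACHE_HOME:-/usr/local/httpd}
CONF_FILE=${CONF_FILE:-$APACHE_HOME/conf/httpd.conf}
PIDFILE=${PIDFILE:-/var/www/logs/httpd.pid}

# method_to_verb METHOD: print the apachectl verb for an SMF method name.
# "refresh" maps to a graceful restart so open connections finish.
method_to_verb() {
    case "$1" in
        start)   echo start ;;
        stop)    echo stop ;;
        refresh) echo graceful ;;
        *)       return 1 ;;
    esac
}

# preflight: syntax-check the configuration with the real binary before the
# server is (re)started.  A missing or broken httpd.conf is not a transient
# fault, so return SMF_EXIT_ERR_CONFIG and let svc.startd park the instance
# in maintenance instead of restarting it in a loop.
preflight() {
    [ -f "$CONF_FILE" ] || return "$SMF_EXIT_ERR_CONFIG"
    "$APACHE_HOME/bin/httpd" -t -f "$CONF_FILE" >/dev/null 2>&1 \
        || return "$SMF_EXIT_ERR_CONFIG"
    return 0
}

# run_method METHOD: the body of the method script, as a function so it can
# be exercised without SMF.
run_method() {
    verb=$(method_to_verb "$1") || {
        echo "Usage: $0 {start|stop|refresh}" >&2
        return 2
    }
    case "$verb" in
        start|graceful) preflight || return $? ;;
    esac
    # Clear the pid file the way the stock Solaris method does, so a file
    # left by an unclean shutdown cannot be mistaken for a live server after
    # a reboot has recycled the pid.
    if [ "$verb" = start ]; then
        rm -f "$PIDFILE"
    fi
    "$APACHE_HOME/bin/apachectl" "$verb" 2>&1 || return "$SMF_EXIT_ERR_FATAL"
    return "$SMF_EXIT_OK"
}

# SMF passes the method name as $1; with no argument nothing runs, which
# keeps the functions loadable for testing.
case "${1:-}" in
    start|stop|refresh) run_method "$1"; exit $? ;;
esac
```

After a failed start, `svcs -x httpd` then shows the 96 exit status and points at the method log under /var/svc/log, which is where the `httpd -t` failure would otherwise have to be reproduced by hand.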
Now configure it.
Yank out the surplus modules (yes, I know: "then why compile them in the first place").
Also, since this box is going to be for monitoring my home, I won't Listen on 80/tcp at all. Only 443/tcp over SSL.
Solaris 10 already has a webservd user meant for web servers, so let's use that.
--- /usr/local/httpd-2.2.3/conf/httpd.conf.default Sun Aug 13 17:54:00 2006 +++ /usr/local/httpd-2.2.3/conf/httpd.conf Sat Aug 19 00:20:48 2006 @@ -37,7 +37,7 @@ # prevent Apache from glomming onto all bound IP addresses. # #Listen 12.34.56.78:80 -Listen 80 +#Listen 80 # # Dynamic Shared Object (DSO) Support 
@@ -51,54 +51,54 @@ # Example: # LoadModule foo_module modules/mod_foo.so # -LoadModule authn_file_module modules/mod_authn_file.so -LoadModule authn_dbm_module modules/mod_authn_dbm.so -LoadModule authn_anon_module modules/mod_authn_anon.so -LoadModule authn_dbd_module modules/mod_authn_dbd.so -LoadModule authn_default_module modules/mod_authn_default.so +#LoadModule authn_file_module modules/mod_authn_file.so +#LoadModule authn_dbm_module modules/mod_authn_dbm.so +#LoadModule authn_anon_module modules/mod_authn_anon.so +#LoadModule authn_dbd_module modules/mod_authn_dbd.so +#LoadModule authn_default_module modules/mod_authn_default.so LoadModule authz_host_module modules/mod_authz_host.so LoadModule authz_groupfile_module modules/mod_authz_groupfile.so LoadModule authz_user_module modules/mod_authz_user.so -LoadModule authz_dbm_module modules/mod_authz_dbm.so -LoadModule authz_owner_module modules/mod_authz_owner.so -LoadModule authz_default_module modules/mod_authz_default.so +#LoadModule authz_dbm_module modules/mod_authz_dbm.so +#LoadModule authz_owner_module modules/mod_authz_owner.so +#LoadModule authz_default_module modules/mod_authz_default.so LoadModule auth_basic_module modules/mod_auth_basic.so -LoadModule auth_digest_module modules/mod_auth_digest.so -LoadModule dbd_module modules/mod_dbd.so -LoadModule dumpio_module modules/mod_dumpio.so -LoadModule ext_filter_module modules/mod_ext_filter.so -LoadModule include_module modules/mod_include.so -LoadModule filter_module modules/mod_filter.so -LoadModule deflate_module modules/mod_deflate.so +#LoadModule auth_digest_module modules/mod_auth_digest.so +#LoadModule dbd_module modules/mod_dbd.so +#LoadModule dumpio_module modules/mod_dumpio.so +#LoadModule ext_filter_module modules/mod_ext_filter.so +#LoadModule include_module modules/mod_include.so +#LoadModule filter_module modules/mod_filter.so +#LoadModule deflate_module modules/mod_deflate.so LoadModule log_config_module modules/mod_log_config.so 
-LoadModule log_forensic_module modules/mod_log_forensic.so -LoadModule logio_module modules/mod_logio.so +#LoadModule log_forensic_module modules/mod_log_forensic.so +#LoadModule logio_module modules/mod_logio.so LoadModule env_module modules/mod_env.so LoadModule mime_magic_module modules/mod_mime_magic.so -LoadModule cern_meta_module modules/mod_cern_meta.so -LoadModule expires_module modules/mod_expires.so -LoadModule headers_module modules/mod_headers.so -LoadModule ident_module modules/mod_ident.so -LoadModule usertrack_module modules/mod_usertrack.so -LoadModule unique_id_module modules/mod_unique_id.so +#LoadModule cern_meta_module modules/mod_cern_meta.so +#LoadModule expires_module modules/mod_expires.so +#LoadModule headers_module modules/mod_headers.so +#LoadModule ident_module modules/mod_ident.so +#LoadModule usertrack_module modules/mod_usertrack.so +#LoadModule unique_id_module modules/mod_unique_id.so LoadModule setenvif_module modules/mod_setenvif.so -LoadModule version_module modules/mod_version.so +#LoadModule version_module modules/mod_version.so LoadModule ssl_module modules/mod_ssl.so LoadModule mime_module modules/mod_mime.so -LoadModule dav_module modules/mod_dav.so +#LoadModule dav_module modules/mod_dav.so LoadModule status_module modules/mod_status.so LoadModule autoindex_module modules/mod_autoindex.so -LoadModule asis_module modules/mod_asis.so -LoadModule info_module modules/mod_info.so +#LoadModule asis_module modules/mod_asis.so +#LoadModule info_module modules/mod_info.so LoadModule cgi_module modules/mod_cgi.so -LoadModule dav_fs_module modules/mod_dav_fs.so -LoadModule vhost_alias_module modules/mod_vhost_alias.so -LoadModule negotiation_module modules/mod_negotiation.so +#LoadModule dav_fs_module modules/mod_dav_fs.so +#LoadModule vhost_alias_module modules/mod_vhost_alias.so +#LoadModule negotiation_module modules/mod_negotiation.so LoadModule dir_module modules/mod_dir.so -LoadModule imagemap_module modules/mod_imagemap.so 
-LoadModule actions_module modules/mod_actions.so -LoadModule speling_module modules/mod_speling.so -LoadModule userdir_module modules/mod_userdir.so +#LoadModule imagemap_module modules/mod_imagemap.so +#LoadModule actions_module modules/mod_actions.so +#LoadModule speling_module modules/mod_speling.so +#LoadModule userdir_module modules/mod_userdir.so LoadModule alias_module modules/mod_alias.so LoadModule rewrite_module modules/mod_rewrite.so @@ -111,8 +111,8 @@ # It is usually good practice to create a dedicated user and group for # running httpd, as with most system services. # -User daemon -Group daemon +User webservd +Group webservd </IfModule> # 'Main' server configuration @@ -132,7 +132,7 @@ # e-mailed. This address appears on some server-generated pages, such # as error documents. e.g. admin@your-domain.com # -ServerAdmin you@example.com +#ServerAdmin you@example.com # # ServerName gives the name and port that the server uses to identify itself. @@ -148,7 +148,7 @@ # documents. By default, all requests are taken from this directory, but # symbolic links and aliases may be used to point to other locations. # -DocumentRoot "/var/www/htdocs" +#DocumentRoot "/var/www/htdocs" # # Each directory to which Apache has access can be configured with respect @@ -239,6 +239,7 @@ # LogLevel warn + <IfModule log_config_module> # # The following directives define some format nicknames for use with @@ -444,7 +445,7 @@ #Include conf/extra/httpd-default.conf # Secure (SSL/TLS) connections -#Include conf/extra/httpd-ssl.conf +Include conf/extra/httpd-ssl.conf # # Note: The following must must be present to support # starting without SSL on platforms with no /dev/random equivalent
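Review bot: in the `@@ -37,7 +37,7 @@` hunk, turning `Listen 80` into `#Listen 80` leaves httpd.conf with no Listen directive at all; the only one left is the `Listen 443` inside conf/extra/httpd-ssl.conf that the last hunk includes, so if that Include is ever commented out again httpd refuses to start with no socket to bind. Either put an explicit `Listen 443` in httpd.conf or leave a comment at the old line saying where the listener now lives.

Review bot: in the `@@ -51,54 +51,54 @@` hunk, mod_authn_file and mod_authz_default are disabled while mod_auth_basic, mod_authz_user and mod_authz_groupfile stay loaded. In 2.2 the default provider for mod_auth_basic is `file`, so any `AuthType Basic` block added later has no backend, and without mod_authz_default a `Require` that no loaded module understands ends in a 500 ("couldn't check access") rather than a clean denial. Keep `authn_file` and `authz_default`, or drop the three auth modules with them so the set is consistent. Of what remains, mod_autoindex will list any directory under DocumentRoot that has no index file, and mod_status/mod_cgi are loaded with nothing in this configuration using them; comment them out with the rest unless the monitoring page needs them.

Review bot: in the `@@ -111,8 +111,8 @@` hunk, `User webservd` / `Group webservd` is the right choice, but check that /var/www/logs (where ErrorLog and TransferLog in httpd-ssl.conf point) stays owned by root and is not writable by webservd: httpd opens its log files as root before dropping privileges, and a log directory the worker uid can write to is the well-known route from the unprivileged uid back to root.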
Create the SSL key.
cd /usr/local/httpd-2.2.3/conf/
# RSA private key, 3DES-encrypted under a passphrase (prompts for it);
# 1024 bits was common in 2006, 2048 is the floor today
sudo openssl genrsa -des3 -out /usr/local/httpd/conf/server.key 1024
# self-signed certificate valid for one year (prompts for the subject fields;
# the Common Name must be the host name clients will connect to)
sudo openssl req -new -x509 -key /usr/local/httpd/conf/server.key -days 365 -out /usr/local/httpd/conf/server.crt
sudo chmod 400 /usr/local/httpd/conf/server.key /usr/local/httpd/conf/server.crt
And here's a problem... the OpenSSL that ships with Solaris can't do the 256-bit AES suites! DHE-RSA-AES256-SHA, DHE-DSS-AES256-SHA, AES256-SHA and so on.
Reinstalling OpenSSL is frankly too much hassle though, so I'll make do with DHE-RSA-AES128-SHA for Firefox and RC4-SHA for IE. It's only home-use encryption, after all.
$ openssl ciphers -v
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
DHE-DSS-RC4-SHA SSLv3 Kx=DH Au=DSS Enc=RC4(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
RC4-64-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(64) Mac=MD5
EXP1024-DHE-DSS-DES-CBC-SHA SSLv3 Kx=DH(1024) Au=DSS Enc=DES(56) Mac=SHA1 export
EXP1024-DES-CBC-SHA SSLv3 Kx=RSA(1024) Au=RSA Enc=DES(56) Mac=SHA1 export
EXP1024-RC2-CBC-MD5 SSLv3 Kx=RSA(1024) Au=RSA Enc=RC2(56) Mac=MD5 export
EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
DES-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
EXP1024-DHE-DSS-RC4-SHA SSLv3 Kx=DH(1024) Au=DSS Enc=RC4(56) Mac=SHA1 export
EXP1024-RC4-SHA SSLv3 Kx=RSA(1024) Au=RSA Enc=RC4(56) Mac=SHA1 export
EXP1024-RC4-MD5 SSLv3 Kx=RSA(1024) Au=RSA Enc=RC4(56) Mac=MD5 export
EXP-EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-EDH-DSS-DES-CBC-SHA SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC2-CBC-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC2-CBC-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
EXP-RC4-MD5 SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
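Rather than eyeballing that listing, the policy the page arrives at ("no export, no SSLv2, AES128 with DHE when the browser can do it") can be derived from the `openssl ciphers -v` output mechanically, which also makes it repeatable once this OpenSSL is replaced by one with AES256. The following is an added example, not the page's configuration: `harden_cipher_list` reads the listing on stdin, drops SSLv2 and export suites, anything under 128 bits, single DES, RC2/RC4 and MD5 MACs, and orders the survivors so forward-secret (Kx=DH or ECDH) AES suites come first, printing a ready-made `SSLCipherSuite` value. The sample input is a subset of the page's own listing, copied for the demo. Dropping RC4 goes beyond the page's own choice (the page keeps RC4-SHA for IE); RC4 has since been prohibited for TLS by RFC 7465.

```shell
#!/bin/sh
# Added example (not the page's config): derive an SSLCipherSuite value from
# `openssl ciphers -v` output instead of picking suites by hand.

# harden_cipher_list: stdin = `openssl ciphers -v` lines of the form
#   NAME PROTO Kx=.. Au=.. Enc=ALG(bits) Mac=.. [export]
# stdout = colon-separated suite list, forward-secret AES first.
harden_cipher_list() {
    awk '
    {
        name = $1; proto = $2; kx = $3; enc = $5; mac = $6
        if (proto == "SSLv2")        next   # SSLv2 handshake is unauthenticated
        if ($NF == "export")         next   # 40/56-bit "export" suites
        if (mac == "Mac=MD5")        next   # HMAC-MD5
        if (enc ~ /^Enc=RC[24]/)     next   # RC4 (RFC 7465) and RC2
        if (enc ~ /^Enc=DES\(/)      next   # single DES; "Enc=3DES(" stays
        split(enc, a, /[()]/); bits = a[2] + 0
        if (bits < 128)              next
        rank = (enc ~ /AES/) ? 0 : 2         # AES ahead of 3DES
        if (kx !~ /^Kx=(EC)?DH$/) rank++     # static RSA key exchange last
        list[rank] = list[rank] (list[rank] == "" ? "" : ":") name
    }
    END {
        out = ""
        for (r = 0; r <= 3; r++)
            if (list[r] != "") out = out (out == "" ? "" : ":") list[r]
        print out
    }'
}

# cipher_list_ok LIST: true if the local OpenSSL accepts LIST.  mod_ssl hands
# the string to the same parser, so this catches a typo before a restart.
cipher_list_ok() {
    openssl ciphers "$1" >/dev/null 2>&1
}

# sample_ciphers: a subset of the page's `openssl ciphers -v` listing.
sample_ciphers() {
    cat <<'EOF'
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
DHE-DSS-RC4-SHA SSLv3 Kx=DH Au=DSS Enc=RC4(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
EXP1024-DES-CBC-SHA SSLv3 Kx=RSA(1024) Au=RSA Enc=DES(56) Mac=SHA1 export
EDH-RSA-DES-CBC-SHA SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
EXP-RC4-MD5 SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
EOF
}

# Demo: what the page's listing boils down to.
sample_ciphers | harden_cipher_list
```

Against the live library the same thing is `openssl ciphers -v ALL | harden_cipher_list`, and the printed string goes straight into `SSLCipherSuite` after `cipher_list_ok` has accepted it. On the page's OpenSSL the result starts with DHE-RSA-AES128-SHA, which is the forward-secret suite the text wanted for Firefox but the final configuration below does not enable.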
SSL itself is configured in /usr/local/httpd-2.2.3/conf/extra/httpd-ssl.conf.
SSLPassPhraseDialog is pointed at a script that supplies the key's passphrase, so the server can start unattended.
Because if I strip the passphrase off the key, Mr. S○ki, an admin I know, gets scary. ((((;゚Д゚))) *shivers*
For the reason above, SSLCipherSuite makes do with AES128-SHA.
--- /usr/local/httpd-2.2.3/conf/extra/httpd-ssl.conf.default Sun Aug 13 17:54:05 2006 +++ /usr/local/httpd-2.2.3/conf/extra/httpd-ssl.conf Sat Aug 19 00:22:08 2006 @@ -53,7 +53,7 @@ # Configure the pass phrase gathering process. # The filtering dialog program (`builtin' is a internal # terminal dialog) has to provide the pass phrase on stdout. -SSLPassPhraseDialog builtin +SSLPassPhraseDialog exec:/usr/local/httpd-2.2.3/bin/pp-filter # Inter-Process Session Cache: # Configure the SSL Session Cache: First the mechanism @@ -75,8 +75,8 @@ # General setup for the virtual host DocumentRoot "/var/www/htdocs" -ServerName www.example.com:443 -ServerAdmin you@example.com +ServerName auxo.pooh.gr.jp:443 +ServerAdmin "webmaster at pooh.gr.jp" ErrorLog /var/www/logs/error_log TransferLog /var/www/logs/access_log @@ -87,7 +87,7 @@ # SSL Cipher Suite: # List the ciphers that the client is permitted to negotiate. # See the mod_ssl documentation for a complete list. -SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL +SSLCipherSuite AES128-SHA:RC4-SHA # Server Certificate: # Point SSLCertificateFile at a PEM encoded certificate. If
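Review bot: `+SSLCipherSuite AES128-SHA:RC4-SHA` drops the DHE suites this OpenSSL does offer (DHE-RSA-AES128-SHA is in the `openssl ciphers -v` listing above and is the Firefox choice the text names), so every session key is wrapped under the long-lived server RSA key and anyone who later obtains server.key can decrypt recorded traffic. `DHE-RSA-AES128-SHA:AES128-SHA:RC4-SHA` keeps the same browser coverage with forward secrecy where the client supports it. Nothing in this file turns SSLv2 off either, and mod_ssl 2.2 defaults to `SSLProtocol all`; add `SSLProtocol all -SSLv2` next to the cipher line.

Review bot: `+SSLPassPhraseDialog exec:/usr/local/httpd-2.2.3/bin/pp-filter` with a script that echoes a fixed string gives the encrypted server.key exactly the protection of that script's file mode, which is the same root-only mode the key file already has; the passphrase then only buys something for copies of the key that leave the box (backups), and anyone who can read the script can decrypt those too. Say so in a comment, or keep `builtin` and accept typing it after each reboot. The path also names httpd-2.2.3 directly where everything else goes through the /usr/local/httpd symlink, so the next version bump will silently keep calling the old script.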
/usr/local/httpd-2.2.3/bin/pp-filter (mode 100, i.e. execute-only for root) looks like this:
#!/bin/sh
# mod_ssl reads the passphrase from this script's stdout
/bin/echo "ぱすふれーず"
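Both the key generation above and the passphrase dance can be done without prompts, and the one check worth adding before handing the files to mod_ssl is that the key and certificate actually belong together, because mod_ssl only discovers a mismatch at startup. The following is an added example, not the page's commands: it generates a 2048-bit key (the page used 1024) and a self-signed certificate non-interactively, compares the RSA modulus of the two files, and extracts the subject CN so it can be checked against `ServerName`. It assumes OpenSSL 0.9.8 or newer (for `-sha256` and `-subj`); the host name is the ServerName from the page's httpd-ssl.conf. The key is written without a passphrase, since a passphrase a script echoes back protects the key exactly as well as the script's file mode does.

```shell
#!/bin/sh
# Added example (not the page's commands): generate the server key and a
# self-signed certificate without prompts, then confirm they belong together
# before pointing SSLCertificateFile/SSLCertificateKeyFile at them.
# Assumes OpenSSL 0.9.8 or newer (-sha256, -subj).

# make_server_cert KEY CRT CN [DAYS]
# 2048-bit RSA, no passphrase: rely on the file mode, which is all a
# passphrase echoed by a script gives you anyway.
make_server_cert() {
    (
        umask 077                          # key is 0600 from the moment it exists
        openssl genrsa -out "$1" 2048 2>/dev/null &&
        openssl req -new -x509 -sha256 -days "${4:-365}" -key "$1" \
            -subj "/CN=$3" -out "$2" 2>/dev/null &&
        chmod 400 "$1" && chmod 444 "$2"   # the certificate is public anyway
    )
}

# key_matches_cert KEY CRT: 0 if the RSA modulus in both is identical,
# 1 on mismatch, 2 if either file is unreadable or not PEM.
key_matches_cert() {
    kmod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 2
    cmod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 2
    [ -n "$kmod" ] && [ "$kmod" = "$cmod" ] && return 0
    return 1
}

# cert_cn CRT: print the subject CN, to compare against ServerName (a
# mismatch makes every browser warn, on top of the self-signed warning).
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" 2>/dev/null \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Demo with a throwaway key pair for the page's host name.
demo_server_cert() {
    d=$(mktemp -d) || return 2
    make_server_cert "$d/server.key" "$d/server.crt" auxo.pooh.gr.jp || return 2
    key_matches_cert "$d/server.key" "$d/server.crt"; rc=$?
    echo "CN=$(cert_cn "$d/server.crt") key/cert match rc=$rc"
    rm -rf "$d"
    return $rc
}

demo_server_cert
```

Once httpd is up, `openssl s_client -connect auxo.pooh.gr.jp:443 -cipher DHE-RSA-AES128-SHA </dev/null` confirms from the outside which suite actually gets negotiated and whether the certificate it presents is the one just generated.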
Set it up to start automatically from SMF. A manifest dropped into /var/svc/manifest is only picked up by manifest-import at the next boot, so import it first (svccfg import /var/svc/manifest/network/httpd.xml) or svcadm will complain that the pattern matches no instance; then:
svcadm enable httpd
I'll have to run it for a while before I know whether this is any good.
If you spot something that's broken here, let me know.