wiki:howto/Apache2

Version 11 (modified by whmagill, 10 years ago) (diff)

clean up ssl instructions

<- Back to the HOWTO section

About Apache

The Apache HTTP Server, commonly referred to as Apache, is the world's most-popular web server.

For information on integrating Apache with MySQL and PHP, see MAMP.

Versions

MacPorts includes the following versions of Apache:

  • apache2: Apache HTTP Server v2.2.x. This is the recommended port to use.
  • apache24-devel: Apache HTTP Server v2.4.x. This is intended for testing, and cannot be used to replace apache2 at this time. It has a different directory layout from apache2, so none of the other ports that use apache2 can use apache24-devel. it is expected that the contents of the apache24-devel port will eventually replace the contents of the apache2 port at which time the apache24-devel port will be retired.
  • apache: Apache HTTP Server v1.3.x. This version reached end of life in 2010 and is therefore not recommended.

This page shows how to install and use the apache2 port. The instructions cannot be easily adapted to the other ports.

Step 1: Turn off Apple's "Personal Web Sharing"

If you haven’t already done so, make sure you turn off Apple’s "Personal Web Sharing" so that the default Apache server is not running. While you can set things up so that both servers run on different ports (e.g., port 80 and port 8080), it’s not worth the hassle of maintaining two web server daemons. Just use the latest Apache from MacPorts and be done with it.

OS X 10.8 Mountain Lion and earlier

Turn off Personal Web Sharing in the Sharing pane of System Preferences.

OS X 10.9 Mavericks

Stop the web server from the command line:

$ sudo launchctl unload -w /System/Library/LaunchDaemons/org.apache.httpd.plist

OS X 10.10 Yosemite and later

Yosemite no longer has Personal Web Sharing as an option. Although the Apache 2 web server is still supplied by Apple as part of the Yosemite distribution, there is no "easy" way to turn it on (or off). So, if you managed to turn it on, you already know how to turn it off!

OS X Server

Launch Server Manager and turn off the web server.

Step 2: Install Apache

$ sudo port install apache2

A sample configuration file is provided in /opt/local/apache2/conf/original/httpd.conf. Don't edit this file; leave it as is so you can refer to the defaults later. The first time you install apache2, the sample configuration file will be copied to /opt/local/apache2/conf/httpd.conf for you. You can edit this file as desired. When you later upgrade apache2 to a newer version, MacPorts will upgrade the sample configuration file but will not modify your httpd.conf, so be sure to manually compare your httpd.conf with the new sample configuration file and bring over any relevant changes. You should also keep backup copies of your httpd.conf in a safe place.

Step 3: Verify your config file

Verify any changes you have made to the config file: /opt/local/apache2/conf/httpd.conf

$ /opt/local/apache2/bin/apachectl -t

This will return either "Syntax OK" or a specific line by line error listing.

Step 4: Activate Apache2

Activate your Apache installation so that it starts now and every time you boot your machine:

$ sudo port load apache2

If when you issue this command, you immediately receive the message:

/opt/local/etc/LaunchDaemons/org.macports.apache2/org.macports.apache2.plist: Operation already in progress

This means that the Launch Daemon believes that it successfully started Apache. At this point, a configuration error is your most likely problem. Verify your config file as above.

After correcting any config errors and saving the updated config file, simply run:

$ sudo port unload apache2

to stop apache (even though it is not running) and then start it using

$ sudo port load apache2

to start it again.

The default log file location is: /opt/local/apache2/logs/. The startup will be logged in "error_log"

Step 5: Initial changes to the config file

Once you have determined that your basic installation is working, you need to consider making some initial changes to your config file.

After each change to the config file, you should again verify the file syntax, and then you need to stop and restart Apache for the changes to take effect.

$ /opt/local/apache2/bin/apachectl -t
$ sudo port unload apache2
$ sudo port load apache2

In Apache documentation (including this page), you will see the use of "apachectl -k restart" described as the method to cause the config file to be re-read.

However under OSX, the purpose of launchd is to notice processes that stop without its knowledge, and to restart them. So if you use apachectl -k restart, launchd may notice apache "crashing" and restart it itself, confusing apachectl. Instead, you shoulduse "port" to tell launchctl to unload apache2, then load it again. This will result in a short interruption of service.

If the sever name is not set properly in the configuration file, /opt/local/apache2/conf/httpd.conf, you will encounter the warning below.

httpd: Could not reliably determine the server's fully qualified domain name, using <Computer-Name>.local for ServerName

Where <Computer-Name> refers to the name of your computer as specified in the System Preferences Sharing pane. To resolve the warning, edit the configuration file and set the server name appropriately. For personal use, localhost is sufficient.

ServerName localhost:80

To verify Apache is now running, point your browser to http://localhost/ (you may need to reload the page). You should see a page that says "It works!"

If desired, reboot your machine and point your browser again to http://localhost/ to confirm that Apache is again running.

NOTE: The setting of "ServerName" to anything other than the Fully Qualified Domain Name (FQDN) of the server under Apache 2.2.x and Yosemite, does not produce the expected results. Using the links above to "localhost" will fail with Safari complaining "Failed to open page. Safari can't open the page "localhost" because Safari can't connect to the server "localhost". The simple answer is "localhost" is an "old-tyme" shortcut which should still work, but often does not for many different reasons. The "Fix" is to simply use the FQDN of your server when testing Apache or related Web services.

User directories

If you would like to be able to access web pages in the Sites directory of your home directory, edit /opt/local/apache2/conf/httpd.conf and locate the following line:

#Include conf/extra/httpd-userdir.conf

Uncomment it by removing the "#" at the start of the line so that it reads:

Include conf/extra/httpd-userdir.conf

This file: "/opt/local/apache2/conf/extra/httpd-userdir.conf" will activate the "Sites" sub-directory for all ~users on your system. ("/Users/*/Sites") and contains initial, basic restrictions for access to the contents of that directory.

After each change to the config file, you should again verify the file syntax, and then you need to stop and restart Apache for the changes to take effect.

$ /opt/local/apache2/bin/apachectl -t
$ sudo port unload apache2
$ sudo port load apache2

You can then view your personal pages by accessing http://localhost/~username/, where "username" is your Mac OS X account's short name.

Local Apache manual

The Apache manual is available on the Apache web site. If you would like to be able to access a copy of this manual on your web server, edit /opt/local/apache2/conf/httpd.conf and uncomment the following line:

#Include conf/extra/httpd-manual.conf

So that it reads like this:

Include conf/extra/httpd-manual.conf

After each change to the config file, you should again verify the file syntax, and then you need to stop and restart Apache for the changes to take effect.

$ /opt/local/apache2/bin/apachectl -t
$ sudo port unload apache2
$ sudo port load apache2

You can then view the manual by accessing http://localhost/manual/.

NOTE: This option expects "/opt/local/apache2/manual" to be accessible under "<Document Root>." This can be accomplished by

$ cd <Document Root>
$ ln -s /opt/local/apache2/manual

and then accessing: http://<servername>/manual/

Apache SSL/TLS Encryption (aks Secure Sockets or https)

Note: Establishing Secure Sockets is a fairly extensive process. One should first read the current Apache2 documentation found in the Apache2 manual:

http://httpd.apache.org/docs/2.2/ssl/

Generate a self-signed certificate

The following instructions are to generate a "self-signed" certificate.
This is simply a shortcut for testing purposes (a self-signed certificate is not recommended for production!).
The complete dialog is listed here for reference. The commands necessary are prefixed as "$ sudo", with comments prefixed with a #.

$ sudo openssl genrsa -des3 -out server.key 1024
# Enter pass phrase for server.key [enter your passphrase, a simple password we will remove soon]

Generating RSA private key, 1024 bit long modulus
.....++++++
................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:


$ sudo openssl req -new -key server.key -out server.csr
# 
# [you can accept all the defaults, it does not matter, or customize it to your liking]

Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:


$ sudo openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
# [will ask for passphrase - the same as you entered in the first step]

Signature ok
subject=/C=US/ST=Pennsylvania/L=Elizabethtown/O=MVE/OU=Elizabethtown/CN=mcgillsociety.org/emailAddress=magill@icloud.com
Getting Private key
Enter pass phrase for server.key:

$ sudo cp server.key server.key.bak
$ sudo openssl rsa -in server.key.bak -out server.key
# [will ask for passphrase - the same as you entered in the first step]

Enter pass phrase for server.key.bak:
writing RSA key

$ sudo cp server.crt /opt/local/apache2/conf/
$ sudo cp server.key /opt/local/apache2/conf/

Note: Certificate generation can be accomplished in any directory. If you did so in "/opt/local/apache2/conf" the last two copy commands are redundant, and will generate the following errors respectively:

cp: /opt/local/apache2/conf/server.crt and server.crt are identical (not copied).
cp: /opt/local/apache2/conf/server.key and server.key are identical (not copied).

Then enable the following in /opt/local/apache2/conf/httpd.conf

LoadModule ssl_module modules/mod_ssl.so

# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf

After each change to the config file, you should again verify the file syntax, and then you need to stop and restart Apache for the changes to take effect.

$ /opt/local/apache2/bin/apachectl -t
$ sudo port unload apache2
$ sudo port load apache2

The most likely error you will receive is:

Syntax error on line 120 of /opt/local/apache2/conf/extra/httpd-ssl.conf:
SSLCertificateFile: file '/opt/local/apache2/conf/server.crt' does not exist or is empty

If so, simply revisit the instructions above to create a self-signed certificate.

Verify your success

type "https://<your server address>" in Safari.
Safari should return the pop-up: "Safari can't verify the identity of the website "<your server address>"
At which point you can view the details of your certificate and select your appropriate actions.

<- Back to the HOWTO section