# Using apache and apache+ssl on the same box

## Kuhndog86

Hi guys,

I am currently attempting to set up a NetReg machine for securing a wireless network.  www.netreg.org  I have been following the instructions on that site.  NetReg requires both Apache and Apache+SSL to be running on the NetReg server.  Since I am using Gentoo instead of RedHat, I cannot follow the directions on the netreg website and I noticed that there are no ebuilds available for Apache+ssl.  Could mod_ssl be used instead of apache+ssl (and still use regular apache at the same time??).

Cheers

----------

## jonnevers

 *Kuhndog86 wrote:*   

> Hi guys,
> 
> I am currently attempting to set up a NetReg machine for securing a wireless network.  www.netreg.org  I have been following the instructions on that site.  NetReg requires both Apache and Apache+SSL to be running on the NetReg server.  Since I am using Gentoo instead of RedHat, I cannot follow the directions on the netreg website and I noticed that there are no ebuilds available for Apache+ssl.  Could mod_ssl be used instead of apache+ssl (and still use regular apache at the same time??).
> 
> Cheers

 

you could, if you make sure that apache only binds to port 80 and that apache+ssl only binds to port 443 (I hope that's the right port).

I have configured my single apache instance to handle both http and https traffic. Configuration of this is straightforward (emerge -pv mod_ssl)...

Then the single instance will bind to both 80 and 443 and listen for requests, doing the SSL handshaking/negotiation on 443 only...

----------

## Kuhndog86

I like your idea better.  Are there any configuration settings that need to be changed to add ssl support?

----------

## behd

yep 443 is the right port:

first you need to emerge mod_ssl

then modify /etc/conf.d/apache2:

APACHE2_OPTS="-D SSL" (and any other mods)

then create your self signed certificate (search tips & tricks, there's a kewl little script to do that, better than the one you can find in portage)

then:

- for http & https

in your apache2.conf, just listen on port 443 too (and you are done... I think)

- to redirect all to https

do not add listen 443

include vhosts.conf in apache2.conf

change the vhosts.conf file with:

```
<VirtualHost *:80>
ServerName xxx
DocumentRoot /xxx/yyy
Redirect / https://xxx/
</VirtualHost>
```

----------

## Kuhndog86

Thank you for all your help, but when i try to start apache, I get this error:

```
MSF-NetReg root # /etc/init.d/apache2 restart
 * Starting apache2...
(98)Address already in use: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down
Unable to open logs
```

I can post my config files if you want.

Thank you

----------

## behd

I also had this pbm, try w/o the option in apache2.conf:

Listen 443

(I think that I was wrong when I suggested you this option...

mod_ssl is listening by default on this port)

----------

## Kuhndog86

It appears that mod_ssl installed apache 1.3 as a dependency.  Would running apache and apache2 give me a secure and normal server??

----------

## jonnevers

 *Kuhndog86 wrote:*   

> It appears that mod_ssl installed apache 1.3 as a dependency.  Would running apache and apache2 give me a secure and normal server??

 

normal? no

... when I emerge mod_ssl it depended on apache2 ... I'd use one or the other, for both normal traffic and ssl traffic. It'll be easier to administrate.

both apache1 and apache2 are fully capable of handling both types of connections from a single installed instance.

----------

## Kuhndog86

OK, I have apache2 running the nonsecured server for now.  as for the secure server, here is my output when i try to start it.

```
MSF-NetReg root # /etc/init.d/apache restart
 * Starting apache...
Syntax error on line 59 of /etc/apache/conf/apache.conf:
Cannot load /etc/apache/extramodules/libssl.so into server: /etc/apache/extramodules/libssl.so: undefined symbol: dbm_firstkey                            [ !! ]
MSF-NetReg root #
```

Here is my apache.conf file

```
### /etc/apache/conf/apache.conf
### $Id: apache.conf,v 1.4 2004/04/04 17:59:30 zul Exp $
###
### Main Configuration Section
### You really shouldn't change these settings unless you're a guru
###
ServerType standalone
ServerRoot /etc/apache
ServerName MSF-NetReg.uwc.edu
#LockFile /etc/httpd/httpd.lock
PidFile /var/run/apache.pid
ScoreBoardFile /etc/apache/apache.scoreboard
ErrorLog logs/error_log
LogLevel warn
ResourceConfig /dev/null
AccessConfig /dev/null
DocumentRoot /var/www/localhost/htsdocs

### Dynamic Shared Object (DSO) Support
###
###
LoadModule mmap_static_module modules/mod_mmap_static.so
LoadModule env_module         modules/mod_env.so
LoadModule config_log_module  modules/mod_log_config.so
LoadModule agent_log_module   modules/mod_log_agent.so
LoadModule referer_log_module modules/mod_log_referer.so
LoadModule mime_magic_module  modules/mod_mime_magic.so
LoadModule mime_module        modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule status_module      modules/mod_status.so
LoadModule info_module        modules/mod_info.so
LoadModule includes_module    modules/mod_include.so
LoadModule autoindex_module   modules/mod_autoindex.so
LoadModule dir_module         modules/mod_dir.so
LoadModule cgi_module         modules/mod_cgi.so
LoadModule asis_module        modules/mod_asis.so
LoadModule imap_module        modules/mod_imap.so
LoadModule action_module      modules/mod_actions.so
LoadModule speling_module     modules/mod_speling.so
LoadModule userdir_module     modules/mod_userdir.so
LoadModule proxy_module       modules/libproxy.so
LoadModule alias_module       modules/mod_alias.so
LoadModule rewrite_module     modules/mod_rewrite.so
LoadModule access_module      modules/mod_access.so
LoadModule auth_module        modules/mod_auth.so
LoadModule anon_auth_module   modules/mod_auth_anon.so
LoadModule dbm_auth_module    modules/mod_auth_dbm.so
LoadModule db_auth_module     modules/mod_auth_db.so
LoadModule digest_module      modules/mod_digest.so
LoadModule cern_meta_module   modules/mod_cern_meta.so
LoadModule expires_module     modules/mod_expires.so
LoadModule headers_module     modules/mod_headers.so
LoadModule usertrack_module   modules/mod_usertrack.so
LoadModule example_module     modules/mod_example.so
LoadModule unique_id_module   modules/mod_unique_id.so
LoadModule setenvif_module    modules/mod_setenvif.so
LoadModule vhost_alias_module   modules/mod_vhost_alias.so
LoadModule ssl_module         extramodules/libssl.so

#  Reconstruction of the complete module list from all available modules
#  (static and shared ones) to achieve correct module execution order.
#  [WHENEVER YOU CHANGE THE LOADMODULE SECTION ABOVE UPDATE THIS, TOO]
ClearModuleList
AddModule mod_mmap_static.c
AddModule mod_env.c
AddModule mod_log_config.c
AddModule mod_log_agent.c
AddModule mod_log_referer.c
AddModule mod_mime_magic.c
AddModule mod_mime.c
AddModule mod_negotiation.c
AddModule mod_status.c
AddModule mod_info.c
AddModule mod_include.c
AddModule mod_autoindex.c
AddModule mod_dir.c
AddModule mod_cgi.c
AddModule mod_asis.c
AddModule mod_imap.c
AddModule mod_actions.c
AddModule mod_speling.c
AddModule mod_userdir.c
AddModule mod_proxy.c
AddModule mod_alias.c
AddModule mod_rewrite.c
AddModule mod_access.c
AddModule mod_auth.c
AddModule mod_auth_anon.c
AddModule mod_auth_dbm.c
AddModule mod_auth_db.c
AddModule mod_digest.c
AddModule mod_cern_meta.c
AddModule mod_expires.c
AddModule mod_headers.c
AddModule mod_usertrack.c
AddModule mod_example.c
AddModule mod_unique_id.c
AddModule mod_so.c
AddModule mod_setenvif.c
AddModule mod_vhost_alias.c

###
### Global Configuration
###
# Splitting up apache.conf into two files makes it possible to support
# multiple configurations on the same serer.  In commonapache.conf
# you keep directives that apply to all implementations and in this
# file you keep server-specific directives.  While we don't yet have
# multiple configurations out-of-the-box, this allows us to do that
# in the future easily.
Include conf/commonapache.conf

###
### IP Address/Port
###
#BindAddress *
#Port 80
#Listen 80
Port 443
Listen 443

###
### Log configuration Section
###
# Single logfile with access, agent and referer information
# This is the default, if vlogs are not defined for the main server
CustomLog logs/access_log combined env=!VLOG
# If VLOG is defined in conf/vhosts/Vhosts.conf, we use this entry
#CustomLog "|/usr/sbin/apachesplitlogfile" vhost env=VLOG

###
### Virtual Hosts
###
# We include different templates for Virtual Hosting. Have a look in the
# vhosts directory and modify to suit your needs.
#Include conf/vhosts/Vhosts.conf
#Include conf/vhosts/DynamicVhosts.conf
#Include conf/vhosts/VirtualHomePages.conf

###
### Performance settings Section
###
#
# Timeout: The number of seconds before receives and sends time out.
#
Timeout 300

#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
KeepAlive On

#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
MaxKeepAliveRequests 100

#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
KeepAliveTimeout 15

#
# Server-pool size regulation.  Rather than making you guess how many
# server processes you need, Apache dynamically adapts to the load it
# sees --- that is, it tries to maintain enough server processes to
# handle the current load, plus a few spare servers to handle transient
# load spikes (e.g., multiple simultaneous requests from a single
# Netscape browser).
#
# It does this by periodically checking how many servers are waiting
# for a request.  If there are fewer than MinSpareServers, it creates
# a new spare.  If there are more than MaxSpareServers, some of the
# spares die off.  The default values are probably OK for most sites.
#
MinSpareServers 4
MaxSpareServers 10

#
# Number of servers to start initially --- should be a reasonable ballpark
# figure.
#
StartServers 4

#
# Limit on total number of servers running, i.e., limit on the number
# of clients who can simultaneously connect --- if this limit is ever
# reached, clients will be LOCKED OUT, so it should NOT BE SET TOO LOW.
# It is intended mainly as a brake to keep a runaway server from taking
# the system with it as it spirals down...
#
MaxClients 150

#
# MaxRequestsPerChild: the number of requests each child process is
# allowed to process before the child dies.  The child will exit so
# as to avoid problems after prolonged use when Apache (and maybe the
# libraries it uses) leak memory or other resources.  On most systems, this
# isn't really needed, but a few (such as Solaris) do have notable leaks
# in the libraries. For these platforms, set to something like 10000
# or so; a setting of 0 means unlimited.
#
# NOTE: This value does not include keepalive requests after the initial
#       request per connection. For example, if a child process handles
#       an initial request and 10 subsequent "keptalive" requests, it
#       would only count as 1 request towards this limit.
#
MaxRequestsPerChild 500

# LimitRequestBody: This directvie specifies the number of bytes from 0
# (meaning unlimited) to 2147483647 (2B) that are allows in a request body.
# The LimitRequestBody directive allows the user to set a limit on allowed
# size of an HTTP request message body within the context in which the
# directive is given ( server, per-directory, per-file, or per-location).
# If the client requests exceeds that limit, the server will return an
# error response insteam of servicing the request. The size of a normal
# request message body will vary greatly depending on the nature of the resource
# and the methods aloowed on the resource.
#
# NOTE: If, for example, you are permitting file uploads to a particular
# location, and wich to limit the size of the upload to 100K, you might use the
# following directive: LimitRequestBody 102400
# Default: 524288
#LimitRequestBody 524288
```

I know that it is complaining about the mod_ssl module.  Is there another way to load the module or can it be loaded this way?

thanks

----------

## jonnevers

can you display the output of

```
emerge -pv apache; emerge -pv apache
```

To enable ssl support in apache, installed through portage, you will need to modify (or at least acknowledge) the file /etc/conf.d/apache2 (assuming using apache2).

 *Quote:*   

> APACHE2_OPTS="-D SSL -D PHP4"

in this case ssl and php (4x version) are enabled by apache.

----------

## Kuhndog86

Here's the output

```
MSF-NetReg root # emerge -pv apache; emerge -pv apache

These are the packages that I would merge, in order:

Calculating dependencies ...done!
[ebuild   R   ] net-www/apache-2.0.52-r1  +berkdb -debug -doc +gdbm +ipv6 -ldap +ssl -static -threads 0 kB

Total size of downloads: 0 kB

These are the packages that I would merge, in order:

Calculating dependencies ...done!
[ebuild   R   ] net-www/apache-2.0.52-r1  +berkdb -debug -doc +gdbm +ipv6 -ldap +ssl -static -threads 0 kB

Total size of downloads: 0 kB
MSF-NetReg root #
```

here's my /etc/conf.d/apache.conf

```
# Copyright 1999-2004 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/net-www/apache/files/apache.confd,v 1.5 2004/07/15 00:24:42 agriffis Exp $

# Config file for /etc/init.d/apache

# Here's an example from /etc/apache/conf/apache.conf using mod_ssl:
#
# <IfDefine SSL>
# LoadModule ssl_module    extramodules/libssl.so
# </IfDefine>
#
# This means that libssl.so is only loaded into the server when you
# pass "-D SSL" to it at startup.
#
# Anything else in apache.conf which is guarded similarly, like:
#
# <IfDefine FOO> ... </IfDefine>
#
# can be easily turned on/off by editing APACHE_OPTS below to
# include or to not include "-D FOO".
#
# If you installed mod_throttle, you can add "-D THROTTLE"; if you
# installed mod_dav, then add "-D DAV".  For mod_gzip use "-D GZIP".
# The mod_contribs package has several options you can use.  See
# your apache.conf file for more details.

APACHE_OPTS="-D SSL"
```

Thanks

----------

## lonewoulf

anyone else think this would make an awesome howto guide?  :)

----------

## Kuhndog86

I think it could, although it would be incomplete since the problem is still not solved

----------

## lonewoulf

true, but I'm saying make the complete "configuring apache with ssl and getting it running well" guide could be useful

----------

## jonnevers

I must apologize, I had a typo in my last message.

```
emerge -pv apache; emerge -pv mod_ssl
```

not emerge -pv apache twice... sorry!

in my experience, if you used portage to install apache and it installed the apache 2.x series all apache confs are labeled to the version. i.e. apache2.conf. It looks like you may have both apache and apache2 installed and are getting them mixed up when configuring/executing them.

try:

```
cat /etc/conf.d/apache2.conf;
```

```
emerge -pvC apache
```

what does this do?

```
/etc/init.d/apache2 start
```

----------

## lonewoulf

I thought the apache2 conf was in /etc/conf.d/apache2/apache2.conf

----------

## Kuhndog86

alright, Here is the output of emerge -pv mod_ssl

```
MSF-NetReg root # emerge -pv mod_ssl

These are the packages that I would merge, in order:

Calculating dependencies ...done!
[ebuild   R   ] net-www/mod_ssl-2.8.21  0 kB

Total size of downloads: 0 kB
```

I do have both apache 1.3 and apache 2 installed.  They are using the correct config files because I can make the proper one fail to start in unsecured mode when I screw something up  :D

Here is the output of cat /etc/conf.d/apache2

```
# Copyright 1999-2004 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/net-www/apache/files/2.0.49/apache2.confd,v 1.2 2004/07/15 00:24:42 agriffis Exp $

# Config file for /etc/init.d/apache2

# An example from /etc/apache2/conf/modules.d/40_mod_ssl.conf:
#
# <IfDefine SSL>
#  <IfModule !mod_ssl.c>
#    LoadModule ssl_module    extramodules/mod_ssl.so
#  </IfModule>
# </IfDefine>
#
# This means that the mod_ssl.so DSO module is only loaded
# into the server when you pass "-D SSL" at startup.  To
# enable WebDAV, add "-D DAV -D DAV_FS".  If you installed
# mod_php then add "-D PHP4".  For more options, please
# read the files in the /etc/apache2/conf/modules.d directory.

APACHE2_OPTS="-D SSL -D PHP4"

# Extended options for advanced uses of Apache ONLY
# You don't need to edit these unless you are doing crazy Apache stuff
# As not having them set correctly, or feeding in an incorrect configuration
# via them will result in Apache failing to start
# YOU HAVE BEEN WARNED.

# ServerRoot setting
#SERVERROOT=/etc/apache2

# Configuration file location
# - If this does NOT start with a '/', then it is treated relative to
# $SERVERROOT by Apache
#CONFIGFILE=conf/apache2.conf

# Location to log startup errors to
# They are normally dumped to your terminal.
#STARTUPERRORLOG="/var/log/apache2/startuperror.log"

# PID file location
# Note that this MUST match the setting in your configuration file!
PIDFILE=/var/run/apache2.pid

# Restart style
# see http://httpd.apache.org/docs-2.0/stopping.html for more details
# the default is 'graceful', the other possible value is 'restart'
# If you use 'graceful', completion of the command does NOT imply that the system
# has finished restarting. Restart is finished only when all child processes
# have finished serving their current request sets. Read the URL for details.
#RESTARTSTYLE="restart"
RESTARTSTYLE="graceful"
```

Here is the output of emerge -pvC apache

```
MSF-NetReg root # emerge -pvC apache

>>> These are the packages that I would unmerge:

 net-www/apache
    selected: 1.3.32-r1 2.0.52-r1
   protected: none
     omitted: none

>>> 'Selected' packages are slated for removal.
>>> 'Protected' and 'omitted' packages will not be removed.
```

And, finally, when no instance of apache is running, /etc/init.d/apache2 start does this (when trying to start in ssl mode):

```
 /etc/init.d/apache2 start
 * Starting apache2...
(98)Address already in use: make_sock: could not bind to address 0.0.0.0:443
no listening sockets available, shutting down
Unable to open logs                                                       [ !! ]
```

thanks guys

----------

## jonnevers

can you verify that /etc/apache2/conf/apache2.conf contains the line

 *Quote:*   

> Listen 80

 

and that /etc/apache2/conf/modules.d/40_mod_ssl.conf contains the line 

 *Quote:*   

> Listen 443

 

and that 'Listen 443' is not defined in any of the apache2 conf files except 40_mod_ssl.conf.

```
cd /etc/apache2/conf; grep -R -i 'Listen 443' *;
```
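
A stricter version of the check requested above, as an added example that is not part of the original thread: the plain `grep` also matches commented-out lines and misses forms such as `Listen 0.0.0.0:443`, so this sketch parses active `Listen` directives and reports any port declared more than once. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and the sample tree are constructed.

# list_listen_ports DIR
# Print "port<TAB>file:line" for each active (uncommented) Listen directive
# in the regular files under DIR.
list_listen_ports() {
    find "$1" -type f -print | sort | while IFS= read -r f; do
        awk -v file="$f" '
            /^[ \t]*#/ { next }                      # commented-out directive
            tolower($1) == "listen" && NF >= 2 {     # directive names ignore case
                port = $2
                sub(/^.*:/, "", port)                # drop "0.0.0.0:" or "[::]:" prefix
                if (port ~ /^[0-9]+$/) printf "%s\t%s:%d\n", port, file, FNR
            }' "$f"
    done
}

# duplicate_listen_ports DIR
# Report every port that has more than one Listen directive; exit status 1
# if any is found. Simplifications: <IfDefine> guards are not evaluated, and
# the same port on two different addresses is also reported.
duplicate_listen_ports() {
    list_listen_ports "$1" | awk -F '\t' '
        { count[$1]++; where[$1] = where[$1] " " $2 }
        END {
            for (p in count) if (count[p] > 1) {
                printf "port %s declared %d times:%s\n", p, count[p], where[p]
                dup = 1
            }
            exit dup + 0
        }'
}

# make_sample_tree: build a constructed config tree that mirrors the thread
# (Listen 443 both in apache2.conf and in modules.d/40_mod_ssl.conf).
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/modules.d"
    printf '%s\n' '#Listen 8080' 'Listen 80' 'listen 0.0.0.0:443' > "$d/apache2.conf"
    printf '%s\n' '<IfDefine SSL>' '  Listen 443' '</IfDefine>' \
        > "$d/modules.d/40_mod_ssl.conf"
    echo "$d"
}

# Usage: pass a config directory (e.g. /etc/apache2/conf) to scan it;
# with no argument the constructed sample tree is scanned instead.
if [ "$#" -gt 0 ]; then
    duplicate_listen_ports "$1"
else
    sample=$(make_sample_tree)
    duplicate_listen_ports "$sample" || echo "keep each Listen port in one file only"
    rm -rf "$sample"
fi
```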

----------

## Kuhndog86

that is confirmed.  I did have "listen 443" in /etc/apache2/conf/apache2.conf.

Now that I removed it all I get when I attempt to start it is the two red exclamations.  Where does apache2 keep its logs?  The only logs I could find were in /var/log/apache/error_log, but that log was for apache 1.3

Thanks

----------

## jonnevers

 *Kuhndog86 wrote:*   

> that is confirmed.  I did have "listen 443" in /etc/apache2/conf/apache2.conf.
> 
> Now that I removed it all I get when I attempt to start it is the two red exclamations.  Where does apache2 keep its logs?  The only logs I could find were in /var/log/apache/error_log, but that log was for apache 1.3
> 
> Thanks

 

my apache2 logs are in /var/logs/apache2/

try starting apache2 manually (no init.d script). I can do this, as root by issuing the following command:

 *Quote:*   

> apache2ctl start

 

it is possible that the init.d script is suppressing error messages generated by apache2, this could even be happening before apache2 initially opens the logs (i.e. it is parsing the conf files)

```
apache2ctl configtest
```

This should only output 'Syntax OK', anything else means a misconfiguration somewhere in the various conf files.

----------

## Kuhndog86

When I run apache2ctl configtest I get the "Syntax OK" output.  When I run apache2ctl start there is no output.  What could be going on here?

----------

## bfdi533

I am having the same trouble and when I issue the command

```
apachectl configtest
```

I get the following:

```
~ # apache2ctl configtest
Syntax error on line 3 of /usr/lib/apache2/conf/modules.d/40_mod_ssl.conf:
Cannot load /usr/lib/apache2/extramodules/mod_ssl.so into server: /usr/lib/apache2/extramodules/mod_ssl.so: cannot open shared object file: No such file or directory
```

But, additional confusion here is that emerge -s mod_ssl shows that mod_ssl is for apache 1.3.x.  See here:

```
~ # emerge -s mod_ssl
Searching...
[ Results for search key : mod_ssl ]
[ Applications found : 1 ]

*  net-www/mod_ssl
      Latest version available: 2.8.22
      Latest version installed: 2.8.22
      Size of downloaded files: 736 kB
      Homepage:    http://www.modssl.org/
      Description: An SSL module for the Apache 1.3 Web server
      License:     as-is
```

What gives?  How does one get SSL for Apache2?

----------

