Signing your own SSL keys
Posted on 09-16-2005 01:00:00 UTC | Updated on 09-16-2005 01:00:00 UTC
Section: /software/apache/

Just a note on the commands to make and sign your own SSL keys without a password. Remember to blank any passwords if you are going to use this with Apache, so you don't have to type the password each time the Apache service starts. You can use the certs you sign on things like pop3s and imaps servers as well. Mail clients will warn you about a self-signed cert; just accept it. It is still an encrypted connection.

Generate the private key. Keep this safe and back it up.

openssl genrsa -out server.key 1024

Generate the certificate signing request. You have to answer some questions here. Put in fake or real info; it does not matter. The only field that really matters is the one called "Common Name". This is where you have to put the exact host and domain name. For a mail server named mail.example.org you would put mail.example.org.

openssl req -new -key server.key -out server.csr

Sign the request ourselves

openssl x509 -req -days 7300 -in server.csr -signkey server.key -out server.crt
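As an added example (not part of the original post), the same three steps scripted non-interactively, plus the two checks worth running before handing the files to Apache: that the Common Name came out right, and that the certificate really belongs to the private key. It assumes the openssl CLI is installed; the hostname, output directory and 2048-bit key size are my choices, not the post's.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the openssl
# CLI. Hostname and directory are made up; key size is 2048 bits rather
# than the post's 1024, which is too weak for current use.
set -eu

# make_selfsigned HOST OUTDIR [DAYS]  -> writes HOST.key, HOST.csr, HOST.crt
make_selfsigned() {
    host=$1; dir=$2; days=${3:-7300}
    mkdir -p "$dir"
    # Private key with no passphrase, so Apache can start unattended.
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    # The key is the secret: readable by its owner only.
    chmod 600 "$dir/$host.key"
    # CSR with the Common Name given on the command line instead of
    # answering the interactive questions.
    openssl req -new -key "$dir/$host.key" -out "$dir/$host.csr" \
        -subj "/CN=$host"
    # Self-sign the request with the same key.
    openssl x509 -req -days "$days" -in "$dir/$host.csr" \
        -signkey "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null
}

# cert_cn CRT  -> prints the Common Name from the certificate subject
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# key_matches_cert KEY CRT  -> exit 0 when the public key in the cert
# belongs to the private key (same RSA modulus), non-zero otherwise
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}
```

If `key_matches_cert` fails after a key rotation, the old cert is still on disk; Apache will serve a cert that no longer matches its key and TLS handshakes will fail.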

Apache and other webserver tuning tips
Posted on 07-25-2001 00:13:00 UTC | Updated on 07-25-2001 00:13:00 UTC
Section: /software/apache/

Here are some tips to get your Apache webserver running to its fullest potential. Many of the tips below are generic and apply to any webserver, not just Apache.
  1. Upgrade Apache to the newest version. You may want to try Apache 2.X.X. It has a threaded worker MPM and other speed enhancements. Benchmark both with your site and see which one is better for you.
  2. In httpd.conf, set "HostNameLookups off" which avoids doing a reverse DNS lookup on every visitor who hits your web site.
  3. In httpd.conf, a good rule of thumb for "MaxClients" is to divide your total RAM by 5 megabytes. So a server with 1GB of RAM could probably handle a MaxClients setting of 200. You will have to test this; you might have to set it higher or lower. Setting it too high would be bad because each Apache process consumes some memory. You can only fit a certain number of processes in RAM before the web server begins swapping things between RAM and the hard drive in a horrid attempt to make things work. The result is a totally unresponsive server with a thrashing hard disk. Suggestions from Willy Tarreau, a 2.4 kernel maintainer, in this area are the following. "Observe the average per-process memory usage. Play with the MaxClient parameter to adjust the maximum number of simultaneous processes so that the server never swaps. If there are large differences between processes, it means that some requests produce large data sets, which are a real waste when kept in memory. To solve this, you will need to tell Apache to make its processes die sooner, by playing with the MaxRequestsPerChild value. The higher the value, the higher the memory usage. The lower the value, the higher the CPU usage. Generally, values between 30 and 300 provide best results. Then set the MinSpareServers and MaxSpareServers to values close to MaxClient so that the server does not take too much time forking off new processes when the load comes in."
  4. In httpd.conf, busy websites should set "KeepAliveTimeout" low, like 2 seconds. Keeping it low like this gives the client enough time to request all of the files needed for a page without having to open multiple connections, yet allows Apache to terminate the connection soon enough to be able to handle many more clients than usual. Some people even suggest turning keep-alives off totally. Willy Tarreau, a 2.4 kernel maintainer, suggests this. He says "First, disable keep-alive. This is the nastiest thing against performance. It was designed at a time sites were running NCSA httpd forked off inetd at every request. All those forks were killing the servers, and keep-alive was a neat solution against this. Right now, things have changed. The servers do not fork at each connection and the cost of each new connection is minimal. Application servers run a limited number of threads or processes, often because of either memory constraints, file descriptor limits or locking overhead. Having a user monopolize a thread for seconds or even minutes doing nothing is pure waste. The server will not use all of its CPU power, will consume insane amounts of memory and users will wait for a connection to be free. If the keep-alive time is too short to maintain the session between two clicks, it is useless. If it is long enough, then it means that the servers will need roughly one process per simultaneous user, not counting the fact that most browsers commonly establish 4 simultaneous sessions! Simply speaking, a site running keep-alive with an Apache-like server has no chance of ever serving more than a few hundreds users at a time."
  5. Serve web graphics (such as jpg, png, gif files) or static files (html, javascript, CSS) from another machine if possible. Try to use a lightweight daemon like thttpd for this. Make sure the thttpd version supports keep-alives. Set your keep-alives low (like 2-3 secs). Doing this will free up Apache for handling the dynamic PHP/Perl stuff if you have it.
  6. Keep your Apache lean and mean. Compile Apache with as few modules as needed. Before compiling (before you run make), edit the /apache_1.x.x/src/Configuration file and put a # in front of any AddModule lines you don't need.
  7. If you don't need traffic logs (such as a site that only serves graphics) then use the TransferLog directive in httpd.conf to redirect log entries to /dev/null.
  8. Unless you insist on using .htaccess files to control access to certain directories (there are other ways to do that), in access.conf (or httpd.conf in newer versions of Apache) in the <Directory> section, set "AllowOverride None" so that Apache will not bother looking for an .htaccess file in each directory with each request.
  9. DO NOT serve web pages or write web traffic logs on a networked disk drive (i.e. NFS or SAMBA networked disks) -- read and write to local disk drives only. NFS I/O operations incur huge overhead.
  10. DO NOT run Apache (httpd) via the tcpd wrapper in /etc/inetd.conf. Apache can be started when the machine boots by either adding the startup command to your rc.local file or by placing the httpd startup script in your /etc/rc.d/rc3.d/ directory. If you want some mechanism to block requests by IP address then use the "deny from" directive in Apache's conf files or in a .htaccess file.
  11. Avoid using SSI tags if you can.
  12. In CGI scripts:
    • File I/O: Open as few files as possible. Be sure to explicitly close each opened file. Stop reading the file as soon as you have found the data you need. Consider structuring data files into fixed-length fields and using the read() function to skip ahead to just the part of the file you need to read.
    • Shell Commands: Call shell commands via their full path: e.g. use '/bin/date' instead of just `date` in a perl script.
    • If your site is mostly CGI driven, by all means use mod_perl. See http://perl.apache.org/. Mod_perl gives huge Perl speed increases.
    • Perl programmers should study "Effective Perl Programming" by Joseph N. Hall (an Addison Wesley book) and "The Perl Cookbook" by Tom Christiansen (an O'Reilly book) -- two good texts for optimizing perl code. For example, you can preallocate the memory for a hash that will contain 256 items like so: "keys(%names) = 256;".
    • Avoid having more than 1000 files in your web page directory. Organize your web page files into subdirectories. The more files there are in a directory, the longer it takes to locate that file during a request.
  13. Put as few graphics in your web pages as possible. Make sure each image is run through an image compressor.
  14. Stress test your web site. Run Apache Benchmark program (called "ab") in Apache's /bin or /sbin directory. The ab program will simulate heavy traffic by running multiple simultaneous requests on any web page you want for as long as you want then measures the load and response times. Very useful for measuring the effects of your tuning efforts.
  15. The single biggest hardware issue affecting webserver performance is RAM. A webserver should never ever have to swap; swapping increases the latency of each request beyond a point that users consider "fast enough". This causes users to hit stop and reload, further increasing the load. You can, and should, control the MaxClients setting so that your server does not spawn so many children that it starts swapping.
  16. I should not have to say this, but do not run any extra non-needed processes on the server (X windows, mail, samba, or whatever).
  17. Turn on FollowSymLinks (Options -Indexes FollowSymLinks). This saves a few I/O reads: Apache doesn't have to check whether it is a symlink, it just goes ahead and traverses. Turn off SymLinksIfOwnerMatch to prevent additional lstat() system calls from being made.
  18. Increase your kernel's TCP/IP write buffers so that most, if not all, generated pages can be written without blocking. If the page that Apache generates fits in this buffer, then Apache's write() call returns instantaneously, Apache hands the socket over to lingerd, logs the hit, and is immediately free for more work. If the page doesn't fit, then write() blocks until the client has acknowledged part of the data, which can take several seconds. To change this, use the SendBufferSize directive in httpd.conf. However, this directive cannot increase the buffer size past the kernel limit. Changing this kernel limit is OS-specific. Under Linux you can set it by echoing a larger number (e.g. 131072) into /proc/sys/net/core/wmem_max before starting Apache. If you change wmem_default as well as wmem_max, then the SendBufferSize directive is not needed.
  19. Disable ExtendedStatus unless you're actually debugging. Same goes for mod_info.
  20. Use a reverse proxy cache in front of your server farm. This will return cached contents without hitting the application servers.

Install of Apache, PHP, SSL, MySQL in linux
Posted on 07-25-2001 00:13:00 UTC | Updated on 07-25-2001 00:13:00 UTC
Section: /software/apache/

The following steps will show you how to install the Apache web server on GNU/Linux. This install also includes installing mod_ssl, MySQL and PHP4. You may encounter problems compiling any one of these tarballs. It is up to you to fix the problems. This install assumes that you have everything you need to do all of the compiles. The x's in each file name stand for whatever the version number is at the time you download it.

Download and extract all the source tarballs.

The following are links to the sites you will need to download the source files from. Go to each site's download section and download the latest version of each piece of software. After you have downloaded them all to the same directory we are going to unzip and untar them.

Apache.org
Openssl.org
ModSSL.org
Php.net
MySQL.com (Download the Linux binary version)

tar -xvzf apache_1.3.xx.tar.gz
tar -xvzf openssl-0.9.Xx.tar.gz
tar -xvzf mod_ssl-2.X.xx-1.3.xx.tar.gz
tar -xvzf php-4.X.x.tar.gz

Install MySQL (binary version)

groupadd mysql
useradd -g mysql mysql
cd /usr/local
gunzip < /path/to/mysql-VERSION-OS.tar.gz | tar xvf -
ln -s full-path-to-mysql-VERSION-OS mysql
cd mysql
scripts/mysql_install_db
chown -R root .
chown -R mysql data
chgrp -R mysql .
bin/safe_mysqld --user=mysql &

or

bin/mysqld_safe --user=mysql &
## if you are running MySQL 4.x

Build OpenSSL

cd openssl-0.9.Xx
./config
make
make test
make install
cd ..

Patch Apache with mod_ssl

cd mod_ssl-2.X.xx-1.3.xx
./configure --with-apache=../apache_1.3.xx
cd ..

Preconfigure Apache for PHP

cd apache_1.3.xx
./configure --prefix=/usr/local/apache
cd ..

Configure PHP and compile it for Apache

cd php-4.x.x
# CFLAGS must be set on the same command as ./configure (or exported);
# on its own line it would not reach the configure script.
CFLAGS='-O2 -I../openssl-0.9.Xx' \
./configure \
--with-apache=../apache_1.3.xx \
--with-mysql
make
make install
cd ..

or

You can configure and compile a ton of other things into PHP. I usually compile in the following: GD, JPEG, PNG, libcrypt, MySQL, Freetype, and zlib. If you compile these other things in, make sure you scan back through the configure output to check that everything you tried to compile in was found. If you install libjpeg, freetype, libpng, and zlib on RedHat you just need to put /usr in for the directory. Other paths refer to the areas the libraries were installed and compiled in. Type ./configure --help to see all of the things you can configure PHP with. My config line looks like this:

./configure \
--with-gd=/usr \
--with-mysql \
--with-png-dir=/usr \
--with-zlib-dir=/usr \
--with-ttf=/tmp/freetype-2.0.5/ \
--with-freetype-dir=/tmp/freetype-2.0.x \
--with-jpeg-dir=/usr \
--with-mcrypt=/tmp/libmcrypt \
--with-apache=../apache_1.3.xx
make
make install
cd ..

Build Apache with mod_ssl and PHP

cd apache_1.3.xx
SSL_BASE=../openssl-0.9.Xx \
./configure \
--prefix=/usr/local/apache \
--enable-module=ssl \
--activate-module=src/modules/php4/libphp4.a \
--enable-module=php4

make
make certificate   <--Optional step.
make install
cd ..

Configure Apache's Preferences File

vi /usr/local/apache/conf/httpd.conf

See the Apache documentation on how to configure your Apache httpd.conf.

Start your Apache server

/usr/local/apache/bin/apachectl startssl

That's it, enjoy!
