commit c10fa36bc5fe6ade9e68b2e27b81bb78aa1f4ddc
Author: Stephen Wadeley <swadeley(a)redhat.com>
Date: Mon Dec 1 22:31:33 2014 +0100
Update after chapter review
thank you Laura Bailey
en-US/The_Apache_HTTP_Server.xml | 128 +++++++++++++++++++-------------------
1 files changed, 63 insertions(+), 65 deletions(-)
---
diff --git a/en-US/The_Apache_HTTP_Server.xml b/en-US/The_Apache_HTTP_Server.xml
index 4ae24a3..fe684eb 100644
--- a/en-US/The_Apache_HTTP_Server.xml
+++ b/en-US/The_Apache_HTTP_Server.xml
@@ -21,7 +21,7 @@
<tertiary>changes</tertiary>
</indexterm>
<para>
- The Apache HTTP Server version 2.4 has the following changes:
+ The Apache HTTP Server version 2.4 has the following changes compared to version
2.2:
</para>
<variablelist>
@@ -29,15 +29,13 @@
<term>httpd Service Control</term>
<listitem>
<para>
-With the migration away from SysV init scripts, server administrators should switch to
using the <command>apachectl</command> and
<command>systemctl</command> commands to control the service, in place of the
<command>service</command> command. The following examples are specific to the
<systemitem class="daemon">httpd</systemitem> service.
+With the migration away from SysV init scripts, server administrators should switch to
using the <command>apachectl</command> and
<command>systemctl</command> commands to control the service, in place of the
<command>service</command> command. The following examples are specific to the
<systemitem class="daemon">httpd</systemitem> service.</para>
+<para>
The command:
<synopsis>service httpd graceful</synopsis>
is replaced by
<synopsis>apachectl graceful</synopsis>
-The command:
-<synopsis>service httpd configtest</synopsis>
- is replaced by
- <synopsis>apachectl configtest</synopsis>
+
The <systemitem class="daemon">systemd</systemitem> unit file for
<systemitem class="daemon">httpd</systemitem> has different behavior
from the init script as follows:
<itemizedlist>
<listitem>
@@ -51,7 +49,13 @@ The <systemitem
class="daemon">systemd</systemitem> unit file for <systemitem cl
</para>
</listitem>
</itemizedlist>
-
+
+The command:
+<synopsis>service httpd configtest</synopsis>
+ is replaced by
+ <synopsis>apachectl configtest</synopsis>
+
+
</para>
</listitem>
</varlistentry>
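Review bot: moving the configtest replacement below the itemizedlist leaves "The following examples are specific to the httpd service" followed by only the graceful example, with the second example turning up after an unrelated list of unit-file differences; keep the two service/apachectl pairs together in the new <para> before "The systemd unit file for httpd has different behavior", or give the configtest example its own introductory sentence. The moved lines `+ is replaced by` and `+ <synopsis>apachectl configtest</synopsis>` also carry a leading space that the graceful lines do not, and the two trailing empty `+` lines before `</para>` can be dropped.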
@@ -69,26 +73,23 @@ To enhance system security, the <systemitem
class="daemon">systemd</systemitem>
<term>Configuration Layout</term>
<listitem>
<para>
-Configuration files which load modules are now placed in the <filename
class="directory">/etc/httpd/conf.modules.d</filename> directory.
Packages, such as <package>php</package>, which provide additional loadable
modules for <systemitem class="daemon">httpd</systemitem> will place
a file in this directory. Any configuration files in the <filename
class="directory">conf.modules.d</filename> are processed before the
main body of <filename>httpd.conf</filename>. Configuration files in the
<filename class="directory">/etc/httpd/conf.d</filename> directory
are now processed after the main body of
<filename>httpd.conf</filename>.</para>
+Configuration files which load modules are now placed in the <filename
class="directory">/etc/httpd/conf.modules.d</filename> directory.
Packages that provide additional loadable modules for <systemitem
class="daemon">httpd</systemitem>, such as
<package>php</package>, will place a file in this directory. Any configuration
files in the <filename class="directory">conf.modules.d</filename>
directory are processed before the main body of
<filename>httpd.conf</filename>. Configuration files in the <filename
class="directory">/etc/httpd/conf.d</filename> directory are now
processed after the main body of
<filename>httpd.conf</filename>.</para>
<para>
Some additional configuration files are provided by the
<package>httpd</package> package itself:</para>
<itemizedlist>
<listitem>
<para>
- <synopsis>/etc/httpd/conf.d/autoindex.conf</synopsis>
- This configures mod_autoindex directory indexing.
+ <filename>/etc/httpd/conf.d/autoindex.conf</filename> — This configures
mod_autoindex directory indexing.
</para>
</listitem>
<listitem>
<para>
- <synopsis>/etc/httpd/conf.d/userdir.conf</synopsis>
- This configures access to user directories, for example,
<
literal>http://example.com/~username/</literal>; such access is disabled by
default for security reasons.
- </para>
+ <filename>/etc/httpd/conf.d/userdir.conf</filename> — This configures
access to user directories, for example,
<
literal>http://example.com/~username/</literal>; such access is disabled by
default for security reasons.
+ </para>
</listitem>
<listitem>
<para>
-<synopsis>/etc/httpd/conf.d/welcome.conf</synopsis>
- As in previous releases, this configures the welcome page displayed for
<literal>http://localhost/</literal> when no content is present.
+<filename>/etc/httpd/conf.d/welcome.conf</filename> — As in previous
releases, this configures the welcome page displayed for
<literal>http://localhost/</literal> when no content is present.
</para>
</listitem>
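Review bot: the `<filename>/etc/httpd/conf.d/autoindex.conf</filename> — This configures ...` pattern uses a literal em dash inside a <para> to fake a term/description pair. A <variablelist> with the file name in <term> and the description in <listitem> is the structure this chapter already uses for its other entries, renders consistently, and avoids the raw U+2014 character (if the dash is kept, `&mdash;` is the safer spelling). The same applies to the three filesystem-layout items later in this patch.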
@@ -100,16 +101,16 @@ Some additional configuration files are provided by the
<package>httpd</package>
<term>Default Configuration</term>
<listitem>
<para>
-A minimal default <filename>httpd.conf</filename> is now provided by default.
Many common configuration settings, such as <literal>Timeout</literal> or
<literal>KeepAlive</literal> are no longer explicitly configured in the
default configuration; hard-coded settings will be used instead, by default. The
hard-coded default settings for all configuration directives are specified in the manual.
See <xref linkend="s3-apache-resources-installed" /> for more
information.
+A minimal <filename>httpd.conf</filename> file is now provided by default.
Many common configuration settings, such as <literal>Timeout</literal> or
<literal>KeepAlive</literal> are no longer explicitly configured in the
default configuration; hard-coded settings will be used instead, by default. The
hard-coded default settings for all configuration directives are specified in the manual.
See <xref linkend="s3-apache-resources-installed" /> for more
information.
</para>
</listitem>
</varlistentry>
<varlistentry>
- <term>Configuration Changes</term>
+ <term>Incompatible Syntax Changes</term>
<listitem>
<para>
-A number of backwards-incompatible changes to the <systemitem
class="daemon">httpd</systemitem> configuration syntax were made which
will require changes if migrating an existing configuration from <application>httpd
2.2</application> to <application>httpd 2.4</application>. See the
following Apache document for more information on upgrading <ulink
url="http://httpd.apache.org/docs/2.4/upgrading.html" />
+If migrating an existing configuration from <application>httpd
2.2</application> to <application>httpd 2.4</application>, a number of
backwards-incompatible changes to the <systemitem
class="daemon">httpd</systemitem> configuration syntax were made which
will require changes. See the following Apache document for more information on upgrading
<ulink
url="http://httpd.apache.org/docs/2.4/upgrading.html" />
</para>
</listitem>
</varlistentry>
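Review bot: the rewritten "Incompatible Syntax Changes" paragraph now has a dangling conditional: "If migrating an existing configuration ..., a number of backwards-incompatible changes ... were made" reads as if the changes depend on the migration. Suggest "A number of backwards-incompatible changes were made to the httpd configuration syntax. If you are migrating an existing configuration from httpd 2.2 to httpd 2.4, you will need to update it accordingly." The sentence ending in `<ulink url="http://httpd.apache.org/docs/2.4/upgrading.html" />` still lacks a full stop in both the old and the new text.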
@@ -121,14 +122,14 @@ A number of backwards-incompatible changes to the <systemitem
class="daemon">htt
<para>
In previous releases of &MAJOROS;, different <firstterm>multi-processing
models</firstterm> (<acronym>MPM</acronym>) were made available as
different <systemitem class="daemon">httpd</systemitem> binaries:
the forked model, <quote>prefork</quote>, as
<filename>/usr/sbin/httpd</filename>, and the thread-based model
<quote>worker</quote> as
<filename>/usr/sbin/httpd.worker</filename>.</para>
<para>
-In &MAJOROSVER;, only a single <systemitem
class="daemon">httpd</systemitem> binary is used, and three MPMs are
available as loadable modules: worker, prefork (default), and event. The configuration
file <filename>/etc/httpd/conf.modules.d/00-mpm.conf</filename> can be changed
to select which of the three MPM modules is loaded.</para>
+In &MAJOROSVER;, only a single <systemitem
class="daemon">httpd</systemitem> binary is used, and three MPMs are
available as loadable modules: worker, prefork (default), and event. Edit the
configuration file <filename>/etc/httpd/conf.modules.d/00-mpm.conf</filename>
as required, by adding and removing the comment character <literal>#</literal>
so that only one of the three MPM modules is loaded.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Packaging Changes</term>
<listitem>
<para>
-The LDAP authentication and authorization modules are now provided in a separate
sub-package <package>mod_ldap</package>. The new module
<application>mod_session</application> and associated helper modules are
provided in a new sub-package, <package>mod_session</package>. The new modules
<application>mod_proxy_html</application> and
<application>mod_xml2enc</application> are provided in a new sub-package,
<package>mod_proxy_html</package>.
+The LDAP authentication and authorization modules are now provided in a separate
sub-package, <package>mod_ldap</package>. The new module
<application>mod_session</application> and associated helper modules are
provided in a new sub-package, <package>mod_session</package>. The new modules
<application>mod_proxy_html</application> and
<application>mod_xml2enc</application> are provided in a new sub-package,
<package>mod_proxy_html</package>.
</para>
</listitem>
</varlistentry>
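Review bot: the new wording "by adding and removing the comment character # so that only one of the three MPM modules is loaded" states the requirement but gives the reader no way to confirm the edit; suggest pointing to `apachectl configtest`, which this patch documents further down, as the check to run after editing 00-mpm.conf and before restarting the service.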
@@ -136,27 +137,24 @@ The LDAP authentication and authorization modules are now provided
in a separate
<term>Packaging Filesystem Layout</term>
<listitem>
<para>
-The <filename class="directory">/var/cache/mod_proxy</filename>
directory is no longer provided; instead, the <filename
class="directory">/var/cache/httpd/</filename> directory is packaged
with a <literal>proxy</literal> and <literal>ssl</literal>
subdirectory.
+The <filename class="directory">/var/cache/mod_proxy/</filename>
directory is no longer provided; instead, the <filename
class="directory">/var/cache/httpd/</filename> directory is packaged
with a <literal>proxy</literal> and <literal>ssl</literal>
subdirectory.
</para>
<para>
Packaged content provided with <systemitem
class="daemon">httpd</systemitem> has been moved from <filename
class="directory">/var/www/</filename> to <filename
class="directory">/usr/share/httpd/</filename>:
<itemizedlist>
<listitem>
<para>
- <synopsis>/usr/share/httpd/icons/</synopsis>
- The <filename class="directory">/var/www/icons/</filename> has
moved to <filename
class="directory">/usr/share/httpd/icons</filename>. This directory
contains a set of icons used with directory indices. Available at
<literal>http://localhost/icons/</literal> in the default configuration, via
<filename>/etc/httpd/conf.d/autoindex.conf</filename>.
+ <filename>/usr/share/httpd/icons/</filename> — The directory containing a
set of icons used with directory indices, previously contained in <filename
class="directory">/var/www/icons/</filename>, has moved to <filename
class="directory">/usr/share/httpd/icons</filename>. Available at
<literal>http://localhost/icons/</literal> in the default configuration; the
location and the availability of the icons is configurable in the
<filename>/etc/httpd/conf.d/autoindex.conf</filename> file.
</para>
</listitem>
<listitem>
<para>
- <synopsis>/usr/share/httpd/manual/</synopsis>
- The <filename class="directory">/var/www/manual/</filename> has
moved to <filename
class="directory">/usr/share/httpd/manual/</filename>. This directory,
contained in the <package>httpd-manual</package> package, contains the HTML
version of the manual for <systemitem
class="daemon">httpd</systemitem>. Available at
<literal>http://localhost/manual/</literal> if the package is installed, via
<literal>/etc/httpd/conf.d/manual.conf</literal>.</para>
+ <filename>/usr/share/httpd/manual/</filename> — The <filename
class="directory">/var/www/manual/</filename> has moved to <filename
class="directory">/usr/share/httpd/manual/</filename>. This directory,
contained in the <package>httpd-manual</package> package, contains the HTML
version of the manual for <systemitem
class="daemon">httpd</systemitem>. Available at
<literal>http://localhost/manual/</literal> if the package is installed, the
location and the availability of the manual is configurable in the
<literal>/etc/httpd/conf.d/manual.conf</literal> file.</para>
</listitem>
<listitem>
<para>
- <synopsis>/usr/share/httpd/error/</synopsis>
- The <filename class="directory">/var/www/error/</filename> has
moved to <filename
class="directory">/usr/share/httpd/error/</filename>. Custom
multi-language HTTP error pages. Not configured by default, the example configuration file
is provided at
<filename>/usr/share/doc/httpd-<replaceable>VERSION</replaceable>/httpd-multilang-errordoc.conf</filename>.
+ <filename>/usr/share/httpd/error/</filename> — The <filename
class="directory">/var/www/error/</filename> has moved to <filename
class="directory">/usr/share/httpd/error/</filename>. Custom
multi-language HTTP error pages. Not configured by default, the example configuration file
is provided at
<filename>/usr/share/doc/httpd-<replaceable>VERSION</replaceable>/httpd-multilang-errordoc.conf</filename>.
</para>
</listitem>
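Review bot: inconsistent path forms and a comma splice in the rewritten filesystem-layout items: the icons item says "has moved to `/usr/share/httpd/icons`" (no trailing slash) against `/usr/share/httpd/icons/` in its own heading; `<literal>/etc/httpd/conf.d/manual.conf</literal>` should be `<filename>` like the autoindex.conf reference in the item above it; and "Available at http://localhost/manual/ if the package is installed, the location and the availability of the manual is configurable" needs a full stop after "installed" and "are configurable" (plural subject). The icons item has the same agreement problem ("the location and the availability of the icons are configurable").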
@@ -182,7 +180,7 @@ The configuration directives used to control authentication,
authorization and a
<term>suexec</term>
<listitem>
<para>
-To improve system security, the <application>suexec</application> binary is
no longer installed <literal>setuid root</literal>; instead, it has file
system capability bits set which allow a more restrictive set of permissions. In
conjunction with this change, the <application>suexec</application> binary no
longer uses the <filename>/var/log/httpd/suexec.log</filename> logfile.
Instead, log messages are sent to <application>syslog</application>; by
default these will appear in the <filename>/var/log/secure</filename> log
file.
+To improve system security, the <application>suexec</application> binary is
no longer installed as if by the <systemitem
class="username">root</systemitem> user; instead, it has file system
capability bits set which allow a more restrictive set of permissions. In conjunction with
this change, the <application>suexec</application> binary no longer uses the
<filename>/var/log/httpd/suexec.log</filename> logfile. Instead, log messages
are sent to <application>syslog</application>; by default these will appear in
the <filename>/var/log/secure</filename> log file.
</para>
</listitem>
</varlistentry>
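Review bot: the new phrase "no longer installed as if by the root user" misstates the change and loses the term readers will search for. setuid root is a mode bit on the binary that makes it run with root's privileges whoever invokes it; it says nothing about who installed the file. Suggest "no longer installed with the setuid bit set (setuid root); instead, it has file system capability bits set, which grant a more restrictive set of privileges". "Permissions" in both old and new text should be "privileges" or "capabilities", since capability bits do not change file permissions.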
@@ -190,7 +188,7 @@ To improve system security, the
<application>suexec</application> binary is no l
<term>Module Interface</term>
<listitem>
<para>
-Due to changes to the <systemitem class="daemon">httpd</systemitem>
module interface, <application>httpd 2.4</application> is not compatible with
third-party binary modules built against <application>httpd 2.2</application>.
Such modules will need to be adjusted as necessary for the <application>httpd
2.4</application> module interface, and then rebuilt. A detailed list of the API
changes in version <literal>2.4</literal> is available here: <ulink
url="http://httpd.apache.org/docs/2.4/developer/new_api_2_4.html" />.
+Third-party binary modules built against <application>httpd 2.2</application>
are not compatible with <application>httpd 2.4</application> due to changes to
the <systemitem class="daemon">httpd</systemitem> module interface.
Such modules will need to be adjusted as necessary for the <application>httpd
2.4</application> module interface, and then rebuilt. A detailed list of the API
changes in version <literal>2.4</literal> is available here: <ulink
url="http://httpd.apache.org/docs/2.4/developer/new_api_2_4.html" />.
</para>
<para>
The <application>apxs</application> binary used to build modules from source
has moved from <filename>/usr/sbin/apxs</filename> to
<filename>/usr/bin/apxs</filename>.
@@ -204,7 +202,7 @@ The <application>apxs</application> binary used to build
modules from source has
List of <systemitem class="daemon">httpd</systemitem> modules
removed in &MAJOROSVER;:
<variablelist>
<varlistentry>
- <term>mod_auth_mysql, mod_auth_pgsql</term>
+ <term>mod_auth_mysql, mod_auth_pgsql</term>
<listitem>
<para>
<application>httpd 2.4</application> provides SQL database
authentication support internally in the
<application>mod_authn_dbd</application> module.
@@ -212,7 +210,7 @@ List of <systemitem
class="daemon">httpd</systemitem> modules removed in &MAJORO
</listitem>
</varlistentry>
<varlistentry>
- <term>mod_perl</term>
+ <term>mod_perl</term>
<listitem>
<para>
<application>mod_perl</application> is not officially supported with
<application>httpd 2.4</application> by upstream.
@@ -220,10 +218,10 @@ List of <systemitem
class="daemon">httpd</systemitem> modules removed in &MAJORO
</listitem>
</varlistentry>
<varlistentry>
- <term>mod_authz_ldap</term>
+ <term>mod_authz_ldap</term>
<listitem>
<para>
- <application>httpd 2.4</application> provides LDAP support internally
using <application>mod_authnz_ldap</application>.
+ <application>httpd 2.4</application> provides LDAP support in
sub-package <package>mod_ldap</package> using
<application>mod_authnz_ldap</application>.
</para>
</listitem>
</varlistentry>
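Review bot: "provides LDAP support in sub-package mod_ldap" should read "in the <package>mod_ldap</package> sub-package", matching the "Packaging Changes" entry earlier in this patch. The `<term>` lines in this and the two preceding hunks are whitespace-only changes that add noise to the diff and could be reverted.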
@@ -275,7 +273,7 @@ List of <systemitem
class="daemon">httpd</systemitem> modules removed in &MAJORO
<para>
Note that you can check the configuration for possible errors by using the
following command:
</para>
- <screen>~]# <command>apachectl configtest</command>
+ <screen>~]# <command>apachectl configtest</command>
Syntax OK</screen>
<para>
For more information on upgrading the Apache HTTP Server configuration from version
2.2 to 2.4, see <ulink
url="http://httpd.apache.org/docs/2.4/upgrading.html"/>.
@@ -286,7 +284,7 @@ Syntax OK</screen>
<para>
This section describes how to start, stop, restart, and check the current status of
the Apache HTTP Server. To be able to use the <systemitem
class="service">httpd</systemitem> service, make sure you have the
<package>httpd</package> installed. You can do so by using the following
command:
</para>
- <screen>~]# <command>yum install httpd</command></screen>
+ <screen>~]# <command>yum install
httpd</command></screen>
<para>
For more information on the concept of targets and how to manage system services in
&MAJOROS; in general, see <remark>link to systemd section when
ready</remark> <xref linkend="ch-Services_and_Daemons" />.
</para>
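Review bot: this hunk changes only whitespace on a <screen> line; because <screen> is verbatim, confirm the change is confined to indentation before the opening tag and does not alter spacing or add a line break inside `<command>yum install httpd</command>`. The unchanged context still carries `<remark>link to systemd section when ready</remark>` next to an `<xref linkend="ch-Services_and_Daemons" />` that already provides that link; the remark can go in this review pass.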
@@ -299,11 +297,11 @@ Syntax OK</screen>
<para>
To run the <systemitem class="service">httpd</systemitem>
service, type the following at a shell prompt as <systemitem
class="username">root</systemitem>:
</para>
- <screen>~]# <command>systemctl start
httpd.service</command></screen>
+ <screen>~]# <command>systemctl start
httpd.service</command></screen>
<para>
- If you want the service to start automatically at the boot time, use the
following command:
+ If you want the service to start automatically at boot time, use the following
command:
</para>
- <screen>~]# <command>systemctl enable httpd.service</command>
+ <screen>~]# <command>systemctl enable
httpd.service</command>
ln -s '/usr/lib/systemd/system/httpd.service'
'/etc/systemd/system/multi-user.target.wants/httpd.service'</screen>
<note>
<title>Using the secure server</title>
@@ -342,7 +340,7 @@ rm
'/etc/systemd/system/multi-user.target.wants/httpd.service'</screen>
<para>
To restart the service completely, enter the following command as
<systemitem class="username">root</systemitem>:
</para>
- <screen>~]# <command>systemctl restart
httpd.service</command></screen>
+ <screen>~]# <command>systemctl restart
httpd.service</command></screen>
<para>
This stops the running <systemitem
class="service">httpd</systemitem> service and immediately starts it
again. Use this command after installing or removing a dynamically loaded module such as
PHP.
</para>
@@ -351,18 +349,18 @@ rm
'/etc/systemd/system/multi-user.target.wants/httpd.service'</screen>
<para>
To only reload the configuration, as <systemitem
class="username">root</systemitem>, type:
</para>
- <screen>~]# <command>systemctl reload
httpd.service</command></screen>
+ <screen>~]# <command>systemctl reload
httpd.service</command></screen>
<para>
- This causes the running <systemitem
class="service">httpd</systemitem> service to reload its configuration
file. Any requests being currently processed will be interrupted, which may cause a client
browser to display an error message or render a partial page.
+ This causes the running <systemitem
class="service">httpd</systemitem> service to reload its configuration
file. Any requests currently being processed will be interrupted, which may cause a client
browser to display an error message or render a partial page.
</para>
</listitem>
<listitem>
<para>
To reload the configuration without affecting active requests, enter the
following command as <systemitem
class="username">root</systemitem>:
</para>
- <screen>~]# <command>service httpd
graceful</command></screen>
+ <screen>~]# <command>apachectl
graceful</command></screen>
<para>
- This cause the running <systemitem
class="service">httpd</systemitem> service to reload its configuration
file. Any requests being currently processed will use the old configuration.
+ This causes the running <systemitem
class="service">httpd</systemitem> service to reload its configuration
file. Any requests currently being processed will continue to use the old configuration.
</para>
</listitem>
</orderedlist>
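Review bot: replacing `service httpd graceful` with `apachectl graceful` here is the right follow-through on the "httpd Service Control" change at the top of the patch. Since the reload item above now says in-flight requests "will be interrupted" while this one says they "will continue to use the old configuration", consider adding one sentence stating that the graceful variant is the one to use on a server that is serving clients, which is what the two descriptions together imply.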
@@ -379,7 +377,7 @@ rm
'/etc/systemd/system/multi-user.target.wants/httpd.service'</screen>
<para>
To verify that the <systemitem
class="service">httpd</systemitem> service is running, type the
following at a shell prompt:
</para>
- <screen>~]# <command>systemctl is-active httpd.service</command>
+ <screen>~]# <command>systemctl is-active
httpd.service</command>
active</screen>
</section>
</section>
@@ -443,7 +441,7 @@ active</screen>
<para>
To check the configuration for possible errors, type the following at a shell
prompt:
</para>
- <screen>~]# <command>apachectl configtest</command>
+ <screen>~]# <command>apachectl configtest</command>
Syntax OK</screen>
<para>
To make the recovery from mistakes easier, it is recommended that you make a copy
of the original file before editing it.
@@ -3767,14 +3765,14 @@ ErrorDocument 404 /404-not_found.html</programlisting>
<para>
If you intend to create a new DSO module, make sure you have the
<package>httpd-devel</package> package installed. To do so, enter the
following command as <systemitem
class="username">root</systemitem>:
</para>
- <screen>~]# <command>yum install
httpd-devel</command></screen>
+ <screen>~]# <command>yum install
httpd-devel</command></screen>
<para>
This package contains the include files, the header files, and the
<application>APache eXtenSion</application>
(<command>apxs</command>) utility required to compile a module.
</para>
<para>
Once written, you can build the module with the following command:
</para>
- <screen>~]# <command>apxs -i -a -c
<replaceable>module_name</replaceable>.c</command></screen>
+ <screen>~]# <command>apxs -i -a -c
<replaceable>module_name</replaceable>.c</command></screen>
<para>
If the build was successful, you should be able to load the module the same way
as any other module that is distributed with the Apache HTTP Server.
</para>
@@ -3791,7 +3789,7 @@ ErrorDocument 404 /404-not_found.html</programlisting>
<see><application>Apache HTTP Server</application></see>
</indexterm>
<para>
- The Apache HTTP Server's built in virtual hosting allows the server to provide
different information based on which IP address, hostname, or port is being requested.
+ The Apache HTTP Server's built in virtual hosting allows the server to provide
different information based on which IP address, host name, or port is being requested.
</para>
<para>
To create a name-based virtual host, copy the example configuration file
<filename>/usr/share/doc/httpd-<replaceable>VERSION</replaceable>/httpd-vhosts.conf</filename>
into the <filename class="directory">/etc/httpd/conf.d/</filename>
directory, and replace the <literal>@@Port@@</literal> and
<literal>@@ServerRoot@@</literal> placeholder values. Customize the options
according to your requirements as shown in <xref
linkend="example-apache-virtualhosts-config"/>.
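Review bot: "built in virtual hosting" should be hyphenated as an adjective, "built-in virtual hosting"; this hunk already touches the line for the "hostname" to "host name" change and could fix both.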
@@ -3882,10 +3880,10 @@ ErrorDocument 404 /404-not_found.html</programlisting>
<tertiary>certificate authority</tertiary>
</indexterm>
<para>
- To provide secure communications using SSL, an SSL server must use a digital
certificate signed by a <firstterm>Certificate Authority</firstterm>
(<acronym>CA</acronym>). The certificate lists various attributes of the
server (that is, the server hostname, the name of the company, its location, etc.), and
the signature produced using the CA's private key. This signature ensures that a
particular certificate authority has issued the certificate, and that the certificate has
not been modified in any way.
+ To provide secure communications using SSL, an SSL server must use a digital
certificate signed by a <firstterm>Certificate Authority</firstterm>
(<acronym>CA</acronym>). The certificate lists various attributes of the
server (that is, the server host name, the name of the company, its location, etc.), and
the signature produced using the CA's private key. This signature ensures that a
particular certificate authority has signed the certificate, and that the certificate has
not been modified in any way.
</para>
<para>
- When a web browser establishes a new SSL connection, it checks the certificate
provided by the web server. If the certificate does not have a signature from a trusted
CA, or if the hostname listed in the certificate does not match the hostname used to
establish the connection, it refuses to communicate with the server and usually presents a
user with an appropriate error message.
+ When a web browser establishes a new SSL connection, it checks the certificate
provided by the web server. If the certificate does not have a signature from a trusted
CA, or if the host name listed in the certificate does not match the host name used to
establish the connection, it refuses to communicate with the server and usually presents a
user with an appropriate error message.
</para>
<para>
By default, most web browsers are configured to trust a set of widely used
certificate authorities. Because of this, an appropriate CA should be chosen when setting
up a secure server, so that target users can trust the connection, otherwise they will be
presented with an error message, and will have to accept the certificate manually. Since
encouraging users to override certificate errors can allow an attacker to intercept the
connection, you should use a trusted CA whenever possible. For more information on this,
see <xref linkend="table-apache-mod_ssl-certificates-authorities" />.
@@ -3947,7 +3945,7 @@ ErrorDocument 404 /404-not_found.html</programlisting>
<para>
If you intend to set up an SSL server, make sure you have the
<package>mod_ssl</package> (the <systemitem
class="resource">mod_ssl</systemitem> module) and
<package>openssl</package> (the OpenSSL toolkit) packages installed. To do so,
enter the following command as <systemitem
class="username">root</systemitem>:
</para>
- <screen>~]# <command>yum install mod_ssl
openssl</command></screen>
+ <screen>~]# <command>yum install mod_ssl
openssl</command></screen>
<indexterm>
<primary><application>Apache HTTP
Server</application></primary>
<secondary>files</secondary>
@@ -3996,8 +3994,8 @@ ErrorDocument 404 /404-not_found.html</programlisting>
<para>
If you want to use an existing key and certificate, move the relevant files to
the <filename class="directory">/etc/pki/tls/private/</filename> and
<filename class="directory">/etc/pki/tls/certs/</filename>
directories respectively. You can do so by issuing the following commands as
<systemitem class="username">root</systemitem>:
</para>
- <screen>~]# <command>mv</command>
<filename><replaceable>key_file</replaceable>.key</filename>
<filename>/etc/pki/tls/private/<replaceable>hostname</replaceable>.key</filename>
-~]# <command>mv</command>
<filename><replaceable>certificate</replaceable>.crt</filename>
<filename>/etc/pki/tls/certs/<replaceable>hostname</replaceable>.crt</filename></screen>
+ <screen>~]# <command>mv</command>
<filename><replaceable>key_file</replaceable>.key</filename>
<filename>/etc/pki/tls/private/<replaceable>hostname</replaceable>.key</filename>
+~]# <command>mv</command>
<filename><replaceable>certificate</replaceable>.crt</filename>
<filename>/etc/pki/tls/certs/<replaceable>hostname</replaceable>.crt</filename></screen>
<para>
Then add the following lines to the
<filename>/etc/httpd/conf.d/ssl.conf</filename> configuration file:
</para>
@@ -4007,9 +4005,9 @@ SSLCertificateKeyFile
/etc/pki/tls/private/<replaceable>hostname</replaceable>.k
To load the updated configuration, restart the <systemitem
class="service">httpd</systemitem> service as described in <xref
linkend="s3-apache-running-restarting" />.
</para>
<example id="example-apache-mod_ssl-keypair">
- <title>Using a key and certificate from the Red Hat Secure Web
Server</title>
- <screen>~]# <command>mv /etc/httpd/conf/httpsd.key
/etc/pki/tls/private/penguin.example.com.key</command>
-~]# <command>mv /etc/httpd/conf/httpsd.crt
/etc/pki/tls/certs/penguin.example.com.crt</command></screen>
+ <title>Using a key and certificate from the Red Hat Secure Web
Server</title>
+ <screen>~]# <command>mv /etc/httpd/conf/httpsd.key
/etc/pki/tls/private/penguin.example.com.key</command>
+~]# <command>mv /etc/httpd/conf/httpsd.crt
/etc/pki/tls/certs/penguin.example.com.crt</command></screen>
</example>
</section>
<section id="s3-apache-mod_ssl-genkey">
@@ -4025,30 +4023,30 @@ SSLCertificateKeyFile
/etc/pki/tls/private/<replaceable>hostname</replaceable>.k
<tertiary>certificate</tertiary>
</indexterm>
<para>
- In order to generate a new key and certificate pair, you must to have the
<package>crypto-utils</package> package installed on your system. As
<systemitem class="username">root</systemitem>, it can be installed
by entering the following command:
+ In order to generate a new key and certificate pair, the
<package>crypto-utils</package> package must be installed on the system. To
install it, enter the following command as <systemitem
class="username">root</systemitem>:
</para>
- <screen>~]# <command>yum install
crypto-utils</command></screen>
+ <screen>~]# <command>yum install
crypto-utils</command></screen>
<para>
- This package provides a set of tools to generate and manage SSL certificates and
private keys, and includes <application>genkey</application>, the Red Hat
Keypair Generation utility that will guide you through the key generation process.
+ This package provides a set of tools to generate and manage SSL certificates and
private keys, and includes <application>genkey</application>, the
Red Hat Keypair Generation utility that will guide you through the key generation
process.
</para>
<important>
<title>Replacing an existing certificate</title>
<para>
If the server already has a valid certificate and you are replacing it with a
new one, specify a different serial number. This ensures that client browsers are notified
of this change, update to this new certificate as expected, and do not fail to access the
page. To create a new certificate with a custom serial number, use the following command
instead of <application>genkey</application>:
</para>
- <screen>~]# <command>openssl req -x509 -new -set_serial
<replaceable>number</replaceable> -key
<replaceable>hostname</replaceable>.key -out
<replaceable>hostname</replaceable>.crt</command></screen>
+ <screen>~]# <command>openssl req -x509 -new -set_serial
<replaceable>number</replaceable> -key
<replaceable>hostname</replaceable>.key -out
<replaceable>hostname</replaceable>.crt</command></screen>
</important>
<note>
<title>Remove a previously created key</title>
<para>
- If there already is a key file for a particular host name on your system,
<application>genkey</application> will refuse to start. In this case, remove
the existing file using the following command as <systemitem
class="username">root</systemitem>:
+ If there already is a key file for a particular host name in your system,
<application>genkey</application> will refuse to start. In this case, remove
the existing file using the following command as <systemitem
class="username">root</systemitem>:
</para>
- <screen>~]# <command>rm
/etc/pki/tls/private/<replaceable>hostname</replaceable>.key</command></screen>
+ <screen>~]# <command>rm
/etc/pki/tls/private/<replaceable>hostname</replaceable>.key</command></screen>
</note>
<para>
- To run the utility, as <systemitem
class="username">root</systemitem>, enter the
<command>genkey</command> command followed by the appropriate host name (for
example, <systemitem
class="domainname">penguin.example.com</systemitem>):
+ To run the utility, use the <command>genkey</command> command
followed by the appropriate host name (for example, <systemitem
class="domainname">penguin.example.com</systemitem>):
</para>
- <screen>~]# <command>genkey</command>
<replaceable>hostname</replaceable></screen>
+ <screen>~]# <command>genkey</command>
<replaceable>hostname</replaceable></screen>
<para>
To complete the key and certificate creation, take the following steps:
</para>
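Review bot: two regressions in the rewording of this section. "a key file for a particular host name in your system" should stay "on your system", and dropping "as root" from "To run the utility, use the genkey command" removes the privilege requirement while the <screen> below still shows the `~]#` root prompt; the note just above has the reader remove a file under /etc/pki/tls/private/ as root, so keep "enter the following command as root" for genkey too.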
@@ -4076,7 +4074,7 @@ SSLCertificateKeyFile
/etc/pki/tls/private/<replaceable>hostname</replaceable>.k
</step>
<step>
<para>
- Using the <keycap>Up</keycap> and
<keycap>down</keycap> arrow keys, select the suitable key size. Note that
while the large key increases the security, it also increases the response time of your
server. The NIST recommends using <literal>2048 bits</literal>. See <ulink
url="http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A....
pubwork="book">NIST Special Publication
800-131A</citetitle></ulink>.
+ Using the <keycap>up</keycap> and
<keycap>down</keycap> arrow keys, select a suitable key size. Note that while
a larger key increases the security, it also increases the response time of your server.
The NIST recommends using <literal>2048 bits</literal>. See <ulink
url="http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A....
pubwork="book">NIST Special Publication
800-131A</citetitle></ulink>.
</para>
<figure id="figure-apache-mod_ssl-genkey-02">
<title>Selecting the key size</title>