[system-administrators-guide] Apache: 2.2 to 2.4

stephenw stephenw at fedoraproject.org
Thu Aug 7 20:03:30 UTC 2014


commit 561fbb1823bfd4b2a4fea53744d24c50d080e247
Author: Stephen Wadeley <swadeley at redhat.com>
Date:   Thu Aug 7 21:56:41 2014 +0200

    Apache: 2.2 to 2.4
    
    Thanks to jorton for technical review and patches.
    Thanks to hkario for SSL Server - recommended key size

 en-US/The_Apache_HTTP_Server.xml |  359 ++++++++++++++++++++++++++------------
 1 files changed, 245 insertions(+), 114 deletions(-)
---
diff --git a/en-US/The_Apache_HTTP_Server.xml b/en-US/The_Apache_HTTP_Server.xml
index f70321f..32f2422 100644
--- a/en-US/The_Apache_HTTP_Server.xml
+++ b/en-US/The_Apache_HTTP_Server.xml
@@ -8,106 +8,242 @@
     <see><application>Apache HTTP Server</application></see>
   </indexterm>
   <para>
-    This section focuses on the <application>Apache HTTP Server 2.2</application>, a robust, full-featured open source web server developed by the <ulink url="http://www.apache.org/">Apache Software Foundation</ulink>, that is included in &MAJOROSVER;. It describes the basic configuration of the <systemitem class="service">httpd</systemitem> service, and covers advanced topics such as adding server modules, setting up virtual hosts, or configuring the secure HTTP server.
+    The web server available in &MAJOROSVER; is the Apache HTTP server daemon, <systemitem class="daemon">httpd</systemitem>, an open source web server developed by the <ulink url="http://www.apache.org/">Apache Software Foundation</ulink>. In &MAJOROSVER; the Apache server has been updated to <application>Apache HTTP Server 2.4</application>. This section describes the basic configuration of the <systemitem class="service">httpd</systemitem> service, and covers some advanced topics such as adding server modules, setting up virtual hosts, or configuring the secure HTTP server.
   </para>
   <para>
-    There are important differences between the Apache HTTP Server 2.2 and version 2.0, and if you are upgrading from a previous release of &MAJOROS;, you will need to update the <systemitem class="service">httpd</systemitem> service configuration accordingly. This section reviews some of the newly added features, outlines important changes, and guides you through the update of older configuration files.
+    There are important differences between the Apache HTTP Server 2.4 and version 2.2, and if you are upgrading from a previous release of &MAJOROS;, you will need to update the <systemitem class="service">httpd</systemitem> service configuration accordingly. This section reviews some of the newly added features, outlines important changes, and guides you through the update of older configuration files.
   </para>
-  <section id="s2-apache-version2-features">
-    <title>New Features</title>
+  <section id="s2-apache-changes">
+    <title>Notable Changes</title>
     <indexterm>
       <primary><application>Apache HTTP Server</application></primary>
-      <secondary>version 2.2</secondary>
-      <tertiary>features</tertiary>
+      <secondary>version 2.4</secondary>
+      <tertiary>changes</tertiary>
     </indexterm>
     <para>
-      The Apache HTTP Server version 2.2 introduces the following enhancements:
+      The Apache HTTP Server version 2.4 has the following changes:
     </para>
-    <itemizedlist>
+    <variablelist>
+
+    <varlistentry>
+      <term>httpd Service Control</term>
       <listitem>
         <para>
-          <indexterm>
-            <primary><application>Apache HTTP Server</application></primary>
-            <secondary>modules</secondary>
-            <tertiary><systemitem class="resource">mod_cache</systemitem></tertiary>
-          </indexterm>
-          <indexterm>
-            <primary><application>Apache HTTP Server</application></primary>
-            <secondary>modules</secondary>
-            <tertiary><systemitem class="resource">mod_disk_cache</systemitem></tertiary>
-          </indexterm>
-          Improved caching modules, that is, <systemitem class="resource">mod_cache</systemitem> and <systemitem class="resource">mod_disk_cache</systemitem>.
+With the migration away from SysV init scripts, server administrators should switch to using the <command>apachectl</command> and <command>systemctl</command> commands to control the service, in place of the <command>service</command> command. The following examples are specific to the <systemitem class="daemon">httpd</systemitem> service.
+The command:
+<synopsis>service httpd graceful</synopsis>
+is replaced by
+<synopsis>apachectl graceful</synopsis>
+The command:
+<synopsis>service httpd configtest</synopsis>
+ is replaced by
+ <synopsis>apachectl configtest</synopsis>
+The <systemitem class="daemon">systemd</systemitem> unit file for <systemitem class="daemon">httpd</systemitem> has different behavior from the init script as follows:
+<itemizedlist>
+  <listitem>
+    <para>
+   A graceful restart is used by default when the service is reloaded.
+    </para>
+  </listitem>
+  <listitem>
+    <para>
+   A graceful stop is used by default when the service is stopped.
+   </para>
+  </listitem>
+</itemizedlist>
+          
         </para>
       </listitem>
+    </varlistentry>
+
+<varlistentry>
+      <term>Private /tmp</term>
       <listitem>
         <para>
-          <indexterm>
-            <primary><application>Apache HTTP Server</application></primary>
-            <secondary>modules</secondary>
-            <tertiary><systemitem class="resource">mod_proxy_balancer</systemitem></tertiary>
-          </indexterm>
-          Support for proxy load balancing, that is, the <systemitem class="resource">mod_proxy_balancer</systemitem> module.
-        </para>
-      </listitem>
+To enhance system security, the <systemitem class="daemon">systemd</systemitem> unit file runs the <systemitem class="daemon">httpd</systemitem> daemon using a private <filename class="directory">/tmp</filename> directory, separate to the system <filename class="directory">/tmp</filename> directory.
+</para>
+</listitem>
+</varlistentry>
+
+    <varlistentry>
+      <term>Configuration Layout</term>
       <listitem>
         <para>
-          Support for large files on 32-bit architectures, allowing the web server to handle files greater than 2GB.
+Configuration files which load modules are now placed in the <filename class="directory">/etc/httpd/conf.modules.d</filename> directory. Packages, such as <package>php</package>, which provide additional loadable modules for <systemitem class="daemon">httpd</systemitem> will place a file in this directory. Any configuration files in the <filename class="directory">conf.modules.d</filename> are processed before the main body of <filename>httpd.conf</filename>. Configuration files in the <filename class="directory">/etc/httpd/conf.d</filename> directory are now processed after the main body of <filename>httpd.conf</filename>.</para>
+<para>
+Some additional configuration files are provided by the <package>httpd</package> package itself:</para>
+<itemizedlist>
+  <listitem>
+  <para>
+ <synopsis>/etc/httpd/conf.d/autoindex.conf</synopsis>
+  This configures mod_autoindex directory indexing.
+  </para>
+  </listitem>
+  <listitem>
+  <para>
+  <synopsis>/etc/httpd/conf.d/userdir.conf</synopsis>
+  This configures access to user directories, for example, <literal>http://example.com/~username/</literal>; such access is disabled by default for security reasons.
+  </para>
+  </listitem>
+  <listitem>
+  <para>
+<synopsis>/etc/httpd/conf.d/welcome.conf</synopsis>
+  As in previous releases, this configures the welcome page displayed for <literal>http://localhost/</literal> when no content is present.
         </para>
       </listitem>
+
+</itemizedlist>
+</listitem>
+    </varlistentry>
+
+<varlistentry>
+      <term>Default Configuration</term>
       <listitem>
         <para>
-          A new structure for authentication and authorization support, replacing the authentication modules provided in previous versions.
-        </para>
-      </listitem>
-    </itemizedlist>
-  </section>
-  <section id="s2-apache-version2-changes">
-    <title>Notable Changes</title>
-    <indexterm>
-      <primary><application>Apache HTTP Server</application></primary>
-      <secondary>version 2.2</secondary>
-      <tertiary>changes</tertiary>
-    </indexterm>
-    <para>
-      Since version 2.0, few changes have been made to the default <systemitem class="service">httpd</systemitem> service configuration:
-    </para>
-    <itemizedlist>
+A minimal default <filename>httpd.conf</filename> is now provided by default. Many common configuration settings, such as <literal>Timeout</literal> or <literal>KeepAlive</literal> are no longer explicitly configured in the default configuration; hard-coded settings will be used instead, by default. The hard-coded default settings for all configuration directives are specified in the manual. See <xref linkend="s3-apache-resources-installed" /> for more information.
+</para>
+</listitem>
+</varlistentry>
+
+<varlistentry>
+      <term>Configuration Changes</term>
       <listitem>
         <para>
-          <indexterm>
-            <primary><application>Apache HTTP Server</application></primary>
-            <secondary>modules</secondary>
-            <tertiary><systemitem class="resource">mod_cern_meta</systemitem></tertiary>
-          </indexterm>
-          <indexterm>
-            <primary><application>Apache HTTP Server</application></primary>
-            <secondary>modules</secondary>
-            <tertiary><systemitem class="resource">mod_asis</systemitem></tertiary>
-          </indexterm>
-          The following modules are no longer loaded by default: <systemitem class="resource">mod_cern_meta</systemitem> and <systemitem class="resource">mod_asis</systemitem>.
-        </para>
-      </listitem>
+A number of backwards-incompatible changes to the <systemitem class="daemon">httpd</systemitem> configuration syntax were made which will require changes if migrating an existing configuration from <application>httpd 2.2</application> to <application>httpd 2.4</application>. See the following Apache document for more information on upgrading <ulink url="http://httpd.apache.org/docs/2.4/upgrading.html" />
+</para>
+</listitem>
+</varlistentry>
+
+
+<varlistentry>
+      <term>Processing Model</term>
       <listitem>
         <para>
-          <indexterm>
-            <primary><application>Apache HTTP Server</application></primary>
-            <secondary>modules</secondary>
-            <tertiary><systemitem class="resource">mod_ext_filter</systemitem></tertiary>
-          </indexterm>
-          The following module is newly loaded by default: <systemitem class="resource">mod_ext_filter</systemitem>.
-        </para>
-      </listitem>
-    </itemizedlist>
+In previous releases of &MAJOROS;, different <firstterm>multi-processing models</firstterm> (<acronym>MPM</acronym>) were made available as different <systemitem class="daemon">httpd</systemitem> binaries: the forked model, <quote>prefork</quote>, as <filename>/usr/sbin/httpd</filename>, and the thread-based model <quote>worker</quote> as <filename>/usr/sbin/httpd.worker</filename>.</para>
+<para>
+In &MAJOROSVER;, only a single <systemitem class="daemon">httpd</systemitem> binary is used, and three MPMs are available as loadable modules: worker, prefork (default), and event. The configuration file <filename>/etc/httpd/conf.modules.d/00-mpm.conf</filename> can be changed to select which of the three MPM modules is loaded.</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+      <term>Packaging Changes</term>
+      <listitem>
+        <para>
+The LDAP authentication and authorization modules are now provided in a separate sub-package <package>mod_ldap</package>. The new module <application>mod_session</application> and associated helper modules are provided in a new sub-package, <package>mod_session</package>. The new modules <application>mod_proxy_html</application> and <application>mod_xml2enc</application> are provided in a new sub-package, <package>mod_proxy_html</package>.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+      <term>Packaging Filesystem Layout</term>
+      <listitem>
+        <para>
+The <filename class="directory">/var/cache/mod_proxy</filename> directory is no longer provided; instead, the <filename class="directory">/var/cache/httpd/</filename> directory is packaged with a <literal>proxy</literal> and <literal>ssl</literal> subdirectory.
+</para>
+<para>
+Packaged content provided with <systemitem class="daemon">httpd</systemitem> has been moved from <filename class="directory">/var/www/</filename> to <filename class="directory">/usr/share/httpd/</filename>:
+<itemizedlist>
+<listitem>
+<para>
+  <synopsis>/usr/share/httpd/icons/</synopsis>
+  The <filename class="directory">/var/www/icons/</filename> has moved to <filename class="directory">/usr/share/httpd/icons</filename>. This directory contains a set of icons used with directory indices. Available at <literal>http://localhost/icons/</literal> in the default configuration, via <filename>/etc/httpd/conf.d/autoindex.conf</filename>.
+  </para>
+  </listitem>
+
+<listitem>
+<para>
+  <synopsis>/usr/share/httpd/manual/</synopsis>
+  The <filename class="directory">/var/www/manual/</filename> has moved to <filename class="directory">/usr/share/httpd/manual/</filename>. This directory, contained in the <package>httpd-manual</package> package, contains the HTML version of the manual for <systemitem class="daemon">httpd</systemitem>. Available at <literal>http://localhost/manual/</literal> if the package is installed, via <literal>/etc/httpd/conf.d/manual.conf</literal>.</para>
+  </listitem>
+<listitem>
+<para>
+  <synopsis>/usr/share/httpd/error/</synopsis>
+  The <filename class="directory">/var/www/error/</filename> has moved to <filename class="directory">/usr/share/httpd/error/</filename>. Custom multi-language HTTP error pages. Not configured by default, the example configuration file is provided at <filename>/usr/share/doc/httpd-<replaceable>VERSION</replaceable>/httpd-multilang-errordoc.conf</filename>.
+  </para>
+  </listitem>
+
+</itemizedlist>
+
+</para>
+</listitem>
+</varlistentry>
+
+    </variablelist>
+
+ 
+<variablelist>
+<varlistentry>
+      <term>Authentication, Authorization and Access Control</term>
+      <listitem>
+        <para>
+The configuration directives used to control authentication, authorization and access control have changed significantly. Existing configuration files using the <literal>Order</literal>, <literal>Deny</literal> and <literal>Allow</literal> directives should be adapted to use the new <literal>Require</literal> syntax. See the following Apache document for more information <ulink url="http://httpd.apache.org/docs/2.4/howto/auth.html" />
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+      <term>suexec</term>
+      <listitem>
+        <para>
+To improve system security, the <application>suexec</application> binary is no longer installed <literal>setuid root</literal>; instead, it has file system capability bits set which allow a more restrictive set of permissions. In conjunction with this change, the <application>suexec</application> binary no longer uses the <filename>/var/log/httpd/suexec.log</filename> logfile. Instead, log messages are sent to <application>syslog</application>; by default these will appear in the <filename>/var/log/secure</filename> log file.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+<term>Module Interface</term>
+<listitem>
+<para>
+Due to changes to the <systemitem class="daemon">httpd</systemitem> module interface, <application>httpd 2.4</application> is not compatible with third-party binary modules built against <application>httpd 2.2</application>. Such modules will need to be adjusted as necessary for the <application>httpd 2.4</application> module interface, and then rebuilt. A detailed list of the API changes in version <literal>2.4</literal> is available here: <ulink url="http://httpd.apache.org/docs/2.4/developer/new_api_2_4.html" />.
+</para>
+<para>
+The <application>apxs</application> binary used to build modules from source has moved from <filename>/usr/sbin/apxs</filename> to <filename>/usr/bin/apxs</filename>.
+</para>
+</listitem>
+</varlistentry>
+<varlistentry>
+      <term>Removed modules</term>
+      <listitem>
+        <para>
+List of <systemitem class="daemon">httpd</systemitem> modules removed in &MAJOROSVER;:
+<variablelist>
+  <varlistentry>
+      <term>mod_auth_mysql, mod_auth_pgsql</term> 
+        <listitem>
+          <para>
+        <application>httpd 2.4</application> provides SQL database authentication support internally in the <application>mod_authn_dbd</application> module.
+          </para>
+        </listitem>
+   </varlistentry>
+  <varlistentry>
+      <term>mod_perl</term> 
+        <listitem>
+          <para>
+       <application>mod_perl</application> is not officially supported with <application>httpd 2.4</application> by upstream.
+          </para>
+        </listitem>
+   </varlistentry>
+  <varlistentry>
+      <term>mod_authz_ldap</term> 
+        <listitem>
+          <para>
+      <application>httpd 2.4</application> provides LDAP support internally using <application>mod_authnz_ldap</application>.
+          </para>
+        </listitem>
+   </varlistentry>
+
+</variablelist>
+</para>
+</listitem>
+</varlistentry>
+</variablelist>
+
   </section>
   <section id="s2-apache-version2-migrating">
     <title>Updating the Configuration</title>
     <indexterm>
       <primary><application>Apache HTTP Server</application></primary>
-      <secondary>version 2.2</secondary>
-      <tertiary>updating from version 2.0</tertiary>
+      <secondary>version 2.4</secondary>
+      <tertiary>updating from version 2.2</tertiary>
     </indexterm>
     <para>
-      To update the configuration files from the Apache HTTP Server version 2.0, take the following steps:
+      To update the configuration files from the Apache HTTP Server version 2.2, take the following steps:
     </para>
     <procedure>
       <step>
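Review bot: the "Authentication, Authorization and Access Control" entry tells readers to adapt Order, Deny and Allow to the new Require syntax but shows no mapping, and this is the change where a mistaken conversion alters who can reach content. Add a short before/after pair for the common allow-all and deny-all cases next to the link to howto/auth.html. Smaller points in the same hunk: the variablelist is closed after "Packaging Filesystem Layout" and a second one is opened immediately for the remaining entries, which looks unintended; "separate to the system /tmp" should read "separate from"; "A minimal default httpd.conf is now provided by default" repeats itself; and the "Private /tmp" entry should say what this means in practice for files httpd writes there. The section id changes from s2-apache-version2-changes to s2-apache-changes and s2-apache-version2-features is removed, so any xref to the old ids needs updating.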
@@ -139,19 +275,20 @@
     <para>
       Note that you can check the configuration for possible errors by using the following command:
     </para>
-    <screen><command>service httpd configtest</command></screen>
+    <screen>~]# <command>service httpd configtest</command>
+Syntax OK</screen>
     <para>
-      For more information on upgrading the Apache HTTP Server configuration from version 2.0 to 2.2, refer to <ulink url="http://httpd.apache.org/docs/2.2/upgrading.html" />.
+      For more information on upgrading the Apache HTTP Server configuration from version 2.2 to 2.4, see <ulink url="http://httpd.apache.org/docs/2.4/upgrading.html"/>.
     </para>
   </section>
   <section id="s2-apache-running">
     <title>Running the httpd Service</title>
     <para>
-      This section describes how to start, stop, restart, and check the current status of the Apache HTTP Server. To be able to use the <systemitem class="service">httpd</systemitem> service, make sure you have the <package>httpd</package> installed. You can do so by using the following command as <systemitem class="username">root</systemitem>:
+      This section describes how to start, stop, restart, and check the current status of the Apache HTTP Server. To be able to use the <systemitem class="service">httpd</systemitem> service, make sure you have the <package>httpd</package> installed. You can do so by using the following command:
     </para>
-    <screen><command>yum install httpd</command></screen>
+    <screen>~]# <command>yum install httpd</command></screen>
     <para>
-      For more information on the concept of runlevels and how to manage system services in &MAJOROS; in general, refer to <xref linkend="ch-Services_and_Daemons" />.
+      For more information on the concept of targets and how to manage system services in &MAJOROS; in general, see <remark>link to systemd section when ready</remark>	 <xref linkend="ch-Services_and_Daemons" />.
     </para>
     <section id="s3-apache-running-starting">
       <title>Starting the Service</title>
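Review bot: the screen added under "Note that you can check the configuration for possible errors" still shows "service httpd configtest", which the "httpd Service Control" entry added earlier in this same patch says is replaced by "apachectl configtest"; use the new command here so the guide does not contradict itself. In the "targets" paragraph, the remark "link to systemd section when ready" and the stray tab before the xref are draft residue and should be resolved or removed before this is published. The sentence introducing "yum install httpd" also drops "as root" while the new prompt is a root prompt; keep one of the two cues consistently.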
@@ -162,14 +299,12 @@
       <para>
         To run the <systemitem class="service">httpd</systemitem> service, type the following at a shell prompt as <systemitem class="username">root</systemitem>:
       </para>
-      <screen><command>systemctl start httpd.service</command></screen>
+      <screen>~]# <command>systemctl start httpd.service</command></screen>
       <para>
         If you want the service to start automatically at the boot time, use the following command:
       </para>
-      <screen><command>systemctl enable httpd.service</command></screen>
-      <para>
-        See <xref linkend="ch-Services_and_Daemons" /> for more information on how to configure services in &MAJOROS;.
-      </para>
+      <screen>~]# <command>systemctl enable httpd.service</command>
+ln -s '/usr/lib/systemd/system/httpd.service' '/etc/systemd/system/multi-user.target.wants/httpd.service'</screen>
       <note>
         <title>Using the secure server</title>
         <para>
@@ -186,14 +321,12 @@
       <para>
         To stop the running <systemitem class="service">httpd</systemitem> service, type the following at a shell prompt as <systemitem class="username">root</systemitem>:
       </para>
-      <screen><command>systemctl stop httpd.service</command></screen>
+      <screen>~]# <command>systemctl stop httpd.service</command></screen>
       <para>
         To prevent the service from starting automatically at the boot time, type:
       </para>
-      <screen><command>systemctl disable httpd.service</command></screen>
-      <para>
-        See <xref linkend="ch-Services_and_Daemons" /> for more information on how to configure services in &MAJOROS;.
-      </para>
+      <screen>~]# <command>systemctl disable httpd.service</command>
+rm '/etc/systemd/system/multi-user.target.wants/httpd.service'</screen>
     </section>
     <section id="s3-apache-running-restarting">
       <title>Restarting the Service</title>
@@ -202,54 +335,52 @@
         <secondary>restarting</secondary>
       </indexterm>
       <para>
-        There are <!-- three -->two different ways to restart the running <systemitem class="service">httpd</systemitem> service:
+        There are three different ways to restart a running <systemitem class="service">httpd</systemitem> service:
       </para>
       <orderedlist>
         <listitem>
           <para>
             To restart the service completely, type the following at a shell prompt as <systemitem class="username">root</systemitem>:
           </para>
-          <screen><command>systemctl restart httpd.service</command></screen>
+          <screen>~]# <command>systemctl restart httpd.service</command></screen>
           <para>
-            This will stop the running <systemitem class="service">httpd</systemitem> service, and then start it again. Use this command after installing or removing a dynamically loaded module such as PHP.
+            This stops the running <systemitem class="service">httpd</systemitem> service and immediately starts it again. Use this command after installing or removing a dynamically loaded module such as PHP.
           </para>
         </listitem>
         <listitem>
           <para>
             To only reload the configuration, as <systemitem class="username">root</systemitem>, type:
           </para>
-          <screen><command>systemctl reload httpd.service</command></screen>
+          <screen>~]# <command>systemctl reload httpd.service</command></screen>
           <para>
-            This will cause the running <systemitem class="service">httpd</systemitem> service to reload the configuration file. Note that any requests being currently processed will be interrupted, which may cause a client browser to display an error message or render a partial page.
+            This causes the running <systemitem class="service">httpd</systemitem> service to reload its configuration file. Any requests being currently processed will be interrupted, which may cause a client browser to display an error message or render a partial page.
           </para>
         </listitem>
         <listitem>
           <para>
             To reload the configuration without affecting active requests, run the following command as <systemitem class="username">root</systemitem>:
           </para>
-          <screen><command>service httpd graceful</command></screen>
+          <screen>~]# <command>service httpd graceful</command></screen>
           <para>
-            This will cause the running <systemitem class="service">httpd</systemitem> service to reload the configuration file. Note that any requests being currently processed will use the old configuration.
+            This cause the running <systemitem class="service">httpd</systemitem> service to reload its configuration file. Any requests being currently processed will use the old configuration.
           </para>
         </listitem>
       </orderedlist>
       <para>
-        See <xref linkend="ch-Services_and_Daemons" /> for more information on how to configure services in &MAJOROS;.
+        <!--For more information on how to manage system services in &MAJOROSVER;, see <xref linkend="chap-Managing_Services_with_systemd"/>.-->
       </para>
     </section>
     <section id="s3-apache-running-status">
-      <title>Checking the Service Status</title>
+      <title>Verifying the Service Status</title>
       <indexterm>
         <primary><application>Apache HTTP Server</application></primary>
         <secondary>checking status</secondary>
       </indexterm>
       <para>
-        To check whether the service is running, type the following at a shell prompt:
-      </para>
-      <screen><command>systemctl is-active httpd.service</command></screen>
-      <para>
-        See <xref linkend="ch-Services_and_Daemons" /> for more information on how to configure services in &MAJOROS;.
+        To verify that the <systemitem class="service">httpd</systemitem> service is running, type the following at a shell prompt:
       </para>
+      <screen>~]# <command>systemctl is-active httpd.service</command>
+active</screen>
     </section>
   </section>
   <section id="s2-apache-editing">
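Review bot: the second list item still says that with "systemctl reload httpd.service" any requests being processed will be interrupted, but the "httpd Service Control" entry added earlier in this patch states that a graceful restart is used by default when the service is reloaded; one of the two statements is wrong, and as written items 2 and 3 appear to describe the same behavior. Item 3 also keeps "service httpd graceful", which that same entry says is replaced by "apachectl graceful". "This cause the running" should be "This causes the running". The closing para now contains only an XML comment, so it renders as an empty paragraph; drop the para until the chap-Managing_Services_with_systemd target exists. The indexterm still reads "checking status" under the retitled "Verifying the Service Status".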
@@ -312,7 +443,8 @@
     <para>
        To check the configuration for possible errors, type the following at a shell prompt:
     </para>
-    <screen><command>service httpd configtest</command></screen>
+    <screen>~]# <command>service httpd configtest</command>
+Syntax OK</screen>
     <para>
       To make the recovery from mistakes easier, it is recommended that you make a copy of the original file before editing it.
     </para>
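Review bot: this screen repeats "service httpd configtest" with the new "Syntax OK" output, while the "httpd Service Control" entry in the first hunk documents "apachectl configtest" as its replacement. Change the command here as well, so that both configtest examples in the chapter match the stated migration away from the service command.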
@@ -3635,14 +3767,14 @@ ErrorDocument 404 /404-not_found.html</programlisting>
       <para>
         If you intend to create a new DSO module, make sure you have the <package>httpd-devel</package> package installed. To do so, type the following at a shell prompt as <systemitem class="username">root</systemitem>:
       </para>
-      <screen><command>yum install httpd-devel</command></screen>
+      <screen>~]# <command>yum install httpd-devel</command></screen>
       <para>
         This package contains the include files, the header files, and the <application>APache eXtenSion</application> (<command>apxs</command>) utility required to compile a module.
       </para>
       <para>
         Once written, you can build the module with the following command:
       </para>
-      <screen><command>apxs -i -a -c <replaceable>module_name</replaceable>.c</command></screen>
+      <screen>~]# <command>apxs -i -a -c <replaceable>module_name</replaceable>.c</command></screen>
       <para>
         If the build was successful, you should be able to load the module the same way as any other module that is distributed with the Apache HTTP Server.
       </para>
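Review bot: the root prompt added to "apxs -i -a -c module_name.c" has the reader compile module source as root, although only the install (-i) and activate (-a) steps need to write to system locations. Suggest showing the compile step under an unprivileged prompt and a separate root step for installation. The surrounding text could also mention the new /usr/bin/apxs location documented in the "Module Interface" entry of the first hunk.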
@@ -3786,8 +3918,7 @@ ErrorDocument 404 /404-not_found.html</programlisting>
               <entry>
                 <application>Opera</application>
               </entry>
-              <entry>
-                <ulink url="http://my.opera.com/rootstore/blog/">The Opera Rootstore</ulink>.
+              <entry><ulink url="http://www.opera.com/docs/ca/">Root certificates used by Opera</ulink>.
               </entry>
             </row>
             <row>
@@ -3810,7 +3941,7 @@ ErrorDocument 404 /404-not_found.html</programlisting>
       <para>
         If you intend to set up an SSL server, make sure you have the <package>mod_ssl</package> (the <systemitem class="resource">mod_ssl</systemitem> module) and <package>openssl</package> (the OpenSSL toolkit) packages installed. To do so, type the following at a shell prompt as <systemitem class="username">root</systemitem>:
       </para>
-      <screen><command>yum install mod_ssl openssl</command></screen>
+      <screen>~]# <command>yum install mod_ssl openssl</command></screen>
       <indexterm>
         <primary><application>Apache HTTP Server</application></primary>
         <secondary>files</secondary>
@@ -3854,13 +3985,13 @@ ErrorDocument 404 /404-not_found.html</programlisting>
         </listitem>
       </orderedlist>
       <para>
-        In either of the above cases, you will need to obtain a new certificate. For more information on this topic, refer to <xref linkend="s3-apache-mod_ssl-genkey" />.
+        In either of the above cases, you will need to obtain a new certificate. For more information on this topic, see <xref linkend="s3-apache-mod_ssl-genkey"/>.
       </para>
       <para>
         If you wish to use an existing key and certificate, move the relevant files to the <filename class="directory">/etc/pki/tls/private/</filename> and <filename class="directory">/etc/pki/tls/certs/</filename> directories respectively. You can do so by running the following commands as <systemitem class="username">root</systemitem>:
       </para>
-      <screen><command>mv</command> <filename><replaceable>key_file</replaceable>.key</filename> <filename>/etc/pki/tls/private/<replaceable>hostname</replaceable>.key</filename>
-<command>mv</command> <filename><replaceable>certificate</replaceable>.crt</filename> <filename>/etc/pki/tls/certs/<replaceable>hostname</replaceable>.crt</filename></screen>
+      <screen>~]# <command>mv</command> <filename><replaceable>key_file</replaceable>.key</filename> <filename>/etc/pki/tls/private/<replaceable>hostname</replaceable>.key</filename>
+~]# <command>mv</command> <filename><replaceable>certificate</replaceable>.crt</filename> <filename>/etc/pki/tls/certs/<replaceable>hostname</replaceable>.crt</filename></screen>
       <para>
         Then add the following lines to the <filename>/etc/httpd/conf.d/ssl.conf</filename> configuration file:
       </para>
@@ -3890,7 +4021,7 @@ SSLCertificateKeyFile /etc/pki/tls/private/<replaceable>hostname</replaceable>.k
       <para>
         In order to generate a new key and certificate pair, you must to have the <package>crypto-utils</package> package installed in your system. As <systemitem class="username">root</systemitem>, you can install it by typing the following at a shell prompt:
       </para>
-      <screen><command>yum install crypto-utils</command></screen>
+      <screen>~]# <command>yum install crypto-utils</command></screen>
       <para>
         This package provides a set of tools to generate and manage SSL certificates and private keys, and includes <application>genkey</application>, the Red Hat Keypair Generation utility that will guide you through the key generation process.
       </para>
@@ -3899,19 +4030,19 @@ SSLCertificateKeyFile /etc/pki/tls/private/<replaceable>hostname</replaceable>.k
         <para>
           If the server already has a valid certificate and you are replacing it with a new one, specify a different serial number. This ensures that client browsers are notified of this change, update to this new certificate as expected, and do not fail to access the page. To create a new certificate with a custom serial number, as <systemitem class="username">root</systemitem>, use the following command instead of <application>genkey</application>:
         </para>
-        <screen><command>openssl req -x509 -new -set_serial <replaceable>number</replaceable> -key <replaceable>hostname</replaceable>.key -out <replaceable>hostname</replaceable>.crt</command></screen>
+        <screen>~]# <command>openssl req -x509 -new -set_serial <replaceable>number</replaceable> -key <replaceable>hostname</replaceable>.key -out <replaceable>hostname</replaceable>.crt</command></screen>
       </important>
       <note>
         <title>Remove a previously created key</title>
         <para>
           If there already is a key file for a particular hostname in your system, <application>genkey</application> will refuse to start. In this case, remove the existing file using the following command as <systemitem class="username">root</systemitem>:
         </para>
-        <screen><command>rm /etc/pki/tls/private/<replaceable>hostname</replaceable>.key</command></screen>
+        <screen>~]# <command>rm /etc/pki/tls/private/<replaceable>hostname</replaceable>.key</command></screen>
       </note>
       <para>
-        To run the utility, as <systemitem class="username">root</systemitem>, run the <command>genkey</command> command followed by the appropriate hostname (for example, <systemitem class="domainname">penguin.example.com</systemitem>):
+        To run the utility, as <systemitem class="username">root</systemitem>, run the <command>genkey</command> command followed by the appropriate host name (for example, <systemitem class="domainname">penguin.example.com</systemitem>):
       </para>
-      <screen><command>genkey</command> <replaceable>hostname</replaceable></screen>
+      <screen>~]# <command>genkey</command> <replaceable>hostname</replaceable></screen>
       <para>
         To complete the key and certificate creation, take the following steps:
       </para>
@@ -3939,7 +4070,7 @@ SSLCertificateKeyFile /etc/pki/tls/private/<replaceable>hostname</replaceable>.k
         </step>
         <step>
           <para>
-            Using the <keycap>Up</keycap> and <keycap>down</keycap> arrow keys, select the suitable key size. Note that while the large key increases the security, it also increases the response time of your server. Because of this, the recommended option is <literal>1024 bits</literal>.
+            Using the <keycap>Up</keycap> and <keycap>down</keycap> arrow keys, select the suitable key size. Note that while the large key increases the security, it also increases the response time of your server. The NIST recommends using <literal>2048 bits</literal>. See <ulink url="http://csrc.nist.gov/publications/nistpubs/800-131A/sp800-131A.pdf"><citetitle pubwork="book">NIST Special Publication 800-131A</citetitle></ulink>.
           </para>
           <figure id="figure-apache-mod_ssl-genkey-02">
             <title>Selecting the key size</title>
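Review bot: the rewritten key-size step no longer tells the reader which option to select; it states what NIST recommends but drops the "recommended option is" wording the old text had, and the retained sentence about larger keys increasing response time now reads as an argument against the value being cited. Suggest phrasing it as an instruction, for example "Select 2048 bits, as recommended by NIST", and keeping the performance remark as a secondary note. "The NIST" should be "NIST", and the keycap "down" should be capitalized to match "Up".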
@@ -4083,7 +4214,7 @@ SSLCertificateKeyFile /etc/pki/tls/private/<replaceable>hostname</replaceable>.k
   <section id="s2-apache-resources">
     <title>Additional Resources</title>
     <para>
-      To learn more about the Apache HTTP Server, refer to the following resources.
+      To learn more about the Apache HTTP Server, see the following resources.
     </para>
     <section id="s3-apache-resources-installed">
       <title>Installed Documentation</title>

