Generating certificates with openssl

Chty — Thu, 20 Mar 2008 21:55:00 +0100

I'm sometimes using openssl to generate certificates, mostly for apache but not enough to remember the complete shell command each time. So I paste it here, as a reminder.

openssl req -new > server.cert.csr openssl rsa -in privkey.pem -out server.cert.key openssl x509 -in server.cert.csr -out server.cert.crt -req -signkey server.cert.key -days 365

Theses commands generate .pem, .crt, .csr and .key files. Note that apache only require .crt and .key files for SSLCertificateFile, SSLCertificateKeyFile directives.

Apache2 + mod_fastcgi + suexec on debian etch

Chty — Mon, 29 Oct 2007 14:49:00 +0100

I know it's difficult to find good documentation to configure apache2 with mod_fastcgi and suexec to make php websites works. This configuration works well with Debian Etch (4.0).
Here an example of configuration.

The following suppose that your web data are in /var/www/ (there are good reason for this as we'll see later).
/var/www/toto/: the web account of toto
/var/www/toto/web/: the web dir of the toto's account
/var/www/toto/conf/php.ini: you own php.ini file
/var/www/toto/cgi-bin/php.fcgi: the fcgi file which allow to run php5-cgi with a specific php.ini file for each virtual host

First of all don't forget that mod_fastcgi and mod_fcgid are different. Difference between mod_fastcgi and mod_fcgid is mostly at license level, since some might consider mod_fastcgi not to be totally free.

Enable fastcgi and suexec:

#a2enmod fastcgi
#a2enmod suexec

Suexec has no configuration file, because every parameter is hardcoded. Therefore, if you need to configure suexec, do it at apache2 compile time.
Let's see how...

#/usr/lib/apache2/suexec -V 
 -D AP_DOC_ROOT="/var/www"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="www-data"
 -D AP_LOG_EXEC="/var/log/apache2/suexec.log"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_UID_MIN=100
 -D AP_USERDIR_SUFFIX="public_html"

AP_DOC_ROOT is set to "/var/www", which is the reason you would want to put your files in /var/www/. You cannot just ignore this fact; if this directory is inconsistently set, it just won't work. If you want to change this directory, you must recompile apache2 with your own configuration.

/var/www/toto/cgi-bin/php.fcgi:

#!/bin/sh
PHPRC="/var/www/toto/conf/"
export PHPRC
PHP_FCGI_CHILDREN=4
export PHP_FCGI_CHILDREN
PHP_FCGI_MAX_REQUESTS=200
export PHP_FCGI_MAX_REQUESTS
exec /usr/bin/php5-cgi

fastcgi.conf: (in /etc/apache2/mods-available/ for Debian)

<IfModule mod_fastcgi.c>
 AddHandler fastcgi-script .fcgi
 FastCgiWrapper /usr/lib/apache2/suexec
 FastCgiIpcDir /var/lib/apache2/fastcgi
 FastCgiConfig -singleThreshold 1 -autoUpdate -idle-timeout 240 -pass-header HTTP_AUTHORIZATION
</IfModule>

See http://www.fastcgi.com/ if you want to know about all the options possible in fastcgi.conf.

Let's configure (in /etc/apache2/sites-available/ for debian etch) a virtual host for toto:



<VirtualHost xxx.xxx.xxx.xxx:80>
        ServerAdmin webmaster@toto.org
        ServerName toto.org
        DocumentRoot /var/www/toto/web/

        SuexecUserGroup UserName GroupName

        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/toto/web/>
                Options -Indexes FollowSymLinks -MultiViews
                AllowOverride all
                Order allow,deny
                Allow from all
        </Directory>

        ScriptAlias /cgi-bin/ /var/www/toto/cgi-bin/
        <Directory "/var/www/toto/cgi-bin/">
                AllowOverride None
                Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        AddHandler php-fastcgi .php
        AddType application/x-httpd-php .php
        DirectoryIndex index.html index.php
        Action php-fastcgi /cgi-bin/php.fcgi

        ServerSignature On
</VirtualHost>

This virtual host can be enabled in /etc/apache2/sites-enabled/ by creating a symbolic link.
Make sure to set appropriate rights for /var/www/toto/ you set in the virtual host (SuexecUserGroup), since php5-cgi will be executed with these rights.

restart apache2 :
#/etc/init.d/apache2 restart

A maximum of four php5-cgi will be launched when the first visitor will visit the website. They would be killed after a timeout of 240 seconds of inactivity, as set in fastcgi.conf.
It should work.
Please tell me know if you are aware of issue that may arise with such a configuration.

Debian Etch

Chty — Mon, 09 Apr 2007 23:42:42 +0000

Debian Etch, le quatrième volet de la distribution, est sorti hier ! J'ai commencé une migration. Ça fait plaisir :-)

Chty blog - debian

Generating certificates with openssl

Apache2 + mod_fastcgi + suexec on debian etch

Debian Etch