MIT apache-ssl (rev7) with tomcat
The apache-ssl locker contains software
recommended by MIT Information Systems for providing
secure web servers.
This software is provided with no support, and is
intended to be used by experienced Unix systems
administrators.
As such, the documentation we provide is sketchy
but should provide a good starting point for an
experienced Unix systems administrator.
Webservers are increasingly complex, and we provide
only minimal configuration examples. We provide no
support for your webserver design and configuration, testing,
deployment, management, tuning or any other areas that
your webserver administrator will need to address.
MIT's apache-ssl software is based on the Apache
webserver, and includes our added support for ssl and Java servlet
development.
Support for Java servlets is for the Solaris platform only,
due to the lack of the JSDK for any other platform.
Currently supported platforms
The rev7 release of apache-ssl is only for systems running
Solaris 5.8. There is currently no support for Linux, Windows NT
or other platforms, and no definite plans to support them at this time.
Software components that make up apache-ssl rev7
- The current (rev7) version of the apache-ssl software
is based on:
- apache_1.3.19, available from
apache.org
- openssl-0.9.6a, available from the
OpenSSL Project
- apache-ssl, incorporating apache_1.3.19 and ssl_1.44, available from
apache-ssl.org
- ApacheJServ-1.1.2, available from
Apache Java Group
(Available only for the Solaris platform, used only with apache-ssl rev7 with jserv)
- We have built, tested and provide pre-compiled binaries of
apache-ssl (rev7) for:
- Solaris version 5.8, architecture 4x (4m, 4u)
- We have pre-built several httpd servers, which are included as binary files in the
current distribution:
- httpd which is an Apache server with DSO enabled
- httpsd which is an Apache server with SSL and DSO enabled
- httpsd+athena which is an Apache SSL server, with DSO enabled
and short URL (an Athena specific feature)
- httpsd+jserv which is an Apache server with SSL, DSO and Jserv
engine.
- If our pre-compiled binaries do not suit your needs,
you can build your own apache-ssl webserver using our
source distribution (found in /var/https/source, once you untar
our distribution tar files).
- See the section below for information on
getting the apache-ssl distribution.
The apache-ssl distribution consists of tarfiles which contain
all sources, documentation and examples for you to run one of the
pre-compiled webservers or to build your own
custom apache-ssl (rev7) webserver. Basically, you untar the
distribution onto /var on your local disk. You then edit one or more
configuration files to run one of the pre-compiled webservers, or you can
build your own server on your local disk.
Linux
- We have not yet ported the software to Linux, but may do so at some point.
Windows NT
- We have not ported the software to NT, and have no plans to do so.
Get the tarfiles
Download the appropriate tarfiles.
Whether you are starting for the first time, or updating an existing
"cookie-cutter" installation, or updating an existing custom installation,
you pick up the same tarfiles. The tarfile distributions are based on
platform type and (with rev7) the method for adding Java servlet
functionality.
- All Solaris: Get var.ssl.tar.gz, which will go into the /var/ssl/
directory on your webserver
- Solaris apache-ssl with tomcat: Get var.https.tomcat.tar.gz,
which will go into the /var/https/ directory on your webserver
Note: Unless you specifically need Tomcat, we recommend you
choose the Jserv version.
Untar the files
The basic method involves untarring the files. If you are making an apache-ssl webserver for
the first time, or if you want to overwrite an existing one, you can simply untar them
in /var/ssl/ and /var/https/. If you will be updating a previous installation
of an apache-ssl webserver, or if you already have other things in /var/ssl/ or /var/https/,
you will need to take more care, and figure things out on your
own.
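
Added example, not part of the MIT distribution: a pre-flight check to run before untarring over a directory that already holds files, as in the update case described above. It lists tarball members that would overwrite existing files or that would land outside the destination; the function names are hypothetical, and DEST is whichever directory you will run tar in.

```shell
#!/bin/sh
# Added example (not from the apache-ssl distribution).
# member_is_unsafe NAME: succeeds if NAME is an absolute path or contains
# a ".." component, i.e. would be written outside the extraction directory.
member_is_unsafe() {
    case $1 in
        /*|..|../*|*/..|*/../*) return 0 ;;
    esac
    return 1
}

# tar_preflight TARBALL DEST: prints one line per finding:
#   UNSAFE <member>     would escape DEST
#   OVERWRITE <member>  a non-directory of that name already exists in DEST
# Returns 0 if there are no findings, 1 if there are, 2 on bad arguments.
tar_preflight() {
    tarball=$1
    dest=$2
    [ -f "$tarball" ] && [ -d "$dest" ] || return 2
    list=$(tar -tzf "$tarball") || return 2
    findings=0
    # Member names containing newlines are not handled.
    while IFS= read -r member; do
        if member_is_unsafe "$member"; then
            echo "UNSAFE $member"
            findings=1
            continue
        fi
        # tar merges into existing directories, so only files count.
        if [ -e "$dest/$member" ] && [ ! -d "$dest/$member" ]; then
            echo "OVERWRITE $member"
            findings=1
        fi
    done <<EOF
$list
EOF
    [ "$findings" -eq 0 ]
}
```

Any OVERWRITE line for a configuration file you have edited is one to back up before extracting.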
Updating a previous installation of apache-ssl
If you are running one of our "cookie-cutter" versions of
apache-ssl (up to rev5) and want to update to rev7,
you basically need to put some new binaries in place
and make a few configuration
file changes. We provide some sketchy information as a
starting point for experienced Unix systems administrators.
If you are running a custom apache-ssl server and want to update it
to rev7, you should probably pick up the entire rev7 distribution
as you would if you were setting up an apache-ssl webserver for the first
time.
Setting up a cookie-cutter installation of apache-ssl
To set up an apache-ssl webserver for the first time:
- Get and untar the tarfiles as described above.
- Follow the instructions in the README file
Notes:
- After you untar the files that go into /var/https/bin/, you'll notice a number of
files that start with the name httpsd.
You can verify that these binaries run on your system and find out what modules have
been compiled in using the commands
/var/https/bin/httpsd -v
to see the version number, and
/var/https/bin/httpsd -l
to see the compiled-in modules.
You can run these commands to look at each of the webserver binaries that are included in
the distribution, and you can set the symlink from httpsd to point to whichever
one you want to use.
- jserv assumes that your environment (specifically, the webserver's environment) is
java1.3, and that it is found in the directory /var/java1.3.
If you do not have a java1.3 environment,
download var.java1.3.tar.gz and
untar it in /var/java1.3.
- AFS access: These files are located in the "rev7/arch" directory
in the locker, under "rev7/arch/SYS/tar" where SYS represents the platform
type.
- These are essentially "cookie cutter" installations, with a
few pre-compiled binaries. If you install them exactly
according to the instructions, they should work as expected. In
particular, you must install them in /var/https/ and /var/ssl/.
The distribution contains all sources and
documentation, so if you need to make changes, it is relatively simple for an
experienced Unix system administrator to compile and configure an apache-ssl
webserver to meet your needs.
(example build commands).
- Get the server certificate from the MIT CA
(How to), which you will need
if you want your webserver to handle "https" connections.
Install an rc script to automatically start/stop the server on
reboot. (example of rc file)
All previous versions of apache-ssl are obsolete.
Some remain online for reference purposes.
The apache-ssl software is provided with no support, other than the
documentation that appears in these webpages and what is included in
the software distribution. You may send mail to the
apache-ssl-users mailing list.
If you use this software, please let us know
by sending mail to
apache-ssl@mit.edu.
This way, we'll be able to inform you of
problems, new releases and so on.
If you have an Athena account, you can use listmaint or blanche to add yourself to the
apache-ssl-users@mit.edu
mailing list.
None at this time.
Consulting
- The main supporter of this software is
miki@mit.edu
- Address general questions regarding setting up secure webservers at MIT to
web-help@mit.edu
Users group
Send general questions to the apache-ssl users at MIT at
apache-ssl-users@mit.edu
Bug Reports
Send bug reports to
apache-ssl@mit.edu
Maintainers
Revision History
- First release, rev1, on 1/22/98
- Second release, rev2, on 10/5/98
- Third release, rev3, on 1/21/99
- Fourth release, rev4, on 9/3/99
- Fifth release, rev5 on 7/13/00
- Sixth release, rev6, never released
- Seventh release, rev7, on 12/5/01
Comments to
apache-ssl@mit.edu
$Date: 2001/12/07 16:50:10 $