Christophe Casalegno

How to compile an old apache 1.3.x with suexec and mod_ssl on a recent server

When you manage a hosting company you have many clients that can’t upgrade their software version. The only solution to keep this clients is to maintain old packages version like php or stop the service.

Today i’m migrating an historical server with clients that use an old php version (php4) and an apache 1.3 version to a new server for security reasons. example on a Mandriva 2010.2 64 bits linux distribution :

First step : install required packages on the system : 

urpmi make gcc libpng-devel libjpeg-devel freetype2-devel mysql-devel curl-devel munin munin-node munin-master flex bzip2-devel pure-ftpd python-devel gd-devel librsync-devel ntp-client vim-e

I also need some files to install the old versions : 

– mod_ssl-2.8.31-1.3.41.tar.gz
– apache_1.3.41.tar.gz
– suexec.c modifié maison
– php-4.4.9.tar.gz

After untar all files and replaced src/support/suexec.c by my patched file, i am trying to compile apache :

cd apache_1.3.41
./configure --prefix=/usr/local/apache
Configuring for Apache, Version 1.3.41
+ using installation path layout: Apache (config.layout)
Creating Makefile
Creating Configuration.apaci in src
Creating Makefile in src
+ configured for Linux platform
+ setting C compiler to gcc
+ setting C pre-processor to gcc -E
+ using "tr [a-z] [A-Z]" to uppercase
+ checking for system header files
+ adding selected modules
+ using builtin Expat
+ checking sizeof various data types
+ doing sanity check on compiler and options
Creating Makefile in src/support
Creating Makefile in src/regex
Creating Makefile in src/os/unix
Creating Makefile in src/ap
Creating Makefile in src/main
Creating Makefile in src/lib/expat-lite
Creating Makefile in src/modules/standard

Step 2 : mod_ssl

cd ../mod_ssl-2.8.31-1.3.41
./configure --with-apache=../apache_1.3.41 --with-ssl --prefix=/usr/local/apache
Configuring mod_ssl/2.8.31 for Apache/1.3.41
+ Apache location: ../apache_1.3.41 (Version 1.3.41)
+ Auxiliary patch tool: ./etc/patch/patch (local)
+ Applying packages to Apache source tree:
o Extended API (EAPI)
o Distribution Documents
o SSL Module Source
o SSL Support
o SSL Configuration Additions
o SSL Module Documentation
o Addons
Done: source extension and patches successfully applied.

Now we try to compile apache with mod_ssl :

cd ../apache_1.3.41
./configure --prefix=/usr/local/apache --enable-module=so --enable-module=rewrite --enable-suexec --suexec-caller=nobody --suexec-userdir=www --suexec-docroot=/ --suexec-logfile=/var/log/httpd/cgi.log --suexec-uidmin=500 --suexec-gidmin=100 --suexec-safepath=/usr/local/bin:/usr/bin:/bin --enable-module=ssl

Configuring for Apache, Version 1.3.41
+ using installation path layout: Apache (config.layout)
Creating Makefile
Creating Configuration.apaci in src
Creating Makefile in src
+ configured for Linux platform
+ setting C compiler to gcc
+ setting C pre-processor to gcc -E
+ using "tr [a-z] [A-Z]" to uppercase
+ checking for system header files
+ adding selected modules
o rewrite_module uses ConfigStart/End
disabling DBM support for mod_rewrite
(perhaps you need to add -ldbm, -lndbm or -lgdbm to EXTRA_LIBS)
o ssl_module uses ConfigStart/End
+ SSL interface: mod_ssl/2.8.31
+ SSL interface build type: OBJ
+ SSL interface compatibility: enabled
+ SSL interface experimental code: disabled
+ SSL interface conservative code: disabled
+ SSL interface vendor extensions: disabled
+ SSL interface plugin: Built-in SDBM
+ SSL library path: [SYSTEM]
Error: Cannot find SSL library files in any of the following dirs:
Error: . /lib /usr/lib /usr/local/lib
+ SSL library version: OpenSSL 1.0.0a 1 Jun 2010

First issue : the 64 bits library aren’t in the same place of 32 bits version : a symbolic link can solve the problem : 

ln -s /usr/lib64/libssl.so /usr/lib/libssl.so

Retry :



./configure --prefix=/usr/local/apache --enable-module=so --enable-module=rewrite --enable-suexec --suexec-caller=nobody --suexec-userdir=www --suexec-docroot=/ --suexec-logfile=/var/log/httpd/cgi.log --suexec-uidmin=500 --suexec-gidmin=100 --suexec-safepath=/usr/local/bin:/usr/bin:/bin --enable-module=ssl
Configuring for Apache, Version 1.3.41
+ using installation path layout: Apache (config.layout)
Creating Makefile
Creating Configuration.apaci in src
Creating Makefile in src
+ configured for Linux platform
+ setting C compiler to gcc
+ setting C pre-processor to gcc -E
+ using "tr [a-z] [A-Z]" to uppercase
+ checking for system header files
+ adding selected modules
o rewrite_module uses ConfigStart/End
disabling DBM support for mod_rewrite
(perhaps you need to add -ldbm, -lndbm or -lgdbm to EXTRA_LIBS)
o ssl_module uses ConfigStart/End
+ SSL interface: mod_ssl/2.8.31
+ SSL interface build type: OBJ
+ SSL interface compatibility: enabled
+ SSL interface experimental code: disabled
+ SSL interface conservative code: disabled
+ SSL interface vendor extensions: disabled
+ SSL interface plugin: Built-in SDBM
+ SSL library path: [SYSTEM]
+ SSL library version: OpenSSL 1.0.0a 1 Jun 2010
+ SSL library type: installed package (system-wide)
+ enabling Extended API (EAPI)
+ using builtin Expat
+ using -ldl for vendor DSO support
+ checking sizeof various data types
+ doing sanity check on compiler and options
Creating Makefile in src/support
Creating Makefile in src/regex
Creating Makefile in src/os/unix
Creating Makefile in src/ap
Creating Makefile in src/main
Creating Makefile in src/lib/expat-lite
Creating Makefile in src/modules/standard
Creating Makefile in src/modules/ssl

All is ok, so we can try to launch the “make” command :

ssl_util_ssl.c: In function ‘SSL_X509_isSGC’:
ssl_util_ssl.c:327: erreur: ‘STACK’ undeclared (first use in this function)
ssl_util_ssl.c:327: erreur: (Each undeclared identifier is reported only once
ssl_util_ssl.c:327: erreur: for each function it appears in.)
ssl_util_ssl.c:327: erreur: ‘sk’ undeclared (first use in this function)
ssl_util_ssl.c:336: erreur: expected expression before ‘)’ token
make[4]: *** [ssl_util_ssl.o] Erreur 1
make[3]: *** [all] Erreur 1
make[2]: *** [subdirs] Erreur 1
make[2]: quittant le répertoire « /home/dni/apache/apache_1.3.41/src »
make[1]: *** [build-std] Erreur 2
make[1]: quittant le répertoire « /home/dni/apache/apache_1.3.41 »
make: *** [build] Erreur 2

So we need to patch ssl_util_ssl.c

Ligne 327 :

 

- STACK *sk;
+ _STACK *sk;

Ligne 336 :


- if ((sk = (STACK *)X509V3_EXT_d2i(ext)) != NULL) {
+ if ((sk = (_STACK *)X509V3_EXT_d2i(ext)) != NULL) {

We can retry :


make
/usr/include/stdio.h:651: note: previous declaration of ‘getline’ was here
make[2]: *** [htpasswd.o] Erreur 1
make[2]: quittant le répertoire « /home/dni/apache/apache_1.3.41/src/support »
make[1]: *** [build-support] Erreur 1
make[1]: quittant le répertoire « /home/dni/apache/apache_1.3.41 »
make: *** [build] Erreur 2

Now we need to modify a light system modification :

 

vim /usr/include/stdio.h


Ligne 651 :


- extern _IO_ssize_t getline (char **__restrict __lineptr,
+ extern _IO_ssize_t preline (char **__restrict __lineptr,

and we retry :


make
make[1]: entrant dans le répertoire « /home/dni/apache/apache_1.3.41 »
+---------------------------------------------------------------------+
| Before you install the package you now should prepare the SSL |
| certificate system by running the 'make certificate' command. |
| For different situations the following variants are provided: |
| |
| % make certificate TYPE=dummy (dummy self-signed Snake Oil cert) |
| % make certificate TYPE=test (test cert signed by Snake Oil CA) |
| % make certificate TYPE=custom (custom cert signed by own CA) |
| % make certificate TYPE=existing (existing cert) |
| CRT=/path/to/your.crt [KEY=/path/to/your.key] |
| |
| Use TYPE=dummy when you're a vendor package maintainer, |
| the TYPE=test when you're an admin but want to do tests only, |
| the TYPE=custom when you're an admin willing to run a real server |
| and TYPE=existing when you're an admin who upgrades a server. |
| (The default is TYPE=test) |
| |
| Additionally add ALGO=RSA (default) or ALGO=DSA to select |
| the signature algorithm used for the generated certificate. |
| |
| Use 'make certificate VIEW=1' to display the generated data. |
| |
| Thanks for using Apache & mod_ssl. Ralf S. Engelschall |
| rse@engelschall.com |
| www.engelschall.com |
+---------------------------------------------------------------------+
make[1]: quittant le répertoire « /home/dni/apache/apache_1.3.41 »

that works !

and :

make install
make[1]: quittant le répertoire « /home/dni/apache/apache_1.3.41 »
+--------------------------------------------------------+
| You now have successfully built and installed the |
| Apache 1.3 HTTP server. To verify that Apache actually |
| works correctly you now should first check the |
| (initially created or preserved) configuration files |
| |
| /usr/local/apache/conf/httpd.conf
| |
| and then you should be able to immediately fire up |
| Apache the first time by running: |
| |
| /usr/local/apache/bin/apachectl start
| |
| Or when you want to run it with SSL enabled use: |
| |
| /usr/local/apache/bin/apachectl startssl
| |
| Thanks for using Apache. The Apache Group |
| http://www.apache.org/ |
+--------------------------------------------------------+

All is ok !

Step 3 : compile php with suexec :

cd php-4.4.9

perl -pi -e "s/cgi = 1;/cgi = 0;/" sapi/cgi/cgi_main.c

Now we try to configure  :

./configure --with-xml --with-domxml --enable-ftp --enable-bcmath --enable-calendar --with-jpeg-dir --with-png-dir --with-gd --enable-dba --enable-freetype-4bit-antialias-hack --enable-gd-native-ttf --with-freetype-dir --with-xslt --with-gettext --enable-magic-quotes --enable-force-cgi-redirect --enable-fastcgi --with-curl --with-mysql=/usr --with-zlib-dir --with-bz2 --enable-trans-sid --enable-sysvsem --enable-sysvshm

configure: error: libpng.(a|so) not found.

A new library place problem that can be corrected with a symbolic link :

ln -s /usr/lib64/libpng.so /usr/lib/libpng.so
ln -s /usr/lib64/libjpeg.so /usr/lib/libjpeg.so
ln -s /usr/lib64/libmysqlclient.so /usr/lib/libmysqlclient.so

New retry :

./configure --with-xml --with-domxml --enable-ftp --enable-bcmath --enable-calendar --with-jpeg-dir --with-png-dir --with-gd --enable-dba --enable-freetype-4bit-antialias-hack --enable-gd-native-ttf --with-freetype-dir --with-xslt --with-gettext --enable-magic-quotes --enable-force-cgi-redirect --enable-fastcgi --with-curl --with-mysql=/usr --with-zlib-dir --with-bz2 --enable-trans-sid --enable-sysvsem --enable-sysvshm

Generating files
updating cache ./config.cache
creating ./config.status
creating php4.spec
creating main/build-defs.h
creating scripts/phpize
creating scripts/man1/phpize.1
creating scripts/php-config
creating scripts/man1/php-config.1
creating sapi/cli/php.1
creating main/php_config.h
creating main/internal_functions.c
creating main/internal_functions_cli.c
+--------------------------------------------------------------------+
| License: |
| This software is subject to the PHP License, available in this |
| distribution in the file LICENSE. By continuing this installation |
| process, you are bound by the terms of this license agreement. |
| If you do not agree with the terms of this license, you must abort |
| the installation process at this point. |
+--------------------------------------------------------------------+
| *** NOTE *** |
| The default for register_globals is now OFF! |
| |
| If your application relies on register_globals being ON, you |
| should explicitly set it to on in your php.ini file. |
| Note that you are strongly encouraged to read |
| http://www.php.net/manual/en/security.globals.php |
| about the implications of having register_globals set to on, and |
| avoid using it if possible. |
+--------------------------------------------------------------------+
Thank you for using PHP.


Then we launch the make command  :

make
Build complete.
(It is safe to ignore warnings about tempnam and tmpnam).

Now the installation :

make install
Installing PHP SAPI module: cgi
Installing PHP CGI into: /usr/local/bin/
Installing PEAR environment: /usr/local/lib/php/
[PEAR] Archive_Tar - installed: 1.3.2
[PEAR] Console_Getopt - installed: 1.2.1
[PEAR] HTML_Template_IT- installed: 1.1
[PEAR] Net_UserAgent_Detect- installed: 2.0.1
warning: pear/PEAR requires package "pear/Structures_Graph" (recommended version 1.0.2)
pear/PEAR can optionally use package "pear/XML_RPC" (version >= 1.4.0)
[PEAR] PEAR - installed: 1.5.0
Wrote PEAR system config file at: /usr/local/etc/pear.conf
You may want to add: /usr/local/lib/php to your php.ini include_path
[PEAR] Structures_Graph- installed: 1.0.2
Installing build environment: /usr/local/lib/php/build/
Installing header files: /usr/local/include/php/
Installing helper programs: /usr/local/bin/
program: phpize
program: php-config
Installing man pages: /usr/local/man/man1/
page: phpize.1
page: php-config.1

All is ok 🙂


Christophe Casalegno
http://twitter.com/Brain0verride
http://www.facebook.com/brain.override

Leave a Comment