Monday, August 2, 2010

RHCE study notes: Apache web server


Scenario: system admin Dave intends to set up a web server with Apache.

a: install Apache and serve a single site from /var/www/html/index.html

# yum install httpd*
# chkconfig httpd on
# service httpd start
firefox http://192.168.0.11           // Apache test page appears: install successful
# vim /etc/httpd/conf/httpd.conf      // configure Apache
NameVirtualHost *:80                  // uncomment this line to enable name-based virtual hosts
<VirtualHost *:80>
    DocumentRoot /var/www/html/
    ServerName   station11.example.com
    ErrorLog     logs/station11.example.com_error_log
    CustomLog    logs/station11….      // a log format name (e.g. combined) follows the file name
</VirtualHost>
# vim /var/www/html/index.html
# service httpd restart
firefox http://192.168.0.11           // test index.html

b: configure a second, name-based virtual host serving /myweb/index.html

# vim /etc/httpd/conf/httpd.conf
<VirtualHost *:80>
    DocumentRoot /myweb/
    ServerName   www.163.com
    …
</VirtualHost>
# vim /etc/hosts
192.168.0.11   www.163.com
# mkdir /myweb
# vim /myweb/index.html
# chgrp apache /myweb
# chgrp apache /myweb/index.html
# chcon -R --reference=/var/www/html /myweb   // copy the SELinux context (httpd_sys_content_t) from the default DocumentRoot; without it httpd gets "Permission denied" while SELinux is enforcing
# ls -ldZ /myweb /myweb/index.html           // verify the new context
# service httpd restart
firefox http://www.163.com   // test index.html

c: Security: certificate (mod_ssl)

# yum install mod_ssl
# cd /etc/pki/tls/certs            // localhost.crt here is the self-signed cert created when mod_ssl was installed
# rm -f localhost.crt              // make testcert will not overwrite an existing cert
# make testcert                    // generates a new key and self-signed cert, prompting for the DN fields:
                                   // Country (CN) -> State (JS) -> Locality (NJ) -> Organization (Wanho) -> OU (IT) -> Common Name (station11.example.com)
# vim /etc/httpd/conf.d/ssl.conf   // check that SSLCertificateFile/SSLCertificateKeyFile point at the new files; nothing else needs changing
# service httpd restart
firefox https://station11.example.com   // the browser warns because the cert is self-signed, not CA-issued

d: control access to part of a site with a username and password (HTTP Basic auth)

# vim /etc/httpd/conf/httpd.conf
<Directory /myweb/test>               // settings for /myweb/test
    AllowOverride All
    AuthName "http test"
    AuthType Basic
    AuthUserFile /etc/httpd/.htpasswd
    Require valid-user
</Directory>
# htpasswd -cm /etc/httpd/.htpasswd user1   // -c creates the file (drop it when adding more users), -m stores MD5 hashes
# service httpd restart
firefox http://www.163.com/test      // prompted for user name and password
Basic auth sends the password base64-encoded (not encrypted) with every request, so put the protected directory behind the HTTPS virtual host from (c).
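What the browser sends in step d, and how httpd checks it against /etc/httpd/.htpasswd, as an added Python example (it is not part of the study notes). It implements the two hash formats that RHEL 5's htpasswd writes: the $apr1$ MD5 variant produced by the htpasswd -m above, and the {SHA} form produced by htpasswd -s. The user names, passwords and salt are constructed for the demo; the decoded header shows why this has to run behind the HTTPS host from step c.

```python
"""Added example (not from the study notes): what an Apache Basic-auth exchange
carries on the wire, and how the server checks it against an .htpasswd file.

Two hash formats written by RHEL 5's htpasswd are verified:
  - "$apr1$salt$hash"   (htpasswd -m, the MD5 variant used in section d)
  - "{SHA}base64(sha1)" (htpasswd -s)
User names, passwords and the salt below are constructed for the demo.
"""
import base64
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def apr1_crypt(password, salt):
    """Apache's APR1 password hash: the md5crypt algorithm with the "$apr1$"
    magic, as produced by `htpasswd -m`."""
    pw = password.encode()
    salt_b = salt[:8].encode()
    magic = b"$apr1$"

    ctx = hashlib.md5(pw + magic + salt_b)
    final = hashlib.md5(pw + salt_b + pw).digest()
    for pl in range(len(pw), 0, -16):
        ctx.update(final[: min(16, pl)])
    i = len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    for i in range(1000):  # 1000 rounds of stretching, alternating inputs
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(salt_b)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()

    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        v = (final[a] << 16) | (final[b] << 8) | final[c]
        for _ in range(4):
            out += ITOA64[v & 0x3F]
            v >>= 6
    v = final[11]
    for _ in range(2):
        out += ITOA64[v & 0x3F]
        v >>= 6
    return f"$apr1${salt}${out}"


def verify_htpasswd(stored, password):
    """Check a cleartext password against one .htpasswd hash field."""
    if stored.startswith("$apr1$"):
        _, _, salt, _ = stored.split("$", 3)
        candidate = apr1_crypt(password, salt)
    elif stored.startswith("{SHA}"):
        digest = hashlib.sha1(password.encode()).digest()
        candidate = "{SHA}" + base64.b64encode(digest).decode()
    else:
        return False  # crypt(3) and plaintext entries are not accepted here
    return hmac.compare_digest(candidate, stored)


def decode_basic_header(header):
    """'Basic <base64(user:password)>' -> (user, password). Nothing here is
    encrypted: anyone on the path reads it, hence the HTTPS vhost from (c)."""
    scheme, _, blob = header.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(blob).decode().partition(":")
    return user, password


def authenticate(header, htpasswd_text):
    """Server side of the exchange: look the user up, verify the hash."""
    creds = decode_basic_header(header)
    if creds is None:
        return False
    user, password = creds
    for line in htpasswd_text.splitlines():
        name, _, stored = line.partition(":")
        if name == user and stored:
            return verify_htpasswd(stored, password)
    return False


def basic_header(user, password):
    """What a browser puts in the Authorization header after the prompt."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed .htpasswd content: user1 with an APR1 hash, user2 with a SHA hash.
HTPASSWD = "\n".join([
    "user1:" + apr1_crypt("s3cret", "Ab3dEf7h"),
    "user2:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",  # sha1("password")
])

if __name__ == "__main__":
    hdr = basic_header("user1", "s3cret")
    print(hdr, "->", decode_basic_header(hdr))
    print("user1 ok:", authenticate(hdr, HTPASSWD))
    print("user2 ok:", authenticate(basic_header("user2", "password"), HTPASSWD))
    print("wrong pw:", authenticate(basic_header("user1", "nope"), HTPASSWD))
```

Run it and the header for user1:s3cret decodes straight back to the credentials; the only protection the scheme has is whatever the transport adds. On the server side the comparison is constant-time, and entries in formats the function does not know (crypt(3), plaintext) are rejected rather than guessed at.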

Apache: How to install Apache through source

All Linux distributions come with Apache. However, it is often recommended to download the latest Apache source code and compile and install it yourself, which makes it easier to upgrade Apache as soon as a new patch or release is available from Apache. Keep in mind that a self-built Apache is outside the distribution's package updates, so you have to track the project's announcements yourself. This article explains how to install Apache 2 from source on Linux.

1. Download Apache

Download the latest version from the Apache HTTP Server Project. The current stable release of Apache at the time of writing is 2.2.9. Verify the tarball against its .asc signature and the project's KEYS file before unpacking (a tampered mirror is the easy supply-chain attack here), then move the source to /usr/local/src and extract it as shown below.

# cd /usr/local/src
# gzip -d httpd-2.2.9.tar.gz
# tar xvf httpd-2.2.9.tar

2. Install Apache

View all configuration options available for Apache using ./configure --help (two hyphens in front of help). The most commonly used option is --prefix={install-dir-name} to install Apache in a user-defined directory.

# cd httpd-2.2.9
# ./configure --help

In the following example, Apache will be compiled and installed to the default location /usr/local/apache2 with DSO capability. With the --enable-so option you can load modules into Apache at runtime via the Dynamic Shared Object (DSO) mechanism, rather than recompiling.

# ./configure --enable-so
# make
# make install

Note: During the ./configure, you may get the following error message.

# ./configure --enable-so
configure: error: no acceptable C compiler found in $PATH
See `config.log' for more details.
configure failed for srclib/apr

Install gcc and its dependent packages as shown below and run ./configure again to fix the above issue.

# rpm -ivh gcc-4.1.2-14.el5.i386.rpm glibc-devel-2.5-18.i386.rpm glibc-headers-2.5-18.i386.rpm kernel-headers-2.6.18-53.el5.i386.rpm
Preparing...      ########################################### [100%]
1:kernel-headers  ########################################### [ 25%]
2:glibc-headers   ########################################### [ 50%]
3:glibc-devel     ########################################### [ 75%]
4:gcc             ########################################### [100%]

3. Start Apache and verify installation

# cd /usr/local/apache2/bin
# ./apachectl start

Go to http://local-host, which should display the default message "It works!"

4. Start Apache automatically during system startup

Modify the /etc/rc.d/init.d/httpd script and change apachectl and httpd variable to point to the appropriate new location as shown below. Please note that this httpd script was originally installed as part of the default Apache from the Linux distribution.

apachectl=/usr/local/apache2/bin/apachectl
httpd=${HTTPD-/usr/local/apache2/bin/httpd}

Now, you can perform the following to stop and start the Apache

# service httpd stop
# service httpd start

Setup the Apache to automatically startup during reboot as shown below.

# chkconfig --list httpd
httpd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
# chkconfig --level 2345 httpd on
# chkconfig --list httpd
httpd 0:off 1:off 2:on 3:on 4:on 5:on 6:off

Apache:How to install ANT tool under Linux

In this tutorial I will show you how to install the Ant tool on your Linux box. The steps are based on an actual installation.
Step 1:
Download ant from http://ant.apache.org/bindownload.cgi. I have downloaded apache-ant-1.7.1-bin.zip for this tutorial.

Step 2:

Login to your Linux box and create a directory "ant" under /usr/local.

[root@RoseIndiaLinux local]# mkdir ant
[root@RoseIndiaLinux local]# cd ant
[root@RoseIndiaLinux ant]# pwd
/usr/local/ant
[root@RoseIndiaLinux ant]#

Step 3:

Copy apache-ant-1.7.1-bin.zip onto your Linux box in /usr/local/ant directory.

Step 4:

Extract the zip file apache-ant-1.7.1-bin.zip using the unzip command.

[root@RoseIndiaLinux ant]# unzip apache-ant-1.7.1-bin.zip

The above command extracts the content of the zip file and creates a new directory, apache-ant-1.7.1.

Step 5:

Set path in the .bash_profile

Open the file /root/.bash_profile and add the following codes:

export ANT_HOME=/usr/local/ant/apache-ant-1.7.1
export JAVA_HOME=/opt/java/jdk1.6.0_06
export PATH=${PATH}:${ANT_HOME}/bin

Step 6:

Log out and log in again. Ant is now available on your box; run ant -version to confirm.

Tomcat: installing the JDK and troubleshooting Tomcat startup

In order to run Tomcat, you need to install a JDK and set the JAVA_HOME environment variable to the location of the JDK on your system. I have chosen to use JDK 5.0.

1. You can download JDK 5.0 at http://java.sun.com/j2se/1.5.0/download.jsp.

2. Click on Download JDK 5.0 Update 6 to go to the download page.

3. Click Accept to accept the license agreement.

4. Next choose the Linux self-extracting file. This is the download for the self-extracting binary file rather than the rpm.

5. Download to your preferred download directory. Change to that directory and make it executable by executing the following command:

chmod +x jdk-1_5_0_06-linux-i586.bin

6. Now execute the file:

./jdk-1_5_0_06-linux-i586.bin

7. You should now have a new directory called j2sdk1.5-sun. Now move this directory to the location where it should be run. I chose /usr/lib/.

mv j2sdk1.5-sun /usr/lib

8. Now create a symbolic link called jdk to JAVA_HOME by the following command. This allows you to easily switch back and forth between different jvms should you ever need to

cd /usr/lib

ln -s j2sdk1.5-sun jdk

9. Now we need to set the JAVA_HOME environment variable. Add the following at the end of /etc/profile just after export PATH.

JAVA_HOME="/usr/lib/jdk"

export JAVA_HOME

/etc/profile is executed at startup and when a user logs into the system. In order to update the environment you will need to log out and log back in to the system.

10. Check to make sure JAVA_HOME is defined correctly by executing the command below. This should report the location of the Java SDK which should be /usr/lib/jdk.

echo $JAVA_HOME

11. Now test Java with the following command. It should return /usr/bin/java; if so, this section is complete.

which java

On the box used for the Tomcat troubleshooting session below, JDK 1.6.0_15 was installed instead, and the profile set:

export JAVA_HOME=/usr/java/jdk1.6.0_15
export PATH=$PATH:$HOME/bin:/bin:/usr/local/bin:/usr/bin:/usr/java/jdk1.6.0_15/bin/


Setting Tomcat

Download the binary version to your preferred download directory from here: http://tomcat.apache.org/download-55.cgi. Choose the tar.gz from the core section for 5.5.15.
Now change to that directory and extract the files using the following command:

cd /mydownloads (be sure to change to your download directory)

tar xvzf apache-tomcat-5.5.15.tar.gz

You should now have a new directory called apache-tomcat-5.5.15. Now move this directory to the location where it should be installed. Again, I chose /usr/lib/. Note that this location will be referred to as CATALINA_HOME in the Tomcat documentation.

mv apache-tomcat-5.5.15 /usr/lib

Next change to the /usr/lib/ directory.

cd /usr/lib

Now create a symbolic link called apache-tomcat to CATALINA_HOME by the following command.

ln -s apache-tomcat-5.5.15 apache-tomcat

[root@linuxguy bin]# echo $CATALINA_HOME
/usr/lib/apache-tomcat
[root@linuxguy bin]# pwd
/usr/lib/apache-tomcat/bin
[root@linuxguy bin]# ./startup.sh
The BASEDIR environment variable is not defined correctly
This environment variable is needed to run this program

How to troubleshoot?

The message is misleading: it comes from bin/setclasspath.sh, which checks that it is itself executable and gives up when the execute bit is missing (common when the tarball was unpacked by a tool that drops permissions). Restoring the execute bits on the scripts fixes it:

[root@linuxguy bin]# chmod +x *.sh
[root@linuxguy bin]# ./startup.sh
Using CATALINA_BASE: /usr/lib/apache-tomcat
Using CATALINA_HOME: /usr/lib/apache-tomcat
Using CATALINA_TMPDIR: /usr/lib/apache-tomcat/temp
Using JRE_HOME: /usr/java/jdk1.6.0_15
Using CLASSPATH: /usr/lib/apache-tomcat/bin/bootstrap.jar
[root@linuxguy bin]#

Note that this session starts Tomcat as root. For anything beyond a test, create an unprivileged tomcat user that owns CATALINA_HOME and start Tomcat as that user.

Apache: Secure Your Apache in 20 Ways

Here are 20 things you can do to make your apache configuration more secure.

Disclaimer: The thing about security is that there are no guarantees or absolutes. These suggestions should make your server a bit tighter, but don't think your server is necessarily secure after following these suggestions.

Additionally some of these suggestions may decrease performance, or cause problems due to your environment. It is up to you to determine if any of the changes I suggest are not compatible with your requirements. In other words proceed at your own risk.

First, make sure you've installed latest security patches
There is no sense in putting locks on the windows, if your door is wide open. As such, if you're not patched up there isn't really much point in continuing any longer on this list. Go ahead and bookmark this page so you can come back later, and patch your server.

Hide the Apache version number and other sensitive information.
By default many Apache installations tell the world what version of Apache you're running, what operating system/version you're running, and even what Apache modules are installed on the server. Attackers can use this information to their advantage when performing an attack. It also sends the message that you have left most defaults alone.

There are two directives that you need to add, or edit in your httpd.conf file:

ServerSignature Off
ServerTokens Prod

The ServerSignature appears on the bottom of pages generated by apache such as 404 pages, directory listings, etc.

The ServerTokens directive determines what Apache puts in the Server HTTP response header. Setting it to Prod reduces the header to:

Server: Apache

If you're super paranoid you could change this to something other than "Apache" by editing the source code, or by using mod_security (see below).

Make sure Apache is running under its own user account and group
Several Apache installations have it run as the user nobody. If both Apache and your mail server run as nobody, an attack through Apache may let the mail server be compromised too, and vice versa.

User apache
Group apache

Ensure that files outside the web root are not served
We don't want Apache to be able to access any files outside of its web root. So assuming all your web sites are placed under one directory (we will call this /web), you would set it up as follows:

<Directory />
    Order Deny,Allow
    Deny from all
    Options None
    AllowOverride None
</Directory>

<Directory /web>
    Order Allow,Deny
    Allow from all
</Directory>

Note that because we set Options None and AllowOverride None this turns off all options and overrides for the server. You now have to add them explicitly for each directory that requires an Option or Override.
Turn off directory browsing
You can do this with an Options directive inside a Directory tag. Set Options to either None or -Indexes

Options -Indexes

Turn off server side includes
This is also done with the Options directive inside a Directory tag. Set Options to either None or -Includes

Options -Includes

Turn off CGI execution
If you're not using CGI turn it off with the Options directive inside a Directory tag. Set Options to either None or -ExecCGI

Options -ExecCGI

Don't allow Apache to follow symbolic links
This can again be done using the Options directive inside a Directory tag. Set Options to either None or -FollowSymLinks

Options -FollowSymLinks

Turning off multiple Options
If you want to turn off all Options simply use:

Options None

If you only want to turn off some, separate each option with a space in your Options directive:

Options -ExecCGI -FollowSymLinks -Indexes

Turn off support for .htaccess files
This is done in a Directory tag but with the AllowOverride directive. Set it to None.

AllowOverride None

If you require Overrides ensure that they cannot be downloaded, and/or change the name to something other than .htaccess. For example we could change it to .httpdoverride, and block all files that start with .ht from being downloaded as follows:

AccessFileName .httpdoverride

<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
    Satisfy All
</Files>
Run mod_security
mod_security is a super handy Apache module written by Ivan Ristic, the author of Apache Security from O'Reilly press.

You can do the following with mod_security:

•Simple filtering
•Regular Expression based filtering
•URL Encoding Validation
•Unicode Encoding Validation
•Auditing
•Null byte attack prevention
•Upload memory limits
•Server identity masking
•Built in Chroot support
•And more
Disable any unnecessary modules
Apache typically comes with several modules installed. Go through the Apache module documentation and learn what each module you have enabled actually does. Many times you will find that you don't need to have the said module enabled.

Look for lines in your httpd.conf that contain LoadModule. To disable the module you can typically just add a # at the beginning of the line. To search for modules run:

grep LoadModule httpd.conf

Here are some modules that are typically enabled but often not needed: mod_imap, mod_include, mod_info, mod_userdir, mod_status, mod_cgi, mod_autoindex.

Make sure only root has read access to Apache's config and binaries
This can be done assuming your Apache installation is located at /usr/local/apache as follows:

chown -R root:root /usr/local/apache
chmod -R o-rwx /usr/local/apache

The worker processes run as the User/Group set above, not as root. If your DocumentRoot also lives under that prefix (the default is /usr/local/apache/htdocs), give the Apache group read access (and the execute bit on directories) back to it, or every request will fail with 403.
Lower the Timeout value
By default the Timeout directive is set to 300 seconds. Lowering it helps mitigate the effects of a denial of service attack by slow clients.

Timeout 45

Limiting large requests
Apache has several directives that allow you to limit the size of a request; this can also be useful for mitigating the effects of a denial of service attack.

A good place to start is the LimitRequestBody directive. This directive is set to unlimited by default. If you are allowing file uploads of no larger than 1MB, you could set this setting to something like:

LimitRequestBody 1048576

If you're not allowing file uploads you can set it even smaller.

Some other directives to look at are LimitRequestFields, LimitRequestFieldSize and LimitRequestLine. These directives are set to reasonable defaults for most servers, but you may want to tweak them to best fit your needs. See the documentation for more info.

Limiting the size of an XML Body
If you're running mod_dav (typically used with Subversion) then you may want to limit the max size of an XML request body. The LimitXMLRequestBody directive is only available on Apache 2, and its default value is 1 million bytes (approx 1MB). Many tutorials will have you set this value to 0, which means files of any size may be uploaded; that may be necessary if you're using WebDAV to upload large files, but if you're simply using it for source control, you can probably get away with setting an upper bound, such as 10MB:

LimitXMLRequestBody 10485760

Limiting Concurrency
Apache has several configuration settings that can be used to adjust handling of concurrent requests. MaxClients is the maximum number of child processes that will be created to serve requests. This may be set too high if your server doesn't have enough memory to handle a large number of concurrent requests.

Other directives such as MaxSpareServers, MaxRequestsPerChild, and on Apache 2 ThreadsPerChild, ServerLimit, and MaxSpareThreads are important to adjust to match your operating system and hardware.

Restricting Access by IP
If you have a resource that should only be accessed by a certain network or IP address you can enforce this in your Apache configuration. For instance, to restrict access to your intranet to the 176.16 network only (the directory path is illustrative):

<Directory /web/intranet>
    Order Deny,Allow
    Deny from all
    Allow from 176.16.0.0/16
</Directory>

Or by IP:

<Directory /web/intranet>
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
</Directory>

Adjusting KeepAlive settings
According to the Apache documentation using HTTP Keep Alive's can improve client performance by as much as 50%, so be careful before changing these settings, you will be trading performance for a slight denial of service mitigation.

KeepAlive's are turned on by default and you should leave them on, but you may consider changing the MaxKeepAliveRequests which defaults to 100, and the KeepAliveTimeout which defaults to 15. Analyze your log files to determine the appropriate values.

Run Apache in a Chroot environment
chroot allows you to run a program in its own isolated jail. This prevents a break in on one service from being able to effect anything else on the server.

It can be fairly tricky to set this up using chroot due to library dependencies. I mentioned above that the mod_security module has built in chroot support. It makes the process as simple as adding a mod_security directive to your configuration:

SecChrootDir /chroot/apache
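To see which of the settings above a given httpd.conf actually gets wrong, here is an added Python audit (it is not part of the original list). It is run against two constructed config snippets, one with the defaults the list warns about and one hardened. The directive names and defaults are Apache's; the 60-second Timeout threshold is this script's own choice.

```python
"""Added example, not part of the original list: a small audit of httpd.conf
text against the hardening items above. The two config snippets are
constructed for the demo; the directive names and their defaults are Apache's,
the 60-second Timeout threshold is this script's own choice."""
from dataclasses import dataclass

RISKY_OPTIONS = {"Indexes", "Includes", "IncludesNOEXEC", "ExecCGI", "FollowSymLinks", "All"}
SHARED_ACCOUNTS = {"nobody", "nogroup", "root"}


@dataclass
class Finding:
    directive: str
    value: str
    reason: str


def parse_directives(conf):
    """Yield (directive, value) pairs; comment lines and <container> tags are
    skipped. Scope is ignored on purpose: a risky value anywhere is worth a look."""
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        yield parts[0], (parts[1].strip() if len(parts) > 1 else "")


def audit_httpd_conf(conf):
    findings = []
    seen = set()
    for name, value in parse_directives(conf):
        seen.add(name)
        if name == "ServerTokens" and value != "Prod":
            findings.append(Finding(name, value, "Server header leaks version/OS/modules; use Prod"))
        elif name == "ServerSignature" and value.lower() != "off":
            findings.append(Finding(name, value, "version footer on generated pages; use Off"))
        elif name in ("User", "Group") and value in SHARED_ACCOUNTS:
            findings.append(Finding(name, value, "shared or privileged account; use a dedicated one"))
        elif name == "Options":
            # "+Foo" and bare "Foo" enable; "-Foo" disables; "None" enables nothing
            enabled = {t.lstrip("+") for t in value.split() if not t.startswith("-")}
            bad = sorted(enabled & RISKY_OPTIONS)
            if bad:
                findings.append(Finding(name, value, "enables " + ", ".join(bad)))
        elif name == "AllowOverride" and value != "None":
            findings.append(Finding(name, value, ".htaccess files can override server settings"))
        elif name == "Timeout" and value.isdigit() and int(value) > 60:
            findings.append(Finding(name, value, "slow clients hold workers; lower it"))
        elif name == "LimitRequestBody" and value == "0":
            findings.append(Finding(name, value, "0 means unlimited request bodies"))
    # Directives that are absent fall back to defaults the list warns about.
    defaults = (
        ("ServerTokens", "Full", "default Full leaks version and modules"),
        ("Timeout", "300", "default 300 s is generous for a slow-client DoS"),
        ("LimitRequestBody", "0", "default is unlimited request bodies"),
    )
    for name, default, reason in defaults:
        if name not in seen:
            findings.append(Finding(name, f"<absent, default {default}>", reason))
    return findings


# Constructed configs: one with the defaults the list warns about, one hardened.
WEAK_CONF = """
ServerTokens OS
ServerSignature On
User nobody
Group nobody
Timeout 300
<Directory /web>
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>
"""

HARDENED_CONF = """
ServerTokens Prod
ServerSignature Off
User apache
Group apache
Timeout 45
LimitRequestBody 1048576
<Directory />
    Options None
    AllowOverride None
</Directory>
<Directory /web>
    Options -ExecCGI -FollowSymLinks -Indexes
    AllowOverride None
</Directory>
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = audit_httpd_conf(conf)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  {f.directive} {f.value}: {f.reason}")
```

The weak snippet produces eight findings, including one for LimitRequestBody even though the directive never appears: the absent-directive pass is what catches "set to unlimited by default". Run it against a real httpd.conf by reading the file into a string; it deliberately does not model Directory scoping, so treat every hit as a place to look rather than a verdict.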

How to setup Nginx WebServer on Linux?

I wasn't happy with Apache's memory footprint and stability. I was looking for a good lightweight web server, and a colleague suggested Nginx. After struggling for a couple of days, I finally succeeded in setting up LEMP on Linux.

This howto is about setting up Nginx with PHP, MySQL and FastCGI. So let's start:

Installing Nginx from source

On a Debian-based distribution you can simply use:

$ sudo apt-get install nginx

For other Linux flavours, build from source:

$ mkdir ~/server
$ cd ~/server
$ wget http://sysoev.ru/nginx/nginx-0.7.59.tar.gz

Unpack the archive:

$ tar xzf nginx-0.7.59.tar.gz
$ cd nginx-0.7.59

You need a C compiler to build it. If you don't have one, install it:

$ sudo aptitude install build-essential
$ sudo aptitude install linux-headers-`uname -r`

Configure

$./configure

Almost certainly you will get the following error:

./configure: error: the HTTP rewrite module requires the PCRE library.
You can either disable the module by using --without-http_rewrite_module
option, or install the PCRE library into the system, or build the PCRE library
statically from the source with nginx by using --with-pcre=<path> option.

That's normal; not every library is on your machine. Install the missing ones:

$ sudo aptitude install libpcre3 libpcre3-dev libpcrecpp0 libssl-dev zlib1g-dev

Start to compile it once again

$sudo make clean
$sudo ./configure --with-http_ssl_module
$sudo make
$sudo make install

Now everything will be fine and the server will be installed. If you want, you can change some defaults on the ./configure command line, for example:

--prefix=
sets the directory where the server files will be located. All relative paths given to ./configure, and in nginx.conf, are resolved against it. Default: /usr/local/nginx.

--sbin-path=
sets the name of the nginx executable. Used only at install time. Default: /usr/local/nginx/sbin/nginx.

--conf-path=
sets the path of the nginx.conf configuration file. You can always start nginx with a different configuration file using the -c option. Default: /usr/local/nginx/conf/nginx.conf.

--pid-path=
sets the path of the PID file. After installation you can change it with the pid directive in nginx.conf. Default: /usr/local/nginx/logs/nginx.pid.

--error-log-path=
sets the path of the error log. After installation you can change it with the error_log directive in nginx.conf. Default: /usr/local/nginx/logs/error.log.

--http-log-path=
sets the path of the access log, which records the requests the server handles. Default: /usr/local/nginx/logs/access.log.

How do I manage the server?

If you didn't change the default directories when installing, start the server with:

$ sudo /usr/local/nginx/sbin/nginx

Check that it is running:

$ ps -ef | grep nginx
root 14999 1 0 16:44 ? 00:00:00 nginx: master process /usr/local/nginx/sbin/nginx
nobody 15000 14999 0 16:44 ? 00:00:00 nginx: worker process
booch 15084 29644 0 16:45 pts/0 00:00:00 grep nginx

Great! Now open your browser at http://localhost/
If the server works you'll see the "Welcome" page.

The master process is controlled with signals; its PID is in the pid file (/usr/local/nginx/logs/nginx.pid by default). Shut the server down gracefully by sending QUIT to the master process:

$ sudo kill -QUIT `cat /usr/local/nginx/logs/nginx.pid`

Upgrade the binary without stopping service by sending USR2 to the master process:

$ sudo kill -USR2 `cat /usr/local/nginx/logs/nginx.pid`

If you have changed options in nginx.conf and want to apply them, send HUP to the master process:

$ sudo kill -HUP `cat /usr/local/nginx/logs/nginx.pid`

Log rotation: first rename the log files, then send USR1 to the master process. The master reopens every log file by name, makes the new files owned by the unprivileged user the workers run as, then closes its old descriptors and tells the workers to reopen theirs as well. Once they have, the renamed files are no longer written to and can be processed further, for example compressed.

$ sudo kill -USR1 `cat /usr/local/nginx/logs/nginx.pid`

Important signals:

QUIT - graceful shutdown
TERM, INT - fast shutdown
HUP - reload the configuration (also picks up a changed time zone): new worker processes are started with the new configuration and the old ones are shut down gracefully
USR1 - reopen log files
USR2 - upgrade the executable
How to run web site on the server?
Let's set up the site. We have to create a new user (www), a new group (www) and a directory structure for the site. Start with the group:

$ sudo groupadd www

Then the user, with www as its primary group:

$ sudo useradd www -g www

Add the www user to the www group (redundant here, since -g above already made it the primary group):

$ sudo usermod -a -G www www

Create a password for the www user:

$ sudo passwd www

A service account does not need to log in, so you can skip the password and give the account a non-login shell (/usr/sbin/nologin) instead; that way nobody can log in as www even if the password is guessed.

Now create a structure for the web site, like this (no spaces inside the braces, or the shell will not expand them):

$ sudo mkdir /home/www/
$ sudo mkdir -p /home/www/linuxspace.org/{log,private,public,backups,archives,stats}

log - log files
private - private data
public - the site's document root
backups - backup data
stats - statistics
archives - archives

Mind the permissions: directories need the execute bit to be traversable, so use 755 (rwxr-xr-x) for public and its parents and 750 for the other directories, all owned by the www user. Now edit the configuration file nginx.conf:

$sudo nano /usr/local/nginx/conf/nginx.conf

# run the workers as the www user created above
user www;
# number of worker processes
worker_processes 2;
# PID file
pid /home/www/linuxspace.org/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    #                '$status $body_bytes_sent "$http_referer" '
    #                '"$http_user_agent" "$http_x_forwarded_for"';

    sendfile    on;
    tcp_nopush  on;

    #keepalive_timeout 0;
    keepalive_timeout 65;

    # compression (the numeric values were lost from the original page; nginx's defaults are shown)
    gzip             on;
    gzip_min_length  20;
    gzip_buffers     16 8k;
    gzip_types       text/plain;
    gzip_comp_level  1;
    gzip_proxied     any;

    # the virtual host
    server {
        # port
        listen *:80;
        # server name
        server_name localhost;
        # character set
        charset utf-8;
        # document root of the site
        root /home/www/linuxspace.org/public;

        # LOGS
        access_log /home/www/linuxspace.org/log/localhost.access.log;
        error_log  /home/www/linuxspace.org/log/error.log;
        access_log /home/www/linuxspace.org/log/access.log;

        # files served from the document root
        location / {
            root  /home/www/linuxspace.org/public;
            index index.html index.htm index.php;
        }

        error_page 404 /404.html;

        # redirect server error pages to the static page /50x.html
        #error_page 500 502 503 504 /50x.html;
        #location = /50x.html {
        #    root html;
        #}

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny all;
        #}
    }

    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename alias another.alias;
    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}

    # HTTPS server
    # (stock template; on a real deployment drop SSLv2 and the +LOW/+EXP cipher groups)
    #
    #server {
    #    listen       443;
    #    server_name  localhost;
    #    ssl                  on;
    #    ssl_certificate      cert.pem;
    #    ssl_certificate_key  cert.key;
    #    ssl_session_timeout  5m;
    #    ssl_protocols  SSLv2 SSLv3 TLSv1;
    #    ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    #    ssl_prefer_server_ciphers   on;
    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}
}

That's enough to serve a static HTML site. Don't delete the other (commented) options; you'll need them later.
Remember, if you want to use a different nginx.conf, start the server with the -c option:
sudo /usr/local/nginx/sbin/nginx -c /home/user/nginx.conf
Let's run the server:
sudo /usr/local/nginx/sbin/nginx
If everything is OK, you'll see the processes running:
ps -ef | grep nginx
root 7146 1 0 02:19 ? 00:00:00 nginx: master process /usr/local/nginx/sbin/nginx
www 7147 7146 0 02:19 ? 00:00:00 nginx: worker process
www 7148 7146 0 02:19 ? 00:00:00 nginx: worker process
Great, it works. The master process runs as root (it has to bind port 80 and open the logs) and the worker processes run as the www user, so a compromised worker has only that user's rights. Now put an index.html into /home/www/linuxspace.org/public, open your browser at http://localhost and you'll see your site.

Nagios: Setting up Nagios on RHEL 5.3

Last week I thought of setting up Nagios on my Linux box. I installed a fresh copy of RHEL in VirtualBox and everything went fine. I thought of putting the complete setup on my blog, and here it is: "A Complete Monitoring Tool for your Linux Box"

Here is my Machine Configuration:

[root@irc ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.3 (Tikanga)
[root@irc ~]#

[root@irc ~]# uname -arn
Linux irc.chatserver.com 2.6.18-128.el5 #1 SMP Wed Dec 17 11:41:38 EST 2008 x86_64 x86_64 x86_64 GNU/Linux
[root@irc ~]#

1) Create Account Information 

Become the root user.


su -l


Create a new nagios user account and give it a password.


/usr/sbin/useradd -m nagios

passwd nagios


Create a new nagcmd group for allowing external commands to be submitted through the web interface. Add both the nagios user and the apache user to the group.


/usr/sbin/groupadd nagcmd

/usr/sbin/usermod -a -G nagcmd nagios

/usr/sbin/usermod -a -G nagcmd apache

2) Download Nagios and the Plugins

Create a directory for storing the downloads.


mkdir ~/downloads

cd ~/downloads


Download the source code tarballs of both Nagios and the Nagios plugins (visit http://www.nagios.org/download/ for links to the latest versions). The commands below use Nagios 3.2.0 and Nagios Plugins 1.4.11.


wget http://prdownloads.sourceforge.net/sourceforge/nagios/nagios-3.2.0.tar.gz

wget http://prdownloads.sourceforge.net/sourceforge/nagiosplug/nagios-plugins-1.4.11.tar.gz


3) Compile and Install Nagios 

Extract the Nagios source code tarball.


cd ~/downloads

tar xzf nagios-3.2.0.tar.gz

cd nagios-3.2.0


Run the Nagios configure script, passing the name of the group you created earlier like so:


./configure --with-command-group=nagcmd


Compile the Nagios source code.


make all


Install binaries, init script, sample config files and set permissions on the external command directory.


make install

make install-init

make install-config

make install-commandmode


Don't start Nagios yet - there's still more that needs to be done...

4) Customize Configuration

Sample configuration files have now been installed in the /usr/local/nagios/etc directory. These sample files should work fine for getting started with Nagios. You'll need to make just one change before you proceed...

Edit the /usr/local/nagios/etc/objects/contacts.cfg config file with your favorite editor and change the email address associated with the nagiosadmin contact definition to the address you'd like to use for receiving alerts.


vi /usr/local/nagios/etc/objects/contacts.cfg


5) Configure the Web Interface 

Install the Nagios web config file in the Apache conf.d directory.


make install-webconf


Create a nagiosadmin account for logging into the Nagios web interface. Remember the password you assign to this account - you'll need it later.


htpasswd -c /usr/local/nagios/etc/htpasswd.users nagiosadmin


Restart Apache to make the new settings take effect.


service httpd restart


Note: Consider implementing the enhanced CGI security measures described in the Nagios documentation to ensure that your web authentication credentials are not compromised. The Nagios web interface uses HTTP Basic authentication, so at minimum serve it over HTTPS.

6) Compile and Install the Nagios Plugins

Extract the Nagios plugins source code tarball.


cd ~/downloads

tar xzf nagios-plugins-1.4.11.tar.gz

cd nagios-plugins-1.4.11


Compile and install the plugins.


./configure --with-nagios-user=nagios --with-nagios-group=nagios

make

make install


7) Start Nagios 

Add Nagios to the list of system services and have it automatically start when the system boots.


chkconfig --add nagios

chkconfig nagios on


Verify the sample Nagios configuration files.


/usr/local/nagios/bin/nagios -v /usr/local/nagios/etc/nagios.cfg


If there are no errors, start Nagios.


service nagios start


8) Modify SELinux Settings 

RHEL 5 (like Fedora) ships with SELinux (Security Enhanced Linux) installed and in Enforcing mode by default. This can result in "Internal Server Error" messages when you attempt to access the Nagios CGIs.

See if SELinux is in Enforcing mode.


getenforce


Put SELinux into Permissive mode.


setenforce 0


To make this change permanent, you'll have to modify the settings in /etc/selinux/config and reboot.

Rather than disabling SELinux or switching the whole system to permissive mode, keep it enforcing (targeted policy) and label the Nagios web files so httpd may read and run them:


chcon -R -t httpd_sys_content_t /usr/local/nagios/sbin/

chcon -R -t httpd_sys_content_t /usr/local/nagios/share/


If the CGIs still fail, look for AVC denials in /var/log/audit/audit.log; the CGI directory may need the httpd_sys_script_exec_t type rather than the plain content type. chcon changes are lost on a filesystem relabel, so record the rule with semanage fcontext as well.

For information on running the Nagios CGIs under Enforcing mode with a targeted policy, visit the Nagios Support Portal or Nagios Community Wiki.

9) Login to the Web Interface 

You should now be able to access the Nagios web interface at the URL below. You'll be prompted for the username (nagiosadmin) and password you specified earlier.


http://localhost/nagios/


Click on the "Service Detail" navbar link to see details of what's being monitored on your local machine. It will take a few minutes for Nagios to check all the services associated with your machine, as the checks are spread out over time.

10) Other Modifications 

Make sure your machine's firewall rules are configured to allow access to the web server if you want to access the Nagios interface remotely.

Configuring email notifications is out of the scope of this documentation. While Nagios is currently configured to send you email notifications, your system may not yet have a mail program properly installed or configured. Refer to your system documentation, search the web, or look to the Nagios Support Portal or Nagios Community Wiki for specific instructions on configuring your system to send email messages to external addresses. More information on notifications can be found here.

11) You're Done

Congratulations! You successfully installed Nagios. Your journey into monitoring is just beginning.


Example:

Say your Nagios server is 10.14.236.140 and you need to monitor the Linux machine with IP 10.14.236.70. Proceed as follows:

[root@irc objects]# pwd
/usr/local/nagios/etc/objects
[root@irc objects]#
[root@irc objects]# ls
commands.cfg localhost.cfg printer.cfg switch.cfg timeperiods.cfg
contacts.cfg localhost.cfg.orig remotehost.cfg templates.cfg windows.cfg
[root@irc objects]#

The file should look like this:


# HOST DEFINITION
#
###############################################################################
###############################################################################

# Define a host for the local machine

define host{
use linux-server ; Name of host template to use
; This host definition will inherit all variables that are defined
; in (or inherited by) the linux-server host template definition.
host_name localhost
alias localhost
address 127.0.0.1
}

define host{
use linux-server ; Name of host template to use
; This host definition will inherit all variables that are defined
; in (or inherited by) the linux-server host template definition.
host_name ideath.logic.com
alias ideath
address 10.14.236.70
}


###############################################################################
###############################################################################
#
# HOST GROUP DEFINITION
#
###############################################################################
###############################################################################

# Define an optional hostgroup for Linux machines

define hostgroup{
hostgroup_name linux-server ; The name of the hostgroup
alias Linux Servers ; Long name of the group
members localhost ; Comma separated list of hosts that belong to this group
}



###############################################################################
###############################################################################
#
# SERVICE DEFINITIONS
#
###############################################################################
###############################################################################


# Define a service to "ping" the local machine

define service{
use local-service ; Name of service template to use
host_name localhost
service_description PING
check_command check_ping!100.0,20%!500.0,60%
}

define service{
use local-service ; Name of service template to use
host_name ideath.logic.com
service_description PING
check_command check_ping!100.0,20%!500.0,60%
}

# Define a service to check the disk space of the root partition
# on the local machine. Warning if < 20% free, critical if
# < 10% free space on partition.

define service{
use local-service ; Name of service template to use
host_name localhost
service_description Root Partition
check_command check_local_disk!20%!10%!/
}

define service{
use local-service ; Name of service template to use
host_name ideath.logic.com
service_description Root Partition
check_command check_local_disk!20%!10%!/
}

# Define a service to check the number of currently logged in
# users on the local machine. Warning if > 20 users, critical
# if > 50 users.

define service{
use local-service ; Name of service template to use
host_name localhost
service_description Current Users
check_command check_local_users!20!50
}

define service{
use local-service ; Name of service template to use
host_name ideath.logic.com
service_description Current Users
check_command check_local_users!20!50
}


# Define a service to check the number of currently running procs
# on the local machine. Warning if > 250 processes, critical if
# > 400 processes.

define service{
use local-service ; Name of service template to use
host_name localhost
service_description Total Processes
check_command check_local_procs!250!400!RSZDT
}


define service{
use local-service ; Name of service template to use
host_name ideath.logic.com
service_description Total Processes
check_command check_local_procs!250!400!RSZDT
}
# Define a service to check the load on the local machine.

define service{
use local-service ; Name of service template to use
host_name localhost
service_description Current Load
check_command check_local_load!5.0,4.0,3.0!10.0,6.0,4.0
}

define service{
use local-service ; Name of service template to use
host_name ideath.logic.com
service_description Current Load
check_command check_local_load!5.0,4.0,3.0!10.0,6.0,4.0
}

# Define a service to check the swap usage the local machine.
# Critical if less than 10% of swap is free, warning if less than 20% is free

define service{
use local-service ; Name of service template to use
host_name localhost
service_description Swap Usage
check_command check_local_swap!20!10
}

define service{
use local-service ; Name of service template to use
host_name ideath.logic.com
service_description Swap Usage
check_command check_local_swap!20!10
}

# Define a service to check SSH on the local machine.
# Disable notifications for this service by default, as not all users may have SSH enabled.

define service{
use local-service ; Name of service template to use
host_name localhost
service_description SSH
check_command check_ssh
notifications_enabled 0
}

define service{
use local-service ; Name of service template to use
host_name ideath.logic.com
service_description SSH
check_command check_ssh
check_period 24x7
notifications_enabled 0
is_volatile 0
max_check_attempts 4
normal_check_interval 5
retry_check_interval 1
contact_groups admins
notification_options w,c,u,r
notification_interval 960
notification_period 24x7
}



# Define a service to check HTTP on the local machine.
# Disable notifications for this service by default, as not all users may have HTTP enabled.

define service{
use local-service ; Name of service template to use
host_name localhost
service_description HTTP
check_command check_http
notifications_enabled 0
}

define service{
use local-service ; Name of service template to use
host_name ideath.logic.com
service_description HTTP
check_command check_http
notifications_enabled 0
is_volatile 0
max_check_attempts 4
normal_check_interval 5
retry_check_interval 1
contact_groups admins
notification_options w,c,u,r
notification_interval 960
notification_period 24x7
}


ideath.logic.com is the hostname of 10.14.236.70.
Add an entry to /etc/hosts if the name cannot be resolved (or else check DNS). Note that the check_local_disk, check_local_users, check_local_procs, check_local_load and check_local_swap commands run on the Nagios server itself, so the copies of those services defined for ideath.logic.com report the Nagios host's own resources; only PING, SSH and HTTP are actually checked against the remote machine over the network.
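As an added example that is not part of the original notes or of Nagios, the Python script below parses object definitions laid out like the file above and reports what a reviewer of such a file would want to know: a service whose host_name matches no defined host (one wrong letter in a hostname is enough), a directive given twice inside one definition, and, as a warning, a check_local_* command attached to a host that is not the loopback. The configuration embedded in it is constructed; the parser handles only the plain define kind{ ... } layout, not templates or includes.

```python
import re

BLOCK_RE = re.compile(r"define\s+(\w+)\s*\{(.*?)\}", re.S)   # define <kind>{ ... }


def parse_objects(text):
    """Return [(kind, directives, duplicated_keys)] in file order; ';' and '#' start comments."""
    clean = "\n".join(re.split(r"[;#]", ln, maxsplit=1)[0] for ln in text.splitlines())
    objs = []
    for kind, body in BLOCK_RE.findall(clean):
        directives, dups = {}, []
        for line in body.splitlines():
            parts = re.split(r"\s+", line.strip(), maxsplit=1)   # "key   value with spaces"
            if not parts[0]:
                continue
            if parts[0] in directives:
                dups.append(parts[0])
            else:
                directives[parts[0]] = parts[1] if len(parts) > 1 else ""
        objs.append((kind, directives, dups))
    return objs


def validate(objs):
    """Return (errors, warnings) a reviewer of the file would raise."""
    errors, warnings = [], []
    hosts = {d.get("host_name") for k, d, _ in objs if k == "host"}
    # only loopback hosts are really measured by the check_local_* commands
    local = {d.get("host_name") for k, d, _ in objs
             if k == "host" and d.get("address") in ("127.0.0.1", "::1")}
    for kind, d, dups in objs:
        name = d.get("service_description" if kind == "service" else "host_name", "?")
        for key in dups:
            errors.append(f"{kind} {name}: directive '{key}' given twice")
        if kind != "service":
            continue
        targets = [h.strip() for h in d.get("host_name", "").split(",") if h.strip()]
        for h in targets:
            if h not in hosts:
                errors.append(f"service {name}: host '{h}' is not defined")
        cmd = d.get("check_command", "").split("!")[0]
        remote = [h for h in targets if h in hosts and h not in local]
        if cmd.startswith("check_local_") and remote:
            warnings.append(f"service {name} on {','.join(remote)}: {cmd} runs on the "
                            "Nagios server, so it does not measure the monitored host")
    return errors, warnings


# Constructed sample in the shape of the localhost.cfg above, with a typo in one host_name
SAMPLE_CFG = """\
define host{
host_name localhost  ; the Nagios server itself
address 127.0.0.1
}
define host{
host_name ideath.logic.com
address 10.14.236.70
}
define service{
host_name ideath.logica.com
service_description PING
}
define service{
host_name ideath.logic.com
service_description Root Partition
check_command check_local_disk!20%!10%!/
}
define service{
host_name ideath.logic.com
service_description SSH
check_command check_ssh
check_command check_ssh
}
"""

if __name__ == "__main__":
    for level, lines in zip(("ERROR", "WARNING"), validate(parse_objects(SAMPLE_CFG))):
        print("\n".join(f"{level}: {line}" for line in lines))
```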

Apache: Setting up JBoss on Linux

This blog describes how to install JBoss and set it up to start automatically on Red Hat Linux.

Step1: Install Java and set environment variables

Please follow this link for instructions
http://easylinuxstuffs.blogspot.com/2009/08/installing-java-on-linux.html

Step2: Create a user called jboss

It is always advisable to create a user "jboss" that is used to start and stop JBoss and to which permissions can be assigned.
#useradd jboss

Step3: Download appropriate package from Jboss and Install it
#unzip jboss-5.1.0.GA-jdk6.zip
#mv jboss-5.1.0.GA /usr/local/
#chown -R jboss:jboss /usr/local/jboss-5.1.0.GA

Step4: Set Environment variables for JBOSS

Create a file /etc/profile.d/jboss.sh (scripts in /etc/profile.d are only sourced when their name ends in .sh)
# touch /etc/profile.d/jboss.sh
# chmod +x /etc/profile.d/jboss.sh

#vi /etc/profile.d/jboss.sh ( Add the following entries)

#***** Set Env Variables for Jboss

JBOSS_HOME=/usr/local/jboss-5.1.0.GA
export JBOSS_HOME
export PATH=$JBOSS_HOME/bin:$PATH
export LAUNCH_JBOSS_IN_BACKGROUND=1

Step5: Log out of the shell so the above path settings take effect

Note: [Instead of creating /etc/profile.d/jboss.sh we can always update the variables in /etc/profile]

Step6: Configure Jboss to script start automatically on restart

Starting from JBoss 4.0.1, a sample start-up script (e.g. jboss_init_redhat.sh for Red Hat) is supplied with the package; we just need to modify it.

Copy the script to /etc/init.d and name it as jboss

#cp /usr/local/jboss-5.1.0.GA/bin/jboss_init_redhat.sh /etc/init.d/jboss

#chmod +x /etc/init.d/jboss

Step7: create links

The links will be used to identify at which run levels JBoss should be started and stopped.
#ln -s /etc/rc.d/init.d/jboss /etc/rc3.d/S84jboss
#ln -s /etc/rc.d/init.d/jboss /etc/rc5.d/S84jboss
#ln -s /etc/rc.d/init.d/jboss /etc/rc4.d/S84jboss

#ln -s /etc/rc.d/init.d/jboss /etc/rc6.d/K15jboss
#ln -s /etc/rc.d/init.d/jboss /etc/rc0.d/K15jboss
#ln -s /etc/rc.d/init.d/jboss /etc/rc1.d/K15jboss
#ln -s /etc/rc.d/init.d/jboss /etc/rc2.d/K15jboss
Linux will execute the equivalent of "service jboss start" for the "S" links and "service jboss stop" for the K links.

Red Hat has a chkconfig command to manage these links, which may or may not work (it uses comments at the top of the script to determine which run levels it should be started/stopped in).

Step8: Modify the script to work with chkconfig command in Redhat

Add the following entries just after #!/bin/sh in the script

#
# JBoss Control Script
#
# chkconfig: 345 80 20
# description: JBoss Startup File
#
#
# To use this script run it as root - it will switch to the specified user
#
Step9: Modify the script with the JBoss path, Java path, user and host details
Find the following entries and change them according to your installation directories and paths

#define where jboss is - this is the directory containing directories log, bin, conf etc
JBOSS_HOME=${JBOSS_HOME:-"/usr/local/jboss-5.1.0.GA"}

#define the user under which jboss will run, or use 'RUNASIS' to run as the current user
JBOSS_USER=${JBOSS_USER:-"jboss"}

#make sure java is in your path
JAVAPTH=${JAVAPTH:-"/usr/java/jdk1.6.0_14/bin"}
#bind jboss services to a specific IP address - added by rasith

JBOSS_HOST=${JBOSS_HOST:-"yourserver.yourdomain.com"}

Note: [Either give the FQDN of your server or its IP address]

Step10: set chkconfig to start jboss in different runlevel

#chkconfig --level 345 jboss on
Step11: Start Jboss and Verify whether it is running properly

#/sbin/service jboss start
You should be able to see JBoss up and running at http://yourserver.yourdomain.com:8080
Use /sbin/service jboss start|stop|restart to start, stop and restart JBoss

Step12: Restart your server and verify that JBoss comes up automatically after the restart


There You Go !! A Well-settled JBoss on your Cute Linux Box.

Installing mcrypt, mhash on RHEL5 and Apache with PHP5


Get and Install mhash

wget http://internap.dl.sourceforge.net/sourceforge/mhash/mhash-0.9.9.9.tar.gz
or go to sourceforge and find the latest.

tar -xvzf mhash-0.9.9.9.tar.gz
cd mhash-0.9.9.9
./configure --prefix=/usr/local/mhash
make
make install

Get and install libmcrypt

wget http://easynews.dl.sourceforge.net/sourceforge/mcrypt/libmcrypt-2.5.8.tar.gz
tar -xvzf libmcrypt-2.5.8.tar.gz
cd libmcrypt-2.5.8
./configure --prefix=/usr/local/libmcrypt --disable-posix-threads
make
make install

Get and install mcrypt.

wget http://superb-west.dl.sourceforge.net/sourceforge/mcrypt/mcrypt-2.6.8.tar.gz
or go to source forge and get the latest.

tar -zxvf mcrypt-2.6.8.tar.gz
cd mcrypt-2.6.8
./configure
make
make install


Create the mcrypt php5 module to load.

Find the source code for your PHP version.

use: find / -name "php"

mine was found here /usr/src/redhat/SOURCES/php-5.1.6/

cd to php-5.2.6/ext/mcrypt
phpize
aclocal
./configure
make clean
make
make install


If you are using a 64 bit computer, create a symbolic link.
cd /usr/lib64/modules
ln -s /usr/local/lib/php/extensions/no-debug-non-zts-20050922/mcrypt.so ./mcrypt.so

Create a new file named mcrypt.ini in the /etc/php.d directory (only *.ini files there are read) and enter the following.

;Enable mcrypt extension module
extension=mcrypt.so

Create the mhash extension:

cd to php-5.2.6/ext/mhash
phpize
aclocal
./configure
make clean
make
make install

cd /usr/lib64/modules
[root modules]# ln -s /usr/local/lib/php/extensions/no-debug-non-zts-20050922/mhash.so ./mhash.so

Create a new file named mhash.ini in the /etc/php.d directory and enter the following.

;Enable mhash extension module
extension=mhash.so

Bounce Apache
[root /]#service httpd restart
Stopping httpd:                                            [  OK  ]
Starting httpd:                                            [  OK  ]

Check Apache for mcrypt loaded.
Move to your website location and create a file named phpinfo.php containing the following:

<?php phpinfo(); ?>

Now open a browser and point it at your site's /phpinfo.php

Look for a section named mcrypt and mhash, they should show the version, supported ciphers, enabled, etc.

Note: If you do not see the section, then the module did not load. Remove phpinfo.php once you have finished checking; its output discloses paths, versions and configuration details that should not be published.

Starting Apache with built in SSL_MOD ( Linux RHEL5)

 First, I generate the certificates, and I copy them over /etc/httpd/conf/


openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Now, since there is no references to SSL on my httpd.conf file, I tried to add the line below to it.
LoadModule ssl_module modules/mod_ssl.so
However, the configtest test complains it is built-in and can't be loaded.
/etc/init.d/httpd configtest

No need if already loaded
Syntax error on line 8 of /etc/httpd/conf/httpd.conf:
module ssl_module is built-in and can't be loaded
So I tried adding the following parameters.

   Include conf/ssl.conf

Then restart the server.

/etc/init.d/httpd restart
Stopping httpd: [ OK ]

Now, I edited the /etc/httpd/conf.d/ssl.conf file to load my keys

ssl.conf

ServerName server.local
SSLEngine On
SSLCertificateFile /etc/httpd/conf/server.csr
SSLCertificateKeyFile /etc/httpd/conf/server.key

DocumentRoot /httpdocs/site/
ErrorLog "|/usr/sbin/rotatelogs /etc/httpd/logs/server--%Y%m%d 84600"
CustomLog "|/usr/sbin/rotatelogs /etc/httpd/logs/server--%Y%m%d 84600" combined


However, Apache won't start as long as I leave SSLEngine on,
/etc/init.d/httpd restart 

Apache Web Server

About the HTTP protocol.
HTTP (HyperText Transfer Protocol) is the method used to transfer or convey information on the World Wide Web (WWW). Its original purpose was to provide a way to publish and retrieve HTML documents.
HTTP is a request/response protocol carried over TCP between user agents (browsers, indexing engines and other tools) and servers, normally on port 80. Proxies, gateways and tunnels may act as intermediaries in the communication between them.
About Apache.
Apache is an open-source, freely licensed HTTP server that runs on Linux, Unix-derived operating systems, Windows, Novell NetWare and other platforms. It has played an important role in the growth of the World Wide Web, remains the most widely used HTTP server, and is the de facto server against which competing products test and compare their performance. Apache is developed and maintained by a community of developers sponsored by the Apache Software Foundation.
Basic Configuration
Installing packages
yum -y install httpd
To start, stop, restart the service:
/etc/init.d/httpd start - Starts the Apache service
/etc/init.d/httpd stop - Stops the Apache service
/etc/init.d/httpd restart - Restarts the Apache service
/etc/init.d/httpd status - Checks the status of Apache
Apache comes with a standard configuration; it is enough to start the service, open your browser and type http://localhost.
The Apache configuration file is /etc/httpd/conf/httpd.conf by default.
Any adjustment, whether to configure virtual web sites or other additional functionality, can be made without touching the main configuration file by using any file with the extension *.conf in /etc/httpd/conf.d/.
Virtual Directories.
If, for example, you want to add an alias for a directory located at /var/ftp/pub/ so that Apache serves it as /pub/, it is enough to create a file, named arbitrarily, say /etc/httpd/conf.d/aliases.conf, with the following contents:
Alias /pub /var/ftp/codigolibre
If you try to access this new virtual directory with a browser, you will notice that access is not allowed. For it to be served, the directory must either contain an index document (index.html, index.php, etc.) or be configured to list its contents, as follows:
Alias /pub /var/ftp/codigolibre
<Directory "/var/ftp/codigolibre">
Options Indexes Includes FollowSymLinks
AllowOverride All
</Directory>
The Indexes option tells Apache to display the contents of the directory. FollowSymLinks allows symbolic links placed inside the directory to be followed. Includes enables SSI (Server Side Includes), which can be used for features such as authentication. AllowOverride All makes it possible to use .htaccess files.
Restart or reload Apache and point any web browser at http://127.0.0.1/pub/ to see the result.
Directory Access Restriction
Apache 2.x has better security measures than previous versions, because by default it disables many things that could be considered a risk. Part of that includes disabling SSI (Server Side Includes) and the use of .htaccess files. The latter serve to modify or add features to directories.
Basically you just need to add the following lines to the definition of any directory in which you wish to use them:
Options Includes
AllowOverride All

Procedures.
Authentication directories.
Authentication for a directory against a file containing passwords is done with the following syntax in any .htaccess file:
AuthName "Access only authorized users"
AuthType Basic
require valid-user
AuthUserFile /any/path/to/the/password/file
Example.
Suppose you need a directory that any browser will see as http://127.0.0.1/privado/.
Create the file /etc/httpd/conf.d/sample-autenticar.conf with the following contents:
Alias /privado /var/www/privado
<Directory "/var/www/privado">
Options Indexes Includes
AllowOverride All
Order allow,deny
Allow from all
</Directory>
Create the directory /var/www/privado/:
mkdir -p /var/www/privado
Create the file /var/www/privado/.htaccess:
touch /var/www/privado/.htaccess
Edit the file /var/www/privado/.htaccess and add the following content:
AuthName "Authorized Users Only"
AuthType Basic
require valid-user
AuthUserFile /var/www/keys
Create the password file /var/www/keys:
touch /var/www/keys
To establish the necessary security, make it readable and writable only by the apache user:
chmod 600 /var/www/keys
chown apache:apache /var/www/keys
Add some virtual users to the password file /var/www/keys with the htpasswd command:
htpasswd /var/www/keys guy
htpasswd /var/www/keys so
Restart the httpd service:
service httpd restart
Support Apache SSL / TLS
Requirements:
mod_ssl
openssl
Log in as root.
You must create the directory where the certificates for all SSL sites will be stored. For security reasons, this directory should be accessible only by root.
mkdir -m 0700 /etc/ssl
To keep things organised, with a dedicated directory per SSL virtual site, create a specific directory to store the certificates of each one. Again, for security reasons, it should be accessible only by root.
mkdir -m 0700 /etc/ssl/codigolibre.local
Change into the directory you just created.
cd /etc/ssl/codigolibre.local
Generating keys and certificates.
You must create a 1024-bit RSA key, in X.509 structure, encrypted with Triple DES (Data Encryption Standard) and stored in PEM format so that it is readable as ASCII text. In the procedure described below, 5 gzip-compressed files are used as random seeds to improve the security of the created key (server.key).
openssl genrsa -des3 -rand fichero1.gz:fichero2.gz:fichero3.gz:fichero4.gz:fichero5.gz -out server.key 1024
Using this file (server.key) in the virtual site configuration means the administrator must type the passphrase of the RSA key every time the httpd service is started or restarted. That is the most secure arrangement, but since entering a passphrase at every start is impractical, it is convenient to also generate a copy of the key without the Triple DES protection, which lets the httpd service start normally without any interaction. So as not to sacrifice too much security, this key (the server.pem file) must be accessible only by root. This is the reason the directory /etc/ssl/midominio.org was created accessible only to root.
openssl rsa -in server.key -out server.pem
Optionally, generate a CSR (Certificate Signing Request) file to deliver to an RA (Registration Authority) such as Verisign, which, after the relevant payment, sends back a certificate (server.crt) signed by that authority.
openssl req -new -key server.key -out server.csr
This will prompt for various data:
Two-letter code for the country.
State or province.
City.
Name of company or business.
Unit or section.
Name of the host.
E-mail.
Optionally you can add another password and again the name of the company.
The output returned will be similar to the following:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]: DR
State or Province Name (full name) [Berkshire]: National District
Locality Name (eg, city) [Newbury]: Santo Domingo
Organization Name (eg, company) [My Company Ltd]: Code Free
Organizational Unit Name (eg, section) []: Foundation
Common Name (eg, your name or your server's hostname) []: codigolibre.local
Email Address []: webmaster@codigolibre.local

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
If you do not want a certificate signed by an RA, you can generate your own certificate from the request file (server.csr). The example below creates an X.509 certificate valid for 730 days (two years).
openssl x509 -req -days 730 -in server.csr -signkey server.key -out server.crt
So that only the root user can access the files created, change their permissions to read-only for root.
chmod 400 /etc/ssl/gnulab/server.*
Create the file /etc/httpd/conf.d/midominio.conf with the following contents, where a.b.c.d corresponds to the server's IP address and midominio.org to the domain name to set for the virtual web site:

<VirtualHost a.b.c.d:80>
ServerAdmin cnunez@gnulab
DocumentRoot /var/ftp/codigolibre
ServerName gnulab
Redirect 301 / https://gnulab
ErrorLog /var/log/httpd/error_log
CustomLog /var/log/httpd/access_log common
</VirtualHost>

<VirtualHost a.b.c.d:443>
ServerAdmin cnunez@gnulab
DocumentRoot /var/ftp/codigolibre
ServerName gnulab
SSLEngine on
SSLCertificateFile /etc/ssl/server.crt
SSLCertificateKeyFile /etc/ssl/server.pem
ErrorLog /var/log/httpd/error_log
CustomLog /var/log/httpd/access_log common
</VirtualHost>


Check.

It is enough to point any web browser at http://gnulab to verify that everything is working properly. After accepting the certificate, in case it has not been signed by an RA, an indicator should appear in the browser's status bar showing that this is a secure connection.
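As an added example (not from the original post, Apache or OpenSSL), the Python script below audits the SSL directives of a vhost fragment against the files they point at, in the spirit of what httpd does when it starts: it flags an SSLCertificateFile that is actually a certificate signing request (the ssl.conf shown earlier points at server.csr), warns when SSLCertificateKeyFile is a passphrase-protected key of the kind 'openssl genrsa -des3' produces (httpd will prompt for the passphrase at every restart, which is why the procedure above derives server.pem from server.key), and warns when the key file is readable by group or other. The PEM files and vhost fragments it works on are constructed stubs written to a temporary directory; only their headers matter.

```python
import os
import re
import stat
import tempfile

SSL_RE = re.compile(r"^\s*(SSLEngine|SSLCertificateFile|SSLCertificateKeyFile)\s+(\S+)",
                    re.I | re.M)


def pem_head(path, nbytes=256):
    """First bytes of a PEM file: the BEGIN line plus any Proc-Type/DEK-Info headers."""
    with open(path, "rb") as fh:
        return fh.read(nbytes).decode("ascii", "replace")


def audit_ssl_vhost(config_text, server_root):
    """Check one vhost's SSL directives against the files they name, as httpd does
    at startup. Returns (errors, warnings); relative paths resolve under server_root."""
    errors, warnings = [], []
    found = {k.lower(): v for k, v in SSL_RE.findall(config_text)}
    if found.get("sslengine", "").lower() != "on":
        return errors, warnings                       # plain-HTTP vhost, nothing to check
    cert = found.get("sslcertificatefile", "")
    path = os.path.join(server_root, cert)
    head = pem_head(path) if cert and os.path.isfile(path) else ""
    if "CERTIFICATE REQUEST" in head:
        errors.append(f"SSLCertificateFile {cert}: this is a certificate signing request, "
                      "not a certificate; use the .crt produced by 'openssl x509 -req'")
    elif "BEGIN CERTIFICATE" not in head:
        errors.append(f"SSLCertificateFile {cert or '(unset)'}: missing or not a PEM certificate")
    key = found.get("sslcertificatekeyfile", "")
    path = os.path.join(server_root, key)
    head = pem_head(path) if key and os.path.isfile(path) else ""
    if "PRIVATE KEY" not in head:
        errors.append(f"SSLCertificateKeyFile {key or '(unset)'}: missing or not a PEM private key")
        return errors, warnings
    if "ENCRYPTED" in head:                           # Proc-Type: 4,ENCRYPTED or PKCS#8 header
        warnings.append(f"SSLCertificateKeyFile {key}: passphrase-protected key, httpd "
                        "will prompt for the passphrase on every start or restart")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        warnings.append(f"SSLCertificateKeyFile {key}: mode {mode:04o} is readable by "
                        "group/other; use chmod 400 and root ownership")
    return errors, warnings


def build_demo_tree():
    """Write constructed PEM stubs (headers only, no real key material) to a temp dir."""
    root = tempfile.mkdtemp(prefix="ssl-audit-demo-")
    stubs = {
        "server.csr": "-----BEGIN CERTIFICATE REQUEST-----\nSTUB\n-----END CERTIFICATE REQUEST-----\n",
        "server.crt": "-----BEGIN CERTIFICATE-----\nSTUB\n-----END CERTIFICATE-----\n",
        # shape of what 'openssl genrsa -des3' writes: a passphrase-protected key
        "server.key": "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                      "DEK-Info: DES-EDE3-CBC,0000000000000000\n\nSTUB\n-----END RSA PRIVATE KEY-----\n",
        # shape of what 'openssl rsa -in server.key -out server.pem' writes: unencrypted
        "server.pem": "-----BEGIN RSA PRIVATE KEY-----\nSTUB\n-----END RSA PRIVATE KEY-----\n",
    }
    for name, body in stubs.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    os.chmod(os.path.join(root, "server.key"), 0o644)   # as a freshly written file often is
    os.chmod(os.path.join(root, "server.pem"), 0o400)   # the chmod 400 step of the procedure
    return root


# Constructed vhost fragments: the first repeats the mistakes of the ssl.conf shown earlier
BROKEN_VHOST = "SSLEngine On\nSSLCertificateFile server.csr\nSSLCertificateKeyFile server.key\n"
FIXED_VHOST = "SSLEngine on\nSSLCertificateFile server.crt\nSSLCertificateKeyFile server.pem\n"

if __name__ == "__main__":
    root = build_demo_tree()
    print(audit_ssl_vhost(BROKEN_VHOST, root), audit_ssl_vhost(FIXED_VHOST, root))
```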

Bibliography
Thanks to Joel Barrios Duenas