Haproxy with SSL doesn't works - ssl

I trying to use the new haproxy with ssl(1.5-dev12). But I have an error with this new feature.
I've installed with:
make TARGET=linux2632 USE_OPENSSL=yes
make PREFIX=/opt/haproxy-ssl install
But when I check my config file, I've this error:
[ALERT] 275/135959 (10998) : parsing [/opt/haproxy-ssl/haproxy.conf:31] : 'bind' : 'ssl' option not implemented.
[ALERT] 275/135959 (10998) : parsing [/opt/haproxy-ssl/haproxy.conf:69] : 'server' expects and [:] as arguments.
[ALERT] 275/135959 (10998) : Error(s) found in configuration file : /opt/haproxy-ssl/haproxy.conf
[WARNING] 275/135959 (10998) : Proxy 'ha_stats': in multi-process mode, stats will be limited to process assigned to the current request.
[WARNING] 275/135959 (10998) : stats socket will not work correctly in multi-process mode (nbproc > 1).
[ALERT] 275/135959 (10998) : Fatal errors found in configuration.
And the haproxy -vv command return:
HA-Proxy version 1.5-dev12 2012/09/10
Built without OpenSSL support (USE_OPENSSL not set)
I don't understand why openssl is not set though I haven't any error during installation.
OS: Debian 2.6.32-5-xen-amd64
OPENSSL: OpenSSL 0.9.8o 01 Jun 2010
Do you have an idea?
Thanks
UPDATE:
Solved with the install of:
libssl-dev
And then, new make target, new prefix and its works.

Install libssl-dev before execute the make command and haproxy with ssl should be works.

You can install latest OpenSSL in both Centos and Ubuntu.
RHEL :
yum install -y make GCC Perl pcre-devel zlib-devel
Ubuntu :
apt-get install build-essential make g++ libssl-dev
Now,
# wget -O /tmp/openssl.tgz https://www.openssl.org/source/openssl-1.0.2-latest.tar.gz
# tar -zxf /tmp/openssl.tgz -C /tmp
# cd /tmp/openssl-*
# ./config --prefix=/usr --openssldir=/etc/ssl --libdir=lib no-shared zlib-dynamic
# make
# make install_sw
You can check that OpenSSL version by below command,
# openssl version
OpenSSL 1.0.2j 26 Sep 2016

Related

redis-cli: Unrecognized option or bad number of args for: '--tls'

I'm trying to start a redis server with the support for tls. Based on the documentation (https://redis.io/topics/rediscli) I execute this command:
redis-cli -a xxxxxxxxx --tls --cacert ../config/certs/test-ca.crt
But it return this error:
Unrecognized option or bad number of args for: '--tls'
My redis-cli version is 6.0.9
I can't figure out what am I missing. How can I fix this?
When you performed make of the redis, you should run as:
make BUILD_TLS=yes
Install dependencies
update package information from repo
sudo apt update
install build dependencies
sudo apt install -y build-essential pkg-config libssl-dev tcl libjemalloc-dev wget
Download and extract the redis-cli source file
download the package
wget http://download.redis.io/redis-stable.tar.gz
extract the package
tar xvzf redis-stable.tar.gz
go inside the extracted directory
cd redis-stable
Build with tls enabled
remove previously generated build files
make distclean
build with tls option
make BUILD_TLS=yes
Once completed you can validate the build and connect to Redis-server
validate the redis-cli
Redis-CLI -h localhost -p 6379 --tls
localhost:6379> INFO SSL
SSL
ssl_enabled:yes
ssl_current_certificate_not_before_date:Jul 27 00:00:00 2021 GMT
ssl_current_certificate_not_after_date:Aug 25 23:59:59 2022 GMT
ssl_current_certificate_serial:ABCDEFGKKSHDJKAHSD05A15BF008A57002E8

cloudflare install error on apache : httpd is needed by mod_cloudflare

I tried to install mod_cloudflare on Apache.
but it says :
# rpm -i mod_cloudflare-el6-x86_64.latest.rpm
mod_cloudflare-el6-x86_64.latest.rpm: Header V4 DSA/SHA1 Signature, key ID 8e5f9a5d: NOKEY
error: Failed dependencies:
httpd is needed by mod_cloudflare-1.2.0-1360806316.el6.x86_64
but I have apache installed :
# httpd -v
Server version: Apache/2.4.12 (Unix)
Server built: Apr 16 2015 16:27:46
Cpanel::Easy::Apache v3.28.7 rev9999
How can I make it work?!
have you install glibc
try yum install glibc.i686 and try rpm -i mod_cloudflare-el6-x86_64.latest.rpm again. hope it works
For CentOS:
# yum install libtool httpd-devel
# wget https://www.cloudflare.com/static/misc/mod_cloudflare/mod_cloudflare.c
# apxs -a -i -c mod_cloudflare.c
Add the following line within the Webuzo Apache Configuration:
LoadModule cloudflare_module /usr/lib64/httpd/modules/mod_cloudflare.so
Restart Apache.
mod_cloudflare is now working
You are probably better off following the manual installation guide on cloudflares site for mod_apache:
http://www.cloudflare.com/resources-downloads

Ubuntu 10.04 updating openssl for apache

My company's website is on an EC2 instance. The os is ubuntu 10.04. Currently we are using packages installed through apt-get. We have apache 2.2.14 and openssl 0.9.8k. After some security audit, I was told to update the version of openssl. The latest version of openssl on the 0.9.8 line is 0.9.8y. Is it compatible with apache 2.2.14 ? If so, Is it easy or at least possible to upgrade the openssl only ? I read it on somewhere that some people simply recommend to upgrade the whole os. Any comments ?
I did try to upgrade by downloading the tarball of
httpd-2.2.24 + openssl 0.9.8y
I installed them both under
/usr/local/apache2
/usr/local/ssl
I configured apache by
./configure --enable-modules=all --enable-mods-shared="all ssl" \
--with-ssl=/usr/local/ssl/ --enable-ssl
the /usr/local/ssl/bin/openssl does show 0.9.8y
but my web service shows apache 2.2.24 + openssl 0.9.8k
Any idea how to fix it ? Thanks.
$ ldd /usr/local/apache2/bin/httpd
...
libssl.so.0.9.8 => /lib/libssl.so.0.9.8
libcrypto.so.0.9.8 => /lib/libcrypto.so.0.9.8
...
The libssl.so.0.9.8 is still found in /lib/ system directory by the loader, not /usr/local/ssl. So you need to set LD_LIBRARY_PATH before running httpd:
$ export LD_LIBRARY_PATH=/usr/local/ssl/lib && /usr/local/apache2/bin/httpd
See also this document for more info on compatibility between apache & openssl. See this table for info on binary compatibility of openssl 0.9.8k and 0.9.8y.

Apache httpd setup and installation

I am trying to install Apache HTTP server locally in my box as a regular user (non-root).
I have downloaded Apache 2.4.1 version of Apache HTTP server [http://httpd.apache.org/download.cgi]. However when I am trying to build and install locally in my box I am getting below error:
httpd/httpd-2.4.1 1059> ./configure
checking for chosen layout... Apache
checking for working mkdir -p... yes
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking target system type... x86_64-unknown-linux-gnu
Configuring Apache Portable Runtime library ...
checking for APR... no
configure: error: APR not found. Please read the documentation.
I am not sure what dependency it is looking for - I mean the download package does not contains it? What I need to do to build / deploy Apache HTTP server?
When it tells you Please read documentation it means that you should go read Apache documentation ( http://httpd.apache.org/docs/2.4/install.html ) which tells you to
download the latest versions of both APR and APR-Util from Apache APR,
unpack them into ./srclib/apr and ./srclib/apr-util (be sure the
domain names do not have version numbers; for example, the APR
distribution must be under ./srclib/apr/)
then do
./configure --with-included-apr
For Ubuntu 11.10 this option seems to be working well:
# APR
wget http://mirrors.axint.net/apache//apr/apr-1.4.6.tar.gz
tar -xvzf apr-1.4.6.tar.gz
cd apr-1.4.6/
./configure
make
make install
cd ..
# APR Utils
wget http://mirrors.axint.net/apache//apr/apr-util-1.4.1.tar.gz
tar -xvzf apr-util-1.4.1.tar.gz
cd apr-util-1.4.1
./configure --with-apr=/usr/local/apr
make
make install
cd ..
# Apache
wget http://apache.petsads.us//httpd/httpd-2.4.1.tar.gz
tar -xvzf httpd-2.4.1.tar.gz
cd httpd-2.4.1
./configure --enable-file-cache --enable-cache --enable-disk-cache --enable-mem-cache --enable-deflate --enable-expires --enable-headers --enable-usertrack --enable-ssl --enable-cgi --enable-vhost-alias --enable-rewrite --enable-so --with-apr=/usr/local/apr/
make
make install
cd ..
You can find more about it below
Source: VaporCreations.com
If you have Debian/Ubuntu you can just:
apt-get install libapr1-dev libaprutil1-dev
Then ./configure
Done
Here are the steps of how I installed apache-httpd on a non-root users:
Download and extract apache-httpd-2.4.2 (but before ./configuring,
making and installing it, follow the steps below:)
Download and extract APR & APR-UTIL into "./srclib/apr" &
"./srclib/apr-util" folders. This requires ./configure
--with-apr=./apache/httpd-2.4.2/srclib/apr (and) --with-included-apr (options).
Download, extract, ./configure (with) --prefix=localURL, make and
make install PCRE into "./pcre" folder. This requires ./configure
--with-pcre=/home/username/apache/pcre (option).
Configure apache-httpd by entring following command (I like to
enable certain options as written in the command below):
./configure --enable-file-cache --enable-cache --enable-disk-cache
--enable-mem-cache --enable-deflate --enable-expires --enable-headers --enable-usertrack --enable-cgi --enable-vhost-alias --enable-rewrite --enable-so --with-apr=/home/username/apache/httpd-2.4.2/srclib/apr --prefix=/home/username/apache/httpd-2.4.2/ --with-included-apr --with-pcre=/home/username/apache/pcre
Note: When configuring apache-httpd, use option "--enable-ssl" ONLY if OpenSSL is installed otherwise DON'T enable it.
Now on the command-line, enter 'make' and 'make install' command.
Open and configure the 'httpd.conf' file e.g.:
"vi /home/eddie_kumar/apache/httpd-2.4.2/conf/httpd.conf"
IMPORTANT: don't forget to change the default port from 80 to something else e.g. 8080, this is especially important for non-root
user. (How to? open httpd.conf -> search "Listen 80" -> change it
to "Listen 8080".
And that's it, now open your browser enter "localhost:8080", it should display "It works!".
If you are using fedora, you can use yum to install APR, APR-Util and PCRE. You'll also need to download apr-devel, apr-util-devel and pcre-devel.
That being said, you can just run the following command on your terminal and no more "configure: error: APR not found.. ..APR-Util and PCRE" errors.
yum -y install arp apr-devel apr-util apr-util-devel pcre pcre-devel
I'm using fedora 17 and planning on using a shell script to setup apache 2.4.3. So yum works pretty slick instead of manually downloading apr, apr-util, and pcre.
1, You need APR (apache portable runtime), which is core component of apache web server
2, If you wnat to do make install, you may need root account
3, Even if not, apache can not start to listen on unprivileged port (lower then 1024) without root account
4, gain root or ask someone with root to install apache from official repo(I don;t know which distro you run) like using yum, apt-get, etc...
Apr or pcre related errors require the source to be downloaded and Apache HTTPD "configure" process needs to be made aware of these source locations on your file system. For instance: if you downloaded the source for APR at ./srclib (relative to apache httpd) then you would use
--with-included-apr
as the configure option.
On the other hand if you want to not build but install APR / APR-UTIL, then you need the following on CentOS / RedHat:
yum install apr-util-devel apr-devel
However it might so happen that the APR version provided by yum does not match what is expected by this version of Apache httpd. In that case you could download APR and APR-UTIL and use the --with-included-apr option.
You could also build PCRE utilizing the same "configure, make, make install" process and then continue where you left off building Apache httpd.
Or you could install pcre:
yum install pcre-devel
If while building PCRE: you see "compile: unrecognized option" then perhaps you would need other dependencies as well: Please see the details at:
http://khanna111.com/wordPressBlog/2012/09/11/94087-2/
It also covers "mod_deflate" and "zlib" as well.
Basic steps
tar -xvf httpd-2.4.1-customized.tar -C ../
#Balancer folder will be created
tar -xvzf openssl-1.0.1.tar.gz -C /balancer/
cd ->/balancer/openssl-1.0.1
./config --prefix=/usr/local/ssl/ shared zlib-dynamic enable-camellia
make depend
make
make install
tar -xvzf pcre-8.30.tar.gz -C ../balancer/
/balancer/pcre-8.30
./configure --prefix=/usr/local/pcre/
make
make install
remove pcre and openssl
Installing and compiling the Apache server on Ubuntu machine
step 1:Install the Java JDK
sudo apt install openjdk-11-jdk
sudo gedit /etc/environment
JAVA_HOME="/usr/lib/jvm/openjdk-11"
source /etc/environment
echo $JAVA_HOME
verify the java version
javac --version
**** install Other required packages:**
sudo apt-get install apache2-dev -y
sudo apt-get install libpcre3 libpcre3-dev
Step 2 :To Install Apache HTTP Server
#1 For ubuntu ,install development tools including the C compiler:
sudo apt-get install build-essential checkinstall
#2 Download and Extract the required files
assuming that all the files have been downloaded into the ~/Downloads directory
Download the Apache HTTP Server httpd-2.4.41.tar.gz from Apache download page (https://httpd.apache.org/download.cgi)
and following required libraries for compiling the apache HTTP server:
apr-1.7.0.tar.gz(http://apr.apache.org/download.cgi)
apr-util-1.6.1.tar.gz(http://apr.apache.org/download.cgi)
pcre2-10.34.tar.gz (ftp://ftp.pcre.org/pub/pcre/) http://pcre.org/
****Read Requirements Section(http://httpd.apache.org/docs/2.4/install.html)***
#3 Extract the tar files
tar -xvf httpd-2.4.41.tar.gz
tar -xvf apr-1.7.0.tar.gz
tar -xvf apr-util-1.6.1.tar.gz
tar -xvf pcre2-10.34.tar.gz
after extraction you should see following list of directories in ~/Downloads
httpd-2.4.41
apr-1.7.0
apr-util-1.6.1
pcre2-10.34
#4 Create a directory for the apache HTTP Server
*make sure to give all rights to this directory so that while compiling files can be read/written
sudo mkdir /home{your username here}/apache
To give all permissions to a apache directory :
sudo chmod -R 777 /home{your username here}/apache
#5 copy the arp and arp-util directory into the ~/Downloads/httpd-2.4.41/srclib/
cd ~/Downloads
mv apr-util-1.6.1 ~/Downloads/httpd-2.4.41/srclib/apr-util
mv apr-1.7.0 ~/Downloads/httpd-2.4.41/srclib/apr
#6 Configure the sources for compilation.
The --prefix option can be used to install the Web server in a location where you can write files.
cd ~/Downloads/httpd-2.4.41/
./configure --prefix=/home/{username here}/apache --with-pcre=~/Downloads/pcre2-10.34
NOTE:
If you have some problems while running above command,you can also try
insallting pcre in /usr/local/pcre, using
./configure --prefix=/usr/local/pcre
make
sudo make install
commands and then by running folllowing commands:
cd ~/Downloads/httpd-2.4.41/
./configure --prefix=/home/{username here}/apache --with-pcre=/usr/local/pcre
make
sudo make install
If you still face some problems ,make sure that ~/apache and its nested directory have read/write permissions. if not run **sudo chmod -R 777 /home{your username here}/apache** command again.
#7 Compile Apache HTTP Server.
cd ~/Downloads/httpd-2.2.25
sudo make
#8 Install Apache HTTP Server.
cd ~/Downloads/httpd-2.2.25
sudo make install
Optional
#9 To Prepare Your Hosts File
sudo gedit /etc/hosts
27.0.0.1 localhost www.example.com
sudo gedit /home/{your username here}/apache/conf/httpd.conf
and copy:
Listen 8000
ServerName www.example.com:8000
#10 Test the installation to ensure Apache HTTP Server is working.
/home/{your username here}//apache/bin/apachectl -k start

How to determine if OpenSSL and mod_ssl are installed on Apache2

Does anyone know the command to determine if OpenSSL and mod_ssl are installed on Apache2?
If you have PHP installed on your server, you can create a php file, let's called it phpinfo.php and add this <?php echo phpinfo();?>, and open the file in your browser, this shows information about your system environment, to quickly find info about your Apache loaded modules, locate 'Loaded Modules' on the resulting page.
If you have PHP installed on your server, you can chek it in runtime using "extension_loaded" funciontion. Just like this:
<?php
if (!extension_loaded('openssl')) {
// no openssl extension loaded.
}
?>
Usually, when you compile your apache2 server (or install it by packages facility stuff), you can check any directive that're available to be used by tapping this command:
~# $(which httpd) -L | grep SSL # on RHEL/CentOS/Fedora
~# $(which apache2) -L | grep SSL # on Ubuntu/Debian
~# $(which httpd2) -L | grep SSL # on SUSE
If you don't see any SSL* directive, it means that you don't have apache2 with mod_ssl compiled.
The default Apache install is configured to send this information on the Server header line. You can view this for any server using the curl command.
$ curl --head http://localhost/
HTTP/1.1 200 OK
Date: Fri, 04 Sep 2009 08:14:03 GMT
Server: Apache/2.2.8 (Unix) mod_ssl/2.2.8 OpenSSL/0.9.8a DAV/2 PHP/5.2.6 SVN/1.5.4 proxy_html/3.0.0
Use the following commands.
$ openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013 (or similar output)
For RHEL/CentOS/Fedora:
$ httpd -t -D DUMP_MODULES | grep ssl
ssl_module (shared)
For Ubuntu/Debian
$ apache2 -t -D DUMP_MODULES | grep ssl
ssl_module (shared)
For SUSE
$ httpd2 -t -D DUMP_MODULES 2>&1 | grep ssl
ssl_module (shared)
Using Apache 2, you can see what modules are currently loaded by the HTTP daemon by running the following command:
apache2ctl -M
The -M option is really just a parameter passed to httpd.
apache2ctl is a front end to the Apache HyperText Transfer Protocol
(HTTP) server. It is
designed to help the administrator control the functioning of the Apache apache2 daemon.
NOTE: The default Debian configuration requires the environment variables APACHE_RUN_USER,
APACHE_RUN_GROUP, and APACHE_PID_FILE to be set in /etc/apache2/envvars.
The apache2ctl script returns a 0 exit value on success, and >0 if an error occurs. For
more details, view the comments in the script.
Fortunately, Most flavors of Linux have OpenSSL "out of the box".
To verify installation:
openssl version
Response:
OpenSSL 1.0.1t 3 May 2016
Note: version OpenSSL 1.0.1 through 1.0.1f (inclusive)
are vulnerable to the OpenSSL Heartbleed Bug.
Versions 1.0.1g and greater are fixed.
For additional install info:
Ubuntu/Debian
dpkg -l | grep -i openssl
Response:
ii libcrypt-openssl-random-perl 0.04-2+b1 amd64 module to access the OpenSSL pseudo-random number generator
ii libcurl3:amd64 7.38.0-4+deb8u5 amd64 easy-to-use client-side URL transfer library (OpenSSL flavour)
ii libgnutls-openssl27:amd64 3.3.8-6+deb8u4 amd64 GNU TLS library - OpenSSL wrapper
ii openssl 1.0.1t-1+deb8u6 amd64 Secure Sockets Layer toolkit - cryptographic utility
ii python-ndg-httpsclient 0.3.2-1 all enhanced HTTPS support for httplib and urllib2 using PyOpenSSL
ii python-openssl 0.14-1 all Python 2 wrapper around the OpenSSL library
ii ssl-cert 1.0.35 all simple debconf wrapper for OpenSSL
Yea, OpenSSL is installed!
To install OpenSSL if you don't have it, try:
Debian/Ubuntu:
sudo apt-get install openssl
RedHat/CentOS:
yum install openssl
To determine openssl & ssl_module
# rpm -qa | grep openssl
openssl-libs-1.0.1e-42.el7.9.x86_64
openssl-1.0.1e-42.el7.9.x86_64
openssl098e-0.9.8e-29.el7.centos.2.x86_64
openssl-devel-1.0.1e-42.el7.9.x86_64
mod_ssl
# httpd -M | grep ssl
or
# rpm -qa | grep ssl
You should install this Apache mod, http://httpd.apache.org/docs/2.0/mod/mod_info.html, it basically gives you a run down of the mods you're using and the Apache settings.
I have this enabled on my Apache and it gives me this info for my website,
Server Version: Apache/2.2.3 (Debian) mod_jk/1.2.18 PHP/5.2.0-8+etch13 mod_ssl/2.2.3 OpenSSL/0.9.8c mod_perl/2.0.2 Perl/v5.8.8
If you just run openssl in your terminal it should present the openSSL shell. My first clue to knowing that I didn't have mode_ssl was when I got the following error after adding SSLEngine on in my virtualhost file:
Invalid command 'SSLEngine', perhaps misspelled or defined by a module not included in the server configuration
In centos I just had to install it via yum install mod_ssl
Just look in the ssl_engine.log in your Apache log directory where you should find something like:
[ssl:info] [pid 5963:tid 139718276048640] AH01876: mod_ssl/2.4.9 compiled against Server: Apache/2.4.9, Library: OpenSSL/1.0.1h
Create a test.php file with the following code in a www folder:
<?php echo phpinfo();?>
When you navigate to that page/URL in the browser. You will see something similar if you have openssl enabled:
Enable mod_ssl in httpd.conf and restart the apache. You will see the openssl information in error.log as below
[Fri Mar 23 15:13:38.448268 2018] [mpm_worker:notice] [pid 8891:tid 1] AH00292: Apache/2.4.29 (Unix) OpenSSL/1.0.2n configured -- resuming normal operations
[Fri Mar 23 15:13:38.448502 2018] [core:notice] [pid 8891:tid 1] AH00094: Command line: '/opt/apps/apache64/2.4.29/bin/httpd'
to verify in php command lie
$php -i | grep openssl
In my case this is how I got the information:
find where apache logs are located, and go there, in my case:
cd /var/log/apache2
find in which log openssl information can be found:
grep -i apache.*openssl *_log
e.g. error_log ...
to get fresh information, restart apache, e.g.
rcapache2 restart # or service apache2 restart
check for last entries in the log, e.g.
/var/log/apache2 # tail error_log
[Thu Jun 09 07:42:24 2016] [notice] Apache/... (Linux/...) mod_ssl/2.2.22 OpenSSL/1.0.1t ...
To find the ssl version
Go to Apache bin folder in command prompt
Enter these commands "openssl version"