Sun Cluster Data Service for Apache Guide for Solaris OS

Installing and Configuring Apache

The Apache webserver can be installed and set up as either a non secure or a secure webserver. This section provides procedures for both types of installations. To install a non secure version of the webserver, see one of the following procedures.

To install a secure version of the webserver, see one of the following procedures.

Sun Cluster HA for Apache works with the Apache software configured as either a web server or a proxy server.

See Apache documentation at http://www.apache.org for standard installation instructions. Contact your Sun sales representative for a complete list of Apache versions that are supported with the Sun Cluster software.


Note –

The Sun Cluster HA for Apache can be configured to run in a whole root or a sparse root non-global zone, if required.


Installing a Non-Secure Apache Webserver

This section provides procedures for installing a non-secure Apache webserver. For procedures for installing a secure Apache webserver, see Installing a Secure Apache Webserver.

ProcedureHow to Install and Configure the Apache Software From the Solaris CD-ROM

This procedure installs a non secure version of the Apache webserver. For procedures for installing a secure Apache webserver, see Installing a Secure Apache Webserver.

The Apache binaries are included in three packages—SUNWapchr, SUNWapchu, and SUNWapchd—that form the SUNWCapache package metacluster. You must install the SUNWapchr package before you install the SUNWapchu package.

Place the Web server binaries on the local file system on each of your cluster nodes or on a cluster file system.


Note –

If you are using the clsetup utility to configure Sun Cluster HA for Apache, skip Step 2 in this procedure. The clsetup utility automates Step 2.


  1. Run the pkginfo(1) command to determine if the Apache packages SUNWapchr, SUNWapchu, and SUNWapchd have been installed.

    If these packages have not been installed, install them as follows.

    • Starting with Solaris 9, run the following command.


      # pkgadd -d Solaris-product-directory SUNWapchr SUNWapchu SUNWapchd
      
    • Starting with Solaris 10, run the following command.


      # pkgadd -G -d Solaris-product-directory SUNWapchr SUNWapchu SUNWapchd
      

    The output from the command is as follows.


    ...
    Installing Apache Web Server (root) as SUNWapchr
    ...
    [ verifying class initd ]
    /etc/rc0.d/K16apache linked-pathname
    /etc/rc1.d/K16apache linked-pathname
    /etc/rc2.d/K16apache linked-pathname
    /etc/rc3.d/S50apache linked-pathname
    /etc/rcS.d/K16apache linked-pathname
    ...
  2. Disable the START and STOP run control scripts that were just installed as part of the SUNWapchr package.

    This step is necessary because Sun Cluster HA for Apache starts and stops the Apache application after you have configured the data service. Perform the following steps.

    1. List the Apache run control scripts.

    2. Rename the Apache run control scripts.

    3. Verify that all the Apache-related scripts have been renamed.

      The following example changes the first letter in the name of the run control script from uppercase to lowercase. However, you can rename the scripts to be consistent with your normal administration practices.


      # ls -1 /etc/rc?.d/*apache
      /etc/rc0.d/K16apache
      /etc/rc1.d/K16apache
      /etc/rc2.d/K16apache
      /etc/rc3.d/S50apache
      /etc/rcS.d/K16apache
       
      # mv /etc/rc0.d/K16apache  /etc/rc0.d/k16apache
      # mv /etc/rc1.d/K16apache  /etc/rc1.d/k16apache
      # mv /etc/rc2.d/K16apache  /etc/rc2.d/k16apache
      # mv /etc/rc3.d/S50apache  /etc/rc3.d/s50apache
      # mv /etc/rcS.d/K16apache  /etc/rcS.d/k16apache
       
      # ls -1 /etc/rc?.d/*apache
      /etc/rc0.d/k16apache
      /etc/rc1.d/k16apache
      /etc/rc2.d/k16apache
      /etc/rc3.d/s50apache
      /etc/rcS.d/k16apache

ProcedureHow to Install and Configure the Apache Software from the Apache Web Site

This procedure installs a non secure version of the Apache webserver. For procedures for installing a secure Apache webserver, see Installing a Secure Apache Webserver.

Place the web server binaries on the local file system on each of your cluster nodes or on a cluster file system.

  1. On a cluster member, become superuser or assume a role that provides solaris.cluster.admin RBAC authorization.

  2. Install the Apache software using the installation procedures found in the Apache installation documentation.

    Install the Apache software using the Apache installation documentation you received with your Apache software or see the installation instructions at http://www.apache.org.

  3. Update the httpd.conf configuration file.

    • Set the ServerName directive. (In Version 2.0 of Apache, the ServerName directive specifies the hostname and the port.)

    • Set the BindAddress directive (optional). (The BindAddress directive only exists in versions prior to Apache 2.0. For Apache 2.0, see the following bullet for the Listen directive.)

    • Set the Listen directive. The Listen directive must use the address of the logical host or shared address. (The Listen directive only exists in Apache 2.0 and beyond. For Apache versions prior to Apache 2.0, see the previous bullet for the BindAddress directive.)

    • Set the ServerType, ServerRoot, DocumentRoot, ScriptAlias, and LockFile directives.


      Note –

      The ServerType directive does not exist in Apache 2.0.


    • Set the Port directive to the same number as the Port_list standard resource property. See Step 4 for more information.

    • Make changes to run as a proxy server if you choose to run the Apache software as a proxy server. See the Apache documentation for more information. If you will run the Apache software as a proxy server, the CacheRoot setting must point to a location on the cluster file system.


    Note –

    If you are using the clsetup utility to configure Sun Cluster HA for Apache, you do not need to update the BindAddress, ServerRoot, and Port directives. These directives are automatically updated when you run the clsetup utility.


  4. Verify that the port number or numbers in the httpd.conf file match those of the Port_list standard resource property.

    You can edit the httpd.conf configuration file to change its port number or numbers to match the standard Sun Cluster resource property default (port 80). Alternatively, while you configure Sun Cluster HA for Apache, you can set the Port_list standard property to match the setting in the httpd.conf file.

  5. Update the paths in the Apache start/stop script file (Bin_dir/apachectl).

    You must change the paths from the Apache defaults to match your Apache directory structure. For example, change the line in the BIN_dir/apachectl script beginning with HTTPD=/usr/local/apache/bin/httpd to the following.


    HTTPD='/usr/local/apache/bin/httpd -f /global/foo/apache/conf/httpd.conf'
    
  6. Perform the following tasks to verify your configuration changes.

    1. Run apachectl configtest to check the Apache httpd.conf file for correct syntax.


      Note –

      If you are using the clsetup utility to configure Sun Cluster HA for Apache, skip this step. This step is automatically executed when you run the clsetup utility.


    2. Ensure that any logical hostnames or shared addresses that Apache uses are configured and online.

    3. Issue apachectl start to start up your Apache server by hand.

      If Apache does not start up correctly, correct the problem.

    4. After Apache has started, stop it before moving to the next procedure.

Installing a Secure Apache Webserver

This section provides procedures for installing a secure Apache webserver. For procedures for installing a non-secure Apache webserver, see Installing a Non-Secure Apache Webserver.

ProcedureHow to Install and Configure the Apache Software Using mod_ssl

This procedure installs a secure version of the Apache webserver. For procedures for installing a non-secure Apache webserver, see Installing a Non-Secure Apache Webserver.

  1. On a cluster member, become superuser or assume a role that provides solaris.cluster.admin RBAC authorization.

  2. Install the Apache software, including mod_ssl.

    To install mod_ssl, see the Apache installation documentation or the installation instructions at http://www.modssl.org.

  3. Update the httpd.conf configuration file.

    • Set the ServerName directive.

    • Set the BindAddress directive (optional).

    • Set the ServerType, ServerRoot, DocumentRoot, ScriptAlias, and LockFile directives.

    • Set the Port directive to the same number as the Port_list standard resource property. See Step 4 for more information.

    • Make changes to run as a proxy server if you choose to run the Apache software as a proxy server. See the Apache documentation for more information. If you plan to run the Apache software as a proxy server, the CacheRoot setting must point to a location on the cluster file system.

  4. Verify that the port number or numbers in the httpd.conf file match those of the Port_list standard resource property.

    You can edit the httpd.conf configuration file to change its port number or numbers to match the standard Sun Cluster resource property default (port 80). Alternatively, while you configure Sun Cluster HA for Apache, you can set the Port_list standard property to match the setting in the httpd.conf file.

  5. Install all certificates and keys.

  6. In Bin_dir directory, create a file called keypass. Make sure that no one other than the owner has any permissions for this file.


    # cd Bin_dir
    # touch keypass
    # chmod 700 keypass
    
  7. If you are using an encrypted private key or keys, perform the following Step a and Step b.

    1. In the httpd.conf file, look for SSLPassPhraseDialog directive and modify it as follows.


      # SSLPassPhraseDialog exec:/Bin_dir/keypass
      

      See the mod_ssl documentation for details about the SSLPassPhraseDialog directive.

    2. Edit the keypass file so that it prints the pass phrase for the encrypted key corresponding to a host and a port.

      This file will be called with server:port algorithm as arguments. Make sure that the file can print the pass phrase for each of your encrypted keys when called with the correct parameters.

      Later, when you attempt to start the web server manually, it must not prompt you for a pass phrase. For example, for a secure web server listening on ports 8080 and 8888, with private keys for both encrypted using RSA, the keypass file could be the following.


      # !/bin/ksh
      host=`echo $1 | cut -d: -f1`
      port=`echo $1 | cut -d: -f2`
      algorithm=$2
      
      if [ "$host" = "phys-schost-1.example.com" -a "$algorithm" = "RSA" ]; then
         case "$port" in
         8080) echo passphrase-for-8080;;
         8888) echo passphrase-for-8888;;
         esac
      fi

      Note –

      The keypass file must not be readable, writable, or executable by anyone other than the owner.


  8. In the httpd.conf file, set the SSLLogLevel to warn to avoid logging a message every time the web server is probed by Sun Cluster HA for Apache.


    SSLLogLevel warn
  9. Update the paths in the Apache start/stop script file (Bin_dir/apachect1).

    You must change the paths from the Apache defaults to match your Apache directory structure.

  10. Perform the following tasks to verify your configuration changes.

    1. Run apachectl configtest to check the Apache httpd.conf file for correct syntax.

    2. Ensure that any logical hostnames or shared addresses that Apache uses are configured and online.

    3. Issue apachectl start to start up your Apache server by hand.

      Make sure that the web server does not ask you for a passphrase.

      If Apache does not start up correctly, correct the problem.

    4. After Apache has started, stop it before moving to the next procedure.

ProcedureHow to Install and Configure the Apache Software Using apache-ssl

This procedure installs a secure version of the Apache webserver. For procedures for installing a non-secure Apache webserver, see Installing a Non-Secure Apache Webserver.

  1. On a cluster member, become superuser or assume a role that provides solaris.cluster.admin RBAC authorization.

  2. Install the Apache software, including apache-ssl, using the installation procedures found in the Apache installation documentation.

    To install apache-ssl, see the Apache installation documentation or the installation instructions at http://www.apache-ssl.org.

  3. Update the httpd.conf configuration file.

    • Set the ServerName directive.

    • Set the BindAddress directive (optional).

    • Set the ServerType, ServerRoot, DocumentRoot, ScriptAlias, and LockFile directives.

    • Set the Port directive to the same number as the Port_list standard resource property. See Step 4 for more information.

    • Make changes to run as a proxy server if you choose to run the Apache software as a proxy server. See the Apache documentation for more information. If you will run the Apache software as a proxy server, the CacheRoot setting must point to a location on the cluster file system.

  4. Verify that the port number or numbers in the httpd.conf file match those of the Port_list standard resource property.

    You can edit the httpd.conf configuration file to change its port number or numbers to match the standard Sun Cluster resource property default (port 80). Alternatively, while you configure Sun Cluster HA for Apache, you can set the Port_list standard property to match the setting in the httpd.conf file.

  5. Install all certificates and keys.

  6. Make sure that all your private keys are stored unencrypted.

    Later, when you attempt to start the web server manually, it must not prompt you for a pass phrase.

  7. Update the paths in the Apache start/stop script file (Bin_dir/httpsdct1).

    You must change the paths from the Apache defaults to match your Apache directory structure.

  8. Perform the following tasks to verify your configuration changes.

    1. Run httpsdctl configtest to check the Apache httpd.conf file for correct syntax.

    2. Ensure that any logical hostnames or shared addresses that Apache uses are configured and online.

    3. Issue httpsdctl start to start up your Apache server by hand.

      If Apache does not start up correctly, correct the problem.

    4. After Apache has started, stop it before moving to the next procedure.

Next Steps

If you did not install the Sun Cluster HA for Apache during your initial Sun Cluster installation, go to Installing the Sun Cluster HA for Apache Packages. Otherwise, go to Registering and Configuring Sun Cluster HA for Apache.