Mac OS X Unleashed

By John Ray and William C. Ray

Rebuilding and Securing Apache

Many of today's hot Web sites include e-commerce or other private areas that require secure communications. Unfortunately, although Mac OS X does ship with SSL support built into Apache, it is neither enabled nor easily configured. In addition, the version of Apache shipped with Mac OS X lags several releases behind the current one. This isn't cause for great alarm, but it does make things tricky for system administrators who want to stay current with the supplied BSD software.

There are two goals to rebuilding and securing Apache. The first, obviously, is to rebuild Apache from the latest source code available from Apache.org. The second, intimately related, goal is to configure Apache for SSL communications during the rebuild. If you have no need for secure Web services, skip this section.

Building Apache

To build Apache with SSL support, we need a few components before we can get started. Unlike most Apache modules, the mod_ssl software must be compiled at the same time as the Apache source code. In addition, you will need to download the OpenSSL software that mod_ssl uses for security. Some of this software is included on Mac OS X, but is missing the necessary header files to complete the installation. Rather than muddling with partially broken software, it's easiest to just install from scratch.

First, download the latest Apache source from http://www.apache.org/, the most current version of mod_ssl from http://www.modssl.org, and the Darwin-patched OpenSSL distribution from http://www.stepwise.com. Place them in a common build directory:

[localhost:~] jray% mkdir apachebuild
[localhost:~] jray% cd apachebuild/
[localhost:~/apachebuild] jray% wget http://www.modssl.org/source/mod_ssl-2.8.4-1.3.20.tar.gz
[localhost:~/apachebuild] jray% wget http://httpd.apache.org/dist/httpd/apache_1.3.20.tar.gz
[localhost:~/apachebuild] jray% wget http://www3.stepwise.com/Articles/Workbench/OpenSSL-0.9.5a-3.1.tar.gz

Now, decompress and untar (tar zxf <filename> ) each of the archives:

[localhost:~/apachebuild] jray% tar zxf apache_1.3.20.tar.gz
[localhost:~/apachebuild] jray% tar zxf mod_ssl-2.8.4-1.3.20.tar.gz
[localhost:~/apachebuild] jray% tar zxf OpenSSL-0.9.5a-3.1.tar.gz

All done! Let's move on.

Preparing mod_ssl

The next step is to prepare mod_ssl; this can be skipped if you are simply upgrading Apache and have no desire to add SSL support. From within the mod_ssl distribution directory, run ./configure --with-apache=<path to Apache source distribution>, substituting the name of your Apache source directory. This step patches the Apache source tree (adding the Extended API, EAPI, that mod_ssl depends on), which is why it must happen before Apache itself is configured:

[localhost:~/apachebuild/mod_ssl-2.8.4-1.3.20] jray% ./configure --with-apache=../apache_1.3.20
Configuring mod_ssl/2.8.4 for Apache/1.3.20
 + Apache location: ../apache_1.3.20 (Version 1.3.20)
 + Auxiliary patch tool: ./etc/patch/patch (local)
 + Applying packages to Apache source tree:
   o Extended API (EAPI)
   o Distribution Documents
   o SSL Module Source
   o SSL Support
   o SSL Configuration Additions
   o SSL Module Documentation
   o Addons
Done: source extension and patches successfully applied.

The mod_ssl configure script ends by printing several additional instructions on how to finish the Apache installation. Do not follow them; they omit options used below, and an Apache built that way would be missing some important functions.

Preparing OpenSSL

Now it's time to set up the OpenSSL system; again, skip this step if you have no intention of running an SSL-enabled server. Compiling might take quite a while, depending on your system speed, so you might want to start this process and then walk away for a few minutes. To configure OpenSSL for compilation, cd into the distribution directory (OpenSSL-3-1/openssl) and type ./config:

[localhost:~/apachebuild/OpenSSL-3-1/openssl] jray% ./config
Operating system: powerpc-apple-darwin1.3.3
Configuring for Darwin
IsWindows=0
...

After the software has been configured, use make to compile OpenSSL:

[localhost:~/apachebuild/OpenSSL-3-1/openssl] jray% make
making all in crypto...
( echo "#ifndef MK1MF_BUILD"; echo "  /* auto-generated by crypto/Makefile.ssl for crypto/cversion.c */"; echo "  #define CFLAGS \"cc -O3 -fomit-frame-pointer -Wall\""; echo "  #define PLATFORM \"Darwin\""; echo "  #define DATE \"`date`\""; echo "#endif" ) >buildinf.h
...
and on...
and on...
...

Finally, it's time to compile and install Apache.

Building Apache

Building Apache is straightforward—Apple has worked with the Apache group to incorporate information about the Mac OS X (Darwin) operating system into the source code distribution. What this means to you is that Apache, when compiled and installed, will correctly integrate itself with the Mac OS X operating system.

To configure Apache for installation, first cd into the source distribution directory. If you are compiling with SSL support, you must set the SSL_BASE environment variable to point to the OpenSSL source directory you just built. Note the tcsh syntax: setenv takes the variable name and the value separated by a space, not an equals sign (in sh or bash, use export SSL_BASE=../OpenSSL-3-1/openssl instead):

[localhost:~/apachebuild/apache_1.3.20] jray% setenv SSL_BASE ../OpenSSL-3-1/openssl

Next, use ./configure --enable-module=all --enable-shared=max to set up the distribution for the Mac OS X environment. Root privileges are not actually needed for this step, since configure only writes into the source tree; if you do run it under sudo as shown here, make sure SSL_BASE is still set in the environment configure sees, or the SSL module will not be found:

[localhost:~/apachebuild/apache_1.3.20] jray% sudo ./configure --enable-module=all --enable-shared=max
Password:
Configuring for Apache, Version 1.3.20
 + using installation path layout: Darwin (config.layout)
Creating Makefile
Creating Configuration.apaci in src
Creating Makefile in src
 + configured for Darwin platform
 + setting C compiler to cc
 + setting C pre-processor to cc -E -traditional-cpp
 + checking for system header files
 + adding selected modules
    o rewrite_module uses ConfigStart/End
      enabling DBM support for mod_rewrite
    o dbm_auth_module uses ConfigStart/End
    o db_auth_module uses ConfigStart/End
      using Berkeley-DB/1.x for mod_auth_db (-lc)
    o ssl_module uses ConfigStart/End
      + SSL interface: mod_ssl/2.8.4
...

If an error occurs, make sure that you have correctly set the SSL_BASE and typed the command-line options exactly as they appear here.

Now, one tiny correction needs to be made to the SSL module Makefile. From within the main Apache source distribution, cd into src/modules/ssl/. Open the file Makefile in your favorite text editor, and look for the line that reads:

SSL_LIBS= -ldbm -lssl -lcrypto

Change it to

SSL_LIBS= -lssl -lcrypto

Darwin has no separate libdbm (the DBM routines are part of libc), so if you skip this step the link stage will fail with a missing-library error.

Finally, compile your new version of Apache by typing make from within the root level of the Apache source directory:

[localhost:~/apachebuild/apache_1.3.20] jray% make
===> src
===> src/regex
<=== src/regex
===> src/os/unix
cc -c  -I../../os/unix -I../../include   -DDARWIN -DMOD_SSL=208104 -DUSE_HSREGEX -DEAPI -DUSE_EXPAT -I../../lib/expat-lite `../../apaci` os.c
...

The compile should finish in roughly five minutes on a base 500MHz G4. When the compile finishes, Apache will display a success message with the following instructions:

+---------------------------------------------------------------------+
| Before you install the package you now should prepare the SSL       |
| certificate system by running the 'make certificate' command.       |
| For different situations the following variants are provided:       |
|                                                                     |
| % make certificate TYPE=dummy    (dummy self-signed Snake Oil cert) |
| % make certificate TYPE=test     (test cert signed by Snake Oil CA) |
| % make certificate TYPE=custom   (custom cert signed by own CA)     |
| % make certificate TYPE=existing (existing cert)                    |
|        CRT=/path/to/your.crt [KEY=/path/to/your.key]                |
|                                                                     |
| Use TYPE=dummy    when you're a  vendor package maintainer,         |
| the TYPE=test     when you're an admin but want to do tests only,   |
| the TYPE=custom   when you're an admin willing to run a real server |
| and TYPE=existing when you're an admin who upgrades a server.       |
| (The default is TYPE=test)                                          |
|                                                                     |
| Additionally add ALGO=RSA (default) or ALGO=DSA to select           |
| the signature algorithm used for the generated certificate.         |
|                                                                     |
| Use 'make certificate VIEW=1' to display the generated data.        |
|                                                                     |
| Thanks for using Apache & mod_ssl.       Ralf S. Engelschall        |
|                                          rse@engelschall.com        |
|                                          www.engelschall.com        |
+---------------------------------------------------------------------+

You now have the most recent version of Apache, and it is ready to start handling secure Web traffic! All that remains is a few more minutes of setting up a basic certificate. If you are not using SSL, you can type sudo make install and start using the new version of Apache immediately.

Creating a Certificate and Installing

Secure Web servers rely on a certificate signed by a CA (Certificate Authority) to prove their identity to clients and open an encrypted connection. Unfortunately, obtaining a certificate isn't as simple as going to a Web site and buying one. An official certificate can be issued only by a CA, and only after you generate a CSR (Certificate Signing Request) and send it in. Luckily, for the purposes of testing SSL-enabled Apache, you can sign your own certificate. A self-signed certificate encrypts the connection just as well as a CA-signed one; what the CA signature adds is assurance to the client that the server is who it claims to be, so most Web browsers will display a warning dialog when connecting to a server whose certificate isn't signed by a CA they recognize. For the purposes of this chapter, we'll assume that you want to get up and running quickly, and that you'll want to use a VeriSign or other CA-signed certificate later on.

Assuming that you're still in the Apache distribution directory, type make certificate TYPE=test. This will take you through the steps of setting up a certificate, automatically signing it using a fictional CA so that it can be used immediately, and then creating a CSR file so that you can send in a request for a real certificate in the future. Sound good? Let's give it a shot. During certificate creation, you'll be asked a series of questions about your business or organization. Of all the questions, it is most important to answer the Common Name prompt correctly. This is the fully qualified hostname that clients will use to reach your Web server (for example, www.poisontooth.com); if it doesn't match the name in the URL, browsers will warn about the certificate even after a real CA has signed it. Any questions you are unsure of can be left at their default values:

[localhost:~/apachebuild/apache_1.3.20] jray% make certificate TYPE=test
SSL Certificate Generation Utility (mkcert.sh)
Copyright (c) 1998-2000 Ralf S. Engelschall, All Rights Reserved.

Generating test certificate signed by Snake Oil CA [TEST]
WARNING: Do not use this for real-life/production systems
______________________________________________________________________

STEP 0: Decide the signature algorithm used for certificate
The generated X.509 CA certificate can contain either
RSA or DSA based ingredients. Select the one you want to use.
Signature Algorithm ((R)SA or (D)SA) [R]:
______________________________________________________________________

STEP 1: Generating RSA private key (1024 bit) [server.key]
2529186 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
...........................++++++
......++++++
e is 65537 (0x10001)
______________________________________________________________________

STEP 2: Generating X.509 certificate signing request [server.csr]
Using configuration from .mkcert.cfg
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
1. Country Name             (2 letter code) [XY]:US
2. State or Province Name   (full name)     [Snake Desert]:Ohio
3. Locality Name            (eg, city)      [Snake Town]:Dublin
4. Organization Name        (eg, company)   [Snake Oil, Ltd]:PoisonTooth, Ent.
5. Organizational Unit Name (eg, section)   [Webserver Team]:
6. Common Name           (eg, FQDN)      [www.snakeoil.dom]:www.poisontooth.com
7. Email Address        (eg, name@FQDN) [www@snakeoil.dom]:jray@poisontooth.com
8. Certificate Validity     (days)          [365]:
______________________________________________________________________

STEP 3: Generating X.509 certificate signed by Snake Oil CA [server.crt]
Certificate Version (1 or 3) [3]:
Signature ok
subject=/C=US/ST=Ohio/L=Dublin/O=PoisonTooth, Ent./OU=Webserver Team/CN=www.poisontooth.com/Email=jray@poisontooth.com
Getting CA Private Key
Verify: matching certificate & key modulus
read RSA key
Verify: matching certificate signature
../conf/ssl.crt/server.crt: OK
______________________________________________________________________

STEP 4: Enrypting RSA private key with a pass phrase for security [server.key]
The contents of the server.key file (the generated private key) has to be
kept secret. So we strongly recommend you to encrypt the server.key file
with a Triple-DES cipher and a Pass Phrase.
Encrypt the private key now? [Y/n]: n
Warning, you're using an unencrypted RSA private key.
Please notice this fact and do this on your own risk.
______________________________________________________________________

RESULT: Server Certification Files

o  conf/ssl.key/server.key
   The PEM-encoded RSA private key file which you configure
   with the 'SSLCertificateKeyFile' directive (automatically done
   when you install via APACI). KEEP THIS FILE PRIVATE!

o  conf/ssl.crt/server.crt
   The PEM-encoded X.509 certificate file which you configure
   with the 'SSLCertificateFile' directive (automatically done
   when you install via APACI).

o  conf/ssl.csr/server.csr
   The PEM-encoded X.509 certificate signing request file which
   you can send to an official Certificate Authority (CA) in order
   to request a real server certificate (signed by this CA instead
   of our demonstration-only Snake Oil CA) which later can replace
   the conf/ssl.crt/server.crt file.

WARNING: Do not use this for real-life/production systems

In this example, there is only one nonintuitive response: declining to encrypt the server key (Encrypt the private key now? [Y/n]: n). If the key is encrypted, someone will have to type the pass phrase each time the server is started, or you will have to write a script that supplies it to the server, in which case the pass phrase ends up on disk anyway, right next to the key it protects. Leaving the key unencrypted assumes that the host itself is well enough protected to keep the file safe from prying eyes, so make sure server.key stays owned by root and readable by no one else; httpd reads it while it is still running as root, before switching to the unprivileged User and Group set in httpd.conf. The Apache server and certificate are now ready to install. Type sudo make install to install the software:

[localhost:~/apachebuild/apache_1.3.20] jray% sudo make install
===> [mktree: Creating Apache installation tree]
./src/helpers/mkdir.sh /usr/bin
./src/helpers/mkdir.sh /usr/sbin
...
+--------------------------------------------------------+
| You now have successfully built and installed the      |
| Apache 1.3 HTTP server. To verify that Apache actually |
| works correctly you now should first check the         |
| (initially created or preserved) configuration files   |
|                                            |
|   /etc/httpd/httpd.conf
|                                                        |
| and then you should be able to immediately fire up     |
| Apache the first time by running:                      |
|                                                        |
|   /usr/sbin/apachectl start
|                                                        |
| Or when you want to run it with SSL enabled use:       |
|                                                        |
|   /usr/sbin/apachectl startssl
|                                                        |
| Thanks for using Apache.       The Apache Group        |
|                                http://www.apache.org/  |
+--------------------------------------------------------+

Unfortunately, the httpd.conf.default installed by the new build is the stock Apache configuration, which lacks two settings the Mac OS X layout depends on, so there are still two final changes to be made before we're done. Open the file /etc/httpd/httpd.conf.default and add the following line to the bottom of the file, so that the per-user configuration files Mac OS X keeps in /etc/httpd/users are read:

Include /private/etc/httpd/users

Next, search for the directive

UserDir public_html

and change it to

UserDir Sites

Save the configuration file, and copy it over /etc/httpd/httpd.conf (keep a backup of the original in case you need to compare settings later). Now we're ready to go. Stop the existing Apache server (apachectl stop) and start the new SSL-enabled server with apachectl startssl:

[localhost:/etc/httpd] root# /usr/sbin/apachectl stop
/usr/sbin/apachectl stop: httpd stopped
[localhost:/etc/httpd] root# /usr/sbin/apachectl startssl
Processing config directory: /private/etc/httpd/users
 Processing config file: /private/etc/httpd/users/jray.conf
 Processing config file: /private/etc/httpd/users/robyn.conf
 Processing config file: /private/etc/httpd/users/test.conf
 Processing config file: /private/etc/httpd/users/test2.conf
/usr/sbin/apachectl startssl: httpd started
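The two hand edits this chapter calls for, the -ldbm removal from src/modules/ssl/Makefile before make and the UserDir and Include changes to httpd.conf.default just shown, are easy to get wrong on a repeat build. As an added example (not code from the book), here they are as POSIX sh functions, each paired with a check you can run before continuing. Run them with sh rather than tcsh; the file paths are passed in as arguments, and the Makefile and httpd.conf contents the test below feeds them are constructed.

```shell
#!/bin/sh
# Added example, not from the book: the two hand edits described in the
# text as shell functions, each paired with a check, so a rebuild can be
# repeated without a text editor. Pass the real file paths as arguments,
# e.g. fix_ssl_libs src/modules/ssl/Makefile from the Apache source root.

# Edit 1: drop -ldbm from the SSL_LIBS line that configure writes into
# src/modules/ssl/Makefile. Darwin has no separate libdbm (the DBM calls
# are in libc), so the link step fails while -ldbm is present.
fix_ssl_libs() {
    mf=$1
    sed 's/^\(SSL_LIBS=[[:space:]]*\)-ldbm[[:space:]]*/\1/' "$mf" > "$mf.tmp" &&
        mv "$mf.tmp" "$mf"
}

# Returns 0 when no -ldbm remains on the SSL_LIBS line (safe to run make).
ssl_libs_ok() {
    ! grep -q '^SSL_LIBS=.*-ldbm' "$1"
}

# Edit 2: restore the two Mac OS X settings the stock httpd.conf.default
# lacks. Per-user sites live in ~/Sites, and the per-user configuration
# files under /private/etc/httpd/users must be Included. Both edits are
# idempotent: running them twice changes nothing.
USERS_INCLUDE='Include /private/etc/httpd/users'
darwinize_httpd_conf() {
    conf=$1
    sed 's/^UserDir[[:space:]]\{1,\}public_html[[:space:]]*$/UserDir Sites/' "$conf" > "$conf.tmp" &&
        mv "$conf.tmp" "$conf"
    grep -q "^$USERS_INCLUDE\$" "$conf" || printf '%s\n' "$USERS_INCLUDE" >> "$conf"
}

# Returns 0 when both settings are present and the old UserDir is gone.
httpd_conf_ok() {
    grep -q '^UserDir Sites$' "$1" &&
        grep -q "^$USERS_INCLUDE\$" "$1" &&
        ! grep -q '^UserDir[[:space:]]\{1,\}public_html' "$1"
}
```

Run fix_ssl_libs right after ./configure and before make, and darwinize_httpd_conf on /etc/httpd/httpd.conf.default after make install, then copy that file over httpd.conf as described above. The checks return nonzero when the edit has not taken, so they can gate the next step in a build script.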

To configure Mac OS X to automatically start Apache in SSL mode each time it boots, edit the file /System/Library/StartupItems/Apache/Apache and change the line

apachectl start

to read

apachectl startssl

That wasn't so bad, was it? Your Mac OS X machine is now a full-fledged secure Web server. To test it, open a Web browser and point it to a URL on the machine, prefacing the URL with https:// rather than the usual http://. Your browser might display a message about the certificate and signing authority not being recognized. Expect to see these messages until you replace the test certificate with one signed by a recognized CA, as described next.

Certifying Authorities

When you created your server certificate, you also created a CSR that can be sent to a CA to generate a real certificate. The certificate signing request file is stored in /etc/httpd/ssl.csr/server.csr. This file can be sent to a CA, such as

After processing your request, the CA will return a new digitally signed certificate file. Replace the existing /etc/httpd/ssl.crt/server.crt with the CA-signed certificate, but keep the same /etc/httpd/ssl.key/server.key: the signed certificate is valid only for the key that produced the CSR, and if the two don't match, mod_ssl will refuse to start. Then restart Apache (apachectl stop followed by apachectl startssl), and your server will be official.
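Two things worth checking by hand at this point are the ones the text warns about: that server.key is readable only by its owner once you have chosen to leave it unencrypted, and that the certificate you are about to install (or the CSR you are about to send) really belongs to the key on disk. As an added example, not code from the book or from mod_ssl, the functions below do both with the openssl command-line tool, report the Common Name so you can confirm it matches your hostname, and show what a running server presents. The default paths are the book's /etc/httpd locations, the file name sslcheck.sh and the hostname www.example.test are assumptions, and the key and certificate the test generates are constructed throwaways.

```shell
#!/bin/sh
# Added example (not from the book or mod_ssl): sanity checks for the
# server key and certificate, using only the openssl command-line tool.
# Default paths are the book's install locations; override by argument.

KEY_DEFAULT=/etc/httpd/ssl.key/server.key
CRT_DEFAULT=/etc/httpd/ssl.crt/server.crt
CSR_DEFAULT=/etc/httpd/ssl.csr/server.csr

# An unencrypted server.key must not be readable by group or others: httpd
# opens it while still root, before dropping to the User/Group in httpd.conf.
# Returns 0 when no group or other permission bits are set at all.
key_perms_ok() {
    set -- $(ls -ld "$1")          # $1 becomes the mode string, e.g. -rw-------
    case $1 in
        ????------*) return 0 ;;
        *)           return 1 ;;
    esac
}

# MD5 of the RSA modulus for a cert (x509), key (rsa) or request (req).
# Prints nothing and fails if the file cannot be parsed. An encrypted key
# prompts for its pass phrase; add -passin to the openssl call to avoid that.
modulus_hash() {
    m=$(openssl "$1" -noout -modulus -in "$2" 2>/dev/null) || return 1
    printf '%s\n' "$m" | openssl md5 | sed 's/.*= *//'
}

# A certificate is usable only with the key that produced its CSR. These
# return 0 when the moduli match and 1 otherwise; mod_ssl refuses to start
# on a mismatch, so check before swapping in a CA-signed server.crt.
cert_matches_key() {
    c=$(modulus_hash x509 "${1:-$CRT_DEFAULT}") || return 1
    k=$(modulus_hash rsa  "${2:-$KEY_DEFAULT}") || return 1
    [ "$c" = "$k" ]
}
csr_matches_key() {
    r=$(modulus_hash req "${1:-$CSR_DEFAULT}") || return 1
    k=$(modulus_hash rsa "${2:-$KEY_DEFAULT}") || return 1
    [ "$r" = "$k" ]
}

# The Common Name, which must equal the hostname clients use.
cert_cn() {
    openssl x509 -noout -subject -in "${1:-$CRT_DEFAULT}" |
        sed 's/.*CN *= *//; s|[,/].*||'
}

# What a running server actually presents (the book's browser test, from the
# shell). Not exercised by the test below; it needs a live server.
served_cert() {
    openssl s_client -connect "${1:-localhost}:${2:-443}" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -issuer -dates
}

# Run every check against the installed files, one line per result.
run_checks() {
    key=${1:-$KEY_DEFAULT}; crt=${2:-$CRT_DEFAULT}; csr=${3:-$CSR_DEFAULT}
    if key_perms_ok "$key"; then echo "ok: $key is private"; else echo "FAIL: $key readable by group/other"; fi
    if cert_matches_key "$crt" "$key"; then echo "ok: cert matches key"; else echo "FAIL: cert/key mismatch"; fi
    if csr_matches_key "$csr" "$key"; then echo "ok: csr matches key"; else echo "FAIL: csr/key mismatch"; fi
    echo "CN: $(cert_cn "$crt")"
}

# Runs the checks only when executed as sslcheck.sh (an assumed file name);
# when sourced from another script, only the functions are defined.
case "${0##*/}" in sslcheck.sh) run_checks "$@" ;; esac
```

Run it as root (sh sslcheck.sh) after make install and again after dropping the CA-signed certificate into /etc/httpd/ssl.crt/; served_cert www.poisontooth.com is the command-line equivalent of the browser test, and its issuer line is what changes from Snake Oil CA to your real CA once the swap is done.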
