Monthly archive: November 2013

Compiling Apache 2.4.7 and installing it locally

The Apache shipped with Ubuntu 12.04.3 LTS is currently still version 2.2.22, and its mod_ssl unfortunately offers none of the ECDHE cipher suites that „Forward Secrecy“ (as SSL Labs rates it) requires. To find out, at least experimentally, how well or how badly a compatible version (e.g. 2.4.7) can be compiled and used, I worked my way through the configuration on an Ubuntu 12.04.3 LTS server, and the result is this script, „compile_apache.sh“.

So that the test Apache does not conflict with my regular installation, the script also changes the ports right away (80 -> 65080 and 443 -> 65443) and enables the SSL settings recommended by SSL Labs. Both ports are above 1024, so the test instance runs as an unprivileged user and never needs root. For the Apache to work with SSL, the key material still has to be put in place:

${TARGETINSTALLDIR}/conf/server.crt
${TARGETINSTALLDIR}/conf/server.key

At the end of the script two shell scripts (run.sh and stop.sh) are created in the target directory, and the SSL keys are copied over from the regular server (that copy is not part of the version printed below, so put server.crt and server.key in place by hand). If you want to use this Apache in a production environment, TARGETINSTALLDIR and the start/stop scripts naturally have to be adapted.

The script is current as of 24 November 2013; the versions of Apache, APR, APR-util, PCRE and OpenSSL listed in it are compatible with each other and compile successfully with the given configure settings. Updating to newer versions is possible, but has to be done by hand in the script. Two caveats for anything beyond a local experiment: the tarballs are fetched over plain HTTP/FTP and nothing checks a signature or checksum, so verify them against the .asc or SHA files the projects publish, and pinning fixed versions (in particular of OpenSSL) means that security updates are your job from then on, not the distribution's.

If everything worked, the Apache is reachable via HTTPS on port 65443 under the current hostname. An sslscan then gives the following result (the sslscan version in Ubuntu 12.04 only tests SSLv2, SSLv3 and TLS 1.0, which is why the TLS 1.2-only AES-GCM suites from the configured cipher list do not show up here):

user@host: sslscan hostname:65443 | grep Accepted
    Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
    Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Accepted  TLSv1  256 bits  DHE-RSA-CAMELLIA256-SHA
    Accepted  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
    Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA
    Accepted  TLSv1  128 bits  DHE-RSA-SEED-SHA
    Accepted  TLSv1  128 bits  DHE-RSA-CAMELLIA128-SHA
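Reading such a scan by eye gets tedious once the cipher list grows. As an added example (not code from the original post), here is a small bash function that audits sslscan output for exactly the properties the hardened httpd-ssl.conf is meant to enforce: every accepted suite must use ephemeral (EC)DH, must not be anonymous, must not use RC4/3DES/MD5/NULL/export ciphers, and must not have been accepted over SSLv2/SSLv3. Both sample inputs are constructed; the first reuses accepted suites from the scan above, the second imitates a server with a permissive cipher list.

```shell
#!/bin/bash
# Added example: audit "sslscan host:port" output for forward secrecy.
# Pipe the scan (or just its "Accepted" lines) into fs_check. Every accepted
# suite that undoes the hardening is printed with a reason; the function
# returns 0 when nothing was found and 1 otherwise.

fs_check() {
    local bad=0 status proto bits _ suite reason
    while read -r status proto bits _ suite; do
        [ "$status" = "Accepted" ] || continue   # skip Rejected/Failed and header lines
        reason=""
        case "$proto" in
            SSLv2|SSLv3) reason="legacy protocol, disable it via SSLProtocol" ;;
        esac
        if [ -z "$reason" ]; then
            case "$suite" in
                ADH-*|AECDH-*)                 reason="anonymous key exchange, no server authentication" ;;
                *RC4*|*DES*|*MD5*|*NULL*|EXP*) reason="weak or broken cipher/MAC" ;;
                ECDHE-*|DHE-*|EDH-*)           ;;   # ephemeral (EC)DH: forward secrecy
                *)                             reason="static key exchange, no forward secrecy" ;;
            esac
        fi
        if [ -n "$reason" ]; then
            printf 'WEAK  %-6s %3s bits  %-28s %s\n' "$proto" "$bits" "$suite" "$reason"
            bad=1
        fi
    done
    return "$bad"
}

# Constructed sample 1: accepted suites as seen on the hardened test instance
SCAN_OK='    Accepted  TLSv1  256 bits  ECDHE-RSA-AES256-SHA
    Accepted  TLSv1  256 bits  DHE-RSA-AES256-SHA
    Accepted  TLSv1  128 bits  ECDHE-RSA-AES128-SHA
    Accepted  TLSv1  128 bits  DHE-RSA-AES128-SHA'

# Constructed sample 2: what a server with a permissive cipher list might accept
SCAN_WEAK='    Accepted  SSLv3  256 bits  DHE-RSA-AES256-SHA
    Accepted  TLSv1  128 bits  RC4-SHA
    Accepted  TLSv1  256 bits  AES256-SHA
    Rejected  TLSv1  128 bits  ADH-AES128-SHA'

printf '%s\n' "$SCAN_OK"   | fs_check && echo "hardened instance: only ephemeral, authenticated key exchange accepted"
printf '%s\n' "$SCAN_WEAK" | fs_check || echo "permissive instance: the suites listed above need to go"
```

Run it as `sslscan hostname:65443 | fs_check` after every change to SSLCipherSuite; a non-zero exit makes it usable as a check in a deployment script.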

And here is the actual script, „compile_apache.sh“:

#!/bin/bash

# Simple script that fetches the sources, unpacks them in the right place,
# runs configure with the right options and so builds Apache 2.4.
# The target directory is:
TARGETINSTALLDIR=~/localapache
APACHEVERSION="2.4.7"
APRVERSION="1.5.0"
APRUTILVERSION="1.5.3"
PCREVERSION="8.33"
OPENSSLVERSION="1.0.1e"
USEMIRROR="http://ftp-stud.hs-esslingen.de/pub/Mirrors/ftp.apache.org/dist/"
HTTPAPACHE="/httpd/httpd-${APACHEVERSION}.tar.bz2"
HTTPAPR="/apr/apr-${APRVERSION}.tar.bz2"
HTTPAPRUTIL="/apr/apr-util-${APRUTILVERSION}.tar.bz2"
FTPPCRE="ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-${PCREVERSION}.tar.gz"
HTTPOPENSSL="http://www.openssl.org/source/openssl-${OPENSSLVERSION}.tar.gz"
THISDIR="${PWD}"
THISHOST=$(hostname)

# Clean up. The unpacked source trees are kept so that a rerun does not have
# to unpack again; the install directory is wiped, which also means PCRE and
# OpenSSL are rebuilt every time (comment the rm out to reuse them).
# rm -Rf httpd-${APACHEVERSION}
# rm -Rf pcre-${PCREVERSION}
[ -n "${TARGETINSTALLDIR}" ] || exit 1    # never let "rm -Rf" loose on an empty path
rm -Rf "${TARGETINSTALLDIR}"

# Download. NOTE: everything arrives over plain http/ftp and nothing here
# verifies a signature or checksum. Before using the result for anything but
# a local test, check the tarballs against the .asc/.sha files of the projects.
wget -nc "${USEMIRROR}${HTTPAPACHE}"
wget -nc "${USEMIRROR}${HTTPAPR}"
wget -nc "${USEMIRROR}${HTTPAPRUTIL}"
wget -nc "${FTPPCRE}"
wget -nc "${HTTPOPENSSL}"

# Compile PCRE
cd "${THISDIR}"
if [ ! -d "pcre-${PCREVERSION}" ]; then
  tar xfz "pcre-${PCREVERSION}.tar.gz"
fi
if [ ! -f "${TARGETINSTALLDIR}/lib/libpcre.so" ]; then
  cd "pcre-${PCREVERSION}" || exit 1
  ./configure --prefix="${TARGETINSTALLDIR}" || exit 1
  make || exit 1
  make install || exit 1
fi

# Compile OpenSSL
cd "${THISDIR}"
if [ ! -d "openssl-${OPENSSLVERSION}" ]; then
  tar xfz "openssl-${OPENSSLVERSION}.tar.gz"
fi
if [ ! -f "${TARGETINSTALLDIR}/lib/libssl.so" ]; then
  cd "openssl-${OPENSSLVERSION}" || exit 1
  if [ ! -e config.status ]; then
    # "shared": mod_ssl is linked against this OpenSSL, not the system's
    ./config shared --prefix="${TARGETINSTALLDIR}" || exit 1
  fi
  make || exit 1
  make install || exit 1
fi

# Prepare APR for APACHE (unpacked into srclib so --with-included-apr picks it up)
cd "${THISDIR}"
if [ ! -d "httpd-${APACHEVERSION}" ]; then
  tar xfj "httpd-${APACHEVERSION}.tar.bz2"
fi
cd "httpd-${APACHEVERSION}/srclib" || exit 1

if [ ! -d apr ]; then
  tar xfj "../../apr-${APRVERSION}.tar.bz2"
  mv "apr-${APRVERSION}" apr
fi

if [ ! -d apr-util ]; then
  tar xfj "../../apr-util-${APRUTILVERSION}.tar.bz2"
  mv "apr-util-${APRUTILVERSION}" apr-util
fi

# Compile APACHE
cd "${THISDIR}/httpd-${APACHEVERSION}" || exit 1
if [ ! -e config.status ]; then
  ./configure --with-included-apr --prefix="${TARGETINSTALLDIR}" \
      --with-pcre="${TARGETINSTALLDIR}" --with-ssl="${TARGETINSTALLDIR}" \
      --enable-file-cache --enable-cache --enable-disk-cache --enable-mem-cache \
      --enable-deflate --enable-expires --enable-headers --enable-usertrack \
      --enable-ssl --enable-cgi --enable-vhost-alias --enable-rewrite --enable-so || exit 1
fi
echo "apache: make..."
make >log_apache_make || exit 1
echo "apache: make install..."
make install >log_apache_make_install || exit 1

# Change port and add ssl in config (the original file is kept as *-old)
mv "${TARGETINSTALLDIR}/conf/httpd.conf" "${TARGETINSTALLDIR}/conf/httpd.conf-old" || exit 1
sed "
s/^Listen 80$/Listen 65080/
s/#LoadModule ssl_module modules\/mod_ssl.so/LoadModule ssl_module modules\/mod_ssl.so/
s/#Include conf\/extra\/httpd-ssl\.conf/Include conf\/extra\/httpd-ssl\.conf/
s/#LoadModule socache_shmcb_module modules\/mod_socache_shmcb.so/LoadModule socache_shmcb_module modules\/mod_socache_shmcb.so/
" "${TARGETINSTALLDIR}/conf/httpd.conf-old" >"${TARGETINSTALLDIR}/conf/httpd.conf" || exit 1

# SSL vhost: port, ServerName, and the SSL Labs cipher list of the time.
# Protocol: no SSLv2/SSLv3. Server picks the order (SSLHonorCipherOrder), so the
# ECDHE/DHE suites come first. RC4 is excluded outright; an earlier version of
# this list also named RC4 as a fallback, but a trailing !RC4 removes it anyway,
# so the positive RC4 entries were dropped.
mv "${TARGETINSTALLDIR}/conf/extra/httpd-ssl.conf" "${TARGETINSTALLDIR}/conf/extra/httpd-ssl.conf-old" || exit 1
sed "
s/Listen 443/Listen 65443/
s/<VirtualHost _default_:443>/<VirtualHost _default_:65443>/
s/ServerName www.example.com:443/ServerName ${THISHOST}:65443/
s/SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5/SSLProtocol all -SSLv2 -SSLv3\nSSLHonorCipherOrder on\nSSLCipherSuite \"EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4\"/
" "${TARGETINSTALLDIR}/conf/extra/httpd-ssl.conf-old" >"${TARGETINSTALLDIR}/conf/extra/httpd-ssl.conf" || exit 1

# Create start/stop scripts. Ports 65080/65443 are unprivileged, so these run
# as the user who owns TARGETINSTALLDIR; no root needed.
echo "#!/bin/bash
\"${TARGETINSTALLDIR}/bin/apachectl\" -f \"${TARGETINSTALLDIR}/conf/httpd.conf\" -k start" >"${TARGETINSTALLDIR}/run.sh"
echo "#!/bin/bash
\"${TARGETINSTALLDIR}/bin/apachectl\" -f \"${TARGETINSTALLDIR}/conf/httpd.conf\" -k stop" >"${TARGETINSTALLDIR}/stop.sh"
chmod u+x "${TARGETINSTALLDIR}/run.sh" "${TARGETINSTALLDIR}/stop.sh"

Prepare a self-written script and include the data in CACTI

I’m using Cacti to keep track of inbound and outbound traffic, the load on the Linux server, the ping time to my web server on the internet, etc. But I also use it for other everyday questions, like „How many users are on my TS3 server?“ or „How much power does my desktop system consume?“

For this type of question, I’ve written some scripts which each output a single value. These scripts can be written in different languages, like Perl or PHP, but I prefer writing them directly in bash.

Here’s an example which keeps track of how many users are on my TeamSpeak 3 server at any given time:

#!/bin/bash
# Polls the TeamSpeak 3 ServerQuery port and prints the number of connected
# clients in Cacti's "name:value" format.
PASSWORD="yourpassword"      # serveradmin query password: keep this file unreadable for other users
TS3HOSTNAME="localhost"
# A trailing "quit" makes the server close the connection, otherwise nc would
# wait forever; -w caps the wait (seconds) in case the port does not answer.
arr=($(printf 'use sid=1\nlogin client_login_name=serveradmin client_login_password=%s\nserverinfo\nquit\n' "${PASSWORD}" \
      | nc -w 5 "${TS3HOSTNAME}" 10011 | grep virtualserver_clientsonline))
# The serverinfo answer is one long line of key=value pairs; pick out ours.
for ((i=0; i<${#arr[@]}; i++)); do
        if [[ ${arr[${i}]} == virtualserver_clientsonline* ]]; then
                now=$(sed 's/virtualserver_clientsonline=//' <<< "${arr[${i}]}")
                let "now -= 1"      # our own query connection is counted as a client
                echo "now:${now}"
                break
        fi
done

The output is simply „now:3“ when three users were logged in at that time. As our own connection to the TS3 server also counts as a client, we must decrease the number of clients by one (let "now -= 1").
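The script above trusts the answer blindly: if the password is wrong, the serverinfo line is missing, the grep matches nothing and the script prints nothing, and if another ServerQuery client (a bot, a second Cacti poller) happens to be connected, the „minus one“ is off. As an added example, not code from the original post, here is a parser for the raw ServerQuery reply that handles both cases: it refuses any reply containing an `error id=` other than 0 and subtracts `virtualserver_queryclientsonline`, which the serverinfo answer reports alongside `virtualserver_clientsonline`, instead of a fixed 1. The two sample replies are constructed (the error ids and messages follow the TS3 ServerQuery format; the server name and counts are made up), and the `ts3_poll` wrapper with its password file path `/etc/cacti/ts3.pass` is an assumption about how one would deploy it, not something Cacti or TeamSpeak prescribe.

```shell
#!/bin/bash
# Added example: robust parsing of a TeamSpeak 3 ServerQuery reply for Cacti.
# ts3_count_clients reads the raw reply on stdin and prints "now:N", where N
# is the number of non-query clients. Returns 1 (printing why on stderr) when
# any command in the session failed or no serverinfo data came back, so that
# Cacti records a gap instead of a bogus value.

ts3_count_clients() {
    local response errline clients query
    response=$(tr -d '\r')        # TS3 terminates lines with "\n\r"
    # Every command is answered with "error id=N msg=...". id=0 means ok; anything
    # else (wrong password, missing permission) makes the count meaningless.
    errline=$(printf '%s\n' "$response" | grep '^error id=' | grep -v '^error id=0 ' | head -n 1)
    if [ -n "$errline" ]; then
        # TS3 escapes spaces in messages as "\s"; undo that for the log line
        echo "query failed: $(printf '%s' "$errline" | sed 's/\\s/ /g')" >&2
        return 1
    fi
    clients=$(printf '%s\n' "$response" | grep -o 'virtualserver_clientsonline=[0-9]*' | cut -d= -f2)
    query=$(printf '%s\n' "$response" | grep -o 'virtualserver_queryclientsonline=[0-9]*' | cut -d= -f2)
    if [ -z "$clients" ]; then
        echo "query failed: no serverinfo data in reply" >&2
        return 1
    fi
    # Subtract all query connections (ours included); fall back to the
    # original post's "minus one" if the field is ever missing.
    echo "now:$(( clients - ${query:-1} ))"
}

# Live poll (not run here): password from a root-owned file readable by the
# poller's group instead of being embedded in a world-readable script.
# "quit" makes the server close the connection; -w bounds the wait in seconds.
ts3_poll() {
    local host="${1:-localhost}" pwfile="${2:-/etc/cacti/ts3.pass}" password   # assumed path
    password=$(cat "$pwfile") || return 1
    printf 'use sid=1\nlogin client_login_name=serveradmin client_login_password=%s\nserverinfo\nquit\n' "$password" \
        | nc -w 5 "$host" 10011 | ts3_count_clients
}

# Constructed sample: successful session, 4 clients of which 1 is a query client
SAMPLE_OK='TS3
Welcome to the TeamSpeak 3 ServerQuery interface, type "help" for a list of commands and "help <command>" for information on a specific command.
error id=0 msg=ok
error id=0 msg=ok
virtualserver_unique_identifier=abcDEF virtualserver_name=Example\sServer virtualserver_clientsonline=4 virtualserver_queryclientsonline=1 virtualserver_maxclients=32
error id=0 msg=ok
error id=0 msg=ok'

# Constructed sample: wrong password, so serverinfo is refused as well
SAMPLE_BAD='TS3
Welcome to the TeamSpeak 3 ServerQuery interface, type "help" for a list of commands and "help <command>" for information on a specific command.
error id=0 msg=ok
error id=520 msg=invalid\sloginname\sor\spassword
error id=2568 msg=insufficient\sclient\spermissions
error id=0 msg=ok'

printf '%s\n' "$SAMPLE_OK"  | ts3_count_clients                                  # now:3
printf '%s\n' "$SAMPLE_BAD" | ts3_count_clients || echo "(no value handed to Cacti)"
```

For Cacti the script body becomes `ts3_poll "$1"`, with the Input String passing the host; a failed poll then leaves the RRD slot unknown rather than recording a fake drop to -1 users.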

When the script works as expected, put it into the CACTI-scripts-directory:

/usr/share/cacti/site/scripts

And make sure that it is executable by the user Cacti’s poller runs as. The simplest way is to make it executable for everyone, as shown here, but note that this also makes it world-readable, and the script contains the serveradmin password: anyone with a shell on the box can read it. Better is to leave it owned by root, set its group to the poller’s group and use mode 750.

root@host:/usr/share/cacti/site/scripts# ls -lA ts3.sh
-rwxr-xr-x 1 root root 388 Sep 26 11:22 ts3.sh

Now log into your Cacti, switch to the console tab and follow these steps:

  1. Data Input Methods: Add a new one, reference the script (Input Type: Script/Command) with this Input String: /bin/bash <path_cacti>/scripts/ts3.sh
    Make sure to add all „Output Fields“ as well; these are the data that come from your script. In the TS3 users example above, this would be „now“.
  2. Data Templates: Choose the just-added Data Input Method as „Data Input Method“. Under „Data Source Item“ create ALL items which are relevant for this graph, and choose the fields created in step 1 as their Output Field.
  3. Graph Templates: Create all necessary graphs. Remember that you can easily peek at other graphs to see which values might be useful: the graph itself („AREA“) and the printed values below it („GPRINT“).
  4. Data Sources: Add our Data Template as a Data Source. Remember to SAVE.
  5. Graph Management: -> ADD; the newly created Data Sources are available now.
  6. Devices: Associated Graph Templates: Add the new graph template (from step 3) to the device.