Cross-Compiling an Apache Server with the SSL Module

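Task: build a file system for a MIPS processor that includes an Apache server with the SSL module.

The process is described step by step below:

I.       Building the cross-compilation environment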

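1.     Download the latest buildroot package, buildroot-snapshot.tar.bz2, from http://buildroot.uclibc.org/downloads/snapshots/. If you are not familiar with buildroot, see http://buildroot.uclibc.org/buildroot.html; I will translate that document and post it later for reference.

2.     Move the buildroot-snapshot.tar.bz2 package to the /home directory and run:
#tar xvf buildroot-snapshot.tar.bz2
When this completes, the buildroot directory has been created.

3.     #cd buildroot
Enter the buildroot directory.

4.     #make menuconfig
Configure buildroot. The main configuration screen is as follows:

The busybox configuration can be ignored for now and set up in detail later; those steps are skipped here.

5.     #make
Build buildroot. This takes a long time, because every package that is built has to be downloaded from the network. When the build finishes, look in the ./dl directory, which holds all the packages buildroot needed for the build. Copy all of these packages somewhere else as a backup so that they do not have to be downloaded again later.

6.     After a while the build finishes. We are not done yet, though: buildroot has to be built a second time to prepare for compiling apache, as follows.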

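7.     #make uclibc-menuconfig
Reconfigure the uclibc library. The main screen is as follows:

In the screen above, select:
String and Stdio Support --->
then press Enter and, among its sub-options, enable the following option:
[*] Support sys_siglist[] (bsd-compat),
as shown below:

8.     #cd toolchain_build_mips/uClibc-x.y.zz
where x, y and zz are the version numbers.

9.     #rm -rf ./lib
This deletes the temporary library files generated earlier. If it is skipped, the configuration from step 7 will not be compiled into the new library.

10.  #make clean
Because the temporary libraries were deleted in step 9, building directly would fail; running this first avoids the error.

11.  #cd ../../
Return to the buildroot top-level directory.

12.  #make
Build again. You may wonder why this configuration was not done at the very beginning instead of after the first build: at the beginning the uclibc package had not even been downloaded yet, so there was nothing to configure.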

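13.  #cd ./build_mips/staging_dir/usr/bin/
Enter this directory to see the generated tools; all of the generated cross-compilation tools are placed here.

14.  Add the cross-compilation tools to the environment, for example:
#vi ~/.bash_profile
Add the following line to that file:
PATH=$PATH:/home/buildroot/build_mips/staging_dir/usr/bin

15.  Log out and log back in. In a terminal, type mips- and press Tab to see the cross-compilation tools just generated, such as mips-linux-uclibc-gcc.

16.  Test the cross-compilation tools:
vi hello.c
with the following contents:
#include <stdio.h>
int main(void)
{
    /* Printed on the target board when the cross-compiled binary runs. */
    printf("Hello, Uclibc\n");
    return 0;
}
Then compile the program:
#mips-linux-uclibc-gcc hello.c
This produces the executable a.out. Inspect the file as follows:
# file a.out
a.out: ELF 32-bit MSB executable, MIPS, version 1 (SYSV), dynamically linked (uses shared libs), not stripped

The cross-compilation environment is now complete.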

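II.       Compiling apache

1.     Prepare the working directories
#mkdir -p /apache
#mkdir -p /home/tmp
#mkdir -p /www
The apache directory holds the software packages, tmp is a temporary directory, and www is the apache installation directory.

2.     Download the apache_1.3.39.tar.bz2 package into the /apache directory from http://archive.apache.org/dist/httpd/

3.     Download the mod_ssl-2.8.29-1.3.39.tar.gz package into the /apache directory from ftp://ftp.modssl.org/source/

4.     #tar xvf apache_1.3.39.tar.bz2
#tar xvf mod_ssl-2.8.29-1.3.39.tar.gz
Unpack the packages.

5.     #cd /home/tmp
Enter the temporary directory.

6.     #tar xvf ../apache/apache_1.3.39.tar.bz2
Unpack apache_1.3.39.tar.bz2 into the temporary directory.

7.     #cd apache_1.3.39
Enter the apache directory under the temporary directory.

8.     #./configure
Run apache's default configuration.

9.     #make
Build apache_1.3.39. Note that make install does not need to be run after this build finishes; this native build only supplies the helper programs that are copied in step 15.

10.  #export CC=mips-linux-uclibc-gcc
Set the CC environment variable so that apache is cross-compiled.

11.  #cd ../../apache/mod_ssl-2.8.29-1.3.39
Enter the mod_ssl directory.

12.  #./configure --with-apache=../apache_1.3.39
Configure mod_ssl, pointing the apache location at the top-level directory of the apache source in the parent directory. The output is as follows: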

+---------------------------------------------------------------------+
| Configuring mod_ssl/2.8.29 for Apache/1.3.39                         |
| + Apache location: ../apache_1.3.39 (Version 1.3.39)                  |
| + Auxiliary patch tool: ./etc/patch/patch (local)                    |
| + Applying packages to Apache source tree:                           |
|   o Extended API (EAPI)                                              |
|   o Distribution Documents                                           |
|   o SSL Module Source                                                |
|   o SSL Support                                                      |
|   o SSL Configuration Additions                                      |
|   o SSL Module Documentation                                         |
|   o Addons                                                           |
| Done: source extension and patches successfully applied.             |
|                                                                      |
| Now proceed with the following commands (Bourne-Shell syntax):       |
| $ cd ../apache_1.3.39                                                |
| $ SSL_BASE=/path/to/openssl ./configure ... --enable-module=ssl      |
| $ make                                                               |
| $ make certificate                                                   |
| $ make install                                                       |
+---------------------------------------------------------------------+

13.  #cd ../apache_1.3.39
Enter the apache directory.

14.  #./configure --enable-module=ssl --prefix=/www
Configure apache with the ssl module enabled and the installation directory set to /www. The output is as follows:

+---------------------------------------------------------------------+
| Configuring for Apache, Version 1.3.39                               |
|  + using installation path layout: Apache (config.layout)           |
| Creating Makefile                                                   |
| Creating Configuration.apaci in src                                 |
| Creating Makefile in src                                            |
|  + configured for Linux platform                                    |
|  + setting C pre-processor to mips-linux-uclibc-gcc -E             |
|  + using "tr [a-z] [A-Z]" to uppercase                              |
|  + checking for system header files                                 |
|  + adding selected modules                                          |
|     o ssl_module uses ConfigStart/End                               |
|       + SSL interface: mod_ssl/2.8.29                               |
|       + SSL interface build type: OBJ                               |
|       + SSL interface compatibility: enabled                        |
|       + SSL interface experimental code: disabled                   |
|       + SSL interface conservative code: disabled                   |
|       + SSL interface vendor extensions: disabled                   |
|       + SSL interface plugin: Built-in SDBM                         |
|       + SSL library path: [SYSTEM]                                  |
|       + SSL library version: OpenSSL 0.9.8b 04 May 2006              |
|       + SSL library type: installed package (system-wide)           |
|  + enabling Extended API (EAPI)                                     |
|  + using builtin Expat                                              |
|  + checking sizeof various data types                                 |
| ./helpers/TestCompile: line 294:                                      |
| /apache/apache_1.3.39/src/helpers/testfunc: cannot execute binary file|
| ./helpers/TestCompile: line 294:                                      |
| /apache/apache_1.3.39/src/helpers/testfunc: cannot execute binary file|
| ./helpers/TestCompile: line 294:                                      |
| /apache/apache_1.3.39/src/helpers/testfunc: cannot execute binary file|
| ./helpers/TestCompile: line 294:                                      |
| /apache/apache_1.3.39/src/helpers/testfunc: cannot execute binary file|
| ./helpers/TestCompile: line 294:                                      |
| /apache/apache_1.3.39/src/helpers/testfunc: cannot execute binary file|
|  + doing sanity check on compiler and options                         |
| Creating Makefile in src/support                                      |
| Creating Makefile in src/regex                                        |
| Creating Makefile in src/os/unix                                      |
| Creating Makefile in src/ap                                           |
| Creating Makefile in src/main                                         |
| Creating Makefile in src/lib/expat-lite                               |
| Creating Makefile in src/modules/standard                             |
| Creating Makefile in src/modules/ssl                                  |
+---------------------------------------------------------------------+
The last line of the output above clearly shows that the ssl module is being built into apache.

15.  #make
Build apache. Two errors occur during the build. The first is:

+---------------------------------------------------------------------+
| …………………………………                                          |
| ./gen_test_char >test_char.h                                        |
| /bin/sh: ./gen_test_char: cannot execute binary file                |
| …………………………………                                          |
+---------------------------------------------------------------------+
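The fix is:
cp /home/tmp/apache_1.3.39/src/main/gen_test_char ./src/main/
Then continue the build by running make again. A similar second error follows immediately, and the fix is:
cp /home/tmp/apache_1.3.39/src/main/gen_uri_delims ./src/main/
Then run make once more to continue the build. When it completes, the following message is shown: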
+---------------------------------------------------------------------+
| Before you install the package you now should prepare the SSL       |
| certificate system by running the 'make certificate' command.       |
| For different situations the following variants are provided:       |
|                                                                     |
| % make certificate TYPE=dummy    (dummy self-signed Snake Oil cert) |
| % make certificate TYPE=test     (test cert signed by Snake Oil CA) |
| % make certificate TYPE=custom   (custom cert signed by own CA)     |
| % make certificate TYPE=existing (existing cert)                    |
|        CRT=/path/to/your.crt [KEY=/path/to/your.key]                |
|                                                                     |
| Use TYPE=dummy    when you're a  vendor package maintainer,         |
| the TYPE=test     when you're an admin but want to do tests only,   |
| the TYPE=custom   when you're an admin willing to run a real server |
| and TYPE=existing when you're an admin who upgrades a server.       |
| (The default is TYPE=test)                                          |
|                                                                     |
| Additionally add ALGO=RSA (default) or ALGO=DSA to select           |
| the signature algorithm used for the generated certificate.         |
|                                                                     |
| Use 'make certificate VIEW=1' to display the generated data.        |
|                                                                     |
| Thanks for using Apache & mod_ssl.       Ralf S. Engelschall        |
|                                          rse@engelschall.com        |
|                                          www.engelschall.com        |
+---------------------------------------------------------------------+
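
The two "cannot execute binary file" failures in step 15 occur because, with CC set to the cross compiler, gen_test_char and gen_uri_delims are built as MIPS programs that the build host cannot run. The following added example (not from the original article; elf_arch, target_built and make_samples are hypothetical names, and the sample headers are constructed) reads the ELF header fields that file reports and lists which helpers were built for the target.

```shell
#!/bin/sh
# elf_arch FILE: print "<class> <byte order> <machine>" from the ELF header.
elf_arch() {
    f=$1
    set -- $(od -A n -v -t u1 -N 20 "$f" 2>/dev/null)   # first 20 bytes, decimal
    [ $# -eq 20 ] && [ "$1 $2 $3 $4" = "127 69 76 70" ] || { echo not-elf; return 1; }
    case $5 in 1) class=32-bit ;; 2) class=64-bit ;; *) class=unknown-class ;; esac
    # EI_DATA (byte 6) gives the byte order of e_machine (bytes 19 and 20).
    case $6 in
        1) order=LSB; m=$(( ${19} + ${20} * 256 )) ;;
        2) order=MSB; m=$(( ${19} * 256 + ${20} )) ;;
        *) echo not-elf; return 1 ;;
    esac
    case $m in
        3) mach=x86 ;; 8) mach=MIPS ;; 40) mach=ARM ;;
        62) mach=x86-64 ;; 183) mach=AArch64 ;; *) mach=machine-$m ;;
    esac
    echo "$class $order $mach"
}

# target_built MACHINE FILE...: list the FILEs built for MACHINE, i.e. helpers
# produced by the cross compiler that the build host cannot execute.
target_built() {
    want=$1; shift
    for h in "$@"; do
        a=$(elf_arch "$h") || continue
        [ "${a##* }" = "$want" ] && echo "$h"
    done
    return 0
}

# Constructed sample input: 20-byte ELF headers only, not real programs.
make_samples() {
    z8='\000\000\000\000\000\000\000\000'
    # 32-bit, big-endian, e_type=2, e_machine=8 (MIPS)
    printf '\177ELF\001\002\001\000'"$z8"'\000\002\000\010' > "$1/gen_test_char"
    # 64-bit, little-endian, e_type=2, e_machine=62 (x86-64)
    printf '\177ELF\002\001\001\000'"$z8"'\002\000\076\000' > "$1/gen_uri_delims"
}

d=$(mktemp -d)
make_samples "$d"
elf_arch "$d/gen_test_char"
target_built MIPS "$d/gen_test_char" "$d/gen_uri_delims"
rm -rf "$d"
```

In the real tree, run target_built MIPS src/main/gen_test_char src/main/gen_uri_delims after a failed make; any file it lists has to be replaced by the copy from the native build in /home/tmp.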

16.  #make certificate TYPE=custom
The run proceeds as follows:

STEP 0: Decide the signature algorithm used for certificates
The generated X.509 certificates can contain either
RSA or DSA based ingredients. Select the one you want to use.
Signature Algorithm ((R)SA or (D)SA) [R]:
Press Enter.

STEP 0 selects the algorithm; the default, R (RSA), is fine.

STEP 1: Generating RSA private key for CA (1024 bit) [ca.key]
4337667 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
Wait while the system randomly generates ca.key (the private key of the CA, the certificate authority).

STEP 2: Generating X.509 certificate signing request for CA [ca.csr]
Using configuration from .mkcert.cfg
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
1. Country Name             (2 letter code) [XY]:
Enter: CN (country name abbreviation)
2. State or Province Name   (full name)     [Snake Desert]:
Enter: GuangDong (province)
3. Locality Name            (eg, city)      [Snake Town]:
Enter: GuangZhou (city)
4. Organization Name        (eg, company)   [Snake Oil, Ltd]:
Enter: demonalex.net (organization name)
5. Organizational Unit Name (eg, section)   [Certificate Authority]:
Enter: demonalex.net (organizational unit name)
6. Common Name              (eg, CA name)   [Snake Oil CA]:
Enter: demonalex.net (common name)
7. Email Address            (eg, name@FQDN) [ca@snakeoil.dom]:
Enter: demonalex@163.com (administrator e-mail)
8. Certificate Validity     (days)          [365]:
Enter: 3650 (validity period of the CA; I entered 10 here)

STEP 3: Generating X.509 certificate for CA signed by itself [ca.crt]
Certificate Version (1 or 3) [3]:
Press Enter.

STEP 4: Generating RSA private key for SERVER (1024 bit) [server.key]
4337667 semi-random bytes loaded
Generating RSA private key, 1024 bit long modulus
Wait while the system randomly generates server.key (the server's private key).

STEP 5: Generating X.509 certificate signing request for SERVER [server.csr]
Using configuration from .mkcert.cfg
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
1. Country Name             (2 letter code) [XY]:
Enter: CN
2. State or Province Name   (full name)     [Snake Desert]:
Enter: GuangDong
3. Locality Name            (eg, city)      [Snake Town]:
Enter: GuangZhou
4. Organization Name        (eg, company)   [Snake Oil, Ltd]:
Enter: demonalex.net
5. Organizational Unit Name (eg, section)   [Webserver Team]:
Enter: demonalex.net
6. Common Name              (eg, FQDN)      [www.snakeoil.dom]:
Enter: demonalex.3322.org (note: this value must be the domain name your site actually uses)
7. Email Address            (eg, name@fqdn) [www@snakeoil.dom]:
Enter: demonalex@163.com
8. Certificate Validity     (days)          [365]:
Enter: 365 (note: this value should not be too large)


STEP 6: Generating X.509 certificate signed by own CA [server.crt]
Certificate Version (1 or 3) [3]:
Press Enter.

STEP 7: Enrypting RSA private key of CA with a pass phrase for security [ca.key]
The contents of the ca.key file (the generated private key) has to be
kept secret. So we strongly recommend you to encrypt the server.key file
with a Triple-DES cipher and a Pass Phrase.
Encrypt the private key now?
[Y/n]: Enter Y (encrypt ca.key with a pass phrase)
read RSA key
writing RSA key
Enter PEM pass phrase:
Enter a pass phrase: demonalex
Verifying password - Enter PEM pass phrase:
Re-enter the pass phrase from the previous step.
Fine, you're using an encrypted private key.

STEP 8: Enrypting RSA private key of SERVER with a pass phrase for security [server.key]
The contents of the server.key file (the generated private key) has to be
kept secret. So we strongly recommend you to encrypt the server.key file
with a Triple-DES cipher and a Pass Phrase.
Encrypt the private key now?
[Y/n]: Enter Y (encrypt ca.key with a pass phrase)
read RSA key
writing RSA key
Enter PEM pass phrase:
Enter a pass phrase.

Verifying password - Enter PEM pass phrase:
Re-enter the pass phrase from the previous step.
Fine, you're using an encrypted RSA private key.

The final output is as follows:
RESULT: CA and Server Certification Files

o  conf/ssl.key/ca.key
   The PEM-encoded RSA private key file of the CA which you can
   use to sign other servers or clients. KEEP THIS FILE PRIVATE!

o  conf/ssl.crt/ca.crt
   The PEM-encoded X.509 certificate file of the CA which you use to
   sign other servers or clients. When you sign clients with it (for
   SSL client authentication) you can configure this file with the
   'SSLCACertificateFile' directive.

o  conf/ssl.key/server.key
   The PEM-encoded RSA private key file of the server which you configure
   with the 'SSLCertificateKeyFile' directive (automatically done
   when you install via APACI). KEEP THIS FILE PRIVATE!

o  conf/ssl.crt/server.crt
   The PEM-encoded X.509 certificate file of the server which you configure
   with the 'SSLCertificateFile' directive (automatically done
   when you install via APACI).

o  conf/ssl.csr/server.csr
   The PEM-encoded X.509 certificate signing request of the server file which
   you can send to an official Certificate Authority (CA) in order
   to request a real server certificate (signed by this CA instead
   of our own CA) which later can replace the conf/ssl.crt/server.crt
   file.
Congratulations that you establish your server with real certificates
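
A check worth running on the files listed above before make install, as an added example (not part of the original article or of mod_ssl): it confirms that server.crt verifies against ca.crt, that its Common Name is the host name clients will use, and that server.key belongs to the certificate. check_chain, make_sample_chain and SERVER_KEY_PASS are hypothetical names; the sample chain is constructed with plain openssl commands, using 2048-bit unencrypted keys so that it runs unattended, and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# check_chain CONF FQDN: print one line per failed check, or "ok" if all pass.
check_chain() {
    conf=$1 fqdn=$2 bad=0
    ca=$conf/ssl.crt/ca.crt crt=$conf/ssl.crt/server.crt key=$conf/ssl.key/server.key
    # 1. server.crt must be signed by the CA certificate from STEP 3.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 ||
        { echo "server.crt does not verify against ca.crt"; bad=1; }
    # 2. The Common Name must be the host name clients connect to (STEP 5).
    subj=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$crt")
    subj=${subj#subject=}; subj=${subj# }
    case ",$subj," in
        *",CN=$fqdn,"*) ;;
        *) echo "CN does not match $fqdn"; bad=1 ;;
    esac
    # 3. server.key must be the private half of the key in server.crt.
    #    SERVER_KEY_PASS (hypothetical name) carries the STEP 8 pass phrase.
    pub_crt=$(openssl x509 -noout -pubkey -in "$crt")
    pub_key=$(SERVER_KEY_PASS=${SERVER_KEY_PASS-} openssl pkey -pubout \
        -in "$key" -passin env:SERVER_KEY_PASS 2>/dev/null)
    [ -n "$pub_key" ] && [ "$pub_crt" = "$pub_key" ] ||
        { echo "server.key does not match server.crt"; bad=1; }
    [ "$bad" -eq 0 ] && echo ok
    return "$bad"
}

# Constructed sample chain in the conf/ layout listed above (not real keys).
make_sample_chain() {
    conf=$1 fqdn=$2
    mkdir -p "$conf/ssl.crt" "$conf/ssl.key" "$conf/ssl.csr"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$conf/ssl.key/ca.key" -out "$conf/ssl.crt/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$fqdn" \
        -keyout "$conf/ssl.key/server.key" -out "$conf/ssl.csr/server.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$conf/ssl.csr/server.csr" \
        -CA "$conf/ssl.crt/ca.crt" -CAkey "$conf/ssl.key/ca.key" -CAcreateserial \
        -out "$conf/ssl.crt/server.crt" 2>/dev/null
}

d=$(mktemp -d)
make_sample_chain "$d" www.example.test
check_chain "$d" www.example.test
rm -rf "$d"
```

Against the real tree, call check_chain conf with the name entered as the server's Common Name, with SERVER_KEY_PASS exported for the encrypted server.key.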

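17.  #make install
Run the installation, which installs apache into the /www directory.

18.  Port the apache server: move the generated /www directory into the target board's root file system, then reload the root file system onto the target board.

19.  #/www/bin/apachectl startssl
After the target board boots, run the command above to start the apache server. The prompts are as follows:
Apache/1.3.37 mod_ssl/2.8.28 (Pass Phrase Dialog)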
Some of your private key files are encrypted for security reasons.
In order to read them you have to provide us with the pass phrases.
Server server5.demonalex:443 (RSA)
Enter pass phrase:
Enter the pass phrase set in STEP 8 of make certificate.
If it is entered correctly, the following is shown:
Ok: Pass Phrase Dialog successful.
/www/bin/apachectl startssl: httpd started

Conclusion

The cross-compiled apache server with the ssl module is now complete. Quite a sense of achievement, isn't it!

 
