This option sets the maximum allowable age "freshness" for OCSP responses. The default value -1 does not enforce a maximum age, which means that OCSP responses are considered valid as long as their nextUpdate field is in the future. This option sets the maximum allowable time skew for OCSP responses when checking their thisUpdate and nextUpdate fields.
This option determines whether queries to OCSP responders should contain a nonce or not. By default, a query nonce is always used and checked against the response's one. When the responder does not use nonces e. This directive can be used to control various run-time options on a per-directory basis. Normally, if multiple SSLOptions could apply to a directory, then the most specific one is taken completely; the options are not merged. This per default is disabled for performance reasons, because the information extraction step is a rather expensive operation.
These contain the PEM-encoded X. Additionally all other certificates of the client certificate chain are provided, too. This bloats up the environment a little bit which is why you have to use this option to enable it on demand. This means that the standard Apache authentication methods can be used for access control. The user name is just the Subject of the Client's X.509 Certificate, which can be determined by running OpenSSL's openssl x509 command: openssl x509 -noout -subject -in certificate.
Note that no password is obtained from the user. By default a strict scheme is enabled where every per-directory reconfiguration of SSL parameters causes a full SSL renegotiation handshake. Nevertheless these granular checks sometimes may not be what the user expects, so enable this on a per-directory basis only, please. Since version 2. This uses commas as delimiters between the attributes, allows the use of non-ASCII characters (which are converted to UTF8), escapes various special characters with backslashes, and sorts the attributes with the "C" attribute last.
This query can be done in two ways which can be configured by type: This is the default where an interactive terminal dialog occurs at startup time just before Apache detaches from the terminal.
Here the administrator has to manually enter the Pass Phrase for each encrypted Private Key file. Because a lot of SSL-enabled virtual hosts can be configured, the following reuse-scheme is used to minimize the dialog: When a Private Key file is encrypted, all known Pass Phrases (at the beginning there are none, of course) are tried. If one of those known Pass Phrases succeeds no dialog pops up for this particular Private Key file. If none succeeded, another Pass Phrase is queried on the terminal and remembered for the next round (where it perhaps can be reused).
This mode allows an external program to be used which acts as a pipe to a particular input device; the program is sent the standard prompt text used for the builtin mode on stdin, and is expected to write password strings on stdout. If several passwords are needed (or an incorrect password is entered), additional prompt text will be written subsequent to the first password being returned, and more passwords must then be written back.
Here an external program is configured which is called at startup for each encrypted Private Key file. In versions 2. The intent is that this external program first runs security checks to make sure that the system is not compromised by an attacker, and only when these checks were passed successfully it provides the Pass Phrase. Both these security checks, and the way the Pass Phrase is determined, can be as complex as you like.
Nothing more or less! So, if you're really paranoid about security, here is your interface. Anything else has to be left as an exercise to the administrator, because local security requirements are so different. The reuse-algorithm above is used here, too. In other words: The external program is called only once per unique Pass Phrase.
It is supported by nearly every client. A revision of the TLS 1. Before OpenSSL 1. For compatibility with previous versions, if no SSLProtocol is configured in a name-based virtual host, the one from the base virtual host still applies, unless SSLProtocol is configured globally in which case the global value applies (this latter exception is more sensible than compatible, though). This directive sets the all-in-one file where you can assemble the Certificates of Certification Authorities (CA) whose remote servers you deal with.
These are used for Remote Server Authentication. This directive sets the directory where you keep the Certificates of Certification Authorities (CAs) whose remote servers you deal with. These are used to verify the remote server certificate on Remote Server Authentication.
Enables certificate revocation list (CRL) checking for the remote servers you deal with. With the introduction of this directive, the behavior has been changed: when checking is enabled, CRLs must be present for the validation to succeed - otherwise it will fail with an "unable to get certificate CRL" error. These are used to revoke the remote server certificate on Remote Server Authentication.
This directive sets whether the remote server certificate's CN field is compared against the hostname of the request URL. If both are not equal a status code Bad Gateway is sent. In all releases 2. In these releases, both directives must be set to off to completely avoid remote server certificate name validation. Many users reported this to be very confusing. As of release 2. Only the following configuration will trigger the legacy certificate CN comparison in 2.
This directive sets whether it is checked if the remote server certificate is expired or not. If the check fails a status code Bad Gateway is sent. The check will succeed if the host name from the request URI matches one of the CN attribute(s) of the certificate's subject, or matches the subjectAltName extension. This feature was introduced in 2. This directive sets the all-in-one file where you keep the certificate chain for all of the client certs in use.
This directive will be needed if the remote server presents a list of CA certificates that are not direct signers of one of the configured client certificates. This referenced file is simply the concatenation of the various PEM-encoded certificate files.
Upon startup, each client certificate configured will be examined and a chain of trust will be constructed. This directive sets the all-in-one file where you keep the certificates and keys used for authentication of the proxy server to remote servers.

Posted: Fri 24 Aug '18

Updated to: ActivePerl 5. ActivePerl hasn't released a 5. Note: These releases should be good for future ActivePerl 5. But there are some errors. Is there an easy way to build with Visual Studio, while Strawberry Perl is built with gcc?
I would appreciate some hints, if possible.

Posted: Fri 05 Mar '21

We suggest you add this entry at the end of the Configuration file if you want your callback hooks to have precedence over core handlers. Add other options if required. Now you may proceed with the plain Apache build process. All in one step. This is the normal situation where you want to be flexible while building.
Now you have a chance to prepare third-party modules. Note that the files activated by --activate-module do not exist at this time.
They will be generated during compilation. Presumably your new server includes third-party components, otherwise you probably won't choose this method of building. It also gives you the freedom to add third-party modules. Perl versions prior to 5.
When httpd restarts (this happens at startup too), any references in the main program to free and malloc become invalid, and this causes memory leaks and segfaults. If you are running Perl older than 5. If you are running Perl 5. To find out, run: We recommend that you rebuild Perl with -Ubincompat if Perl's malloc is a better choice for your OS.
What does it mean? When you want to build libperl. Don't confuse the libperl. They are two different things. It is unfortunate that they happen to have the same name. There is also a libperl. That's different too. You have two options here, depending on which way you have chosen above: If you choose the All-In-One way from above then add. This will build the DSO libperl. Since all the steps are simple, and assuming that you now understand how the build process works, I'll show only the commands to be executed with no comments unless there is something we haven't discussed before.
All these scenarios were tested on a Linux platform; you might need to refer to the specific component's documentation if something doesn't work for you as described below. Also, notice that the links I've used below are very likely to have changed by the time you read this document.
That's why I have used the x. Remember to replace the xx place-holders with the version numbers of the distributions you are about to use. To find out the latest stable version number, visit the components' sites.
So if the instructions say: Unless otherwise noted, all the components install themselves into a default location. When you run make install the installation program tells you where it's going to install the files. Young and Tim J. PL' on a single command line. This topic is out of scope of this document. As always, replace xx with the proper version numbers. And replace i with the identifier for your platform if it is different.
It is licensed under a BSD-style license which means, in short, that you are free to use it for commercial or non-commercial purposes, so long as you retain the copyright notices. Note that you might need to modify the 'make test' stage, as it takes much longer for this server to get started and make test waits only a few seconds for Apache to start before it times out.
Stronghold is a secure SSL Web server for Unix which allows you to give your web site full-strength, bit encryption. Note: libperl. The first thing to do is to download the Apache source code and unpack it into a directory -- the name of which you will need very soon. If it's the first time that you have used it, CPAN. It's quite easy to accomplish this task, and very helpful hints come along with the questions. When you are finished you will see the CPAN prompt:
Installation is as simple as typing: You will see I'll use x. Here, unless the CPAN shell found it and suggested the right directory, you need to type the directory into which you unpacked Apache. The next question is about the src directory, which resides at the root level of the unpacked Apache distribution. In most cases the CPAN shell will suggest the correct directory. Quit the CPAN shell, or use another terminal. Go to the Apache sources root directory and run: The only caveat of the process I've described is that you don't have control over the configuration process.
Actually, that problem is easy to solve -- you can tell CPAN. Just list all the parameters as if you were passing them to the familiar perl Makefile. Of course you must give the correct path to the Apache source distribution. To see the original value, use: You install them all by typing a single command: To accomplish this the command autobundle can be used on the CPAN shell command line.
This command writes a bundle definition file for all modules that are installed for the currently running perl interpreter. You may wish to build httpd once, then copy it to other machines. To avoid dragging and build Apache on all your other machines, there are a few Makefile targets to help you out: If you really want to make your life easy you should use one of the more advanced packaging systems.
For example, almost all Linux OS distributions use packaging tools on top of plain tar. All you have to do is prepare a SRPM (source distribution package), then build a binary release. This can be installed on any number of machines in a matter of seconds.
It will even work on live machines! If you have two identical machines (identical software and hardware, although depending on your setup hardware may be less critical). Let's say that one is a live server and the other is in development. You can then install the RPM package on the live server without any fear. Make sure that httpd. When you have installed the package, just restart the server.
It can be a good idea to keep a package of the previous system, in case something goes wrong. You can then easily remove the installed package and put the old one back. Please submit info about other available packages if you use such. If you know what you are doing, this is probably Old Hat - contributing your past experiences is, as always, welcomed by the community.
Not only will you find that this is less daunting than you suspect, but it will probably save you a few headaches down the line for several reasons. First, given the pace at which the open source community produces software, RPMs, especially those found on distribution CDs, are often several versions out of date.
The most recent version will not only be more stable, but will likely incorporate some new functionality that you will eventually want to play with. It is also unlikely that the file system layout of an RPM package will match what you see in the Eagle Book and this Guide. Sticking with one format or the other at first will result in fewer headaches and more hair.
You will find the link to David's site from Binary distributions. Includes the four header files required for building libapreq Apache::Request. Libapreq provides the Apache::Request module. It just requires a few additional steps. Make certain you have the apache-devel-x. Also, download the latest version of libapreq from CPAN. NOTE: Steps 2. The method shown above is more "pure" because you're grabbing the header files from the same tree that built the RPM. But this does not matter because RedHat is not patching that file.
Less fuss and mess. Let's tackle the tasks one at a time. It's easy. First you have to decide where to install the modules. Actually we need only two directories: We don't have to create them, since that will be done automatically when the first module is installed.
Occasionally, when some module distribution comes with Perl scripts, these will go into the bin directory. This directory will be created if it doesn't exist. Let's install the CGI. As usual, download the package from the CPAN repository, unpack it and chdir to the newly-created directory. Now do a standard perl Makefile. PL to prepare a Makefile , but this time tell MakeMaker to use your Perl installation directories instead of the defaults.
Note that if you don't like how MakeMaker chooses the rest of the directories, or if you are using an older version of it which requires an explicit declaration of all the target directories, you should do this: Note that all the missing directories are created automatically, so there is no need to create them in the first place.
Here (slightly edited) is what it does: Using this method you can easily maintain several Perl module repositories. For example, you could have one for production Perl and another for development: The output contains important information about your Perl installation. At the end you will see: It shows us the content of the Perl special variable @INC, which is used by Perl to look for its modules. It is equivalent to the PATH environment variable in Unix shells which is used to find executable programs.
Notice that Perl looks for modules in the. It's the last entry in the above output. Of course this example is from version 5. That's why you see ilinux and 5. If your system runs a different version of Perl, operating system, processor or chipset architecture, then some of the directories will have different names. Note that it's still Linux , but the newer Perl version uses the version of my Pentium processor thus the i and not i This makes use of compiler optimizations for Pentium processors when the binary Perl extensions are created.
Important: As we have installed the Perl modules into non-standard directories, we have to let Perl know where to look for the four directories. There are two ways to accomplish this.