
Support #432

Updated by Daniel Curtis about 9 years ago

{{>toc}} 

Here is a procedure to install a FAMP (FreeBSD with Apache, MariaDB and PHP) server. The following setup runs Apache 2.4, MariaDB 5.5 and PHP 5 on FreeBSD 9.2-RELEASE. If a different version of any package is needed, replace the versions in the commands accordingly.

 h1. Pre-Installation Tasks 

* Before installing any of the components, bring the binary packages and the ports tree up to date:
 <pre> 
 pkg update && pkg upgrade 
 portsnap fetch extract 
 </pre> 

 * Install portmaster: 
 <pre> 
 pkg install portmaster 
 pkg2ng 
 </pre> 
*NOTE*: pkgng is great; however, I need the flexibility of the ports tree, so portmaster will be used to build and upgrade ports.


* Edit @/etc/hosts@ and add a line mapping the server's address to its host name (substitute your own address and name):
 <pre> 
 192.168.1.1                 www.example.com www 
 </pre> 

 --- 

 h1. Install Apache 2.4 

 * Install Apache 2.4 
 <pre> 
 portmaster www/apache24 
 </pre> 

* Edit the Apache configuration file, @/usr/local/etc/apache24/httpd.conf@, and make the following changes:
<pre>
ServerRoot "/usr/local"
ServerAdmin you@your.address
ServerName www.example.com:80
DocumentRoot "/usr/local/www"
Listen 80

<Directory "/usr/local/www">
    Options FollowSymLinks

    AllowOverride None

    Require all granted
</Directory>

Include etc/apache24/Includes/*.conf
</pre>
*NOTE*: This is Apache 2.4 syntax. The 2.2-style @Order allow,deny@ / @Allow from all@ pair only works when @mod_access_compat@ is loaded, and mixing it with @Require@ gives confusing results; @NameVirtualHost@ is ignored by 2.4 and only produces a startup warning. @Indexes@ is deliberately left out of @Options@: it turns on directory listings for every directory under the document root that has no index file, so enable it per directory only where a listing is actually wanted. The @Include@ must point at @etc/apache24/Includes@, not the @apache22@ tree.

* *(Optional)* Load the HTTP accept filter kernel module at boot by adding the following line to @/boot/loader.conf@ (create the file if it does not exist):
 <pre> 
 accf_http_load="YES" 
 </pre> 
* *(Optional)* To run without ACCF instead, create or edit @/usr/local/etc/apache24/Includes/no-accf.conf@ and add the following lines (I do this since I am in a jail that does not have the required kernel module). The port's rc script starts httpd with @-DNOHTTPACCEPT@ unless @apache24_http_accept_enable="YES"@ is set in @/etc/rc.conf@, so this block takes effect without any extra flags:
 <pre> 
 <IfDefine NOHTTPACCEPT> 
    AcceptFilter http none 
    AcceptFilter https none 
 </IfDefine> 
 </pre> 

 * Run the following line to enable apache24 to start at boot: 
 <pre> 
 echo 'apache24_enable="YES"' >> /etc/rc.conf 
 </pre> 

* Start the server to check that the configuration loads (httpd refuses to start on a syntax error, so this is the first test):
 <pre> 
 service apache24 start 
 </pre> 
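Apache 2.4 accepts 2.2-style access control only through @mod_access_compat@, and a config that mixes those lines with @Require@ rules tends to end up either wide open or fully forbidden. The script below is an added example, not part of the original page: it greps a config for the 2.2 leftovers (@Order@, @Allow from@, @Deny from@, @Satisfy@, @NameVirtualHost@) and for stale @apache22/@ include paths. The sample config it writes is constructed for the demo from the httpd.conf fragment above with the old lines left in.

```shell
#!/bin/sh
# Added example: find Apache 2.2-era directives that are ignored by, or need
# mod_access_compat under, Apache 2.4. The sample config is constructed for
# this demo and mirrors the httpd.conf fragment above with 2.2 leftovers.

# Order/Allow/Deny/Satisfy come from mod_access_compat; NameVirtualHost is a
# no-op in 2.4; apache22/ paths point at a tree this install does not have.
APACHE22_PATTERN='^[[:space:]]*(Order|Allow[[:space:]]+from|Deny[[:space:]]+from|Satisfy|NameVirtualHost)[[:space:]]|apache22/'

# find_apache22isms FILE: print "line:text" for every hit; exit 1 if any.
find_apache22isms() {
    a22_hits=$(grep -nE "$APACHE22_PATTERN" "$1")
    if [ -n "$a22_hits" ]; then
        printf '%s\n' "$a22_hits"
        return 1
    fi
    return 0
}

# count_apache22isms FILE: number of offending lines (for a deploy gate).
count_apache22isms() {
    grep -cE "$APACHE22_PATTERN" "$1"
}

# write_sample_conf FILE: constructed input, not a real server config.
write_sample_conf() {
    cat > "$1" <<'EOF'
ServerRoot "/usr/local"
Listen 80
NameVirtualHost *:80
<Directory "/usr/local/www">
    Options FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
Include etc/apache22/Includes/*.conf
EOF
}

# Usage: sh apache22-lint.sh /usr/local/etc/apache24/httpd.conf
#        sh apache22-lint.sh --demo      (lints the constructed sample)
case "${1:-}" in
    "") ;;
    --demo) t=$(mktemp); write_sample_conf "$t"; find_apache22isms "$t"; rm -f "$t" ;;
    *) find_apache22isms "$1" && echo "clean: no Apache 2.2 leftovers in $1" ;;
esac
```

The pattern anchors on the directive name at the start of the line, so @AllowOverride@ and @Allow from@ are not confused, and @grep -n@ gives the line numbers to jump to in @vi@.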

h2. Optional Worker Modules

Only one MPM may be loaded at a time, so comment out whichever @LoadModule mpm_*@ line the port's @httpd.conf@ already has before adding another. The threaded MPMs (worker and event) also need a thread-safe PHP build; see the ZTS note in the PHP section.

 h3. MPM Prefork 

 * Edit the apache24 config file: 
 <pre> 
 vi /usr/local/etc/apache24/httpd.conf 
 </pre> 
 #* And add the following: 
 <pre> 
 ## Apache prefork mpm module 
 LoadModule mpm_prefork_module libexec/apache24/mod_mpm_prefork.so 
 </pre> 
 #* And uncomment the mpm include: 
 <pre> 
 # Server-pool management (MPM specific) 
 Include etc/apache24/extra/httpd-mpm.conf 
 </pre> 

 * Restart apache: 
 <pre> 
 service apache24 restart 
 </pre> 

 h3. MPM Worker 

 * Edit the apache24 config file: 
 <pre> 
 vi /usr/local/etc/apache24/httpd.conf 
 </pre> 
 #* And add the following: 
 <pre> 
 ## Apache worker mpm module 
 LoadModule mpm_worker_module libexec/apache24/mod_mpm_worker.so 
 </pre> 
 #* And uncomment the mpm include: 
 <pre> 
 # Server-pool management (MPM specific) 
 Include etc/apache24/extra/httpd-mpm.conf 
 </pre> 

 * Restart apache: 
 <pre> 
 service apache24 restart 
 </pre> 

 h3. MPM Event 

 * Edit the apache24 config file: 
 <pre> 
 vi /usr/local/etc/apache24/httpd.conf 
 </pre> 
 #* And add the following: 
 <pre> 
 ## Apache event mpm module 
LoadModule mpm_event_module libexec/apache24/mod_mpm_event.so
 </pre> 
 #* And uncomment the mpm include: 
 <pre> 
 # Server-pool management (MPM specific) 
 Include etc/apache24/extra/httpd-mpm.conf 
 </pre> 

 * Restart apache: 
 <pre> 
 service apache24 restart 
 </pre> 

 h2. Securing Apache24 with SSL 

 * Make the directory for apache24 ssl files: 
 <pre> 
 mkdir /usr/local/etc/apache24/ssl && cd /usr/local/etc/apache24/ssl 
 </pre> 

* Generate a strong key and a CSR to send to the CA for signing. Run this as root with a restrictive umask so the key file is never readable by other users:
<pre>
openssl req -sha512 -out www.example.com.csr -new -newkey rsa:4096 -nodes -keyout www.example.com.key
</pre>
* When the CA returns the signed certificate, copy it securely to *www.example.com.crt* in this directory, and the CA's intermediate chain to *www.example.com.bundle* (the SSL configuration below references both files).

 * Edit the apache24 config file: 
 <pre> 
vi /usr/local/etc/apache24/httpd.conf
 </pre> 
 #* Make sure to uncomment the Include for the SSL configuration: 
 <pre> 
 Include etc/apache24/extra/httpd-ssl.conf 
 </pre> 
 #* And Add the following: 
 <pre> 
 <VirtualHost *:443> 
     ServerName www.example.com 

     DocumentRoot /usr/local/www/www.example.com             
     <Directory /usr/local/www/www.example.com> 
         Options FollowSymLinks 
         AllowOverride All 
         Require all granted 
     </Directory> 

     SSLEngine on 

     SSLCertificateFile /usr/local/etc/apache24/ssl/www.example.com.crt 
     SSLCertificateKeyFile /usr/local/etc/apache24/ssl/www.example.com.key 

     <FilesMatch "\.(cgi|shtml|phtml|php)$"> 
         SSLOptions +StdEnvVars 
     </FilesMatch> 

     BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0 
     BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown 
 </VirtualHost> 
 </pre> 

* Edit the apache24 SSL config file:
<pre>
vi /usr/local/etc/apache24/extra/httpd-ssl.conf
</pre>
 #* And modify the following parameters: 
 <pre> 
 SSLProtocol all -SSLv2 -SSLv3 

SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"

SSLCertificateFile "/usr/local/etc/apache24/ssl/www.example.com.crt"

SSLCertificateKeyFile "/usr/local/etc/apache24/ssl/www.example.com.key"

SSLCertificateChainFile "/usr/local/etc/apache24/ssl/www.example.com.bundle"
</pre>
*NOTE*: The cipher string is a single line. In an OpenSSL cipher string an exclusion wins over every positive entry, so the trailing @!RC4@ removes RC4 regardless of the @EECDH+aRSA+RC4@ and @RC4@ entries earlier in the list, and @!3DES@ removes the 3DES suites that a bare @EECDH@ would otherwise include. Also set @SSLHonorCipherOrder on@ so the server's preference, not the client's, decides which suite is used. @SSLCertificateChainFile@ is the intermediate bundle from the CA; from Apache 2.4.8 on the intermediates can instead simply be appended to the certificate file.

 * Restart apache24: 
 <pre> 
 service apache24 restart 
 </pre> 
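Before pointing @httpd-ssl.conf@ at the files it is worth checking them, rather than finding out from a failed restart or a browser warning. The script below is an added example, not part of the original page: it checks that the key is not group or world readable, that the certificate was issued for that key (matching RSA modulus), that the certificate is not about to expire, and what the cipher string from the config actually expands to on the installed OpenSSL, refusing RC4, DES/3DES, MD5, NULL, export, PSK and SRP suites. The directory and file names follow the guide; the self-signed certificate the usage comment generates is a stand-in for the CA-issued one and requires the @openssl@ CLI.

```shell
#!/bin/sh
# Added example (not from the page): pre-flight checks for the TLS material
# and cipher string used in httpd-ssl.conf. Requires the openssl CLI.

SSL_DIR=/usr/local/etc/apache24/ssl          # as in the guide
SITE=www.example.com

# The guide's cipher string on one line. The trailing !RC4 wins over the RC4
# entries that precede it; !3DES strips the 3DES suites EECDH would include.
GUIDE_CIPHERS='EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4'

# key_perms_ok KEYFILE: the private key must be owner-only (0600 or 0400).
# GNU stat first, BSD stat as the fallback.
key_perms_ok() {
    k_mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1")
    case "$k_mode" in 600 | 400) return 0 ;; *) return 1 ;; esac
}

# key_matches_cert KEYFILE CERTFILE: the same RSA modulus on both sides.
key_matches_cert() {
    k_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c_mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$k_mod" ] && [ "$k_mod" = "$c_mod" ]
}

# cert_not_expiring CERTFILE [DAYS]: fail if it expires within DAYS (30).
cert_not_expiring() {
    openssl x509 -noout -checkend $(( ${2:-30} * 86400 )) -in "$1" >/dev/null 2>&1
}

# weak_ciphers_in CIPHERSTRING: suite names from the expansion that belong to
# families a server should not offer.
weak_ciphers_in() {
    openssl ciphers -v "$1" 2>/dev/null | awk '{ print $1 }' \
        | grep -E 'RC4|DES|MD5|NULL|EXP|PSK|SRP' || true
}

# cipher_string_ok CIPHERSTRING: resolves to at least one suite, none weak.
cipher_string_ok() {
    openssl ciphers "$1" >/dev/null 2>&1 || return 1
    [ -z "$(weak_ciphers_in "$1")" ]
}

# check_site DIR NAME: run all checks against DIR/NAME.key and DIR/NAME.crt.
check_site() {
    s_key="$1/$2.key" s_crt="$1/$2.crt" s_bad=0
    key_perms_ok "$s_key"              || { echo "$s_key is readable by others";     s_bad=1; }
    key_matches_cert "$s_key" "$s_crt" || { echo "$s_crt was not issued for $s_key"; s_bad=1; }
    cert_not_expiring "$s_crt" 30      || { echo "$s_crt expires within 30 days";    s_bad=1; }
    cipher_string_ok "$GUIDE_CIPHERS"  || { echo "cipher string enables weak suites: $(weak_ciphers_in "$GUIDE_CIPHERS")"; s_bad=1; }
    return $s_bad
}

# Usage on the server:  sh tls-check.sh --check
# To try it with throwaway self-signed material instead of the CA-issued files:
#   d=$(mktemp -d)
#   openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$SITE" \
#       -keyout "$d/$SITE.key" -out "$d/$SITE.crt" && chmod 600 "$d/$SITE.key"
#   check_site "$d" "$SITE"
case "${1:-}" in
    --check) check_site "$SSL_DIR" "$SITE" ;;
esac
```

The modulus comparison is the check that catches a certificate copied from the wrong CSR, which Apache only reports at restart time as a key/certificate mismatch; the cipher expansion is the only reliable way to know what a string like the one above enables on a particular OpenSSL build.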

 h3. Forcing SSL on a Website 

* Redirect every plain-HTTP request to HTTPS with mod_rewrite. This needs @mod_rewrite@ loaded in @httpd.conf@ and, for rules kept in an @.htaccess@ file, @AllowOverride FileInfo@ (or @All@) on that directory: the site's @<Directory>@ block above allows it, the global @/usr/local/www@ block with @AllowOverride None@ does not. Open (or create) the @.htaccess@ file in the site's document root, for example:
<pre>
vi /usr/local/www/apache24/data/.htaccess
</pre>
#* And add the following (if a template with these lines commented out is already there, remove the @#@ characters in front of them):
<pre>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</pre>
* Restart apache24:
<pre>
service apache24 restart
</pre>

 --- 

 h1. Install MariaDB 

* Install the MariaDB 5.5 server and client:
<pre>
portmaster databases/mariadb55-server databases/mariadb55-client
</pre>

 h2. Configure MariaDB 

* Install a starting configuration file; on FreeBSD the server reads @/var/db/mysql/my.cnf@ from its data directory:
<pre>
cp /usr/local/share/mysql/my-small.cnf /var/db/mysql/my.cnf
</pre>
*NOTE*: If nothing off the box needs the database, add @bind-address = 127.0.0.1@ (or @skip-networking@) to the @[mysqld]@ section so the server only listens locally.

* Enable MariaDB to start at boot:
<pre>
echo 'mysql_enable="YES"' >> /etc/rc.conf
</pre>

* Start MariaDB:
<pre>
service mysql-server start
</pre>

* Harden the fresh install. The script sets a root password, removes the anonymous accounts and the @test@ database and disables remote root logins; answer yes to all of them:
<pre>
mysql_secure_installation
</pre>

* Restart MariaDB so the configuration and privilege changes take effect:
<pre>
service mysql-server restart
</pre>

 h2. Configure a new database 

 * Log into the MySQL console: 
 <pre> 
 mysql -h localhost -u root -p 
 </pre> 
#* Create the *webappuser* account with the *SuperSecretPassword* password (replace it with a long random one) and the *webappdb* database, and grant the account rights on that database only. The account name in @GRANT@ must be exactly the one from @CREATE USER@: with the default @sql_mode@ of 5.5 (no @NO_AUTO_CREATE_USER@), a @GRANT@ to a name that does not exist silently creates a second account with an empty password instead of failing:
<pre>
CREATE USER 'webappuser'@'localhost' IDENTIFIED BY 'SuperSecretPassword';
CREATE DATABASE IF NOT EXISTS `webappdb` CHARACTER SET utf8 COLLATE utf8_general_ci;
GRANT ALL PRIVILEGES ON `webappdb`.* TO 'webappuser'@'localhost';

FLUSH PRIVILEGES;
exit
</pre>
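The two account names in the block above have to match exactly, and the password should not be one a human typed. The script below is an added example, not the page's own: it generates the provisioning SQL with a single variable for the account name so the @CREATE USER@ and @GRANT@ principals cannot diverge, draws the password from the kernel RNG, and refuses database or user names outside @[A-Za-z0-9_]@ rather than attempting to escape them. The privilege list is my assumption of what a typical CRUD web application needs and is narrower than the @GRANT ALL@ above; widen it only for what the application actually does.

```shell
#!/bin/sh
# Added example (not from the page): emit the SQL that provisions an
# application database and account, with a random password and the same
# principal in CREATE USER and GRANT. Pipe the output into the root client:
#   sh provision-db.sh webappdb webappuser | mysql -u root -p
# The privilege list is an assumption for a typical CRUD web application.

APP_PRIVS='SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES'

# gen_password: 32 characters from a shell- and SQL-safe alphabet.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9_-' < /dev/urandom | head -c 32
}

# valid_ident NAME: only [A-Za-z0-9_], so it can sit between backticks or
# quotes without any escaping logic.
valid_ident() {
    case "$1" in
        '' | *[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# gen_grant_sql DB USER PASSWORD: SQL on stdout, non-zero exit on bad input.
gen_grant_sql() {
    g_db="$1" g_user="$2" g_pass="$3"
    valid_ident "$g_db"   || { echo "refusing database name: $g_db" >&2; return 1; }
    valid_ident "$g_user" || { echo "refusing user name: $g_user" >&2; return 1; }
    case "$g_pass" in
        '' | *\'* | *\\*) echo "password must be non-empty and contain no ' or \\" >&2; return 1 ;;
    esac
    cat <<EOF
CREATE DATABASE IF NOT EXISTS \`$g_db\` CHARACTER SET utf8 COLLATE utf8_general_ci;
CREATE USER '$g_user'@'localhost' IDENTIFIED BY '$g_pass';
GRANT $APP_PRIVS ON \`$g_db\`.* TO '$g_user'@'localhost';
FLUSH PRIVILEGES;
EOF
}

# Command-line entry point: provision-db.sh DB USER [PASSWORD]
# The SQL goes to stdout (for the mysql client); the password to stderr so
# the operator sees it and can put it in the application's config file.
if [ $# -ge 2 ]; then
    p_pass="${3:-$(gen_password)}"
    gen_grant_sql "$1" "$2" "$p_pass" && echo "-- password for $2@localhost: $p_pass" >&2
fi
```

The generated password should end up only in the application's configuration file, readable by the web server user and nobody else; the identifier check is what keeps a name taken from a ticket or a form from turning the @CREATE DATABASE@ line into something else.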

 --- 

 h1. Install PHP 

*NOTE*: If using a threaded MPM (worker or event), enable *[X] ZTS* in @make config@ for both lang/php5 and www/mod_php5; a non-thread-safe mod_php will not load under a threaded MPM.

 * Install PHP5 and mod_php: 
 <pre> 
 portmaster lang/php5 www/mod_php5 
 </pre>  

 * Install a few PHP modules: 
 <pre> 
 portmaster textproc/php5-xml textproc/php5-dom security/libgpg-error textproc/php5-xmlreader textproc/php5-simplexml textproc/php5-ctype sysutils/php5-fileinfo security/php5-openssl security/php5-hash security/php5-filter graphics/php5-exif devel/php5-json databases/php5-sqlite3 databases/php5-pdo lang/php5-extensions converters/php5-iconv audio/mp3info archivers/php5-zlib archivers/php5-zip archivers/php5-bz2 www/php5-session security/libgcrypt textproc/php5-wddx net/php5-ldap ftp/php5-curl databases/php5-pdo_sqlite databases/php5-mysql databases/php5-mysqli databases/php5-pdo_mysql converters/php5-mbstring textproc/php5-xsl graphics/php5-gd  
 </pre> 
 *NOTE*: These are just a few PHP modules, there are many more; and not all of the above are necessary, it just suits my use case. 

 * Then create /usr/local/etc/apache24/Includes/mod_php5.conf: 
 <pre> 
 vi /usr/local/etc/apache24/Includes/mod_php5.conf 
 </pre> 
#* And add the following:
<pre>
<IfModule dir_module>
    DirectoryIndex index.php index.html
</IfModule>

<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch "\.phps$">
    SetHandler application/x-httpd-php-source
</FilesMatch>
</pre>
*NOTE*: The @.phps@ handler serves PHP source as syntax-highlighted text. It only affects files deliberately named @*.phps@, but on a production server leave the second @FilesMatch@ out unless publishing source is intended.

 * Copy the PHP configuration file using the following command 
 <pre> 
 cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini 
 </pre> 

* Check that @/usr/local/etc/apache24/httpd.conf@ loads the module. The mod_php5 port normally appends this line itself when it installs, so add it only if it is missing:
<pre>
LoadModule php5_module          libexec/apache24/libphp5.so
</pre>

 * Now restart the apache server by using the following command: 
 <pre> 
 service apache24 restart 
 </pre> 
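@php.ini-production@ is a sane base, but a handful of settings are worth asserting on every deployment rather than trusting that the file has not been edited since. The script below is an added example, not part of the original page: it reads the effective value of each directive (the last uncommented assignment wins, as in PHP's own parser) and compares it with a baseline. The baseline is my assumption of a hardened production profile, not something the guide prescribes, and the php.ini it writes for the demo is constructed.

```shell
#!/bin/sh
# Added example (not from the page): audit php.ini against a hardened
# baseline. The baseline is an assumption, not something the guide
# prescribes; adjust it to what the application actually needs.

# directive|expected ; an empty "expected" means the value must be non-empty.
PHP_BASELINE='expose_php|Off
display_errors|Off
allow_url_include|Off
allow_url_fopen|Off
session.cookie_httponly|1
disable_functions|'

# php_ini_get FILE DIRECTIVE: effective value (last uncommented assignment).
php_ini_get() {
    awk -F= -v key="$2" '
        /^[ \t]*[;#]/ { next }                       # comment line
        {
            k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
                val = v
            }
        }
        END { print val }' "$1"
}

# audit_php_ini FILE: one line per deviation; exit 1 if there were any.
audit_php_ini() {
    a_ini="$1" a_bad=0
    while IFS='|' read -r a_key a_want; do
        [ -n "$a_key" ] || continue
        a_got=$(php_ini_get "$a_ini" "$a_key")
        if [ -z "$a_want" ]; then
            [ -n "$a_got" ] || { echo "$a_key: empty, want a deny-list"; a_bad=$((a_bad + 1)); }
        elif [ "$a_got" != "$a_want" ]; then
            echo "$a_key: got '${a_got:-<unset>}', want '$a_want'"; a_bad=$((a_bad + 1))
        fi
    done <<EOF
$PHP_BASELINE
EOF
    [ "$a_bad" -eq 0 ]
}

# count_php_ini_findings FILE: number of deviations (for a deploy gate).
count_php_ini_findings() {
    audit_php_ini "$1" | grep -c .
}

# write_sample_php_ini FILE: constructed input for the demo, not a real php.ini.
write_sample_php_ini() {
    cat > "$1" <<'EOF'
[PHP]
; production defaults with two things a developer turned on "temporarily"
expose_php =  On
display_errors = Off
;display_errors = On
allow_url_fopen = On
allow_url_include = Off
session.cookie_httponly = 1
disable_functions =
EOF
}

# Usage: sh php-ini-audit.sh /usr/local/etc/php.ini   (or --demo)
case "${1:-}" in
    "") ;;
    --demo) s=$(mktemp); write_sample_php_ini "$s"; audit_php_ini "$s"; rm -f "$s" ;;
    *) audit_php_ini "$1" && echo "$1 matches the baseline" ;;
esac
```

Run it against @/usr/local/etc/php.ini@ after the copy above and again after every PHP upgrade; a non-empty @disable_functions@ (for example @exec,system,passthru,shell_exec@) is the one entry you have to fill in yourself, since @php.ini-production@ leaves it blank.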

 h2. Install phpMyAdmin 

 * Install phpmyadmin: 
 <pre> 
 portmaster databases/phpmyadmin 
 </pre> 

 h3. Configure phpMyAdmin 

* Set up phpMyAdmin for Apache 2.4 by creating @/usr/local/etc/apache24/Includes/phpmyadmin.conf@ with the following. Access is limited to the loopback addresses; the 2.2-style @Order@ line is not needed (and, with @mod_access_compat@ loaded, would only confuse matters) because several @Require@ lines in a 2.4 @<Directory>@ block are OR-ed:
<pre>
Alias /phpmyadmin "/usr/local/www/phpMyAdmin/"

<Directory "/usr/local/www/phpMyAdmin/">
    Options None
    AllowOverride Limit
    Require ip 127.0.0.1
    Require ip ::1
    #Require ip 192.168.1.0/255.255.255.0
</Directory>
</pre>

Now it's time to configure phpMyAdmin by creating @/usr/local/www/phpMyAdmin/config.inc.php@, its basic configuration file. Traditionally users created or modified that file by hand, but phpMyAdmin now includes a setup script that makes it much easier to generate with the settings you want.

* Start by creating the directory @/usr/local/www/phpMyAdmin/config@ and make it writable by the setup script. This makes it world-writable, so keep it only for the duration of the setup; it is removed at the end:
 <pre> 
 mkdir /usr/local/www/phpMyAdmin/config 
 chmod o+w /usr/local/www/phpMyAdmin/config 
 </pre> 

* Then make @/usr/local/www/phpMyAdmin/config.inc.php@ readable by the setup script (this is reverted at the end as well):
 <pre> 
 chmod o+r /usr/local/www/phpMyAdmin/config.inc.php 
 </pre> 

* Now open your web browser and navigate to the phpMyAdmin setup page, where you will see the setup _Overview_ page. Because the @<Directory>@ block above only admits the loopback addresses, going straight to http://www.example.com/phpmyadmin/setup from another machine is refused.
#* I use SSH tunnels for sensitive tasks like this:
<pre>
ssh -L 8081:localhost:80 www.example.com
</pre>
#* NOTE: This forwards connections made to port 8081 on the local computer through SSH so that they reach Apache from the server itself, i.e. from 127.0.0.1, which the @Require ip 127.0.0.1@ rule permits; every other source is forbidden. With the tunnel up, browse to http://localhost:8081/phpmyadmin/setup. The tunnel also keeps the setup traffic and, later, the login credentials off the network in the clear.

 * Select *New Server* and then select the *Authentication* tab.  
 *# Under the *Authentication type* choose +http+ from the drop-down list (using HTTP-Auth to sign-in into phpMyAdmin will avoid storing login/password credentials directly in config.inc.php) 
 *# And remove +root+ from the *User for config auth*. 

 * Now select *Apply* and you will be returned you to the Overview page where you should see a new server listed.  

 * Select *Save* again in the Overview page to save your configuration as @/usr/local/www/phpMyAdmin/config/config.inc.php@.  

 * Now move that file up one directory to @/usr/local/www/phpMyAdmin@ where phpMyAdmin can make use of it. 
 <pre> 
 mv /usr/local/www/phpMyAdmin/config/config.inc.php /usr/local/www/phpMyAdmin   
 </pre>  

* Now let's try out phpMyAdmin to make sure it works. Point your web browser at it through the tunnel (http://localhost:8081/phpmyadmin) or over the HTTPS virtual host. With the +http+ authentication type the browser sends the MySQL credentials in a Basic auth header on every request, so never use plain http://www.example.com/phpmyadmin across the network. You will be presented with a pop-up box requesting you to log in.
Use "root" and the MySQL password you set up previously, and you should be directed to the phpMyAdmin administration page.

 * We no longer need the /usr/local/www/phpMyAdmin/config directory so let’s remove it, and the read permission we added previously to /usr/local/www/phpMyAdmin/config.inc.php: 
 <pre> 
 rm -r /usr/local/www/phpMyAdmin/config 
 chmod o-r /usr/local/www/phpMyAdmin/config.inc.php 
 </pre> 

 * And wrap up by restarting the Apache and MySQL servers: 
 <pre> 
 service apache24 restart 
 service mysql-server restart 
 </pre> 

 --- 

 h1. Install Phusion Passenger 

 * Install and compile Phusion Passenger 
 <pre> 
 portmaster www/rubygem-passenger 
 passenger-install-apache2-module 
 </pre> 
#* Then add the module in @/usr/local/etc/apache24/httpd.conf@, using the @LoadModule@ and @PassengerRoot@ paths that @passenger-install-apache2-module@ prints at the end of its run. The ones below are from this build (Passenger 4.0.41) and point into the port's work directory, which is removed whenever the port is cleaned (portmaster cleans after installing), so if the module goes missing after a rebuild, re-run the installer and use the paths it prints:
<pre>
LoadModule passenger_module /usr/ports/www/rubygem-passenger/work/passenger-4.0.41/buildout/apache2/mod_passenger.so
<IfModule mod_passenger.c>
  PassengerRoot /usr/ports/www/rubygem-passenger/work/passenger-4.0.41
  PassengerDefaultRuby /usr/local/bin/ruby19
</IfModule>
</pre>
#* Ruby web applications can then be served with a virtual host like the following template (the @DocumentRoot@ must be the application's @public@ directory, never the application root):
 <pre> 
 <VirtualHost *:80> 
    ServerName www.example.com 
    # !!! Be sure to point DocumentRoot to 'public'! 
    DocumentRoot /usr/local/www/rubyapp/public     
    <Directory /usr/local/www/rubyapp/public> 
       # This relaxes Apache security settings. 
       AllowOverride all 
       # MultiViews must be turned off. 
       Options -MultiViews 
    </Directory> 
 </VirtualHost> 
 </pre> 

 h1. Virtual Hosts With Different Users 

 h2. Recompile Apache 2.4 with Suexec 

* Refresh the ports tree (@extract@ is only for a first checkout; use @update@ on a tree that already exists):
<pre>
portsnap fetch update
</pre>

 * Recompile Apache 2.4 
 <pre> 
 cd /usr/ports/www/apache24 
 make config 
 make reinstall clean 
 </pre> 
*NOTE*: Make sure to enable [X] SUEXEC during @make config@. Be clear about what suEXEC does and does not do: it switches the uid/gid only for CGI programs and SSI @exec@ calls. Scripts served by mod_php keep running as the httpd user (@www@) no matter what @SuexecUserGroup@ says, so the per-vhost user below isolates CGI but not PHP; isolating PHP per user requires running it as a CGI or FastCGI program under suEXEC instead of as mod_php.

 * Make a directory for each Vhost: 
 <pre> 
 mkdir /usr/local/etc/apache24/Vhosts 
 </pre> 

* Create the webapp group:
<pre>
pw groupadd webapp
</pre>

 * Edit the apache config: 
 <pre> 
 vi /usr/local/etc/apache24/httpd.conf 
 </pre> 
 #* And add the following: 
 <pre> 
 LoadModule suexec_module          libexec/apache24/mod_suexec.so 

 ## Include Vhosts directory: 
 Include etc/apache24/Vhosts/*.conf 
 </pre> 

 h3. WordPress 

 * Install wordpress: 
 <pre> 
 portmaster www/wordpress 
 </pre> 

* Add the wordpress user, with no login shell:
<pre>
pw useradd -n wordpress -g webapp -d /usr/local/www/wordpress -s /usr/sbin/nologin -c "WordPress"
</pre>

* Make a temporary upload directory for wordpress outside the document root, and hand both it and the site to the wordpress user:
 <pre> 
 mkdir /var/tmp/wordpress 
 chown wordpress:webapp /usr/local/www/wordpress 
 chown wordpress:webapp /var/tmp/wordpress/ 
 chmod o-rwx /var/tmp/wordpress 
 </pre> 

* Set up a virtual host that uses suEXEC:
 <pre> 
 vi /usr/local/etc/apache24/Vhosts/wordpress.example.com.conf 
 </pre> 
#* And add the following:
<pre>
<VirtualHost *:80>
  ServerName wordpress.example.com
  DocumentRoot /usr/local/www/wordpress

  SuexecUserGroup wordpress webapp

  php_admin_value open_basedir /usr/local/www/wordpress:/var/tmp/wordpress
  php_admin_value upload_tmp_dir    /var/tmp/wordpress

  <Directory "/usr/local/www/wordpress">
    AllowOverride All
    Require all granted
    Options +SymLinksIfOwnerMatch +Includes
  </Directory>
</VirtualHost>
</pre>
#* *NOTE*: The @upload_tmp_dir@ is set to a directory outside the document root of the wordpress site (not @/usr/local/www/wordpress/tmp@), so an uploaded file is never web-reachable before PHP has finished with it, and it is not readable or writable by any other system user, so nothing else can modify or replace a file while PHP is processing it. The directory also has to be listed in @open_basedir@: PHP checks @upload_tmp_dir@ against @open_basedir@ before creating the temporary file, and uploads fail if it lies outside. @php_admin_value@ settings cannot be overridden from @.htaccess@ or @ini_set()@, which is why they are used here rather than @php_value@.

 * Restart apache: 
 <pre> 
 service apache24 restart 
 </pre> 
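Two properties of the vhost above are easy to get wrong and worth checking mechanically: @SuexecUserGroup@ only changes the identity of CGI and SSI-exec programs, so anything served through mod_php still runs as the httpd user, and @upload_tmp_dir@ must lie inside @open_basedir@ or PHP cannot create its temporary upload file. The script below is an added example, not the page's own; the vhost text it writes for the demo is constructed from the block above, with the @open_basedir@ that omits the temp directory.

```shell
#!/bin/sh
# Added example (not from the page): lint a mod_php vhost for two mistakes
# the suEXEC setup above invites. The sample vhost is constructed for the demo.

# conf_value FILE DIRECTIVE: last value of a one- or two-argument Apache
# directive (e.g. "SuexecUserGroup wordpress webapp" -> "wordpress webapp").
conf_value() {
    awk -v d="$2" 'tolower($1) == tolower(d) { v = $2 (NF > 2 ? " " $3 : "") } END { print v }' "$1"
}

# php_admin_get FILE KEY: VALUE from "php_admin_value KEY VALUE".
php_admin_get() {
    awk -v k="$2" '$1 == "php_admin_value" && $2 == k { v = $3 } END { print v }' "$1"
}

# path_within PATH LIST: is PATH equal to, or below, one of the ':'-separated
# directories in LIST (the open_basedir syntax)?
path_within() {
    pi_p="${1%/}" pi_list="$2"
    while [ -n "$pi_list" ]; do
        pi_base="${pi_list%%:*}"
        [ "$pi_base" = / ] && return 0               # "/" allows everything
        pi_base="${pi_base%/}"
        if [ -n "$pi_base" ]; then
            case "$pi_p" in "$pi_base" | "$pi_base"/*) return 0 ;; esac
        fi
        case "$pi_list" in *:*) pi_list="${pi_list#*:}" ;; *) pi_list='' ;; esac
    done
    return 1
}

# check_vhost FILE: print each finding; exit 1 if there were any.
check_vhost() {
    cv_f="$1" cv_bad=0
    cv_sug=$(conf_value "$cv_f" SuexecUserGroup)
    cv_ob=$(php_admin_get "$cv_f" open_basedir)
    cv_tmp=$(php_admin_get "$cv_f" upload_tmp_dir)
    if [ -n "$cv_sug" ] && grep -qi '^[[:space:]]*php_admin_value' "$cv_f"; then
        echo "SuexecUserGroup $cv_sug does not apply to mod_php: PHP here still runs as the httpd user"
        cv_bad=$((cv_bad + 1))
    fi
    if [ -n "$cv_tmp" ] && [ -n "$cv_ob" ] && ! path_within "$cv_tmp" "$cv_ob"; then
        echo "upload_tmp_dir $cv_tmp is outside open_basedir $cv_ob: file uploads will fail"
        cv_bad=$((cv_bad + 1))
    fi
    [ "$cv_bad" -eq 0 ]
}

# write_sample_vhost FILE: constructed from the guide's vhost, with the
# open_basedir that leaves out the upload directory.
write_sample_vhost() {
    cat > "$1" <<'EOF'
<VirtualHost *:80>
  ServerName wordpress.example.com
  DocumentRoot /usr/local/www/wordpress
  SuexecUserGroup wordpress webapp
  php_admin_value open_basedir /usr/local/www/wordpress
  php_admin_value upload_tmp_dir /var/tmp/wordpress
</VirtualHost>
EOF
}

# Usage: sh vhost-lint.sh /usr/local/etc/apache24/Vhosts/wordpress.example.com.conf   (or --demo)
case "${1:-}" in
    "") ;;
    --demo) v=$(mktemp); write_sample_vhost "$v"; check_vhost "$v"; rm -f "$v" ;;
    *) check_vhost "$1" && echo "$1: no findings" ;;
esac
```

The first finding is informational unless the vhost is actually serving PHP through CGI/FastCGI; the second is a hard failure that WordPress reports only as a generic upload error.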

 h2. Resources 

 * http://fosskb.wordpress.com/2014/04/10/famp-installing-apache2-4-mysql-php-on-freebsd-10/
