• Table of contents
• Pre-Installation Tasks
• Install Apache 2.4
  • Optional Worker Modules
    • MPM Prefork
    • MPM Worker
    • MPM Event
  • Securing Apache24 with SSL
    • Forcing SSL on a Website
• Install MariaDB
  • Configure MariaDB
  • Configure a new database
• Install PHP
  • Install phpMyAdmin
    • Configure phpMyAdmin
• Install Phusion Passenger
• Virtual Hosts With Different Users
  • Recompile Apache 2.4 with Suexec
    • WordPress
  • Resources

Here is a procedure to install a FAMP, FreeBSD with Apache, MariaDB and PHP, server. The following setup runs Apache 2.4, MariaDB 5.5, and PHP 5 on FreeBSD 9.2-RELEASE. If any version of the packages needs to be changed, replace the versions in the commands accordingly.

Pre-Installation Tasks¶

• Before installation of the components, make sure the ports tree and packages are up to date using the following command:
  

  pkg update && pkg upgrade
  portsnap fetch extract
  

• Install portmaster:
  

  pkg install portmaster
  pkg2ng
  

  
  NOTE: pkgng is great, however I need the flexibility of the ports tree. So portmaster will be useful for upgrading and installing packages.

• Edit the /etc/hosts file and add the following line:
  

  192.168.1.1               www.example.com www
  

---

Install Apache 2.4¶

• Install Apache 2.4
  

  portmaster www/apache24
  

• Edit the apache configuration file, i.e. /usr/local/etc/apache24/httpd.conf, and make the following changes:
  

  ServerRoot "/usr/local" 
  ServerAdmin you@your.address
  ServerName www.example.com:80
  DocumentRoot "/usr/local/www" 
  Listen :80
  NameVirtualHost *:80
  
  <Directory "/usr/local/www">
      Options Indexes FollowSymLinks
  
      AllowOverride None
  
      Order allow,deny
      Allow from all
  </Directory>
  
  Include etc/apache22/Includes/*.conf
  

• (Optional) Create a file named /boot/loader.conf or edit it if it is already present and add the following line:
  

  accf_http_load="YES" 
  

• (Optional) Create a file named /usr/local/etc/apache24/Includes/no-accf.conf or edit it if it is already present and add the following lines to disable ACCF (I do this since I am in a jail that does not have the reuired kernel module):
  

  <IfDefine NOHTTPACCEPT>
     AcceptFilter http none
     AcceptFilter https none
  </IfDefine>
  

• Run the following line to enable apache24 to start at boot:
  

  echo 'apache24_enable="YES"' >> /etc/rc.conf
  

• Test the apache server installation using the following command:
  

  service apache24 start
  

Optional Worker Modules¶

MPM Prefork¶

• Edit the apache24 config file:
  

  vi /usr/local/etc/apache24/httpd.conf
  

  • And add the following:
    

    ## Apache prefork mpm module
    LoadModule mpm_prefork_module libexec/apache24/mod_mpm_prefork.so
    

  • And uncomment the mpm include:
    

    # Server-pool management (MPM specific)
    Include etc/apache24/extra/httpd-mpm.conf
    

• Restart apache:
  

  service apache24 restart
  

MPM Worker¶

• Edit the apache24 config file:
  

  vi /usr/local/etc/apache24/httpd.conf
  

  • And add the following:
    

    ## Apache worker mpm module
    LoadModule mpm_worker_module libexec/apache24/mod_mpm_worker.so
    

  • And uncomment the mpm include:
    

    # Server-pool management (MPM specific)
    Include etc/apache24/extra/httpd-mpm.conf
    

• Restart apache:
  

  service apache24 restart
  

MPM Event¶

• Edit the apache24 config file:
  

  vi /usr/local/etc/apache24/httpd.conf
  

  • And add the following:
    

    ## Apache event mpm module
    LoadModule mpm_event_module libexec/apache24/mod_mpm_prefork.so
    

  • And uncomment the mpm include:
    

    # Server-pool management (MPM specific)
    Include etc/apache24/extra/httpd-mpm.conf
    

• Restart apache:
  

  service apache24 restart
  

Securing Apache24 with SSL¶

• Make the directory for apache24 ssl files:
  

  mkdir /usr/local/etc/apache24/ssl && cd /usr/local/etc/apache24/ssl
  

• Generate a strong SSL key and a CSR to send for signing by a CA:
  

  openssl req -sha512 -out www.example.com.csr -new -newkey rsa:4096 -nodes -keyout www.example.com.key
  

• Make sure to securely copy the SSL certificate to www.example.com.crt

• Edit the apache24 config file:
  

  vi /usr/local/etc/apachdirectory "cache" must be writeablee24/httpd.conf
  

  • Make sure to uncomment the Include for the SSL configuration:
    

    Include etc/apache24/extra/httpd-ssl.conf
    

  • And Add the following:
    

    <VirtualHost *:443>
        ServerName www.example.com
    
        DocumentRoot /usr/local/www/www.example.com            
        <Directory /usr/local/www/www.example.com>
            Options FollowSymLinks
            AllowOverride All
            Require all granted
        </Directory>
    
        SSLEngine on
    
        SSLCertificateFile /usr/local/etc/apache24/ssl/www.example.com.crt
        SSLCertificateKeyFile /usr/local/etc/apache24/ssl/www.example.com.key
    
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
    
        BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
    </VirtualHost>
    

1. Edit the apache24 SSL config file:
   

   vi /usr/local/etc/apache24/extras/httpd-ssl.conf
   

   • And modify the following parameters:
     

     SSLProtocol all -SSLv2 -SSLv3
     
     SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+
     ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA R
     C4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4" 
     
     SSLCertificateFile "/usr/local/etc/apache24/ssl/www.example.com.crt" 
     
     SSLCertificateKeyFile "/usr/local/etc/apache24/ssl/www.example.com.key" 
     
     SSLCertificateChainFile "/usr/local/etc/apache24/ssl/www.example.com.bundle" 
     

• Restart apache24:
  

  service apache24 restart
  

Forcing SSL on a Website¶

• Enable forced SSL connection by setting the two lines from earlier in the .htaccess file. Open the file for editing:
  

  vi /usr/local/www/apache24/data/.htaccess
  

  • Look for the following two lines, and remove the # characters before them:
    

    RewriteCond %{HTTPS} !=on
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
    

• Restart apache2:
  

  service apache2 restart
  

---

Install MariaDB¶

• Install MariaDB 5.5 Server and Client
  

  portmaster databases/mariadb55-{server,client}
  

Configure MariaDB¶

• Enable MariaDB to start at boot:
  

  echo 'mysql_enable="YES"' >> /etc/rc.conf
  

• Start MariaDB
  

  service mysql-server start
  

• Do some basic security to harden the MariaDB server:
  

  mysql_secure_installation
  

• Restart mysql using the following commands:
  

  service mysql-server restart
  

• Use the following command:
  

  cp /usr/local/share/mysql/my-small.cnf /var/db/mysql/my.cnf
  

Configure a new database¶

• Log into the MySQL console:
  

  mysql -h localhost -u root -p
  

  • Create the webappuser user with the SuperSecretPassword password and the webappdb database:
    

    CREATE USER 'webappuser'@'localhost' IDENTIFIED BY 'SuperSecretPassword';   
    CREATE DATABASE IF NOT EXISTS  `webappdb` CHARACTER SET utf8 COLLATE utf8_general_ci;
    GRANT ALL PRIVILEGES ON `webappdb`.* TO 'webbappuser'@'localhost';
    
    flush privileges;
    exit
    

---

Install PHP¶

NOTE: If using a threaded apache worker module like event or worker mpm, enable [X]ZTS for lang/php5 and www/mod_php5

• Install PHP5 and mod_php:
  

  portmaster lang/php5 www/mod_php5
  

• Install a few PHP modules:
  

  portmaster textproc/php5-xml textproc/php5-dom security/libgpg-error textproc/php5-xmlreader textproc/php5-simplexml textproc/php5-ctype sysutils/php5-fileinfo security/php5-openssl security/php5-hash security/php5-filter graphics/php5-exif devel/php5-json databases/php5-sqlite3 databases/php5-pdo lang/php5-extensions converters/php5-iconv archivers/php5-zlib archivers/php5-zip archivers/php5-bz2 www/php5-session security/libgcrypt textproc/php5-wddx net/php5-ldap ftp/php5-curl databases/php5-pdo_sqlite databases/php5-mysql databases/php5-mysqli databases/php5-pdo_mysql converters/php5-mbstring textproc/php5-xsl graphics/php5-gd devel/php5-gettext security/php5-mcrypt
  

  
  NOTE: These are just a few PHP modules, there are many more; and not all of the above are necessary, it just suits my use case.

• Then create /usr/local/etc/apache24/Includes/mod_php5.conf:
  

  vi /usr/local/etc/apache24/Includes/mod_php5.conf
  

  • And add the following:
    

    <IfModule dir_module>
        DirectoryIndex index.php index.html
    </IfModule>
    
    <FilesMatch "\.php$">
        SetHandler application/x-httpd-php
    </FilesMatch>
    <FilesMatch "\.phps$">
        SetHandler application/x-httpd-php-source
    </FilesMatch>
    

• Copy the PHP configuration file using the following command
  

  cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini
  

• Edit /usr/local/etc/apache24/httpd.conf file and add the following lines:
  

  LoadModule php5_module        libexec/apache24/libphp5.so
  

• Now restart the apache server by using the following command:
  

  service apache24 restart
  

Install phpMyAdmin¶

• Install phpmyadmin:
  

  portmaster databases/phpmyadmin
  

Configure phpMyAdmin¶

• Setup phpMyAdmin for Apache 2.4 by creating /usr/local/etc/apache24/Includes/phpmyadmin.conf and add the following:
  

  Alias /phpmyadmin "/usr/local/www/phpMyAdmin/" 
  
  <Directory "/usr/local/www/phpMyAdmin/">
      Options none
      AllowOverride Limit
      Order Deny,Allow
      Require ip 127.0.0.1
      Require ip ::1
      #Require ip 192.168.1.0/255.255.255.0
  </Directory>
  

Now its time to configure phpMyAdmin. Do this by creating the file /usr/local/www/phpMyAdmin/config.inc.php, the basic configuration file for phpMyAdmin. Traditionally, users have manually created or modified /usr/local/www/phpMyAdmin/config.inc.php, but now phpMyAdmin includes a nice setup script, making it much easier to create this file with the settings you want.

• Start by creating the directory /usr/local/www/phpMyAdmin/config and make it writable by the phpMyAdmin setup script:
  

  mkdir /usr/local/www/phpMyAdmin/config
  chmod o+w /usr/local/www/phpMyAdmin/config
  

• Then make /usr/local/www/phpMyAdmin/config.inc.php readable by the phpMyAdmin setup script:
  

  chmod o+r /usr/local/www/phpMyAdmin/config.inc.php
  

• Now open your web browser and navigate to http://www.example.com/phpmyadmin/setup where you will see the phpMyAdmin setup Overview page.
  • I use SSH tunnels for sensitive tasks like this:
    

    ssh -L 8081:localhost:80 www.example.com
    

  • NOTE: This will make connections sent to the local computer on port 8081 be sent over SSH and appear as connections from the server itself. Since the above config has Require ip 127.0.0.1, all connections will be forbidden except from 127.0.0.1.

• Select New Server and then select the Authentication tab.
  1. Under the Authentication type choose http from the drop-down list (using HTTP-Auth to sign-in into phpMyAdmin will avoid storing login/password credentials directly in config.inc.php)
  2. And remove root from the User for config auth.

• Now select Apply and you will be returned you to the Overview page where you should see a new server listed.

• Select Save again in the Overview page to save your configuration as /usr/local/www/phpMyAdmin/config/config.inc.php.

• Now move that file up one directory to /usr/local/www/phpMyAdmin where phpMyAdmin can make use of it.
  

  mv /usr/local/www/phpMyAdmin/config/config.inc.php /usr/local/www/phpMyAdmin  
  

• Now let’s try out phpMyAdmin to make sure it works. Point your web browser to http://www.example.com/phpmyadmin where you will be presented with a pop-up box requesting you to log in.
  Use “root” and the MySQL password you set up previously, then you should be directed to the phpMyAdmin administration page.

• We no longer need the /usr/local/www/phpMyAdmin/config directory so let’s remove it, and the read permission we added previously to /usr/local/www/phpMyAdmin/config.inc.php:
  

  rm -r /usr/local/www/phpMyAdmin/config
  chmod o-r /usr/local/www/phpMyAdmin/config.inc.php
  

• And wrap up by restarting the Apache and MySQL servers:
  

  service apache24 restart
  service mysql-server restart
  

---

Install Phusion Passenger¶

• Install and compile Phusion Passenger
  

  portmaster www/rubygem-passenger
  passenger-install-apache2-module
  

  • Then add the module in /usr/local/etc/apache24/httpd.conf:
    

    LoadModule passenger_module /usr/ports/www/rubygem-passenger/work/passenger-4.0.41/buildout/apache2/mod_passenger.so
    <IfModule mod_passenger.c>
      PassengerRoot /usr/ports/www/rubygem-passenger/work/passenger-4.0.41
      PassengerDefaultRuby /usr/local/bin/ruby19
    </IfModule>
    

  • And now ruby web applications can be used by using the following template:
    

    <VirtualHost *:80>
       ServerName www.example.com
       # !!! Be sure to point DocumentRoot to 'public'!
       DocumentRoot /usr/local/www/rubyapp/public    
       <Directory /usr/local/www/rubyapp/public>
          # This relaxes Apache security settings.
          AllowOverride all
          # MultiViews must be turned off.
          Options -MultiViews
       </Directory>
    </VirtualHost>
    

Virtual Hosts With Different Users¶

Recompile Apache 2.4 with Suexec¶

• Refresh the ports tree:
  

  portsnap fetch extract
  

• Recompile Apache 2.4
  

  cd /usr/ports/www/apache24
  make config
  make reinstall clean
  

  
  NOTE: Make sure to enable [X] SUEXEC during make config.

• Make a directory for each Vhost:
  

  mkdir /usr/local/etc/apache24/Vhosts
  

• Create webapp group:
  

  pw add group webapp
  

• Edit the apache config:
  

  vi /usr/local/etc/apache24/httpd.conf
  

  • And add the following:
    

    LoadModule suexec_module        libexec/apache24/mod_suexec.so
    
    ## Include Vhosts directory:
    Include etc/apache24/Vhosts/*.conf
    

WordPress¶

• Install wordpress:
  

  portmaster www/wordpress
  

• Add the wordpress user
  

  pw add user -n wordpress -g webapp -d /usr/local/www/wordpress -s /usr/sbin/nologin -c "WordPress" 
  

• Make a temporary storage directory for wordpress:
  

  mkdir /var/tmp/wordpress
  chown wordpress:webapp /usr/local/www/wordpress
  chown wordpress:webapp /var/tmp/wordpress/
  chmod o-rwx /var/tmp/wordpress
  

• Setting up a virtual Host to use suEXEC
  

  vi /usr/local/etc/apache24/Vhosts/wordpress.example.com.conf
  

  • And add the following:
    

    <VirtualHost *:80>
      ServerName wordpress.example.com
      DocumentRoot /usr/local/www/wordpress
    
      SuexecUserGroup wordpress webapp
    
      php_admin_value open_basedir /usr/local/www/wordpress
      php_admin_value upload_tmp_dir  /var/tmp/wordpress
    
      <Directory "/usr/local/www/wordpress">
        AllowOverride All
        Require all granted
        Options +SymlinksIfOwnerMatch +Includes
      </Directory>
    </VirtualHost>
    

  • NOTE: The upload_tmp_dir is set to a folder that is outside the document root of the wordpress site (not /usr/local/www/wordpress/tmp). It should also be not readable or writable by any other system users. This is for security reasons: this way it cannot be modified or overwritten while PHP is processing it.

• Restart apache:
  

  service apache24 restart
  

Resources¶

• http://fosskb.wordpress.com/2014/04/10/famp-installing-apache2-4-mysql-php-on-freebsd-10/