Support #432
Install A FreeBSD, Apache 2.4, MariaDB 5.5, PHP 5 (FAMP) Server
Description
- Table of contents
- Pre-Installation Tasks
- Install Apache 2.4
- Install MariaDB
- Install PHP
- Install Phusion Passenger
- Virtual Hosts With Different Users
Here is a procedure to install a FAMP (FreeBSD, Apache, MariaDB and PHP) server. The following setup runs Apache 2.4, MariaDB 5.5, and PHP 5 on FreeBSD 9.2-RELEASE. If any package version needs to be changed, replace the versions in the commands accordingly.
Pre-Installation Tasks
- Before installing the components, make sure the packages and the ports tree are up to date using the following commands:
pkg update && pkg upgrade
portsnap fetch extract
- Install portmaster and convert the package database with pkg2ng:
pkg install portmaster
pkg2ng
NOTE: pkgng is great; however, I need the flexibility of the ports tree, so portmaster will be useful for upgrading and installing packages.
- Edit the /etc/hosts file and add the following line:
192.168.1.1 www.example.com www
Install Apache 2.4
- Install Apache 2.4:
portmaster www/apache24
- Edit the Apache configuration file, i.e. /usr/local/etc/apache24/httpd.conf, and make the following changes:
ServerRoot "/usr/local"
ServerAdmin you@your.address
ServerName www.example.com:80
DocumentRoot "/usr/local/www"
Listen 80
# NameVirtualHost is obsolete in Apache 2.4 and only produces a warning
NameVirtualHost *:80
<Directory "/usr/local/www">
    # Indexes enables directory listings for directories without an index file
    Options Indexes FollowSymLinks
    AllowOverride None
    # Apache 2.2 syntax; in 2.4 it needs mod_access_compat (the 2.4 form is "Require all granted")
    Order allow,deny
    Allow from all
</Directory>
Include etc/apache24/Includes/*.conf
- (Optional) Create a file named /boot/loader.conf or edit it if it is already present and add the following line:
accf_http_load="YES"
- (Optional) Create a file named /usr/local/etc/apache24/Includes/no-accf.conf or edit it if it is already present and add the following lines to disable ACCF (I do this since I am in a jail that does not have the required kernel module):
<IfDefine NOHTTPACCEPT>
    AcceptFilter http none
    AcceptFilter https none
</IfDefine>
- Run the following line to enable apache24 to start at boot:
echo 'apache24_enable="YES"' >> /etc/rc.conf
- Test the apache server installation using the following command:
service apache24 start
Optional Worker Modules
MPM Prefork
- Edit the apache24 config file:
vi /usr/local/etc/apache24/httpd.conf
- And add the following:
## Apache prefork mpm module
LoadModule mpm_prefork_module libexec/apache24/mod_mpm_prefork.so
- And uncomment the mpm include:
# Server-pool management (MPM specific)
Include etc/apache24/extra/httpd-mpm.conf
- Restart apache:
service apache24 restart
MPM Worker
- Edit the apache24 config file:
vi /usr/local/etc/apache24/httpd.conf
- And add the following:
## Apache worker mpm module
LoadModule mpm_worker_module libexec/apache24/mod_mpm_worker.so
- And uncomment the mpm include:
# Server-pool management (MPM specific)
Include etc/apache24/extra/httpd-mpm.conf
- Restart apache:
service apache24 restart
MPM Event
- Edit the apache24 config file:
vi /usr/local/etc/apache24/httpd.conf
- And add the following:
## Apache event mpm module
LoadModule mpm_event_module libexec/apache24/mod_mpm_event.so
- And uncomment the mpm include:
# Server-pool management (MPM specific)
Include etc/apache24/extra/httpd-mpm.conf
- Restart apache:
service apache24 restart
Securing Apache24 with SSL
- Make the directory for apache24 ssl files:
mkdir /usr/local/etc/apache24/ssl && cd /usr/local/etc/apache24/ssl
- Generate a strong SSL key and a CSR to send for signing by a CA:
openssl req -sha512 -out www.example.com.csr -new -newkey rsa:4096 -nodes -keyout www.example.com.key
- Make sure to securely copy the signed certificate returned by the CA to /usr/local/etc/apache24/ssl/www.example.com.crt (and the CA's chain bundle, if one is provided, to www.example.com.bundle in the same directory).
- Edit the apache24 config file:
vi /usr/local/etc/apache24/httpd.conf
- Make sure to uncomment the Include for the SSL configuration:
Include etc/apache24/extra/httpd-ssl.conf
- And add the following:
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /usr/local/www/www.example.com
    <Directory /usr/local/www/www.example.com>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
    SSLEngine on
    SSLCertificateFile /usr/local/etc/apache24/ssl/www.example.com.crt
    SSLCertificateKeyFile /usr/local/etc/apache24/ssl/www.example.com.key
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
- Edit the apache24 SSL config file:
vi /usr/local/etc/apache24/extra/httpd-ssl.conf
- And modify the following parameters:
SSLProtocol all -SSLv2 -SSLv3
# The trailing !RC4 removes RC4 permanently, so the earlier RC4 entries in the list are inert
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
SSLCertificateFile "/usr/local/etc/apache24/ssl/www.example.com.crt"
SSLCertificateKeyFile "/usr/local/etc/apache24/ssl/www.example.com.key"
SSLCertificateChainFile "/usr/local/etc/apache24/ssl/www.example.com.bundle"
- Restart apache24:
service apache24 restart
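As an added example (not part of the original page), a POSIX sh audit that reads an httpd-ssl.conf and checks the three settings from the steps above: SSLProtocol excludes SSLv2 and SSLv3, SSLCipherSuite carries the !aNULL, !eNULL and !RC4 exclusions (a "!" token removes those ciphers permanently, which is why the RC4 entries earlier in the page's string do no harm), and the unencrypted key written by openssl with -nodes is not readable by group or other. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: static audit of an Apache httpd-ssl.conf against the
# hardening settings above (function names and paths are hypothetical).
# Usage: audit_ssl_conf /usr/local/etc/apache24/extra/httpd-ssl.conf
# Returns 0 when all checks pass, 1 after printing each finding.

# Print the arguments of the last non-comment DIRECTIVE line in FILE.
conf_value() {
    awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); v = $0 } END { print v }' "$1"
}

audit_ssl_conf() {
    conf=$1; rc=0
    # SSLProtocol: "all" needs both -SSLv2 and -SSLv3; no token may add them back.
    proto=$(conf_value "$conf" SSLProtocol)
    all=0; no2=0; no3=0; plus=0
    for tok in $proto; do
        case $tok in
            all) all=1 ;;
            -SSLv2) no2=1 ;;
            -SSLv3) no3=1 ;;
            SSLv2|+SSLv2|SSLv3|+SSLv3) plus=1 ;;
        esac
    done
    if [ -z "$proto" ] || [ "$plus" = 1 ] || { [ "$all" = 1 ] && [ "$no2$no3" != 11 ]; }; then
        echo "FAIL: SSLProtocol '$proto' may still allow SSLv2/SSLv3"; rc=1
    fi
    # SSLCipherSuite: a "!" token removes ciphers permanently, so these three exclusions
    # decide the outcome whatever else the (space/colon/comma separated) string lists.
    suite=$(conf_value "$conf" SSLCipherSuite | tr -d '"' | tr ':,' '  ')
    for must in '!aNULL' '!eNULL' '!RC4'; do
        case " $suite " in
            *" $must "*) ;;
            *) echo "FAIL: SSLCipherSuite lacks $must"; rc=1 ;;
        esac
    done
    # A key made with -nodes is unencrypted: group/other bits (ls -l columns 5-10) must be "------".
    key=$(conf_value "$conf" SSLCertificateKeyFile | tr -d '"')
    if [ ! -f "$key" ]; then
        echo "FAIL: private key '$key' not found"; rc=1
    else
        bits=$(ls -l "$key" | cut -c5-10)
        [ "$bits" = "------" ] || { echo "FAIL: key $key readable by group/other ($bits)"; rc=1; }
    fi
    [ "$rc" -eq 0 ] && echo "OK: $conf passes all checks"
    return "$rc"
}

if [ $# -gt 0 ]; then audit_ssl_conf "$1"; fi
```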
Forcing SSL on a Website
- Enable forced SSL connections through the .htaccess file. Open the file for editing:
vi /usr/local/www/apache24/data/.htaccess
- Look for the following two lines, and remove the # characters before them:
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
- NOTE: mod_rewrite must be loaded and RewriteEngine On must be set in the same file, and AllowOverride for this directory must permit FileInfo; with AllowOverride None (as in the <Directory "/usr/local/www"> block above) the .htaccess file is ignored.
- Restart apache24:
service apache24 restart
Install MariaDB
- Install MariaDB 5.5 Server and Client:
portmaster databases/mariadb55-{server,client}
Configure MariaDB
- Enable MariaDB to start at boot:
echo 'mysql_enable="YES"' >> /etc/rc.conf
- Start MariaDB:
service mysql-server start
- Do some basic hardening of the MariaDB server (this script sets the root password and removes the anonymous users and the test database):
mysql_secure_installation
- Restart MariaDB using the following command:
service mysql-server restart
- Install a starting configuration file by copying the small-server template (restart MariaDB again afterwards so it is read):
cp /usr/local/share/mysql/my-small.cnf /var/db/mysql/my.cnf
Configure a new database
- Log into the MySQL console:
mysql -h localhost -u root -p
- Create the webappuser user with the SuperSecretPassword password and the webappdb database:
CREATE USER 'webappuser'@'localhost' IDENTIFIED BY 'SuperSecretPassword';
CREATE DATABASE IF NOT EXISTS `webappdb` CHARACTER SET utf8 COLLATE utf8_general_ci;
GRANT ALL PRIVILEGES ON `webappdb`.* TO 'webappuser'@'localhost';
FLUSH PRIVILEGES;
EXIT
Install PHP
NOTE: If using a threaded Apache MPM such as event or worker, enable the [X] ZTS option in make config for lang/php5 and www/mod_php5.
- Install PHP5 and mod_php:
portmaster lang/php5 www/mod_php5
- Install a few PHP modules:
portmaster textproc/php5-xml textproc/php5-dom security/libgpg-error textproc/php5-xmlreader textproc/php5-simplexml textproc/php5-ctype sysutils/php5-fileinfo security/php5-openssl security/php5-hash security/php5-filter graphics/php5-exif devel/php5-json databases/php5-sqlite3 databases/php5-pdo lang/php5-extensions converters/php5-iconv archivers/php5-zlib archivers/php5-zip archivers/php5-bz2 www/php5-session security/libgcrypt textproc/php5-wddx net/php5-ldap ftp/php5-curl databases/php5-pdo_sqlite databases/php5-mysql databases/php5-mysqli databases/php5-pdo_mysql converters/php5-mbstring textproc/php5-xsl graphics/php5-gd devel/php5-gettext security/php5-mcrypt
NOTE: These are just a few PHP modules; there are many more, and not all of the above are necessary. It just suits my use case.
- Then create /usr/local/etc/apache24/Includes/mod_php5.conf:
vi /usr/local/etc/apache24/Includes/mod_php5.conf
- And add the following:
<IfModule dir_module>
    DirectoryIndex index.php index.html
</IfModule>
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>
# .phps files are served as syntax-highlighted PHP source, not executed
<FilesMatch "\.phps$">
    SetHandler application/x-httpd-php-source
</FilesMatch>
- Copy the PHP configuration file using the following command:
cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini
- Edit the /usr/local/etc/apache24/httpd.conf file and add the following line:
LoadModule php5_module libexec/apache24/libphp5.so
- Now restart the apache server by using the following command:
service apache24 restart
Install phpMyAdmin
- Install phpmyadmin:
portmaster databases/phpmyadmin
Configure phpMyAdmin
- Set up phpMyAdmin for Apache 2.4 by creating /usr/local/etc/apache24/Includes/phpmyadmin.conf and adding the following:
Alias /phpmyadmin "/usr/local/www/phpMyAdmin/"
<Directory "/usr/local/www/phpMyAdmin/">
    Options none
    AllowOverride Limit
    # Order Deny,Allow is Apache 2.2 syntax (mod_access_compat); the Require ip lines do the access control in 2.4
    Order Deny,Allow
    Require ip 127.0.0.1
    Require ip ::1
    #Require ip 192.168.1.0/255.255.255.0
</Directory>
Now it's time to configure phpMyAdmin. Do this by creating the file /usr/local/www/phpMyAdmin/config.inc.php, the basic configuration file for phpMyAdmin. Traditionally, users have manually created or modified this file, but phpMyAdmin now includes a setup script that makes it much easier to create it with the settings you want.
- Start by creating the directory /usr/local/www/phpMyAdmin/config and make it writable by the phpMyAdmin setup script:
mkdir /usr/local/www/phpMyAdmin/config
chmod o+w /usr/local/www/phpMyAdmin/config
- Then make /usr/local/www/phpMyAdmin/config.inc.php readable by the phpMyAdmin setup script:
chmod o+r /usr/local/www/phpMyAdmin/config.inc.php
- Now open your web browser and navigate to http://www.example.com/phpmyadmin/setup where you will see the phpMyAdmin setup Overview page.
- I use SSH tunnels for sensitive tasks like this:
ssh -L 8081:localhost:80 www.example.com
- NOTE: This makes connections sent to the local computer on port 8081 travel over SSH and appear as connections from the server itself. Since the above config has Require ip 127.0.0.1, all connections except those from 127.0.0.1 will be forbidden.
- Select New Server and then select the Authentication tab.
- Under the Authentication type choose http from the drop-down list (using HTTP-Auth to sign-in into phpMyAdmin will avoid storing login/password credentials directly in config.inc.php)
- And remove root from the User for config auth.
- Now select Apply and you will be returned to the Overview page, where you should see a new server listed.
- Select Save again in the Overview page to save your configuration as /usr/local/www/phpMyAdmin/config/config.inc.php.
- Now move that file up one directory to /usr/local/www/phpMyAdmin, where phpMyAdmin can make use of it:
mv /usr/local/www/phpMyAdmin/config/config.inc.php /usr/local/www/phpMyAdmin
- Now let’s try out phpMyAdmin to make sure it works. Point your web browser to http://www.example.com/phpmyadmin where you will be presented with a pop-up box requesting you to log in.
Use “root” and the MySQL password you set up previously, then you should be directed to the phpMyAdmin administration page.
- We no longer need the /usr/local/www/phpMyAdmin/config directory, so let's remove it, along with the read permission we added previously to /usr/local/www/phpMyAdmin/config.inc.php:
rm -r /usr/local/www/phpMyAdmin/config
chmod o-r /usr/local/www/phpMyAdmin/config.inc.php
- And wrap up by restarting the Apache and MySQL servers:
service apache24 restart
service mysql-server restart
Install Phusion Passenger
- Install and compile Phusion Passenger:
portmaster www/rubygem-passenger
passenger-install-apache2-module
- Then add the module in /usr/local/etc/apache24/httpd.conf:
# These paths point into the port's build (work) directory, which "make clean" removes
LoadModule passenger_module /usr/ports/www/rubygem-passenger/work/passenger-4.0.41/buildout/apache2/mod_passenger.so
<IfModule mod_passenger.c>
    PassengerRoot /usr/ports/www/rubygem-passenger/work/passenger-4.0.41
    PassengerDefaultRuby /usr/local/bin/ruby19
</IfModule>
- Ruby web applications can now be served using the following template:
<VirtualHost *:80>
    ServerName www.example.com
    # !!! Be sure to point DocumentRoot to 'public'!
    DocumentRoot /usr/local/www/rubyapp/public
    <Directory /usr/local/www/rubyapp/public>
        # This relaxes Apache security settings.
        AllowOverride all
        # MultiViews must be turned off.
        Options -MultiViews
    </Directory>
</VirtualHost>
Virtual Hosts With Different Users
Recompile Apache 2.4 with Suexec
- Refresh the ports tree:
portsnap fetch extract
- Recompile Apache 2.4:
cd /usr/ports/www/apache24
make config
make reinstall clean
NOTE: Make sure to enable [X] SUEXEC during make config.
- Make a directory for the per-Vhost configuration files:
mkdir /usr/local/etc/apache24/Vhosts
- Create webapp group:
pw add group webapp
- Edit the apache config:
vi /usr/local/etc/apache24/httpd.conf
- And add the following:
LoadModule suexec_module libexec/apache24/mod_suexec.so
## Include Vhosts directory:
Include etc/apache24/Vhosts/*.conf
WordPress
- Install wordpress:
portmaster www/wordpress
- Add the wordpress user:
pw add user -n wordpress -g webapp -d /usr/local/www/wordpress -s /usr/sbin/nologin -c "WordPress"
- Make a temporary storage directory for wordpress and set ownership and permissions:
mkdir /var/tmp/wordpress
chown wordpress:webapp /usr/local/www/wordpress
chown wordpress:webapp /var/tmp/wordpress/
chmod o-rwx /var/tmp/wordpress
- Set up a virtual host that uses suEXEC:
vi /usr/local/etc/apache24/Vhosts/wordpress.example.com.conf
- And add the following:
<VirtualHost *:80>
    ServerName wordpress.example.com
    DocumentRoot /usr/local/www/wordpress
    # SuexecUserGroup only applies to CGI/SSI programs; PHP served through mod_php
    # still runs as the Apache user, so the php_admin_value lines are what confine this site
    SuexecUserGroup wordpress webapp
    php_admin_value open_basedir /usr/local/www/wordpress
    php_admin_value upload_tmp_dir /var/tmp/wordpress
    <Directory "/usr/local/www/wordpress">
        AllowOverride All
        Require all granted
        Options +SymlinksIfOwnerMatch +Includes
    </Directory>
</VirtualHost>
- NOTE: The upload_tmp_dir is set to a folder outside the document root of the WordPress site (not /usr/local/www/wordpress/tmp). It should also not be readable or writable by any other system users. This is for security reasons: this way an uploaded file cannot be modified or overwritten while PHP is processing it.
- Restart apache:
service apache24 restart
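As an added example (not from the original page), a POSIX sh check for the upload_tmp_dir requirements in the note above: the directory exists, is owned by the vhost's user and group, carries no permission bits for other users, and does not lie under the site's DocumentRoot (symlinks are resolved on both sides). The function name and usage are hypothetical.

```shell
#!/bin/sh
# Added example: verify that a PHP upload_tmp_dir satisfies the note above
# before enabling the suEXEC vhost (function name and usage are hypothetical).
# Usage: check_upload_tmp_dir DIR UID GID DOCROOT
#   e.g. check_upload_tmp_dir /var/tmp/wordpress "$(id -u wordpress)" "$(id -g wordpress)" /usr/local/www/wordpress
# Returns 0 when every check passes, 1 after printing each finding.

check_upload_tmp_dir() {
    dir=$1; want_uid=$2; want_gid=$3; docroot=$4; rc=0
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory"; return 1
    fi
    # Resolve symlinks on both sides so a link that points back into the
    # document root is still detected.
    real_dir=$(cd "$dir" && pwd -P)
    real_root=$(cd "$docroot" 2>/dev/null && pwd -P)
    if [ -n "$real_root" ]; then
        case "$real_dir/" in
            "$real_root"/*) echo "FAIL: $dir lies inside DocumentRoot $docroot"; rc=1 ;;
        esac
    fi
    # ls -ldn prints numeric ids: "drwx------ 2 1001 1001 ... /var/tmp/wordpress"
    set -- $(ls -ldn "$dir")
    mode=$1; uid=$3; gid=$4
    if [ "$uid" != "$want_uid" ] || [ "$gid" != "$want_gid" ]; then
        echo "FAIL: $dir is owned by $uid:$gid, expected $want_uid:$want_gid"; rc=1
    fi
    # Columns 8-10 of the mode string are the rwx bits for "other".
    others=$(echo "$mode" | cut -c8-10)
    if [ "$others" != "---" ]; then
        echo "FAIL: $dir is accessible to other users (mode $mode)"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $dir"
    return "$rc"
}

if [ $# -eq 4 ]; then check_upload_tmp_dir "$@"; fi
```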