Support #432

Install A FreeBSD, Apache 2.4, MariaDB 5.5, PHP 5 (FAMP) Server

Added by Daniel Curtis over 10 years ago. Updated over 9 years ago.

Status: Closed
Priority: Normal
Category: Web Server
Start date: 05/02/2014
% Done: 100%
Estimated time: 3.00 h

Description

This procedure installs a FAMP server: FreeBSD with Apache, MariaDB and PHP. The following setup runs Apache 2.4, MariaDB 5.5, and PHP 5 on FreeBSD 9.2-RELEASE. To use different package versions, replace the versions in the commands accordingly.

Pre-Installation Tasks

  • Before installing the components, make sure the ports tree and packages are up to date using the following commands:
    pkg update && pkg upgrade
    portsnap fetch extract
    
  • Install portmaster:
    pkg install portmaster
    pkg2ng
    

    NOTE: pkgng is great, however I need the flexibility of the ports tree. So portmaster will be useful for upgrading and installing packages.
  • Edit the /etc/hosts file and add the following line:
    192.168.1.1               www.example.com www
    

Install Apache 2.4

  • Install Apache 2.4
    portmaster www/apache24
    
  • Edit the apache configuration file, i.e. /usr/local/etc/apache24/httpd.conf, and make the following changes:
    ServerRoot "/usr/local" 
    ServerAdmin you@your.address
    ServerName www.example.com:80
    DocumentRoot "/usr/local/www" 
    Listen 80
    
    <Directory "/usr/local/www">
        Options Indexes FollowSymLinks
    
        AllowOverride None
    
        Require all granted
    </Directory>
    
    Include etc/apache24/Includes/*.conf
    
  • (Optional) Create a file named /boot/loader.conf or edit it if it is already present and add the following line:
    accf_http_load="YES" 
    
  • (Optional) Create a file named /usr/local/etc/apache24/Includes/no-accf.conf or edit it if it is already present and add the following lines to disable ACCF (I do this since I am in a jail that does not have the required kernel module):
    <IfDefine NOHTTPACCEPT>
       AcceptFilter http none
       AcceptFilter https none
    </IfDefine>
    
  • Run the following line to enable apache24 to start at boot:
    echo 'apache24_enable="YES"' >> /etc/rc.conf
    
  • Test the apache server installation using the following command:
    service apache24 start
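
Because this setup was adapted from an Apache 2.2 procedure, 2.2-era directives and paths are easy to carry into a 2.4 configuration. The following sketch is an added example, not part of the original ticket; the function names and the sample configuration are constructed for illustration. It scans a configuration for old access-control directives, NameVirtualHost, apache22 paths and MPM LoadModule lines that load the wrong shared object:

```shell
#!/bin/sh
# Added example (not from the original ticket): find Apache 2.2 leftovers
# in a 2.4 config. Prints one "line:rule:text" finding per problem.
lint_httpd_conf() {
    awk '
    function report(rule) { printf "%d:%s:%s\n", NR, rule, line }
    /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
    { line = $0; sub(/^[ \t]+/, "", line); low = tolower(line) }
    # 2.2 access control; Apache 2.4 uses "Require" (mod_authz_core).
    low ~ /^(order|allow|deny|satisfy)[ \t]/ { report("access-compat") }
    # NameVirtualHost has no effect in 2.4 and only logs a warning.
    low ~ /^namevirtualhost[ \t]/ { report("namevirtualhost") }
    # Include or module paths that still point at the 2.2 tree.
    low ~ /apache22/ { report("apache22-path") }
    # LoadModule mpm_X_module must load mod_mpm_X.so, not another MPM.
    low ~ /^loadmodule[ \t]+mpm_/ {
        split(line, f, /[ \t]+/)
        mod = f[2]; sub(/_module$/, "", mod)
        if (f[3] !~ ("mod_" mod "\\.so$")) report("mpm-mismatch")
    }
    ' "$@"
}

# Constructed sample input, not a real server's configuration.
sample_conf() {
    cat <<'EOF'
ServerRoot "/usr/local"
Listen 80
NameVirtualHost *:80
LoadModule mpm_event_module libexec/apache24/mod_mpm_prefork.so
<Directory "/usr/local/www">
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
Include etc/apache22/Includes/*.conf
EOF
}

sample_conf | lint_httpd_conf
```

Pass a file name (for example /usr/local/etc/apache24/httpd.conf) to lint a real configuration; no output means nothing was flagged.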
    

Optional Worker Modules

MPM Prefork

  • Edit the apache24 config file:
    vi /usr/local/etc/apache24/httpd.conf
    
    • And add the following:
      ## Apache prefork mpm module
      LoadModule mpm_prefork_module libexec/apache24/mod_mpm_prefork.so
      
    • And uncomment the mpm include:
      # Server-pool management (MPM specific)
      Include etc/apache24/extra/httpd-mpm.conf
      
  • Restart apache:
    service apache24 restart
    

MPM Worker

  • Edit the apache24 config file:
    vi /usr/local/etc/apache24/httpd.conf
    
    • And add the following:
      ## Apache worker mpm module
      LoadModule mpm_worker_module libexec/apache24/mod_mpm_worker.so
      
    • And uncomment the mpm include:
      # Server-pool management (MPM specific)
      Include etc/apache24/extra/httpd-mpm.conf
      
  • Restart apache:
    service apache24 restart
    

MPM Event

  • Edit the apache24 config file:
    vi /usr/local/etc/apache24/httpd.conf
    
    • And add the following:
      ## Apache event mpm module
      LoadModule mpm_event_module libexec/apache24/mod_mpm_event.so
      
    • And uncomment the mpm include:
      # Server-pool management (MPM specific)
      Include etc/apache24/extra/httpd-mpm.conf
      
  • Restart apache:
    service apache24 restart
    

Securing Apache24 with SSL

  • Make the directory for apache24 ssl files:
    mkdir /usr/local/etc/apache24/ssl && cd /usr/local/etc/apache24/ssl
    
  • Generate a strong SSL key and a CSR to send for signing by a CA:
    openssl req -sha512 -out www.example.com.csr -new -newkey rsa:4096 -nodes -keyout www.example.com.key
    
  • Make sure to securely copy the SSL certificate to www.example.com.crt
  • Edit the apache24 config file:
    vi /usr/local/etc/apache24/httpd.conf
    
    • Make sure to uncomment the Include for the SSL configuration:
      Include etc/apache24/extra/httpd-ssl.conf
      
    • And add the following:
      <VirtualHost *:443>
          ServerName www.example.com
      
          DocumentRoot /usr/local/www/www.example.com            
          <Directory /usr/local/www/www.example.com>
              Options FollowSymLinks
              AllowOverride All
              Require all granted
          </Directory>
      
          SSLEngine on
      
          SSLCertificateFile /usr/local/etc/apache24/ssl/www.example.com.crt
          SSLCertificateKeyFile /usr/local/etc/apache24/ssl/www.example.com.key
      
          <FilesMatch "\.(cgi|shtml|phtml|php)$">
              SSLOptions +StdEnvVars
          </FilesMatch>
      
          BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
          BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
      </VirtualHost>
      
  • Edit the apache24 SSL config file:
    vi /usr/local/etc/apache24/extra/httpd-ssl.conf
    
    • And modify the following parameters:
      SSLProtocol all -SSLv2 -SSLv3
      
      SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4" 
      
      SSLCertificateFile "/usr/local/etc/apache24/ssl/www.example.com.crt" 
      
      SSLCertificateKeyFile "/usr/local/etc/apache24/ssl/www.example.com.key" 
      
      SSLCertificateChainFile "/usr/local/etc/apache24/ssl/www.example.com.bundle" 
      
  • Restart apache24:
    service apache24 restart
    

Forcing SSL on a Website

  • Enable forced SSL connections by uncommenting two rewrite lines in the .htaccess file. Open the file for editing:
    vi /usr/local/www/apache24/data/.htaccess
    
    • Look for the following two lines, and remove the # characters before them:
      RewriteCond %{HTTPS} !=on
      RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
      
  • Restart apache24:
    service apache24 restart
    

Install MariaDB

  • Install MariaDB 5.5 Server and Client
    portmaster databases/mariadb55-{server,client}
    

Configure MariaDB

  • Enable MariaDB to start at boot:
    echo 'mysql_enable="YES"' >> /etc/rc.conf
    
  • Start MariaDB
    service mysql-server start
    
  • Do some basic security to harden the MariaDB server:
    mysql_secure_installation
    
  • Restart mysql using the following commands:
    service mysql-server restart
    
  • Copy the sample configuration file into place using the following command:
    cp /usr/local/share/mysql/my-small.cnf /var/db/mysql/my.cnf
    

Configure a new database

  • Log into the MySQL console:
    mysql -h localhost -u root -p
    
    • Create the webappuser user with the SuperSecretPassword password and the webappdb database:
      CREATE USER 'webappuser'@'localhost' IDENTIFIED BY 'SuperSecretPassword';   
      CREATE DATABASE IF NOT EXISTS  `webappdb` CHARACTER SET utf8 COLLATE utf8_general_ci;
      GRANT ALL PRIVILEGES ON `webappdb`.* TO 'webappuser'@'localhost';
      
      flush privileges;
      exit
      

Install PHP

NOTE: If using a threaded apache worker module like event or worker mpm, enable [X]ZTS for lang/php5 and www/mod_php5

  • Install PHP5 and mod_php:
    portmaster lang/php5 www/mod_php5
    
  • Install a few PHP modules:
    portmaster textproc/php5-xml textproc/php5-dom security/libgpg-error textproc/php5-xmlreader textproc/php5-simplexml textproc/php5-ctype sysutils/php5-fileinfo security/php5-openssl security/php5-hash security/php5-filter graphics/php5-exif devel/php5-json databases/php5-sqlite3 databases/php5-pdo lang/php5-extensions converters/php5-iconv archivers/php5-zlib archivers/php5-zip archivers/php5-bz2 www/php5-session security/libgcrypt textproc/php5-wddx net/php5-ldap ftp/php5-curl databases/php5-pdo_sqlite databases/php5-mysql databases/php5-mysqli databases/php5-pdo_mysql converters/php5-mbstring textproc/php5-xsl graphics/php5-gd devel/php5-gettext security/php5-mcrypt
    

    NOTE: These are just a few PHP modules, there are many more; and not all of the above are necessary, it just suits my use case.
  • Then create /usr/local/etc/apache24/Includes/mod_php5.conf:
    vi /usr/local/etc/apache24/Includes/mod_php5.conf
    
    • And add the following:
      <IfModule dir_module>
          DirectoryIndex index.php index.html
      </IfModule>
      
      <FilesMatch "\.php$">
          SetHandler application/x-httpd-php
      </FilesMatch>
      <FilesMatch "\.phps$">
          SetHandler application/x-httpd-php-source
      </FilesMatch>
      
  • Copy the PHP configuration file using the following command
    cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini
    
  • Edit /usr/local/etc/apache24/httpd.conf file and add the following lines:
    LoadModule php5_module        libexec/apache24/libphp5.so
    
  • Now restart the apache server by using the following command:
    service apache24 restart
    

Install phpMyAdmin

  • Install phpmyadmin:
    portmaster databases/phpmyadmin
    

Configure phpMyAdmin

  • Setup phpMyAdmin for Apache 2.4 by creating /usr/local/etc/apache24/Includes/phpmyadmin.conf and add the following:
    Alias /phpmyadmin "/usr/local/www/phpMyAdmin/" 
    
    <Directory "/usr/local/www/phpMyAdmin/">
        Options none
        AllowOverride Limit
        Require ip 127.0.0.1
        Require ip ::1
        #Require ip 192.168.1.0/255.255.255.0
    </Directory>
    

Now it's time to configure phpMyAdmin. Do this by creating the file /usr/local/www/phpMyAdmin/config.inc.php, the basic configuration file for phpMyAdmin. Traditionally, users have manually created or modified /usr/local/www/phpMyAdmin/config.inc.php, but now phpMyAdmin includes a nice setup script, making it much easier to create this file with the settings you want.

  • Start by creating the directory /usr/local/www/phpMyAdmin/config and make it writable by the phpMyAdmin setup script:
    mkdir /usr/local/www/phpMyAdmin/config
    chmod o+w /usr/local/www/phpMyAdmin/config
    
  • Then make /usr/local/www/phpMyAdmin/config.inc.php readable by the phpMyAdmin setup script:
    chmod o+r /usr/local/www/phpMyAdmin/config.inc.php
    
  • Now open your web browser and navigate to http://www.example.com/phpmyadmin/setup where you will see the phpMyAdmin setup Overview page.
    • I use SSH tunnels for sensitive tasks like this:
      ssh -L 8081:localhost:80 www.example.com
      
    • NOTE: This will make connections sent to the local computer on port 8081 be sent over SSH and appear as connections from the server itself. Since the above config has Require ip 127.0.0.1, all connections will be forbidden except from 127.0.0.1.
  • Select New Server and then select the Authentication tab.
    1. Under the Authentication type choose http from the drop-down list (using HTTP-Auth to sign-in into phpMyAdmin will avoid storing login/password credentials directly in config.inc.php)
    2. And remove root from the User for config auth.
  • Now select Apply and you will be returned to the Overview page, where you should see a new server listed.
  • Select Save again in the Overview page to save your configuration as /usr/local/www/phpMyAdmin/config/config.inc.php.
  • Now move that file up one directory to /usr/local/www/phpMyAdmin where phpMyAdmin can make use of it.
    mv /usr/local/www/phpMyAdmin/config/config.inc.php /usr/local/www/phpMyAdmin  
    
  • Now let’s try out phpMyAdmin to make sure it works. Point your web browser to http://www.example.com/phpmyadmin where you will be presented with a pop-up box requesting you to log in.
    Use “root” and the MySQL password you set up previously, then you should be directed to the phpMyAdmin administration page.
  • We no longer need the /usr/local/www/phpMyAdmin/config directory so let’s remove it, and the read permission we added previously to /usr/local/www/phpMyAdmin/config.inc.php:
    rm -r /usr/local/www/phpMyAdmin/config
    chmod o-r /usr/local/www/phpMyAdmin/config.inc.php
    
  • And wrap up by restarting the Apache and MySQL servers:
    service apache24 restart
    service mysql-server restart
    

Install Phusion Passenger

  • Install and compile Phusion Passenger
    portmaster www/rubygem-passenger
    passenger-install-apache2-module
    
    • Then add the module in /usr/local/etc/apache24/httpd.conf:
      LoadModule passenger_module /usr/ports/www/rubygem-passenger/work/passenger-4.0.41/buildout/apache2/mod_passenger.so
      <IfModule mod_passenger.c>
        PassengerRoot /usr/ports/www/rubygem-passenger/work/passenger-4.0.41
        PassengerDefaultRuby /usr/local/bin/ruby19
      </IfModule>
      
    • And now ruby web applications can be used by using the following template:
      <VirtualHost *:80>
         ServerName www.example.com
         # !!! Be sure to point DocumentRoot to 'public'!
         DocumentRoot /usr/local/www/rubyapp/public    
         <Directory /usr/local/www/rubyapp/public>
            # This relaxes Apache security settings.
            AllowOverride all
            # MultiViews must be turned off.
            Options -MultiViews
         </Directory>
      </VirtualHost>
      

Virtual Hosts With Different Users

Recompile Apache 2.4 with Suexec

  • Refresh the ports tree:
    portsnap fetch extract
    
  • Recompile Apache 2.4
    cd /usr/ports/www/apache24
    make config
    make reinstall clean
    

    NOTE: Make sure to enable [X] SUEXEC during make config.
  • Make a directory for each Vhost:
    mkdir /usr/local/etc/apache24/Vhosts
    
  • Create webapp group:
    pw add group webapp
    
  • Edit the apache config:
    vi /usr/local/etc/apache24/httpd.conf
    
    • And add the following:
      LoadModule suexec_module        libexec/apache24/mod_suexec.so
      
      ## Include Vhosts directory:
      Include etc/apache24/Vhosts/*.conf
      

WordPress

  • Install wordpress:
    portmaster www/wordpress
    
  • Add the wordpress user
    pw add user -n wordpress -g webapp -d /usr/local/www/wordpress -s /usr/sbin/nologin -c "WordPress" 
    
  • Make a temporary storage directory for wordpress:
    mkdir /var/tmp/wordpress
    chown wordpress:webapp /usr/local/www/wordpress
    chown wordpress:webapp /var/tmp/wordpress/
    chmod o-rwx /var/tmp/wordpress
    
  • Setting up a virtual Host to use suEXEC
    vi /usr/local/etc/apache24/Vhosts/wordpress.example.com.conf
    
    • And add the following:
      <VirtualHost *:80>
        ServerName wordpress.example.com
        DocumentRoot /usr/local/www/wordpress
      
        SuexecUserGroup wordpress webapp
      
        php_admin_value open_basedir /usr/local/www/wordpress
        php_admin_value upload_tmp_dir  /var/tmp/wordpress
      
        <Directory "/usr/local/www/wordpress">
          AllowOverride All
          Require all granted
          Options +SymlinksIfOwnerMatch +Includes
        </Directory>
      </VirtualHost>
      
    • NOTE: The upload_tmp_dir is set to a folder that is outside the document root of the wordpress site (not /usr/local/www/wordpress/tmp). It should also not be readable or writable by any other system users. This is for security reasons: this way an uploaded file cannot be modified or overwritten while PHP is processing it.
  • Restart apache:
    service apache24 restart
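
The phpMyAdmin setup steps temporarily open the config directory and config.inc.php to other users, and the WordPress note above requires an upload_tmp_dir closed to other users. The following check is an added example, not part of the original ticket; the function names and the demo tree are constructed for illustration. It reports when either cleanup was missed:

```shell
#!/bin/sh
# Added example (not from the original ticket). Paths are passed in so the
# check can run against the real tree or the constructed demo tree below.

# Print the "other" permission triplet of PATH, e.g. "r-x" or "---".
other_bits() { ls -ld "$1" | cut -c8-10; }

# audit_web_perms PMA_DIR UPLOAD_TMP: one line per finding, silent if clean.
audit_web_perms() {
    pma=$1 tmp=$2
    # The setup script's scratch directory must be gone after setup.
    if [ -e "$pma/config" ]; then
        echo "setup-dir-present: $pma/config"
    fi
    # config.inc.php holds server settings; "other" should not read it.
    if [ -f "$pma/config.inc.php" ]; then
        case $(other_bits "$pma/config.inc.php") in
            r*) echo "config-world-readable: $pma/config.inc.php" ;;
        esac
    fi
    # upload_tmp_dir must grant nothing to "other" (chmod o-rwx).
    if [ -d "$tmp" ] && [ "$(other_bits "$tmp")" != "---" ]; then
        echo "upload-tmp-open: $tmp"
    fi
}

# Constructed demo tree reproducing the mid-setup state from the procedure.
build_demo_tree() {
    mkdir -p "$1/phpMyAdmin/config" "$1/wordpress-tmp"
    chmod o+w "$1/phpMyAdmin/config"
    : > "$1/phpMyAdmin/config.inc.php"
    chmod 644 "$1/phpMyAdmin/config.inc.php"
    chmod 755 "$1/wordpress-tmp"
}

demo=$(mktemp -d)
build_demo_tree "$demo"
echo "before cleanup:"
audit_web_perms "$demo/phpMyAdmin" "$demo/wordpress-tmp"
# The cleanup commands from the procedure, applied to the demo tree.
rm -r "$demo/phpMyAdmin/config"
chmod o-r "$demo/phpMyAdmin/config.inc.php"
chmod o-rwx "$demo/wordpress-tmp"
echo "after cleanup:"
audit_web_perms "$demo/phpMyAdmin" "$demo/wordpress-tmp"
rm -r "$demo"
```

On the server itself, call audit_web_perms /usr/local/www/phpMyAdmin /var/tmp/wordpress; no output means both cleanups are in place.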
    

Related issues

Related to FreeBSD Administration - Support #557: Install BeansBooks on FreeBSD FAMP Server (Closed, Daniel Curtis, 02/09/2015)

Copied from FreeBSD Administration - Support #385: Setting Up A FreeBSD, Apache 2.2, MariaDB 5.5, PHP 5.4 (FAMP) Server (Closed, Daniel Curtis, 05/02/2014)

Copied to FreeBSD Administration - Support #433: Setup a FreeBSD, Nginx, MariaDB 5.5, PHP5 Web Server (Closed, Daniel Curtis, 05/02/2014)