Support #432

Updated by Daniel Curtis almost 10 years ago

{{>toc}} 

 Here is a procedure to install a FAMP (FreeBSD with Apache, MariaDB and PHP) server. The following setup runs Apache 2.4, MariaDB 5.5, and PHP 5 on FreeBSD 9.2-RELEASE. If a different version of any package is needed, replace the versions in the commands accordingly. 

 h1. Pre-Installation Tasks 

 * Before installation of the components, make sure the ports tree and packages are up to date using the following command: 
 <pre> 
 pkg update && pkg upgrade 
 portsnap fetch extract 
 </pre> 

 h1. Install Apache 2.4 

 * Install Apache 2.4 with mod_php5 
 <pre> 
 pkg install apache24 php5 mod_php5 php5-xml php5-dom libgpg-error php5-xmlreader php5-simplexml php5-ctype php5-fileinfo php5-openssl php5-hash php5-filter openldap-client xproto xextproto libXau libXdmcp libpthread-stubs kbproto libICE freetype2 png jpeg printproto php5-exif curl php5-json php5-sqlite3 php5-pdo php5-mysql php5-mysqli php5-pdo_mysql oniguruma4 php5-iconv mp3info php5-zlib php5-zip php5-bz2 php5-session libgcrypt php5-wddx php5-ldap libxcb libSM php5-curl php5-pdo_sqlite php5-mbstring libxslt libX11 libXt php5-xsl libXext libXp libXmu libXpm libXaw t1lib php5-gd openssl 
 </pre> 

 NOTE: This installs a few PHP extensions; add or remove them as needed. 

 * Edit the apache configuration file, i.e. @/usr/local/etc/apache24/httpd.conf@, and make the following changes: 
 <pre> 
 ServerRoot "/usr/local" 
 ServerAdmin you@your.address 
 ServerName www.example.com:80 
 DocumentRoot "/usr/local/www" 
 Listen 80 
 NameVirtualHost *:80 

 <Directory "/usr/local/www"> 
     Options Indexes FollowSymLinks 

     AllowOverride None 

     Require all granted 
 </Directory> 

 Include etc/apache24/Includes/*.conf 
 </pre> 

 * Then create /usr/local/etc/apache24/Includes/mod_php5.conf: 
 <pre> 
 vi /usr/local/etc/apache24/Includes/mod_php5.conf 
 </pre> 
 #* And add the following: 
 <pre> 
 <IfModule dir_module> 
     DirectoryIndex index.php index.html 
 </IfModule> 

 <FilesMatch "\.php$"> 
     SetHandler application/x-httpd-php 
 </FilesMatch> 
 <FilesMatch "\.phps$"> 
     SetHandler application/x-httpd-php-source 
 </FilesMatch> 
 </pre> 

 * Edit the @/etc/hosts@ file and add the following line: 
 > <ip-address>                    <hostname>.<domain> 
 #* eg: 
 > 192.168.1.1                 www.example.com 

 * (Optional) Create a file named /boot/loader.conf or edit it if it is already present and add the following line: 
 > accf_http_load="YES" 
 * (Optional) Create a file named /usr/local/etc/apache24/Includes/no-accf.conf or edit it if it is already present and add the following lines to disable ACCF (I do this since I am in a jail that does not have the required kernel module): 
 <pre> 
 <IfDefine NOHTTPACCEPT> 
    AcceptFilter http none 
    AcceptFilter https none 
 </IfDefine> 
 </pre> 

 * Run the following line to enable apache24 to start at boot: 
 <pre> 
 echo 'apache24_enable="YES"' >> /etc/rc.conf 
 </pre> 

 * Test the apache server installation using the following command: 
 <pre> 
 service apache24 start 
 </pre> 

 h2. Install PHP 

 * Install PHP5 and other supporting packages: 
 <pre> 
 pkg install php5 php5-extensions 
 </pre> 

 * Copy the PHP configuration file using the following command 
 <pre> 
 cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini 
 </pre> 

 * Configure the mysql module for PHP: 
 <pre> 
 pkg install php5-mysql php5-mysqli php5-pdo_mysql 
 </pre> 

 * Install the php5-session package 
 <pre> 
 pkg install php5-session 
 </pre> 

 * Install and configure the Apache module for PHP: 
 <pre> 
 pkg install mod_php5 
 </pre> 

 * Edit @/usr/local/etc/apache24/httpd.conf@ file and add the following lines: 
 <pre> 
 LoadModule php5_module          libexec/apache24/libphp5.so 
 </pre> 

 * Once completed, a simple call to the apachectl command for a graceful restart is needed to load the PHP module: 
 <pre> 
 service apache24 graceful 
 </pre> 

 For future upgrades of PHP, the make config command will not be required; the selected OPTIONS are saved automatically by the FreeBSD Ports framework. 

 The PHP support in FreeBSD is extremely modular so the base install is very limited. It is very easy to add support using the _lang/php5-extensions_ port. This port provides a menu driven interface to PHP extension installation. Alternatively, individual extensions can be installed using the appropriate port. 

 * Now restart the apache server by using the following command: 
 <pre> 
 service apache24 restart 
 </pre> 

 h2. Install the Phusion Passenger module 

 Install and compile Phusion Passenger 
 <pre> 
 pkg install rubygem-passenger 
 passenger-install-apache2-module 
 </pre> 
 #* Then add the module in @/usr/local/etc/apache24/httpd.conf@: 
 <pre> 
 LoadModule passenger_module /usr/ports/www/rubygem-passenger/work/passenger-4.0.41/buildout/apache2/mod_passenger.so 
 <IfModule mod_passenger.c> 
   PassengerRoot /usr/ports/www/rubygem-passenger/work/passenger-4.0.41 
   PassengerDefaultRuby /usr/local/bin/ruby19 
 </IfModule> 
 </pre> 
 #* And now ruby web applications can be used by using the following template: 
 <pre> 
 <VirtualHost *:80> 
    ServerName www.example.com 
    # !!! Be sure to point DocumentRoot to 'public'! 
    DocumentRoot /usr/local/www/rubyapp/public     
    <Directory /usr/local/www/rubyapp/public> 
       # This relaxes Apache security settings. 
       AllowOverride all 
       # MultiViews must be turned off. 
       Options -MultiViews 
    </Directory> 
 </VirtualHost> 
 </pre> 

 h2. Securing Apache24 with SSL 

 * Make the directory for apache24 ssl files: 
 <pre> 
 mkdir /usr/local/etc/apache24/ssl && cd /usr/local/etc/apache24/ssl 
 </pre> 

 * Generate a strong SSL key and a CSR to send for signing by a CA: 
 <pre> 
 openssl req -sha512 -out www.example.com.csr -new -newkey rsa:4096 -nodes -keyout www.example.com.key 
 </pre> 
 * Make sure to securely copy the SSL certificate to *www.example.com.crt* 

 * Edit the apache24 config file: 
 <pre> 
 vi /usr/local/etc/apache24/httpd.conf 
 </pre> 
 #* Make sure to uncomment the Include for the SSL configuration: 
 <pre> 
 Include etc/apache24/extra/httpd-ssl.conf 
 </pre> 
 #* And add the following: 
 <pre> 
 <VirtualHost *:443> 
     ServerName www.example.com 

     DocumentRoot /usr/local/www/www.example.com             
     <Directory /usr/local/www/www.example.com> 
         Options FollowSymLinks 
         AllowOverride All 
         Require all granted 
     </Directory> 

     SSLEngine on 

     SSLCertificateFile /usr/local/etc/apache24/ssl/www.example.com.crt 
     SSLCertificateKeyFile /usr/local/etc/apache24/ssl/www.example.com.key 

     <FilesMatch "\.(cgi|shtml|phtml|php)$"> 
         SSLOptions +StdEnvVars 
     </FilesMatch> 

     BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0 
     BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown 
 </VirtualHost> 
 </pre> 

 * Edit the apache24 SSL config file: 
 <pre> 
 vi /usr/local/etc/apache24/extra/httpd-ssl.conf 
 </pre> 
 #* And modify the following parameters: 
 <pre> 
 SSLProtocol all -SSLv2 -SSLv3 

 SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS" 

 SSLCertificateFile "/usr/local/etc/apache24/ssl/www.example.com.crt" 

 SSLCertificateKeyFile "/usr/local/etc/apache24/ssl/www.example.com.key" 

 SSLCertificateChainFile "/usr/local/etc/apache24/ssl/www.example.com.bundle" 
 </pre> 

 * Restart apache24: 
 <pre> 
 service apache24 restart 
 </pre> 
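
The check below is an added example, not part of the original procedure: a shell function that audits an httpd-ssl.conf-style file for the settings edited above (SSLv3 removal, the exclusions in this page's cipher string, and the mode of the unencrypted key written by @openssl req -nodes@). The function names, the @FINDING:@ output format and the sample config are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes absolute key paths.
# check_tls_conf FILE: prints findings, returns how many were found.
check_tls_conf() {
    conf=$1
    findings=0
    report() { echo "FINDING: $*"; findings=$((findings + 1)); }
    # Value of the last uncommented occurrence of a directive, quotes stripped.
    directive() {
        awk -v d="$1" 'tolower($1) == tolower(d) { $1 = ""; v = $0 }
            END { gsub(/"/, "", v); sub(/^ +/, "", v); print v }' "$conf"
    }

    # "all" enables every protocol the build supports unless one is removed.
    # Apache 2.4 has no SSLv2 support, so only SSLv3 needs checking here.
    proto=$(directive SSLProtocol | tr 'A-Z' 'a-z')
    case " $proto " in
        "  ") report "no SSLProtocol directive, build default applies" ;;
        *" -sslv3 "*) ;;
        *" all "*|*" +sslv3 "*|*" sslv3 "*) report "SSLv3 left enabled: $proto" ;;
    esac

    # The exclusions carried by this page's cipher string must survive edits.
    ciphers=$(directive SSLCipherSuite | tr ':,' '  ')
    for must in '!aNULL' '!eNULL' '!RC4' '!3DES' '!MD5' '!EXP'; do
        case " $ciphers " in
            *" $must "*) ;;
            *) report "SSLCipherSuite lacks $must" ;;
        esac
    done

    # The key was generated with -nodes (unencrypted), so file mode is its
    # only protection: group and other must have no access at all.
    key=$(directive SSLCertificateKeyFile)
    if [ -n "$key" ] && [ -e "$key" ]; then
        bits=$(ls -ld "$key" | cut -c5-10)
        [ "$bits" = "------" ] || report "$key mode grants group/other: $bits"
    fi
    return "$findings"
}

# Constructed sample: a weakened variant of the settings above.
sample=$(mktemp /tmp/tlsconf.XXXXXX)
cat > "$sample" <<'EOF'
SSLProtocol all -SSLv2
SSLCipherSuite "EECDH+aRSA+AESGCM EECDH+aRSA+RC4 !aNULL !eNULL !MD5"
EOF
check_tls_conf "$sample" || echo "findings: $?"
rm -f "$sample"
```

Run it as root against @/usr/local/etc/apache24/extra/httpd-ssl.conf@ after editing; a return status of 0 means none of the three checks fired.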

 --- 

 h1. Install MariaDB 

 * Install MariaDB 5.5 Server and Client 
 <pre> 
 pkg install mariadb55-{server,client} 
 </pre> 

 * Enable MariaDB to start at boot: 
 <pre> 
 echo 'mysql_enable="YES"' >> /etc/rc.conf 
 </pre> 

 * Start MariaDB 
 <pre> 
 service mysql-server start 
 </pre> 

 * Run the bundled script to apply basic hardening to the MariaDB server: 
 <pre> 
 mysql_secure_installation 
 </pre>  

 h2. Configure MariaDB 

 * Use the following command: 
 <pre> 
 cp /usr/local/share/mysql/my-small.cnf /usr/local/etc/my.cnf 
 </pre> 

 * Restart mysql using the following commands: 
 <pre> 
 service mysql-server restart 
 </pre> 

 h3. Install and configure phpMyAdmin 

 * Install phpmyadmin: 
 <pre> 
 pkg install phpmyadmin 
 </pre> 

 * Setup phpMyAdmin for Apache 2.4 by creating @/usr/local/etc/apache24/Includes/phpmyadmin.conf@ and add the following: 
 <pre> 
 Alias /phpmyadmin "/usr/local/www/phpMyAdmin/" 
 
 <Directory "/usr/local/www/phpMyAdmin/"> 
     Options none 
     AllowOverride Limit 
     Require ip 127.0.0.1 
     Require ip ::1 
     #Require ip 192.168.1.0/255.255.255.0 
 </Directory> 
 </pre> 

 Now it's time to configure phpMyAdmin. Do this by creating the file @/usr/local/www/phpMyAdmin/config.inc.php@, the basic configuration file for phpMyAdmin. Traditionally, users have manually created or modified @/usr/local/www/phpMyAdmin/config.inc.php@, but phpMyAdmin now includes a setup script that makes it much easier to create this file with the settings you want.  

 * Start by creating the directory /usr/local/www/phpMyAdmin/config and make it writable by the phpMyAdmin setup script: 
 <pre> 
 mkdir /usr/local/www/phpMyAdmin/config 
 chmod o+w /usr/local/www/phpMyAdmin/config 
 </pre> 

 * Then make @/usr/local/www/phpMyAdmin/config.inc.php@ readable by the phpMyAdmin setup script: 
 <pre> 
 chmod o+r /usr/local/www/phpMyAdmin/config.inc.php 
 </pre> 

 * Now open your web browser and navigate to http://www.example.com/phpmyadmin/setup where you will see the phpMyAdmin setup _Overview_ page.  
 #* I use SSH tunnels for sensitive tasks like this: 
 <pre> 
 ssh -L 8081:localhost:80 www.example.com 
 </pre> 
 #* NOTE: This will make connections sent to the local computer on port 8081 be sent over SSH and appear as connections from the server itself. Since the above config has @Require ip 127.0.0.1@, all connections will be forbidden except from 127.0.0.1. 

 * Select *New Server* and then select the *Authentication* tab.  
 *# Under the *Authentication type* choose +http+ from the drop-down list (using HTTP-Auth to sign-in into phpMyAdmin will avoid storing login/password credentials directly in config.inc.php) 
 *# And remove +root+ from the *User for config auth*. 

 * Now select *Apply* and you will be returned to the Overview page, where you should see a new server listed.  

 * Select *Save* again in the Overview page to save your configuration as @/usr/local/www/phpMyAdmin/config/config.inc.php@.  

 * Now move that file up one directory to @/usr/local/www/phpMyAdmin@ where phpMyAdmin can make use of it. 
 <pre> 
 mv /usr/local/www/phpMyAdmin/config/config.inc.php /usr/local/www/phpMyAdmin   
 </pre>  

 * Now let’s try out phpMyAdmin to make sure it works. Point your web browser to http://www.example.com/phpmyadmin where you will be presented with a pop-up box requesting you to log in.  
 Use “root” and the MySQL password you set up previously, then you should be directed to the phpMyAdmin administration page.  

 * We no longer need the /usr/local/www/phpMyAdmin/config directory so let’s remove it, and the read permission we added previously to /usr/local/www/phpMyAdmin/config.inc.php: 
 <pre> 
 rm -r /usr/local/www/phpMyAdmin/config 
 chmod o-r /usr/local/www/phpMyAdmin/config.inc.php 
 </pre> 

 * And wrap up by restarting the Apache and MySQL servers: 
 <pre> 
 service apache24 restart 
 service mysql-server restart 
 </pre> 

 --- 

 h1. Multiple Virtual Hosts As Different Users 

 h2. Recompile Apache 2.4 with Suexec 

 * Refresh the ports tree: 
 <pre> 
 portsnap fetch extract 
 </pre> 

 * Recompile Apache 2.4 
 <pre> 
 cd /usr/ports/www/apache24 
 make config 
 make reinstall clean 
 </pre> 
 *NOTE*: Make sure to enable [X] SUEXEC during make config. 

 * Make a directory for each Vhost: 
 <pre> 
 mkdir /usr/local/etc/apache24/Vhosts 
 </pre> 

 * Create webapp group: 
 <pre> 
 pw add group webapp 
 </pre> 

 * Edit the apache config: 
 <pre> 
 vi /usr/local/etc/apache24/httpd.conf 
 </pre> 
 #* And add the following: 
 <pre> 
 LoadModule suexec_module          libexec/apache24/mod_suexec.so 

 ## Include Vhosts directory: 
 Include etc/apache24/Vhosts/*.conf 
 </pre> 

 h3. WordPress 

 * Install wordpress: 
 <pre> 
 pkg install wordpress 
 </pre> 

 * Add the wordpress user 
 <pre> 
 pw add user -n wordpress -g webapp -d /usr/local/www/wordpress -s /usr/sbin/nologin -c "WordPress" 
 </pre>  

 * Make a temporary storage directory for wordpress: 
 <pre> 
 mkdir /var/tmp/wordpress 
 chown wordpress:webapp /usr/local/www/wordpress 
 chown wordpress:webapp /var/tmp/wordpress/ 
 chmod o-rwx /var/tmp/wordpress 
 </pre> 

 * Set up a virtual host to use suEXEC: 
 <pre> 
 vi /usr/local/etc/apache24/Vhosts/wordpress.example.com.conf 
 </pre> 
 #* And add the following: 
 <pre> 
 <VirtualHost *:80> 
   ServerName wordpress.example.com 
   DocumentRoot /usr/local/www/wordpress 

   SuexecUserGroup wordpress webapp 

   php_admin_value open_basedir /usr/local/www/wordpress 
   php_admin_value upload_tmp_dir    /var/tmp/wordpress 

   <Directory "/usr/local/www/wordpress"> 
     AllowOverride All 
     Require all granted 
     Options +SymlinksIfOwnerMatch +Includes 
   </Directory> 
 </VirtualHost> 
 </pre> 
 #* *NOTE*: The @upload_tmp_dir@ is set to a folder outside the document root of the WordPress site (not /usr/local/www/wordpress/tmp). It should also not be readable or writable by any other system users. This is for security reasons: this way an uploaded file cannot be modified or overwritten while PHP is processing it. 

 * Restart apache: 
 <pre> 
 service apache24 restart 
 </pre> 
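
The rule in the note above can be checked mechanically. This is an added example, not part of the original procedure: a shell function that reads @DocumentRoot@ and @upload_tmp_dir@ from a vhost file and confirms the upload directory resolves outside the document root and grants nothing to other users. The function name, output format and sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes one VirtualHost per file
# and absolute paths, as in the vhost above.
# check_upload_dir VHOST_CONF: returns 0 if the rule holds, 1 with a finding.
check_upload_dir() {
    vhost=$1
    fail() { echo "FINDING: $*"; }
    docroot=$(awk 'tolower($1) == "documentroot" {
        gsub(/"/, "", $2); print $2; exit }' "$vhost")
    tmpdir=$(awk 'tolower($1) == "php_admin_value" && $2 == "upload_tmp_dir" {
        gsub(/"/, "", $3); print $3; exit }' "$vhost")

    [ -d "$docroot" ] || { fail "DocumentRoot '$docroot' not found"; return 1; }
    [ -d "$tmpdir" ] || { fail "upload_tmp_dir '$tmpdir' not found"; return 1; }

    # Resolve symlinks so a link pointing back into the docroot is caught.
    real_doc=$(cd "$docroot" && pwd -P)
    real_tmp=$(cd "$tmpdir" && pwd -P)
    case "$real_tmp/" in
        "$real_doc"/*) fail "$tmpdir resolves inside $docroot"; return 1 ;;
    esac

    # Characters 8-10 of the ls mode string are the "other" permission bits.
    other=$(ls -ld "$real_tmp" | cut -c8-10)
    case "$other" in
        ---|--T) ;;
        *) fail "$tmpdir grants other: $other"; return 1 ;;
    esac
    echo "OK: $tmpdir"
}

# Constructed sample tree: the temp dir sits inside the docroot, which is the
# layout the note warns against.
t=$(mktemp -d /tmp/vhost.XXXXXX)
mkdir -p "$t/www/wordpress/tmp"
printf 'DocumentRoot %s\nphp_admin_value upload_tmp_dir %s\n' \
    "$t/www/wordpress" "$t/www/wordpress/tmp" > "$t/vhost.conf"
check_upload_dir "$t/vhost.conf" || true
rm -rf "$t"
```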

 h2. Resources 

 * http://fosskb.wordpress.com/2014/04/10/famp-installing-apache2-4-mysql-php-on-freebsd-10/
