Support #432
Updated by Daniel Curtis almost 10 years ago
{{>toc}}

Here is a procedure to install a FAMP server: FreeBSD with Apache, MariaDB and PHP. The following setup runs Apache 2.4, MariaDB 5.5 and PHP 5 on FreeBSD 9.2-RELEASE. If the version of any package needs to be changed, replace the versions in the commands accordingly.

h1. Pre-Installation Tasks

* Before installing the components, make sure the packages and the ports tree are up to date:
<pre>
pkg update && pkg upgrade
portsnap fetch extract
</pre>
* Install portmaster (and, on a system still using the old package database, convert it with @pkg2ng@):
<pre>
pkg install portmaster
pkg2ng
</pre>
*NOTE*: pkgng is great, however I need the flexibility of the ports tree. So portmaster will be useful for upgrading and installing packages.
* Edit the @/etc/hosts@ file and add a line of the form @<ip-address> <hostname>.<domain> <hostname>@, e.g.:
<pre>
192.168.1.1 www.example.com www
</pre>

---

h1. Install Apache 2.4

* Install Apache 2.4 from ports (or, from packages, @pkg install apache24@):
<pre>
portmaster www/apache24
</pre>
* Edit the apache configuration file, @/usr/local/etc/apache24/httpd.conf@, and make the following changes:
<pre>
ServerRoot "/usr/local"
ServerAdmin you@your.address
ServerName www.example.com:80
DocumentRoot "/usr/local/www"
Listen 80
<Directory "/usr/local/www">
    Options FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
Include etc/apache24/Includes/*.conf
</pre>
*NOTE*: Apache 2.4 replaced the 2.2 access control directives (@Order allow,deny@ / @Allow from all@) with @Require all granted@; the old syntax only works if mod_access_compat is loaded. @NameVirtualHost@ is ignored by 2.4 and can be dropped. The @Include@ must say @apache24@, not @apache22@, or the files created under @Includes/@ below are never read. Add @Indexes@ to @Options@ only if you actually want directory listings.
* *(Optional)* To use the HTTP accept filter, create @/boot/loader.conf@, or edit it if it is already present, and add the following line:
<pre>
accf_http_load="YES"
</pre>
* *(Optional)* Create @/usr/local/etc/apache24/Includes/no-accf.conf@, or edit it if it is already present, and add the following lines to disable ACCF (I do this since I am in a jail that does not have the required kernel module):
<pre>
<IfDefine NOHTTPACCEPT>
    AcceptFilter http none
    AcceptFilter https none
</IfDefine>
</pre>
* Enable apache24 to start at boot:
<pre>
echo 'apache24_enable="YES"' >> /etc/rc.conf
</pre>
* Test the apache installation:
<pre>
service apache24 start
</pre>

h2. Install PHP

* Install PHP 5 and the Apache module, from ports:
<pre>
portmaster lang/php5 www/mod_php5
</pre>
#* or from packages:
<pre>
pkg install php5 mod_php5
</pre>
* Install the PHP extensions. The PHP support in FreeBSD is extremely modular, so the base install is very limited; the _lang/php5-extensions_ port provides a menu-driven interface to extension selection, and individual extensions can be installed from their own ports. For future upgrades of PHP the @make config@ step is not required; the selected OPTIONS are saved automatically by the FreeBSD Ports framework. The following set (which includes the MySQL drivers and session support) suits my use case; add or remove as needed, or install the same @php5-*@ packages with @pkg install@:
<pre>
portmaster textproc/php5-xml textproc/php5-dom security/libgpg-error textproc/php5-xmlreader textproc/php5-simplexml textproc/php5-ctype sysutils/php5-fileinfo security/php5-openssl security/php5-hash security/php5-filter graphics/php5-exif devel/php5-json databases/php5-sqlite3 databases/php5-pdo lang/php5-extensions converters/php5-iconv audio/mp3info archivers/php5-zlib archivers/php5-zip archivers/php5-bz2 www/php5-session security/libgcrypt textproc/php5-wddx net/php5-ldap ftp/php5-curl databases/php5-pdo_sqlite databases/php5-mysql databases/php5-mysqli databases/php5-pdo_mysql converters/php5-mbstring textproc/php5-xsl graphics/php5-gd
</pre>
* Copy the PHP configuration file:
<pre>
cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini
</pre>
* Make sure @/usr/local/etc/apache24/httpd.conf@ loads the module (the mod_php5 port normally adds this line itself; add it if it is missing):
<pre>
LoadModule php5_module libexec/apache24/libphp5.so
</pre>
* Create @/usr/local/etc/apache24/Includes/mod_php5.conf@ so Apache hands @.php@ files to the module:
<pre>
vi /usr/local/etc/apache24/Includes/mod_php5.conf
</pre>
#* And add the following:
<pre>
<IfModule dir_module>
    DirectoryIndex index.php index.html
</IfModule>
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch "\.phps$">
    SetHandler application/x-httpd-php-source
</FilesMatch>
</pre>
*NOTE*: The @.phps@ handler shows PHP source to anyone who requests a @.phps@ URL; leave that block out on a production host unless that is what you want.
* A graceful restart loads the PHP module:
<pre>
service apache24 graceful
</pre>

h2. Install the Phusion Passenger module

* Install and compile Phusion Passenger:
<pre>
portmaster www/rubygem-passenger
passenger-install-apache2-module
</pre>
#* Then add the module in @/usr/local/etc/apache24/httpd.conf@, using the @LoadModule@ and @PassengerRoot@ lines the installer prints at the end (the version in the paths changes with each release):
<pre>
LoadModule passenger_module /usr/ports/www/rubygem-passenger/work/passenger-4.0.41/buildout/apache2/mod_passenger.so
<IfModule mod_passenger.c>
    PassengerRoot /usr/ports/www/rubygem-passenger/work/passenger-4.0.41
    PassengerDefaultRuby /usr/local/bin/ruby19
</IfModule>
</pre>
*NOTE*: Those paths point into the ports work directory, which disappears on @make clean@; if the module goes missing later, rebuild it or point the two directives at wherever the installer placed the files.
#* Now ruby web applications can be served using the following template:
<pre>
<VirtualHost *:80>
    ServerName www.example.com
    # !!! Be sure to point DocumentRoot to 'public'!
    DocumentRoot /usr/local/www/rubyapp/public
    <Directory /usr/local/www/rubyapp/public>
        # This relaxes Apache security settings.
        AllowOverride all
        # MultiViews must be turned off.
        Options -MultiViews
    </Directory>
</VirtualHost>
</pre>

h2. Securing Apache24 with SSL

* Make the directory for the apache24 SSL files:
<pre>
mkdir /usr/local/etc/apache24/ssl && cd /usr/local/etc/apache24/ssl
</pre>
* Generate a strong key and a CSR to send to a CA for signing:
<pre>
openssl req -sha512 -out www.example.com.csr -new -newkey rsa:4096 -nodes -keyout www.example.com.key
</pre>
*NOTE*: @-nodes@ leaves the key unencrypted so apache24 can start unattended; keep @www.example.com.key@ owned by root and readable by nobody else.
* Securely copy the signed certificate to *www.example.com.crt* and the CA's intermediate bundle to *www.example.com.bundle* in the same directory.
* Edit the apache24 config file:
<pre>
vi /usr/local/etc/apache24/httpd.conf
</pre>
#* Make sure the Include for the SSL configuration is uncommented:
<pre>
Include etc/apache24/extra/httpd-ssl.conf
</pre>
#* And add the following:
<pre>
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /usr/local/www/www.example.com
    <Directory /usr/local/www/www.example.com>
        Options FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
    SSLEngine on
    SSLCertificateFile /usr/local/etc/apache24/ssl/www.example.com.crt
    SSLCertificateKeyFile /usr/local/etc/apache24/ssl/www.example.com.key
    SSLCertificateChainFile /usr/local/etc/apache24/ssl/www.example.com.bundle
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    BrowserMatch "MSIE [2-6]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</pre>
* Edit the apache24 SSL config file:
<pre>
vi /usr/local/etc/apache24/extra/httpd-ssl.conf
</pre>
#* And modify the following parameters: SSLv2 and SSLv3 are switched off, and RC4, anonymous and other weak suites are excluded explicitly (set @SSLHonorCipherOrder on@ as well so the server's preference, not the client's, decides the suite):
<pre>
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
SSLCertificateFile "/usr/local/etc/apache24/ssl/www.example.com.crt"
SSLCertificateKeyFile "/usr/local/etc/apache24/ssl/www.example.com.key"
SSLCertificateChainFile "/usr/local/etc/apache24/ssl/www.example.com.bundle"
</pre>
* Restart apache24:
<pre>
service apache24 restart
</pre>

h3. Forcing SSL on a Website

* Force clients onto HTTPS with a rewrite in the site's @.htaccess@. This needs mod_rewrite loaded, @RewriteEngine On@ in effect, and an @AllowOverride@ that permits @FileInfo@ for the directory; the @<Directory "/usr/local/www">@ block above has @AllowOverride None@, so either relax it for the site or put the same two lines directly in the port 80 virtual host. Open the file in the site's document root for editing:
<pre>
vi /usr/local/www/www.example.com/.htaccess
</pre>
#* Make sure the following two lines are present, removing the @#@ characters before them if they are commented out:
<pre>
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</pre>
* Restart apache24:
<pre>
service apache24 restart
</pre>

---

h1. Install MariaDB

* Install MariaDB 5.5 server and client from ports (or with @pkg install mariadb55-server mariadb55-client@):
<pre>
portmaster databases/mariadb55-server databases/mariadb55-client
</pre>

h2. Configure MariaDB

* Start from the small example configuration:
<pre>
cp /usr/local/share/mysql/my-small.cnf /usr/local/etc/my.cnf
</pre>
* Enable MariaDB to start at boot:
<pre>
echo 'mysql_enable="YES"' >> /etc/rc.conf
</pre>
* Start MariaDB:
<pre>
service mysql-server start
</pre>
* Do some basic hardening of the server (set a root password, remove the anonymous users and the test database, disable remote root login):
<pre>
mysql_secure_installation
</pre>
* Restart MariaDB:
<pre>
service mysql-server restart
</pre>

h2. Configure a new database

* Log into the MySQL console:
<pre>
mysql -h localhost -u root -p
</pre>
#* Create the *webappuser* user with the *SuperSecretPassword* password and the *webappdb* database, and grant the user rights on that database only:
<pre>
CREATE USER 'webappuser'@'localhost' IDENTIFIED BY 'SuperSecretPassword';
CREATE DATABASE IF NOT EXISTS `webappdb` CHARACTER SET utf8 COLLATE utf8_general_ci;
GRANT ALL PRIVILEGES ON `webappdb`.* TO 'webappuser'@'localhost';
FLUSH PRIVILEGES;
exit
</pre>

h2. Install and configure phpMyAdmin

* Install phpMyAdmin from ports (or @pkg install phpmyadmin@):
<pre>
portmaster databases/phpmyadmin
</pre>

h3. Configure phpMyAdmin

* Set up phpMyAdmin for Apache 2.4 by creating @/usr/local/etc/apache24/Includes/phpmyadmin.conf@ with the following (the 2.2 @Order@ directive is not needed alongside @Require@):
<pre>
Alias /phpmyadmin "/usr/local/www/phpMyAdmin/"
<Directory "/usr/local/www/phpMyAdmin/">
    Options none
    AllowOverride Limit
    Require ip 127.0.0.1
    Require ip ::1
    #Require ip 192.168.1.0/255.255.255.0
</Directory>
</pre>
Now it is time to configure phpMyAdmin, by creating @/usr/local/www/phpMyAdmin/config.inc.php@, its basic configuration file. Traditionally users have created or modified that file by hand, but phpMyAdmin now includes a setup script, which makes it much easier to create the file with the settings you want.
* Start by creating the directory @/usr/local/www/phpMyAdmin/config@ and make it writable by the phpMyAdmin setup script (this makes it world-writable, which is why the directory is removed again at the end):
<pre>
mkdir /usr/local/www/phpMyAdmin/config
chmod o+w /usr/local/www/phpMyAdmin/config
</pre>
* Then make @/usr/local/www/phpMyAdmin/config.inc.php@ readable by the setup script:
<pre>
chmod o+r /usr/local/www/phpMyAdmin/config.inc.php
</pre>
* Now open your web browser and navigate to the setup script, where you will see the phpMyAdmin setup _Overview_ page.
#* I use SSH tunnels for sensitive tasks like this:
<pre>
ssh -L 8081:localhost:80 www.example.com
</pre>
#* NOTE: This makes connections to port 8081 on the local computer travel over SSH and arrive at the server as connections from the server itself, so the URL to open is http://localhost:8081/phpmyadmin/setup. Since the above config has @Require ip 127.0.0.1@, every other source address is forbidden.
* Select *New Server* and then select the *Authentication* tab.
*# Under *Authentication type* choose +http+ from the drop-down list (using HTTP auth to sign in to phpMyAdmin avoids storing login/password credentials in config.inc.php).
*# And remove +root+ from *User for config auth*.
* Now select *Apply* and you will be returned to the Overview page, where you should see a new server listed.
* Select *Save* in the Overview page to save your configuration as @/usr/local/www/phpMyAdmin/config/config.inc.php@.
* Now move that file up one directory to @/usr/local/www/phpMyAdmin@, where phpMyAdmin can make use of it:
<pre>
mv /usr/local/www/phpMyAdmin/config/config.inc.php /usr/local/www/phpMyAdmin
</pre>
* Now let's try out phpMyAdmin to make sure it works. Point your web browser to http://www.example.com/phpmyadmin (through the tunnel, http://localhost:8081/phpmyadmin), where a pop-up box asks you to log in. Use "root" and the MySQL password you set up previously; you should then be directed to the phpMyAdmin administration page.
* The @/usr/local/www/phpMyAdmin/config@ directory is no longer needed, so remove it, together with the read permission added previously to @/usr/local/www/phpMyAdmin/config.inc.php@:
<pre>
rm -r /usr/local/www/phpMyAdmin/config
chmod o-r /usr/local/www/phpMyAdmin/config.inc.php
</pre>
* And wrap up by restarting the Apache and MySQL servers:
<pre>
service apache24 restart
service mysql-server restart
</pre>

---

h1. Multiple Virtual Hosts As Different Users

h2. Recompile Apache 2.4 with suEXEC

* Refresh the ports tree:
<pre>
portsnap fetch extract
</pre>
* Recompile Apache 2.4:
<pre>
cd /usr/ports/www/apache24
make config
make reinstall clean
</pre>
*NOTE*: Make sure to enable [X] SUEXEC during @make config@.
* Make a directory for the Vhost files:
<pre>
mkdir /usr/local/etc/apache24/Vhosts
</pre>
* Create the webapp group:
<pre>
pw groupadd webapp
</pre>
* Edit the apache config:
<pre>
vi /usr/local/etc/apache24/httpd.conf
</pre>
#* And add the following:
<pre>
LoadModule suexec_module libexec/apache24/mod_suexec.so
## Include Vhosts directory:
Include etc/apache24/Vhosts/*.conf
</pre>

h3. WordPress

* Install WordPress from ports (or @pkg install wordpress@):
<pre>
portmaster www/wordpress
</pre>
* Add the wordpress user, with no login shell:
<pre>
pw useradd wordpress -g webapp -d /usr/local/www/wordpress -s /usr/sbin/nologin -c "WordPress"
</pre>
* Make a temporary upload directory for wordpress and give the wordpress user ownership of both it and the document root:
<pre>
mkdir /var/tmp/wordpress
chown wordpress:webapp /usr/local/www/wordpress
chown wordpress:webapp /var/tmp/wordpress
chmod o-rwx /var/tmp/wordpress
</pre>
* Set up a virtual host that uses suEXEC:
<pre>
vi /usr/local/etc/apache24/Vhosts/wordpress.example.com.conf
</pre>
#* And add the following:
<pre>
<VirtualHost *:80>
    ServerName wordpress.example.com
    DocumentRoot /usr/local/www/wordpress
    SuexecUserGroup wordpress webapp
    php_admin_value open_basedir /usr/local/www/wordpress
    php_admin_value upload_tmp_dir /var/tmp/wordpress
    <Directory "/usr/local/www/wordpress">
        AllowOverride All
        Require all granted
        Options +SymlinksIfOwnerMatch +Includes
    </Directory>
</VirtualHost>
</pre>
*NOTE*: @SuexecUserGroup@ only changes the user that CGI and SSI programs run as. PHP pages served through mod_php5 still execute as the Apache user (@www@), so they get the @php_admin_value@ restrictions above but not the user switch, and the Apache user needs write access to @/var/tmp/wordpress@ for uploads to work; running PHP itself as the wordpress user needs a CGI or FastCGI PHP setup.
#* *NOTE*: @upload_tmp_dir@ is set to a directory outside the document root of the wordpress site (not @/usr/local/www/wordpress/tmp@), and one that no other system user can read or write. This is for security reasons: an uploaded file cannot be read, modified or overwritten by anyone else while PHP is processing it, and it can never be requested through the web server.
* Restart apache:
<pre>
service apache24 restart
</pre>

h2. Resources

* http://fosskb.wordpress.com/2014/04/10/famp-installing-apache2-4-mysql-php-on-freebsd-10/
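The configuration fragments in this procedure mix Apache 2.2 and 2.4 syntax in a few places (@Order@/@Allow@ lines, @NameVirtualHost@, an @apache22@ Include path), and the SSL block is easy to leave at @SSLProtocol all@ or with RC4 still enabled. As an added example, not code from the original page, here is a small POSIX sh/awk lint that reads an httpd.conf or any @Includes/*.conf@ on stdin and reports those cases before you restart apache24. The rule names are mine, and the two sample configs are constructed: one repeats the mistakes above, the other is the corrected form.

```shell
#!/bin/sh
# Added example, not part of the original page: a lint for the Apache 2.2-era
# and weak-TLS directives this procedure is prone to. Assumes POSIX sh + awk.

# Read an httpd.conf (or Includes/*.conf) on stdin and print one finding per
# line as "LINENO: rule: directive". Comment lines are ignored.
lint_apache_conf() {
    awk '
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line == "" || line ~ /^#/) next
        l = tolower(line)

        # 2.2 access control; apache24 wants Require all granted/denied
        if (l ~ /^(order|allow from|deny from|satisfy)([ \t]|$)/)
            printf "%d: apache22-access-control: %s\n", NR, line

        # ignored by 2.4, a sign the file was copied from a 2.2 setup
        if (l ~ /^namevirtualhost([ \t]|$)/)
            printf "%d: deprecated-directive: %s\n", NR, line

        # Includes/*.conf is never read if the path still says apache22
        if (l ~ /^include[ \t]/ && l ~ /apache22/)
            printf "%d: wrong-include-path: %s\n", NR, line

        # directory listings expose the document tree
        if (l ~ /^options[ \t]/ && l ~ /(^|[ \t+])indexes([ \t]|$)/)
            printf "%d: directory-listing: %s\n", NR, line

        # "all" without -SSLv3, or an explicit SSLv2/SSLv3, is weak
        if (l ~ /^sslprotocol[ \t]/) {
            weak = 0; all = 0; nov3 = 0
            n = split(l, t, /[ \t]+/)
            for (i = 2; i <= n; i++) {
                if (t[i] == "all") all = 1
                if (t[i] == "-sslv3") nov3 = 1
                if (t[i] ~ /^[+]?sslv[23]$/) weak = 1
            }
            if (weak || (all && !nov3))
                printf "%d: weak-ssl-protocol: %s\n", NR, line
        }

        # any RC4 token without a leading "!" still enables it, and
        # anonymous DH must be excluded explicitly
        if (l ~ /^sslciphersuite[ \t]/) {
            rc4 = 0; anull = 0
            n = split(l, t, /[ \t:"]+/)
            for (i = 2; i <= n; i++) {
                if (t[i] ~ /rc4/ && t[i] !~ /^!/) rc4 = 1
                if (t[i] == "!anull") anull = 1
            }
            if (rc4) printf "%d: rc4-enabled: %s\n", NR, line
            if (!anull) printf "%d: anull-not-excluded: %s\n", NR, line
        }
    }'
}

# Number of findings on stdin, as a bare integer.
count_findings() {
    lint_apache_conf | wc -l | tr -d ' \n'
}

# Constructed samples: the mistakes from an unfixed config, then the same
# settings written for Apache 2.4.
BAD_CONF='NameVirtualHost *:80
<Directory "/usr/local/www">
    Options Indexes FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
Include etc/apache22/Includes/*.conf
SSLProtocol all
SSLCipherSuite "EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL"
# Order allow,deny   <- commented out, must not be reported'

GOOD_CONF='<Directory "/usr/local/www">
    Options FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
Include etc/apache24/Includes/*.conf
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite "EECDH+AESGCM EDH+aRSA+AESGCM !RC4 !aNULL !eNULL !LOW !3DES !MD5"'

# Demo: seven findings for the bad config, none for the good one.
printf '%s\n' "$BAD_CONF" | lint_apache_conf
```

Against the real host, run @lint_apache_conf < /usr/local/etc/apache24/httpd.conf@ and the same for each file under @Includes/@, @Vhosts/@ and @extra/httpd-ssl.conf@; an empty result is the goal.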
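The SSL section says to copy the CA-signed certificate into place, but not how to confirm that the certificate the CA returned belongs to the key generated with the @openssl req@ command, and that the bundle completes the chain; a mismatch there is the usual reason apache24 refuses to start after this step. As an added example, not part of the original page, the following POSIX sh functions perform those checks with openssl(1), using the file names the procedure uses under @/usr/local/etc/apache24/ssl@. The function names are mine, and the fixture is constructed in a temporary directory: a 2048-bit key and CSR made the same way as the procedure's (smaller than 4096 only to keep the demo fast), a self-signed certificate standing in for the CA-issued one, a copy of it as the bundle, and a second key that must not match.

```shell
#!/bin/sh
# Added example, not part of the original page: sanity checks for the files in
# /usr/local/etc/apache24/ssl before restarting apache24. Assumes openssl(1)
# (OpenSSL or LibreSSL), mktemp and POSIX sh.

# Public key of a private key, a CSR or a certificate in PEM form, so the three
# can be compared as plain strings.
pubkey_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
pubkey_of_csr()  { openssl req  -in "$1" -noout -pubkey 2>/dev/null; }
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# 0 if the certificate was issued for this private key, 1 otherwise.
cert_matches_key() { [ "$(pubkey_of_cert "$1")" = "$(pubkey_of_key "$2")" ]; }

# 0 if the CSR was built from this private key (i.e. what the CA will sign).
csr_matches_key() { [ "$(pubkey_of_csr "$1")" = "$(pubkey_of_key "$2")" ]; }

# 0 if the certificate chains to the bundle and is currently valid.
chain_verifies() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# 0 if the certificate stays valid for at least N more days.
valid_for_days() { openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; }

# Run every check for one site directory; print a report and return the
# number of failed checks (0 means safe to restart apache24).
check_site_ssl() {
    dir=$1; name=$2; fails=0
    csr_matches_key "$dir/$name.csr" "$dir/$name.key" \
        && echo "ok   csr matches key" || { echo "FAIL csr/key mismatch"; fails=$((fails+1)); }
    cert_matches_key "$dir/$name.crt" "$dir/$name.key" \
        && echo "ok   cert matches key" || { echo "FAIL cert/key mismatch"; fails=$((fails+1)); }
    chain_verifies "$dir/$name.bundle" "$dir/$name.crt" \
        && echo "ok   chain verifies" || { echo "FAIL chain does not verify"; fails=$((fails+1)); }
    valid_for_days "$dir/$name.crt" 30 \
        && echo "ok   more than 30 days left" || { echo "FAIL expires within 30 days"; fails=$((fails+1)); }
    return $fails
}

# Constructed fixture: key and CSR made like the procedure's, a self-signed
# certificate standing in for the CA-issued one, its copy as the bundle, and an
# unrelated key that must be reported as a mismatch.
make_fixture() {
    d=$1
    openssl req -sha512 -new -newkey rsa:2048 -nodes -subj /CN=www.example.com \
        -keyout "$d/www.example.com.key" -out "$d/www.example.com.csr" 2>/dev/null
    openssl x509 -req -in "$d/www.example.com.csr" -signkey "$d/www.example.com.key" \
        -days 90 -out "$d/www.example.com.crt" 2>/dev/null
    cp "$d/www.example.com.crt" "$d/www.example.com.bundle"
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
}

# Demo: all four checks pass on the fixture.
demo=$(mktemp -d)
make_fixture "$demo"
check_site_ssl "$demo" www.example.com
rm -rf "$demo"
```

On the real host run @check_site_ssl /usr/local/etc/apache24/ssl www.example.com@ after copying the CA's files in; a non-zero return means fix the files, not the Apache config.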
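For the suEXEC/WordPress section, what is worth verifying after setup is that everything under the document root belongs to the vhost user, that nothing in it is world-writable, and that @upload_tmp_dir@ lies outside the document root and is closed to other users, which is exactly the property the note above relies on. As an added example, not code from the original page, this POSIX sh audit implements those checks with find(1). The function names are mine, and the fixture is a constructed stand-in for @/usr/local/www/wordpress@ and @/var/tmp/wordpress@ built in a temporary directory.

```shell
#!/bin/sh
# Added example, not part of the original page: audit a per-user vhost the way
# the suEXEC section lays one out. Assumes POSIX sh and a find(1) that accepts
# -maxdepth, -uid and symbolic -perm (GNU and BSD find both do).

# Files under DIR not owned by UID: with a dedicated vhost user, every file in
# the tree should belong to that user.
files_not_owned_by() { find "$1" ! -uid "$2"; }

# World-writable files under DIR: anything another vhost's user could overwrite.
world_writable_files() { find "$1" -type f -perm -o+w; }

# 0 if DIR itself grants "other" no r, w or x: what upload_tmp_dir needs so
# other system users can neither read nor replace uploads while PHP handles them.
no_other_access() {
    [ -z "$(find "$1" -maxdepth 0 \( -perm -o+r -o -perm -o+w -o -perm -o+x \) 2>/dev/null)" ]
}

# Print a report for one vhost; return the number of failed checks.
audit_vhost() {
    docroot=$1; tmpdir=$2; uid=$3; fails=0
    n=$(files_not_owned_by "$docroot" "$uid" | wc -l | tr -d ' \n')
    [ "$n" = 0 ] && echo "ok   all files owned by uid $uid" \
        || { echo "FAIL $n files not owned by uid $uid"; fails=$((fails+1)); }
    n=$(world_writable_files "$docroot" | wc -l | tr -d ' \n')
    [ "$n" = 0 ] && echo "ok   no world-writable files" \
        || { echo "FAIL $n world-writable files"; fails=$((fails+1)); }
    no_other_access "$tmpdir" && echo "ok   upload_tmp_dir closed to others" \
        || { echo "FAIL upload_tmp_dir readable or writable by others"; fails=$((fails+1)); }
    case $tmpdir in
        "$docroot"/*) echo "FAIL upload_tmp_dir is inside the document root"; fails=$((fails+1)) ;;
        *)            echo "ok   upload_tmp_dir outside document root" ;;
    esac
    return $fails
}

# Constructed fixture standing in for /usr/local/www/wordpress and
# /var/tmp/wordpress: one correctly set file, one world-writable file, and a
# properly closed temporary directory.
make_fixture() {
    mkdir -p "$1/docroot/wp-content" "$1/tmp"
    echo '<?php' > "$1/docroot/index.php";        chmod 644 "$1/docroot/index.php"
    echo '<?php' > "$1/docroot/wp-content/x.php"; chmod 666 "$1/docroot/wp-content/x.php"
    chmod 700 "$1/tmp"
}

# Demo: the world-writable file is reported, everything else passes.
demo=$(mktemp -d)
make_fixture "$demo"
audit_vhost "$demo/docroot" "$demo/tmp" "$(id -u)" || echo "failed checks: $?"
rm -rf "$demo"
```

Against the real host run @audit_vhost /usr/local/www/wordpress /var/tmp/wordpress "$(id -u wordpress)"@ as root; run it again after every plugin or theme install, since those are the files that tend to arrive world-writable.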