Project

General

Profile

Support #633

Updated by Daniel Curtis over 9 years ago

This is a guide for installing Magento on FreeBSD with Nginx as the web server. 

 h1. Pre-installation requirements 

 * Before installation of the components, make sure everything is up to date using the following command: 
 <pre> 
 pkg update -f && pkg upgrade 
 </pre> 

 * Install portmaster: 
 <pre> 
 cd /usr/ports/ports-mgmt/portmaster 
 make install clean 
 pkg2ng 
 </pre> 

 * Edit the @/etc/hosts@ file  
 <pre> 
 vi /etc/hosts 
 </pre> 
 #* And add/modify the following line: 
 <pre> 
 192.168.1.100                 magento.example.com 
 </pre> 

 --- 

 h1. Install Nginx 

 * Install Nginx 
 <pre> 
 portmaster www/nginx 
 </pre> 

 * Start and enable nginx at boot: 
 <pre> 
 echo 'nginx_enable="YES"' >> /etc/rc.conf 
 service nginx start 
 </pre> 

 * Create a configuration directory to make managing individual server blocks easier 
 <pre> 
 mkdir /usr/local/etc/nginx/conf.d 
 </pre> 

 * Edit the main nginx config file: 
 <pre> 
 vi /usr/local/etc/nginx/nginx.conf 
 </pre> 
 #* And strip down the config file and add the include statement at the end to make it easier to handle various server blocks: 
 <pre> 
 #user    nobody; 
 worker_processes    1; 
 error_log    /var/log/nginx-error.log; 

 events { 
   worker_connections    1024; 
 } 

 http { 
   include         mime.types; 
   default_type    application/octet-stream; 

   sendfile          on; 
   #tcp_nopush       on; 

   #keepalive_timeout    0; 
   keepalive_timeout    65; 

   #gzip    on; 

   # Load config files from the /etc/nginx/conf.d directory 
   include /usr/local/etc/nginx/conf.d/*.conf; 

 } 
 </pre> 

 --- 

 h1. Install PHP 

 The PHP support in FreeBSD is extremely modular so the base install is very limited. It is very easy to add support using the _lang/php5-extensions_ port. This port provides a menu driven interface to PHP extension installation. Alternatively, individual extensions can be installed using the appropriate port. 

 *NOTE*: Magento currently supports +PHP 5.5 only+. 

 * Install PHP 5.5 and other supporting packages: 
 <pre> 
 portmaster lang/php5 
 </pre> 

 * Install PHP extensions and a few modules: 
 <pre> 
 portmaster lang/php56-extensions databases/php5-mysqli databases/php5-pdo_mysql www/php5-session 
 </pre> 

 *NOTE*: There are many more PHP modules, to search for more PHP modules run: 
 <pre> 
 find /usr/ports/ -name "php5-*" 
 </pre> 

 *NOTE*: PHP capabilities can be further extended by using PECL packages, to search for more PECL packages run: 
 <pre> 
 find /usr/ports/ -name "pecl-*" 
 </pre> 

 * Configure the default PHP settings 
 <pre> 
 cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini 
 </pre> 

 h2. Configure PHP-FPM 

 * Edit @/usr/local/etc/php-fpm.conf@: 
 <pre> 
 vi /usr/local/etc/php-fpm.conf 
 </pre> 
 #* Make the following changes: 
 <pre> 
 events.mechanism = kqueue 
 listen = /var/run/php-fpm.sock 
 listen.owner = www 
 listen.group = www 
 listen.mode = 0666 
 </pre> 

 * Start and enable PHP-FPM at boot: 
 <pre> 
 echo 'php_fpm_enable="YES"' >> /etc/rc.conf 
 service php-fpm start 
 </pre> 

 * Restart nginx: 
 <pre> 
 service nginx restart 
 </pre> 

 --- 

 h1. Install Magento 

 * Install Magento: 
 <pre> 
 portmaster www/magento 
 </pre> 

 * Add a *magento.example.com server block*: 
 <pre> 
 vi /usr/local/etc/nginx/conf.d/magento.example.com.conf 
 </pre> 
 #* Add the following: 
 <pre> 
 server { 
   listen         80; 
   server_name    magento.example.com; 
   root           /usr/local/www/magento; 
   access_log     /var/log/magento.example.com-access.log; 
   error_log      /var/log/magento.example.com-error.log; /var/log/magento.example.com-error.log 

   ## Allow a static html file to be shown first 
   location / { 
     index index.html index.php;  
     try_files $uri $uri/ @handler; ## If missing pass the URI to Magento's front handler 
     expires 30d; ## Assume all files are cachable 
   } 

   ## These locations would be hidden by .htaccess normally 
   location ^~ /app/                  { deny all; } 
   location ^~ /includes/             { deny all; } 
   location ^~ /lib/                  { deny all; } 
   location ^~ /media/downloadable/ { deny all; } 
   location ^~ /pkginfo/              { deny all; } 
   location ^~ /report/config.xml     { deny all; } 
   location ^~ /var/                  { deny all; } 
 
   ## Allow admins only to view export folder 
   location /usr/local/www/magento/var/export/ {  
     auth_basic             "Restricted"; ## Message shown in login window 
     auth_basic_user_file htpasswd; ## See /etc/nginx/htpassword 
     autoindex              on; 
   } 
 
   ## Disable .htaccess and other hidden files 
   location    /. {  
       return 404; 
   } 
 
   ## Magento uses a common front handler 
   location @handler {  
     rewrite / /index.php; 
   } 
 
   ## Forward paths like /js/index.php/x.js to relevant handler 
   location ~ .php/ {  
     rewrite ^(.*.php)/ $1 last; 
   } 

     ## Execute PHP scripts  
   location ~ .php$ {  
     if (!-e $request_filename) { rewrite / /index.php last; } ## Catch 404s that try_files miss 
       expires          off; ## Do not cache dynamic content 
       fastcgi_pass     127.0.0.1:9000; 
       fastcgi_param    HTTPS $fastcgi_https; 
       fastcgi_param    SCRIPT_FILENAME    $document_root$fastcgi_script_name; 
       fastcgi_param    MAGE_RUN_CODE default; ## Store code is defined in administration > Configuration > Manage Stores 
       fastcgi_param    MAGE_RUN_TYPE store; 
       include          fastcgi_params; ## See /etc/nginx/fastcgi_params 
   } 
 } 
 </pre> 

 --- 

 h1. Securing Nginx With SSL 

 * Install OpenSSL: 
 <pre> 
 portmaster security/openssl 
 </pre> 

 Enabling SSL in Nginx is simple. First add the ssl directive in the server listen option, then add the SSL certificate and key paths. 

 * The basic SSL server block should be look similar to the following: 
 <pre> 
     server { 
         listen                443 ssl; 
         server_name           www.example.com; 
         ssl_certificate       www.example.com.crt; 
         ssl_certificate_key www.example.com.key; 
         ... 
     } 
 </pre> 

 * Setup the Diffie-Hellman Key Exchange Parameters 
 <pre> 
 cd /usr/local/etc/nginx 
 openssl dhparam -out dhparam.pem 4096 
 </pre> 

 * Generate a strong SSL key and a CSR to send for signing by a CA: 
 <pre> 
 cd /usr/local/etc/nginx 
 openssl req -sha512 -out magento.example.com.csr -new -newkey rsa:4096 -nodes -keyout magento.example.com.key 
 </pre> 
 #* If the received SSL certificate requires additional bundle certificates, add them together like so: 
 <pre> 
 cd /usr/local/etc/nginx 
 cat magento.example.com.crt magento.example.com.bundle > magento.example.com.chained.crt 
 </pre> 

 * Setup the default site configuration: 
 <pre> 
 vi /usr/local/etc/nginx/conf.d/magento.example.com.conf 
 </pre> 
 #* Then add or modify the configuration to look similar to the following: 
 <pre> 
 server { 
   listen 80;  
   listen 443 default ssl; 
   server_name magento.example.com; 

   # Turn on ans set SSL key/cert 
   ssl on; 
   ssl_certificate /usr/local/etc/nginx/magento.example.com.crt; 
   ssl_certificate_key /usr/local/etc/nginx/magento.example.com.key; 

   # Strong SSL configuration 
   ssl_ciphers 'AES128+EECDH:AES128+EDH:!aNULL'; 
   ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
   ssl_session_cache    builtin:1000    shared:SSL:10m; 
   ssl_stapling on; 
   ssl_stapling_verify on; 
   ssl_prefer_server_ciphers on; 
   ssl_dhparam /usr/local/etc/nginx/dhparam.pem; 
   add_header Strict-Transport-Security max-age=63072000; 
   add_header X-Frame-Options DENY; 
   add_header X-Content-Type-Options nosniff; 

   root /usr/local/www/magento; 
   index index.html index.htm; 
   autoindex on; 

   ## Allow a static html file to be shown first 
   location / { 
     index index.html index.php;  
     try_files $uri $uri/ @handler; ## If missing pass the URI to Magento's front handler 
     expires 30d; ## Assume all files are cachable 
   } 

   ## These locations would be hidden by .htaccess normally 
   location ^~ /app/                  { deny all; } 
   location ^~ /includes/             { deny all; } 
   location ^~ /lib/                  { deny all; } 
   location ^~ /media/downloadable/ { deny all; } 
   location ^~ /pkginfo/              { deny all; } 
   location ^~ /report/config.xml     { deny all; } 
   location ^~ /var/                  { deny all; } 
 
   ## Allow admins only to view export folder 
   location /usr/local/www/magento/var/export/ {  
     auth_basic             "Restricted"; ## Message shown in login window 
     auth_basic_user_file htpasswd; ## See /etc/nginx/htpassword 
     autoindex              on; 
   } 
 
   ## Disable .htaccess and other hidden files 
   location    /. {  
       return 404; 
   } 
 
   ## Magento uses a common front handler 
   location @handler {  
     rewrite / /index.php; 
   } 
 
   ## Forward paths like /js/index.php/x.js to relevant handler 
   location ~ .php/ {  
     rewrite ^(.*.php)/ $1 last; 
   } 

     ## Execute PHP scripts  
   location ~ .php$ {  
     if (!-e $request_filename) { rewrite / /index.php last; } ## Catch 404s that try_files miss 
       expires          off; ## Do not cache dynamic content 
       fastcgi_pass     127.0.0.1:9000; 
       fastcgi_param    HTTPS $fastcgi_https; 
       fastcgi_param    SCRIPT_FILENAME    $document_root$fastcgi_script_name; 
       fastcgi_param    MAGE_RUN_CODE default; ## Store code is defined in administration > Configuration > Manage Stores 
       fastcgi_param    MAGE_RUN_TYPE store; 
       include          fastcgi_params; ## See /etc/nginx/fastcgi_params 
   } 

   # Uncomment to force HTTPS 
 #    if ($scheme = http) { 
 #      return 301 https://$server_name$request_uri; 
 #    } 

 } 
 </pre> 

 h3. Certificate Bundles 

 Some browsers may complain about a certificate signed by a well-known certificate authority, while other browsers may accept the certificate without issues. This occurs because the issuing authority has signed the server certificate using an intermediate certificate that is not present in the certificate base of well-known trusted certificate authorities which is distributed with a particular browser. In this case the authority provides a bundle of chained certificates which should be concatenated to the signed server certificate.  

 * The server certificate must appear before the chained certificates in the combined file: 
 <pre> 
 cat magento.example.com.crt bundle.crt > magento.example.com.chained.crt 
 </pre> 

 * The resulting file should be used in the ssl_certificate directive: 
 <pre> 
     server { 
         listen                443 ssl; 
         server_name           www.example.com; 
         ssl_certificate       www.example.com.chained.crt; 
         ssl_certificate_key www.example.com.key; 
         ... 
     } 
 </pre> 

 --- 

 h1. Install MariaDB 

 * Install MariaDB server and client: 
 <pre> 
 portmaster databases/mariadb10-server databases/mariadb10-client 
 </pre> 

 * Start and enable MariaDB at boot: 
 <pre> 
 echo 'mysql_enable="YES"' >> /etc/rc.conf 
 service mysql-server start 
 </pre> 

 * Secure your installation: 
 <pre> 
 mysql_secure_installation 
 </pre> 

 h2. Configure a new MariaDB database 

 * Log into the MySQL console: 
 <pre> 
 mysql -h localhost -u root -p 
 </pre> 
 #* Create the *magentouser* user with the *SuperSecretPassword* password and the *magentodb* database: 
 <pre> 
 CREATE USER 'magentouser'@'localhost' IDENTIFIED BY 'SuperSecretPassword';    
 CREATE DATABASE IF NOT EXISTS    `magentodb` CHARACTER SET utf8 COLLATE utf8_general_ci; 
 GRANT ALL PRIVILEGES ON `magentodb`.* TO 'magentouser'@'localhost'; 

 flush privileges; 
 exit 
 </pre>  

 * And wrap up by restarting the nginx and mariadb servers: 
 <pre> 
 service nginx restart 
 service mysql-server restart 
 </pre> 

 h2. Resources 

 * http://www.magentocommerce.com/wiki/1_-_installation_and_configuration/configuring_nginx_for_magento 
 * http://www.bsdnow.tv/tutorials/nginx 
 * http://forums.freebsd.org/viewtopic.php?t=30268 
 * https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

Back