Installing FreeBSD 6.1 web server with PHP and MySQL
last modified 09/06/2006, 4:30pm - see bottom for details
Note 0: This page was written to document the procedure I use to build my web servers. If you notice any errors or have any suggestions for changes to this page I would like to hear them. You can email me at astuy@bio.fsu.edu.
Note 1: I use the terms "folder" and "directory". They mean the same thing. Also, terms placed in <>'s are usually variables, meaning don't type in the <>'s. The exception to this is the httpd.conf file.
Note 3: I'll be adding special notes for those rebuilding a current FreeBSD box. These notes will be in red. I should state that by rebuilding I mean using new or different hardware to create an updated version of an old server. Change the hostname on the old box or the new box during the build process. I change the hostname on the new box until I'm done, then change it to the true server name after I've tested it to make sure that everything is working. Then I rebuild the old box to be exactly the same as the new box and keep it in case the new one dies. This way I always have a backup mail server ready to go with the exact same versions of all software. The config files that contain the hostname are: /etc/rc.conf, /etc/hosts.allow, /usr/local/etc/apache/httpd.conf and /usr/local/www/data/phpmyadmin/config.inc.php. I register backup server names (www2.bio.fsu.edu) so that I can test the server while I'm rebuilding.
Install FreeBSD v6.1. I usually do an "Average user, binaries and docs only" install, no X Windows. If you haven't installed FreeBSD before, instructions are at http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/index.html. I usually just download the bootonly.iso, boot from that and install via the network interface.
Don't install ports when asked. I download the latest from the link on the FreeBSD website to make sure I get the latest version.
Add bash v3.x and no-login when asked if you want to install additional software (packages).
If you didn't include sources in your initial install, use sysinstall and choose Configure->Distributions->src to download sources for everything (ALL).
Recompile the kernel to get rid of all the stuff it contains that you don't need. This cuts my kernel size to less than half its previous size. Directions for recompiling the kernel are at http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-building.html and here's a link to my "KERNCONF" file. Note that yours will almost certainly be different. You'll definitely want to look at the CPU type and ethernet card; mine is set for Pentium >= II and Intel EtherExpress Pro. Other than that it's a standard PC with one floppy drive, hard drives on both channels and no CD. Note: if you remove the inet6 stuff from the kernel you'll want to comment out the "0 DaemonPortOptions=Name=Ipv6, Family=inet6, Modifiers=0" line in /etc/mail/sendmail.cf.
The basic procedure for building and installing a new kernel is:
- cd to /usr/src/sys/i386/conf
- cp GENERIC to <your host name in caps>
- edit <your host name in caps> to reflect your hardware
- cd to /usr/src and run "make buildkernel KERNCONF=<your host name in caps>"
- run "make installkernel KERNCONF=<your host name in caps>"
- reboot to use the new kernel (run "shutdown -r now")
- run "mv /boot/kernel.old /boot/kernel.ORIG" to back up your original kernel
Hint: install all applicable security patches from http://www.freebsd.org/security before compiling the kernel. That way any patches that require a kernel rebuild are completed in the above step.
Download the latest ports.tar.gz and install it by moving the file to /usr, gunzipping and untarring it.
Make a directory for installing stuff. I use /usr/install, thus "mkdir /usr/install".
Copy /etc/hosts.allow to /etc/hosts.allow.ORIG and edit /etc/hosts.allow to make it much more secure. I only allow ssh from select IPs and deny all else. So mine looks like:
# hosts.allow access control file for "tcp wrapped" applications.
# $FreeBSD: src/etc/hosts.allow,v 1.8.2.3 2000/07/20 15:17:44 ume Exp $
#
# NOTE: The hosts.deny file is deprecated.
# Place both 'allow' and 'deny' rules in the hosts.allow file.
# See hosts_options(5) for the format of this file.
# hosts_access(5) no longer fully applies.
# Allow anything from localhost
ALL : localhost 127.0.0.1 : allow
ALL : www.bio.fsu.edu 128.186.38.121 : allow
# Prevent those with no reverse DNS from connecting.
ALL : PARANOID : RFC931 20 : deny
# Prevent unregistered IPs from connecting.
#ALL : UNKNOWN : RFC931 20 : deny
# Allow ssh from select IPs
sshd : 128.186.23.34 : allow
# Deny all else
ALL : ALL : deny
(FreeBSD Server Rebuild?: just scp hosts.allow from the old box instead and change the local hostname if necessary.)
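Two things are easy to get wrong with a file like the one above: rules are evaluated top to bottom and the first match wins, and tcp wrappers only govern services that are linked against libwrap (FreeBSD's sshd is) or started from inetd, so the final "ALL : ALL : deny" does nothing for Apache, which still needs a firewall or the httpd.conf access controls covered later. The following script is an added example, not part of the page: a small first-match evaluator for hosts.allow rules, run against a constructed rule set modelled on the one above (example.org names and documentation addresses, not the page's). It handles ALL, exact host or address tokens, trailing-dot network prefixes and leading-dot domain suffixes; PARANOID, KNOWN, UNKNOWN, LOCAL, netmasks, netgroups and EXCEPT need DNS or more logic and never match here, so treat it as a way to check rule order, not as a replacement for tcpdmatch(8).

```shell
#!/bin/sh
# Added example: first-match evaluator for hosts.allow-style rules (simplified hosts_access(5)).

# Constructed sample rule set for the checks below; not the page's file.
SAMPLE_HOSTS_ALLOW='# constructed sample modelled on the page'"'"'s file
ALL : localhost 127.0.0.1 : allow
ALL : www.example.org 192.0.2.10 : allow
# Prevent those with no reverse DNS from connecting (needs DNS; never matches in this evaluator).
ALL : PARANOID : RFC931 20 : deny
# Allow ssh from one admin host and one office network (trailing dot = prefix match)
sshd : 198.51.100.7 203.0.113. : allow
# Deny all else
ALL : ALL : deny'

# hosts_access_check DAEMON CLIENT  (rules on stdin) -> prints "allow" or "deny"
# Like hosts_access(5): first matching rule decides; "deny" among the option
# fields denies, anything else allows; no match at all means allow.
hosts_access_check() {
  awk -v daemon="$1" -v client="$2" '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    # Does ITEM match the daemon/client LIST? Supports ALL, exact token,
    # "10.1.2." network prefix and ".example.org" domain suffix.
    function matches(list, item,    n, i, tok, t) {
      item = tolower(item)
      n = split(list, tok, /[ \t,]+/)
      for (i = 1; i <= n; i++) {
        t = tolower(tok[i])
        if (t == "") continue
        if (t == "all" || t == item) return 1
        if (substr(t, length(t)) == "." && substr(item, 1, length(t)) == t) return 1
        if (substr(t, 1, 1) == "." && length(item) > length(t) &&
            substr(item, length(item) - length(t) + 1) == t) return 1
      }
      return 0
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # comments and blank lines
    {
      n = split($0, f, ":")                    # daemon_list : client_list [: option ...]
      if (n < 2) next
      if (matches(trim(f[1]), daemon) && matches(trim(f[2]), client)) {
        verdict = "allow"
        for (i = 3; i <= n; i++) if (trim(f[i]) == "deny") verdict = "deny"
        exit                                   # first match wins; END still runs
      }
    }
    END { if (verdict == "") verdict = "allow"; print verdict }
  '
}

# Example run: ssh from the admin host is allowed, ftp from the office network is not.
printf '%s\n' "$SAMPLE_HOSTS_ALLOW" | hosts_access_check sshd 198.51.100.7     # allow
printf '%s\n' "$SAMPLE_HOSTS_ALLOW" | hosts_access_check ftpd 203.0.113.42     # deny
```

Feed it your real file with `hosts_access_check sshd <address> < /etc/hosts.allow` to confirm that the address you administer from is still allowed before you log out of the console session; locking yourself out of sshd is the usual failure mode of a deny-all rule.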
Copy /etc/hosts to /etc/hosts.ORIG and edit /etc/hosts. Change the "my.domain" in localhost.my.domain (2 places) to your domain name (ex. "localhost.bio.fsu.edu").
(FreeBSD Server Rebuild?: If I'm rebuilding a system this is where I copy over the user accounts and data. I usually just copy and paste the entries from both passwd and master.passwd to the same files on the new system using an ssh shell on a Windows box, vi, and copy and paste. Then run vipw, make a meaningless change and quit, which rebuilds the database.)
FreeBSD 6.1 does not come with perl. Cd to /usr/ports/lang/perl5.8 and install with a "make install".
Cd to /usr/ports/www/apache13-modssl and run "make install".
Cd to /usr/local/etc/apache. Inside this folder are the apache configuration files. The main one is httpd.conf.
If you had a previous version of httpd.conf you will want to enable any special options you had in the new httpd.conf. I usually run a diff between the new file and the old file to spot any differences.
Generating a self-signed certificate has gotten a little more complicated. First find sign.sh, which should be in the work section of the apache port. My exact path was: /usr/ports/www/apache13-modssl/work/mod_ssl-2.8.25-1.3.34/pkg.contrib/sign.sh. Copy sign.sh to /usr/local/sbin/sign.sh and chmod it to 700 with "chmod 700 /usr/local/sbin/sign.sh".
Cd to /usr/local/etc/apache and "mkdir certs". Cd to certs. Generate a certificate for your webserver by running the following commands. Probably best to copy and paste them into something like /usr/local/sbin/mkwebcerts, chmod that to 700 and then run it.
openssl genrsa -des3 -out webserver.key.encrypted 1024
openssl rsa -in webserver.key.encrypted -out webserver.key
openssl req -new -key webserver.key -out webserver.csr
openssl genrsa -des3 -out ca.key.encrypted 1024
openssl rsa -in ca.key.encrypted -out ca.key
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
/usr/local/sbin/sign.sh webserver.csr
When asked for Organization Name and Organizational Unit the second time, do NOT enter the same values as the first time. The second time the question pertains to the signing authority, which cannot be the same as the organization whose cert is being signed.
When asked for "Common Name" enter the FQDN you registered for your web server (ex. www.<your domain name>). For the other questions the common-sense answer is correct. When asked for a password or passphrase type in the same thing each time.
Move the resulting webserver.* files to /usr/local/etc/apache. Chown them to www:www and chmod them to 550.
(FreeBSD Server Rebuild?: just scp the .crt and .key files from your old machine to the new box. Though you may need to create certs for the temporary name you are using if doing a rebuild under another machine name.)
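The same private-CA-plus-server-certificate procedure, written as an added example rather than taken from the page or the mod_ssl port: it does the signing with "openssl x509 -req" in place of the port's sign.sh, adds a subjectAltName (which current browsers require; the Common Name alone no longer satisfies them), and finishes with a verification step so you can prove the chain is right before touching httpd.conf. The directory, the subject fields and the www.example.org hostname are constructed for the example; 2048-bit keys are my choice, as are the separate O/OU values for the CA, which is the point of the page's warning about the second set of questions.

```shell
#!/bin/sh
# Added example: private CA + CA-signed server certificate with plain openssl, then verification.
set -e

# make_web_certs DIR FQDN
# Leaves ca.key, ca.crt, webserver.key, webserver.csr and webserver.crt in DIR.
make_web_certs() {
  dir=$1; fqdn=$2
  mkdir -p "$dir"
  (
    umask 077            # private keys are created 0600; the page then chowns/chmods them for Apache
    cd "$dir"
    # 1. CA key and self-signed CA certificate, 10 years as on the page. Its O/OU deliberately
    #    differ from the server's: the signer cannot be the organisation being signed.
    openssl genrsa -out ca.key 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key ca.key -out ca.crt \
      -subj "/C=US/O=Example Private CA/OU=Certificate Signing/CN=Example Private CA"
    # 2. Server key and CSR; the CN is the FQDN registered for the web server.
    openssl genrsa -out webserver.key 2048 2>/dev/null
    openssl req -new -key webserver.key -out webserver.csr \
      -subj "/C=US/O=Example Org/OU=Web Server/CN=$fqdn"
    # 3. Sign the CSR with the CA, adding the subjectAltName browsers match against.
    printf 'subjectAltName=DNS:%s\n' "$fqdn" > webserver.ext
    openssl x509 -req -days 365 -in webserver.csr -CA ca.crt -CAkey ca.key \
      -CAcreateserial -extfile webserver.ext -out webserver.crt 2>/dev/null
  )
}

# verify_web_cert DIR FQDN -> 0 when webserver.crt chains to ca.crt and names FQDN, else 1
verify_web_cert() {
  dir=$1; fqdn=$2
  openssl verify -CAfile "$dir/ca.crt" "$dir/webserver.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/webserver.crt" -noout -text | grep -q "DNS:$fqdn" || return 1
}

# Usage on the server being built (paths assumed, matching the page's httpd.conf entries):
#   make_web_certs /usr/local/etc/apache/certs www.example.org
#   verify_web_cert /usr/local/etc/apache/certs www.example.org && echo chain ok
```

Import ca.crt into the browsers of the people who need to trust the site; the private ca.key should never leave the server and, as the page says, should not be readable by the www user.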
Edit httpd.conf and change:
ServerName <your host name>
ServerAdmin <your email address>
SSLCertificateFile /usr/local/etc/apache/certs/webserver.crt
SSLCertificateKeyFile /usr/local/etc/apache/certs/webserver.key
Edit /etc/rc.conf and add:
apache_enable="YES"
Here are a couple of hints for those of you new to apache.
The default install of apache does not have cgi scripts enabled. To enable cgi scripts, change the "None" in Options to "ExecCGI" in the cgi-bin entry as follows:
<Directory "/usr/local/www/cgi-bin">
    AllowOverride None
    Options ExecCGI
    Order allow,deny
    Allow from all
</Directory>
and uncomment
AddHandler cgi-script .cgi
(FreeBSD Server Rebuild?: don't just copy over the httpd.conf file from your old box. Copy it over with a different name, then run diff between your old one and your new one and add in the things needed from the old one to the new one. Ignore the php stuff for now.)
Cd to /usr/ports/databases/mysql41-server and run "make install". This will install both server and client.
Cd to /usr/ports/lang/php4 and run "make install". On the options screen enable "build apache module" and, if you compiled your kernel without IPv6 support, remove it here as well; also enable debug.
Cd to /usr/ports/lang/php4-extensions and run "make install". On the options screen, leave the defaults already checked and add: DOMXML, FTP, GD, GETTEXT, ICONV, IMAP, LDAP, MCAL, MBSTRING, MCRYPT, OpenSSL, PDF, PSPELL and XML (may be selected already). Use the default options on any dependencies.
After install, cd to /usr/local/etc and copy php.ini-recommended to php.ini and php.ini.ORIG.
Cd to /usr/ports/graphics/GraphicsMagick and run "make install".
Cd to /usr/ports/sysutils/pear-DB and run "make install".
Cd to /usr/ports/sysutils/pear-Log and run "make install". Enable pear-DB support.
Check to make sure that the php install added the php application code to your /usr/local/etc/apache/httpd.conf file. The chunk of code it was supposed to add is:
<IfModule mod_php3.c>
    AddType application/x-httpd-php3 .php3
    AddType application/x-httpd-php3-source .php3s
</IfModule>
<IfModule mod_php4.c>
    AddType application/x-httpd-php .php
    AddType application/x-httpd-php-source .phps
</IfModule>
and it goes right under the
<IfModule mod_negotiation.c>
    LanguagePriority en da nl et fr de el it ja kr no pl pt pt-br ru ltz ca es sv tw
</IfModule>
block of code. If it didn't put it in (and it usually doesn't) go ahead and paste it in.
Also you'll want to add index.php to the list of index pages under the DirectoryIndex section if it didn't get added. I use both php and shtml so mine looks like:
<IfModule mod_dir.c>
    <IfModule mod_php3.c>
        <IfModule mod_php4.c>
            DirectoryIndex index.php index.php3 index.shtml index.html index.htm
        </IfModule>
        <IfModule !mod_php4.c>
            DirectoryIndex index.php3 index.shtml index.html index.htm
        </IfModule>
    </IfModule>
    <IfModule !mod_php3.c>
        <IfModule mod_php4.c>
            DirectoryIndex index.php index.shtml index.html index.htm
        </IfModule>
        <IfModule !mod_php4.c>
            DirectoryIndex index.shtml index.html index.htm
        </IfModule>
    </IfModule>
</IfModule>
Download the latest version from http://www.phpmyadmin.net. There is no install as such for this, just unzip and untar the contents to /usr/local/www/data/<folder name>. Most people use phpMyAdmin as the folder name, so I used something else. Chown the folder to www:www with "chown -R www:www <folder name>". Go into this folder and copy ./libraries/config.default.php to ./config.inc.php.
OK, reboot with "shutdown -r now" and when it comes back up launch a browser on a computer somewhere and go to http://<your host name>/<phpMyAdmin folder>. The phpMyAdmin page should load. Click on Privileges and delete all the users except root on localhost (2 "Any" users and a root at the machine name). Edit the root at localhost user and set a password. Reload the mysql server. At this point it should kick you out. Edit config.inc.php and put in your new password:
$cfg['Servers'][$i]['password'] = '<your password>'; // MySQL password
You should now be able to reload the phpMyAdmin page. Chown config.inc.php to www:www and chmod it to 550.
Now we must protect the phpMyAdmin folder. I did this by editing /usr/local/etc/apache/httpd.conf and adding an entry for the directory that reads (for example purposes I'm using phpMyAdmin as the folder name and replaced the IPs with X's and Y's):
<Directory /usr/local/www/data/phpMyAdmin>
    Order Deny,Allow
    Deny from all
    Allow from XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY
</Directory>
Check your config file with "apachectl configtest" and if OK restart apache with "apachectl restart". You should now be able to load the phpMyAdmin page from only the IPs you entered. Any other IP should return "Forbidden . . .".
At this point I add a .htaccess userid and password to this folder as well. See the apache documentation for how to do this, http://httpd.apache.org/docs/howto/auth.html#basicworks.
(FreeBSD Server Rebuild?: Unless you have the latest version of phpmyadmin on your old box (unlikely), move your phpMyAdmin folder to somewhere safe and install the latest version.)
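The password layer on the phpMyAdmin folder, as an added example (not the page's or Apache's own code). Three details matter for it to actually protect anything: the user file must live outside the document root so Apache cannot serve it, the directives only take effect if the enclosing <Directory> allows them (Apache 1.3's stock httpd.conf sets AllowOverride None for the document root, so add "AllowOverride AuthConfig" to the phpMyAdmin <Directory> block above or put the Auth directives straight into that block instead of a .htaccess), and Basic auth only base64-encodes the password, so SSLRequireSSL keeps it off plain http. The hash is produced with openssl rather than Apache's htpasswd tool, in the $apr1$ MD5 format mod_auth accepts, which unlike the classic crypt() format does not silently truncate the password to 8 characters. Paths, realm and user names are constructed for the example.

```shell
#!/bin/sh
# Added example: HTTP Basic auth for the phpMyAdmin folder, on top of the IP allow list.

# htpasswd_entry USER PASSWORD [SALT] -> "user:$apr1$salt$hash" (Apache MD5 format)
# A random 8-character salt is drawn when none is given; a fixed SALT makes output reproducible.
htpasswd_entry() {
  user=$1; pass=$2
  salt=${3:-$(openssl rand -hex 4)}
  printf '%s:%s\n' "$user" "$(printf '%s\n' "$pass" | openssl passwd -apr1 -salt "$salt" -stdin)"
}

# write_htaccess DOCDIR USERFILE REALM -> writes DOCDIR/.htaccess
write_htaccess() {
  dir=$1; userfile=$2; realm=$3
  cat > "$dir/.htaccess" <<EOF
AuthType Basic
AuthName "$realm"
AuthUserFile $userfile
Require valid-user
# Basic auth sends the password base64-encoded, not encrypted: only accept it over https.
SSLRequireSSL
# Satisfy All (the Apache default) means the IP allow list in httpd.conf AND the password are both required.
Satisfy All
EOF
}

# check_htaccess_auth DOCDIR -> 0 when the essential directives are present and the
# user file is not inside DOCDIR (where a misconfiguration could let Apache serve it)
check_htaccess_auth() {
  f=$1/.htaccess
  for directive in '^AuthType Basic' '^AuthUserFile ' '^Require valid-user' '^SSLRequireSSL'; do
    grep -q "$directive" "$f" || return 1
  done
  userfile=$(awk '/^AuthUserFile/ { print $2 }' "$f")
  case "$userfile" in "$1"/*) return 1 ;; esac
  return 0
}

# Usage on the server (constructed paths):
#   htpasswd_entry dbadmin 'long passphrase here' >> /usr/local/etc/apache/phpmyadmin.htpasswd
#   chown www:www /usr/local/etc/apache/phpmyadmin.htpasswd; chmod 440 /usr/local/etc/apache/phpmyadmin.htpasswd
#   write_htaccess /usr/local/www/data/phpMyAdmin /usr/local/etc/apache/phpmyadmin.htpasswd "phpMyAdmin"
#   check_htaccess_auth /usr/local/www/data/phpMyAdmin && apachectl configtest
```

After "apachectl restart", a request from an allowed IP should get a 401 challenge over https and a 403 over plain http; anything not on the allow list still gets the 403 from the <Directory> block regardless of credentials.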
Copy over users and data from previous system (if applicable)
Make sure you've copied over your users (password files /etc/passwd and /etc/master.passwd) and rebuilt the user database (vipw). Then tar up any data (/usr/local/www, /home, etc.) on the old box, move it to the new box and untar. The root www directory on the box we are building will be /usr/local/www/.
Add
kern_securelevel_enable="YES"
kern_securelevel="3"
syslogd_flags="-ss"
to /etc/rc.conf. You'll need to reboot for this to take effect.
To enforce minimum password requirements add
:minpasswordlen=8:\
:mixpasswordcase:\
to /etc/login.conf under the "default" section and rebuild the database with "cap_mkdb /etc/login.conf".
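These last two steps are the ones most often lost when a box is rebuilt from an old rc.conf, so here is an added example (not from the page) that audits both files for exactly the settings above: securelevel enabled and at 3, syslogd started with -ss (a single -s only refuses remote messages; -ss opens no network socket at all), and a "default" login class carrying minpasswordlen of at least 8 plus mixpasswordcase. The sample rc.conf and login.conf excerpts are constructed; run the functions against the real files with "audit_rc_conf < /etc/rc.conf" and "audit_login_conf < /etc/login.conf".

```shell
#!/bin/sh
# Added example: audit /etc/rc.conf and /etc/login.conf for the hardening settings on the page.

# Constructed excerpts used by the checks below (not the real files).
SAMPLE_RC_CONF='hostname="www2.example.org"
apache_enable="YES"
kern_securelevel_enable="YES"
kern_securelevel="3"
syslogd_flags="-ss"'

SAMPLE_LOGIN_CONF='# constructed excerpt of /etc/login.conf
default:\
        :passwd_format=md5:\
        :copyright=/etc/COPYRIGHT:\
        :minpasswordlen=8:\
        :mixpasswordcase:\
        :umask=022:
standard:\
        :tc=default:'

# audit_rc_conf (rc.conf on stdin): prints one line per weak/missing setting, exit 1 if any
audit_rc_conf() {
  awk -F= '
    BEGIN { bad = 0 }
    /^[ \t]*#/ || !/=/ { next }
    {
      key = $1; val = $2
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t"]+|[ \t"]+$/, "", val)   # strip spaces and quotes
      v[key] = val
    }
    END {
      if (toupper(v["kern_securelevel_enable"]) != "YES") { print "kern_securelevel_enable is not YES"; bad = 1 }
      lvl = ("kern_securelevel" in v) ? v["kern_securelevel"] : "unset"
      if (lvl + 0 < 3) { print "kern_securelevel is " lvl ", want 3"; bad = 1 }
      if (v["syslogd_flags"] !~ /(^|[ \t])-ss([ \t]|$)/) { print "syslogd_flags lacks -ss (syslogd would still open a network socket)"; bad = 1 }
      exit bad
    }'
}

# audit_login_conf (login.conf on stdin): checks the "default" class, same output convention
audit_login_conf() {
  awk '
    BEGIN { bad = 0; seen = 0 }
    # login.conf records continue across lines ending in a backslash; join them first
    /\\$/ { sub(/\\$/, ""); rec = rec $0; next }
    { rec = rec $0; process(rec); rec = "" }
    function process(r,    n, f, i, minlen, mixed) {
      if (r ~ /^[ \t]*#/ || r ~ /^[ \t]*$/) return
      n = split(r, f, ":")
      if (f[1] !~ /^default(\|.*)?$/) return          # only the default class is audited
      seen = 1; minlen = 0; mixed = 0
      for (i = 2; i <= n; i++) {
        gsub(/^[ \t]+|[ \t]+$/, "", f[i])
        if (f[i] ~ /^minpasswordlen=/) { sub(/^minpasswordlen=/, "", f[i]); minlen = f[i] + 0 }
        if (f[i] == "mixpasswordcase") mixed = 1
      }
      if (minlen < 8) { print "default class: minpasswordlen is " minlen ", want >= 8"; bad = 1 }
      if (!mixed) { print "default class: mixpasswordcase not set"; bad = 1 }
    }
    END {
      if (rec != "") process(rec)
      if (!seen) { print "no default class found"; bad = 1 }
      exit bad
    }'
}

# Example run against the constructed excerpts; both should be silent and succeed.
printf '%s\n' "$SAMPLE_RC_CONF" | audit_rc_conf && echo "rc.conf ok"
printf '%s\n' "$SAMPLE_LOGIN_CONF" | audit_login_conf && echo "login.conf ok"
```

Remember that login.conf changes need "cap_mkdb /etc/login.conf" as the page says, and that at securelevel 3 you can no longer change firewall rules or clear immutable flags without a reboot, which is the protection but also the thing to plan around before you turn it on.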
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Change log