Document last modified 3/8/2012, 4pm – see bottom for details.

 

This is the latest version (v5) of the freebsd-web-server pages.

 

Installing a FreeBSD 8 or 9 web server with Apache, PHP and MySQL.

 

Note 0: This page was written to document the procedure I use to build my web servers. If you notice any errors or have any suggestions for changes to this page I would like to hear them. You can email me at astuy@bio.fsu.edu.

 

Note 1: Terms placed in <>’s are usually variables, meaning don’t type in the <>’s.  Examples:

<your_userid> is the username you su to root from   (ex: sysbrian)

<server_fqdn> is the fully qualified domain name of the web server you are building   (ex: www.mydomainname.com)

<server_name> is the name of the server you are building   (ex: www)

<server_name_in_caps> is the name of the server you are building in capital letters   (ex: WWW)

<server_ip> is the IP address of the web server you are building    (ex: 145.23.128.7)

The exception is the httpd.conf file, where the <>’s are part of the Apache syntax (e.g. <Directory>) and are typed as shown.

 

Note 2 (Important): When installing ports these instructions may list options to add on the port’s configuration page.  In all cases leave any default checked options checked and only add the options indicated.  If instructions don’t say to change options accept the defaults.

 

Install FreeBSD 8 or 9.  Do an “Average user, binaries and docs only” install, no X Windows. If you haven’t installed FreeBSD before, instructions are at:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/index.html.

 

  

Download the bootonly.iso, burn it to CD, boot from the CD, and from there install via the network interface.

 

For version 9.0 on intel/amd 64 bit architecture get:

   ftp://ftp.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/9.0/FreeBSD-9.0-RELEASE-amd64-bootonly.iso

For version 9.0 on intel/amd 32 bit architecture get:

   ftp://ftp.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/9.0/FreeBSD-9.0-RELEASE-i386-bootonly.iso

For version 8.2 on intel/amd 64 bit architecture get:

   ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/ISO-IMAGES/8.2/FreeBSD-8.2-RELEASE-amd64-bootonly.iso

For version 8.2 on intel/amd 32 bit architecture get:

   ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/ISO-IMAGES/8.2/FreeBSD-8.2-RELEASE-i386-bootonly.iso

 

 

Get the latest release of the version you want, either 8 or 9; either should work fine.  If your Intel/AMD hardware supports 64 bit, use the amd64 architecture release.  Boot from the CD, partition your hard drive, configure your network card, choose the “network install through firewall” option, then choose the “Average user, binaries and docs only” option.

 

Don’t install ports when asked.   We’ll be fetching the ports tree shortly (see “Install ports tree” below).

 

Don’t install the FreeBSD documentation package.  You can install it later if you like.

 

 

Install src and security patches.

 

There are two methods for installing src and security patches; choose one.  I usually use Method 2.  If you later have a running box that just needs an additional patch that doesn’t involve a buildworld, Method 1 might be a good choice; at that point, assuming you’ve already downloaded src, you wouldn’t redownload it, just install the patch.  If it’s early in the history of a release and there aren’t many security patches, Method 1 is usually faster, though in the case of 8.3 and 9.0 the first patch released required a buildworld, which means you might as well go with Method 2.

 

Method 1:

 

If you didn’t include sources in your initial install, type “sysinstall” and choose Configure->Distributions->src to download sources for everything (ALL).  This will download the exact src tree for the release version installed, no patches, you will need to install them yourself.

 

Install all applicable security patches from http://www.freebsd.org/security/advisories.html .

 

If required by any of the security patches, recompile the kernel; see the “Compile custom kernel” step below.  Note: very rarely a security patch requires a full buildworld.  In that case you could abandon Method 1 and use Method 2.  It’s OK if you have already installed some patches.

 

  

Method 2:

 

Create a sup file that tracks the security branch of your release, then download the patched src for that branch and compile and install it.

 

- “vi <sup_file_name>”   (ex “vi cvsup_8_3”), and insert the supfile info; an example supfile for the 8.3 security branch is below.
- “csup -g -L 2 <sup_file_name>”
- “cd /usr/src”
- “make clean”
- “make buildworld”
- “make buildkernel KERNCONF=GENERIC”   (you can also go ahead and follow the instructions below for compiling a custom kernel here)
- “make installkernel KERNCONF=GENERIC”  (you can also go ahead and follow the instructions below for compiling a custom kernel here)
- “shutdown -r now”
- Go into single user mode (press the 4 key at the boot menu)
- “adjkerntz -i”
- “mount -a -t ufs”
- “cd /usr/src”
- “make installworld”
- “shutdown -r now”

 

 

Example supfile for the 8.3 security branch  (insert similar contents into <sup_file_name>; change the tag to match your release)

*default host=cvsup.freebsd.org
*default base=/var/db
*default prefix=/usr
*default release=cvs tag=RELENG_8_3
*default delete use-rel-suffix
*default compress
src-all

 

 

Note: You can also use Method 2 to upgrade versions of FreeBSD, but don’t try to jump major versions (i.e. 8.2 -> 9.0); doing that requires using mergemaster, and personally I’d just reinstall FreeBSD from scratch.  Stay within the major version (i.e. 8.1 -> 8.3) and it should work fine.

 

 

Compile custom kernel

 

Recompile the kernel to add the Apache accept filters and change the “ident” line.  Also (optionally) comment out the hardware that your system does not have; this can cut the kernel to less than half its previous size.

 

At the very least add

options         ACCEPT_FILTER_HTTP      # Apache accept enable
options         ACCEPT_FILTER_DATA      # Apache accept enable

to the options section, and change the ident line to

ident           <server_name_in_caps>

 

Basic procedure for compiling and installing a custom kernel is:

- cd to /usr/src/sys/i386/conf or /usr/src/sys/amd64/conf depending on whether you installed the i386 or amd64 release.
- cp GENERIC <server_name_in_caps>
- edit <server_name_in_caps> and change ident, add the Apache options, and comment out non-present hardware
- cd to /usr/src and run “make buildkernel KERNCONF=<server_name_in_caps>”
- run “make installkernel KERNCONF=<server_name_in_caps>”
- reboot to use the new kernel (run “shutdown -r now”)
- mv /boot/kernel.old /boot/kernel.ORIG  # ORIG assumes this is your first kernel recompile.  Else change ORIG to something appropriate.

 

 

Here’s a link to my “KERNCONF” file. Note that yours will almost certainly be different. You’ll definitely want to look at the Ethernet card, SCSI and RAID controllers (if applicable). Mine is set for an Intel GB Ethernet card (em); other than that it’s standard Core 2 Quad Asus motherboard hardware using SATA hard drives.  All non-present hardware is commented out.   It’s an edited version of GENERIC from the 8.3 release and can be used to compile a kernel for 8.3; don’t use it for any other release.  When changing releases always start with GENERIC from the new release.

 

Additional instructions for recompiling the kernel are at

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-building.html

 

 

Install ports tree

 

Check to make sure the FreeBSD documentation package didn’t get installed.  To check, type “pkg_info”.  If it returns something like “en-freebsd-doc-20110110 Documentation from the FreeBSD Documentation Project”, delete the package with “pkg_delete en-freebsd-doc-20110110”.

 

Download and install ports tree with "portsnap fetch extract".

 

Install Berkeley Database Version 4.2 with “cd /usr/ports/databases/db42” and “make install”.

 

Install portupgrade with “cd /usr/ports/ports-mgmt/portupgrade” and “make install”.

 

When the perl options come up leave default options checked and add “THREADS”.

 

Upgrading ports.  If your box is not a new install you can upgrade the installed ports.  Please note I only recommend the following on a new or very recent box; updating ports on an old box can result in broken ports.  On a recent box it works pretty well, though sometimes some tweaking is required.   This document describes a new, clean install; the instructions below set the system up for future port upgrades.

 

Backup your current ports db with “cd /var/db” and “tar cvfz var.db.pkg.<todays_date>.tgz pkg”.

 

Find and fix stale dependencies

 

“/usr/local/sbin/pkgdb -F”  # Answer "YES" to fix questions, there should not be any.

 

Recompile/upgrade ports; this should drop right through:

“/usr/local/sbin/portupgrade -ra”

 

 

 

Edit hosts.allow, hosts, rc.conf

 

 

Copy /etc/hosts.allow to /etc/hosts.allow.ORIG and edit /etc/hosts.allow to make it more secure. Only allow ssh from workstations you control. Allow anything from localhost. Deny all else.

 

# hosts.allow access control file for "tcp wrapped" applications.

# $FreeBSD: src/etc/hosts.allow,v 1.0.7 2005/12/07 15:17:44 sysalex Exp $

#

 

# Allow anything from localhost. Note that an IP address (not a host

# name) *MUST* be specified for portmap(8).

# This also allows imapd from localhost for IMP

ALL : localhost 127.0.0.1 : allow

ALL : <server_fqdn> <server_ip> : allow

 

# Prevent those with no reverse DNS from connecting.

ALL : PARANOID : RFC931 20 : deny

# Prevent unregistered IP’s from connecting.

ALL : UNKNOWN : RFC931 20 : deny

 

# Allow ssh from IP’s from which you will be sshing to this server

sshd : XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY : allow

sshd : ALL : deny

 

# Deny all else

ALL : ALL : deny

 

Replace XXX’s and YYY’s with actual IP addresses.
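As an added example (not part of the original page), a small sh/awk checker for the first-match ordering the file above relies on: tcp_wrappers uses the first rule whose daemon and client patterns both match, so the sshd allow line must come before “sshd : ALL : deny”, nothing may follow “ALL : ALL : deny”, and the XXX/YYY placeholders must be gone. The sample files it builds are constructed, and the 192.0.2.x addresses are documentation addresses, not real hosts.

```sh
#!/bin/sh
# Added example (not from the page): check_hosts_allow FILE
# tcp_wrappers takes the FIRST rule whose daemon and client patterns both
# match, so the order of the lines above is what keeps you from locking
# yourself out.  Exit 0 = ok, 1 = problems (each one is printed).
check_hosts_allow() {
    awk '
    {
        sub(/#.*/, "")                          # drop comments
        gsub(/[ \t]+/, " "); gsub(/ ?: ?/, ":") # "daemon:client[:opts]:action"
        sub(/^ /, ""); sub(/ $/, "")
        if ($0 == "") next
        n = split($0, f, ":")
        daemon = f[1]; client = f[2]; action = f[n]
        if (catchall) {
            print FILENAME ":" NR ": rule after \"ALL : ALL : deny\" is unreachable"; bad = 1
        }
        if (daemon == "sshd" && action == "allow") {
            sshd_allow = NR
            if (client ~ /XXX|YYY/) {
                print FILENAME ":" NR ": sshd allow rule still has a placeholder address"; bad = 1
            }
        }
        if (daemon == "sshd" && client == "ALL" && action == "deny") {
            sshd_deny = NR
            if (!sshd_allow) {
                print FILENAME ":" NR ": \"sshd : ALL : deny\" comes before any sshd allow rule"; bad = 1
            }
        }
        if (daemon == "ALL" && client == "ALL" && action == "deny") catchall = NR
    }
    END {
        if (!catchall)  { print FILENAME ": missing final \"ALL : ALL : deny\""; bad = 1 }
        if (!sshd_deny) { print FILENAME ": missing \"sshd : ALL : deny\""; bad = 1 }
        exit bad ? 1 : 0
    }' "$1"
}

# Constructed samples (not from the page; 192.0.2.x are documentation
# addresses): one laid out like the file above, one with the sshd rules
# reversed, a placeholder left in, and a rule after the catch-all deny.
write_samples() {
    printf '%s\n' '# constructed sample' 'ALL : localhost 127.0.0.1 : allow' \
        'ALL : PARANOID : RFC931 20 : deny' 'sshd : 192.0.2.10 192.0.2.11 : allow' \
        'sshd : ALL : deny' 'ALL : ALL : deny' > "$1/hosts.allow.good"
    printf '%s\n' 'ALL : localhost 127.0.0.1 : allow' 'sshd : ALL : deny' \
        'sshd : XXX.XXX.XXX.XXX : allow' 'ALL : ALL : deny' \
        'ALL : 192.0.2.0/255.255.255.0 : allow' > "$1/hosts.allow.bad"
}

# Returns 0 only if the good sample passes and the bad one is rejected.
demo() {
    dir=$(mktemp -d) || return 1
    write_samples "$dir"
    rc=0
    check_hosts_allow "$dir/hosts.allow.good" || rc=1
    check_hosts_allow "$dir/hosts.allow.bad" > /dev/null && rc=1
    rm -rf "$dir"
    return $rc
}

if [ $# -ge 1 ]; then check_hosts_allow "$1"; else demo; fi
```

Run it as “sh check_hosts_allow.sh /etc/hosts.allow” after editing; with no argument it checks the two built-in samples.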

 

Copy /etc/hosts to /etc/hosts.ORIG and edit /etc/hosts. Change the “my.domain” in localhost.my.domain (2 places) to your domain name (ex “localhost.mydomainname.com”).

 

Backup /etc/rc.conf with “cp /etc/rc.conf /etc/rc.conf.ORIG” or something similar.  Edit /etc/rc.conf and add

 

apache22_enable="YES"

apache22_ssl_enable="YES"

apache22_http_accept_enable="YES"

mysql_enable="YES"

sendmail_enable="NO"

sendmail_submit_enable="YES"

sshd_enable="YES"

 

The sendmail entries assume this server is not going to be a mail server and set it to only allow outgoing mail.

 

 

Install bash and make your default shell bash (optional)

 

 

Install bash.  Cd to /usr/ports/shells/bash and “make install”.  Change your shell to “/usr/local/bin/bash” with vipw.  Run “adduser -C” and set the default shell to bash.  Type “rehash;bash” to change to the bash shell, or log out and log back in.

 

Install newer Perl

 

If you installed portupgrade, perl5.12 was probably installed as a dependency.  Check with “pkg_info | grep perl”.    If not, install it with “cd /usr/ports/lang/perl5.12” and “make install”.  When the perl options come up leave the default options checked and add “THREADS”.

 

Check results with “perl -v”.  You may have to do a “rehash” first, depending on your shell.

  

Install cclient

 

Cd to /usr/ports/mail/cclient and install with “make install”.  On its config page add the “SSL_AND_PLAINTEXT” option.

 

 

Install apache-modssl

 

Cd to /usr/ports/www/apache22 and run “make install”.

 

Make or buy an SSL cert for your server.  If you choose to make a self-signed cert, follow the next set of instructions.  If this is a production server, strongly consider buying a cert.

 

Self Signed Certs

 

Cd to /usr/local/etc/apache22 and “mkdir certs”. Cd to certs.  Generate a certificate for your web server by running the following commands.  You can copy and paste them into something like /usr/local/sbin/mkwebcerts, replacing <server_fqdn> with your FQDN, chmod /usr/local/sbin/mkwebcerts to 700 and then run it.

 

openssl genrsa -des3 -out <server_fqdn>.key 1024                      # passphrase-protected private key
openssl rsa -noout -text -in <server_fqdn>.key                        # prints the key for inspection
openssl rsa -in <server_fqdn>.key -out <server_fqdn>.key.unsecure     # unencrypted copy, so Apache can start without the passphrase
openssl req -new -x509 -nodes -sha1 -days 365 -key <server_fqdn>.key -out <server_fqdn>.crt   # self-signed cert, valid one year
openssl x509 -noout -text -in <server_fqdn>.crt                       # prints the cert for inspection

 

When asked for “Common Name” enter <server_fqdn>. For the other questions the common-sense answer is correct. When asked for a password or passphrase type in the same thing each time.

 

Chown the cert files to www:www and chmod them to 440.
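As an added example, not from the page: a version of the mkwebcerts script suggested above that takes <server_fqdn> as an argument, follows the same sequence (passphrase-protected key, unencrypted copy for Apache, self-signed cert, www:www and mode 440), answers the “Common Name” prompt from the argument, and checks that the cert and key actually belong together before locking the files down. It departs from the commands above in using a 2048-bit key, SHA-256 and a subjectAltName, since current browsers reject 1024-bit RSA, SHA-1 and CN-only certificates; the MKWEBCERTS_PASS variable is an assumed convenience for unattended runs, and the cert directory defaults to the page's /usr/local/etc/apache22/certs.

```sh
#!/bin/sh
# Added example (not the page's own script).  Usage:
#   mkwebcerts <server_fqdn> [certdir]
# certdir defaults to /usr/local/etc/apache22/certs as in the text.
# If MKWEBCERTS_PASS is set (an assumed convention) it is used as the key
# passphrase instead of prompting, which is what lets the test run unattended.
mkwebcerts() {
    fqdn=$1
    dir=${2:-/usr/local/etc/apache22/certs}
    [ -n "$fqdn" ] || { echo "usage: mkwebcerts <server_fqdn> [certdir]" >&2; return 2; }
    mkdir -p "$dir" || return 1
    key=$dir/$fqdn.key; unsec=$dir/$fqdn.key.unsecure; crt=$dir/$fqdn.crt
    # Passphrase options are only passed when the variable is set, so an
    # interactive run still prompts exactly as the page's commands do.
    pout=${MKWEBCERTS_PASS:+-passout env:MKWEBCERTS_PASS}
    pin=${MKWEBCERTS_PASS:+-passin env:MKWEBCERTS_PASS}
    umask 077                                   # nothing world-readable, even briefly

    # 1. passphrase-protected private key (2048 bits rather than the page's 1024)
    openssl genrsa -des3 $pout -out "$key" 2048 || return 1
    # 2. unencrypted copy: this is the file httpd-ssl.conf points at, so Apache
    #    can start at boot without anyone typing the passphrase
    openssl rsa -in "$key" $pin -out "$unsec" || return 1
    # 3. self-signed cert: CN and SAN both set to the FQDN, SHA-256, one year
    openssl req -new -x509 -nodes -sha256 -days 365 -key "$key" $pin \
        -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn" -out "$crt" || return 1

    # 4. refuse to install a cert/key pair that does not belong together
    cmod=$(openssl x509 -noout -modulus -in "$crt")
    kmod=$(openssl rsa -noout -modulus -in "$unsec")
    [ -n "$cmod" ] && [ "$cmod" = "$kmod" ] || { echo "cert/key mismatch" >&2; return 1; }

    # 5. permissions as in the text: mode 440, owned by www:www (www is a base
    #    system user on FreeBSD; skipped when not root or when it is absent)
    chmod 440 "$key" "$unsec" "$crt" || return 1
    if [ "$(id -u)" -eq 0 ] && id www >/dev/null 2>&1; then
        chown www:www "$key" "$unsec" "$crt" || return 1
    else
        echo "note: not root or no www user; chown www:www the files by hand" >&2
    fi
    return 0
}

# Returns 0 if the generated cert really carries the requested FQDN as CN.
cert_has_fqdn() {
    openssl x509 -noout -subject -in "$1" | grep -q "CN *= *$2"
}

if [ $# -ge 1 ]; then mkwebcerts "$@"; else echo "usage: mkwebcerts <server_fqdn> [certdir]" >&2; fi
```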

 

 

Purchased Certs

 

Cd to /usr/local/etc/apache22 and “mkdir certs”. Cd to certs and copy your certs into the directory.  Chown the cert files to www:www and chmod them to 440.

 

 

Configure Apache

 

(FreeBSD server rebuild? Don’t just copy over the httpd.conf file from your old box. Copy it over with a different name, then run diff between your old one and your new one and add the things needed from the old one to the new one. Ignore the php stuff for now.  If you are upgrading from apache 1.3.x, be aware that the old httpd.conf file has been split up between /usr/local/etc/apache22/httpd.conf and /usr/local/etc/apache22/extra/*.conf.)

 

 

Cd to /usr/local/etc/apache22 

 

Edit httpd.conf and change

ServerName <server_fqdn>:80

ServerAdmin <your_email_address>

Include etc/apache22/extra/httpd-userdir.conf     # Remove leading ‘#’

Include etc/apache22/extra/httpd-default.conf     # Remove leading ‘#’

Include etc/apache22/extra/httpd-ssl.conf           # Remove leading ‘#’

 

 

Optional: Enable cgi scripts:

 

Change the “None” in Options to “ExecCGI” in the cgi-bin entry as follows.

<Directory "/usr/local/www/cgi-bin">

AllowOverride None

Options ExecCGI

Order allow,deny

Allow from all

</Directory>

 

and uncomment

AddHandler cgi-script .cgi

 

 

 

Cd to /usr/local/etc/apache22/extra

 

Edit httpd-ssl.conf and change

ServerName <server_fqdn>:443
ServerAdmin <your_email_address>
SSLCertificateFile /usr/local/etc/apache22/certs/<server_fqdn>.crt
SSLCertificateKeyFile /usr/local/etc/apache22/certs/<server_fqdn>.key.unsecure

 

Note: if you purchased certs the last two lines above should use your purchased cert names instead of <server_fqdn>.crt and <server_fqdn>.key.unsecure which are from the self signed cert section.

 

Change the allowed CipherSuites by commenting out the old entry and adding two new lines

#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5

SSLProtocol -All +SSLv3 +TLSv1

SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:!LOW:+HIGH:+MEDIUM:!SSLv2:!EXP

 

Edit httpd-default.conf and change

HostnameLookups On

 

 


 

 

Install MySQL (server and client)

 

Cd to /usr/ports/databases/mysql55-server and run “make install”. This will install both server and client.

 

Make sure that /etc/rc.conf has an entry for:

 

mysql_enable="YES"

 

Start mysql with “/usr/local/etc/rc.d/mysql-server start”.

 

Set the MySQL root password with “mysqladmin -u root password <mysql_root_password>”

 

 

Install php5

 

Cd to /usr/ports/lang/php5 and run “make install”.   On the options page add APACHE, DEBUG, MULTIBYTE to the list of options. 

 

Cd to /usr/ports/lang/php5-extensions and run “make install”. On the options page add CALENDAR, CURL, FILEINFO, FTP, GD, GETTEXT, ICONV, IMAP, LDAP, MBSTRING, MCRYPT, MYSQL, OPENSSL, PDF, PSPELL to the list of options.

 

After install cd to /usr/local/etc and copy php.ini-recommended to php.ini and php.ini.ORIG. Edit php.ini and change

 

upload_max_filesize = 32M  

post_max_size = 32M  

memory_limit = 256M ; Maximum amount of memory a script may consume

 

Cd to /usr/ports/databases/pear-DB and run “make install”.

 

Cd to /usr/ports/sysutils/pear-Log and run “make install”.  On its config page enable PEAR_DB and PEAR_Mail support.

 

Cd to /usr/ports/graphics/GraphicsMagick and install with "make install".

 

Cd to /usr/ports/www/php5-session and install with "make install".

 

Cd to /usr/ports/databases/php5-mysqli and install with “make install”.

 

Check to make sure that the php install added the php application code to your /usr/local/etc/apache22/httpd.conf file. The chunk of code it was supposed to add is:

 

AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps

 

and it goes right under the

 

#AddType application/x-gzip .tgz

 

block of code. If it didn’t put it in (and it usually doesn’t) go ahead and paste it in.

 

Add index.php and index.htm to the list of index pages in the DirectoryIndex section.

 

<IfModule dir_module>
    DirectoryIndex index.php index.html index.htm
</IfModule>

 

  

Install phpMyAdmin

 

 

Create a password-protected phpMyAdmin directory. Edit /usr/local/etc/apache22/httpd.conf and add an entry for the phpMyAdmin directory (this example uses phpmyadmin as the directory name and has replaced the IPs with X’s and Y’s):

 

<Directory /usr/local/www/apache22/data/phpmyadmin>

    AllowOverride AuthConfig

    Order deny,allow

    Deny from all

    Allow from XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY

    AuthName "Any blurb you want, gets displayed in login dialog box"

    AuthType Basic

    AuthUserFile /usr/local/etc/apache22/http_pws/phpMyAdmin.dat

    Require valid-user

    Satisfy All

</Directory>

 

Put this underneath your other “Directory” entries.  Replace the XXX’s and YYY’s with the IP address(es) from which you want to be able to access phpMyAdmin.

 

Create the /usr/local/etc/apache22/http_pws directory with “mkdir /usr/local/etc/apache22/http_pws”.

 

Create the password file with “htpasswd -c /usr/local/etc/apache22/http_pws/phpMyAdmin.dat <username>”.

 

Download latest version gz archive of phpMyAdmin from http://www.phpmyadmin.net.

 

Cd to /usr/local/www/apache22/data and untar the phpMyAdmin gz archive with “tar xfz <path_to_phpmyadmin_archive>”.  This will create a phpMyAdmin directory with a very long unfriendly name.

 

Rename the phpMyAdmin directory with “mv <phpmyadmin_directory_unfriendly_name> phpmyadmin”.

 

Cd into the phpmyadmin directory and “cp config.sample.inc.php config.inc.php”.

 

Generate a Blowfish secret at: http://www.question-defense.com/tools/phpmyadmin-blowfish-secret-generator

 

Edit config.inc.php and add your blowfish secret

$cfg['blowfish_secret'] = 'H-s|X8w0h*E6_8K4I2[UBeK[S0|oReRYK{T_';   /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */

Don’t use the example blowfish secret I used above, use the one you generated.

 

Check your apache configuration with “apachectl configtest”.

 

Make sure that /etc/rc.conf has

apache22_enable="YES"

apache22_ssl_enable="YES"

apache22_http_accept_enable="YES"

then, start apache with “apachectl start”.

  

Launch a browser on one of the computers whose IP you put in the phpmyadmin Directory definition and go to https://<server_fqdn>/phpmyadmin.  The htpasswd login should appear.  Enter the username and password you set above with the htpasswd command.  The phpMyAdmin login box should then appear.  Enter “root” for the userid and the password you set for the root MySQL password.  After entering both the htpasswd userid and password and the root MySQL password, phpMyAdmin should load.  If it doesn’t, try editing config.inc.php and setting

 

$cfg['PmaAbsoluteUri'] = 'http://<server_fqdn>/phpmyadmin';

 

 

 

Click on Privileges and delete all the users except root on localhost.

 

 

Additional Security Steps

 

Add

 

kern_securelevel_enable="YES"

kern_securelevel="1"

syslogd_flags="-ss"

 

to /etc/rc.conf. You’ll need to reboot for this to take effect.

 

 

To enforce minimum password requirements add

 

:minpasswordlen=8:\

:mixpasswordcase:\

 

to /etc/login.conf under the “default” section and rebuild database with “cap_mkdb /etc/login.conf”.

 

--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

 

 

Change log

 

 

 


 
