Document last modified 3/8/2012, 4pm – see bottom for details.
This is the latest version (v5) of the freebsd-web-server pages.
Installing FreeBSD 8 or 9 web server with Apache, PHP and MySQL.
Note 0: This page was written to document the procedure I use to build my web servers. If you notice any errors or have any suggestions for changes to this page I would like to hear them. You can email me at astuy@bio.fsu.edu.
Note 1: Terms placed in <>’s are usually variables, meaning you substitute your own value and don’t type in the <>’s. Examples:
<your_userid> is the username you su to root from (ex: sysbrian)
<server_fqdn> is the fully qualified domain name of the web server you are building (ex: www.mydomainname.com)
<server_name> is the name of the server you are building (ex: www)
<server_name_in_caps> is the name of the server you are building in capital letters (ex: WWW)
<server_ip> is the IP address of the web server you are building (ex: 145.23.128.7)
The exception to terms placed in <>'s being variables is the httpd.conf file, where the <>'s are part of Apache's own configuration syntax (ex: <Directory ...>).
Note 2 (Important): When installing ports these instructions may list options to add on the port’s configuration page. In all cases leave any default checked options checked and only add the options indicated. If instructions don’t say to change options accept the defaults.
Install FreeBSD 8 or 9. Do an “Average user, binaries and docs only” install, no X Windows. If you haven’t installed FreeBSD before, instructions are at:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/index.html.
Download the bootonly.iso, burn it to CD, boot from the CD, and go from there to install over the network.
For version 9.0 on intel/amd 64 bit architecture get:
ftp://ftp.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/9.0/FreeBSD-9.0-RELEASE-amd64-bootonly.iso
For version 9.0 on intel/amd 32 bit architecture get:
ftp://ftp.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/9.0/FreeBSD-9.0-RELEASE-i386-bootonly.iso
For version 8.2 on intel/amd 64 bit architecture get:
For version 8.2 on intel/amd 32 bit architecture get:
ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/ISO-IMAGES/8.2/FreeBSD-8.2-RELEASE-i386-bootonly.iso
Get the latest release of the version you want, either 8 or 9; either should work fine. If your intel/amd hardware supports 64 bit, use the amd64 architecture release. Boot from the CD, partition your hard drive, configure your network card, choose the “network install through firewall” option, then choose the “Average user, binaries and docs only” option.
Don’t install ports when asked. We’ll be csuping the ports shortly.
Don’t install the FreeBSD documentation package. You can install it later if you like.
Install src and security patches.
There are two methods for installing src and security patches; choose one. I usually use Method 2. If you later have a running box that just needs an additional patch that doesn’t involve a buildworld, Method 1 might be a good choice; at that point, assuming you’ve already downloaded src, you wouldn’t redownload src, just install the patch. If it’s early in the history of a release and there aren’t many security patches, Method 1 is usually faster, though in the case of 8.3 and 9.0 the first patch released required a buildworld, which means you might as well go with Method 2.
Method 1:
If you didn’t include sources in your initial install, type “sysinstall” and choose Configure->Distributions->src to download sources for everything (ALL). This will download the exact src tree for the release version installed, no patches, you will need to install them yourself.
Install all applicable security patches from http://www.freebsd.org/security/advisories.html .
If required by any of the security patches, recompile the kernel; see the “Compile Custom Kernel” step below. Note: very rarely a security patch requires rebuilding world (makeworld). In that case you could abandon Method 1 and use Method 2. It’s ok if you have already installed some patches.
Method 2:
Create a supfile to track the security branch of your release, then download the src for the branch and compile and install it. This downloads the patched version of src for your release and compiles and installs it.
- “vi <sup_file_name>” (ex “vi cvsup_8_3”), and insert the supfile info; an example supfile for the 8.3 security branch is below.
- “csup -g -L 2 <sup_file_name>”
- “cd /usr/src”
- “make clean”
- “make buildworld”
- “make buildkernel KERNCONF=GENERIC” (or, if you want the custom kernel now, follow the “Compile custom kernel” instructions below at this point and use your own KERNCONF name instead of GENERIC)
- “make installkernel KERNCONF=GENERIC” (likewise with your own KERNCONF name if you built a custom kernel)
- “shutdown -r now”
- Go into single user mode (press the 4 key at the boot menu)
- “adjkerntz -i”
- “mount -a -t ufs”
- “cd /usr/src”
- “make installworld”
- “shutdown -r now”
Example supfile for 8.3 security branch (insert similar contents into <sup_file_name>, change tag to match your release)
*default host=cvsup.freebsd.org
*default base=/var/db
*default prefix=/usr
*default release=cvs tag=RELENG_8_3
*default delete use-rel-suffix
*default compress
src-all
Note: You can also use Method 2 to upgrade versions of FreeBSD, but don’t try to jump major versions (ie 8.2 -> 9.0); doing that requires using merge_master, and personally I’d just reinstall FreeBSD from scratch. Stay within the major version (ie 8.1 -> 8.3) and it should work fine.
Compile custom kernel
Recompile the kernel to add the Apache accept filters and change the “ident” line. Also (optionally) comment out the hardware that your system does not have; this can cut the kernel size to less than half its previous size.
At the very least add
options ACCEPT_FILTER_HTTP # Apache accept enable
options ACCEPT_FILTER_DATA # Apache accept enable
to the options section, and change the ident line to
ident <server_name_in_caps>
Basic procedure for compiling and installing a custom kernel is:
- cd to /usr/src/sys/i386/conf or /usr/src/sys/amd64/conf depending on whether you installed the i386 or amd64 release.
- cp GENERIC to <server_name_in_caps>
- edit <server_name_in_caps> and change ident, add the Apache options, and comment out non-present hardware
- cd to /usr/src and run “make buildkernel KERNCONF=<server_name_in_caps>”
- run “make installkernel KERNCONF=<server_name_in_caps>”
- reboot to use the new kernel (run “shutdown -r now”)
- mv /boot/kernel.old /boot/kernel.ORIG # ORIG assumes this is your first kernel recompile. Else change ORIG to something appropriate.
Here’s a link to my “KERNCONF” file. Note that yours will almost certainly be different. You’ll definitely want to look at the ethernet card, SCSI and RAID controllers (if applicable); mine is set for an Intel GB Ethernet card (em), other than that it’s standard core2quad Asus motherboard hardware using SATA hard drives. All non-present hardware is commented out. It’s an edited version of GENERIC from the 8.3 release and can be used to compile a kernel for 8.3; don’t use it for any other release. When changing releases always start with GENERIC from the new release.
Additional instructions for recompiling the kernel are at
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kernelconfig-building.html
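The copy, ident change and accept filter edits above can be scripted. What follows is an added example (my addition to this page, not part of the original procedure and not FreeBSD's own tooling): make_kernconf does those three edits and is safe to re-run without duplicating lines, and check_kernconf is the check to run before “make buildkernel KERNCONF=<server_name_in_caps>”. It assumes the conf directory (/usr/src/sys/amd64/conf or /usr/src/sys/i386/conf on the real box) and the kernel name are passed as arguments, so it can be tried on a scratch copy first; commenting out absent hardware stays a manual edit.

```sh
#!/bin/sh
# Added example (not from the original page): script the "cp GENERIC to
# <server_name_in_caps>, change ident, add the Apache accept filter options"
# steps. <conf_dir> is /usr/src/sys/amd64/conf or /usr/src/sys/i386/conf on
# the real box; it is a parameter here so the script can be tried elsewhere.

# make_kernconf <conf_dir> <NAME>
# Creates <conf_dir>/<NAME> from <conf_dir>/GENERIC, sets "ident <NAME>" and
# appends the two accept filter options. Safe to re-run: an option is only
# appended when it is not already in the file, so no duplicate lines appear.
make_kernconf() {
    dir=$1
    name=$2
    src="$dir/GENERIC"
    dst="$dir/$name"
    [ -f "$src" ] || { echo "no GENERIC in $dir" >&2; return 1; }
    [ -f "$dst" ] || cp "$src" "$dst"
    # GENERIC ships with "ident GENERIC"; replace whatever ident line is there
    sed -i.bak "s/^ident[[:space:]].*/ident $name/" "$dst" && rm -f "$dst.bak"
    for opt in ACCEPT_FILTER_HTTP ACCEPT_FILTER_DATA; do
        grep -qE "^options[[:space:]]+$opt([[:space:]]|$)" "$dst" ||
            printf 'options\t\t%s\t\t# Apache accept enable\n' "$opt" >> "$dst"
    done
}

# check_kernconf <conf_dir> <NAME>
# Returns 0 when the ident line and both options are present, 1 otherwise
# (reasons go to stderr). Run it before "make buildkernel KERNCONF=<NAME>".
check_kernconf() {
    f="$1/$2"
    rc=0
    grep -qE "^ident[[:space:]]+$2[[:space:]]*$" "$f" || { echo "ident is not $2" >&2; rc=1; }
    for opt in ACCEPT_FILTER_HTTP ACCEPT_FILTER_DATA; do
        grep -qE "^options[[:space:]]+$opt([[:space:]]|$)" "$f" ||
            { echo "missing: options $opt" >&2; rc=1; }
    done
    return $rc
}

# count_option <conf_file> <OPTION>: how many "options <OPTION>" lines the file has
count_option() {
    grep -cE "^options[[:space:]]+$2([[:space:]]|$)" "$1"
}
```

On the real box this is “make_kernconf /usr/src/sys/amd64/conf WWW && check_kernconf /usr/src/sys/amd64/conf WWW”, after which you still open the file to comment out the hardware you don’t have.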
Install ports tree
Check to make sure the FreeBSD documentation package didn’t get installed. To check, type “pkg_info”. If it returns something like “en-freebsd-doc-20110110 Documentation from the FreeBSD Documentation Project”, delete the package with “pkg_delete en-freebsd-doc-20110110”.
Download and install ports tree with "portsnap fetch extract".
Install Berkeley Database Version 4.2 with “cd /usr/ports/databases/db42” and “make install”.
Install portupgrade with “cd /usr/ports/ports-mgmt/portupgrade” and a “make install”.
When the perl options come up leave default options checked and add “THREADS”.
Upgrading ports. If your box is not a new install you can upgrade the installed ports. Please note I only recommend the following on a new or very recent box; updating ports on an old box can result in broken ports. On a recent box it works pretty well, though sometimes some tweaking is required. This document describes a new, clean install; the instructions below set up the system for future port upgrades.
Backup your current ports db with
“cd /var/db” and “tar cvfz var.db.pkg.<todays_date>.tgz pkg”
Find and fix stale dependencies
“/usr/local/sbin/pkgdb -F” # Answer "YES" to fix questions, there should not be any.
Recompile/Upgrade ports, this should drop right through
“/usr/local/sbin/portupgrade -ra”
Edit hosts.allow, hosts, rc.conf
Copy hosts.allow to hosts.allow.ORIG and edit hosts.allow to make it more secure. Only allow ssh from workstations you control. Allow anything from localhost. Deny all else.
# hosts.allow access control file for "tcp wrapped" applications.
# $FreeBSD: src/etc/hosts.allow,v 1.0.7 2005/12/07 15:17:44 sysalex Exp $
#
# Allow anything from localhost. Note that an IP address (not a host
# name) *MUST* be specified for portmap(8).
# This also allows imapd from localhost for IMP
ALL : localhost 127.0.0.1 : allow
ALL : <server_fqdn> <server_ip> : allow
# Prevent those with no reverse DNS from connecting.
ALL : PARANOID : RFC931 20 : deny
# Prevent unregistered IP’s from connecting.
ALL : UNKNOWN : RFC931 20 : deny
# Allow ssh from IP’s from which you will be sshing to this server
sshd : XXX.XXX.XXX.XXX YYYY.YYYY.YYYY.YYYY : allow
sshd : ALL : deny
# Deny all else
ALL : ALL : deny
Replace XXX’s and YYY’s with actual IP addresses.
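Before copying a new hosts.allow into /etc, the thing you most want to know is that it will not lock you out of ssh: tcp_wrappers stops at the first matching rule, so the sshd allow line must carry real addresses and sit above “sshd : ALL : deny” (and above “ALL : ALL : deny”). The following lint is an added example and not part of the original page; it checks exactly those three things on a candidate file, assumes the “daemon : clients : action” layout used above, and needs only sh, grep and awk. The sample files in the usage below are constructed and use documentation addresses.

```sh
#!/bin/sh
# Added example, not part of the original page: sanity-check a candidate
# hosts.allow before copying it into /etc. tcp_wrappers uses the first rule
# that matches, so the checks are (1) no XXX/YYY placeholders left in a rule,
# (2) an sshd allow rule with a client list exists, (3) that rule comes before
# any "sshd : ALL : deny" or "ALL : ALL : deny" line. Assumes the
# "daemon : clients : action" layout used on this page.

# lint_hosts_allow <file>: 0 when all three checks pass, 1 otherwise (reasons on stderr)
lint_hosts_allow() {
    f=$1
    rc=0
    # 1. template placeholders outside comment lines
    if grep -v '^[[:space:]]*#' "$f" | grep -qE 'XXX|YYY'; then
        echo "$f: XXX/YYY placeholders still present" >&2; rc=1
    fi
    # 2. an sshd allow rule that actually names clients
    if ! awk -F: '$1 ~ /^[ \t]*sshd[ \t]*$/ && $NF ~ /allow/ && $2 ~ /[^ \t]/ { found = 1 }
                  END { exit !found }' "$f"; then
        echo "$f: no sshd allow rule with a client list" >&2; rc=1
    fi
    # 3. ordering: first match wins, so the allow must precede any catch-all deny
    allow_line=$(awk -F: '$1 ~ /^[ \t]*sshd[ \t]*$/ && $NF ~ /allow/ { print NR; exit }' "$f")
    deny_line=$(awk -F: '$1 ~ /^[ \t]*(sshd|ALL)[ \t]*$/ && $2 ~ /^[ \t]*ALL[ \t]*$/ && $NF ~ /deny/ { print NR; exit }' "$f")
    if [ -n "$deny_line" ] && { [ -z "$allow_line" ] || [ "$allow_line" -gt "$deny_line" ]; }; then
        echo "$f: catch-all deny on line $deny_line precedes the sshd allow rule (ssh would be locked out)" >&2; rc=1
    fi
    return $rc
}
```

Run it as “lint_hosts_allow /etc/hosts.allow.new” before the copy. On the server itself you can then confirm a single address with tcpdmatch(8) from the FreeBSD base system, for example “tcpdmatch sshd 192.0.2.10”, which prints the rule that would match.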
Copy /etc/hosts to /etc/hosts.ORIG and edit /etc/hosts. Change the “my.domain” in localhost.my.domain (2 places) to your domain name (ex “localhost.mydomainname.com”).
Backup /etc/rc.conf with “cp /etc/rc.conf /etc/rc.conf.ORIG” or something similar. Edit /etc/rc.conf and add
apache22_enable="YES"
apache22_ssl_enable="YES"
apache22_http_accept_enable="YES"
mysql_enable="YES"
sendmail_enable="NO"
sendmail_submit_enable="YES"
sshd_enable="YES"
The sendmail entries assume this server is not going to be a mail server and set it to only allow outgoing mail.
Install bash and make your default shell bash (optional)
Install bash. Cd to /usr/ports/shells/bash and “make install”. Change your shell to “/usr/local/bin/bash” with vipw. Run “adduser -C” and set the default shell to bash. Type “rehash;bash” to change to the bash shell, or log out and log back in.
If you installed portupgrade perl5.12 was probably installed as a dependency. Check to see with “pkg_info | grep perl”. If not install it with “cd /usr/ports/lang/perl5.12” and “make install”. When the perl options come up leave default options checked and add “THREADS”.
Check results with “perl -v”. You may have to do a “rehash” first, depending on your shell.
Install cclient
Cd to /usr/ports/mail/cclient and install with a “make install”. On its config page add the “SSL_AND_PLAINTEXT” option.
Cd to /usr/ports/www/apache22 and run “make install”.
Make or buy a SSL cert for your server. If you choose to make a self signed cert, follow the next set of instructions. If this is a production server strongly consider buying a cert.
Self Signed Certs
Cd to /usr/local/etc/apache22 and “mkdir certs”. Cd to certs. Generate a certificate for your webserver by running the following commands. You can copy and paste them into something like /usr/local/sbin/mkwebcerts, replacing <server_fqdn> with your fqdn, chmod /usr/local/sbin/mkwebcerts to 700 and then run it.
openssl genrsa -des3 -out <server_fqdn>.key 1024
openssl rsa -noout -text -in <server_fqdn>.key
openssl rsa -in <server_fqdn>.key -out <server_fqdn>.key.unsecure
openssl req -new -x509 -nodes -sha1 -days 365 -key <server_fqdn>.key -out <server_fqdn>.crt
openssl x509 -noout -text -in <server_fqdn>.crt
When asked for “Common Name” enter <server_fqdn>. For the other questions the common-sense answer is correct. When asked for a password or passphrase type in the same thing each time.
Chown the cert files to www:www and chmod them to 440.
Purchased Certs
Cd to /usr/local/etc/apache22 and “mkdir certs”. Cd to certs and copy your certs into the directory. Chown the cert files to www:www and chmod them to 440.
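The following is an added example, not the page’s mkwebcerts script. make_webcert runs the same sequence as the self-signed section (passphrase-protected key, decrypted copy for Apache, self-signed cert with Common Name = <server_fqdn>) without prompts, and then come the two checks worth doing for self-signed and purchased certs alike before editing httpd-ssl.conf: cert_key_match confirms the certificate and key belong together (their RSA moduli are equal), and lock_certs/check_cert_perms apply and verify the 440 mode. Assumptions: openssl in $PATH; a 2048-bit key and SHA-256 signature instead of the page’s 1024/SHA-1; passphrase and subject supplied as arguments; the owner is a parameter so the script can be tried as an ordinary user before running it as root with www:www.

```sh
#!/bin/sh
# Added example, not the page's mkwebcerts script. Same steps as the
# self-signed section, but non-interactive: passphrase and subject come from
# the arguments. Assumptions: openssl in PATH; 2048-bit RSA and SHA-256 (the
# page used 1024/SHA-1); files are named <fqdn>.key, <fqdn>.key.unsecure and
# <fqdn>.crt in <dir>, exactly what httpd-ssl.conf on this page expects.

# make_webcert <dir> <server_fqdn> <passphrase>
make_webcert() {
    dir=$1; fqdn=$2; pass=$3
    [ -d "$dir" ] && [ -n "$fqdn" ] && [ -n "$pass" ] || return 1
    (
        cd "$dir" || exit 1
        # passphrase-protected key, as the page's "openssl genrsa -des3" step
        openssl genrsa -des3 -passout "pass:$pass" -out "$fqdn.key" 2048 2>/dev/null &&
        # decrypted copy for Apache (the page's .key.unsecure file)
        openssl rsa -passin "pass:$pass" -in "$fqdn.key" -out "$fqdn.key.unsecure" 2>/dev/null &&
        # self-signed certificate, Common Name = the fqdn
        openssl req -new -x509 -sha256 -days 365 -subj "/CN=$fqdn" \
            -key "$fqdn.key" -passin "pass:$pass" -out "$fqdn.crt" 2>/dev/null
    )
}

# cert_key_match <crt> <key> [passphrase]
# 0 when the certificate's RSA modulus equals the key's, i.e. the pair belongs
# together; a wrong passphrase, unreadable file or foreign key gives 1.
cert_key_match() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
    k=$(openssl rsa -noout -modulus -passin "pass:${3:-}" -in "$2" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# lock_certs <dir> <owner:group>
# The page's "chown www:www, chmod 440" step, with the owner as a parameter.
lock_certs() {
    for f in "$1"/*.key "$1"/*.key.unsecure "$1"/*.crt; do
        [ -f "$f" ] || continue
        chown "$2" "$f" && chmod 440 "$f" || return 1
    done
}

# check_cert_perms <dir>: 0 only when every key/cert file is mode 440 (-r--r-----)
check_cert_perms() {
    for f in "$1"/*.key "$1"/*.key.unsecure "$1"/*.crt; do
        [ -f "$f" ] || continue
        case $(ls -l "$f") in
            -r--r-----*) ;;
            *) echo "$f is not mode 440" >&2; return 1 ;;
        esac
    done
}
```

On the server: “make_webcert /usr/local/etc/apache22/certs <server_fqdn> <passphrase>”, then “cert_key_match certs/<server_fqdn>.crt certs/<server_fqdn>.key.unsecure”, then “lock_certs /usr/local/etc/apache22/certs www:www && check_cert_perms /usr/local/etc/apache22/certs”. For a purchased cert skip make_webcert and run the same two checks on the files you copied in.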
Configure Apache
(FreeBSD Server Rebuild?: don’t just copy over the httpd.conf file from your old box. Copy it over with a different name, then run diff between your old one and your new one and add the things needed from the old one to the new one. Ignore the php stuff for now. If you are upgrading from apache1.3.x then be aware that the old httpd.conf file has been split up between /usr/local/etc/apache22/httpd.conf and /usr/local/etc/apache22/extra/*.conf.)
Cd to /usr/local/etc/apache22
Edit httpd.conf and change
ServerName <server_fqdn>:80
ServerAdmin <your_email_address>
Include etc/apache22/extra/httpd-userdir.conf # Remove leading ‘#’
Include etc/apache22/extra/httpd-default.conf # Remove leading ‘#’
Include etc/apache22/extra/httpd-ssl.conf # Remove leading ‘#’
Optional: Enable cgi scripts:
Change the “None” in Options to “ExecCGI” in the cgi-bin entry as follows.
<Directory "/usr/local/www/cgi-bin">
AllowOverride None
Options ExecCGI
Order allow,deny
Allow from all
</Directory>
and uncomment
AddHandler cgi-script .cgi
Cd to /usr/local/etc/apache22/extra
Edit httpd-ssl.conf and change
ServerName <server_fqdn>:443
ServerAdmin <your_email_address>
SSLCertificateFile /usr/local/etc/apache22/certs/<server_fqdn>.crt
SSLCertificateKeyFile /usr/local/etc/apache22/certs/<server_fqdn>.key.unsecure
Note: if you purchased certs, the last two lines above should use your purchased cert names instead of <server_fqdn>.crt and <server_fqdn>.key.unsecure, which are from the self signed cert section.
Change the allowed CipherSuites by commenting out the old entry and adding two new lines
#SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
SSLProtocol -All +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:!LOW:+HIGH:+MEDIUM:!SSLv2:!EXP
Edit httpd-default.conf and change
HostnameLookups On
Cd to /usr/ports/databases/mysql55-server and run “make install”. This will install both server and client.
Make sure that /etc/rc.conf has an entry for:
mysql_enable="YES"
Start mysql with “/usr/local/etc/rc.d/mysql-server start”.
Set the MySQL root password with “mysqladmin -u root password <mysql_root_password>”
Cd to /usr/ports/lang/php5 and run “make install”. On the options page add APACHE, DEBUG, MULTIBYTE to the list of options.
Cd to /usr/ports/lang/php5-extensions and run “make install”. On the options page add CALENDAR, CURL, FILEINFO, FTP, GD, GETTEXT, ICONV, IMAP, LDAP, MBSTRING, MCRYPT, MYSQL, OPENSSL, PDF, PSPELL to the list of options.
After install cd to /usr/local/etc and copy php.ini-recommended to php.ini and php.ini.ORIG. Edit php.ini and change
upload_max_filesize = 32M
post_max_size = 32M
memory_limit = 256M ; Maximum amount of memory a script may consume (8MB)
Cd to /usr/ports/databases/pear-DB and run “make install”.
Cd to /usr/ports/sysutils/pear-Log and run “make install”. On its config page enable PEAR_DB and PEAR_Mail support.
Cd to /usr/ports/graphics/GraphicsMagick and install with "make install".
Cd to /usr/ports/www/php5-session and install with "make install".
Cd to /usr/ports/databases/php5-mysqli and install with “make install”.
Check to make sure that the php install added the php application code to your /usr/local/etc/apache22/httpd.conf file. The chunk of code it was supposed to add is:
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
and it goes right under the
#AddType application/x-gzip .tgz
block of code. If it didn’t put it in (and it usually doesn’t) go ahead and paste it in.
Add index.php and index.htm to the list of index pages in the DirectoryIndex section.
<IfModule dir_module>
DirectoryIndex index.php index.html index.htm
</IfModule>
Create a password protected phpMyAdmin directory. Edit /usr/local/etc/apache22/httpd.conf and add an entry for the phpMyAdmin directory (This example uses phpmyadmin as the directory name and has replaced the ip’s with X’s and Y’s):
<Directory /usr/local/www/apache22/data/phpmyadmin>
AllowOverride AuthConfig
Order deny,allow
Deny from all
Allow from XXX.XXX.XXX.XXX YYY.YYY.YYY.YYY
AuthName "Any blurb you want, gets displayed in login dialog box"
AuthType Basic
AuthUserFile /usr/local/etc/apache22/http_pws/phpMyAdmin.dat
Require valid-user
Satisfy All
</Directory>
Put this underneath your other “Directory” entries. Replace the XXX’s and YYY’s with the IP address(es) from which you want to be able to access phpMyAdmin.
Create the /usr/local/etc/apache22/http_pws directory with “mkdir /usr/local/etc/apache22/http_pws”.
Create the password file with “htpasswd -c /usr/local/etc/apache22/http_pws/phpMyAdmin.dat <username>”.
Download latest version gz archive of phpMyAdmin from http://www.phpmyadmin.net.
Cd to /usr/local/www/apache22/data and untar the phpMyAdmin gz archive with “tar xfz <path_to_phpmyadmin_archive>”. This will create a phpMyAdmin directory with a very long unfriendly name.
Rename the phpMyAdmin directory with “mv <phpmyadmin_directory_unfriendly_name> phpmyadmin”.
Cd into the phpmyadmin directory and “cp config.sample.inc.php config.inc.php”.
Generate a Blowfish secret at: http://www.question-defense.com/tools/phpmyadmin-blowfish-secret-generator
Edit config.inc.php and add your blowfish secret
$cfg['blowfish_secret'] = 'H-s|X8w0h*E6_8K4I2[UBeK[S0|oReRYK{T_'; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */
Don’t use the example blowfish secret I used above, use the one you generated.
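As an added example (mine, not phpMyAdmin’s code and not part of the original page), the secret can be generated locally instead of through a web form, so it never leaves the server, and written into config.inc.php without hand-editing. set_blowfish_secret escapes the two characters that break a PHP single-quoted string (backslash and the single quote) and verifies the resulting line. Assumptions: tr, head and sed as found on FreeBSD and Linux; the config line has the shape shown above; 32 characters is the default length.

```sh
#!/bin/sh
# Added example, not part of the original page or of phpMyAdmin.

# gen_blowfish_secret [length]
# Print <length> (default 32) random printable characters drawn from
# /dev/urandom. The character set deliberately omits backslash and the single
# quote so the value drops into a PHP single-quoted string unchanged.
gen_blowfish_secret() {
    n=${1:-32}
    LC_ALL=C tr -dc 'A-Za-z0-9_.@#%^*+=:,-' < /dev/urandom | head -c "$n"
}

# set_blowfish_secret <config.inc.php> <secret>
# Replace the $cfg['blowfish_secret'] line in place. The secret is escaped for
# a PHP single-quoted string (\ -> \\, ' -> \') and then for the sed
# replacement (\, & and the | delimiter), so arbitrary input survives.
# Returns 0 only when the rewritten line is found afterwards.
set_blowfish_secret() {
    f=$1
    [ -f "$f" ] && [ -n "$2" ] || return 1
    esc=$(printf '%s' "$2" | sed -e 's/\\/\\\\/g' -e "s/'/\\\\'/g")
    rep=$(printf '%s' "$esc" | sed 's/[\\&|]/\\&/g')
    sed -i.bak "s|^\\\$cfg\[.blowfish_secret.][[:space:]]*=.*|\$cfg['blowfish_secret'] = '$rep'; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */|" "$f" \
        && rm -f "$f.bak"
    grep -Fq "= '$esc';" "$f"
}
```

Usage on the server: “set_blowfish_secret /usr/local/www/apache22/data/phpmyadmin/config.inc.php "$(gen_blowfish_secret)"”.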
Check your apache configuration with “apachectl configtest”.
Make sure that /etc/rc.conf has
apache22_enable="YES"
apache22_ssl_enable="YES"
apache22_http_accept_enable="YES"
then start apache with “apachectl start”.
Launch a browser on one of the computers whose IP you put in the phpmyadmin Directory definition and go to https://<server_fqdn>/phpmyadmin. The htpasswd login should appear. Enter the username and password you entered above using the htpasswd command. The phpMyAdmin login box should appear. Enter “root” for the userid and the password you set for the root MySQL password. After entering both the htpasswd userid and password and the root MySQL password, phpMyAdmin should load. If it doesn’t, try editing config.inc.php and change
$cfg['PmaAbsoluteUri'] = 'http://<server_fqdn>/phpmyadmin';
Click on Privileges and delete all the users except root on localhost.
Add
kern_securelevel_enable="YES"
kern_securelevel="1"
syslogd_flags="-ss"
to /etc/rc.conf. You’ll need to reboot for this to take effect.
To enforce minimum password requirements add
:minpasswordlen=8:\
:mixpasswordcase:\
to /etc/login.conf under the “default” section and rebuild database with “cap_mkdb /etc/login.conf”.
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Change log