July 31, 2008

Setting up LAMP on FreeBSD

Author: Martin Münch

Setting up a LAMP server is a common task for systems administrators, and FreeBSD is one of the most reliable and stable operating systems available. You can swap out the L in LAMP with F for FreeBSD to build a fast and reliable Web server.

In this article I assume FreeBSD is already installed. If not, make sure you download the latest stable production version of FreeBSD and run the installer. I recommend choosing the MINIMUM option at the installer screen to quickly install only the most basic and necessary things.

To install applications on FreeBSD, use the ports files. Ports are plain text files that know where to download source code, so that the software will be compiled on your computer. This way you can change settings (including or excluding specific modules) as you want, and the software will fit perfectly to the specifications of your computer. First, you have to make sure that the latest ports files are installed. If you've never installed the ports, issue portsnap fetch extract in the shell; otherwise, issue portsnap fetch update. This will download the latest ports files. After a bunch of messages that show you what files have been downloaded, you're ready to go.

Apache

Next you need to compile and install Apache, the Web server itself, using command like those below. After changing to the right location (the first command), the second command brings up a configuration screen where you can change settings. You might want to enable IPv6 support or activate the proxy module, but the standard settings are usually fine. After you have accepted the settings, Apache will automatically be compiled and installed. The last three lines make sure Apache and the required modules start automatically with the operating system:

cd /usr/ports/www/apache22/
make config install distclean
echo 'apache2_enable="YES"' >> /etc/rc.conf
echo 'apache2ssl_enable="YES"' >> /etc/rc.conf
echo 'accf_http_ready="YES"' >> /etc/rc.conf && kldload accf_http

Once Apache is installed properly, you must configure your server. First, enable SSL support and create the certificate and key files. The SSL key file is your private file for changing the password and restoring certificates. The SSL certificate file is the certificate itself, which will be used to assure visitors' Web browsers that your server is the server they want to talk to. By default, the SSL certificate file is /usr/local/etc/apache22/server.crt, and the SSL key file is /usr/local/etc/apache22/server.key. You can check or change this by searching for SSLCertificateFile or SSLCertificateKeyFile, respectively, in /usr/local/etc/apache22/extra/httpd-ssl.conf. Since version 2 of Apache, the main configuration file is divided into several extra files in /usr/local/etc/apache22/extra/. This makes it easier to find specific options and reduces the size of the main configuration file. If you don't find an option in the main configuration, you should check the extra files.

Now you need to change to the right location and generate the key file. With that key, you can generate a certificate-signing request, which tells a certificate authority to sign your key. You can either send a request to an authority such as VeriSign, or sign it yourself. If the certificate is signed by a professional authority, it will cost money, but assure visitors that this Web server definitely belongs to you and not somebody else. Self-signing the certificate will cause a warning to appear in visitors' browsers when they enter your site that the certificate is self-signed, but will cost nothing at all. The following code shows you how to self-sign the certificate:

cd /usr/local/etc/apache22/
openssl genrsa -des3 -out server.key 1024
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
chmod 0400 server.key server.crt

The key and certificate files are generated and in the right place with the proper permissions. However, you still need to configure some things. You have to make sure the server administrator's email address is set correctly by searching for ServerAdmin in /usr/local/etc/apache22/httpd.conf. DocumentRoot specifies where the Web documents are located; set it to /srv/www/01 on your server. Letting users host their own private Web content can cause some harm, so disable it by commenting out Include etc/apache22/extra/httpd-userdir.conf. Finally, enable SSL support by activating Include etc/apache22/extra/httpd-ssl.conf. In /usr/local/etc/apache22/extra/httpd-default.conf, disable ServerSignature to prevent the server from showing more information than it has to. Make sure the server-status and the server-info sections in /usr/local/etc/apache22/extra/httpd-info.conf are commented out. The less information others have about the Web server, the better it is for the security staff.

In usr/local/etc/apache22/extra/httpd-vhosts.conf, set the directory for every SSL connection to the server. Note that lawrencium is the name of the server in this example; you should change this to the name of your own server:

NameVirtualHost *:443
<VirtualHost *:443>
ServerName lawrencium
ServerAlias lawrencium.ipc.net
DocumentRoot /srv/www/02/
<Directory /src/www/02/>
Order allow,deny
Allow from all
</Directory>
SSLEngine On
SSLCertificateFile /usr/local/etc/apache22/ssl.crt/server.crt
SSLCertificateKeyFile /usr/local/etc/apache22/ssl.key/server.key
AllowOverride None
Order Deny, Allow
</VirtualHost>

You now have one directory (/srv/www/01) for all connections on port 80, and one directory (/srv/www/02) for all connections on port 443.

PHP

At this point, the Web server is ready to serve static documents. However, most Web sites contain dynamic PHP content, such as forums, chats, and galleries.

PHP installation is quick and easy. Compile and install the PHP package itself and the PHP extensions and make sure that the Apache module is compiled when you install PHP v5:

cd /usr/ports/lang/php5
make config install distclean
cd /usr/ports/lang/php5-extensions
make config install distclean

To make Apache serve PHP sites, you have to tell it how to handle PHP files. Add the following entries to /usr/local/etc/apache2/httpd.conf directly after all the LoadModule lines:

AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps

Add index.php as the directory index:

<IfModule mod_dir.c>
DirectoryIndex index.php index.html index.htm
</IfModule>

PHP includes a recommended configuration file that is secure for most purposes. Disable allow_url_fopen (which allows you to operate on remote FTP/HTTP sites just like on local files), because it can become harmful when used incorrectly:

cp /usr/local/etc/php-ini-recommended /usr/local/etc/php.ini

MySQL

PHP is now installed and configured. However, most PHP applications use databases as well. MySQL, a database system, is stable, open source, and doesn't cost a penny.

Compile and install MySQL with SSL support and add an entry to /etc/rc.conf to start the MySQL server automatically with the operating system:

cd /usr/ports/databases/mysql51-server
make install WITH_OPENSSL=yes
make distclean
echo 'mysql_enable="YES"' >> /etc/rc.conf

Set a root password (p3Df1IsT in the commands below). Note that because you're specifying the password on the shell, it is stored in
the shell history (e.g., ~/.bash_history or ~/.histfile, depending on which shell you used), so for security reasons clearing the shell history is a good idea, especially if the root account is shared:

/usr/local/etc/rc.d/mysql-server start
mysqladmin -u root password p3Df1IsT
mysql -u root -p
rm /root/.history

Now remove all anonymous accounts by typing the following commands at the MySQL command prompt after you've logged in. The fourth command gives you a list of users without passwords; you can either set each password or delete the users. The last command changes the name of the default root account to mmu002. Changing the root account to an account of your choice is a good idea in case someone wants to try to get your root password. Typically a cracker tries the user name root and some default or dictionary passwords. In this case the default root account does not exist, which makes it a lot harder to break in. Be sure to choose a name not everybody could guess; things like your name or your dog's name are bad examples:

use mysql
DELETE FROM user WHERE user="";
FLUSH PRIVILEGES;
SELECT * FROM user WHERE Password="";
UPDATE user SET user='mmu002' WHERE user='root';

FreeBSD doesn't create a MySQL configuration file by default, so you have to do this yourself by creating /etc/my.cnf, which changes the default port to 29912. The server allows connections made only from 127.0.0.1 (i.e., localhost). The last command shows only databases the user actually has read and write access to; without this option, MySQL would show all users all databases:

[client]
port=29912
[mysqld]
port=29912
bind-address=127.0.0.1
skip-name-resolve
safe-show-database

This article could end here, but it would be unforgivable to not mention phpMyAdmin in an article about LAMP.

phpMyAdmin

phpMyAdmin makes database administration a lot easier. It is used so frequently that it's almost a standard. You need to install it and set the links. In the commands below, we set up http://localhost/phpMyAdmin to access phpMyAdmin (that is, we link the installed phpMyAdmin directory in wwwroot), then use a configuration skeleton as the default configuration, and make sure the secret passphrase (which will be used to encrypt passwords), the root user, and the root password are set corresponding to your MySQL options:

cd /usr/ports/databases/phpmyadmin
make config install distclean
ln -s /usr/local/www/phpMyAdmin /usr/local/www/apache22/data
cd /usr/local/www/phpMyAdmin && cp config.sample.inc.php
config.inc.php
vim config.inc.php
$cfg['blowfish_secret'] = 'kJ76Fgeak98h6thjd6';
$cfg['Servers'][$i]['controluser'] = 'root';
$cfg['Servers'][$i]['controlpass'] = 'p3Df1IsT';

Your new multifunctional FreeBSD server is now installed, configured, secured, and ready to go. When managing a server, keep a few things in mind. First, keep the server up-to-date. FreeBSD offers great tools to keep the FreeBSD kernel, the FreeBSD user space, and all installed applications on it up-to-date and secure. An obsolete server is a security risk. Second, make sure you read the configuration files and the man pages when changing settings, reconfiguring applications, or if you just want to know what a specific command or file is there for.

Your server can now host static Web pages and dynamic Web pages, such as forums, chats, and picture galleries, securely, and you have phpMyAdmin to help you configure the databases that often play a central role in Web hosting.

Categories:

  • Internet & WWW
  • BSD
Click Here!