Apache+SSL, PHP, and MySQL
Updated: 07/25/2006


General Information

I'm sure many of you have been wondering how people host secure sites using Secure Sockets Layer (SSL).  This guide will show you how to set up a web server with SSL, PHP, and MySQL support.

Requirements

  1. For your website to be publicly reachable, you must have a valid domain name.
  2. A text editor (this guide uses Nano)

Installation

Section A -- Apache+mod_ssl

The first thing we need to do is install the Apache web server.  Currently there are two main branches available: 1.3.x and 2.x.  I will be teaching from the 1.3.x branch, but many of the steps are the same for 2.x.  I will also add notes for those of you who choose to use the 2.x branch.
# cd /usr/ports/www/apache13-modssl
# make install distclean
Apache is started at system boot from rc.conf, so let's add the corresponding entries:
# echo 'apache_enable="YES"' >> /etc/rc.conf
# echo 'apache_flags="-DSSL"' >> /etc/rc.conf

Note:  For Apache2 users:  You only need to install the apache2 port, but then you have to manually create the directories for the SSL Certificate and Key.

# cd /usr/ports/www/apache2
# make install distclean
# echo 'apache2_enable="YES"' >> /etc/rc.conf
# echo 'apache2_flags="-DSSL"' >> /etc/rc.conf
# mkdir /usr/local/etc/apache2/ssl.key
# mkdir /usr/local/etc/apache2/ssl.crt
# chmod 0700 /usr/local/etc/apache2/ssl.key
# chmod 0700 /usr/local/etc/apache2/ssl.crt

Section B -- MySQL

# cd /usr/ports/databases/mysql41-server
# make install WITH_OPENSSL=yes distclean
# echo 'mysql_enable="YES"' >> /etc/rc.conf
Take a break while it downloads, compiles, and installs.  It'll take about 45 minutes on a K6-2 350MHz.

Section C -- PHP

# cd /usr/ports/lang/php4
# make config
You will be prompted to add module support.  At this point, select the Apache support.
# make install distclean
# cd /usr/ports/lang/php4-extensions
# make install distclean
Now, when you get to the PHP configuration screen, you just need to check the OpenSSL box and leave the rest of the default values alone, unless you plan on installing other applications, such as the IMP Webmail, that require other PHP modules.  Time to take another break.

PHP should be installed by now.  At the end of the installation, you will need to edit Apache's configuration file to add two lines after all the "LoadModule" lines for PHP support.
# nano -w /usr/local/etc/apache/httpd.conf

AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps

Configuration

Section A -- Create Certificate

It is now time to create your own certificate using the openssl utility.  You need to understand that one server can hold multiple certificates, but only one per listening IP address.  So, if your server is listening on one IP address, you can only have one certificate for the server.  All of your virtual domains can share that certificate, but clients will get warning prompts when they connect to a secure site whose domain name does not match the certificate's Common Name.  If your server is listening on multiple IP addresses, your SSL virtual hosts have to be IP-based -- not name-based.  This is something to consider when creating your certificate.

Change to any directory you would like to save your certificate in.  I chose root's home directory.  We will copy the necessary files to the correct directory later; this way we have a backup in case something happens.
# cd ~
# openssl genrsa -des3 -out server.key 1024
You will be prompted to enter a password for this key.  Remember it because we will need it later.  Now we need to make a Certificate Signing Request (CSR) from the key we just generated.
# openssl req -new -key server.key -out server.csr
Enter the password you chose; this is where you get to enter all the fun information about the certificate, like your name and Fully Qualified Domain Name (FQDN).  Make sure you enter your FQDN for the "Common Name" portion.  For example, if the certificate is for https://webmail.domain.tld/, then your CommonName should be webmail.domain.tld.

Alright, your certificate is ready to be signed.  The following step self-signs the certificate, but you could pay money and have it signed by Verisign or Thawte.
# openssl x509 -req -days 365 -in /root/server.csr -signkey /root/server.key -out /root/server.crt
OK, your certificate is signed and valid for 365 days, which you could have changed with the -days option.  We now need to copy the files to the appropriate directory for Apache to use them.
# cp ~/server.key /usr/local/etc/apache/ssl.key/
# cp ~/server.crt /usr/local/etc/apache/ssl.crt/
If you want to read more about SSL Certificates, you can read the FAQs at http://httpd.apache.org/docs-2.0/ssl/ssl_faq.html#aboutcerts.

Note:  Apache2 users: The correct permissions must be set.

# chmod 0400 /usr/local/etc/apache2/ssl.key/server.key
# chmod 0400 /usr/local/etc/apache2/ssl.crt/server.crt
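
As an added example (not from the original guide), the following script runs the three openssl commands from this section non-interactively in a scratch directory and then performs the check a practitioner would want before copying the files into Apache's ssl.key and ssl.crt directories: that the certificate's public key really belongs to the private key, and that the Common Name is the expected FQDN.  The hostname, the passphrase, and the 2048-bit key size are assumptions made for the example; the guide itself uses 1024 bits and interactive prompts.

```shell
#!/bin/sh
# Added example, not part of the original guide: generate key, CSR and
# self-signed certificate in a scratch directory, then verify that the
# certificate matches the key and carries the expected Common Name.
# Assumptions: openssl(1) on PATH; FQDN and passphrase below are constructed.
set -eu

WORK=$(mktemp -d)
FQDN="webmail.domain.tld"        # constructed example CN
PASS="pass:changeme-example"     # constructed; -passout/-passin replace the prompt

make_cert() {
    # Private key, encrypted with 3DES as in the guide. The guide uses 1024 bits;
    # 2048 is used here as the current minimum for an RSA key.
    openssl genrsa -des3 -passout "$PASS" -out "$WORK/server.key" 2048 2>/dev/null
    # CSR with the FQDN as the Common Name; -subj replaces the interactive questions.
    openssl req -new -key "$WORK/server.key" -passin "$PASS" \
        -subj "/C=US/ST=State/L=City/O=Example/CN=$FQDN" \
        -out "$WORK/server.csr" 2>/dev/null
    # Self-sign for 365 days, exactly as the guide does.
    openssl x509 -req -days 365 -in "$WORK/server.csr" \
        -signkey "$WORK/server.key" -passin "$PASS" \
        -out "$WORK/server.crt" 2>/dev/null
}

# Prints "ok" when the certificate's public key matches the private key and the
# subject CN is the expected FQDN; prints "mismatch" otherwise.
check_cert() {
    # Same modulus => same RSA key pair; hash it so the comparison is short.
    key_mod=$(openssl rsa -noout -modulus -in "$WORK/server.key" -passin "$PASS" 2>/dev/null | openssl sha256)
    crt_mod=$(openssl x509 -noout -modulus -in "$WORK/server.crt" | openssl sha256)
    subject=$(openssl x509 -noout -subject -in "$WORK/server.crt")
    # Matches both "CN=host" (older openssl) and "CN = host" (newer openssl) output.
    if [ "$key_mod" = "$crt_mod" ] && printf '%s\n' "$subject" | grep -q "CN *= *$FQDN"; then
        echo ok
    else
        echo mismatch
    fi
}

make_cert
echo "certificate check: $(check_cert)"
echo "files are in $WORK (remove it when done)"
```

Only after the check prints "ok" would the key and certificate be copied into ssl.key and ssl.crt; the scratch directory should be deleted afterwards so that an extra copy of the private key is not left behind.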

Section B -- Configure VirtualHosts

VirtualHosts are neat because they allow you to host many domains on the same server and the same IP address.  For this example, we will make three VirtualHost entries -- one for http and two for https (SSL).

This section will be modifying /usr/local/etc/apache/httpd.conf so you can pull that up in your favorite editor now.  The normal VirtualHosts can be placed at the beginning of the file for easy access and should be set up like this:
ServerName domain.tld

NameVirtualHost 192.168.0.2:80

<VirtualHost 192.168.0.2:80>
     ServerName domain.tld
     ServerAlias www.domain.tld
     ServerAdmin admin@domain.tld
     DocumentRoot /path/to/website/files
</VirtualHost>
Now at the bottom of httpd.conf, you should see a whole bunch of lines relating to SSL.  Insert the following line just before the default VirtualHost for SSL like this:
NameVirtualHost 192.168.0.2:443

<VirtualHost _default_:443>
NameVirtualHost tells Apache that there are several virtual hosts under the same IP.  So, at the bottom of httpd.conf you will want to put your VirtualHosts just before </IfDefine>.
<VirtualHost 192.168.0.2:443>
     ServerName domain.tld
     ServerAlias www.domain.tld
     ServerAdmin admin@domain.tld
     DocumentRoot /path/to/website/files
     SSLEngine on
     SSLCertificateFile /usr/local/etc/apache/ssl.crt/server.crt
     SSLCertificateKeyFile /usr/local/etc/apache/ssl.key/server.key
</VirtualHost>
Now, if you had a server listening on another IP address, you could set up another certificate for that IP address to use.  Then, your second VirtualHost could look like this:
<VirtualHost 192.168.0.3:443>
     ServerName domain2.tld
     ServerAlias www.domain2.tld
     ServerAdmin admin@domain2.tld
     DocumentRoot /path/to/website/files
     SSLEngine on
     SSLCertificateFile /usr/local/etc/apache/ssl.crt/server2.crt
     SSLCertificateKeyFile /usr/local/etc/apache/ssl.key/server2.key
</VirtualHost>
Notice that SSLCertificateFile and SSLCertificateKeyFile are just paths to the certificate and key.  Just remember that you have to use IP-based VirtualHosts, like we did, and not name-based ones.

Note:  Apache2 users: All of your SSL configuration is in a separate file at /usr/local/etc/apache2/ssl.conf so edit that for your SSL-aware VirtualHosts.

Section C -- Start Services

Your server is now ready to start MySQL and Apache with SSL.
# /usr/local/etc/rc.d/mysql-server.sh start
# /usr/local/sbin/apachectl startssl
When you start Apache with SSL, you will be prompted for the password you were told to remember.  You have to enter it every time Apache starts because the RSA private key is stored in encrypted form.  You can remove the encryption to eliminate the password prompt if you like, but it is not recommended for security reasons: if you remove the encryption and somebody gains control of your box, they can take your private key and certificate and impersonate you.  But if you are annoyed by the password prompt and feel confident that your server is secure, these are the steps to remove the encryption:
# cd /usr/local/etc/apache/ssl.key
# cp server.key server.key.orig
# openssl rsa -in server.key.orig -out server.key
Point your favorite browser to https://domain.tld and you should have a 128-bit secure connection.  That's all there is to setting up a standard web server with SSL support.  Happy hosting!
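
An added check, not part of the original guide, for the trade-off just described: once the passphrase has been removed, the only thing protecting the private key from other local users is the file mode.  This script reports whether a key file is still passphrase-protected and flags a plaintext key that is not mode 0400.  The sample key contents and paths are constructed for the example; it does not need openssl.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit an Apache private key
# after the optional passphrase-removal step. Assumes a PEM key as written by
# "openssl genrsa -des3": older openssl writes a traditional key with a
# "Proc-Type: 4,ENCRYPTED" header, newer openssl writes a PKCS#8
# "BEGIN ENCRYPTED PRIVATE KEY" block. Paths and key bodies are constructed.
set -eu

# Prints "encrypted" or "plaintext" for the key file given as $1.
key_state() {
    if grep -q -e '^Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"; then
        echo encrypted
    else
        echo plaintext
    fi
}

# Prints the symbolic mode of $1 (e.g. "-r--------"). ls is used instead of
# stat(1) because the stat flags differ between FreeBSD and Linux.
key_mode() {
    ls -l "$1" | cut -c1-10
}

# Prints "weak" for a plaintext key readable by group or others, and "ok" for
# a plaintext key that is mode 0400 or for a key that is still encrypted.
audit_key() {
    state=$(key_state "$1")
    mode=$(key_mode "$1")
    if [ "$state" = plaintext ] && [ "$mode" != "-r--------" ]; then
        echo weak
    else
        echo ok
    fi
}

# Constructed sample: a plaintext key left world-readable, then restricted.
WORK=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
    'MIIBOgIBAAJBAK-constructed-sample-not-a-real-key' \
    '-----END RSA PRIVATE KEY-----' > "$WORK/server.key"
chmod 0644 "$WORK/server.key"
before=$(audit_key "$WORK/server.key")   # weak
chmod 0400 "$WORK/server.key"
after=$(audit_key "$WORK/server.key")    # ok
echo "before chmod: $before, after chmod 0400: $after"
rm -f "$WORK/server.key"
```

Run it against the real key with `audit_key /usr/local/etc/apache/ssl.key/server.key` (as root, since the key is unreadable to everyone else once it is 0400); the backup server.key.orig created above is still encrypted and so reports "ok" regardless of its mode, but it should be kept out of the web server's directories all the same.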

Author: Jon LaBass
jon at bsdguides dot org

26 Comments

Posted by ManDude on April 04, 2005 at 8:58:49 am EEST

Thanks for the info. I'll give it a go later.


Posted by Hovi on April 04, 2005 at 8:58:49 am EEST

Hey, I don't get the options to install anything else with mod_php4. How can I install mod_php4 with some of the options it had before (that I could have picked but now can't)?
Thanks


Posted by Jon on April 04, 2005 at 8:58:49 am EEST

As of 07/19/2004, the php4 and php5 port structure has changed.  The lang/php4, lang/php5, www/mod_php4, and www/mod_php5 ports are only the "base" php.  You can install individual php extensions under the names of php4-<name of extension> or you can install php4-extensions which will give you the familiar look and feel that you are used to.


Posted by kingsz1 on April 04, 2005 at 8:58:49 am EEST

I got an error message when I completed the installation and tried to start MySQL:
# mysql
ERROR 2002:Can't connect to local MySQL server through cocket '/tmp/mysql.sock'(2)

How can I solve this problem?


Posted by Jon on April 04, 2005 at 8:58:49 am EEST

You did not have MySQL running when you tried to access the MySQL command line.  You first need to run

# /usr/local/etc/rc.d/mysql-server.sh start

and then you will be able to connect to mysql.


Posted by JeffH on April 04, 2005 at 8:58:49 am EEST

For Apache2, the copy commands:
# cp ~/server.key /usr/local/etc/apache/ssl.key/
# cp ~/server.crt /usr/local/etc/apache/ssl.crt/

need to be modified to
# cp ~/server.key /usr/local/etc/apache2/ssl.key/
# cp ~/server.crt /usr/local/etc/apache2/ssl.crt/


Posted by JeffH on April 04, 2005 at 8:58:49 am EEST

If you want to use the PEAR libraries you will want to install lang/php4 instead of mod_php4, since PEAR requires it and mod_php4 clashes with lang/php4, even though lang/php4 installs the mod_php4 libraries for Apache.


Posted by smarkit on April 04, 2005 at 8:58:49 am EEST

You should also mention that to create the default databases you need to run

mysql_install_db --user=mysql

And to start mysql automatically on boot

echo 'mysql_enable="YES"' >> /etc/rc.conf


Posted by neomaximus2k on August 08, 2006 at 5:01:33 pm EEST

/usr/local/etc/rc.d/mysql-server.sh start did not load up MySQL; it came up with "command not found". Any ideas?


Posted by neomaximus2k on August 08, 2006 at 5:51:47 pm EEST

Forgot to ask: how would you recompile?

I have a server here in the UK, but I need to enable the FTP functions for PHP as they are not enabled. Any ideas? I also need to add email support as well.


Posted by Jon on August 08, 2006 at 6:45:52 pm EEST

Looks like the latest version of the mysql port now uses the following command:

# /usr/local/etc/rc.d/mysql-server start

I will update the guide to reflect this.

In terms of adding FTP functionality to PHP, just use the phpX-extensions.  For example:

# cd /usr/ports/lang/php4-extensions
# make config
# make install clean

Or you can install php4-ftp by itself:

# cd /usr/ports/ftp/php4-ftp
# make install clean

Of course, use php5 if that's the version you are using.


Posted by neomaximus2k on August 08, 2006 at 6:53:04 pm EEST

Thanks Jon, the update would be great.
As for the FTP bit, I am connected via SSH. I can't remove php4 and the ports are not on the system. I have seen you can use ./configure to do it, but it keeps coming back with "invalid command".


Posted by Jon on August 08, 2006 at 8:46:37 pm EEST

You should definitely install the ports tree and use it to install software.  It will make your life so much easier.  You can find a guide on getting the ports tree installed at http://www.bsdguides.org/guides/freebsd/beginners/portsnap.php


Posted by neomaximus2k on August 09, 2006 at 11:18:52 am EEST

Thanks for that Jon, but when I issue the command it says "command not found" :S
The server is running

FreeBSD here.dedicated.turbodns.co.uk 4.11-STABLE FreeBSD 4.11-STABLE #7: Thu Mar i386


Posted by Jon on August 09, 2006 at 4:23:32 pm EEST

pkg_add -r portsnap

That should get you going.


Posted by neomaximus2k on August 16, 2006 at 11:32:53 am EEST

Is there any way of NOT getting the machine to ask you for the security word when it reboots?  As I found out, if my Linux machine at home reboots for any reason my clients can't get onto their sites and I start losing money :( but I need SSL

aaaahhhhh


Posted by Jon on August 16, 2006 at 4:17:02 pm EEST

Yes there is.  The last paragraph of this guide talks about just that.


Posted by amardeo on August 20, 2006 at 10:12:16 am EEST

I used the same procedure, except that I installed PHP5 and on FreeBSD 6.1. Now on accessing index.php the browser prompts me to save the file. It works fine with HTML. Any idea what I did wrong?


Posted by amardeo on August 20, 2006 at 10:29:57 am EEST

Forget the question - I found the error, a syntax error in my addition of AddType. Sorry.


Posted by Melvinchi on September 20, 2006 at 7:22:25 pm EEST

I just want to say that I love this tutorial. Keep up the good work

~Melvinchi


Posted by kingkong on November 28, 2006 at 10:22:39 am EET

What about apache13-modssl and apache2?


Posted by rhyous on March 22, 2007 at 6:36:22 am EET

You can get a free Signed cert at http://cert.startcom.org


Posted by rhyous on March 22, 2007 at 6:39:50 am EET

When you install PHP, do a "make install clean" instead of "make install distclean".  Otherwise the PHP source is deleted and downloaded again when you install php-extensions.


Posted by donanak on May 12, 2007 at 11:27:24 am EEST

Hi there, I'm a newbie and trying to follow the guide. But I don't know nano so I can't add the 2 lines required after the "LoadModule".

Can someone help to confirm if the lines are these:

AddType application httpd php .php

AddType application http php source .phps


I need to get this up by tonight so please kindly help here.

Thanks all.


Posted by therek on May 12, 2007 at 2:41:45 pm EEST

donanak, you can use any other text editor which suits you best. I think edit is pretty easy to use and comes with FreeBSD base system (I think:)).


Posted by donanak on May 12, 2007 at 10:31:28 pm EEST

Thanks therek,

I got pico to use; it's kinda easy to use for a newbie, but I'm learning vi as I've heard it's pretty cool.

Thanks


Copyright 2003 - 2008 BSD Guides.  All rights reserved.