May 14, 2009
Operating System: CentOS Linux 5.3
Platform: x86_64
Application(s): Apache 2, PHP 5, OpenSSL
Database(s): PostgreSQL, MySQL, Oracle, DB2 (client support)
This document describes the process of setting up an Apache 2 Web Server on CentOS Linux x86_64 with PHP5, OpenSSL and client support for PostgreSQL, MySQL, Oracle and/or DB2 databases (the databases themselves are assumed to live on other hosts).
Test Platform:
- IBM eServer 325
- x2 AMD Opteron SledgeHammer 246 / 3GB RAM
- CentOS Linux 5.3 (x86_64)
For this task, we will compile most applications from source (so we can have the latest releases, compiled to our taste). The flip side is that yum update will not touch anything built from source: you have to follow each project's security announcements and rebuild when a fix comes out.
Keep in mind that this document does not cover hardening the system. That process is outlined in other documents, by me and by others. This machine needs to be well protected: it will be in a very vulnerable position, facing that filthy and scary Internet.
Also, you will need root access to do most of these tasks.
Go through the installation procedure and set things up according to your network and needs. You may want to nudge up the size on the /var partition, depending on your estimated needs. This guide uses /var/www as the home for the Web directory.
When you get to the package selection process, uncheck all the general support package collections (like Desktop, Server, etc.) and select "Customize Now." Click next.
Make sure you have at least the following package groups selected (the defaults within each should be sufficient):
- Development Libraries
- Development Tools
After the installation is complete, reboot.
If, like me, you installed without X support (no GUIs), you will get a "Setup Agent" screen after rebooting. Be fast; it goes away if you ignore it for too long. Select "Firewall configuration" and then "Customize." Here, make sure you allow incoming WWW (HTTP) and Secure WWW (HTTPS). I use SFTP to transfer files to the Web server, so SSH needs to be enabled for that (instead of FTP). I also disable SELinux, but if you are comfortable with the detailed configuration this feature needs, by all means leave it on Enforcing and pay attention!
For "Services," I disabled Bluetooth, firstboot and Sendmail.
Once you log in as root, the first thing you should do is run yum update. It is important to keep your system as up to date as possible. When this process is finished, reboot and continue on!
For Oracle (InstantClient Software & SDK):
Download, extract and install the Oracle Instant Client software. If you are using the full Oracle client package, the process is similar, but the paths differ. I'm assuming the database will live on another system, so I only detail the client install. This process also assumes Oracle 11g. The files go in the /opt directory.
Grab the following files from the Instant Client Downloads for Linux x86-64 site and put them in /opt:
- Instant Client Package - Basic Lite
- Instant Client Package - SDK
# cd /opt
# unzip basiclite-11.1.0.7.0-linux-x86_64.zip
# unzip sdk-11.1.0.7.0-linux-x86_64.zip
# rm *.zip
PHP's OCI8 extension links against a library named libclntsh.so, but the 11g Instant Client zip ships only the versioned libclntsh.so.11.1 and no unversioned name. This is a missing symlink in the Instant Client packaging rather than a PHP bug, but it bites during the PHP build, and a soft link solves it:
# ln -s /opt/instantclient_11_1/libclntsh.so.11.1 \
/opt/instantclient_11_1/libclntsh.so
For IBM DB2 Client:
Download, extract and install the DB2 version 9.5 client (~260MB) software (use the defaults and follow the prompts!). If you are using your full DB2 Enterprise 9 package, the process is similar, but the paths differ. Also, I'm assuming the database will live on another system, so I only detail the client install. The archive is fetched over anonymous FTP, which gives you no assurance of what you received; compare it with a checksum obtained from IBM's own site before running the installer.
# yum install compat-libstdc++-33 libaio
# cd /usr/src
# wget ftp://ftp.software.ibm.com/ps/products/db2/fixes2/english-us/db2linuxAMD64v95/fixpack/FP3b_MI00299/v9.5fp3b_linuxx64_client.tar.gz
# tar -xzvf v9.5fp3b_linuxx64_client.tar.gz
# rm v9.5fp3b_linuxx64_client.tar.gz
# ./client/db2_install
To install a DB2 client instance, you will need a dedicated system account and home directory (client instances are tied to a user account). You will also need to source the instance (set environment variables). IBM supplies a script for this purpose.
# useradd -m plabs
# passwd plabs
# /opt/ibm/db2/V9.5/instance/db2icrt -s CLIENT plabs
# echo ". /home/plabs/sqllib/db2profile" >> /etc/profile
Next we need to set up the client connection to the DB2 server. This is an example; you can use any arbitrary name for the NODE, I usually just use db2node:
For PostgreSQL Client:
Rather than fetch and install a pre-packaged binary, let's do it from source. This gives us the latest version, compiled with only what we need. The mirror below is a third-party one: whichever mirror you use, check the tarball against the checksum or signature published on postgresql.org before unpacking it.
# wget http://www.procyonlabs.com/mirrors/postgresql/postgresql-8.3.7.tar.bz2
# tar -xjvf postgresql-8.3.7.tar.bz2
# rm postgresql-8.3.7.tar.bz2 && cd postgresql-8.3.7
# ./configure --without-readline --with-openssl
# make && make install
Note that make install also installs the PostgreSQL server binaries. If you want only the client tools and libpq on the Web server, the PostgreSQL manual describes a client-only install (installing just src/bin, src/include and src/interfaces).
For MySQL Client:
Rather than fetch and install a pre-packaged binary, let's do it from source. This gives us the latest version, compiled with only what we need (--without-server builds just the client programs and libraries). Verify the tarball against the checksum published on mysql.com before unpacking it. The argument to --with-ssl is the OpenSSL install prefix (the directory that holds include/openssl and the libraries); for the CentOS openssl-devel package that is /usr, not /usr/bin:
# wget http://www.procyonlabs.com/mirrors/mysql/mysql-5.1.34.tar.gz
# tar -zxvf mysql-5.1.34.tar.gz
# rm mysql-5.1.34.tar.gz && cd mysql-5.1.34
# ./configure --without-server --with-ssl=/usr
# make && make install
Apache 2
Your configure flags may vary; this works for me. --enable-ssl builds mod_ssl against the system OpenSSL and --enable-so lets PHP be loaded as a module. --enable-dav compiles WebDAV in; leave it out unless you need it, and in any case only turn DAV on for the specific directories that require it, since it lets clients write to the tree:
# cd /usr/src
# wget http://archive.apache.org/dist/httpd/httpd-2.2.11.tar.bz2
# tar -xjvf httpd-2.2.11.tar.bz2
# rm httpd-2.2.11.tar.bz2 && cd httpd-2.2.11
# ./configure --enable-ssl --enable-dav --disable-userdir --enable-so
# make && make install
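Every tarball in this guide (PostgreSQL, MySQL, Apache, PHP, the DB2 fix pack) is fetched over plain HTTP or FTP, several of them from third-party mirrors, and unpacked straight away. The functions below are an added example that is not part of the original guide: they check a download against a digest the project itself publishes (and, optionally, a detached GPG signature) and refuse to leave an unverified archive on disk. The digest in the usage comment is a placeholder, not the real value for httpd-2.2.11; the only trustworthy source for an expected digest is the project's own site or signed release announcement, never the mirror that served the file.

```shell
#!/bin/sh
# Added example (not from the original guide): check a downloaded source
# archive against a digest the project itself publishes before it is
# unpacked. EXPECTED values are never taken from the mirror that served
# the file; they come from the project's site or its signed release mail.

# verify_digest ALGO FILE EXPECTED_HEX
# ALGO is md5, sha1 or sha256 (whichever the project publishes; prefer
# sha256). Returns 0 on match, 1 on mismatch, 2 on usage or tool error.
verify_digest() {
    algo=$1
    file=$2
    expected=$(printf '%s' "$3" | tr 'A-F' 'a-f')
    case $algo in
        md5|sha1|sha256) ;;
        *) echo "verify_digest: unsupported algorithm '$algo'" >&2; return 2 ;;
    esac
    [ -r "$file" ] || { echo "verify_digest: cannot read $file" >&2; return 2; }
    # md5sum/sha1sum/sha256sum are all in coreutils (CentOS 5 included).
    actual=$("${algo}sum" "$file" | cut -d' ' -f1)
    if [ -n "$actual" ] && [ "$actual" = "$expected" ]; then
        return 0
    fi
    printf 'DIGEST MISMATCH (%s) for %s\n  expected %s\n  actual   %s\n' \
        "$algo" "$file" "$expected" "$actual" >&2
    return 1
}

# verify_gpg FILE SIGFILE
# Returns 0 when SIGFILE is a good detached signature over FILE made by a
# key already in the local keyring (import the project's KEYS file first,
# e.g. "gpg --import KEYS" for the Apache httpd release keys). A signature
# is the stronger check: a digest only helps if you fetched it from a site
# the mirror operator does not control.
verify_gpg() {
    gpg --verify "$2" "$1" >/dev/null 2>&1
}

# fetch_verified ALGO EXPECTED_HEX URL
# Downloads URL into the current directory and deletes the file again
# unless its digest matches, so a bad download is never left lying around
# for a later "tar -xf".
fetch_verified() {
    algo=$1
    expected=$2
    url=$3
    file=$(basename "$url")
    if ! wget -q -O "$file" "$url"; then
        rm -f "$file"
        echo "download of $url failed" >&2
        return 1
    fi
    if ! verify_digest "$algo" "$file" "$expected"; then
        rm -f "$file"
        return 1
    fi
    echo "verified $file"
}

# Usage. The digest below is a PLACEHOLDER (an assumption); take the real
# value from the checksum file next to the tarball on archive.apache.org,
# or verify the .asc signature with verify_gpg after importing KEYS.
# fetch_verified sha256 \
#     0000000000000000000000000000000000000000000000000000000000000000 \
#     http://archive.apache.org/dist/httpd/httpd-2.2.11.tar.bz2 \
#   && tar -xjf httpd-2.2.11.tar.bz2
```

Wire fetch_verified in place of the bare wget lines above and the tar step can never run on an archive that did not match; the md5 and sha1 options exist only because some 2009-era projects published nothing stronger, in which case the GPG signature is the check to rely on.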
PHP 5
There are all kinds of things you can do to configure PHP. These are all examples, starting points. Salt to taste. You can add or remove options for your specific needs. See the PHP 5 compile options for more detail (./configure --help).
For the ./configure line below, add the following depending on the database(s) you plan to support:
PostgreSQL:
--with-pgsql=/usr/local/pgsql
Oracle:
See post-compile instructions...
IBM DB2:
--with-ibm-db2=/home/plabs/sqllib
MySQL:
--with-mysql=/usr/local
# cd /usr/src
php.net serves the tarball through a redirector, so tell wget the file name to save under (otherwise it is saved as "mirror"):
# wget -O php-5.2.9.tar.gz http://www.php.net/get/php-5.2.9.tar.gz/from/this/mirror
# tar -xzvf php-5.2.9.tar.gz
# rm php-5.2.9.tar.gz && cd php-5.2.9
# yum install libjpeg-devel libpng-devel libXpm-devel libc-client-devel \
libmcrypt-devel libmhash-devel
# ./configure --with-apxs2=/usr/local/apache2/bin/apxs --with-zlib \
--with-bz2 --with-gettext --with-openssl --with-gd --enable-exif \
--with-jpeg-dir=/usr/lib64 --with-png-dir=/usr/lib64 \
--with-xpm-dir=/usr/lib64 --enable-gd-native-ttf --with-iconv \
--enable-mbstring=all --enable-mbregex --with-imap=/usr/lib64 \
--with-imap-ssl=/usr/lib64 --with-kerberos --with-mcrypt \
--with-mhash
# make && make install
# cp /usr/src/php-5.2.9/php.ini-recommended /usr/local/lib/php.ini
If you want Oracle database support, install the OCI8 extension from PECL (pecl install oci8; the pecl tool was installed along with PHP). The installer first asks which of its configuration settings you want to change: enter 1 to update the first (and only) setting. The OCI8 configuration prompt will then be shown:
Please provide the path to the ORACLE_HOME directory. Use 'instantclient,/path/to/instant/client/lib'
if you're compiling with Oracle Instant Client [autodetect] :
Enter the path as:
instantclient,/opt/instantclient_11_1
After that is finished, just hit enter to exit the menu. Next, add the following line in the section called "Dynamic Extensions" in /usr/local/lib/php.ini:
extension=oci8.so
While you are in php.ini, check extension_dir: if it is still the stock "./", set it to the directory pecl installed into, which php-config --extension-dir prints, or the extension will not be found.
Apache must also be able to find the Instant Client shared libraries at run time. The zip files unpack straight into /opt/instantclient_11_1 (there is no lib subdirectory), so that is the directory to add. Putting it in /etc/profile, with single quotes so the existing value is appended at login rather than at the time of the echo, covers testing from a login shell:
# echo 'LD_LIBRARY_PATH=/opt/instantclient_11_1:$LD_LIBRARY_PATH' >> /etc/profile
# echo "export LD_LIBRARY_PATH" >> /etc/profile
# source /etc/profile
An httpd started from an init script at boot never reads /etc/profile, so put the same two lines in /usr/local/apache2/bin/envvars (which apachectl sources), or add the directory to a file under /etc/ld.so.conf.d and run ldconfig; then the module loads the same way whether you start the server by hand or at boot.
Edit the Apache configuration file (httpd.conf):
# vi /usr/local/apache2/conf/httpd.conf
To allow Apache to use index.php files for index pages, add index.php to the DirectoryIndex line:
<IfModule dir_module>
DirectoryIndex index.html index.php
</IfModule>
Tell Apache to parse the .php extension by adding this line in the AddType area (within the <IfModule mime_module> section):
AddType application/x-httpd-php .php
For SSL to work, we need to un-comment the following Include directive like so (near the very end of the file):
# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf
Edit the Apache SSL configuration file (httpd-ssl.conf):
# vi /usr/local/apache2/conf/extra/httpd-ssl.conf
Edit the <VirtualHost _default_:443> section to match the environment you are using. This should be self explanatory. If you have trouble, check the help files or get a really good book on Apache.
Now, we need to create the SSL key / certificate pair!
Generate the server's private key, and keep it private: anyone who obtains it can impersonate the site. The -aes256 flag encrypts the key under a passphrase, which Apache will ask for every time it starts. If you do not want that (for unattended reboots), leave the -aes256 flag off; the unencrypted key file must then be owned by root with mode 0600 (chmod 600 it after creating it), readable only by the root-owned httpd parent process:
# openssl genrsa -out /usr/local/apache2/conf/server.key -aes256 2048
Next, create a CSR (certificate signing request):
# openssl req -new -key /usr/local/apache2/conf/server.key -out \
/usr/local/apache2/conf/server.csr
Now, you can either send the certificate request (server.csr) to a Certificate Authority (CA) to be signed, or you can sign it yourself. CAs can be expensive, but a CA-signed certificate gains trust from customers, as the browser warning from a self-signed certificate can scare away some folks. The following process will create a self-signed certificate with a two year expiration:
# openssl req -x509 -days 730 -key /usr/local/apache2/conf/server.key \
-in /usr/local/apache2/conf/server.csr > \
/usr/local/apache2/conf/server.crt
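The same key, CSR and self-signed certificate steps, done with the safeguards a production box needs and followed by checks that the result is sane before Apache is pointed at it. This is an added example, not code from the original guide: it creates the key under a restrictive umask, puts the host name into a subjectAltName (browsers match the name against the SAN, not the CN), signs with SHA-256, and then confirms that the certificate really belongs to the key and that the key file is readable only by its owner. The host name www.example.com and the output directory are assumptions; the guide's own paths are /usr/local/apache2/conf/server.{key,csr,crt}.

```shell
#!/bin/sh
# Added example, not from the original guide. Requires the openssl CLI.

# make_server_cert DIR HOSTNAME [DAYS]
# Writes DIR/server.key, DIR/server.csr and a self-signed DIR/server.crt.
# The key is left unencrypted so httpd can restart unattended; that is only
# acceptable if root alone can read it, so it is created under umask 077 and
# explicitly set to mode 0600 (the guide's server.key path is an assumption
# here; pass /usr/local/apache2/conf as DIR to match it).
make_server_cert() {
    dir=$1; host=$2; days=${3:-730}
    mkdir -p "$dir" || return 1
    ( umask 077 && openssl genrsa -out "$dir/server.key" 2048 2>/dev/null ) || return 1
    chmod 0600 "$dir/server.key"
    # Request config: CN and SAN both carry the (assumed) host name.
    cat > "$dir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $host
[v3_req]
subjectAltName = DNS:$host
extendedKeyUsage = serverAuth
EOF
    openssl req -new -sha256 -key "$dir/server.key" -config "$dir/openssl.cnf" \
        -out "$dir/server.csr" 2>/dev/null || return 1
    # Self-sign the CSR with SHA-256. Send server.csr to a CA instead when
    # you need a certificate browsers trust without a warning.
    openssl x509 -req -sha256 -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/server.key" -extfile "$dir/openssl.cnf" -extensions v3_req \
        -out "$dir/server.crt" 2>/dev/null || return 1
    chmod 0644 "$dir/server.crt"
}

# cert_matches_key KEYFILE CERTFILE
# 0 when the public key in CERTFILE is the one belonging to KEYFILE. A
# mismatch (typically a certificate renewed against a freshly generated key)
# makes mod_ssl refuse to start, so check before restarting httpd.
cert_matches_key() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# key_is_private KEYFILE: 0 when nobody but the owner can read the key file.
key_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    case $mode in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

# cert_has_san CERTFILE HOSTNAME: 0 when the certificate lists DNS:HOSTNAME.
cert_has_san() {
    openssl x509 -noout -text -in "$1" 2>/dev/null | grep -q "DNS:$2"
}

# Usage (paths and host name are assumptions):
#   make_server_cert /usr/local/apache2/conf www.example.com 730 \
#     && cert_matches_key /usr/local/apache2/conf/server.key \
#                         /usr/local/apache2/conf/server.crt \
#     && key_is_private /usr/local/apache2/conf/server.key \
#     && cert_has_san /usr/local/apache2/conf/server.crt www.example.com
```

Run the three checks again after every certificate renewal, before restarting Apache: they catch the two mistakes that most often leave an HTTPS site down (a certificate that does not match the deployed key, and a key file that a careless copy left world-readable).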
Now we should test our Apache & PHP install. Create a file named info.php in /usr/local/apache2/htdocs (or whichever directory you configured as your www folder) containing a single PHP call to phpinfo().
Now start an instance of the httpd server as follows:
# /usr/local/apache2/bin/apachectl start
Go to any Web browser networked to this machine and enter its URL (http://name-or-ip/info.php). Review all the settings and make sure they are correct. Then delete info.php: it discloses the exact PHP, Apache and module versions, build flags and filesystem paths to anyone who can reach the server. Stop the Apache server process now by executing the same line as for starting it, only with the stop parameter instead of start.
If you get a "Forbidden - You don't have permission to access / on this server" message when loading SSL pages, the DocumentRoot you set in httpd-ssl.conf has no <Directory> block of its own and therefore inherits the "Deny from all" of the <Directory /> block in httpd.conf. Do not change that root block to Allow: it is what keeps the rest of the filesystem from being served through a stray Alias or symlink. Instead, copy the <Directory "/usr/local/apache2/htdocs"> block from httpd.conf (into httpd.conf or httpd-ssl.conf), change the path to the SSL DocumentRoot, and keep its "Allow from all". Restart apachectl and try again.
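Rather than flipping the root <Directory /> block to Allow, which would let any Alias or symlink expose the whole filesystem, grant access only to the directory the SSL virtual host serves. The fragment below is an added example, not configuration from the original guide; /var/www/ssl is an assumed path and must match the DocumentRoot you set in httpd-ssl.conf.

```apache
# Leave the filesystem root closed. This is the Apache 2.2 default block
# from httpd.conf; the fix is to NOT touch it.
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

# Open only the SSL DocumentRoot (assumed path; use the one from
# httpd-ssl.conf). -Indexes stops directory listings where no index file
# exists; AllowOverride None keeps .htaccess files from re-enabling them.
<Directory "/var/www/ssl">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
```

After editing, run /usr/local/apache2/bin/apachectl configtest before restarting so a typo in the block does not take the server down.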