April 13, 2010
This document describes the process of setting up an Apache 2 Web Server on Slackware Linux with PHP5, OpenSSL and support for either PostgreSQL and/or DB2 databases (native and PDO).
Test Platform:
- IBM eServer 325
- 2x AMD Opteron SledgeHammer 246 2GHz CPUs
- Slackware Linux 13.0 (AMD64)
Keep in mind that this document does not cover hardening the system. That process is outlined in other documents from myself or others. This machine needs to be well protected. It may be in a very vulnerable position, facing that filthy and scary Internet.
You will need root access to do most of these tasks.
I believe in an operating system configuration that is as minimal as possible. Because of this, I've created a set of "tagfiles" tailored specifically for this system's purpose. Download tagfiles.tar and extract the contents to a floppy or USB thumb drive... whichever your system can support. Now plug in the drive or insert the floppy into the target system.
After booting the installation media, you will be asked to log in as root. After this, you need to mount the media that contains the tagfiles from that .tar file. If you're using a floppy, do this:
root@slackware:/# mkdir /tagfiles
root@slackware:/# mount /dev/fd0 /tagfiles
If you're using a USB drive, enter fdisk -l to find out the device name of your drive. For example, mine is /dev/sda1:
root@slackware:/# mkdir /tagfiles
root@slackware:/# mount /dev/sda1 /tagfiles
Don't forget to set up your hard drive(s) using fdisk. I won't go into those details, just make sure /usr and /var have a decent amount of space in each.
Now type setup and continue the normal installation process. When prompted for the PACKAGE SERIES SELECTION, choose the following:
[*] A     Base Linux system
[*] AP    Various Applications that do not need X
[*] D     Program Development (C, C++, Lisp, Perl, etc.)
[ ] E     GNU Emacs
[ ] F     FAQ lists, HOWTO documentation
[*] K     Linux kernel source
[ ] KDE   Qt and the K Desktop Environment for X
[ ] KDEI  International language support for KDE
[*] L     System Libraries (needed by KDE, GNOME, X, and more)
[*] N     Networking (TCP/IP, UUCP, Mail, News)
[ ] T     TeX typesetting software
[ ] TCL   Tcl/Tk script languages
[*] X     X Window System
[ ] XAP   X Applications
[ ] Y     Games
When asked about the prompting mode, select tagpath and hit enter. Now enter the following path line:
/tagfiles
The automated installation should now begin. Go get a sandwich. When it finishes installing the file sets, pull the USB drive! I've noticed it messes up the LILO/MBR installation if left in for the rest of the installation.
When asked which services to run at startup, select only what you need (sshd and syslog). When finished, reboot and continue.
We want to stay current, with a stable and secure operating environment. The newer releases of Slackware make this simple. First, edit the /etc/slackpkg/mirrors file by un-commenting a mirror close to you (be sure to edit the "Slackware64 13.0" section). Then, do the following:
# slackpkg update && slackpkg upgrade-all
This command will hunt down updates applicable to your environment. A dialog should pop up prompting you to select the desired packages for update. Keep them all selected and hit enter (OK).
Time accuracy is very important for any system. I do this in a simple way, by just adding the following script to the /etc/cron.daily directory (so it updates the time once per day):
# echo "/usr/sbin/ntpdate time.nist.gov" >> /etc/cron.daily/ntpupdate
# chmod +x /etc/cron.daily/ntpupdate
I use the NIST server because it is close and always works for me. I recommend you check out the NTP Pool Project for the one best for you.
Now that we are updated and the time settings are complete, you should reboot.
IBM DB2 Support
Slackware is probably the only Linux/UNIX distribution that does not come with PAM support. Yeah, they're actually more paranoid than the OpenBSD folks on this issue. Anyway, we need PAM for the DB2 client (and there is no way to continue without it, which is annoying). This isn't really a functioning installation, we just need to make the PAM libraries available to DB2.
# cd /usr/src
# wget http://www.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-0.99.10.0.tar.bz2
# tar xvfj Linux-PAM-0.99.10.0.tar.bz2
# rm Linux-PAM-0.99.10.0.tar.bz2 && cd Linux-PAM-0.99.10.0
# ./configure && make && make install
Next, download, extract and install the DB2 version 9.5 client (~245MB) software (use the defaults and follow the prompts!). If you are using your full DB2 Enterprise 9 package, the process is similar but different. Also, I'm assuming the database will live on another system, so I only detail the client install.
# cd /usr/src
# wget http://www.procyonlabs.com/mirrors/IBM/v9.5fp5_linuxx64_client.tar.gz
# tar xvfz v9.5fp5_linuxx64_client.tar.gz
# rm v9.5fp5_linuxx64_client.tar.gz
# ./client/db2_install
To install a DB2 client instance, you will need a dedicated system account and home directory (client instances are tied to a user account). You will also need to source the instance (set environment variables). IBM supplies a script for this purpose. Notice, the "l" in db2inst1 below is the number one (1).
# groupadd db2inst1
# useradd -g db2inst1 -m db2inst1
# passwd db2inst1
# /opt/ibm/db2/V9.5/instance/db2icrt -s CLIENT db2inst1
# echo ". /home/db2inst1/sqllib/db2profile" >> /etc/profile
# source /etc/profile
Next we need to set up the client connection to the DB2 server. This is an example. You can use any arbitrary name for the NODE, I usually just use db2node:
# db2 CATALOG TCPIP NODE db2node REMOTE 192.168.0.25 SERVER 50000
# db2 CATALOG DATABASE ccorders AT NODE db2node
If you are configuring for IBM DB2 support, add one (or both) of these to your ./configure flags when we get to the PHP section:
--with-ibm-db2
--with-pdo-odbc=ibm-db2
For details on using the PDO method of PHP/DB2, click here.
For details on using the native method of PHP/DB2, click here.
PostgreSQL Support
# wget http://www.procyonlabs.com/mirrors/postgresql/postgresql-8.4.3.tar.bz2
# tar xvfj postgresql-8.4.3.tar.bz2
# rm postgresql-8.4.3.tar.bz2 && cd postgresql-8.4.3
# ./configure --with-openssl
# make && make install
For PostgreSQL support, add one (or both) of these to your ./configure flags:
--with-pgsql=/usr/local/pgsql
--with-pdo-pgsql=/usr/local/pgsql
Apache 2
Your configure flags may vary - this works for me:
# cd /usr/src
# wget http://archive.apache.org/dist/httpd/httpd-2.2.15.tar.bz2
# tar xvfj httpd-2.2.15.tar.bz2
# rm httpd-2.2.15.tar.bz2 && cd httpd-2.2.15
# ./configure --enable-ssl --disable-userdir --enable-so
# make && make install
PHP 5
There are all kinds of things you can do to configure PHP. These are all really just examples, starting points. Salt to taste. You can add or remove options for your specific needs. See the PHP 5 compile options for more detail (./configure --help).
# cd /usr/src
# wget -O php-5.3.2.tar.gz http://www.php.net/get/php-5.3.2.tar.gz/from/this/mirror
# tar xvfz php-5.3.2.tar.gz
# rm php-5.3.2.tar.gz && cd php-5.3.2
The basic ./configure line I use is as follows (add/subtract as you need):
# ./configure --with-apxs2=/usr/local/apache2/bin/apxs --with-zlib \
--with-bz2 --with-gettext --with-openssl --with-gd --enable-exif \
--with-jpeg-dir --with-png-dir --with-xpm-dir --enable-gd-native-ttf \
--with-iconv --enable-mbstring=all --enable-mbregex --with-mhash \
--with-mcrypt --with-curl --with-libdir=lib64
After running your entire ./configure routine, it is time to compile and install:
# make && make install
# cp /usr/src/php-5.3.2/php.ini-production /usr/local/lib/php.ini
Edit the Apache configuration file (httpd.conf):
# vi /usr/local/apache2/conf/httpd.conf
To allow Apache to use index.php files for index pages, change the following line like so (index.php is the addition):
<IfModule dir_module>
DirectoryIndex index.html index.php
</IfModule>
Tell Apache to parse the .php extension by adding this line in the AddType area (within the <IfModule mime_module> section):
AddType application/x-httpd-php .php
For SSL to work, we need to un-comment the following Include directive like so (near the very end of the file):
# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf
Edit the Apache SSL configuration file (httpd-ssl.conf):
# vi /usr/local/apache2/conf/extra/httpd-ssl.conf
Edit the <VirtualHost _default_:443> section to match the environment you are using. This should be self explanatory. If you have trouble, check the help files or get a really good book on Apache.
Now, we need to create the SSL key / certificate pair!
Generate the SSL server key (keep this extra super secret private). You will have to enter a passphrase for this process, however if you do not wish to use one (for practical / unattended reboot purposes), don't enter the -aes256 flag:
# openssl genrsa -out /usr/local/apache2/conf/server.key -aes256 2048
Next, create a certificate signing request (CSR):
# openssl req -new -key /usr/local/apache2/conf/server.key -out \
/usr/local/apache2/conf/server.csr
Now, you can either send the certificate request (server.csr) to a Certificate Authority (CA) to be signed, or you can sign it yourself. CAs can be expensive, but it can be better to gain trust from customers - as the browser warning from a self-signed certificate can scare away some folks. The following process will create a self-signed certificate with a two year expiration:
# openssl req -x509 -days 730 -key /usr/local/apache2/conf/server.key \
-in /usr/local/apache2/conf/server.csr > \
/usr/local/apache2/conf/server.crt
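An added check for the key created above (not part of the original guide): the hypothetical audit_key function reports whether a PEM key file is accessible to group or other users and whether it carries a passphrase, which matters most when the -aes256 flag was left out. It reads only the file mode and the PEM header, so it does not need OpenSSL.

```shell
#!/bin/sh
# Added example, not from the original guide. audit_key is a hypothetical name.
# Usage: audit_key /usr/local/apache2/conf/server.key
# Prints one finding per line. Returns 0 if only the owner can access the
# file, 1 if group/other have any permission bit set, 2 if the file is missing.

audit_key() {
    key=$1
    if [ ! -f "$key" ]; then
        echo "missing: $key"
        return 2
    fi
    rc=0

    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld -- "$key" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "exposed: group/other bits are '$perms' (fix: chmod 600 $key)"
        rc=1
    else
        echo "ok: owner-only permissions"
    fi

    # A passphrase-protected key has either the traditional
    # "Proc-Type: 4,ENCRYPTED" header or the PKCS#8 ENCRYPTED label.
    if grep -Eq '^Proc-Type: 4,ENCRYPTED|^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$key"; then
        echo "passphrase: yes"
    else
        # Informational only: the guide allows this for unattended reboots.
        echo "passphrase: no (file permissions are the only protection)"
    fi
    return $rc
}
```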
Now we should test our Apache & PHP install. Create a file named info.php in the /usr/local/apache2/htdocs (or whichever area you configured as your www folder) directory. Place the following lines in that file:
Now start an instance of the httpd server as follows:
# /usr/local/apache2/bin/apachectl start
Go to any Web browser networked to this machine and enter its URL (http://name-or-ip/info.php). Review all the settings and make sure it is all correct. You should stop the Apache server process now by executing the same line as starting it, only with the stop parameter instead.
If you get a "Forbidden - You don't have permission to access / on this server" message when loading SSL pages, try replacing the word Deny with Allow in the line "Deny from all" within the <Directory> block of the httpd.conf file. Restart apachectl and try again.
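If the block edited in that last tip is <Directory />, access is opened for the whole filesystem tree rather than only for the site's document root. The following added example (not from the original guide; the function names and both sample configurations are constructed, and it assumes the Apache 2.2 Order/Allow/Deny syntax used here) reports how <Directory /> is set and contrasts that edit with a grant scoped to the document root.

```shell
#!/bin/sh
# Added example, not from the original guide. Prints root-closed, root-open,
# review or no-root-block for the <Directory /> block of an Apache 2.2 config.

audit_root_directory() {
    awk '
        /^[ \t]*#/ { next }                                  # ignore comments
        { line = tolower($0) }
        line ~ /^[ \t]*<directory[ \t]+"?\/"?[ \t]*>/ { inroot = 1; seen = 1; next }
        inroot && line ~ /^[ \t]*<\/directory>/ { inroot = 0; next }
        inroot && line ~ /^[ \t]*allow[ \t]+from[ \t]+all/ { allow = 1 }
        inroot && line ~ /^[ \t]*deny[ \t]+from[ \t]+all/ { deny = 1 }
        END {
            if (!seen)          { print "no-root-block"; exit 2 }
            if (deny && !allow) { print "root-closed";   exit 0 }
            if (allow && deny)  { print "review";        exit 1 }  # result depends on Order
            print "root-open"; exit 1     # without a Deny, 2.2 allows access
        }
    ' "$1"
}

# Constructed sample: Deny replaced with Allow inside <Directory />.
write_weak_conf() {
    cat > "$1" <<'EOF'
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Allow from all
</Directory>
EOF
}

# Constructed sample: root stays denied, only the document root is opened.
write_scoped_conf() {
    cat > "$1" <<'EOF'
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>
<Directory "/usr/local/apache2/htdocs">
    Order allow,deny
    Allow from all
</Directory>
EOF
}
```

Run audit_root_directory /usr/local/apache2/conf/httpd.conf after any access-control edit; if the SSL virtual host uses a different DocumentRoot, the scoped <Directory> path should name that directory instead.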