December 27, 2009
This document describes the process of setting up an Apache 2 Web Server with AMD64 (or i386, just change some locations) hardware, OpenBSD 4.6, PHP5, OpenSSL and support for PostgreSQL 8.3 and/or MySQL 5. We will be using the ports method to setup this system.
Test Platform:
- IBM eServer 325
- 2x AMD Opteron SledgeHammer 246 2Ghz CPUs
- OpenBSD 4.6 AMD64 (bsd.mp)
Keep in mind that this document does not cover hardening the system. That process is outlined in other documents from myself or others. This machine needs to be well protected. It will be in a very vulnerable position, facing that filthy and scary Internet.
Also, you will need root access to do most of these tasks.
During installation of the OS, say yes when asked to start sshd by default and no when asked if you expect to run the X Window System. When selecting the installation sets stick with the defaults, but remove the game46.tgz set. FYI, the xbase46.tgz and xshare46.tgz sets are needed for the gd PHP extension.
If you are using an SMP (multi-processor) system, be sure to keep the bsd.mp kernel selected. 4.6 introduces this clever feature where it will automatically replace the stock bsd kernel after installation (you don't have to manually move /bsd.mp over /bsd after the first boot anymore).
When the installation is finished, remove the install media (CD, floppy, whatever) and reboot!
Now we need to fetch the ports tree. FYI, this could take a while:
# cd /usr
# cvs -qd anoncvs@anoncvs1.usa.openbsd.org:/cvs get -r OPENBSD_4_6 -P ports
And now the latest OpenBSD 4.6 ports tree is on your system and ready to use.
# cd /usr/ports/www/apache-httpd
# make install
As configured, make install for the PHP port uses the CONFIGURE_ARGS defined in the default Makefiles. That is fine except for one thing: the default builds the module against Apache 1.x, and we are using 2.x. You will get a ton of messages like this:
blah blah blah....
/usr/local/sbin/httpd2:/usr/local/lib/php/libphp5.so: undefined symbol 'ap_table_set'
/usr/local/sbin/httpd2:/usr/local/lib/php/libphp5.so: undefined symbol 'ap_hard_timeout'
/usr/local/sbin/httpd2:/usr/local/lib/php/libphp5.so: undefined symbol 'ap_reset_timeout'
/usr/local/sbin/httpd2:/usr/local/lib/php/libphp5.so: undefined symbol 'ap_unblock_alarms'
httpd2: Syntax error on line 112 of /etc/apache2/httpd2.conf:
Cannot load /usr/local/lib/php/libphp5.so into server:
Cannot load specified object
if you don't change this line:
CONFIGURE_ARGS+= --with-apxs=/usr/sbin/apxs \
to this:
CONFIGURE_ARGS+= --with-apxs2=/usr/local/sbin/apxs2 \
in these files:
- /usr/ports/www/php5/core/Makefile
- /usr/ports/www/php5/extensions/Makefile
When running make install below for PHP, it will automagically compile all extensions (database clients, gd, bz2, etc) and place their packages in the amd64 (or i386) packages folder. You can fine tune the extensions that get compiled by specifying the flavors to exclude like so:
env FLAVORS="no_x11 no_snmp" make install
This is just an example. Type make show=FLAVORS to view all possibilities.
# cd /usr/ports/www/php5
# env FLAVORS="no_dba no_dbase no_mysqli no_ncurses no_pdo_mysql no_pdo_pgl \
no_pdo_sqlite no_shmop no_sybase_ct" make install
Now we get to select which extensions will be installed. You can do this to install all the ones we just created (or you can do one by one):
# pkg_add /usr/ports/packages/amd64/all/php5-*
Once that is done, enable each extension you need by symlinking its .ini file from the sample directory into the live php5 configuration directory; PHP reads those .ini files when Apache 2 starts, so the matching .so gets loaded. Do this for each one you require:
# ln -fs /var/www/conf/php5.sample/mysql.ini /var/www/conf/php5/mysql.ini
# ln -fs /var/www/conf/php5.sample/pgsql.ini /var/www/conf/php5/pgsql.ini
...etc...
PEAR is a framework and distribution system for reusable PHP components. It is very handy and I highly recommend installing it!
# cd /usr/ports/www/pear
# make install
Edit the Apache configuration file (httpd2.conf):
# vi /etc/apache2/httpd2.conf
First, add the PHP5 module directive by entering this line in the Dynamic Shared Object (DSO) Support section. There will be a bunch of similar lines there, just tack this on at the end of the list:
LoadModule php5_module /usr/local/lib/php/libphp5.so
To allow Apache to use index.php files as directory index pages, change the following line like so (index.php is the addition):
<IfModule dir_module>
DirectoryIndex index.html index.php
</IfModule>
Tell Apache to parse the .php extension by adding this line in the AddType area (the AddType application/x-httpd-php line is the addition):
<IfModule mime_module>
....blah.blah.blah....
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
AddType application/x-httpd-php .php
....blah.blah.blah....
</IfModule>
For SSL to work, we need to un-comment the following Include directive like so (near the very end of the file):
# Secure (SSL/TLS) connections
Include /etc/apache2/extra/httpd-ssl.conf
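As an added check (not part of the original write-up), the following script confirms that the four httpd2.conf edits above are present and not left commented out. In real use you would point it at /etc/apache2/httpd2.conf; the fragment written by write_sample_conf is constructed so the script can be exercised stand-alone.

```shell
#!/bin/sh
# Added pre-flight check (not from the original write-up): confirm that the
# four httpd2.conf edits are present and not commented out. Point it at
# /etc/apache2/httpd2.conf; write_sample_conf produces a constructed
# fragment so the script can be exercised stand-alone.

# active_line FILE REGEX: succeed if REGEX matches at the start of a line
# that is not a comment (leading whitespace allowed).
active_line() {
    grep -Eq "^[[:space:]]*$2" "$1"
}

# check_httpd2_conf FILE: report each missing edit on stdout and return
# non-zero if anything is missing. Without the module and AddType lines
# Apache still starts but hands .php files out as plain text.
check_httpd2_conf() {
    f=$1; rc=0
    active_line "$f" 'LoadModule[[:space:]]+php5_module[[:space:]]+/usr/local/lib/php/libphp5\.so' \
        || { echo "missing: LoadModule php5_module"; rc=1; }
    active_line "$f" 'DirectoryIndex[[:space:]]+(.*[[:space:]])?index\.php([[:space:]]|$)' \
        || { echo "missing: index.php in DirectoryIndex"; rc=1; }
    active_line "$f" 'AddType[[:space:]]+application/x-httpd-php[[:space:]]+\.php' \
        || { echo "missing: AddType application/x-httpd-php .php"; rc=1; }
    active_line "$f" 'Include[[:space:]]+/etc/apache2/extra/httpd-ssl\.conf' \
        || { echo "missing: Include extra/httpd-ssl.conf (absent or still commented)"; rc=1; }
    return $rc
}

# write_sample_conf FILE: constructed httpd2.conf fragment with all four
# edits applied, for demonstration only.
write_sample_conf() {
    cat > "$1" <<'EOF'
LoadModule ssl_module /usr/local/lib/apache2/mod_ssl.so
LoadModule php5_module /usr/local/lib/php/libphp5.so
<IfModule dir_module>
    DirectoryIndex index.html index.php
</IfModule>
<IfModule mime_module>
    AddType application/x-gzip .gz .tgz
    AddType application/x-httpd-php .php
</IfModule>
# Secure (SSL/TLS) connections
Include /etc/apache2/extra/httpd-ssl.conf
EOF
}
```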
Edit the Apache SSL configuration file (httpd-ssl.conf):
# vi /etc/apache2/extra/httpd-ssl.conf
Edit the <VirtualHost _default_:443> section to match the environment you are using. This should be self explanatory. If you have trouble, check the help files or get a really good book on Apache.
Now, we need to create the SSL key / certificate pair!
Generate the SSL server key (keep this file strictly private). You will be asked for a passphrase; if you do not want one (for practical / unattended reboot purposes), omit the -aes256 flag:
# openssl genrsa -out /etc/apache2/server.key -aes256 2048
Next, create a CSR certificate request:
# openssl req -new -key /etc/apache2/server.key -out /etc/apache2/server.csr
Now you can either send the certificate request (server.csr) to a Certificate Authority (CA) for signing, or sign it yourself. A CA-signed certificate can be expensive, but it helps gain customer trust: the browser warning raised by a self-signed certificate can scare some visitors away. The following command creates a self-signed certificate with a two-year expiry:
# openssl req -x509 -days 730 -key /etc/apache2/server.key -in \
/etc/apache2/server.csr > /etc/apache2/server.crt
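The key / CSR / self-signed certificate sequence above, as an added example that is not part of the original write-up: it builds the files in a scratch directory instead of /etc/apache2, skips the passphrase (the unattended-reboot case mentioned above), and then verifies that the certificate really belongs to the key, covers the requested lifetime and carries the expected hostname. www.example.com in the checks is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the original write-up): produce the key, CSR and
# self-signed certificate in a scratch directory ($1 stands in for
# /etc/apache2), then verify the pair before handing it to httpd2.
# The key is left unencrypted (no -aes256) so the server can restart
# unattended; www.example.com in the test is a constructed placeholder.

# make_selfsigned_cert DIR HOSTNAME DAYS
make_selfsigned_cert() {
    dir=$1; host=$2; days=$3
    mkdir -p "$dir" || return 1
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null || return 1
    chmod 600 "$dir/server.key"        # private key: readable by owner only
    openssl req -new -key "$dir/server.key" -subj "/CN=$host" \
        -out "$dir/server.csr" 2>/dev/null || return 1
    openssl req -x509 -days "$days" -key "$dir/server.key" \
        -in "$dir/server.csr" -out "$dir/server.crt" 2>/dev/null
}

# cert_matches_key DIR: succeed only if the public key embedded in
# server.crt is the one derived from server.key. A mismatched pair is the
# usual cause of httpd2 refusing to start after a certificate is replaced.
cert_matches_key() {
    k=$(openssl pkey -in "$1/server.key" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$1/server.crt" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_valid_for DIR DAYS: succeed if server.crt is valid now and still
# valid DAYS-1 days from now, i.e. the -days value actually took effect.
cert_valid_for() {
    openssl x509 -in "$1/server.crt" -noout -checkend 0 >/dev/null &&
    openssl x509 -in "$1/server.crt" -noout \
        -checkend $(( ($2 - 1) * 86400 )) >/dev/null
}

# cert_cn DIR: print the Common Name the certificate was issued for, which
# must equal the hostname clients will type into the browser.
cert_cn() {
    openssl x509 -in "$1/server.crt" -noout -subject -nameopt RFC2253 |
        sed 's/.*CN=//'
}
```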
Now we should test our Apache & PHP install. Create a file named info.php in /usr/local/apache2/htdocs (or whichever directory you configured as your www folder). Place the following line in that file:
<?php phpinfo(); ?>
Now start an instance of the httpd server as follows:
# /usr/local/sbin/apachectl2 start
From any Web browser that can reach this machine, open https://name-or-ip/info.php. Review all the settings and make sure everything is correct. Then stop the Apache server by running the same command used to start it, with stop in place of start.
Finally, to have Apache2 start automatically when OpenBSD boots, add the following lines to /etc/rc.local:
echo "starting apache2..."
/usr/local/sbin/apachectl2 start
If you get a "Forbidden - You don't have permission to access / on this server" message when loading SSL pages, try replacing the word Deny with Allow in the "Deny from all" line within the <Directory> block of httpd2.conf. Restart Apache with apachectl2 and try again.