Web Server with Apache 2, PHP 5, OpenSSL and Database Support
January 3, 2010

Operating System: Sun Solaris
Application(s): Apache, PHP
Database(s): PostgreSQL, IBM DB2, MySQL, Oracle
Other: OpenSSL
Platform: Sun UltraSPARC

I. Abstract

This document describes the process of setting up an Apache 2 Web Server on Sun SPARC hardware with Solaris 10, PHP 5, OpenSSL and support for PostgreSQL, MySQL, Oracle and/or IBM DB2 databases (via PDO and/or the native extensions). I call this setup SAPS_DB (Solaris, Apache, PHP and SSL).

Test Platform:

  • Sun v210
  • 2x 1.0 GHz UltraSPARC-IIIi / 2 GB RAM
  • Solaris 10 OE 10/09

For this task, we will compile everything from source (so we can have the latest releases, compiled to our taste).

Keep in mind that this document does not cover hardening the system. That process is outlined in other documents from myself or others. This machine needs to be well protected. It will be in a very vulnerable position, facing that filthy and scary Internet.

Also, you will need root access to do most of these tasks. For the most part, this guide assumes access to the system through a terminal or SSH, with no attached keyboard or monitor.

II. Setup the Operating Environment

Follow my guide titled Configuring a Solaris 10 JumpStart Server to lay the foundation for what we will be doing here. This guide has an example JumpStart profile with the required clusters and packages needed for development.

You may want to nudge up the size on the /var partition, depending on your estimated needs. This guide uses /var/www as the home for the Web directory.

I also suggest you add /usr/local/bin to your system's PATH. I do this by adding the following line just above export LOGNAME PATH in /etc/profile:

MySQL / Oracle / DB2:
PATH=/usr/local/bin:/usr/local/apache2/bin:/usr/sfw/bin:/usr/ccs/bin:$PATH

or, for PostgreSQL:
PATH=/usr/local/bin:/usr/local/apache2/bin:/usr/local/pgsql/bin:/usr/sfw/bin:/usr/ccs/bin:$PATH

This will allow easier access to some programs we will need later.

III. Configure Database Client Support

Oracle:

Download, extract and install the Oracle Instant Client software. If you are using the full Oracle package, the process is similar but not identical. Also, I'm assuming the database will live on another system, so I only detail the client install. This process also assumes you are using Oracle 11g. The files should go in the /opt directory.

Grab the following files from the Instant Client Downloads for Solaris Operating System (32-bit) site and put them in /opt:

  • Instant Client Package - Basic Lite
  • Instant Client Package - SDK

# cd /opt
# unzip basiclite-11.1.0.7.0-solaris-sparc32.zip
# unzip sdk-11.1.0.7.0-solaris-sparc32.zip
# rm *.zip

There is a known PHP 5 build issue here that is annoying but easy to fix: when built against the 11g Instant Client libraries, the PHP 5 configure step looks for a file named libclntsh.so, which the Instant Client only ships as libclntsh.so.11.1. A soft link solves this (the second link makes libnnz11.so findable in /usr/lib as well):

# ln -s /opt/instantclient_11_1/libclntsh.so.11.1 \
  /opt/instantclient_11_1/libclntsh.so
# ln -s /opt/instantclient_11_1/libnnz11.so /usr/lib/libnnz11.so

IBM DB2:

Download, extract and install the DB2 version 9.5 (or whichever one you require) client software (~260 MB); use the defaults and follow the prompts. If you are using the full DB2 Enterprise 9 package, the process is similar but not identical. Also, I'm assuming the database will live on another system, so I only detail the client install.

# cd /usr/src
# wget ftp://ftp.software.ibm.com/ps/products/db2/fixes2/english-us/db2sunv95/fixpack/FP5_U829463/v9.5fp5_sun64_client.tar.gz
# gunzip v9.5fp5_sun64_client.tar.gz
# tar -xvf v9.5fp5_sun64_client.tar
# rm v9.5fp5_sun64_client.tar
# ./client/db2_install

To install a DB2 client instance, you will need a dedicated system account and home directory (client instances are tied to a user account). You will also need to source the instance (set environment variables). IBM supplies a script for this purpose.

# useradd -m -d /export/home/plabs plabs
# passwd plabs
# /opt/IBM/db2/V9.5/instance/db2icrt -s CLIENT plabs
# . /export/home/plabs/sqllib/db2profile
# echo ". /export/home/plabs/sqllib/db2profile" >> /etc/profile

Next we need to set up the client connection to the DB2 server. This is an example; you can use any arbitrary name for the NODE, I usually just use db2node:

# db2 CATALOG TCPIP NODE db2node REMOTE 192.168.0.25 SERVER 50000
# db2 CATALOG DATABASE ccorders AT NODE db2node

PostgreSQL:

Rather than fetch and install a pre-packaged binary, let's build PostgreSQL from source. This will give us the latest version, compiled with only what we need:

# wget http://www.procyonlabs.com/mirrors/postgresql/postgresql-8.4.2.tar.bz2
# bunzip2 postgresql-8.4.2.tar.bz2
# tar -xvf postgresql-8.4.2.tar
# rm postgresql-8.4.2.tar && cd postgresql-8.4.2
# ./configure --without-readline --with-openssl
# gmake && gmake install

MySQL:

Rather than fetch and install a pre-packaged binary, let's build MySQL from source (client libraries only, via --without-server). This will give us the latest version, compiled with only what we need:

# wget http://www.procyonlabs.com/mirrors/mysql/mysql-5.1.42.tar.gz
# gunzip mysql-5.1.42.tar.gz
# tar -xvf mysql-5.1.42.tar
# rm mysql-5.1.42.tar && cd mysql-5.1.42
# ./configure --without-server --with-ssl=/usr/sfw
# make && make install

IV. Compile and Install Apache and PHP

Apache 2

Your configure flags may vary; this works for me:

# cd /usr/src
# wget http://archive.apache.org/dist/httpd/httpd-2.2.14.tar.bz2
# bunzip2 httpd-2.2.14.tar.bz2
# tar -xvf httpd-2.2.14.tar
# rm httpd-2.2.14.tar && cd httpd-2.2.14
# ./configure --enable-ssl --disable-userdir --enable-so
# make && make install

PHP 5

There are all kinds of things you can do to configure PHP. These are all examples, starting points. Salt to taste. You can add or remove options for your specific needs. See the PHP 5 compile options for more detail (./configure --help).

Optional Features

IMAP:

The UW IMAP toolkit is a dirty, dirty collection of Makefiles. To get it to compile right on this platform (using the Sun included OpenSSL), you need to manually edit /usr/src/imap-2007e/src/osdep/unix/Makefile and change the following:

SSLDIR=/usr/local/ssl
to
SSLDIR=/usr/sfw

It also doesn't automate the installation, so we'll just leave the files in /usr/src/imap-2007e and point PHP at them. Besides, we'll have to re-compile PHP anyway if we ever want to upgrade IMAP and/or PHP.

# cd /usr/src
# wget ftp://ftp.cac.washington.edu/imap/imap-2007e.tar.gz
# gunzip imap-2007e.tar.gz
# tar -xvf imap-2007e.tar
# rm imap-2007e.tar && cd imap-2007e
# make gso EXTRACFLAGS=-fPIC c-client

If you select this option, add the following to the ./configure flags for PHP later.

--with-imap=/usr/src/imap-2007e --with-imap-ssl=/usr/sfw

Libmcrypt:

Mcrypt is a general-purpose cryptography library which is broader and significantly more efficient (FASTER!) than PHP's own cryptographic code. Building PHP without mcrypt support will force it to use weaker (and much slower) encryption.

# cd /usr/src
# wget http://superb-east.dl.sourceforge.net/sourceforge/mcrypt/libmcrypt-2.5.8.tar.bz2
# bunzip2 libmcrypt-2.5.8.tar.bz2
# tar -xvf libmcrypt-2.5.8.tar
# rm libmcrypt-2.5.8.tar && cd libmcrypt-2.5.8
# ./configure --prefix=/usr/local/lib/libmcrypt --enable-dynamic-loading
# make && make install

If you select this option, add --with-mcrypt=/usr/local/lib/libmcrypt to the ./configure flags for PHP later.

GNU Aspell:

Aspell is a command-line program used as the spell-checking engine by many Web applications. The --disable-wide-curses flag is necessary because of incompatibilities with the curses implementation in Solaris (see E.3 Curses Notes).

This does not need to be compiled into PHP, as the applications access it directly.

# cd /usr/src
# wget ftp://ftp.gnu.org/gnu/aspell/aspell-0.60.6.tar.gz
# gunzip aspell-0.60.6.tar.gz
# tar -xvf aspell-0.60.6.tar
# rm aspell-0.60.6.tar && cd aspell-0.60.6
# ./configure --disable-wide-curses && make && make install

You'll also need a language dictionary file for aspell. Here I will use English:

# cd /usr/src
# wget ftp://ftp.gnu.org/gnu/aspell/dict/en/aspell6-en-6.0-0.tar.bz2
# bunzip2 aspell6-en-6.0-0.tar.bz2
# tar -xvf aspell6-en-6.0-0.tar
# rm aspell6-en-6.0-0.tar && cd aspell6-en-6.0-0
# ./configure && make && make install

For the ./configure line below, add the following depending on the database(s) you plan to support:

PostgreSQL

Standard: --with-pgsql=/usr/local/pgsql
PDO: --with-pdo-pgsql=/usr/local/pgsql

Oracle

Standard: --with-oci8=instantclient,/opt/instantclient_11_1
PDO: --with-pdo-oci=instantclient,/opt/instantclient_11_1,11.1.0.7

IBM DB2

Standard: --with-ibm-db2=/export/home/plabs/sqllib
PDO: --with-pdo-odbc=ibm-db2,/export/home/plabs/sqllib

MySQL

Standard: --with-mysql=/usr/local
PDO: --with-pdo-mysql=/usr/local

# cd /usr/src
# wget -O php-5.3.1.tar.gz http://www.php.net/get/php-5.3.1.tar.gz/from/this/mirror
# gunzip php-5.3.1.tar.gz
# tar -xvf php-5.3.1.tar
# rm php-5.3.1.tar && cd php-5.3.1

# ./configure --with-apxs2=/usr/local/apache2/bin/apxs --with-zlib \
  --with-bz2 --with-gettext --with-openssl=/usr/sfw --with-gd \
  --with-jpeg-dir=/usr/lib --with-png-dir=/usr/lib \
  --with-xpm-dir=/usr/openwin --enable-gd-native-ttf \
  --with-freetype-dir=/usr/sfw --with-iconv --enable-mbregex

# make && make install
# cp /usr/src/php-5.3.1/php.ini-production /usr/local/lib/php.ini
# ln -s /usr/local/bin/php /usr/bin/php
  (linking is optional - some apps look here for the php executable)


V. Configure Apache for PHP and SSL

Edit the Apache configuration file (httpd.conf):

# vi /usr/local/apache2/conf/httpd.conf

To allow Apache to use index.php files for index pages, change the following line like so (index.php is the addition):

<IfModule dir_module>
   DirectoryIndex index.html index.php
</IfModule>

Tell Apache to parse the .php extension by adding this line in the AddType area (the application/x-httpd-php line is the addition):

<IfModule mime_module>
   ....blah.blah.blah....
   AddType application/x-compress .Z
   AddType application/x-gzip .gz .tgz
   AddType application/x-httpd-php .php
   ....blah.blah.blah....
</IfModule>

For SSL to work, we need to un-comment the following Include directive like so (near the very end of the file):

# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf

Edit the Apache SSL configuration file (httpd-ssl.conf):

# vi /usr/local/apache2/conf/extra/httpd-ssl.conf

Edit the <VirtualHost _default_:443> section to match the environment you are using. This should be self explanatory. If you have trouble, check the help files or get a really good book on Apache.

Now, we need to create the SSL key / certificate pair!

Generate the SSL server key (keep this extra super secret private: it should be readable by root only, e.g. mode 0600). You will be prompted for a passphrase; if you do not want one (so that httpd can restart unattended), omit the -aes256 flag:

# openssl genrsa -out /usr/local/apache2/conf/server.key -aes256 2048

Next, create a CSR certificate request:

# openssl req -new -key /usr/local/apache2/conf/server.key -out \
  /usr/local/apache2/conf/server.csr

Now you can either send the certificate request (server.csr) to a Certificate Authority (CA) to be signed, or sign it yourself. A CA-signed certificate costs money, but it earns trust from customers: the browser warning a self-signed certificate triggers can scare some people away. The following process creates a self-signed certificate with a two-year expiration:

# openssl req -x509 -days 730 -key /usr/local/apache2/conf/server.key \
  -in /usr/local/apache2/conf/server.csr > \
  /usr/local/apache2/conf/server.crt
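As an added example that is not part of the original guide, here are the key, CSR and self-signed certificate steps above as a script that also checks that the three files belong together, that the key is readable only by its owner, and how long the certificate remains valid. It assumes the OpenSSL command-line tool is installed; the directory and subject passed in are placeholders for your own values.

```shell
#!/bin/sh
# Added example, not from the original guide: reproduce the key / CSR /
# self-signed certificate steps of Section V and then check the result.
# Assumptions: the OpenSSL command-line tool is installed; the directory
# and subject passed in are placeholders for your own values.

# Generate server.key, server.csr and server.crt under $1 with subject $2,
# valid for $3 days (default 730, the guide's two years). The key is left
# unencrypted (the guide's no -aes256 case) so httpd can restart unattended,
# so it is created with mode 0600 via umask inside a subshell.
gen_ssl_pair() (
    dir=$1; subj=$2; days=${3:-730}
    mkdir -p "$dir"
    umask 077
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -subj "$subj" \
        -out "$dir/server.csr" 2>/dev/null
    openssl req -x509 -days "$days" -key "$dir/server.key" \
        -in "$dir/server.csr" -out "$dir/server.crt" 2>/dev/null
)

# Succeeds only if key, CSR and certificate carry the same RSA modulus,
# i.e. the certificate really belongs to this private key.
ssl_pair_matches() {
    k=$(openssl rsa  -noout -modulus -in "$1/server.key")
    r=$(openssl req  -noout -modulus -in "$1/server.csr")
    c=$(openssl x509 -noout -modulus -in "$1/server.crt")
    [ -n "$k" ] && [ "$k" = "$r" ] && [ "$k" = "$c" ]
}

# Succeeds if the certificate is still valid $2 seconds from now
# (openssl -checkend exits non-zero when it expires within that window).
ssl_valid_for() {
    openssl x509 -noout -checkend "$2" -in "$1/server.crt" >/dev/null
}

# Succeeds if the private key is readable and writable by its owner only.
ssl_key_is_private() {
    [ "$(ls -l "$1/server.key" | cut -c1-10)" = "-rw-------" ]
}

# Usage: gen_ssl_pair /usr/local/apache2/conf "/CN=www.example.test"
```

Run the three checks before pointing httpd-ssl.conf at the files; a certificate that does not match its key is the usual cause of httpd refusing to start after a renewal.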

VI. Test It!

Now we should test our Apache & PHP install. Create a file named info.php in the /usr/local/apache2/htdocs (or whichever area you configured as your www folder) directory. Place the following lines in that file:

<?php
phpinfo();
?>

Now start an instance of the httpd server as follows:

# /usr/local/apache2/bin/apachectl start 

Go to any Web browser that can reach this machine and enter its URL (http://name-or-ip/info.php). Review all the settings and make sure everything is correct. Then stop the Apache server by running the same command with stop instead of start, and delete info.php: it discloses the full PHP and server configuration to anyone who can load it, so it should not stay on a production server.

VII. Errata

If you get a "Forbidden - You don't have permission to access / on this server" message when loading SSL pages, try replacing the word Deny with Allow in the "Deny from all" line of the <Directory> block in httpd.conf. Scope the change to the <Directory> block for your DocumentRoot rather than the top-level <Directory /> block, which should stay denied. Restart apachectl and try again.

VIII. Helpful Links


© 2010 Procyon Labs / Randal T. Rioux