September 22, 2008
Operating System |
Platform |
Application(s) |
Database(s) |
Other |
|
|
|
|
|
This document describes the process of setting up an Apache 2 Web Server with Sun SPARC hardware, Solaris 10, PHP5, OpenSSL and support for either PostgreSQL, MySQL, Oracle and/or DB2 databases. I call this setup SAPS_DB (Solaris, Apache, PHP and SSL).
Test Platform:
- Sun 420R
- 4x 450Mhz UltraSPARC-II / 4GB RAM
- Solaris 10 OE 05/08
Keep in mind that this document does not cover hardening the system. That process is outlined in other documents from myself or others. This machine needs to be well protected. It will be in a very vulnerable position, facing that filthy and scary Internet.
Also, you will need root access to do most of these tasks. For the most part, this guide assumes access to the system through a terminal or SSH, with no attached keyboard or monitor.
Follow my guide titled Installing a GNU C / C++ Development / Compilation Environment to lay the foundation for what we will be doing here. You may want to nudge up the size on the /var partition, depending on your estimated log sizes and /var/www (Web directory) needs.
For Oracle (InstantClient Software & SDK):
Download, extract and install the Oracle InstantClient software. If you are using your full Oracle package, the process is similar but different. Also, I'm assuming the database will live on another system, so I only detail the client install. This process also assumes you are using Oracle10g. The files should go in the /export/home directory.
Grab the following files from the Instant Client downloads for Solaris (64-bit) site:
- Instant Client Package - Basic Lite
- Instant Client Package - SDK
Actually, screw that. Oracle's site barely works on Linux browsers. Just do this:
# cd /export/home
# wget http://www.procyonlabs.com/mirrors/oracle/basiclite-10.2.0.4.0-solaris-sparc64.zip
# wget http://www.procyonlabs.com/mirrors/oracle/sdk-10.2.0.4.0-solaris-sparc64.zip
# unzip basiclite-10.2.0.4.0-solaris-sparc64.zip
# unzip sdk-10.2.0.4.0-solaris-sparc64.zip
# rm *.zip |
There is a bug in PHP5 that is easy to fix, however it is very annoying. The PHP5 compile, when built against the 10g client libraries, is looking for files named libclntsh.so and libocci.so. Well, it is a simple matter of creating a soft link to solve this:
# ln -s /export/home/instantclient_10_2/libclntsh.so.10.1 \
/export/home/instantclient_10_2/libclntsh.so
# ln -s /export/home/instantclient_10_2/libocci.so.10.1 \
/export/home/instantclient_10_2/libocci.so |
For IBM DB2 Client:
Downloand, extract and install the DB2 version 9 client (~260MB) software (use the defaults and follow the prompts!). If you are using your full DB2 Enterprise 9 package, the process is similar but different. Also, I'm assuming the database will live on another system, so I only detail the client install.
# cd /usr/src
# wget ftp://ftp.software.ibm.com/ps/products/db2/fixes2/english-us/db2sunv9/fixpack/FP5_U815923/v9fp5_sunos_client.tar.gz
# gunzip v9fp5_sunos_client.tar.gz
# tar -xvf v9fp5_sunos_client.tar
# rm v9fp5_sunos_client.tar
# ./client/disk1/db2_install |
To install a DB2 client instance, you will need a dedicated system account and home directory (client instances are tied to a user account). You will also need to source the instance (set environment variables). IBM supplies a script for this purpose.
# useradd -m -d /export/home/plabs -s /bin/bash plabs
# passwd plabs
# /opt/IBM/db2/V9.1/instance/db2icrt -s CLIENT plabs
# . /export/home/plabs/sqllib/db2profile |
Next we need to setup the client connection to the DB2 server. This is an example. You can use any arbitrary name for the NODE, I usually just use db2node:
For PostgreSQL Client:
Rather than fetch and install a pre-packaged binary, let's do it from source. This will allow us to have the latest version, compiled with only what we need:
# wget http://ftp9.us.postgresql.org/pub/mirrors/postgresql/source/v8.3.3/postgresql-8.3.3.tar.bz2
# bunzip2 postgresql-8.3.3.tar.bz2
# tar -xvf postgresql-8.3.3.tar
# rm postgresql-8.3.3.tar && cd postgresql-8.3.3
# ./configure --without-readline
# make && make install |
For MySQL Client:
Rather than fetch and install a pre-packaged binary, let's do it from source. This will allow us to have the latest version, compiled with only what we need:
# wget http://mysql.mirrors.pair.com/Downloads/MySQL-5.0/mysql-5.0.67.tar.gz
# gunzip mysql-5.0.67.tar.gz
# tar -xvf mysql-5.0.67.tar
# rm mysql-5.0.67.tar && cd mysql-5.0.67
# ./configure --without-server
# make && make install |
Apache 2
The Apache2 version supplied with Solaris 10 is old and misconfigured. We will compile our own. Also, the latest release (2.2.9) is full of bugs, so we will use 2.2.8 until a new/fixed version is released.
Your configure flags may vary - this works for me:
# cd /usr/src
# wget http://archive.apache.org/dist/httpd/httpd-2.2.8.tar.bz2
# bunzip2 httpd-2.2.8.tar.bz2
# tar -xvf httpd-2.2.8.tar
# rm httpd-2.2.8.tar && cd httpd-2.2.8
# ./configure --enable-ssl --enable-dav --disable-userdir --enable-so
# make && make install |
PHP 5
For this part, I will be using some common configuration options. You can add or remove options for your specific needs. See the PHP 5 compile options for more detail (./configure --help).
For the ./configure line below, add the following depending on the database(s) you plan to support:
PostgreSQL:
--with-pgsql=/usr/local/pgsql
Oracle:
--enable-sigchild --with-oci8=instantclient,/export/home/instantclient_10_2
--enable-sigchild --with-oci8=/export/home/instantclient_10_2
IBM DB2:
--with-pdo-odbc=ibm-db2,/export/home/plabs/sqllib
--with-ibm-db2=/export/home/plabs/sqllib
MySQL:
--with-mysql
# cd /usr/src
# wget http://www.php.net/get/php-5.2.6.tar.gz/from/this/mirror
# gunzip php-5.2.6.tar.gz
# tar -xvf php-5.2.6.tar
# rm php-5.2.6.tar && cd php-5.2.6
# ./configure --with-apxs2=/usr/local/apache2/bin/apxs --with-zlib --with-bz2 \
--with-gettext --with-openssl=/usr/sfw --with-gd --with-jpeg-dir=/usr/lib \
--with-png-dir=/usr/lib --with-xpm-dir=/usr/openwin --enable-gd-native-ttf \
--with-freetype-dir=/usr/sfw
# make && make install
# cp /usr/share/src/php-5.2.6/php.ini-recommended /usr/local/lib/php.ini
|
Edit the Apache configuration file (httpd.conf):
| # vi /usr/local/apache2/conf/httpd.conf |
To allow Apache to use index.php files for index pages, change the following line like so (bold type is the addition):
<IfModule dir_module>
DirectoryIndex index.html index.php
</IfModule> |
Tell Apache to parse the .php extension by adding this line in the AddType area (bold type is the addition):
<IfModule mime_module>
....blah.blah.blah....
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
AddType application/x-httpd-php .php
....blah.blah.blah....
</IfModule> |
For SSL to work, we need to un-comment the following Include directive like so (near the very end of the file):
# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf |
Edit the Apache SSL configuration file (httpd-ssl.conf):
| # vi /usr/local/apache2/conf/extra/httpd-ssl.conf |
Edit the <VirtualHost _default_:443> section to match the environment you are using. This should be self explanatory. If you have trouble, check the help files or get a really good book on Apache.
Now, we need to create the SSL key / certificate pair!
Generate the SSL server key (keep this extra super secret private). You will have to enter a passphrase for this process, however if you do not wish to use one (for practical / unattended reboot purposes), don't enter the -aes256 flag:
| # openssl genrsa -out /usr/local/apache2/conf/server.key -aes256 2048 |
Next, create a CSR certificate request:
# openssl req -new -key /usr/local/apache2/conf/server.key -out \
/usr/local/apache2/conf/server.csr |
Now, you can either send the certificate request (server.csr) to a Certificate Authority (CA) to be signed, or you can sign it yourself. CAs can be expensive, but it can be better to gain trust from customers - as the browser warning from a self-signed certificate can scare away some folks. The following process will create a self-signed certificate with a two year expiration:
# openssl req -x509 -days 730 -key /usr/local/apache2/conf/server.key -in \
/usr/local/apache2/conf/server.csr > /usr/local/apache2/conf/server.crt |
Now we should test our Apache & PHP install. Create a file named info.php in the /usr/local/apache2/htdocs (or whichever area you configured as your www folder) directory. Place the following lines in that file:
Now start an instance of the httpd server as follows:
| # /usr/local/apache2/bin/apachectl start |
Go to any Web browser networked to this machine and enter its URL (http://name-or-ip/info.php). Review all the settings and make sure it is all correct. You should stop the Apache server process now by executing the same line as starting it, only with the stop parameter instead.
If you get a "Forbidden - You don't have permission to access / on this server" message when loading SSL pages, try replacing the word Deny with Allow in the line "Deny from all" within the <Directory> block of the httpd.conf file. Restart apachectl and try again.
|
