Post on 14-Apr-2018
7/27/2019 freebsd start.rtf
How to build a FreeBSD server
A server is not all things to all people. The server described here is intended primarily for serving web-based applications and providing Microsoft Windows
file sharing to a local or distributed work team, either connected directly to
the internet through an ISP or through an enterprise IT infrastructure. DNS or
DHCP, if available, are assumed to be provided by the ISP or enterprise IT
infrastructure. Print services are assumed to be provided through local
printers, the enterprise IT infrastructure, or by workstation peer-to-peer
printer sharing (i.e., not by this server).
It is generally assumed that client workstations will use Microsoft Windows, and if an enterprise infrastructure exists, it will be based primarily on
Microsoft Windows servers. However, this doesn't need to be the case.
References
This procedure is based on FreeBSD 8.2-RELEASE, taking direction from a
number of sources, primarily:
Building a Server with FreeBSD 7 by Bryan Hong ("Hong"), [1]
Absolute FreeBSD by Michael Lucas ("Lucas"), [2]
The FreeBSD Handbook by the FreeBSD Project ("Handbook"), [3]
Other sources include the FreeBSD Diary (http://www.freebsddiary.org),
FreeBSD Made Easy (http://www.freebsdmadeeasy.com), and numerous blogs
and forum postings.
Base System
Provision a basic x86 platform
- Popular proven motherboard (e.g., Intel brand desktop board with on-board
graphics and on-board LAN), x86 processor and RAM. A single-core 2GHz P4
with 512MB RAM can be adequate for a low-traffic website with an
Apache/MySQL/PHP web stack.
- Primary system drive (e.g., 500GB)
- Secondary backup drive with the same or greater capacity as the primary
drive
- DVD drive to simplify installing FreeBSD (with BIOS support for booting from
the DVD; complete USB installs and bootstrapped network installs are also
possible)
Download the FreeBSD 8.2-RELEASE CD/DVD ISO using the torrent
available on http://www.freebsd.org and perform a basic system install, using
automatic settings for disk partition and slices. Refer to the Handbook, Hong,
Lucas, or any number of on-line tutorials.
Use sysinstall to configure the backup drive (partition and slice), and add
the drive and mount point to /etc/fstab so it is automatically mounted during
system boot. See Hong.
Update FreeBSD using freebsd-update and reboot.
# freebsd-update fetch
# freebsd-update install
# shutdown -r now
Update the FreeBSD ports tree using portsnap instead of cvsup.
Initial update:
# portsnap fetch
# portsnap extract
Subsequent updates (before installing or updating a port):
# portsnap fetch
# portsnap update
Install portmaster (/usr/ports/ports-mgmt/portmaster) for performing ports
maintenance, such as upgrading a port.
Install portaudit (/usr/ports/ports-mgmt/portaudit), for automatically
reporting security issues with installed ports.
DDNS Client
Install a DDNS client if the server will use a dynamic IP address and a DDNS
service (e.g., No-IP.com).
E.g. install No-IP.com DDNS client
# cd /usr/ports/dns/noip
# make install clean
follow instructions to create /usr/local/etc/no-ip2.conf and enable DDNS client
by editing /etc/rc.conf
OpenSSL
Keep the version of OpenSSL included in the base system instead of replacing
it with the current version in the ports tree (the base system includes
OpenSSL v0.9.8, the version in the ports tree as of 2011-10-09 is v1.0.0).
Add WITH_OPENSSL_BASE="YES" to /etc/make.conf to prevent the Ports
Collection from building the security/openssl port if a port has an OpenSSL
dependency (see Handbook, Section 15.8).
Create SSL hostkey and self-signed certificate for SSL over HTTP.
# openssl version
OpenSSL 0.9.8q 2 Dec 2010
# make search name=openssl | grep Port
...
Port: openssl-1.0.0_6
...
#
edit defaults in /etc/ssl/openssl.cnf
default_days = 1095
countryName_default = CA
stateOrProvinceName_default = Alberta
0.organizationName_default = dalescott.net
localityName_default = Calgary
organizationalUnitName_default = Authorial Division
commonName_default = www.dalescott.net
emailAddress_default = dale@dalescott.net
Create a self-signed SSL host certificate either using openssl directly, or
using the CA.pl script.
Use openssl directly
# cd /etc/ssl/
generate SSL host key, make read/write only by root
# openssl genrsa 1024 > host.key
# chmod 600 host.key
create certificate request, don't enter challenge password or optional
company name
# openssl req -new -key host.key -out csr.pem
self-sign certificate
# openssl x509 -req -days 1095 -in csr.pem -signkey host.key -out selfsigned.crt
Use CA.pl
Although OpenSSL is installed as part of the FreeBSD base, the complete
contents of the OpenSSL port are not installed, including the popular CA.pl perl
script for using openssl. If you installed FreeBSD with its sources, CA.pl can
probably be found here:
/usr/src/crypto/openssl/apps/CA.pl
or alternatively, CA.pl can be extracted from an OpenSSL tarball:
# cd /usr/ports/security/openssl
# make fetch
# mkdir ~/temp/
# cd ~/temp/
# tar -xzf /usr/ports/distfiles/openssl-1.0.0e/openssl-1.0.0e.tar.gz
# mkdir /etc/ssl/certs
# cp ~/temp/openssl-1.0.0e/apps/CA.pl /etc/ssl/certs/
# chmod 744 /etc/ssl/certs/CA.pl
# rm -r ~/temp/
and then proceed with creating keys and certificates.
# cd /etc/ssl/certs/
create a certificate authority (CA)
- Common Name can be company name (i.e., not server name)
- enter same PEM passphrase at 2nd prompt as entered at 1st prompt
# ./CA.pl -newca
create an encrypted host key and certificate request
- Common Name must be server name
- for convenience, same PEM passphrase can be entered at prompt as used
for CA
# ./CA.pl -newreq
sign encrypted host key with certificate authority
- enter same PEM passphrase at prompt as used to create host key
# ./CA.pl -signreq
copy the CA certificate and private key, the signed host certificate and the
encrypted host key to meaningful filenames
# cp newcert.pem host.example.com-cert.pem
# cp newkey.pem host.example.com-encrypted-key.pem
# cp demoCA/cacert.pem example.com-CAcert.pem
# cp demoCA/private/cakey.pem example.com-encrypted-CAkey.pem
decrypt host key and change permissions for security
- enter PEM passphrase used to create host key at prompt
# openssl rsa -in host.example.com-encrypted-key.pem -out host.example.com-unencrypted-key.pem
# chmod 400 host.example.com-unencrypted-key.pem
convert CA certificate to DER format for Microsoft Windows clients
# openssl x509 -in example.com-CAcert.pem -inform PEM -out example.com-CAcert.cer -outform DER
copy DER-encoded certificate to users (e.g., email)
- the 2nd filename given will not be physically created (i.e., the 1st file won't
be overwritten)
# uuencode example.com-CAcert.cer example.com-CAcert.cer | mail -s "Subject-text" user@example.com
- some mail clients may block the certificate file for security reasons (e.g., MS
Outlook); in this case, zip the binary certificate first before emailing it
# zip example.com-CAcert.cer.zip example.com-CAcert.cer
# uuencode example.com-CAcert.cer.zip example.com-CAcert.cer.zip | mail -s "Subject-text" user@example.com
TODO
consider any clarity gained by using CA.pl to create keys for SSL over HTTP
(as per Hong), especially if CA.pl will be used to create keys for OpenVPN
add creating server keys for OpenVPN (describe creation of create keys
under OpenVPN section)
consider any consolidation possible between keys for SSL over HTTP and
keys for OpenVPN
consider publishing CA public key and server public key on enterprise
website (e.g., SCC QMS)
OpenSSH
Keep the version of OpenSSH included in the base system instead of
replacing it with the current version in the ports tree (the base system
includes OpenSSH v5.4, the version in the ports tree as of 2011-10-09 is v5.2).
No configuration is required.
# telnet localhost 22
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-2.0-OpenSSH_5.4p1 FreeBSD-20100308
...
# make search name=openssh | grep Port
...
Port: openssh-portable-5.2.p1_4,1
...
#
TODO
consider publishing public server SSH key on enterprise website (e.g., SCC
QMS)
NTP
Use the version of NTP included in the base system instead of installing a
newer version from the ports tree (the base system includes v4.2.4,
the version in the ports tree as of 2011-10-09 is v4.2.6). The only configuration
required is to enable the ntpd daemon in rc.conf (although editing the list of
NTP servers used in /etc/ntp.conf may improve time synchronization).
ntpd_enable="YES"
Backups
Implement a basic backup procedure using a daily full system dump
Create a shell script to back up the system drive file system to the backup
drive. THIS SCRIPT DOES NOT DELETE OLD BACKUP DUMPS, YOU MUST
MONITOR BACKUP DRIVE CAPACITY AND DELETE OLD DUMPS MANUALLY AS
NEEDED. Adding deletion of old backup dumps to the script is left as an exercise
for the reader (and sharing back your solution would be sincerely
appreciated!).
# cat /root/bin/mydump_daily
#!/bin/sh
####################################
#
# Create filesystem backup dump
# - creates dated backup dir and separately dumps /, /var, and /usr
# - execution must start AND complete on same calendar day!
# - does not cleanup old backup dir's - manage diskspace manually!
#
####################################
echo Backup Started `date` >> /backup/backuplog
mkdir /backup/`date +%Y%m%d`
dump -0 -a -L -f /backup/`date +%Y%m%d`/root.ad4s1a.dump /
dump -0 -a -L -f /backup/`date +%Y%m%d`/var.ad4s1d.dump /var
dump -0 -a -L -f /backup/`date +%Y%m%d`/usr.ad4s1f.dump /usr
echo Backup Completed `date` >> /backup/backuplog
#
(backup procedure)
Edit the system crontab file (/etc/crontab) to schedule the backup for
running daily by appending the following:
#######
#
# Custom system maintenance
#
# 2011-07-11 dale scott backup system @ 02:01 daily (2:01 AM)
1 2 * * * root /root/bin/mydump_daily
#
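The retention step the script above leaves as an exercise, as an added example (not part of the original page or the author's script): it keeps the newest N dated backup directories under /backup and removes the rest, and refuses to prune when the newest run is incomplete so a failed dump never triggers deletion of older good ones. It assumes the layout mydump_daily creates, <root>/YYYYMMDD/{root,var,usr}.<device>.dump.

```shell
#!/bin/sh
# Added example: retention for the dated backup directories that mydump_daily
# creates. Assumed layout: <root>/YYYYMMDD/{root,var,usr}.<device>.dump

# list_dump_dirs <root>: names of dated dump directories under <root>, oldest first
list_dump_dirs() {
    for d in "$1"/[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]; do
        if [ -d "$d" ]; then basename "$d"; fi
    done | sort
}

# dump_complete <dir>: 0 if <dir> holds non-empty root, var and usr dumps
dump_complete() {
    dir=$1
    for fs in root var usr; do
        set -- "$dir"/$fs.*.dump       # unmatched glob stays literal -> -s fails
        [ -s "$1" ] || return 1
    done
    return 0
}

# prune_old_dumps <root> <keep>: remove all but the newest <keep> dump dirs.
# Prints each removed directory name. Returns 1 and removes nothing when the
# newest dump is incomplete (last run failed or is still in progress).
prune_old_dumps() {
    root=$1; keep=$2
    newest=$(list_dump_dirs "$root" | tail -n 1)
    [ -n "$newest" ] || return 0
    dump_complete "$root/$newest" || return 1
    total=$(list_dump_dirs "$root" | wc -l | tr -d ' ')
    excess=$((total - keep))
    [ "$excess" -gt 0 ] || return 0
    list_dump_dirs "$root" | head -n "$excess" | while read -r d; do
        rm -r "$root/$d" && printf '%s\n' "$d"
    done
}
```

Append `prune_old_dumps /backup 14 >> /backup/backuplog` after the final echo in mydump_daily to keep two weeks of daily dumps.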
Convenient Utilities
Install convenient utilities ("# rehash" may be required after installation
before use)
flip - Convert text file line endings between Unix and DOS formats
# cd /usr/ports/textproc/flip
# make config ; make install clean
unzip - List, test and extract compressed files in a ZIP archive
# cd /usr/ports/archivers/unzip
# make config ; make install clean
zip - Create/update ZIP files compatible with pkzip
# cd /usr/ports/archivers/zip
# make config ; make install clean
tree - Display a tree-view of directories
# cd /usr/ports/sysutils/tree
# make config ; make install clean
ytree - DOS-XTREE(tm) look-a-like file manager
# cd /usr/ports/misc/ytree
# make config ; make install clean
lynx - A non-graphical, text-based World-Wide Web client
# cd /usr/ports/www/lynx
# make config ; make install clean
wget - Retrieve files from the Net via HTTP(S) and FTP
# cd /usr/ports/ftp/wget
# make config ; make install clean
webmin - Web-based interface for system administration
# cd /usr/ports/sysutils/webmin
# make config ; make install clean
Webmin Server Management
Webmin is a web-based interface for administrating Unix systems. For many
tasks, Webmin can simplify administration and reduce errors. Webmin can
also provide remote administration in environments where ssh access is
blocked by a firewall. Webmin will by default be available at
http://www.server.dom:10000
# cd /usr/ports/sysutils/webmin
# make config ; make install clean
Configure Webmin (accept all defaults for a basic install)
# /usr/local/lib/webmin/setup.sh
# vi /etc/rc.conf and add following line
webmin_enable="YES"
start Webmin for the first time
# /usr/local/etc/rc.d/webmin start
Most Webmin modules will be automatically configured, but some must be
manually configured for FreeBSD.
Apache Web Server Module
The Webmin Apache Web Server Module must be manually configured after
installing the Web Stack.
Log in to Webmin, access the Apache Web Server module under Un-used
Modules and enter the following configuration values:
Path to httpd.conf: /usr/local/etc/apache22/httpd.conf
Path to srm.conf: /usr/local/etc/apache22/Includes/srm.conf
Path to access.conf: /usr/local/etc/apache22/Includes/access.conf
Path to mime.types: /usr/local/etc/apache22/mime.types
srm.conf and access.conf files will not be present unless created manually (they are not created as part of a basic Apache2 install).
Mercurial Version Control System
Mercurial - Fast, lightweight distributed source control management system
# cd /usr/ports/devel/mercurial
# make config ; make install clean
# rehash
Postfix MTA
This procedure also borrows from http://linuxgravity.com/postfix-send-only-configuration-for-non-local-domains
Postfix is installed for web applications to send mail. It is assumed that web
applications on the server will originate mail for either local delivery, or which
will be relayed through an existing mail server in an enterprise environment.
In an enterprise environment, it is also assumed that the enterprise mail
server will not require either authentication or encryption to relay mail.
The Sendmail MTA (Mail Transfer Agent) is included in the FreeBSD base
system, but configuring it can be complicated. A number of simple MTAs
exist, but are generally only suitable for the specific situations they were
created for. Postfix is a popular general purpose MTA, and simpler to
configure than Sendmail.
Install Postfix
# cd /usr/ports/mail/postfix
# make config accept defaults
# make install clean activate Postfix in /etc/mail/mailer.conf
Edit /usr/local/etc/postfix/main.cf to configure Postfix
keep default mydestination ($myhostname + localhost.$mydomain)
keep default mynetworks_style
mynetworks_style = host
edit relayhost to specify the system mail server
relayhost = [servername.domain.tld]
edit home_mailbox to enable delivery of mail to local users
home_mailbox = Maildir/
Create alias to forward root mail to the external system administrator
# vi /etc/mail/aliases and add root alias
root: username@example.com
update aliases.db
# /usr/local/bin/newaliases
edit /etc/rc.conf to enable Postfix at boot and disable Sendmail
postfix_enable="YES"
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
Create /etc/periodic.conf to override defaults in /etc/defaults/periodic.conf
daily_clean_hoststat_enable="NO"
daily_status_mail_rejects_enable="NO"
daily_status_include_submit_mailq="NO"
daily_submit_queuerun="NO"
Stop Sendmail, delete Sendmail queue and start Postfix
# killall sendmail
# rm /var/spool/mqueue/*
# /usr/local/etc/rc.d/postfix restart
Verify Postfix works correctly by sending test emails.
mail should be delivered
# echo "testing local delivery" | mail -s "test email to local root user" root
mail should be delivered
# echo "testing ext domain delivery" | mail -s "test email to outside user" user@mailserver.dom
mail should NOT be delivered
# echo "testing ext domain delivery" | mail -s "test email to outside user" user@extdomain.dom
OpenVPN Server
OpenVPN is installed to provide Windows workstations connected to the
internet access to shared files on the server (shared using Samba). OpenVPN
is not required if internet workstations do not need to access shared files, or
in an enterprise environment where a VPN server already exists.
See SSL section for creating server keys, this section will only describe how to
specify the server keys as part of the OpenVPN configuration. The procedure
for creating client keys is given here.
# cd /usr/ports/security/openvpn
# make config accept defaults
# make install clean
# rehash
find IP address of local default gateway and network device name, and
configured DNS servers
# netstat -rn | grep default
# grep nameserver /etc/resolv.conf
create directory and copy configuration file
# mkdir /usr/local/etc/openvpn
# cd /usr/local/etc/openvpn
# cp /usr/local/share/doc/openvpn/sample-config-files/server.conf .
create directory for SSL certificates and keys
# mkdir /usr/local/etc/openvpn/keys
OpenLDAP Server
TODO - complete procedure
OpenLDAP can be used by web applications to authenticate users against a
common source of truth. In an enterprise environment, the web applications
may be configured to authenticate using a Microsoft Active Directory server
(also an LDAP implementation).
# cd /usr/ports/net/openldap24-server
# make config ; make install clean
# rehash
phpLDAPAdmin
phpLDAPAdmin requires the web application stack. Complete the web stack
installation first, then return here and continue installing phpLDAPAdmin.
# cd /usr/ports/net/phpldapadmin
# make config
# make install clean
Edit /usr/local/www/phpldapadmin/config/config.php
Create /usr/local/etc/apache22/Includes/phpldapadmin.conf (force SSL
connection)
IMAP Server and WebMail Portal
This procedure is not required if there will be no local system users. The
Procmail MDA (Mail Delivery Agent) is installed to deliver mail to local system
users and Courier-authlib / Courier-IMAP and SquirrelMail installed to provide
web-based access to local mail.
Procmail
Spam filtering will not be configured because the system does not accept
external mail.
# cd /usr/ports/mail/procmail
# make install clean
edit Postfix main.cf to specify Procmail as the local MDA
# vi /usr/local/etc/postfix/main.cf and add
mailbox_command = /usr/local/bin/procmail
# postfix reload
Courier-authlib
Install Courier-authlib to provide required Courier-IMAP authentication
(required for a client to connect to the Courier-IMAP server)
# cd /usr/ports/security/courier-authlib
# make config ; make install clean
# rehash
# vi /usr/local/etc/authlib/authdaemonrc and edit authmodulelist
authmodulelist="authpam"
edit /etc/rc.conf and add following lines:
courier_authdaemond_enable="YES"
start the Courier-authlib daemon
# /usr/local/etc/rc.d/courier-authdaemond start
Courier-IMAP
# cd /usr/ports/mail/courier-imap
# make config accept defaults
# make install clean
edit /etc/rc.conf and add following lines:
courier_imap_imapd_enable="YES"
start the IMAP daemon
# /usr/local/etc/rc.d/courier-imap-imapd start
SquirrelMail
SquirrelMail requires the web application stack. Complete the web stack
installation first, then return here and continue installing SquirrelMail.
Mail attachments are limited to 2MB by the default PHP file upload limit.
# cd /usr/ports/mail/squirrelmail
# make config
# make -D WITH_LDAP install clean
Execute the Squirrelmail configuration utility and configure the following
(minimum) settings:
# cd /usr/local/www/squirrelmail
# ./configure
Server Settings / Domain - domain.dom or server.domain.dom
Server Settings / Update IMAP Settings / Server Software - courier
Create /usr/local/etc/apache22/Includes/squirrelmail.conf (force SSL
connection)
Samba CIFS Server
TODO - complete procedure
Enterprise IT infrastructures typically include Microsoft Windows servers and
workstations. Installing Samba will provide access to shared directories in the
server file system to Microsoft Windows workstations. Samba can also provide
access to shared directories on a Windows server if permitted.
MDB Tools
MDB Tools is an open source project to document the MDB file format used by
Microsoft Jet databases, and provide a set of tools and applications to make
data in Jet databases available on other platforms (built-in access is provided
on current Microsoft Windows platforms). MDB Tools currently has read-only
support for Access 97 (Jet 3) and Access 2000/2002 (Jet 4) formats.
Microsoft Access is a popular RAD (Rapid Application Development)
environment for creating Jet-based database applications. An "Access
database" can be easily developed and deployed within an organization to
solve a specific problem, and generally without involving corporate IT.
However, this often results in a proliferation of incompatible applications and
data repositories, which must eventually be integrated as an enterprise
matures.
Download and extract the mdbtools source to a temporary directory for
building.
Check out https://github.com/brianb/mdbtools for the latest version of the
sources.
Check out http://mdbtools.sourceforge.net for the mailing list and similar.
# mkdir /usr/home/dale/src/
# cd /usr/home/dale/src/
# tar -xzf brianb-mdbtools-3280842-2011-03-22.tar.gz
# cd mdbtools
Install GNU build toolchain needed for mdbtools (review mdbtools INSTALL
file)
install libtool
install automake
install autoconf
# cd /usr/ports/devel/libtool
# make config
# make install clean
# rehash
#
# cd /usr/ports/devel/automake
# make config
# make install clean
# rehash
#
# cd /usr/ports/devel/autoconf
# make config
# make install clean
# rehash
Update glib with portmaster
# portmaster glib
Install txt2man (/usr/ports/textproc/txt2man) which is used by mdbtools to
create man pages (but not a dependency of the port)
Build and install MDB Tools
# cd /usr/home/dale/src/mdbtools
# gmake clean
# ./autogen.sh
# ./configure
# gmake
# gmake install
Web Stack (Apache/MySQL/PHP)
Apache 2.2.x Web Server
Install Apache22 port
# cd /usr/ports/www/apache22
# make config accept defaults
# make install clean accept defaults for any dependency configurations
# rehash
Basic config
# vi /usr/local/etc/apache22/httpd.conf
edit following lines for basic config
ServerAdmin you@example.com
ServerName host.example.com:80
uncomment following line to enable SSL over HTTP (Lucas, Chapter 17)
#Include etc/apache22/extra/httpd-ssl.conf
Configure keys for SSL over HTTP (Lucas, Chapter 17). Client browsers will
report self-signed keys as untrusted, which can be avoided by either having
the key signed by a commercial CA (Certificate Authority), or by configuring
client browsers to trust the certificate (see How to trust a self-signed SSL
browser certificate).
# vi /usr/local/etc/apache22/extra/httpd-ssl.conf
edit following values (same hostname as Common Name in cert)
ServerName host.example.com:443
ServerAdmin you@example.com
SSLCertificateFile "/etc/ssl/selfsigned.crt"
SSLCertificateKeyFile "/etc/ssl/host.key"
Stop and restart Apache
# /usr/local/etc/rc.d/apache22 stop
# /usr/local/etc/rc.d/apache22 start
PHP 5.3.x
Install PHP
# cd /usr/ports/lang/php5
# make config select Apache module
# make install clean
Basic config
# cd /usr/local/etc/
# cp php.ini-production php.ini (or php.ini-development for rigorous error
reporting)
# vi /usr/local/etc/php.ini
uncomment following line:
session.save_path = "/tmp"
edit line to specify timezone:
date.timezone = "America/Edmonton"
Restart Apache
# /usr/local/etc/rc.d/apache22 restart
Install php5-extensions (/usr/ports/lang/php5-extensions). Accept defaults
except for the additional selections noted below.
# cd /usr/ports/lang/php5-extensions
# make config confirm selection as below
# make install clean
php5-extensions configuration
D - selected default
Y - select additional
X - unselect default
CTYPE D
DOM D
FILTER D
GD Y
HASH D
ICONV D
JSON D
MYSQL Y
MYSQLI Y
PDO D
PDO_SQLITE D
SESSION D
SIMPLEXML D
SQLITE D
SQLITE3 D
TOKENIZER D
XML D
XMLREADER D
XMLWRITER D
MySQL 5.5.x
Install MySQL port
# cd /usr/ports/databases/mysql55-server
# make config accept defaults
# make -D BUILD_OPTIMIZED install clean (the build of the previous version
failed when this was not specified)
# rehash
Basic config
set grant tables, start MySQL daemon, configure local and remote root
password, copy my.cnf file, disable TCP networking, add mysql_enable="YES"
to /etc/rc.conf and restart server daemon
verify MySQL support is enabled in /usr/local/etc/php/extensions.ini
# cd /usr/local
# mysql_install_db --user=mysql
# mysqld_safe &
# mysqladmin -u root password 'localpassword'
# mysqladmin -u root -h server.domain.dom password 'remotepassword'
# cp /usr/local/share/mysql/my-medium.cnf /var/db/mysql/my.cnf
# vi /var/db/mysql/my.cnf uncomment skip-networking
# vi /etc/rc.conf add mysql_enable="YES"
# /usr/local/etc/rc.d/mysql-server restart
phpMyAdmin 3.3.x
phpMyAdmin is a convenient web-based application for managing MySQL
databases.
Install phpMyAdmin port
# cd /usr/ports/databases/phpmyadmin
# make config add MYSQLI to configuration
# make install clean
Configure Apache to serve phpMyAdmin using SSL over HTTP (i.e., https:)
# vi /usr/local/etc/apache22/Includes/phpmyadmin.conf and add following lines
Alias /phpmyadmin "/usr/local/www/phpMyAdmin/"
<Directory "/usr/local/www/phpMyAdmin/">
    Options none
    AllowOverride All
    Order Allow,Deny
    Allow from All
</Directory>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteCond %{REQUEST_URI} /phpmyadmin
RewriteRule (.*) https://www.domain.dom/phpmyadmin/ [R]
restart Apache
# /usr/local/etc/rc.d/apache22 restart
Create MySQL user "pma" with all permissions on "phpmyadmin" database
create MySQL user "pma"
# mysql -u root -p
mysql> grant select, insert, update, delete on phpmyadmin.* to \
pma@localhost identified by 'password';
mysql> quit;
Prepare to update the phpMyAdmin config file using the phpMyAdmin
configuration wizard (see http://www.phpmyadmin.net)
# cd /usr/local/www/phpMyAdmin
# mkdir config/
# cp config.inc.php config/
# chmod -R o+rw config (give config file world read-write permission)
Browse to http://www.domain.dom/phpmyadmin/setup to run the
configuration wizard, save the configuration and manually move it back to
the phpMyAdmin root directory
auth_type cookie
extension mysqli
# cd /usr/local/www/phpMyAdmin
# mv config/config.inc.php .
# chmod o-rw config.inc.php (remove world read-write permissions)
# rm -rf config
Enable phpMyAdmin special features (e.g., bookmarks, comments, SQL-
history, tracking mechanism, PDF-generation, column contents
transformation, ...)
# cd /usr/local/www/phpMyAdmin
# mysql -u root -p < scripts/create_tables.sql
# vi config.inc.php and add following lines
$cfg['Servers'][$i]['bookmarktable'] = 'pma_bookmark';
$cfg['Servers'][$i]['relation'] = 'pma_relation';
$cfg['Servers'][$i]['userconfig'] = 'pma_userconfig';
$cfg['Servers'][$i]['table_info'] = 'pma_table_info';
$cfg['Servers'][$i]['column_info'] = 'pma_column_info';
$cfg['Servers'][$i]['history'] = 'pma_history';
$cfg['Servers'][$i]['tracking'] = 'pma_tracking';
$cfg['Servers'][$i]['table_coords'] = 'pma_table_coords';
$cfg['Servers'][$i]['pdf_pages'] = 'pma_pdf_pages';
$cfg['Servers'][$i]['designer_coords'] = 'pma_designer_coords';
if phpMyAdmin later reports new special features are not enabled,
re-edit config.inc.php and add the directed table references.
If the server is for development (not production!), it may be convenient to
prevent phpMyAdmin from automatically logging out users after the default
timeout (5 minutes?).
# vi /usr/local/www/phpMyAdmin/config.inc.php and add following lines
/// increase login timeout (ok because this is a local Dev server!)
// must also increase session.gc_maxlifetime (garbage collection) in php.ini
$cfg['LoginCookieValidity'] = 3600 * 9; // = 60 sec/min * 60 min/hr * 9 hrs
# vi /usr/local/etc/php.ini and edit following lines
;session.gc_maxlifetime = 1440
; max session set to 9 hrs for phpMyAdmin (see LoginCookieValidity in
; /usr/local/www/phpMyAdmin/config.inc.php). For this to work, max garbage
; collection time must be set here to >9hrs = 32500 sec = (60x60x9)+100
session.gc_maxlifetime = 32500
FYI, phpMyAdmin installs the following ports:
php5-mbstring-5.3.8
php5-bz2-5.3.8
php5-openssl-5.3.8
pecl-pdflib-2.1.8
php5-zlib-5.3.8
php5-mcrypt-5.3.8
php5-zip-5.3.8
pecl-APC-3.1.9_1
oniguruma-4.7.1
pdflib-7.0.4
libmcrypt-2.5.8
libltdl-2.4
Maintaining Ports
Utilities
The following tools and commands maintain the additional software installed
on the server not including component projects. For upgrading component
projects, refer to the individual component project setup and maintenance
pages.
portaudit - portaudit periodically checks the version of installed ports for
reported vulnerabilities in a database maintained by the FreeBSD security
team and e-mails the system root a report of any vulnerabilities found. For a
current report, portaudit can be run manually from the command line:
# portaudit -Fda
portsnap - portsnap updates the ports tree with current port information.
# portsnap fetch
# portsnap update
Use "portsnap extract" instead of "portsnap update" the first time portsnap is
used
portmaster - portmaster is used to manage installed ports and upgrade
them to the current version without breaking dependencies or links to other
programs. Current port configurations must be correct because portmaster
will use existing configurations when building upgraded ports.
General Guidelines
Following are general guidelines for updating ports (e.g., due to reported
security vulnerability). Before starting any work, first backup the server, then
manually stop relevant daemons or disable in /etc/rc.conf and reboot (after
the maintenance is complete, re-enable the daemons in /etc/rc.conf and
reboot)
# apache22_enable="YES"
# apache22_http_accept_enable="YES"
# courier_authdaemond_enable="YES"
# courier_imap_imapd_enable="YES"
# courier_imap_pop3d_enable="YES"
# mysql_enable="YES"
OpenSSL
# cd /usr/ports
# portmaster security/openssl
Apache
Backup Apache configuration files:
/usr/local/etc/apache22/httpd.conf
/usr/local/etc/apache22/Includes/*
/usr/local/etc/apache22/extra/*
# cd /usr/ports
# portmaster www/apache22
MySQL Server
Backup MySQL Server configuration file /var/db/mysql/my.cnf
Backup all databases using mysqldump
# mysql -u root -p
mysql> show databases;
# mysqldump -u root -p --all-databases > /backup/backup_mysql_all_databases.sql
# cd /usr/ports
# portmaster databases/mysql51-server/
Test MySQL Server
# /usr/local/etc/rc.d/mysql-server start
Starting mysql.
# mysql_upgrade --datadir=/var/db/mysql -u root -p
PHP5
Backup PHP configuration files
/usr/local/etc/php.ini
/usr/local/etc/php.conf
/usr/local/etc/php/extensions.ini
# cd /usr/ports
# portmaster lang/php5
PHP5 extension
# cd /usr/ports
# portmaster lang/php5-extensions
After upgrade, diff config files to backups and new default files and edit as
needed.
Cyrus-SASL
# cd /usr/ports
# portmaster security/cyrus-sasl2
# portmaster security/cyrus-sasl2-saslauthd
Png
# cd /usr/ports
# portmaster graphics/png
Curl
# cd /usr/ports
# portmaster ftp/curl/
phpMyAdmin
Backup phpMyAdmin configuration file
/usr/local/www/phpMyAdmin/config.inc.php
# cd /usr/ports
# portmaster databases/phpmyadmin
Squirrelmail
# cd /usr/ports
# portmaster mail/squirrelmail
# cd /usr/local/www/squirrelmail
# ./configure
Pcre
# cd /usr/ports
# portmaster devel/pcre