Setup a FreeBSD production Web Server
The quick way, using packages, is presented here. If you really want a secure
web server and have plenty of time, then you should install
Apache from ports and patch it.
1. Install FreeBSD version 5.4 and needed packages
--------------------------------------------------
(Do not install X.org; do install the ports collection.)
1.1 Install Apache
#pkg_add ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-5.4-release/All/apache-1.3.33_1.tbz
Add apache_enable="YES" to rc.conf to start Apache at boot.
1.2 Install PHP
#pkg_add ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-5.4-release/All/php4-4.3.10_2.tbz
Add the following lines to your Apache configuration file (/usr/local/etc/apache/httpd.conf):
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
1.3. Install PHP extensions
1.3.1 Install gd extension for PHP
It is important to install some PHP extensions so that you can host PHP scripts that need those modules for various purposes (PNG or JPEG conversion, for example).
#pkg_add ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-5.4-release/All/php4-gd-4.3.10_2.tbz
(This will also automatically install the library for manipulating PNG files and the JPEG library.)
(Some other libraries will be installed as dependencies.)
1.3.2 Install MySQL shared extension for PHP
#pkg_add ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-5.4-release/All/php4-mysql-4.3.10_2.tbz
This pkg_add command will also install MySQL client.
(mysql-client-4.0.24.tbz)
1.3.3 Install pcre shared extension for PHP
#pkg_add ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-5.4-release/All/php4-pcre-4.3.10_2.tbz
1.3.4 Install session shared extension for PHP
#pkg_add ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-5.4-release/All/php4-session-4.3.10_2.tbz
1.3.5 Install XML shared extension for PHP
#pkg_add ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-5.4-release/All/php4-xml-4.3.10_2.tbz
1.3.6 Install zlib shared extension for PHP
#pkg_add ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-5.4-release/All/php4-zlib-4.3.10_2.tbz
1.4. Install MySQL Server
#pkg_add ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-5.4-release/All/mysql-server-4.0.24.tbz
At this point you should set up a root password for MySQL.
(MySQL also stores passwords for its own users, separate from Unix system accounts.)
2. Optimizing your Web Server for speed
Add the following settings to your /boot/....
kern.ipc.nmbclusters=16384
kern.ipc.maxsockets=16384
For maximum performance, here are some tips for optimizing your web server:
- use a dedicated server (stability, performance)
- use enough memory (1 GB or more, but not less)
- set httpd controls very high (maximum simultaneous connections)
- always know your performance characteristics; monitor your server to discover
bottlenecks
- in Apache httpd.conf, StartServers should be high (the default of 5 is not enough),
MaxClients should be 256, MaxRequestsPerChild should be 10000, disable FancyIndexing, and set
Timeout (the time to wait for a TCP ACK for a complete GET request) to 60 (the default is 300).
3. Security issues
- Install a firewall and block traffic to all ports except 80.
- The Apache web server must be the only service available on the server
(of course, we will also have MySQL).
- Turn off any diagnostic/error message web page (security by obscurity).
- Apache must have limited access to the filesystem.
Monitor user activity, looking for PHP scripts. If you host phpbb2 or other forums,
or CMS programs like PostNuke, PHPNuke or Mambo, always keep your scripts updated.
Deactivate the shell for all users except the admin user (not root; root does not have SSH access
by default). Add 'AllowUsers username' to /etc/ssh/sshd_config so that only username has SSH access.
Permit SSH for that user only from known IPs.
Use /etc/ftpchroot to force users that have an FTP account to see only their home directory.
(Some admins even deactivate FTP since it is an unencrypted service, but major hosting
companies permit FTP because it is used on a large scale by their customers to upload files.)
Remember: using PHP, JSP and CGI may pose security threats.
(Scripts could contain security vulnerabilities such as SQL injection, and vulnerabilities
can also be found in packages like PHP, modules, etc.)
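One way to check the SSH rules above, as an added example that is not part of the original post. It assumes the known-IP restriction is expressed with the USER@HOST form of AllowUsers; the function names sshd_values and audit_sshd and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the SSH rules in section 3.
# Handles the "Keyword value" form only; a constructed sample is at the end.

# Print the arguments of every uncommented line for KEYWORD (case-insensitive).
sshd_values() {   # usage: sshd_values FILE KEYWORD
    awk -v k="$2" 'BEGIN { k = tolower(k) }
        /^[ \t]*#/ { next }
        tolower($1) == k { $1 = ""; sub(/^[ \t]+/, ""); print }' "$1"
}

# Print one finding per line; exit status 0 when the file passes, 1 otherwise.
# The body is a subshell so that "set -f" (no globbing of patterns such as
# admin@*) does not leak into the caller.
audit_sshd() (   # usage: audit_sshd FILE
    set -f
    rc=0
    users=$(sshd_values "$1" AllowUsers)
    if [ -z "$users" ]; then
        echo "FAIL: no AllowUsers line, login is not limited to named users"; rc=1
    fi
    for u in $users; do
        case "$u" in
            root|root@*) echo "FAIL: AllowUsers admits root ($u)"; rc=1 ;;
            *@\*) echo "FAIL: $u does not restrict the source address"; rc=1 ;;
            *@*) ;;   # USER@HOST: login only from that host pattern
            *) echo "FAIL: $u may log in from any address (use ${u}@HOST)"; rc=1 ;;
        esac
    done
    # sshd uses the first PermitRootLogin it reads. Assumption: when the line is
    # absent the FreeBSD default applies, which the page says denies root.
    root=$(sshd_values "$1" PermitRootLogin | head -n 1 | tr 'A-Z' 'a-z')
    case "$root" in
        ""|no) ;;
        *) echo "FAIL: PermitRootLogin is $root"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK: $1"
    exit "$rc"
)

# Constructed sample (not from the page): one unrestricted user, root allowed.
sample=$(mktemp /tmp/sshd_audit.XXXXXX)
cat > "$sample" <<'EOF'
PermitRootLogin yes
AllowUsers admin bob@192.0.2.10
EOF
audit_sshd "$sample" || true
rm -f "$sample"
```

Run it against /etc/ssh/sshd_config after editing and before restarting sshd; a non-zero exit status means at least one rule from this section is not met.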
Installing Zend Optimizer
If you run scripts on your web server that are encoded with Zend Encoder (or want to offer your customers support for Zend-encoded PHP scripts), you should install Zend Optimizer, which can be downloaded for free from www.zend.com (you will need to create an account).
After downloading Zend Optimizer, unzip it and run install.sh.
On FreeBSD 5.4 you might get an error when installing Zend Optimizer:
/usr/libexec/ld-elf.so.1: Shared object "libm.so.2" not found, required by "php"
To fix the problem and continue with the installation, just create a symbolic link:
#ln -s /lib/libm.so.3 /lib/libm.so.2
Then continue with the Zend installation.
Now you have a ready-to-use web server.
Tuesday, 28 May 2013