Super Server APACHE+MYSQL+PHP+SSL Complete installation strategy (2)

Source: Internet
Author: User
PHP installation (UNIX)

Now install the PHP language. You have downloaded the latest beta version, but you may have to download a non beta version. Remember that the beta version requires GNU make.

We still assume you are root; if not, su back to root.

PHP requires that you have preconfigured Apache so that it knows where it needs to be. You will be back here when you install the Apache server later. Change to the directory where you have the source code.

# cd /tmp/download
# gunzip -c apache_1.3.x.tar.gz | tar xf -
# cd apache_1.3.x
# ./configure
# cd ..

OK, now you can start installing PHP. Extract the source archive and enter its directory. If you downloaded version 3, the version numbers and commands change slightly, but not by much.

# gunzip -c php-4.0.x.tar.gz | tar xf -
# cd php-4.0.x

If you are compiling code, configure will always be your friend. :-) configure has many options; use ./configure --help to decide what you want to add. I just need MySQL and LDAP, and of course Apache.

# ./configure --with-mysql=/usr/local/mysql \
    --with-xml \
    --with-apache=../apache_1.3.x \
    --enable-track-vars \
    --with-ldap

Build and install the binaries.

# make
# make install

Copy the ini file to the lib directory.

# cp php.ini-dist /usr/local/lib/php.ini

You can edit php.ini to set PHP options. For example, you can set PHP's max_execution_time by inserting the following line into your php.ini file.

max_execution_time = 60;

Note: PHP3 users will use php3.ini, and PHP4 users will use php.ini.

Apache and mod_ssl

Now configure and install mod_ssl and Apache. For this you will need the rsaref-2.0 files. Search for "rsaref20.tar.Z" on http://ftpsearch.lycos.com/. If you don't like Lycos, you can use another search engine to find the file. Of course, you only need this file if you are in the United States. (Never mind that, you can also download it from elsewhere: search for "rsaref20.tar.Z" at http://ftpsearch.ntnu.no/ and you will find plenty.)

Create the rsaref directory and extract the files into it. Note: this assumes that you downloaded the archive into a temporary directory and that you are in that directory.

# mkdir rsaref-2.0
# cd rsaref-2.0
# gzip -d -c ../rsaref20.tar.Z | tar xvf -
# cd ..

Now configure and build the RSAref library that OpenSSL will link against.

# cd rsaref-2.0
# cp -rp install/unix local
# cd local
# make
# mv rsaref.a librsaref.a
# cd ../..

Install OpenSSL. Remember, you will use it to create temporary certificates and CSR files. The --prefix option specifies the main installation directory.

# cd openssl-0.9.x
# ./config --prefix=/usr/local/ssl \
    -L`pwd`/../rsaref-2.0/local/ rsaref -fPIC

Now make, test, and install it.

# make

# make test
# make install
# cd ..

We will configure the mod_ssl module and then specify it as a loadable module in the Apache configuration.

# cd mod_ssl-2.5.x-1.3.x
# ./configure \
    --with-apache=../apache_1.3.x
# cd ..

Now we can add more Apache modules to the Apache source tree. The optional --enable-shared=ssl option builds mod_ssl as a DSO, "libssl.so". For more information on DSO support in Apache, read the INSTALL and htdocs/manual/dso.html documents in the Apache source tree. I strongly recommend that ISPs and package maintainers use the DSO facility for the most flexible use of mod_ssl, but note that Apache does not support DSO on all platforms.

# cd apache_1.3.x
# SSL_BASE=../openssl-0.9.x \
    RSA_BASE=../rsaref-2.0/local \
    ./configure --enable-module=ssl \
    --activate-module=src/modules/php4/libphp4.a \
    --enable-module=php4 --prefix=/usr/local/apache \
    --enable-shared=ssl \
    [... you can add more options ...]

Build Apache, then generate the certificate, and install ...

# make

If you have done it correctly, you will get information similar to the following:

+-----------------------------------------------------------------------+
| Before you install the package you now should prepare the SSL         |
| certificate system by running the 'make certificate' command.         |
| For different situations the following variants are provided:         |
|                                                                       |
| % make certificate TYPE=dummy    (dummy self-signed Snake Oil cert)   |
| % make certificate TYPE=test     (test cert signed by Snake Oil CA)   |
| % make certificate TYPE=custom   (custom cert signed by own CA)       |
| % make certificate TYPE=existing (existing cert)                      |
|        CRT=/path/to/your.crt [KEY=/path/to/your.key]                  |
|                                                                       |
| Use TYPE=dummy    when you're a vendor package maintainer,            |
| the TYPE=test     when you're an admin but want to do tests only,     |
| the TYPE=custom   when you're an admin willing to run a real server   |
| and TYPE=existing when you're an admin who upgrades a server.         |
| (The default is TYPE=test)                                            |
|                                                                       |
| Additionally add ALGO=RSA (default) or ALGO=DSA to select             |
| the signature algorithm used for the generated certificate.           |
|                                                                       |
| Use 'make certificate VIEW=1' to display the generated data.          |
|                                                                       |
| Thanks for using Apache & mod_ssl.        Ralf S. Engelschall         |
|                                           rse@engelschall.com         |
|                                           www.engelschall.com         |
+-----------------------------------------------------------------------+

Now you can create a custom certificate. This option prompts you to enter your address, company, and other items. For certificates, see the end of this article.

# make certificate TYPE=custom

Now install Apache ...

# make install

If everything works, you should see something similar to the following:

+--------------------------------------------------------+
| You now have successfully built and installed the      |
| Apache 1.3 HTTP server. To verify that Apache actually |
| works correctly you now should check the               |
| (initially created or preserved) configuration files   |
|                                                        |
|   /usr/local/apache/conf/httpd.conf                    |
|                                                        |
| and then you should be able to immediately fire up     |
| Apache the first time by running:                      |
|                                                        |
|   /usr/local/apache/bin/apachectl start                |
|                                                        |
| Or when you want to run it with SSL enabled use:       |
|                                                        |
|   /usr/local/apache/bin/apachectl startssl             |
|                                                        |
| Thanks for using Apache.       The Apache Group        |
|                                http://www.apache.org/  |
+--------------------------------------------------------+

Now verify that Apache and PHP are working. First, however, we need to edit srm.conf and httpd.conf to make sure the PHP types are added to the configuration. Open httpd.conf and uncomment the following lines. If you followed the instructions in this article exactly, your httpd.conf file will be in the /usr/local/apache/conf directory. The file contains commented-out AddType lines for PHP4; remove the comment markers now.

httpd.conf fragment

>
> # And for PHP 4.x, use:
> #
---> AddType application/x-httpd-php .php
---> AddType application/x-httpd-php-source .phps
>
>

Now we're ready to start the Apache server to see if it's working. First we will start the server without SSL support to see if it starts. We will check the PHP support, then stop the server, start the SSL-enabled server, and check that everything is all right. configtest checks that the configuration is set up correctly.

# cd /usr/local/apache/bin
# ./apachectl configtest
Syntax OK
# ./apachectl start
./apachectl start: httpd started

To test our work

Is Apache working?

If it works properly, when you connect to the server with Netscape, you will see a screen similar to the one captured on this screen. This is essentially the Apache default installation page.

Note: You can connect to the server using the domain name or the actual IP address of the machine. Check both of these situations to make sure everything is working properly.

Is PHP support working?

Now test the PHP support ... Create a file (named test.php) with the following content. The file needs to be located under the document root, which by default is set to /usr/local/apache/htdocs. Note that this depends on the prefix we chose previously; however, it can be changed in httpd.conf. Setting up multiple virtual hosts will be covered in another article; please note that this article covers only some very basic options for installing Apache and its directives.

test.php file

<?php
phpinfo();
?>

It displays information about the server, PHP, and the environment. Below is the screen grab at the top of the output page.

It's cool, PHP works.

Is the SSL option working?

OK, now we're ready to test SSL. First stop the server and restart it with the option that enables SSL.

# /usr/local/apache/bin/apachectl stop
# /usr/local/apache/bin/apachectl startssl

Test whether it works by connecting to the server with Netscape and selecting the HTTPS protocol, namely https://yourserver.yourdomain.com or http://yourserver.yourdomain.com:443. You can also try your server's IP address, namely https://xxx.xxx.xxx.xxx and http://xxx.xxx.xxx.xxx:443.

If it works, the server sends its certificate to the browser to establish a secure connection. The browser will then prompt you to accept the certificate you signed yourself. If it were a certificate from VeriSign or Thawte, the browser would not prompt you, because the certificate would come from a trusted certificate authority (CA). In our case, we create and sign our own certificates ... we don't want to buy one right away. First of all, we want to make sure that everything works.

You'll see it in Netscape. The following options are enabled. This will tell you that a secure connection has been established.

Can PHP and MySQL work together?

Now we can make sure that PHP works with MySQL by creating a simple script that inserts and deletes data from the "test2" database. It's just a simple script to test whether it's working. In another article we will discuss PHP scripts that connect to a MySQL database. Remember that we have created a database and a table. We could finish it now, but I choose not to; I want to check it again. Root has permission to create databases and tables; however, PHP provides MySQL support, so I can easily write code to create a test database and several records.

Remember we created the book database before. If you skipped the previous part, this section will not work. We created a test2 database with a "books" table and inserted a record for a book.

This script basically browses the table and lists all the field names, and it's really simple.

<?php
// Connection settings for the test database
$dbuser = "root";
$dbhost = "localhost";
$dbpass = "password";
$dbname = "test2";
$dbtble = "books";

// Connect, then fetch the column metadata of the table
$mysql_link = mysql_connect($dbhost, $dbuser, $dbpass);
$column = mysql_list_fields($dbname, $dbtble, $mysql_link);

// Print one field name per line
for ($i = 0; $i < mysql_num_fields($column); $i++)
{
    print mysql_field_name($column, $i) . "<br>";
}
?>


A more complex example will show you some of PHP's fantastic features.




<html>
<head>
<title>Example 2 -- More details</title>
</head>
<body bgcolor="white">
<?php
$dbuser = "root";
$dbhost = "localhost";
$dbpass = "password";
$dbname = "test2";
$dbtable = "books";

//------ DATABASE CONNECTION --------//
$mysql_link = mysql_connect($dbhost, $dbuser, $dbpass);
$column = mysql_list_fields($dbname, $dbtable, $mysql_link);
$sql = "SELECT * FROM $dbtable";
$result = mysql_db_query($dbname, $sql);
?>
<table bgcolor="black">
<tr><td>
<table>
</table>
</td></tr>
</table>
</body>
</html>


Notice that we can have both HTML and PHP commands in the same file. This is the magic of PHP scripts.

Settings for Virtual hosts

It's time to set up Apache to handle some virtual hosts. Because of the flexibility that Apache offers, virtual hosts are very simple to set up. First, you need a DNS server to point the domain name of the virtual host to the IP address of the Web server. Use a CNAME record in DNS to point your_virtual_domain.com to the IP of the server. Second, you need to modify the Apache configuration file httpd.conf to add the new virtual domain names. Remember, this is just a very basic example; be brave and read the documentation for Apache's directives.

Let's look at a httpd.conf example.

httpd.conf fragment

#--------------------------------------------------------#
# VIRTUAL HOST SECTION NON-SSL
#--------------------------------------------------------#

# The VirtualHost directive allows you to specify another virtual
# domain on your server. Most Apache options can be specified
# within this section.
<VirtualHost www.domain1.com>

# Mail to this address on errors
ServerAdmin webmaster@domain1.com

# Where documents are kept in the virtual domain.
# This is an absolute path, so I want to put it
# in a location where the owner can get to it.
DocumentRoot /home/vhosts/domain1.com/www/

# Since we will use PHP to create basically
# all our files, we put a directive for the index file.
DirectoryIndex index.php

# Name of the server
ServerName www.domain1.com

# Log files relative to the ServerRoot option
ErrorLog logs/domain1.com-error_log
TransferLog logs/domain1.com-access_log
RefererLog logs/domain1.com-referer_log
AgentLog logs/domain1.com-agent_log

# Use CGI scripts in this domain. In the next case you
# can see that it does not have CGI scripts. Please
# read up on the security issues relating to CGI scripting.
ScriptAlias /cgi-bin/ /var/www/cgi-bin/domain1.com/
AddHandler cgi-script .cgi
AddHandler cgi-script .pl

</VirtualHost>

# This is another domain. Note that you could host
# multiple domains this way ...
<VirtualHost www.domain2.com>

# Mail to this address on errors
ServerAdmin webmaster@domain2.com

# Where documents are kept in the virtual domain
DocumentRoot /virtual/domain2.com/www/html

# Name of the server
ServerName www.domain2.com

# Log files relative to the ServerRoot option
ErrorLog logs/domain2.com-error_log
TransferLog logs/domain2.com-access_log
RefererLog logs/domain2.com-referer_log
AgentLog logs/domain2.com-agent_log

# No CGIs for this host

</VirtualHost>

# End: virtual host section

Use the example above to create your own virtual hosts on your server. If you want to read up on each directive, the Apache website's URL is: http://www.apache.org.

SSL Virtual Host

Creating an SSL virtual host is similar to creating a non-SSL one. Apart from specifying some additional directives, you still need to add a DNS record and modify httpd.conf. Here's an example.

#--------------------------------------------#
# SSL Virtual Host Context
#--------------------------------------------#
<VirtualHost www.securedomain1.com:443>

# General setup for the virtual host
DocumentRoot /usr/local/apache/htdocs
ServerAdmin webmaster@securedomain1.com
ServerName www.securedomain1.com
ErrorLog logs/domain1.com-error_log
TransferLog logs/domain1.com-transfer_log

# SSL Engine Switch:
# Enable/disable SSL for this virtual host.
SSLEngine on

# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A test
# certificate can be generated with 'make certificate' under
# built time. Keep in mind that if you've both a RSA and a DSA
# certificate you can configure both in parallel (to also allow
# the use of DSA ciphers, etc.)
# Note that I keep my certificate files in one
# location. You could change this if you are an ISP or ASP.
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt

# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key

# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog /usr/local/apache/logs/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

Remember that there are many more directives you can specify. We'll discuss them in another article about configuring Apache; this article is just an introductory guide.

Generate certificate

This is a step-by-step description of how certificates are generated.

Create an RSA private key for your Apache server (Triple-DES encrypted and in PEM format):

# openssl genrsa -des3 -out server.key 1024

Please back up this server.key file in a safe place. Remember the pass phrase you entered! You can see the details of this RSA private key with the following command.

# openssl rsa -noout -text -in server.key

And you can create a decrypted PEM version of this RSA private key (not recommended) with the following command:

# openssl rsa -in server.key -out server.key.unsecure

Generate a Certificate Signing Request (CSR) with the server RSA private key (output will be in PEM format):

# openssl req -new -key server.key -out server.csr

When OpenSSL prompts you for the "CommonName", make sure you enter the FQDN ("Fully Qualified Domain Name") of the server; that is, when you generate a CSR for a Web site that will later be accessed via https://www.foo.dom/, enter "www.foo.dom" here. You can use the following command to view the details of the CSR:

# openssl req -noout -text -in server.csr

Send CSR to a CA

Now you have to send the CSR to a CA to sign, and then the result is a real certificate that can be used for Apache.

There are two options:

First, you can sign a certificate through a commercial CA such as VeriSign or Thawte. Then you usually have to post a CSR in a Web form, pay the signing fee and wait for the signed certificate, and then you can put it in a server.crt file. For more information about commercial CAs, see the following links:

Verisign - http://digitalid.verisign.com/server/apachenotice.htm
Thawte Consulting - http://www.thawte.com/certs/server/request.html
Certisign Certificadora Digital Ltda. - http://www.certisign.com.br
IKS GmbH - http://www.iks-jena.de/produkte/ca/
Uptime Commerce Ltd. - http://www.uptimecommerce.com
BelSign NV/SA - http://www.belsign.be

Your own CA

Second, you can use your own CA and have it sign the CSR. You can create your own certificate authority to sign the certificate. The easiest way to do this is to use the CA.sh or CA.pl script provided by OpenSSL. The more complex, manual approach is:

Create an RSA private key for your CA (Triple-DES encrypted and in PEM format):

# openssl genrsa -des3 -out ca.key 1024

Please back up this ca.key file in a safe place. Remember the pass phrase you entered! You can see the details of this RSA private key with the following command.

# openssl rsa -noout -text -in ca.key

And you can create a decrypted PEM version of this RSA private key (not recommended) with the following command:

# openssl rsa -in ca.key -out ca.key.unsecure

Create a self-signed CA certificate (X509 structure) using the CA's RSA key (output will be in PEM format):

# openssl req -new -x509 -days 365 -key ca.key -out ca.crt

You can view the details of the certificate with the following command:

# openssl x509 -noout -text -in ca.crt

Prepare a signing script. The "openssl ca" command has some strange requirements, and the default OpenSSL configuration does not allow simple direct use of the "openssl ca" command, so a script named sign.sh is distributed with mod_ssl (subdirectory pkg.contrib/). Use this script for signing.

Now you can have this CA sign the server's CSR to create a real SSL certificate for use inside the Apache server (assuming you already have a server.csr on hand):

# ./sign.sh server.csr

This signs the server's CSR and produces a server.crt file.

Now you have two files: server.key and server.crt. In your Apache httpd.conf file, use them as follows:

SSLCertificateFile /path/to/this/server.crt
SSLCertificateKeyFile /path/to/this/server.key

The server.csr file is no longer needed.
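
The certificate procedure above, run end to end, as an added example that is not part of the original article: it creates the CA and server material non-interactively and then runs the checks worth doing before httpd.conf is pointed at the files. Assumptions: 2048-bit keys instead of the article's 1024, "openssl x509 -req" in place of mod_ssl's sign.sh, a constructed throwaway pass phrase, and the hypothetical function names make_test_pki and check_cert_pair.

```sh
#!/bin/sh
# Added example, not the article's or mod_ssl's own code.
# Assumptions: 2048-bit keys, "openssl x509 -req" instead of sign.sh,
# and a constructed throwaway pass phrase. Function names are hypothetical.

# make_test_pki DIR FQDN PASS: create ca.key, ca.crt, server.key, server.csr
# and server.crt in DIR, in the same order as the article's steps.
make_test_pki() {
    (
        cd "$1" || exit 1
        openssl genrsa -des3 -passout "pass:$3" -out ca.key 2048 &&
        openssl req -new -x509 -days 365 -key ca.key -passin "pass:$3" \
            -subj "/O=Constructed Test CA/CN=Constructed Test CA" -out ca.crt &&
        openssl genrsa -des3 -passout "pass:$3" -out server.key 2048 &&
        openssl req -new -key server.key -passin "pass:$3" \
            -subj "/O=Constructed Test Org/CN=$2" -out server.csr &&
        openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key \
            -passin "pass:$3" -CAcreateserial -out server.crt
    ) >/dev/null 2>&1
}

# check_cert_pair KEY CERT CA FQDN PASS: print one line per failed check and
# return 0 only if every check passes.
check_cert_pair() {
    key=$1 cert=$2 ca=$3 fqdn=$4 pass=$5 rc=0

    # 1. The certificate must verify against the CA that signed it.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL chain: $cert does not verify against $ca"; rc=1; }

    # 2. The certificate must carry the public half of this private key,
    #    otherwise the server cannot use the pair.
    kpub=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout 2>/dev/null) || kpub=
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || cpub=
    { [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]; } ||
        { echo "FAIL keypair: $key does not belong to $cert"; rc=1; }

    # 3. The CommonName must be the FQDN that clients put in the https URL.
    openssl x509 -in "$cert" -noout -checkhost "$fqdn" 2>/dev/null |
        grep -q "does match certificate" ||
        { echo "FAIL name: $cert is not valid for $fqdn"; rc=1; }

    # 4. Flag RSA keys shorter than 2048 bits.
    bits=$(openssl x509 -in "$cert" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] ||
        { echo "FAIL size: ${bits:-unknown}-bit key in $cert"; rc=1; }

    return $rc
}

# Demo on throwaway material (all values constructed for this example).
DEMO_DIR=$(mktemp -d)
DEMO_PASS="constructed-pass-phrase"
make_test_pki "$DEMO_DIR" www.foo.dom "$DEMO_PASS" &&
    check_cert_pair "$DEMO_DIR/server.key" "$DEMO_DIR/server.crt" \
        "$DEMO_DIR/ca.crt" www.foo.dom "$DEMO_PASS" &&
    echo "OK: key, certificate, CA and host name are consistent"
```

Run against a certificate made with the article's 1024-bit commands, the size check reports a failure while the other three checks still pass.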

