freebsd start.rtf

Upload: chemwolit

Post on 14-Apr-2018


  • 7/27/2019 freebsd start.rtf

    1/38

    How to build a FreeBSD server


    A server is not all things to all people. The server described here is intended
    primarily for serving web-based applications and providing Microsoft Windows
    file sharing to a local or distributed work team, either connected directly to
    the internet through an ISP or through an enterprise IT infrastructure. DNS or
    DHCP, if available, are assumed to be provided by the ISP or enterprise IT
    infrastructure. Print services are assumed to be provided through local
    printers, the enterprise IT infrastructure, or by workstation peer-to-peer
    printer sharing (i.e., not by this server).

    It is generally assumed that client workstations will use Microsoft Windows,
    and if an enterprise infrastructure exists, it will be based primarily on
    Microsoft Windows servers. However, this doesn't need to be the case.


    References

    This procedure is based on FreeBSD 8.2-RELEASE, taking direction from a
    number of sources, primarily:

    Building a Server with FreeBSD 7 by Bryan Hong ("Hong"), [1]

    Absolute FreeBSD by Michael Lucas ("Lucas"), [2]

    The FreeBSD Handbook by the FreeBSD Project ("Handbook"), [3]

    Other sources include the FreeBSD Diary (http://www.freebsddiary.org),
    FreeBSD Made Easy (http://www.freebsdmadeeasy.com), and numerous blogs
    and forum postings.

    Base System


    Provision a basic x86 platform:

    - Popular proven motherboard (e.g., Intel brand desktop board with on-board
      graphics and on-board LAN), x86 processor and RAM. A single-core 2GHz P4
      with 512MB RAM can be adequate for a low-traffic website with an
      Apache/MySQL/PHP web stack.

    - Primary system drive (e.g., 500GB)

    - Secondary backup drive with the same or greater capacity as the primary
      drive

    - DVD drive to simplify installing FreeBSD (with BIOS support for booting
      from the DVD; complete USB installs and bootstrapped network installs are
      also possible)

    Download the FreeBSD 8.2-RELEASE CD/DVD ISO using the torrent available on
    http://www.freebsd.org and perform a basic system install, using automatic
    settings for disk partition and slices. Refer to the Handbook, Hong, Lucas,
    or any number of on-line tutorials.

    Use sysinstall to configure the backup drive (partition and slice), and add
    the drive and mount point to /etc/fstab so it is automatically mounted during
    system boot. See Hong.

    Update FreeBSD using freebsd-update and reboot.

    # freebsd-update fetch

    # freebsd-update install

    # shutdown -r now

    Update the FreeBSD ports tree using portsnap instead of cvsup.

    Initial update:


    # portsnap fetch

    # portsnap extract

    Subsequent updates (before installing or updating a port):

    # portsnap fetch

    # portsnap update

    Install portmaster (/usr/ports/ports-mgmt/portmaster) for performing ports
    maintenance, such as upgrading a port.

    Install portaudit (/usr/ports/ports-mgmt/portaudit) for automatically
    reporting security issues with installed ports.

    DDNS Client

    Install a DDNS client if the server will use a dynamic IP address and a DDNS
    service (e.g., No-IP.com). E.g., install the No-IP.com DDNS client:

    # cd /usr/ports/dns/noip

    # make install clean

    Follow the instructions to create /usr/local/etc/no-ip2.conf and enable the
    DDNS client by editing /etc/rc.conf.

    OpenSSL

    Keep the version of OpenSSL included in the base system instead of replacing
    it with the current version in the ports tree (the base system includes
    OpenSSL v0.9.8; the version in the ports tree as of 2011-10-09 is v1.0.0).
    Add WITH_OPENSSL_BASE="YES" to /etc/make.conf to prevent the Ports
    Collection from building the security/openssl port if a port has an OpenSSL
    dependency (see Handbook, Section 15.8).

    Create SSL hostkey and self-signed certificate for SSL over HTTP.

    # openssl version

    OpenSSL 0.9.8q 2 Dec 2010

    # make search name=openssl | grep Port

    ...

    Port: openssl-1.0.0_6

    ...

    #

    edit defaults in /etc/ssl/openssl.cnf (key names as they appear in the
    stock openssl.cnf: 0.organizationName_default, organizationalUnitName_default
    and emailAddress_default)

    default_days = 1095
    countryName_default = CA
    stateOrProvinceName_default = Alberta
    0.organizationName_default = dalescott.net
    localityName_default = Calgary
    organizationalUnitName_default = Authorial Division
    commonName_default = www.dalescott.net
    emailAddress_default = [email protected]

    Create a self-signed SSL host certificate either using openssl directly, or
    using the CA.pl script.

    Use openssl directly

    # cd /etc/ssl/

    generate SSL host key, make read/write only by root

    # openssl genrsa 1024 > host.key

    # chmod 600 host.key

    create certificate request, don't enter challenge password or optional

    company name

    # openssl req -new -key host.key -out csr.pem

    self-sign certificate

    # openssl x509 -req -days 1095 -in csr.pem -signkey host.key -out selfsigned.crt
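    As an added example (not the page's or the FreeBSD project's code), the same "use openssl directly" steps as a non-interactive shell function that writes host.key and selfsigned.crt, the files httpd-ssl.conf points at later. It deliberately goes beyond the page: a 2048-bit key instead of 1024, the subject taken from a generated config instead of the prompts, a subjectAltName so browsers match the hostname, and a check that the key and certificate share a modulus before Apache is configured with them. The directory, hostname, organisation and validity are parameters and the values shown are assumptions.

```shell
#!/bin/sh
# Added example, not code from the page: non-interactive equivalent of the
# "Use openssl directly" steps, with a 2048-bit key, a subjectAltName and a
# key/certificate consistency check.  Parameters are assumptions:
#   $1 directory for the files (the page uses /etc/ssl)
#   $2 hostname used as Common Name and SAN
#   $3 validity in days (the page's default is 1095)
#   $4 organisation for the O= field

make_selfsigned() {
    dir="$1"; host="$2"; days="${3:-1095}"; org="${4:-example.com}"
    cfg="$dir/selfsigned.cnf"

    # The key is created under umask 077 in a subshell so it is never
    # world-readable, not even briefly, before the chmod (the page's chmod 600).
    ( umask 077 && openssl genrsa -out "$dir/host.key" 2048 2>/dev/null ) || return 1
    chmod 600 "$dir/host.key" || return 1

    # Subject fields follow the page's openssl.cnf defaults; prompt = no replaces
    # the interactive questions (and the challenge password, left empty).  The
    # [ ext ] section adds the SAN that browsers check instead of the CN.
    cat > "$cfg" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
C  = CA
ST = Alberta
L  = Calgary
O  = $org
OU = Authorial Division
CN = $host
[ ext ]
subjectAltName = DNS:$host
basicConstraints = CA:FALSE
EOF
    openssl req -new -key "$dir/host.key" -config "$cfg" \
        -out "$dir/csr.pem" 2>/dev/null || return 1
    openssl x509 -req -days "$days" -in "$dir/csr.pem" -signkey "$dir/host.key" \
        -extfile "$cfg" -extensions ext -out "$dir/selfsigned.crt" 2>/dev/null || return 1
    rm -f "$dir/csr.pem" "$cfg"

    # Do not hand Apache a mismatched pair: a key and certificate belong
    # together only if their RSA moduli are identical.
    key_matches_cert "$dir/host.key" "$dir/selfsigned.crt"
}

# Succeeds only if the RSA modulus in key $1 equals the one in certificate $2.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -noout -modulus 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Print the Common Name of certificate $1 (handles both the old "/CN=host"
# and the newer "CN = host" subject formats printed by openssl).
cert_subject_cn() {
    openssl x509 -in "$1" -noout -subject 2>/dev/null | sed 's/.*CN *= *//'
}

# Usage on the server, as root (commented out so the file can be sourced):
# make_selfsigned /etc/ssl www.dalescott.net 1095 dalescott.net
```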

    Use CA.pl

    Although OpenSSL is installed as part of the FreeBSD base, the complete
    contents of the OpenSSL port are not installed, including the popular CA.pl
    perl script for using openssl. If you installed FreeBSD with its sources,
    CA.pl can probably be found here:

    /usr/src/crypto/openssl/apps/CA.pl

    or alternatively, CA.pl can be extracted from an OpenSSL tarball:

    # cd /usr/ports/security/openssl

    # make fetch

    # mkdir ~/temp/

    # cd ~/temp/

    # tar -xzf /usr/ports/distfiles/openssl-1.0.0e/openssl-1.0.0e.tar.gz

    # mkdir /etc/ssl/certs

    # cp ~/temp/openssl-1.0.0e/apps/CA.pl /etc/ssl/certs/

    # chmod 744 /etc/ssl/certs/CA.pl

    # rm -r ~/temp/

    and then proceed with creating keys and certificates.

    # cd /etc/ssl/certs/

    create a certificate authority (CA)

    - Common Name can be company name (i.e., not server name)

    - enter same PEM passphrase at 2nd prompt as entered at 1st prompt

    # ./CA.pl -newca

    create an encrypted host key and certificate request

    - Common Name must be server name

    - for convenience, same PEM passphrase can be entered at prompt as used
    for CA

    # ./CA.pl -newreq

    sign encrypted host key with certificate authority

    - enter same PEM passphrase at prompt as used to create host key

    # ./CA.pl -signreq

    copy the CA certificate and encrypted CA key, the signed host certificate and
    the encrypted host key to meaningful filenames

    # cp newcert.pem host.example.com-cert.pem

    # cp newkey.pem host.example.com-encrypted-key.pem

    # cp demoCA/cacert.pem example.com-CAcert.pem

    # cp demoCA/private/cakey.pem example.com-encrypted-CAkey.pem

    unencrypt host key and change permissions for security

    - enter PEM passphrase used to create host key at prompt

    # openssl rsa -in host.example.com-encrypted-key.pem -out host.example.com-unencrypted-key.pem

    # chmod 400 host.example.com-unencrypted-key.pem

    convert CA certificate to DER format for Microsoft Windows clients

    # openssl x509 -in example.com-CAcert.pem -inform PEM -out example.com-CAcert.cer -outform DER

    copy DER-encoded certificate to users (e.g., email)

    - the 2nd filename given will not be physically created (i.e., the 1st file won't
    be overwritten)

    # uuencode example.com-CAcert.cer example.com-CAcert.cer | mail -s "Subject-text" [email protected]

    - some mail clients may block the certificate file for security reasons (e.g.,
    MS Outlook); in this case, zip the binary certificate first before emailing it

    # zip example.com-CAcert.cer.zip example.com-CAcert.cer

    # uuencode example.com-CAcert.cer.zip example.com-CAcert.cer.zip | mail -s "Subject-text" [email protected]

    TODO

    - consider any clarity gained by using CA.pl to create keys for SSL over HTTP
    (as per Hong), especially if CA.pl will be used to create keys for OpenVPN

    - add creating server keys for OpenVPN (describe creation of keys under the
    OpenVPN section)

    - consider any consolidation possible between keys for SSL over HTTP and
    keys for OpenVPN

    - consider publishing the CA public key and server public key on the
    enterprise website (e.g., SCC QMS)

    OpenSSH

    Keep the version of OpenSSH included in the base system instead of
    replacing it with the current version in the ports tree (the base system
    includes OpenSSH v5.4; the version in the ports tree as of 2011-10-09 is
    v5.2). No configuration is required.

    # telnet localhost 22

    Trying 127.0.0.1...

    Connected to localhost.


    Escape character is '^]'.

    SSH-2.0-OpenSSH_5.4p1 FreeBSD-20100308

    ...

    # make search name=openssh | grep Port

    ...

    Port: openssh-portable-5.2.p1_4,1

    ...

    #

    TODO

    - consider publishing the public server SSH key on the enterprise website
    (e.g., SCC QMS)

    NTP

    Use the version of NTP included in the base system instead of installing a
    newer version from the ports tree (the base system includes v4.2.4; the
    version in the ports tree as of 2011-10-09 is v4.2.6). The only configuration
    required is to enable the ntpd daemon in /etc/rc.conf (although editing the
    list of NTP servers used in /etc/ntp.conf may improve time synchronization).

    ntpd_enable="YES"

    Backups

    Implement a basic backup procedure using a daily full system dump.

    Create a shell script to back up the system drive file system to the backup
    drive. THIS SCRIPT DOES NOT DELETE OLD BACKUP DUMPS, YOU MUST
    MONITOR BACKUP DRIVE CAPACITY AND DELETE OLD DUMPS MANUALLY AS
    NEEDED. Adding deletion of old backup dumps to the script is left as an
    exercise for the reader (and sharing back your solution would be sincerely
    appreciated!).

    # cat /root/bin/mydump_daily

    #!/bin/sh
    ####################################
    #
    # Create filesystem backup dump
    # - creates dated backup dir and separately dumps /, /var, and /usr
    # - execution must start AND complete on same calendar day!
    # - does not cleanup old backup dir's - manage diskspace manually!
    #
    ####################################
    echo Backup Started `date` >> /backup/backuplog
    mkdir /backup/`date +%Y%m%d`
    dump -0 -a -L -f /backup/`date +%Y%m%d`/root.ad4s1a.dump /
    dump -0 -a -L -f /backup/`date +%Y%m%d`/var.ad4s1d.dump /var
    dump -0 -a -L -f /backup/`date +%Y%m%d`/usr.ad4s1f.dump /usr
    echo Backup Completed `date` >> /backup/backuplog

    #

    Edit the system crontab file (/etc/crontab) to schedule the backup for
    running daily by appending the following:

    #######
    #
    # Custom system maintenance
    #
    # 2011-07-11 dale scott backup system @ 02:01 daily (2:01 AM)
    1 2 * * * root /root/bin/mydump_daily
    #
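    The pruning the page leaves as an exercise, as an added example that is not the page's script: a sourceable variant of mydump_daily that takes the date once (so a run crossing midnight still lands in one directory), refuses to dump when the backup root is not actually a mount point, and removes all but the newest KEEP dated dump directories. It assumes the page's layout (/backup/YYYYMMDD/*.dump, /backup/backuplog and the ad4s1* device names); KEEP=7 is an example value.

```shell
#!/bin/sh
# Added example, not the page's own script: mydump_daily with the date taken
# once, a mount check, and pruning of old dated dump directories.  Assumes
# the page's layout (/backup/YYYYMMDD/*.dump, /backup/backuplog) and device
# names (ad4s1a, ad4s1d, ad4s1f), which must match your own fstab.

BACKUP_ROOT="${BACKUP_ROOT:-/backup}"
KEEP="${KEEP:-7}"   # number of dated dump directories to retain (example value)

# List the dated dump directories under $1, oldest first, that are NOT among
# the newest $2.  Only names of exactly eight digits (YYYYMMDD) qualify, so
# backuplog or anything else living under the backup root is never touched.
dumps_to_prune() {
    root="$1"; keep="$2"
    ls -1 "$root" 2>/dev/null | grep -E '^[0-9]{8}$' | sort |
        awk -v keep="$keep" '{ d[NR] = $0 }
                             END { for (i = 1; i <= NR - keep; i++) print d[i] }'
}

# Remove everything dumps_to_prune reports, logging each removal.  The name
# was validated above, so rm never sees anything but an 8-digit directory.
prune_old_dumps() {
    root="$1"; keep="$2"
    dumps_to_prune "$root" "$keep" | while read -r d; do
        echo "Pruned old dump $root/$d `date`" >> "$root/backuplog"
        rm -rf "$root/$d"
    done
}

# Full dump of /, /var and /usr into one dated directory.  Refuses to run if
# the backup root is not a mount point, so a failed or forgotten mount does
# not silently fill the system drive instead of the backup drive; the message
# goes to stderr, which cron mails to root.
backup_today() {
    root="$1"
    if ! df "$root" 2>/dev/null | grep -q " $root\$"; then
        echo "Backup ABORTED, $root is not mounted `date`" >&2
        return 1
    fi
    day=`date +%Y%m%d`          # evaluated once, unlike the page's script
    dest="$root/$day"
    mkdir -p "$dest" || return 1
    echo "Backup Started `date`" >> "$root/backuplog"
    dump -0 -a -L -f "$dest/root.ad4s1a.dump" /    || return 1
    dump -0 -a -L -f "$dest/var.ad4s1d.dump"  /var || return 1
    dump -0 -a -L -f "$dest/usr.ad4s1f.dump"  /usr || return 1
    echo "Backup Completed `date`" >> "$root/backuplog"
}

# Typical cron usage (commented out so the functions can be sourced safely):
# backup_today "$BACKUP_ROOT" && prune_old_dumps "$BACKUP_ROOT" "$KEEP"
```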

    Convenient Utilities

    Install convenient utilities ("# rehash" may be required after installation
    before use)

    flip - Convert text file line endings between Unix and DOS formats

    # cd /usr/ports/textproc/flip

    # make config ; make install clean

    unzip - List, test and extract compressed files in a ZIP archive

    # cd /usr/ports/archivers/unzip

    # make config ; make install clean

    zip - Create/update ZIP files compatible with pkzip

    # cd /usr/ports/archivers/zip


    # make config ; make install clean

    tree - Display a tree-view of directories

    # cd /usr/ports/sysutils/tree

    # make config ; make install clean

    ytree - DOS-XTREE(tm) look-a-like file manager

    # cd /usr/ports/misc/ytree

    # make config ; make install clean

    lynx - A non-graphical, text-based World-Wide Web client

    # cd /usr/ports/www/lynx

    # make config ; make install clean

    wget - Retrieve files from the Net via HTTP(S) and FTP

    # cd /usr/ports/ftp/wget

    # make config ; make install clean

    webmin - Web-based interface for system administration

    # cd /usr/ports/sysutils/webmin

    # make config ; make install clean

    Webmin Server Management

    Webmin is a web-based interface for administering Unix systems. For many
    tasks, Webmin can simplify administration and reduce errors. Webmin can
    also provide remote administration in environments where ssh access is
    blocked by a firewall. Webmin will by default be available at
    http://www.server.dom:10000

    # cd /usr/ports/sysutils/webmin

    # make config ; make install clean

    Configure Webmin (accept all defaults for a basic install)

    # /usr/local/lib/webmin/setup.sh

    # vi /etc/rc.conf and add following line

    webmin_enable="YES"

    start Webmin for the first time

    # /usr/local/etc/rc.d/webmin start

    Most Webmin modules will be automatically configured, but some must be
    manually configured for FreeBSD.

    Apache Web Server Module

    The Webmin Apache Web Server Module must be manually configured after
    installing the Web Stack.

    Log in to Webmin, access the Apache Web Server module under Un-used
    Modules and enter the following configuration values:

    Path to httpd.conf: /usr/local/etc/apache22/httpd.conf
    Path to srm.conf: /usr/local/etc/apache22/Includes/srm.conf
    Path to access.conf: /usr/local/etc/apache22/Includes/access.conf
    Path to mime.types: /usr/local/etc/apache22/mime.types

    srm.conf and access.conf files will not be present unless created manually
    (they are not created as part of a basic Apache2 install).

    Mercurial Version Control System

    Mercurial - Fast, lightweight distributed source control management system

    # cd /usr/ports/devel/mercurial

    # make config ; make install clean

    # rehash

    Postfix MTA

    This procedure also borrows from
    http://linuxgravity.com/postfix-send-only-configuration-for-non-local-domains

    Postfix is installed for web applications to send mail. It is assumed that web
    applications on the server will originate mail either for local delivery, or
    to be relayed through an existing mail server in an enterprise environment.
    In an enterprise environment, it is also assumed that the enterprise mail
    server will not require either authentication or encryption to relay mail.

    The Sendmail MTA (Mail Transfer Agent) is included in the FreeBSD base
    system, but configuring it can be complicated. A number of simple MTAs
    exist, but are generally only suitable for the specific situations they were
    created for. Postfix is a popular general purpose MTA, and simpler to
    configure than Sendmail.

    Install Postfix

    # cd /usr/ports/mail/postfix

    # make config (accept defaults)

    # make install clean (answer yes when asked to activate Postfix in /etc/mail/mailer.conf)

    Edit /usr/local/etc/postfix/main.cf to configure Postfix

    keep default mydestination ($myhostname + localhost.$mydomain)

    keep default mynetworks_style

    mynetworks_style = host

    edit relayhost to specify the system mail server

    relayhost = [servername.domain.tld]

    edit home_mailbox to enable delivery of mail to local users

    home_mailbox = Maildir/

    Create alias to forward root mail to the external system administrator

    # vi /etc/mail/aliases and add root alias

    root: [email protected]

    update aliases.db

    # /usr/local/bin/newaliases


    edit /etc/rc.conf to enable Postfix at boot and disable Sendmail

    postfix_enable="YES"

    sendmail_enable="NO"

    sendmail_submit_enable="NO"

    sendmail_outbound_enable="NO"

    sendmail_msp_queue_enable="NO"

    Create /etc/periodic.conf to override defaults in /etc/defaults/periodic.conf

    daily_clean_hoststat_enable="NO"

    daily_status_mail_rejects_enable="NO"

    daily_status_include_submit_mailq="NO"

    daily_submit_queuerun="NO"

    Stop Sendmail, delete Sendmail queue and start Postfix

    # killall sendmail

    # rm /var/spool/mqueue/*

    # /usr/local/etc/rc.d/postfix restart

    Verify Postfix works correctly by sending test emails.

    mail should be delivered:

    # echo "testing local delivery" | mail -s "test email to local root user" root

    mail should be delivered:

    # echo "testing ext domain delivery" | mail -s "test email to outside user" [email protected]

    mail should NOT be delivered:

    # echo "testing ext domain delivery" | mail -s "test email to outside user" [email protected]

    OpenVPN Server

    OpenVPN is installed to give Windows workstations connected to the internet
    access to shared files on the server (shared using Samba). OpenVPN is not
    required if internet workstations do not need to access shared files, or in
    an enterprise environment where a VPN server already exists.

    See the SSL section for creating server keys; this section will only describe
    how to specify the server keys as part of the OpenVPN configuration. The
    procedure for creating client keys is given here.

    # cd /usr/ports/security/openvpn

    # make config accept defaults

    # make install clean

    # rehash

    find the IP address of the local default gateway and network device name, and
    the configured DNS servers

    # netstat -rn | grep default

    # grep nameserver /etc/resolv.conf

    create directory and copy configuration file

    # mkdir /usr/local/etc/openvpn

    # cd /usr/local/etc/openvpn

    # cp /usr/local/share/doc/openvpn/sample-config-files/server.conf .

    create directory for SSL certificates and keys

    # mkdir /usr/local/etc/openvpn/keys

    OpenLDAP Server

    TODO - complete procedure

    OpenLDAP can be used by web applications to authenticate users against a
    common source of truth. In an enterprise environment, the web applications
    may be configured to authenticate using a Microsoft Active Directory server
    (also an LDAP implementation).

    # cd /usr/ports/net/openldap24-server

    # make config ; make install clean

    # rehash

    phpLDAPAdmin

    phpLDAPAdmin requires the web application stack. Complete the web stack
    installation first, then return here and continue installing phpLDAPAdmin.

    # cd /usr/ports/net/phpldapadmin

    # make config

    # make install clean

    Edit /usr/local/www/phpldapadmin/config/config.php

    Create /usr/local/etc/apache22/Includes/phpldapadmin.conf (force SSL
    connection)

    IMAP Server and WebMail Portal

    This procedure is not required if there will be no local system users. The
    Procmail MDA (Mail Delivery Agent) is installed to deliver mail to local system
    users, and Courier-authlib / Courier-IMAP and SquirrelMail are installed to
    provide web-based access to local mail.

    Procmail

    Spam filtering will not be configured because the system does not accept
    external mail.

    # cd /usr/ports/mail/procmail

    # make install clean

    edit Postfix main.cf to specify Procmail as the local MDA

    # vi /usr/local/etc/postfix/main.cf and add

    mailbox_command = /usr/local/bin/procmail

    # postfix reload

    Courier-authlib

    Install Courier-authlib to provide the required Courier-IMAP authentication
    (required for a client to connect to the Courier-IMAP server)

    # cd /usr/ports/security/courier-authlib

    # make config ; make install clean

    # rehash

    # vi /usr/local/etc/authlib/authdaemonrc and edit authmodulelist

    authmodulelist="authpam"

    edit /etc/rc.conf and add following lines:

    courier_authdaemond_enable="YES"

    start the Courier-authlib daemon

    # /usr/local/etc/rc.d/courier-authdaemond start

    Courier-IMAP

    # cd /usr/ports/mail/courier-imap


    # make config accept defaults

    # make install clean

    edit /etc/rc.conf and add following lines:

    courier_imap_imapd_enable="YES"

    start the IMAP daemon

    # /usr/local/etc/rc.d/courier-imap-imapd start

    SquirrelMail

    SquirrelMail requires the web application stack. Complete the web stack
    installation first, then return here and continue installing SquirrelMail.
    Mail attachments are limited to 2MB by PHP's default file upload limit.

    # cd /usr/ports/mail/squirrelmail

    # make config

    # make -D WITH_LDAP install clean

    Execute the SquirrelMail configuration utility and configure the following
    (minimum) settings:

    # cd /usr/local/www/squirrelmail

    # ./configure

    Server Settings / Domain - domain.dom or server.domain.dom

    Server Settings / Update IMAP Settings / Server Software - courier

    Create /usr/local/etc/apache22/Includes/squirrelmail.conf (force SSL
    connection)

    Samba CIFS Server

    TODO - complete procedure

    Enterprise IT infrastructures typically include Microsoft Windows servers and
    workstations. Installing Samba will provide Microsoft Windows workstations
    with access to shared directories in the server file system. Samba can also
    provide access to shared directories on a Windows server if permitted.

    MDB Tools

    MDB Tools is an open source project to document the MDB file format used by
    Microsoft Jet databases, and provide a set of tools and applications to make
    data in Jet databases available on other platforms (built-in access is provided
    on current Microsoft Windows platforms). MDB Tools currently has read-only
    support for Access 97 (Jet 3) and Access 2000/2002 (Jet 4) formats.

    Microsoft Access is a popular RAD (Rapid Application Development)
    environment for creating Jet-based database applications. An "Access
    database" can be easily developed and deployed within an organization to
    solve a specific problem, and generally without involving corporate IT.
    However, this often results in a proliferation of incompatible applications and
    data repositories, which must eventually be integrated as an enterprise
    matures.

    Download and extract the mdbtools source to a temporary directory for
    building.

    Check out https://github.com/brianb/mdbtools for the latest version of the
    sources.

    Check out http://mdbtools.sourceforge.net for the mailing list and similar.

    # mkdir /usr/home/dale/src/

    # cd /usr/home/dale/src/

    # tar -xzf brianb-mdbtools-3280842-2011-03-22.tar.gz

    # cd mdbtools

    Install the GNU build toolchain needed for mdbtools (review the mdbtools
    INSTALL file): libtool, automake and autoconf.

    # cd /usr/ports/devel/libtool

    # make config

    # make install clean

    # rehash

    #

    # cd /usr/ports/devel/automake

    # make config

    # make install clean

    # rehash

    #

    # cd /usr/ports/devel/autoconf

    # make config

    # make install clean

    # rehash

    Update glib with portmaster

    # portmaster glib

    Install txt2man (/usr/ports/textproc/txt2man), which is used by mdbtools to
    create man pages (but is not a dependency of the port).

    Build and install MDB Tools

    # cd /usr/home/dale/src/mdbtools

    # gmake clean

    # ./autogen.sh

    # ./configure

    # gmake

    # gmake install

    Web Stack (Apache/MySQL/PHP)

    Apache 2.2.x Web Server

    Install Apache22 port

    # cd /usr/ports/www/apache22

    # make config (accept defaults)

    # make install clean (accept defaults for any dependency configurations)

    # rehash

    Basic config

    # vi /usr/local/etc/apache22/httpd.conf

    edit following lines for basic config

    ServerAdmin [email protected]

    ServerName host.example.com:80

    uncomment following line to enable SSL over HTTP (Lucas, Chapter 17)

    #Include etc/apache22/extra/httpd-ssl.conf

    Configure keys for SSL over HTTP (Lucas, Chapter 17). Client browsers will
    report self-signed keys as untrusted, which can be avoided by either having
    the key signed by a commercial CA (Certificate Authority), or by configuring
    client browsers to trust the certificate (see How to trust a self-signed SSL
    browser certificate).

    # vi /usr/local/etc/apache22/extra/httpd-ssl.conf

    edit following values (same hostname as Common Name in cert)

    ServerName host.example.com:443

    ServerAdmin [email protected]

    SSLCertificateFile "/etc/ssl/selfsigned.crt"

    SSLCertificateKeyFile "/etc/ssl/host.key"


    Stop and restart Apache

    # /usr/local/etc/rc.d/apache22 stop

    # /usr/local/etc/rc.d/apache22 start

    PHP 5.3.x

    Install PHP

    # cd /usr/ports/lang/php5

    # make config (select Apache module)

    # make install clean

    Basic config

    # cd /usr/local/etc/

    # cp php.ini-production php.ini (or php.ini-development for rigorous error reporting)

    # vi /usr/local/etc/php.ini

    uncomment following line:

    session.save_path = "/tmp"

    edit line to specify timezone:

    date.timezone="America/Edmonton"


    Restart Apache

    # /usr/local/etc/rc.d/apache22 restart

    Install php5-extensions (/usr/ports/lang/php5-extensions). Accept defaults.

    Install PHP extensions

    # cd /usr/ports/lang/php5-extensions

    # make config (confirm selection as below)

    # make install clean

    php5-extensions configuration (D - selected default, Y - select additional,
    X - unselect default)

    CTYPE       D
    DOM         D
    FILTER      D
    GD          Y
    HASH        D
    ICONV       D
    JSON        D
    MYSQL       Y
    MYSQLI      Y
    PDO         D
    PDO_SQLITE  D
    SESSION     D
    SIMPLEXML   D
    SQLITE      D
    SQLITE3     D
    TOKENIZER   D
    XML         D
    XMLREADER   D
    XMLWRITER   D

    MySQL 5.5.x

    Install MySQL port

    # cd /usr/ports/databases/mysql55-server

    # make config (accept defaults)

    # make -D BUILD_OPTIMIZED install clean (the build of the previous version failed when this was not specified)

    # rehash

    Basic config

    set up the grant tables, start the MySQL daemon, configure the local and
    remote root passwords, copy the my.cnf file, disable TCP networking, add
    mysql_enable="YES" to /etc/rc.conf and restart the server daemon

    verify MySQL support is enabled in /usr/local/etc/php/extensions.ini


    # cd /usr/local

    # mysql_install_db --user=mysql

    # mysqld_safe &

    # mysqladmin -u root password 'localpassword'

    # mysqladmin -u root -h server.domain.dom password 'remotepassword'

    # cp /usr/local/share/mysql/my-medium.cnf /var/db/mysql/my.cnf

    # vi /var/db/mysql/my.cnf (uncomment skip-networking)

    # vi /etc/rc.conf (add mysql_enable="YES")

    # /usr/local/etc/rc.d/mysql-server restart

    phpMyAdmin 3.3.x

    phpMyAdmin is a convenient web-based application for managing MySQL

    databases.

    Install phpMyAdmin port

    # cd /usr/ports/databases/phpmyadmin

    # make config (add MYSQLI to configuration)

    # make install clean

    Configure Apache to serve phpMyAdmin using SSL over HTTP (i.e., https:)

    # vi /usr/local/etc/apache22/Includes/phpmyadmin.conf and add following lines
    (the file needs the .conf suffix, like the other Includes files, to be picked up)

    Alias /phpmyadmin "/usr/local/www/phpMyAdmin/"

    # Directory container assumed here: AllowOverride is only valid inside one,
    # and the container appears to have been lost when the page was extracted.
    <Directory "/usr/local/www/phpMyAdmin/">
        Options none
        AllowOverride All
        Order Allow,Deny
        Allow from All
    </Directory>

    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteCond %{REQUEST_URI} /phpmyadmin
    RewriteRule (.*) https://www.domain.dom/phpmyadmin/ [R]

    restart Apache

    # /usr/local/etc/rc.d/apache22 restart

    Create MySQL user "pma" with all permissions on "phpmyadmin" database

    create MySQL user "pma"

    # mysql -u root -p

    mysql> grant select, insert, update, delete on phpmyadmin.* to \

    pma@localhost identified by 'password';

    mysql> quit;


    Prepare to update the phpMyAdmin config file using the phpMyAdmin
    configuration wizard (see http://www.phpmyadmin.net)

    # cd /usr/local/www/phpMyAdmin

    # mkdir config/

    # cp config.inc.php config/

    # chmod -R o+rw config (give config file world read-write permission)

    Browse to http://www.domain.dom/phpmyadmin/setup to run the
    configuration wizard, set at least the following, save the configuration and
    manually move it back to the phpMyAdmin root directory

    auth_type: cookie

    extension: mysqli

    # cd /usr/local/www/phpMyAdmin

    # mv config/config.inc.php .

    # chmod o-rw config.inc.php (remove world read-write permissions)

    # rm -rf config

    Enable phpMyAdmin special features (e.g., bookmarks, comments, SQL
    history, tracking mechanism, PDF generation, column contents
    transformation, ...)

    # cd /usr/local/www/phpMyAdmin

    # mysql -u root -p < scripts/create_tables.sql

    # vi config.inc.php and add following lines


    $cfg['Servers'][$i]['bookmarktable'] = 'pma_bookmark';

    $cfg['Servers'][$i]['relation'] = 'pma_relation';

    $cfg['Servers'][$i]['userconfig'] = 'pma_userconfig';

    $cfg['Servers'][$i]['table_info'] = 'pma_table_info';

    $cfg['Servers'][$i]['column_info'] = 'pma_column_info';

    $cfg['Servers'][$i]['history'] = 'pma_history';

    $cfg['Servers'][$i]['tracking'] = 'pma_tracking';

    $cfg['Servers'][$i]['table_coords'] = 'pma_table_coords';

    $cfg['Servers'][$i]['pdf_pages'] = 'pma_pdf_pages';

    $cfg['Servers'][$i]['designer_coords'] = 'pma_designer_coords';

    if phpMyAdmin later reports new special features are not enabled,
    re-edit config.inc.php and add the directed table references.

    If the server is for development (not production!), it may be convenient to
    prevent phpMyAdmin from automatically logging out users after the default
    timeout (5 minutes?).

    # vi /usr/local/www/phpMyAdmin/config.inc.php and add following lines

    /// increase login timeout (ok because this is a local Dev server!)

    // must also increase session.gc_maxlifetime (garbage collection) in php.ini

    $cfg['LoginCookieValidity'] = 3600 * 9; // = 60 sec/min * 60 min/hr * 9 hrs

    # vi /usr/local/etc/php.ini and edit the following lines

    ;session.gc_maxlifetime = 1440

    ; max session set to 9 hrs for phpMyAdmin (see LoginCookieValidity in

    ; /usr/local/www/phpMyAdmin/config.inc.php). For this to work, the garbage

    ; collection lifetime here must exceed 9 hrs: 32500 sec = (60x60x9)+100

    session.gc_maxlifetime = 32500

    For reference, installing phpMyAdmin from ports pulls in the following ports:

    php5-mbstring-5.3.8

    php5-bz2-5.3.8

    php5-openssl-5.3.8

    pecl-pdflib-2.1.8

    php5-zlib-5.3.8

    php5-mcrypt-5.3.8

    php5-zip-5.3.8

    pecl-APC-3.1.9_1

    oniguruma-4.7.1

    pdflib-7.0.4

    libmcrypt-2.5.8

    libltdl-2.4

    Maintaining Ports

    Utilities

    The following tools and commands maintain the additional software installed

    on the server, not including component projects. For upgrading component

    projects, refer to the individual component project setup and maintenance

    pages.

    portaudit - portaudit periodically checks the versions of installed ports

    against the vulnerability database maintained by the FreeBSD security team

    and e-mails root a report of any vulnerable ports found. For a current

    report, run portaudit manually (-F fetches a fresh copy of the database, -d

    prints the database creation date, -a audits all installed packages):

    # portaudit -Fda

    portsnap - portsnap updates the ports tree with current port information.

    # portsnap fetch

    # portsnap update

    Use "portsnap extract" instead of "portsnap update" the first time portsnap is

    used

    portmaster - portmaster is used to manage installed ports and upgrade

    them to the current version without breaking dependencies or links to other

    programs. Current port configurations must be correct because portmaster

    will use existing configurations when building upgraded ports.

    General Guidelines

    Following are general guidelines for updating ports (e.g., due to a reported

    security vulnerability). Before starting any work, first back up the server,

    then manually stop the relevant daemons, or disable them by commenting out

    their entries in /etc/rc.conf and rebooting. After the maintenance is

    complete, uncomment the entries and reboot again. For this server the

    entries (shown here commented out; these are rc.conf lines, not shell

    commands) are:

    # apache22_enable="YES"

    # apache22_http_accept_enable="YES"

    # courier_authdaemond_enable="YES"

    # courier_imap_imapd_enable="YES"

    # courier_imap_pop3d_enable="YES"

    # mysql_enable="YES"

    OpenSSL

    # cd /usr/ports

    # portmaster security/openssl

    Apache

    Backup Apache configuration files:

    /usr/local/etc/apache22/httpd.conf

    /usr/local/etc/apache22/Includes/*

    /usr/local/etc/apache22/extra/*

    # cd /usr/ports

    # portmaster www/apache22

    MySQL Server

    Backup MySQL Server configuration file /var/db/mysql/my.cnf

    Backup all databases using mysqldump (list them first to see what will be

    dumped). The dump contains every table, including mysql.user with its

    password hashes, so write it to a directory readable only by root:

    # mysql -u root -p

    mysql> show databases;

    # mysqldump -u root -p --all-databases > /backup/backup_mysql_all_databases.sql

    # cd /usr/ports

    # portmaster databases/mysql51-server/

    Test MySQL Server by starting it (the rc script prints "Starting mysql.")

    and running mysql_upgrade. Enter the root password at the prompt rather

    than passing it on the command line as -p<password>, where the process

    list and the shell history would expose it:

    # /usr/local/etc/rc.d/mysql-server start

    Starting mysql.

    # mysql_upgrade --datadir=/var/db/mysql -u root -p

    PHP5

    Backup PHP configuration files

    /usr/local/etc/php.ini

    /usr/local/etc/php.conf

    /usr/local/etc/php/extensions.ini

    # cd /usr/ports

    # portmaster lang/php5

    PHP5 extension

    # cd /usr/ports

    # portmaster lang/php5-extensions

    After each upgrade, diff the live config files against the backups and

    against the new default files, and edit as needed.
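The per-package steps in this section all follow the same pattern: copy the configuration files aside, run portmaster, then diff. The script below packages that pattern as shell functions: snapshot_configs copies the files and directories listed above under a private (umask 077) snapshot directory, snapshot_mysql writes the mysqldump there while prompting for the password, and compare_configs reports, after the upgrade, every snapshotted file whose live copy changed or disappeared. It is an added example, not the original author's procedure; the /backup snapshot root, the date-named subdirectory and the dump file name are assumptions, while the config paths are the ones given in this section.

```shell
#!/bin/sh
# Added example for this page (not the original author's procedure): snapshot
# the configuration files listed above before running portmaster, then report
# which ones the upgrade changed. BACKUP_ROOT, the date-named snapshot
# directory and the dump file name are assumptions; the paths are the page's.

BACKUP_ROOT=${BACKUP_ROOT:-/backup}

# Files and directories this page says to back up before upgrading
# Apache, MySQL, PHP and phpMyAdmin (none contain whitespace, so the
# variable can be expanded unquoted into a word list).
PAGE_CONFIGS="/usr/local/etc/apache22/httpd.conf
/usr/local/etc/apache22/Includes
/usr/local/etc/apache22/extra
/var/db/mysql/my.cnf
/usr/local/etc/php.ini
/usr/local/etc/php.conf
/usr/local/etc/php/extensions.ini
/usr/local/www/phpMyAdmin/config.inc.php"

# snapshot_configs DEST PATH... : copy each path under DEST, keeping its
# absolute layout (DEST/usr/local/etc/...). Runs in a subshell so umask 077
# (the copies hold database passwords and the phpMyAdmin secret) does not
# leak into the caller's shell. Use a fresh DEST for every snapshot.
snapshot_configs() (
    dest=$1; shift
    umask 077
    mkdir -p "$dest" || exit 1
    for p in "$@"; do
        if [ ! -e "$p" ]; then
            echo "skip: $p not present"
            continue
        fi
        mkdir -p "$dest$(dirname "$p")" || exit 1
        cp -Rp "$p" "$dest$(dirname "$p")/" || exit 1
    done
)

# snapshot_mysql DEST : dump all databases into the snapshot. The password is
# prompted for instead of being given as -p<password>, which would show up in
# the process list and the shell history. The dump includes mysql.user.
snapshot_mysql() (
    umask 077
    mysqldump -u root -p --all-databases > "$1/mysql_all_databases.sql"
)

# compare_configs DEST : after portmaster, list every snapshotted config file
# whose live copy now differs or is gone. Returns 1 if anything changed, so
# the caller knows to merge the new defaults by hand.
compare_configs() {
    dest=$1
    changed=$(
        find "$dest" -type f ! -name '*.sql' | while read -r f; do
            live=${f#"$dest"}                 # strip the snapshot prefix
            if [ ! -e "$live" ]; then
                echo "MISSING: $live"
            elif ! cmp -s "$f" "$live"; then
                echo "CHANGED: $live"
            fi
        done
    )
    if [ -z "$changed" ]; then
        echo "unchanged: all files under $dest match the live system"
        return 0
    fi
    printf '%s\n' "$changed"
    return 1
}

# Typical run on the server (assumed layout):
#   snap=$BACKUP_ROOT/$(date +%Y%m%d)
#   snapshot_configs "$snap" $PAGE_CONFIGS && snapshot_mysql "$snap"
#   ... portmaster www/apache22, lang/php5, ... as above ...
#   compare_configs "$snap"
```

Because cp -p preserves each file's own mode, the protection of the snapshot rests on the 0700 directories created under umask 077; keep BACKUP_ROOT itself root-only as well. compare_configs only tells you which files to look at; the actual merge against the port's new default files is still done by hand with diff, as the text above says.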


    Cyrus-SASL

    # cd /usr/ports

    # portmaster security/cyrus-sasl2

    # portmaster security/cyrus-sasl2-saslauthd

    Png

    # cd /usr/ports

    # portmaster graphics/png

    Curl

    # cd /usr/ports

    # portmaster ftp/curl/

    phpMyAdmin

    Backup phpMyAdmin configuration file

    /usr/local/www/phpMyAdmin/config.inc.php

    # cd /usr/ports

    # portmaster databases/phpmyadmin

    Squirrelmail


    # cd /usr/ports

    # portmaster mail/squirrelmail

    # cd /usr/local/www/squirrelmail

    # ./configure (SquirrelMail's own configuration menu, a wrapper for

    config/conf.pl, not an autoconf script; re-check the settings after upgrade)

    Pcre

    # cd /usr/ports

    # portmaster devel/pcre
