
RHEL: Apache 2 Web Server w/ PHP5, OpenSSL, Suhosin and PostgreSQL, MySQL, IBM DB2 and/or Oracle Databases
August 23, 2016

Operating System:  RHEL
Platform:          x86_64
Applications:      Apache HTTPD Server, PHP, OpenSSL, Suhosin (Suhosin PHP Protection System)
Databases:         PostgreSQL, IBM DB2, MariaDB, Oracle Database

I. Abstract

This document describes the process of setting up an Apache 2 Web Server on Red Hat Enterprise Linux with PHP5, OpenSSL (HTTPS), the Suhosin PHP Protection extension and support for PostgreSQL, IBM DB2, MariaDB and/or Oracle databases.

Test Platform:

  • VMware ESXi 6.0
  • 2x CPU Cores / 4GB RAM
  • Red Hat Enterprise Linux 7.2

Keep in mind that this document does not cover hardening the system; that process is outlined in other documents by me and by others. This machine needs to be well protected: it will sit in a very exposed position, facing that filthy and scary Internet.


II. Install and Setup the Operating Environment

Go through the installation procedure and set things up according to your network and needs. You may want to nudge up the size on the /var partition, depending on your estimated needs. This guide uses /var/www as the home for the Web directory.

When you are presented with the software sets screen, select "Web Server" and then "Customize now" - click Next.

Next is the part where I either use Kickstart or just spend a while de-selecting/selecting packages I know I will or will not need (the package selection screen).

Make sure you have at least the following package groups (the defaults within each should be sufficient):

  • Web Services PHP Support
  • Web Server

FYI, the database client packages and other modules will be attended to later; don't worry about them here. After the installation is complete, reboot.

Configure Services

Log in as root and enter the command ntsysv. This starts the services management tool, where you can select or de-select the services started at boot. Go through the list and edit it as your environment requires. One obvious selection is httpd, unless you want to start it manually every time. On RHEL 7 (the test platform above) the command systemctl enable httpd does the same thing. Any changes go into effect after rebooting (but don't do that yet).

Configure Firewall

As root, enter the command system-config-firewall-tui. This starts the Firewall Configuration tool. Tab to the Customize field and hit Enter. Here, make sure you allow incoming WWW (HTTP) and Secure WWW (HTTPS). I use SFTP to transfer files to the Web server, so SSH needs to be enabled for that (instead of FTP). Unless you have more advanced firewall needs, you can select Close here to finish. Changes go into effect immediately.

That tool belongs to RHEL 5 and 6. RHEL 7 (the test platform above) ships firewalld instead and no longer has system-config-firewall-tui; the same result there is firewall-cmd --permanent --add-service=http --add-service=https --add-service=ssh, followed by firewall-cmd --reload. Nothing else needs to be reachable from outside: the database connections, the fix-pack downloads and the PECL builds below are all outbound from this host.

SELinux

I also disable SELinux, but if you are comfortable with the detailed configuration this feature needs, by all means leave it on Enforcing and pay attention! For this particular build the policy work is small: the stock policy already lets httpd serve /var/www and read /etc/httpd, and outbound database connections only need the httpd_can_network_connect_db boolean (setsebool -P httpd_can_network_connect_db on), plus a port label for any database listening on a port the policy does not already know. To disable SELinux anyway, edit the /etc/selinux/config file so the SELINUX variable is "disabled" instead of "enforcing." A reboot is necessary for this change.

Update and Reboot

Finally, you should run yum update. It is important to keep your system as up to date as possible. When this process is finished, reboot and continue on!


III. Configure Database Client Support

PHP Support for PostgreSQL

# yum install php-pgsql

PHP Support for MySQL / MariaDB (RHEL 7 ships MariaDB; the same client package speaks to both)

# yum install php-mysql

PHP Support for IBM DB2

Download, extract and install the DB2 client version for your environment from the DB2 Fix Packs FTP site at IBM.com.

In this example, I'll use the v9.5fp5 DB2 Client for Linux x86 (~242MB). That is the 32-bit client; on an x86_64 system such as the test platform above, take the 64-bit client from the same site, because a 64-bit PHP cannot link against a 32-bit libdb2 and the ibm_db2 build below will fail. When installing, use the defaults and follow the prompts! If you are using your full DB2 Enterprise package, the process is similar but different. Also, I'm assuming the database will live on another system, so I only detail the client install.

# yum install compat-libstdc++-33 libaio
# cd /usr/src
# wget ftp://ftp.software.ibm.com/ps/products/db2/fixes2/english-us/db2linuxIA32v95/fixpack/FP5_MI00315/v9.5fp5_linuxia32_client.tar.gz
# tar zxvf v9.5fp5_linuxia32_client.tar.gz
# rm v9.5fp5_linuxia32_client.tar.gz
# ./client/db2_install

To install a DB2 client instance, you will need a dedicated system account and home directory (client instances are tied to a user account). You will also need to source the instance (set environment variables). IBM supplies a script for this purpose. Note that /etc/profile is read by login shells only: httpd started by init or systemd never sees these variables, so for the web server itself put DB2INSTANCE=plabs and LD_LIBRARY_PATH=/home/plabs/sqllib/lib into /etc/sysconfig/httpd as well (on RHEL 7 that file is the EnvironmentFile of httpd.service).

# useradd -m plabs
# passwd plabs
# /opt/ibm/db2/V9.5/instance/db2icrt -s CLIENT plabs
# echo ". /home/plabs/sqllib/db2profile" >> /etc/profile
# source /etc/profile

Next we need to set up the client connection to the DB2 server. This is an example; you can use any arbitrary name for the NODE (I usually just use db2node):

# db2 CATALOG TCPIP NODE db2node REMOTE 192.168.0.25 SERVER 50000
# db2 CATALOG DATABASE ccorders AT NODE db2node

Now for the PECL stuff. The pecl and phpize tools come from the php-pear and php-devel packages, so install them along with the compiler:

# yum install gcc php-devel php-pear
# pecl install ibm_db2

When asked to enter the DB2 Installation Directory, enter /home/plabs/sqllib and hit enter.

After it installs, create a text file named ibm_db2.ini in the /etc/php.d directory that contains the following:

; Enable IBM DB2 extension module
extension=ibm_db2.so

PHP Support for Oracle (InstantClient Software & SDK)

Download, extract and install the Oracle InstantClient software. If you are using your full Oracle package, the process is similar but different. Also, I'm assuming the database will live on another system, so I only detail the client install. This process also assumes Oracle 11g client files for 32-bit x86; on an x86_64 system such as the test platform above, download the 64-bit (Linux x86-64) Basic Lite and SDK packages instead, since 64-bit PHP cannot load a 32-bit libclntsh. Either way the zips unpack into a directory named instantclient_11_2. The files should go in the /opt directory.

Grab the following files from the Instant Client Downloads site for your platform and put them in /opt:

  • Instant Client Package - Basic Lite
  • Instant Client Package - SDK
# cd /opt
# unzip instantclient-basiclite-linux32-11.2.0.2.0.zip
# unzip instantclient-sdk-linux32-11.2.0.2.0.zip
# rm *.zip

There is one annoyance that is easy to fix. The Instant Client zip ships the client library only under its versioned name, libclntsh.so.11.1, while the linker looks for the unversioned libclntsh.so when the oci8 extension is built against the 11g libraries. A soft link solves this:

# ln -s /opt/instantclient_11_2/libclntsh.so.11.1 /opt/instantclient_11_2/libclntsh.so

Now for the PECL stuff (pecl and phpize come from php-pear and php-devel, if you have not installed them yet):

# yum install libaio gcc php-devel php-pear
# pecl install oci8

When prompted, enter 1 to update the first (and only) setting. The OCI8 configuration prompt will then be shown:

Please provide the path to the ORACLE_HOME directory. Use 'instantclient,/path/to/instant/client/lib' if you're compiling with Oracle Instant Client [autodetect] :

Enter the path as: instantclient,/opt/instantclient_11_2

After it installs, create a text file named oci8.ini in the /etc/php.d directory that contains the following:

; Enable Oracle (oci8) extension module
extension=oci8.so

The oci8 module is linked against libclntsh.so, so the run-time loader has to find /opt/instantclient_11_2 (the zip puts the libraries directly in that directory; there is no lib subdirectory). Setting LD_LIBRARY_PATH in /etc/profile is not enough: that file is read by login shells only, and httpd started by init or systemd never sees it. Register the directory with the loader instead:

# echo "/opt/instantclient_11_2" > /etc/ld.so.conf.d/oracle-instantclient.conf
# ldconfig

If you also want sqlplus and friends to work from your own shell, exporting LD_LIBRARY_PATH=/opt/instantclient_11_2 from /etc/profile is fine in addition, but not as a replacement.
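Both client sections above export their environment from /etc/profile, which only login shells read. httpd is started by systemd on RHEL 7 and never sees those variables, so the ibm_db2 and oci8 modules load fine in a shell test and then fail inside Apache. The script below is an added example, not code from the original guide or from IBM or Oracle: it registers the root-owned Instant Client directory with the dynamic loader, scopes the user-owned DB2 instance libraries to httpd only through /etc/sysconfig/httpd (read by httpd.service as an EnvironmentFile), and can stage everything into a scratch directory first. It assumes the guide's paths (/opt/instantclient_11_2, the plabs instance in /home/plabs) and that the DB2 client runtime needs only DB2INSTANCE and the sqllib/lib directory.

```shell
#!/bin/sh
# Added example (not from the original guide): make the Oracle and DB2 client
# libraries visible to httpd itself, not only to login shells.
# ROOT is a staging prefix: "" for the live system, a scratch directory to
# inspect the result first. Assumed paths: /opt/instantclient_11_2 and the DB2
# instance user plabs with home /home/plabs, as in the guide.
set -eu

# Instant Client sits in a root-owned directory, so it may go into the
# system-wide loader path; every process, httpd included, then finds libclntsh.
stage_instantclient_ldconf() {
    root=$1; libdir=$2
    mkdir -p "$root/etc/ld.so.conf.d"
    printf '%s\n' "$libdir" > "$root/etc/ld.so.conf.d/oracle-instantclient.conf"
}

# The DB2 instance directory belongs to an unprivileged user. Do NOT put it in
# ld.so.conf: any library that user drops into sqllib/lib would become a
# candidate for every process on the box. Scope it to httpd instead.
# systemd does not expand $VARS in an EnvironmentFile, so values are literal.
stage_httpd_env() {
    root=$1; insthome=$2
    instname=${insthome##*/}                       # /home/plabs -> plabs
    f=$root/etc/sysconfig/httpd
    mkdir -p "$root/etc/sysconfig"
    touch "$f"
    # Idempotent: drop earlier copies of the two keys we own, then append.
    grep -v -e '^DB2INSTANCE=' -e '^LD_LIBRARY_PATH=' "$f" > "$f.tmp" || true
    {
        cat "$f.tmp"
        printf 'DB2INSTANCE=%s\n' "$instname"
        printf 'LD_LIBRARY_PATH=%s/sqllib/lib\n' "$insthome"
    } > "$f"
    rm -f "$f.tmp"
}

# Returns 0 only if both staged files carry exactly what httpd needs.
staged_env_ok() {
    root=$1; libdir=$2; insthome=$3
    grep -qxF "$libdir" "$root/etc/ld.so.conf.d/oracle-instantclient.conf" &&
    grep -qxF "DB2INSTANCE=${insthome##*/}" "$root/etc/sysconfig/httpd" &&
    grep -qxF "LD_LIBRARY_PATH=$insthome/sqllib/lib" "$root/etc/sysconfig/httpd"
}

# Live run (as root): stage into "/", rebuild the loader cache, restart httpd.
if [ "${1:-}" = "--apply" ]; then
    stage_instantclient_ldconf "" /opt/instantclient_11_2
    stage_httpd_env "" /home/plabs
    staged_env_ok "" /opt/instantclient_11_2 /home/plabs
    ldconfig
    ldconfig -p | grep libclntsh          # the Oracle library should now be listed
    systemctl restart httpd
fi
```

Run it as ./dbclient-env.sh --apply on the live box; without arguments it only defines the functions, so you can stage into a temporary directory and read the two files before committing. After the restart, a phpinfo() page should show ibm_db2 and oci8 among the loaded modules, which is the proof that httpd, not just your shell, can find the libraries.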


IV. Configure Apache and PHP Modules / Suhosin Extension

Apache 2

mod_ssl may already be installed. Just to make sure, go ahead and install it:

# yum install mod_ssl

PHP 5

NOTE: The RHEL Server Optional channel must be added to your entitlement for some of these packages

There are all kinds of things you can do to configure PHP. These are all examples, starting points. Salt to taste. You can add or remove modules and options for your specific needs.

FYI, some of these may already be installed. First, for the basics (again, your requirements may differ):

# yum install php-gd php-imap php-mbstring php-pdo php-xml php-devel gcc

Suhosin

I love this software. It is included with OpenBSD and some other BSD/Linux distributions, but missing in RHEL. Here we will compile and configure the extension to work with our PHP server. The tarball is fetched over plain HTTP, so compare its hash against a value obtained over a trusted channel before you build it:

# cd /usr/src
# wget http://download.suhosin.org/suhosin-0.9.33.tgz
# tar zxvf suhosin-0.9.33.tgz
# rm suhosin-0.9.33.tgz
# cd suhosin-0.9.33
# phpize
# ./configure && make && make install

After it installs, create a text file named suhosin.ini in the /etc/php.d directory that contains the following:

; Enable Suhosin extension module
extension=suhosin.so
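Suhosin's defaults are deliberately conservative, and tightening them blindly will break legitimate applications (anything that include()s a file it wrote itself, for instance). The script below is an added example, not part of the original guide or of the Suhosin project: it writes /etc/php.d/suhosin.ini with a small set of protections and a rollout switch, starting in simulation mode so that violations are only logged to syslog, and flipping to enforcing once the log under real traffic is clean. The directive names are Suhosin's own; the values and the two-stage rollout are this example's choices. ROOT is a staging prefix, empty for the live system.

```shell
#!/bin/sh
# Added example (not from the original guide): a two-stage Suhosin rollout.
# Stage 1 "simulation": every violation is logged to syslog but nothing is
# blocked. Stage 2 "enforce": same rules, now enforced.
set -eu

# stage_suhosin_ini ROOT MODE   MODE is "simulation" or "enforce"
stage_suhosin_ini() {
    root=$1; mode=$2
    case $mode in
        simulation) sim=On ;;
        enforce)    sim=Off ;;
        *) echo "mode must be simulation or enforce" >&2; return 2 ;;
    esac
    mkdir -p "$root/etc/php.d"
    cat > "$root/etc/php.d/suhosin.ini" <<EOF
; Enable Suhosin extension module
extension=suhosin.so

; 511 = every Suhosin log class; simulation mode is useless without a trail
suhosin.log.syslog = 511
; On: log what would be blocked, block nothing. Off: enforce.
suhosin.simulation = $sim

; include()/require() of a file the web server can write to is how most
; upload-then-include attacks finish; refuse it, and cap "../" depth
suhosin.executor.include.allow_writable_files = Off
suhosin.executor.include.max_traversal = 4
; refuse uploaded ELF binaries
suhosin.upload.disallow_elf = On
; bound requests by variable count, not only by byte size
suhosin.request.max_vars = 1000
suhosin.post.max_vars = 1000
; transparent encryption of session data at rest
suhosin.session.encrypt = On
EOF
}

# suhosin_mode ROOT  -> prints "simulation" or "enforce" as currently written
suhosin_mode() {
    if grep -qx 'suhosin.simulation = On' "$1/etc/php.d/suhosin.ini"; then
        echo simulation
    else
        echo enforce
    fi
}

# Live run (as root): ./suhosin-rollout.sh --apply simulation, watch
# /var/log/messages for "suhosin" entries for a while, then --apply enforce.
if [ "${1:-}" = "--apply" ]; then
    stage_suhosin_ini "" "${2:-simulation}"
    systemctl restart httpd
    echo "suhosin now in $(suhosin_mode "") mode"
fi
```

While in simulation mode, grep the syslog for "suhosin" after exercising every part of the application, including uploads and admin pages; each entry is either an attack you just learned about or a rule that needs loosening before you enforce.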


V. Configure Apache (for SSL, site-specific settings, etc.)

Edit the Apache configuration file:

# vi /etc/httpd/conf/httpd.conf

If you'll be using port 80, then you want to pay attention to the settings here. You will also want to add index.php to the DirectoryIndex section!

I use /var/www/http for the port 80 traffic. If you edit your httpd.conf to use this directory for DocumentRoot, then I suggest doing this:

# mv /var/www/html /var/www/http

Next, edit the Apache SSL configuration file:

# vi /etc/httpd/conf.d/ssl.conf

Edit the <VirtualHost _default_:443> section to match the environment you are using. This should be self explanatory. If you have trouble, check the help files or get a really good book on Apache.

I use /etc/httpd/ssl to store the SSL files, for simplicity. If you choose to do the same (as this guide will later use), change the SSL certificate definitions to:

SSLCertificateFile /etc/httpd/ssl/https.crt
SSLCertificateKeyFile /etc/httpd/ssl/https.key

Also, I use /var/www/https for the port 443 (SSL) traffic. If you edit your ssl.conf to use this directory for DocumentRoot, then I suggest doing this:

# mkdir /var/www/https

SSL Certificate / Key Pair

First, create the directory to store these files:

# mkdir /etc/httpd/ssl

Generate the SSL server key (keep this extra super secret private). You will have to enter a passphrase for this process; if you do not wish to use one (for practical / unattended restart purposes), don't enter the -aes256 flag. Either way, make sure the finished https.key is owned by root and readable by root only (mode 0600); an unencrypted key that any local user can read is a full impersonation of the site.

# openssl genrsa -out /etc/httpd/ssl/https.key -aes256 2048

Next, create a CSR certificate request:

# openssl req -new -key /etc/httpd/ssl/https.key -out /etc/httpd/ssl/https.csr

Now, you can either send the certificate request (https.csr) to a Certificate Authority (CA) to be signed, or you can sign it yourself. CAs can be expensive, but they gain trust from customers, as the browser warning from a self-signed certificate can scare away some folks. Note that current browsers only match the host name against a subjectAltName extension and reject a certificate that carries the name in the CN alone; the plain commands here produce a CN-only certificate, so add a SAN via an OpenSSL config file if the certificate has to be accepted by anything but a test client. The following process will create a self-signed certificate with a two year expiration:

# openssl req -x509 -days 730 -key /etc/httpd/ssl/https.key -in /etc/httpd/ssl/https.csr > /etc/httpd/ssl/https.crt
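The three openssl commands above produce a working pair, but a certificate whose host name appears only in the CN is rejected by current browsers, and nothing checks that https.key and https.crt actually belong together before httpd is restarted against them. The script below is an added example, not code from the original guide: it creates the key with mode 0600 from the first instant, puts the host name in a subjectAltName in both the CSR and the self-signed certificate, and verifies the pair. File names follow the guide; the directory and host name are parameters, and www.example.com in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original guide): key, CSR and self-signed
# certificate with a SAN, plus checks before httpd is pointed at the files.
# Usage (as root): ./mkcert.sh --apply www.example.com
set -eu

# make_key DIR  -- 2048-bit RSA key. The umask makes the file 0600 at creation,
# so it is never world-readable. No passphrase: httpd has to restart unattended.
make_key() {
    dir=$1
    old_umask=$(umask)
    umask 077
    openssl genrsa -out "$dir/https.key" 2048 2>/dev/null
    umask "$old_umask"
}

# make_csr DIR FQDN  -- CSR with FQDN as CN and as a DNS SAN. The config file
# is kept because self_sign reuses the same extension section.
make_csr() {
    dir=$1; fqdn=$2
    cat > "$dir/openssl.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = v3_req
[dn]
CN = $fqdn
[v3_req]
subjectAltName = DNS:$fqdn
EOF
    openssl req -new -key "$dir/https.key" -config "$dir/openssl.cnf" \
        -out "$dir/https.csr"
}

# self_sign DIR DAYS  -- sign the CSR with its own key. "openssl req -x509"
# reads x509_extensions, not req_extensions, so the SAN is copied explicitly.
self_sign() {
    dir=$1; days=$2
    openssl x509 -req -days "$days" -in "$dir/https.csr" -signkey "$dir/https.key" \
        -extfile "$dir/openssl.cnf" -extensions v3_req -out "$dir/https.crt" 2>/dev/null
}

# key_matches_cert DIR  -- the public key derived from the private key must be
# byte-for-byte the one embedded in the certificate.
key_matches_cert() {
    dir=$1
    k=$(openssl rsa -in "$dir/https.key" -pubout 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$dir/https.crt" -pubkey -noout | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_has_san DIR FQDN  -- the certificate (not just the CSR) carries the SAN.
cert_has_san() {
    openssl x509 -in "$1/https.crt" -noout -text | grep -q "DNS:$2"
}

# key_is_private DIR  -- mode is exactly 0600.
key_is_private() {
    [ -n "$(find "$1" -name https.key -perm 0600)" ]
}

if [ "${1:-}" = "--apply" ]; then
    fqdn=${2:?usage: $0 --apply FQDN}
    ssl_dir=/etc/httpd/ssl                      # matches SSLCertificateFile above
    mkdir -p "$ssl_dir"
    make_key "$ssl_dir"
    make_csr "$ssl_dir" "$fqdn"
    self_sign "$ssl_dir" 730
    key_matches_cert "$ssl_dir" && cert_has_san "$ssl_dir" "$fqdn" &&
        key_is_private "$ssl_dir" && echo "OK: $ssl_dir/https.key and https.crt ready"
fi
```

The same https.csr can still be sent to a CA instead of self-signed; CAs copy the SAN from the request, so the browser behaviour is identical either way. Run the three check functions again whenever a certificate is renewed: a renewed certificate installed next to the old key is the classic way to take a site down with a configuration that looks right.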


VI. Test It!

Now we should test our Apache & PHP install. Create a file named info.php in the /var/www/http (or whichever area you configured as your www folder) directory. Place the following lines in that file:

<?php
phpinfo();
?>

Now start (or restart) the httpd server:

# systemctl restart httpd

(On RHEL 5 and 6 the equivalent is /etc/init.d/httpd restart.)

Go to any Web browser networked to this machine and enter its URL (http://name-or-ip/info.php; do the same over https:// if you placed a copy in the SSL DocumentRoot, which also exercises the certificate). Review all the settings and make sure everything is correct: the database extensions and suhosin should appear among the loaded modules. When you are done, stop Apache with systemctl stop httpd and delete info.php. phpinfo() publishes the PHP version, the loaded modules, file system paths and environment variables, which is exactly the reconnaissance you do not want to hand to the Internet.

VII. Helpful Links

 


© 2001-2017 Procyon Labs / Randal T. Rioux