This document describes the process of setting up an Apache 2 Web Server on Red Hat Enterprise Linux with PHP5, OpenSSL (HTTPS), the Suhosin PHP Protection extension and support for PostgreSQL, IBM DB2, MySQL and/or Oracle databases.
- VMware ESXi 5.0
- 2x CPU Cores / 3GB RAM
- Red Hat Enterprise Linux 6.4 - i686 (Server)
Keep in mind that this document does not cover hardening the system. That process is outlined in other documents from myself or others. This machine needs to be well protected. It will be in a very vulnerable position, facing that filthy and scary Internet.
II. Install and Setup the Operating Environment
Go through the installation procedure and set things up according to your network and needs. You may want to nudge up the size on the /var partition, depending on your estimated needs. This guide uses /var/www as the home for the Web directory.
When you are presented with the software sets screen, select "Web Server" and then "Customize now" - click Next.
Next is the part where I either use Kickstart or just spend a while de-selecting/selecting packages I know I will or will not need (the package selection screen).
Make sure you have at least the following packages (the defaults within each should be sufficient):
FYI, the database and other modules will be attended to later, don't worry about it here. After the installation is complete, reboot.
Log in as root, and enter the command ntsysv. This will start the services management application. Here you can select or de-select the services you want started at boot. Go through the list and edit as your environment requires. One obvious selection would be httpd, unless you want to start this manually all the time. Any changes will go into effect after rebooting (but don't do that yet).
As root, enter the command system-config-firewall-tui. This will start the Firewall Configuration tool. Tab to the Customize field and hit enter. Here, make sure you allow for incoming WWW (HTTP) and Secure WWW (HTTPS). I use SFTP to transfer files to the Web server, so SSH needs to be enabled for that (instead of FTP). Unless you have more advanced firewall needs, you can select Close here to finish. Changes will go into effect immediately.
I also disable SELinux, but if you are comfortable with the detailed configurations necessary for this feature, by all means, leave it on Enforcing and pay attention! To disable this feature, edit the /etc/selinux/config file so the SELINUX variable is "disabled" instead of "enforcing." A reboot is necessary for this change.
Update and Reboot
Finally, you should run yum update. It is important to keep your system as up to date as possible. When this process is finished, reboot and continue on!
III. Configure Database Client Support
PHP Support for PostgreSQL
PHP Support for MySQL
PHP Support for IBM DB2
Downloand, extract and install the DB2 client version for your environment from the DB2 Fix Packs FTP site at IBM.com.
In this example, I'll use the v9.5fp5 DB2 Client for Linux x86 (~242MB). When installing, use the defaults and follow the prompts! If you are using your full DB2 Enterprise package, the process is similar but different. Also, I'm assuming the database will live on another system, so I only detail the client install.
|# yum install compat-libstdc++-33 libaio
# cd /usr/src
# wget ftp://ftp.software.ibm.com/ps/products/db2/fixes2/english-us/db2linuxIA32v95/fixpack/FP5_MI00315/v9.5fp5_linuxia32_client.tar.gz
# tar zxvf v9.5fp5_linuxia32_client.tar.gz
# rm v9.5fp5_linuxia32_client.tar.gz
To install a DB2 client instance, you will need a dedicated system account and home directory (client instances are tied to a user account). You will also need to source the instance (set environment variables). IBM supplies a script for this purpose.
|# useradd -m plabs
# passwd plabs
# /opt/ibm/db2/V9.5/instance/db2icrt -s CLIENT plabs
# echo ". /home/plabs/sqllib/db2profile" >> /etc/profile
# source /etc/profile
Next we need to setup the client connection to the DB2 server. This is an example. You can use any arbitrary name for the NODE, I usually just use db2node:
Now for the PECL stuff:
|# yum install gcc
# pecl install ibm_db2
When asked to enter the DB2 Installation Directory, enter /home/plabs/sqllib and hit enter.
After it installs, create a text file named ibm_db2.ini in the /etc/php.d directory that contains the following:
|; Enable IBM DB2 extension module
PHP Support for Oracle (InstantClient Software & SDK)
Download, extract and install the Oracle InstantClient software. If you are using your full Oracle package, the process is similar but different. Also, I'm assuming the database will live on another system, so I only detail the client install. This process also assumes you are using Oracle11g on x86. The files should go in the /opt directory.
Grab the following files from the Instant Client Downloads site for your platform and put them in /opt:
- Instant Client Package - Basic Lite
- Instant Client Package - SDK
|# cd /opt
# unzip instantclient-basiclite-linux32-18.104.22.168.0.zip
# unzip instantclient-sdk-linux32-22.214.171.124.0.zip
# rm *.zip
There is a bug in PHP5 that is easy to fix, however it is very annoying. The PHP5 compile, when built against the 11g client libraries, is looking for a file named libclntsh.so. Well, it is a simple matter of creating a soft link to solve this:
|# ln -s /opt/instantclient_11_2/libclntsh.so.11.1 /opt/instantclient_11_2/libclntsh.so
Now for the PECL stuff:
|# yum install libaio gcc
# pecl install oci8
When prompted, enter 1 to update the first (and only) setting. The OCI8 configuration prompt will then be shown:
Please provide the path to the ORACLE_HOME directory. Use 'instantclient,/path/to/instant/client/lib'
if you're compiling with Oracle Instant Client [autodetect] :
Enter the path as: instantclient,/opt/instantclient_11_2
After it installs, create a text file named oci8.ini in the /etc/php.d directory that contains the following:
|; Enable Oracle (oci8) extension module
You will also have to edit your LD_LIBRARY_PATH environment variable by doing the following:
|# echo "LD_LIBRARY_PATH=/opt/instantclient_11_2/lib:$LD_LIBRARY_PATH" >> /etc/profile
# echo "export LD_LIBRARY_PATH" >> /etc/profile
# source /etc/profile
mod_ssl may already be installed. Just to make sure, go ahead and install it:
|NOTE: The RHEL Server Optional channel must be added to your entitlement for some of these packages
There are all kinds of things you can do to configure PHP. These are all examples, starting points. Salt to taste. You can add or remove modules and options for your specific needs.
FYI, some of these may already be installed. First, for the basics (again, your requirements may differ):
|# yum install php-gd php-imap php-mbstring php-pdo php-xml php-devel gcc
I love this software. It is included with OpenBSD and some other BSD/Linux distributions, but missing in RHEL. Here we will compile and configure the extension to work with out PHP server:
|# cd /usr/src
# wget http://download.suhosin.org/suhosin-0.9.33.tgz
# tar zxvf suhosin-0.9.33.tgz
# rm suhosin-0.9.33.tgz
# cd suhosin-0.9.33
# ./configure && make && make install
After it installs, create a text file named suhosin.ini in the /etc/php.d directory that contains the following:
|; Enable Suhosin extension module
V. Configure Apache (for SSL, site-specific settings, etc.)
Edit the Apache configuration file:
|# vi /etc/httpd/conf/httpd.conf
If you'll be using port 80, then you want to pay attention to the settings here. You will also want to add index.php to the DirectoryIndex section!
I use /var/www/http for the port 80 traffic. If you edit your httpd.conf to use this directory for DocumentRoot, then I suggest doing this:
|# mv /var/www/html /var/www/http
Next, edit the Apache SSL configuration file:
|# vi /etc/httpd/conf.d/ssl.conf
Edit the <VirtualHost _default_:443> section to match the environment you are using. This should be self explanatory. If you have trouble, check the help files or get a really good book on Apache.
I use /etc/httpd/ssl to store the SSL files, for simplicity. If you choose to do the same (as this guide will later use), change the SSL certificate definitions to:
Also, I use /var/www/https for the port 443 (SSL) traffic. If you edit your ssl.conf to use this directory for DocumentRoot, then I suggest doing this:
SSL Certificate / Key Pair
First, create the directory to store these files:
Generate the SSL server key (keep this extra super secret private). You will have to enter a passphrase for this process, however if you do not wish to use one (for practical / unattended restart purposes), don't enter the -aes256 flag:
|# openssl genrsa -out /etc/httpd/ssl/https.key -aes256 2048
Next, create a CSR certificate request:
|# openssl req -new -key /etc/httpd/ssl/https.key -out /etc/httpd/ssl/https.csr
Now, you can either send the certificate request (https.csr) to a Certificate Authority (CA) to be signed, or you can sign it yourself. CAs can be expensive, but it can be better to gain trust from customers - as the browser warning from a self-signed certificate can scare away some folks. The following process will create a self-signed certificate with a two year expiration:
|# openssl req -x509 -days 730 -key /etc/httpd/ssl/https.key -in /etc/httpd/ssl/https.csr > /etc/httpd/ssl/https.crt
Now we should test our Apache & PHP install. Create a file named info.php in the /var/www/http (or whichever area you configured as your www folder) directory. Place the following lines in that file:
Now start an instance of the httpd server as follows:
|# /etc/init.d/httpd restart
Go to any Web browser networked to this machine and enter its URL (http://name-or-ip/info.php). Review all the settings and make sure it is all correct. You should stop the Apache server process now by executing the same line as starting it, only with the stop parameter instead.
VII. Helpful Links