Monthly Archives: August 2018

FAMP – FreeBSD, Apache, MySQL, and PHP

Here is a quick overview of how to do a FAMP (FreeBSD, Apache, MySQL, PHP) install properly on FreeBSD 11.

I will be using the pkg system for this install, but first let's understand a little bit about pkg. For years, FreeBSD used the ports tree, a file tree of Makefiles and everything else needed to build any piece of software from source. In recent years FreeBSD has put more emphasis on precompiled binary packages, and the pkg utility is the tool for those: it fetches the current build of a package from the repository and installs it. The syntax is simple:

# pkg install package_name

You can search by using the command:

# pkg search name

For example, “pkg search apache”, will return this list:

apache-ant-1.10.3 Java- and XML-based build tool, conceptually similar to make
apache-forrest-0.9 Tool for rapid development of small sites
apache-mode.el-2.0_1 Emacs major mode for editing Apache configuration files
apache-openoffice-4.1.5_6 Integrated wordprocessor/dbase/spreadsheet/drawing/chart/browser
apache-openoffice-devel-4.2.1833124,4 Integrated wordprocessor/dbase/spreadsheet/drawing/chart/browser (developer version)
apache-poi-3.15 Java API To Access Microsoft Format Files
apache-rat-0.12 Release audit tool
apache-solr-7.1.0 High performance search server built using Lucene Java
apache-solr3-3.6.2 High performance search server built using Lucene Java
apache-spark-2.1.1_1 Fast big data processing engine
apache-xml-security-c-1.7.3_1 Apache XML security libraries - C++ version
apache24-2.4.34 Version 2.4.x of Apache web server
apachetop-0.12.6_5 Apache realtime log stats
p5-Apache-ASP-2.63 Active Server Pages for Apache
p5-Apache-Admin-Config-0.95_1 Perl module to manipulate Apache configuration files
p5-Apache-AuthCookie-3.27 Perl module to provide custom forms for reauthentication

and so on…

When doing a pkg install, you only need the name portion, not the full name with the version number. So let's begin with our FAMP tutorial.

Step 1 – Install Apache

# pkg install apache24

Once this is completed, you need to add apache24_enable="YES" to /etc/rc.conf so that Apache starts at boot. This can be done manually, or with the command:

# sysrc apache24_enable="YES"

Lastly, start Apache with either "/usr/local/etc/rc.d/apache24 start" or "service apache24 start".

Step 2 – Install PHP

Which version? You’ll notice that “pkg search php” returns a few different options. For core PHP, your options are:

php56-5.6.36_1
php70-7.0.31
php71-7.1.20
php72-7.2.8

Let's assume you want the latest stable 7.2. Here is the install command; note that in addition to PHP core I am going to install a few popular add-ons, all of which appear in the output of "pkg search php72". mod_php72 is the Apache module that runs PHP inside httpd, and php72-mysqli is the driver PHP uses to talk to MySQL.

# pkg install php72 php72-gd mod_php72 php72-mysqli php72-zlib

NOTE: If you wanted an older version, say 5.6, you would use the command below. Bear in mind that PHP 5.6 reaches the end of its security support at the end of 2018, so only do this for software that cannot run on 7.x:

# pkg install php56 php56-gd mod_php56 php56-mysqli php56-zlib

Once PHP is installed, create /usr/local/etc/apache24/Includes/php.conf (files in that directory are pulled in by the stock httpd.conf) with the following contents. The second FilesMatch block serves any .phps file as syntax-highlighted source code; leave it out on a production server unless you actually intend to publish your source:

<IfModule dir_module>
    DirectoryIndex index.php index.html
    <FilesMatch "\.php$">
        SetHandler application/x-httpd-php
    </FilesMatch>
    <FilesMatch "\.phps$">
        SetHandler application/x-httpd-php-source
    </FilesMatch>
</IfModule>

It's also important to install a proper php.ini. The package ships a sample production and a sample development .ini; choose the one that is appropriate and copy it into place as follows. On anything reachable from the internet that means php.ini-production, which turns display_errors off:

# cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini

Now let's test everything before we continue:

# echo '<?php phpinfo(); ?>' > /usr/local/www/apache24/data/phpinfo.php
# service apache24 restart

Visit your server at http://IP-ADDRESS/phpinfo.php and you should see the PHP information page. Once it works, delete phpinfo.php: it discloses the PHP version, loaded modules, file system paths and configuration to anyone who can reach the server.

Step 3 – Install MySQL

Just as before, we do a "pkg search mysql" and find several versions:

mysql55-client-5.5.60
mysql55-server-5.5.60
mysql56-client-5.6.40
mysql56-server-5.6.40
mysql57-client-5.7.22_1
mysql57-server-5.7.22_2
mysql80-client-8.0.11_1
mysql80-server-8.0.11_1

Let's go with version 5.7, so to install we do:

# pkg install mysql57-client mysql57-server

Next, we add the startup line to /etc/rc.conf and start MySQL:

# sysrc mysql_enable="YES"
# service mysql-server start

Now that MySQL is running, we execute the following script:

# mysql_secure_installation

This script sets the password of the MySQL root user for command-line access, and also offers to remove the anonymous accounts, disallow remote root logins and drop the test database. Accept all of those on a server.

/56 Subnet – Delegating IPv6 Reverse Authority

Recently I had a client that wanted a /56 IPv6 WAN range, so that he could carve multiple /64s out of his /56 and assign them to his own clients.

Before we go any further, let's clarify what a /56 is, using the following sample range:

2600:AB00:1000:2000::/56

This is really the range of addresses from 2600:AB00:1000:2000:0000:0000:0000:0000 through 2600:AB00:1000:20FF:FFFF:FFFF:FFFF:FFFF: the first 56 bits (14 hex digits) are fixed, so the fourth group runs from 2000 to 20FF, and the block is 256 /64s. Delegating reverse authority for this beast is not so straightforward. Here is how we do it in BIND 9.

The most difficult aspect is that the /56 delegation has to be made from inside the /32 zone. Why? Reverse delegation follows the DNS tree: the RIR delegates the zone for your /32 (0.0.b.a.0.0.6.2.ip6.arpa in this example) to your name servers, so the NS records that hand a /56 to someone else have to live in that zone. If you have only ever done the reverse DNS yourself (no delegation), you probably never created a zone for the /32 and simply declared each /64 zone on its own. A freshly written /56 ip6.arpa zone cannot delegate anything by itself, because nothing in the tree points at it; the delegation has to be done from the /32 zone. Don't worry about your existing /64 zones: BIND answers every query from the most specific zone it is authoritative for, so once the /32 zone exists, the /64 zones on the same servers keep working with no changes.

So, sticking with the above ranges, assume we are an ISP: our /32 is 2600:AB00::/32 and our DNS servers are ns1.isp.com and ns2.isp.com. We have a client with the /64 2600:AB00:1234:4000::/64 for whom we do the reverse DNS ourselves (no delegation), and a client with the /56 2600:AB00:1000:2000::/56 whose reverse DNS is to be delegated to their own name servers, ns1.client.com and ns2.client.com.

This is a watered-down config snippet showing just the pertinent info. Here are the zone declarations from my main BIND config file (named.conf):


zone "0.0.0.4.4.3.2.1.0.0.b.a.0.0.6.2.ip6.arpa" {
    type master;
    file "/etc/bind/master/0.0.0.4.4.3.2.1.0.0.b.a.0.0.6.2.ip6.arpa";
};

zone "0.0.b.a.0.0.6.2.ip6.arpa" {
    type master;
    file "/etc/bind/master/0.0.b.a.0.0.6.2.ip6.arpa";
};

The first zone is my /64 client; here is that zone file with some sample PTRs:


$ORIGIN 0.0.0.4.4.3.2.1.0.0.b.a.0.0.6.2.ip6.arpa.
$TTL 3600
@   IN  SOA ns1.isp.com. hostmaster.isp.com. (
        2014022621 ; Serial
        10800      ; Refresh
        3600       ; Retry
        2419200    ; Expire
        604800 )   ; Minimum (negative caching TTL)

@   IN  NS  ns1.isp.com.
@   IN  NS  ns2.isp.com.

; host part of 2600:AB00:1234:4000::55 and ::95, nibble-reversed
5.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0  IN  PTR  web01.isp.com.
5.9.0.0.0.0.0.0.0.0.0.0.0.0.0.0  IN  PTR  mail01.isp.com.

The second zone is the /32 zone, and this is where we delegate the /56; see below:


$ORIGIN 0.0.b.a.0.0.6.2.ip6.arpa.
$TTL 3600
@   IN  SOA ns1.isp.com. hostmaster.isp.com. (
        2018080107 ; Serial
        10800      ; Refresh
        3600       ; Retry
        2419200    ; Expire
        604800 )   ; Minimum (negative caching TTL)

@   IN  NS  ns1.isp.com.
@   IN  NS  ns2.isp.com.

; delegation of 2600:AB00:1000:2000::/56 to the client's name servers
0.2.0.0.0.1.0.0.b.a.0.0.6.2.ip6.arpa.  IN  NS  ns1.client.com.
0.2.0.0.0.1.0.0.b.a.0.0.6.2.ip6.arpa.  IN  NS  ns2.client.com.

Looking at this zone file, the first two NS records are the zone's own name servers, the same ones the RIR points at for the /32. Any name under 2600:AB00::/32 that has no more specific zone or delegation is answered from here; names under the /64 above are answered from that zone, because BIND picks the longest-matching zone it is authoritative for. This is why the /64 zone in the config keeps working unchanged, with one caveat: if that /64 is ever moved to servers other than the ones serving the /32 zone, it will need its own NS records here too. The last two NS records are the delegation: any query under 2600:AB00:1000:2000::/56 is referred to the client's name servers, which must then serve a zone named 0.2.0.0.0.1.0.0.b.a.0.0.6.2.ip6.arpa containing the PTRs for their /64s. To check it, run "dig @ns1.isp.com -x 2600:AB00:1000:2000::1 +norecurse"; you should get a referral with ns1.client.com and ns2.client.com in the AUTHORITY section rather than an answer or NXDOMAIN.
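Getting the nibble-reversed names right by hand is the error-prone part of this (the zone name in the config snippet above originally did not match its own zone file). As an added example that is not part of the original post, here is a POSIX sh script that expands an IPv6 address, computes the ip6.arpa name for any nibble-aligned prefix, emits the delegation NS records for a child prefix inside a parent zone, and writes a PTR line relative to a /64 zone's $ORIGIN. It goes beyond the article's single /56 case in that it checks the nibble-boundary and containment rules for any prefix. The prefixes, host names and server names in the usage lines are the article's examples; the script name ip6arpa.sh is assumed.

```shell
#!/bin/sh
# ip6.arpa helpers: nibble-reversed zone names, delegation records and PTR owners.
# Added for this page as an illustration; not from the original post. The
# prefixes and host names in the usage lines are the article's examples.

# expand_ip6 ADDR -> the address as 32 lower-case hex digits ("::" expanded).
expand_ip6() {
    awk -v a="$(printf '%s' "$1" | tr 'A-F' 'a-f')" '
        function pad(g) { while (length(g) < 4) g = "0" g; return g }
        BEGIN {
            i = index(a, "::")
            if (i) {
                nl = split(substr(a, 1, i - 1), L, ":")   # groups left of "::"
                nr = split(substr(a, i + 2), R, ":")      # groups right of "::"
            } else {
                nl = split(a, L, ":"); nr = 0             # no "::", eight groups
            }
            for (k = 1; k <= nl; k++) out = out pad(L[k])
            for (k = nl + nr; k < 8; k++) out = out "0000"  # the elided groups
            for (k = 1; k <= nr; k++) out = out pad(R[k])
            print out
        }'
}

# ip6_arpa_name PREFIX/LEN -> the ip6.arpa name that covers exactly that prefix.
# Reverse zones can only be cut on nibble (4-bit) boundaries: a /56 is fine,
# a /58 is rejected.
ip6_arpa_name() {
    addr=${1%/*}; len=${1#*/}
    case $len in ''|*[!0-9]*) echo "ip6_arpa_name: no prefix length in '$1'" >&2; return 1 ;; esac
    if [ "$len" -gt 128 ] || [ $((len % 4)) -ne 0 ]; then
        echo "ip6_arpa_name: /$len is not on a nibble boundary" >&2; return 1
    fi
    expand_ip6 "$addr" | awk -v n="$((len / 4))" '{
        for (k = n; k >= 1; k--) out = out substr($0, k, 1) "."   # reverse the nibbles
        print out "ip6.arpa"
    }'
}

# delegation_records PARENT CHILD NS... -> NS records delegating CHILD, to be put
# in the PARENT zone. Owners are fully qualified, so $ORIGIN does not matter.
delegation_records() {
    parent=$(ip6_arpa_name "$1") || return 1
    child=$(ip6_arpa_name "$2") || return 1
    case $child in
        *".$parent") ;;    # a child name must end in the parent name
        *) echo "delegation_records: $2 is not inside $1" >&2; return 1 ;;
    esac
    shift 2
    for ns in "$@"; do printf '%s. IN NS %s.\n' "$child" "${ns%.}"; done
}

# ptr_record ADDR ZONE_PREFIX HOST -> the PTR line for ADDR with its owner
# written relative to the zone for ZONE_PREFIX (the form used under $ORIGIN).
ptr_record() {
    full=$(ip6_arpa_name "$1/128") || return 1
    zone=$(ip6_arpa_name "$2") || return 1
    rel=${full%".$zone"}
    if [ "$rel" = "$full" ]; then
        echo "ptr_record: $1 is not inside $2" >&2; return 1
    fi
    printf '%s IN PTR %s.\n' "$rel" "${3%.}"
}

# Usage:
#   sh ip6arpa.sh zone     2600:AB00:1000:2000::/56
#   sh ip6arpa.sh delegate 2600:AB00::/32 2600:AB00:1000:2000::/56 ns1.client.com ns2.client.com
#   sh ip6arpa.sh ptr      2600:AB00:1234:4000::55 2600:AB00:1234:4000::/64 web01.isp.com
case ${1:-} in
    zone)     ip6_arpa_name "$2" ;;
    delegate) shift; delegation_records "$@" ;;
    ptr)      shift; ptr_record "$@" ;;
esac
```

The "delegate" form prints exactly the two NS lines that appear in the /32 zone file above, and "ptr" prints the web01 line from the /64 zone file; a /58 or a child prefix outside the parent is refused with a message on stderr and a non-zero exit, which is what you want from something that feeds a zone file.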