Reboot, posted January 18, 2015

Hello, today I will introduce the steps to install a web server under FreeBSD.

We need to install some programs:

Main Programs
- MySQL 5.6 Server
- Apache 2.4
- PHP 5.6
- PHP 5.6 extensions
- PHP 5.6 extra extensions

Advanced Firewall
- IP Filter
- mod_security
- mod_antiloris
- mod_evasive

Before you begin configuring the web server you must install PKG. In the FreeBSD console type:

    pkg

Then press Y -> ENTER (to confirm the install). After that:

    pkg update

Installing and configuring MySQL.

Now the MySQL server. In the FreeBSD console type these commands:

    pkg install mysql56-server
    echo 'mysql_enable="YES"' >> /etc/rc.conf
    service mysql-server start

Now create the MySQL "root" user:

    mysql -u root
    GRANT ALL PRIVILEGES ON *.* TO root@"%" IDENTIFIED BY 'password' WITH GRANT OPTION;
    flush privileges;
    exit

Where it says password, put your desired password.

MySQL is DONE.

Installing and configuring Apache24.

    pkg install apache24

The following command:

    echo 'apache24_enable="YES"' >> /etc/rc.conf

Now open WinSCP and navigate to /usr/local/etc/apache24/httpd.conf

In httpd.conf look for the following line:

    # ServerName www.yourdomain.com:80

And delete the # from that line in your httpd.conf.

Now start the service:

    service apache24 start

READY. Now to test if it works.
Open a web page and type the IP address used for the VDS (VPS). If everything is OK, the website should show: It Works !!

Installing and configuring PHP 5.6

The commands:

    pkg install php56
    pkg install mod_php56

Open /usr/local/etc/apache24/httpd.conf and verify that you have this line:

    LoadModule php5_module libexec/apache24/libphp5.so

If it is not there, add it manually.

Open the FreeBSD console, type this command and press ENTER:

    cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini

Now let's configure Apache. Open the file /usr/local/etc/apache24/httpd.conf and look for the following line:

    DirectoryIndex index.html

And change it so it reads as follows:

    DirectoryIndex index.html index.php

Now Apache just needs to know what it should parse the PHP files with.
These two lines should be added to the httpd.conf file, and can be put at the bottom if needed. Or search httpd.conf for the lines that start with AddType and add these two on a new line there:

    AddType application/x-httpd-php .php
    AddType application/x-httpd-php-source .phps

If you want to use PHP code inside of .htm files you can just add on those extensions:

    AddType application/x-httpd-php .php .htm .html

As an optional step, if you'd like to add multilanguage support to Apache, uncomment the following line (in httpd.conf):

    Include etc/apache24/extra/httpd-languages.conf

Then restart the services:

    service apache24 restart
    service mysql-server restart

Okay, now to test whether PHP works. Type this command in the FreeBSD console:

    echo "<?php phpinfo(); ?>" >> /usr/local/www/apache24/data/index.php

And open the IP used by the VDS (VPS) in a web browser:

    http://your_server_IP_address/index.php

Installing and configuring PHP 5.6 extensions and extra extensions.

    pkg install php56-extensions
    pkg install php56-mysqli
    pkg install php56-mysql
    pkg install php56-gd
    pkg install php56-openssl

DONE

Varnish cache > Best HTTP accelerator

    pkg install varnish

Then rc.conf:

    echo 'varnishd_enable="YES"' >> /etc/rc.conf

Starting Varnish:

    /usr/local/etc/rc.d/varnishd start

Check if Varnish is really running:

    /usr/local/etc/rc.d/varnishd status
    varnishd is not running.
Now, view the Varnish configuration:

    ee /usr/local/etc/varnish/default.vcl

Inside the file I see this:

    # Default backend definition. Set this to point to your content
    # server.
    #
    # backend default {
    #     .host = "127.0.0.1";
    #     .port = "8080";
    # }

It means the content needs to run on port 8080. Remove all the # marks so it looks like this:

    backend default {
        .host = "127.0.0.1";
        .port = "8080";
    }

127.0.0.1 = replace with your host IP (VPS, VDS), etc. Save the file.

Change the Apache configuration to run on port 8080:

    ee /usr/local/etc/apache24/httpd.conf

Change:

    Listen 80

to:

    Listen 8080

Save the file. Restart Apache:

    service apache24 restart

Now retry starting Varnish:

    /usr/local/etc/rc.d/varnishd start

Check Varnish:

    /usr/local/etc/rc.d/varnishd status

P.S.: you can enable the Varnish log:

    echo 'varnishlog_enable="YES"' >> /etc/rc.conf
    /usr/local/etc/rc.d/varnishlog start

Security

Antiloris protection

Slowloris allows a single machine to take down another machine's web server with minimal bandwidth and side effects on unrelated services and ports. The tools used to launch a Slowloris attack can be downloaded at [hidden content]

Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request. Periodically, it will send subsequent HTTP headers, adding to—but never completing—the request. Affected servers will keep these connections open, filling their maximum concurrent connection pool, eventually denying additional connection attempts from clients.

Install this:

    pkg install mod_antiloris

Find the following line in your httpd.conf and uncomment it. If this line is not there after installing mod_antiloris, add it manually.

    #LoadModule antiloris_module libexec/apache24/mod_antiloris.so

ModSecurity

    pkg install www/mod_security

ModSecurity requires firewall rule definitions.
Most people use the OWASP ModSecurity Core Rule Set (CRS). The easiest way to track the OWASP CRS repository right now is to use Git. Let's make a directory for all our ModSecurity related stuff, and clone the CRS repository under it.

    pkg install git
    mkdir -p /usr/local/etc/modsecurity
    cd /usr/local/etc/modsecurity
    git clone https://github.com/SpiderLabs/owasp-modsecurity-crs crs

Copy the default ModSecurity config file, and fetch a necessary file which is currently not included in the package:

    cp /usr/local/etc/modsecurity.conf-example modsecurity.conf
    fetch https://raw.github.com/SpiderLabs/ModSecurity/master/unicode.mapping
    cp crs/modsecurity_crs_10_setup.conf.example modsecurity_crs_10_setup.conf

Now we create an Apache configuration snippet in Apache's modules.d directory. It loads the ModSecurity module, and includes the configurations and CRS:

    cat << EOF > /usr/local/etc/apache24/modules.d/000_modsecurity.conf
    # Load ModSecurity
    # Comment out the next line to temporarily disable ModSecurity:
    LoadModule security2_module libexec/apache24/mod_security2.so

    <IfModule security2_module>
        # Include ModSecurity configuration
        Include etc/modsecurity/modsecurity.conf

        # Include OWASP Core Rule Set (CRS) configuration and base rules
        Include etc/modsecurity/modsecurity_crs_10_setup.conf
        Include etc/modsecurity/crs/base_rules/*.conf

        # Add custom configuration and CRS exceptions here. Example:
        # SecRuleRemoveById 960015
    </IfModule>
    EOF

When the configuration is all set, simply restart Apache, and confirm that ModSecurity is loaded by checking Apache's log file:

    service apache24 restart

Log file saved to: /var/log/httpd-error.log

Hopefully, the log will show something like this:

    ModSecurity for Apache/2.4.2 (http://www.modsecurity.org/) configured.
    ModSecurity: APR compiled version="1.4.8"; loaded version="1.4.8"
    ModSecurity: PCRE compiled version="8.34 "; loaded version="8.34 2013-12-15"
    ModSecurity: LIBXML compiled version="2.8.0"

What the log says differs by Apache version.

Now that ModSecurity is active, try making a suspicious request to your web server, for instance browse to a URL http://www.example.com/?foo=/etc/passwd. The CRS has a rule against this type of request. After browsing to the URL, you should now see this request logged in /var/log/modsec_audit.log.

You'll notice that the request succeeds, and the response is sent to the browser normally. The reason is that ModSecurity runs in DetectionOnly mode by default, in order to prevent downtime from misconfiguration or heavy-handed blocking. You can enable blocking mode simply by editing modsecurity.conf and changing the following line:

    SecRuleEngine On

Again, restart Apache. Now, make the same suspicious request to your web server. You should now see a "403 Forbidden" error!

In practice, it's probably best to keep SecRuleEngine DetectionOnly for some time, while your users exercise the web applications. Meanwhile, you should keep an eye on /var/log/modsec_audit.log to see what is being blocked. If there are any false positives, you need to mitigate this by writing custom exceptions.

Mod_evasive
- DOS Hash Table Size
- DOS Page Count
- DOS Site Count
- DOS Page Interval
- DOS Site Interval
- DOS Blocking Period
- DOS Email Notify
- DOS System Command
- DOS Log Dir
- Whitelisting IP Addresses

Coming soon

If you know of other vulnerabilities, leave a message and I will edit the post with a solution. I am going to edit my post over time, when I have time, about security.

If you need to install more extensions, leave a message in the topic. And I'll edit the post and fill you in :D

If you have errors, such as missing libraries or other errors, ask in the topic.

All steps tested on FreeBSD 10.1

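The audit-log review the first post recommends while SecRuleEngine is DetectionOnly, as an added example that is not part of the original post or of ModSecurity itself: it parses the serial audit log format and tallies which rule ids fired, for which requests and from how many clients. The sample log, its rule messages, the function names and the "two or more distinct clients" review heuristic are assumptions made for illustration.

```python
import re

# Serial audit log: every part starts with a boundary line "--<txid>-<letter>--".
BOUNDARY = re.compile(r"^--([0-9a-fA-F]+)-([A-Z])--$")
RULE_ID = re.compile(r'\[id "(\d+)"\]')
RULE_MSG = re.compile(r'\[msg "([^"]*)"\]')

# Constructed sample, not real traffic; rule messages are illustrative.
SAMPLE_LOG = """\
--a1b2c3d4-A--
[18/Jan/2015:21:40:02 +0000] VLwYQn8AAAEAAAbc 192.0.2.10 51000 203.0.113.5 80
--a1b2c3d4-B--
GET /index.php HTTP/1.1
--a1b2c3d4-H--
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [id "960015"] [msg "Request Missing an Accept Header"]
--a1b2c3d4-Z--
--b2c3d4e5-A--
[18/Jan/2015:21:41:10 +0000] VLwYhn8AAAEAAAbd 198.51.100.7 40222 203.0.113.5 80
--b2c3d4e5-B--
GET /shop.php?id=3 HTTP/1.1
--b2c3d4e5-H--
Message: Warning. Operator EQ matched 0 at REQUEST_HEADERS. [id "960015"] [msg "Request Missing an Accept Header"]
--b2c3d4e5-Z--
--c3d4e5f6-A--
[18/Jan/2015:21:42:31 +0000] VLwY138AAAEAAAbe 198.51.100.7 40230 203.0.113.5 80
--c3d4e5f6-B--
GET /?foo=/etc/passwd HTTP/1.1
--c3d4e5f6-H--
Message: Warning. Pattern match at ARGS:foo. [id "950005"] [msg "Remote File Access Attempt"] [data "/etc/passwd"]
--c3d4e5f6-Z--
"""

def parse_transactions(text):
    """Yield {"client", "request", "rules"} for each complete (A..Z) transaction."""
    tx, section = None, None
    for line in text.splitlines():
        m = BOUNDARY.match(line.strip())
        if m:
            section = m.group(2)
            if section == "A":  # new transaction; an unfinished previous one is dropped
                tx = {"client": None, "request": None, "rules": []}
            elif section == "Z" and tx is not None:
                yield tx
                tx = None
            continue
        if tx is None or not line.strip():
            continue
        if section == "A" and tx["client"] is None:
            # "[timestamp] unique_id source_ip source_port dest_ip dest_port"
            fields = line.split("] ", 1)[-1].split()
            tx["client"] = fields[1] if len(fields) > 1 else None
        elif section == "B" and tx["request"] is None:
            tx["request"] = line.strip()  # first line of section B is the request line
        elif section == "H" and line.startswith("Message:"):
            rid = RULE_ID.search(line)
            if rid:
                msg = RULE_MSG.search(line)
                tx["rules"].append((rid.group(1), msg.group(1) if msg else ""))

def summarize(text):
    """Map rule id -> {"msg", "hits", "clients", "requests"} over all transactions."""
    out = {}
    for tx in parse_transactions(text):
        for rid, msg in tx["rules"]:
            e = out.setdefault(rid, {"msg": msg, "hits": 0, "clients": set(), "requests": set()})
            e["hits"] += 1
            e["clients"].add(tx["client"])
            e["requests"].add(tx["request"])
    return out

def review_candidates(summary, min_clients=2):
    """Heuristic (assumption): rules hit by several distinct clients deserve a false-positive review."""
    return sorted(r for r, e in summary.items() if len(e["clients"]) >= min_clients)

if __name__ == "__main__":
    for rid, e in sorted(summarize(SAMPLE_LOG).items()):
        print(rid, e["hits"], e["msg"], sorted(e["requests"]))
    print("review before blocking:", review_candidates(summarize(SAMPLE_LOG)))
```

Run it against a copy of /var/log/modsec_audit.log by passing the file contents to `summarize`; a rule that only ever fires on requests like `/?foo=/etc/passwd` is doing its job, while one that fires on ordinary pages for many clients is the kind to inspect before switching to `SecRuleEngine On`.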
danhakhavro, posted January 18, 2015 (edited)

Thanks for the tutorial but I have 1 problem. I configured PHP5 but I have 1 error. He can't read .php files. My configuration:

Edited August 18, 2022 by Metin2 Dev Core X - External 2 Internal

Reboot (author), posted January 18, 2015 (edited)

> Thanks for the tutorial but I have 1 problem. I configured PHP5 but I have 1 error. He can't read .php files. My configuration:

I forgot something, I think :D I edited the post, check everything.

Open /usr/local/etc/apache24/httpd.conf and verify that you have this line:

    LoadModule php5_module libexec/apache24/libphp5.so

If it is not there, add it manually.

Edited August 18, 2022 by Metin2 Dev Core X - External 2 Internal

danhakhavro, posted January 18, 2015 (edited)

Yes, you are right, this doesn't create the line, I added it manually but .... Other error xD

I go to cd /usr/local/libexec/apache24 and I don't have libphp5.so in this directory.

Edited August 18, 2022 by Metin2 Dev Core X - External 2 Internal

Reboot (author), posted January 18, 2015

Probably in your unsuccessful attempts you broke something in FreeBSD. After installing mod_php56, libphp5.so really needs to be there. Use a clean FreeBSD and resume the steps in the tutorial.

Remix, posted January 18, 2015

Why install mysql? And why using apache instead of nginx?

Today you need a good ddos protection and in the case of a layer 7 attack nginx is much much much better than apache.

nginx runs as an event (apache as a process) so it can handle that better.

Reboot (author), posted January 18, 2015

> Why installing mysql? And why using apache instead of nginx? Today you need a good ddos protection and in the case of a layer 7 attack nginx is much much much better than apache

Apache best. MySQL is necessary for the database. MySQL is necessary to use the MySQLi extension. With good Apache protection and a perfect setup, nginx is weak compared to Apache. My opinion :D

In FreeBSD there are about 100 ways to protect a web server. I know them all :D I just do not have time to do tutorials.

Remix, posted January 18, 2015

> > Why installing mysql? And why using apache instead of nginx? Today you need a good ddos protection and in the case of a layer 7 attack nginx is much much much better than apache
>
> Apache best. MySQL is necessary for the database. MySQL is necessary to use the MySQLi extension. With good Apache protection and a perfect setup, nginx is weak compared to Apache. My opinion :D In FreeBSD there are about 100 ways to protect a web server. I know them all :D I just do not have time to do tutorials.

You can install the php mysql extension without installing mysql.

It's a fact that nginx is better than apache. An opinion doesn't matter.

danhakhavro, posted January 18, 2015

> Probably in your unsuccessful attempts you broke something in FreeBSD. After installing mod_php56, libphp5.so really needs to be there. Use a clean FreeBSD and resume the steps in the tutorial.

Ok, I will go reinstall my FreeBSD and try again, and after that I will come here and leave 1 comment =)

Reboot (author), posted January 18, 2015

> On 1/18/2015 at 9:55 PM, iRemix said:
>
> > > Why installing mysql? And why using apache instead of nginx? Today you need a good ddos protection and in the case of a layer 7 attack nginx is much much much better than apache
> >
> > Apache best. MySQL is necessary for the database. MySQL is necessary to use the MySQLi extension. With good Apache protection and a perfect setup, nginx is weak compared to Apache. My opinion :D In FreeBSD there are about 100 ways to protect a web server. I know them all :D I just do not have time to do tutorials.
>
> You can install the php mysql extension without installing mysql. It's a fact that nginx is better than apache. An opinion doesn't matter.

We tested both apache and nginx.

In any case I will do a tutorial for nginx.

Remix, posted January 18, 2015

> On 1/18/2015 at 10:01 PM, Reboot said:
>
> > > > Why installing mysql? And why using apache instead of nginx? Today you need a good ddos protection and in the case of a layer 7 attack nginx is much much much better than apache
> > >
> > > Apache best. MySQL is necessary for the database. MySQL is necessary to use the MySQLi extension. With good Apache protection and a perfect setup, nginx is weak compared to Apache. My opinion :D In FreeBSD there are about 100 ways to protect a web server. I know them all :D I just do not have time to do tutorials.
> >
> > You can install the php mysql extension without installing mysql. It's a fact that nginx is better than apache. An opinion doesn't matter.
>
> We tested both apache and nginx.

edit: what do you want to show? nginx has better stats on the pic

Reboot (author), posted January 18, 2015

> On 1/18/2015 at 10:02 PM, iRemix said:
>
> > > > > Why installing mysql? And why using apache instead of nginx? Today you need a good ddos protection and in the case of a layer 7 attack nginx is much much much better than apache
> > > >
> > > > Apache best. MySQL is necessary for the database. MySQL is necessary to use the MySQLi extension. With good Apache protection and a perfect setup, nginx is weak compared to Apache. My opinion :D In FreeBSD there are about 100 ways to protect a web server. I know them all :D I just do not have time to do tutorials.
> > >
> > > You can install the php mysql extension without installing mysql. It's a fact that nginx is better than apache. An opinion doesn't matter.
> >
> > We tested both apache and nginx.
>
> edit: what do you want to show? nginx has better stats on the pic

Some statistics show that nginx is better, others that Apache is. Not all the time is correct, I tested and apache performed better :D

Remix, posted January 18, 2015

You can use apache if you want but don't wonder if your homepage is offline.

danhakhavro, posted January 18, 2015 (edited)

I restarted my FreeBSD server and now when I start apache I have this error:

I think you forgot some steps in the apache24 installation xD

Edited August 18, 2022 by Metin2 Dev Core X - External 2 Internal

Reboot (author), posted January 18, 2015 (edited)

> I restarted my FreeBSD server and now when I start apache I have this error:

    converters/iconv          Charset conversion library and utilities
    converters/iconv-extra    Additional charsets for the iconv library (those from the Unicode site)
    converters/iconv-rfc1345  Additional charset modules for the iconv library (from RFC1345)
    converters/libiconv       A character set conversion library

    pkg install iconv
    pkg install iconv-extra
    pkg install iconv-rfc1345
    pkg install libiconv

ALL steps tested on FreeBSD 10.1

Edited August 18, 2022 by Metin2 Dev Core X - External 2 Internal

Pepineitor, posted January 18, 2015

> Installing and configuring MySQL.
>
> Now the mysql server : In the freebsd console type these commands :
>
>     pkg install mysql56-server
>     echo 'apache24_enable="YES"' >> /etc/rc.conf

I think it is

    echo 'mysql_enable="YES"' >> /etc/rc.conf

Reboot (author), posted January 18, 2015

> > Installing and configuring MySQL.
> >
> > Now the mysql server : In the freebsd console type these commands :
> >
> >     pkg install mysql56-server
> >     echo 'apache24_enable="YES"' >> /etc/rc.conf
>
> I think it is
>
>     echo 'mysql_enable="YES"' >> /etc/rc.conf

OMG, I think because they are drunk. ))))))) Thanks ))))))

lolor2, posted January 18, 2015

> > > Installing and configuring MySQL.
> > >
> > > Now the mysql server : In the freebsd console type these commands :
> > >
> > >     pkg install mysql56-server
> > >     echo 'apache24_enable="YES"' >> /etc/rc.conf
> >
> > I think it is
> >
> >     echo 'mysql_enable="YES"' >> /etc/rc.conf
>
> OMG, I think because they are drunk. ))))))) Thanks ))))))

Would you also please add a tutorial about how to prevent slowloris attacks, else every webserver can be downed with a 250kb/s connection.

Reboot (author), posted January 18, 2015

> > > > Installing and configuring MySQL.
> > > >
> > > > Now the mysql server : In the freebsd console type these commands :
> > > >
> > > >     pkg install mysql56-server
> > > >     echo 'apache24_enable="YES"' >> /etc/rc.conf
> > >
> > > I think it is
> > >
> > >     echo 'mysql_enable="YES"' >> /etc/rc.conf
> >
> > OMG, I think because they are drunk. ))))))) Thanks ))))))
>
> Would you also please add a tutorial about how to prevent slowloris attacks, else every webserver can be downed with a 250kb/s connection.

You fill out tomorrow night, when I have time this topic. The tutorial about slowloris. Just wait until tomorrow :D

danhakhavro, posted January 18, 2015 (edited)

Yes, solved. In your tutorial you have 1 error. In the MySQL installation you say this:

    echo 'apache24_enable="YES"' >> /etc/rc.conf

It's mysql not apache xD

Well, when I go to create the user I have this problem.

Edited August 18, 2022 by Metin2 Dev Core X - External 2 Internal

Reboot (author), posted January 18, 2015 (edited)

> Yes, solved. In your tutorial you have 1 error. In the MySQL installation you say this:
>
>     echo 'apache24_enable="YES"' >> /etc/rc.conf
>
> It's mysql not apache xD
>
> Well, when I go to create the user I have this problem.

Read the posts, I'm drunk. Edited ))))))))))))))))))))))

For lolor2 (antiloris protection): updated, check my first post.

Edited August 18, 2022 by Metin2 Dev Core X - External 2 Internal

danhakhavro, posted January 18, 2015 (edited)

I have this problem when creating a user in MySQL. Do you know how to solve it? XD

Edited August 18, 2022 by Metin2 Dev Core X - External 2 Internal

M.Sorin, posted January 18, 2015

I do not understand why to use apache, which is shitty for me, instead of nginx (way better and "smart").

Here is a tutorial: https://pyd.io/freebsd-nginx-php-fpm/

EDIT: And you need a packet filter (PF) for extra DDoS security.

Reboot (author), posted January 18, 2015

> I do not understand why to use apache, which is shitty for me, instead of nginx (way better and "smart"). Here is a tutorial: https://pyd.io/freebsd-nginx-php-fpm/ EDIT: And you need a packet filter (PF) for extra DDoS security.

Tomorrow. I'll do it.

Ayaka, posted January 19, 2015 (edited)

@topic: We need to install packages, not programs.

First of all: Tutorial work! But:

- First install apache then other packages because Apache is the web server, then MySQL, then PHP (because PHP requires some libraries be available). I would do this with PORTS. But already said ().

Configurate: What about php.ini settings? I am tired of hearing "I have a Too many connections error"

Security: If you list mods like mod_antiloris, you can add: mod_limitipconn, mod_qos, mod_evasive, mod_security, mod_noloris.

- The most important thing to block attacks on Ubuntu/Debian is (as far as I can see) definitely Fail2Ban with IPTABLES but I don't know what's the best for BSD.

> Why install mysql? And why using apache instead of nginx?

Apache is the most used webserver. With Apache as your Web server, you'll be assured long and reliable service as it's a solid, configurable and capable Web server so why not?? nginx is faster than Apache in transfer rate but has less of a wait time between receiving the request and passing a response back. Benchmarks proved that. The only question is what you need. I don't think you use apache very often if you ask about why installing mysql.

I don't get the point here:

> You can install the php mysql extension without installing mysql

And that makes nginx better? Cmon

> Today you need a good ddos protection and in the case of a layer 7 attack nginx is much much much better than apache nginx runs as an event (apache as a process) so it can handle that better

I hope you know that the cake hasn't quite turned out as I'd hoped... The disadvantage of process-based servers like apache under heavier loads is that they usually consume far more RAM which significantly degrades performance and has nothing to do with a "good ddos protection".
When your server is fucked up because of RAM during a DDoS attack (CPU trying to process the amount of data that is coming in) then I have to say: Leave it all. Without a good hoster (mitigation solution, and that is the point against DDoS) you're going down with apache and with nginx sooner or later.

> It's a fact that nginx is better than apache

Fact is: The BEST webserver does not exist. The best webserver is the one which is better configurated and better protected. That can be apache or nginx.

edit://

> I do not understand why to use apache, which is shitty for me, instead of nginx (way better and "smart").

Why is it shit? Because it's not smart to you? Because it's not as simple as nginx? Too much to install or configurate? Then use LAMP: http://en.wikipedia.org/wiki/LAMP_(software_bundle)

Why can't you guys give me compelling evidence WHY the fuck apache is shit? It's a powerful web server (over 35% of all websites are based on it) if you can configurate and protect it. Can't handle apache doesn't mean it's shit.

Edited January 19, 2015 by Ayaka