======================================= freebsd apache mysql php letsencrypt ======================================= Example config to setup a web stack to host multiple domains. - apache - php - mysql - phpmyadmin - certbot - logrotate LAN: 192.168.99.100 dog WAN: 97.98.99.100 www.example.com You will want to write some scripts to automate the management of things such as creating and deleting customers as well as their sites. ======================================= dns server zone record ======================================= https://www.genunix.com/o1/freebsd_bind9.txt --------------------------------------- @ A 97.98.99.100 www A 97.98.99.100 ======================================= update the server ======================================= freebsd-version -kru freebsd-update fetch freebsd-update install shutdown -r now pkg update pkg upgrade ======================================= install apache ======================================= pkg install apache24 ======================================= /etc/rc.conf --------------------------------------- # apache apache24_enable="YES" ======================================= /usr/local/etc/apache24/httpd.conf --------------------------------------- LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so LoadModule ssl_module libexec/apache24/mod_ssl.so LoadModule rewrite_module libexec/apache24/mod_rewrite.so CustomLog "/var/log/httpd-access.log" combined Include etc/apache24/extra/httpd-autoindex.conf Include etc/apache24/extra/httpd-default.conf Include etc/apache24/extra/httpd-ssl.conf Include etc/apache24/vhosts/*.conf ======================================= /usr/local/etc/apache24/extra/httpd-default.conf --------------------------------------- ServerTokens Prod ServerSignature Off ======================================= create self signed certificate --------------------------------------- openssl req -new -x509 -days 36500 -nodes -keyout /usr/local/etc/apache24/server.key -out /usr/local/etc/apache24/server.crt ======================================= /usr/local/etc/apache24/extra/httpd-ssl.conf --------------------------------------- Listen 443 SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES SSLHonorCipherOrder on SSLProtocol all -SSLv3 SSLProxyProtocol all -SSLv3 SSLPassPhraseDialog builtin SSLSessionCache "shmcb:/var/run/ssl_scache(512000)" SSLSessionCacheTimeout 300 DocumentRoot "/usr/local/www/apache24/data" ServerName 192.168.99.100 ServerAlias 97.98.99.100 ServerAdmin admin@example.com ErrorLog "/var/log/httpd-error.log" TransferLog "/var/log/httpd-access.log" SSLEngine on SSLCertificateFile "/usr/local/etc/apache24/server.crt" SSLCertificateKeyFile "/usr/local/etc/apache24/server.key" SSLOptions +StdEnvVars SSLOptions +StdEnvVars BrowserMatch "MSIE [2-5]" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 CustomLog "/var/log/httpd-ssl_request.log" \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" ======================================= /usr/local/etc/apache24/vhosts/000.conf --------------------------------------- # If the server ip address is hit then the FIRST named virtual host will respond therefore we need this to direct it away. ServerName 192.168.99.100 ServerAlias 97.98.99.100 ErrorLog "/var/log/httpd-error.log" CustomLog "/var/log/httpd-access.log" combined RewriteEngine On RewriteCond %{HTTPS} off RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=302,L,QSA] --------------------------------------- mkdir /usr/local/etc/apache24/vhosts mkdir /usr/local/etc/apache24/auth touch /usr/local/etc/apache24/auth/passwd touch /usr/local/etc/apache24/auth/group apachectl configtest service apache24 start ======================================= Confirm it works --------------------------------------- http://192.168.99.100 https://192.168.99.100 http://97.98.99.100 https://97.98.99.100 ======================================= install php ======================================= pkg install mod_php84 php84 php84-bcmath php84-brotli php84-bsdconv php84-bz2 php84-calendar php84-ctype php84-curl php84-dba php84-dom php84-enchant php84-exif php84-ffi php84-fileinfo php84-filter php84-gd php84-geos php84-gettext php84-gmp php84-iconv php84-intl php84-ldap php84-lz4 php84-mbstring php84-mysqli php84-odbc php84-opcache php84-pcntl php84-pdo php84-pecl-imagick php84-pecl-pspell php84-phar php84-posix php84-readline php84-session php84-shmop php84-simplexml php84-soap php84-sockets php84-sodium php84-sqlite3 php84-sysvmsg php84-sysvsem php84-sysvshm php84-tidy php84-tokenizer php84-xml php84-xmlreader php84-xmlwriter php84-xsl php84-zip php84-zlib php84-zstd cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini ======================================= /usr/local/etc/php.ini --------------------------------------- expose_php = Off ======================================= /usr/local/etc/apache24/httpd.conf --------------------------------------- LoadModule php_module libexec/apache24/libphp.so DirectoryIndex index.php index.html ======================================= /usr/local/etc/apache24/Includes/php.conf --------------------------------------- SetHandler application/x-httpd-php SetHandler application/x-httpd-php-source ======================================= /usr/local/www/apache24/data/phpinfo.php --------------------------------------- --------------------------------------- apachectl configtest apachectl restart ======================================= Confirm it works --------------------------------------- https://192.168.99.100/phpinfo.php --------------------------------------- rm /usr/local/www/apache24/data/phpinfo.php zpool create -f -m /export -o autoexpand=off -O compression=lz4 -O checksum=sha512 -O atime=on tank ada1 zfs create tank/http ======================================= creating vhosts ======================================= zfs create tank/http/owner chown -R root:wheel /export/http/owner chmod 755 /export/http/owner ======================================= creating vhost sites --------------------------------------- zfs create tank/http/owner/www.example.com chmod 755 /export/http/owner/www.example.com mkdir "/export/http/owner/www.example.com/logs" mkdir "/export/http/owner/www.example.com/tmp" mkdir "/export/http/owner/www.example.com/htdocs" chown root:wheel "/export/http/owner/www.example.com" chown root:wheel "/export/http/owner/www.example.com/logs" ======================================= /export/http/owner/www.example.com/htdocs/index.php --------------------------------------- Hello World ======================================= /usr/local/etc/apache24/vhosts/owner.www.example.com.conf --------------------------------------- DocumentRoot "/export/http/owner/www.example.com/htdocs" ServerName www.example.com ServerAlias example.com ServerAdmin admin@example.com Options +FollowSymLinks -Indexes AllowOverride All Require all granted ErrorLog /export/http/owner/www.example.com/logs/www.example.com-error.log CustomLog /export/http/owner/www.example.com/logs/www.example.com-access.log combined --------------------------------------- apachectl configtest apachectl restart ======================================= Confirm it works --------------------------------------- http://example.com http://www.example.com ======================================= install certbot letsencrypt ======================================= pkg search certbot pkg install py39-certbot-apache ======================================= Get certificates --------------------------------------- certbot --apache certonly ======================================= Renew certificates by hand --------------------------------------- certbot renew --dry-run ======================================= crontab -e --------------------------------------- @weekly /usr/local/bin/certbot renew ======================================= /usr/local/etc/apache24/vhosts/www.example.com.conf --------------------------------------- ServerName www.example.com ServerAlias example.com Redirect / https://www.example.com/ ServerName www.example.com ServerAdmin admin@example.com DocumentRoot "/export/http/owner/www.example.com/htdocs" Options +FollowSymLinks -Indexes AllowOverride All Require all granted SSLEngine on Include /usr/local/etc/letsencrypt/options-ssl-apache.conf SSLCertificateFile /usr/local/etc/letsencrypt/live/www.example.com/cert.pem SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/www.example.com/privkey.pem SSLCertificateChainFile /usr/local/etc/letsencrypt/live/www.example.com/chain.pem SSLOptions +StdEnvVars BrowserMatch ".*MSIE.*" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 ErrorLog /export/http/owner/www.example.com/logs/www.example.com-error.log CustomLog /export/http/owner/www.example.com/logs/www.example.com-access.log combined --------------------------------------- apachectl configtest apachectl restart ======================================= confirm it works --------------------------------------- http://example.com https://example.com http://www.example.com https://www.example.com ======================================= install mariadb (mysql) ======================================= pkg install mariadb114-server mariadb114-client ======================================= /etc/rc.conf --------------------------------------- # mariadb mysql_enable="YES" mysql_optfile="/usr/local/etc/mysql/my.cnf" mysql_dbdir="/export/mysql" ======================================= /usr/local/etc/mysql/conf.d/server.cnf --------------------------------------- [mysqld] datadir = /export/mysql sql_mode = ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION --------------------------------------- rm -rf /var/db/mysql zfs create tank/mysql chown mysql:mysql /export/mysql chmod 700 /export/mysql service mysql-server start mysql_secure_installation mysql -u root -p -e "show variables like '%datadir%';" Enter password: +---------------+----------------+ | Variable_name | Value | +---------------+----------------+ | datadir | /export/mysql/ | +---------------+----------------+ mysql -u root -p -e "show variables like '%sql_mode%';" Enter password: +---------------+-----------------------------------------------------------------------+ | Variable_name | Value | +---------------+-----------------------------------------------------------------------+ | sql_mode | ERROR_FOR_DIVISION_BY_ZERO,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION | +---------------+-----------------------------------------------------------------------+ mysql -u root -p -e "CREATE USER 'owner'@'localhost' IDENTIFIED VIA mysql_native_password USING '';GRANT USAGE ON *.* TO 'owner'@'localhost' REQUIRE NONE WITH MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0;GRANT ALL PRIVILEGES ON `owner\_%`.* TO 'owner'@'localhost';" ======================================= install phpmyadmin ======================================= pkg install phpMyAdmin5-php81 ======================================= /usr/local/etc/apache24/Includes/phpmyadmin.conf --------------------------------------- Alias /myphpmyadminalias "/usr/local/www/phpMyAdmin/" Options None AllowOverride Limit Require ip 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12 --------------------------------------- apachectl configtest apachectl restart rm /usr/local/www/phpMyAdmin/config.inc.php ======================================= phpmyadmin setup --------------------------------------- https://192.168.99.100/myphpmyadminalias/setup/ ======================================= /usr/local/www/phpMyAdmin/config.inc.php ---------------------------------------