How to build a FreeBSD server Jump to: navigation, search

A server is not all things to all people. The server described here is intended primarily for serving web-based applications and providing Microsoft Windows file sharing to a local or distributed work team, either connected directly to the internet through an ISP or through an enterprise IT infrastructure. DNS or DHCP, if available, are assumed to be provided by the ISP or enterprise IT infrastructure. Print services are assumed to be provided through local printers, the enterprise IT infrastructure, or by workstation peer-to-peer printer sharing (i.e., not by this server).

It is generally assumed that client workstations will use Microsoft Windows, and if an enterprise infrastructure exists, it will be based primariy on Microsoft Windows servers. However, this doesn't need to be the case. Contents [show] References

This procedure is based on FreeBSD 8.2-RELEASE, taking direction from a number of sources, primarily:

Bulding a Server with FreeBSD 7 by Bryan Hong ("Hong"), [1] Absolute FreeBSD by Michael Lucas ("Lucas"), [2] The FreeBSD Handbook by the FreeBSD Project ("Handbook"), [3]

Other sources include the FreeBSD Diary (http://www.freebsddiary.org), FreeBSD Made Easy (http://www.freebsdmadeeasy.com), and numerous blogs and forum postings. Base System

Provision a basic x86 platform Popular proven motherboard (e.g., Intel brand desktop board with onboard graphics and on-board LAN), x86 processor and RAM. A single-core 2GHz P4 with 512MB RAM can be adequate for a low-traffic website with an Apache/MySQL/PHP web stack. Primary system drive (e.g., 500GB) Secondary backup drive with the same or greater capacity as the primary drive DVD drive to simplify installing FreeBSD (with BIOS support for booting from the DVD, also possible are USB complete and bootstrapped network installs)

Download the FreeBSD 8.2-RELEASE CD/DVD ISO using the torrent available on http://www.freebsd.org and perform a basic system install, using automatic settings for disk partition and slices. Refer to the Handbook, Hong, Lucas, or any number of on-line tutorials.

Use sysinstall to configure the backup drive (partition and slice), and add the drive and mount point to /etc/fstab so it is automatically mounted during system boot. See Hong.

Update FreeBSD using freebsd-update and reboot.

# freebsd-update fetch # freebsd-update install # shutdown -r now

Update FreeBSD ports tree using portsnap instead of csvsup.

Initial update:

# portsnap fetch # portsnap extract

Subsequent updates (before installing or updating a port): # portsnap fetch # portsnap update

Install portmaster (/usr/ports/ports-mgmt/portmaster) for performing ports maintenance, such as upgrading a port.

Install portaudit (/usr/ports/ports-mgmt/portaudit), for automatically reporting security issues with installed ports.

DDNS Client

Install a DDNS client if the server will use a dynamic IP address and DDNS service (e.g., No-IP.com)

E.g. install No-IP.com DDNS client # cd /usr/ports/dns/noip # make install clean follow instructions to create /usr/local/etc/no-ip2.conf and enable DDNS client by editing /etc/rc.conf

OpenSSL

Keep the version of OpenSSL included in the base system instead of replacing it with the current version in the ports tree (the base system includes

OpenSSL v0.9.8, the version in the ports tree as of 2011-10-09 is v1.0.0).

Add WITH_OPENSSL_BASE="YES" to /etc/make.conf to prevent the Ports Collection from building the security/openssl port if a port has an OpenSSL dependency (see Handbook, Section 15.8)

Create SSL hostkey and self-signed certificate for SSL over HTTP.

# openssl version OpenSSL 0.9.8q 2 Dec 2010 # make search name=openssl | grep Port ... Port: openssl-1.0.0_6 ... #

edit defaults in /etc/ssl/openssl.cnf

default_days

= 1095

countryName_default = CA stateOrProvinceName_default = Alberta O.organizationName_default = dalescott.net

localityName_default = Calgary organizationUnitName_default = Authorial Division commonName_default = www.dalescott.net

emailAdress_default = [email protected]

Create a self-signed SSL host certificate either using openssl directly, or using the CA.pl script

Use openssl directly

# cd /etc/ssl/

generate SSL host key, make read/write only by root # openssl genrsa 1024 > host.key # chmod 600 host.key

create certificate request, don't enter challenge password or optional company name # openssl req -new -key host.key -out csr.pem

self-sign certificate # openssl x509 -req -days 1095 -in csr.pem -signkey host.key -out selfsigned.crt

Use CA.pl

Although OpenSSL is installed as part of the FreeBSD base, the complete contents of the OpenSSL port is not installed, including the popular CA.pl perl script for using openssl. If you installed FreeBSD with its sources, CA.pl can probably be found here:

/usr/src/crypto/openssl/apps/CA.pl

or alternatively, CA.pl can be extracted from an OpenSSL tarball:

# cd /usr/ports/security/openssl # make fetch # mkdir ~/temp/ # cd ~/temp/ # tar -xzf /usr/ports/distfiles/openssl-1.0.0e/openssl-1.0.0e.tar.gz # mkdir /etc/ssl/certs # cp ~/temp/openssl-1.0.0e/apps/CA.pl /etc/ssl/certs/ # chmod 744 /etc/ssl/certs/CA.pl # rm -r ~/temp/

and then proceed with creating keys and certificates.

# cd /etc/ssl/certs/

create a certificate authority (CA) - Common Name can be company name (i.e., not server name) - enter same PEM passphrase at 2nd prompt as entered at 1st prompt # ./CA.pl -newca

create an encrypted host key and certificate request - Common Name must be server name - for convenience, same PEM passphrase can be entered at prompt as used

for CA # ./CA.pl -newreq

sign encrypted host key with certificate authority - enter same PEM passphrase at prompt as used to create host key # ./CA.pl -signreq

copy CA and private keys certificates, signed certificate and encrypted host key to meaningful filenames # cp newcert.pem host.example.com-cert.pem # cp newkey.pem host.example.com-encrypted-key.pem # cp demoCA/cacert.pem example.com-CAcert.pem # cp demoCA/private/cakey.pem example.com-encrypted-CAkey.pem

unencrypt host key and change permissions for security - enter PEM passphrase used to create host key at prompt # openssl rsa -in host.example.com-encrypted-key.pem -out host.example.com-unencrypted-key.pem # chmod 400 host.example.com-unencrypted-key.pem

convert CA certificate to DER format for Microsoft Windows clients # openssl x509 -in example.com-CAcert.pem -inform PEM -out example.comCAcert.cer -outform DER

copy DER-encoded certificate to users (e.g., email) - the 2nd filename given will not be physically created (i.e., the 1st file won't be overwriten) # uuencode example.com-CAcert.cer example.com-CAcert.cer | mail -s

"Subject-text" [email protected]

- some mail clients may block the certificate file for security reasons (e.g., MS Outlook), in this case, zip the binary certificate first before emailing it # zip example.com-CAcert.cer.zip example.com-CAcert.cer # uuencode example.com-CAcert.cer.zip example.com-CAcert.cer.zip | mail -s "Subject-text" [email protected]

TODO

consider any clarity gained to use CA.pl to to create keys for SSL over HTTP (as per Hong), especially if CA.pl will be used to create keys for OpenVPN add creating server keys for OpenVPN (describe creation of create keys under OpenVPN section) consider any consolidation possible between keys for SSL over HTTP and keys for OpenVPN consider publishing CA public key and server public key on enterprise website (e.g., SCC QMS)

OpenSSH

Keep the version of OpenSSH included in the base system instead of replacing it with the current version in the ports tree (the base system includes OpenSSH v5.4, the version in the ports tree as 2011-10-09 is v5.2). No configuration is required.

# telnet localhost 22 Trying 127.0.0.1... Connected to localhost.

Escape character is '^]'. SSH-2.0-OpenSSH_5.4p1 FreeBSD-20100308 ... # make search name=openssh | grep Port ... Port: openssh-portable-5.2.p1_4,1 ... #

TODO

consider publishing public server SSH key on enterprise website (e.g., SCC QMS)

NTP

Use the version of NTP included in the base system instead of installing a newer version from the ports tree (the version base system includes v4.2.4, the version in the ports tree as of 2011-10-09 is v4.2.6). The only cofiguration required is to enable the ntpd daemon in rc.conf (although editing the list of NTP servers used in /etc/ntp.conf may improve timing synchronization).

ntpd_enable="YES"

Backups

Implement a basic backup procedure using a daily full system dump

Create a shell script to backup the system drive file system to the backup drive. THIS SCRIPT DOES NOT DELETE OLD BACKUP DUMPS, YOU MUST MONITOR BACKUP DRIVE CAPACITY AND DELETE OLD DUMPS MANUALLY AS NEEDED. Adding deleting old backup dumps to the script is left as an exercise for the reader (and sharing back your solution would be sincerely appreciated!).

# cat /root/bin/mydump_daily #!/bin/sh #################################### # # Create filesystem backup dump # - creates dated backup dir and separately dumps /, /var, and /usr # - execution must start AND complete on same calendar day! # - does not cleanup old backup dir's - manage diskspace manually! # ####################################

echo Backup Started `date` >> /backup/backuplog mkdir /backup/`date +%Y%m%d`

dump -0 -a -L -f /backup/`date +%Y%m%d`/root.ad4s1a.dump / dump -0 -a -L -f /backup/`date +%Y%m%d`/var.ad4s1d.dump /var dump -0 -a -L -f /backup/`date +%Y%m%d`/usr.ad4s1f.dump /usr

echo Backup Completed `date` >> /backup/backuplog #

(backup procedure) Edit the system crontab file (/etc/crontab) to schedule the backup for running daily by appending the following:

####### # # Custom system maintenance # # 2011-07-11 dale scott backup system @ 02:01 daily (2:01 AM) 1 # 2 * * * root /root/bin/mydump_daily

Convenient Utilities

Install convenient utilities ("# rehash" may be required after installation before use)

flip - Convert text file line endings between Unix and DOS formats # cd /usr/ports/textproc/flip # make config ; make install clean

unzip - List, test and extract compressed files in a ZIP archive # cd /usr/ports/archivers/unzip # make config ; make install clean

zip - Create/update ZIP files compatible with pkzip # cd /usr/ports/archivers/zip

# make config ; make install clean

tree - Display a tree-view of directories # cd /usr/ports/sysutils/tree # make config ; make install clean

ytree - DOS-XTREE(tm) look-a-like file manager # cd /usr/ports/misc/ytree # make config ; make install clean

lynx - A non-graphical, text-based World-Wide Web client # cd /usr/ports/www/lynx # make config ; make install clean

wget - Retrieve files from the Net via HTTP(S) and FTP # cd /usr/ports/ftp/wget # make config ; make install clean

webmin - Web-based interface for system administration # cd /usr/ports/sysutils/webmin # make config ; make install clean

Webmin Server Management

Webmin is a a web-based interface for administrating Unix systems. For many tasks, Webmin can simplify administration and reduce errors. Webmin can also provide remote administration in environments where ssh access is

blocked by a firewall. Webmin will by default be available at http://www.server.dom:10000

# cd /usr/ports/sysutils/webmin # make config ; make install clean

Configure Webmin (accept all defaults for a basic install) # /usr/local/lib/webmin/setup.sh

# vi /etc/rc.conf and add following line webmin_enable="YES"

start Webmin for the first time # /usr/local/etc/rc.d/webmin start

Most Webmin modules will be automatically configured, but some must be manually configured for FreeBSD. Apache Web Server Module

The Webmin Apache Web Server Module must be manually configured after installing the Web Stack.

Login into Webmin, access the Apache Web Server module under Un-used Modules and enter the following configuration values:

Path to httpd.conf: /usr/local/etc/apache22/httpd.conf Path to srm.conf: /usr/local/etc/apache22/Includes/srm.conf

Path to access.conf: /usr/local/etc/apache22/Includes/access.conf Path to mime.types: /usr/local/etc/apache22/mime.types

srm.conf and access.conf files will not be present unless created manually (they are not created as part of a basic Apache2 install). Mercurial Version Control System

Mercurial - Fast, lightweight distributed source control management system

# cd /usr/ports/devel/mercurial # make config ; make install clean # rehash

Postfix MTA

This procedure also borrows from http://linuxgravity.com/postfix-send-onlyconfiguration-for-non-local-domains

Postfix is installed for web applications to send mail. It is assumed that web applications on the server will originate mail for either local delivery, or which will be relayed through an existing mail server in an enterprise environment. In an enterprise environment, it is also assumed that the enterprise mail server will not require either authentication or encryption to relay mail.

The Sendmail MTA (Mail Transfer Agent) is included in the FreeBSD base system, but configuring it can be complicated. A number of simple MTAs exist, but are generally only suitable for the specific situations they were created for. Postfix is a popular general purpose MTA, and simpler to configure than Sendmail.

Install Postfix

# cd /usr/ports/mail/postfix # make config accept defaults # make install clean activate Postfix in /etc/mail/mailer.conf

Edit /usr/local/etc/postfix/main.cf to configure Postfix

keep default mydestination ($myhostname + localhost.$mydomain)

keep default mynetworks_style mynetworks_style = host

edit relayhost to specify the system mail server relayhost = [servername.domain.tld]

edit home_mailbox to enable delivery of mail to local users home_mailbox = Maildir/

Create alias to forward root mail to the external system administrator

# vi /etc/mail/aliases and add root alias root: [email protected]

update aliases.db # /usr/local/bin/newaliases

edit /etc/rc.conf to enable Postfix at boot and disable Sendmail

postfix_enable="YES" sendmail_enable="NO" sendmail_submit_enable="NO" sendmail_outbound_enable="NO" sendmail_msp_queue_enable="NO"

Create /etc/periodic.conf to override defaults in /etc/defaults/periodic.conf

daily_clean_hoststat_enable="NO" daily_status_mail_rejects_enable="NO" daily_status_include_submit_mailq="NO" daily_submit_queuerun="NO"

Stop Sendmail, delete Sendmail queue and start Postfix

# killall sendmail # rm /var/spool/mqueue/* # /usr/local/etc/rc.d/postfix restart

Verify Postfix works correctly by sending test emails.

mail should be delivered # echo "testing local delivery" | mail -s "test email to local root user" root

mail should be delivered # echo "testing ext domain delivery" | mail -s "test email to outside user" [email protected]

mail should NOT be delivered # echo "testing ext domain delivery" | mail -s "test email to outside user" [email protected]

OpenVPN Server

OpenVPN is installed to provide Windows workstations connected to the internet access to shared files on the server (shared using Samba). OpenVPN is not required if internet workstations do not need to access shared files, or in an enterprise environment where a VPN server already exists.

See SSL section for creating server keys, this section will only describe how to specify the server keys as part of the OpenVPN configuration. The procedure for creating client keys is given here.

# cd /usr/ports/security/openvpn # make config accept defaults # make install clean # rehash

find IP address of local default gateway and network device name, and configured DNS servers

# netstat -rn | grep default

# grep nameserver /etc/resolv.conf

create directory and copy configuration file

# mkdir /usr/local/etc/openvpn # cd /usr/local/etc/openvpn # cp /usr/local/share/doc/openvpn/sample-config-files/server.conf .

create directory for SSL certificates and keys

# mkdir /usr/local/etc/openvpn/keys

OpenLDAP Server

TODO - complete procedure

OpenLDAP can be used by web applications to authenticate users against a common source of truth. In an enterprise environment, the web applications may be configured to authenticate using a Microsoft Active Directory server (also an LDAP implementation).

# cd /usr/ports/net/openldap24-server # make config ; make install clean # rehash

phpLDAPAdmin

phpLDAPAdmin requires the web application stack. Complete the web stack installation first, then return here and continue installing phpLDAPAdmin.

# cd /usr/ports/net/phpldapadmin # make config # make install clean

Edit /usr/local/www/phpldapadmin/config/config.php Create /usr/local/etc/apache22/Includes/phpldapadmin.conf (force SSL connection)

IMAP Server and WebMail Portal

This procedure is not required if there will be no local system users. The Procmail MDA (Mail Delivery Agent) is installed to deliver mail to local system users and Courier-authlib / Courier-IMAP and SquirrelMail installed to provide web-based access to local mail. Procmail

Spam filtering will not be configured because the system does not accept external mail

# cd /usr/ports/mail/procmail # make install clean

edit Postfix mail.cnf to specify Procmail as the local MDA

# vi /usr/local/etc/postfix/main.cnf and add

mailbox_command = /usr/local/bin/procmail

# postfix reload

Courier-authlib

Install Courier-authlib to provide required Courier-IMAP authentication (required for a client to connect to the Courier-IMAP server)

# cd /usr/ports/security/courier-authlib # make config ; make install clean # rehash

# vi /usr/local/etc/authlib/authdaemonrc and edit authmodulelist authmodulelist="authpam"

edit /etc/rc.conf and add following lines: courier_authdaemond_enable="YES"

start the Courier-authlib daemon # /usr/local/etc/rc.d/courier-authdaemond start

Courier-IMAP

# cd /usr/ports/mail/courier-imap

# make config accept defaults # make install clean

edit /etc/rc.conf and add following lines: courier_imap_imapd_enable="YES"

start the IMAP daemon # /usr/local/etc/rc.d/courier-imap-imapd start

SquirrelMail

SquirrelMail requires the web application stack. Complete the web stack installation first, then return here and continue installing SquirrelMail.

Mail attachments are limited to 2MB by the default PHP default file upload limit.

# cd /usr/ports/mail/squirrelmail # make config # make -D WITH_LDAP install clean

Execute the Squirrelmail configuration utility and configure the following (minimum) settings:

# cd /usr/local/www/squirrelmail # ./configure Server Settings / Domain - domain.dom or server.domain.dom

Server Settings / Update IMAP Settings / Server Software - courier

Create /usr/local/etc/apache22/Includes/squirrelmail.conf force SSL connection

Samba CIFS Server

TODO - complete procedure

Enterprises IT infrastructures typically include Microsoft Windows servers and workstations. Installing Samba will provide access to shared directories in the server file system to Microsoft Windows workstations. Samba can also provide access to shared directories on a Windows server if permitted. MDB Tools

MDB Tools is an open source project to document the MDB file format by Microsoft Jet databases, and provide a set of tools and applications to make data in Jet databases available on other platforms (built-in access is provided on current Microsoft Windows platforms). MDB Tools currently has read-only support for Access 97 (Jet 3) and Access 2000/2002 (Jet 4) formats.

Microsoft Access is a popular RAD (Rapid Application Development) environment for creating Jet-based database applications. An "Access database" can be easily developed and deployed within an organization to solve a specific problem, and generally without involving corporate IT. However, this often results in a proliferation of incompatible applications and data repositories, which must eventually be integrated as an enterprise matures.

Download and extract mdbtools source to a temporary directory for building Check out https://github.com/brianb/mdbtools for latest version of

sources. Check out http://mdbtools.sourceforge.net for mailing list and similar.

# mkdir /usr/home/dale/src/ # cd /usr/home/dale/src/ # tar -xzf brianb-mdbtools-3280842-2011-03-22.tar.gz # cd mdbtools

Install GNU build toolchain needed for mdbtools (review mdbtools INSTALL file) install libtool install automake install autoconf

# cd /usr/ports/devel/libtool # make config # make install clean # rehash # # cd /usr/ports/devel/automake # make config # make install clean # rehash # # cd /usr/ports/devel/autoconf # make config

# make install clean # rehash

Update glib with portmaster

# portmaster glib

Install txt2man (/usr/ports/textproc/txt2man) which is used by mdbtools to create man pages (but not a dependency of the port)

Build and install MDB Tools

# cd /usr/home/dale/src/mdbtools # gmake clean # ./autogen.sh # ./configure # gmake # gmake install

Web Stack (Apache/MySQL/PHP) Apache 2.2.x Web Server

Install Apache22 port

# cd /usr/ports/www/apache22 # make config accept defaults

# make install clean accept defaults for any dependency configurations # rehash

Basic config

# vi /usr/local/etc/apache22/httpd.conf

edit following lines for basic config ServerAdmin [email protected] ServerName host.example.com:80

uncomment following line to enable SSL over HTTP (Lucas, Chapter 17) #Include etc/apache22/extra/httpd-ssl.conf

Configure keys for SSL over HTTP (Lucas, Chapter 17). Client browsers will report self-signed keys as untrusted, which can be avoided by either having the key signed by a commercial CA (Certificate Authority), or by configuring client browsers to trust the certificate (see How to trust a self-signed SSL browser certificate).

# vi /usr/local/etc/apache22/extra/httpd-ssl.conf

edit following values (same hostname as Common Name in cert) ServerName host.example.com:443 ServerAdmin [email protected] SSLCertificateFile "/etc/ssl/selfsigned.crt" SSLCertificateKeyFile "/etc/ssl/host.key"

Stop and restart Apache

# /usr/local/etc/rc.d/apache22 stop # /usr/local/etc/rc.d/apache22 start

PHP 5.3.x

Install PHP

# cd /usr/ports/lang/php5 # make config select Apache module # make install clean

Basic config

# cd /usr/local/etc/ # cp php.ini-production php.ini or php.ini-developmnent for rigorous error reporting # vi /usr/local/etc/php.ini

uncomment following line: session.save_path=:/tmp"

edit line to specify timezone: date.timezone="America/Edmonton"

Restart Apache

# /usr/local/etc/rc.d/apache restart

Install php5-extensions (/usr/ports/lang/php5-extensions). Accept defaults

Install PHP

# cd /usr/ports/lang/php5-extensions # make config confirm selection as below # make install clean

php5-extensions configuration D - selected default Y - select additional X - unselect default

CTYPE DOM FILTER GD HASH ICONV JSON MYSQL

D D D Y D D D Y

MYSQLI PDO

Y D

PDO_SQLITE D SESSION D

SIMPLEXML D SQLITE SQLITE3 D D

TOKENIZER D XML D

XMLREADER D XMLWRITER D

MySQL 5.5.x

Install MySQL port

# cd /usr/ports/databases/mysql55-server # make config accept defaults # make -D BUILD-OPTIMIZED install clean build of previous version failed when not specified # rehash

Basic config set grant tables, start MySQL daemon, configure local and remote root password, copy my.cnf file, disable TCP networking, add mysql_enable="YES" to /etc/rc.conf and restart server daemon verify MySQL support is enabled in /usr/local/etc/php/extentions.ini

# cd /usr/local # mysql_install_db --user=mysql # mysqld_safe & # mysqladmin -u root password 'localpassword' # mysqladmin -u root -h server.domain.dom password 'remotepassword' # cp /usr/local/share/mysql/my-medium.cnf /var/db/mysql/my.cnf # vi /var/db/mysql/my.cnf uncomment skip-networking # vi /etc/rc.conf add mysql_enable="YES" # /usr/local/etc/rc.d/mysql-server restart

phpMyAdmin 3.3.x

phpMyAdmin is a convenient web-based application for managing MySQL databases.

Install phpMyAdmin port

# cd /usr/ports/databases/phpmyadmin # make config add MYSQLI to configuration # make install clean

Configure Apache to serve phpMyAdmin using SSL over HTTP (i.e., https:)

# vi /usr/local/etc/apache22/Includes/phpmyadmin and add following lines

Alias /phpmyadmin "/usr/local/www/phpMyAdmin/"

<Directory "/usr/local/www/phpMyAdmin/"> Options none AllowOverride All Order Allow,Deny Allow from All </Directory>

<IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{HTPS} off RewriteCond %{REQUEST_URI} /phpmyadmin RewriteRule (.*) https://www.domain.dom/phpmyadmin/ [R] </IfModule>

restart Apache # /usr/local/etc/rc.d/apache22 restart

Create MySQL user "pma" with all permissions on "phpmyadmin" database

create MySQL user "pma" # mysql -u root -p mysql> grant select, insert, update, delete on phpmyadmin.* to \ pma@localhost identified by 'password'; mysql> quit;

Prepare to update the phpMyAdmin config file using the phpMyAdmin configuration wizard (see http://www.phpmyadmin.net)

# mkdir /usr/local/www/phpMyAdmin/config/ # cp config.inc.php config/ # chmod -R o+rw config give config file world read-write permission

Browse to http://www.domain.dom/phpmyadmin/setup to run the configuration wizard, save the configuration and manually move it back to the phpMyAdmin root directory auth_type cookie extension mysqli

# cd /usr/local/www/phpMyAdmin # mv config/config.inc.php . # chmod o-rw config.inc.php remove world read-write permissions # rm -rf config

Enable phpMyAdmin special features (e.g., bookmarks, comments, SQLhistory, tracking mechanism, PDF-generation, column contents transformation, ...)

# cd /usr/local/www/phpMyAdmin # mysql -u root -p < scripts/create_tables.sql

# vi config.inc.php and add following lines

$cfg['Servers'][$i]['bookmarktable'] = 'pma_bookmark'; $cfg['Servers'][$i]['relation'] = 'pma_relation'; $cfg['Servers'][$i]['userconfig'] = 'pma_userconfig'; $cfg['Servers'][$i]['table_info'] = 'pma_table_info'; $cfg['Servers'][$i]['column_info'] = 'pma_column_info'; $cfg['Servers'][$i]['history'] = 'pma_history'; $cfg['Servers'][$i]['tracking'] = 'pma_tracking'; $cfg['Servers'][$i]['table_coords'] = 'pma_table_coords'; $cfg['Servers'][$i]['pdf_pages'] = 'pma_pdf_pages'; $cfg['Servers'][$i]['designer_coords'] = 'pma_designer_coords';

if phpMyAdmin later reports new special features are not enabled, re-edit config.inc.php and add the directed table references.

If the server is for development (not production!), it may be convenient to prevent phpMyAdmin from automatically logging out users after the default timeout (5 minutes?).

# vi /usr/local/www/phpMyAdmin/config.inc.php and add add following lines /// increase login timeout (ok because this is a local Dev server!) // must also increase session.gc_maxlifetime (garbage collection) in php.ini $cfg['LoginCookieValidity'] = 3600 * 9; // = 60 sec/min * 60 min/hr * 9 hrs

# vi /usr/local/etc/php.ini and edit following lines ;session.gc_maxlifetime = 1440 ; max session set to 9 hrs for phpMyAdmin (see LoginCookieValidity in ; /usr/local/www/phpMyAdmin/config.inc.php). For this to work, max garbage

; collection time must be set here to >9hrs = 32500 sec = (60x60x9)+100 session.gc_maxlifetime = 32500

Fyi, phpMyAdmin installs the following ports:

php5-mbstring-5.3.8 php5-bz2-5.3.8 php5-openssl-5.3.8 pecl-pdflib-2.1.8 php5-zlib-5.3.8 php5-mcrypt-5.3.8 php5-zip-5.3.8 pecl-APC-3.1.9_1 oniguruma-4.7.1 pdflib-7.0.4 libmcrypt-2.5.8 libltdl-2.4

Maintaining Ports Utilities

The following tools and commands maintain the additional software installed on the server not including component projects. For upgrading component projects, refer to the individual component project setup and maintenance pages.

portaudit - portaudit periodically checks the version of installed ports for reported vulnerabilities in a database maintained by the FreeBSD security

team and e-mails the system root a report of any vulnerabilities found. For a current report, portaudit can be run manually from the command line:

# portaudit -Fda

portsnap - portsnap updates the ports tree with current port information.

# portsnap fetch # portsnap update

Use "portsnap extract" instead of "portsnap update" the first time portsnap is used

portmaster - portmaster is used to manage installed ports and upgrade them to the current version without breaking dependencies or links to other programs. Current port configurations must be correct because portmaster will use existing configurations when building upgraded ports.

General Guidelines

Following are general guidelines for updating ports (e.g., due to reported security vulnerability). Before starting any work, first backup the server, then manually stop relevant daemons or disable in /etc/rc.conf and reboot (after the maintenance is complete, re-enable the daemons in /etc/rc.conf and reboot)

# apache22_enable="YES" # apache22_http_accept_enable="YES" # courier_authdaemond_enable="YES"

# courier_imap_imapd_enable="YES" # courier_imap_pop3d_enable="YES" # mysql_enable="YES"

OpenSSL

# cd /usr/ports # portmaster security/openssl

Apache

Backup Apache configuration files: /usr/local/etc/apache22/httpd.conf /usr/local/etc/apache22/Includes/* /usr/local/etc/apache22/extra/*

# cd /usr/ports # portmaster www/apache22

MySQL Server

Backup MySQL Server configuration file /var/db/mysql/my.cnf

Backup all databases using mysqldump # mysql -u root -p

mysql> show databases; # mysqldump -u root -p --all-databases >/backup/backup_mysql_all_databases.sql

# cd /usr/ports # portmaster databases/mysql51-server/ Test MySQL Server Starting mysql. # /usr/local/etc/rc.d/mysql-server start # mysql_upgrade --datadir=/var/db/mysql -u root -psTr@ty

PHP5

Backup PHP configuration files /usr/local/etc/php.ini /usr/local/etc/php.conf /usr/local/etc/php/extensions.ini

# cd /usr/ports # portmaster lang/php5

PHP5 extension # cd /usr/ports # portmaster lang/php5-extensions

After upgrade, diff config files to backups and new default files and edit as needed.

Cyrus-SASL

# cd /usr/ports # portmaster security/cyrus-sasl2 # portmaster security/cyrus-sasl2-saslauthd

Png

# cd /usr/ports # portmaster graphics/png

Curl

# cd /usr/ports # portmaster ftp/curl/

phpMyAdmin

Backup phpMyAdmin configuration file /usr/local/www/phpMyAdmin/config.inc.php # cd /usr/ports # portmaster databases/phpmyadmin

Squirrelmail

# cd /usr/ports # portmaster mail/squirrelmail # cd /usr/local/www/squirrelmail # ./configure

Pcre

# cd /usr/ports # portmaster devel/pcre

mwakigwena choir