Note: These instructions use “www.example.com” as an example.

To Install Apache2:

After the UpdatePorts, install apache2 as follows:

cd /usr/ports/www/apache2

make install clean

Enable Apache2 in /etc/rc.conf by adding the following…

apache2_enable="YES"

apache2ssl_enable="YES"

Setup the certificates:

mkdir /usr/local/etc/apache2/ssl.crt

mkdir /usr/local/etc/apache2/ssl.key

Edit /usr/local/etc/apache2/ssl.conf and set the following…

SSLCertificateFile /usr/local/etc/apache2/ssl.crt/server.crt

SSLCertificateKeyFile /usr/local/etc/apache2/ssl.key/server.key

After saving the certificates in their appropriate directories run:

chmod -R 700 /usr/local/etc/apache2/ssl.key

Edit /usr/local/etc/apache2/httpd.conf and set the following:

ServerAdmin mshurst@engmail.uwaterloo.ca
UseCanonicalName On
DocumentRoot "/homepages"
UserDir disabled
ServerSignature Off

In <Directory "/homepages"> set…

Options FollowSymlinks Multiview Includes ExecCGI

AllowOverride All

Comment out the <Directory /home/*/public_html> section and replace it with…

<Directory /u1/*/public_html>
   Options All -Indexes
   AllowOverride All
   Order allow,deny
   Allow from all
</Directory>

<Directory /u2/*/public_html>
   Options All -Indexes
   AllowOverride All
   Order allow,deny
   Allow from all
</Directory>

<Directory /u3/*/public_html>
   Options All -Indexes
   AllowOverride All
   Order allow,deny
   Allow from all
</Directory>

<Directory /u4/*/public_html>
   Options All -Indexes
   AllowOverride All
   Order allow,deny
   Allow from all
</Directory>

Restart apache2 to start using the new certificate…


/usr/local/etc/rc.d/apache2.sh stop
/usr/local/etc/rc.d/apache2.sh start


To enable CGIWrap
Allows execution of cgi scripts using user permissions

To install cgiwrap…

cd /usr/ports/www/cgiwrap
make
make install

Add AddHandler cgi-script .cgi to /usr/local/etc/apache2/httpd.conf.

Access control files are required for cgiwrap. To allow open access…

touch /usr/local/etc/cgiwrap.deny

To enable the “debug” version of cgiwrap…

chmod 4755 /usr/local/www/cgi-bin/cgiwrapd

In <Directory "/usr/local/www/cgi-bin"> set…

  Options ExecCGI

To restrict “debug” access to on-campus only, add the following to httpd.conf…

<Location /cgi-bin/cgiwrapd>

     order deny,allow
     deny from all
     allow from 129.97
</Location>

<Location /cgi-bin/nph-cgiwrapd>
     order deny,allow
     deny from all
     allow from 129.97
</Location>

To enable Server Side Includes
Allows server side parsing of html files.

Make the following changes in /usr/local/etc/apache2/httpd.conf…

uncomment (or add)

AddType text/html .shtml

AddHandler server-parsed .shtml

Allow index.shtml to be a default page

DirectoryIndex index.html ... index.shtml

Add the “Includes” option

Options Indexes FollowSymLinks MultiViews ExecCGI Includes

Customized Virtual Host settings

   * Make the following changes to /usr/local/etc/apache2/ssl.conf...

#<VirtualHost _default_:443>

<VirtualHost www.eng.uwaterloo.ca:443>
DocumentRoot "/homepages"
ServerName www.eng.uwaterloo.ca

ServerAdmin mshurst@engmail.uwaterloo.ca

   * Configure logging to include the virtual host name by adding %v to the end of the LogFormat entry in httpd.conf

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %v" combined

   * Add the following CustomLog entry to the www.example.com virtual host entry.

CustomLog /var/log/httpd-sydewww.log combined

   * Update the rollapachelogs.csh script to include the httpd-sydewww.log files.

==
Rolling the Apache logs ==
The logs must be rolled occasionally to prevent the disk from filling with logs. This isn’t as trivial as it should be, because:

   * If you roll the logs, and send a SIGTERM to httpd, all httpd processes will abort, possibly resulting in incomplete database updates etc

   * If you roll the logs, and send a SIGUSR1 to httpd, you must wait some unknown period of time to allow all child httpd processes to complete, before compressing logs.

Alternatives:

   * Don't compress the logs, and use newsyslog with signal 30 (USR1)

   * pipe the logs in httpd.conf through some other process

   * use a custom log roller script

To do the latter, run:

fetch -o /usr/local/bin/rollapachelogs.csh http://www.freebsd.uwaterloo.ca/rollapachelogs.csh

chmod u+x /usr/local/bin/rollapachelogs.csh

Add to /etc/crontab:

# rotate apache logs

0       3       *       *       *       root    /usr/local/bin/rollapachelogs.csh

Configuring Name-based virtual hosting

Set the folloowing in /usr/local/etc/apache2/httpd.conf…

NameVirtualHost *

# Default VirtualHost is listed here

# others are listed in /usr/local/etc/apache2/Includes/vhosts.conf

<VirtualHost *>
   ServerName www.eng.uwaterloo.ca
   ServerAlias www.eng
   DocumentRoot /homepages
   UserDir public_html
   ErrorDocument 403 /lookup.cgi
   ErrorDocument 404 /lookup.cgi
   ErrorDocument 410 /lookup.cgi
</VirtualHost>

Then add the other virtual hosts to /usr/local/etc/apache2/Includes/vhosts.conf…

   ServerName www.engcomp.uwaterloo.ca
   ServerAlias www.engcomp www.engineeringcomputing.uwaterloo.ca www.engineeringcomputing
   DocumentRoot /u2/engcomp/public_html

   <Directory /u2/engcomp/public_html>      Options All
      AllowOverride All
      Order allow,deny
      Allow from all
   </Directory>

   ScriptAlias /cgi-bin/ "/u2/eng_comp/public_html/cgi-bin/"
   <Directory "/u2/eng_comp/public_html/cgi-bin/">
      AllowOverride None
      Options None
      Order allow,deny
      Allow from all
   </Direcotry>

Restrict access to printman pages

<Directory "/u2/eng_comp/public_html/printers">
   Order deny,allow
   Deny from all
   Allow from 129.97
</Directory>

cd /usr/ports/databases/mysql50-server

Compile and install with custom options

The following should be typed all on one line, the double backslash (\\) indicates that it has been broken up for better viewing on the internet.

make WITH_CSV=yes WITH_FEDERATED=yes WITH_ARCHVIVE=yes \\
WITH_CHARSET=utf8 WITH_COLLATION=utf8__general_ci install clean

This sets it up to use UTF8 as the default character sets and collations, of course you can change these. It also gives support to alternative database formats such as CSV, I don’t actually use them at the moment but thought I’d add them for good measure. For a production system it is good practice to install only what is absolutely necessary, so if you don’t need them for a production environment you might want to leave them out.

Starting MySQL on boot

To start the server you will need to make sure it is enabled in rc.conf, this will also make it start on boot-up:

echo 'mysql_enable="YES"' >> /etc/rc.conf

Now you will be able to start the server:

/usr/local/etc/rc.d/mysql-server start

Securing MySQL

By default MySQL is installed in an insecure way. The root user (different to the system root) can authenticate without a password. It is best to set a good password for the MySQL root user…

mysql -u root -p

It will now prompt you for the current password. After you enter the current password, you will enter the mysql client where you should use something like the following query to change your password:

SET PASSWORD FOR root = PASSWORD('secret');

In this case root’s password is changed to the word “secret”. There is only one problem with this. It will only change root’s password for connections from wherever you are currently connected from, probably localhost. mysql usually has another entry for root for myhost.www.example.org. To change this you can use the following query:

SET PASSWORD FOR root@"myhost.www.example.org" = PASSWORD('secret');

Of course you could also use a different password if you would like, although I’m not sure what purpose this would serve. If you want to try out this second password you can connect in the following way:

mysql -h myhost.www.example.org -u root -p

If you want to check for all root entries you can do the following:

mysql -u root -p mysql

Then enter the following query:

SELECT Host, User, Password FROM user WHERE User = 'root';

MySQL Config File

If you want to use a config file for MySQL you can copy either my-small.cnf, my-medium.cnf, my-large.cnf, or my-huge.cnf to /etc:

cp /usr/local/share/mysql/my-small.cnf /etc/my.cnf

Edit at will!