Note: These instructions use “www.example.com” as an example.

To Install Apache2:

After the UpdatePorts, install apache2 as follows:

cd /usr/ports/www/apache2

make install clean

Enable Apache2 in /etc/rc.conf by adding the following…

apache2_enable="YES"

apache2ssl_enable="YES"

Setup the certificates:

mkdir /usr/local/etc/apache2/ssl.crt

mkdir /usr/local/etc/apache2/ssl.key

Edit /usr/local/etc/apache2/ssl.conf and set the following…

SSLCertificateFile /usr/local/etc/apache2/ssl.crt/server.crt

SSLCertificateKeyFile /usr/local/etc/apache2/ssl.key/server.key

After saving the certificates in their appropriate directories run:

chmod -R 700 /usr/local/etc/apache2/ssl.key

Edit /usr/local/etc/apache2/httpd.conf and set the following:

ServerAdmin mshurst@engmail.uwaterloo.ca
UseCanonicalName On
DocumentRoot "/homepages"
UserDir disabled
ServerSignature Off

In <Directory "/homepages"> set…

Options FollowSymlinks Multiview Includes ExecCGI

AllowOverride All

Comment out the <Directory /home/*/public_html> section and replace it with…

<Directory /u1/*/public_html>
   Options All -Indexes
   AllowOverride All
   Order allow,deny
   Allow from all
</Directory>

<Directory /u2/*/public_html>
   Options All -Indexes
   AllowOverride All
   Order allow,deny
   Allow from all
</Directory>

<Directory /u3/*/public_html>
   Options All -Indexes
   AllowOverride All
   Order allow,deny
   Allow from all
</Directory>

<Directory /u4/*/public_html>
   Options All -Indexes
   AllowOverride All
   Order allow,deny
   Allow from all
</Directory>

Restart apache2 to start using the new certificate…


/usr/local/etc/rc.d/apache2.sh stop
/usr/local/etc/rc.d/apache2.sh start


To enable CGIWrap
Allows execution of cgi scripts using user permissions

To install cgiwrap…

cd /usr/ports/www/cgiwrap
make
make install

Add AddHandler cgi-script .cgi to /usr/local/etc/apache2/httpd.conf.

Access control files are required for cgiwrap. To allow open access…

touch /usr/local/etc/cgiwrap.deny

To enable the “debug” version of cgiwrap…

chmod 4755 /usr/local/www/cgi-bin/cgiwrapd

In <Directory "/usr/local/www/cgi-bin"> set…

  Options ExecCGI

To restrict “debug” access to on-campus only, add the following to httpd.conf…

<Location /cgi-bin/cgiwrapd>

     order deny,allow
     deny from all
     allow from 129.97
</Location>

<Location /cgi-bin/nph-cgiwrapd>
     order deny,allow
     deny from all
     allow from 129.97
</Location>

To enable Server Side Includes
Allows server side parsing of html files.

Make the following changes in /usr/local/etc/apache2/httpd.conf…

uncomment (or add)

AddType text/html .shtml

AddHandler server-parsed .shtml

Allow index.shtml to be a default page

DirectoryIndex index.html ... index.shtml

Add the “Includes” option

Options Indexes FollowSymLinks MultiViews ExecCGI Includes

Customized Virtual Host settings

   * Make the following changes to /usr/local/etc/apache2/ssl.conf...

#<VirtualHost _default_:443>

<VirtualHost www.eng.uwaterloo.ca:443>
DocumentRoot "/homepages"
ServerName www.eng.uwaterloo.ca

ServerAdmin mshurst@engmail.uwaterloo.ca

   * Configure logging to include the virtual host name by adding %v to the end of the LogFormat entry in httpd.conf

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %v" combined

   * Add the following CustomLog entry to the www.example.com virtual host entry.

CustomLog /var/log/httpd-sydewww.log combined

   * Update the rollapachelogs.csh script to include the httpd-sydewww.log files.

==
Rolling the Apache logs ==
The logs must be rolled occasionally to prevent the disk from filling with logs. This isn’t as trivial as it should be, because:

   * If you roll the logs, and send a SIGTERM to httpd, all httpd processes will abort, possibly resulting in incomplete database updates etc

   * If you roll the logs, and send a SIGUSR1 to httpd, you must wait some unknown period of time to allow all child httpd processes to complete, before compressing logs.

Alternatives:

   * Don't compress the logs, and use newsyslog with signal 30 (USR1)

   * pipe the logs in httpd.conf through some other process

   * use a custom log roller script

To do the latter, run:

fetch -o /usr/local/bin/rollapachelogs.csh http://www.freebsd.uwaterloo.ca/rollapachelogs.csh

chmod u+x /usr/local/bin/rollapachelogs.csh

Add to /etc/crontab:

# rotate apache logs

0       3       *       *       *       root    /usr/local/bin/rollapachelogs.csh

Configuring Name-based virtual hosting

Set the folloowing in /usr/local/etc/apache2/httpd.conf…

NameVirtualHost *

# Default VirtualHost is listed here

# others are listed in /usr/local/etc/apache2/Includes/vhosts.conf

<VirtualHost *>
   ServerName www.eng.uwaterloo.ca
   ServerAlias www.eng
   DocumentRoot /homepages
   UserDir public_html
   ErrorDocument 403 /lookup.cgi
   ErrorDocument 404 /lookup.cgi
   ErrorDocument 410 /lookup.cgi
</VirtualHost>

Then add the other virtual hosts to /usr/local/etc/apache2/Includes/vhosts.conf…

   ServerName www.engcomp.uwaterloo.ca
   ServerAlias www.engcomp www.engineeringcomputing.uwaterloo.ca www.engineeringcomputing
   DocumentRoot /u2/engcomp/public_html

   <Directory /u2/engcomp/public_html>      Options All
      AllowOverride All
      Order allow,deny
      Allow from all
   </Directory>

   ScriptAlias /cgi-bin/ "/u2/eng_comp/public_html/cgi-bin/"
   <Directory "/u2/eng_comp/public_html/cgi-bin/">
      AllowOverride None
      Options None
      Order allow,deny
      Allow from all
   </Direcotry>

Restrict access to printman pages

<Directory "/u2/eng_comp/public_html/printers">
   Order deny,allow
   Deny from all
   Allow from 129.97
</Directory>

Introduction to DNS

DNS stands for Domain Name System. In simple terms it’s like this: people are good at remembering and writing names. Computers are great with numbers and calculations. When you open your browser you may type in an address such as google.com or fartymarty.com, but that is not what the computers use. They use numbers, each and every computer on the internet has a unique number assigned to it. This is called an IP address. This is where DNS comes in to play, it translates your names into numbers (computer addresses). For example if you go to google.com your browser will send a DNS query, the reply comes back has the numeric IP address of the google server, which in my case is 72.14.207.99. If you were to go to this IP or type in google.com you would get to the same place!

If you have your own domain name you may need to configure the DNS for it, so people typing in yourdomain.com are given back the correct IP address of your server – otherwise they won’t be able to find your site!

‘A’ record

Firstly we will concern ourselves with three DNS record types, the most commonly used ones. Perhaps the most useful is the A record. This is what will convert your domain mydomain.com in to a numbered address that computers use (IP address). Thus, if you have a web server (for example) listening at the address 12.34.56.78 and you want to be able to type in mydomain.com to your browser to visit it, you will need to create an A record. The cool thing is that mail servers will fall back to using it in the event you haven’t created an MX record… something that we are going to move on to.

MX record

MX record stands for ‘mail exchanger’ and it is unique to email servers. If you have an email server at 12.34.56.78 and you want it to be able to receive emails that people address to you at mydomain.com you will want to create an MX DNS record. This record includes the hostname, the priority and the domain. Your first MX entry will probably want to have a priority of 0 or 10. The hostname for the mail server can be (for example) mail.mydomain.com and your domain can be mydomain.com. Whatever hostname you use for the mail server must also have an appropriate A record. So you might end up with something like this:

Notice the ’10′ for the MX server, denoting priority. You can configure backup mail servers in case the primary one fails. You would create another MX record for the same name, with a higher priority (20 for example) and the address of another server. So ultimately you could have:

CNAME record

That leaves CNAME records. These are easy and are basically aliases. They come in useful when you want to create wildcards and subdomains. It is normally a good idea to create at least one CNAME for www so that if someone types in www.mydomain.com they will still get to mydomain.com:

And that’s it for the basics. Just be sure you use IP addresses for some things and hostnames for the others. ‘A’ records always resolve to an IP address. MX and CNAME records resolve to a hostname. Hope that helps you.

cd /usr/ports/databases/mysql50-server

Compile and install with custom options

The following should be typed all on one line, the double backslash (\\) indicates that it has been broken up for better viewing on the internet.

make WITH_CSV=yes WITH_FEDERATED=yes WITH_ARCHVIVE=yes \\
WITH_CHARSET=utf8 WITH_COLLATION=utf8__general_ci install clean

This sets it up to use UTF8 as the default character sets and collations, of course you can change these. It also gives support to alternative database formats such as CSV, I don’t actually use them at the moment but thought I’d add them for good measure. For a production system it is good practice to install only what is absolutely necessary, so if you don’t need them for a production environment you might want to leave them out.

Starting MySQL on boot

To start the server you will need to make sure it is enabled in rc.conf, this will also make it start on boot-up:

echo 'mysql_enable="YES"' >> /etc/rc.conf

Now you will be able to start the server:

/usr/local/etc/rc.d/mysql-server start

Securing MySQL

By default MySQL is installed in an insecure way. The root user (different to the system root) can authenticate without a password. It is best to set a good password for the MySQL root user…

mysql -u root -p

It will now prompt you for the current password. After you enter the current password, you will enter the mysql client where you should use something like the following query to change your password:

SET PASSWORD FOR root = PASSWORD('secret');

In this case root’s password is changed to the word “secret”. There is only one problem with this. It will only change root’s password for connections from wherever you are currently connected from, probably localhost. mysql usually has another entry for root for myhost.www.example.org. To change this you can use the following query:

SET PASSWORD FOR root@"myhost.www.example.org" = PASSWORD('secret');

Of course you could also use a different password if you would like, although I’m not sure what purpose this would serve. If you want to try out this second password you can connect in the following way:

mysql -h myhost.www.example.org -u root -p

If you want to check for all root entries you can do the following:

mysql -u root -p mysql

Then enter the following query:

SELECT Host, User, Password FROM user WHERE User = 'root';

MySQL Config File

If you want to use a config file for MySQL you can copy either my-small.cnf, my-medium.cnf, my-large.cnf, or my-huge.cnf to /etc:

cp /usr/local/share/mysql/my-small.cnf /etc/my.cnf

Edit at will!