
Building a FreeBSD web server

From SoftwarePractice.org

This is a summary of how to build a web server on FreeBSD from scratch. It's a condensed and FreeBSD-specific version of this series of articles:


FreeBSD resources

Useful resources for this purpose:

Setting up the base system

Our goal here is to set up the FreeBSD machine so that we can easily update it with security patches and so on. Apart from steps 1 and 2, this section is somewhat optional in order to actually get a working server, so if you're not a pedant like me you could just proceed to the next section without rebuilding the whole system from scratch.

  1. Install FreeBSD 6.1 from a CD. Don't install the ports collection or X-windows etc (assuming that this is a server).
  2. Get the ports collection using portsnap:
    portsnap fetch
    portsnap extract
    
  3. Install CVSup:
    cd /usr/ports/net/cvsup-without-gui
    make install
    make clean
    
  4. Create the CVSup configuration file, as /usr/local/etc/conf/supfile:
    *default tag=RELENG_6_1
    *default host=cvsup14.FreeBSD.org
    *default prefix=/usr
    *default base=/var/db
    *default release=cvs delete use-rel-suffix compress
    
    src-all
    

    Note that this supfile is telling CVSup to get the RELENG_6_1 branch of FreeBSD. This branch is the 6.1 release, plus any security updates. For running a production webserver, we want the most stable branch possible, plus essential security updates. As of June 2006, this is it :)

  5. Go get 'em!!
    rehash
    cvsup /usr/local/etc/conf/supfile
    
  6. Create a kernel configuration file. Let's call it SERVER1:
    cd /usr/src/sys/i386/conf
    cp GENERIC /usr/local/etc/conf/SERVER1
    ln -s /usr/local/etc/conf/SERVER1 .
    
  7. (This part is optional.) At some point, you may want to modify this configuration file, as described here. My changes were fairly minimal: I changed the ident line, and commented out the I486_CPU and I586_CPU support. I also removed some things that I was sure are not needed for this server: NFS support, MSDOS partition, and silly stuff like PCMCIA cards and wireless. You can get hints on what is or is not needed by looking at /var/log/dmesg.today and /etc/defaults/rc.conf. (I'm not really sure that these changes are very important, but anyway.)
  8. Rebuild the "world." But first read the file /usr/src/UPDATING and this section of the FreeBSD handbook.
    cd /usr/src
    make -j4 buildworld
    
  9. Build and install the kernel:
    make buildkernel KERNCONF=SERVER1
    make installkernel KERNCONF=SERVER1
    
  10. Now here's where you want to be sure that the sysadmin in your datacenter is available in case something went wrong...
    reboot
  11. Assuming your machine came back up into multi-user mode :), you can check the kernel version like this:
    uname -a
    
  12. Then install the "world":
    mergemaster -p
    make installworld
    mergemaster
    reboot
    
  13. Clean up:
    cd /usr/obj
    chflags -R noschg *
    rm -rf *
    

That's it! Subscribe to the freebsd-security-notifications mailing list. When you get notification of a security issue, follow the instructions to rebuild a module or your kernel, as required.
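Step 4 is the one place where a typo quietly changes what the rest of the procedure does: a tag of RELENG_6 would track -STABLE (new features, not just fixes) and a tag of "." would track -CURRENT. The following script is an added example, not part of the original page or of the CVSup tool: it checks a supfile before you hand it to cvsup, insisting on a RELENG_X_Y security branch and on the src-all collection that buildworld needs. The supfile_tag, supfile_check and write_sample_supfile function names, and the sample supfiles it writes, are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check a CVSup supfile
# before running cvsup against it. Convention assumed here: the tag must be a
# release security branch of the form RELENG_X_Y (such as RELENG_6_1), which
# carries only the release plus security and errata fixes. The -STABLE tag
# (RELENG_X) and the development head (tag=.) would pull in new code that a
# production web server should not be tracking.

supfile_tag() {
    # Print the value on the first "*default tag=" line, or nothing if absent.
    sed -n 's/^\*default[[:space:]]\{1,\}tag=\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}

supfile_check() {
    # Exit 0 only when the supfile pins a RELENG_X_Y tag and fetches src-all,
    # which is what the rebuild-world steps above rely on.
    tag=$(supfile_tag "$1")
    if ! printf '%s\n' "$tag" | grep -Eq '^RELENG_[0-9]+_[0-9]+$'; then
        echo "supfile_check: tag '${tag:-<none>}' is not a release security branch" >&2
        return 1
    fi
    if ! grep -q '^src-all[[:space:]]*$' "$1"; then
        echo "supfile_check: src-all collection missing" >&2
        return 1
    fi
    return 0
}

write_sample_supfile() {
    # Write a constructed supfile to $1 using tag $2 and collection $3
    # (sample data for demonstration only; the host line mirrors the page).
    cat > "$1" <<EOF
*default tag=$2
*default host=cvsup14.FreeBSD.org
*default prefix=/usr
*default base=/var/db
*default release=cvs delete use-rel-suffix compress

$3
EOF
}

# Stand-alone demonstration against three constructed supfiles.
tmp=$(mktemp)
write_sample_supfile "$tmp" RELENG_6_1 src-all
supfile_check "$tmp" && echo "RELENG_6_1: ok"
write_sample_supfile "$tmp" . src-all
supfile_check "$tmp" || echo "tag '.': rejected (-CURRENT)"
write_sample_supfile "$tmp" RELENG_6 src-all
supfile_check "$tmp" || echo "RELENG_6: rejected (-STABLE)"
rm -f "$tmp"
```

To use it on the real file, run supfile_check /usr/local/etc/conf/supfile before step 5; a non-zero exit means fix the supfile first.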

Install ports

The following list of ports should be installed next. These ports are either important for managing your server, or needed for typical web applications. Some of them will automatically install other packages.

/usr/ports/security/sudo
/usr/ports/security/portaudit
/usr/ports/lang/perl5.8
/usr/ports/textproc/libxml
/usr/ports/textproc/libxml2
/usr/ports/graphics/tiff
/usr/ports/graphics/gd
/usr/ports/archivers/bzip2
/usr/ports/archivers/unzip
/usr/ports/www/lynx
/usr/ports/www/http_load
/usr/ports/net/rsync
/usr/ports/sysutils/cronolog

You may (or may not) wish to install the following (because they aren't essential and take time and/or install a bunch of other stuff you might not want):

/usr/ports/sysutils/portupgrade

You can see the list of installed ports with pkg_info. You can check installed ports for security issues with

portaudit -Fa

The following package should (IMHO) be installed from the original sources rather than from ports: ImageMagick.

The reason for not using the BSD port is that the port thinks (via dependencies) that ImageMagick needs X11, and I don't want to install X11... In my opinion, this is the big problem with package systems with dependencies: before you know it you've sucked everything in the Universe into your system.

Configuring and securing FreeBSD

Here are a few random things that you should do, either now or a little later.

  1. Set your hostname. In /etc/rc.conf, edit the hostname= line to have the name (and domain) you want your server to have. You will also want to add this name to your DNS, if you haven't already.
  2. Disable insecure services like ftp and telnet, if you have them running. To see what services you are running:
    sockstat -l
    
  3. Prevent syslogd from listening to remote hosts. Add the following line to /etc/rc.conf:
    syslogd_flags="-ss"
    

    (Then restart syslog: /etc/rc.d/syslogd restart.)

  4. Create accounts for your admin users, using adduser. (If this is really a production web server, you don't want to allow anyone but trusted admins access to it.)
  5. Use visudo to edit the sudoers file, and give your admin users access to root-like commands. Here's a very basic configuration:
    User_Alias     ADMINS = admin1, admin2
    ADMINS  ALL = ALL
    

    (This will allow the login accounts admin1 and admin2 to run sudo -s to gain super-user privileges.)

  6. Disable root logins by adding this line to /etc/ssh/sshd_config:
    PermitRootLogin no
    

    (Then restart sshd: /etc/rc.d/sshd restart. You should not close your root shell until you have verified that you can log in using your user account and sudo -s successfully.)
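Steps 2, 3 and 6 above are easy to get subtly wrong (a single -s instead of -ss, a PermitRootLogin line that is shadowed by an earlier one, an inetd entry you forgot about), so here is an added example, not from the original page, that audits those three settings. It runs over constructed copies of /etc/rc.conf, /etc/ssh/sshd_config and the output of sockstat -l so it works anywhere; the function names (rcconf_get, syslogd_is_local_only, sshd_permit_root_login, audit_listeners, write_samples) and the sample contents are this example's own. The parsing rules it assumes are the real ones: rc.conf is sourced as shell so the last assignment wins, while sshd_config uses the first occurrence of a keyword and, in OpenSSH of this era, defaults PermitRootLogin to yes when the keyword is absent.

```shell
#!/bin/sh
# Added example (not from the original page): audit the hardening settings from
# the checklist above, using constructed sample files so it runs offline.

# Effective value of KEY="value" in an rc.conf-style file ($1 = file, $2 = key).
# The last assignment wins, as it does when rc.conf is sourced; quotes are stripped.
rcconf_get() {
    sed -n "s/^$2=[\"']\{0,1\}\([^\"']*\)[\"']\{0,1\}.*/\1/p" "$1" | tail -n 1
}

syslogd_is_local_only() {
    # syslogd_flags must carry -ss: a single -s only refuses remote messages
    # but still opens the UDP 514 socket; -ss opens no network socket at all.
    # (The equivalent "-s -s" spelling is not recognised by this check.)
    case " $(rcconf_get "$1" syslogd_flags) " in
        *" -ss "*) return 0 ;;
        *) return 1 ;;
    esac
}

sshd_permit_root_login() {
    # Print the effective PermitRootLogin value: the first uncommented keyword
    # wins, and the assumed default when it is absent is "yes".
    v=$(awk 'tolower($1) == "permitrootlogin" { print $2; exit }' "$1")
    printf '%s\n' "${v:-yes}"
}

audit_listeners() {
    # Read saved "sockstat -l" output and print listeners the checklist says
    # should be gone: tcp 21 (ftp), tcp 23 (telnet), udp 514 (syslogd socket).
    awk 'NR > 1 {
        port = $6; sub(/.*:/, "", port); port = port + 0
        if ((port == 21 || port == 23) && $5 ~ /^tcp/) print $2 "/" $5 ":" port
        if (port == 514 && $5 ~ /^udp/) print $2 "/" $5 ":" port
    }' "$1"
}

write_samples() {
    # Constructed sample files in directory $1, describing a not-yet-hardened host.
    cat > "$1/rc.conf" <<'EOF'
hostname="www.example.org"
sshd_enable="YES"
syslogd_flags="-s"
EOF
    cat > "$1/sshd_config" <<'EOF'
#PermitRootLogin no
Port 22
PermitRootLogin yes
PermitRootLogin no
EOF
    cat > "$1/sockstat.txt" <<'EOF'
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       512   3  tcp4   *:22                  *:*
root     inetd      480   5  tcp4   *:23                  *:*
root     inetd      480   6  tcp4   *:21                  *:*
root     syslogd    401   6  udp4   *:514                 *:*
EOF
}

# Stand-alone demonstration: every check fails on the sample host.
d=$(mktemp -d)
write_samples "$d"
syslogd_is_local_only "$d/rc.conf" || echo "rc.conf: syslogd_flags lacks -ss"
[ "$(sshd_permit_root_login "$d/sshd_config")" = no ] \
    || echo "sshd_config: root login still permitted"
audit_listeners "$d/sockstat.txt" | sed 's/^/listener to remove: /'
rm -rf "$d"
```

On a real host, point the first two functions at /etc/rc.conf and /etc/ssh/sshd_config and feed audit_listeners a file produced by sockstat -l > /tmp/sockstat.txt; rerun after each change until all three checks are quiet.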

More information:

Build MySQL, Apache, PHP

OK, I am going to get it from FreeBSD fanatics, but I think you should build these applications from source distributions. See:

That's about it, really. Happy serving!!


FreeBSD-specific notes...

When the above pages say that you need to install a package from source, you should already have it, from the above list of ports. (If not, then see if there is a port for it first.)

Here is some more information about compiling MySQL 5.0 for FreeBSD: FreeBSD Notes. In particular, you probably want to take note of the recommended FreeBSD-specific compile commands:

CC=gcc CFLAGS="-O2 -fno-strength-reduce" \
    CXX=gcc CXXFLAGS="-O2 -fno-rtti -fno-exceptions \
    -felide-constructors -fno-strength-reduce" \
    ./configure --prefix=/usr/local/mysql --enable-assembler \
    --localstatedir=/usr/var
gmake -j4
gmake install