The OpenBSD operating system claims to ship “secure by default” and aims to be “the world’s most secured operating system.” OpenBSD also boasts the capability to run on many hardware platforms including amd64, i386, and Sparc machines. What better way to test these claims than to configure and deploy OpenBSD yourself with more familiar web technologies?
This article describes how to add PHP language and MySQL database functionality to OpenBSD. It outlines one method of configuring OpenBSD 4.4 (the latest version at the time of writing) to work with Apache 1.3.29, PHP 5.2.6, and MySQL 5.0.51a, creating an “oBAMP” stack, OpenBSD running the “AMP” portion of the better-known Linux LAMP stack. You can use similar configuration on other architectures as well, although they won’t be identical to the procedures outlined here.
What You Need
This article assumes that you are capable of:
1. Installing OpenBSD onto your computer’s hard drive
2. Achieving network connectivity
3. Acquiring a root prompt
Getting and Installing the OS
You can acquire OpenBSD by either ordering the OpenBSD CD-ROM from the OpenBSD secured online ordering page or installing it freely as an ftp network install. The CD-ROM package includes three disks, the source code, and two stickers. The OpenBSD team, headed by Theo de Raadt, relies on the sale of CD-ROM packages for its financial survival, but I’ll leave it to your conscience to decide which method you’ll use.
Instructions for installing OpenBSD via CD-ROM are provided inside the CD case. Installation of OpenBSD is also well documented at the OpenBSD official FAQ, Chapter 4 and at the following links:
- OpenBSD 101 Tutorial for Beginners (OpenBSD 4.4)
- “Install OpenBSD to Secure Your Web Server” (ftp install of OpenBSD 3.6)
Preparing Yourself for a Smooth Configuration
After you have bought, borrowed, or downloaded a copy of OpenBSD 4.4, you are ready to configure OpenBSD as an Apache-powered PHP and MySQL web and database server. The configuration process of OpenBSD 4.4 is easier than for any prior release. However, for maximum control of your OpenBSD system, you will need to become familiar with the OpenBSD manual pages. If you find any conflicts between the information provided here and the information in the OpenBSD-provided manual pages, defer to the official manual pages. Posting questions to any OpenBSD forum can also be helpful, but search the manual pages for an answer before doing so.
Access the OpenBSD manual pages online or by typing the following into your OpenBSD console:
// manual page of the recommended after boot procedures
# man afterboot
// manual page of the manual pages
# man man
Author’s Note: Manual Page Browsing Hints: Page Up and Page Down move you through the manual pages. ENTER and the up and down arrow keys scroll one line; type “q” to quit.
Configuring OpenBSD with PHP and MySQL
The first thing to do when creating an OpenBSD 4.4, Apache 1.3.29, MySQL 5.0.51a, and PHP 5.2.6 oBAMP web server is to create a user on the OpenBSD system that has sudo privileges.
Next, remain logged in as root and add a user to your OpenBSD 4.4 machine by typing adduser at the root prompt:
Choose the default shell, the default login class, and all the defaults until prompted for a username. I suggest using the blowfish algorithm or triple DES for password encryption.
Enter “puffy” (without the quotes) as the username, and make this user a member of the group “wheel.” Name the login group “puffy”, and invite puffy into the group “wheel.” Continue with the default settings for puffy in the group wheel until complete. Next, configure sudo to allow puffy to have limited system administrator root privileges by typing this at the root prompt:
Scroll to the following lines:
# Uncomment to allow people in the group wheel to run all commands
# and set environmental variables
# %wheel ALL=(ALL) SETENV: ALL
Delete the pound sign (#) in the third line, so it reads as follows:
%wheel ALL=(ALL) SETENV: ALL
Next, type :wq and press Enter, and then type exit. Now log in with the username and password you have just created.
From now on, remember that the password sudo asks for is not the root password; it is the user password. Store your true root password in a safe place or memorize it.
// become pseudo root
$ sudo su
Next, type exit to return to your user’s default shell. Now you can access applications as pseudo root by typing:
Using OpenBSD Packages to Install Third-Party Software
OpenBSD packages are the preferred way of installing third-party software to the OpenBSD base system. When acquiring these packages, it is best to use a mirror server that is geographically close to your computer’s location and, of course, to select the packages section that corresponds with your computer’s architecture. For example, I am using Canada as my geographic location and I selected the i386 architecture.
To ensure that your settings are accurate for your scenario, you can hard-code the ftp addresses of OpenBSD mirror servers into your new user’s .profile file. OpenBSD has the vi editor and the mg (Emacs-like) editor installed by default. Here’s how you would edit your .profile file with the vi editor:
$ vi .profile
// hint: i is for insert
// Complete listing of official OpenBSD world ftp mirrors
http://www.openbsd.org/ftp.html
For my settings (i386 architecture in Canada), you could use something like the following in your .profile file:
To select the i386 architecture in the United States, you could use something like this in your .profile file. Realize that connecting to one ftp server is enough.
See Sidebar 1. Complete Listing of ftp Servers and Master Fanout Sites for a complete listing of ftp servers and Master fanout sites in Australia, Canada, the United Kingdom, and the United States.
When you have chosen the appropriate settings, write the new file and exit your chosen code editor. To escape vi, type :wq.
Log out and then log back in to have these settings take effect with your user’s .profile:
Next, test out the package system by adding a third party network auditing software package in verbose mode. Dsniff is password sniffing software and is one example of why a person should always use OpenSSL or OpenSSH when sending passwords over any network.
// install dsniff as a package
$ sudo pkg_add -v dsniff-2.3p5-no_x11.tgz
Check out the following links to further explore OpenBSD packages:
Installation of the oBAMP Stack in Nine Steps
Now it’s time to get down to business: installing the basic oBAMP stack via the OpenBSD packages collection. This procedure works on either i386 (Intel) or amd64 (64-bit) architectures:
- Install MySQL 5.0.51 as a package:
$ sudo pkg_add -v mysql-server-5.0.51ap1.tgz
Read the detailed instructions on how to install a MySQL database in /usr/local/share/doc/mysql/README.OpenBSD.
- Build the initial MySQL databases:
$ sudo /usr/local/bin/mysql_install_db
- Start the MySQL 5 database server:
$ sudo /usr/local/bin/mysqld_safe &
- Activate your MySQL production settings and follow the onscreen prompts to set a MySQL root password, removing anonymous users:
- Add the Suhosin Hardened PHP 5.2.6 package as an Apache module:
$ sudo pkg_add -v php5-core-5.2.6.tgz
- Enable the php5 module with a symbolic link:
$ sudo ln -s /var/www/conf/modules.sample/php5.conf /var/www/conf/modules
Read the /var/www/conf/php.ini file for PHP hardening details and configuration options.
- Enable the PHP mySQLi functions to access MySQL servers version 4.1 and above:
$ sudo pkg_add -v php5-mysqli-5.2.6.tgz
- Create a symbolic link to enable the mySQLi extension:
$ sudo ln -fs /var/www/conf/php5.sample/mysqli.ini /var/www/conf/php5/mysqli.ini
- Edit Section 2 (‘Main’ server configuration) of the Apache 1.3.29 file /var/www/conf/httpd.conf as follows:
- Change the email address for ServerAdmin to [email protected].
- Change your ServerName to a valid DNS entry. If you do not have a valid DNS name for your host, enter the IP address associated with your LAN (e.g., 192.168.1.16). Type ifconfig -a to find the INET address associated with your working Ethernet card.
- Add index.php to the DirectoryIndex as follows:
DirectoryIndex index.html index.php
- Find the line AddType application/x-httpd-php .php and delete the comment tag (#).
Congratulations. You have now installed the basic oBAMP stack via the packages collection.
To start Apache, use the following command:
$ sudo apachectl start (c as in current, t as in table, l as in Linux)
To stop Apache, use this command:
$ sudo apachectl stop (c as in current, t as in table, l as in Linux)
Start Apache now. Test your PHP installation by navigating to the htdocs directory, the default location from which Apache serves public files to the world:
$ sudo apachectl start
// change to the Apache public htdocs directory
$ cd /var/www/htdocs
// list all files in the directory
$ ls
To confirm that Apache is running locally, start the OpenBSD default text browser Lynx (http and https) to surf from your console to the Apache server running as localhost.
$ lynx 127.0.0.1
You should see the Apache default index.html congratulations screen. Enter q to quit Lynx.
Test PHP by creating a new index.php file based on the default index.html. Open the default page with vi:
$ sudo vi index.html
Beneath the tag, insert the line:
Then save the index.php file with your changes:
Figure 1. Running OpenBSD-powered Apache, MySQL, and PHP Web Server: Apache is now loaded with the PHP module, and mySQLi provides the functions for MySQL database connectivity.
Test this out from the server console with the default installed Lynx text browser. For security reasons, OpenBSD does not ship with a graphical browser enabled. To further test that your Apache-powered OpenBSD machine is serving documents, enter the server’s LAN IP address or fully qualified domain name (the value you entered as ServerName in the Apache httpd.conf file) into the browser URL field of a LAN-connected client computer:
// secure lynx browser on localhost
$ lynx 127.0.0.1/index.php
// LAN connected Client Browser URL
http://192.168.1.16 or http://www.fullyqualifieddomain.com
Depending on your configuration choices, you should now be serving the Apache congratulations screen with PHP information across your LAN or to the Internet at large.
Test index.php by using another computer on your local network and entering the IP address of the ServerName or DNS-resolving ServerName that was set in the Apache configuration file /var/www/conf/httpd.conf (for example, http://192.168.1.16).
Congratulations! Apache is now loaded with the PHP module, and mySQLi provides the functions for MySQL database connectivity (see Figure 1). You are now running an OpenBSD-powered Apache, MySQL, and PHP web server! See Listing 1. Auto Loading MySQL and Apache Https on Boot for an auto-load enhancement to your configuration.
Enabling Apache SSL
OpenBSD has Apache mod SSL enabled by default, but to activate https:// you must manually create or purchase an SSL certificate. Three certificate authorities are VeriSign, Thawte, and GoDaddy. GoDaddy has a one-year free SSL certificate for qualifying open source projects.
The following is a nearly verbatim outline of the steps necessary to create a self-signed certificate from the OpenBSD https FAQ:
// generate a private key that does not require a passphrase
$ sudo openssl genrsa -out /etc/ssl/private/server.key 2048
// generate a Certificate Signing Request, following the onscreen prompts
$ sudo openssl req -new -key /etc/ssl/private/server.key -out /etc/ssl/private/server.csr
// Note: It is necessary to pay a third-party certificate authority to verify your certificate.
// self-sign the certificate (becoming your own authority) [Note: A warning prompt will display if this is used on the public www. This type of certificate is useful for computer-to-computer authentication across a LAN.]
$ sudo openssl x509 -req -days 730 -in /etc/ssl/private/server.csr -signkey /etc/ssl/private/server.key -out /etc/ssl/server.crt
// edit /etc/rc.conf.local to start up Apache with SSL
$ sudo vi /etc/rc.conf.local
// change httpd_flags="" to the following
httpd_flags="-DSSL"
// restart Apache
$ sudo apachectl stop
$ sudo apachectl start
Now you are able to serve https:// requests across port 443. Test this out and notice the warnings about the self-signed certificate:
// test https:// with lynx
$ lynx https://127.0.0.1
// and test https:// from across your LAN or from a fully qualified domain name
https://192.168.1.16 or https://your.fullyqualifieddomainname.com
Perhaps the single most important contribution the OpenBSD team has given to the world is OpenSSH. OpenSSH provides encrypted remote logins and secure network file transfer. OpenSSH uses a client/server model and controls configuration with two main files:
- /etc/ssh/sshd_config (server parameters)
- /etc/ssh/ssh_config (client parameters)
While the defaults are perfectly fine for a first-boot setup, I recommend a few post-install changes:
- Edit sshd_config by changing the default #PermitRootLogin yes to PermitRootLogin no.
- Create a custom banner for the Secure Shell (ssh) login and place your custom login message on it:
$ sudo vi /etc/ssh/banner.txt
- Restart the OpenSSH daemon as follows:
$ sudo kill -HUP $(cat /var/run/sshd.pid)
- For extra control of logins, use public and private key authentication. Read the manual pages for more details, and alter the OpenSSH configuration files to suit your privacy needs:
$ man sshd
At this point, you may be wondering why OpenSSH root logins are enabled by default. Imagine trying to do a headless remote network install without root access and you will have your answer.
To log in to your OpenBSD-powered computer console over the network, use ssh:
$ ssh [email protected]
// for example ssh [email protected]
// The password is the user's password.
To transfer files over the network, use the Secure File Transfer Protocol (sftp):
- Edit /etc/ssh/sshd_config by adding the line AllowUsers puffy.
- Activate the secure file transfer protocol:
$ sftp [email protected]
- Get a file from the remote machine:
$ get file1.txt
- Put a file on the remote machine:
$ put file2.txt
To transfer folders across the network, use the Secure Copy Program (scp). For example, the following code would send an entire folder named desktopfolder from your desktop computer to the home directory of the user you created on your OpenBSD server machine:
$ scp -r desktopfolder [email protected]:/home/puffy/
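As an added example that is not part of the original article, the following sh script audits an sshd_config for the two post-install changes recommended above (PermitRootLogin no from the OpenSSH list and the AllowUsers line from the sftp steps). The two sample config files it writes under /tmp are constructed here; on a real server you would point check_sshd_config at /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the article): audit an sshd_config for the
# hardening the article recommends. Uses only POSIX sh and awk, as found
# in the OpenBSD base system.

# Print the effective value of a keyword: the first non-comment match
# wins, which is how sshd(8) itself resolves duplicate keywords.
sshd_value() {
    # $1 = keyword, $2 = config file
    awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }' "$2"
}

# Return 0 when the file carries the recommended settings, 1 otherwise,
# printing one finding per missing item.
check_sshd_config() {
    f="$1"; rc=0
    root=$(sshd_value PermitRootLogin "$f")
    if [ "$root" != "no" ]; then
        # A commented-out keyword means the compiled-in default applies;
        # the article notes that default was "yes", so "unset" fails too.
        echo "$f: PermitRootLogin is '${root:-unset}', expected 'no'"; rc=1
    fi
    if [ -z "$(sshd_value AllowUsers "$f")" ]; then
        echo "$f: no AllowUsers line; every account may attempt a login"; rc=1
    fi
    return $rc
}

# Constructed sample configs: the first mirrors the stock commented default,
# the second the article's recommended changes.
TMP=${TMPDIR:-/tmp}
cat > "$TMP/sshd_config.weak" <<'EOF'
#PermitRootLogin yes
Subsystem sftp /usr/libexec/sftp-server
EOF
cat > "$TMP/sshd_config.hardened" <<'EOF'
PermitRootLogin no
AllowUsers puffy
Banner /etc/ssh/banner.txt
Subsystem sftp /usr/libexec/sftp-server
EOF

# Expected: the weak file FAILs with two findings, the hardened file PASSes.
for cfg in weak hardened; do
    if check_sshd_config "$TMP/sshd_config.$cfg"; then
        echo "$cfg: PASS"
    else
        echo "$cfg: FAIL"
    fi
done
```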
Use only the particular functionality that you require for your particular PHP applications. If you do want to expand the PHP server’s functionality, you can find more PHP5 extensions in the OpenBSD packages collection under PHP5:
- Image manipulation graphic digest extensions for php5:
$ sudo pkg_add -v php5-gd-5.2.6-no_x11.tgz
- Curl URL library extensions for php5:
$ sudo pkg_add -v php5-curl-5.2.6.tgz
- Imap, pop3 and nntp email extensions for php5:
$ sudo pkg_add -v php5-imap-5.2.6.tgz
- Mcrypt encryption/decryption extensions for php5:
$ sudo pkg_add -v php5-mcrypt-5.2.6.tgz
- Mhash supports a wide variety of hash algorithms (including MD5, SHA1 and GOST):
$ sudo pkg_add -v php5-mhash-5.2.6.tgz
- Open Database Connectivity (ODBC) database access extensions for php5:
$ sudo pkg_add -v php5-odbc-5.2.6.tgz
- PostgreSQL database access extensions for php5:
$ sudo pkg_add -v php5-pgsql-5.2.6.tgz
- Simple Object Access Protocol (SOAP) functions for php5 and XML web services interaction:
$ sudo pkg_add -v php5-soap-5.2.6.tgz
- Cross-platform XML standards based distributed computing:
$ sudo pkg_add -v php5-xmlrpc-5.2.6.tgz
- Extensible Stylesheet Language (XSL):
$ sudo pkg_add -v php5-xsl-5.2.6.tgz
One way you can help improve OpenBSD is to send the output of dmesg to one of your email addresses:
$ sudo dmesg | mail -s "Dell P-3 Laptop Works Great" [email protected]
Then forward that email message to [email protected].
Your oBAMP Platform Lives!
By following the preceding procedures, you now have a computer running OpenBSD 4.4 with Apache SSL, MySQL 5, and PHP 5. For today’s increasingly hostile Internet environment, the oBAMP platform provides a powerful point of departure for the creation of dynamic web content. This article should prove useful for exploring the world of PHP development in a somewhat secured environment. By default the OpenBSD PHP package uses the Suhosin patch, which protects the Apache server from several known vulnerabilities and from weaknesses in the PHP core itself.
Using mySQLi for PHP-to-MySQL database interaction offers improvements in both system speed and connection security. Meanwhile, PHP5 enables web application developers to use object-oriented programming techniques. If nothing else, you would be wise to run OpenBSD for system backup, that is, if you value your data at more than $50 USD.