RSS Feed
Download our iPhone app
Browse DevX
Sign up for e-mail newsletters from DevX


Creating an oBAMP Stack: OpenBSD, Apache, MySQL, and PHP : Page 4

The OpenBSD, Apache, MySQL, and PHP (oBAMP) platform provides a powerful point of departure for the creation of dynamic web content. Learn the procedures for running OpenBSD 4.4 with Apache SSL, MySQL 5, and PHP 5.

Enabling Apache SSL
OpenBSD has Apache mod SSL enabled by default, but to activate https:// you must manually create or purchase an SSL certificate. Three certificate authorities are VeriSign, Thawte, and GoDaddy. Godaddy has a one-year free SSL certificate for qualifying open source projects.

The following is a nearly verbatim outline of the steps necessary to create a self-signed certificate from the OpenBSD https FAQ:

// generate a certificate that does not require a passphrase
$ sudo openssl genrsa -out /etc/ssl/private/server.key 2048
// generate a Certificate signing request following the onscreen prompts
$ sudo openssl req -new -key /etc/ssl/private/server.key -out /etc/ssl/private/server.csr
// Note: It is necessary to pay a third-party certificate authority to verify your certificate.

// self-sign the certificate (becoming your own authority) [Note: A warning prompt will display if this is used on 
the public www. This type of certificate is useful for computer-to-computer authentication across a LAN.]. $ sudo openssl x509 -req -days 730 -in /etc/ssl/private/server.csr -signkey
/etc/ssl/private/server.key -out /etc/ssl/server.crt // edit /etc/rc.conf.local to startup Apache with SSL $ sudo vi /etc/rc.conf.local // add the following to the httpd_flags="" httpd_flags="-DSSL" // restart Apache $ sudo apachectl stop $ sudo apachectl start

Now you are able to serve https:// requests across port 443. Test this out and notice the warnings about the self-signed certificate:

// test https:// with lynx
$ lynx
//  and test https:// from across your LAN or from a fully qualified domain name or https://your.fullyqualifieddomainname.com

Configuring OpenSSH
Perhaps the single most important contribution the OpenBSD team has given to the world is OpenSSH. OpenSSH is a method of encrypting data for secure network file transfer. OpenSSH uses a client/server model and controls configuration with two main files:

  • /etc/ssh/sshd_config (server parameters)
  • /etc/ssh/ssh_config (client parameters)

While the defaults are perfectly fine for a first-boot setup, I recommend a few post-install changes:

  1. Edit sshd_config by changing the default #PermitRootLogin yes to PermitRootLogin no.
  2. Create a custom banner for the Secure Shell (ssh) login and place your custom login message on it:
    $ sudo vi /etc/ssh/banner.txt
  3. Restart the OpenSSH daemon as follows:
    $ sudo kill -HUP 'cat /var/run/sshd.pid'
  4. For extra control of logins, use public and private key authentication. Read the manual pages for more details, and alter the OpenSSH configuration files to suit your privacy needs:
    $ man sshd

At this point, you may be wondering why OpenSSH root logins are enabled by default. Imagine trying to do a headless remote network install without root access and you will have your answer.

Using OpenSSH
To log in to your OpenBSD-powered computer console over the network, use ssh:

$ ssh username@ipaddress
// for example ssh puffy@
// The password is the users password.

To transfer files over the network, use the Secure File Transfer Protocol (sftp):

  1. Edit /etc/sshd_config by adding the line AllowUsers puffy.
  2. Activate the secure file transfer protocol:
    $ sftp username@ipaddress
  3. Get a file from the remote machine:
    $  get file1.txt
  4. Put a file on the remote machine:
    $ put file2.txt

To transfer folders across the network, use the Secure Copy Program (scp). For example, the following code would send an entire folder named desktopfolder from your desktop computer to the home directory of the user you created on your OpenBSD server machine:

$ scp -r  desktopfolder puffy@servername:/home/puffy/

Use only the particular functionality that you require for your particular PHP applications. If you do want to expand the PHP server's functionality, you can find more PHP5 extensions in the OpenBSD packages collection under PHP5:

  • Image manipulation graphic digest extensions for php5:
    $ sudo pkg_add -v php5-gd-5.2.6-no_x11.tgz
  • Curl URL library extensions for php5:
    $ sudo pkg_add -v php5-curl-5.2.6.tgz
  • Imap, pop3 and nntp email extensions for php5:
    $ sudo pkg_add -v php5-imap-5.2.6.tgz
  • Mcrypt encryption/decryption extensions for php5:
    $ sudo pkg_add -v php5-mcrypt-5.2.6.tgz
  • Mhash supports a wide variety of hash algorithms (including MD5, SHA1 and GOST):
    $ sudo pkg_add -v php5-mhash-5.2.6.tgz
  • Open Database Connectivity (ODBC) database access extensions for php5:
    $ sudo pkg_add -v php5-odbc-5.2.6.tgz
  • PostgreSQL database access extensions for php5:
    $ sudo pkg_add -v php5-pgsql-5.2.6.tgz
  • Simple Object Access Protocol (SOAP) functions for php5 and XML web services interaction:
    $ sudo pkg_add -v php5-soap-5.2.6.tgz
  • Cross-platform XML standards based distributed computing:
    $ sudo pkg_add -v php5-xmlrpc-5.2.6.tgz
  • Extensible Stylesheet Language (XSL):
    $ sudo pkg_add -v php5-xsl-5.2.6.tgz

Close Icon
Thanks for your registration, follow us on our social networks to keep up-to-date