LAMP Server Installation Guide on Debian 6 Squeeze

From Acenet Knowledgebase
Jump to navigation Jump to search

Update your Repository

Let's ensure our repository information is up to date

<syntaxhighlight lang="bash">apt-get update</syntaxhighlight>

Install Apache and PHP

Login to your server via SSH as the root user. If you are using a privileged user instead, precede each command with 'sudo' to run it with root privileges.

tasksel is a tool for selecting tasks for installation on Debian. This tool makes it easy to install all of the packages associated with a specific server environment. Let's install tasksel:

Install tasksel

<syntaxhighlight lang="bash">apt-get install tasksel</syntaxhighlight>

Do not use tasksel to remove tasks. tasksel should be used only to install tasks. Removing tasks through tasksel may remove core packages and may cause problems on your system. For more information see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=587046

Install Apache and PHP

With tasksel installed, we can now install the Apache and PHP in one command.

<syntaxhighlight lang="bash">tasksel install web-server</syntaxhighlight>

Configure Apache to start on boot

<syntaxhighlight lang="bash">update-rc.d apache2 defaults</syntaxhighlight>

At this point, you have everything you need to serve content from your server. By default, apache2 is installed and configured to serve web pages from the /var/www/ directory. You can upload all of your content into the folder /var/www/ and Apache will serve your webpages. We recommend configuring your server for name-based virtual hosts and Apache makes this extremely easy.

Configuring Name-based Virtual Hosts

Name-based virtual hosts allow Apache to serve multiple web sites from a single IP. Whereas IP-based virtual hosts require each site to have its own unique IP address, name-based virtual hosts allow Apache to serve the correct website content based on the domain requested. Name-based virtual hosts are recommended whenever possible unless your needs specifically require IP-based hosting.

Before we begin configuring Apache, we're going to setup a new user and a directory on /home for serving our content. In this example, we're going to be setting up a new user and website:

Our username will be: mywebsite

Our domain name will be: mywebsite.example.com

Through this guide, replace the username and domain name values as appropriate for your username and domain name.

Add a new user

Let's add the new user:

<syntaxhighlight lang="bash">useradd mywebsite</syntaxhighlight>

Create and chown the user's home directory

Make this user's /home directory and public_html/ directory. While we're at it, we're going to create a directory for our new site's access log and error log.

<syntaxhighlight lang="bash"> mkdir /home/mywebsite mkdir /home/mywebsite/public_html mkdir /home/mywebsite/logs chown mywebsite.mywebsite /home/mywebsite chown mywebsite.www-data /home/mywebsite/public_html chown mywebsite.mywebsite /home/mywebsite/logs chmod 711 /home/mywebsite/ chmod 750 /home/mywebsite/public_html/ chmod 750 /home/mywebsite/logs </syntaxhighlight>

Create a new VirtualHost file

Now that we have a new user and directory added, we can tell Apache to serve requests for mywebsite.example.com from our new folder. Apache works by storing a list of website virtual hosts in /etc/apache2/sites-available/. Each website gets its own file for its virtual host which makes it easy to configure each domain separately. Let's create a new virtual host file for this website in your favorite text editor. We'll use nano in these examples:

<syntaxhighlight lang="bash">nano /etc/apache2/sites-available/mywebsite.example.com</syntaxhighlight>

Within this file, enter these directives:

<syntaxhighlight lang="bash"> <VirtualHost *:80> ServerAdmin [email protected] ServerName mywebsite.example.com ServerAlias www.mywebsite.example.com DocumentRoot /home/mywebsite/public_html/ ErrorLog /home/mywebsite/logs/error.log CustomLog /home/mywebsite/logs/access.log combined </VirtualHost> </syntaxhighlight>

Enable the VirtualHost

Apache has a mechanism for disabling or enabling sites as needed. Once you've configured your virtual host for a website, you need to tell Apache to bring it live by enabling it.

<syntaxhighlight lang="bash">a2ensite mywebsite.example.com</syntaxhighlight>

This command will create a symlink in /etc/apache2/sites-enabled/ to your virtual host file for mywebsite.example.com in /etc/apache2/sites-available/.

Reload Apache

Once your site is enabled, reload Apache for the changes to take effect.

<syntaxhighlight lang="bash">service apache2 reload</syntaxhighlight>

If you have properly pointed the DNS for your domain, you should now be able to visit your website in a browser and have your content served from your new Debian LAMP server.

Install suPHP

After getting your site up and running, we generally advise that suPHP be enabled for additional security.

suPHP is a tool for executing PHP scripts with the permissions of their owners. It consists of an Apache module (mod_suphp) and a setuid root binary (suphp) that is called by the Apache module to change the uid of the process executing the PHP interpreter. suPHP helps increase the security of your server. With scripts run as the owner, abusive processes can more easily be tracked back to a given user. Stricter script permissions are enforced since scripts are no longer run as the apache user.

We'll now show you how to install suPHP on your Debian 6 server with the package manually compiled from source. suPHP has three different modes of operation which must be specified at compile time:

owner: Run scripts with owner UID/GID
force: Run scripts with UID/GID specified in Apache configuration
paranoid: Run scripts with owner UID/GID but also check if they match the UID/GID specified in the Apache configuration

The suPHP documentation states:

"The default is "paranoid" mode. You should *NEVER* use "force" mode as it is very dangerous. 
While "owner" mode is not as dangerous as "force" mode its use is disadvised and 
"paranoid" mode should be preferred."

In this guide we manually compile suPHP, but there is a pre-built package available for apt-get. This package is libapache2-mod-suphp.

Although suPHP states that the default mode is "paranoid", the libapache2-mod-suphp is installed in "owner" mode by default. When suPHP is installed in "owner" mode, the directive suPHP_UserGroup is not recognized which is required for "force" or "paranoid" mode. When attempting to use the suPHP_UserGroup directive with suPHP in "owner" mode, you will encounter this error while restarting apache2:

<syntaxhighlight lang="bash">Invalid command 'suPHP_UserGroup', perhaps misspelled or defined by a module not included in the server configuration</syntaxhighlight>

For this reason, we opt to install suPHP directly from source rather than use the pre-compile Debian package.

Install suPHP Prerequisites

<syntaxhighlight lang="bash">apt-get install apache2-prefork-dev make gcc g++ php5-cgi wget</syntaxhighlight>

Disable PHP5

We're changing the interpretter that handles PHP scripts. We'll need to disable PHP5.

<syntaxhighlight lang="bash">a2dismod php5</syntaxhighlight>

Installation

Download suPHP

Get the suPHP source. The current version is 0.7.1.

<syntaxhighlight lang="bash"> cd / wget http://suphp.org/download/suphp-0.7.1.tar.gz tar -zxf suphp-0.7.1.tar.gz cd suphp-0.7.1 </syntaxhighlight>

Compile suPHP

This will configure suPHP to use /etc as the configuration directory and set the mode to "paranoid".

<syntaxhighlight lang="bash"> ./configure --prefix=/usr --sysconfdir=/etc --with-apache-user=www-data --with-setid-mode=paranoid --with-apxs=/usr/bin/apxs2 make make install </syntaxhighlight>

Copy the suphp.conf file

The suPHP package comes with an example suphp.conf file. We're going to copy this to /etc.

<syntaxhighlight lang="bash"> cp /suphp-0.7.1/doc/suphp.conf-example /etc/suphp.conf </syntaxhighlight>

Clean up our installation files

<syntaxhighlight lang="bash"> rm -rf /suphp-0.7.1 rm -rf /suphp-0.7.1.tar.gz </syntaxhighlight>

Configuring suphp.conf

Let's modify /etc/suphp.conf for our server environment. Open the config file in your favorite editor. Throughout the course of this guide, we'll use nano.

<syntaxhighlight lang="bash">nano /etc/suphp.conf</syntaxhighlight>

Change the line:

<syntaxhighlight lang="bash">webserver_user=wwwrun</syntaxhighlight>

to:

<syntaxhighlight lang="bash">webserver_user=www-data</syntaxhighlight>

Change the line:

<syntaxhighlight lang="bash">x-httpd-php="php:/usr/bin/php"</syntaxhighlight>

to:

<syntaxhighlight lang="bash">application/x-httpd-suphp="php:/usr/bin/php-cgi"</syntaxhighlight>

Loading suPHP in apache2

suphp.load

Create a suphp.load file for apache2

<syntaxhighlight lang="bash">nano /etc/apache2/mods-available/suphp.load</syntaxhighlight>

Place this line in the file and save:

<syntaxhighlight lang="bash">LoadModule suphp_module /usr/lib/apache2/modules/mod_suphp.so</syntaxhighlight>

apache2 suPHP config file

Create an apache2 conf file for suPHP:

<syntaxhighlight lang="bash">nano /etc/apache2/mods-available/suphp.conf</syntaxhighlight>

Place these lines in the file and save.

<syntaxhighlight lang="bash"> <IfModule mod_suphp.c>

 AddType application/x-httpd-suphp .php .php3 .php4 .php5 .phtml
 suPHP_AddHandler application/x-httpd-suphp
 <Directory />
   suPHP_Engine on
 </Directory>
  1. By default, disable suPHP for debian packaged web applications as files
  2. are owned by root and cannot be executed by suPHP because of min_uid.
 <Directory /usr/share>
   suPHP_Engine off   
 </Directory>
  1. Use a specific php config file (a dir which contains a php.ini file)
  2. suPHP_ConfigPath /etc/php4/cgi/suphp/
  3. Tells mod_suphp NOT to handle requests with the type <mime-type>.
  4. suPHP_RemoveHandler <mime-type>

</IfModule> </syntaxhighlight>

Enable suPHP in apache2

<syntaxhighlight lang="bash">a2enmod suphp</syntaxhighlight>

We now need to edit our site's VirtualHost entry to include the suPHP_UserGroup directive. Continuing from our previous guide, our site is called mywebsite.example.com. Our username is 'mywebsite'. We're going to edit the appropriate apache2 Virtual Host file:

<syntaxhighlight lang="bash">nano /etc/apache2/sites-available/mywebsite.example.com</syntaxhighlight>

Within this file, before the closing </VirtualHost> tag at the bottom, add these lines:

<syntaxhighlight lang="bash"> <IfModule mod_suphp.c>

 suPHP_UserGroup mywebsite mywebsite

</IfModule> </syntaxhighlight>

Restart Apache

<syntaxhighlight lang="bash">service apache2 restart</syntaxhighlight>

At this point, suPHP is enabled and active. Let's create a test php file in our directory to ensure it's working properly. Again, we're going to use the document root as described in our LAMP setup tutorial.

Testing suPHP

Create the PHP file for testing

<syntaxhighlight lang="bash">nano /home/mywebsite/public_html/index.php</syntaxhighlight>

Enter this line and save:

<syntaxhighlight lang="bash"> <?php echo 'whoim = '.exec('/usr/bin/whoami');?> </syntaxhighlight>

chown the file properly. We're using the username 'mywebsite' in this example.

<syntaxhighlight lang="bash"> chown mywebsite.mywebsite /home/mywebsite/public_html/index.php </syntaxhighlight>

You should now be able to navigate to this file in a browser and see the output. In our case, we visit mywebsite.example.com and can see:

whoim = mywebsite

This shows us that the PHP script is running as the user 'mywebsite' instead of the Apache user 'www-data'.

suPHP is now installed and ready for use.

Install MySQL

Use apt-get to install the necessary packages for MySQL

<syntaxhighlight lang="bash">apt-get install mysql-server mysql-client php5-mysql</syntaxhighlight>

During the installation, you'll be prompted to configure the MySQL "root" password.

You should set this to a secure, strong password different from your server's root password.

Congratulations, you've just setup a Debian 6 LAMP server. You're now ready to install your favorite PHP-based web script and begin designing your website.