Gadget Freak!

Setting Up a Server Using the LAMP (Linux, Apache, MySQL, PHP/Perl) Model

by Lisa Lovchik

Note from Ed:  I consider myself very fortunate to have some bright friends.  This document was written by someone very near and dear to me, Lisa Lovchik, who by the way, has also worked incessantly (completely as a labor of love) in designing this website in a way that will make it easy for me to modify.  She's been taking classes in LAMP (Linux, Apache, MySQL, and PHP) so she took some notes on getting it up and running.  I asked her if she'd post it here, and she's obliged out of the kindness of her heart.  Thanks so much, Lisa!

The following is a combination of two documents I created while taking a class on web servers using a LAMP platform. I don't pretend to be a guru on this subject, but I do hope it will be of some help to you while struggling to get your web server project off the ground.

Most of the documentation (including the textbooks) that I was able to find on this subject provided a complete overkill of information and was not explained very well to begin with. I wanted something that would help me get a LAMP-based web server up and running quickly, with simple explanations of what was being done and why, leaving the advanced features and theory lessons for another time.  After all, most of us who are trying to set up a web server for the first time are probably far more concerned with just getting the system running in the first place. Once the platform is working properly, we can always add more advanced features as necessary.

When I was doing these projects I gave security the highest priority whenever possible.  One document describes the thought process of planning which modules and directives to configure Apache with for a particular project.  The second describes how to configure and test the various components of your server. Our group ran too short on time to implement SSL for our project, so as I add notes to this document I will include the SSL topic.

These documents were originally written with my classmates in mind, and therefore assume an understanding of topics that were covered in class. I will modify them on an ongoing basis to make this more of a general purpose help page. In addition, these examples use Red Hat 8.0,  Apache 2.0.40,  MySQL 3.23.55,  PHP 4.2.2,  and Perl 5.8.0. Your configuration and directories may differ depending on the versions or distributions of software you may be using.

There may well be things I have missed or am mistaken on here. If so, please do e-mail me and let me know.  Thanks, and enjoy!

 

Apache Installation Plan

Objective

To build a web server with an order form and shopping cart, and ultimately, a database for the catalog.  In order to support our anticipated needs, I believe we will need to install SSL, Perl, MySQL, and PHP.

Installation

One of the things I believe to be most important due to the likelihood that we will be reconfiguring our server often is the ability to use DSO’s. The 20% performance sacrifice when starting the server is, I feel, a small price to pay in lieu of repeatedly recompiling the server every time we needed to make a change.  During my research, I found it quite difficult to determine from available documentation whether an Apache binary can be found with mod_so pre-compiled into it.  I finally resorted to running a test install of Red Hat 8.0, specifying the included Apache 2.0.40 to be installed, and running httpd -l (that's a lowercase L), at which time I was able to confirm that RH8 does in fact install Apache 2.0 with mod_so statically compiled.

SSL, Perl, MySQL, and PHP support are also included with the Red Hat 8.0 distribution.  RH8 includes mod_ssl 2.0.40, Perl 5.8.0, MySQL 3.23.52, and PHP 4.2.2.  Selecting these during RH8 installation would obviously be the easiest way to go, although due to time constraints I was not able to determine which, if any, modules are statically compiled into the Apache core.  Perl, MySQL, and PHP can be installed as DSO’s and from RPM’s, and SSL must be statically compiled.  From my research I would assume that RH8 follows suit, and although I was not able to confirm this, the tradeoff of fast and easy initial installation outweighs the unlikely possibility that we would for some reason find it necessary to reconfigure and recompile Apache later.

It appears that we can get all the functionality we would initially need merely from selecting the appropriate options during RH8 installation and make adjustments later when our needs become clearer.

Directives

In light of threats that could be posed by would-be intruders, I feel it is important to strive for as much security as possible.  Following are directives that seemed prudent with these things in mind.  All of the following are directives for /etc/httpd/conf/httpd.conf .

AllowOverride None   (in the system root / directory container)
    Secure the system by disabling the use of .htaccess files altogether, so that the subversion of a subdirectory wouldn’t mean subversion of the entire system.

Options IncludesNOEXEC   (in the document root /var/www/html/ directory container)
    Allow SSI without enabling the more dangerous exec and include commands.

Options +ExecCGI   (in the cgi-bin /var/www/cgi-bin/ directory container)
    Allow CGI execution solely in the protected cgi-bin directory.

AccessConfig /dev/null   (at the beginning of httpd.conf)
ResourceConfig /dev/null   (at the beginning of httpd.conf)
    Disable Apache’s search for these obsolete files, whose functions are now incorporated into httpd.conf, so that a fake AccessConfig or ResourceConfig file cannot be created and used to subvert the server.  These two directives apply to Apache 1.3 only: Apache 2.0 removed both of them and no longer looks for access.conf or srm.conf, so with the 2.0.40 used here they should be left out.

ServerName yourhostname.yourdomainname
    The name the server uses when creating self-referential URLs.  The default is localhost.localdomain.

I understand that since this setup doesn’t use .htaccess files at all we would have to restart the Apache server should it be necessary to change the Options configuration.  The tradeoff for increased security is, in my opinion, worth any inconvenience.  I researched the other directives, such as DocumentRoot, ScriptAlias, and ServerType, and feel they are suitable left at their default values.
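
One way to check an httpd.conf against the directive plan above, as an added example that is not part of the original document. The function name audit_httpd_conf, its messages and the sample configuration are constructed for illustration, and only <Directory> containers in a single file are examined.

```shell
#!/bin/sh
# Added example: audit an httpd.conf read from stdin against the plan above.
# Prints one finding per line and nothing when the plan is met. It only
# understands <Directory> containers; included files are not followed.
audit_httpd_conf() {
    awk -v cgi="${1:-/var/www/cgi-bin}" '
    /^[ \t]*#/ { next }                           # skip comment lines
    tolower($1) == "<directory" {                 # entering a container
        dir = $2; gsub(/[">]/, "", dir)
        if (length(dir) > 1) sub(/\/$/, "", dir)  # drop a trailing slash
        next
    }
    tolower($1) == "</directory>" { dir = ""; next }
    tolower($1) == "allowoverride" && dir == "/" { root_ao = tolower($2) }
    tolower($1) == "options" {
        where = (dir == "" ? "server-wide" : dir)
        for (i = 2; i <= NF; i++) {
            opt = tolower($i); sub(/^\+/, "", opt)  # "-Opt" switches it off
            if ((opt == "execcgi" || opt == "all") && dir != cgi)
                print "ExecCGI enabled outside " cgi ": " where
            if (opt == "includes" || opt == "all")
                print "SSI #exec enabled, use IncludesNOEXEC: " where
        }
    }
    END {
        if (root_ao != "none")
            print "<Directory /> does not set AllowOverride None"
    }'
}

# Constructed sample configuration with three deviations from the plan.
sample_weak_conf() {
    cat <<'EOF'
<Directory />
    Options FollowSymLinks
    AllowOverride All
</Directory>
<Directory "/var/www/html">
    Options Indexes Includes ExecCGI
</Directory>
<Directory "/var/www/cgi-bin">
    Options +ExecCGI
</Directory>
EOF
}

sample_weak_conf | audit_httpd_conf
```

Run it against the live file with audit_httpd_conf < /etc/httpd/conf/httpd.conf; no output means the three checks passed.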

We will ensure that the permission settings for /var/www/cgi-bin/ are set so that only specifically authorized users can write to the cgi-bin directory.  We can do this by creating a web administration group such as webadmin , and recursively changing ownership and permissions as follows:

# chown -R nobody.webadmin /var/www/cgi-bin
# chmod -R 750 /var/www/cgi-bin

As a precaution, we will keep a backup copy of httpd.conf and config.status so that we can easily revert to previous settings should problems arise during configuration.

Summary

The steps we will take to install this server are as follows:
  1. Install Red Hat 8.0, selecting support for SSL, Perl, MySQL, and PHP to be included during installation.
  2. Add or edit the appropriate directives in the httpd.conf file using emacs or a similar text editor.
  3. Restrict ownership and permission settings for the cgi-bin directory.
  4. Keep a backup of our configuration files.
  5. Change directory to /usr/sbin/   ( cd /usr/sbin ).
  6. Start Apache server   ( ./httpd )
  7. Open a browser such as Mozilla, point it to http://yourhostname.yourdomainname and ensure that it does bring up the Apache placeholder web page.
  8. Test functionality and troubleshoot any problems.

 

Setting up Apache, MySQL, PHP, CGI, and Perl

Defaults as configured by Red Hat 8.0 RPM's

Apache
    httpd.conf - Apache configuration file - /etc/httpd/conf/
    htdocs - Apache HTML documents - /var/www/html/
    cgi-bin - Apache cgi-bin - /var/www/cgi-bin/
    error_log - Apache error log file - /etc/httpd/logs/
    apachectl - Apache control utility - /usr/sbin/
MySQL
    mysql_install_db - MySQL setup - /usr/bin/
    safe_mysqld - MySQL executable if running as root - /usr/bin/
    mysqld - MySQL executable if running as a user - /usr/libexec/
    mysql - MySQL login - /usr/bin/
    mysqlshow - MySQL test - /usr/bin/
    Database folder - /var/lib/mysql/
PHP
    php.ini - PHP configuration file - /etc/

localhost.localdomain - Default host name

Starting and stopping Apache

root]# apachectl start
root]# apachectl stop

Setting up CGI

  1. In httpd.conf, remove the # from in front of the AddHandler cgi-script line and add .pl at the end for Perl support, so that it reads:
       AddHandler cgi-script .cgi .pl
  2. Stop and restart Apache (see above).
  3. Type up your CGI scripts in a text editor (such as gedit) and save them in the cgi-bin folder.
  4. Set the ownership and permissions on each script:
       cgi-bin]# chown root.root yourcginame.cgi
       cgi-bin]# chmod 755 yourcginame.cgi

Starting MySQL (as root)

root]# cd /usr/bin
bin]# ./mysql_install_db
bin]# ./safe_mysqld --user=root &
bin]# ./mysqladmin -u root password yourpassword

Checking MySQL

bin]# ./mysqlshow -p
If MySQL is working you should see a test database called mysql

bin]# ./mysql -h yourhostname -u root -p
Enter your password

mysql> show databases;
You should see two test databases.  You are now ready to set up a new database, so quit MySQL:

mysql> quit;

Setting up your MySQL database

Create the file in which your data will be stored and start MySQL with the new file
bin]# ./mysqladmin -p create yourdbfilename
bin]# ./mysql -p yourdbfilename
Create the table for your database
The following example will create a table with columns named fieldname1, fieldname2, and fieldname3.  Fieldname1 has been allotted 10 characters, fieldname2 gets 25 characters, fieldname3 gets 5 characters.  Fieldname1 has been designated as a primary key, meaning that this is the key field you will be using to search for specific data in your database.  For example, for an e-commerce site this is often a customer ID number, with the remaining fields holding the name, address and phone number corresponding to that customer ID number.  Any field can be designated as a primary key, but it must also be designated as NOT NULL , meaning that it's a required field that cannot be left blank because it's being used to search the database.

Additional note:  Do not rely on MySQL to reject the addition of data that is missing information for the primary key field.  Instead, your CGI script or PHP program should check form data to ensure that all data submitted by a user is valid and in the proper format, and that any required fields have been filled, before the data is ever submitted to MySQL.

mysql> create table yourtablename
     > (fieldname1 char(10) NOT NULL, primary key (fieldname1),
     > fieldname2 char(25),
     > fieldname3 char(5) );
Load the table with data
For the purposes of this project, we are loading data from a simple comma-separated values (CSV) text file (also called a flat text file).  The following example loads the contents of a flat text file named data.txt into the table you created.

mysql> LOAD DATA LOCAL INFILE "data.txt"
     > INTO TABLE yourtablename
     > FIELDS TERMINATED BY ', ';

Checking your MySQL database

mysql> show tables;
This should now reflect the new table you created.

mysql> show databases;
This should now reflect the new database you created.

mysql> describe yourtablename;
mysql> select * from yourtablename;
You should see the contents of your database in a table format.
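
The note about not relying on MySQL to reject bad rows applies to the flat file as well, so this added example (not part of the original document) checks data.txt before the LOAD DATA step: three fields per line, a non-empty and unique fieldname1, and values no longer than char(10), char(25) and char(5). The function name check_load_file and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example: check a flat file (stdin) before LOAD DATA, using the page's
# ", " separator and the example table's widths: char(10), char(25), char(5).
# Prints one finding per problem and nothing for a clean file.
check_load_file() {
    awk -F', ' '
    BEGIN { split("10 25 5", width, " ") }
    NF != 3 {
        print "line " NR ": expected 3 fields, found " NF; next
    }
    $1 == "" {                        # NOT NULL primary key left blank
        print "line " NR ": empty primary key (fieldname1)"; next
    }
    ($1 in seen) {                    # primary key must be unique
        print "line " NR ": duplicate primary key " $1 ", first on line " seen[$1]
        next
    }
    {
        seen[$1] = NR
        for (i = 1; i <= 3; i++)      # value longer than its column
            if (length($i) > width[i])
                print "line " NR ": fieldname" i " is " length($i) " chars, limit " width[i]
    }'
}

# Constructed sample data.txt: lines 3 to 6 each break one rule.
sample_data() {
    cat <<'EOF'
C001, Alice Example, 55501
C002, Bob Example, 55502
, Carol Example, 55503
C001, Dave Example, 55504
C005, Erin Example With A Very Long Name, 55505
C006, Frank Example
EOF
}

sample_data | check_load_file
```

Run it as check_load_file < data.txt and load the file only when it prints nothing.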

Starting MySQL with an existing database

bin]# ./safe_mysqld --user=root &
bin]# ./mysql -h yourhostname -u root -p yourdbfilename
Enter your password

Configuring PHP

Add to httpd.conf:
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps

Optional:
Change php.ini to allow short tags in PHP code ( <?  instead of  <?php  )
short_open_tag = On

Optional:
Change php.ini to pass HTML form data to your scripts automatically, but it's a potential security risk:
register_globals = On

If you leave this set to default Off , it will be more secure but you will need to use:
$HTTP_GET_VARS for GET method and
$HTTP_POST_VARS for POST method to pass values to your scripts, for example:
$custname = $HTTP_POST_VARS['customername'];

Checking PHP

Create a file in htdocs named test.php with the following contents:
<?php phpinfo() ?>

Make sure Apache is running, and then open a browser and enter
http://yourhostname.yourdomain/test.php
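into the address bar.  You should see all of the PHP configuration info displayed.  Delete test.php once you have confirmed that PHP works, because the phpinfo() output reveals the server's configuration to anyone who requests the page.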

 


© 2002-2003 - Edward Hagihara and Ms. Phitt, Web Site Development by Ms. Phitt