Difference between revisions of "Configuring a LAMPP server for PHP development/Linux desktop"

From Joomla! Documentation

m (Method 1: Implementing suPHP)
m (Method 2: Changing Apache user and group)
Line 321: Line 321:
 
<span style="color:red; font-weight:bold;"> '''NOTE:'''This method is highly discouraged, do not implement in a computer with personal or sensitive information, install a firewall to block external incoming traffic to your web server.</span>
 
<span style="color:red; font-weight:bold;"> '''NOTE:'''This method is highly discouraged, do not implement in a computer with personal or sensitive information, install a firewall to block external incoming traffic to your web server.</span>
  
To make Apache execute under your current user and group you got to  edit some parameters in the Apache configuration file and make it execute under our current user and group, this will solve our file ownership problems '''but opens a severe security hole'''.
+
To make Apache execute under your current user and group you got to  edit some parameters in the Apache configuration file and make it execute under our current user and group, this will solve our file ownership problems <span style="color:red; font-weight:bold;"> but opens a severe security hole</span>.
  
 
To change the user and group of the Apache service, follow these instructions:
 
To change the user and group of the Apache service, follow these instructions:
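Review bot: in the changed sentence ("To make Apache execute under your current user and group ...") the revision only swaps the bold markup for a red span, so the warning still does not say what the hole is. Suggest stating the consequence in the sentence itself, for example that every PHP script Apache serves then runs with the rights of your login account, and cleaning up the wording while the line is being touched: "you got to  edit" carries a double space, and "execute under your/our current user and group" is said twice in the same sentence.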

Revision as of 18:56, 6 May 2012

Introduction

This article provides detailed instructions for configuring a LAMPP server. Although written for Joomla!, it should also work fine for PHP development in general.

These instructions should work fine on any Debian-based distribution such as Debian, Ubuntu, LinuxMint, Xubuntu, Kubuntu and others.

Installation

NOTE: You need a stable Internet connection for this tutorial

The installation of a LAMPP server on Linux is extremely easy; just follow these instructions:

  • Open a terminal and type:
sudo apt-get install apache2 php5-mysql libapache2-mod-php5 mysql-server phpmyadmin libapache2-mod-suphp
  • Say yes [Y] when the package manager asks you to download and install the packages; this step will take some time depending on your connection speed
  • At some point the installer will ask you for the MySQL root password; use any password you like, but for this example we are going to use "myadmin"
  • The installer will ask for "the web server that should be automatically configured to run phpmyadmin"; press [spacebar] to choose "apache2" and press [enter]. NOTE: make sure the selection is marked with an asterisk [*]
  • The installer will ask for "Configure database for phpmyadmin with dbconfig-common", choose "<yes>" and press [enter]
  • The installer will ask for "password of the database's administrative user", use any password you like, but for this example we are going to use "myadmin"
  • The installer will ask for "mysql application password for phpmyadmin", use any password you like, but for this example we are going to use "myadmin"
  • If no errors have been displayed, the installation is finished

1st test for Apache

  • Open your web browser and type in the address bar "localhost" and press [enter]
  • Normally Apache displays a test page with some text like this:
It works!
This is the default web page for this server.
The web server software is running but no content has been added, yet.

1st test for PHP server

To test whether the PHP server is working, let's create a quick test file using the command line

  • Open a terminal and type
echo "<?php phpinfo(); ?>" | sudo tee /var/www/test.php 
  • Open your web browser and type in the address bar "localhost/test.php" and press [enter]
  • The next thing you should see in your browser is a really long page displaying information about the PHP server; if not, then something went wrong
  • Now that we know the PHP server is working fine we don't need that test file anymore; type the following command in your terminal to delete the file
sudo rm /var/www/test.php

1st test for phpMyAdmin

  • Open your web browser and type in the address bar "localhost/phpmyadmin" and press [enter]
  • The next thing you should see is the phpMyAdmin login page; if not, then something went wrong. Most likely you skipped or did not mark the option "apache2" at the question "web server that should be automatically configured to run phpmyadmin". To fix this problem, purge the installation and start the installation steps over again
  • Log in to phpMyAdmin with the following credentials
    • username = root
    • password = myadmin
  • You should be able to log in normally and have no error messages at all

Understanding the folder structure

There are several folders and files that the LAMP server uses to store the configurations of the LAMP services and to store the files of your hosted websites

Apache default web site folder

Location: "/var/www/"

Description: By default the Apache server enables a test website and stores the website files in that location, so every time you visit the page "localhost", the browser displays the HTML page located there.

With your file browser navigate to "/var/www/"; there should be a file called "index.html". Change the content of the file to whatever you want and refresh the web page to see the changes.

Apache web sites configuration files

Location: "/etc/apache2/sites-available/"

Description: You can host multiple sites on the same server; this folder holds a configuration file for each site.

Apache configuration file

Location: "/etc/apache2/apache2.conf"

Location: "/etc/apache2/envvars"

Description: These files contain very important information about the Apache service.

Apache ports configuration file

Location: "/etc/apache2/ports.conf"

Description: This file configures which ports the Apache server listens on for HTTP requests; by default HTTP requests are assigned to port 80, but you can modify or add more ports.

Apache log files

Location: "/var/log/apache2/"

Description: This folder contains several files that keep track of events on your Apache web server, such as errors in the services, errors in the code of your site, failed authentication attempts and more. This is a good place to look when something is not working fine or you suspect someone is trying to breach your server security.

Configuration

Deploying a new site location

By default the web server hosts the files in the location "/var/www", but for security reasons and to avoid ownership problems we are going to use another place to host our web site files.

Let's create a new folder to store the web files and the log files of the server

  • open a terminal and type
mkdir /home/youruser/lamp/
mkdir /home/youruser/lamp/public_html/
mkdir /home/youruser/lamp/logs/

NOTE: You can place your new site folders on any location you desire, this is just an example, replace "youruser" with your actual Linux username

To store the web site files we are going to use the folder "public_html" and for our log files we are going to use the folder "logs"

Creating the new site

To create and enable a new site in your server follow these steps:

NOTE: gedit is a common Linux editor but you can use any other alternative you like such as geany, nano, vim, pico, etc...

  • open a terminal and type
sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-available/mydevsite

NOTE: "mydevsite" is the name of the new site used in this example, you can use any other name you like

  • Open the site configuration
sudo gedit /etc/apache2/sites-available/mydevsite
  • The content of that file should be something like this
<VirtualHost *:80>
        ServerAdmin webmaster@localhost

        DocumentRoot /var/www
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>

  • Modify it so that it looks like this, or simply copy and paste it
<VirtualHost *:80 *:8080>
        ServerAdmin webmaster@localhost

        DocumentRoot /home/youruser/lamp/public_html
        <Directory />
                Options FollowSymLinks
                AllowOverride All
        </Directory>
        <Directory /home/youruser/lamp/public_html>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                allow from all
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride All
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog /home/youruser/lamp/logs/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /home/youruser/lamp/logs/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride All
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>

NOTE: Replace "youruser" with your current user name

  • Save changes
  • Now we need to enable the site, in a terminal type
sudo a2ensite mydevsite
  • Let's disable the default site, we don't need it anymore
sudo a2dissite default
  • Restart Apache to complete the process, in a terminal type
sudo service apache2 restart
  • To test out our new site let's create a quick test file, in a terminal type
echo "<?php echo 'Hello world, today is: '.date('Y/m/d'); ?>" | tee /home/youruser/lamp/public_html/today.php

NOTE: Replace "youruser" with your current user name

  • Open your browser and navigate to "localhost/today.php"
  • If everything is working ok you should see something like this
Hello world, today is: 2012/05/05

Preventing ownership problems

By default in some Linux installations the Apache server runs under the user "www-data", which is also in the "www-data" group. This behavior will bring us problems in the future because any file modified or created by the server will have a different ownership. In other words, you won't be able to edit some files created or modified by the server unless you manually change the permissions of each file to something like 777 or execute your editor as "super user", both of which are really bad ideas.

Method 1: Implementing suPHP

suPHP is an Apache module used to execute PHP scripts with the permissions of their file owners

This is how the server will work thanks to suPHP

  • If a PHP file has the owner "dexter", suPHP will execute that file as "dexter" and not as the Apache user, aka "www-data"
  • If another PHP file has the owner "adam", suPHP will execute that file as "adam" and not as the Apache user, aka "www-data"
  • If another PHP file has the owner "www-data", suPHP will execute that file as "www-data", which is the Apache user
  • If a folder has the owner "dexter" and it has a PHP file inside it with the owner "adam", the server will throw a "500" error when someone tries to request that file because it does not belong to "dexter"
  • If any PHP script tries to read or write files or folders outside the server's document root, then the server will deny the action
  • If a file has too permissive permissions such as "chmod 666", then the server will throw a "500" error because suPHP doesn't allow too permissive permissions for security reasons

We already have suPHP installed; to configure it follow these steps:

  • Open a terminal and Type
sudo gedit /etc/suphp/suphp.conf
  • Find the option "docroot" and set the location of your public_html folder, like this
docroot= /home/youruser/lamp/public_html

NOTE: You can place your new site folders on any location you desire, this is just an example, replace "youruser" with your actual Linux username

  • Save changes
  • Type in your terminal
sudo gedit /etc/apache2/mods-available/php5.conf
  • In your editor create a new empty line at the first line of the document and add this text there
<Directory /usr/share>
  • Then at the end of the document create another empty line and add this text there
</Directory>
  • Save changes
  • Type in your terminal
sudo service apache2 restart
  • Let's create a file to do a quick test to see if suPHP is working correctly, type in your terminal
echo "<?php echo 'whomi = '.exec('/usr/bin/whoami');?>" | tee /home/youruser/lamp/public_html/whomi.php
  • Open your browser and navigate to "localhost/whomi.php". Most likely the browser will show you a "500" server error; this is because suPHP does not allow too permissive file and folder permissions and also does not allow mixed file and folder ownership. To correct this, type in your terminal
sudo find /home/youruser/lamp/public_html/ -type f -exec chmod 644 {} \;
sudo find /home/youruser/lamp/public_html/ -type d -exec chmod 755 {} \;
sudo chown youruser:youruser -R /home/youruser/lamp/public_html/

NOTE: You can place your new site folders on any location you desire, this is just an example, replace "youruser" with your actual Linux username

Those commands enforce secure and correct file and folder permissions and also set the correct user and group ownership for all of them

  • Open your browser and navigate to "localhost/whomi.php", you should see something like this
whomi = youruser

That means the script is being executed with your user and not the Apache user unless you specified so
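
The rules listed for Method 1 can be checked before you load the page in a browser. The following script is an added example, not part of the original article: it reports entries that are writable by group or others, or that are not owned by the expected account. The function name suphp_audit and the demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): read-only audit of a document
# root against the suPHP rules listed above. The name suphp_audit is
# hypothetical; -perm /022 is GNU find syntax, as shipped on Debian/Ubuntu.

# suphp_audit DOCROOT OWNER
#   OWNER is the user name or numeric UID that should own every entry.
#   Prints one "reason<TAB>path" line per problem; returns 1 if any exist.
suphp_audit() {
    docroot=$1
    owner=$2
    report=$(
        # Writable by group or others (666, 775, 777, ...): suPHP answers 500.
        find "$docroot" \( -type f -o -type d \) -perm /022 \
            -exec printf 'too-permissive\t%s\n' {} +
        # Mixed ownership inside the tree: suPHP answers 500 as well.
        find "$docroot" ! -user "$owner" \
            -exec printf 'wrong-owner\t%s\n' {} +
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Constructed demo tree: one file with the correct mode, one left at 666.
demo=$(mktemp -d)
mkdir "$demo/public_html" && chmod 755 "$demo/public_html"
echo '<?php echo "ok"; ?>'  > "$demo/public_html/index.php"
echo '<?php echo "bad"; ?>' > "$demo/public_html/upload.php"
chmod 644 "$demo/public_html/index.php"
chmod 666 "$demo/public_html/upload.php"
suphp_audit "$demo/public_html" "$(id -u)" || echo "fix modes/ownership first"
rm -rf "$demo"
```

On a real site, call it as suphp_audit /home/youruser/lamp/public_html youruser; an empty report means the chmod and chown commands above have done their job.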

Method 2: Changing Apache user and group

NOTE: This method is highly discouraged. Do not implement it on a computer with personal or sensitive information, and install a firewall to block external incoming traffic to your web server.

To make Apache execute under your current user and group you have to edit some parameters in the Apache configuration file. This will solve our file ownership problems but opens a severe security hole.

To change the user and group of the Apache service, follow these instructions:

  • open a terminal and type
sudo gedit /etc/apache2/envvars
  • Find the lines
export APACHE_RUN_USER=www-data
export APACHE_RUN_GROUP=www-data
  • Replace the "www-data" with your current username in both lines
  • Save changes
  • Type in your terminal
sudo service apache2 restart
  • Let's create a file to do a quick test to see if the new configuration is working correctly, type in your terminal
echo "<?php echo 'whomi = '.exec('/usr/bin/whoami');?>" | tee /home/youruser/lamp/public_html/whomi.php
  • Open your browser and navigate to "localhost/whomi.php", you should see something like this
whomi = youruser

That means the script is being executed with the new user (you)
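
Because Method 2 is easy to forget once it is in place, a check for it is useful on any machine that started life as a development box. The script below is an added example, not part of the original article: it reads the APACHE_RUN_USER line from an envvars file and reports whether that account is root or a regular login user. The function names are assumptions, and the 1000-59999 range is Debian's default UID range for regular users.

```shell
#!/bin/sh
# Added example (not from the original page): detect whether Method 2 is in
# effect, i.e. Apache's worker user is a login account. Function names are
# hypothetical; the 1000-59999 range is Debian's default for regular users.

# apache_run_user ENVVARS: print the last APACHE_RUN_USER assignment.
apache_run_user() {
    sed -n 's/^[[:space:]]*export[[:space:]]\{1,\}APACHE_RUN_USER=//p' "$1" |
        tail -n 1 | tr -d "\"'"
}

# check_run_user ENVVARS [PASSWD]
#   returns 0: service account, 1: root or a regular login user, 2: unknown
check_run_user() {
    user=$(apache_run_user "$1")
    uid=$(awk -F: -v u="$user" '$1 == u { print $3; exit }' "${2:-/etc/passwd}")
    if [ -z "$uid" ]; then
        echo "unknown: '$user' not found in passwd"
        return 2
    fi
    if [ "$uid" -eq 0 ] || { [ "$uid" -ge 1000 ] && [ "$uid" -le 59999 ]; }; then
        echo "RISK: PHP runs as '$user' (uid $uid) with that account's full rights"
        return 1
    fi
    echo "ok: Apache runs as service account '$user' (uid $uid)"
}

# Constructed sample files: a passwd excerpt and an envvars edited per Method 2.
tmp=$(mktemp -d)
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
youruser:x:1000:1000:Your User,,,:/home/youruser:/bin/bash
EOF
cat > "$tmp/envvars" <<'EOF'
export APACHE_RUN_USER=youruser
export APACHE_RUN_GROUP=youruser
EOF
check_run_user "$tmp/envvars" "$tmp/passwd" || true
rm -rf "$tmp"
```

On a live system run check_run_user /etc/apache2/envvars; the second argument defaults to /etc/passwd.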

Fine tuning

to do ...