Configuring a LAMPP server for PHP development/Linux desktop

From Joomla! Documentation

Revision as of 14:31, 6 August 2012 by Enav

Configuration

Enabling mod_rewrite

The mod_rewrite module uses a rule-based rewriting engine, based on a PCRE regular-expression parser, to rewrite requested URLs on the fly. By default, mod_rewrite maps a URL to a filesystem path. However, it can also be used to redirect one URL to another URL, or to invoke an internal proxy fetch.

For more information, visit http://httpd.apache.org/docs/current/mod/mod_rewrite.html

  • Open a terminal and type
sudo a2enmod rewrite
  • Now that the rewrite module is enabled, we need to restart Apache
sudo service apache2 restart
  • Done

Deploying a new site location

By default the web server serves files from "/var/www", but for security reasons and to avoid ownership problems we are going to host our web site files somewhere else.

Let's create a new folder to store the web files and the log files of the server

  • Open a terminal and type
mkdir /home/youruser/lamp/
mkdir /home/youruser/lamp/public_html/
mkdir /home/youruser/lamp/logs/

NOTE: You can place your new site folders in any location you like; this is just an example. Replace "youruser" with your actual Linux username.

To store the web site files we are going to use the folder "public_html", and for our log files we are going to use the folder "logs"

Creating the new site

To create and enable a new site on your server, follow these steps:

NOTE: gedit is a common Linux editor but you can use any other alternative you like such as geany, nano, vim, pico, etc...

  • Open a terminal and type
sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-available/mydevsite

NOTE: "mydevsite" is the name of the new site used in this example; you can use any other name you like

  • Open the site configuration
sudo gedit /etc/apache2/sites-available/mydevsite
  • The content of that file should be something like this
<VirtualHost *:80>
        ServerAdmin webmaster@localhost

        DocumentRoot /var/www
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>

  • Modify it so that it looks like this, or simply copy and paste it
<VirtualHost *:80>
        ServerAdmin webmaster@localhost

        DocumentRoot /home/youruser/lamp/public_html
        <Directory />
                Options FollowSymLinks
                AllowOverride All
        </Directory>
        <Directory /home/youruser/lamp/public_html>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                allow from all
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride All
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        ErrorLog /home/youruser/lamp/logs/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /home/youruser/lamp/logs/access.log combined

    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride All
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

</VirtualHost>

NOTE: Replace "youruser" with your current user name

  • Save changes
  • Now we need to enable the site, in a terminal type
sudo a2ensite mydevsite
  • Let's disable the default site, we don't need it anymore
sudo a2dissite default
  • Restart Apache to complete the process, in a terminal type
sudo service apache2 restart
  • To test our new site, let's create a quick test file; in a terminal type
echo "<?php echo 'Hello world, today is: '.date('Y/m/d'); ?>" | tee /home/youruser/lamp/public_html/today.php

NOTE: Replace "youruser" with your current user name

  • Open your browser and navigate to "localhost/today.php"
  • If everything is working OK, you should see something like this
Hello world, today is: 2012/05/05
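
The edited site file above sets AllowOverride All on every <Directory> block, not only on the document root where a site's .htaccess file lives. The script below is an added example, not part of the original page: it lists each block that honours .htaccess overrides and marks the ones outside DocumentRoot for review. It assumes one <VirtualHost> per file, and the sample is trimmed from the configuration shown above.

```shell
#!/bin/sh
# Added example: report which <Directory> blocks in an Apache site file set
# "AllowOverride All" and whether each one lies under the DocumentRoot.
# Assumption: one <VirtualHost> per file, as in the site file on this page.

# audit_overrides [FILE]   (reads stdin when FILE is omitted)
#   "ok <path>"      block is the DocumentRoot or a directory below it
#   "review <path>"  block is outside the DocumentRoot
audit_overrides() {
    awk '
        function clean(s) { gsub(/["<>]/, "", s); sub(/\/+$/, "", s); return (s == "" ? "/" : s) }
        tolower($1) == "documentroot" { docroot = clean($2) }
        tolower($1) == "<directory"   { dir = clean($2); indir = 1; next }
        tolower($1) == "</directory>" { indir = 0; next }
        indir && tolower($1) == "allowoverride" && tolower($2) == "all" { hits[++n] = dir }
        END {
            prefix = (docroot == "/" ? "/" : docroot "/")
            for (i = 1; i <= n; i++) {
                inside = (docroot != "" && (hits[i] == docroot || index(hits[i], prefix) == 1))
                tag = (inside ? "ok" : "review")
                print tag, hits[i]
            }
        }
    ' "$@"
}

# Constructed sample: the <Directory> blocks of the edited site file, trimmed.
sample_site() {
    cat <<'EOF'
<VirtualHost *:80>
        DocumentRoot /home/youruser/lamp/public_html
        <Directory />
                AllowOverride All
        </Directory>
        <Directory /home/youruser/lamp/public_html>
                AllowOverride All
        </Directory>
        <Directory "/usr/lib/cgi-bin">
                AllowOverride All
        </Directory>
        <Directory "/usr/share/doc/">
                AllowOverride All
        </Directory>
</VirtualHost>
EOF
}

sample_site | audit_overrides
```

To check the real file, run audit_overrides /etc/apache2/sites-available/mydevsite.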

Enabling additional ports

Note: If you have no plans to show your local site to another person over the Internet, just skip this section.

With the configuration so far you should be able to access your page locally and from another computer connected to your LAN. If your computer is connected to the Internet and has a public IP assigned, you can also reach your site at that IP from any web browser. However, some ISPs do not allow HTTP traffic (HTTP = port 80) over dynamic IPs. To work around this, configure Apache to answer requests on a different port; in this case we are going to use port 8080, which is easy to remember.

If you connect to the Internet through a router, you will have to configure port forwarding on the router to let other people see your local site; search for "how to do port forwarding" for your router model. If you don't know the difference between a static IP, a dynamic IP, a private IP and a public IP, we recommend reading about these topics on Wikipedia.

  • Open a terminal and type:
sudo gedit /etc/apache2/ports.conf
  • Find the line "Listen 80" and insert this line underneath
Listen 8080
  • Save changes
  • Open your new site configuration
sudo gedit /etc/apache2/sites-available/mydevsite
  • Find this directive "<VirtualHost *:80>" and make the following modification

<VirtualHost *:80 *:8080>

  • Save changes
  • Restart Apache to complete the process, in a terminal type
sudo service apache2 restart
  • To test your new configuration, try to access your site from another computer over the Internet: type your IP in the browser's address bar and press Enter. If the request fails, try the alternative port, like this: xxx.xxx.xxx.xxx:8080

Enforcing security

Since your computer is now running web services, these services are listening for requests and will reply to anyone who has the correct IP and port. In other words, other people on your LAN and the Internet can access your local site without your permission, or even try to crack/hack your workstation. To prevent this, install a firewall and "deny" by default any external incoming requests to your computer.

For Linux users there is a nice and simple firewall called "Uncomplicated Firewall". To install its user interface and manage the firewall from your desktop, follow these steps:

  • Open a terminal and type:
sudo apt-get install gufw

Note: you can also install the application from the software center

  • Open the application when the installation finishes
  • Press the "unlock" button and type your administrative password
  • Make sure "Status = On" and "Incoming = Deny"; leave the rest at their default values
  • To test your firewall, try to connect to your local site from another computer on your LAN or a remote computer over the Internet while the firewall status is "Status = On"; you shouldn't be able to connect at all
  • Now "temporarily" change the status of your firewall to "Status = Off" and try to connect again; people should be able to see your local site just fine. Remember to set "Status = On" after this test

Note: In this tutorial we deny all incoming external requests on every port. You can also deny all incoming requests and manually allow incoming requests on a few specific ports if you wish, but those settings are up to you. Since a PC workstation is not a server, it is OK to deny all incoming traffic by default.

Preventing ownership problems

By default, in some Linux installations the Apache server runs as the user "www-data", which is also in the "www-data" group. This will cause problems later, because any file created or modified by the server will have a different owner: you won't be able to edit those files unless you manually change the permissions of each file to something like 777 or run your editor as "super user", both of which are really bad ideas.

Method 1: Implementing suPHP

suPHP is an Apache module used to execute PHP scripts with the permissions of their file owners

This is how the server will work thanks to suPHP

  • If a PHP file has the owner "dexter", suPHP will execute that file as "dexter" and not as the Apache user, aka "www-data"
  • If another PHP file has the owner "adam", suPHP will execute that file as "adam" and not as the Apache user, aka "www-data"
  • If another PHP file has the owner "www-data", suPHP will execute that file as "www-data", which is the Apache user
  • If a folder has the owner "dexter" and contains a PHP file with the owner "adam", the server will throw a "500" error when someone requests that file, because it does not belong to "dexter"
  • If any PHP script tries to read or write files or folders outside the server's document root, the server will deny the action
  • If a file has overly permissive permissions, such as "chmod 666", the server will throw a "500" error, because suPHP does not allow overly permissive permissions for security reasons

We already have suPHP installed. To configure it, follow these steps:

  • Open a terminal and type
sudo gedit /etc/suphp/suphp.conf
  • Find the option "docroot" and set the location of your public_html folder, like this
docroot= /home/youruser/lamp/public_html

NOTE: You can place your new site folders in any location you like; this is just an example. Replace "youruser" with your actual Linux username.

  • Save changes
  • Type in your terminal
sudo gedit /etc/apache2/mods-available/php5.conf
  • In your editor, create a new empty line at the first line of the document and add this text there
<Directory /usr/share>
  • Then, at the end of the document, create another empty line and add this text there
</Directory>
  • As you can see, we just enclosed the original content within those lines
  • Save changes
  • Type in your terminal
sudo service apache2 restart
  • Let's create a file for a quick test to see if suPHP is working correctly; type in your terminal
echo "<?php echo 'whoim = '.exec('/usr/bin/whoami');?>" | tee /home/youruser/lamp/public_html/whomi.php
  • Open your browser and navigate to "localhost/whomi.php". Most likely the browser will show a "500" server error, because suPHP does not allow overly permissive file and folder permissions or mixed file and folder ownership. To correct this, type in your terminal
sudo find /home/youruser/lamp/ -type f -exec chmod 644 {} \;
sudo find /home/youruser/lamp/ -type d -exec chmod 755 {} \;
sudo chown youruser:youruser -R /home/youruser/lamp/

NOTE: You can place your new site folders in any location you like; this is just an example. Replace "youruser" with your actual Linux username.

These commands set secure and correct file and folder permissions, and set the correct user and group ownership for all of them

  • Open your browser and navigate to "localhost/whomi.php", you should see something like this
whoim = youruser

That means the script is being executed with your user and not the Apache user unless you specified so
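
Before running the chmod and chown commands above on a real site, it helps to see what they will change. The script below is an added example, not part of the original page: a dry run that lists the entries suPHP would reject as described above, plus the files that the blanket chmod 644 would open up or alter. It assumes GNU find and stat, and the file names in its sample tree are made up.

```shell
#!/bin/sh
# Added example: dry run for the chmod/chown commands above (GNU find and stat).

# plan_perms DIR [OWNER]   (OWNER defaults to the owner of DIR)
# Prints one line for every entry the commands would change:
#   tighten <mode> -> <target> <path>  group/world-writable, the case suPHP answers with a 500
#   loosen  <mode> -> <target> <path>  target grants access the current mode withholds
#   change  <mode> -> <target> <path>  any other difference, e.g. a lost execute bit
#   owner <user> <path>                not owned by OWNER (mixed ownership)
plan_perms() {
    owner=${2:-$(stat -c %u "$1")}
    for spec in f:644 d:755; do          # targets used by the page's commands
        target=${spec#*:}
        find "$1" -type "${spec%%:*}" ! -perm "$target" -exec stat -c '%a %n' {} + |
        while read -r mode path; do
            cur=$((0$mode & 0777))
            if   [ $((cur & 022)) -ne 0 ];       then tag=tighten
            elif [ $((0$target & ~cur)) -ne 0 ]; then tag=loosen
            else                                      tag=change
            fi
            printf '%s %s -> %s %s\n' "$tag" "$mode" "$target" "$path"
        done
    done
    find "$1" ! -user "$owner" -exec stat -c 'owner %U %n' {} +
}

# Constructed sample tree (hypothetical file names) in a temporary directory.
demo_tree() {
    d=$(mktemp -d) && chmod 755 "$d" && mkdir "$d/uploads" && chmod 777 "$d/uploads"
    for f in 666:index.php 600:configuration.php 644:today.php 755:deploy.sh; do
        : > "$d/${f#*:}" && chmod "${f%%:*}" "$d/${f#*:}"
    done
    echo "$d"
}

tree=$(demo_tree)
plan_perms "$tree"
rm -rf "$tree"
```

A "loosen" line deserves a second look before the blanket chmod: a file kept at 600 on purpose, such as one holding database credentials, becomes readable by every local user at 644.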

Method 2: Changing Apache user and group

NOTE: This method is highly discouraged. Do not implement it on a computer with personal or sensitive information if you are not sure what you are doing. To complement the security, install a firewall to block external incoming traffic to your web server; you may also want to change some directives in your site configuration to serve requests only to the localhost address.

To make Apache run as your current user and group, you have to edit some parameters in the Apache configuration file. This will solve the file ownership problems but opens a severe security hole.

To change the user and group of the Apache service, follow these instructions:

  • Open a terminal and type
sudo gedit /etc/apache2/envvars
  • Find the lines
export APACHE_RUN_USER=www-data
export APACHE_RUN_GROUP=www-data
  • Replace the "www-data" with your current username in both lines
  • Save changes
  • Type in your terminal
sudo service apache2 restart
  • Let's create a file for a quick test to see if the new configuration is working correctly; type in your terminal
echo "<?php echo 'whoim = '.exec('/usr/bin/whoami');?>" | tee /home/youruser/lamp/public_html/whomi.php
  • Open your browser and navigate to "localhost/whomi.php", you should see something like this
whoim = youruser

That means the script is being executed with the new user (you)