Announcement

How To Install Nginx, MariaDB and PHP (FEMP Stack) on FreeBSD 11


This step by step guide will walk you through the steps to install and configure the FEMP Stack on FreeBSD 11.

 

Prerequisites:

  • A physical or virtual machine with minimal installation of FreeBSD 11
  • A static IP Address configured for a network interface.
  • A regular account created with root privileges or direct access to the system using root account.
  • A DNS server to maintain (A and CNAME records).

 

Installing MariaDB Database

To begin, first we’ll install the MariaDB database system, which is the FEMP component that will be used for storing and managing the dynamic data of the website. MariaDB can be installed in FreeBSD directly from the binaries provided by PORTS repositories. However, a simple search using ls command in FreeBSD Ports databases section reveals multiple versions of MariaDB, as shown in the following command output. Also, running Package Manager pkg command displays the same results.

ls -al /usr/ports/databases/ | grep mariadb
pkg search mariadb


Now we will install the latest version of the MariaDB database and client by using the pkg command as shown in the example below.

pkg install mariadb102-server mariadb102-client

Once MariaDB installation completed in the system, run the following command in order to enable the MySQL server system-wide. Also, make sure MariaDB daemon started manually as shown below.

sysrc mysql_enable=”YES”
service mysql-server start 

Now we need to secure MariaDB database by running mysql_secure_installation script which set up a root password for MySQL root user, remove the anonymous user, disable remote login for root user and delete the test database. After choosing a strong password for the MySQL root user, answer with yes on all questions, as shown in the below example of the script. Do not confuse the MariaDB database root user with the system root user. Although these accounts have the same name, root, they are not equivalent and are used for different purposes, one for system administration and the other for database administration.

/usr/local/bin/mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB

      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current

password for the root user.  If you've just installed MariaDB, and

you haven't set the root password yet, the password will be blank,

so you should just press enter here.


Enter current password for root (enter for none):

OK, successfully used password, moving on...


Setting the root password ensures that nobody can log into the MariaDB

root user without the proper authorisation.

Set root password? [Y/n] y

New password:

Re-enter new password:

Password updated successfully!

Reloading privilege tables..

 ... Success!

By default, a MariaDB installation has an anonymous user, allowing anyone

to log into MariaDB without having to have a user account created for

them.  This is intended only for testing, and to make the installation

go a bit smoother.  You should remove them before moving into a

production environment.

Remove anonymous users? [Y/n] y

 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This

ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y

 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can

access.  This is also intended only for testing, and should be removed

before moving into a production environment.

Remove test database and access to it? [Y/n] y

 - Dropping test database...

 ... Success!

 - Removing privileges on test database...

 ... Success!

Reloading the privilege tables will ensure that all changes made so far

will take effect immediately.

Reload privilege tables now? [Y/n] y

 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB

installation should now be secure.

Thanks for using MariaDB!

When done securing MariaDB database, test if you are allowed to perform local login to the database from root account using the the following command. Once connected to the database prompt, just type quit or exit in order to leave the database console and return to system user console prompt as shown in example below.

mysql -u root -p
MariaDB> quit


Running sockstat command in FreeBSD quickly reveals the fact that MariaDB is opened to external network connections and can be remotely accessed from any network via 3306/TCP port.

sockstat -4 -6

To disable completely from remote network connections to MariaDB, you need to force mysql network socket to bind to the loopback interface only by adding the following line to /etc/rc.conf file with the below command.

sysrc mysql_args="--bind-address=127.0.0.1"

Afterwards, restart MariaDB daemon to effect the changes and execute sockstat command again to display the network socket for mysql service. This time, MariaDB service should listen for network connections on localhost:3306 socket only.

service mysql-server restart
sockstat -4 -6|grep mysql


If you are developing a remote web application that needs access to the database on this machine, revert MySQL socket changes by removing or commenting the line mysql_args="--bind-address=127.0.0.1" from /etc/rc.conf file and restarting the database to apply changes. In this case, you should take into consideration other alternatives to limit or disallow remote access to MySQL, such as running a firewall locally and filter the IP addresses of clients who need remote login or create MySQL users with the proper IP addresses grants to login to the server.

 

Installing Nginx Web Server

The Nginx web server can be installed from the binaries provided by FreeBSD 11 Ports. A simple search through Ports repositories in the www section can show a list of what pre-compiled versions are available for Nginx software, as shown in the example below.

ls /usr/ports/www/ | grep nginx
Running the package management command can display the same results as shown in the image below.

pkg search –o nginx


To install the most common release of Nginx in FreeBSD, execute the following command. To avoid the prompt add the –y flag while issuing the command:

pkg -y install nginx


After Nginx web server software has been installed on your system, you should enable and run the service by issuing the following commands.

sysrc nginx_enable=”yes”
service nginx start


Run sockstat command in order to check if Nginx service is started on your system and on what network sockets it binds on. Normally, it should bind by default on *:80 TCP socket. You can use the grep command line filter to display only the sockets that match nginx server.

sockstat -4 -6 | grep nginx


Open a browser on a computer in your network and navigate to the IP address of your server via HTTP protocol. In case you’ve registered a domain name or you use a local DNS server, you can write the fully qualified domain name of your machine or the domain name in browser’s URI filed. A title message saying "Welcome to nginx!" alongside a few HTML lines should be displayed in your browser, as shown in the following figure.


The location where web files are stored for Nginx in FreeBSD 11 is /usr/local/www/nginx/ directory. This directory is a symbolic link to the nginx-dist directory. To deploy a website, copy the html or php script files into this directory. In order to change Nginx default webroot directory, open Nginx configuration file from /usr/local/etc/nginx/ directory and update root statement line as shown in the below example.

nano /usr/local/etc/nginx/nginx.conf

This will be the new webroot path for Nginx:

root    /usr/local/www/new_html_directory;

 

Install PHP Programming Language

By default, Nginx web server cannot directly parse PHP scripts, Nginx needs to pass the PHP code trough the FastCGI gateway to the PHP-FPM daemon, which interprets and executes the PHP scripts. In order to install the PHP-FPM daemon in FreeBSD, search for available PHP pre-compiled binary packages by running the below commands.

ls /usr/ports/lang/ | grep php
pkg search –o php


From the multitude of PHP versions available in FreeBSD Ports repositories, choose to install the latest version of PHP interpreter, currently PHP 7.1 release, by issuing the following command.

pkg install php71

In order to install some extra PHP extensions, which might be needed for deploying complex web applications, issue the below command. A list of officially supported PHP extensions can be found by visiting the following link: http://php.net/manual/en/extensions.alphabetical.php

If you're planning to build a website based on a content management system, review the CMS documentation in order to find out the requirements for your system, especially what PHP modules or extensions are needed.

php71-mcrypt mod_php71 php71-mbstring php71-curl php71-zlib php71-gd php71-json

Because we are running a database server in our setup, we should also install the PHP database driver extension, which is used by PHP interpreter to connect to MariaDB database.

pkg install php71-mysqli

Next, update the PHP-FPM user and group to match the Nginx runtime user by editing PHP-FPM configuration file. Change the user and group lines variables to www as shown in the below excerpt.

cp /usr/local/etc/php-fpm.d/www.conf{,.backup}

nano /usr/local/etc/php-fpm.d/www.conf

Change the following lines to look as below.

user = www
group = www


By default, Nginx daemon runs with privileges of the 'nobody' system user. Change Nginx runtime user to match PHP-FPM runtime user, by editing /usr/local/etc/nginx/nginx.conf file and update the following line:

user www;


PHP-FPM daemon in FreeBSD opens a network socket on localhost:9000 TCP port in listening state. To display this socket you can use sockstat command as shown in the below example.

sockstat -4 -6| grep php-fpm


To exchange PHP scripts with PHP FastCGI gateway on 127.0.0.1:9000 network socket, open Nginx configuration file and update the PHP-FPM block as shown in the below sample.

PHP FastCGI gateway example for Nginx:

        location ~ \.php$ {
        root               /usr/local/www/nginx;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param SCRIPT_FILENAME $request_filename;   
        include        fastcgi_params;
               }


When you are done with all the above changes, create a configuration file for PHP based on the default production file by running the following command. You can change the PHP runtime settings by editing the variables present in php.ini file.

ln -s /usr/local/etc/php.ini-production /usr/local/etc/php.ini

Finally, in order to apply all changes made so far, enable the PHP-FPM daemon system-wide and restart PHP-FPM and Nginx services by issuing the below commands.

sysrc php_fpm_enable=yes
service php-fpm restart


Test nginx configurations for syntax errors:

nginx –t 
service nginx restart


To get the current PHP information available for your FEMP stack in FreeBSD, create a phpinfo.php file in your server document root directory by issuing the following command.

echo "" | tee /usr/local/www/nginx/phpinfo.php

Now, open a browser and navigate to the phpinfo.php page by visiting your server's domain name or IP address followed /phpinfo.php file, as shown in the below screenshot.

 

Conclusion

We’ve successfully installed and configured FEMP Stack in FreeBSD 11. The server is now ready and fully functional to start deploying dynamic web applications in your environment.