Friday, September 4, 2009

layman data II

related links
Apache   PHP   PostgreSQL
security modifications to avoid root
LAPP on Redhat (very helpful)
clear PHP/Apache compile notes


A LAMP (Apache, PostgreSQL or MySQL, PHP, and a browser, taken together) is required these days, despite its difficult intercomplexity and the annoying resource drain of running all of it. If one has photos or a lot of other files, something besides file folders is needed, and they cannot be managed without a LAMP unless one has a CS degree or can afford Oracle. I run a LAMP on my website to make files accessible, but the provider where I park the site has older versions of all this software. This makes the LAMP vanilla and slower (e.g., no InnoDB). Additionally, there are no options for PostgreSQL.

Since I prefer PostgreSQL, for the LAMP on my local drive, I created a LAPP, substituting Postgres for MySQL. Even on a local drive, security issues arise. Apache, PostgreSQL, PHP, and some browsers require ports. I want to be sure no ports are open to the outside. Learning how to lock down Apache, PostgreSQL, and PHP to make them only localhost accessible is a work in progress. Configuration files need to be altered for localhost only, but it appears there is more to it than this, if one is simultaneously connected on the Web.

On this local drive, running hybridized Slackware (Zenwalk), a reliable LAMP exists out of the box, but morphing it to a PostgreSQL LAPP required compiling PostgreSQL and PHP (see "Notes" below). The kernel didn't require alteration and a recompile, thankfully.

Notes

Install PostgreSQL (source, don't use netpkg) and MySQL (netpkg) first. In Zenwalk, PHP is precompiled without PostgreSQL support. PHP must therefore be recompiled with it: "--with-pgsql=/usr/local".

Default Users, Ports, Home

PostgreSQL - user:postgres, port 5432, /usr/local/pgsql.
Apache - user:root, port 80, /etc/httpd.conf.
PHP - /usr/local/lib/php.
MySQL - user?, port 3306, /usr/share/mysql.

I compile PostgreSQL instead of netpkging it because of a Catch-22 that occurs after installation. One would have to log in and out every time they wanted to use the database or create group permission trees. On a standalone, it's easier to compile PostgreSQL and initialize with the user as the owner instead of "postgres". Create databases using

PostgreSQL

FIRSTRUN DBMS - Compiling is easier downstream than Zenwalk. When compiling, simply supply one's username during initdb, e.g. if one's username were "foo": $ initdb foo --encoding=utf8 --locale=POSIX. Then just make some directory in /home like "/home/pgsql" and # chown -R 1000:100 /home/pgsql so "foo" can use it at will. If using Zenwalk, postgresql.conf and pg_hba.conf must be configured prior to first run. Zenwalk also makes the default user postgres, so its password needs to be created: # passwd postgres, and enter a simple password. A point of confusion in Zenwalk is that "postgres" is both the god user of the DBMS and the command that starts the DBMS ("postmaster" is deprecated).
START/STOP DBMS - # service start/stop postgresql (Zenwalk), or # postgres -D /var/lib/pgsql/data/ -r logname.txt. This second command starts the database at its default location and provides a logname of choice.
DATABASE FILES - Zenwalk installs a PostgreSQL tablespace at /var/lib/pgsql/data, but if installing from source they go to /usr/lib/pgsql. # createdb -U postgres -W -D /var/lib/pgsql/data/sub01 -E utf8 -e employees.

Apache

SECURITY - Once it's running, an Apache that listens for connections on every network interface is a significant security problem. Bind it to 127.0.0.1 on port 80, so it only accepts connections from localhost. Skype also uses Port 80, but you can reset Skype to, say, Port 81, in its advanced settings. Meanwhile, to change Apache:
# nano /etc/apache2/ports.conf
Listen 127.0.0.1:80
START/STOP - # service start/stop httpd (Zenwalk), or # apachectl start/stop (any distro). Check it by pointing a browser to "http://localhost".
CONFIG FILES - Netpkg handles it, but following PHP recompile, Apache configuration tweaks are necessary for PHP serving. A short list is here. Additionally, one must open /etc/apache/mod_php.conf and provide the complete path to libphp5.so, typically /usr/libexec/apache/libphp5.so, if it's not in there. Following changes, restart httpd, which should initialize PHP.
HTML FILES - (Zenwalk) We can serve files from anywhere on our hard disk through the browser, but it's easiest to put them in /var/www/htdocs/, because this is the default. Writing there from logs or anything else can't be done easily, since /var/www/ is owned by root. A solution is to create a new group.
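
To confirm that the Listen 127.0.0.1:80 change took effect, and that PostgreSQL (5432) and MySQL (3306) are also bound to loopback only, the listening sockets can be audited. The script below is an added example, not part of the original notes; the function names, the WATCH_PORTS variable and the sample netstat output are constructed for illustration.

```shell
#!/bin/sh
# Added example: report LAPP/LAMP listeners reachable from outside localhost.
# Reads `netstat -ltn` or `ss -ltn` output on stdin; in both formats the
# local address is field 4.

# Constructed sample input (not captured from a real host).
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN
EOF
}

# Prints "port address" for every watched port bound to a non-loopback
# address. WATCH_PORTS is a hypothetical override; the defaults are the
# Apache, PostgreSQL and MySQL ports listed in these notes.
exposed_listeners() {
    awk -v ports="${WATCH_PORTS:-80 5432 3306}" '
    BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) watch[p[i]] = 1 }
    {
        idx = match($4, /:[0-9]+$/)        # last ":port" of the local address
        if (idx == 0) next                 # header or non-socket line
        port = substr($4, idx + 1)
        host = substr($4, 1, idx - 1)
        gsub(/\[/, "", host); gsub(/\]/, "", host)   # ss prints [::1]:5432
        if (!(port in watch)) next         # not one of the LAPP services
        if (host ~ /^127\./ || host == "::1") next   # loopback only: fine
        print port, host
    }'
}

# Demo on the constructed sample; on a live system use:
#   netstat -ltn | exposed_listeners
sample_netstat | exposed_listeners
```

In the sample, MySQL is bound to every IPv4 interface and Apache still has an IPv6 wildcard listener even though its IPv4 socket is loopback-only; an empty result means all three services are localhost-only.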

PHP

START/STOP - # php -v. This command checks for the version. PHP loads as an Apache module, not as a separate program. I used # netpkg remove php to remove the Zenwalk version of PHP. I did this because the netpkg (Zenwalk) version fails to support PostgreSQL.

COMPILE - necessary for PostgreSQL; netpkg PHP does not support Postgres. The configuration phase, prior to "make", is critical. The correct syntax for the PostgreSQL functionality is --with-pgsql=/usr/local. However, other options can be useful. Taking most situations into account, a reasonable configure string might be:
$ ./configure --with-apxs2=/usr/sbin/apxs \
--with-pgsql=/usr/local \
--with-mysql=/usr/share \
--with-libxml-dir=/usr/lib \
--with-curl=/usr/bin/curl \
--with-zlib \
--with-gettext \
--with-gdbm \
--enable-inline-optimization \
--enable-track-vars

"Make", then root "make install"; it installs to /usr/local/lib/php. Copy the ini files to there: # cp php.ini* /usr/local/lib/php/. Pick one of the two to be the ini file, e.g. # cp php.ini-development /etc/apache/php.ini. It can be tweaked later.



Other
