In Fedora Core, yum is replaced by dnf (DaNiFied Yum), partly due to Python support.

To set up PHP, MySQL and Perl cgi-bin (for CMS systems such as WordPress and Drupal):

    dnf install httpd php mariadb mariadb-server php-mysql php-gd php-ldap php-odbc
    dnf install php-pear php-xml php-xmlrpc php-mbstring php-snmp php-soap
    dnf install phpmyadmin curl curl-devel
    dnf install perl mod_perl perl-DBD-mysql nmap
    dnf install mod_ssl openssl
    systemctl enable sshd.service
    systemctl start sshd.service    # fc23 sshd is not turned on by default
    systemctl enable httpd.service
    systemctl start httpd.service

Enable firewall to allow httpd

If you install the Fedora Workstation version (not the Server), the zone is not public as it was in earlier versions. We should use FedoraWorkstation as the zone name. You can also use

    firewall-cmd --get-zone-of-interface=enp0s25

to find out the zone associated with the interface. fc22 assigns the Ethernet card the name enp0s25 (strange name).

    firewall-cmd --permanent --zone=FedoraWorkstation --add-service http
    firewall-cmd --permanent --zone=FedoraWorkstation --add-service https

Note that the current firewall may not activate http and https until reboot. You may want to try

    firewall-cmd --add-service http
    firewall-cmd --add-service https

To set up vnc-server, first

    dnf -y install tigervnc-server

Set up the vnc password with vncpasswd. Then

    firewall-cmd --permanent --zone=FedoraWorkstation --add-service vnc-server

To test whether PHP works, copy info.php and test it.

    cd /var/www/html
    scp root@walrus.uccs.edu:/home/cs3110/public_html/php/info.php .

To allow individual user to have public and run scripts such as php

The block directory is no longer in /etc/httpd/conf/httpd.conf. Enable individual public_html access by

    cd /etc/httpd/conf.d/
    edit userdir.conf

Comment out line 17

    UserDir disabled

Uncomment line 24

    #UserDir public_html

Run

    systemctl restart httpd.service

Recent Fedora Core OS turns on SELinux for better protection. For information related to SELinux booleans visit
https://docs.fedoraproject.org/en-US/Fedora/12/html/Managing_Confined_Services/sect-Managing_Confined_Services-The_Apache_HTTP_Server-Booleans.html

    setsebool -P httpd_enable_homedirs true

Test the access on an individual web page.

We install suphp

    dnf install mod_suphp

Edit /etc/httpd/conf.d/mod_suphp.conf

Add the following directive at the top and wrap up with so that suphp only applies to the individual directory and not to /var/www/cgi-bin or html; otherwise the php scripts in the system directories will not work.

    AddHandler x-httpd-php .php
    ### Uncomment to activate mod_suphp
    suPHP_Engine on
    AddHandler x-httpd-php .php .php5 .php3 .php4
    suPHP_AddHandler x-httpd-php
    # used to have a typo x-http-php instead of x-httpd-php, missing a d
    # it caused suphp not to be executed

The commented line "suPHP_AddHandler x-httpd-php" has to be uncommented for mod_suphp to work.

Uncomment

    suPHP_ConfigPath /etc

Add block directive at the end of mod_suphp.conf

Edit /etc/httpd/conf.d/php.conf

Add the following line after line 11 so that php in /var/www/html/ will use the standard php interpreter without the added suphp function.

    AddHandler php5-script .php

Make sure line 26 is commented out.
Normal php is handled by application/php5-script

    # SetHandler application/x-httpd-php

Edit /etc/suphp.conf

Change the log file directory to consolidate in /var/log/httpd, not /var/log

    logfile=/var/log/httpd/suphp_log
    ; Security Option

Change to the following settings

    allow_file_group_writeable=true
    allow_file_others_writeable=false
    allow_directory_group_writeable=true
    allow_directory_others_writeable=false
    check_vhost_docroot=false

Set umask to 0022 instead of 0077 so that apache can navigate the newly created directories.

Comment out handle_userdir; it is deprecated

    ;handle_userdir=true

Change the handler for php-scripts from php5-script to x-httpd-php as follows. Note that the value is wrapped with ".

    [handlers]
    ;Handler for php-scripts
    ;application/x-httpd-php="php:/usr/bin/php-cgi"
    x-httpd-php="php:/usr/bin/php-cgi"
    ;Handler for CGI-scripts
    x-suphp-cgi="execute:!self"

After editing the file, restart httpd

    systemctl restart httpd.service

Test with http:///~cs3110/php/whoami.php
Assume whoami.php is
The web server should return cs3110 as the user (not apache) that runs the php script.

!!! Note that in the suphp.conf file, mod_suphp uses ; as the comment character. Using # will cause an error for httpd operation!!! What a convention!

Make sure umask is 0022 instead of 0077 so that the directory can be read by apache (even though it is created by the local user).

When upload.php gets "open grade.txt failed!", it could be that the raster file was copied to the home directory and inherited the "user_home_t" type instead of httpd_user_content_t

    [root@viva cs526]# ls -Z CS526S2014Grade.txt
    -rwx------. cs526 cs526 unconfined_u:object_r:user_home_t:s0 CS526S2014Grade.txt

We can change the type with

    chcon -R -t httpd_user_content_t /home/cs526/CS526S2014Grade.txt

When upload.php gets "Possible file upload attack" or cannot create a directory in the /home/gsc/public_html/pub/ directory, it could be caused by SELinux or by /etc/php.ini

    upload_max_filesize = 2M

Line 811 was set to only the 2MB default size. You need to increase that upload size. You can change the context

    chcon -R -t public_content_rw_t /home/gsc/public_html/pub/
    setsebool -P allow_smbd_anon_write 1
    setsebool -P allow_httpd_anon_write 1

Also, the public_html directory where the scripts reside cannot be group writable; change it to 711.

[mysql section]

#mysql is now replaced by mariadb (an open source group from the previous founder)

    systemctl enable mariadb.service
    systemctl start mariadb.service

It is important to set up the root password and configure for secure operation. Run the following command

    mysql_secure_installation

See detail in http://www.howtoforge.com/installing-apache2-with-php5-and-mysql-support-on-fedora-19-lamp

    [root@cs591 data]# mysql_secure_installation

    NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
          SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY!

    In order to log into MariaDB to secure it, we'll need the current
    password for the root user. If you've just installed MariaDB, and
    you haven't set the root password yet, the password will be blank,
    so you should just press enter here.

    Enter current password for root (enter for none):
    OK, successfully used password, moving on...

    Setting the root password ensures that nobody can log into the MariaDB
    root user without the proper authorisation.

    Set root password? [Y/n] Y
    New password:
    Re-enter new password:
    Password updated successfully!
    Reloading privilege tables..
     ... Success!

    By default, a MariaDB installation has an anonymous user, allowing anyone
    to log into MariaDB without having to have a user account created for
    them. This is intended only for testing, and to make the installation
    go a bit smoother. You should remove them before moving into a
    production environment.

    Remove anonymous users? [Y/n] Y
     ... Success!

    Normally, root should only be allowed to connect from 'localhost'. This
    ensures that someone cannot guess at the root password from the network.

    Disallow root login remotely? [Y/n] Y
     ... Success!

    By default, MariaDB comes with a database named 'test' that anyone can
    access. This is also intended only for testing, and should be removed
    before moving into a production environment.

    Remove test database and access to it? [Y/n] Y
     - Dropping test database...
     ... Success!
     - Removing privileges on test database...
     ... Success!

    Reloading the privilege tables will ensure that all changes made so far
    will take effect immediately.

    Reload privilege tables now? [Y/n] Y
     ... Success!

    Cleaning up...

    All done! If you've completed all of the above steps, your MariaDB
    installation should now be secure.

    Thanks for using MariaDB!

Set mysql root password

    shell> mysql -u root mysql
    mysql> UPDATE user SET Password=PASSWORD('new_mysqlrootpassword') WHERE user='root';
    mysql> FLUSH PRIVILEGES;

Try not to use a password with # or $. They often interfere with the mysql command and result in the root password not being accepted by mariadb later on!!

If you get locked out because the mysql root password is incorrect, try to follow the instructions in
http://www.rackspace.com/knowledge_center/article/mysql-resetting-a-lost-mysql-root-password
by stopping mariadb, then issue

    sudo mysqld_safe --skip-grant-tables &
    mysql -uroot     (without password)
    use mysql;

Then use

    update user set password=PASSWORD("mynewpassword") where User='root';
    flush privileges;

to change the root password.

Create cs3110 mysql account for the php-mysql script showUserDB.php demo

    cd /home/cs3110/public_html/mysql
    ./cmysql.pl cs3110 cs3110db

Get a copy of mysql from an old Fedora Core server using mysqldump

    [root@walrus wiki]# mysqldump -u root -p --all-databases > walrusdb.sql

Copy the .sql file to the new machine

    [root@walrus wiki]# scp walrusdb.sql root@viva.uccs.edu:.

Run the mysql command to import the databases.

    [root@viva ~]# mysql -u root -p < walrusdb.sql

[Email]

Fedora offers two primary MTAs: Postfix and Sendmail. Postfix is configured as the default MTA and Sendmail is considered deprecated.

    dnf install postfix

With SELinux, if we would like to send email through Mail::sendmail, we need to setsebool in two places:

    setsebool -P httpd_can_network_connect 1
    setsebool -P httpd_can_sendmail 1

Took a while to debug this. Especially the first one.

    getsebool -a |grep httpd

Restart the postfix service after changing any options in the configuration files under the /etc/postfix directory in order for those changes to take effect. To do so, run the following command as root:

    ~]# systemctl restart postfix

10.3.1.2. Basic Postfix Configuration

By default, Postfix does not accept network connections from any host other than the local host. Perform the following steps as root to enable mail delivery for other hosts on the network:

    Edit the /etc/postfix/main.cf file with a text editor, such as vi.
    Uncomment the mydomain line by removing the hash sign (#), and replace domain.tld with the domain the mail server is servicing, such as example.com.
    Uncomment the myorigin = $mydomain line.
    Uncomment the myhostname line, and replace host.domain.tld with the host name for the machine.
    Uncomment the mydestination = $myhostname, localhost.$mydomain line.
    Uncomment the mynetworks line, and replace 168.100.189.0/28 with a valid network setting for hosts that can connect to the server.
    Uncomment the inet_interfaces = all line.
    Comment the inet_interfaces = localhost line.
    Restart the postfix service.

The mail program was not installed by default. We will install the mailx pkg

    dnf install mailx

Test by sending email

    mail -s 'test' cchow@uccs.edu

Setting up SSH without password

On client:
1. run ssh-keygen (it generates public key and private key)
2. run ssh-copy-id -i ~/.ssh/id_rsa.pub remote-host
3. ssh remote-host (or scp or rsync)

[phpMyAdmin setup]

We would like to access the phpmyadmin web app from any uccs machine.
Edit /etc/httpd/conf.d/phpMyAdmin.conf
Replace Line 17:

    Require ip 127.0.0.1

with

    Require ip 128.198

Same for Line 34.

    systemctl restart httpd.service

1. Make sure to edit the config.inc.php file and specify the blowfish_secret for cookie authentication. The default key there is too big.

    [Sun Sep 22 15:02:31.823524 2013] [:error] [pid 10072] [client 128.198.16.135:49645] PHP Warning: mcrypt_encrypt(): Size of key is too large for this algorithm in /var/www/html/phpmyadmin/libraries/mcrypt.lib.php on line 71, referer: http://walrus.uccs.edu/phpmyadmin/

   Change the following

    $cfg['blowfish_secret'] = 'directives are explained in Documentation.html and on phpMyAdmi';

   to

    $cfg['blowfish_secret'] = 'my devoted servant walrus'; # pick one that is a decent size but not too long.

2. Copy /usr/share/phpMyAdmin to /var/www/html/phpMyAdmin. You may need to change the SELinux type so httpd can read it

    chcon -R -t httpd_sys_content_t phpMyAdmin/

3. Edit /etc/httpd/conf.d/phpMyAdmin.conf and change /usr/share to /var/www/html

[mod_auth_mysql]

mod_auth_mysql is an Apache module to authenticate users and authorize access through a MySQL database. It is flexible and supports several encryption methods. The module will work on both Apache 1.x and Apache 2.x. This package allows the use of a .htaccess file to guard a web directory with credentials from a mysql database.
http://modauthmysql.sourceforge.net/README

Download mod_auth_mysql-3.0.0.tar.gz from
http://sourceforge.net/projects/modauthmysql/files/modauthmysql/3.0.0/

To compile with apxs you need to install the mysql-devel package for the include files and library.

    dnf install mysql-devel     (actually it is mariadb-devel)

Also, the original source code is for apache 1. To work with 2.4, you need to apply a patch from
http://sourceforge.net/p/modauthmysql/patches/13/attachment/mod_auth_mysql_3.0.0_patch_apache2.4.diff
(cited in http://sourceforge.net/p/modauthmysql/patches/13/)

In the mod_auth_mysql-3.0.0 directory apply the following command:

    patch < mod_auth_mysql_3.0.0_patch_apache2.4.diff

Then apply the compile command in http://modauthmysql.sourceforge.net/BUILD

    apxs -c -L/usr/lib64/mysql -I/usr/include/mysql -lmysqlclient -lm -lz mod_auth_mysql.c

If it runs into an error that it cannot find the libmysqlclient.so file, the library could be in a different directory. By running

    repoquery -q -l --plugins mariadb-devel

we find the library path is /usr/lib64/mysql now.

Now successful. We can install the .la file to /etc/httpd/modules with

    apxs -i mod_auth_mysql.la

Restart httpd

    systemctl restart httpd.service

We can now test mod_auth_mysql on http://cs526rs1.csnet.uccs.edu/sec/
Use the credential in the chowdb member1 table. You can access it with http://cs526rs1.csnet.uccs.edu/phpmyadmin/

upload.php

Make sure the studentproj directory token type is changed to writable by apache

    chcon -R -t public_content_rw_t studentproj

Also set the selinux flag to allow httpd to write

    setsebool -P allow_httpd_anon_write 1

The php upload file size is restricted by two settings in /etc/php.ini: post_max_size and upload_max_filesize. They are set at defaults of 8M and 2M. You need to change the settings if you would like to upload bigger files.

    ; Maximum allowed size for uploaded files.
    ; http://php.net/upload-max-filesize
    upload_max_filesize = 200M

    ; Maximum size of POST data that PHP will accept.
    ; Its value may be 0 to disable the limit. It is ignored if POST data reading
    ; is disabled through enable_post_data_reading.
    ; http://php.net/post-max-size
    post_max_size = 200M
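
A check for the /etc/suphp.conf settings described in the suphp section above (";" comments only, others-writeable options off, umask 0022, handle_userdir commented out). This is an added example, not part of the original notes; the function names check_suphp_conf and sample_suphp_conf are hypothetical and the sample file is constructed.

```shell
#!/bin/bash
# Added example: lint a suphp.conf against the settings described in this page.
# Prints one finding per line and nothing when the file matches.
check_suphp_conf() {
    awk -F= '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        BEGIN {
            # Values taken from the suphp.conf section of this page.
            want["allow_file_others_writeable"] = "false"
            want["allow_directory_others_writeable"] = "false"
            want["umask"] = "0022"
        }
        /^[ \t]*#/ {    # suphp.conf comments start with ";", a "#" breaks httpd
            printf "line %d: use \";\" for comments, not \"#\"\n", NR; next
        }
        /^[ \t]*$/ || /^[ \t]*;/ || /^[ \t]*\[/ { next }  # blank, comment, [section]
        {
            key = trim($1); val = trim($2); seen[key] = 1
            if (key in want && val != want[key])
                printf "line %d: %s=%s, expected %s\n", NR, key, val, want[key]
            if (key == "handle_userdir")
                printf "line %d: handle_userdir is deprecated, comment it out\n", NR
        }
        END { for (k in want) if (!(k in seen)) printf "missing: %s=%s\n", k, want[k] }
    ' "$1"
}

# Constructed sample (not a real file from any server) with four deliberate problems.
sample_suphp_conf() {
    cat <<'EOF'
[global]
# log file moved next to the httpd logs
logfile=/var/log/httpd/suphp_log
allow_file_group_writeable=true
allow_file_others_writeable=true
allow_directory_group_writeable=true
allow_directory_others_writeable=false
check_vhost_docroot=false
umask=0077
handle_userdir=true
[handlers]
x-httpd-php="php:/usr/bin/php-cgi"
EOF
}

tmp=$(mktemp)
sample_suphp_conf > "$tmp"
check_suphp_conf "$tmp"
rm -f "$tmp"
```

On a real host, run check_suphp_conf /etc/suphp.conf before restarting httpd.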
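
The two SELinux labelling problems above (the grade file that inherited user_home_t, and the upload directory that needs public_content_rw_t) can be spotted from ls -Z output before upload.php fails. This is an added example, not part of the original notes; the function names are hypothetical, and it goes slightly beyond the page by also accepting the newer "CONTEXT NAME" layout of ls -Z. Only the first sample line is the listing quoted on this page; the others are constructed.

```shell
#!/bin/bash
# Added example: list entries in `ls -Z` output whose SELinux type is unexpected.
# Reads `ls -Z` lines on stdin, takes the allowed types as arguments, and prints
# "TYPE NAME" for every entry whose type is not in that list.
unexpected_selinux_types() {
    awk -v allowed="$*" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            for (f = 1; f < NF; f++) {
                # A context field looks like user:role:type:level
                if (split($f, ctx, ":") >= 4 && ctx[2] ~ /_r$/) {
                    if (!(ctx[3] in ok)) {
                        # Everything after the context is the file name
                        name = $(f + 1)
                        for (g = f + 2; g <= NF; g++) name = name " " $g
                        print ctx[3], name
                    }
                    break
                }
            }
        }'
}

# First line is the listing quoted on this page; the rest are constructed.
sample_listing() {
    cat <<'EOF'
-rwx------. cs526 cs526 unconfined_u:object_r:user_home_t:s0 CS526S2014Grade.txt
-rw-r--r--. cs526 cs526 unconfined_u:object_r:httpd_user_content_t:s0 upload.php
unconfined_u:object_r:public_content_rw_t:s0 studentproj
unconfined_u:object_r:user_home_t:s0 old grades.txt
EOF
}

sample_listing | unexpected_selinux_types httpd_user_content_t public_content_rw_t
```

Each reported file is a candidate for the chcon commands given above.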