In Fedora Core, yum is replaced by dnf (Dandified Yum), partly due to Python support.

To set up PHP, MySQL and Perl cgi-bin (for CMS systems such as WordPress and Drupal):

    dnf install httpd php mariadb mariadb-server
    dnf install php-pecl-apcu php-cli php-pear php-pdo php-mysqlnd php-pgsql php-pecl-mongodb php-pecl-memcache php-pecl-memcached php-gd php-mbstring php-mcrypt php-xml
    dnf install phpmyadmin curl curl-devel
    dnf install perl mod_perl perl-DBD-mysql nmap
    dnf install mod_ssl openssl

    systemctl enable sshd.service
    systemctl start sshd.service      # on fc23 sshd is not turned on by default
    systemctl enable httpd.service
    systemctl start httpd.service

Enable the firewall to allow httpd. If you install the Fedora Workstation version (not the Server), the zone is no longer "public" as it was in earlier versions; use FedoraWorkstation as the zone name. You can also run

    # firewall-cmd --get-active-zones
    FedoraWorkstation
      interfaces: ens32

to find out the zone associated with the interface. fc28 assigns the Ethernet card the name ens32 (a strange name).

    firewall-cmd --permanent --zone=FedoraWorkstation --add-service http
    firewall-cmd --permanent --zone=FedoraWorkstation --add-service https

Note that the currently running firewall may not activate http and https until reboot; you may want to try

    firewall-cmd --add-service http
    firewall-cmd --add-service https

To set up vnc-server, first

    dnf -y install tigervnc-server

set the VNC password with vncpasswd, then

    firewall-cmd --permanent --zone=FedoraWorkstation --add-service vnc-server

To test whether PHP works, create the following test.php in /var/www/html.

To allow individual users to have a public_html directory and run scripts such as PHP: the Directory block is no longer in /etc/httpd/conf/httpd.conf. Enable individual public_html access by

    cd /etc/httpd/conf.d/

and editing userdir.conf:

    comment out line 17:   UserDir disabled
    uncomment line 24:     #UserDir public_html

In fc25 we need to add an additional "Options +Indexes" for directory browsing to work. Change

    AllowOverride FileInfo AuthConfig Limit Indexes
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Require method GET POST OPTIONS

to

    AllowOverride FileInfo AuthConfig Limit Indexes
    Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
    Options +Indexes
    Require method GET POST OPTIONS

and run

    systemctl restart httpd.service

Recent Fedora releases turn on SELinux for better protection. For information related to SELinux booleans visit https://docs.fedoraproject.org/en-US/Fedora/12/html/Managing_Confined_Services/sect-Managing_Confined_Services-The_Apache_HTTP_Server-Booleans.html

    setsebool -P httpd_enable_homedirs true

Then test access to an individual user's web page.

We install suPHP:

    dnf install mod_suphp

Edit /etc/httpd/conf.d/mod_suphp.conf. Add the following directive at the top and wrap it in a Directory block for the users' directories, so that suPHP only applies to the individual directories and not to /var/www/cgi-bin or /var/www/html; otherwise the PHP scripts in the system directories will not work.
Substitute

    #suPHP_AddHandler php5-script

with

    suPHP_AddHandler x-httpd-php

(rename php5-script to x-httpd-php):

    AddHandler x-httpd-php .php
    ### Uncomment to activate mod_suphp
    suPHP_AddHandler x-httpd-php
    # make sure no typo: x-httpd-php instead of x-http-php; missing a 'd' causes grief

    # This option tells mod_suphp if a PHP-script requested on this server (or
    # VirtualHost) should be run with the PHP-interpreter or returned to the
    # browser "as it is".
    suPHP_Engine on

    # This option tells mod_suphp which path to pass on to the PHP-interpreter
    # (by setting the PHPRC environment variable).
    # Do *NOT* refer to a file but to the directory the file resides in.
    #
    # E.g.: If you want to use "/path/to/server/config/php.ini", use "suPHP_Config
    # /path/to/server/config".
    #
    # If you don't use this option, PHP will use its compiled in default path.
    suPHP_ConfigPath /etc

Edit /etc/httpd/conf.d/php.conf. Add the following line after line 11 so that PHP in /var/www/html/ uses the standard PHP interpreter without the added suPHP function:

    AddHandler php5-script .php

Make sure line 26 is commented out; normal PHP is handled by application/php5-script:

    # SetHandler application/x-httpd-php

Edit /etc/suphp.conf. Change the log file directory to consolidate logs in /var/log/httpd rather than /var/log:

    logfile=/var/log/httpd/suphp_log

Under "; Security Option" change to the following settings:

    allow_file_group_writeable=true
    allow_file_others_writeable=false
    allow_directory_group_writeable=true
    allow_directory_others_writeable=false
    check_vhost_docroot=false

Set umask to 0022 instead of 0077 so that Apache can navigate the newly created directories. Comment out handle_userdir; it is deprecated:

    ;handle_userdir=true

Change the handler for php-scripts from php5-script to x-httpd-php as follows. Note that the value is wrapped with double quotes (").

    [handlers]
    ;Handler for php-scripts
    ;application/x-httpd-php="php:/usr/bin/php-cgi"
    x-httpd-php="php:/usr/bin/php-cgi"

    ;Handler for CGI-scripts
    x-suphp-cgi="execute:!self"

After editing the file, restart httpd:

    systemctl restart httpd.service

Test with http:///~cs3110/php/whoami.php. Assume whoami.php reports the user it runs as; the web server should return cs3110 (not apache) as the user that runs the PHP script.

!!! Note that in the suphp.conf file mod_suphp uses ; as the comment character; using # will cause an error for httpd operation!!! What a convention!

Make sure umask is 0022 instead of 0077 so that the directory can be read by apache (even though it is created by the local user).

When upload.php gets "open grade.txt failed!", it could be that the roster file was copied to the home directory and inherited the "user_home_t" type instead of httpd_user_content_t:

    [root@viva cs526]# ls -Z CS526S2014Grade.txt
    -rwx------. cs526 cs526 unconfined_u:object_r:user_home_t:s0 CS526S2014Grade.txt

We can change the type with

    chcon -R -t httpd_user_content_t /home/cs526/CS526S2014Grade.txt

When upload.php gets "Possible file upload attack" or cannot create a directory in /home/gsc/public_html/pub/, it could be caused by SELinux, or by /etc/php.ini, where upload_max_filesize = 2M (line 811) is set to only the 2MB default size. You need to increase that upload size; the same goes for post_max_size. You can change the SELinux context:

    chcon -R -t public_content_rw_t /home/gsc/public_html/pub/
    setsebool -P allow_httpd_anon_write 1
    setsebool allow_httpd_anon_write 1     # may need to reboot with -P for it to take effect

Also the public_html directory where the scripts reside cannot be group writable; change it to 711.

[mysql section]

    # mysql is now replaced by mariadb (an open-source fork by the original founder)
    systemctl enable mariadb.service
    systemctl start mariadb.service

It is important to set up the root password and configure MariaDB for secure operation.
Run the following command:

    mysql_secure_installation

See details in http://www.howtoforge.com/installing-apache2-with-php5-and-mysql-support-on-fedora-19-lamp

    [root@cs591 data]# mysql_secure_installation

    NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
          SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

    In order to log into MariaDB to secure it, we'll need the current
    password for the root user.  If you've just installed MariaDB, and
    you haven't set the root password yet, the password will be blank,
    so you should just press enter here.

    Enter current password for root (enter for none):
    OK, successfully used password, moving on...

    Setting the root password ensures that nobody can log into the MariaDB
    root user without the proper authorisation.

    Set root password? [Y/n] Y
    New password:
    Re-enter new password:
    Password updated successfully!
    Reloading privilege tables..
     ... Success!

    By default, a MariaDB installation has an anonymous user, allowing anyone
    to log into MariaDB without having to have a user account created for
    them.  This is intended only for testing, and to make the installation
    go a bit smoother.  You should remove them before moving into a
    production environment.

    Remove anonymous users? [Y/n] Y
     ... Success!

    Normally, root should only be allowed to connect from 'localhost'.  This
    ensures that someone cannot guess at the root password from the network.

    Disallow root login remotely? [Y/n] Y
     ... Success!

    By default, MariaDB comes with a database named 'test' that anyone can
    access.  This is also intended only for testing, and should be removed
    before moving into a production environment.

    Remove test database and access to it? [Y/n] Y
     - Dropping test database...
     ... Success!
     - Removing privileges on test database...
     ... Success!

    Reloading the privilege tables will ensure that all changes made so far
    will take effect immediately.

    Reload privilege tables now? [Y/n] Y
     ... Success!

    Cleaning up...

    All done!  If you've completed all of the above steps, your MariaDB
    installation should now be secure.

    Thanks for using MariaDB!

Set the mysql root password:

    shell> mysql -u root mysql
    mysql> UPDATE user SET Password=PASSWORD('new_mysqlrootpassword') WHERE user='root';
    mysql> FLUSH PRIVILEGES;

Try not to use a password containing # or $. They often interfere with the mysql command and result in the root password not being accepted by MariaDB later on!!

If you got locked out because the mysql root password is incorrect, try following the instructions in http://www.rackspace.com/knowledge_center/article/mysql-resetting-a-lost-mysql-root-password: stop mariadb, then issue

    sudo mysqld_safe --skip-grant-tables &
    mysql -uroot                      (without password)
    use mysql;
    update user set password=PASSWORD("mynewpassword") where User='root';
    flush privileges;

to change the root password.

Create the cs3110 mysql account for the php-mysql script showUserDB.php demo:

    cd /home/cs3110/public_html/mysql
    ./cmysql.pl cs3110 cs3110db

Get a copy of mysql from an old Fedora Core server using mysqldump:

    [root@walrus wiki]# mysqldump -u root -p --all-databases > walrusdb.sql

Copy the .sql file to the new machine:

    [root@walrus wiki]# scp walrusdb.sql root@viva.uccs.edu:.

Run the mysql command to import the databases:

    [root@viva ~]# mysql -u root -p < walrusdb.sql

[Email]

Fedora offers two primary MTAs: Postfix and Sendmail. Postfix is configured as the default MTA and Sendmail is considered deprecated.

    dnf install postfix

With SELinux, if we would like to send email through Mail::Sendmail we need to set two booleans:

    setsebool -P httpd_can_network_connect 1
    setsebool -P httpd_can_sendmail 1

It took a while to debug this, especially the first one. Check the current values with

    getsebool -a | grep httpd

Restart the postfix service after changing any options in the configuration files under the /etc/postfix directory in order for those changes to take effect. To do so, run the following command as root:

    ~]# systemctl restart postfix

10.3.1.2. Basic Postfix Configuration

By default, Postfix does not accept network connections from any host other than the local host. Perform the following steps as root to enable mail delivery for other hosts on the network:

1. Edit the /etc/postfix/main.cf file with a text editor, such as vi.
2. Uncomment the mydomain line by removing the hash sign (#), and replace domain.tld with the domain the mail server is servicing, such as example.com.
3. Uncomment the myorigin = $mydomain line.
4. Uncomment the myhostname line, and replace host.domain.tld with the host name for the machine.
5. Uncomment the mydestination = $myhostname, localhost.$mydomain line.
6. Uncomment the mynetworks line, and replace 168.100.189.0/28 with a valid network setting for hosts that can connect to the server.
7. Uncomment the inet_interfaces = all line.
8. Comment the inet_interfaces = localhost line.
9. Restart the postfix service.

The mail program is not installed by default; we will install the mailx package:

    dnf install mailx

Test by sending email:

    mail -s 'test' cchow@uccs.edu

Setting up SSH without password

On the client:
1. run ssh-keygen (it generates the public key and private key)
2. run ssh-copy-id -i ~/.ssh/id_rsa.pub remote-host
3. ssh remote-host (or scp or rsync)

[phpMyAdmin setup]

We would like to access the phpMyAdmin web app from any UCCS machine. Edit /etc/httpd/conf.d/phpMyAdmin.conf and replace line 17:

    Require ip 127.0.0.1

with

    Require ip 128.198

Do the same for line 34. Then

    systemctl restart httpd.service

1. Make sure to edit the config.inc.php file and specify the blowfish_secret for cookie authentication. The default key there is too big:

    [Sun Sep 22 15:02:31.823524 2013] [:error] [pid 10072] [client 128.198.16.135:49645] PHP Warning:  mcrypt_encrypt(): Size of key is too large for this algorithm in /var/www/html/phpmyadmin/libraries/mcrypt.lib.php on line 71, referer: http://walrus.uccs.edu/phpmyadmin/

Change the following

    $cfg['blowfish_secret'] = 'directives are explained in Documentation.html and on phpMyAdmi';

to

    $cfg['blowfish_secret'] = 'my devoted servant walrus';

(pick one that is a decent size but not too long).

2. Copy /usr/share/phpMyAdmin to /var/www/html/phpMyAdmin. You may need to change the SELinux type so httpd can read it:

    chcon -R -t httpd_sys_content_t phpMyAdmin/

3. Edit /etc/httpd/conf.d/phpMyAdmin.conf and change /usr/share to /var/www/html.

[mod_auth_mysql]

mod_auth_mysql is an Apache module to authenticate users and authorize access through a MySQL database. It is flexible and supports several encryption methods. The module works on both Apache 1.x and Apache 2.x. This package allows using an .htaccess file to guard a web directory with credentials from a mysql database. http://modauthmysql.sourceforge.net/README

Download mod_auth_mysql-3.0.0.tar.gz from http://sourceforge.net/projects/modauthmysql/files/modauthmysql/3.0.0/

To compile with apxs you need to install the mysql-devel package for the include files and library:

    dnf install mysql-devel        (actually it is mariadb-devel)

Also the original source code is for Apache 1.
To work with 2.4, you need to apply the patch from http://sourceforge.net/p/modauthmysql/patches/13/attachment/mod_auth_mysql_3.0.0_patch_apache2.4.diff (cited in http://sourceforge.net/p/modauthmysql/patches/13/). In the mod_auth_mysql-3.0.0 directory run:

    patch < mod_auth_mysql_3.0.0_patch_apache2.4.diff

Then apply the compile command from http://modauthmysql.sourceforge.net/BUILD:

    apxs -c -L/usr/lib64/mysql -I/usr/include/mysql -lmysqlclient -lm -lz mod_auth_mysql.c

If it runs into the error that it cannot find the libmysqlclient.so file, the library could be in a different directory. By running

    repoquery -q -l --plugins mariadb-devel

we find the library path is now /usr/lib64/mysql. Now it compiles successfully. We can install the .la file into /etc/httpd/modules with

    apxs -i mod_auth_mysql.la

Restart httpd:

    systemctl restart httpd.service

We can now test mod_auth_mysql on http://cs526rs1.csnet.uccs.edu/sec/ . Use the credentials in the chowdb member1 table. You can access them with http://cs526rs1.csnet.uccs.edu/phpmyadmin/

upload.php

Make sure the studentproj directory type is changed to writable by apache:

    chcon -R -t public_content_rw_t studentproj

Also set the SELinux flag to allow httpd to write:

    setsebool -P allow_httpd_anon_write 1

Note that for a rw directory in the /var/www/html or cgi-bin area you need to use httpd_sys_rw_content_t; public_content_rw_t will not work!! They are getting pickier.

PHP upload file size is restricted by two settings in /etc/php.ini: post_max_size and upload_max_filesize. They are set to defaults of 8M and 2M. You need to change the settings if you would like to upload bigger files.

    ; Maximum allowed size for uploaded files.
    ; http://php.net/upload-max-filesize
    upload_max_filesize = 200M

    ; Maximum size of POST data that PHP will accept.
    ; Its value may be 0 to disable the limit. It is ignored if POST data reading
    ; is disabled through enable_post_data_reading.
    ; http://php.net/post-max-size
    post_max_size = 200M

Convert a ^M DOS file to Unix line feeds (\r) with the vi command

    :s/^M/\r/g

Use Control-V Control-M to get the ^M character.

[Using authn_dbd mysql database to verify password access to a secure web directory]

We used to use the AuthMySQL software to implement this, but compiling the source code is getting difficult and it is not well supported. It is recommended to use the authn_dbd Apache module!! See https://www.experts-exchange.com/articles/3270/Enabling-and-Administering-Apache's-HTTPD-authn-dbd-MySQL-authentication-through-PHP-on-Suse.html

Password format (we will use SHA1): https://httpd.apache.org/docs/2.4/mod/mod_authn_dbd.html

The mysql dbd driver is not included in the default Apache modules distribution in the /etc/httpd/modules directory. We need to install it using

    dnf install apr-util-mysql

We then find out where apr_dbd_mysql.so is installed with

    [root@fc28 modules]# rpm -ql apr-util-mysql
    /usr/lib/.build-id
    /usr/lib/.build-id/ee
    /usr/lib/.build-id/ee/487227c66facae272998409498ec733fed823a
    /usr/lib64/apr-util-1/apr_dbd_mysql-1.so
    /usr/lib64/apr-util-1/apr_dbd_mysql.so

Copy the .so file to /etc/httpd/modules with

    cp /usr/lib64/apr-util-1/apr_dbd_mysql.so /etc/httpd/modules

We add the following lines to /etc/httpd/conf/httpd.conf at the end, before the "# Supplemental configuration" line:

    DBDriver mysql
    DBDParams "host=127.0.0.1 dbname=chowdb user=chow pass=#Uc2013lions$"
    DBDMin 4
    DBDKeep 8
    DBDMax 20
    DBDExptime 300

    # mod_authn_core and mod_auth_basic configuration
    # for mod_authn_dbd
    AuthType Basic
    AuthName "Secure Access Using AuthnDBD"

    # To cache credentials, put socache ahead of dbd here
    AuthBasicProvider socache dbd

    # Also required for caching: tell the cache to cache dbd lookups!
    AuthnCacheProvideFor dbd
    AuthnCacheContext my-server

    # mod_authz_core configuration
    Require valid-user

    # mod_authn_dbd SQL query to authenticate a user
    AuthDBDUserPWQuery "SELECT password FROM member2 WHERE email = %s"

Restart httpd with

    systemctl restart httpd.service

We use htpasswd to generate the encrypted password in SHA1 format:

    [root@fc28 authdbd]# htpasswd -bns cchow@uccs.edu cs00net
    cchow@uccs.edu:{SHA}eodYrlFnBZu2DTm79X3g8HmlyMw=
    [root@fc28 authdbd]# htpasswd -bns jk@uccs.edu cs00net
    jk@uccs.edu:{SHA}eodYrlFnBZu2DTm79X3g8HmlyMw=

We then put {SHA}eodYrlFnBZu2DTm79X3g8HmlyMw= in the password field of the member2 table. Note that .htaccess does not seem to work; we need to put these directives in a Directory section of the httpd configuration. In my case [secretDir] is authdbd.
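The {SHA} value that htpasswd -s writes, and that the member2 password column holds, is just base64 of an unsalted SHA-1 digest, which is why the two users above received identical strings. The following added Python example (not from these notes or from the Apache project) reproduces that format, verifies a candidate password against a stored value, and flags entries in a constructed sample table that share a hash; the addresses and passwords in it are placeholders.

```python
from __future__ import annotations

import base64
import hashlib
import hmac

# htpasswd -s stores "{SHA}" + base64(SHA-1(password)): no salt, so two users
# with the same password get byte-identical entries, as the cchow/jk lines show.
SHA_PREFIX = "{SHA}"


def htpasswd_sha1(password: str) -> str:
    """Return the same {SHA} field that `htpasswd -s` writes for a password."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return SHA_PREFIX + base64.b64encode(digest).decode("ascii")


def parse_htpasswd_line(line: str) -> tuple[str, str]:
    """Split 'user:{SHA}...' into (user, stored_hash)."""
    user, sep, stored = line.strip().partition(":")
    if not sep or not stored.startswith(SHA_PREFIX):
        raise ValueError("not a {SHA} htpasswd entry: %r" % line)
    return user, stored


def verify_sha1(stored: str, candidate: str) -> bool:
    """Constant-time check of a candidate password against a stored {SHA} value."""
    if not stored.startswith(SHA_PREFIX):
        return False
    return hmac.compare_digest(htpasswd_sha1(candidate), stored)


# Constructed sample rows standing in for the member2 table; the addresses
# and passwords are placeholders, not the real entries from the notes.
SAMPLE_TABLE = [
    "alice@example.test:" + htpasswd_sha1("abc"),
    "bob@example.test:" + htpasswd_sha1("abc"),
    "carol@example.test:" + htpasswd_sha1("another-password"),
]


def duplicate_hashes(rows: list[str]) -> dict[str, list[str]]:
    """Map each stored hash shared by more than one user to those users."""
    seen: dict[str, list[str]] = {}
    for row in rows:
        user, stored = parse_htpasswd_line(row)
        seen.setdefault(stored, []).append(user)
    return {h: users for h, users in seen.items() if len(users) > 1}


if __name__ == "__main__":
    print(htpasswd_sha1("abc"))  # {SHA}qZk+NkcGgWq6PiVxeFDCbJzQ2J0=
    print(duplicate_hashes(SAMPLE_TABLE))
```

Anyone who can read the member2 table can therefore see which accounts share a password; the duplicate_hashes check is the quick way to spot that before the table goes live.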