How to build a FreeBSD server

A server is not all things to all people. The server described here is intended primarily for serving web-based applications and providing Microsoft Windows file sharing to a local or distributed work team, either connected directly to the internet through an ISP or through an enterprise IT infrastructure. DNS or DHCP, if available, are assumed to be provided by the ISP or enterprise IT infrastructure. Print services are assumed to be provided through local printers, the enterprise IT infrastructure, or by workstation peer-to-peer printer sharing (i.e., not by this server).

It is generally assumed that client workstations will use Microsoft Windows, and if an enterprise infrastructure exists, it will be based primarily on Microsoft Windows servers. However, this doesn't need to be the case.

Base System

 * Provision a basic x86 platform
 * Popular proven motherboard (e.g., Intel brand desktop board with on-board graphics and on-board LAN), x86 processor and RAM. A single-core 2GHz P4 with 512MB RAM can be adequate for a low-traffic website with an Apache/MySQL/PHP web stack.
 * Primary system drive (e.g., 500GB)
 * Secondary backup drive with the same or greater capacity as the primary drive
 * DVD drive to simplify installing FreeBSD (with BIOS support for booting from the DVD; USB and bootstrapped network installs are also possible)


 * Download the FreeBSD 8.2-RELEASE CD/DVD ISO using the torrent available on http://www.freebsd.org and perform a basic system install, using automatic settings for disk partition and slices. Refer to the Handbook, Hong, Lucas, or any number of on-line tutorials.


 * Use sysinstall to configure the backup drive (partition and slice), and add the drive and mount point to /etc/fstab so it is automatically mounted during system boot. See Hong.


 * Update FreeBSD using freebsd-update and reboot.


 * 1) freebsd-update fetch
 * 2) freebsd-update install
 * 3) shutdown -r now


 * Update the FreeBSD ports tree using portsnap instead of cvsup.

Initial update:
 * 1) portsnap fetch
 * 2) portsnap extract

Subsequent updates (before installing or updating a port):
 * 1) portsnap fetch
 * 2) portsnap update


 * Install portmaster (/usr/ports/ports-mgmt/portmaster) for performing ports maintenance, such as upgrading a port.


 * Install portaudit (/usr/ports/ports-mgmt/portaudit), for automatically reporting security issues with installed ports.

DDNS Client
Install a DDNS client if the server will use a dynamic IP address and DDNS service (e.g., No-IP.com)

E.g., to install the No-IP.com DDNS client, build the port, then follow its instructions to create /usr/local/etc/no-ip2.conf and enable the DDNS client by editing /etc/rc.conf:
 * 1) cd /usr/ports/dns/noip
 * 2) make install clean

OpenSSL
Keep the version of OpenSSL included in the base system instead of replacing it with the current version in the ports tree (the base system includes OpenSSL v0.9.8, the version in the ports tree as of 2011-10-09 is v1.0.0).


 * Add WITH_OPENSSL_BASE="YES" to /etc/make.conf to prevent the Ports Collection from building the security/openssl port if a port has an OpenSSL dependency (see Handbook, Section 15.8)


 * Create SSL hostkey and self-signed certificate for SSL over HTTP.

 * 1) openssl version
      OpenSSL 0.9.8q 2 Dec 2010
 * 2) make search name=openssl | grep Port  (from /usr/ports)
      Port:   openssl-1.0.0_6


 * edit the defaults in /etc/ssl/openssl.cnf (key names as they appear in the stock file; note the leading zero in 0.organizationName_default):

    default_days                   = 1095
    countryName_default            = CA
    stateOrProvinceName_default    = Alberta
    0.organizationName_default     = dalescott.net
    localityName_default           = Calgary
    organizationalUnitName_default = Authorial Division
    commonName_default             = www.dalescott.net
    emailAddress_default           = dale@dalescott.net


 * Create a self-signed SSL host certificate either using openssl directly, or using the CA.pl script

Use openssl directly
 * 1) cd /etc/ssl/
 * 2) openssl genrsa 1024 > host.key
      - generate the SSL host key
 * 3) chmod 600 host.key
      - make the key read/write only by root
 * 4) openssl req -new -key host.key -out csr.pem
      - create the certificate request; don't enter a challenge password or optional company name
 * 5) openssl x509 -req -days 1095 -in csr.pem -signkey host.key -out selfsigned.crt
      - self-sign the certificate

Use CA.pl

 * Although OpenSSL is installed as part of the FreeBSD base, the complete contents of the OpenSSL port are not installed; in particular the popular CA.pl Perl script for driving openssl is absent. If you installed FreeBSD with its sources, CA.pl can probably be found here:

/usr/src/crypto/openssl/apps/CA.pl

or alternatively, CA.pl can be extracted from an OpenSSL tarball:


 * 1) cd /usr/ports/security/openssl
 * 2) make fetch
 * 3) mkdir ~/temp/
 * 4) cd ~/temp/
 * 5) tar -xzf /usr/ports/distfiles/openssl-1.0.0e/openssl-1.0.0e.tar.gz
 * 6) mkdir /etc/ssl/certs
 * 7) cp ~/temp/openssl-1.0.0e/apps/CA.pl /etc/ssl/certs/
 * 8) chmod 744 /etc/ssl/certs/CA.pl
 * 9) rm -r ~/temp/

and then proceed with creating keys and certificates.

 * 1) cd /etc/ssl/certs/
 * 2) ./CA.pl -newca
      - create a certificate authority (CA)
      - Common Name can be the company name (i.e., not the server name)
      - enter the same PEM passphrase at the 2nd prompt as entered at the 1st prompt
 * 3) ./CA.pl -newreq
      - create an encrypted host key and certificate request
      - Common Name must be the server name
      - for convenience, the same PEM passphrase can be entered at the prompt as used for the CA
 * 4) ./CA.pl -signreq
      - sign the encrypted host key with the certificate authority
      - enter the same PEM passphrase at the prompt as used to create the host key
 * 5) cp newcert.pem host.example.com-cert.pem
      - copy the signed host certificate, encrypted host key, CA certificate and encrypted CA key to meaningful filenames
 * 6) cp newkey.pem host.example.com-encrypted-key.pem
 * 7) cp demoCA/cacert.pem example.com-CAcert.pem
 * 8) cp demoCA/private/cakey.pem example.com-encrypted-CAkey.pem
 * 9) openssl rsa -in host.example.com-encrypted-key.pem -out host.example.com-unencrypted-key.pem
      - unencrypt the host key; enter the PEM passphrase used to create the host key at the prompt
 * 10) chmod 400 host.example.com-unencrypted-key.pem
      - change permissions of the unencrypted key for security
 * 11) openssl x509 -in example.com-CAcert.pem -inform PEM -out example.com-CAcert.cer -outform DER
      - convert the CA certificate to DER format for Microsoft Windows clients
 * 12) uuencode example.com-CAcert.cer example.com-CAcert.cer | mail -s "Subject-text" user@example.com
      - copy the DER-encoded certificate to users (e.g., by email)
      - the 2nd filename given to uuencode is only the name the recipient sees; it is not physically created (i.e., the 1st file won't be overwritten)
 * 13) zip example.com-CAcert.cer.zip example.com-CAcert.cer
      - some mail clients (e.g., MS Outlook) may block the certificate file for security reasons; in this case, zip the binary certificate first before emailing it
 * 14) uuencode example.com-CAcert.cer.zip example.com-CAcert.cer.zip | mail -s "Subject-text" user@example.com
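The CA.pl steps above and the direct-openssl steps in the previous subsection, as an added shell example that is not part of the original page: it builds the CA, host key and CA-signed host certificate with plain openssl commands and then runs the checks an operator wants before handing the files to Apache or OpenVPN (chain verifies, key matches certificate, CN is the hostname, key file is root-only, DER export round-trips). It assumes 2048-bit RSA keys (the page uses 1024), unencrypted keys so that it runs unattended, and the page's file naming; the hostnames are placeholders.

```shell
#!/bin/sh
# Added example (not the page's procedure): private CA + CA-signed host cert
# with plain openssl, followed by the checks worth running before deployment.
# Assumptions: 2048-bit RSA, 1095-day validity (the page's openssl.cnf value),
# unencrypted keys, and the page's file naming scheme.

DAYS=1095

# Create the CA key and self-signed CA certificate in directory $1.
# CN is the company name (assumed "example.com"), as the page says for -newca.
make_ca() {
    dir="$1"
    openssl genrsa -out "$dir/example.com-CAkey.pem" 2048 2>/dev/null || return 1
    chmod 400 "$dir/example.com-CAkey.pem"
    openssl req -x509 -new -key "$dir/example.com-CAkey.pem" -days "$DAYS" \
        -subj "/C=CA/ST=Alberta/L=Calgary/O=example.com/CN=example.com" \
        -out "$dir/example.com-CAcert.pem" 2>/dev/null
}

# Create the host key and CSR in $1 for hostname $2, then sign the CSR with
# the CA.  CN must be the server name, as the page says for -newreq.
# (Modern browsers additionally require a subjectAltName; not added here.)
make_host_cert() {
    dir="$1"; host="$2"
    openssl genrsa -out "$dir/$host-unencrypted-key.pem" 2048 2>/dev/null || return 1
    chmod 400 "$dir/$host-unencrypted-key.pem"
    openssl req -new -key "$dir/$host-unencrypted-key.pem" \
        -subj "/C=CA/ST=Alberta/L=Calgary/O=example.com/CN=$host" \
        -out "$dir/$host-csr.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/$host-csr.pem" -days "$DAYS" \
        -CA "$dir/example.com-CAcert.pem" -CAkey "$dir/example.com-CAkey.pem" \
        -CAcreateserial -out "$dir/$host-cert.pem" 2>/dev/null
}

# Check 1: host certificate $2 chains to CA certificate $1 (what clients verify).
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# Check 2: private key $2 belongs to certificate $1.  A mismatch is the usual
# cause of an Apache/OpenVPN start-up failure after files are copied around.
key_matches_cert() {
    c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null | openssl md5)
    k=$(openssl rsa  -noout -modulus -in "$2" 2>/dev/null | openssl md5)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Check 3: print the CN of certificate $1 (works with old and new subject formats).
cert_cn() {
    openssl x509 -noout -subject -in "$1" 2>/dev/null |
        sed -n 's/.*CN *= *\([^,\/]*\).*/\1/p'
}

# Check 4: key file $1 is readable by its owner only (the page's chmod 400).
key_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-r--------" ]
}

# Export CA certificate $1 as DER file $2 for Windows clients and confirm the
# DER file parses back to the same subject.
export_ca_der() {
    openssl x509 -in "$1" -inform PEM -out "$2" -outform DER 2>/dev/null || return 1
    [ "$(openssl x509 -inform DER -in "$2" -noout -subject 2>/dev/null)" = \
      "$(openssl x509 -inform PEM -in "$1" -noout -subject 2>/dev/null)" ]
}
```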

TODO
 * consider any clarity gained by using CA.pl to create keys for SSL over HTTP (as per Hong), especially if CA.pl will be used to create keys for OpenVPN
 * add creating server keys for OpenVPN (describe key creation under the OpenVPN section)
 * consider any consolidation possible between keys for SSL over HTTP and keys for OpenVPN
 * consider publishing CA public key and server public key on enterprise website (e.g., SCC QMS)

OpenSSH
Keep the version of OpenSSH included in the base system instead of replacing it with the current version in the ports tree (the base system includes OpenSSH v5.4, the version in the ports tree as of 2011-10-09 is v5.2). No configuration is required.

 * 1) telnet localhost 22
      Trying 127.0.0.1...
      Connected to localhost.
      Escape character is '^]'.
      SSH-2.0-OpenSSH_5.4p1 FreeBSD-20100308
 * 2) make search name=openssh | grep Port  (from /usr/ports)
      Port:   openssh-portable-5.2.p1_4,1

TODO
 * consider publishing public server SSH key on enterprise website (e.g., SCC QMS)

NTP
Use the version of NTP included in the base system instead of installing a newer version from the ports tree (the base system includes v4.2.4, the version in the ports tree as of 2011-10-09 is v4.2.6). The only configuration required is to enable the ntpd daemon in /etc/rc.conf (although editing the list of NTP servers used in /etc/ntp.conf may improve time synchronization):

    ntpd_enable="YES"

Backups
Implement a basic backup procedure using a daily full system dump.


 * Create a shell script to back up the system drive file system to the backup drive. THIS SCRIPT DOES NOT DELETE OLD BACKUP DUMPS, YOU MUST MONITOR BACKUP DRIVE CAPACITY AND DELETE OLD DUMPS MANUALLY AS NEEDED. Adding deletion of old backup dumps to the script is left as an exercise for the reader (and sharing back your solution would be sincerely appreciated!).

 * 1) cat /root/bin/mydump_daily
      #!/bin/sh
      #
      # Create filesystem backup dump
      #  - creates dated backup dir and separately dumps /, /var, and /usr
      #  - execution must start AND complete on same calendar day!
      #  - does not cleanup old backup dir's - manage diskspace manually!
      #
      echo Backup Started `date` >> /backup/backuplog
      mkdir /backup/`date +%Y%m%d`
      dump -0 -a -L -f /backup/`date +%Y%m%d`/root.ad4s1a.dump /
      dump -0 -a -L -f /backup/`date +%Y%m%d`/var.ad4s1d.dump /var
      dump -0 -a -L -f /backup/`date +%Y%m%d`/usr.ad4s1f.dump /usr
      echo Backup Completed `date` >> /backup/backuplog
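A hardened variant of mydump_daily, added here as an example and not the page's own script: it captures the date once (so a run that crosses midnight still lands in a single directory) and prunes old dated dump directories, which is the exercise the text leaves to the reader. The backup mount point, device names and retention count are assumptions; the pruning logic is separated from the dump so it can be exercised on an ordinary directory.

```shell
#!/bin/sh
# Added example (not the page's script): daily dump with a date captured ONCE
# and automatic pruning of old dated dump directories.
# Assumptions: backup drive mounted at /backup, device names as on the page,
# and 7 daily directories retained.

BACKUP_ROOT="${BACKUP_ROOT:-/backup}"   # assumed mount point of the backup drive
KEEP="${KEEP:-7}"                       # assumed number of daily dumps to keep

# Print the dated dump directories (names of the form YYYYMMDD) under $1,
# oldest first.  Other files and directories (backuplog, lost+found) are ignored.
list_dump_dirs() {
    for d in "$1"/[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]; do
        [ -d "$d" ] && basename "$d"
    done | sort
}

# Number of dated dump directories under $1.
count_dump_dirs() {
    list_dump_dirs "$1" | wc -l | tr -d ' '
}

# Delete all but the newest $2 dated dump directories under $1 and print the
# names removed (one per line).  Keeping at least one full dump is the
# caller's responsibility: pass $2 >= 1.
prune_old_dumps() {
    root="$1"; keep="$2"
    excess=$(( $(count_dump_dirs "$root") - keep ))
    [ "$excess" -gt 0 ] || return 0
    list_dump_dirs "$root" | head -n "$excess" | while read -r name; do
        rm -rf "$root/$name"
        echo "$name"
    done
    return 0
}

# Full dump of /, /var and /usr into one dated directory, then prune.
# The date is evaluated once, so a run spanning midnight cannot split
# its dumps across two directories (the bug noted in the page's script).
run_daily_dump() {
    today=$(date +%Y%m%d)
    dest="$BACKUP_ROOT/$today"
    log="$BACKUP_ROOT/backuplog"
    echo "Backup Started $(date)" >> "$log"
    mkdir -p "$dest" || return 1
    dump -0 -a -L -f "$dest/root.ad4s1a.dump" /    || return 1
    dump -0 -a -L -f "$dest/var.ad4s1d.dump"  /var || return 1
    dump -0 -a -L -f "$dest/usr.ad4s1f.dump"  /usr || return 1
    echo "Backup Completed $(date)" >> "$log"
    echo "Pruned old dumps:" >> "$log"
    prune_old_dumps "$BACKUP_ROOT" "$KEEP" >> "$log"
}

# The dumps only run when explicitly requested, e.g. from cron as
#   MYDUMP_RUN=yes /root/bin/mydump_daily
if [ "${MYDUMP_RUN:-}" = "yes" ]; then
    run_daily_dump
fi
```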


 * Edit the system crontab file (/etc/crontab) to schedule the backup to run daily by appending the following:

    #
    # Custom system maintenance
    # 2011-07-11  dale scott  backup system @ 02:01 daily (2:01 AM)
    #
    1      2       *       *       *       root    /root/bin/mydump_daily

Convenient Utilities
Install convenient utilities ("# rehash" may be required after installation before use)

flip - Convert text file line endings between Unix and DOS formats
 * 1) cd /usr/ports/textproc/flip
 * 2) make config ; make install clean

unzip - List, test and extract compressed files in a ZIP archive
 * 1) cd /usr/ports/archivers/unzip
 * 2) make config ; make install clean

zip - Create/update ZIP files compatible with pkzip
 * 1) cd /usr/ports/archivers/zip
 * 2) make config ; make install clean

tree - Display a tree-view of directories
 * 1) cd /usr/ports/sysutils/tree
 * 2) make config ; make install clean

ytree - DOS-XTREE(tm) look-a-like file manager
 * 1) cd /usr/ports/misc/ytree
 * 2) make config ; make install clean

lynx - A non-graphical, text-based World-Wide Web client
 * 1) cd /usr/ports/www/lynx
 * 2) make config ; make install clean

wget - Retrieve files from the Net via HTTP(S) and FTP
 * 1) cd /usr/ports/ftp/wget
 * 2) make config ; make install clean

webmin - Web-based interface for system administration
 * 1) cd /usr/ports/sysutils/webmin
 * 2) make config ; make install clean

Webmin Server Management
Webmin is a web-based interface for administering Unix systems. For many tasks, Webmin can simplify administration and reduce errors. Webmin can also provide remote administration in environments where ssh access is blocked by a firewall. By default Webmin will be available at http://www.server.dom:10000

 * 1) cd /usr/ports/sysutils/webmin
 * 2) make config ; make install clean
 * 3) /usr/local/lib/webmin/setup.sh
      - configure Webmin (accept all defaults for a basic install)
 * 4) vi /etc/rc.conf and add the following line:
      webmin_enable="YES"
 * 5) /usr/local/etc/rc.d/webmin start
      - start Webmin for the first time

Most Webmin modules will be automatically configured, but some must be manually configured for FreeBSD.

Apache Web Server Module
The Webmin Apache Web Server Module must be manually configured after installing the Web Stack.

Log in to Webmin, access the Apache Web Server module under Un-used Modules and enter the following configuration values:

    Path to httpd.conf:  /usr/local/etc/apache22/httpd.conf
    Path to srm.conf:    /usr/local/etc/apache22/Includes/srm.conf
    Path to access.conf: /usr/local/etc/apache22/Includes/access.conf
    Path to mime.types:  /usr/local/etc/apache22/mime.types

srm.conf and access.conf files will not be present unless created manually (they are not created as part of a basic Apache2 install).

Mercurial Version Control System

 * Mercurial - Fast, lightweight distributed source control management system


 * 1) cd /usr/ports/devel/mercurial
 * 2) make config ; make install clean
 * 3) rehash

Postfix MTA
This procedure also borrows from http://linuxgravity.com/postfix-send-only-configuration-for-non-local-domains

Postfix is installed for web applications to send mail. It is assumed that web applications on the server will originate mail for either local delivery, or which will be relayed through an existing mail server in an enterprise environment. In an enterprise environment, it is also assumed that the enterprise mail server will not require either authentication or encryption to relay mail.

The Sendmail MTA (Mail Transfer Agent) is included in the FreeBSD base system, but configuring it can be complicated. A number of simple MTAs exist, but are generally only suitable for the specific situations they were created for. Postfix is a popular general purpose MTA, and simpler to configure than Sendmail.


 * Install Postfix
 * 1) cd /usr/ports/mail/postfix
 * 2) make config  (accept defaults)
 * 3) make install clean  (activate Postfix in /etc/mail/mailer.conf when asked)


 * Edit /usr/local/etc/postfix/main.cf to configure Postfix:
      - keep the default mydestination ($myhostname + localhost.$mydomain)
      - keep the default mynetworks_style
        mynetworks_style = host
      - edit relayhost to specify the system mail server
        relayhost = [servername.domain.tld]
      - edit home_mailbox to enable delivery of mail to local users
        home_mailbox = Maildir/


 * Create an alias to forward root mail to the external system administrator
 * 1) vi /etc/mail/aliases and add the root alias:
      root: username@example.com
 * 2) /usr/local/bin/newaliases  (update aliases.db)


 * edit /etc/rc.conf to enable Postfix at boot and disable Sendmail:

    postfix_enable="YES"
    sendmail_enable="NO"
    sendmail_submit_enable="NO"
    sendmail_outbound_enable="NO"
    sendmail_msp_queue_enable="NO"


 * Create /etc/periodic.conf to override the defaults in /etc/defaults/periodic.conf:

    daily_clean_hoststat_enable="NO"
    daily_status_mail_rejects_enable="NO"
    daily_status_include_submit_mailq="NO"
    daily_submit_queuerun="NO"


 * Stop Sendmail, delete Sendmail queue and start Postfix


 * 1) killall sendmail
 * 2) rm /var/spool/mqueue/*
 * 3) /usr/local/etc/rc.d/postfix restart


 * Verify Postfix works correctly by sending test emails.
 * 1) echo "testing local delivery" | mail -s "test email to local root user" root
      - mail should be delivered
 * 2) echo "testing ext domain delivery" | mail -s "test email to outside user" user@mailserver.dom
      - mail should be delivered
 * 3) echo "testing ext domain delivery" | mail -s "test email to outside user" user@extdomain.dom
      - mail should NOT be delivered

OpenVPN Server
OpenVPN is installed to provide Windows workstations connected to the internet access to shared files on the server (shared using Samba). OpenVPN is not required if internet workstations do not need to access shared files, or in an enterprise environment where a VPN server already exists.

See the SSL section for creating server keys; this section only describes how to specify the server keys as part of the OpenVPN configuration. The procedure for creating client keys is given here.


 * 1) cd /usr/ports/security/openvpn
 * 2) make config accept defaults
 * 3) make install clean
 * 4) rehash


 * find IP address of local default gateway and network device name, and configured DNS servers


 * 1) netstat -rn | grep default
 * 2) grep nameserver /etc/resolv.conf


 * create directory and copy configuration file


 * 1) mkdir /usr/local/etc/openvpn
 * 2) cd /usr/local/etc/openvpn
 * 3) cp /usr/local/share/doc/openvpn/sample-config-files/server.conf .


 * create directory for SSL certificates and keys


 * 1) mkdir /usr/local/etc/openvpn/keys

OpenLDAP Server
TODO - complete procedure

OpenLDAP can be used by web applications to authenticate users against a common source of truth. In an enterprise environment, the web applications may be configured to authenticate using a Microsoft Active Directory server (also an LDAP implementation).


 * 1) cd /usr/ports/net/openldap24-server
 * 2) make config ; make install clean
 * 3) rehash

phpLDAPAdmin
phpLDAPAdmin requires the web application stack. Complete the web stack installation first, then return here and continue installing phpLDAPAdmin.


 * 1) cd /usr/ports/net/phpldapadmin
 * 2) make config
 * 3) make install clean


 * Edit /usr/local/www/phpldapadmin/config/config.php
 * Create /usr/local/etc/apache22/Includes/phpldapadmin.conf (force SSL connection)

IMAP Server and WebMail Portal
This procedure is not required if there will be no local system users. The Procmail MDA (Mail Delivery Agent) is installed to deliver mail to local system users, and Courier-authlib / Courier-IMAP and SquirrelMail are installed to provide web-based access to local mail.

Procmail
Spam filtering will not be configured because the system does not accept external mail.


 * 1) cd /usr/ports/mail/procmail
 * 2) make install clean


 * edit Postfix main.cf to specify Procmail as the local MDA
 * 1) vi /usr/local/etc/postfix/main.cf and add:
      mailbox_command = /usr/local/bin/procmail
 * 2) postfix reload

Courier-authlib
Install Courier-authlib to provide required Courier-IMAP authentication (required for a client to connect to the Courier-IMAP server)


 * 1) cd /usr/ports/security/courier-authlib
 * 2) make config ; make install clean
 * 3) rehash

 * 1) vi /usr/local/etc/authlib/authdaemonrc and edit authmodulelist:
      authmodulelist="authpam"
 * 2) vi /etc/rc.conf and add the following line:
      courier_authdaemond_enable="YES"
 * 3) /usr/local/etc/rc.d/courier-authdaemond start
      - start the Courier-authlib daemon

Courier-IMAP

 * 1) cd /usr/ports/mail/courier-imap
 * 2) make config accept defaults
 * 3) make install clean

 * 4) vi /etc/rc.conf and add the following line:
      courier_imap_imapd_enable="YES"
 * 5) /usr/local/etc/rc.d/courier-imap-imapd start
      - start the IMAP daemon

SquirrelMail
SquirrelMail requires the web application stack. Complete the web stack installation first, then return here and continue installing SquirrelMail.

Mail attachments are limited to 2MB by PHP's default file upload limit.


 * 1) cd /usr/ports/mail/squirrelmail
 * 2) make config
 * 3) make -D WITH_LDAP install clean


 * Execute the SquirrelMail configuration utility and configure the following (minimum) settings:
 * 1) cd /usr/local/www/squirrelmail
 * 2) ./configure
      Server Settings / Domain - domain.dom or server.domain.dom
      Server Settings / Update IMAP Settings / Server Software - courier


 * Create /usr/local/etc/apache22/Includes/squirrelmail.conf (force SSL connection)

Samba CIFS Server
TODO - complete procedure

Enterprise IT infrastructures typically include Microsoft Windows servers and workstations. Installing Samba will give Microsoft Windows workstations access to shared directories in the server file system. Samba can also provide access to shared directories on a Windows server if permitted.

MDB Tools
MDB Tools is an open source project to document the MDB file format used by Microsoft Jet databases, and to provide a set of tools and applications that make data in Jet databases available on other platforms (built-in access is provided on current Microsoft Windows platforms). MDB Tools currently has read-only support for Access 97 (Jet 3) and Access 2000/2002 (Jet 4) formats.

Microsoft Access is a popular RAD (Rapid Application Development) environment for creating Jet-based database applications. An "Access database" can be easily developed and deployed within an organization to solve a specific problem, and generally without involving corporate IT. However, this often results in a proliferation of incompatible applications and data repositories, which must eventually be integrated as an enterprise matures.


 * Download and extract mdbtools source to a temporary directory for building
 * Check out https://github.com/brianb/mdbtools for latest version of sources.
 * Check out http://mdbtools.sourceforge.net for mailing list and similar.


 * 1) mkdir /usr/home/dale/src/
 * 2) cd /usr/home/dale/src/
 * 3) tar -xzf brianb-mdbtools-3280842-2011-03-22.tar.gz
 * 4) cd mdbtools


 * Install GNU build toolchain needed for mdbtools (review mdbtools INSTALL file)
 * install libtool
 * install automake
 * install autoconf

 * 1) cd /usr/ports/devel/libtool
 * 2) make config
 * 3) make install clean
 * 4) rehash
 * 5) cd /usr/ports/devel/automake
 * 6) make config
 * 7) make install clean
 * 8) rehash
 * 9) cd /usr/ports/devel/autoconf
 * 10) make config
 * 11) make install clean
 * 12) rehash


 * Update glib with portmaster


 * 1) portmaster glib


 * Install txt2man (/usr/ports/textproc/txt2man) which is used by mdbtools to create man pages (but not a dependency of the port)


 * Build and install MDB Tools


 * 1) cd /usr/home/dale/src/mdbtools
 * 2) gmake clean
 * 3) ./autogen.sh
 * 4) ./configure
 * 5) gmake
 * 6) gmake install

Apache 2.2.x Web Server

 * Install the Apache22 port
 * 1) cd /usr/ports/www/apache22
 * 2) make config  (accept defaults)
 * 3) make install clean  (accept defaults for any dependency configurations)
 * 4) rehash


 * Basic config
 * 1) vi /usr/local/etc/apache22/httpd.conf and edit the following lines for a basic config:
      ServerAdmin you@example.com
      ServerName host.example.com:80
 * 2) uncomment the following line to enable SSL over HTTP (Lucas, Chapter 17):
      Include etc/apache22/extra/httpd-ssl.conf


 * Configure keys for SSL over HTTP (Lucas, Chapter 17). Client browsers will report self-signed keys as untrusted, which can be avoided by either having the key signed by a commercial CA (Certificate Authority), or by configuring client browsers to trust the certificate (see How to trust a self-signed SSL browser certificate).

 * 1) vi /usr/local/etc/apache22/extra/httpd-ssl.conf and edit the following values (same hostname as the Common Name in the cert):
      ServerName host.example.com:443
      ServerAdmin you@example.com
      SSLCertificateFile "/etc/ssl/selfsigned.crt"
      SSLCertificateKeyFile "/etc/ssl/host.key"


 * Stop and restart Apache


 * 1) /usr/local/etc/rc.d/apache22 stop
 * 2) /usr/local/etc/rc.d/apache22 start

PHP 5.3.x

 * Install PHP
 * 1) cd /usr/ports/lang/php5
 * 2) make config  (select the Apache module)
 * 3) make install clean


 * Basic config
 * 1) cd /usr/local/etc/
 * 2) cp php.ini-production php.ini  (or php.ini-development for rigorous error reporting)
 * 3) vi /usr/local/etc/php.ini
      - uncomment the following line:
        session.save_path = "/tmp"
      - edit the line to specify the timezone:
        date.timezone = "America/Edmonton"


 * Restart Apache


 * 1) /usr/local/etc/rc.d/apache22 restart


 * Install php5-extensions (/usr/ports/lang/php5-extensions). Accept defaults, confirming the selection as below.
 * 1) cd /usr/ports/lang/php5-extensions
 * 2) make config  (confirm selection as below)
 * 3) make install clean

php5-extensions configuration (D - selected default, Y - select additional, X - unselect default):

    CTYPE       D
    DOM         D
    FILTER      D
    GD          Y
    HASH        D
    ICONV       D
    JSON        D
    MYSQL       Y
    MYSQLI      Y
    PDO         D
    PDO_SQLITE  D
    SESSION     D
    SIMPLEXML   D
    SQLITE      D
    SQLITE3     D
    TOKENIZER   D
    XML         D
    XMLREADER   D
    XMLWRITER   D

MySQL 5.5.x

 * Install the MySQL port
 * 1) cd /usr/ports/databases/mysql55-server
 * 2) make config  (accept defaults)
 * 3) make -D BUILD_OPTIMIZED install clean  (the build of a previous version failed when this was not specified)
 * 4) rehash


 * Basic config
 * set up the grant tables, start the MySQL daemon, configure the local and remote root passwords, copy the my.cnf file, disable TCP networking, add mysql_enable="YES" to /etc/rc.conf and restart the server daemon
 * verify MySQL support is enabled in /usr/local/etc/php/extensions.ini
 * 1) cd /usr/local
 * 2) mysql_install_db --user=mysql
 * 3) mysqld_safe &
 * 4) mysqladmin -u root password 'localpassword'
 * 5) mysqladmin -u root -h server.domain.dom password 'remotepassword'
 * 6) cp /usr/local/share/mysql/my-medium.cnf /var/db/mysql/my.cnf
 * 7) vi /var/db/mysql/my.cnf  (uncomment skip-networking)
 * 8) vi /etc/rc.conf  (add mysql_enable="YES")
 * 9) /usr/local/etc/rc.d/mysql-server restart

phpMyAdmin 3.3.x
phpMyAdmin is a convenient web-based application for managing MySQL databases.


 * Install the phpMyAdmin port
 * 1) cd /usr/ports/databases/phpmyadmin
 * 2) make config  (add MYSQLI to the configuration)
 * 3) make install clean


 * Configure Apache to serve phpMyAdmin using SSL over HTTP (i.e., https:). The <Directory> container below is reconstructed (it was lost in extraction); AllowOverride is only valid inside one. Note the condition is %{HTTPS}, not %{HTPS}: a misspelled variable is always empty, so the redirect would never fire and phpMyAdmin logins would go over plain HTTP.
 * 1) vi /usr/local/etc/apache22/Includes/phpmyadmin and add the following lines:
      Alias /phpmyadmin "/usr/local/www/phpMyAdmin/"
      <Directory "/usr/local/www/phpMyAdmin/">
          Options none
          AllowOverride All
          Order Allow,Deny
          Allow from All
      </Directory>
      RewriteEngine On
      RewriteCond %{HTTPS} off
      RewriteCond %{REQUEST_URI} /phpmyadmin
      RewriteRule (.*) https://www.domain.dom/phpmyadmin/ [R]
 * 2) /usr/local/etc/rc.d/apache22 restart  (restart Apache)


 * Create MySQL user "pma" with all permissions on the "phpmyadmin" database
 * 1) mysql -u root -p
      mysql> grant select, insert, update, delete on phpmyadmin.* to
             pma@localhost identified by 'password';
      mysql> quit;


 * Prepare to update the phpMyAdmin config file using the phpMyAdmin configuration wizard (see http://www.phpmyadmin.net)
 * 1) mkdir /usr/local/www/phpMyAdmin/config/
 * 2) cp config.inc.php config/
 * 3) chmod -R o+rw config  (give the config file world read-write permission)


 * Browse to http://www.domain.dom/phpmyadmin/setup to run the configuration wizard with the following settings, save the configuration and manually move it back to the phpMyAdmin root directory:
      auth_type: cookie
      extension: mysqli
 * 1) cd /usr/local/www/phpMyAdmin
 * 2) mv config/config.inc.php .
 * 3) chmod o-rw config.inc.php  (remove world read-write permissions)
 * 4) rm -rf config


 * Enable phpMyAdmin special features (e.g., bookmarks, comments, SQL-history, tracking mechanism, PDF-generation, column contents transformation, ...)
 * 1) cd /usr/local/www/phpMyAdmin
 * 2) mysql -u root -p < scripts/create_tables.sql
 * 3) vi config.inc.php and add the following lines:
      $cfg['Servers'][$i]['bookmarktable'] = 'pma_bookmark';
      $cfg['Servers'][$i]['relation'] = 'pma_relation';
      $cfg['Servers'][$i]['userconfig'] = 'pma_userconfig';
      $cfg['Servers'][$i]['table_info'] = 'pma_table_info';
      $cfg['Servers'][$i]['column_info'] = 'pma_column_info';
      $cfg['Servers'][$i]['history'] = 'pma_history';
      $cfg['Servers'][$i]['tracking'] = 'pma_tracking';
      $cfg['Servers'][$i]['table_coords'] = 'pma_table_coords';
      $cfg['Servers'][$i]['pdf_pages'] = 'pma_pdf_pages';
      $cfg['Servers'][$i]['designer_coords'] = 'pma_designer_coords';
      - if phpMyAdmin later reports new special features are not enabled, re-edit config.inc.php and add the directed table references


 * If the server is for development (not production!), it may be convenient to prevent phpMyAdmin from automatically logging out users after the default timeout (5 minutes?).
 * 1) vi /usr/local/www/phpMyAdmin/config.inc.php and add the following lines:
      // increase login timeout (ok because this is a local Dev server!)
      // must also increase session.gc_maxlifetime (garbage collection) in php.ini
      $cfg['LoginCookieValidity'] = 3600 * 9; // = 60 sec/min * 60 min/hr * 9 hrs
 * 2) vi /usr/local/etc/php.ini and edit the following lines:
      ;session.gc_maxlifetime = 1440
      ; max session set to 9 hrs for phpMyAdmin (see LoginCookieValidity in
      ;  /usr/local/www/phpMyAdmin/config.inc.php). For this to work, max garbage
      ;  collection time must be set here to >9hrs = 32500 sec = (60x60x9)+100
      session.gc_maxlifetime = 32500


 * FYI, phpMyAdmin installs the following ports:
      php5-mbstring-5.3.8
      php5-bz2-5.3.8
      php5-openssl-5.3.8
      pecl-pdflib-2.1.8
      php5-zlib-5.3.8
      php5-mcrypt-5.3.8
      php5-zip-5.3.8
      pecl-APC-3.1.9_1
      oniguruma-4.7.1
      pdflib-7.0.4
      libmcrypt-2.5.8
      libltdl-2.4

Utilities
The following tools and commands maintain the additional software installed on the server not including component projects. For upgrading component projects, refer to the individual component project setup and maintenance pages.


 * portaudit - portaudit periodically checks the version of installed ports for reported vulnerabilities in a database maintained by the FreeBSD security team and e-mails the system root a report of any vulnerabilities found. For a current report, portaudit can be run manually from the command line:


 * 1) portaudit -Fda


 * portsnap - portsnap updates the ports tree with current port information.

Use "portsnap extract" instead of "portsnap update" the first time portsnap is used
 * 1) portsnap fetch
 * 2) portsnap update


 * portmaster - portmaster is used to manage installed ports and upgrade them to the current version without breaking dependencies or links to other programs. Current port configurations must be correct because portmaster will use existing configurations when building upgraded ports.

General Guidelines
Following are general guidelines for updating ports (e.g., due to a reported security vulnerability). Before starting any work, first back up the server, then manually stop the relevant daemons or disable them in /etc/rc.conf and reboot (after the maintenance is complete, re-enable the daemons in /etc/rc.conf and reboot):
 * 1) apache22_enable="YES"
 * 2) apache22_http_accept_enable="YES"
 * 3) courier_authdaemond_enable="YES"
 * 4) courier_imap_imapd_enable="YES"
 * 5) courier_imap_pop3d_enable="YES"
 * 6) mysql_enable="YES"

 * OpenSSL


 * 1) cd /usr/ports
 * 2) portmaster security/openssl


 * Apache

Backup Apache configuration files:
      /usr/local/etc/apache22/httpd.conf
      /usr/local/etc/apache22/Includes/*
      /usr/local/etc/apache22/extra/*
 * 1) cd /usr/ports
 * 2) portmaster www/apache22


 * MySQL Server

Backup MySQL Server configuration file /var/db/mysql/my.cnf, back up all databases using mysqldump, upgrade the port, then test MySQL Server:
 * 1) mysql -u root -p  (list the databases to be backed up)
      mysql> show databases;
 * 2) mysqldump -u root -p --all-databases >/backup/backup_mysql_all_databases.sql
 * 3) cd /usr/ports
 * 4) portmaster databases/mysql51-server/
 * 5) /usr/local/etc/rc.d/mysql-server start
      Starting mysql.
 * 6) mysql_upgrade --datadir=/var/db/mysql -u root -psTr@ty
      - a password given directly after -p is visible to every local user in the process list while the command runs; giving -p alone and entering the password at the prompt avoids this


 * PHP5

Backup PHP configuration files:
      /usr/local/etc/php.ini
      /usr/local/etc/php.conf
      /usr/local/etc/php/extensions.ini
 * 1) cd /usr/ports
 * 2) portmaster lang/php5

 * PHP5 extensions
 * 1) cd /usr/ports
 * 2) portmaster lang/php5-extensions

After upgrade, diff the config files against the backups and the new default files and edit as needed.


 * Cyrus-SASL


 * 1) cd /usr/ports
 * 2) portmaster security/cyrus-sasl2
 * 3) portmaster security/cyrus-sasl2-saslauthd


 * Png


 * 1) cd /usr/ports
 * 2) portmaster graphics/png


 * Curl


 * 1) cd /usr/ports
 * 2) portmaster ftp/curl/


 * phpMyAdmin

Backup phpMyAdmin configuration file /usr/local/www/phpMyAdmin/config.inc.php
 * 1) cd /usr/ports
 * 2) portmaster databases/phpmyadmin


 * Squirrelmail


 * 1) cd /usr/ports
 * 2) portmaster mail/squirrelmail
 * 3) cd /usr/local/www/squirrelmail
 * 4) ./configure


 * Pcre


 * 1) cd /usr/ports
 * 2) portmaster devel/pcre