Date: Sun, 4 Oct 2020 05:07:49 +0000 (UTC)
From: Tom Rhodes <trhodes@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r54573 - head/en_US.ISO8859-1/books/handbook/network-servers
Message-ID: <202010040507.09457nto014584@repo.freebsd.org>
Author: trhodes Date: Sun Oct 4 05:07:49 2020 New Revision: 54573 URL: https://svnweb.freebsd.org/changeset/doc/54573 Log: Update the PHP and SSL subsections of the Apache section. PR: 240956 Reviewed by: bcr Sponsored by: https://reviews.freebsd.org/D26386 Modified: head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Sun Oct 4 03:55:59 2020 (r54572) +++ head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Sun Oct 4 05:07:49 2020 (r54573) @@ -3526,7 +3526,7 @@ freebsd.org. (A) modules.</para> <sect3> - <title><filename>mod_ssl</filename></title> + <title>SSL support</title> <indexterm> <primary>web servers</primary> 
@@ -3535,19 +3535,59 @@ freebsd.org. (A) <indexterm><primary>SSL</primary></indexterm> <indexterm><primary>cryptography</primary></indexterm> - <para>The <filename>mod_ssl</filename> module uses the - <application>OpenSSL</application> library to provide strong - cryptography via the Secure Sockets Layer - (<acronym>SSLv3</acronym>) and Transport Layer Security - (<acronym>TLSv1</acronym>) protocols. This module provides - everything necessary to request a signed certificate from a - trusted certificate signing authority to run a secure web - server on &os;.</para> + <para>At one in point in time, support for <acronym>SSL</acronym> + inside of Apache required a secondary module called + <filename>mod_ssl</filename>. This is no longer the case and + the default install of Apache comes with <acronym>SSL</acronym> + built into the web server. An example of how to enable + support for <acronym>SSL</acronym> websites is available + in the installed file, <filename>httpd-ssl.conf</filename> + inside of the + <filename role="directory">/usr/local/etc/apache24/extra</filename> + directory. Inside this directory is also a sample file called + named <filename>ssl.conf-sample</filename>. It is recommended + that both files be evaluated to properly set up secure websites + in the Apache web server.</para> - <para>In &os;, <filename>mod_ssl</filename> module is enabled - by default in both the package and the port. 
The available - configuration directives are explained at <uri - xlink:href="http://httpd.apache.org/docs/current/mod/mod_ssl.html">http://httpd.apache.org/docs/current/mod/mod_ssl.html</uri>.</para> + <para>After the configuration of <acronym>SSL</acronym> is + complete, the following line must be uncommented in the main + <filename>http.conf</filename> to activate the changes on the + next restart or reload of Apache:</para> + + <programlisting>#Include etc/apache24/extra/httpd-ssl.conf</programlisting> + + <warning> + <para><acronym>SSL</acronym> version two and version three have + known vulnerability issues. It is highly recommended TLS version + 1.2 and 1.3 be enabled in place of the older SSL options. + This can be accomplished by setting the following options in the + <filename>ssl.conf</filename>:</para> + </warning> + + <programlisting>SSLProtocol all -SSLv3 -SSLv2 +TLSv1.2 +TLSv1.3 +SSLProxyProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1</programlisting> + + <para>To complete the configuration of <acronym>SSL</acronym> + in the web server, uncomment the following line to ensure that + the configuration will be pulled into Apache during restart or + reload:</para> + + <programlisting># Secure (SSL/TLS) connections +Include etc/apache24/extra/httpd-ssl.conf</programlisting> + + <para>The following lines must also be uncommented in the + <filename>httpd.conf</filename> to fully support + <acronym>SSL</acronym> in Apache:</para> + + <programlisting>LoadModule authn_socache_module libexec/apache24/mod_authn_socache.so +LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so +LoadModule ssl_module libexec/apache24/mod_ssl.so</programlisting> + + <para>The next step is to work with a certificate authority + to have the appropriate certificates installed on the + system. This will set up a chain of trust for the site + and prevent any warnings of self-signed certificates.</para> + </sect3> <sect3> 
@@ -3601,52 +3641,88 @@ freebsd.org. (A) allowing web developers to write dynamically generated webpages quickly.</para> - <para>To gain support for <acronym>PHP</acronym>5 for the - <application>Apache</application> web server, install the - <package>www/mod_php56</package> package or port. This will - install and configure the modules required to support - dynamic <acronym>PHP</acronym> applications. The - installation will automatically add this line to - <filename>/usr/local/etc/apache2<replaceable>4</replaceable>/httpd.conf</filename>:</para> + <para>Support for <acronym>PHP</acronym> for + <application>Apache</application> and any other feature + written in the language, can be added + by installing the appropriate port.</para> - <programlisting>LoadModule php5_module libexec/apache24/libphp5.so</programlisting> + <para>For all supported versions, search the package database + using <command>pkg</command>. Here is an example of the + available <acronym>PHP</acronym> packages as of the time + of this writing:</para> -<!-- -I do not think this is still needed -AddModule mod_php5.c - <IfModule mod_php5.c> - DirectoryIndex index.php index.html - </IfModule> - <IfModule mod_php5.c> - AddType application/x-httpd-php .php - AddType application/x-httpd-php-source .phps - </IfModule></programlisting> + <screen>&prompt.root; <userinput>pkg search php</userinput></screen> - --> + <para>A list will be displayed including the versions and + additional features they provide. The components are + completely modular, meaning features are enabled by + installing the appropriate port. 
To install + <acronym>PHP</acronym> version 7.4 for Apache, issue + the following command:</para> - <para>Then, perform a graceful restart to load the - <acronym>PHP</acronym> module:</para> + <screen>&prompt.root; <userinput>pkg install mod_php74</userinput></screen> - <screen>&prompt.root; <userinput>apachectl graceful</userinput></screen> + <para>If any dependency packages need to be installed, they will + be installed as well.</para> - <para>The <acronym>PHP</acronym> support provided by - <package>www/mod_php56</package> is limited. Additional - support can be installed using the - <package>lang/php56-extensions</package> port which provides - a menu driven interface to the available - <acronym>PHP</acronym> extensions.</para> + <para>By default, <acronym>PHP</acronym> will not be + enabled. The following lines will need to be added to + the Apache configuration file located in + <filename role="directory">/usr/local/etc/apache24</filename> + to make it active:</para> - <para>Alternatively, individual extensions can be installed - using the appropriate port. For instance, to add - <acronym>PHP</acronym> support for the - <application>MySQL</application> database server, install - <package>databases/php56-mysql</package>.</para> + <programlisting><FilesMatch "\.php$"> + SetHandler application/x-httpd-php +</FilesMatch> +<FilesMatch "\.phps$"> + SetHandler application/x-httpd-php-source +</FilesMatch></programlisting> - <para>After installing an extension, the - <application>Apache</application> server must be reloaded to - pick up the new configuration changes:</para> + <para>In addition, the <option>DirectoryIndex</option> in + the configuration file will also need to be updated + and Apache will either need to be restarted or reloaded + for the changes to take effect.</para> + <para>Support for many of the <acronym>PHP</acronym> + features may also be installed by using + <command>pkg</command>. 
For example, to install + support for <acronym>XML</acronym> or + <acronym>SSL</acronym>, install their respective + ports:</para> + + <screen>&prompt.root; <userinput>pkg install php74-xml php74-openssl</userinput></screen> + + <para>As before, the Apache configuration will need to be + reloaded for the changes to take effect, even in cases + where it was just a module install.</para> + + <para>To perform a graceful restart to reload the + configuration, issue the following command:</para> + <screen>&prompt.root; <userinput>apachectl graceful</userinput></screen> + + <para>Once the install is complete, there are two methods of + obtaining the installed <acronym>PHP</acronym> support modules + and the environmental information of the build. The first is + to install the full <acronym>PHP</acronym> binary and running + the command to gain the information:</para> + + <screen>&prompt.root; <userinput>pkg install php74</userinput></screen> + <screen>&prompt.root; <userinput>php -i |less</userinput></screen> + + <para>It is necessary to pass the output to a pager, such as + the <command>more</command> or <command>less</command> to + easier digest the amount of output.</para> + + <para>Finally, to make any changes to the global configuration + of <acronym>PHP</acronym> there is a well documented file + installed into + <filename role="directory">/usr/local/etc/php.ini</filename>. + At the time of install, this file will not exist because there + are two versions to choose from, one is + <filename>php.ini-development</filename> and the other is + <filename>php.ini-production</filename>. These are starting + points to assist administrators in their deployment.</para> </sect3> </sect2>