From: Tom Rhodes
Date: Sun, 4 Oct 2020 05:07:49 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r54573 - head/en_US.ISO8859-1/books/handbook/network-servers

Author: trhodes
Date: Sun Oct 4 05:07:49 2020
New Revision: 54573
URL: https://svnweb.freebsd.org/changeset/doc/54573

Log:
  Update the PHP and SSL subsections of the Apache section.

  PR: 240956
  Reviewed by: bcr
  Sponsored by: https://reviews.freebsd.org/D26386

Modified:
  head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Sun Oct 4 03:55:59 2020 (r54572) +++ head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Sun Oct 4 05:07:49 2020 (r54573) @@ -3526,7 +3526,7 @@ freebsd.org. (A) modules. - <filename>mod_ssl</filename> + SSL support web servers 
@@ -3535,19 +3535,59 @@ freebsd.org. (A) SSL cryptography - The mod_ssl module uses the - OpenSSL library to provide strong - cryptography via the Secure Sockets Layer - (SSLv3) and Transport Layer Security - (TLSv1) protocols. This module provides - everything necessary to request a signed certificate from a - trusted certificate signing authority to run a secure web - server on &os;. + At one in point in time, support for SSL + inside of Apache required a secondary module called + mod_ssl. This is no longer the case and + the default install of Apache comes with SSL + built into the web server. An example of how to enable + support for SSL websites is available + in the installed file, httpd-ssl.conf + inside of the + /usr/local/etc/apache24/extra + directory. Inside this directory is also a sample file called + named ssl.conf-sample. It is recommended + that both files be evaluated to properly set up secure websites + in the Apache web server. - In &os;, mod_ssl module is enabled - by default in both the package and the port. The available - configuration directives are explained at http://httpd.apache.org/docs/current/mod/mod_ssl.html. + After the configuration of SSL is + complete, the following line must be uncommented in the main + http.conf to activate the changes on the + next restart or reload of Apache: + + #Include etc/apache24/extra/httpd-ssl.conf + + + SSL version two and version three have + known vulnerability issues. It is highly recommended TLS version + 1.2 and 1.3 be enabled in place of the older SSL options. 
+ This can be accomplished by setting the following options in the + ssl.conf: + + + SSLProtocol all -SSLv3 -SSLv2 +TLSv1.2 +TLSv1.3 +SSLProxyProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 + + To complete the configuration of SSL + in the web server, uncomment the following line to ensure that + the configuration will be pulled into Apache during restart or + reload: + + # Secure (SSL/TLS) connections +Include etc/apache24/extra/httpd-ssl.conf + + The following lines must also be uncommented in the + httpd.conf to fully support + SSL in Apache: + + LoadModule authn_socache_module libexec/apache24/mod_authn_socache.so +LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so +LoadModule ssl_module libexec/apache24/mod_ssl.so + + The next step is to work with a certificate authority + to have the appropriate certificates installed on the + system. This will set up a chain of trust for the site + and prevent any warnings of self-signed certificates. + 
@@ -3601,52 +3641,88 @@ freebsd.org. (A) allowing web developers to write dynamically generated webpages quickly. - To gain support for PHP5 for the - Apache web server, install the - www/mod_php56 package or port. This will - install and configure the modules required to support - dynamic PHP applications. The - installation will automatically add this line to - /usr/local/etc/apache24/httpd.conf: + Support for PHP for + Apache and any other feature + written in the language, can be added + by installing the appropriate port. - LoadModule php5_module libexec/apache24/libphp5.so + For all supported versions, search the package database + using pkg. Here is an example of the + available PHP packages as of the time + of this writing: - + A list will be displayed including the versions and + additional features they provide. The components are + completely modular, meaning features are enabled by + installing the appropriate port. To install + PHP version 7.4 for Apache, issue + the following command: - Then, perform a graceful restart to load the - PHP module: + &prompt.root; pkg install mod_php74 - &prompt.root; apachectl graceful + If any dependency packages need to be installed, they will + be installed as well. - The PHP support provided by - www/mod_php56 is limited. Additional - support can be installed using the - lang/php56-extensions port which provides - a menu driven interface to the available - PHP extensions. + By default, PHP will not be + enabled. The following lines will need to be added to + the Apache configuration file located in + /usr/local/etc/apache24 + to make it active: - Alternatively, individual extensions can be installed - using the appropriate port. For instance, to add - PHP support for the - MySQL database server, install - databases/php56-mysql. 
+ <FilesMatch "\.php$"> + SetHandler application/x-httpd-php +</FilesMatch> +<FilesMatch "\.phps$"> + SetHandler application/x-httpd-php-source +</FilesMatch> - After installing an extension, the - Apache server must be reloaded to - pick up the new configuration changes: + In addition, the in + the configuration file will also need to be updated + and Apache will either need to be restarted or reloaded + for the changes to take effect. + Support for many of the PHP + features may also be installed by using + pkg. For example, to install + support for XML or + SSL, install their respective + ports: + + &prompt.root; pkg install php74-xml php74-openssl + + As before, the Apache configuration will need to be + reloaded for the changes to take effect, even in cases + where it was just a module install. + + To perform a graceful restart to reload the + configuration, issue the following command: + &prompt.root; apachectl graceful + + Once the install is complete, there are two methods of + obtaining the installed PHP support modules + and the environmental information of the build. The first is + to install the full PHP binary and running + the command to gain the information: + + &prompt.root; pkg install php74 + &prompt.root; php -i |less + + It is necessary to pass the output to a pager, such as + the more or less to + easier digest the amount of output. + + Finally, to make any changes to the global configuration + of PHP there is a well documented file + installed into + /usr/local/etc/php.ini. + At the time of install, this file will not exist because there + are two versions to choose from, one is + php.ini-development and the other is + php.ini-production. These are starting + points to assist administrators in their deployment.
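Review bot: In the @@ -3535,19 +3535,59 @@ hunk, the added `SSLProtocol all -SSLv3 -SSLv2 +TLSv1.2 +TLSv1.3` line does not do what the paragraph above it recommends: `all` already includes TLSv1 and TLSv1.1 and nothing subtracts them, so the `+TLSv1.2 +TLSv1.3` tokens are redundant and the legacy TLS versions stay enabled. The `SSLProxyProtocol` line next to it does remove them, and the server line should match, for example `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` or `SSLProtocol -all +TLSv1.2 +TLSv1.3`. The same hunk says a separate mod_ssl module is no longer required, yet later tells the reader to uncomment `LoadModule ssl_module libexec/apache24/mod_ssl.so`. It also gives the Include instruction twice and names the files inconsistently (`http.conf` vs `httpd.conf`, `ssl.conf` vs `httpd-ssl.conf`). "At one in point in time" and "called named" are typos.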
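Review bot: In the @@ -3601,52 +3641,88 @@ hunk, three of the added passages are incomplete: "Here is an example of the available PHP packages as of the time of this writing:" is followed by no command or listing, "In addition, the in the configuration file will also need to be updated" never names the setting, and "there are two methods" goes on to describe only the first. Please fill these in or reword them. The added `<FilesMatch "\.phps$">` block with `SetHandler application/x-httpd-php-source` makes the server return highlighted PHP source for any .phps file, so it is worth marking as optional rather than listing it among the lines required to make PHP active. The php.ini paragraph should say which sample to copy to /usr/local/etc/php.ini, with php.ini-production as the starting point for a public server. "to easier digest" also reads awkwardly.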