Introduction

The ubiquitous LAMP (Linux / Apache / MySQL / PHP) Stack that runs on just about every private or SOHO, and even enterprise level, deployment has scores of guides available across the Internet. If you are establishing your own web server for the first time, you can google "LAMP Stack $linux_flavour" and Google will return thousands of results; many of them up-to-date and accurate enough that you can reliably follow the steps provided to deploy a secure production environment where you can serve anything from your WordPress blog to private cloud storage with webmail and online calendar application. Attempting to do the same on OpenBSD, however, is not as fruitful; current, correct, and comprehensive guides are not as forthcoming from a Google search. To start, there is no comparable search pattern. For example, "OAMP Stack" (OpenBSD / Apache / MySQL / PHP) returns 23 results, most of which aren’t relevant, and less than a handful that are current and correct albeit short of comprehensive. Further, the base system web server included in an OpenBSD installation is named httpd, which presents more of a challenge in searching for quality content. There is, however, a silver lining for OpenBSD users: quality documentation and rock solid design. The official OpenBSD documentation is clear and concise; it's super easy to follow and always correct. And certainly much more reliable than the commonly praised and exhaustive, albeit garrulous, official documentation of its better known cousin, FreeBSD. Further, installation of OpenBSD ported packages provides additional system specific information in /usr/local/share/doc/pkg-readmes with step-by-step instructions that produce sane configuration and a working setup out of the box. OpenBSD developers have put in a lot of work to ensure users are met with a precision in documentation that is equal to the stability and security of the system. It is an example of quality trumping quantity and engineering brilliance!

With that in mind, you will find these pages presenting information sourced from the official OpenBSD documentation, provided in the website FAQ, as well as software official documentation. Proper use of these two sources combined with ad hoc use of relevant Manual pages are more often than not all that is needed for successful installation, configuration, and deployment of all services.

HTTP Daemon Setup

OpenBSD comes with its own web server: httpd. It is secure, lightweight and very simple to use.

In OpenBSD, rcctl is used to configure and control daemons and services; to enable and start httpd enter:

# rcctl enable httpd
# rcctl start httpd

The enable command adds an entry to /etc/rc.conf.local, which is where all the scripts that control the system daemons and services are either set or unset to run during system startup. The start command, as you would suspect, starts the httpd daemon.

OpenBSD provides an example configuration file in /etc/examples/httpd.conf that you can peruse if not use for yourself. Creating your own, though, is really very simple and can be done in as little as a half dozen non-whitespace lines.

Create a new /etc/httpd.conf file with your editor of choice, and add the following (replacing domain.tld with your site particulars):

server "domain.tld" {
     alias "www.domain.tld"
     listen on * port 80
     root "/site_name"
     directory index index.php

     location "/*.php*" { fastcgi socket "/run/php-fpm.sock" }

     location "/.well-known/acme-challenge/*" {
             root "/htdocs/acme"
             root strip 2
     }
}

The meanings of each line can be ascertained from the httpd.conf(5) man page. In short, the above will serve regular http (i.e., port 80) domain.tld and www.domain.tld requests from /var/www/site_name, and will process all PHP requests through a unix socket connection to the FastCGI Process Manager. The second location directive handles acme challenges that will be received when generating a HTTPS certificate with acme-client(1), which is described in detail in this post.

Before moving onto MariaDB installation, check that the syntax is correct with:

# httpd -vnf /etc/httpd.conf
configuration OK

That concludes the rather simple setup of the OpenBSD HTTP daemon, httpd.

Database Installation

OpenBSD offers both PostgreSQL and MariaDB, the open source MySQL fork, as binary packages available through pkg_add. PostgreSQL is an excellent (likely superior) alternative to MySQL, but its configuration is not as widely covered by the official documentation of many third-party applications. Plus, for most personal and SOHO environments it is arguably overkill, with any real advantage not being utilised. In contrast, MySQL/MariaDB installations share common syntax with most documentation from third-party apps. In short, MySQL/MariaDB is simpler than PostgreSQL and more than enough firepower for this use case so it will be installed with:

# pkg_add mariadb-server

Once downloaded, use the install script provided before enabling and starting the daemon:

# mysql_install_db
# rcctl enable mysqld
# rcctl start mysqld

MariaDB provides a post-install script to secure the daemon and create a root superuser account, which should be run with:

# mysql_secure_installation

A series of easily answered questions will follow; set the root password and answer yes to each question.

Once finished, before accessing the database, change the environment to delete MySQL input rather than have it logged in clear text by adding the following to /etc/rc.conf.local
export MYSQL_HISTFILE=/dev/null

Now access MariaDB as the superuser to create a database for the upcoming WordPress installation:

# mysql -u root -p

Enter the root password when prompted, then:

CREATE DATABASE wordpress;
GRANT ALL ON wordpress.* to 'wp-admin'@'localhost' IDENTIFIED BY '$password';
FLUSH PRIVILEGES;
quit;

To ensure MariaDB can communicate with httpd through a unix socket, edit /etc/my.cnf and change the socket location under both the client and mysqld sections to the absolute path of the file located within the chroot:

[client]
socket = /var/www/var/run/mysql/mysql.sock
[mysqld]
socket = /var/www/var/run/mysql/mysql.sock

Restart the daemon to make changes take effect before moving onto the PHP installation:

# rcctl restart mysqld

PHP Configuration

In OpenBSD, like all applications provided via pkg, PHP is offered as a pre-compiled binary package in one configuration, and any desired extensions that aren't built in the default provision can be installed as additional packages. Given that not all commonly required extensions are available in the latest available version, at this point in time, it is best to select version 5.6.31 when prompted by the interactive pkg prompt. In addition to the MySQL PHP extensions needed for this deployment, we will install some additional extensions commonly used by other popular applications:

# pkg_add php php-gd php-mysql php-mysqli php-bz2 php-curl php-intl php-mcrypt php-zip php-pdo_dblib php-pdo_mysql

The web server is already configured to handle PHP requests so we can move straight onto PHP configuration by enabling all installed extensions:

# cp /etc/php-5.6.sample/* /etc/php-5.6/.

Some minor adjustments to the default php-fpm.conf file will be made for runtime optimisation. Bring up /etc/php-fpm.conf in your favourite editor and search for the string 'pm =' to make the following edits:

pm = ondemand
pm.max_children = 50
pm.max_requests = 500

Next, to cache compiled PHP files and improve performance, activate Zend OpCache by either uncommenting and editing, or simply appending, the following entries to /etc/php-5.6.ini:

[opcache]
opcache.enable=1
opcache.enable_cli=1
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.memory_consumption=128
opcache.save_comments=1
opcache.revalidate_freq=1

Now enable and start php-fpm:

# rcctl enable php56_fpm
# rcctl start php56_fpm

Testing

At this point, httpd is up and serving out of /var/www/site_name, MariaDB has been installed and is ready to create databases required by different web applications, and PHP is configured with FastCGI Process Manager handling requests made through the httpd web server. To test that the setup is working as intended, bring up a new file /var/www/site_name/info.php in your favourite editor and add:

<?
phpinfo();
?>

Now enter domain.tld/info.php in a browser and you should be greeted with the easily recognisable PHP info page.

Web Deployment

To standup a basic website and blog, download the latest WordPress tarball into the /var/www directory:

# ftp -S do https://en-au.wordpress.org/wordpress-4.9.4-en_AU.tar.gz

Extract the contents, then open /etc/httpd.conf to change the root of domain.tld requests to the wordpress directory at its relative path located within the chroot:

root "/wordpress"

Now restart the daemon for changes to take effect:

# rcctl restart httpd

Point your browser to domain.tld where you will be greeted by the WordPress setup screen. Enter the previously created database name, user, password, and host. Leave the database table prefix as is and click Let's go! You should immediately be met by WordPress advising that it cannot create the wp-config.php file, but providing you with the contents of this file instead. Copy the provided text, and open up /var/www/wordpress/wp-config.php in your favourite editor. Enter the text provided by WordPress, then save and exit the file.0 Now point your browser again to domain.tld where you will be presented with your newly created WordPress site.

If you have any issues following this guide, don't hesitate to comment or email mark [at] bsdbox [dot] org.

Alternatively, before pointing your browser to your WordPress installation for the first time, you can chmod 775 /var/www/wordpress and chown :www /var/www/wordpress so that WordPress itself can configure the wp-config.php file without further manual intervention.

Comments

comments powered by Disqus