FreeBSD 12.0 Release is here, and this is how we upgraded from 11.2 to 12.0

How to upgrade your FreeBSD 11.x system to 12.0 Step by step.

FreeBSD Post

First we’ll make a note of our current system version by running the following commands:

# freebsd-version
# uname -mrs

Update the base system and installed packages:

# freebsd-update fetch install
# pkg update && pkg upgrade

WARNING: Make sure you back up all important data, config files, and database tables/DBs. The author of Thorshammare.org is not responsible for any data loss, and upgrading FreeBSD should only be attempted after backing up all data.

Upgrading from FreeBSD 11.2 to 12.0 using binary method

Binary upgrades between RELEASE versions are supported using freebsd-update.

Type the following freebsd-update command:

# freebsd-update -r 12.0-RELEASE upgrade 

After evaluating your system, the freebsd-update utility will download a large number of patches.

Most files will be automatically merged, but you might get prompted to edit some by hand.

Once everything is merged and edited, commit the changes by running the command:

# freebsd-update install

Then reboot your system

# reboot

When your box is back online again, run freebsd-update once more to remove all old shared libraries and object files:

# freebsd-update install

You’ll then see output like the following:

Installing updates...
Completing this upgrade requires removing old shared object files.
Please rebuild all installed 3rd party software (e.g., programs
installed from the ports tree) and then run "/usr/sbin/freebsd-update install"
again to finish installing updates.

Now that the base system has been updated, it is time to update all binary packages too. Simply run the following pkg commands:

# pkg-static install -f pkg
# pkg update
# pkg upgrade

The pkg tool will refresh its package catalogue and upgrade your installed packages as needed.

Run the install step one last time and you are done:

# /usr/sbin/freebsd-update install 

The only hiccup I experienced was I had to reinstall my Postfix port.
Overall, as usual with FreeBSD, a very pleasant experience.
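As an added example (not part of the original post), a small sh script that turns the version checks above into a test of where the upgrade stands: whether a reboot is pending after the first freebsd-update install, or whether kernel and userland have been left mismatched because the second install pass has not run. The function names and the sample version strings are my own.

```shell
#!/bin/sh
# Added example, not from the original post: classify where a freebsd-update
# upgrade stands from the three versions the tools report: the running
# kernel (uname -r), the kernel installed on disk (freebsd-version -k) and
# the installed userland (freebsd-version -u).

# Drop the "-pN" patch suffix so that 12.0-RELEASE-p3 and 12.0-RELEASE
# count as the same release (patch levels legitimately differ between
# kernel and userland after a userland-only security update).
release_of() {
    printf '%s\n' "$1" | sed 's/-p[0-9][0-9]*$//'
}

# upgrade_state RUNNING_KERNEL INSTALLED_KERNEL USERLAND
# Prints:
#   consistent      all three agree, nothing pending
#   reboot-pending  a newer kernel is installed but not yet booted, the
#                   point between "freebsd-update install" and "reboot"
#   split           kernel and userland disagree after the reboot: the
#                   second "freebsd-update install" pass has not run
upgrade_state() {
    running=$(release_of "$1")
    installed=$(release_of "$2")
    userland=$(release_of "$3")
    if [ "$running" = "$installed" ] && [ "$installed" = "$userland" ]; then
        echo consistent
    elif [ "$running" != "$installed" ]; then
        echo reboot-pending
    else
        echo split
    fi
}

# Wrapper for a live FreeBSD host (needs uname(1) and freebsd-version(1)).
live_upgrade_state() {
    upgrade_state "$(uname -r)" "$(freebsd-version -k)" "$(freebsd-version -u)"
}

# Constructed sample values, not captured from a real host.
upgrade_state 11.2-RELEASE-p4 11.2-RELEASE-p4 11.2-RELEASE-p4  # consistent
upgrade_state 11.2-RELEASE-p4 12.0-RELEASE 11.2-RELEASE-p4     # reboot-pending
upgrade_state 12.0-RELEASE 12.0-RELEASE 11.2-RELEASE-p4        # split
```

Run live_upgrade_state on the host after each freebsd-update step; anything other than "consistent" after the final install pass means a step was skipped.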

FreeBSD 11.2 Apache24 Let’s Encrypt

How to add let’s encrypt free ssl certificate to your FreeBSD Apache system.


TLS/SSL certificates are used by the Apache web server to encrypt the communication between end nodes, or, more commonly, between the server and the client, in order to provide security. The certbot command line utility automates obtaining trusted Let’s Encrypt certificates for free.


Let’s Encrypt is a free, automated and open certificate authority developed by the Internet Security Research Group (ISRG). Certificates issued by Let’s Encrypt are valid for 90 days from the issue date and are trusted by all major browsers today.

In this tutorial, we will cover the steps necessary to install a free Let’s Encrypt SSL certificate on a FreeBSD 11.2 server running Apache24 as a web server. We will use the certbot utility to obtain and renew Let’s Encrypt certificates.

Prerequisites

Ensure that you have met the following prerequisites before continuing with this tutorial:

  • Have a domain name pointing to your public server IP. We will use example.com.
  • Have Apache installed and running on your server.
  • Have Apache virtual host for your domain.
  • Have ports 80 and 443 open in your firewall.

Install Certbot

Certbot is a tool that simplifies the process of obtaining SSL certificates from Let’s Encrypt and auto-enabling HTTPS on your server, and it is available in the ports collection.

$ cd /usr/ports/security/py-certbot && sudo make install clean

After the compilation process has finished, issue the commands below to install or update the certbot utility and its required dependencies.

$ sudo pkg install py27-certbot
$ sudo pkg install py27-acme

Configure Apache SSL on FreeBSD

On a default FreeBSD 11.x apache24 install, you’ll have to enable two additional modules to get SSL working in this setup, mod_socache_shmcb.so and mod_ssl.so, and check that the Include line for the Includes folder is uncommented in your /usr/local/etc/apache24/httpd.conf file.

$ sudo vi /usr/local/etc/apache24/httpd.conf

Open ports 80 and 443 in your firewall


Obtaining a Let’s Encrypt SSL certificate

To obtain an SSL certificate for our domain we’re going to use the webroot plugin. It works by creating a temporary file for the requested domain in the ${webroot-path}/.well-known/acme-challenge directory; the Let’s Encrypt validation server then makes HTTP requests for that file to validate that the DNS for the requested domain resolves to the server where certbot runs.

To keep things simple we’re going to map all HTTP requests for .well-known/acme-challenge to a single directory, /usr/local/www/apache24/letsencrypt. The following commands create the directory, change its group to www and set the permissions so the Apache server can use it.

$ sudo mkdir -p /usr/local/www/apache24/letsencrypt/.well-known
$ sudo chgrp www /usr/local/www/apache24/letsencrypt
$ sudo chmod g+s /usr/local/www/apache24/letsencrypt

Create the following two configuration snippets:

$ sudo vi /usr/local/etc/apache24/Includes/letsencrypt.conf

Alias /.well-known/acme-challenge/ "/usr/local/www/apache24/letsencrypt/.well-known/acme-challenge/"
<Directory "/usr/local/www/apache24/letsencrypt/">
AllowOverride None
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
Require method GET POST OPTIONS
</Directory>

$ sudo vi /usr/local/etc/apache24/Includes/ssl-params.conf
SSLRandomSeed startup file:/dev/urandom 512
Listen 443
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4:!3DES
SSLHonorCipherOrder on
SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3
SSLPassPhraseDialog builtin
SSLSessionCache "shmcb:/var/run/ssl_scache(512000)"
SSLSessionCacheTimeout 300
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
SSLCompression off
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"
SSLSessionTickets Off

The snippet above uses the ciphers recommended by Cipherli.st, enables OCSP stapling and HTTP Strict Transport Security (HSTS), and adds a few security-focused HTTP headers. The Header directives require mod_headers to be loaded. Note that the HSTS value carries includeSubDomains and preload, which commits every subdomain to HTTPS and is hard to undo once browsers have seen it, so only keep preload if you intend to submit the domain to the HSTS preload list.
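As an added example, not part of the original post, a small sh audit that checks an ssl-params.conf file for the settings above and also flags what the snippet leaves enabled (TLSv1 and TLSv1.1, since "all -SSLv3" only removes SSLv3). The function names and the weakened sample file are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: audit an Apache ssl-params.conf
# for the settings the snippet above relies on. It also flags one thing the
# snippet does not: "SSLProtocol all -SSLv3" still negotiates TLSv1/TLSv1.1.

# Last uncommented line of FILE that starts with the given ERE (empty if none).
directive() { grep -Ei "^[[:space:]]*$2" "$1" | tail -n 1; }

# audit_ssl_params FILE -> prints one FINDING:/NOTE: line per problem
audit_ssl_params() {
    f="$1"
    # directive regex | shell pattern the line must match | message
    while IFS='|' read -r re pat msg; do
        case "$(directive "$f" "$re")" in
            $pat) ;;
            *) echo "FINDING: $msg" ;;
        esac
    done <<'EOF'
SSLProtocol[[:space:]]|*-SSLv3*|SSLv3 not disabled
SSLCompression[[:space:]]|*[Oo]ff*|SSLCompression not off (CRIME)
SSLHonorCipherOrder[[:space:]]|*[Oo]n*|server cipher order not enforced
SSLUseStapling[[:space:]]|*[Oo]n*|OCSP stapling not enabled
Header.*Strict-Transport-Security|*max-age=*|HSTS header missing
EOF
    # Not covered by the snippet: unless old versions are removed explicitly
    # or a TLS 1.2+ allowlist is used, TLSv1 and TLSv1.1 stay enabled.
    case "$(directive "$f" 'SSLProtocol[[:space:]]')" in
        *-all*|*-TLSv1.1*|*TLSv1.2*|*TLSv1.3*) ;;
        *) echo "NOTE: TLSv1 and TLSv1.1 still enabled" ;;
    esac
}

count_findings() { audit_ssl_params "$1" | grep -c '^FINDING' || true; }

# Constructed inputs: the post's snippet (reduced to the audited lines) and
# a weakened variant. Temp files are removed when the shell exits.
GOOD=$(mktemp); WEAK=$(mktemp); trap 'rm -f "$GOOD" "$WEAK"' EXIT
cat >"$GOOD" <<'EOF'
SSLProtocol all -SSLv3
SSLHonorCipherOrder on
SSLCompression off
SSLUseStapling on
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
EOF
cat >"$WEAK" <<'EOF'
SSLProtocol all
SSLHonorCipherOrder on
# SSLCompression off
EOF
audit_ssl_params "$GOOD"   # only the TLSv1 note
audit_ssl_params "$WEAK"   # four findings plus the note
```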

Reload the Apache configuration for changes to take effect:

$ sudo service apache24 reload

Now, we can run the Certbot tool with the webroot plugin and obtain the SSL certificate files by typing:

$ sudo certbot certonly --agree-tos --email admin@example.com --webroot -w /usr/local/www/apache24/letsencrypt/ -d example.com -d www.example.com

If the SSL certificate is successfully obtained, certbot will print the following message:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2018-12-07. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Now that everything is set up, edit your domain’s virtual host configuration as follows, substituting “example.com” with your registered domain name. Note that certbot installed from the FreeBSD port keeps its files under /usr/local/etc/letsencrypt, which is the path used below.

$ sudo vi /usr/local/etc/apache24/Includes/vhosts.conf
<VirtualHost *:80> 
  ServerName example.com
  ServerAlias www.example.com

  Redirect permanent / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
  ServerName example.com
  ServerAlias www.example.com

  <If "%{HTTP_HOST} == 'example.com'">
    Redirect permanent / https://www.example.com/
  </If>

  DocumentRoot /usr/local/www/apache24/data/example.com
  ErrorLog /var/log/httpd/example.com-error.log
  CustomLog /var/log/httpd/example.com-access.log combined

  SSLEngine On
  SSLCertificateFile /usr/local/etc/letsencrypt/live/example.com/cert.pem
  SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/example.com/privkey.pem
  SSLCertificateChainFile /usr/local/etc/letsencrypt/live/example.com/chain.pem

  # Other Apache Configuration

</VirtualHost>

With the configuration above we are forcing HTTPS and redirecting the bare domain to the www version. Feel free to adjust the configuration according to your needs.

Restart the Apache service for changes to take effect:

$ sudo service apache24 restart

You can now open your website using https://www.example.com and you’ll notice a green lock icon.

If you test your domain using the SSL Labs Server Test, you’ll get an A+ grade.


Auto-renewing Let’s Encrypt SSL certificate

Let’s Encrypt’s certificates are valid for 90 days. To automatically renew the certificates before they expire, we will create a cron job which runs twice a day and automatically renews any certificate 30 days before its expiration.

Edit /etc/crontab and add an entry which renews the certificate and restarts Apache. Entries in /etc/crontab carry a user field, and its default PATH does not include /usr/local/bin, so the full path to certbot is given. If you would rather restart Apache only when a certificate was actually renewed, pass the restart command as certbot’s --deploy-hook instead.

$ sudo vi /etc/crontab
0 */12 * * * root /usr/local/bin/certbot renew --cert-name example.com && service apache24 restart

To test the renewal process, you can use the certbot --dry-run switch:

$ sudo certbot renew --cert-name example.com --dry-run

If there are no errors, it means that the renewal process was successful.

Conclusion

In this tutorial, you used the Let’s Encrypt client certbot to obtain SSL certificates for your domain. You have also created Apache snippets to avoid duplicating configuration and configured Apache to use the certificates. At the end of the tutorial you set up a cron job for automatic certificate renewal.

FreeBSD 11.2 Apache24 Vhosts GZip

How to configure your Apache24 webserver with vhosts and gzip compression.
On a fresh Apache24 install on FreeBSD 11.2, the folder /usr/local/etc/apache24/Includes is enabled by default, meaning the Apache server automatically reads every file in that folder ending in .conf when it starts. This makes it very easy for us to enable virtual hosts.
For the GZIP part, we’re going to enable the mod_deflate module and also create a small configuration file to put in the above mentioned Include folder.

You’ll need registered domain names pointing at your server’s IP address to get the vhosts configuration to work.

A good precaution is to make a copy of the original file before making any alterations.

$ sudo cp /usr/local/etc/apache24/httpd.conf /usr/local/etc/apache24/httpd.conf.orig
$ sudo vi /usr/local/etc/apache24/httpd.conf

Uncomment the line LoadModule deflate_module libexec/apache24/mod_deflate.so, then move to the end of the file and double-check that the Includes folder is indeed activated.

Create the two files vhosts.conf and mod_deflate.conf in the Includes/ folder. You can add as many domain names as you like.

$ sudo vi /usr/local/etc/apache24/Includes/vhosts.conf
<VirtualHost *:80>
    ServerName Your_domain.com
    ServerAlias www.Your_domain.com
    ServerAdmin webmaster@Your_domain.com
    DocumentRoot /usr/local/www/apache24/data/Your_domain.com

    <Directory /usr/local/www/apache24/data/Your_domain.com>
        Options -Indexes +FollowSymLinks
        AllowOverride All
    </Directory>

    ErrorLog /var/log/httpd/Your_domain.com-error.log
    CustomLog /var/log/httpd/Your_domain.com-access.log combined
</VirtualHost>

<VirtualHost *:80>
    ServerName Your_Other_domain.com
    ServerAlias www.Your_Other_domain.com
    ServerAdmin webmaster@Your_Other_domain.com
    DocumentRoot /usr/local/www/apache24/data/Your_Other_domain.com

    <Directory /usr/local/www/apache24/data/Your_Other_domain.com>
        Options -Indexes +FollowSymLinks
        AllowOverride All
    </Directory>

    ErrorLog /var/log/httpd/Your_Other_domain.com-error.log
    CustomLog /var/log/httpd/Your_Other_domain.com-access.log combined
</VirtualHost>

$ sudo vi /usr/local/etc/apache24/Includes/mod_deflate.conf
<IfModule mod_deflate.c>
        <IfModule mod_filter.c>
                # these are known to be safe with MSIE 6
                AddOutputFilterByType DEFLATE text/html text/plain text/xml

                # everything else may cause problems with MSIE 6
                AddOutputFilterByType DEFLATE text/css
                AddOutputFilterByType DEFLATE application/x-javascript application/javascript application/ecmascript
                AddOutputFilterByType DEFLATE application/rss+xml
                AddOutputFilterByType DEFLATE application/xml
                AddOutputFilterByType DEFLATE image/svg+xml
        </IfModule>
</IfModule>

Create your domains’ directories under the apache24 document root folder:

$ sudo mkdir -p /usr/local/www/apache24/data/Your_domain.com
$ sudo mkdir -p /usr/local/www/apache24/data/Your_Other_domain.com

Restart your Apache24 webserver

$ sudo service apache24 restart

In a web browser, try your vhost domain(s):

http://www.Your_domain.com

Testing Compression

Now that your site has gzip compression enabled, verify that it is working correctly with one of the online gzip test tools.

FreeBSD 11.2 FAMP Install


FreeBSD+Apache+Mysql+PHP=TRUE


I won’t go into the installation of the FreeBSD base system in detail, as it’s already well described on the FreeBSD website. I do want to mention, though, that during the OS install, being a bit paranoid, I prefer to activate the PF firewall before the first boot. At the end of the installation process, choose to exit to a shell and enable a basic PF ruleset for some protection. The vi editor is already available at that point.


Then copy and edit the PF example:

cp /usr/share/examples/pf/pf.conf /etc/pf.conf
vi /etc/pf.conf

Set ext_if="ext0" to the name of your actual network interface, and uncomment lines further down to your liking. Uncomment at least the following lines:

block in
pass out

IMPORTANT NOTICE: if you’re doing a remote or over-the-network installation, also uncomment the rule that lets SSH in, otherwise "block in" will lock you out:

pass in on $ext_if proto tcp to ($ext_if) port ssh


Edit /etc/rc.conf to enable your firewall (the rc variable is pf_enable):

vi /etc/rc.conf
pf_enable="YES"

Before you begin, update your FreeBSD system and ports tree (portsnap fetches the tree; portupgrade from ports-mgmt/portupgrade rebuilds outdated ports):

$ sudo freebsd-update fetch install
$ sudo portsnap fetch update
$ sudo portupgrade -a

Search for and install the latest apache2x package:

$ sudo pkg search apache2
$ sudo pkg install apache24

Enable Apache24 in /etc/rc.conf and start it:

$ sudo sysrc apache24_enable="YES"
$ sudo service apache24 start

Point your browser at your server’s IP address and you’ll see the default Apache test page.

The default webroot directory of the Apache web server on FreeBSD 11.x is /usr/local/www/apache24/data/. There you will find a small index.html file you can edit as you prefer.

At the time of writing, php72 is the version we will use.

$ sudo pkg install php72 mod_php72 php72-pdo_mysql php72-mbstring php72-zlib php72-curl php72-gd php72-json

Next, we need to create the php.conf configuration file for the Apache web server in /usr/local/etc/apache24/Includes/ with the following content.

$ sudo vi /usr/local/etc/apache24/Includes/php.conf

Add the following lines to php.conf file.

<IfModule dir_module>
    DirectoryIndex index.php index.html
    <FilesMatch "\.php$">
        SetHandler application/x-httpd-php
    </FilesMatch>
    <FilesMatch "\.phps$">
        SetHandler application/x-httpd-php-source
    </FilesMatch>
</IfModule>

To test that the PHP gateway is working as expected with the Apache web server, create an info.php file in /usr/local/www/apache24/data/, the default web document root of Apache.

$ echo '<?php phpinfo(); ?>' | sudo tee /usr/local/www/apache24/data/info.php

Restart Apache daemon to apply changes.

$ sudo service apache24 restart

Next, visit the following URI in a browser to view the PHP summary.

http://IP-or-FQDN/info.php

Remove info.php from the document root once you have confirmed PHP works, as it discloses the full PHP and server configuration to anyone who can reach it.

To activate a PHP ini configuration file for production, issue the commands below. You can then modify php.ini in order to change PHP settings in your FAMP stack.

$ sudo cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini-production.backup
$ sudo ln -s /usr/local/etc/php.ini-production /usr/local/etc/php.ini

In this guide we’ll install the latest version of MariaDB database server in FreeBSD, which currently is represented by mariadb103 binary package release.

Run the following command in order to install MariaDB server and client and the required PHP 7.2 module needed to access the database via Apache server gateway.

$ sudo pkg install mariadb103-server mariadb103-client php72-mysqli

Next, enable MariaDB server system-wide and start the database daemon by running the following commands.

$ sudo sysrc mysql_enable="yes"
$ sudo service mysql-server start

To secure the database, run the mysql_secure_installation script and follow its prompts to harden MariaDB.

$ sudo /usr/local/bin/mysql_secure_installation

By default, the MariaDB daemon listens for network connections on all interfaces on port 3306/TCP, not just localhost. Run the netstat, lsof or sockstat command to check the MariaDB socket state. This configuration is dangerous and exposes the service to attacks from outside networks.

$ sudo sockstat -4 -6

If you don’t need remote access to MariaDB, make sure the daemon listens on localhost only by issuing the command below, then restart the MariaDB service to apply the change.

$ sudo sysrc mysql_args="--bind-address=127.0.0.1"
$ sudo service mysql-server restart

or

$ sudo /usr/local/etc/rc.d/mysql-server restart

Again, run netstat or sockstat to list the MariaDB network socket. It should now be bound to and listening on localhost only.

$ sudo netstat -an | grep 3306
$ sudo sockstat -4 | grep 3306
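As an added example (not part of the original post), an sh function that parses sockstat output and reports whether the MariaDB listener is reachable from the network rather than loopback only; the sockstat lines are constructed to mirror the before and after states of the bind-address change, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post: read sockstat(1) output and
# report listening sockets on a port that are reachable from the network,
# i.e. bound to a wildcard (*) or a non-loopback address.

# exposed_listeners PORT  < sockstat-output
# Prints one line per exposed listener; returns 1 if any were found.
exposed_listeners() {
    port="$1"
    found=0
    while read -r user cmd pid fd proto local foreign; do
        case "$proto" in tcp4|tcp6) ;; *) continue ;; esac   # skips header too
        case "$local" in *:"$port") ;; *) continue ;; esac
        addr=${local%:*}               # *:3306 -> *, 127.0.0.1:3306 -> 127.0.0.1
        case "$addr" in
            127.*|::1) ;;              # loopback only: not exposed
            *) echo "$user $cmd pid=$pid listens on $local"; found=1 ;;
        esac
    done
    return $found
}

# db_exposure SOCKSTAT_TEXT PORT -> "exposed" or "local-only"
db_exposure() {
    if printf '%s\n' "$1" | exposed_listeners "$2" >/dev/null; then
        echo local-only
    else
        echo exposed
    fi
}

# Constructed samples, not captured from a real host: the default bind...
SAMPLE_BEFORE='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
mysql    mysqld     1234  19 tcp4   *:3306                *:*
root     sshd       789   4  tcp4   *:22                  *:*'

# ...and after mysql_args="--bind-address=127.0.0.1" plus a restart.
SAMPLE_AFTER='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
mysql    mysqld     1234  19 tcp4   127.0.0.1:3306        *:*
root     sshd       789   4  tcp4   *:22                  *:*'

# On a live host: sockstat -4 -6 -l | exposed_listeners 3306
db_exposure "$SAMPLE_BEFORE" 3306   # exposed
db_exposure "$SAMPLE_AFTER" 3306    # local-only
```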

To test MariaDB database connectivity from the console, issue the following command. Enter the MySQL root password at the prompt and a list of the default databases should be displayed.

$ mysql -u root -p -e "show databases"

That’s all! You’ve successfully installed Apache web server with MariaDB database and PHP interpreter in FreeBSD. You can now start to deploy a WordPress website in no time.

On the next tutorials we’ll discuss some advanced FAMP topics, such as how to enable and create Apache virtual hosts, enable rewrite module required by .htaccess file to function properly, enabling GZip compression, and how to secure Apache connections using a free Certificate offered by Let’s Encrypt entity.