So where I left off, we had a LAMP stack up and running. We confirmed this by going to our browser and typing in the IP address we set up through AWS, which showed us an “It Works!” message. So now what? Well, on first install Apache2 sets the document root to /var/www, which is on the root drive. Generally that would be fine, but we set up an external volume and we would like to use that instead. So first we need a place for all the pages/scripts/etc. to go.
What this does is create a folder called web in the new volume, then add a folder named public inside it. If you run into any permission problems just prefix the commands with “sudo”. So our deepest directory now is /vol/web/public. I chose this format because I will be putting all public facing documents in the “public” folder. All other dependencies like PHP libraries, development journals, admin tools, etc. will go in other folders in the “web” directory. This way, Apache treats /vol/web/public as the root folder, and no one can traverse any farther up through the web server. But PHP can, and will. So including files from other folders in “web” from PHP will still work. Now we kind of need to take a side step. Since we just created new folders, they are owned by ubuntu/root. Apache2’s processes run as www-data by default. So Apache2 won’t have permission to use the files we put here yet. We’re going to fix that by creating a new group for both us and Apache, and adjusting some of the permissions.
sudo groupadd webdev
sudo usermod -a -G webdev ubuntu
sudo usermod -a -G webdev www-data
sudo chown ubuntu:webdev /vol/web/public
sudo chmod 775 /vol/web/public
sudo chmod g+s /vol/web/public
Blamo! That should work. Now to run through it, the groupadd adds a new system group that I called “webdev”. I then added users to the group with the usermod commands. Make sure that -G option is uppercase. Group changes only apply to new sessions, so log out and back in (and restart Apache) before relying on them. Next is a chown command that sets the owner and group of the public folder. Be very careful with the chown command. Accidentally adding a space, or using the -R (recursive) option improperly, can and will brick your entire system. Next comes a chmod command to adjust the permissions. Same warning applies. And the last chmod command sets the setgid bit on the folder so that all new files created here will get the same group as the parent folder (aka webdev). So now if we create a new file in “public” it should be entirely readable by Apache. Good! But Apache2 doesn’t know to look here yet. So let’s fix that.
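To check that the group and setgid scheme above actually holds as files accumulate, here is an added example (not part of the original post). The function name `audit_webroot` and its finding labels are made up for this sketch; it reports directories that lost the setgid bit, entries outside the shared group, and anything world-writable.

```shell
#!/bin/sh
# Added example: audit a web root that uses the shared-group + setgid layout.
# audit_webroot is a hypothetical helper name, not a system tool.
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_webroot() {
    aw_root=$1
    aw_group=$2
    if [ ! -d "$aw_root" ]; then
        echo "MISSING $aw_root"
        return 1
    fi
    aw_out=$(
        # Directories without setgid: new files there get the creator's
        # primary group instead of the shared one.
        find "$aw_root" -type d ! -perm -2000 -exec printf 'NO_SETGID %s\n' {} \;
        # Files or directories that belong to some other group.
        find "$aw_root" ! -group "$aw_group" -exec printf 'WRONG_GROUP %s\n' {} \;
        # World-writable entries (symlinks skipped, their mode is meaningless).
        find "$aw_root" ! -type l -perm -0002 -exec printf 'WORLD_WRITABLE %s\n' {} \;
    )
    if [ -n "$aw_out" ]; then
        printf '%s\n' "$aw_out"
        return 1
    fi
    return 0
}

# Run as: sh audit.sh /vol/web/public webdev
if [ "$#" -eq 2 ]; then
    audit_webroot "$1" "$2"
fi
```
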
First off, by default the Apache2 configuration files are located at /etc/apache2. You can use the “cd” command to move yourself there if you want. I’ll keep all locations absolute though. Let’s copy their template so we have a starting point.
sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-available/tutorial
Feel free to change that name “tutorial” to whatever you want. Just remember it. Next go ahead and pull out nano and change the lines that I list (Don’t delete the others!)…
sudo nano /etc/apache2/sites-available/tutorial
ServerAdmin [enter your email address]
Options -Indexes +FollowSymLinks +MultiViews
Leave everything else alone for now. Make sure to note the “-” before Indexes. This makes it so that if you have subdirectories without index.html files, Apache won’t automatically show the directory listing for that folder (could be a big security risk). The AllowOverride has potential security risks, but is the easiest way to enable the use of .htaccess files. Those .htaccess files are useful for setting specific configurations per directory. Some people will suggest removing all the cgi-bin stuff. Which can help with security, but I don’t really see the use in that right now since it isn’t doing anything. Any who! Go ahead and save that file down by pressing CONTROL+X, then Y, then ENTER (all of which is on Mac). Next up, enter these commands…
sudo a2dissite default
sudo a2ensite tutorial
sudo service apache2 reload
That should make all the changes you just made stick. If you got any warnings or errors, it’s because something went wrong during that configuration part. Check your directories and such. Now if you refresh your browser you should get a 404 or some other error. If you still get the “It Works!” page, then check that you properly disabled the default settings with that “sudo a2dissite default” command. The error page right now tells us that it is looking for a file in the proper folder. So go ahead, just to test and make sure, enter these commands.
sudo nano /vol/web/public/index.php
Now refresh your browser. You should get a tasty PHP info page telling you all sorts of stuff about the system. If you see this (and you will know if you do), congrats! Apache2 is set up for the new directory, and PHP is running with it! Delete this test file once you’ve confirmed PHP works, since the info page hands details of your server’s configuration to anyone who requests it. Now at this point, your LAMP is mostly working. You could start coding in PHP right now, or building your site as you wish. But you’ll probably want to add a bit more functionality and fine tuning, such as security fixes and setting up that database better!
Some helpful tools/apps
So I could teach you how to edit the database through command line, but that’s boring! So I’m gonna introduce you to PhpMyAdmin. Install it as such.
sudo apt-get install phpmyadmin
Press Y to install. Then at the first big pink screen go ahead and press enter. When it asks you about the database configuration, say yes, then type in that root password you set up for MySQL. You can then add some more passwords after that. Once it’s all done you *should* be able to just go to http://your-server-ip/phpmyadmin and get the page, but unfortunately this didn’t work for me. Maybe they need to update the package. Anyways, here’s how to fix that if you get a 404.
sudo ln -s /etc/phpmyadmin/apache.conf /etc/apache2/conf.d/phpmyadmin
What that does is create a symbolic link to the correct configuration file in the Apache configuration directory. Think of it like a shortcut. Now, if you want, you can change the address you enter for phpmyadmin. I suggest changing it so that script-kiddies don’t come by and try messing with your stuff. To do so, run this command and change the appropriate line…
sudo nano /etc/apache2/conf.d/phpmyadmin
Alias /[WHATEVER URI YOU WANT] /usr/share/phpmyadmin
Save that down. Then for good measure run the “sudo service apache2 restart” command. Then check out your new tool with the adjusted URI. You should be greeted with a login form.
Skipping to the database!
Well, before I go into the rest of those fine tunings, I’m gonna jump to the database. This is because I kind of want to steam roll all the performance and security tips into its own post. So go ahead and get to the phpmyadmin tool in your browser. Use your root MySQL information here and log in. Once inside you’ll notice some databases on the left menu bar, and tons of info and clicky objects on the rest of it. Navigate your way to the “test” database listed on the left menu. After clicking on that, click on “Operations” on the top toolbar. It’s right in between Import and Privileges. Next go ahead and select the big red link in the middle labeled “DROP DATABASE”. It’ll then warn you about how you’re deleting a database. Go ahead and say yes. The “test” database is good to remove since it essentially has wide open permissions to the world. And hackers love to look for those.
Go ahead and click the “Home” icon on the very top right. Now’s a good time to click through the toolbar icons and familiarize yourself with the user interface. Check out what’s under Variables, or Status. And when you’re ready, we should go ahead and adjust some user permissions.
So go ahead and click on “Users” on the top. If you don’t see it, click the Home icon first. Now on first glance there’s a huge issue. In fact, they highlighted it bright red. The default installation allows any user to log in and use this database. NOT GOOD. Check the boxes next to them and press the “Go” button in the “Remove selected users” section. Good, they’re gone. But at this point others would recommend removing, or at least replacing, the root user as well. This is so that anyone trying to brute force your database isn’t gonna be lucky enough to start by guessing the user “root” right off the bat. Good idea! Let’s do that! Click on “Add user”. Fill that sucker out. On Host, I used “Any host”; this is because I never know where I might be when I have to log in to the database. I didn’t create a database for this user (it’s a web app, not a personal/employee database). And make sure you scroll down to “Global privileges”. Go ahead and guess what that does. If you didn’t guess, it sets what this user can and can’t do. Since I’m replacing my root account with this, I made sure to just hit that “Check All” link. At the bottom is a Resource limits box. You could set this if you wanted, but I don’t see the need right now. So go ahead and press “Add user” when you’re ready.
Once that’s effectively done, go ahead and log out, and then back in using your new info. Go back to the “Users” pane and go ahead and delete the root account if you want. IF YOU WANT. I stress that because depending on what other apps or services you will use, if they have self installers that use the root account, they generally don’t ask for a user name. So deleting this will require you to manually configure your database stuff from now on. Personally, I left it there. I just made sure that the Host was set specifically to localhost, or even the IP of the box I’m logged into. This way, the root can only be accessed from within the SSH terminal, or from the server box itself. Now if you thought you’re done, you’re not. We need to create one more user. So go ahead and get to the Add User box and fill out some info. I chose a username of “webdev”. I set the Host to “localhost”. I pressed the Generate Password button and made sure to write it down. Then moving to the Global Privileges box I chose none. That’s right, none. That’s because I’m going to use this user in my PHP scripts, so I’m going to set these per database. This way if someone screws around with my PHP scripts by ways of SQL injection or something, the permissions won’t get them any root access. So go ahead and add that one.
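The account cleanup above can be re-checked from the shell at any time. This is an added example, not part of the original post: the function name `audit_mysql_accounts`, the finding labels, and the sample rows (including the `siteadmin` account and the `ip-10-0-0-12` host name) are constructed for illustration, and the input is assumed to be tab-separated `user`, `host`, `Super_priv` rows from `mysql.user`.

```shell
#!/bin/sh
# Added example: flag risky rows in the MySQL account list.
# Real input would come from something like:
#   mysql -u root -p -N -B -e 'SELECT user, host, Super_priv FROM mysql.user'
# audit_mysql_accounts is a hypothetical helper; $1 is the app account name.
audit_mysql_accounts() {
    awk -F '\t' -v app="$1" '
        # Anonymous accounts: anyone can log in without a user name.
        $1 == "" { print "ANONYMOUS @" $2 }
        # root reachable through anything other than a loopback entry.
        $1 == "root" && $2 !~ /^(localhost|127\.0\.0\.1|::1)$/ {
            print "ROOT_REMOTE root@" $2
        }
        # Full-privilege account that accepts logins from any host.
        $2 ~ /%/ && $3 == "Y" { print "ADMIN_ANY_HOST " $1 "@" $2 }
        # The PHP account should be local and hold no global privileges.
        $1 == app && $3 == "Y" { print "APP_GLOBAL_PRIV " $1 "@" $2 }
        $1 == app && $2 != "localhost" { print "APP_REMOTE " $1 "@" $2 }
    '
}

# Constructed sample rows (user, host, Super_priv), not real server output.
sample_accounts() {
    printf '%s\t%s\t%s\n' \
        root localhost Y \
        root ip-10-0-0-12 Y \
        '' localhost N \
        '' ip-10-0-0-12 N \
        siteadmin % Y \
        webdev localhost N
}

sample_accounts | audit_mysql_accounts webdev
```

On the sample rows this reports the two anonymous accounts, the non-loopback root entry, and the any-host admin account; the `webdev` row passes because it is bound to localhost with no global privileges.
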
Now you can go ahead and start making databases and tables. And if you got the know-how, you should be able to connect to it through PHP as well. You can create files in the new web directory, and see them work in your browser. So essentially you have a functioning LAMP stack. What should you do with it now? Well, a System Admin’s job is never done. So in the next series I’ll be going over security and conditioning, as well as how to make life a bit easier when it comes to developing these pages. We might even touch on subjects such as IP logging, GIT repositories, external database applications and code IDEs. Thanks for reading this far, and feel free to share your comments.