PHP5 Configuration
From PhoenixWing
Intro
This is the way I compile PHP on CentOS & RedHat based systems. Why not use a method others suggest when compiling PHP from source, such as using fewer flags "to keep security to a minimum"? For one, I find no need for --enable-versioning and some less than useful flags, unless you are installing two different versions of PHP on the same machine, or doing very rare tasks with PHP. Second, I also prefer to allow the end user to have access to XML, XSLT, mbstring, curl, calendar, ftp, and the necessary graphics libraries such as GD, ImageMagick and their dependencies: libpng, libjpeg, libtiff & freetype. This allows the user to install most web applications without having to email and/or call me every time they have a new PHP application that isn't supported by my currently running PHP. Plus, not every system has the same software, and not every customer has the same needs. This setup will satisfy most folks utilizing PHP. I tend to gear my web servers toward blogs, forums, image libraries/galleries, news/rss/xml/atom feeds and the like. My method, should I opt to compile PHP from scratch, is as follows.
A Matter of Opinion
As a personal matter of opinion, I prefer to use "stock" RPMs from the distribution repositories. However, if you really want to install PHP from source, I'd strongly recommend tightening up the security of your PHP installation, and easing customer headaches, by installing the suhosin hardening patch and extension for PHP, and setting up suPHP so that customer PHP scripts run as their UID and not Apache's. To do so, check out our other article:
Stock CentOS with PHP+SuPHP+suhosin
Installing MySQL
For starters, you will need MySQL to be installed. My personal preferred method (and this has been debated on all sides) is to use the http://dev.mysql.com/ RPM packages for RHEL5 i386 (use the ones for your specific setup & processor type). I tend to install the latest releases of MySQL & PHP by default. (As of this writing, MySQL 5.0.67 and PHP 5.2.6 are the latest stable versions)
For example, I have installed:
MySQL-client-community-5.0.67-0.rhel5.i386.rpm
MySQL-devel-community-5.0.67-0.rhel5.i386.rpm
MySQL-server-community-5.0.67-0.rhel5.i386.rpm
MySQL-shared-compat-5.0.67-0.rhel5.i386.rpm
After installing MySQL, copy the config file from "/usr/share/doc/MySQL-server-community-5.0.26/my-large.cnf" to "/etc/my.cnf". Edit to suit; most of the time this is not needed. However, I usually uncomment "skip-networking" on boxes that will not be connected to remotely (i.e. that would be highly NOT recommended for customers with backend database servers). Then run the command "mysql_secure_installation". Enter no password, as by default root has none, and then when prompted to do so, set one. Be sure to write it down and add it to your notes. Say "yes" when prompted to remove anonymous users and the test database, and to flush the privileges. MySQL has been secured, congratulations! Now run "service mysql stop", and then "service mysql start" to make MySQL start up with the new configuration file.
Installing The Necessary RPMs
After MySQL, you will need to install the following RPM packages, typically by way of "yum install <package names>", or your own suitable method. Note: some packages you may need to obtain through other repositories, such as rpmforge.
libpng libpng-devel libjpeg libjpeg-devel libexif libexif-devel
libtiff libtiff-devel libxml2 libxml2-devel libxslt libxslt-devel
curl curl-devel zlib zlib-devel bzip2 bzip2-devel
gd gd-devel gd-progs ImageMagick-devel ImageMagick ImageMagick-perl
freetype freetype-devel fontconfig fontconfig-devel
libmhash libmhash-devel libmcrypt libmcrypt-devel perl-DBD-MySQL
Configuring & Installing PHP
Once those packages are installed, I configure php with the following in PHP's source directory:
PHP 5.2.6 (http://www.php.net/)
---------------------------------------------------
./configure --prefix=/usr --with-apxs2=/usr/sbin/apxs \
--sysconfdir=/etc --with-config-file-path=/etc --with-mysql=/usr --with-bz2 \
--enable-mbstring --with-gettext --enable-magic-quotes --enable-calendar \
--enable-exif --with-png-dir=/usr --with-jpeg-dir=/usr --with-libxml-dir=/usr \
--with-pear --enable-pdo --with-mhash --with-openssl --enable-ftp --enable-zip \
--disable-embedded-mysqli --with-mysqli=/usr/bin/mysql_config --enable-libxml \
--enable-xmlreader --enable-xmlwriter --with-xmlrpc --enable-xml --enable-dom \
--with-freetype-dir=/usr --enable-shmop --with-gd --enable-wddx --enable-ctype \
--with-mcrypt --with-pdo-mysql=/usr --enable-bcmath --with-curl --with-zlib \
--enable-inline-optimization --with-gmp
Follow this by running "make" to compile the source.
Next, if you have PHP RPMs installed, run "rpm -e php" to remove them.
Finally, run "make install" to update Apache and install PHP.
Finish Up: Configuration
Locate the php.ini file ($SRCDIR/php.ini-recommended or similar) and copy to /etc/php.ini. Now, I try to make PHP as secure as I can, taking into account not all software is secure in itself.
At the very least, make sure "magic_quotes_gpc" is enabled, as it will save quite a few headaches. I tend not to want outsiders to see my errors, so I set "display_errors" to 'Off', "log_errors" to 'On' and "log_errors_max_len" to '0'. This way errors end up in my Apache error_log, in their entirety. I also set "register_globals" to 'Off' to support better programming. It helps to know who's updating their software to be more secure, and to know that the older, less supported stuff may be prone to hack attempts.
Once you've edited the php.ini file, restart Apache using "apachectl stop" and "apachectl start" (or "startssl").
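A check for the php.ini settings listed above, as an added example that is not part of the original page; the helper names ini_get, norm and audit_php_ini and the sample file are made up for illustration. An unset directive is reported rather than assumed, because it falls back to PHP's compiled-in default.

```shell
# Added example, not the page's own code; helper names are hypothetical.

# Effective value of directive $2 in file $1: ";" comments are skipped, quotes
# stripped, last assignment wins, "(unset)" when the directive is absent.
ini_get() {
    awk -v key="$2" '
        /^[ \t]*;/ { next }
        {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k != key) next
            sub(/[ \t]*;.*$/, "", v); gsub(/^[ \t"]+|[ \t"]+$/, "", v)
            val = v; found = 1
        }
        END { print (found ? val : "(unset)") }' "$1"
}

# Fold the boolean spellings php.ini accepts into on/off before comparing.
norm() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        on|1|true|yes) echo on ;;
        off|0|false|no|none|'') echo off ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# Check file $1 against the values given in the text; returns the mismatch count.
audit_php_ini() {
    fails=0
    for pair in magic_quotes_gpc=On display_errors=Off log_errors=On \
                log_errors_max_len=0 register_globals=Off; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(ini_get "$1" "$key")
        if [ "$(norm "$have")" = "$(norm "$want")" ]; then
            echo "ok    $key = $have"
        else
            echo "FAIL  $key = $have (text says $want)"; fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Constructed sample file, not taken from a real server.
sample=$(mktemp); trap 'rm -f "$sample"' EXIT
printf '%s\n' 'display_errors = On   ; leftover from testing' \
    'display_errors = Off' 'log_errors = 1' 'log_errors_max_len = 1024' \
    'register_globals = "Off"' ';magic_quotes_gpc = On' > "$sample"
audit_php_ini "$sample" || echo "$? directive(s) differ"
```

Point it at the real file with audit_php_ini /etc/php.ini after each edit and before restarting Apache.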
Voila... all done.
A Root Suggestion
Now, you can add another user with root-like privileges to MySQL and give that to the customer for use with their server. I personally wouldn't give a customer the root user without them specifically requesting it. To do so, simply follow this:
Log into the MySQL server:
mysql -u root -p mysql
Add the user:
GRANT ALL PRIVILEGES ON *.* TO 'username'@'localhost' IDENTIFIED BY 'C0mPl3xP4s5w0rD' WITH GRANT OPTION;
Reload privileges:
FLUSH PRIVILEGES;
Verify they are set up:
SELECT * FROM user WHERE User = 'username'\G
- NOTE: choose a better password than what I've mentioned. That's too easy ;)
