Running Web Server & Database Server in FreeBSD Jail

In this blog, we will learn about Running Web Server & Database Server in FreeBSD Jail.

This document is about running the Apache web server and Mysql server in a freebsd jail created under zfs dataset. Jails were first introduced in FreeBSD version 4.0. Jail mainly has these features,

• Virtualization
• Security
• Ease of delegation

Before creating jail, let’s first create a dedicated pool for the web and mysql servers. While creating a pool, plan for the pool raid structure. Here we are going to create pools with mirror raid.

# zpool create web mirror da1 da2

# zpool create mysql mirror da3 da4

Refer this article https://docs.freebsd.org/en/books/handbook/zfs/#zfs-zpool for creating pool with different raid options.

Next will go for creating a jail for web server and database server with individual IP’s. Each jail will have its own IP address, created in separate path for which we are going to use zfs dataset. This command requires internet connection to fetch the source from ftp mirror.

# bsdinstall jail /web

# bsdinstall jail /mysql

Path defined here ‘/web’ and ‘/mysql’ are the default mountpoint for the pools that are created above. If you have created pool with different mountpoint, mention that as the path for the respective jail.

Configuring Jail:

Once the jail is installed, it can be started by using jail utility. Each jail functionality has to be configured in /etc/jail.conf file which can be created as shown below,

Configuration file parameters

www {

jid = 1;                                                             # constant jail id

host.hostname = webserver;                     # Hostname

ip4.addr = “vmx0|192.168.1.10”;             # IP address of the jail

path = “/web”;                                              # Path to the jail

mount.devfs;                                                 # Mount devfs inside the jail

exec.clean;

exec.start = “/bin/sh /etc/rc”;                      # Start command

exec.stop = “/bin/sh /etc/rc.shutdown”;   # Stop command

allow.raw_sockets;                                         # allow ping-pong

}

mysql {

jid = 2;                                                                # constant jail id

host.hostname = dbserver;                          # Hostname

ip4.addr = “vmx0|192.168.1.11”;               # IP address of the jail

path = “/mysql”;                                            # Path to the jail

mount.devfs;                                                 # Mount devfs inside the jail

exec.clean;

exec.start = “/bin/sh /etc/rc”;                     # Start command

exec.stop = “/bin/sh /etc/rc.shutdown”;  # Stop command

allow.raw_sockets;                                        # allow ping-pong

}

Here we have specified the interface name ‘vmx0’ which is the virtual machine interface name so that the IP address will get assigned to that interface during jail start.

Once the configuration file is created, FreeBSD rc mechanism provides an easy way to start the jail at the boot time. Edit the rc.conf file and add the below lines to it.

jail_enable=”YES”

jail_list=”www mysql”

Start the jail by using the jail utility, this will start all the jails specified in the jail.conf . Specify the jail name at the end in order to start one by one.

# service jail start

Jail status can be checked by using ‘jls’ utility and enter into the particular jail by using jail id.

# jls

JID  IP Address      Hostname                      Path

1  192.168.1.10 webserver                     /web

2  192.168.1.11 dbserver                      /mysql

First let us install the necessary packages to make the apache web server work along with php modules.

Installing & Configuing apache & PHP in Freebsd Jail.

Enter into the webserver jail by executing the command # jexec 1 and then start installing packages for apache and php.

Run the below command to install the apache 2.4 version and php 7.4

# pkg install -y apache24

# pkg install -y mod_php74 php74-session php74-xml php74-ctype php74-openssl php74-mcrypt php74-filter php74-gd php74-json php74-mysqli php74-mbstring php74-zlib php74-zip php74-bz2

Once the above packages are installed, php.ini file should be created by copying from the default one.

# cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini

Enable the apache server to run at the boot time, edit the /etc/rc.conf file and add the below line in it.

apache24_enable=”yes”

Now edit the apache configuration file at /usr/local/etc/apache24/httpd.conf and make sure everything mentioned below are added,

ServerName 192.168.1.10:80

DocumentRoot “/home”

<Directory /home>

AllowOverride none

Options Indexes FollowSymLinks

Require all granted

</Directory>

DirectoryIndex index.php index.html

<FilesMatch “\.php$”>

SetHandler application/x-httpd-php

</FilesMatch>

<FilesMatch “\.phps$”>

SetHandler application/x-httpd-php-source

</FilesMatch>

Include etc/apache24/extra/httpd-vhosts.conf

We have enabled virtual host directive in the httpd configuration file, so edit the file ‘Include etc/apache24/extra/httpd-vhosts.conf’ and add these virtual host entries,

<VirtualHost *:80>

ServerAdmin webmaster@dummy-host.example.com

DocumentRoot “/home/test1.com”

ServerName test1.com

ServerAlias www.test1.com

ErrorLog “/var/log/test1.com-error_log”

CustomLog “/var/log/test1.com-access_log” common

</VirtualHost>

<VirtualHost *:80>

ServerAdmin webmaster@dummy-host2.example.com

DocumentRoot “/home/test2.org”

ServerName test2.org

ServerAlias www.test2.org

ErrorLog “/var/log/test2.org-error_log”

CustomLog “/var/log/test2.org-access_log” common

</VirtualHost>

We have altered the document root for the apache, so need to create few directories inside the jail id 1 and assign ownership to it.

# mkdir home home/test1.com home/test2.org

# chown –R www:www home/

Now start the apache server

# service apache24 start

Apache web server is started and now can create a php info page in both the domains.

# php –v => can be used to verify the php version.

# php –m => can be used to check the installed php modules.

Create a file /home/test1.com/index.php and add the below content,

<?php

phpinfo();

?>

Now edit the host file of your local workstation and map the domain name to the IP. Once it is done, you can load the domain in the browser and it should load php info page.

192.168.1.10    test1.com

Installing Mysql Server inside FreeBSD Jail

Enter into the webserver jail by executing the command # jexec 2 and then start installing packages.

Run the following command to install MySQL 5.7 on FreeBSD machine.

# pkg install mysql57-server mysql57-client

Enable MySQL in rc.conf by running the following command.

# sysrc mysql_enable=”yes”

Now you can start the MySQL server by running the following command.

# service mysql-server start

# cat /root/.mysql_secret

This command will show you the current root password set for the mysql server. So, it is recommended to secure mysql by using the following command

# mysql_secure_installation

The above command will automatically read the password in $HOME/.mysql_secret and will continue to set validate password plugin.

Below are the content displayed after running the mysql secure.# mysql_secure_installationSecuring the MySQL server deployment. Connecting to MySQL server using password in ‘/root/.mysql_secret’ VALIDATE PASSWORD PLUGIN can be used to test passwordsand improve security. It checks the strength of the passwordand allows the users to set only those passwords which aresecure enough. Would you like to setup VALIDATE PASSWORD plugin? Press y|Y for Yes, any other key for No: y There are three levels of password validation policy: LOW    Length >= 8MEDIUM Length >= 8, numeric, mixed case, and special charactersSTRONG Length >= 8, numeric, mixed case, special characters and dictionary                  file Please enter 0 = LOW, 1 = MEDIUM and 2 = STRONG: 1

It is recommended to use validate password plugin as it bounds the user to set a very strong password for MySQL users. Choose y to set the validate password plug in and enter the level of validation policy according to your choice.

Also, change the root password. Also, choose y for all other options. The questions are self-explanatory.

Change the password for root ? : yDo you wish to continue with the password provided? : yRemove anonymous users? : yDisallow root login remotely? : yRemove test database and access to it? : yReload privilege tables now? : yAll done!

MySQL server is now installed on your server. You can login to MySQL shell by running the following command.

Source for mysql installation 

https://www.howtoforge.com/tutorial/how-to-install-mysql-server-with-phpmyadmin-on-freebsd-11/

Once securing mysql is done, enter the provided password and enter into mysql and excute the following queries if you have wordpress installed in your web server.

# mysql –u root –p

To create database for your wordpress website

$ mysql> CREATE DATABASE db_name_here;

To create database user and set password for your wordpress website

$ mysql> CREATE USER ‘db_user’@’localhost’ IDENTIFIED WITH mysql_native_password BY ‘my-strong-password-here’;

To provide privilege for that db user 

$ mysql> GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, INDEX, DROP, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES ON db_name_here.* TO ‘db_user’@’localhost’;

To provide privilege to access the db from the other host. ‘jail-ip’ is the ip of the webserver.

$ mysql> grant all privileges on *.* to ‘<username>’@'<jail-ip>’ identified by ‘<pwd>’ with grant option”;

Now we can host the wordpress/any CMS website in the apache server and its database will get hosted in another server in a separate jail. Upload new wordpress files in its document root and start creating your own wordpress website.