⬅ Previous Post: My Machine and Operating System
When last we left my Webtrees project, I had installed Gentoo Linux on an old 2005 HP Compaq nc6230, and hardened it for security with SELinux. This formed the foundation of my server machine. Since then, I’ve installed OpenSSH, which allows me to access the server laptop from other machines, over the network, without opening the laptop lid. All work on the server will now ideally be done over an SSH connection.
On today’s episode, I install the LAMP web server software and have it go live to the public. Compared to the work of installing the Gentoo system, this part is really a piece of cake. Even so, I’m still a noob when it comes to web servers. This series cannot be read as a full how-to. It can only be a general inspiration and a nudge in the right direction.
Installing and configuring the LAMP stack
LAMP traditionally stands for Linux, Apache, MySQL, PHP. In modern times, MariaDB is often substituted for MySQL, and Perl and Python are often included variations of the ‘P’. For my own server, I’m keeping it to Linux, Apache, MariaDB, and PHP until any of the others are needed.
Installing these packages is a cinch on Gentoo, but configuring them around SELinux is a trick. I would imagine this process to be easier on a dedicated, SELinux-ready, server distribution like (I assume) Fedora Server, but since I have come this far, I’m forging ahead with Gentoo. To follow a bit of a structure, I consulted Tecmint’s guide to Installing LAMP on Gentoo Linux. Having been written in 2014, the guide is dated in a few places. Where I ran into trouble, some extra Googling got me through. Also, as I mentioned earlier, the Tecmint guide recommends a hardened Gentoo profile, but not necessarily a hardened SELinux profile, so I’ve brought most of my SELinux misery upon myself.
Apache is the main web server software. When a visitor comes to my web site, they enter my computer at a location created by the Apache software. The files I put in that directory will be the content that my visitors will see. At most recent count, about 37% of websites are hosted by Apache servers, so my Webtrees installation will be in good company. Following Tecmint’s LAMP installation guide without modification will install Apache, start it, and configure it to launch at boot, but SELinux contexts needed some adjustment in my situation:
- In a problem similar to what blocked Portage updates in my previous post, modern Gentoo systems place the Apache web content files in one location, but SELinux policies expect them to be in another location. The result for me was that website visitors did not initially have permission to view my content.
Gentoo details the Apache locations and contexts on its SELinux/Apache page. You should notice there that SELinux on Gentoo expects web content to be located in the folder /srv/localhost/www, and labels any files there with the context system_u:object_r:httpd_sys_content_t. Modern Gentoo systems, however, set /var/www to be the web content folder, which SELinux labels (I believe) as a standard /var folder: system_u:object_r:var_t. I needed to change the context to httpd_sys_content_t, and I did so with the following commands:
root# semanage fcontext -a -t httpd_sys_content_t "/var/www(/.*)?"
root# restorecon -R /var/www
If semanage complains that “a context already exists” for /var/www, then the flag -a (to ‘add context’) should be changed to -m (to ‘modify context’). I still mess that one up about half the time, but I’m learning!
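Here is an added shell example (mine, not from the post or the Tecmint guide) that makes the -a versus -m choice automatically by checking whether a local rule for /var/www already exists, and then verifies that every file under /var/www actually carries httpd_sys_content_t rather than trusting that restorecon did its job. It assumes policycoreutils (semanage, restorecon) and GNU findutils, and that the relabel is run as root in sysadm_r; the function names are my own.

```sh
#!/bin/sh
# Added example, not from the post: relabel the Gentoo web root for Apache
# under SELinux, picking `semanage fcontext -a` or `-m` automatically and
# checking the result instead of trusting that restorecon did its job.
set -eu

WEBROOT_SPEC='/var/www(/.*)?'     # the file-context regex used in the post
WEBROOT_TYPE='httpd_sys_content_t'

# decide_fcontext_flag SPEC   <- `semanage fcontext -l -C` on stdin
# Prints "-m" when a local rule for SPEC already exists (so "-a" would fail
# with "already defined"), otherwise "-a".
decide_fcontext_flag() {
    spec="$1"
    if grep -F -q -- "$spec"; then
        echo "-m"
    else
        echo "-a"
    fi
}

# has_type TYPE   <- lines of "<context> <path>" on stdin (ls -Z / find %Z)
# Succeeds only when every entry carries TYPE, so one stray var_t file fails.
has_type() {
    awk -v t="$1" '
        NF == 0 { next }
        $1 !~ (":" t "(:|$)") { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

relabel_webroot() {
    flag=$(semanage fcontext -l -C | decide_fcontext_flag "$WEBROOT_SPEC")
    semanage fcontext "$flag" -t "$WEBROOT_TYPE" "$WEBROOT_SPEC"
    restorecon -R -v /var/www                    # apply the rule to existing files
    # GNU find prints the SELinux context with %Z; fail loudly if anything
    # under the web root still carries the old var_t label.
    find /var/www -printf '%Z %p\n' | has_type "$WEBROOT_TYPE"
}

# Run as root in sysadm_r (as the post does) to perform the relabel:
# relabel_webroot
```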
PHP is a “scripting language” that helps Webtrees build its pages for the visitors. The PHP section of Tecmint’s guide is deprecated in some areas. The instructions are for installing version 5.5, whereas the version currently on offer from Gentoo’s portage tree is version 7.4. A current guide to installing PHP is available on the Gentoo Wiki. Despite its age, the Tecmint guide still lays out the basic steps quite well, although I’ve found these changes to be necessary:
- The author adds a long string of common USE flags to make.conf. Among them is the “(-selinux)” use flag, which ostensibly disables SELinux support for PHP. I’m running SELinux, so I don’t want that. The parentheses around the “-selinux” USE flag actually signify that the flag is to be set by the system profile and not by the user in make.conf. There is really no cause to be manually messing with USE flags in parentheses, so I removed all of those from the expression in the guide, including: (-frontbase), (-selinux), and (-sybase-ct).
If I recall correctly, Webtrees requires an additional PHP USE flag to be set that was not included in the USE flag string. I’ll update this space later on, when I figure out what flag that is.

Webtrees requires the intl internationalization module to be installed, but Tecmint’s guide disables it in the USE flag string. Where the guide instructs us to include -intl among the USE flags, removing the minus sign before that entry enables the module for use with Webtrees.
- Since I’ve installed only PHP version 7.4, this is the only version that it makes sense to add as a PHP target in make.conf, so:
is what I wrote in there, rather than PHP_TARGETS="5-5".
- Tecmint’s guide configures Apache to load the PHP5 module, but that’s been deprecated. Recent versions of PHP do not use the version number in the module at all, so I simply added:
to the end of my APACHE2_OPTS declaration.
- Tecmint’s instruction for creating a PHP info page is either incorrect or deprecated. Whereas the instruction is to create a file containing the expression:
<!--?php phpinfo(); ?-->
I believe the exclamation point and dashes do not belong. A more recent example from WebHostingHub shows the correct expression:
<? phpinfo(); ?>
Depending on the text editor you use, you might see the latter expression light up in colorful recognition of the PHP syntax, whereas the former probably will not.
The final element of my LAMP stack is the MariaDB database. This is the software that manages all of my data, from my family history information to my users’ names and passwords. MariaDB is a “drop-in replacement” for the seasoned MySQL database software, suggesting that my home server should work about as well with either.
You see, what had happened was that Sun Microsystems bought the original MySQL from its developers, and then the Oracle Corporation bought out Sun Microsystems. The original developers of MySQL were skeptical of Oracle’s “stewardship” of MySQL, so they forked their creation to make MariaDB. The result as far as I can tell is a virtually identical database experience with some differing licenses and philosophies about the business of it. The database you choose for your server is nobody’s business but yours, and either should work fine.
Installation of MariaDB software was painless, following Tecmint’s guide with only slight modifications for my situation:
- The mysql_install_db command is deprecated on Gentoo. Portage now handles this function through a configuration option. The Gentoo Wiki shows the current command:
root# emerge --config dev-db/mariadb
The mysql_secure_installation command, however, is still current, so I went ahead and used it when prompted to do so.
- Not unexpectedly, I had some trouble with SELinux while attempting to start the MariaDB service and configure it. This was apparently resolved by setting SELinux to permissive mode, performing the installation and configuration, then re-enabling SELinux, and relabeling the system with the rlpkg command as described on the Gentoo Wiki’s SELinux page:
root# rlpkg -a -r
- Tecmint’s guide includes steps for installing PHPMyAdmin for graphical administration of the MariaDB database through a web browser. This seems to be optional, as your interaction with the actual database software should be minimal. One feature I’m most interested in, however, is PHPMyAdmin’s ability to export and import databases. That should be most useful in case you ever want to move your database to another machine. One weird thing it asks for during setup is a “blowfish_secret passphrase using an arbitrary string”. To the best of my knowledge you don’t actually have to remember what you put here. The passphrase should be 32 characters long, and I had one of several different web sites randomly generate one for me.
What about a firewall?
I considered installing and configuring some firewall software. The Gentoo Wiki has pages for firewalls and iptables that would surely be helpful. The MariaDB package actually pulled in iproute2 and iptables as dependencies, so the firewall software is already installed on my machine. The only question is how to configure it.
Tecmint’s guide does not mention firewalls or iptables as part of hardening the system, so I’m content to leave well enough alone for now. Right now I’m eager to get the site live, so I’m forging ahead to the next step in the process. I might tinker with the iptables rules after I get Webtrees up and running.
Opening the router to web traffic
The routers through which home computers receive their internet signals typically block requests coming from outside the network. If I am setting up a home web server, however, I want to open my server to outside requests for access. The process of opening my router to requests for outside access is called port forwarding, or opening the ports.
Every piece of networking software is assigned a numbered port on your computer, which is like a little door that you can open to allow outside access. For my Webtrees project, I’ll want to open at least two ports:
- Port 80: Allows visitors to access the Webtrees content on the Apache server.
- Port 22: Allows me to access my server computer through SSH from anywhere, so I can perform server maintenance operations like updating the server software and altering the server’s configuration settings.
Apache optionally uses another port, Port 443, for SSL/TLS encryption services. This would be a must if I were conducting business over my site, such as accepting credit card numbers and other sensitive information from customers. I might experiment with encryption in the future, but for now it would go above and beyond the call.
The process for adding port forwards to your router depends on the router you use. You would have to consult your router’s documentation to learn the process. I’m using the standard Xfinity Xfi Advanced Gateway, which uses the xFi smartphone app to control its settings. To control port forwards through the xFi app, I launched it and tapped my SSID Wifi name. From there I tapped “Gateway”, and then I scrolled to the “Advanced Settings” option at the very bottom. From there, “Port Forwarding” was the first choice. I had to ensure my server computer was online as I did this, because port forwarding requires that I select my server from a list of connected devices. Once I selected my server machine, I just typed in the port number I wanted to add (one at a time), and then I hit “Next” to complete the process for each port. It is really very simple, but as always I have a couple extra tips if you are attempting something similar:
- The xFi Advanced Gateway also seems to need the Advanced Security setting to be disabled before internet traffic is allowed to my server. On the xFi app, the setting is found under: More –> My Services –> xFi Advanced Security. I’m not exactly sure how this affects the security of my home network, but hey. No risk, no reward?
- I’m not sure if this is a feature of all routers or just the xFi, but my xFi limits port forwarding to only one port number per router. Therefore, if I ever wanted to set up a second home server on a different machine, I could not reuse the ports 80 and 22 for Apache and SSH on the second machine. I do have another computer running a Minecraft server, so I configured SSH on my web server to use Port 26 instead of 22. This entailed also granting SELinux permissions on Port 26 using the semanage port command.
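As an added example (my own, not from the post), the following script does the Port 26 change in the order a cautious administrator wants: label the port ssh_port_t with semanage port, confirm the label actually took, and only then edit sshd_config and restart sshd. It assumes OpenRC’s rc-service (as on the post’s Gentoo box), sshd_config at its default path, and the NEW_PORT variable and function names are mine.

```sh
#!/bin/sh
# Added example, not from the post: move sshd to a non-default port on a
# Gentoo SELinux host. The port is labelled ssh_port_t first and the label
# is verified before sshd_config is touched, so sshd is never restarted on
# a port the policy would refuse to let it bind.
set -eu

NEW_PORT=26                      # the port the post forwards instead of 22

# ssh_port_allowed PORT   <- `semanage port -l` on stdin
# Succeeds when PORT is listed on the tcp ssh_port_t line, e.g.
#   ssh_port_t                     tcp      26, 22
ssh_port_allowed() {
    awk -v p="$1" '
        $1 == "ssh_port_t" && $2 == "tcp" {
            for (i = 3; i <= NF; i++) { gsub(",", "", $i); if ($i == p) ok = 1 }
        }
        END { exit ok ? 0 : 1 }'
}

# sshd_config_port FILE   -> prints the effective Port (22 when none is set);
# a commented "#Port 22" line does not count, exactly as sshd treats it.
sshd_config_port() {
    awk '$1 == "Port" { port = $2 } END { print (port == "" ? 22 : port) }' "$1"
}

move_sshd_port() {
    cfg=/etc/ssh/sshd_config
    echo "sshd currently configured for port $(sshd_config_port "$cfg")"
    if ! semanage port -l | ssh_port_allowed "$NEW_PORT"; then
        semanage port -a -t ssh_port_t -p tcp "$NEW_PORT"
    fi
    semanage port -l | ssh_port_allowed "$NEW_PORT"   # abort here if the label did not take
    sed -i "s/^#\{0,1\}Port .*/Port $NEW_PORT/" "$cfg"
    [ "$(sshd_config_port "$cfg")" = "$NEW_PORT" ] || echo "Port $NEW_PORT" >> "$cfg"
    sshd -t                                            # syntax check before restarting
    rc-service sshd restart
}

# Run as root in sysadm_r; keep the current SSH session open and confirm
# `ssh -p 26` works from a second terminal before logging out:
# move_sshd_port
```

The router forward for the new port has to exist as well, of course; the script only takes care of the SELinux and sshd side that the post mentions.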
Launching the site for free with No-IP
One last thing my server needs before it can go live is an address. My visitors need to know how to find me! Unfortunately most home Internet service does not come with a stable and reliable address. Internet providers do give addresses to home networks, but they are subject to change. There are two ways I can fix this problem for my home web server:
- Upgrade my Internet subscription to business class, or
- Subscribe to a Dynamic DNS service like No-IP.
Since I’m aiming for a $0 server, No-IP’s free Dynamic DNS service will do the job. No-IP will provide, free of charge, up to three URLs to access various devices on your home network. The catches are:
- The URLs are not perfectly customizable. No-IP allows selection from a limited number of domains, but I can customize my subdomains.
- You must log in to No-IP’s web site at least once every 30 days to confirm your URL. I can’t “set it and forget it”.
I can make custom URLs by registering a domain name with No-IP for $15 & up, annually. I could also subscribe to No-IP’s Enhanced Dynamic DNS service for about $25 annually. The more I pay, the better are the services I receive, but also the more I pay, the better off I would be either upgrading to business class internet in the first place, or paying for professional hosting.
Once I set up my No-IP account it needed one more thing to be able to do its job, and that is for a dynamic update client to be running on my server machine. The job of this client software is to keep No-IP informed of changes your Internet provider makes to your IP address. No-IP can then in turn keep the URL that it provides me pointed correctly to my server. Here again I had two options:
- DDClient is a free software package available in Linux repositories. I’ve used it successfully on Gentoo and Raspbian before. The pros of using this software are that it updates automatically with my system and that it’s easy to launch as a service at boot, for those rare occasions when I would need to reboot my server. Cons include: (1) It can be tricky to configure. The automatic configuration script provided by Raspbian, for example, does not seem to work correctly, or if it does work it is easy to bungle. The Gentoo Wiki has a sample configuration file for No-IP users that I recommend consulting. (2) SELinux permissions did not work out-of-the-box for me on Gentoo. I had such a tough time with it that I gave up on DDClient and went for the next option. I might try DDClient again in the future, after I learn more about SELinux permissions.
- DUC is No-IP’s own dynamic update client, downloadable from its web site. The pros include simple installation instructions, fool-proof configuration, and best of all no SELinux permission errors for me! Cons include: (1) No automatic updates. I will have to visit the No-IP web site to check for updates to the software, and (2) setting it up to launch at boot, while likely possible for seasoned Linux administrators, is not straightforward. I would have to either follow yet another lengthy tutorial to make that happen or issue the noip2 command manually to start the client again after rebooting.
Visiting my new server for the first time
As soon as I have my LAMP server running, my No-IP account set up with my URLs chosen, and my dynamic update client reporting my IP address to No-IP, I’m ready to visit my server as a normal user would. Although there is no useful information on my site yet, there is great satisfaction in witnessing that my server is ready to broadcast.
The Apache server software comes loaded with a very simple sample web site. The file is located on the server at /var/www/localhost/htdocs/index.html. It prints only “It works!” by default, but it’s easily customized to say anything you like or nothing at all. I opened the file with nano and customized it with a personal message:
$ newrole -r sysadm_r
$ nano /var/www/localhost/htdocs/index.html
In time, I’ll be developing my index.html file into a welcome page that links to my various genealogy projects.
For now, I can visit my server from within my home’s network by typing the internal IP address into a web browser on my main computer. My server’s internal IP address, for example, is 10.0.0.201. If I type that number into my Chrome web address bar while connected to my home network, I will see my web site. That’s cool and all, but the true test is whether I can view my site using the No-IP URL from outside of my home’s network. If I type my server’s No-IP address, GenealogyByTim.zapto.org, directly into the web browser from inside my home network, I won’t get a response. Not to worry, however. If everything was set up properly, my No-IP URL should work if accessed from outside of my home network. I’ve got several options for testing this:
- Turn my smart phone’s WiFi off and access my site using my phone’s 4G service. Better still, launch a WiFi hotspot on my phone and connect my main computer to the internet through that.
- Go visit my mother, or my auntie, or the local library! Test my web server by showing off my web server skillz.
- Use the Tor browser, even from within my home network, to bounce my access request off of several other computers before it reaches my home server.
Using any of these fine methods I can now access the home page of my Apache server at http://genealogybytim.zapto.org, my PHP info page at http://genealogybytim.zapto.org/info.php, and my PHPMyAdmin installation at http://genealogybytim.zapto.org/phpmyadmin. Here is what they look like on my GPD Pocket 2, connected to the Internet through my smart phone’s WiFi hotspot:
All of this has been completely free so far given that I had an extra laptop sitting idle in my closet, but I did go ahead and reserve the genealogybytim.com domain name with privacy and security for about $24. I’m thinking of re-branding my online presence to Genealogy by Tim G., since I haven’t done photo restorations professionally for quite some time now.
Now that I have a LAMP web server up and accessible, it’s finally time to install and configure the Webtrees online collaborative genealogy application!
Next: Installing the Webtrees Software ➡️