Installing, Configuring, and Securing Litespeed + PHP5 + Suhosin on FreeBSD 6.2

Securing PHP is a must nowadays. There are many cases of PHP applications being exploited,
and we need to take steps to make sure weak applications are not compromised on the server, leading to bigger problems.
LiteSpeed web server is an Apache-interchangeable, full-featured, high-performance,
secure HTTP server specifically engineered from the ground up with security and scalability in mind.
However, setting up Litespeed + PHP5 on FreeBSD has some troubles. This is caused by a bug with the
PHP configuration on FreeBSD. This bug will put you in deep trouble if you want to build the PHP PEAR library
or build a matching PHP opcode cache like APC or eAccelerator, or any additional extensions, later.
Please see this post: error on make install PHP

Don't worry, I'll be here for you :) I had success when I tried this on PHP 5.1.4 and 5.2.3, but I failed to install using PHP 5.2.4.
Enough talk, let's get into the jungle.

A. LITESPEED INSTALL

Installing Litespeed is pretty easy.
1. Go to the source directory where we want to download Litespeed and compile it.

cd /usr/src

2. Now download Litespeed and extract it

wget http://www.litespeedtech.com/packages/3.0/lsws-3.2.3-std-i386-freebsd6.t...
tar -xvzf lsws-3.2.3-std-i386-freebsd6.tar.gz

3. Enter the Litespeed source directory and run the install script

cd lsws-3.2.3
./install.sh

This install script will take you through a step-by-step configuration. This is what it looks like.
You can decide whether to install PHP or not in this step. Please note that the default Litespeed PHP version is 4.4.*,
so it is better if we choose no.

* Do you agree with above license? Yes
* Destination [/opt/lsws]: /usr/local/lsws
* User name [admin]: admin
* Password: 123456
* Retype password: 123456
* User [nobody]: nobody
* Group [nobody]: nobody
* HTTP port [8088]: 80
* Admin HTTP port [7080]: 7080
Don't forget, both these ports should be enabled in the firewall
* Setup up PHP [Y/n]: Y
* Suffix for PHP script(comma separated list) [php]: php
* Would you like to change PHP opcode cache setting [y/N]? N
* Would you like to install AWStats Add-on module [y/N]? N
* Would you like to import Apache configuration [y/N]? N
* Would you like to have LiteSpeed Web Server started automatically when the machine restarts [Y/n]? Y
* Would you like to start it right now [Y/n]? Y

LiteSpeed Web Server started successfully. Don't be happy yet, because we still haven't reached the end of the road.

B. PHP5 INSTALL AND PATCH

1. This tutorial assumes that you have installed MySQL on your machine. If you haven't, read this: Quick way installing MySQL
First off, download what you need. I use PHP 5.2.3 here, because I have not yet succeeded in installing PHP 5.2.4 on FreeBSD.

cd /usr/src
wget http://www.php.net/get/php-5.2.3.tar.bz2/from/this/mirror
wget http://choon.net/opensource/php/php-5.2.3-mail-header.patch
wget http://www.hardened-php.net/suhosin/_media/suhosin-patch-5.2.3-0.9.6.2.p...
wget http://www.hardened-php.net/suhosin/_media/suhosin-0.9.20.tgz

OR, if you don't want to download them one by one, use this version. Don't worry, it's safe.

wget http://download.medialayer.net/public/lsphp-5.2.3-suhosin-choon-lsapi4.t...

Be careful: lsphp-5.2.3-suhosin-choon-lsapi4.tar.gz is already patched.

2. Uncompress PHP

tar xvjf php-5.2.3.tar.bz2

If you downloaded php-5.2.3.tar.gz, use: tar zxvf
3. Begin patching the source

gunzip suhosin-patch-5.2.3-0.9.6.2.patch.gz ; cat suhosin-patch-5.2.3-0.9.6.2.patch | patch -p0
cat php-5.2.3-mail-header.patch | patch -p0

4. Other people may suggest that you enter the sapi directory, then download and configure php-litespeed.
We'll do that later, ok?
So, let's get to the next part. We still have more things to do here.
Install the CGI version of PHP first. To build the CGI version of PHP, just configure PHP with neither '--with-litespeed' nor '--with-apxs'; the rest is the same, and it will build the CGI version of PHP.
I use some configure options here; you don't need to use the same options as me.
Ok, let's do it.

cd php-5.2.3
./configure '--prefix=/usr/local/php5' --enable-discard-path '--with-config-file-scan-dir=/etc/php.d' --enable-magic-quotes --enable-versioning --enable-libxml '--with-libxml-dir=/usr/local/include/libxml2/' --with-zlib --with-openssl '--with-mysql=/usr/local/' --enable-exif --with-gd '--with-jpeg-dir=/usr/local/lib' '--with-png-dir=/usr/local/lib' --with-ttf '--with-freetype-dir=/usr/local/include/freetype2/' --enable-gd-native-ttf '--with-gettext=/usr/local/lib/' --enable-spl --enable-reflection --enable-shmop --enable-sockets --with-regex=php --with-pcre-regex --enable-bcmath --enable-mbstring '--with-mcrypt=/usr/local/lib' --enable-sysvsem --enable-sysvshm --enable-sysvmsg --with-pear --with-zend-vm=CALL --target=i386-unknown-freebsd

Huh, an error? What's the error message? Don't panic.
Maybe your machine is missing some libraries PHP needs, or maybe configure didn't find them.
For example, if it is missing the jpeg or png library, just install them from ports.

cd /usr/ports/graphics/jpeg/ && make install
cd /usr/ports/graphics/png/ && make install

If it was neither of those, go googling :p
5. Now, compile it using make.

make

Compiling PHP will take some time; go get some milk.
(some minutes later)
6. Now, make install.
What 'make install' does here is copy the PHP binary and the other files it needs to their locations,
as given by --prefix= and the other options when you configured your PHP source.
Now, type this

make install

Done. PHP is installed as CGI.

7. This step downloads and compiles php-litespeed

cd /usr/src/php-5.2.3/sapi
wget http://www.litespeedtech.com/packages/lsapi/php-litespeed-3.1.tgz
tar -zxvf php-litespeed-3.1.tgz
cd ..
touch ac*
./buildconf --force

If it says you need autoconf-2.13, go install it.

cd ..
wget http://ftp.gnu.org/gnu/autoconf/autoconf-2.13.tar.gz
tar zxvf autoconf-2.13.tar.gz
cd autoconf-2.13/
./configure
make
make install
cd ../php-5.2.3

8. Now, configure the PHP source with options similar to step 4, but add --with-litespeed

./configure --with-litespeed '--prefix=/usr/local/php5' --enable-discard-path '--with-config-file-path=../php/' '--with-config-file-scan-dir=/etc/php.d' --enable-magic-quotes --enable-versioning --enable-libxml '--with-libxml-dir=/usr/local/include/libxml2/' --with-zlib --with-openssl '--with-mysql=/usr/local/' --enable-exif --with-gd '--with-jpeg-dir=/usr/local/lib' '--with-png-dir=/usr/local/lib' --with-ttf '--with-freetype-dir=/usr/local/include/freetype2/' --enable-gd-native-ttf '--with-gettext=/usr/local/lib/' --enable-spl --enable-reflection --enable-shmop --enable-sockets --with-regex=php --with-pcre-regex --enable-bcmath --enable-mbstring '--with-mcrypt=/usr/local/lib' --enable-sysvsem --enable-sysvshm --enable-sysvmsg --with-pear --with-zend-vm=CALL --target=i386-unknown-freebsd

If it says 'Thank you for installing PHP' and there are no unknown configure options, congratulations, go to the next step.

9. Compile PHP; this will take some time too. Go get your second milk :)

make

10. Welcome back! Copy the PHP binary to the Litespeed installation directory (the source tree is in /usr/src, where we extracted it).

cd /usr/local/lsws/fcgi-bin
mv lsphp lsphp.old
cp /usr/src/php-5.2.3/sapi/litespeed/php ./lsphp

11. Test the new lsphp binary. Notice (litespeed) in the output.

./lsphp -v
PHP 5.2.3 (litespeed) (built: Sep 25 2007 02:01:51)
Copyright (c) 1997-2004 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2007 Zend Technologies
with Suhosin v0.9.20, Copyright (c) 2002-2006, by Hardened-PHP Project

If both litespeed and Suhosin are there, your suffering is over.
12. Don't forget to restart Litespeed

/usr/local/lsws/bin/lswsctrl restart

For maximum security and performance, we want to apply the Suhosin extension as well (the patch built above hardens the engine; the extension adds the runtime filters configured below).
Enter the source directory.

cd /usr/src/

Do ls -al and notice that we downloaded suhosin-0.9.20.tgz before. If you had not, type

wget http://www.hardened-php.net/suhosin/_media/suhosin-0.9.20.tgz

Now extract, compile, and install it as PHP extension.

tar zxvf suhosin-0.9.20.tgz
cd suhosin-0.9.20
/usr/local/php5/bin/phpize
./configure
make
make install

It will say something like: installed in /usr/local/lib/php/extensions/no-debug-non-zts-20060613
Copy this path and put it in the extension_dir directive inside /usr/local/lsws/php/php.ini,
or you can just copy the suhosin.so file to wherever the extension_dir directive is set.
Open /usr/local/lsws/php/php.ini and add these lines:

[suhosin]
; load the extension built above; it is looked up in extension_dir
extension = suhosin.so
suhosin.log.syslog.facility = 9
suhosin.log.use-x-forwarded-for = Off
;suhosin.executor.max_depth = ''
suhosin.executor.include.max_traversal = 5
suhosin.executor.disable_emodifier = Off
suhosin.executor.allow_symlink = Off
suhosin.simulation = Off
suhosin.apc_bug_workaround = Off
suhosin.sql.bailout_on_error = Off
suhosin.multiheader = Off
suhosin.mail.protect = 1
suhosin.memory_limit = 100
suhosin.session.encrypt = Off
suhosin.session.cryptua = Off
suhosin.session.cryptdocroot = Off
suhosin.session.cryptraddr = ''
suhosin.cookie.encrypt = Off
suhosin.cookie.cryptua = Off
suhosin.cookie.cryptraddr = ''
suhosin.filter.action = 403
suhosin.cookie.max_array_depth = 100
suhosin.cookie.max_array_index_length = 64
suhosin.cookie.max_name_length = 64
suhosin.cookie.max_totalname_length = 256
suhosin.cookie.max_value_length = 10000
suhosin.cookie.max_vars = 100
suhosin.cookie.disallow_nul = On
suhosin.post.max_vars = 2048
suhosin.request.max_vars = 2048

Now, as far as further PHP configuration goes, it really depends on what you need and use. Tweak it as you need.
Restart Litespeed and you're done.

/usr/local/lsws/bin/lswsctrl restart
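A post-install check for steps 11 and the php.ini section above, added here as an example (it is not part of the original tutorial, nor of LiteSpeed or Suhosin). Two things fail silently otherwise: the copied lsphp may lack the Suhosin patch, and php.ini may never load suhosin.so because extension_dir or the extension= line is wrong. check_installed assumes the tutorial's paths /usr/local/lsws/fcgi-bin/lsphp and /usr/local/lsws/php/php.ini; demo runs offline on constructed data.

```shell
#!/bin/sh
# Added check, not from the original page: verify the Suhosin patch in the lsphp
# banner and the Suhosin extension wiring in php.ini.

# Return 0 if an "lsphp -v" banner shows both the litespeed SAPI and the Suhosin patch.
check_lsphp_banner() {
    case "$1" in *"(litespeed)"*) ;; *) echo "SAPI is not litespeed" >&2; return 1 ;; esac
    case "$1" in *"with Suhosin"*) return 0 ;; *) echo "Suhosin patch missing" >&2; return 1 ;; esac
}

# Print the value of KEY from ini FILE: first match, trailing comment and quotes stripped.
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 |
        sed 's/[[:space:]]*;.*$//; s/[[:space:]]*$//' | tr -d '"'"'"
}

# Return 0 if php.ini sets extension_dir, has an active extension=suhosin.so line,
# and suhosin.so really exists in that directory.
check_suhosin_ini() {
    dir=$(ini_get "$1" extension_dir)
    [ -n "$dir" ] || { echo "extension_dir not set in $1" >&2; return 1; }
    grep -q '^[[:space:]]*extension[[:space:]]*=[[:space:]]*"\{0,1\}suhosin\.so' "$1" ||
        { echo "extension=suhosin.so missing in $1" >&2; return 1; }
    [ -f "$dir/suhosin.so" ] || { echo "$dir/suhosin.so not found" >&2; return 1; }
}

# Check the real installation at the paths this tutorial uses (assumed paths).
check_installed() {
    check_lsphp_banner "$(/usr/local/lsws/fcgi-bin/lsphp -v 2>&1)" &&
        check_suhosin_ini /usr/local/lsws/php/php.ini
}

# Offline demo on constructed data: a fake extension dir, a php.ini and a banner like step 11's.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/ext" && : > "$tmp/ext/suhosin.so"
    printf 'extension_dir = "%s"\n\n[suhosin]\nextension = suhosin.so\n' "$tmp/ext" > "$tmp/php.ini"
    if check_lsphp_banner "PHP 5.2.3 (litespeed) (built: Sep 25 2007) with Suhosin v0.9.20" &&
       check_suhosin_ini "$tmp/php.ini"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}
```

Run check_installed after the final restart; a non-zero exit with the printed reason tells you which of the two steps to redo.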

