Introduction

This HowTo assumes an installed and configured FreeBSD base system as described in FreeBSD Remote Installation.

The following points apply throughout this HowTo.

  • All services are installed with the smallest proven set of features that will do the job.
  • All services are given a configuration that is as secure as possible while still remaining flexible.
  • All configurations must be checked by you for any individual adjustments that are required.
  • All passwords are shown as @PASSWORD@ and must be replaced by you with secure passwords.
  • The server's domain is example.org and must be replaced by you with your own domain.
  • The server's hostname is srv and must be replaced by you with your own hostname (FQDN=srv.example.org).
  • The FQDNs srv.example.org, mail.example.org, pki.example.org and www.example.org are used and must be registered by you in DNS.
  • Postfix and Dovecot share both the FQDN mail.example.org and the SSL certificate.
  • The build options we want for each port are set via the options files of the new port configuration framework, OptionsNG.

Our web hosting system will comprise the following services.

  • MySQL 5.6.x
  • Postfix 2.11.x
  • Dovecot 2.2.x
  • Apache 2.4.x
  • mod_php 5.6.x

Preparations

mkdir -p /data/db /data/etc /data/spool /data/tmp
chmod 1777 /data/tmp

cat >> /etc/make.conf << "EOF"
DEFAULT_VERSIONS+=php=5.6
DEFAULT_VERSIONS+=apache=2.4
DEFAULT_VERSIONS+=mysql=5.6
DEFAULT_VERSIONS+=pgsql=9.4
EOF

OpenSSL

Because of its size, this topic is covered in a separate HowTo: Certificate Authority.

MySQL

MySQL supports several storage engines; this HowTo restricts itself to the two most commonly used ones: MyISAM and InnoDB.

Installing MySQL

mkdir -p /var/db/ports/ftp_curl
cat > /var/db/ports/ftp_curl/options << "EOF"
_OPTIONS_READ=curl-7.38.0
_FILE_COMPLETE_OPTIONS_LIST=CA_BUNDLE COOKIES CURL_DEBUG DEBUG DOCS EXAMPLES HTTP2 IDN IPV6 LDAP LDAPS LIBSSH2 PROXY RTMP TLS_SRP GSSAPI_BASE HEIMDAL_PORT KRB5_PORT CARES THREADED_RESOLVER CYASSL GNUTLS NSS OPENSSL POLARSSL
OPTIONS_FILE_SET+=CA_BUNDLE
OPTIONS_FILE_SET+=COOKIES
OPTIONS_FILE_UNSET+=CURL_DEBUG
OPTIONS_FILE_UNSET+=DEBUG
OPTIONS_FILE_UNSET+=DOCS
OPTIONS_FILE_UNSET+=EXAMPLES
OPTIONS_FILE_SET+=HTTP2
OPTIONS_FILE_SET+=IDN
OPTIONS_FILE_SET+=IPV6
OPTIONS_FILE_UNSET+=LDAP
OPTIONS_FILE_UNSET+=LDAPS
OPTIONS_FILE_SET+=LIBSSH2
OPTIONS_FILE_SET+=PROXY
OPTIONS_FILE_UNSET+=RTMP
OPTIONS_FILE_SET+=TLS_SRP
OPTIONS_FILE_SET+=GSSAPI_BASE
OPTIONS_FILE_UNSET+=HEIMDAL_PORT
OPTIONS_FILE_UNSET+=KRB5_PORT
OPTIONS_FILE_UNSET+=CARES
OPTIONS_FILE_SET+=THREADED_RESOLVER
OPTIONS_FILE_UNSET+=CYASSL
OPTIONS_FILE_UNSET+=GNUTLS
OPTIONS_FILE_UNSET+=NSS
OPTIONS_FILE_SET+=OPENSSL
OPTIONS_FILE_UNSET+=POLARSSL
EOF

mkdir -p /var/db/ports/devel_py-Jinja2
cat > /var/db/ports/devel_py-Jinja2/options << "EOF"
_OPTIONS_READ=py27-Jinja2-2.7.3
_FILE_COMPLETE_OPTIONS_LIST=BABEL EXAMPLES
OPTIONS_FILE_SET+=BABEL
OPTIONS_FILE_UNSET+=EXAMPLES
EOF

mkdir -p /var/db/ports/textproc_py-docutils
cat > /var/db/ports/textproc_py-docutils/options << "EOF"
_OPTIONS_READ=py27-docutils-0.12
_FILE_COMPLETE_OPTIONS_LIST=PYGMENTS
OPTIONS_FILE_SET+=PYGMENTS
EOF

mkdir -p /var/db/ports/www_nghttp2
cat > /var/db/ports/www_nghttp2/options << "EOF"
_OPTIONS_READ=nghttp2-0.6.1
_FILE_COMPLETE_OPTIONS_LIST=HPACK
OPTIONS_FILE_SET+=HPACK
EOF

mkdir -p /var/db/ports/security_libssh2
cat > /var/db/ports/security_libssh2/options << "EOF"
_OPTIONS_READ=libssh2-1.4.3
_FILE_COMPLETE_OPTIONS_LIST=GCRYPT TRACE ZLIB
OPTIONS_FILE_UNSET+=GCRYPT
OPTIONS_FILE_UNSET+=TRACE
OPTIONS_FILE_SET+=ZLIB
EOF

mkdir -p /var/db/ports/devel_libevent2
cat > /var/db/ports/devel_libevent2/options << "EOF"
_OPTIONS_READ=libevent2-2.0.21
_FILE_COMPLETE_OPTIONS_LIST=OPENSSL THREADS
OPTIONS_FILE_SET+=OPENSSL
OPTIONS_FILE_SET+=THREADS
EOF

mkdir -p /var/db/ports/textproc_libxml2
cat > /var/db/ports/textproc_libxml2/options << "EOF"
_OPTIONS_READ=libxml2-2.9.1
_FILE_COMPLETE_OPTIONS_LIST=MEM_DEBUG SCHEMA THREADS THREAD_ALLOC XMLLINT_HIST
OPTIONS_FILE_UNSET+=MEM_DEBUG
OPTIONS_FILE_SET+=SCHEMA
OPTIONS_FILE_SET+=THREADS
OPTIONS_FILE_UNSET+=THREAD_ALLOC
OPTIONS_FILE_UNSET+=XMLLINT_HIST
EOF

cd /usr/ports/databases/mysql56-client
make config-recursive all install clean-depends clean

cd /usr/ports/databases/mysql56-server
make config-recursive all install clean-depends clean

echo 'mysql_enable="YES"' >> /etc/rc.conf
echo 'mysql_dbdir="/data/db/mysql"' >> /etc/rc.conf

cp -a /var/db/mysql /data/db/

Configuring MySQL

Note: the configuration is based on this forum post.

cat > /data/db/mysql/my.cnf << "EOF"
[client]
port                            = 3306
socket                          = /tmp/mysql.sock

[mysql]
prompt                          = \u@\h [\d]>\_
no_auto_rehash

[mysqld]
user                            = mysql
port                            = 3306
bind-address                    = 127.0.0.1
socket                          = /tmp/mysql.sock
basedir                         = /usr/local
datadir                         = /data/db/mysql
tmpdir                          = /data/tmp/mysql
slave-load-tmpdir               = /data/tmp/mysql
secure-file-priv                = /data/tmp/mysql
log-bin                         = /data/db/mysql/mysql-bin
relay-log                       = /data/db/mysql/relay.log
relay-log-index                 = /data/db/mysql/relay.index
relay-log-info-file             = /data/db/mysql/relay.info
master-info-file                = /data/db/mysql/master.info
#master-host                     = <hostname>
#master-user                     = <username>
#master-password                 = <password>
#master-port                     = 3306
#auto_increment_increment        = 10
#auto_increment_offset           = 1
server-id                       = 1
back_log                        = 500
sync_binlog                     = 1
binlog_cache_size               = 4M
binlog_stmt_cache_size          = 4M
max_binlog_size                 = 500M
binlog-format                   = MIXED
expire_logs_days                = 30
slow-query-log                  = 1
slow-query-log-file             = /data/db/mysql/slow-query.log
performance_schema              = 1
slave_compressed_protocol       = 1
lower_case_table_names          = 1
safe-user-create                = 1
delay-key-write                 = ALL
sql_mode                        = NO_ENGINE_SUBSTITUTION,STRICT_TRANS_TABLES
myisam-recover-options          = FORCE,BACKUP
key_buffer_size                 = 256M
join_buffer_size                = 128K
sort_buffer_size                = 2M
read_buffer_size                = 128K
read_rnd_buffer_size            = 256K
bulk_insert_buffer_size         = 8M
myisam_sort_buffer_size         = 8M
max_allowed_packet              = 64M
max_heap_table_size             = 64M
tmp_table_size                  = 64M
thread_stack                    = 192K
table_open_cache                = 8192
table_definition_cache          = 8192
open_files_limit                = 32768
net_retry_count                 = 16384
query_cache_type                = 1
query_cache_size                = 64M
query_cache_limit               = 2M
query_cache_min_res_unit        = 4K
thread_cache_size               = 80
max_connections                 = 100
ft_max_word_len                 = 20
ft_min_word_len                 = 3
long_query_time                 = 0.5
local-infile                    = 0
log-warnings                    = 2
log-slave-updates
log-queries-not-using-indexes
skip-external-locking
skip-symbolic-links
innodb_thread_concurrency       = 8
innodb_buffer_pool_size         = 4G
innodb_buffer_pool_instances    = 4
innodb_data_home_dir            = /data/db/mysql
innodb_log_group_home_dir       = /data/db/mysql
innodb_data_file_path           = ibdata1:2000M;ibdata2:2000M;ibdata3:10M:autoextend
innodb_flush_method             = O_DIRECT
innodb_log_file_size            = 256M
innodb_log_buffer_size          = 16M
innodb_log_files_in_group       = 2
innodb_flush_log_at_trx_commit  = 2
innodb_max_dirty_pages_pct      = 90
innodb_file_per_table           = 1
innodb_purge_threads            = 1
innodb_strict_mode              = 1
innodb_old_blocks_time          = 1000
innodb_stats_on_metadata        = 0
innodb_write_io_threads         = 8
innodb_read_io_threads          = 8
innodb_io_capacity              = 200
innodb_open_files               = 8192
innodb_optimize_fulltext_only   = 1

[mysqldump]
max_allowed_packet              = 256M
key_buffer_size                 = 256M
quote_names
quick

[isamchk]
key_buffer_size                 = 256M

[myisamchk]
key_buffer_size                 = 256M

[mysqlhotcopy]
interactive_timeout
EOF

chmod 0660 /data/db/mysql/my.cnf
chown mysql:mysql /data/db/mysql/my.cnf

Securing MySQL

For security reasons we restrict the creation of temporary tables and the operations LOAD DATA ... INFILE and SELECT ... INTO OUTFILE to the directory /data/tmp/mysql (the tmpdir and secure-file-priv settings in my.cnf), which we now create.

mkdir -p /data/tmp/mysql
chmod 1770 /data/tmp/mysql
chown mysql:mysql /data/tmp/mysql

If --user=${mysql_user} is missing from the following line of the init script (/usr/local/etc/rc.d/mysql-server), it must now be inserted there manually.

mysql_install_db_args="--basedir=/usr/local --defaults-extra-file=${mysql_optfile} --datadir=${mysql_dbdir} --user=${mysql_user} --force"

MySQL is now started for the first time. Creating the InnoDB files can take several minutes and may cause the init script to print a spurious error message.

service mysql-server start

We therefore wait until a line similar to the following appears in tail -f /data/db/mysql/srv.example.org.err and then terminate tail with ^C (CTRL+C).

Version: '5.6.20-log'  socket: '/tmp/mysql.sock'  port: 3306  Source distribution

Finally, MySQL is secured with mysql_secure_installation. All questions, apart from the new root password, are answered with a firm press of the Return key.

mysql_secure_installation
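As an added check that is not part of this HowTo, the following Python code parses MySQL option-file syntax (as used by the my.cnf above) and audits the [mysqld] settings the hardening relies on: a loopback-only bind-address, local-infile disabled, secure-file-priv set, skip-symbolic-links and safe-user-create. The two embedded configurations are constructed excerpts: one mirrors the settings above, the other shows the weaker values they replace.

```python
import re

# Constructed excerpt mirroring the hardening settings of the [mysqld] section above.
HARDENED = """\
[mysqld]
user                            = mysql
bind-address                    = 127.0.0.1
tmpdir                          = /data/tmp/mysql
secure-file-priv                = /data/tmp/mysql
local-infile                    = 0
safe-user-create                = 1
skip-symbolic-links
"""

# Constructed counter-example: listens on all interfaces, allows LOAD DATA LOCAL,
# and leaves the other protections unset.
WEAK = """\
[mysqld]
user = mysql
bind-address = 0.0.0.0   # reachable from the network
local-infile = 1
"""


def parse_option_file(text):
    """Parse MySQL option-file syntax into {section: {name: value}}.

    Bare flags such as skip-symbolic-links get the value "1". Like mysqld,
    dashes in option names are folded to underscores, and '#' / ';' start a
    comment (a '#' may also start one in the middle of a line).
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";") or line.startswith("!"):
            continue                      # comment, blank, or !include directive
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None:
            continue                      # option outside any section
        name, sep, value = line.partition("=")
        name = re.sub(r"-", "_", name.strip().lower())
        sections[current][name] = value.strip() if sep else "1"
    return sections


def audit_mysqld(text):
    """Return a list of findings for the [mysqld] settings this HowTo depends on."""
    opts = parse_option_file(text).get("mysqld", {})
    findings = []
    if opts.get("bind_address") not in ("127.0.0.1", "::1", "localhost"):
        findings.append("bind_address: not restricted to loopback")
    if opts.get("local_infile", "1") != "0":   # MySQL 5.6 default is ON
        findings.append("local_infile: LOAD DATA LOCAL INFILE allowed")
    if not opts.get("secure_file_priv"):
        findings.append("secure_file_priv: file import/export not confined to a directory")
    if opts.get("skip_symbolic_links") != "1":
        findings.append("skip_symbolic_links: symlinked table files allowed")
    if opts.get("safe_user_create") != "1":
        findings.append("safe_user_create: GRANT may create users without INSERT on mysql.user")
    return findings


if __name__ == "__main__":
    for label, cfg in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit_mysqld(cfg) or "no findings")
```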

Dovecot

Installing Dovecot

mkdir -p /var/db/ports/mail_dovecot2
cat > /var/db/ports/mail_dovecot2/options << "EOF"
_OPTIONS_READ=dovecot2-2.2.13
_FILE_COMPLETE_OPTIONS_LIST=DOCS EXAMPLES KQUEUE LDAP LIBWRAP LUCENE MYSQL PGSQL SOLR SQLITE SSL VPOPMAIL GSSAPI_NONE GSSAPI_BASE GSSAPI_HEIMDAL GSSAPI_MIT
OPTIONS_FILE_UNSET+=DOCS
OPTIONS_FILE_UNSET+=EXAMPLES
OPTIONS_FILE_SET+=KQUEUE
OPTIONS_FILE_UNSET+=LDAP
OPTIONS_FILE_UNSET+=LIBWRAP
OPTIONS_FILE_UNSET+=LUCENE
OPTIONS_FILE_UNSET+=MYSQL
OPTIONS_FILE_UNSET+=PGSQL
OPTIONS_FILE_UNSET+=SOLR
OPTIONS_FILE_UNSET+=SQLITE
OPTIONS_FILE_SET+=SSL
OPTIONS_FILE_UNSET+=VPOPMAIL
OPTIONS_FILE_SET+=GSSAPI_NONE
OPTIONS_FILE_UNSET+=GSSAPI_BASE
OPTIONS_FILE_UNSET+=GSSAPI_HEIMDAL
OPTIONS_FILE_UNSET+=GSSAPI_MIT
EOF

cd /usr/ports/mail/dovecot2
make config-recursive all install clean-depends clean

echo 'dovecot_enable="YES"' >> /etc/rc.conf

Configuring Dovecot

Set up dovecot.conf.

mkdir -p /usr/local/etc/dovecot

cat > /usr/local/etc/dovecot/dovecot.conf << "EOF"
auth_verbose = yes
first_valid_gid = 5000
first_valid_uid = 5000
hostname = mail.example.org
imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags
last_valid_gid = 5000
last_valid_uid = 5000
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
lda_original_recipient_header = X-Original-To
listen = *, ::
login_log_format_elements = "user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k session=<%{session}>"
mail_location = maildir:/data/vmail/%d/%n
namespace inbox {
  inbox = yes
  location =
  mailbox Archives {
    auto = subscribe
    special_use = \Archive
  }
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
  prefix =
}
passdb {
  args = scheme=ssha512 username_format=%u /usr/local/etc/dovecot/passwd
  default_fields = uid=5000 gid=5000 home=/data/vmail/%d/%n
  driver = passwd-file
  override_fields = uid=5000 gid=5000 home=/data/vmail/%d/%n
}
plugin {
  quota = maildir:User quota
  quota_rule = *:storage=1G
  quota_rule2 = Archives:storage=+1G
}
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
postmaster_address = postmaster@example.org
protocols = imap lmtp
quota_full_tempfail = yes
sendmail_path = /usr/local/sbin/sendmail
service auth {
  unix_listener /data/spool/postfix/private/auth {
    group = postfix
    user = postfix
    mode = 0660
  }
}
service imap-login {
  inet_listener imap {
    address = 127.0.0.1 ::1
    port = 143
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
  process_min_avail = 2
}
service pop3-login {
  inet_listener pop3 {
    address = 127.0.0.1 ::1
    port = 110
  }
  inet_listener pop3s {
    address = 127.0.0.1 ::1
    port = 995
    ssl = yes
  }
}
ssl = required
ssl_ca = </data/pki/ca/component-ca-chain.pem
ssl_cert = </data/pki/certs/mail.example.org.crt
ssl_cipher_list = EECDH+AES256 EECDH+AES128 EDH+AES256 EDH+AES128 !CAMELLIA !RC4 !3DES !IDEA !SEED !PSK !SRP !DSS !eNULL !aNULL !LOW !EXP
ssl_dh_parameters_length = 4096
ssl_key = </data/pki/private/mail.example.org.key
ssl_parameters_regenerate = 0
ssl_prefer_server_ciphers = yes
ssl_protocols = !SSLv2 !SSLv3
userdb {
  args = username_format=%u /usr/local/etc/dovecot/passwd
  default_fields = uid=5000 gid=5000 home=/data/vmail/%d/%n
  driver = passwd-file
  override_fields = uid=5000 gid=5000 home=/data/vmail/%d/%n
}
verbose_proctitle = yes
verbose_ssl = yes
protocol imap {
  mail_plugins = quota imap_quota
}
protocol pop3 {
  mail_plugins = quota
}
EOF

Set up /usr/local/etc/dovecot/passwd.

Creating new mail users is automated with a script.

cat > /usr/local/etc/dovecot/create_mailuser.sh << "EOF"
#!/bin/sh
# Usage: create_mailuser.sh user@domain
# Generates a random 12-character password, hashes it with SSHA512 via doveadm
# and appends the matching passwd-file entry (uid/gid 5000, home /data/vmail/%d/%n).

dovecot_passwd="/usr/local/etc/dovecot/passwd"
dovecot_user="${1}"

if [ -z "${dovecot_user}" ]; then
  echo "usage: ${0} user@domain" >&2
  exit 1
fi
if grep -q "^${dovecot_user}:" "${dovecot_passwd}" 2>/dev/null; then
  echo "${dovecot_user} already exists in ${dovecot_passwd}" >&2
  exit 1
fi

dovecot_pass="$(openssl rand -hex 64 | openssl passwd -1 -stdin | tr -cd '[[:alnum:]]' | sed -e 's/^1//' | fold -w 12 | head -n 1)"
dovecot_hash="$(doveadm pw -s SSHA512 -p "${dovecot_pass}")"
echo "Password for ${dovecot_user} is: ${dovecot_pass}"
echo "${dovecot_user}:${dovecot_hash}:5000:5000::/data/vmail/%d/%n::" >> "${dovecot_passwd}"
exit 0
EOF

chmod 0755 /usr/local/etc/dovecot/create_mailuser.sh

# create admin@example.org
/usr/local/etc/dovecot/create_mailuser.sh admin@example.org
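The passdb above uses scheme=ssha512, the format doveadm pw -s SSHA512 writes: {SSHA512} followed by base64 of SHA-512(password + salt) with the salt appended. The following Python code is an added illustration, not part of Dovecot or of this HowTo; it produces and verifies such hashes and parses a passwd-file line of the form the script writes. The sample password, salt and line are constructed.

```python
import base64
import hashlib
import hmac
import os

PREFIX = "{SSHA512}"
DIGEST_LEN = hashlib.sha512().digest_size   # 64 bytes


def ssha512_hash(password, salt=None):
    """Return a Dovecot-style {SSHA512} value: base64(sha512(password + salt) + salt).

    A random 16-byte salt is generated when none is given.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")


def ssha512_verify(password, stored):
    """Check password against a stored {SSHA512} value (constant-time digest compare).

    Anything that is not a well-formed {SSHA512} string is rejected, including
    values that are too short to contain a 64-byte digest plus a salt.
    """
    if not stored.startswith(PREFIX):
        return False
    try:
        raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    except ValueError:                      # binascii.Error is a ValueError
        return False
    if len(raw) <= DIGEST_LEN:
        return False
    digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
    expected = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(digest, expected)


def parse_passwd_line(line):
    """Parse one passwd-file line as written by create_mailuser.sh.

    Fields are user:password:uid:gid:gecos:home:shell:extra; %d (domain) and
    %n (local part) in the home field are expanded from the user name.
    """
    fields = line.rstrip("\n").split(":")
    if len(fields) < 6:
        raise ValueError("expected at least user:password:uid:gid:gecos:home")
    user = fields[0]
    local, _, domain = user.partition("@")
    home = fields[5].replace("%d", domain).replace("%n", local)
    return {
        "user": user,
        "password": fields[1],
        "uid": int(fields[2]) if fields[2] else None,
        "gid": int(fields[3]) if fields[3] else None,
        "home": home,
    }


def verify_login(line, user, password):
    """Return True when user and password match the given passwd-file line."""
    entry = parse_passwd_line(line)
    return entry["user"] == user and ssha512_verify(password, entry["password"])


# Constructed sample: the entry the script would append for admin@example.org.
# Password and salt are made up here; the script generates random ones.
SAMPLE_PASSWORD = "Tr0ub4dorX12"
SAMPLE_LINE = (
    f"admin@example.org:{ssha512_hash(SAMPLE_PASSWORD, b'constructed-salt')}"
    ":5000:5000::/data/vmail/%d/%n::"
)

if __name__ == "__main__":
    print(SAMPLE_LINE)
    print("login ok:", verify_login(SAMPLE_LINE, "admin@example.org", SAMPLE_PASSWORD))
```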

Postfix

Installing Postfix

mkdir -p /var/db/ports/devel_pcre
cat > /var/db/ports/devel_pcre/options << "EOF"
_OPTIONS_READ=pcre-8.35
_FILE_COMPLETE_OPTIONS_LIST=DOCS LIBEDIT READLINE STACK_RECURSION
OPTIONS_FILE_UNSET+=DOCS
OPTIONS_FILE_SET+=LIBEDIT
OPTIONS_FILE_UNSET+=READLINE
OPTIONS_FILE_SET+=STACK_RECURSION
EOF

mkdir -p /var/db/ports/security_cyrus-sasl2
cat > /var/db/ports/security_cyrus-sasl2/options << "EOF"
_OPTIONS_READ=cyrus-sasl-2.1.26
_FILE_COMPLETE_OPTIONS_LIST=ALWAYSTRUE AUTHDAEMOND KEEP_DB_OPEN  OBSOLETE_CRAM_ATTR BDB MYSQL PGSQL SQLITE2 SQLITE3 CRAM DIGEST LOGIN NTLM OTP PLAIN SCRAM
OPTIONS_FILE_UNSET+=ALWAYSTRUE
OPTIONS_FILE_UNSET+=AUTHDAEMOND
OPTIONS_FILE_UNSET+=KEEP_DB_OPEN
OPTIONS_FILE_UNSET+=OBSOLETE_CRAM_ATTR
OPTIONS_FILE_UNSET+=BDB
OPTIONS_FILE_UNSET+=MYSQL
OPTIONS_FILE_UNSET+=PGSQL
OPTIONS_FILE_UNSET+=SQLITE2
OPTIONS_FILE_UNSET+=SQLITE3
OPTIONS_FILE_SET+=CRAM
OPTIONS_FILE_SET+=DIGEST
OPTIONS_FILE_SET+=LOGIN
OPTIONS_FILE_SET+=NTLM
OPTIONS_FILE_SET+=OTP
OPTIONS_FILE_SET+=PLAIN
OPTIONS_FILE_SET+=SCRAM
EOF

mkdir -p /var/db/ports/mail_postfix
cat > /var/db/ports/mail_postfix/options << "EOF"
_OPTIONS_READ=postfix-2.11.1
_FILE_COMPLETE_OPTIONS_LIST=BDB CDB DOCS INST_BASE LDAP_SASL LMDB MYSQL NIS OPENLDAP PCRE PGSQL SASL2 SPF SQLITE TEST TLS VDA DOVECOT DOVECOT2 SASLKRB5 SASLKMIT
OPTIONS_FILE_UNSET+=BDB
OPTIONS_FILE_SET+=CDB
OPTIONS_FILE_UNSET+=DOCS
OPTIONS_FILE_UNSET+=INST_BASE
OPTIONS_FILE_UNSET+=LDAP_SASL
OPTIONS_FILE_UNSET+=LMDB
OPTIONS_FILE_UNSET+=MYSQL
OPTIONS_FILE_UNSET+=NIS
OPTIONS_FILE_UNSET+=OPENLDAP
OPTIONS_FILE_SET+=PCRE
OPTIONS_FILE_UNSET+=PGSQL
OPTIONS_FILE_SET+=SASL2
OPTIONS_FILE_SET+=SPF
OPTIONS_FILE_UNSET+=SQLITE
OPTIONS_FILE_UNSET+=TEST
OPTIONS_FILE_SET+=TLS
OPTIONS_FILE_UNSET+=VDA
OPTIONS_FILE_UNSET+=DOVECOT
OPTIONS_FILE_SET+=DOVECOT2
OPTIONS_FILE_UNSET+=SASLKRB5
OPTIONS_FILE_UNSET+=SASLKMIT
EOF

cd /usr/ports/mail/postfix
make config-recursive all install clean-depends clean

echo 'postfix_enable="YES"' >> /etc/rc.conf

We want to enable Postfix in /etc/mail/mailer.conf.

Next we completely disable the Sendmail that is installed by default.

cat >> /etc/periodic.conf << "EOF"
daily_clean_hoststat_enable="NO"
daily_status_mail_rejects_enable="NO"
daily_status_include_submit_mailq="NO"
daily_submit_queuerun="NO"
EOF

Configuring Postfix

Set up an alias for root.

sed -e 's/^#[[:space:]]*\(root:[[:space:]]*\).*$/\1 admin@example.org/' \
    -e 's/^#[[:space:]]*\(hostmaster:[[:space:]]*.*\)$/\1/' \
    -e 's/^#[[:space:]]*\(webmaster:[[:space:]]*.*\)$/\1/' \
    -e 's/^#[[:space:]]*\(www:[[:space:]]*.*\)$/\1/' \
    -i '' /etc/mail/aliases

/usr/local/bin/newaliases

Set up main.cf.

cat > /usr/local/etc/postfix/main.cf << "EOF"
allow_percent_hack = no
biff = no
broken_sasl_auth_clients = yes
command_directory = /usr/local/sbin
config_directory = /usr/local/etc/postfix
daemon_directory = /usr/local/libexec/postfix
data_directory = /data/db/postfix
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
enable_long_queue_ids = yes
fast_flush_domains =
home_mailbox = .maildir/
html_directory = no
inet_interfaces = all
inet_protocols = all
mail_owner = postfix
mail_spool_directory = /data/vmail
mailbox_size_limit = 0
mailq_path = /usr/local/bin/mailq
manpage_directory = /usr/local/man
masquerade_domains = $mydomain
masquerade_exceptions = root, mailer-daemon
message_size_limit = 0
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = example.org
myhostname = mail.$mydomain
mynetworks_style = host
newaliases_path = /usr/local/bin/newaliases
notify_classes = data, protocol, resource, software
postscreen_access_list = permit_mynetworks
postscreen_blacklist_action = ignore
postscreen_greet_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_pipelining_enable = yes
queue_directory = /data/spool/postfix
readme_directory = no
recipient_delimiter = +
remote_header_rewrite_domain = domain.invalid
sample_directory = /usr/local/etc/postfix
sendmail_path = /usr/local/sbin/sendmail
setgid_group = maildrop
show_user_unknown_table_name = no
smtp_address_preference = ipv4
smtp_tls_CAfile = /etc/ssl/cert.pem
smtp_tls_ciphers = medium
smtp_tls_exclude_ciphers = CAMELLIA, RC4, 3DES, IDEA, SEED, PSK, SRP, DSS, eNULL, aNULL
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers = CAMELLIA, RC4, 3DES, IDEA, SEED, PSK, SRP, DSS, eNULL, aNULL
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:/data/db/postfix/smtp_scache
smtp_use_tls = yes
smtpd_client_port_logging = yes
smtpd_client_restrictions =
  sleep 1,
  reject_unknown_reverse_client_hostname,
  permit
smtpd_data_restrictions =
  reject_unauth_pipelining,
  permit
smtpd_etrn_restrictions =
  reject
smtpd_helo_required = yes
smtpd_helo_restrictions =
  reject_invalid_helo_hostname,
  reject_non_fqdn_helo_hostname,
  permit
smtpd_recipient_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_non_fqdn_recipient,
  reject_unknown_recipient_domain,
  check_recipient_mx_access cidr:/usr/local/etc/postfix/mx_access,
  check_recipient_access pcre:/usr/local/etc/postfix/recipient_checks.pcre,
  reject_rbl_client cbl.abuseat.org,
  reject_rbl_client ix.dnsbl.manitu.net,
  reject_rbl_client zen.spamhaus.org,
  permit
smtpd_relay_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  defer_unauth_destination,
  permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sender_restrictions =
  reject_non_fqdn_sender,
  reject_unknown_sender_domain,
  permit
smtpd_tls_CAfile = /data/pki/ca/component-ca-chain.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /data/pki/certs/mail.example.org.crt
smtpd_tls_ciphers = medium
smtpd_tls_dh1024_param_file = /data/pki/certs/dh_params.pem
smtpd_tls_dh512_param_file = /data/pki/certs/dh_params.pem
smtpd_tls_eecdh_grade = strong
smtpd_tls_exclude_ciphers = CAMELLIA, RC4, 3DES, IDEA, SEED, PSK, SRP, DSS, eNULL, aNULL
smtpd_tls_key_file = /data/pki/private/mail.example.org.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_exclude_ciphers = CAMELLIA, RC4, 3DES, IDEA, SEED, PSK, SRP, DSS, eNULL, aNULL
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:/data/db/postfix/smtpd_scache
smtpd_use_tls = yes
strict_rfc821_envelopes = yes
tls_daemon_random_bytes = 64
tls_high_cipherlist = EECDH+AES256 EECDH+AES128 EDH+AES256 EDH+AES128
tls_medium_cipherlist = EECDH+AES256 EECDH+AES128 EDH+AES256 EDH+AES128 EECDH EDH
tls_preempt_cipherlist = yes
tls_random_bytes = 64
tls_ssl_options = NO_COMPRESSION
unknown_local_recipient_reject_code = 450
virtual_alias_domains = hash:/usr/local/etc/postfix/virtual_alias_domains
virtual_alias_maps = hash:/usr/local/etc/postfix/virtual_alias_maps
virtual_gid_maps = static:5000
virtual_mailbox_base = /data/vmail
virtual_mailbox_domains = hash:/usr/local/etc/postfix/virtual_mailbox_domains
virtual_mailbox_limit = 0
virtual_mailbox_maps = hash:/usr/local/etc/postfix/virtual_mailbox_maps
virtual_minimum_uid = 5000
virtual_transport = dovecot
virtual_uid_maps = static:5000
EOF

Set up master.cf.

cat >> /usr/local/etc/postfix/master.cf << "EOF"
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o milter_macro_daemon_name=ORIGINATING
dovecot   unix  -       n       n       -       -       pipe
  flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/dovecot-lda -f ${sender} -a ${recipient} -d ${user}@${nexthop}
EOF

Set up /usr/local/etc/postfix/virtual_*.

cat > /usr/local/etc/postfix/virtual_alias_domains << "EOF"
EOF

cat > /usr/local/etc/postfix/virtual_alias_maps << "EOF"
root@example.org          admin@example.org
postmaster@example.org    admin@example.org
hostmaster@example.org    admin@example.org
abuse@example.org         admin@example.org
security@example.org      admin@example.org
webmaster@example.org     admin@example.org
EOF

cat > /usr/local/etc/postfix/virtual_mailbox_domains << "EOF"
example.org               OK
EOF

cat > /usr/local/etc/postfix/virtual_mailbox_maps << "EOF"
admin@example.org         example.org/admin/
EOF

postmap /usr/local/etc/postfix/virtual_alias_domains
postmap /usr/local/etc/postfix/virtual_alias_maps
postmap /usr/local/etc/postfix/virtual_mailbox_domains
postmap /usr/local/etc/postfix/virtual_mailbox_maps

Set up the transport map.

cat >> /usr/local/etc/postfix/transport << "EOF"
EOF

postmap /usr/local/etc/postfix/transport

Set up the restrictions.

cat > /usr/local/etc/postfix/recipient_checks.pcre << "EOF"
/^\@/             550 Invalid address format.
/[!%\@].*\@/      550 This server disallows weird address syntax.
/^postmaster\@/   OK
/^hostmaster\@/   OK
/^security\@/     OK
/^abuse\@/        OK
/^admin\@/        OK
EOF

cat > /usr/local/etc/postfix/mx_access << "EOF"
0.0.0.0/8            REJECT MX in RFC 6890 Broadcast Network
10.0.0.0/8           REJECT MX in RFC 6890 Private Network
100.64.0.0/10        REJECT MX in RFC 6890 Shared Address Space
127.0.0.0/8          REJECT MX in RFC 6890 Loopback Network
169.254.0.0/16       REJECT MX in RFC 6890 Link Local Network
172.16.0.0/12        REJECT MX in RFC 6890 Private Network
192.0.0.0/24         REJECT MX in RFC 6890 IETF Protocol Assignments Network
192.0.2.0/24         REJECT MX in RFC 6890 Documentation (TEST-NET-1) Network
192.88.99.0/24       REJECT MX in RFC 6890 6to4 Relay Anycast Network
192.168.0.0/16       REJECT MX in RFC 6890 Private Network
198.18.0.0/15        REJECT MX in RFC 6890 Interconnect Device Benchmark Testing Network
198.51.100.0/24      REJECT MX in RFC 6890 Documentation (TEST-NET-2) Network
203.0.113.0/24       REJECT MX in RFC 6890 Documentation (TEST-NET-3) Network
224.0.0.0/4          REJECT MX in RFC 5771 Multicast Network
240.0.0.0/4          REJECT MX in RFC 6890 Reserved Network
255.255.255.255/32   REJECT MX in RFC 6890 Limited Broadcast Destination Address
::/128               REJECT MX in RFC 6890 Unspecified Address
::1/128              REJECT MX in RFC 6890 Loopback Address
100::/64             REJECT MX in RFC 6890 Discard-Only Network
2001::/23            REJECT MX in RFC 6890 IETF Protocol Assignements Network
2001:2::/48          REJECT MX in RFC 6890 Interconnect Device Benchmark Testing Network
2001:db8::/32        REJECT MX in RFC 6890 Documentation Network
fc00::/7             REJECT MX in RFC 6890 Unique-Local Network
fe80::/10            REJECT MX in RFC 6890 Linked-Scoped Unicast Network
ff00::/8             REJECT MX in RFC 4291 Multicast Network
EOF

postmap /usr/local/etc/postfix/mx_access
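To make visible what the two tables above do inside smtpd_recipient_restrictions, the following Python code is an added example (not Postfix's own lookup code, not part of this HowTo) that replays check_recipient_mx_access against a constructed excerpt of mx_access and check_recipient_access against recipient_checks.pcre, in the order main.cf lists them. It takes the recipient domain's MX addresses as a constructed input instead of resolving DNS, skips the DNS-based restrictions, and supports only the plain pattern/result table forms used on this page.

```python
import ipaddress
import re

# Constructed excerpt of the mx_access cidr table above (same "pattern result" format).
MX_ACCESS = """\
# comment lines and blank lines are ignored
10.0.0.0/8           REJECT MX in RFC 6890 Private Network
127.0.0.0/8          REJECT MX in RFC 6890 Loopback Network
192.168.0.0/16       REJECT MX in RFC 6890 Private Network
198.51.100.0/24      REJECT MX in RFC 6890 Documentation (TEST-NET-2) Network
::1/128              REJECT MX in RFC 6890 Loopback Address
2001:db8::/32        REJECT MX in RFC 6890 Documentation Network
"""

# The recipient_checks.pcre table above.
RECIPIENT_CHECKS = r"""
/^\@/             550 Invalid address format.
/[!%\@].*\@/      550 This server disallows weird address syntax.
/^postmaster\@/   OK
/^hostmaster\@/   OK
/^security\@/     OK
/^abuse\@/        OK
/^admin\@/        OK
"""


def parse_cidr_table(text):
    """Parse a cidr: table into [(network, result)]; the first matching entry wins.

    Only the plain form used on this page is handled (no '!' negation, no IF/ENDIF).
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, result = line.split(None, 1)
        rules.append((ipaddress.ip_network(pattern, strict=False), result.strip()))
    return rules


def lookup_cidr(rules, address):
    """Result of the first network containing address, or None (v4 and v6 never mix)."""
    addr = ipaddress.ip_address(address)
    for net, result in rules:
        if addr in net:
            return result
    return None


def parse_pcre_table(text):
    """Parse a pcre: table of '/pattern/ result' lines.

    Postfix matches case-insensitively by default, so re.IGNORECASE is applied;
    per-pattern flag letters after the closing slash are not supported here.
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^/(.+?)/\s+(\S.*)$", line)
        if not m:
            raise ValueError("unparsable pcre table line: %r" % line)
        rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2).strip()))
    return rules


def lookup_pcre(rules, key):
    """Result of the first pattern matching key, or None."""
    for rx, result in rules:
        if rx.search(key):
            return result
    return None


def check_recipient(recipient, mx_addresses, cidr_rules, pcre_rules):
    """Replay the two table lookups of smtpd_recipient_restrictions in the page's order.

    check_recipient_mx_access is applied to each MX address of the recipient domain,
    then check_recipient_access to the full recipient. Returns ('reject', text) or
    ('permit', text); a missing or DUNNO result falls through to the final permit.
    """
    for mx in mx_addresses:
        result = lookup_cidr(cidr_rules, mx)
        if result and result.upper().startswith("REJECT"):
            return ("reject", result)
    result = lookup_pcre(pcre_rules, recipient)
    if result is None or result.upper() == "DUNNO":
        return ("permit", "no access entry matched; final permit")
    if result.upper() == "OK":
        return ("permit", result)
    return ("reject", result)


if __name__ == "__main__":
    cidr, pcre = parse_cidr_table(MX_ACCESS), parse_pcre_table(RECIPIENT_CHECKS)
    print(check_recipient("user@example.org", ["192.168.1.25"], cidr, pcre))
    print(check_recipient("user%other.org@example.org", ["192.0.3.7"], cidr, pcre))
```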

Final steps.

pw groupadd -n vmail -g 5000
pw useradd -n vmail -u 5000 -g vmail -c 'Virtual Mailuser' -d /nonexistent -s /usr/sbin/nologin

mkdir -p /data/vmail
chmod 0750 /data/vmail
chown vmail:vmail /data/vmail

cp -a /var/db/postfix /data/db/
cp -a /var/spool/postfix /data/spool/

Apache

Installing Apache

mkdir -p /var/db/ports/devel_apr1
cat > /var/db/ports/devel_apr1/options << "EOF"
_OPTIONS_READ=apr-1.5.1.1.5.3
_FILE_COMPLETE_OPTIONS_LIST= SSL NSS THREADS IPV6 DEVRANDOM BDB GDBM LDAP MYSQL NDBM PGSQL SQLITE FREETDS
OPTIONS_FILE_SET+=SSL
OPTIONS_FILE_UNSET+=NSS
OPTIONS_FILE_SET+=THREADS
OPTIONS_FILE_SET+=IPV6
OPTIONS_FILE_SET+=DEVRANDOM
OPTIONS_FILE_SET+=BDB
OPTIONS_FILE_SET+=GDBM
OPTIONS_FILE_UNSET+=LDAP
OPTIONS_FILE_UNSET+=MYSQL
OPTIONS_FILE_UNSET+=NDBM
OPTIONS_FILE_UNSET+=PGSQL
OPTIONS_FILE_UNSET+=SQLITE
OPTIONS_FILE_UNSET+=FREETDS
EOF

mkdir -p /var/db/ports/www_apache24
cat > /var/db/ports/www_apache24/options << "EOF"
_OPTIONS_READ=apache24-2.4.10
_FILE_COMPLETE_OPTIONS_LIST=ACCESS_COMPAT ACTIONS ALIAS ALLOWMETHODS ASIS  AUTHN_ANON AUTHN_CORE AUTHN_DBD AUTHN_DBM AUTHN_FILE AUTHN_SOCACHE  AUTHZ_CORE AUTHZ_DBD AUTHZ_DBM AUTHZ_GROUPFILE AUTHZ_HOST  AUTHZ_OWNER AUTHZ_USER  AUTH_BASIC AUTH_DIGEST AUTH_FORM AUTOINDEX  BUFFER  CACHE CACHE_DISK CACHE_SOCACHE CERN_META CGI CGID  DAV DAV_FS DBD DEFLATE DIR DUMPIO  ENV EXPIRES EXT_FILTER  FILE_CACHE FILTER  HEADERS  IMAGEMAP INCLUDE INFO  LBMETHOD_BYBUSYNESS LBMETHOD_BYREQUESTS LBMETHOD_BYTRAFFIC  LOGIO LOG_DEBUG  MACRO MIME MIME_MAGIC  NEGOTIATION  RATELIMIT REMOTEIP REQTIMEOUT REQUEST REWRITE  SED SETENVIF SOCACHE_DBM SOCACHE_MEMCACHE SOCACHE_SHMCB SPELING  SSL STATUS SUBSTITUTE  UNIQUE_ID USERDIR  VERSION VHOST_ALIAS    AUTHNZ_LDAP AUTHNZ_FCGI LDAP CHARSET_LITE DATA DAV_LOCK DIALUP IDENT LOG_FORENSIC  LUA REFLECTOR SLOTMEM_PLAIN SLOTMEM_SHM SOCACHE_DC SUEXEC USERTRACK  XML2ENC WATCHDOG HEARTBEAT HEARTMONITOR LBMETHOD_HEARTBEAT CASE_FILTER CASE_FILTER_IN ECHO EXAMPLE_HOOKS EXAMPLE_IPC  OPTIONAL_FN_EXPORT OPTIONAL_FN_IMPORT OPTIONAL_HOOK_EXPORT  OPTIONAL_HOOK_IMPORT BUCKETEER LUAJIT IPV4_MAPPED     PROXY SESSION MPM_PREFORK MPM_WORKER MPM_EVENT MPM_SHARED PROXY_AJP PROXY_BALANCER PROXY_CONNECT PROXY_EXPRESS PROXY_FCGI  PROXY_FTP PROXY_HTTP PROXY_SCGI PROXY_WSTUNNEL PROXY_FDPASS PROXY_HTML SESSION_COOKIE SESSION_CRYPTO SESSION_DBD
OPTIONS_FILE_SET+=ACCESS_COMPAT
OPTIONS_FILE_SET+=ACTIONS
OPTIONS_FILE_SET+=ALIAS
OPTIONS_FILE_SET+=ALLOWMETHODS
OPTIONS_FILE_SET+=ASIS
OPTIONS_FILE_SET+=AUTHN_ANON
OPTIONS_FILE_SET+=AUTHN_CORE
OPTIONS_FILE_SET+=AUTHN_DBD
OPTIONS_FILE_SET+=AUTHN_DBM
OPTIONS_FILE_SET+=AUTHN_FILE
OPTIONS_FILE_SET+=AUTHN_SOCACHE
OPTIONS_FILE_SET+=AUTHZ_CORE
OPTIONS_FILE_SET+=AUTHZ_DBD
OPTIONS_FILE_SET+=AUTHZ_DBM
OPTIONS_FILE_SET+=AUTHZ_GROUPFILE
OPTIONS_FILE_SET+=AUTHZ_HOST
OPTIONS_FILE_SET+=AUTHZ_OWNER
OPTIONS_FILE_SET+=AUTHZ_USER
OPTIONS_FILE_SET+=AUTH_BASIC
OPTIONS_FILE_SET+=AUTH_DIGEST
OPTIONS_FILE_SET+=AUTH_FORM
OPTIONS_FILE_SET+=AUTOINDEX
OPTIONS_FILE_SET+=BUFFER
OPTIONS_FILE_SET+=CACHE
OPTIONS_FILE_SET+=CACHE_DISK
OPTIONS_FILE_SET+=CACHE_SOCACHE
OPTIONS_FILE_SET+=CERN_META
OPTIONS_FILE_SET+=CGI
OPTIONS_FILE_SET+=CGID
OPTIONS_FILE_SET+=DAV
OPTIONS_FILE_SET+=DAV_FS
OPTIONS_FILE_SET+=DBD
OPTIONS_FILE_SET+=DEFLATE
OPTIONS_FILE_SET+=DIR
OPTIONS_FILE_SET+=DUMPIO
OPTIONS_FILE_SET+=ENV
OPTIONS_FILE_SET+=EXPIRES
OPTIONS_FILE_SET+=EXT_FILTER
OPTIONS_FILE_SET+=FILE_CACHE
OPTIONS_FILE_SET+=FILTER
OPTIONS_FILE_SET+=HEADERS
OPTIONS_FILE_SET+=IMAGEMAP
OPTIONS_FILE_SET+=INCLUDE
OPTIONS_FILE_SET+=INFO
OPTIONS_FILE_SET+=LBMETHOD_BYBUSYNESS
OPTIONS_FILE_SET+=LBMETHOD_BYREQUESTS
OPTIONS_FILE_SET+=LBMETHOD_BYTRAFFIC
OPTIONS_FILE_SET+=LOGIO
OPTIONS_FILE_SET+=LOG_DEBUG
OPTIONS_FILE_SET+=MACRO
OPTIONS_FILE_SET+=MIME
OPTIONS_FILE_SET+=MIME_MAGIC
OPTIONS_FILE_SET+=NEGOTIATION
OPTIONS_FILE_SET+=RATELIMIT
OPTIONS_FILE_SET+=REMOTEIP
OPTIONS_FILE_SET+=REQTIMEOUT
OPTIONS_FILE_SET+=REQUEST
OPTIONS_FILE_SET+=REWRITE
OPTIONS_FILE_SET+=SED
OPTIONS_FILE_SET+=SETENVIF
OPTIONS_FILE_SET+=SOCACHE_DBM
OPTIONS_FILE_SET+=SOCACHE_MEMCACHE
OPTIONS_FILE_SET+=SOCACHE_SHMCB
OPTIONS_FILE_SET+=SPELING
OPTIONS_FILE_SET+=SSL
OPTIONS_FILE_SET+=STATUS
OPTIONS_FILE_SET+=SUBSTITUTE
OPTIONS_FILE_SET+=UNIQUE_ID
OPTIONS_FILE_SET+=USERDIR
OPTIONS_FILE_SET+=VERSION
OPTIONS_FILE_SET+=VHOST_ALIAS
OPTIONS_FILE_UNSET+=AUTHNZ_LDAP
OPTIONS_FILE_UNSET+=AUTHNZ_FCGI
OPTIONS_FILE_UNSET+=LDAP
OPTIONS_FILE_UNSET+=CHARSET_LITE
OPTIONS_FILE_SET+=DATA
OPTIONS_FILE_SET+=DAV_LOCK
OPTIONS_FILE_UNSET+=DIALUP
OPTIONS_FILE_UNSET+=IDENT
OPTIONS_FILE_UNSET+=LOG_FORENSIC
OPTIONS_FILE_UNSET+=LUA
OPTIONS_FILE_SET+=REFLECTOR
OPTIONS_FILE_SET+=SLOTMEM_PLAIN
OPTIONS_FILE_SET+=SLOTMEM_SHM
OPTIONS_FILE_UNSET+=SOCACHE_DC
OPTIONS_FILE_UNSET+=SUEXEC
OPTIONS_FILE_SET+=USERTRACK
OPTIONS_FILE_SET+=XML2ENC
OPTIONS_FILE_UNSET+=WATCHDOG
OPTIONS_FILE_UNSET+=HEARTBEAT
OPTIONS_FILE_UNSET+=HEARTMONITOR
OPTIONS_FILE_UNSET+=LBMETHOD_HEARTBEAT
OPTIONS_FILE_UNSET+=CASE_FILTER
OPTIONS_FILE_UNSET+=CASE_FILTER_IN
OPTIONS_FILE_UNSET+=ECHO
OPTIONS_FILE_UNSET+=EXAMPLE_HOOKS
OPTIONS_FILE_UNSET+=EXAMPLE_IPC
OPTIONS_FILE_UNSET+=OPTIONAL_FN_EXPORT
OPTIONS_FILE_UNSET+=OPTIONAL_FN_IMPORT
OPTIONS_FILE_UNSET+=OPTIONAL_HOOK_EXPORT
OPTIONS_FILE_UNSET+=OPTIONAL_HOOK_IMPORT
OPTIONS_FILE_UNSET+=BUCKETEER
OPTIONS_FILE_SET+=LUAJIT
OPTIONS_FILE_UNSET+=IPV4_MAPPED
OPTIONS_FILE_SET+=PROXY
OPTIONS_FILE_SET+=SESSION
OPTIONS_FILE_SET+=MPM_PREFORK
OPTIONS_FILE_UNSET+=MPM_WORKER
OPTIONS_FILE_UNSET+=MPM_EVENT
OPTIONS_FILE_SET+=MPM_SHARED
OPTIONS_FILE_SET+=PROXY_AJP
OPTIONS_FILE_SET+=PROXY_BALANCER
OPTIONS_FILE_SET+=PROXY_CONNECT
OPTIONS_FILE_SET+=PROXY_EXPRESS
OPTIONS_FILE_SET+=PROXY_FCGI
OPTIONS_FILE_SET+=PROXY_FTP
OPTIONS_FILE_SET+=PROXY_HTTP
OPTIONS_FILE_SET+=PROXY_SCGI
OPTIONS_FILE_SET+=PROXY_WSTUNNEL
OPTIONS_FILE_UNSET+=PROXY_FDPASS
OPTIONS_FILE_SET+=PROXY_HTML
OPTIONS_FILE_SET+=SESSION_COOKIE
OPTIONS_FILE_SET+=SESSION_CRYPTO
OPTIONS_FILE_UNSET+=SESSION_DBD
EOF

cd /usr/ports/www/apache24
make config-recursive all install clean-depends clean

echo 'apache24_enable="YES"' >> /etc/rc.conf
echo 'apache24_http_accept_enable="YES"' >> /etc/rc.conf

echo '/var/log/httpd-*.log                    644  24    *    $M1D0 JCG   /var/run/httpd.pid' >> /etc/newsyslog.conf
echo '/data/www/vhosts/*/logs/*_log           644  24    *    $M1D0 JCG   /var/run/httpd.pid' >> /etc/newsyslog.conf

Configuring Apache

Create the directories for the first VirtualHosts.

mkdir -p /data/www/vhosts/_default_/logs
mkdir -p /data/www/vhosts/_default_/data
chmod 0750 /data/www/vhosts/_default_/data
chown www:www /data/www/vhosts/_default_/data

mkdir -p /data/www/vhosts/pki.example.org/logs
mkdir -p /data/www/vhosts/pki.example.org/data
chmod 0750 /data/www/vhosts/pki.example.org/data
chown www:www /data/www/vhosts/pki.example.org/data

mkdir -p /data/www/vhosts/www.example.org/logs
mkdir -p /data/www/vhosts/www.example.org/data
chmod 0750 /data/www/vhosts/www.example.org/data
chown www:www /data/www/vhosts/www.example.org/data

mkdir -p /data/www/vhosts/mail.example.org/logs
mkdir -p /data/www/vhosts/mail.example.org/data
chmod 0750 /data/www/vhosts/mail.example.org/data
chown www:www /data/www/vhosts/mail.example.org/data

The following configuration uses the path /data/www/vhosts/_default_ for the default host and /data/www/vhosts/sub.domain.tld for the regular virtual hosts.

Set up httpd.conf.

cp -a /usr/local/etc/apache24/httpd.conf /usr/local/etc/apache24/httpd.conf.orig

cat > /usr/local/etc/apache24/httpd.conf << "EOF"
ServerRoot "/usr/local"
PidFile "/var/run/httpd.pid"
LoadModule mpm_prefork_module libexec/apache24/mod_mpm_prefork.so
#LoadModule mpm_worker_module libexec/apache24/mod_mpm_worker.so
#LoadModule mpm_event_module libexec/apache24/mod_mpm_event.so
LoadModule unixd_module libexec/apache24/mod_unixd.so
LoadModule authn_file_module libexec/apache24/mod_authn_file.so
#LoadModule authn_dbm_module libexec/apache24/mod_authn_dbm.so
#LoadModule authn_anon_module libexec/apache24/mod_authn_anon.so
#LoadModule authn_dbd_module libexec/apache24/mod_authn_dbd.so
#LoadModule authn_socache_module libexec/apache24/mod_authn_socache.so
LoadModule authn_core_module libexec/apache24/mod_authn_core.so
LoadModule authz_host_module libexec/apache24/mod_authz_host.so
LoadModule authz_groupfile_module libexec/apache24/mod_authz_groupfile.so
LoadModule authz_user_module libexec/apache24/mod_authz_user.so
#LoadModule authz_dbm_module libexec/apache24/mod_authz_dbm.so
#LoadModule authz_owner_module libexec/apache24/mod_authz_owner.so
#LoadModule authz_dbd_module libexec/apache24/mod_authz_dbd.so
LoadModule authz_core_module libexec/apache24/mod_authz_core.so
LoadModule access_compat_module libexec/apache24/mod_access_compat.so
LoadModule auth_basic_module libexec/apache24/mod_auth_basic.so
#LoadModule auth_form_module libexec/apache24/mod_auth_form.so
LoadModule auth_digest_module libexec/apache24/mod_auth_digest.so
LoadModule allowmethods_module libexec/apache24/mod_allowmethods.so
#LoadModule file_cache_module libexec/apache24/mod_file_cache.so
#LoadModule cache_module libexec/apache24/mod_cache.so
#LoadModule cache_disk_module libexec/apache24/mod_cache_disk.so
#LoadModule cache_socache_module libexec/apache24/mod_cache_socache.so
LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so
#LoadModule socache_dbm_module libexec/apache24/mod_socache_dbm.so
#LoadModule socache_memcache_module libexec/apache24/mod_socache_memcache.so
#LoadModule macro_module libexec/apache24/mod_macro.so
#LoadModule dbd_module libexec/apache24/mod_dbd.so
#LoadModule dumpio_module libexec/apache24/mod_dumpio.so
#LoadModule buffer_module libexec/apache24/mod_buffer.so
#LoadModule data_module libexec/apache24/mod_data.so
#LoadModule ratelimit_module libexec/apache24/mod_ratelimit.so
LoadModule reqtimeout_module libexec/apache24/mod_reqtimeout.so
#LoadModule ext_filter_module libexec/apache24/mod_ext_filter.so
#LoadModule request_module libexec/apache24/mod_request.so
#LoadModule include_module libexec/apache24/mod_include.so
LoadModule filter_module libexec/apache24/mod_filter.so
#LoadModule reflector_module libexec/apache24/mod_reflector.so
#LoadModule substitute_module libexec/apache24/mod_substitute.so
#LoadModule sed_module libexec/apache24/mod_sed.so
LoadModule deflate_module libexec/apache24/mod_deflate.so
#LoadModule xml2enc_module libexec/apache24/mod_xml2enc.so
#LoadModule proxy_html_module libexec/apache24/mod_proxy_html.so
LoadModule mime_module libexec/apache24/mod_mime.so
LoadModule log_config_module libexec/apache24/mod_log_config.so
#LoadModule log_debug_module libexec/apache24/mod_log_debug.so
#LoadModule logio_module libexec/apache24/mod_logio.so
#LoadModule env_module libexec/apache24/mod_env.so
#LoadModule mime_magic_module libexec/apache24/mod_mime_magic.so
#LoadModule cern_meta_module libexec/apache24/mod_cern_meta.so
LoadModule expires_module libexec/apache24/mod_expires.so
LoadModule headers_module libexec/apache24/mod_headers.so
#LoadModule usertrack_module libexec/apache24/mod_usertrack.so
LoadModule unique_id_module libexec/apache24/mod_unique_id.so
LoadModule setenvif_module libexec/apache24/mod_setenvif.so
LoadModule version_module libexec/apache24/mod_version.so
#LoadModule remoteip_module libexec/apache24/mod_remoteip.so
#LoadModule proxy_module libexec/apache24/mod_proxy.so
#LoadModule proxy_connect_module libexec/apache24/mod_proxy_connect.so
#LoadModule proxy_ftp_module libexec/apache24/mod_proxy_ftp.so
#LoadModule proxy_http_module libexec/apache24/mod_proxy_http.so
#LoadModule proxy_fcgi_module libexec/apache24/mod_proxy_fcgi.so
#LoadModule proxy_scgi_module libexec/apache24/mod_proxy_scgi.so
#LoadModule proxy_wstunnel_module libexec/apache24/mod_proxy_wstunnel.so
#LoadModule proxy_ajp_module libexec/apache24/mod_proxy_ajp.so
#LoadModule proxy_balancer_module libexec/apache24/mod_proxy_balancer.so
#LoadModule proxy_express_module libexec/apache24/mod_proxy_express.so
#LoadModule session_module libexec/apache24/mod_session.so
#LoadModule session_cookie_module libexec/apache24/mod_session_cookie.so
#LoadModule session_crypto_module libexec/apache24/mod_session_crypto.so
#LoadModule slotmem_shm_module libexec/apache24/mod_slotmem_shm.so
#LoadModule slotmem_plain_module libexec/apache24/mod_slotmem_plain.so
LoadModule ssl_module libexec/apache24/mod_ssl.so
#LoadModule lbmethod_byrequests_module libexec/apache24/mod_lbmethod_byrequests.so
#LoadModule lbmethod_bytraffic_module libexec/apache24/mod_lbmethod_bytraffic.so
#LoadModule lbmethod_bybusyness_module libexec/apache24/mod_lbmethod_bybusyness.so
#LoadModule dav_module libexec/apache24/mod_dav.so
LoadModule status_module libexec/apache24/mod_status.so
#LoadModule autoindex_module libexec/apache24/mod_autoindex.so
#LoadModule asis_module libexec/apache24/mod_asis.so
#LoadModule info_module libexec/apache24/mod_info.so
#LoadModule cgid_module libexec/apache24/mod_cgid.so
LoadModule cgi_module libexec/apache24/mod_cgi.so
#LoadModule dav_fs_module libexec/apache24/mod_dav_fs.so
#LoadModule dav_lock_module libexec/apache24/mod_dav_lock.so
#LoadModule vhost_alias_module libexec/apache24/mod_vhost_alias.so
LoadModule negotiation_module libexec/apache24/mod_negotiation.so
LoadModule dir_module libexec/apache24/mod_dir.so
#LoadModule imagemap_module libexec/apache24/mod_imagemap.so
#LoadModule actions_module libexec/apache24/mod_actions.so
#LoadModule speling_module libexec/apache24/mod_speling.so
#LoadModule userdir_module libexec/apache24/mod_userdir.so
LoadModule alias_module libexec/apache24/mod_alias.so
LoadModule rewrite_module libexec/apache24/mod_rewrite.so
<IfModule mpm_prefork_module>
    StartServers             16
    MinSpareServers          16
    MaxSpareServers          16
    MaxRequestWorkers       256
    MaxConnectionsPerChild 5000
</IfModule>
<IfModule mpm_worker_module>
    StartServers              5
    MinSpareThreads          75
    MaxSpareThreads         250
    ThreadsPerChild          25
    MaxRequestWorkers      1000
    MaxConnectionsPerChild 5000
</IfModule>
<IfModule mpm_event_module>
    StartServers              5
    MinSpareThreads          75
    MaxSpareThreads         250
    ThreadsPerChild          25
    MaxRequestWorkers      1000
    MaxConnectionsPerChild 5000
</IfModule>
<IfModule unixd_module>
    User www
    Group www
</IfModule>
<IfDefine NOHTTPACCEPT>
    AcceptFilter http none
    AcceptFilter https none
</IfDefine>
<IfModule log_config_module>
    <IfModule logio_module>
        LogFormat "%v %a %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
        CustomLog "/var/log/httpd-access_io.log" combinedio
    </IfModule>
    LogFormat "%v %a %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%v %a %h %l %u %t \"%r\" %>s %b" common
    CustomLog "/var/log/httpd-access.log" combined
</IfModule>
ErrorLog "/var/log/httpd-error.log"
LogLevel notice
Listen 80
<IfModule ssl_module>
    Listen 443
</IfModule>
Timeout 60
KeepAlive On
KeepAliveTimeout 2
MaxKeepAliveRequests 100
UseCanonicalName On
HostnameLookups On
ServerTokens OS
ServerSignature Off
AccessFileName .htaccess
AllowEncodedSlashes NoDecode
AddDefaultCharset UTF-8
<Directory "/">
    AllowMethods GET POST OPTIONS
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>
<FilesMatch "^[\._]">
    Require all denied
</FilesMatch>
<IfModule reqtimeout_module>
    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>
FileETag None
<IfModule headers_module>
    Header always unset ETag
</IfModule>
<IfModule dir_module>
    DirectoryIndex index.html index.htm
</IfModule>
<IfModule cgi_module>
    <FilesMatch "\.(cgi|pl|py)$">
        SetHandler cgi-script
    </FilesMatch>
</IfModule>
<IfModule cgid_module>
    <FilesMatch "\.(cgi|pl|py)$">
        SetHandler cgi-script
    </FilesMatch>
    Scriptsock "/var/run/cgisock"
</IfModule>
<IfModule php5_module>
    <FilesMatch "\.(php|phps|php5|phtml)$">
        SetHandler php5-script
    </FilesMatch>
    DirectoryIndex index.php
</IfModule>
<IfModule include_module>
    AddOutputFilter INCLUDES .shtml
</IfModule>
<IfModule mime_module>
    TypesConfig "etc/apache24/mime.types"
    AddType application/pkcs8                .p8  .key
    AddType application/pkcs10               .p10 .csr
    AddType application/pkix-cert            .cer
    AddType application/pkix-crl             .crl
    AddType application/pkcs7-mime           .p7c
    AddType application/x-x509-ca-cert       .crt .der
    AddType application/x-x509-user-cert     .crt
    AddType application/x-pkcs7-crl          .crl
    AddType application/x-pem-file           .pem
    AddType application/x-pkcs12             .p12 .pfx
    AddType application/x-pkcs7-certificates .p7b .spc
    AddType application/x-pkcs7-certreqresp  .p7r
    AddEncoding gzip                       .svgz
    AddType application/x-httpd-php-source .phps
    AddType application/x-httpd-php        .php
    AddType application/x-gzip             .gz .tgz
    AddType application/x-compress         .Z
    AddType application/javascript         .js
    AddType application/json               .json
    AddType audio/ogg                      .oga .ogg
    AddType video/ogg                      .ogv
    AddType video/mp4                      .mp4
    AddType video/webm                     .webm
    AddType image/svg+xml                  .svg .svgz
    AddType application/vnd.ms-fontobject  .eot
    AddType font/truetype                  .ttf
    AddType font/opentype                  .otf
    AddType application/x-font-woff        .woff
    AddType image/x-icon                   .ico
    AddType image/webp                     .webp
    AddType text/cache-manifest            .appcache .manifest
    AddType text/x-component               .htc
    AddType application/x-chrome-extension .crx
    AddType application/x-xpinstall        .xpi
    AddType application/octet-stream       .safariextz
    AddType text/html                      .shtml
    <FilesMatch "favicon\.ico$">
        AddType image/vnd.microsoft.icon .ico
    </FilesMatch>
    AddHandler type-map var
    <IfModule negotiation_module>
        AddLanguage ca .ca
        AddLanguage cs .cz .cs
        AddLanguage da .dk
        AddLanguage de .de
        AddLanguage el .el
        AddLanguage en .en
        AddLanguage eo .eo
        AddLanguage es .es
        AddLanguage et .et
        AddLanguage fr .fr
        AddLanguage he .he
        AddLanguage hr .hr
        AddLanguage it .it
        AddLanguage ja .ja
        AddLanguage ko .ko
        AddLanguage ltz .ltz
        AddLanguage nl .nl
        AddLanguage nn .nn
        AddLanguage no .no
        AddLanguage pl .po
        AddLanguage pt .pt
        AddLanguage pt-BR .pt-br
        AddLanguage ru .ru
        AddLanguage sv .sv
        AddLanguage tr .tr
        AddLanguage zh-CN .zh-cn
        AddLanguage zh-TW .zh-tw
        LanguagePriority de en ca cs da el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv tr zh-CN zh-TW
        ForceLanguagePriority Prefer Fallback
        AddCharset us-ascii .ascii .us-ascii
        AddCharset ISO-8859-1  .iso8859-1  .latin1
        AddCharset ISO-8859-2  .iso8859-2  .latin2 .cen
        AddCharset ISO-8859-3  .iso8859-3  .latin3
        AddCharset ISO-8859-4  .iso8859-4  .latin4
        AddCharset ISO-8859-5  .iso8859-5  .cyr .iso-ru
        AddCharset ISO-8859-6  .iso8859-6  .arb .arabic
        AddCharset ISO-8859-7  .iso8859-7  .grk .greek
        AddCharset ISO-8859-8  .iso8859-8  .heb .hebrew
        AddCharset ISO-8859-9  .iso8859-9  .latin5 .trk
        AddCharset ISO-8859-10  .iso8859-10  .latin6
        AddCharset ISO-8859-13  .iso8859-13
        AddCharset ISO-8859-14  .iso8859-14  .latin8
        AddCharset ISO-8859-15  .iso8859-15  .latin9
        AddCharset ISO-8859-16  .iso8859-16  .latin10
        AddCharset ISO-2022-JP .iso2022-jp .jis
        AddCharset ISO-2022-KR .iso2022-kr .kis
        AddCharset ISO-2022-CN .iso2022-cn .cis
        AddCharset Big5 .Big5 .big5 .b5
        AddCharset cn-Big5 .cn-big5
        AddCharset WINDOWS-1251 .cp-1251   .win-1251
        AddCharset CP866   .cp866
        AddCharset KOI8  .koi8
        AddCharset KOI8-E  .koi8-e
        AddCharset KOI8-r  .koi8-r .koi8-ru
        AddCharset KOI8-U  .koi8-u
        AddCharset KOI8-ru .koi8-uk .ua
        AddCharset ISO-10646-UCS-2 .ucs2
        AddCharset ISO-10646-UCS-4 .ucs4
        AddCharset UTF-7   .utf7
        AddCharset UTF-8   .utf8
        AddCharset UTF-16  .utf16
        AddCharset UTF-16BE .utf16be
        AddCharset UTF-16LE .utf16le
        AddCharset UTF-32  .utf32
        AddCharset UTF-32BE .utf32be
        AddCharset UTF-32LE .utf32le
        AddCharset euc-cn  .euc-cn
        AddCharset euc-gb  .euc-gb
        AddCharset euc-jp  .euc-jp
        AddCharset euc-kr  .euc-kr
        AddCharset EUC-TW  .euc-tw
        AddCharset gb2312  .gb2312 .gb
        AddCharset iso-10646-ucs-2 .ucs-2 .iso-10646-ucs-2
        AddCharset iso-10646-ucs-4 .ucs-4 .iso-10646-ucs-4
        AddCharset shift_jis   .shift_jis .sjis
        AddCharset UTF-8 .css .js .xml .json .atom .rss
    </IfModule>
</IfModule>
<IfModule mime_magic_module>
    MIMEMagicFile "etc/apache24/magic"
</IfModule>
<IfModule autoindex_module>
    <IfModule alias_module>
        Alias /icons/ "/usr/local/www/apache24/icons/"
        <Directory "/usr/local/www/apache24/icons">
            Options MultiViews
            AllowOverride None
            Require all granted
        </Directory>
        IndexOrderDefault Ascending Name
        IndexOptions FancyIndexing VersionSort FoldersFirst IgnoreCase IgnoreClient NameWidth=* SuppressDescription XHTML
        IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t .svn *.bak *.orig
        AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
        AddIconByType (TXT,/icons/text.gif) text/*
        AddIconByType (IMG,/icons/image2.gif) image/*
        AddIconByType (SND,/icons/sound2.gif) audio/*
        AddIconByType (VID,/icons/movie.gif) video/*
        AddIcon /icons/binary.gif .bin .exe
        AddIcon /icons/binhex.gif .hqx
        AddIcon /icons/tar.gif .tar
        AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
        AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
        AddIcon /icons/a.gif .ps .ai .eps
        AddIcon /icons/layout.gif .html .shtml .htm .pdf
        AddIcon /icons/text.gif .txt
        AddIcon /icons/c.gif .c
        AddIcon /icons/p.gif .pl .py
        AddIcon /icons/f.gif .for
        AddIcon /icons/dvi.gif .dvi
        AddIcon /icons/uuencoded.gif .uu
        AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
        AddIcon /icons/tex.gif .tex
        AddIcon /icons/bomb.gif core
        AddIcon /icons/back.gif ..
        AddIcon /icons/hand.right.gif README
        AddIcon /icons/folder.gif ^^DIRECTORY^^
        AddIcon /icons/blank.gif ^^BLANKICON^^
        DefaultIcon /icons/unknown.gif
        ReadmeName README.html
        HeaderName HEADER.html
    </IfModule>
</IfModule>
<IfModule expires_module>
    ExpiresActive on
    ExpiresDefault                          "access plus 1 month"
    ExpiresByType text/cache-manifest       "access plus 0 seconds"
    ExpiresByType text/html                 "access plus 0 seconds"
    ExpiresByType text/xml                  "access plus 0 seconds"
    ExpiresByType application/xml           "access plus 0 seconds"
    ExpiresByType application/json          "access plus 0 seconds"
    ExpiresByType application/rss+xml       "access plus 1 hour"
    ExpiresByType application/atom+xml      "access plus 1 hour"
    ExpiresByType image/x-icon              "access plus 1 week"
    ExpiresByType image/gif                 "access plus 1 month"
    ExpiresByType image/png                 "access plus 1 month"
    ExpiresByType image/jpg                 "access plus 1 month"
    ExpiresByType image/jpeg                "access plus 1 month"
    ExpiresByType video/ogg                 "access plus 1 month"
    ExpiresByType audio/ogg                 "access plus 1 month"
    ExpiresByType video/mp4                 "access plus 1 month"
    ExpiresByType video/webm                "access plus 1 month"
    ExpiresByType text/x-component          "access plus 1 month"
    ExpiresByType application/x-font-ttf    "access plus 1 month"
    ExpiresByType font/opentype             "access plus 1 month"
    ExpiresByType application/x-font-woff   "access plus 1 month"
    ExpiresByType image/svg+xml             "access plus 1 month"
    ExpiresByType application/vnd.ms-fontobject "access plus 1 month"
    ExpiresByType image/vnd.microsoft.icon  "access plus 2 months"
    ExpiresByType text/css                  "access plus 2 months"
    ExpiresByType application/javascript    "access plus 2 months"
    <FilesMatch "\.(php|phps|php5|phtml|cgi|pl|py|shtml)$">
        ExpiresActive Off
    </FilesMatch>
</IfModule>
<IfModule headers_module>
    <IfModule setenvif_module>
        BrowserMatch ".*MSIE [1-9]\..*" ie
        Header set X-UA-Compatible "IE=Edge,chrome=1" env=ie
        <FilesMatch "\.(js|css|gif|png|jpe?g|pdf|xml|oga|ogg|m4a|ogv|mp4|m4v|webm|svg|svgz|eot|ttf|otf|woff|ico|webp|appcache|manifest|htc|crx|oex|xpi|safariextz|vcf)$">
            Header unset X-UA-Compatible
        </FilesMatch>
    </IfModule>
</IfModule>
<IfModule deflate_module>
    <IfModule setenvif_module>
        <IfModule headers_module>
            SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
            RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
        </IfModule>
    </IfModule>
    AddOutputFilterByType DEFLATE text/html text/plain text/css application/json
    AddOutputFilterByType DEFLATE application/javascript
    AddOutputFilterByType DEFLATE text/xml application/xml text/x-component
    AddOutputFilterByType DEFLATE application/xhtml+xml application/rss+xml application/atom+xml
    AddOutputFilterByType DEFLATE image/x-icon image/svg+xml application/vnd.ms-fontobject application/x-font-ttf font/opentype
    <FilesMatch "\.(woff|ttf|otf|eot|svg)$">
        SetOutputFilter DEFLATE
    </FilesMatch>
</IfModule>
<IfModule userdir_module>
    UserDir disabled
    UserDir enabled user1 user2 user3
    UserDir "/home/*/public_html"
    <Directory "/home/*/public_html">
        Options SymLinksIfOwnerMatch
        AllowOverride None
        Require all granted
    </Directory>
</IfModule>
<IfModule authz_core_module>
    <IfModule authz_host_module>
        # "Require host" relies on a forward-confirmed reverse DNS lookup of the client;
        # prefer "Require ip" with your own management networks wherever possible.
        <IfModule info_module>
            <Location /server-info>
                SetHandler server-info
                <RequireAny>
                    Require host .example.org
                    Require ip 127
                </RequireAny>
            </Location>
        </IfModule>
        <IfModule status_module>
            <Location /server-status>
                SetHandler server-status
                <RequireAny>
                    Require host .example.org
                    Require ip 127
                </RequireAny>
            </Location>
        </IfModule>
    </IfModule>
</IfModule>
Include "etc/apache24/vhosts.conf"
<IfModule ssl_module>
    SSLRandomSeed startup file:/dev/urandom 512
    SSLRandomSeed connect file:/dev/urandom 512
    SSLPassPhraseDialog builtin
    <IfModule socache_shmcb_module>
        SSLSessionCache "shmcb:/var/run/ssl_scache(512000)"
    </IfModule>
    <IfModule !socache_shmcb_module>
        <IfModule socache_dbm_module>
            SSLSessionCache "dbm:/var/run/ssl_scache"
        </IfModule>
        <IfModule !socache_dbm_module>
            SSLSessionCache "nonenotnull"
        </IfModule>
    </IfModule>
    SSLSessionCacheTimeout 300
    SSLCompression Off
    SSLHonorCipherOrder On
    SSLStrictSNIVHostCheck On
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); narrow this to "-ALL +TLSv1.2"
    # as soon as no client you have to support still needs the older versions.
    SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2
    SSLCipherSuite "EECDH+AES256 EECDH+AES128 EDH+AES256 EDH+AES128 !CAMELLIA !RC4 !3DES !IDEA !SEED !PSK !SRP !DSS !eNULL !aNULL !LOW !EXP"
###
### OCSP currently unused
###
#    SSLOCSPEnable On
#    SSLOCSPDefaultResponder "http://pki.example.org/ocsp"
#    <IfModule socache_shmcb_module>
#        SSLUseStapling On
#        SSLStaplingResponderTimeout 5
#        SSLStaplingReturnResponderErrors Off
#        SSLStaplingCache "shmcb:/var/run/stapling_cache(128000)"
#    </IfModule>
#    <IfModule !socache_shmcb_module>
#        <IfModule socache_dbm_module>
#            SSLUseStapling On
#            SSLStaplingResponderTimeout 5
#            SSLStaplingReturnResponderErrors Off
#            SSLStaplingCache "dbm:/var/run/stapling_cache"
#        </IfModule>
#    </IfModule>
###
    <FilesMatch "\.(php|phps|php5|phtml|cgi|pl|py|shtml)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
    CustomLog "/var/log/httpd-ssl_request.log" "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    Include "etc/apache24/vhosts-ssl.conf"
</IfModule>
"EOF"

cat > /usr/local/etc/apache24/vhosts.conf << "EOF"
<VirtualHost _default_:80>
    ServerName srv.example.org
    ServerAdmin webmaster@example.org
    CustomLog "/data/www/vhosts/_default_/logs/access_log" combined
    ErrorLog "/data/www/vhosts/_default_/logs/error_log"
    DocumentRoot "/data/www/vhosts/_default_/data"
    <Directory "/data/www/vhosts/_default_/data">
        Options FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName mail.example.org
    ServerAdmin webmaster@example.org
    CustomLog "/data/www/vhosts/mail.example.org/logs/access_log" combined
    ErrorLog "/data/www/vhosts/mail.example.org/logs/error_log"
    DocumentRoot "/data/www/vhosts/mail.example.org/data"
    <Directory "/data/www/vhosts/mail.example.org/data">
        Options FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
    Redirect 301 / https://mail.example.org/
</VirtualHost>

<VirtualHost *:80>
    ServerName pki.example.org
    ServerAdmin webmaster@example.org
    CustomLog "/data/www/vhosts/pki.example.org/logs/access_log" combined
    ErrorLog "/data/www/vhosts/pki.example.org/logs/error_log"
    DocumentRoot "/data/www/vhosts/pki.example.org/data"
    <Directory "/data/www/vhosts/pki.example.org/data">
        Options FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName www.example.org
    ServerAdmin webmaster@example.org
    CustomLog "/data/www/vhosts/www.example.org/logs/access_log" combined
    ErrorLog "/data/www/vhosts/www.example.org/logs/error_log"
    DocumentRoot "/data/www/vhosts/www.example.org/data"
    <Directory "/data/www/vhosts/www.example.org/data">
        Options FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerName example.org
    ServerAdmin webmaster@example.org
    CustomLog "/data/www/vhosts/www.example.org/logs/access_log" combined
    ErrorLog "/data/www/vhosts/www.example.org/logs/error_log"
    DocumentRoot "/data/www/vhosts/www.example.org/data"
    <Directory "/data/www/vhosts/www.example.org/data">
        Options FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
    Redirect 301 / http://www.example.org/
</VirtualHost>
"EOF"

cat > /usr/local/etc/apache24/vhosts-ssl.conf << "EOF"
<VirtualHost _default_:443>
    ServerName srv.example.org
    ServerAdmin webmaster@example.org
    CustomLog "/data/www/vhosts/_default_/logs/ssl_access_log" combined
    ErrorLog "/data/www/vhosts/_default_/logs/ssl_error_log"
    DocumentRoot "/data/www/vhosts/_default_/data"
    <Directory "/data/www/vhosts/_default_/data">
        Options FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
    SSLEngine on
    SSLCertificateFile "/data/pki/certs/srv.example.org.crt"
    SSLCertificateKeyFile "/data/pki/private/srv.example.org.key"
    SSLCertificateChainFile "/data/pki/ca/component-ca-chain.pem"
#    <IfModule headers_module>
#        Header always set Strict-Transport-Security "max-age=15768000"
#    </IfModule>
</VirtualHost>

<VirtualHost *:443>
    ServerName mail.example.org
    ServerAdmin webmaster@example.org
    CustomLog "/data/www/vhosts/mail.example.org/logs/ssl_access_log" combined
    ErrorLog "/data/www/vhosts/mail.example.org/logs/ssl_error_log"
    DocumentRoot "/data/www/vhosts/mail.example.org/data"
    <Directory "/data/www/vhosts/mail.example.org/data">
        Options FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
    SSLEngine on
    SSLCertificateFile "/data/pki/certs/mail.example.org.crt"
    SSLCertificateKeyFile "/data/pki/private/mail.example.org.key"
    SSLCertificateChainFile "/data/pki/ca/component-ca-chain.pem"
#    <IfModule headers_module>
#        Header always set Strict-Transport-Security "max-age=15768000"
#    </IfModule>
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.org
    ServerAdmin webmaster@example.org
    CustomLog "/data/www/vhosts/www.example.org/logs/ssl_access_log" combined
    ErrorLog "/data/www/vhosts/www.example.org/logs/ssl_error_log"
    DocumentRoot "/data/www/vhosts/www.example.org/data"
    <Directory "/data/www/vhosts/www.example.org/data">
        Options FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
    SSLEngine on
    SSLCertificateFile "/data/pki/certs/www.example.org.crt"
    SSLCertificateKeyFile "/data/pki/private/www.example.org.key"
    SSLCertificateChainFile "/data/pki/ca/component-ca-chain.pem"
#    <IfModule headers_module>
#        Header always set Strict-Transport-Security "max-age=15768000"
#    </IfModule>
</VirtualHost>

<VirtualHost *:443>
    ServerName example.org
    ServerAdmin webmaster@example.org
    CustomLog "/data/www/vhosts/www.example.org/logs/ssl_access_log" combined
    ErrorLog "/data/www/vhosts/www.example.org/logs/ssl_error_log"
    DocumentRoot "/data/www/vhosts/www.example.org/data"
    <Directory "/data/www/vhosts/www.example.org/data">
        Options FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
    SSLEngine on
    SSLCertificateFile "/data/pki/certs/www.example.org.crt"
    SSLCertificateKeyFile "/data/pki/private/www.example.org.key"
    SSLCertificateChainFile "/data/pki/ca/component-ca-chain.pem"
#    <IfModule headers_module>
#        Header always set Strict-Transport-Security "max-age=15768000"
#    </IfModule>
    Redirect 301 / https://www.example.org/
</VirtualHost>
"EOF"

Final steps.

mkdir -p /data/tmp/www/cache /data/tmp/www/uploads
chmod -R 1750 /data/tmp/www
chown -R www:www /data/tmp/www
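Two mistakes are easy to make in a file of this size. An IfModule whose argument is neither a module identifier (status_module) nor a source file name (mod_status.c) matches nothing, so httpd silently skips the entire block, including any access restriction inside it; and an Options line that mixes a bare keyword with a +/- keyword is rejected by httpd -t at startup. The lint script below reports both before httpd is even asked. It is an added example for this HowTo, not part of Apache or the FreeBSD port; the directory default /usr/local/etc/apache24 and the file names httpd.conf, vhosts.conf and vhosts-ssl.conf are the ones used above, and the sample configuration it writes for its self-test is constructed for the example, not taken from the page.

```sh
#!/bin/sh
# lint_apache_conf.sh - catch two silent mistakes in httpd.conf and the
# vhosts*.conf files before "service apache24 start". Added example for this
# HowTo; not part of Apache or the FreeBSD port. The directory default below
# is the path used in this HowTo and is an assumption.

# <IfModule X> only matches a module identifier (status_module) or the source
# file name (mod_status.c). A bare "mod_status" matches nothing, so httpd skips
# the whole block without a warning. Report every argument of another form;
# commented-out lines are ignored.
find_bad_ifmodule() {
    awk '
        tolower($0) ~ /<ifmodule/ && $0 !~ /^[ \t]*#/ {
            arg = $0
            sub(/^[^<]*<[Ii][Ff][Mm][Oo][Dd][Uu][Ll][Ee][ \t]+!?/, "", arg)
            sub(/[ \t]*>.*$/, "", arg)
            if (arg !~ /_module$/ && arg !~ /^mod_[A-Za-z0-9_]+\.c$/)
                printf "%s:%d: <IfModule %s> never matches\n", FILENAME, NR, arg
        }' "$1"
}

# "Options None +FollowSymLinks" mixes a bare keyword with a +/- keyword;
# httpd -t rejects that with "Either all Options must start with + or -".
find_mixed_options() {
    awk '
        tolower($1) == "options" {
            rel = 0; abs = 0
            for (i = 2; i <= NF; i++)
                if ($i ~ /^[+-]/) rel++; else abs++
            if (rel && abs)
                printf "%s:%d: %s\n", FILENAME, NR, $0
        }' "$1"
}

# Constructed sample (not from the page) that reproduces both mistakes.
write_sample_conf() {
    cat > "$1" <<'EOF'
<IfModule mpm_prefork_module>
    StartServers 16
</IfModule>
<IfModule mod_autoindex>
    IndexOptions FancyIndexing
</IfModule>
<IfModule !socache_shmcb_module>
    SSLSessionCache "nonenotnull"
</IfModule>
<IfModule mod_ssl.c>
    SSLEngine on
</IfModule>
<IfModule mime_negotiation>
    AddLanguage de .de
</IfModule>
<Directory "/">
    Options None +FollowSymLinks
    AllowOverride None
</Directory>
<Directory "/data/www/vhosts/www.example.org/data">
    Options FollowSymLinks
</Directory>
EOF
}

# Lint the real tree, then let httpd's own parser have the final word.
lint_apache_tree() {
    dir=${1:-/usr/local/etc/apache24}
    for f in "$dir"/httpd.conf "$dir"/vhosts.conf "$dir"/vhosts-ssl.conf; do
        [ -f "$f" ] || continue
        find_bad_ifmodule "$f"
        find_mixed_options "$f"
    done
    if command -v httpd >/dev/null 2>&1; then
        httpd -t -f "$dir/httpd.conf"
    fi
}

if [ $# -eq 0 ]; then
    # No arguments: demonstrate both checks on the constructed sample.
    sample=$(mktemp "${TMPDIR:-/tmp}/lint.XXXXXX") && write_sample_conf "$sample"
    find_bad_ifmodule "$sample"
    find_mixed_options "$sample"
    rm -f "$sample"
else
    lint_apache_tree "$1"
fi
```

Run it without arguments to see the three findings on the built-in sample, then run sh lint_apache_conf.sh /usr/local/etc/apache24 against the real tree and fix every reported line; only then is the final httpd -t result meaningful.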

PHP

Install PHP

mkdir -p /var/db/ports/lang_php56
cat > /var/db/ports/lang_php56/options << "EOF"
_OPTIONS_READ=php56-5.6.0
_FILE_COMPLETE_OPTIONS_LIST=CLI CGI FPM FPM_IPV6 EMBED PHPDBG DEBUG DTRACE IPV6 MAILHEAD LINKTHR ZTS
OPTIONS_FILE_SET+=CLI
OPTIONS_FILE_UNSET+=CGI
OPTIONS_FILE_SET+=FPM
OPTIONS_FILE_SET+=FPM_IPV6
OPTIONS_FILE_UNSET+=EMBED
OPTIONS_FILE_UNSET+=PHPDBG
OPTIONS_FILE_UNSET+=DEBUG
OPTIONS_FILE_UNSET+=DTRACE
OPTIONS_FILE_SET+=IPV6
OPTIONS_FILE_SET+=MAILHEAD
OPTIONS_FILE_SET+=LINKTHR
OPTIONS_FILE_SET+=ZTS
"EOF"

cd /usr/ports/lang/php56
make config-recursive all install clean-depends clean

Install mod_PHP

mkdir -p /var/db/ports/www_mod_php56
cat > /var/db/ports/www_mod_php56/options << "EOF"
_OPTIONS_READ=mod_php56-5.6.0
_FILE_COMPLETE_OPTIONS_LIST=AP2FILTER FPM_IPV6 PHPDBG DEBUG DTRACE IPV6 MAILHEAD LINKTHR ZTS
OPTIONS_FILE_UNSET+=AP2FILTER
OPTIONS_FILE_SET+=FPM_IPV6
OPTIONS_FILE_UNSET+=PHPDBG
OPTIONS_FILE_UNSET+=DEBUG
OPTIONS_FILE_UNSET+=DTRACE
OPTIONS_FILE_SET+=IPV6
OPTIONS_FILE_SET+=MAILHEAD
OPTIONS_FILE_SET+=LINKTHR
OPTIONS_FILE_SET+=ZTS
"EOF"

cd /usr/ports/www/mod_php56
make config-recursive all install clean-depends clean

Install PHP extensions

mkdir -p /var/db/ports/converters_php56-mbstring
cat > /var/db/ports/converters_php56-mbstring/options << "EOF"
_OPTIONS_READ=php56-mbstring-5.6.0
_FILE_COMPLETE_OPTIONS_LIST=REGEX
OPTIONS_FILE_SET+=REGEX
"EOF"

mkdir -p /var/db/ports/databases_php56-dba
cat > /var/db/ports/databases_php56-dba/options << "EOF"
_OPTIONS_READ=php56-dba-5.6.0
_FILE_COMPLETE_OPTIONS_LIST=CDB DB4 GDBM QDBM TOKYO INIFILE FLATFILE
OPTIONS_FILE_SET+=CDB
OPTIONS_FILE_UNSET+=DB4
OPTIONS_FILE_UNSET+=GDBM
OPTIONS_FILE_UNSET+=QDBM
OPTIONS_FILE_UNSET+=TOKYO
OPTIONS_FILE_SET+=INIFILE
OPTIONS_FILE_SET+=FLATFILE
"EOF"

mkdir -p /var/db/ports/databases_php56-mysql
cat > /var/db/ports/databases_php56-mysql/options << "EOF"
_OPTIONS_READ=php56-mysql-5.6.0
_FILE_COMPLETE_OPTIONS_LIST=MYSQLND
OPTIONS_FILE_SET+=MYSQLND
"EOF"

mkdir -p /var/db/ports/databases_php56-mysqli
cat > /var/db/ports/databases_php56-mysqli/options << "EOF"
_OPTIONS_READ=php56-mysqli-5.6.0
_FILE_COMPLETE_OPTIONS_LIST=MYSQLND
OPTIONS_FILE_SET+=MYSQLND
"EOF"

mkdir -p /var/db/ports/databases_php56-pdo_mysql
cat > /var/db/ports/databases_php56-pdo_mysql/options << "EOF"
_OPTIONS_READ=php56-pdo_mysql-5.6.0
_FILE_COMPLETE_OPTIONS_LIST=MYSQLND
OPTIONS_FILE_SET+=MYSQLND
"EOF"

mkdir -p /var/db/ports/databases_sqlite3
cat > /var/db/ports/databases_sqlite3/options << "EOF"
_OPTIONS_READ=sqlite3-3.8.6
_FILE_COMPLETE_OPTIONS_LIST=DIRECT_READ EXTENSION FTS4 MEMMAN METADATA SECURE_DELETE SOUNDEX THREADS UNLOCK_NOTIFY UPD_DEL_LIMIT URI URI_AUTHORITY TS0 TS1 TS2 TS3 STAT3 STAT4 ICU UNICODE61 RTREE RTREE_INT
OPTIONS_FILE_SET+=DIRECT_READ
OPTIONS_FILE_SET+=EXTENSION
OPTIONS_FILE_SET+=FTS4
OPTIONS_FILE_SET+=MEMMAN
OPTIONS_FILE_SET+=METADATA
OPTIONS_FILE_SET+=SECURE_DELETE
OPTIONS_FILE_SET+=SOUNDEX
OPTIONS_FILE_SET+=THREADS
OPTIONS_FILE_SET+=UNLOCK_NOTIFY
OPTIONS_FILE_SET+=UPD_DEL_LIMIT
OPTIONS_FILE_SET+=URI
OPTIONS_FILE_SET+=URI_AUTHORITY
OPTIONS_FILE_UNSET+=TS0
OPTIONS_FILE_UNSET+=TS1
OPTIONS_FILE_SET+=TS2
OPTIONS_FILE_UNSET+=TS3
OPTIONS_FILE_UNSET+=STAT3
OPTIONS_FILE_SET+=STAT4
OPTIONS_FILE_UNSET+=ICU
OPTIONS_FILE_SET+=UNICODE61
OPTIONS_FILE_SET+=RTREE
OPTIONS_FILE_UNSET+=RTREE_INT
"EOF"

mkdir -p /var/db/ports/devel_icu
cat > /var/db/ports/devel_icu/options << "EOF"
_OPTIONS_READ=icu-53.1
_FILE_COMPLETE_OPTIONS_LIST=THREADS
OPTIONS_FILE_SET+=THREADS
"EOF"

mkdir -p /var/db/ports/devel_t1lib
cat > /var/db/ports/devel_t1lib/options << "EOF"
_OPTIONS_READ=t1lib-5.1.2
_FILE_COMPLETE_OPTIONS_LIST=DOCS X11
OPTIONS_FILE_UNSET+=DOCS
OPTIONS_FILE_UNSET+=X11
"EOF"

mkdir -p /var/db/ports/dns_libidn
cat > /var/db/ports/dns_libidn/options << "EOF"
_OPTIONS_READ=libidn-1.28
_FILE_COMPLETE_OPTIONS_LIST=DOCS NLS
OPTIONS_FILE_UNSET+=DOCS
OPTIONS_FILE_SET+=NLS
"EOF"

mkdir -p /var/db/ports/graphics_php56-gd
cat > /var/db/ports/graphics_php56-gd/options << "EOF"
_OPTIONS_READ=php56-gd-5.6.0
_FILE_COMPLETE_OPTIONS_LIST=T1LIB TRUETYPE JIS X11 VPX
OPTIONS_FILE_SET+=T1LIB
OPTIONS_FILE_SET+=TRUETYPE
OPTIONS_FILE_UNSET+=JIS
OPTIONS_FILE_UNSET+=X11
OPTIONS_FILE_UNSET+=VPX
"EOF"

mkdir -p /var/db/ports/graphics_png
cat > /var/db/ports/graphics_png/options << "EOF"
_OPTIONS_READ=png-1.5.18
_FILE_COMPLETE_OPTIONS_LIST=APNG PNGTEST
OPTIONS_FILE_SET+=APNG
OPTIONS_FILE_SET+=PNGTEST
"EOF"

mkdir -p /var/db/ports/mail_cclient
cat > /var/db/ports/mail_cclient/options << "EOF"
_OPTIONS_READ=cclient-2007f
_FILE_COMPLETE_OPTIONS_LIST=IPV6 MBX_DEFAULT SSL SSL_AND_PLAINTEXT
OPTIONS_FILE_SET+=IPV6
OPTIONS_FILE_UNSET+=MBX_DEFAULT
OPTIONS_FILE_SET+=SSL
OPTIONS_FILE_SET+=SSL_AND_PLAINTEXT
"EOF"

mkdir -p /var/db/ports/converters_libiconv
cat > /var/db/ports/converters_libiconv/options << "EOF"
_OPTIONS_READ=libiconv-1.14
_FILE_COMPLETE_OPTIONS_LIST=DOCS ENCODINGS PATCHES
OPTIONS_FILE_UNSET+=DOCS
OPTIONS_FILE_SET+=ENCODINGS
OPTIONS_FILE_UNSET+=PATCHES
"EOF"

mkdir -p /var/db/ports/math_gmp
cat > /var/db/ports/math_gmp/options << "EOF"
_OPTIONS_READ=gmp-5.1.3
_FILE_COMPLETE_OPTIONS_LIST=CPU_OPTS
OPTIONS_FILE_UNSET+=CPU_OPTS
"EOF"

mkdir -p /var/db/ports/print_freetype2
cat > /var/db/ports/print_freetype2/options << "EOF"
_OPTIONS_READ=freetype2-2.5.3
_FILE_COMPLETE_OPTIONS_LIST=LCD_FILTERING PNG
OPTIONS_FILE_SET+=LCD_FILTERING
OPTIONS_FILE_SET+=PNG
"EOF"

mkdir -p /var/db/ports/print_pdflib
cat > /var/db/ports/print_pdflib/options << "EOF"
_OPTIONS_READ=pdflib-7.0.5
_FILE_COMPLETE_OPTIONS_LIST=JAVA PERL
OPTIONS_FILE_UNSET+=JAVA
OPTIONS_FILE_UNSET+=PERL
"EOF"

mkdir -p /var/db/ports/textproc_libxslt
cat > /var/db/ports/textproc_libxslt/options << "EOF"
_OPTIONS_READ=libxslt-1.1.28
_FILE_COMPLETE_OPTIONS_LIST=CRYPTO MEM_DEBUG
OPTIONS_FILE_SET+=CRYPTO
OPTIONS_FILE_UNSET+=MEM_DEBUG
"EOF"

mkdir -p /var/db/ports/lang_php56-extensions
cat > /var/db/ports/lang_php56-extensions/options << "EOF"
_OPTIONS_READ=php56-extensions-1.0
_FILE_COMPLETE_OPTIONS_LIST=BCMATH BZ2 CALENDAR CTYPE CURL DBA DOM EXIF FILEINFO FILTER FTP GD GETTEXT GMP HASH ICONV IMAP INTERBASE JSON LDAP MBSTRING MCRYPT MSSQL MYSQL MYSQLI ODBC OPCACHE OPENSSL PCNTL PDF PDO PDO_DBLIB PDO_FIREBIRD PDO_MYSQL PDO_ODBC PDO_PGSQL PDO_SQLITE PGSQL PHAR POSIX PSPELL READLINE RECODE SESSION SHMOP SIMPLEXML SNMP SOAP SOCKETS SQLITE3 SYBASE_CT SYSVMSG SYSVSEM SYSVSHM TIDY TOKENIZER WDDX XML XMLREADER XMLRPC XMLWRITER XSL ZIP ZLIB
OPTIONS_FILE_SET+=BCMATH
OPTIONS_FILE_SET+=BZ2
OPTIONS_FILE_SET+=CALENDAR
OPTIONS_FILE_SET+=CTYPE
OPTIONS_FILE_SET+=CURL
OPTIONS_FILE_SET+=DBA
OPTIONS_FILE_SET+=DOM
OPTIONS_FILE_SET+=EXIF
OPTIONS_FILE_SET+=FILEINFO
OPTIONS_FILE_SET+=FILTER
OPTIONS_FILE_SET+=FTP
OPTIONS_FILE_SET+=GD
OPTIONS_FILE_SET+=GETTEXT
OPTIONS_FILE_SET+=GMP
OPTIONS_FILE_SET+=HASH
OPTIONS_FILE_SET+=ICONV
OPTIONS_FILE_SET+=IMAP
OPTIONS_FILE_UNSET+=INTERBASE
OPTIONS_FILE_SET+=JSON
OPTIONS_FILE_UNSET+=LDAP
OPTIONS_FILE_SET+=MBSTRING
OPTIONS_FILE_SET+=MCRYPT
OPTIONS_FILE_UNSET+=MSSQL
OPTIONS_FILE_SET+=MYSQL
OPTIONS_FILE_SET+=MYSQLI
OPTIONS_FILE_UNSET+=ODBC
OPTIONS_FILE_SET+=OPCACHE
OPTIONS_FILE_SET+=OPENSSL
OPTIONS_FILE_SET+=PCNTL
OPTIONS_FILE_SET+=PDF
OPTIONS_FILE_SET+=PDO
OPTIONS_FILE_UNSET+=PDO_DBLIB
OPTIONS_FILE_UNSET+=PDO_FIREBIRD
OPTIONS_FILE_SET+=PDO_MYSQL
OPTIONS_FILE_UNSET+=PDO_ODBC
OPTIONS_FILE_UNSET+=PDO_PGSQL
OPTIONS_FILE_SET+=PDO_SQLITE
OPTIONS_FILE_UNSET+=PGSQL
OPTIONS_FILE_SET+=PHAR
OPTIONS_FILE_SET+=POSIX
OPTIONS_FILE_UNSET+=PSPELL
OPTIONS_FILE_UNSET+=READLINE
OPTIONS_FILE_UNSET+=RECODE
OPTIONS_FILE_SET+=SESSION
OPTIONS_FILE_SET+=SHMOP
OPTIONS_FILE_SET+=SIMPLEXML
OPTIONS_FILE_UNSET+=SNMP
OPTIONS_FILE_SET+=SOAP
OPTIONS_FILE_SET+=SOCKETS
OPTIONS_FILE_SET+=SQLITE3
OPTIONS_FILE_UNSET+=SYBASE_CT
OPTIONS_FILE_SET+=SYSVMSG
OPTIONS_FILE_SET+=SYSVSEM
OPTIONS_FILE_SET+=SYSVSHM
OPTIONS_FILE_SET+=TIDY
OPTIONS_FILE_SET+=TOKENIZER
OPTIONS_FILE_SET+=WDDX
OPTIONS_FILE_SET+=XML
OPTIONS_FILE_SET+=XMLREADER
OPTIONS_FILE_SET+=XMLRPC
OPTIONS_FILE_SET+=XMLWRITER
OPTIONS_FILE_SET+=XSL
OPTIONS_FILE_SET+=ZIP
OPTIONS_FILE_SET+=ZLIB
"EOF"

cd /usr/ports/lang/php56-extensions
make config-recursive all install clean-depends clean
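Before handing a hand-written options file like the ones above to the ports tree, it pays to check it for consistency: an option from _FILE_COMPLETE_OPTIONS_LIST that is neither SET nor UNSET, an option decided twice, a SET/UNSET line for an option the port does not know, or an _OPTIONS_READ line copied from a neighbouring file are the usual reasons an otherwise unattended make config-recursive stops at a dialog or builds something other than intended. The following POSIX sh script is added here as an example and is not part of the original HowTo; the function names check_options_file and check_options_pkgname and the two sample files it writes to a temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original HowTo: audit an OptionsNG options
# file before feeding it to the ports tree. Function names and sample files
# are constructed for this demonstration.

# check_options_file FILE
# Every option in _FILE_COMPLETE_OPTIONS_LIST must be decided by exactly one
# OPTIONS_FILE_SET/OPTIONS_FILE_UNSET line, and every SET/UNSET line must name
# an option from that list. Prints one line per problem; exit status 0 means
# the file is consistent.
check_options_file() {
    file=$1
    list=$(sed -n 's/^_FILE_COMPLETE_OPTIONS_LIST=//p' "$file")
    status=0
    for opt in $list; do
        # grep -c prints 0 and exits 1 on no match; keep the 0.
        n=$(grep -c "^OPTIONS_FILE_\(UN\)\{0,1\}SET+=${opt}\$" "$file" || true)
        if [ "$n" -eq 0 ]; then
            echo "$file: $opt is neither SET nor UNSET"
            status=1
        elif [ "$n" -gt 1 ]; then
            echo "$file: $opt is decided $n times"
            status=1
        fi
    done
    for opt in $(sed -n 's/^OPTIONS_FILE_\(UN\)\{0,1\}SET+=//p' "$file"); do
        case " $list " in
            *" $opt "*) ;;
            *) echo "$file: $opt is not in _FILE_COMPLETE_OPTIONS_LIST"; status=1 ;;
        esac
    done
    return $status
}

# check_options_pkgname FILE PKGNAME
# _OPTIONS_READ records the package name the options were saved for; it must
# name the port the file is written for (copy-and-paste slips between the
# php56-* files are easy to make).
check_options_pkgname() {
    [ "$(sed -n 's/^_OPTIONS_READ=//p' "$1")" = "$2" ]
}

# Constructed sample files in a temporary directory.
opts_dir=$(mktemp -d)
cat > "$opts_dir/good" << EOF
_OPTIONS_READ=php56-mysqli-5.6.0
_FILE_COMPLETE_OPTIONS_LIST=MYSQLND
OPTIONS_FILE_SET+=MYSQLND
EOF
# DOCS is never decided, X11 is decided twice, FOO is not a known option.
cat > "$opts_dir/bad" << EOF
_OPTIONS_READ=t1lib-5.1.2
_FILE_COMPLETE_OPTIONS_LIST=DOCS X11
OPTIONS_FILE_UNSET+=X11
OPTIONS_FILE_SET+=X11
OPTIONS_FILE_UNSET+=FOO
EOF

check_options_file "$opts_dir/good" && echo "good: consistent"
check_options_file "$opts_dir/bad" || echo "bad: inconsistent"
check_options_pkgname "$opts_dir/good" php56-mysqli-5.6.0 && echo "good: _OPTIONS_READ matches"
```

To audit the files written above, loop over /var/db/ports/*/options with check_options_file and pass the port's current package name (make -V PKGNAME in the port directory) to check_options_pkgname; the script deliberately does not consult the ports tree itself, so it also runs on a build host that has none.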

Configuring PHP

The configuration largely follows the recommendations of the PHP developers and is tuned for both security and performance.

Set up php.ini.

cat > /usr/local/etc/php.ini << "EOF"
arg_separator.input = ";&"
arg_separator.output = "&amp;"
cli_server.color = "1"
date.default_latitude = "53.5500"
date.default_longitude = "10.0000"
date.timezone = "Europe/Berlin"
default_charset = "UTF-8"
display_errors = "0"
display_startup_errors = "0"
enable_dl = "0"
engine = "1"
error_log = "/var/log/php_error.log"
error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT"
exif.encode_jis = "UTF-8"
exif.encode_unicode = "UTF-8"
expose_php = "0"
from = "anonymous@example.org"
html_errors = "0"
iconv.input_encoding = "UTF-8"
iconv.output_encoding = "UTF-8"
iconv.internal_encoding = "UTF-8"
input_encoding = "UTF-8"
internal_encoding = "UTF-8"
log_errors = "1"
mail.add_x_header = "1"
mail.log = "/var/log/php_sendmail.log"
max_execution_time = "60"
max_input_time = "60"
mbstring.detect_order = "auto"
mbstring.http_input = "pass"
mbstring.internal_encoding = "UTF-8"
mbstring.http_output = "pass"
mbstring.strict_detection = "1"
memory_limit = "256M"
opcache.enable = "1"
opcache.enable_cli = "1"
opcache.enable_file_override = "1"
opcache.error_log = "/var/log/php_opcache.log"
opcache.fast_shutdown = "1"
opcache.interned_strings_buffer = "8"
opcache.log_verbosity_level = "2"
opcache.max_accelerated_files = "4000"
opcache.memory_consumption = "128"
opcache.revalidate_freq = "60"
opcache.revalidate_path = "1"
openssl.cafile = "/etc/ssl/cert.pem"
output_buffering = "4096"
output_encoding = "UTF-8"
pcre.backtrack_limit = "8M"
post_max_size = "16M"
realpath_cache_size = "512000"
register_argc_argv = "0"
request_order = "GP"
session.cookie_httponly = "1"
session.hash_bits_per_character = "5"
session.hash_function = "1"
session.save_path = "/data/tmp/php/session"
session.use_strict_mode = "1"
short_open_tag = "0"
soap.wsdl_cache_dir = "/data/tmp/php/wsdl"
sys_temp_dir = "/data/tmp/php"
sysvshm.init_mem = "10000"
upload_max_filesize = "64M"
upload_tmp_dir = "/data/tmp/php/uploads"
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry,fieldset="
user_ini.filename = None
variables_order = "GPCS"
"EOF"

Final steps.

mkdir -p /data/tmp/php/{session,uploads,wsdl}
chmod -R 1750 /data/tmp/php
chown -R www:www /data/tmp/php

touch /var/log/php_{error,opcache,sendmail}.log
chmod 0664 /var/log/php_{error,opcache,sendmail}.log
chown root:www /var/log/php_{error,opcache,sendmail}.log
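Several directives in the php.ini above carry the security weight of the configuration: display_errors, display_startup_errors and html_errors keep stack traces and paths away from clients, expose_php hides the version header, enable_dl stops scripts from loading arbitrary extensions at runtime, and session.cookie_httponly together with session.use_strict_mode keep the session cookie away from script access and reject session IDs the server did not issue. The following POSIX sh script, added here as an example and not part of the original HowTo, verifies that these directives are present with the intended values in a given ini file, so a later edit or a package upgrade that replaces php.ini does not silently undo them. It needs no PHP binary; php_ini_get, audit_php_ini, the expected-value table and the two sample ini files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original HowTo: verify that the hardening
# directives of the php.ini above are in effect in a given ini file, without
# needing a PHP binary. Function names, the expected-value table and the two
# sample ini files are constructed for this demonstration.

# php_ini_get FILE KEY
# Print the value of KEY with surrounding whitespace and quotes removed.
# Like PHP, the last occurrence of a key wins; prints nothing when the key is
# absent (PHP then falls back to its built-in default).
php_ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 \
        | sed 's/[[:space:]]*$//; s/^"\(.*\)"$/\1/'
}

# Directives and the values this HowTo sets for them.
PHP_INI_EXPECTED='
display_errors=0
display_startup_errors=0
enable_dl=0
expose_php=0
html_errors=0
log_errors=1
register_argc_argv=0
session.cookie_httponly=1
session.use_strict_mode=1
short_open_tag=0
'

# audit_php_ini FILE
# Print one line per directive that deviates from the table (a missing key
# counts as a deviation) and return the number of deviations, so exit
# status 0 means the file is compliant.
audit_php_ini() {
    bad=0
    for pair in $PHP_INI_EXPECTED; do
        key=${pair%%=*}
        want=${pair#*=}
        got=$(php_ini_get "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key: expected $want, found ${got:-<unset>}"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Constructed sample ini files in a temporary directory.
ini_dir=$(mktemp -d)
# A development-style configuration that shows error output to clients.
cat > "$ini_dir/weak.ini" << EOF
display_errors = "1"
display_startup_errors = "1"
expose_php = "1"
html_errors = "1"
log_errors = "1"
short_open_tag = "1"
EOF
# The relevant lines of the hardened php.ini from this HowTo.
cat > "$ini_dir/hardened.ini" << EOF
display_errors = "0"
display_startup_errors = "0"
enable_dl = "0"
expose_php = "0"
html_errors = "0"
log_errors = "1"
register_argc_argv = "0"
session.cookie_httponly = "1"
session.use_strict_mode = "1"
short_open_tag = "0"
EOF

audit_php_ini "$ini_dir/hardened.ini" && echo "hardened.ini: compliant"
audit_php_ini "$ini_dir/weak.ini" || echo "weak.ini: $? deviation(s)"
```

Run audit_php_ini against /usr/local/etc/php.ini after every change; a non-zero exit status lists the deviating directives. The parser only understands flat key = value lines as written by the heredoc above, so it does not evaluate [section] headers or per-directory overrides from .htaccess or .user.ini files, which is one more reason to keep user_ini.filename disabled as this HowTo does.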

Installing PHP-PEAR

cd /usr/ports/devel/pear
make config-recursive all install clean-depends clean

What's next?

The FreeBSD Tips und Tricks, of course.