FreeBSD Web Hosting System

License: Attribution-NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0)

Author: Markus Kohlmeyer | Last updated: | Published:

Contributors: Jesco Freund, Matthias Weiss, Eckhard Doll, Olaf Uecker

Introduction

This HowTo assumes an installed and configured FreeBSD base system as described in FreeBSD Remote Installation.

The following points apply throughout this HowTo.

  • All services are installed with a minimal, proven set of features.
  • All services are given a configuration that is as secure as possible while still remaining flexible.
  • All configurations must be checked by you for the individual adjustments they need.
  • All passwords are shown as @PASSWORD@ and must be replaced with secure passwords of your own.
  • The server's domain is example.org and must be replaced with your own domain.
  • The server's hostname is srv and must be replaced with your own hostname (FQDN=srv.example.org).
  • The FQDNs srv.example.org, mail.example.org, pki.example.org and www.example.org are used and must be registered in DNS by you.
  • Postfix and Dovecot share both the FQDN mail.example.org and the SSL certificate.

Our web hosting system will comprise the following services.

  • MySQL 5.7.12
  • Postfix 3.1.0
  • Dovecot 2.2.24
  • Apache 2.4.20 (MPM-Event)
  • PHP 7.0.6 (PHP-FPM)

IMPORTANT: At this point we have to decide whether in future we want to install packages/ports conveniently as precompiled binary packages with the default options via pkg install <port>, or whether we want to determine the options, and thus the feature set, of our packages/ports ourselves. In this HowTo we go with the second variant, since it spares us many problems caused by unnecessary or missing features and dependencies. On the other hand, we lose the convenience of pkg when installing and updating packages/ports, and we are forced to set the desired options for every package/port by hand and to compile the packages/ports ourselves. This takes more time and requires somewhat more knowledge about the individual packages/ports and their features, but it rewards us with a leaner and faster system and, where applicable, offers useful or required additional features. The potential exposure to security vulnerabilities also decreases, because unneeded packages/ports are never pulled in as dependencies in the first place.

We disable pkg's default repository to guard somewhat against accidental installation of binary packages; unfortunately we cannot prevent it entirely.

mkdir -p /usr/local/etc/pkg/repos
echo "FreeBSD: { enabled: no }" > /usr/local/etc/pkg/repos/FreeBSD.conf

We set the build options we want for each port via the options files of the newer port configuration framework, OptionsNG.
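As an added example (not part of the original HowTo), the following POSIX sh helper writes such an OptionsNG options file from a short list of +OPT/-OPT specifications, so the port blocks below can be generated instead of typed; the function names write_port_options and port_option_is_set are my own, and the demonstration only writes into a temporary directory:

```sh
#!/bin/sh
# Added helper, not part of the HowTo: generate an OptionsNG options file.
# The layout (_OPTIONS_READ, _FILE_COMPLETE_OPTIONS_LIST, OPTIONS_FILE_SET /
# OPTIONS_FILE_UNSET) is what the ports framework reads back from
# /var/db/ports/<category>_<port>/options.
#
#   write_port_options ROOT CATEGORY/PORT PKGNAME-VERSION +OPT|-OPT ...
#
# ROOT is /var/db/ports on a real host; pass a scratch directory to try it out.
write_port_options() {
    root="$1"; origin="$2"; pkgver="$3"; shift 3
    all=""
    # Validate the whole spec list first so a typo never leaves a half-written file.
    for opt in "$@"; do
        case "$opt" in
            +?*|-?*) all="$all${all:+ }${opt#?}" ;;
            *) printf 'bad option spec "%s" (expected +NAME or -NAME)\n' "$opt" >&2; return 1 ;;
        esac
    done
    dir="$root/$(printf '%s' "$origin" | tr '/' '_')"
    mkdir -p "$dir" || return 1
    {
        printf '_OPTIONS_READ=%s\n' "$pkgver"
        printf '_FILE_COMPLETE_OPTIONS_LIST=%s\n' "$all"
        for opt in "$@"; do
            case "$opt" in
                +*) printf 'OPTIONS_FILE_SET+=%s\n' "${opt#+}" ;;
                -*) printf 'OPTIONS_FILE_UNSET+=%s\n' "${opt#-}" ;;
            esac
        done
    } > "$dir/options"
}

# port_option_is_set ROOT CATEGORY/PORT NAME: exit 0 if NAME is enabled in the
# written file, 1 if it is disabled or absent. Handy as a pre-build check, for
# example to confirm that a DEBUG or TEST option really is off before "make install".
port_option_is_set() {
    file="$1/$(printf '%s' "$2" | tr '/' '_')/options"
    grep -qxF "OPTIONS_FILE_SET+=$3" "$file" 2>/dev/null
}

# Demonstration against a scratch tree (constructed; nothing under /var/db is touched).
demo=$(mktemp -d)
write_port_options "$demo" archivers/libarchive libarchive-3.1.2 +LZO -NETTLE
cat "$demo/archivers_libarchive/options"
port_option_is_set "$demo" archivers/libarchive LZO && echo "LZO is enabled"
rm -rf "$demo"
```

On a real host the first argument would be /var/db/ports, after which make config-recursive picks the file up exactly as it does the hand-written ones below.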

Preparations

mkdir -p /data/db /data/etc /data/spool /data/tmp
chmod 1777 /data/tmp

OpenSSL

Because of its size, this topic has been moved to a separate HowTo: Certificate Authority.

MySQL

MySQL supports several storage engines; this HowTo, however, confines itself to the two most commonly used: MyISAM and InnoDB.

Installing MySQL

cat >> /etc/make.conf << "EOF"
DEFAULT_VERSIONS+=mysql=5.7
EOF

mkdir -p /var/db/ports/archivers_lzo2
cat > /var/db/ports/archivers_lzo2/options << "EOF"
_OPTIONS_READ=lzo2-2.09
_FILE_COMPLETE_OPTIONS_LIST=DOCS EXAMPLES
OPTIONS_FILE_SET+=DOCS
OPTIONS_FILE_SET+=EXAMPLES
EOF

mkdir -p /var/db/ports/archivers_libarchive
cat > /var/db/ports/archivers_libarchive/options << "EOF"
_OPTIONS_READ=libarchive-3.1.2
_FILE_COMPLETE_OPTIONS_LIST=LZO NETTLE
OPTIONS_FILE_SET+=LZO
OPTIONS_FILE_UNSET+=NETTLE
EOF

mkdir -p /var/db/ports/textproc_py-snowballstemmer
cat > /var/db/ports/textproc_py-snowballstemmer/options << "EOF"
_OPTIONS_READ=py27-snowballstemmer-1.2.0
_FILE_COMPLETE_OPTIONS_LIST=PYSTEMMER
OPTIONS_FILE_SET+=PYSTEMMER
EOF

mkdir -p /var/db/ports/dns_libpsl
cat > /var/db/ports/dns_libpsl/options << "EOF"
_OPTIONS_READ=libpsl-0.13.0
_FILE_COMPLETE_OPTIONS_LIST=NLS ICU IDN IDN2
OPTIONS_FILE_SET+=NLS
OPTIONS_FILE_SET+=ICU
OPTIONS_FILE_UNSET+=IDN
OPTIONS_FILE_UNSET+=IDN2
EOF

mkdir -p /var/db/ports/security_libssh2
cat > /var/db/ports/security_libssh2/options << "EOF"
_OPTIONS_READ=libssh2-1.7.0
_FILE_COMPLETE_OPTIONS_LIST=GCRYPT TRACE ZLIB
OPTIONS_FILE_UNSET+=GCRYPT
OPTIONS_FILE_UNSET+=TRACE
OPTIONS_FILE_SET+=ZLIB
EOF

mkdir -p /var/db/ports/dns_libidn
cat > /var/db/ports/dns_libidn/options << "EOF"
_OPTIONS_READ=libidn-1.31
_FILE_COMPLETE_OPTIONS_LIST=DOCS NLS
OPTIONS_FILE_SET+=DOCS
OPTIONS_FILE_SET+=NLS
EOF

mkdir -p /var/db/ports/devel_icu
cat > /var/db/ports/devel_icu/options << "EOF"
_OPTIONS_READ=icu-55.1
_FILE_COMPLETE_OPTIONS_LIST=THREADS
OPTIONS_FILE_SET+=THREADS
EOF

mkdir -p /var/db/ports/devel_boost-libs
cat > /var/db/ports/devel_boost-libs/options << "EOF"
_OPTIONS_READ=boost-libs-1.55.0
_FILE_COMPLETE_OPTIONS_LIST=DEBUG OPTIMIZED_CFLAGS VERBOSE_BUILD ICONV ICU
OPTIONS_FILE_UNSET+=DEBUG
OPTIONS_FILE_UNSET+=OPTIMIZED_CFLAGS
OPTIONS_FILE_UNSET+=VERBOSE_BUILD
OPTIONS_FILE_SET+=ICONV
OPTIONS_FILE_SET+=ICU
EOF

mkdir -p /var/db/ports/devel_libevent2
cat > /var/db/ports/devel_libevent2/options << "EOF"
_OPTIONS_READ=libevent2-2.0.22
_FILE_COMPLETE_OPTIONS_LIST=OPENSSL THREADS
OPTIONS_FILE_SET+=OPENSSL
OPTIONS_FILE_SET+=THREADS
EOF

mkdir -p /var/db/ports/www_nghttp2
cat > /var/db/ports/www_nghttp2/options << "EOF"
_OPTIONS_READ=nghttp2-1.10.0
_FILE_COMPLETE_OPTIONS_LIST=ASIO DOCS HPACK
OPTIONS_FILE_SET+=ASIO
OPTIONS_FILE_SET+=DOCS
OPTIONS_FILE_SET+=HPACK
EOF

mkdir -p /var/db/ports/ftp_curl
cat > /var/db/ports/ftp_curl/options << "EOF"
_OPTIONS_READ=curl-7.48.0
_FILE_COMPLETE_OPTIONS_LIST=CA_BUNDLE COOKIES CURL_DEBUG DEBUG DOCS EXAMPLES HTTP2 IDN IPV6 LDAP LDAPS LIBSSH2 METALINK PROXY PSL RTMP TLS_SRP GSSAPI_BASE GSSAPI_HEIMDAL GSSAPI_MIT GSSAPI_NONE CARES THREADED_RESOLVER GNUTLS NSS OPENSSL POLARSSL WOLFSSL
OPTIONS_FILE_SET+=CA_BUNDLE
OPTIONS_FILE_SET+=COOKIES
OPTIONS_FILE_UNSET+=CURL_DEBUG
OPTIONS_FILE_UNSET+=DEBUG
OPTIONS_FILE_SET+=DOCS
OPTIONS_FILE_SET+=EXAMPLES
OPTIONS_FILE_SET+=HTTP2
OPTIONS_FILE_SET+=IDN
OPTIONS_FILE_SET+=IPV6
OPTIONS_FILE_UNSET+=LDAP
OPTIONS_FILE_UNSET+=LDAPS
OPTIONS_FILE_SET+=LIBSSH2
OPTIONS_FILE_UNSET+=METALINK
OPTIONS_FILE_SET+=PROXY
OPTIONS_FILE_SET+=PSL
OPTIONS_FILE_SET+=RTMP
OPTIONS_FILE_UNSET+=TLS_SRP
OPTIONS_FILE_UNSET+=GSSAPI_BASE
OPTIONS_FILE_UNSET+=GSSAPI_HEIMDAL
OPTIONS_FILE_UNSET+=GSSAPI_MIT
OPTIONS_FILE_SET+=GSSAPI_NONE
OPTIONS_FILE_UNSET+=CARES
OPTIONS_FILE_SET+=THREADED_RESOLVER
OPTIONS_FILE_UNSET+=GNUTLS
OPTIONS_FILE_UNSET+=NSS
OPTIONS_FILE_SET+=OPENSSL
OPTIONS_FILE_UNSET+=POLARSSL
OPTIONS_FILE_UNSET+=WOLFSSL
EOF

mkdir -p /var/db/ports/security_libgpg-error
cat > /var/db/ports/security_libgpg-error/options << "EOF"
_OPTIONS_READ=libgpg-error-1.22
_FILE_COMPLETE_OPTIONS_LIST=DOCS NLS
OPTIONS_FILE_SET+=DOCS
OPTIONS_FILE_SET+=NLS
EOF

mkdir -p /var/db/ports/security_libgcrypt
cat > /var/db/ports/security_libgcrypt/options << "EOF"
_OPTIONS_READ=libgcrypt-1.7.0
_FILE_COMPLETE_OPTIONS_LIST=DOCS
OPTIONS_FILE_SET+=DOCS
EOF

mkdir -p /var/db/ports/textproc_libxslt
cat > /var/db/ports/textproc_libxslt/options << "EOF"
_OPTIONS_READ=libxslt-1.1.28
_FILE_COMPLETE_OPTIONS_LIST=CRYPTO MEM_DEBUG
OPTIONS_FILE_SET+=CRYPTO
OPTIONS_FILE_UNSET+=MEM_DEBUG
EOF

mkdir -p /var/db/ports/textproc_libxml2
cat > /var/db/ports/textproc_libxml2/options << "EOF"
_OPTIONS_READ=libxml2-2.9.3
_FILE_COMPLETE_OPTIONS_LIST=MEM_DEBUG SCHEMA THREADS THREAD_ALLOC VALID XMLLINT_HIST
OPTIONS_FILE_UNSET+=MEM_DEBUG
OPTIONS_FILE_SET+=SCHEMA
OPTIONS_FILE_SET+=THREADS
OPTIONS_FILE_UNSET+=THREAD_ALLOC
OPTIONS_FILE_SET+=VALID
OPTIONS_FILE_UNSET+=XMLLINT_HIST
EOF

mkdir -p /var/db/ports/devel_bison
cat > /var/db/ports/devel_bison/options << "EOF"
_OPTIONS_READ=bison-2.7.1
_FILE_COMPLETE_OPTIONS_LIST=EXAMPLES NLS
OPTIONS_FILE_SET+=EXAMPLES
OPTIONS_FILE_SET+=NLS
EOF

mkdir -p /var/db/ports/textproc_py-docutils
cat > /var/db/ports/textproc_py-docutils/options << "EOF"
_OPTIONS_READ=py27-docutils-0.12
_FILE_COMPLETE_OPTIONS_LIST=PYGMENTS
OPTIONS_FILE_SET+=PYGMENTS
EOF

mkdir -p /var/db/ports/devel_py-babel
cat > /var/db/ports/devel_py-babel/options << "EOF"
_OPTIONS_READ=py27-Babel-2.3.3
_FILE_COMPLETE_OPTIONS_LIST=DOCS
OPTIONS_FILE_SET+=DOCS
EOF

mkdir -p /var/db/ports/devel_py-Jinja2
cat > /var/db/ports/devel_py-Jinja2/options << "EOF"
_OPTIONS_READ=py27-Jinja2-2.8
_FILE_COMPLETE_OPTIONS_LIST=BABEL EXAMPLES
OPTIONS_FILE_SET+=BABEL
OPTIONS_FILE_SET+=EXAMPLES
EOF

mkdir -p /var/db/ports/devel_cmake
cat > /var/db/ports/devel_cmake/options << "EOF"
_OPTIONS_READ=cmake-3.5.2
_FILE_COMPLETE_OPTIONS_LIST=DOCS MANPAGES
OPTIONS_FILE_SET+=DOCS
OPTIONS_FILE_SET+=MANPAGES
EOF

mkdir -p /var/db/ports/databases_mysql57-server
cat > /var/db/ports/databases_mysql57-server/options << "EOF"
_OPTIONS_READ=mysql57-server-5.7.12
_FILE_COMPLETE_OPTIONS_LIST= ARCHIVE BLACKHOLE EXAMPLE FEDERATED INNOBASE PARTITION PERFSCHEMA PERFSCHM
OPTIONS_FILE_SET+=ARCHIVE
OPTIONS_FILE_SET+=BLACKHOLE
OPTIONS_FILE_UNSET+=EXAMPLE
OPTIONS_FILE_SET+=FEDERATED
OPTIONS_FILE_SET+=INNOBASE
OPTIONS_FILE_SET+=PARTITION
OPTIONS_FILE_SET+=PERFSCHEMA
OPTIONS_FILE_SET+=PERFSCHM
EOF

cd /usr/ports/databases/mysql57-client
make config-recursive all install clean-depends clean

cd /usr/ports/databases/mysql57-server
make config-recursive all install clean-depends clean


cp -a /var/db/mysql* /data/db/

echo 'mysql_enable="YES"' >> /etc/rc.conf
echo 'mysql_limits="YES"' >> /etc/rc.conf
echo 'mysql_dbdir="/data/db/mysql"' >> /etc/rc.conf
echo 'mysql_optfile="/usr/local/etc/mysql/my.cnf"' >> /etc/rc.conf

Configuring MySQL

Note: The configuration is based on this forum post.

cat > /usr/local/etc/mysql/my.cnf << "EOF"
[client]
port                            = 3306
socket                          = /tmp/mysql.sock

[mysql]
prompt                          = \u@\h [\d]>\_
no_auto_rehash

[mysqld]
user                            = mysql
port                            = 3306
socket                          = /tmp/mysql.sock
bind-address                    = 127.0.0.1
basedir                         = /usr/local
datadir                         = /data/db/mysql
tmpdir                          = /data/db/mysql_tmpdir
slave-load-tmpdir               = /data/db/mysql_tmpdir
secure-file-priv                = /data/db/mysql_secure
log-bin                         = mysql-bin
log-output                      = TABLE
master-info-repository          = TABLE
relay-log-info-repository       = TABLE
relay-log-recovery              = 1
slow-query-log                  = 1
server-id                       = 1
sync_binlog                     = 1
sync_relay_log                  = 1
binlog_cache_size               = 16M
expire_logs_days                = 30
default_password_lifetime       = 0
enforce-gtid-consistency        = 1
gtid-mode                       = ON
safe-user-create                = 1
lower_case_table_names          = 1
explicit-defaults-for-timestamp = 1
myisam-recover-options          = BACKUP,FORCE
open_files_limit                = 32768
table_open_cache                = 16384
table_definition_cache          = 8192
net_retry_count                 = 16384
key_buffer_size                 = 256M
max_allowed_packet              = 64M
query_cache_type                = 0
query_cache_size                = 0
long_query_time                 = 0.5
innodb_buffer_pool_size         = 1G
innodb_data_home_dir            = /data/db/mysql
innodb_log_group_home_dir       = /data/db/mysql
innodb_data_file_path           = ibdata1:128M:autoextend
innodb_temp_data_file_path      = ibtmp1:128M:autoextend
innodb_flush_method             = O_DIRECT
innodb_log_file_size            = 256M
innodb_log_buffer_size          = 16M
innodb_write_io_threads         = 8
innodb_read_io_threads          = 8
innodb_autoinc_lock_mode        = 2
skip-symbolic-links

[mysqldump]
max_allowed_packet              = 256M
quote_names
quick
EOF

chmod 0640 /usr/local/etc/mysql/my.cnf
chown mysql:mysql /usr/local/etc/mysql/my.cnf
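As an added example, not from the HowTo: a read-only audit of the [mysqld] section of a my.cnf for the settings above that limit exposure (bind-address, secure-file-priv, skip-symbolic-links, safe-user-create, sync_binlog). The function names mycnf_mysqld_section, mycnf_check and mycnf_audit are my own, and the sample my.cnf at the bottom is constructed, not the one above:

```sh
#!/bin/sh
# Added example, not part of the HowTo. It only reads the file, so it can be run
# against /usr/local/etc/mysql/my.cnf before the first start of the server.

# mycnf_mysqld_section FILE: print the [mysqld] section as KEY=VALUE lines with
# comments dropped, whitespace around "=" removed and "-" in keys normalised to
# "_" (MySQL accepts either spelling, so the audit must treat them alike).
mycnf_mysqld_section() {
    awk '
        /^\[/ { in_mysqld = ($1 == "[mysqld]"); next }
        in_mysqld && !/^[ \t]*[#;]/ && NF {
            sub(/[ \t]+$/, "")
            sub(/[ \t]*=[ \t]*/, "=")
            eq = index($0, "=")
            key = eq ? substr($0, 1, eq - 1) : $0
            gsub(/-/, "_", key)
            print (eq ? key substr($0, eq) : key)
        }' "$1"
}

# mycnf_check ERE MESSAGE: record a finding when no line of $section matches ERE.
mycnf_check() {
    printf '%s\n' "$section" | grep -Eq "$1" || { echo "$2"; findings=$((findings + 1)); }
}

# mycnf_audit FILE: print one line per finding; the return value is the count.
mycnf_audit() {
    section=$(mycnf_mysqld_section "$1")
    findings=0
    mycnf_check '^bind_address=127\.0\.0\.1$' \
        'bind-address is not 127.0.0.1: the server accepts TCP connections from the network'
    mycnf_check '^secure_file_priv=.+' \
        'secure-file-priv is unset: LOAD DATA INFILE / SELECT ... INTO OUTFILE may use any path'
    mycnf_check '^(skip_symbolic_links|symbolic_links=0)$' \
        'skip-symbolic-links missing: table files may be redirected outside datadir'
    mycnf_check '^safe_user_create=1$' \
        'safe-user-create is off: the GRANT privilege alone suffices to create new accounts'
    mycnf_check '^sync_binlog=1$' \
        'sync_binlog is not 1: the binary log can lose committed transactions on a crash'
    return "$findings"
}

# Constructed sample resembling an untouched default configuration (not the my.cnf above).
sample=$(mktemp)
cat > "$sample" <<'CNF'
[client]
socket = /tmp/mysql.sock

[mysqld]
user         = mysql
bind-address = 0.0.0.0
datadir      = /data/db/mysql
sync_binlog  = 0
CNF
mycnf_audit "$sample"
echo "findings: $?"
rm -f "$sample"
```

Run against the my.cnf above the audit reports nothing; the constructed sample produces five findings.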

Securing MySQL

MySQL is now started for the first time, which can take a few minutes because the InnoDB files are being created.

service mysql-server start

Finally, the plaintext MySQL root password from /root/.mysql_secret is stored encrypted in /root/.mylogin using mysql_config_editor, and /root/.mysql_secret is deleted as a precaution.

cat /root/.mysql_secret

mysql_config_editor set --login-path=client --host=localhost --user=root --password

rm /root/.mysql_secret

Dovecot

Installing Dovecot

mkdir -p /var/db/ports/mail_dovecot2
cat > /var/db/ports/mail_dovecot2/options << "EOF"
_OPTIONS_READ=dovecot2-2.2.24
_FILE_COMPLETE_OPTIONS_LIST=DOCS EXAMPLES KQUEUE LIBWRAP LZ4 SSL VPOPMAIL GSSAPI_NONE GSSAPI_BASE GSSAPI_HEIMDAL GSSAPI_MIT CDB LDAP MYSQL PGSQL SQLITE ICU LUCENE SOLR TEXTCAT
OPTIONS_FILE_SET+=DOCS
OPTIONS_FILE_SET+=EXAMPLES
OPTIONS_FILE_SET+=KQUEUE
OPTIONS_FILE_UNSET+=LIBWRAP
OPTIONS_FILE_UNSET+=LZ4
OPTIONS_FILE_SET+=SSL
OPTIONS_FILE_UNSET+=VPOPMAIL
OPTIONS_FILE_SET+=GSSAPI_NONE
OPTIONS_FILE_UNSET+=GSSAPI_BASE
OPTIONS_FILE_UNSET+=GSSAPI_HEIMDAL
OPTIONS_FILE_UNSET+=GSSAPI_MIT
OPTIONS_FILE_UNSET+=CDB
OPTIONS_FILE_UNSET+=LDAP
OPTIONS_FILE_UNSET+=MYSQL
OPTIONS_FILE_UNSET+=PGSQL
OPTIONS_FILE_UNSET+=SQLITE
OPTIONS_FILE_SET+=ICU
OPTIONS_FILE_UNSET+=LUCENE
OPTIONS_FILE_UNSET+=SOLR
OPTIONS_FILE_UNSET+=TEXTCAT
EOF

cd /usr/ports/mail/dovecot2
make config-recursive all install clean-depends clean

echo 'dovecot_enable="YES"' >> /etc/rc.conf

Configuring Dovecot

Set up dovecot.conf.

cat > /usr/local/etc/dovecot/dovecot.conf << "EOF"
auth_mechanisms = plain login
auth_verbose = yes
first_valid_gid = 5000
first_valid_uid = 5000
hostname = mail.example.org
imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags
last_valid_gid = 5000
last_valid_uid = 5000
lda_mailbox_autocreate = yes
lda_mailbox_autosubscribe = yes
lda_original_recipient_header = X-Original-To
listen = *, ::
login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c %k session=<%{session}>
mail_location = maildir:/data/vmail/%d/%n
namespace inbox {
  inbox = yes
  mailbox Archives {
    auto = subscribe
    special_use = \Archive
  }
  mailbox Drafts {
    auto = subscribe
    special_use = \Drafts
  }
  mailbox Junk {
    auto = subscribe
    special_use = \Junk
  }
  mailbox Sent {
    auto = subscribe
    special_use = \Sent
  }
  mailbox Trash {
    auto = subscribe
    special_use = \Trash
  }
}
passdb {
  args = scheme=ssha512 username_format=%u /usr/local/etc/dovecot/passwd
  default_fields = uid=5000 gid=5000 home=/data/vmail/%d/%n
  driver = passwd-file
  override_fields = uid=5000 gid=5000 home=/data/vmail/%d/%n
}
plugin {
  quota = maildir:User quota
  quota_rule = *:storage=1G
  quota_rule2 = Archive:storage=+1G
}
pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
postmaster_address = postmaster@example.org
protocol imap {
  mail_plugins = quota imap_quota
}
protocol pop3 {
  mail_plugins = quota
}
protocols = imap lmtp
quota_full_tempfail = yes
sendmail_path = /usr/local/sbin/sendmail
service auth {
  unix_listener /data/spool/postfix/private/auth {
    group = postfix
    user = postfix
    mode = 0660
  }
}
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
  }
  process_min_avail = 2
}
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 0
  }
}
ssl = required
ssl_ca = </data/pki/ca/component-ca-chain.pem
ssl_cert = </data/pki/certs/mail.example.org.crt
ssl_cipher_list = EECDH+CHACHA20 EECDH+AESGCM EECDH+AES256 EECDH+AES128 EDH+CHACHA20 EDH+AESGCM EDH+AES256 EDH+AES128 !aDSS !kECDHe !kECDHr !kDHd !kDHr !SEED !IDEA !RC2 !RC4 !eNULL !aNULL !MEDIUM !LOW !EXPORT
ssl_dh_parameters_length = 2048
ssl_key = </data/pki/private/mail.example.org.key
ssl_options = NO_COMPRESSION
ssl_parameters_regenerate = 6 hours
ssl_prefer_server_ciphers = yes
ssl_protocols = !SSLv2 !SSLv3
userdb {
  args = username_format=%u /usr/local/etc/dovecot/passwd
  default_fields = uid=5000 gid=5000 home=/data/vmail/%d/%n
  driver = passwd-file
  override_fields = uid=5000 gid=5000 home=/data/vmail/%d/%n
}
verbose_proctitle = yes
verbose_ssl = yes
EOF

Set up /usr/local/etc/dovecot/passwd.

Creating new mail users is automated with a script.

cat > /usr/local/etc/dovecot/create_mailuser.sh << "EOF"
#!/bin/sh
# Usage: create_mailuser.sh user@domain
# Generates a random 12-character password, hashes it with SSHA512 and appends
# the passwd-file entry expected by the passdb/userdb configured above.
passwd_file="/usr/local/etc/dovecot/passwd"
dovecot_user="$1"
[ -n "$dovecot_user" ] || { echo "usage: $0 user@domain" >&2; exit 1; }
# Refuse a second entry for an existing user: the first matching line wins.
grep -q "^${dovecot_user}:" "$passwd_file" 2>/dev/null && { echo "$dovecot_user already exists in $passwd_file" >&2; exit 1; }
dovecot_pass="$(openssl rand -hex 64 | openssl passwd -1 -stdin | tr -cd '[[:alnum:]]' | sed -e 's/^1//' | fold -w 12 | head -n 1)"
# doveadm pw -p takes the password as an argument, so it is briefly visible in the process list.
dovecot_hash="$(doveadm pw -s SSHA512 -p "$dovecot_pass")"
echo "Password for $dovecot_user is: $dovecot_pass"
echo "$dovecot_user:$dovecot_hash:5000:5000::/data/vmail/%d/%n::" >> "$passwd_file"
EOF

chmod 0755 /usr/local/etc/dovecot/create_mailuser.sh

# create admin@example.org
/usr/local/etc/dovecot/create_mailuser.sh admin@example.org
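As an added example, not from the HowTo: a lint for the passwd-file that the script appends to. The passdb and userdb blocks above consume that file as-is, so a duplicate user, a hash in a scheme other than SSHA512 or a stray uid/gid only shows up when logins misbehave. The function name dovecot_passwd_lint is my own, and the sample file (including its hash strings) is constructed:

```sh
#!/bin/sh
# Added example, not part of the HowTo. Expected line layout, as written by
# create_mailuser.sh above:
#   user@domain:{SSHA512}<base64>:5000:5000::/data/vmail/%d/%n::
# dovecot_passwd_lint FILE prints one line per problem and returns 1 if any.
dovecot_passwd_lint() {
    awk -F: '
        NF != 8 { printf "line %d: expected 8 colon-separated fields, got %d\n", NR, NF; bad++; next }
        $1 !~ /^[^@]+@[^@]+$/ { printf "line %d: user \"%s\" is not user@domain\n", NR, $1; bad++ }
        seen[$1]++ { printf "line %d: duplicate entry for %s (Dovecot uses the first match)\n", NR, $1; bad++ }
        substr($2, 1, 9) != "{SSHA512}" {
            s = "(none)"
            if (substr($2, 1, 1) == "{" && index($2, "}")) s = substr($2, 1, index($2, "}"))
            printf "line %d: %s uses scheme %s, expected {SSHA512}\n", NR, $1, s; bad++
        }
        $3 != 5000 || $4 != 5000 { printf "line %d: %s has uid/gid %s/%s, expected 5000/5000\n", NR, $1, $3, $4; bad++ }
        $6 !~ /^\/data\/vmail\// { printf "line %d: %s home \"%s\" is outside /data/vmail\n", NR, $1, $6; bad++ }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Constructed sample: a good entry, an accidental second run for the same user,
# and an entry that was added by hand with a plaintext scheme and the wrong ids.
sample=$(mktemp)
cat > "$sample" <<'PW'
admin@example.org:{SSHA512}CONSTRUCTEDHASH1:5000:5000::/data/vmail/%d/%n::
admin@example.org:{SSHA512}CONSTRUCTEDHASH2:5000:5000::/data/vmail/%d/%n::
bob@example.org:{PLAIN}@PASSWORD@:1000:1000::/data/vmail/%d/%n::
PW
dovecot_passwd_lint "$sample"
echo "lint exit status: $?"
rm -f "$sample"
```

Run it against /usr/local/etc/dovecot/passwd after each batch of create_mailuser.sh calls; a clean file produces no output and exit status 0.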

Postfix

Installing Postfix

mkdir -p /var/db/ports/security_cyrus-sasl2
cat > /var/db/ports/security_cyrus-sasl2/options << "EOF"
_OPTIONS_READ=cyrus-sasl-2.1.26
_FILE_COMPLETE_OPTIONS_LIST=ALWAYSTRUE AUTHDAEMOND DOCS KEEP_DB_OPEN  OBSOLETE_CRAM_ATTR MYSQL PGSQL BDB1 BDB GDBM SQLITE2 SQLITE3 ANONYMOUS CRAM DIGEST LOGIN NTLM OTP PLAIN SCRAM
OPTIONS_FILE_UNSET+=ALWAYSTRUE
OPTIONS_FILE_UNSET+=AUTHDAEMOND
OPTIONS_FILE_SET+=DOCS
OPTIONS_FILE_UNSET+=KEEP_DB_OPEN
OPTIONS_FILE_UNSET+=OBSOLETE_CRAM_ATTR
OPTIONS_FILE_UNSET+=MYSQL
OPTIONS_FILE_UNSET+=PGSQL
OPTIONS_FILE_UNSET+=BDB1
OPTIONS_FILE_SET+=BDB
OPTIONS_FILE_UNSET+=GDBM
OPTIONS_FILE_UNSET+=SQLITE2
OPTIONS_FILE_UNSET+=SQLITE3
OPTIONS_FILE_SET+=ANONYMOUS
OPTIONS_FILE_SET+=CRAM
OPTIONS_FILE_SET+=DIGEST
OPTIONS_FILE_SET+=LOGIN
OPTIONS_FILE_SET+=NTLM
OPTIONS_FILE_SET+=OTP
OPTIONS_FILE_SET+=PLAIN
OPTIONS_FILE_SET+=SCRAM
EOF

mkdir -p /var/db/ports/devel_pcre
cat > /var/db/ports/devel_pcre/options << "EOF"
_OPTIONS_READ=pcre-8.38
_FILE_COMPLETE_OPTIONS_LIST=DOCS LIBEDIT READLINE STACK_RECURSION
OPTIONS_FILE_SET+=DOCS
OPTIONS_FILE_SET+=LIBEDIT
OPTIONS_FILE_UNSET+=READLINE
OPTIONS_FILE_SET+=STACK_RECURSION
EOF

mkdir -p /var/db/ports/mail_postfix
cat > /var/db/ports/mail_postfix/options << "EOF"
_OPTIONS_READ=postfix-3.1.0
_FILE_COMPLETE_OPTIONS_LIST=BDB CDB DOCS INST_BASE LDAP LDAP_SASL LMDB MYSQL NIS PCRE PGSQL SASL SQLITE TEST TLS SASLKRB5 SASLKMIT
OPTIONS_FILE_UNSET+=BDB
OPTIONS_FILE_SET+=CDB
OPTIONS_FILE_SET+=DOCS
OPTIONS_FILE_UNSET+=INST_BASE
OPTIONS_FILE_UNSET+=LDAP
OPTIONS_FILE_UNSET+=LDAP_SASL
OPTIONS_FILE_UNSET+=LMDB
OPTIONS_FILE_UNSET+=MYSQL
OPTIONS_FILE_UNSET+=NIS
OPTIONS_FILE_SET+=PCRE
OPTIONS_FILE_UNSET+=PGSQL
OPTIONS_FILE_SET+=SASL
OPTIONS_FILE_UNSET+=SQLITE
OPTIONS_FILE_UNSET+=TEST
OPTIONS_FILE_SET+=TLS
OPTIONS_FILE_UNSET+=SASLKRB5
OPTIONS_FILE_UNSET+=SASLKMIT
EOF

cd /usr/ports/mail/postfix
make config-recursive all install clean-depends clean

echo 'postfix_enable="YES"' >> /etc/rc.conf

We want to enable Postfix in /etc/mail/mailer.conf.

Next we completely disable the sendmail that is installed by default.

cat >> /etc/periodic.conf << "EOF"
daily_clean_hoststat_enable="NO"
daily_status_mail_rejects_enable="NO"
daily_status_include_submit_mailq="NO"
daily_submit_queuerun="NO"
EOF
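As an added example, not from the HowTo: the two steps above (point /etc/mail/mailer.conf at Postfix, switch the base system's sendmail off) as one idempotent helper. mailer.conf is the table mailwrapper(8) uses to dispatch the sendmail-compatible command names, and sendmail_enable="NONE" in rc.conf disables every sendmail instance at once. The function names switch_mta_to_postfix and mta_is_postfix are my own; the optional ROOT argument exists so the demonstration can run against a scratch tree instead of /:

```sh
#!/bin/sh
# Added example, not part of the HowTo.
# switch_mta_to_postfix [ROOT]: write mailer.conf and the rc.conf knob under ROOT (default: /).
switch_mta_to_postfix() {
    root="${1:-}"
    mkdir -p "$root/etc/mail"
    cat > "$root/etc/mail/mailer.conf" <<'MC'
# Use Postfix for everything that calls the sendmail-compatible front ends.
sendmail    /usr/local/sbin/sendmail
send-mail   /usr/local/sbin/sendmail
mailq       /usr/local/sbin/sendmail
newaliases  /usr/local/sbin/sendmail
MC
    # Remove earlier sendmail_* knobs so the final value cannot be shadowed,
    # then append the single setting that disables all sendmail instances.
    if [ -f "$root/etc/rc.conf" ]; then
        grep -v '^sendmail_' "$root/etc/rc.conf" > "$root/etc/rc.conf.new" || true
        mv "$root/etc/rc.conf.new" "$root/etc/rc.conf"
    fi
    echo 'sendmail_enable="NONE"' >> "$root/etc/rc.conf"
}

# mta_is_postfix [ROOT]: exit 0 when both files say Postfix is the MTA.
mta_is_postfix() {
    root="${1:-}"
    grep -Eq '^sendmail[[:space:]]+/usr/local/sbin/sendmail$' "$root/etc/mail/mailer.conf" &&
    grep -qx 'sendmail_enable="NONE"' "$root/etc/rc.conf"
}

# Demonstration against a scratch tree (constructed starting state); on the
# real host call switch_mta_to_postfix without an argument.
demo=$(mktemp -d)
mkdir -p "$demo/etc"
echo 'sendmail_enable="YES"' > "$demo/etc/rc.conf"
switch_mta_to_postfix "$demo"
mta_is_postfix "$demo" && echo "Postfix is now the MTA under $demo"
rm -rf "$demo"
```

After running it on the real host, "service sendmail stop" ends the instances still running, and the periodic.conf lines above stop the daily sendmail jobs from complaining about the missing queue.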

Configuring Postfix

Set up main.cf.

cat > /usr/local/etc/postfix/main.cf << "EOF"
always_add_missing_headers = yes
allow_percent_hack = no
biff = no
compatibility_level = 2
data_directory = /data/db/postfix
disable_vrfy_command = yes
dovecot_destination_recipient_limit = 1
enable_long_queue_ids = yes
fast_flush_domains =
home_mailbox = .maildir/
inet_interfaces = all
inet_protocols = all
lmtp_tls_mandatory_protocols = !SSLv2, !SSLv3
lmtp_tls_protocols = !SSLv2, !SSLv3
local_header_rewrite_clients = permit_mynetworks, permit_sasl_authenticated
mail_spool_directory = /data/vmail
mailbox_size_limit = 0
masquerade_domains = $mydomain
masquerade_exceptions = root, mailer-daemon
message_size_limit = 0
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = example.org
myhostname = mail.$mydomain
mynetworks_style = host
notify_classes = data, protocol, resource, software
openssl_path = /usr/local/bin/openssl
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites =
  zen.spamhaus.org*3
  bl.mailspike.net*3
  ix.dnsbl.manitu.net*2
  bl.spameatingmonkey.net*1
  cbl.abuseat.org*1
  bl.spamcop.net*1
  swl.spamhaus.org*-10
  wl.mailspike.net*-10
postscreen_dnsbl_threshold = 5
postscreen_greet_action = enforce
postscreen_non_smtp_command_enable = yes
postscreen_pipelining_enable = yes
queue_directory = /data/spool/postfix
recipient_delimiter = +
remote_header_rewrite_domain = domain.invalid
show_user_unknown_table_name = no
smtp_dns_support_level = enabled
smtp_tls_CAfile = /usr/local/share/certs/ca-root-nss.crt
smtp_tls_ciphers = medium
smtp_tls_exclude_ciphers = aDSS, kECDHe, kECDHr, kDHd, kDHr, SEED, IDEA, RC2, RC4, eNULL, aNULL, MEDIUM, LOW, EXPORT
smtp_tls_loglevel = 1
smtp_tls_mandatory_ciphers = medium
smtp_tls_mandatory_exclude_ciphers = aDSS, kECDHe, kECDHr, kDHd, kDHr, SEED, IDEA, RC2, RC4, eNULL, aNULL, MEDIUM, LOW, EXPORT
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2, !SSLv3
smtp_tls_security_level = may
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
#smtpd_client_auth_rate_limit = 20
smtpd_client_port_logging = yes
smtpd_client_restrictions =
  sleep 1,
  permit
smtpd_data_restrictions =
  reject_unauth_pipelining,
  reject_multi_recipient_bounce,
  permit
smtpd_end_of_data_restrictions =
  permit
smtpd_etrn_restrictions =
  reject
smtpd_helo_required = yes
smtpd_helo_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_invalid_helo_hostname,
  reject_non_fqdn_helo_hostname,
  permit
smtpd_recipient_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  reject_non_fqdn_recipient,
  reject_unknown_recipient_domain,
  check_recipient_mx_access cidr:${config_directory}/mx_access,
  check_recipient_access pcre:${config_directory}/recipient_checks.pcre,
  permit
smtpd_relay_restrictions =
  permit_mynetworks,
  permit_sasl_authenticated,
  defer_unauth_destination,
  permit
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = private/auth
smtpd_sasl_type = dovecot
smtpd_sender_restrictions =
  reject_non_fqdn_sender,
  reject_unknown_sender_domain,
  permit
smtpd_tls_CAfile = /data/pki/ca/component-ca-chain.pem
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /data/pki/certs/mail.example.org.crt
smtpd_tls_ciphers = medium
smtpd_tls_eecdh_grade = strong
smtpd_tls_exclude_ciphers = aDSS, kECDHe, kECDHr, kDHd, kDHr, SEED, IDEA, RC2, RC4, eNULL, aNULL, MEDIUM, LOW, EXPORT
smtpd_tls_key_file = /data/pki/private/mail.example.org.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = medium
smtpd_tls_mandatory_exclude_ciphers = aDSS, kECDHe, kECDHr, kDHd, kDHr, SEED, IDEA, RC2, RC4, eNULL, aNULL, MEDIUM, LOW, EXPORT
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3
smtpd_tls_received_header = yes
smtpd_tls_security_level = may
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
strict_rfc821_envelopes = yes
tls_daemon_random_bytes = 64
tls_high_cipherlist = EECDH+CHACHA20 EECDH+AESGCM EECDH+AES256 EECDH+AES128 EECDH+3DES EDH+CHACHA20 EDH+AESGCM EDH+AES256 EDH+AES128 EDH+3DES
tls_medium_cipherlist = EECDH+CHACHA20 EECDH+AESGCM EECDH+AES256 EECDH+AES128 EECDH+3DES EDH+CHACHA20 EDH+AESGCM EDH+AES256 EDH+AES128 EDH+3DES AESGCM AES256 AES128 3DES
tls_preempt_cipherlist = yes
tls_random_bytes = 64
tls_ssl_options = NO_COMPRESSION
tlsproxy_tls_mandatory_protocols = $smtpd_tls_mandatory_protocols
tlsproxy_tls_protocols = $smtpd_tls_protocols
unknown_local_recipient_reject_code = 450
virtual_alias_domains = hash:${config_directory}/virtual_alias_domains
virtual_alias_maps = hash:${config_directory}/virtual_alias_maps
virtual_gid_maps = static:5000
virtual_mailbox_base = /data/vmail
virtual_mailbox_domains = hash:${config_directory}/virtual_mailbox_domains
virtual_mailbox_limit = 0
virtual_mailbox_maps = hash:${config_directory}/virtual_mailbox_maps
virtual_minimum_uid = 5000
virtual_transport = dovecot
virtual_uid_maps = static:5000
EOF

Set up master.cf.

cat > /usr/local/etc/postfix/master.cf << "EOF"
#
# Postfix master process configuration file.  For details on the format
# of the file, see the master(5) manual page (command: "man 5 master" or
# on-line: http://www.postfix.org/master.5.html).
#
# Do not forget to execute "postfix reload" after editing this file.
#
# ==========================================================================
# service type  private unpriv  chroot  wakeup  maxproc command + args
#               (yes)   (yes)   (no)    (never) (100)
# ==========================================================================
#smtp      inet  n       -       n       -       -       smtpd
smtp      inet  n       -       n       -       1       postscreen
smtpd     pass  -       -       n       -       -       smtpd
dnsblog   unix  -       -       n       -       0       dnsblog
tlsproxy  unix  -       -       n       -       0       tlsproxy
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
  -o milter_macro_daemon_name=ORIGINATING
#smtps     inet  n       -       n       -       -       smtpd
#  -o syslog_name=postfix/smtps
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
#  -o smtpd_reject_unlisted_recipient=no
#  -o smtpd_client_restrictions=$mua_client_restrictions
#  -o smtpd_helo_restrictions=$mua_helo_restrictions
#  -o smtpd_sender_restrictions=$mua_sender_restrictions
#  -o smtpd_recipient_restrictions=
#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
#628       inet  n       -       n       -       -       qmqpd
pickup    unix  n       -       n       60      1       pickup
cleanup   unix  n       -       n       -       0       cleanup
qmgr      unix  n       -       n       300     1       qmgr
#qmgr     unix  n       -       n       300     1       oqmgr
tlsmgr    unix  -       -       n       1000?   1       tlsmgr
rewrite   unix  -       -       n       -       -       trivial-rewrite
bounce    unix  -       -       n       -       0       bounce
defer     unix  -       -       n       -       0       bounce
trace     unix  -       -       n       -       0       bounce
verify    unix  -       -       n       -       1       verify
flush     unix  n       -       n       1000?   0       flush
proxymap  unix  -       -       n       -       -       proxymap
proxywrite unix -       -       n       -       1       proxymap
smtp      unix  -       -       n       -       -       smtp
relay     unix  -       -       n       -       -       smtp
#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
showq     unix  n       -       n       -       -       showq
error     unix  -       -       n       -       -       error
retry     unix  -       -       n       -       -       error
discard   unix  -       -       n       -       -       discard
local     unix  -       n       n       -       -       local
virtual   unix  -       n       n       -       -       virtual
lmtp      unix  -       -       n       -       -       lmtp
anvil     unix  -       -       n       -       1       anvil
scache    unix  -       -       n       -       1       scache
#
# ====================================================================
# Interfaces to non-Postfix software. Be sure to examine the manual
# pages of the non-Postfix software to find out what options it wants.
#
# Many of the following services use the Postfix pipe(8) delivery
# agent.  See the pipe(8) man page for information about ${recipient}
# and other message envelope options.
# ====================================================================
#
# maildrop. See the Postfix MAILDROP_README file for details.
# Also specify in main.cf: maildrop_destination_recipient_limit=1
#
#maildrop  unix  -       n       n       -       -       pipe
#  flags=DRhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
#
# ====================================================================
#
# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
#
# Specify in cyrus.conf:
#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
#
# Specify in main.cf one or more of the following:
#  mailbox_transport = lmtp:inet:localhost
#  virtual_transport = lmtp:inet:localhost
#
# ====================================================================
#
# Cyrus 2.1.5 (Amos Gouaux)
# Also specify in main.cf: cyrus_destination_recipient_limit=1
#
#cyrus     unix  -       n       n       -       -       pipe
#  user=cyrus argv=/cyrus/bin/deliver -e -r ${sender} -m ${extension} ${user}
#
# ====================================================================
#
# Old example of delivery via Cyrus.
#
#old-cyrus unix  -       n       n       -       -       pipe
#  flags=R user=cyrus argv=/cyrus/bin/deliver -e -m ${extension} ${user}
#
# ====================================================================
#
# See the Postfix UUCP_README file for configuration details.
#
#uucp      unix  -       n       n       -       -       pipe
#  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
#
# ====================================================================
#
# Other external delivery methods.
#
#ifmail    unix  -       n       n       -       -       pipe
#  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
#
#bsmtp     unix  -       n       n       -       -       pipe
#  flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
#
#scalemail-backend unix -       n       n       -       2       pipe
#  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
#  ${nexthop} ${user} ${extension}
#
#mailman   unix  -       n       n       -       -       pipe
#  flags=FR user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
#  ${nexthop} ${user}
#
dovecot   unix  -       n       n       -       -       pipe
   flags=DRhu user=vmail:vmail argv=/usr/local/libexec/dovecot/dovecot-lda
   -f ${sender} -a ${recipient} -d ${user}@${nexthop}
EOF

Set up /usr/local/etc/postfix/virtual_*.

cat > /usr/local/etc/postfix/virtual_alias_domains << "EOF"
EOF

cat > /usr/local/etc/postfix/virtual_alias_maps << "EOF"
root@example.org          admin@example.org
postmaster@example.org    admin@example.org
hostmaster@example.org    admin@example.org
abuse@example.org         admin@example.org
security@example.org      admin@example.org
webmaster@example.org     admin@example.org
EOF

cat > /usr/local/etc/postfix/virtual_mailbox_domains << "EOF"
example.org               OK
EOF

cat > /usr/local/etc/postfix/virtual_mailbox_maps << "EOF"
admin@example.org         example.org/admin/
EOF

postmap /usr/local/etc/postfix/virtual_alias_domains
postmap /usr/local/etc/postfix/virtual_alias_maps
postmap /usr/local/etc/postfix/virtual_mailbox_domains
postmap /usr/local/etc/postfix/virtual_mailbox_maps

Set up the transport map.

cat >> /usr/local/etc/postfix/transport << "EOF"
"EOF"

postmap /usr/local/etc/postfix/transport

Set up restrictions.

cat > /usr/local/etc/postfix/recipient_checks.pcre << "EOF"
/^\@/                 550 Invalid address format.
/[!%\@].*\@/          550 This server disallows weird address syntax.
/^postmaster\@/       OK
/^hostmaster\@/       OK
/^security\@/         OK
/^abuse\@/            OK
/^admin\@/            OK
"EOF"

cat > /usr/local/etc/postfix/mx_access << "EOF"
0.0.0.0/8                REJECT MX in RFC 1122 This Network Block
10.0.0.0/8               REJECT MX in RFC 1918 Private Network
100.64.0.0/10            REJECT MX in RFC 6598 Shared Address Space
127.0.0.0/8              REJECT MX in RFC 1122 Loopback Network
169.254.0.0/16           REJECT MX in RFC 3927 Link Local Network
172.16.0.0/12            REJECT MX in RFC 1918 Private Network
192.0.0.0/24             REJECT MX in RFC 6890 IETF Protocol Assignments Network
192.0.0.0/29             REJECT MX in RFC 6333 DS-Lite Network
192.0.2.0/24             REJECT MX in RFC 5737 Documentation (TEST-NET-1) Network
192.168.0.0/16           REJECT MX in RFC 1918 Private Network
198.18.0.0/15            REJECT MX in RFC 2544 Interconnect Device Benchmark Testing Network
198.51.100.0/24          REJECT MX in RFC 5737 Documentation (TEST-NET-2) Network
203.0.113.0/24           REJECT MX in RFC 5737 Documentation (TEST-NET-3) Network
224.0.0.0/4              REJECT MX in RFC 5771 Multicast Network
240.0.0.0/4              REJECT MX in RFC 1112 Reserved Network
255.255.255.255/32       REJECT MX in RFC 919  Limited Broadcast Destination Address
::/128                   REJECT MX in RFC 4291 Unspecified Address
::1/128                  REJECT MX in RFC 4291 Loopback Address
::ffff:0:0/96            REJECT MX in RFC 4291 IPv4-mapped Address
100::/64                 REJECT MX in RFC 6666 Discard-Only Network
2001::/23                REJECT MX in RFC 2928 IETF Protocol Assignments Network
2001::/32                REJECT MX in RFC 4380 TEREDO Network
2001:2::/48              REJECT MX in RFC 5180 Interconnect Device Benchmark Testing Network
2001:db8::/32            REJECT MX in RFC 3849 Documentation Network
fc00::/7                 REJECT MX in RFC 4193 Unique-Local Network
fe80::/10                REJECT MX in RFC 4291 Link-Scoped Unicast Network
ff00::/8                 REJECT MX in RFC 4291 Multicast Network
"EOF"

Neither of these two tables needs a postmap run: Postfix reads them directly when they are referenced in main.cf as pcre:/usr/local/etc/postfix/recipient_checks.pcre and cidr:/usr/local/etc/postfix/mx_access (for example in check_sender_mx_access). The CIDR notation in mx_access is understood only by a cidr: table; a hash: table compares its keys literally and would never match an MX address, so do not reference the file as hash:.
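Postfix consults pcre: and cidr: tables top-down and stops at the first matching line, so the order of the rules above decides the outcome (the special-address OK lines come after the syntax rejects, so postmaster@example.org@evil.com is still rejected). The script below is an added example and not code from the HowTo: it replays that first-match logic over the recipient_checks.pcre rules and a subset of mx_access, and also shows what a hash: lookup would do with the same CIDR-notation file. The addresses and MX IPs it looks up are constructed test data; the main.cf restriction lists that reference the tables are outside this section.

```python
"""Offline evaluation of the two Postfix restriction tables above.

Added example, not part of the HowTo. Postfix reads pcre: and cidr: tables
top-down and stops at the first matching line; this script reproduces that
for the recipient_checks.pcre rules and a subset of mx_access, and also
shows what a hash: lookup would do with the same CIDR-notation file.
The lookup keys (addresses, MX IPs) are constructed test data.
"""
import ipaddress
import re

# Copy of recipient_checks.pcre from the HowTo.
RECIPIENT_CHECKS_PCRE = r"""
/^\@/                 550 Invalid address format.
/[!%\@].*\@/          550 This server disallows weird address syntax.
/^postmaster\@/       OK
/^hostmaster\@/       OK
/^security\@/         OK
/^abuse\@/            OK
/^admin\@/            OK
"""

# Subset of mx_access from the HowTo, in the CIDR notation the file uses.
MX_ACCESS = """
10.0.0.0/8               REJECT MX in RFC 1918 Private Network
127.0.0.0/8              REJECT MX in RFC 1122 Loopback Network
192.168.0.0/16           REJECT MX in RFC 1918 Private Network
::1/128                  REJECT MX in RFC 4291 Loopback Address
fc00::/7                 REJECT MX in RFC 4193 Unique-Local Network
"""


def _entries(text):
    """Yield (key, result) for every non-empty, non-comment line."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, result = line.split(None, 1)
            yield key, result


def parse_pcre_table(text):
    """[(regex, result)] in file order. Postfix pcre: patterns are
    case-insensitive unless the i flag is toggled off; flags are not handled."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^/((?:\\.|[^/])*)/\s+(.*)$", line)
        if m is None:
            raise ValueError(f"unparsable pcre rule: {line!r}")
        rules.append((re.compile(m.group(1), re.IGNORECASE), m.group(2)))
    return rules


def lookup_pcre(rules, key):
    """First match wins; None means the key falls through to the next restriction."""
    for rx, result in rules:
        if rx.search(key):
            return result
    return None


def parse_cidr_table(text):
    return [(ipaddress.ip_network(k, strict=False), v) for k, v in _entries(text)]


def lookup_cidr(nets, addr):
    """cidr: semantics: first matching line in file order (not longest prefix)."""
    ip = ipaddress.ip_address(addr)
    for net, result in nets:
        if ip.version == net.version and ip in net:
            return result
    return None


def lookup_hash_ipv4(text, addr):
    """hash: semantics for an IPv4 key (access(5)): try the full address, then
    parent networks by dropping trailing octets. Keys in CIDR notation are
    never tried, so the file above yields nothing for any address."""
    keys = dict(_entries(text))
    octets = addr.split(".")
    for n in range(len(octets), 0, -1):
        candidate = ".".join(octets[:n])
        if candidate in keys:
            return keys[candidate]
    return None


def demo():
    """Run the sample lookups and return them as a dict for inspection."""
    pcre = parse_pcre_table(RECIPIENT_CHECKS_PCRE)
    cidr = parse_cidr_table(MX_ACCESS)
    return {
        "recipients": {
            k: lookup_pcre(pcre, k)
            for k in ("@example.org", "user%evil.com@example.org",
                      "postmaster@example.org@evil.com", "Postmaster@example.org",
                      "alice@example.org")
        },
        "mx cidr": {ip: lookup_cidr(cidr, ip)
                    for ip in ("10.1.2.3", "fd12::1", "203.0.113.10")},
        "mx hash": {ip: lookup_hash_ipv4(MX_ACCESS, ip) for ip in ("10.1.2.3",)},
    }


if __name__ == "__main__":
    for table, results in demo().items():
        for key, result in results.items():
            print(f"{table:11} {key:35} -> {result}")
```

On the live system the same checks are `postmap -q 'postmaster@example.org@evil.com' pcre:/usr/local/etc/postfix/recipient_checks.pcre` and `postmap -q 10.1.2.3 cidr:/usr/local/etc/postfix/mx_access`; running the second query against `hash:` instead returns nothing, which is the silent failure the script's lookup_hash_ipv4 reproduces.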

Final steps.

pw groupadd -n vmail -g 5000
pw useradd -n vmail -u 5000 -g vmail -c 'Virtual Mailuser' -d /nonexistent -s /usr/sbin/nologin

mkdir -p /data/vmail
chmod 0750 /data/vmail
chown vmail:vmail /data/vmail

cp -a /var/db/postfix /data/db/
cp -a /var/spool/postfix /data/spool/

Apache

Install Apache

mkdir -p /var/db/ports/devel_apr1
cat > /var/db/ports/devel_apr1/options << "EOF"
_OPTIONS_READ=apr-1.5.2.1.5.4
_FILE_COMPLETE_OPTIONS_LIST= SSL NSS IPV6 DEVRANDOM BDB GDBM LDAP MYSQL NDBM PGSQL SQLITE FREETDS
OPTIONS_FILE_SET+=SSL
OPTIONS_FILE_UNSET+=NSS
OPTIONS_FILE_SET+=IPV6
OPTIONS_FILE_SET+=DEVRANDOM
OPTIONS_FILE_SET+=BDB
OPTIONS_FILE_SET+=GDBM
OPTIONS_FILE_UNSET+=LDAP
OPTIONS_FILE_UNSET+=MYSQL
OPTIONS_FILE_UNSET+=NDBM
OPTIONS_FILE_UNSET+=PGSQL
OPTIONS_FILE_UNSET+=SQLITE
OPTIONS_FILE_UNSET+=FREETDS
"EOF"

mkdir -p /var/db/ports/www_apache24
cat > /var/db/ports/www_apache24/options << "EOF"
_OPTIONS_READ=apache24-2.4.20
_FILE_COMPLETE_OPTIONS_LIST=ACCESS_COMPAT ACTIONS ALIAS ALLOWMETHODS ASIS AUTHNZ_FCGI AUTHNZ_LDAP AUTHN_ANON AUTHN_CORE AUTHN_DBD AUTHN_DBM AUTHN_FILE AUTHN_SOCACHE AUTHZ_CORE AUTHZ_DBD AUTHZ_DBM AUTHZ_GROUPFILE AUTHZ_HOST AUTHZ_OWNER AUTHZ_USER AUTH_BASIC AUTH_DIGEST AUTH_FORM AUTOINDEX BUFFER CACHE CACHE_DISK CACHE_SOCACHE CERN_META CGI CGID CHARSET_LITE DATA DAV DAV_FS DAV_LOCK DBD DEFLATE DIALUP DIR DUMPIO ENV EXPIRES EXT_FILTER FILE_CACHE FILTER HEADERS HEARTBEAT HEARTMONITOR HTTP2 IDENT IMAGEMAP INCLUDE INFO IPV4_MAPPED LBMETHOD_BYBUSYNESS LBMETHOD_BYREQUESTS LBMETHOD_BYTRAFFIC LBMETHOD_HEARTBEAT LDAP LOGIO LOG_DEBUG LOG_FORENSIC LUA LUAJIT MACRO MIME MIME_MAGIC NEGOTIATION PROXY RATELIMIT REFLECTOR REMOTEIP REQTIMEOUT REQUEST REWRITE SED SESSION SETENVIF SLOTMEM_PLAIN SLOTMEM_SHM SOCACHE_DBM SOCACHE_DC SOCACHE_MEMCACHE SOCACHE_SHMCB SPELING SSL STATUS SUBSTITUTE SUEXEC UNIQUE_ID USERDIR USERTRACK VERSION VHOST_ALIAS WATCHDOG XML2ENC MPM_PREFORK MPM_WORKER MPM_EVENT MPM_SHARED PROXY_AJP PROXY_BALANCER PROXY_CONNECT PROXY_EXPRESS PROXY_FCGI  PROXY_FDPASS PROXY_FTP PROXY_HTTP PROXY_HTML PROXY_SCGI PROXY_WSTUNNEL  SESSION_COOKIE SESSION_CRYPTO SESSION_DBD  BUCKETEER CASE_FILTER CASE_FILTER_IN ECHO EXAMPLE_HOOKS EXAMPLE_IPC  OPTIONAL_FN_EXPORT OPTIONAL_FN_IMPORT OPTIONAL_HOOK_EXPORT  OPTIONAL_HOOK_IMPORT
OPTIONS_FILE_SET+=ACCESS_COMPAT
OPTIONS_FILE_SET+=ACTIONS
OPTIONS_FILE_SET+=ALIAS
OPTIONS_FILE_SET+=ALLOWMETHODS
OPTIONS_FILE_SET+=ASIS
OPTIONS_FILE_SET+=AUTHNZ_FCGI
OPTIONS_FILE_UNSET+=AUTHNZ_LDAP
OPTIONS_FILE_SET+=AUTHN_ANON
OPTIONS_FILE_SET+=AUTHN_CORE
OPTIONS_FILE_SET+=AUTHN_DBD
OPTIONS_FILE_SET+=AUTHN_DBM
OPTIONS_FILE_SET+=AUTHN_FILE
OPTIONS_FILE_SET+=AUTHN_SOCACHE
OPTIONS_FILE_SET+=AUTHZ_CORE
OPTIONS_FILE_SET+=AUTHZ_DBD
OPTIONS_FILE_SET+=AUTHZ_DBM
OPTIONS_FILE_SET+=AUTHZ_GROUPFILE
OPTIONS_FILE_SET+=AUTHZ_HOST
OPTIONS_FILE_SET+=AUTHZ_OWNER
OPTIONS_FILE_SET+=AUTHZ_USER
OPTIONS_FILE_SET+=AUTH_BASIC
OPTIONS_FILE_SET+=AUTH_DIGEST
OPTIONS_FILE_SET+=AUTH_FORM
OPTIONS_FILE_SET+=AUTOINDEX
OPTIONS_FILE_SET+=BUFFER
OPTIONS_FILE_SET+=CACHE
OPTIONS_FILE_SET+=CACHE_DISK
OPTIONS_FILE_SET+=CACHE_SOCACHE
OPTIONS_FILE_SET+=CERN_META
OPTIONS_FILE_SET+=CGI
OPTIONS_FILE_SET+=CGID
OPTIONS_FILE_UNSET+=CHARSET_LITE
OPTIONS_FILE_SET+=DATA
OPTIONS_FILE_SET+=DAV
OPTIONS_FILE_SET+=DAV_FS
OPTIONS_FILE_SET+=DAV_LOCK
OPTIONS_FILE_SET+=DBD
OPTIONS_FILE_SET+=DEFLATE
OPTIONS_FILE_UNSET+=DIALUP
OPTIONS_FILE_SET+=DIR
OPTIONS_FILE_SET+=DUMPIO
OPTIONS_FILE_SET+=ENV
OPTIONS_FILE_SET+=EXPIRES
OPTIONS_FILE_SET+=EXT_FILTER
OPTIONS_FILE_SET+=FILE_CACHE
OPTIONS_FILE_SET+=FILTER
OPTIONS_FILE_SET+=HEADERS
OPTIONS_FILE_UNSET+=HEARTBEAT
OPTIONS_FILE_UNSET+=HEARTMONITOR
OPTIONS_FILE_SET+=HTTP2
OPTIONS_FILE_UNSET+=IDENT
OPTIONS_FILE_SET+=IMAGEMAP
OPTIONS_FILE_SET+=INCLUDE
OPTIONS_FILE_SET+=INFO
OPTIONS_FILE_UNSET+=IPV4_MAPPED
OPTIONS_FILE_UNSET+=LBMETHOD_BYBUSYNESS
OPTIONS_FILE_UNSET+=LBMETHOD_BYREQUESTS
OPTIONS_FILE_UNSET+=LBMETHOD_BYTRAFFIC
OPTIONS_FILE_UNSET+=LBMETHOD_HEARTBEAT
OPTIONS_FILE_UNSET+=LDAP
OPTIONS_FILE_SET+=LOGIO
OPTIONS_FILE_SET+=LOG_DEBUG
OPTIONS_FILE_UNSET+=LOG_FORENSIC
OPTIONS_FILE_UNSET+=LUA
OPTIONS_FILE_UNSET+=LUAJIT
OPTIONS_FILE_SET+=MACRO
OPTIONS_FILE_SET+=MIME
OPTIONS_FILE_SET+=MIME_MAGIC
OPTIONS_FILE_SET+=NEGOTIATION
OPTIONS_FILE_SET+=PROXY
OPTIONS_FILE_SET+=RATELIMIT
OPTIONS_FILE_SET+=REFLECTOR
OPTIONS_FILE_SET+=REMOTEIP
OPTIONS_FILE_SET+=REQTIMEOUT
OPTIONS_FILE_SET+=REQUEST
OPTIONS_FILE_SET+=REWRITE
OPTIONS_FILE_UNSET+=SED
OPTIONS_FILE_SET+=SESSION
OPTIONS_FILE_SET+=SETENVIF
OPTIONS_FILE_SET+=SLOTMEM_PLAIN
OPTIONS_FILE_SET+=SLOTMEM_SHM
OPTIONS_FILE_SET+=SOCACHE_DBM
OPTIONS_FILE_UNSET+=SOCACHE_DC
OPTIONS_FILE_UNSET+=SOCACHE_MEMCACHE
OPTIONS_FILE_SET+=SOCACHE_SHMCB
OPTIONS_FILE_UNSET+=SPELING
OPTIONS_FILE_SET+=SSL
OPTIONS_FILE_SET+=STATUS
OPTIONS_FILE_SET+=SUBSTITUTE
OPTIONS_FILE_UNSET+=SUEXEC
OPTIONS_FILE_SET+=UNIQUE_ID
OPTIONS_FILE_SET+=USERDIR
OPTIONS_FILE_SET+=USERTRACK
OPTIONS_FILE_SET+=VERSION
OPTIONS_FILE_UNSET+=VHOST_ALIAS
OPTIONS_FILE_UNSET+=WATCHDOG
OPTIONS_FILE_SET+=XML2ENC
OPTIONS_FILE_UNSET+=MPM_PREFORK
OPTIONS_FILE_UNSET+=MPM_WORKER
OPTIONS_FILE_SET+=MPM_EVENT
OPTIONS_FILE_SET+=MPM_SHARED
OPTIONS_FILE_UNSET+=PROXY_AJP
OPTIONS_FILE_SET+=PROXY_BALANCER
OPTIONS_FILE_SET+=PROXY_CONNECT
OPTIONS_FILE_SET+=PROXY_EXPRESS
OPTIONS_FILE_SET+=PROXY_FCGI
OPTIONS_FILE_SET+=PROXY_FDPASS
OPTIONS_FILE_SET+=PROXY_FTP
OPTIONS_FILE_SET+=PROXY_HTTP
OPTIONS_FILE_SET+=PROXY_HTML
OPTIONS_FILE_SET+=PROXY_SCGI
OPTIONS_FILE_SET+=PROXY_WSTUNNEL
OPTIONS_FILE_SET+=SESSION_COOKIE
OPTIONS_FILE_SET+=SESSION_CRYPTO
OPTIONS_FILE_SET+=SESSION_DBD
OPTIONS_FILE_UNSET+=BUCKETEER
OPTIONS_FILE_UNSET+=CASE_FILTER
OPTIONS_FILE_UNSET+=CASE_FILTER_IN
OPTIONS_FILE_UNSET+=ECHO
OPTIONS_FILE_UNSET+=EXAMPLE_HOOKS
OPTIONS_FILE_UNSET+=EXAMPLE_IPC
OPTIONS_FILE_UNSET+=OPTIONAL_FN_EXPORT
OPTIONS_FILE_UNSET+=OPTIONAL_FN_IMPORT
OPTIONS_FILE_UNSET+=OPTIONAL_HOOK_EXPORT
OPTIONS_FILE_UNSET+=OPTIONAL_HOOK_IMPORT
"EOF"

cd /usr/ports/www/apache24
make config-recursive all install clean-depends clean

echo 'apache24_enable="YES"' >> /etc/rc.conf
echo 'apache24limits_enable="YES"' >> /etc/rc.conf
echo 'apache24_http_accept_enable="YES"' >> /etc/rc.conf

cat >> /etc/newsyslog.conf.d/apache24 << "EOF"
/var/log/httpd-*.log                    644  13    *    $W6D0 JCG   /var/run/httpd.pid
/data/www/vhosts/*/logs/*_log           644  24    *    $M1D0 JCG   /var/run/httpd.pid
"EOF"

Configure Apache

Create the directories for the first VirtualHosts.

mkdir -p /data/www/vhosts/_default_/logs
mkdir -p /data/www/vhosts/_default_/data
chmod 0750 /data/www/vhosts/_default_/data
chown www:www /data/www/vhosts/_default_/data

mkdir -p /data/www/vhosts/pki.example.org/logs
mkdir -p /data/www/vhosts/pki.example.org/data
chmod 0750 /data/www/vhosts/pki.example.org/data
chown www:www /data/www/vhosts/pki.example.org/data

mkdir -p /data/www/vhosts/www.example.org/logs
mkdir -p /data/www/vhosts/www.example.org/data
chmod 0750 /data/www/vhosts/www.example.org/data
chown www:www /data/www/vhosts/www.example.org/data

The following configuration uses the path /data/www/vhosts/_default_ for the default host and /data/www/vhosts/sub.domain.tld for the regular virtual hosts.
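The httpd.conf written in the next step denies everything under `<Directory "/">` and adds DirectoryMatch and FilesMatch deny sections on top. Two things are easy to get wrong there and worth checking before a reload: Options keywords must be either all signed (+/-) or all unsigned, otherwise httpd refuses to start, and a DirectoryMatch pattern is matched against the full filesystem path while a FilesMatch pattern sees only the basename, so a ^-anchored DirectoryMatch never fires. The lint below is an added example, not code from the HowTo; its sample configuration deliberately contains a mixed Options line and a ^-anchored DirectoryMatch, and its request paths are constructed under the /data/www/vhosts layout used here.

```python
"""Lint for two httpd.conf pitfalls, run against a constructed sample.

Added example, not part of the HowTo. It checks (1) Options lines that mix
signed (+/-) and unsigned keywords, which httpd rejects at start-up, and
(2) which DirectoryMatch/FilesMatch deny sections actually fire for a set
of sample paths: DirectoryMatch is tested against the full filesystem path,
FilesMatch against the basename only. Config and paths are constructed.
"""
import re

SAMPLE_CONF = r'''
<Directory "/">
    Options None +FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>
<DirectoryMatch "^[\._]">
    Require all denied
</DirectoryMatch>
<DirectoryMatch "/\.">
    Require all denied
</DirectoryMatch>
<FilesMatch "^[\._]">
    Require all denied
</FilesMatch>
<FilesMatch "(^#.*#|\.(bak|conf|dat|dist|fla|in[ci]|lock|log|orig|psd|sample|sh|sql|sw[op])|~)$">
    Require all denied
</FilesMatch>
'''

# Constructed request targets under the HowTo's vhost layout.
SAMPLE_PATHS = (
    "/data/www/vhosts/www.example.org/data/index.html",
    "/data/www/vhosts/www.example.org/data/.git/config",
    "/data/www/vhosts/www.example.org/data/.htpasswd",
    "/data/www/vhosts/www.example.org/data/config.php.bak",
    "/data/www/vhosts/_default_/data/index.html",
)

OPTIONS_RE = re.compile(r"^\s*Options\s+(.+?)\s*$", re.IGNORECASE | re.MULTILINE)
SECTION_RE = re.compile(
    r'<(DirectoryMatch|FilesMatch)\s+"((?:[^"\\]|\\.)*)"\s*>(.*?)</\1>', re.DOTALL)
DENY_RE = re.compile(r"^\s*Require\s+all\s+denied\s*$", re.IGNORECASE | re.MULTILINE)


def bad_options_lines(conf):
    """Arguments of every Options line that mixes +/- keywords with bare ones."""
    bad = []
    for m in OPTIONS_RE.finditer(conf):
        words = m.group(1).split()
        signed = [w for w in words if w[0] in "+-"]
        if signed and len(signed) != len(words):
            bad.append(m.group(1))
    return bad


def deny_rules(conf):
    """[(kind, regex)] for each *Match section whose body denies everything."""
    return [(kind, re.compile(pattern))
            for kind, pattern, body in SECTION_RE.findall(conf)
            if DENY_RE.search(body)]


def denied_by(rules, fs_path):
    """(kind, pattern) of every rule that would deny fs_path.

    httpd tests DirectoryMatch against each directory level of the path; for
    the unanchored patterns used here one search() over the whole directory
    part gives the same answer. FilesMatch only ever sees the basename."""
    directory, _, basename = fs_path.rpartition("/")
    return [(kind, rx.pattern) for kind, rx in rules
            if rx.search(directory if kind == "DirectoryMatch" else basename)]


def report(conf=SAMPLE_CONF, paths=SAMPLE_PATHS):
    rules = deny_rules(conf)
    hits = {hit for p in paths for hit in denied_by(rules, p)}
    return {
        "bad_options": bad_options_lines(conf),
        "denied": {p: denied_by(rules, p) for p in paths},
        # Deny sections that fired for no sample path at all: dead configuration.
        "never_matched": sorted({(k, rx.pattern) for k, rx in rules} - hits),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

`httpd -t` (or `apachectl configtest`) catches the Options error on the real file; the path check has no equivalent in httpd, which is why the lint evaluates the patterns itself. Run report() with your own httpd.conf text and a handful of real document-root paths: anything listed under never_matched is a deny rule that protects nothing.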

Set up httpd.conf.

cat > /usr/local/etc/apache24/httpd.conf << "EOF"
ServerRoot "/usr/local"
PidFile "/var/run/httpd.pid"
#LoadModule mpm_prefork_module libexec/apache24/mod_mpm_prefork.so
#LoadModule mpm_worker_module libexec/apache24/mod_mpm_worker.so
LoadModule mpm_event_module libexec/apache24/mod_mpm_event.so
LoadModule unixd_module libexec/apache24/mod_unixd.so
LoadModule authn_file_module libexec/apache24/mod_authn_file.so
#LoadModule authn_dbm_module libexec/apache24/mod_authn_dbm.so
#LoadModule authn_anon_module libexec/apache24/mod_authn_anon.so
#LoadModule authn_dbd_module libexec/apache24/mod_authn_dbd.so
#LoadModule authn_socache_module libexec/apache24/mod_authn_socache.so
LoadModule authn_core_module libexec/apache24/mod_authn_core.so
LoadModule authz_host_module libexec/apache24/mod_authz_host.so
LoadModule authz_groupfile_module libexec/apache24/mod_authz_groupfile.so
LoadModule authz_user_module libexec/apache24/mod_authz_user.so
#LoadModule authz_dbm_module libexec/apache24/mod_authz_dbm.so
#LoadModule authz_owner_module libexec/apache24/mod_authz_owner.so
#LoadModule authz_dbd_module libexec/apache24/mod_authz_dbd.so
LoadModule authz_core_module libexec/apache24/mod_authz_core.so
LoadModule access_compat_module libexec/apache24/mod_access_compat.so
LoadModule auth_basic_module libexec/apache24/mod_auth_basic.so
#LoadModule auth_form_module libexec/apache24/mod_auth_form.so
LoadModule auth_digest_module libexec/apache24/mod_auth_digest.so
LoadModule allowmethods_module libexec/apache24/mod_allowmethods.so
#LoadModule file_cache_module libexec/apache24/mod_file_cache.so
#LoadModule cache_module libexec/apache24/mod_cache.so
#LoadModule cache_disk_module libexec/apache24/mod_cache_disk.so
#LoadModule cache_socache_module libexec/apache24/mod_cache_socache.so
LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so
LoadModule socache_dbm_module libexec/apache24/mod_socache_dbm.so
#LoadModule socache_memcache_module libexec/apache24/mod_socache_memcache.so
#LoadModule macro_module libexec/apache24/mod_macro.so
#LoadModule dbd_module libexec/apache24/mod_dbd.so
#LoadModule dumpio_module libexec/apache24/mod_dumpio.so
#LoadModule buffer_module libexec/apache24/mod_buffer.so
#LoadModule data_module libexec/apache24/mod_data.so
#LoadModule ratelimit_module libexec/apache24/mod_ratelimit.so
LoadModule reqtimeout_module libexec/apache24/mod_reqtimeout.so
#LoadModule ext_filter_module libexec/apache24/mod_ext_filter.so
#LoadModule request_module libexec/apache24/mod_request.so
#LoadModule include_module libexec/apache24/mod_include.so
LoadModule filter_module libexec/apache24/mod_filter.so
#LoadModule reflector_module libexec/apache24/mod_reflector.so
#LoadModule substitute_module libexec/apache24/mod_substitute.so
#LoadModule sed_module libexec/apache24/mod_sed.so
LoadModule deflate_module libexec/apache24/mod_deflate.so
#LoadModule xml2enc_module libexec/apache24/mod_xml2enc.so
#LoadModule proxy_html_module libexec/apache24/mod_proxy_html.so
LoadModule mime_module libexec/apache24/mod_mime.so
LoadModule http2_module libexec/apache24/mod_http2.so
LoadModule log_config_module libexec/apache24/mod_log_config.so
#LoadModule log_debug_module libexec/apache24/mod_log_debug.so
#LoadModule logio_module libexec/apache24/mod_logio.so
#LoadModule lua_module libexec/apache24/mod_lua.so
LoadModule env_module libexec/apache24/mod_env.so
#LoadModule mime_magic_module libexec/apache24/mod_mime_magic.so
#LoadModule cern_meta_module libexec/apache24/mod_cern_meta.so
LoadModule expires_module libexec/apache24/mod_expires.so
LoadModule headers_module libexec/apache24/mod_headers.so
#LoadModule usertrack_module libexec/apache24/mod_usertrack.so
LoadModule unique_id_module libexec/apache24/mod_unique_id.so
LoadModule setenvif_module libexec/apache24/mod_setenvif.so
LoadModule version_module libexec/apache24/mod_version.so
#LoadModule remoteip_module libexec/apache24/mod_remoteip.so
LoadModule proxy_module libexec/apache24/mod_proxy.so
#LoadModule proxy_connect_module libexec/apache24/mod_proxy_connect.so
#LoadModule proxy_ftp_module libexec/apache24/mod_proxy_ftp.so
#LoadModule proxy_http_module libexec/apache24/mod_proxy_http.so
LoadModule proxy_fcgi_module libexec/apache24/mod_proxy_fcgi.so
#LoadModule proxy_scgi_module libexec/apache24/mod_proxy_scgi.so
#LoadModule proxy_wstunnel_module libexec/apache24/mod_proxy_wstunnel.so
#LoadModule proxy_ajp_module libexec/apache24/mod_proxy_ajp.so
#LoadModule proxy_balancer_module libexec/apache24/mod_proxy_balancer.so
#LoadModule proxy_express_module libexec/apache24/mod_proxy_express.so
#LoadModule session_module libexec/apache24/mod_session.so
#LoadModule session_cookie_module libexec/apache24/mod_session_cookie.so
#LoadModule session_crypto_module libexec/apache24/mod_session_crypto.so
#LoadModule slotmem_shm_module libexec/apache24/mod_slotmem_shm.so
#LoadModule slotmem_plain_module libexec/apache24/mod_slotmem_plain.so
LoadModule ssl_module libexec/apache24/mod_ssl.so
#LoadModule lbmethod_byrequests_module libexec/apache24/mod_lbmethod_byrequests.so
#LoadModule lbmethod_bytraffic_module libexec/apache24/mod_lbmethod_bytraffic.so
#LoadModule lbmethod_bybusyness_module libexec/apache24/mod_lbmethod_bybusyness.so
LoadModule dav_module libexec/apache24/mod_dav.so
LoadModule status_module libexec/apache24/mod_status.so
#LoadModule autoindex_module libexec/apache24/mod_autoindex.so
#LoadModule asis_module libexec/apache24/mod_asis.so
LoadModule info_module libexec/apache24/mod_info.so
<IfModule !mpm_prefork_module>
    LoadModule cgid_module libexec/apache24/mod_cgid.so
</IfModule>
<IfModule mpm_prefork_module>
    LoadModule cgi_module libexec/apache24/mod_cgi.so
</IfModule>
LoadModule dav_fs_module libexec/apache24/mod_dav_fs.so
LoadModule dav_lock_module libexec/apache24/mod_dav_lock.so
#LoadModule vhost_alias_module libexec/apache24/mod_vhost_alias.so
LoadModule negotiation_module libexec/apache24/mod_negotiation.so
LoadModule dir_module libexec/apache24/mod_dir.so
#LoadModule imagemap_module libexec/apache24/mod_imagemap.so
#LoadModule actions_module libexec/apache24/mod_actions.so
#LoadModule speling_module libexec/apache24/mod_speling.so
#LoadModule userdir_module libexec/apache24/mod_userdir.so
LoadModule alias_module libexec/apache24/mod_alias.so
LoadModule rewrite_module libexec/apache24/mod_rewrite.so
<IfModule mpm_prefork_module>
    StartServers                 16
    MinSpareServers              32
    MaxSpareServers              64
    MaxRequestWorkers           256
    MaxConnectionsPerChild     5000
</IfModule>
<IfModule mpm_worker_module>
    StartServers                 16
    ServerLimit                  64
    ThreadsPerChild              64
    ThreadLimit                 128
    MinSpareThreads             128
    MaxSpareThreads             256
    MaxRequestWorkers          1024
    MaxConnectionsPerChild     5000
</IfModule>
<IfModule mpm_event_module>
    StartServers                 16
    ServerLimit                  64
    ThreadsPerChild              64
    ThreadLimit                 128
    MinSpareThreads             128
    MaxSpareThreads             256
    MaxRequestWorkers          1024
    MaxConnectionsPerChild     5000
</IfModule>
<IfModule unixd_module>
    User www
    Group www
</IfModule>
<IfModule http2_module>
    Protocols h2 h2c http/1.1
    ProtocolsHonorOrder On
    H2Direct On
</IfModule>
<IfDefine NOHTTPACCEPT>
    AcceptFilter http none
    AcceptFilter https none
</IfDefine>
<IfModule log_config_module>
    <IfModule logio_module>
        LogFormat "%v %a %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    LogFormat "%v %a %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%v %a %h %l %u %t \"%r\" %>s %b" common
    <IfModule ssl_module>
        <IfModule logio_module>
            LogFormat "%v %a %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O %{SSL_PROTOCOL}x %{SSL_CIPHER}x" combinediossl
        </IfModule>
        LogFormat "%v %a %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %{SSL_PROTOCOL}x %{SSL_CIPHER}x" combinedssl
        LogFormat "%v %a %h %l %u %t \"%r\" %>s %b %{SSL_PROTOCOL}x %{SSL_CIPHER}x" commonssl
    </IfModule>
</IfModule>
LogLevel info
<IfModule ssl_module>
    Listen 443
</IfModule>
Listen 80
Timeout 60
KeepAlive On
KeepAliveTimeout 2
MaxKeepAliveRequests 100
UseCanonicalName On
# Double reverse-resolves every client address before the request is served:
# two DNS lookups per request and a hard dependency on a fast resolver.
# Off logs the address only and is the usual choice for a busy host.
HostnameLookups Double
# OS adds the operating system to the Server header; Prod limits it to "Apache".
ServerTokens OS
ServerSignature Off
AccessFileName .htaccess
AllowEncodedSlashes NoDecode
AddDefaultCharset UTF-8
<Directory "/">
    <IfModule allowmethods_module>
        AllowMethods GET POST OPTIONS
    </IfModule>
    # Options keywords must be either all signed (+/-) or all unsigned;
    # "Options None +FollowSymLinks" is rejected by httpd at start-up.
    Options FollowSymLinks
    AllowOverride None
    Require all denied
</Directory>
# DirectoryMatch is matched against the full filesystem path, so a pattern
# anchored with ^ can never match. "/\." denies dot directories such as
# .git or .svn anywhere below a DocumentRoot. A "/_" pattern is deliberately
# not used: it would also match /data/www/vhosts/_default_.
<DirectoryMatch "/\.">
    Require all denied
</DirectoryMatch>
# FilesMatch is matched against the basename only, so ^ works as intended.
<FilesMatch "^[\._]">
    Require all denied
</FilesMatch>
<FilesMatch "(^#.*#|\.(bak|conf|dat|dist|fla|in[ci]|lock|log|orig|psd|sample|sh|sql|sw[op])|~)$">
    Require all denied
</FilesMatch>
<IfModule setenvif_module>
    <IfModule headers_module>
        SetEnvIfNoCase ^(Accept-EncodXng|X-cept-Encoding|X{15}|~{15}|-{15})$ ^((gzip|deflate)\s*,?\s*)+|[X~-]{4,13}$ HAVE_Accept-Encoding
        RequestHeader append Accept-Encoding "gzip,deflate" env=HAVE_Accept-Encoding
    </IfModule>
</IfModule>
<IfModule reqtimeout_module>
    RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
</IfModule>
FileETag None
<IfModule headers_module>
    Header always unset ETag
    Header unset ETag
</IfModule>
<IfModule dir_module>
    DirectoryIndex index.html index.htm index.php
</IfModule>
<IfModule cgi_module>
    <FilesMatch "\.(cgi|pl|py|rb)$">
        SetHandler cgi-script
    </FilesMatch>
</IfModule>
<IfModule cgid_module>
    <FilesMatch "\.(cgi|pl|py|rb)$">
        SetHandler cgi-script
    </FilesMatch>
    Scriptsock "/var/run/cgisock"
</IfModule>
<IfModule include_module>
    AddOutputFilter INCLUDES .shtml
</IfModule>
<IfModule mime_module>
    TypesConfig "etc/apache24/mime.types"
    AddType application/pkcs8                           p8 key
    AddType application/pkcs10                          p10 csr
    AddType application/pkix-cert                       cer
    AddType application/pkix-crl                        crl
    AddType application/pkcs7-mime                      p7c
    AddType application/x-x509-ca-cert                  crt der
    AddType application/x-x509-user-cert                crt
    AddType application/x-pkcs7-crl                     crl
    AddType application/x-pem-file                      pem
    AddType application/x-pkcs12                        p12 pfx
    AddType application/x-pkcs7-certificates            p7b spc
    AddType application/x-pkcs7-certreqresp             p7r
    AddType application/x-gzip                          gz tgz
    AddType text/html                                   shtml
    AddType application/atom+xml                        atom
    AddType application/json                            json map topojson
    AddType application/ld+json                         jsonld
    AddType application/rss+xml                         rss
    AddType application/vnd.geo+json                    geojson
    AddType application/xml                             rdf xml
    AddType application/javascript                      js
    AddType application/manifest+json                   webmanifest
    AddType application/x-web-app-manifest+json         webapp
    AddType text/cache-manifest                         appcache
    AddType audio/mp4                                   f4a f4b m4a
    AddType audio/ogg                                   oga ogg opus
    AddType image/bmp                                   bmp
    AddType image/svg+xml                               svg svgz
    AddType image/webp                                  webp
    AddType video/mp4                                   f4v f4p m4v mp4
    AddType video/ogg                                   ogv
    AddType video/webm                                  webm
    AddType video/x-flv                                 flv
    AddType image/x-icon                                cur ico
    AddType application/font-woff                       woff
    AddType application/font-woff2                      woff2
    AddType application/vnd.ms-fontobject               eot
    AddType application/x-font-ttf                      ttc ttf
    AddType font/opentype                               otf
    AddType application/octet-stream                    safariextz
    AddType application/x-bb-appworld                   bbaw
    AddType application/x-chrome-extension              crx
    AddType application/x-opera-extension               oex
    AddType application/x-xpinstall                     xpi
    AddType text/vcard                                  vcard vcf
    AddType text/vnd.rim.location.xloc                  xloc
    AddType text/vtt                                    vtt
    AddType text/x-component                            htc
    AddType application/x-httpd-php-source              phps
    AddType application/x-httpd-php                     php php5 phtml
    <FilesMatch "favicon\.ico$">
        AddType image/vnd.microsoft.icon                ico
    </FilesMatch>
    AddEncoding gzip                                    svgz
    AddHandler type-map var
    <IfModule negotiation_module>
        AddLanguage ca    .ca
        AddLanguage cs    .cz    .cs
        AddLanguage da    .dk
        AddLanguage de    .de
        AddLanguage el    .el
        AddLanguage en    .en
        AddLanguage eo    .eo
        AddLanguage es    .es
        AddLanguage et    .et
        AddLanguage fr    .fr
        AddLanguage he    .he
        AddLanguage hr    .hr
        AddLanguage it    .it
        AddLanguage ja    .ja
        AddLanguage ko    .ko
        AddLanguage ltz   .ltz
        AddLanguage nl    .nl
        AddLanguage nn    .nn
        AddLanguage no    .no
        AddLanguage pl    .po
        AddLanguage pt    .pt
        AddLanguage pt-BR .pt-br
        AddLanguage ru    .ru
        AddLanguage sv    .sv
        AddLanguage tr    .tr
        AddLanguage zh-CN .zh-cn
        AddLanguage zh-TW .zh-tw
        LanguagePriority en de ca cs da el eo es et fr he hr it ja ko ltz nl nn no pl pt pt-BR ru sv tr zh-CN zh-TW
        ForceLanguagePriority Prefer Fallback
        AddCharset us-ascii.ascii  .us-ascii
        AddCharset ISO-8859-1      .iso8859-1   .latin1
        AddCharset ISO-8859-2      .iso8859-2   .latin2    .cen
        AddCharset ISO-8859-3      .iso8859-3   .latin3
        AddCharset ISO-8859-4      .iso8859-4   .latin4
        AddCharset ISO-8859-5      .iso8859-5   .cyr       .iso-ru
        AddCharset ISO-8859-6      .iso8859-6   .arb       .arabic
        AddCharset ISO-8859-7      .iso8859-7   .grk       .greek
        AddCharset ISO-8859-8      .iso8859-8   .heb       .hebrew
        AddCharset ISO-8859-9      .iso8859-9   .latin5    .trk
        AddCharset ISO-8859-10     .iso8859-10  .latin6
        AddCharset ISO-8859-13     .iso8859-13
        AddCharset ISO-8859-14     .iso8859-14  .latin8
        AddCharset ISO-8859-15     .iso8859-15  .latin9
        AddCharset ISO-8859-16     .iso8859-16  .latin10
        AddCharset ISO-2022-JP     .iso2022-jp  .jis
        AddCharset ISO-2022-KR     .iso2022-kr  .kis
        AddCharset ISO-2022-CN     .iso2022-cn  .cis
        AddCharset Big5.Big5       .big5        .b5
        AddCharset cn-Big5         .cn-big5
        AddCharset WINDOWS-1251    .cp-1251     .win-1251
        AddCharset CP866           .cp866
        AddCharset KOI8            .koi8
        AddCharset KOI8-E          .koi8-e
        AddCharset KOI8-r          .koi8-r      .koi8-ru
        AddCharset KOI8-U          .koi8-u
        AddCharset KOI8-ru         .koi8-uk     .ua
        AddCharset ISO-10646-UCS-2 .ucs2
        AddCharset ISO-10646-UCS-4 .ucs4
        AddCharset UTF-7           .utf7
        AddCharset UTF-8           .utf8
        AddCharset UTF-16          .utf16
        AddCharset UTF-16BE        .utf16be
        AddCharset UTF-16LE        .utf16le
        AddCharset UTF-32          .utf32
        AddCharset UTF-32BE        .utf32be
        AddCharset UTF-32LE        .utf32le
        AddCharset euc-cn          .euc-cn
        AddCharset euc-gb          .euc-gb
        AddCharset euc-jp          .euc-jp
        AddCharset euc-kr          .euc-kr
        AddCharset EUC-TW          .euc-tw
        AddCharset gb2312          .gb2312      .gb
        AddCharset iso-10646-ucs-2 .ucs-2       .iso-10646-ucs-2
        AddCharset iso-10646-ucs-4 .ucs-4       .iso-10646-ucs-4
        AddCharset shift_jis       .shift_jis   .sjis
        AddCharset UTF-8 .atom \
                         .bbaw \
                         .css \
                         .geojson \
                         .js \
                         .json \
                         .jsonld \
                         .manifest \
                         .rdf \
                         .rss \
                         .topojson \
                         .vtt \
                         .webapp \
                         .webmanifest \
                         .xloc \
                         .xml
    </IfModule>
</IfModule>
<IfModule mime_magic_module>
    MIMEMagicFile "etc/apache24/magic"
</IfModule>
<IfModule autoindex_module>
    <IfModule alias_module>
        Alias /icons/ "/usr/local/www/apache24/icons/"
        <Directory "/usr/local/www/apache24/icons">
            Options MultiViews
            AllowOverride None
            Require all granted
        </Directory>
        IndexOrderDefault Ascending Name
        IndexOptions FancyIndexing VersionSort FoldersFirst IgnoreCase IgnoreClient NameWidth=* SuppressDescription XHTML
        IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t .git .svn *.bak *.orig
        AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
        AddIconByType (TXT,/icons/text.gif) text/*
        AddIconByType (IMG,/icons/image2.gif) image/*
        AddIconByType (SND,/icons/sound2.gif) audio/*
        AddIconByType (VID,/icons/movie.gif) video/*
        AddIcon /icons/binary.gif .bin .exe
        AddIcon /icons/binhex.gif .hqx
        AddIcon /icons/tar.gif .tar
        AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
        AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
        AddIcon /icons/a.gif .ps .ai .eps
        AddIcon /icons/layout.gif .html .shtml .htm .pdf
        AddIcon /icons/text.gif .txt
        AddIcon /icons/c.gif .c
        AddIcon /icons/p.gif .pl .py
        AddIcon /icons/f.gif .for
        AddIcon /icons/dvi.gif .dvi
        AddIcon /icons/uuencoded.gif .uu
        AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
        AddIcon /icons/tex.gif .tex
        AddIcon /icons/bomb.gif core
        AddIcon /icons/back.gif ..
        AddIcon /icons/hand.right.gif README
        AddIcon /icons/folder.gif ^^DIRECTORY^^
        AddIcon /icons/blank.gif ^^BLANKICON^^
        DefaultIcon /icons/unknown.gif
        ReadmeName README.html
        HeaderName HEADER.html
    </IfModule>
</IfModule>
<IfModule expires_module>
    ExpiresActive on
    ExpiresDefault                                      "access plus 1 month"
    ExpiresByType text/css                              "access plus 1 week"
    ExpiresByType application/atom+xml                  "access plus 1 hour"
    ExpiresByType application/rdf+xml                   "access plus 1 hour"
    ExpiresByType application/rss+xml                   "access plus 1 hour"
    ExpiresByType application/xhtml+xml                 "access plus 0 seconds"
    ExpiresByType application/json                      "access plus 0 seconds"
    ExpiresByType application/ld+json                   "access plus 0 seconds"
    ExpiresByType application/schema+json               "access plus 0 seconds"
    ExpiresByType application/vnd.geo+json              "access plus 0 seconds"
    ExpiresByType application/xml                       "access plus 0 seconds"
    ExpiresByType text/xml                              "access plus 0 seconds"
    ExpiresByType image/vnd.microsoft.icon              "access plus 1 week"
    ExpiresByType image/x-icon                          "access plus 1 week"
    ExpiresByType text/html                             "access plus 0 seconds"
    ExpiresByType application/javascript                "access plus 1 week"
    ExpiresByType application/x-javascript              "access plus 1 week"
    ExpiresByType text/javascript                       "access plus 1 week"
    ExpiresByType application/manifest+json             "access plus 1 week"
    ExpiresByType application/x-web-app-manifest+json   "access plus 0 seconds"
    ExpiresByType text/cache-manifest                   "access plus 0 seconds"
    ExpiresByType audio/ogg                             "access plus 1 month"
    ExpiresByType image/bmp                             "access plus 1 month"
    ExpiresByType image/gif                             "access plus 1 month"
    ExpiresByType image/jpeg                            "access plus 1 month"
    ExpiresByType image/png                             "access plus 1 month"
    ExpiresByType image/svg+xml                         "access plus 1 month"
    ExpiresByType image/webp                            "access plus 1 month"
    ExpiresByType video/mp4                             "access plus 1 month"
    ExpiresByType video/ogg                             "access plus 1 month"
    ExpiresByType video/webm                            "access plus 1 month"
    ExpiresByType application/vnd.ms-fontobject         "access plus 1 month"
    ExpiresByType font/eot                              "access plus 1 month"
    ExpiresByType font/opentype                         "access plus 1 month"
    ExpiresByType application/x-font-ttf                "access plus 1 month"
    ExpiresByType application/font-woff                 "access plus 1 month"
    ExpiresByType application/x-font-woff               "access plus 1 month"
    ExpiresByType font/woff                             "access plus 1 month"
    ExpiresByType application/font-woff2                "access plus 1 month"
    ExpiresByType text/x-cross-domain-policy            "access plus 1 week"
</IfModule>
<IfModule deflate_module>
    <IfModule filter_module>
        AddOutputFilterByType DEFLATE "application/atom+xml" \
                                      "application/javascript" \
                                      "application/json" \
                                      "application/ld+json" \
                                      "application/manifest+json" \
                                      "application/rdf+xml" \
                                      "application/rss+xml" \
                                      "application/schema+json" \
                                      "application/vnd.geo+json" \
                                      "application/vnd.ms-fontobject" \
                                      "application/x-font-ttf" \
                                      "application/x-javascript" \
                                      "application/x-web-app-manifest+json" \
                                      "application/xhtml+xml" \
                                      "application/xml" \
                                      "font/eot" \
                                      "font/opentype" \
                                      "image/bmp" \
                                      "image/svg+xml" \
                                      "image/vnd.microsoft.icon" \
                                      "image/x-icon" \
                                      "text/cache-manifest" \
                                      "text/css" \
                                      "text/html" \
                                      "text/javascript" \
                                      "text/plain" \
                                      "text/vcard" \
                                      "text/vnd.rim.location.xloc" \
                                      "text/vtt" \
                                      "text/x-component" \
                                      "text/x-cross-domain-policy" \
                                      "text/xml"
    </IfModule>
</IfModule>
<IfModule cache_module>
    CacheQuickHandler off
    CacheIgnoreURLSessionIdentifiers sid SID
    <IfModule cache_disk_module>
        CacheEnable disk "/"
        CacheRoot "/data/tmp/www/cache/"
    </IfModule>
</IfModule>
<IfModule userdir_module>
    UserDir disabled
    UserDir "/home/*/public_html"
    <Directory "/home/*/public_html">
        Options None +SymLinksIfOwnerMatch
        AllowOverride None
        Require all granted
    </Directory>
</IfModule>
<IfModule info_module>
    <Location "/server-info">
        SetHandler server-info
        <RequireAny>
            Require host localhost
        </RequireAny>
    </Location>
</IfModule>
<IfModule status_module>
    <Location "/server-status">
        SetHandler server-status
        <RequireAny>
            Require host localhost
        </RequireAny>
    </Location>
</IfModule>
<IfModule headers_module>
    Header set Access-Control-Allow-Origin "null"
    <IfModule setenvif_module>
        <FilesMatch "\.(bmp|cur|gif|ico|jpe?g|png|svgz?|webp)$">
            SetEnvIf Origin ":" IS_CORS
            Header set Access-Control-Allow-Origin "*" env=IS_CORS
        </FilesMatch>
    </IfModule>
    <FilesMatch "\.(eot|otf|tt[cf]|woff2?)$">
        Header set Access-Control-Allow-Origin "*"
    </FilesMatch>
    Header set Timing-Allow-Origin "*"
    Header set Content-Security-Policy "default-src 'self'; child-src 'self'; connect-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'self'; frame-src 'self'; img-src 'self' data:; manifest-src 'self'; media-src 'self'; object-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' 'unsafe-eval';"
    Header set X-Content-Security-Policy "default-src 'self'; child-src 'self'; connect-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'self'; frame-src 'self'; img-src 'self' data:; manifest-src 'self'; media-src 'self'; object-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' 'unsafe-eval';"
    Header set X-Webkit-CSP "default-src 'self'; child-src 'self'; connect-src 'self'; font-src 'self'; form-action 'self'; frame-ancestors 'self'; frame-src 'self'; img-src 'self' data:; manifest-src 'self'; media-src 'self'; object-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' 'unsafe-eval';"
    Header set X-Content-Type-Options "nosniff"
    Header set X-Frame-Options "SAMEORIGIN"
    Header set X-XSS-Protection "1; mode=block"
    Header set X-UA-Compatible "IE=Edge"
    Header set P3P "policyref=\"/w3c/p3p.xml\", CP=\"IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT\""
    Header always merge Cache-Control "no-transform, must-revalidate, proxy-revalidate"
    Header merge Cache-Control "no-transform, must-revalidate, proxy-revalidate"
    Header always merge Vary "User-Agent"
    Header merge Vary "User-Agent"
</IfModule>
IncludeOptional "etc/apache24/modules.d/[0-9][0-9][0-9]_*.conf"
Include "etc/apache24/vhosts.conf"
<IfModule ssl_module>
    SSLRandomSeed startup file:/dev/urandom 65536
    SSLRandomSeed connect file:/dev/urandom 65536
    SSLPassPhraseDialog builtin
    <IfModule socache_shmcb_module>
        SSLSessionCache "shmcb:/var/run/ssl_scache(512000)"
    </IfModule>
    <IfModule !socache_shmcb_module>
        <IfModule socache_dbm_module>
            SSLSessionCache "dbm:/var/run/ssl_scache"
        </IfModule>
        <IfModule !socache_dbm_module>
            SSLSessionCache "nonenotnull"
        </IfModule>
    </IfModule>
    SSLSessionTickets Off
    SSLHonorCipherOrder On
    SSLStrictSNIVHostCheck On
    SSLOptions +StrictRequire +StdEnvVars
    SSLProtocol -ALL +TLSv1 +TLSv1.1 +TLSv1.2
    SSLCipherSuite "EECDH+CHACHA20 EECDH+AESGCM EECDH+AES256+SHA384 EECDH+AES128+SHA256 EECDH+AES256+SHA EECDH+AES128+SHA EDH+CHACHA20 EDH+AESGCM EDH+AES256+SHA256 EDH+AES128+SHA256 EDH+AES256+SHA EDH+AES128+SHA !aDSS !kECDHe !kECDHr !kDHd !kDHr !SEED !IDEA !RC2 !RC4 !eNULL !aNULL !MEDIUM !LOW !EXPORT"
    SSLOCSPEnable On
    <IfModule socache_shmcb_module>
        SSLUseStapling On
        SSLStaplingCache "shmcb:/var/run/stapling_cache(128000)"
    </IfModule>
    <IfModule !socache_shmcb_module>
        <IfModule socache_dbm_module>
            SSLUseStapling On
            SSLStaplingCache "dbm:/var/run/stapling_cache"
        </IfModule>
        <IfModule !socache_dbm_module>
            SSLUseStapling Off
        </IfModule>
    </IfModule>
    Include "etc/apache24/vhosts-ssl.conf"
</IfModule>
EOF

cat > /usr/local/etc/apache24/vhosts.conf << "EOF"
<VirtualHost *:80>
    ServerName srv.example.org
    ServerAdmin webmaster@example.org
    CustomLog "/data/www/vhosts/_default_/logs/access_log" combined
    ErrorLog "/data/www/vhosts/_default_/logs/error_log"
    DocumentRoot "/data/www/vhosts/_default_/data"
    <Directory "/data/www/vhosts/_default_/data">
        Options None +FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
    <FilesMatch "\.((php|php5|phps|phtml)(/.*)?)$">
        SetHandler "proxy:unix:///var/run/fpm_www.sock|fcgi://www"
    </FilesMatch>
</VirtualHost>

<VirtualHost *:80>
    ServerName pki.example.org
    ServerAdmin webmaster@example.org
    CustomLog "/data/www/vhosts/pki.example.org/logs/access_log" combined
    ErrorLog "/data/www/vhosts/pki.example.org/logs/error_log"
    DocumentRoot "/data/www/vhosts/pki.example.org/data"
    <Directory "/data/www/vhosts/pki.example.org/data">
        Options None +FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
    <FilesMatch "\.((php|php5|phps|phtml)(/.*)?)$">
        SetHandler "proxy:unix:///var/run/fpm_www.sock|fcgi://www"
    </FilesMatch>
</VirtualHost>

<VirtualHost *:80>
    ServerName www.example.org
    ServerAlias example.org
    ServerAdmin webmaster@example.org
    CustomLog "/data/www/vhosts/www.example.org/logs/access_log" combined
    ErrorLog "/data/www/vhosts/www.example.org/logs/error_log"
    DocumentRoot "/data/www/vhosts/www.example.org/data"
    <Directory "/data/www/vhosts/www.example.org/data">
        Options None +FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
    <FilesMatch "\.((php|php5|phps|phtml)(/.*)?)$">
        SetHandler "proxy:unix:///var/run/fpm_www.sock|fcgi://www"
    </FilesMatch>
</VirtualHost>
EOF

cat > /usr/local/etc/apache24/vhosts-ssl.conf << "EOF"
<VirtualHost *:443>
    ServerName srv.example.org
    ServerAdmin webmaster@example.org
    CustomLog "/data/www/vhosts/_default_/logs/ssl_access_log" combinedssl
    ErrorLog "/data/www/vhosts/_default_/logs/ssl_error_log"
    DocumentRoot "/data/www/vhosts/_default_/data"
    <Directory "/data/www/vhosts/_default_/data">
        Options None +FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
    <FilesMatch "\.((php|php5|phps|phtml)(/.*)?)$">
        SetHandler "proxy:unix:///var/run/fpm_www.sock|fcgi://www"
    </FilesMatch>
    SSLEngine on
    SSLCertificateFile "/data/pki/certs/srv.example.org.crt"
    SSLCertificateKeyFile "/data/pki/private/srv.example.org.key"
    SSLCACertificateFile "/data/pki/ca/component-ca-chain.pem"
#    <IfModule headers_module>
#        Header set Strict-Transport-Security "max-age=15768000; preload"
#    </IfModule>
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.org
    ServerAlias example.org
    ServerAdmin webmaster@example.org
    CustomLog "/data/www/vhosts/www.example.org/logs/ssl_access_log" combinedssl
    ErrorLog "/data/www/vhosts/www.example.org/logs/ssl_error_log"
    DocumentRoot "/data/www/vhosts/www.example.org/data"
    <Directory "/data/www/vhosts/www.example.org/data">
        Options None +FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>
    <FilesMatch "\.((php|php5|phps|phtml)(/.*)?)$">
        SetHandler "proxy:unix:///var/run/fpm_www.sock|fcgi://www"
    </FilesMatch>
    SSLEngine on
    SSLCertificateFile "/data/pki/certs/www.example.org.crt"
    SSLCertificateKeyFile "/data/pki/private/www.example.org.key"
    SSLCACertificateFile "/data/pki/ca/component-ca-chain.pem"
#    <IfModule headers_module>
#        Header set Strict-Transport-Security "max-age=15768000; includeSubdomains; preload"
#    </IfModule>
</VirtualHost>
EOF

Final tasks.

mkdir -p /data/tmp/www/{cache,uploads}
chmod -R 1777 /data/tmp/www
chown -R www:www /data/tmp/www

PHP

Install PHP

cat >> /etc/make.conf << "EOF"
DEFAULT_VERSIONS+=php=7.0
EOF


mkdir -p /var/db/ports/lang_php70
cat > /var/db/ports/lang_php70/options << "EOF"
_OPTIONS_READ=php70-7.0.6
_FILE_COMPLETE_OPTIONS_LIST=CLI CGI FPM EMBED PHPDBG DEBUG DTRACE IPV6 LINKTHR ZTS
OPTIONS_FILE_SET+=CLI
OPTIONS_FILE_UNSET+=CGI
OPTIONS_FILE_SET+=FPM
OPTIONS_FILE_UNSET+=EMBED
OPTIONS_FILE_UNSET+=PHPDBG
OPTIONS_FILE_UNSET+=DEBUG
OPTIONS_FILE_UNSET+=DTRACE
OPTIONS_FILE_SET+=IPV6
OPTIONS_FILE_SET+=LINKTHR
OPTIONS_FILE_SET+=ZTS
EOF

cd /usr/ports/lang/php70
make config-recursive all install clean-depends clean

echo 'php_fpm_enable="YES"' >> /etc/rc.conf

Install PHP extensions

mkdir -p /var/db/ports/databases_php70-pdo_mysql
cat > /var/db/ports/databases_php70-pdo_mysql/options << "EOF"
_OPTIONS_READ=php70-pdo_mysql-7.0.6
_FILE_COMPLETE_OPTIONS_LIST=MYSQLND
OPTIONS_FILE_SET+=MYSQLND
EOF

mkdir -p /var/db/ports/databases_php70-mysqli
cat > /var/db/ports/databases_php70-mysqli/options << "EOF"
_OPTIONS_READ=php70-mysqli-7.0.6
_FILE_COMPLETE_OPTIONS_LIST=MYSQLND
OPTIONS_FILE_SET+=MYSQLND
EOF

mkdir -p /var/db/ports/databases_php70-mysql
cat > /var/db/ports/databases_php70-mysql/options << "EOF"
_OPTIONS_READ=php70-mysql-7.0.6
_FILE_COMPLETE_OPTIONS_LIST=MYSQLND
OPTIONS_FILE_SET+=MYSQLND
EOF

mkdir -p /var/db/ports/devel_oniguruma5
cat > /var/db/ports/devel_oniguruma5/options << "EOF"
_OPTIONS_READ=oniguruma5-5.9.6
_FILE_COMPLETE_OPTIONS_LIST=DOCS EXAMPLES
OPTIONS_FILE_SET+=DOCS
OPTIONS_FILE_SET+=EXAMPLES
EOF

mkdir -p /var/db/ports/converters_php70-mbstring
cat > /var/db/ports/converters_php70-mbstring/options << "EOF"
_OPTIONS_READ=php70-mbstring-7.0.6
_FILE_COMPLETE_OPTIONS_LIST=REGEX
OPTIONS_FILE_SET+=REGEX
EOF

mkdir -p /var/db/ports/mail_panda-cclient
cat > /var/db/ports/mail_panda-cclient/options << "EOF"
_OPTIONS_READ=panda-cclient-20130621
_FILE_COMPLETE_OPTIONS_LIST=IPV6 MBX_DEFAULT SSL SSL_AND_PLAINTEXT
OPTIONS_FILE_SET+=IPV6
OPTIONS_FILE_UNSET+=MBX_DEFAULT
OPTIONS_FILE_SET+=SSL
OPTIONS_FILE_SET+=SSL_AND_PLAINTEXT
EOF

mkdir -p /var/db/ports/mail_php70-imap
cat > /var/db/ports/mail_php70-imap/options << "EOF"
_OPTIONS_READ=php70-imap-7.0.6
_FILE_COMPLETE_OPTIONS_LIST=PANDA
OPTIONS_FILE_SET+=PANDA
EOF

mkdir -p /var/db/ports/devel_yasm
cat > /var/db/ports/devel_yasm/options << "EOF"
_OPTIONS_READ=yasm-1.2.0
_FILE_COMPLETE_OPTIONS_LIST=NLS
OPTIONS_FILE_SET+=NLS
EOF

mkdir -p /var/db/ports/multimedia_libvpx
cat > /var/db/ports/multimedia_libvpx/options << "EOF"
_OPTIONS_READ=libvpx-1.5.0
_FILE_COMPLETE_OPTIONS_LIST=DEBUG POSTPROC RUNTIME SHARED THREADS
OPTIONS_FILE_UNSET+=DEBUG
OPTIONS_FILE_SET+=POSTPROC
OPTIONS_FILE_SET+=RUNTIME
OPTIONS_FILE_SET+=SHARED
OPTIONS_FILE_SET+=THREADS
EOF

mkdir -p /var/db/ports/devel_t1lib
cat > /var/db/ports/devel_t1lib/options << "EOF"
_OPTIONS_READ=t1lib-5.1.2
_FILE_COMPLETE_OPTIONS_LIST=DOCS X11
OPTIONS_FILE_SET+=DOCS
OPTIONS_FILE_UNSET+=X11
EOF

mkdir -p /var/db/ports/graphics_jpeg-turbo
cat > /var/db/ports/graphics_jpeg-turbo/options << "EOF"
_OPTIONS_READ=jpeg-turbo-1.4.2
_FILE_COMPLETE_OPTIONS_LIST=DOCS EXAMPLES
OPTIONS_FILE_SET+=DOCS
OPTIONS_FILE_SET+=EXAMPLES
EOF

mkdir -p /var/db/ports/devel_nasm
cat > /var/db/ports/devel_nasm/options << "EOF"
_OPTIONS_READ=nasm-2.11.08
_FILE_COMPLETE_OPTIONS_LIST=DOCS RDOFF
OPTIONS_FILE_SET+=DOCS
OPTIONS_FILE_SET+=RDOFF
EOF

mkdir -p /var/db/ports/graphics_png
cat > /var/db/ports/graphics_png/options << "EOF"
_OPTIONS_READ=png-1.6.21
_FILE_COMPLETE_OPTIONS_LIST=APNG PNGTEST
OPTIONS_FILE_SET+=APNG
OPTIONS_FILE_SET+=PNGTEST
EOF

mkdir -p /var/db/ports/print_freetype2
cat > /var/db/ports/print_freetype2/options << "EOF"
_OPTIONS_READ=freetype2-2.6.3
_FILE_COMPLETE_OPTIONS_LIST=LCD_FILTERING PNG
OPTIONS_FILE_SET+=LCD_FILTERING
OPTIONS_FILE_SET+=PNG
EOF

mkdir -p /var/db/ports/graphics_php70-gd
cat > /var/db/ports/graphics_php70-gd/options << "EOF"
_OPTIONS_READ=php70-gd-7.0.6
_FILE_COMPLETE_OPTIONS_LIST=T1LIB TRUETYPE JIS X11 VPX
OPTIONS_FILE_SET+=T1LIB
OPTIONS_FILE_SET+=TRUETYPE
OPTIONS_FILE_UNSET+=JIS
OPTIONS_FILE_UNSET+=X11
OPTIONS_FILE_SET+=VPX
EOF

mkdir -p /var/db/ports/databases_php70-dba
cat > /var/db/ports/databases_php70-dba/options << "EOF"
_OPTIONS_READ=php70-dba-7.0.6
_FILE_COMPLETE_OPTIONS_LIST=CDB DB4 GDBM QDBM TOKYO INIFILE FLATFILE
OPTIONS_FILE_SET+=CDB
OPTIONS_FILE_UNSET+=DB4
OPTIONS_FILE_UNSET+=GDBM
OPTIONS_FILE_UNSET+=QDBM
OPTIONS_FILE_UNSET+=TOKYO
OPTIONS_FILE_SET+=INIFILE
OPTIONS_FILE_SET+=FLATFILE
EOF

mkdir -p /var/db/ports/databases_sqlite3
cat > /var/db/ports/databases_sqlite3/options << "EOF"
_OPTIONS_READ=sqlite3-3.12.1
_FILE_COMPLETE_OPTIONS_LIST=ARMOR DBSTAT DIRECT_READ EXTENSION FTS3_TOKEN FTS4 FTS5 JSON1 LIKENOTBLOB MEMMAN METADATA RBU SECURE_DELETE SOUNDEX STMT STSHELL THREADS UNLOCK_NOTIFY UPD_DEL_LIMIT URI URI_AUTHORITY TS0 TS1 TS2 TS3 STAT3 STAT4 ICU UNICODE61 RTREE RTREE_INT READLINES READLINEP EDITLINE
OPTIONS_FILE_SET+=ARMOR
OPTIONS_FILE_SET+=DBSTAT
OPTIONS_FILE_SET+=DIRECT_READ
OPTIONS_FILE_SET+=EXTENSION
OPTIONS_FILE_UNSET+=FTS3_TOKEN
OPTIONS_FILE_SET+=FTS4
OPTIONS_FILE_SET+=FTS5
OPTIONS_FILE_SET+=JSON1
OPTIONS_FILE_UNSET+=LIKENOTBLOB
OPTIONS_FILE_SET+=MEMMAN
OPTIONS_FILE_SET+=METADATA
OPTIONS_FILE_SET+=RBU
OPTIONS_FILE_SET+=SECURE_DELETE
OPTIONS_FILE_SET+=SOUNDEX
OPTIONS_FILE_SET+=STMT
OPTIONS_FILE_SET+=STSHELL
OPTIONS_FILE_SET+=THREADS
OPTIONS_FILE_SET+=UNLOCK_NOTIFY
OPTIONS_FILE_UNSET+=UPD_DEL_LIMIT
OPTIONS_FILE_SET+=URI
OPTIONS_FILE_SET+=URI_AUTHORITY
OPTIONS_FILE_UNSET+=TS0
OPTIONS_FILE_UNSET+=TS1
OPTIONS_FILE_SET+=TS2
OPTIONS_FILE_UNSET+=TS3
OPTIONS_FILE_UNSET+=STAT3
OPTIONS_FILE_SET+=STAT4
OPTIONS_FILE_SET+=ICU
OPTIONS_FILE_UNSET+=UNICODE61
OPTIONS_FILE_SET+=RTREE
OPTIONS_FILE_UNSET+=RTREE_INT
OPTIONS_FILE_UNSET+=READLINES
OPTIONS_FILE_UNSET+=READLINEP
OPTIONS_FILE_SET+=EDITLINE
EOF

mkdir -p /var/db/ports/converters_libiconv
cat > /var/db/ports/converters_libiconv/options << "EOF"
_OPTIONS_READ=libiconv-1.14
_FILE_COMPLETE_OPTIONS_LIST=DOCS ENCODINGS PATCHES
OPTIONS_FILE_SET+=DOCS
OPTIONS_FILE_SET+=ENCODINGS
OPTIONS_FILE_SET+=PATCHES
EOF

mkdir -p /var/db/ports/lang_php70-extensions
cat > /var/db/ports/lang_php70-extensions/options << "EOF"
_OPTIONS_READ=php70-extensions-1.1
_FILE_COMPLETE_OPTIONS_LIST=BCMATH BZ2 CALENDAR CTYPE CURL DBA DOM EXIF FILEINFO FILTER FTP GD GETTEXT GMP HASH ICONV IMAP INTERBASE INTL JSON LDAP MBSTRING MCRYPT MYSQLI ODBC OPCACHE OPENSSL PCNTL PDF PDO PDO_DBLIB PDO_FIREBIRD PDO_MYSQL PDO_ODBC PDO_PGSQL PDO_SQLITE PGSQL PHAR POSIX PSPELL READLINE RECODE SESSION SHMOP SIMPLEXML SNMP SOAP SOCKETS SQLITE3 SYBASE_CT SYSVMSG SYSVSEM SYSVSHM TIDY TOKENIZER WDDX XML XMLREADER XMLRPC XMLWRITER XSL ZIP ZLIB
OPTIONS_FILE_SET+=BCMATH
OPTIONS_FILE_SET+=BZ2
OPTIONS_FILE_SET+=CALENDAR
OPTIONS_FILE_SET+=CTYPE
OPTIONS_FILE_SET+=CURL
OPTIONS_FILE_SET+=DBA
OPTIONS_FILE_SET+=DOM
OPTIONS_FILE_SET+=EXIF
OPTIONS_FILE_SET+=FILEINFO
OPTIONS_FILE_SET+=FILTER
OPTIONS_FILE_SET+=FTP
OPTIONS_FILE_SET+=GD
OPTIONS_FILE_SET+=GETTEXT
OPTIONS_FILE_SET+=GMP
OPTIONS_FILE_SET+=HASH
OPTIONS_FILE_SET+=ICONV
OPTIONS_FILE_SET+=IMAP
OPTIONS_FILE_UNSET+=INTERBASE
OPTIONS_FILE_SET+=INTL
OPTIONS_FILE_SET+=JSON
OPTIONS_FILE_UNSET+=LDAP
OPTIONS_FILE_SET+=MBSTRING
OPTIONS_FILE_SET+=MCRYPT
OPTIONS_FILE_SET+=MYSQLI
OPTIONS_FILE_UNSET+=ODBC
OPTIONS_FILE_SET+=OPCACHE
OPTIONS_FILE_SET+=OPENSSL
OPTIONS_FILE_SET+=PCNTL
OPTIONS_FILE_UNSET+=PDF
OPTIONS_FILE_SET+=PDO
OPTIONS_FILE_UNSET+=PDO_DBLIB
OPTIONS_FILE_UNSET+=PDO_FIREBIRD
OPTIONS_FILE_SET+=PDO_MYSQL
OPTIONS_FILE_UNSET+=PDO_ODBC
OPTIONS_FILE_UNSET+=PDO_PGSQL
OPTIONS_FILE_SET+=PDO_SQLITE
OPTIONS_FILE_UNSET+=PGSQL
OPTIONS_FILE_SET+=PHAR
OPTIONS_FILE_SET+=POSIX
OPTIONS_FILE_UNSET+=PSPELL
OPTIONS_FILE_UNSET+=READLINE
OPTIONS_FILE_UNSET+=RECODE
OPTIONS_FILE_SET+=SESSION
OPTIONS_FILE_SET+=SHMOP
OPTIONS_FILE_SET+=SIMPLEXML
OPTIONS_FILE_UNSET+=SNMP
OPTIONS_FILE_SET+=SOAP
OPTIONS_FILE_SET+=SOCKETS
OPTIONS_FILE_SET+=SQLITE3
OPTIONS_FILE_UNSET+=SYBASE_CT
OPTIONS_FILE_SET+=SYSVMSG
OPTIONS_FILE_SET+=SYSVSEM
OPTIONS_FILE_SET+=SYSVSHM
OPTIONS_FILE_UNSET+=TIDY
OPTIONS_FILE_SET+=TOKENIZER
OPTIONS_FILE_SET+=WDDX
OPTIONS_FILE_SET+=XML
OPTIONS_FILE_SET+=XMLREADER
OPTIONS_FILE_SET+=XMLRPC
OPTIONS_FILE_SET+=XMLWRITER
OPTIONS_FILE_SET+=XSL
OPTIONS_FILE_SET+=ZIP
OPTIONS_FILE_SET+=ZLIB
EOF

cd /usr/ports/lang/php70-extensions
make config-recursive all install clean-depends clean

Configure PHP

The configuration largely follows the PHP developers' recommendations and is tuned for both security and performance.

Set up php.ini.

cat > /usr/local/etc/php.ini << "EOF"
always_populate_raw_post_data = "-1"
arg_separator.input = ";&"
arg_separator.output = "&amp;"
assert.active = "0"
cli_server.color = "1"
curl.cainfo = "/usr/local/share/certs/ca-root-nss.crt"
date.default_latitude = "53.5500"
date.default_longitude = "10.0000"
date.timezone = "Europe/Berlin"
default_charset = "UTF-8"
display_errors = "0"
display_startup_errors = "0"
enable_dl = "0"
engine = "1"
error_log = "/var/log/php_error.log"
error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT"
exif.encode_jis = "UTF-8"
exif.encode_unicode = "UTF-8"
expose_php = "0"
from = "anonymous@example.org"
html_errors = "0"
iconv.input_encoding = "UTF-8"
iconv.output_encoding = "UTF-8"
iconv.internal_encoding = "UTF-8"
input_encoding = "UTF-8"
internal_encoding = "UTF-8"
log_errors = "1"
mail.add_x_header = "1"
mail.log = "/var/log/php_sendmail.log"
max_execution_time = "60"
max_input_time = "60"
mbstring.detect_order = "auto"
mbstring.encoding_translation = "0"
mbstring.http_input = "pass"
mbstring.internal_encoding = "UTF-8"
mbstring.http_output = "pass"
mbstring.strict_detection = "1"
memory_limit = "256M"
opcache.enable = "1"
opcache.enable_cli = "1"
opcache.enable_file_override = "1"
opcache.error_log = "/var/log/php_opcache.log"
opcache.fast_shutdown = "1"
opcache.interned_strings_buffer = "16"
opcache.log_verbosity_level = "2"
opcache.max_accelerated_files = "32768"
opcache.max_wasted_percentage = "5"
opcache.memory_consumption = "128"
opcache.revalidate_freq = "60"
opcache.revalidate_path = "1"
opcache.save_comments = "1"
opcache.use_cwd = "1"
opcache.validate_timestamps = "1"
openssl.cafile = "/usr/local/share/certs/ca-root-nss.crt"
output_buffering = "4096"
output_encoding = "UTF-8"
pcre.backtrack_limit = "8000000"
pdo_mysql.cache_size = "2000"
post_max_size = "16M"
realpath_cache_size = "512k"
register_argc_argv = "0"
request_order = "GP"
session.cookie_httponly = "1"
session.gc_divisor = "1000"
session.hash_bits_per_character = "5"
session.hash_function = "1"
session.save_path = "/data/tmp/php"
session.use_strict_mode = "1"
sendmail_path = "/usr/local/sbin/sendmail -t -i"
short_open_tag = "0"
soap.wsdl_cache_dir = "/data/tmp/php"
sys_temp_dir = "/data/tmp/php"
sysvshm.init_mem = "10000"
upload_max_filesize = "64M"
upload_tmp_dir = "/data/tmp/php"
url_rewriter.tags = "a=href,area=href,frame=src,input=src,form=fakeentry,fieldset="
user_ini.filename = None
variables_order = "GPCS"
zend.assertions = "-1"
zend.enable_gc = "1"
zlib.output_compression = "0"
EOF

Set up php-fpm.conf.

sed -e 's|^;[[:space:]]*\(process.max =\).*$|\1 128|' \
    -e 's|^;[[:space:]]*\(process.priority =\).*$|\1 -9|' \
    -e 's|^;[[:space:]]*\(events.mechanism =\).*$|\1 kqueue|' \
    /usr/local/etc/php-fpm.conf.default > /usr/local/etc/php-fpm.conf

Set up php-fpm.d/www.conf.

sed -e 's|^\(listen =\).*$|\1 /var/run/fpm_www.sock|' \
    -e 's|^;\(listen.owner =\).*$|\1 www|' \
    -e 's|^;\(listen.group =\).*$|\1 www|' \
    -e 's|^;\(listen.mode =\).*$|\1 0660|' \
    -e 's|^\(pm.max_children =\).*$|\1 256|' \
    -e 's|^\(pm.start_servers =\).*$|\1 32|' \
    -e 's|^\(pm.min_spare_servers =\).*$|\1 8|' \
    -e 's|^\(pm.max_spare_servers =\).*$|\1 32|' \
    -e 's|^;\(pm.max_requests =\).*$|\1 500|' \
    -e 's|^;\(security.limit_extensions =\).*$|\1 .php .php3 .php4 .php5 .php7 .phps .phtml|' \
    /usr/local/etc/php-fpm.d/www.conf.default > /usr/local/etc/php-fpm.d/www.conf
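As an added check (example code, not part of the original HowTo): a small POSIX sh audit that reads the php.ini and php-fpm.d/www.conf written above and reports every security-relevant setting that deviates from the values this HowTo sets. The function names are my own, and the sample files it creates are constructed in the style of the two real files so that it runs without a PHP installation.

```shell
# Added example, not part of the original HowTo: audit php.ini and
# php-fpm.d/www.conf for the security-relevant values set above.

# ini_get FILE KEY: print the value of KEY (surrounding quotes stripped);
# prints nothing when the key is absent or commented out with ";".
ini_get() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # dots in the key are literal
    sed -n "s|^[[:space:]]*${key}[[:space:]]*=[[:space:]]*||p" "$1" |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' | tail -n 1
}

# php_audit PHP_INI WWW_CONF: compare both files with the expected values
# (taken from the php.ini and the sed edits above); returns 1 on any mismatch.
php_audit() {
    fail=0
    while read -r file key want; do
        case $file in
            ini) got=$(ini_get "$1" "$key") ;;
            fpm) got=$(ini_get "$2" "$key") ;;
        esac
        if [ "$got" != "$want" ]; then
            printf 'MISMATCH %s: %s = "%s" (expected "%s")\n' "$file" "$key" "$got" "$want"
            fail=1
        fi
    done << "EOF"
ini expose_php 0
ini display_errors 0
ini display_startup_errors 0
ini enable_dl 0
ini log_errors 1
ini session.cookie_httponly 1
ini session.use_strict_mode 1
ini short_open_tag 0
ini zend.assertions -1
fpm listen /var/run/fpm_www.sock
fpm listen.mode 0660
fpm pm.max_requests 500
fpm security.limit_extensions .php .php3 .php4 .php5 .php7 .phps .phtml
EOF
    return $fail
}

# write_samples DIR: constructed sample files in the style of the two files
# above (including a commented-out line), so the audit runs without PHP.
write_samples() {
    mkdir -p "$1"
    cat > "$1/php.ini" << "EOF"
;display_errors = "1"
display_errors = "0"
display_startup_errors = "0"
enable_dl = "0"
expose_php = "0"
log_errors = "1"
session.cookie_httponly = "1"
session.use_strict_mode = "1"
short_open_tag = "0"
zend.assertions = "-1"
EOF
    cat > "$1/www.conf" << "EOF"
listen = /var/run/fpm_www.sock
listen.owner = www
listen.mode = 0660
pm.max_requests = 500
security.limit_extensions = .php .php3 .php4 .php5 .php7 .phps .phtml
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
php_audit "$dir/php.ini" "$dir/www.conf" && echo "audit: all settings as expected"
echo 'expose_php = "1"' >> "$dir/php.ini"   # a later duplicate key wins in php.ini
php_audit "$dir/php.ini" "$dir/www.conf" || echo "audit: deviations found"
rm -rf "$dir"
```

On the real server, call php_audit with /usr/local/etc/php.ini and /usr/local/etc/php-fpm.d/www.conf after the steps above; any MISMATCH line points at a directive the sed edits or the php.ini did not produce.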

Final tasks.

mkdir -p /data/tmp/php
chmod -R 1777 /data/tmp/php
chown -R www:www /data/tmp/php

touch /var/log/php_{error,opcache,sendmail}.log
chmod 0664 /var/log/php_{error,opcache,sendmail}.log
chown root:www /var/log/php_{error,opcache,sendmail}.log

Install PHP-PEAR

cd /usr/ports/devel/pear
make config-recursive all install clean-depends clean

What's next?

With the FreeBSD Tips und Tricks, of course.