Essentials on setting up an LHMP Stack.

Preamble:

After the era of the NSA Leaks, decentralized systems and self-managed servers are gaining more attention. Many system administrators are looking for ways to implement systems that are safe, secure, and easy to use. The common goals shared by all of them revolve around privacy and the protection of end users' data.

With this in mind, if you are trying to move away from Apache Web Server or are looking for a lightweight web server such as Nginx, here is what we recommend: Hiawatha Web Server. Designed with security in mind, Hiawatha is a lightweight and highly secure web server, in both code and features. It is capable of handling a large number of requests while protecting your back-end servers against SQL injections, XSS, CSRF attacks and exploit attempts. The Hiawatha Web Server is distributed under the GPL license version 2. If you are interested in viewing the list of features that Hiawatha Web Server offers, please go to the following link.

In this tutorial we will present the essentials of setting up an LHMP Stack (Linux, Hiawatha, MariaDB, PHP) for hosting and serving web content.

Fundamentals:

The components that constitute the LHMP Stack are:

  • Server: Virtual Machine or Virtual Node with at least: 1 Core Processor with 512MB of Memory, and 10GB of Disk Space.

  • Operating System: Any Linux Distribution will do, but in our tutorial we will use CentOS 7.

  • Hiawatha: The web Server that will handle requests and serve contents to the end-user.

  • MariaDB: An enhanced, drop-in replacement for MySQL relational database management system.

  • PHP: The server side scripting language. Usually systems administrators like to install PHP along with Perl and Python. In this tutorial we will install them all.

Note: A basic knowledge in Linux Administration is also required.

Installation:

To complete this tutorial your server will need access to the internet. Also, if you do not have a copy of CentOS 7, you can download it from here.

Create a user with sudo privileges:

After you have installed CentOS 7 on your server, we will create a non-root user, assign him to the wheel group, and then give him sudo rights.

# adduser newuser

Note: Do not forget to change “newuser” with a name that makes more sense.

# passwd newuser

Then set a strong password that you will remember.

# usermod -aG wheel newuser

The above command assigns the user newuser to the Wheel group.

# vim /etc/pam.d/su

Then find the following line: #auth required pam_wheel.so use_uid and remove the “#” to uncomment it.

Finally run the following:

# visudo

And uncomment the following line: # %wheel ALL=(ALL) ALL by removing the “#”.

Conclusion: In the previous section, we learned how to create a new user and grant him root privileges. In Linux, it is recommended to run commands as a non-root user, preferably one with sudo rights. Now we can switch to our new user environment by running the following command: su newuser.

Useful Repositories:

In the course of this tutorial, we will use a number of packages that are not available in the official CentOS 7.0 repositories. Therefore we will need to add the following repositories: rpmforge.repo, epel.repo.

  • First things first, check the architecture of your platform (x86_64 or i686):

sudo uname -i
sudo uname -a

By running the above commands we know whether we need the x86_64 or the i686 repositories.

  • Protecting the CentOS 7 base repository:

sudo yum install yum-protectbase

Next, edit the CentOS-Base.repo:

cd /etc/yum.repos.d/
sudo cp CentOS-Base.repo CentOS-Base.repo.bak
sudo vim CentOS-Base.repo

Then add the following line in the [base] section: protect=1.

Save and exit.

  • Import and install the rpmforge and epel repositories for the x86_64 platform:

sudo rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*
sudo rpm --import http://dag.wieers.com/rpm/packages/RPM-GPG-KEY.dag.txt
cd /tmp
sudo wget http://pkgs.repoforge.org/rpmforge-release/rpmforge-release-0.5.3-1.el7.rf.x86_64.rpm
sudo rpm -ivh rpmforge-release-0.5.3-1.el7.rf.x86_64.rpm
sudo rm -rf rpmforge-release-0.5.3-1.el7.rf.x86_64.rpm

The commands above will install the rpmforge repository.

Next, we will install the Epel repository:

sudo rpm --import https://fedoraproject.org/static/0608B895.txt
sudo yum install epel-release
sudo yum install yum-priorities

Next, edit the epel.repo:

cd /etc/yum.repos.d/
sudo cp epel.repo epel.repo.bak
sudo vim epel.repo

Then add the following line in the [epel] section: priority=10.

Save and exit. Now we can run the following command to update and reboot our server:

sudo yum update
sudo reboot

Conclusion: In the previous section, we learned how to extend our package sources by adding additional repositories. We also protected our Base repository by installing the yum-protectbase plugin (sudo yum install yum-protectbase), and raised the priority level of the Epel repository after installing the yum-priorities plugin (sudo yum install yum-priorities).
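One way to check the repository settings from this section, as an added example that is not part of the original tutorial: the script reads .repo files section by section and reports enabled repositories without gpgcheck=1, a [base] section without protect=1, and an [epel] section without priority=10. The function names and the sample file contents are constructed for illustration.

```bash
# Added example, not part of the original tutorial: audit yum .repo files.
# One line per repo: "<id> enabled=V gpgcheck=V protect=V priority=V",
# where "-" means the option is not set in that section.
repo_summary() {  # usage: repo_summary FILE...
  awk '
    function get(k) { return (k in opt) ? opt[k] : "-" }
    function emit() {
      if (id != "") printf "%s enabled=%s gpgcheck=%s protect=%s priority=%s\n",
        id, get("enabled"), get("gpgcheck"), get("protect"), get("priority")
      split("", opt)                       # reset options for the next section
    }
    /^[ \t]*\[/ { emit(); id = $0; gsub(/\[|\]|[ \t]/, "", id); next }
    /^[ \t]*#/ || !index($0, "=") { next }
    { k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
      v = substr($0, index($0, "=") + 1); gsub(/[ \t]/, "", v); opt[k] = v }
    END { emit() }' "$@"
}

# Findings for the steps in this section; returns 1 if there are any.
repo_audit() {  # usage: repo_audit FILE...
  rc=0
  while read -r id en gpg prot prio; do
    [ -z "$id" ] || [ "$en" = "enabled=0" ] && continue   # skip disabled repos
    [ "$gpg" = "gpgcheck=1" ] ||
      { echo "$id: gpgcheck=1 not set in this section ($gpg)"; rc=1; }
    case $id in
      base) [ "$prot" = "protect=1" ] || { echo "base: protect=1 not set"; rc=1; } ;;
      epel) [ "$prio" = "priority=10" ] || { echo "epel: priority=10 not set"; rc=1; } ;;
    esac
  done <<EOF
$(repo_summary "$@")
EOF
  return $rc
}

# Constructed sample input, not the contents of any real repository file.
make_repo_sample() {
  printf '%s\n' '[base]' 'name=CentOS Base' 'gpgcheck=1' 'protect=1' '' \
    '[epel]' 'name=EPEL' 'enabled=1' 'gpgcheck=1' '' \
    '[rpmforge]' 'enabled = 1' 'gpgcheck = 0' '' \
    '[epel-debuginfo]' 'enabled=0' 'gpgcheck=0' > "$1"
}

repos=$(mktemp); make_repo_sample "$repos"
repo_summary "$repos"; repo_audit "$repos" || true; rm -f "$repos"
```

On the server, the same check runs against the real files with repo_audit /etc/yum.repos.d/*.repo.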

Install Development Tools:

Run the following to install the development tools we would need later on to build Hiawatha Web Server:

sudo yum groupinstall 'Development Tools'
sudo yum install ImageMagick libjpeg-turbo-static.x86_64 libjpeg-turbo-devel.x86_64 poppler-utils readline-devel zlib-devel glibc-devel curl curl-devel libxslt libxslt-devel libxml2 libxml2-devel
sudo yum install python python-devel
sudo yum install perl perl-libs
sudo yum install ruby

Conclusion: In the previous section, we just installed the Development Tools that we would need to build our Hiawatha Web Server. In addition we installed perl, python, and ruby.

Install and Configure PHP:

PHP is mainly used to execute code on the server side, therefore it is known as a server-side scripting language. To install PHP and its dependencies, run the following:

sudo yum install php php-pecl-apc
sudo yum install php-interbase php-fpm php-curl php-ncurses php-intl
sudo yum install php-cli php-pear php-pspell php-recode php-tidy
sudo yum install php-mcrypt php-mhash php-mbstring
sudo yum install php-xml php-xmlrpc php-domxml php-xsl php-gd
sudo yum install php-mysql
sudo yum install php-pecl-memcache php-pecl-memcached
sudo yum install php-pecl-sphinx php-pecl-mongo php-odbc php-dba
sudo yum install php-imap php-snmp php-ldap php-sqlite

Next, we will configure our PHP environment:

sudo cp /etc/php.ini /etc/php.ini.bak
sudo vim /etc/php.ini

Then set the following directives to look like so:

; Keep a single disable_functions line: if the directive is repeated, the last one wins
disable_functions = system, show_source, symlink, exec, dl, shell_exec, passthru, phpinfo, escapeshellarg, escapeshellcmd
expose_php = Off
display_errors = Off
log_errors = On
post_max_size = 25M
enable_dl = Off
upload_max_filesize = 25M
max_file_uploads = 10
allow_url_fopen = Off
cgi.fix_pathinfo = 0
session.cookie_httponly = 1
; safe_mode was removed in PHP 5.4 (the version CentOS 7 ships), so it is left commented out
;safe_mode = On

Conclusion: In the previous section, we learned how to install and configure PHP. Some applications may require you to re-edit the php.ini file. Do so, while being aware of security risks.
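A quick audit of the php.ini settings above, as an added example that is not part of the original tutorial: it reports the effective value of a directive (PHP keeps the last assignment when a directive appears more than once), flags duplicates, and compares the boolean settings with the values recommended here. The function names and the sample file are constructed for illustration.

```bash
# Added example, not part of the original tutorial: audit a php.ini file.
# Effective value of a directive. PHP keeps the LAST uncommented assignment,
# so an earlier duplicate line is silently overridden.
ini_effective() {  # usage: ini_effective FILE DIRECTIVE
  awk -v key="$2" '
    /^[ \t]*(;|#|\[)/ || !index($0, "=") { next }   # comments, [sections]
    { k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
      if (k != key) next
      v = substr($0, index($0, "=") + 1)
      sub(/[ \t]*;.*$/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
      val = v; found = 1 }
    END { if (found) print val }' "$1"
}

# Directives assigned more than once, in file order.
ini_duplicates() {  # usage: ini_duplicates FILE
  awk '/^[ \t]*(;|#|\[)/ || !index($0, "=") { next }
       { k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
         if (++n[k] == 2) print k }' "$1"
}

# Check boolean directives against the values recommended in this tutorial.
php_ini_audit() {  # prints findings; returns 1 if there are any
  f=$1; rc=0
  for want in expose_php=0 display_errors=0 enable_dl=0 allow_url_fopen=0 \
              cgi.fix_pathinfo=0 log_errors=1 session.cookie_httponly=1; do
    key=${want%%=*}; val=$(ini_effective "$f" "$key")
    case $(printf '%s' "$val" | tr 'A-Z' 'a-z') in
      '') echo "MISSING $key"; rc=1; continue ;;
      1|on|true|yes) got=1 ;;
      *) got=0 ;;
    esac
    [ "$got" = "${want#*=}" ] || { echo "WEAK $key = $val"; rc=1; }
  done
  for key in $(ini_duplicates "$f"); do
    echo "DUPLICATE $key (effective: $(ini_effective "$f" "$key"))"; rc=1
  done
  return $rc
}

# Constructed sample input, not a real server's configuration.
make_sample() {
  printf '%s\n' 'disable_functions = system, symlink, exec' 'expose_php = Off' \
    'disable_functions = system, exec' 'display_errors = On' 'log_errors = On' \
    '; allow_url_fopen = Off' 'cgi.fix_pathinfo = 0' \
    'session.cookie_httponly = 1' > "$1"
}

sample=$(mktemp); make_sample "$sample"
php_ini_audit "$sample" || true; rm -f "$sample"
```

On the server, run php_ini_audit /etc/php.ini after each edit of the file.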

Install and Configure NTP Time Server:

NTP is installed by default on the CentOS 7 minimal install. Now we just have to configure it. In case you do not have it installed on your server just run: sudo yum install ntp. Next, we will configure our NTP server and synchronize the time server with our current time zone (America/Chicago).

sudo cp /etc/ntp.conf /etc/ntp.conf.bak
sudo vim /etc/ntp.conf

Then change the server pool to a pool of servers close to your location. In our case we used the following pool, instead of the default pool in ntp.conf.

server 0.us.pool.ntp.org
server 1.us.pool.ntp.org
server 2.us.pool.ntp.org
server 3.us.pool.ntp.org

Save and exit. Restart the NTP Server:

sudo chkconfig --levels 235 ntpd on
sudo systemctl start ntpd

Next, we will set up the Date module in PHP:

sudo vim +880 /etc/php.ini

Then uncomment the line date.timezone by removing the ; and set the line to look like so: date.timezone = America/Chicago

Note: if you have a different time zone other than America/Chicago remember to change it accordingly.

Also run the following to synchronize the localtime on your server to the NTP Servers:

sudo ln -sf /usr/share/zoneinfo/America/Chicago /etc/localtime

Finally we will verify that the NTP settings are working:

sudo chkconfig --levels 235 ntpd on
sudo service ntpd start
sudo ntpstat
sudo ntpd -q
sudo ntpq -c peers

Conclusion: In the previous section, we installed and configured our NTP Time Server. Do not forget to change the time zone to fit your current location or the location of your server (if you are using a Virtual Machine).

Install and Configure MariaDB Database:

MariaDB is an enhanced Database server, designed to be a drop-in replacement for the MySQL relational database system. To install MariaDB run the following:

sudo yum install mariadb mariadb-server

Next, start MariaDB:

sudo chkconfig --levels 235 mariadb on
sudo systemctl enable mariadb
sudo systemctl start mariadb

To Configure and Secure MariaDB run the following:

sudo mysql_secure_installation

And press Enter to answer Yes to all the prompts. Do not forget to set a new strong password for the root database user. Then restart MariaDB:

sudo systemctl restart mariadb

Finally, for security reasons, it is also recommended to rename the default root user to something different. In our case the default root user will be changed to newroot.

mysql -u root -p
mysql> use mysql;
mysql> update user set user="newroot" where user="root";
mysql> flush privileges;
mysql> quit;

Conclusion: In the previous section, we installed and configured our Database Server. We also renamed the default root user to newroot. If you want to tweak your database further, you may want to take a look at the /etc/my.cnf configuration file.

Installing Hiawatha Web Server:

To build Hiawatha Web Server, we need to create a CMake environment, then configure PHP to work with Hiawatha.

  • First, let's download and install CMake:

cd /tmp
sudo wget http://www.cmake.org/files/v3.0/cmake-3.0.2.tar.gz
sudo tar -xvzf cmake-3.0.2.tar.gz
sudo rm -rf cmake-3.0.2.tar.gz
cd cmake-3.0.2/
sudo ./configure
sudo gmake
sudo make install

Note: At the time of this writing the latest version of Cmake was 3.0.2. Feel free to use the latest and current version.

  • Next we will configure PHP to work with Hiawatha:

sudo vim /etc/php.ini

Then set the following line sections to look like so:

;Enabling GZip content encoding
zlib.output_compression = On
zlib.output_compression_level = 6
;Setting the CGI path
cgi.fix_pathinfo = 0
cgi.rfc2616_headers = 1

Save and exit out of the php.ini configuration file.

  • Now we can download and install the latest version of Hiawatha:

cd /tmp
sudo wget http://www.hiawatha-webserver.org/files/hiawatha-9.10.tar.gz
sudo tar -xzvf hiawatha-9.10.tar.gz
cd hiawatha-9.10
sudo ./polarssl/upgrade
sudo mkdir build
cd build
sudo cmake .. -DENABLE_MONITOR=on -DENABLE_XSLT=on -DENABLE_CACHE=ON -DENABLE_RPROXY=ON -DENABLE_TOOLKIT=ON -DENABLE_TOMAHAWK=on -DENABLE_IPV6=ON

If the last command returns an error, try running the following:

sudo /usr/local/bin/cmake .. -DENABLE_MONITOR=on -DENABLE_XSLT=on -DENABLE_CACHE=ON -DENABLE_RPROXY=ON -DENABLE_TOOLKIT=ON -DENABLE_TOMAHAWK=on -DENABLE_IPV6=ON

Then continue with the build:

sudo make
sudo make install/strip
cd /tmp
sudo rm -rf /tmp/hiawatha-9.10.tar.gz
sudo rm -rf /tmp/hiawatha-9.10/

  • Starting and Stopping Hiawatha Web Server:

whereis hiawatha
sudo /usr/local/sbin/hiawatha

Verify that our Hiawatha Web Server is running:

sudo netstat -tulpn | grep :80

Now you can direct your browser to http://serverIpaddress to view the welcome page from Hiawatha.

To stop our Hiawatha Web Server we need the hiawatha PID number. Once we have that, we run a sudo kill -15 command. For example:

sudo kill -15 <hiawatha PID number>

or

sudo kill -15 14219

Where 14219 is our current hiawatha PID number.

  • Hiawatha Useful Commands:

hiawatha -v (Shows version of hiawatha and its dependencies)
hiawatha -k (Checks Config Files)
hiawatha -h (Shows help)

General Conclusion: This marks the end of our tutorial, Essentials on setting up an LHMP Stack. In an upcoming tutorial we will introduce more advanced topics such as creating VirtualHosts, Rewrite Rules, Fast-CGI, and more. So stay tuned!
