svn commit: r54573 - head/en_US.ISO8859-1/books/handbook/network-servers
Tom Rhodes
trhodes at FreeBSD.org
Sun Oct 4 05:07:50 UTC 2020
Author: trhodes
Date: Sun Oct 4 05:07:49 2020
New Revision: 54573
URL: https://svnweb.freebsd.org/changeset/doc/54573
Log:
Update the PHP and SSL subsections of the Apache section.
PR: 240956
Reviewed by: bcr
Sponsored by: https://reviews.freebsd.org/D26386
Modified:
head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml
Modified: head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Sun Oct 4 03:55:59 2020 (r54572)
+++ head/en_US.ISO8859-1/books/handbook/network-servers/chapter.xml Sun Oct 4 05:07:49 2020 (r54573)
@@ -3526,7 +3526,7 @@ freebsd.org. (A)
modules.</para>
<sect3>
- <title><filename>mod_ssl</filename></title>
+ <title>SSL support</title>
<indexterm>
<primary>web servers</primary>
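
Review bot: The replacement title "SSL support" names only the protocol family that the rewritten section then warns against; the body of the section recommends TLS version 1.2 and 1.3. Suggest "SSL/TLS support" for the title so a reader scanning the table of contents for TLS finds it, and consider a TLS indexterm next to the existing SSL one.
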
@@ -3535,19 +3535,59 @@ freebsd.org. (A)
<indexterm><primary>SSL</primary></indexterm>
<indexterm><primary>cryptography</primary></indexterm>
- <para>The <filename>mod_ssl</filename> module uses the
- <application>OpenSSL</application> library to provide strong
- cryptography via the Secure Sockets Layer
- (<acronym>SSLv3</acronym>) and Transport Layer Security
- (<acronym>TLSv1</acronym>) protocols. This module provides
- everything necessary to request a signed certificate from a
- trusted certificate signing authority to run a secure web
- server on &os;.</para>
+ <para>At one in point in time, support for <acronym>SSL</acronym>
+ inside of Apache required a secondary module called
+ <filename>mod_ssl</filename>. This is no longer the case and
+ the default install of Apache comes with <acronym>SSL</acronym>
+ built into the web server. An example of how to enable
+ support for <acronym>SSL</acronym> websites is available
+ in the installed file, <filename>httpd-ssl.conf</filename>
+ inside of the
+ <filename role="directory">/usr/local/etc/apache24/extra</filename>
+ directory. Inside this directory is also a sample file called
+ named <filename>ssl.conf-sample</filename>. It is recommended
+ that both files be evaluated to properly set up secure websites
+ in the Apache web server.</para>
- <para>In &os;, <filename>mod_ssl</filename> module is enabled
- by default in both the package and the port. The available
- configuration directives are explained at <uri
- xlink:href="http://httpd.apache.org/docs/current/mod/mod_ssl.html">http://httpd.apache.org/docs/current/mod/mod_ssl.html</uri>.</para>
+ <para>After the configuration of <acronym>SSL</acronym> is
+ complete, the following line must be uncommented in the main
+ <filename>http.conf</filename> to activate the changes on the
+ next restart or reload of Apache:</para>
+
+ <programlisting>#Include etc/apache24/extra/httpd-ssl.conf</programlisting>
+
+ <warning>
+ <para><acronym>SSL</acronym> version two and version three have
+ known vulnerability issues. It is highly recommended TLS version
+ 1.2 and 1.3 be enabled in place of the older SSL options.
+ This can be accomplished by setting the following options in the
+ <filename>ssl.conf</filename>:</para>
+ </warning>
+
+ <programlisting>SSLProtocol all -SSLv3 -SSLv2 +TLSv1.2 +TLSv1.3
+SSLProxyProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1</programlisting>
+
+ <para>To complete the configuration of <acronym>SSL</acronym>
+ in the web server, uncomment the following line to ensure that
+ the configuration will be pulled into Apache during restart or
+ reload:</para>
+
+ <programlisting># Secure (SSL/TLS) connections
+Include etc/apache24/extra/httpd-ssl.conf</programlisting>
+
+ <para>The following lines must also be uncommented in the
+ <filename>httpd.conf</filename> to fully support
+ <acronym>SSL</acronym> in Apache:</para>
+
+ <programlisting>LoadModule authn_socache_module libexec/apache24/mod_authn_socache.so
+LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so
+LoadModule ssl_module libexec/apache24/mod_ssl.so</programlisting>
+
+ <para>The next step is to work with a certificate authority
+ to have the appropriate certificates installed on the
+ system. This will set up a chain of trust for the site
+ and prevent any warnings of self-signed certificates.</para>
+
</sect3>
<sect3>
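
Review bot: The SSLProtocol line in the new programlisting does not do what the warning above it says. "all -SSLv3 -SSLv2" leaves TLSv1 and TLSv1.1 enabled, and the trailing "+TLSv1.2 +TLSv1.3" adds nothing because "all" already includes them. The SSLProxyProtocol line directly below it does subtract -TLSv1 -TLSv1.1, so the two lines disagree with each other. Suggest "SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1" to match the proxy line and the stated goal. The listing also sits outside the closing warning tag although the warning paragraph ends by introducing it, and it is attributed to ssl.conf, which is neither of the two files named earlier (httpd-ssl.conf and ssl.conf-sample). Smaller points in the same hunk: the main configuration file is written "http.conf" in the second paragraph and httpd.conf later; the Include step is described twice, once showing the commented line and once the uncommented one; the opening paragraph says mod_ssl is no longer required while the last listing asks the reader to uncomment "LoadModule ssl_module libexec/apache24/mod_ssl.so"; and the first paragraph has the typos "At one in point in time" and "called named".
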
@@ -3601,52 +3641,88 @@ freebsd.org. (A)
allowing web developers to write dynamically generated
webpages quickly.</para>
- <para>To gain support for <acronym>PHP</acronym>5 for the
- <application>Apache</application> web server, install the
- <package>www/mod_php56</package> package or port. This will
- install and configure the modules required to support
- dynamic <acronym>PHP</acronym> applications. The
- installation will automatically add this line to
- <filename>/usr/local/etc/apache2<replaceable>4</replaceable>/httpd.conf</filename>:</para>
+ <para>Support for <acronym>PHP</acronym> for
+ <application>Apache</application> and any other feature
+ written in the language, can be added
+ by installing the appropriate port.</para>
- <programlisting>LoadModule php5_module libexec/apache24/libphp5.so</programlisting>
+ <para>For all supported versions, search the package database
+ using <command>pkg</command>. Here is an example of the
+ available <acronym>PHP</acronym> packages as of the time
+ of this writing:</para>
-<!--
-I do not think this is still needed
-AddModule mod_php5.c
- <IfModule mod_php5.c>
- DirectoryIndex index.php index.html
- </IfModule>
- <IfModule mod_php5.c>
- AddType application/x-httpd-php .php
- AddType application/x-httpd-php-source .phps
- </IfModule></programlisting>
+ <screen>&prompt.root; <userinput>pkg search php</userinput></screen>
- -->
+ <para>A list will be displayed including the versions and
+ additional features they provide. The components are
+ completely modular, meaning features are enabled by
+ installing the appropriate port. To install
+ <acronym>PHP</acronym> version 7.4 for Apache, issue
+ the following command:</para>
- <para>Then, perform a graceful restart to load the
- <acronym>PHP</acronym> module:</para>
+ <screen>&prompt.root; <userinput>pkg install mod_php74</userinput></screen>
- <screen>&prompt.root; <userinput>apachectl graceful</userinput></screen>
+ <para>If any dependency packages need to be installed, they will
+ be installed as well.</para>
- <para>The <acronym>PHP</acronym> support provided by
- <package>www/mod_php56</package> is limited. Additional
- support can be installed using the
- <package>lang/php56-extensions</package> port which provides
- a menu driven interface to the available
- <acronym>PHP</acronym> extensions.</para>
+ <para>By default, <acronym>PHP</acronym> will not be
+ enabled. The following lines will need to be added to
+ the Apache configuration file located in
+ <filename role="directory">/usr/local/etc/apache24</filename>
+ to make it active:</para>
- <para>Alternatively, individual extensions can be installed
- using the appropriate port. For instance, to add
- <acronym>PHP</acronym> support for the
- <application>MySQL</application> database server, install
- <package>databases/php56-mysql</package>.</para>
+ <programlisting><FilesMatch "\.php$">
+ SetHandler application/x-httpd-php
+</FilesMatch>
+<FilesMatch "\.phps$">
+ SetHandler application/x-httpd-php-source
+</FilesMatch></programlisting>
- <para>After installing an extension, the
- <application>Apache</application> server must be reloaded to
- pick up the new configuration changes:</para>
+ <para>In addition, the <option>DirectoryIndex</option> in
+ the configuration file will also need to be updated
+ and Apache will either need to be restarted or reloaded
+ for the changes to take effect.</para>
+ <para>Support for many of the <acronym>PHP</acronym>
+ features may also be installed by using
+ <command>pkg</command>. For example, to install
+ support for <acronym>XML</acronym> or
+ <acronym>SSL</acronym>, install their respective
+ ports:</para>
+
+ <screen>&prompt.root; <userinput>pkg install php74-xml php74-openssl</userinput></screen>
+
+ <para>As before, the Apache configuration will need to be
+ reloaded for the changes to take effect, even in cases
+ where it was just a module install.</para>
+
+ <para>To perform a graceful restart to reload the
+ configuration, issue the following command:</para>
+
<screen>&prompt.root; <userinput>apachectl graceful</userinput></screen>
+
+ <para>Once the install is complete, there are two methods of
+ obtaining the installed <acronym>PHP</acronym> support modules
+ and the environmental information of the build. The first is
+ to install the full <acronym>PHP</acronym> binary and running
+ the command to gain the information:</para>
+
+ <screen>&prompt.root; <userinput>pkg install php74</userinput></screen>
+ <screen>&prompt.root; <userinput>php -i |less</userinput></screen>
+
+ <para>It is necessary to pass the output to a pager, such as
+ the <command>more</command> or <command>less</command> to
+ easier digest the amount of output.</para>
+
+ <para>Finally, to make any changes to the global configuration
+ of <acronym>PHP</acronym> there is a well documented file
+ installed into
+ <filename role="directory">/usr/local/etc/php.ini</filename>.
+ At the time of install, this file will not exist because there
+ are two versions to choose from, one is
+ <filename>php.ini-development</filename> and the other is
+ <filename>php.ini-production</filename>. These are starting
+ points to assist administrators in their deployment.</para>
</sect3>
</sect2>
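
Review bot: The second FilesMatch block in the new programlisting maps "\.phps$" to application/x-httpd-php-source with no caveat, and it is presented as required to make PHP active. That handler serves highlighted source to any client that requests a .phps file, which on a production host can disclose credentials or application logic. Suggest presenting only the "\.php$" block as required and describing the .phps block as optional and suited to development systems. Other points in this hunk: the paragraph starting "Once the install is complete" promises two methods of obtaining build information, but only one (installing php74 and running php -i) is given; the DirectoryIndex paragraph says the directive must be updated without showing the value to add; the instruction to add the FilesMatch lines names the directory /usr/local/etc/apache24 but not the file; and /usr/local/etc/php.ini is marked role="directory" although it is a file. The final paragraph could also say outright that one of php.ini-development or php.ini-production has to be copied to php.ini, since it currently describes the file as both installed and not existing.
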