OpenBSD as an E-Commerce Solution With PrestaShop and Apache
Introduction
This tutorial demonstrates OpenBSD as an e-commerce solution using PrestaShop and Apache.
Apache is required because PrestaShop has complex URL rewriting requirements that are not supported by OpenBSD's built-in web server, httpd. This tutorial uses self-signed certificates. Please use a verified certificate for production.
Preparation Tasks
Temporarily create a regular user allowed to use doas without a password. This access will be removed after setup.
user add -c "Example User" -m -G wheel -L staff auser
passwd auser
echo 'permit nopass keepenv :wheel' > /etc/doas.conf
Add the OpenBSD package repository.
echo 'https://cdn.openbsd.org/pub/OpenBSD' > /etc/installurl
Forward daily status and security emails to your address.
echo 'hostmaster@example.com' > /root/.forward
Set the hostname of the server.
echo 'www.example.com' > /etc/myname
hostname www.example.com
Add your server's FQDN and IP address to /etc/hosts. Replace 192.0.2.1 with your Vultr IP address.
127.0.0.1 localhost
::1 localhost
192.0.2.1 www.example.com
Add the required packages for PrestaShop and Apache. Choose the latest versions when prompted.
doas su
pkg_add apache-httpd php php-curl php-gd php-intl php-pdo_mysql php-zip mariadb-client mariadb-server wget unzip
Create a self-signed SSL certificate for testing. Set the Common Name to the FQDN of your server, e.g. www.example.com.
openssl req -x509 -new -nodes -newkey rsa:4096 -keyout /etc/ssl/private/example.com.key -out /etc/ssl/example.com.crt -days 3650 -sha256
chmod 0600 /etc/ssl/private/example.com.key
Download and Extract PrestaShop
Locate the URL for the latest version of PrestaShop, download it to /tmp and extract it to /var/www/htdocs/prestashop.
cd /tmp
wget https://download.prestashop.com/download/releases/prestashop_1.7.6.4.zip
unzip prestashop_1.7.6.4.zip -d /var/www/htdocs/prestashop
chown -R www:www /var/www/htdocs/prestashop
Configure OpenBSD's (pf) Firewall
Configure the firewall to block all inbound traffic except for ssh, www and https.
Make a backup copy of /etc/pf.conf.
cp /etc/pf.conf /etc/pf.conf.bak
Edit /etc/pf.conf as shown.
set skip on lo
block in
pass out
pass in on egress inet proto tcp to port {ssh, www, https} \
flags S/SA keep state
Test and activate the firewall rules.
doas pfctl -nf /etc/pf.conf
doas pfctl -f /etc/pf.conf
Configure OpenSMTPD as an Email Relay
Back up your /etc/mail/smtpd.conf file.
cp /etc/mail/smtpd.conf /etc/mail/smtpd.conf.bak
Edit /etc/mail/smtpd.conf as shown below.
Notes:
- The table definition for secrets holds the username and password for the mail relay.
- The outbound action looks up the username and password under the label prestashop in /etc/mail/secrets and relays the email through your email server.
- tls no-verify disables verification of the relay's certificate, which matches the self-signed setup in this tutorial; remove it once mail.example.com presents a certificate that validates.
table aliases file:/etc/mail/aliases
table secrets file:/etc/mail/secrets
listen on lo0
action "local_mail" mbox alias <aliases>
action "outbound" relay host smtp+tls://prestashop@mail.example.com:587 \
    tls no-verify auth <secrets>
match from local for local action "local_mail"
match from local for any action "outbound"
Create /etc/mail/secrets
Replace the email address and password with the credentials that you use for your email server.
echo "prestashop user@example.com:password" > /etc/mail/secrets
Set permissions to secure /etc/mail/secrets
chmod 0600 /etc/mail/secrets
Test the configuration file for errors and restart the smtpd daemon.
smtpd -n
rcctl restart smtpd
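The secrets file and the certificate's private key are only useful to someone who can read them, so a permission audit is worth keeping around for later changes. The script below is an added example and not part of the original tutorial; it assumes the two paths used above and that the files are owned by root (the owner is a parameter so the check can be exercised on a test machine). It works with both GNU stat and OpenBSD's stat.

```shell
#!/bin/sh
# Added example: confirm credential files are owner-only and owned by the expected user.

file_mode() {
    # Print the permission bits of a file as octal, e.g. 600 or 644.
    # GNU stat answers -c; on OpenBSD that fails and the BSD form is used instead.
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

file_owner() {
    # Print the name of the user owning a file.
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

check_secret_file() {
    # Usage: check_secret_file PATH [OWNER]
    # Returns 0 when PATH exists, is owned by OWNER (default root) and has no
    # group or other permission bits (mode 0600 or stricter); 1 otherwise.
    path=$1
    want_owner=${2:-root}
    if [ ! -f "$path" ]; then
        echo "MISSING  $path"
        return 1
    fi
    mode=$(file_mode "$path")
    owner=$(file_owner "$path")
    status=0
    # The leading 0 makes the shell read the mode as octal; 077 masks group/other.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "TOO OPEN $path (mode $mode, expected 0600)"
        status=1
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "OWNER    $path (owned by $owner, expected $want_owner)"
        status=1
    fi
    [ "$status" -eq 0 ] && echo "OK       $path"
    return "$status"
}

audit_secrets() {
    # Check every credential file created so far in this tutorial (paths assumed
    # from the steps above); returns 1 if any of them fails.
    rc=0
    for f in /etc/mail/secrets /etc/ssl/private/example.com.key; do
        check_secret_file "$f" || rc=1
    done
    return "$rc"
}
```

Run audit_secrets as root after editing any of these files; a non-zero exit means something is readable by other accounts on the host, including the www user that serves PrestaShop.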
Configure the PHP and PHP-FPM Environment
Configure the PHP-FPM process to listen on a TCP socket instead of a UNIX domain socket.
Make the following change to the /etc/php-fpm.conf file.
...
; If using a TCP port, never expose this to a public network.
;listen = /var/www/run/php-fpm.sock
listen = 127.0.0.1:9000
Make some additional changes to the PHP environment in /etc/php-7.3.ini. This file name may change slightly if the version is newer than 7.3. These changes:
- Allow larger files to be uploaded.
- Disable the chrooted environment.
- Configure PHP to send email via sendmail.
; Default Value: not set
;chroot = /var/www
...
; Maximum allowed size for uploaded files.
; http://php.net/upload-max-filesize
upload_max_filesize = 6M
...
; For Unix only. You may supply arguments as well (default: "sendmail -t -i").
; http://php.net/sendmail-path
;sendmail_path =
sendmail_path = /usr/sbin/sendmail -t -i
...
; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
; http://php.net/allow-url-fopen
allow_url_fopen = On
...
; Maximum size of POST data that PHP will accept.
; Its value may be 0 to disable the limit. It is ignored if POST data reading
; is disabled through enable_post_data_reading.
; http://php.net/post-max-size
post_max_size = 12M
Enable the PHP plugins.
cp /etc/php-7.3.sample/* /etc/php-7.3/.
Enable and start the PHP-FPM daemon. The daemon name might be slightly different if the version is newer.
rcctl enable php73_fpm
rcctl start php73_fpm
Configuring MariaDB
MariaDB provides the database backend for PrestaShop. Because MariaDB needs more open files than the default class allows, create a special class in /etc/login.conf.
At the bottom of the file, add the following lines:
mysqld:\
:openfiles-cur=1024:\
:openfiles-max=2048:\
:tc=daemon:
Install MariaDB.
doas su
mysql_install_db
rcctl enable mysqld
rcctl start mysqld
Configure MariaDB security.
mysql_secure_installation
Create the PrestaShop database. Use a strong password.
mysql -u root
CREATE DATABASE prestashop;
GRANT ALL PRIVILEGES ON prestashop.* TO 'prestashop'@'localhost' IDENTIFIED BY 'password123';
FLUSH PRIVILEGES;
EXIT
Configuring Apache
Back up /etc/apache2/httpd2.conf
cp /etc/apache2/httpd2.conf /etc/apache2/httpd2.conf.bak
Make the following changes to /etc/apache2/httpd2.conf, using # to enable and disable modules.
Listen 443
...
LoadModule mpm_event_module /usr/local/lib/apache2/mod_mpm_event.so
#LoadModule mpm_prefork_module /usr/local/lib/apache2/mod_mpm_prefork.so
LoadModule proxy_module /usr/local/lib/apache2/mod_proxy.so
LoadModule proxy_fcgi_module /usr/local/lib/apache2/mod_proxy_fcgi.so
LoadModule ssl_module /usr/local/lib/apache2/mod_ssl.so
LoadModule rewrite_module /usr/local/lib/apache2/mod_rewrite.so
...
ServerAdmin webmaster@example.com
ServerName 192.0.2.1:80
Several more changes in /etc/apache2/httpd2.conf occur towards the bottom of the file. Remove # from the include statements indicated. Add the Virtual Hosts lines last.
# Server-pool management (MPM specific)
Include /etc/apache2/extra/httpd-mpm.conf
...
# Virtual Hosts
IncludeOptional /etc/apache2/sites/*.conf
Create the /etc/apache2/sites
directory.
mkdir /etc/apache2/sites
Create /etc/apache2/sites/example.conf
with the following information:
<VirtualHost *:80>
ServerName example.com
ServerAlias www.example.com
ServerAdmin webmaster@example.com
DocumentRoot "/var/www/htdocs/prestashop"
<Directory "/var/www/htdocs/prestashop">
Options -Indexes +Multiviews +FollowSymLinks
AllowOverride All
<Limit GET POST OPTIONS>
</Limit>
Require all granted
</Directory>
</VirtualHost>
<VirtualHost *:443>
ServerName example.com
ServerAlias www.example.com
ServerAdmin webmaster@example.com
DocumentRoot "/var/www/htdocs/prestashop"
<Directory "/var/www/htdocs/prestashop">
Options -Indexes +Multiviews +FollowSymLinks
AllowOverride All
<Limit GET POST OPTIONS>
</Limit>
Require all granted
</Directory>
SSLEngine On
SSLCertificateFile "/etc/ssl/example.com.crt"
SSLCertificateKeyFile "/etc/ssl/private/example.com.key"
SSLCipherSuite HIGH:!aNULL
</VirtualHost>
Configure Apache's proxy module by adding the following to /etc/apache2/sites/example.conf
<IfModule proxy_module>
<IfModule dir_module>
DirectoryIndex index.php
</IfModule>
<FilesMatch "\.php$">
SetHandler "proxy:fcgi://127.0.0.1:9000"
</FilesMatch>
</IfModule>
Test the configuration, then enable and start Apache.
apachectl configtest
rcctl enable apache2
rcctl start apache2
Ensure that Apache is listening on ports 80 and 443.
netstat -ln -finet
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp 0 0 *.443 *.* LISTEN
tcp 0 0 127.0.0.1.25 *.* LISTEN
tcp 0 0 *.22 *.* LISTEN
tcp 0 0 *.80 *.* LISTEN
tcp 0 0 127.0.0.1.3306 *.* LISTEN
tcp 0 0 127.0.0.1.9000 *.* LISTEN
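The listing above is also the place to confirm that the internal services stayed internal: MariaDB (3306) and PHP-FPM (9000) must remain bound to 127.0.0.1, and only ssh, www and https may listen on all addresses, matching the pf rule earlier. The script below is an added example and not part of the original tutorial. It checks the active listen directive in php-fpm.conf against the "never expose this to a public network" comment, and parses netstat output in the format shown (the embedded sample is copied from the listing above) to report any wildcard listener outside that allowlist.

```shell
#!/bin/sh
# Added example: confirm only the planned services are reachable from the network.

# Ports allowed to listen on every address: the same set the pf rule passes in.
PUBLIC_PORTS="22 80 443"

# Sample listing copied from the tutorial output above (constructed input for the check).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp 0 0 *.443 *.* LISTEN
tcp 0 0 127.0.0.1.25 *.* LISTEN
tcp 0 0 *.22 *.* LISTEN
tcp 0 0 *.80 *.* LISTEN
tcp 0 0 127.0.0.1.3306 *.* LISTEN
tcp 0 0 127.0.0.1.9000 *.* LISTEN'

check_listeners() {
    # Usage: check_listeners < netstat_output   (live: netstat -ln -finet | check_listeners)
    # Reads BSD netstat output, prints one line per TCP listener bound to all
    # addresses (*) whose port is not in PUBLIC_PORTS, and returns 1 if any was found.
    awk -v allow="$PUBLIC_PORTS" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "tcp" && $NF == "LISTEN" {
            # Local Address is host.port; the port is the text after the last dot.
            port = $4; sub(/.*\./, "", port)
            host = $4; sub(/\.[^.]*$/, "", host)
            if (host == "*" && !(port in ok)) {
                printf "EXPOSED port %s listens on all addresses\n", port
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }'
}

check_fpm_listen() {
    # Usage: check_fpm_listen /etc/php-fpm.conf
    # Returns 0 when the active (uncommented) listen directive is a UNIX socket
    # path or a 127.0.0.1 address, 1 when it points anywhere else or is missing.
    # Commented lines start with ";" and are skipped by the anchored pattern.
    value=$(sed -n 's/^[[:space:]]*listen[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    case "$value" in
        /*|127.0.0.1:*) return 0 ;;
        "")  echo "no listen directive in $1"; return 1 ;;
        *)   echo "php-fpm listens on $value, expected 127.0.0.1:PORT or a socket path"; return 1 ;;
    esac
}
```

On the server itself, run `check_fpm_listen /etc/php-fpm.conf && netstat -ln -finet | check_listeners`; both return non-zero with an explanation if a service has drifted onto a public address, which makes the pair suitable for a daily cron check.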
Install PrestaShop
Browse to your website at http://www.example.com. The PrestaShop install wizard will launch.
Once you complete the install, take note of the store front and administrative links and delete the directory /var/www/htdocs/prestashop/install.
Enable SSL.
- Click Shop Parameters
- Click General
- Enable SSL for all parts of your store
Change your administrative password.
- Click Advanced Parameters
- Click Team
- Change your password.
Some Final Tasks
Backup your store and its database:
cd /var/www/htdocs
doas tar cvfz /home/auser/prestashop.tar.gz prestashop/
doas mysqldump -u prestashop -p prestashop | gzip -4 > /home/auser/prestashop.sql.gz
doas chown auser:auser /home/auser/prestashop*
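The archive produced above contains app/config/parameters.php, which holds the database credentials, so it deserves the same owner-only permissions as the secrets file, and a checksum lets you confirm the archive is intact long before you need to restore it. The script below is an added example, not part of the original tutorial; it assumes the same source directory and mysqldump invocation as above, a destination directory you choose, and whichever SHA-256 tool the platform provides (sha256sum on Linux, sha256 on OpenBSD).

```shell
#!/bin/sh
# Added example: owner-only backups with an integrity checksum.

sha256_of() {
    # Print the SHA-256 of a file using whichever tool the platform has.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        sha256 -q "$1"
    fi
}

backup_tree() {
    # Usage: backup_tree SRC_DIR DEST_DIR   -> prints the archive path
    # Creates DEST_DIR/<name>-<date>.tar.gz plus a .sha256 sidecar. The umask in
    # the subshell makes both files mode 0600 without touching the caller's umask.
    src=$1
    dest=$2
    name=$(basename "$src")
    archive="$dest/$name-$(date +%Y%m%d).tar.gz"
    (
        umask 077
        tar czf "$archive" -C "$(dirname "$src")" "$name" &&
        sha256_of "$archive" > "$archive.sha256"
    ) || return 1
    echo "$archive"
}

backup_database() {
    # Usage: backup_database DB_NAME DB_USER DEST_DIR   -> prints the dump path
    # Same mysqldump call as the tutorial (prompts for the password), but the dump
    # is written to a file first so a failed mysqldump is not masked by gzip.
    dump="$3/$1-$(date +%Y%m%d).sql"
    (
        umask 077
        mysqldump -u "$2" -p "$1" > "$dump" && gzip -4 "$dump" &&
        sha256_of "$dump.gz" > "$dump.gz.sha256"
    ) || return 1
    echo "$dump.gz"
}

verify_backup() {
    # Usage: verify_backup ARCHIVE
    # Returns 0 only if the gzip stream is intact and the checksum sidecar matches.
    archive=$1
    gzip -t "$archive" 2>/dev/null || { echo "corrupt gzip: $archive"; return 1; }
    [ -f "$archive.sha256" ] || { echo "missing checksum: $archive.sha256"; return 1; }
    expected=$(cat "$archive.sha256")
    actual=$(sha256_of "$archive")
    if [ "$expected" != "$actual" ]; then
        echo "checksum mismatch: $archive"
        return 1
    fi
    echo "OK: $archive"
}
```

On the server: `backup_tree /var/www/htdocs/prestashop /home/auser` and `backup_database prestashop prestashop /home/auser`, then `verify_backup` on each path printed. Keep the .sha256 sidecars with the archives when you copy them off the host, so the check can be repeated at the destination.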
Remove doas access for your user account by recreating the doas.conf file.
echo 'permit keepenv :wheel' > /etc/doas.conf