Month: January 2025

MariaDB – Multithreaded SQL Database Server/Client

MariaDB – Multithreaded SQL Database Server/Client

Last Updated on 2025-02-03 22:53 by Sture

Description:

MariaDB is a database server that offers drop-in replacement functionality for MySQL. MariaDB is built by some of the original authors of MySQL, with assistance from the broader community of Free and open-source software developers. In addition to the core functionality of MySQL, MariaDB offers a rich set of feature enhancements, including alternate storage engines, server optimizations, and patches.

Developers primarily drive MariaDB at Monty Program, a company founded by Michael “Monty” Widenius, the original author of MySQL, but this is not the whole story about MariaDB. On the “About MariaDB” page, you will find more information about all participants in the MariaDB community, including storage engines XtraDB and PBXT.

WWW: https://mariadb.org/.

Creat ZFS datasets for MariaDB databas storage

One area that definitely needs Specialized Tuning is when you create a ZFS mount specifically for a database.

N.B.: This should be done on a new MariaDB install. It is assumed mySQL has never run on this machine, so the data directories are not populated (on FreeBSD, the first run of mySQL creates the data files. If you have run it, back up any data, then:

### WARNING!, WARNING!, WARNING ###
This will delete any existing databases!

user@freebsdsrv:~ $ sudo rm -fR /var/db/mysql/* [enter]
user@freebsdsrv:~ $

Create ZFS datasets for MariaDB with:

user@freebsdsrv:~ $ sudo zfs create zroot/db ; sudo zfs create zroot/db/logs ; sudo zfs create zroot/db/innodb ; sudo zfs create zroot/db/myisam [enter]
user@freebsdsrv:~ $

Set global ZFS paraemters with:

user@freebsdsrv:~ $ sudo zfs set zfs:zfs_nocacheflush=1 zroot/db [enter]
user@freebsdsrv:~ $
user@freebsdsrv:~ $ sudo zfs set setuid=off zroot/db [enter]
user@freebsdsrv:~ $
user@freebsdsrv:~ $ sudo zfs set primarycache=metadata zroot/db [enter]
user@freebsdsrv:~ $
user@freebsdsrv:~ $ sudo zfs set atime=off zroot/db [enter]
user@freebsdsrv:~ $
user@freebsdsrv:~ $ sudo zfs set sync=disabled zroot/db [enter]
user@freebsdsrv:~ $
user@freebsdsrv:~ $ sudo zfs set compression=off zroot/db [enter]
user@freebsdsrv:~ $
user@freebsdsrv:~ $ sudo zfs set logbias=throughput zroot/db [enter]
user@freebsdsrv:~ $

Set individual parameters (blocksizes) with:

user@freebsdsrv:~ $ sudo zfs set recordsize=16k zroot/db/innodb [enter]
user@freebsdsrv:~ $
user@freebsdsrv:~ $ sudo zfs set recordsize=128k zroot/db/logs [enter]
user@freebsdsrv:~ $
user@freebsdsrv:~ $ sudo zfs set recordsize=8k zroot/db/myisam [enter]
user@freebsdsrv:~ $

Create directories, set the mount points and then set ownership with:

user@freebsdsrv:~ $ sudo mkdir /var/log/mysql [enter]
user@freebsdsrv:~ $
user@freebsdsrv:~ $ sudo zfs set mountpoint=/var/log/mysql zroot/db/logs [enter]
user@freebsdsrv:~ $
user@freebsdsrv:~ $ sudo mkdir /var/db/mysql [enter]
user@freebsdsrv:~ $
user@freebsdsrv:~ $ sudo zfs set mountpoint=/var/db/mysql zroot/db/myisam [enter]
user@freebsdsrv:~ $
user@freebsdsrv:~ $ sudo mkdir /var/db/mysql-innodb [enter]
user@freebsdsrv:~ $
user@freebsdsrv:~ $ sudo zfs set mountpoint=/var/db/mysql-innodb zroot/db/innodb [enter]
user@freebsdsrv:~ $

To start the MariaDB Server on system boot:

user@freebsdsrv:~ $ sudo sysrc mysql_enable="YES" [enter]
mysql_enable:  -> YES
user@freebsdsrv:~ $

Installation

Search for “mariadb” in the remote package repositories with:

user@freebsdsrv:~ $ pkg search mariadb1 [enter]
mariadb1011-client-10.11.10_1  Multithreaded SQL database (client)
mariadb1011-server-10.11.10_1  Multithreaded SQL database (server)
mariadb105-client-10.5.27      Multithreaded SQL database (client)
mariadb105-server-10.5.27      Multithreaded SQL database (server)
mariadb106-client-10.6.20      Multithreaded SQL database (client)
mariadb106-server-10.6.20      Multithreaded SQL database (server)
mariadb114-client-11.4.4       Multithreaded SQL database (client)
mariadb114-server-11.4.4       Multithreaded SQL database (server)
user@freebsdsrv:~ $

In this example, mariadb114-server and mariadb114-client will be installed with;

user@freebsdsrv:~ $ sudo pkg install -y mariadb114-server mariadb114-client [enter]
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 10 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	bash: 5.2.37
	boost-libs: 1.85.0
	galera26: 26.4.16_3
	icu: 74.2_1,1
	libfmt: 10.2.1
	mariadb114-client: 11.4.3
	mariadb114-server: 11.4.3
	rsync: 3.3.0
	unixODBC: 2.3.12_1
	xxhash: 0.8.2_1

Number of packages to be installed: 10

The process will require 591 MiB more space.
82 MiB to be downloaded.
[1/10] Fetching galera26-26.4.16_3.pkg: 100%  908 KiB 929.6kB/s    00:01    
[2/10] Fetching boost-libs-1.85.0.pkg: 100%   15 MiB  15.2MB/s    00:01    
[3/10] Fetching unixODBC-2.3.12_1.pkg: 100%  547 KiB 559.9kB/s    00:01    
[4/10] Fetching mariadb114-server-11.4.3.pkg: 100%   49 MiB  51.3MB/s    00:01    
[5/10] Fetching icu-74.2_1,1.pkg: 100%   13 MiB  13.2MB/s    00:01    
[6/10] Fetching xxhash-0.8.2_1.pkg: 100%   92 KiB  93.9kB/s    00:01    
[7/10] Fetching bash-5.2.37.pkg: 100%    2 MiB   1.8MB/s    00:01    
[8/10] Fetching mariadb114-client-11.4.3.pkg: 100%    3 MiB   2.9MB/s    00:01    
[9/10] Fetching rsync-3.3.0.pkg: 100%  396 KiB 405.7kB/s    00:01    
[10/10] Fetching libfmt-10.2.1.pkg: 100%  178 KiB 182.2kB/s    00:01    
Checking integrity... done (0 conflicting)
[1/10] Installing icu-74.2_1,1...
[1/10] Extracting icu-74.2_1,1: 100%
[2/10] Installing boost-libs-1.85.0...
[2/10] Extracting boost-libs-1.85.0: 100%
[3/10] Installing xxhash-0.8.2_1...
[3/10] Extracting xxhash-0.8.2_1: 100%
[4/10] Installing libfmt-10.2.1...
[4/10] Extracting libfmt-10.2.1: 100%
[5/10] Installing galera26-26.4.16_3...
[5/10] Extracting galera26-26.4.16_3: 100%
[6/10] Installing unixODBC-2.3.12_1...
[6/10] Extracting unixODBC-2.3.12_1: 100%
[7/10] Installing bash-5.2.37...
[7/10] Extracting bash-5.2.37: 100%
[8/10] Installing mariadb114-client-11.4.3...
===> Creating groups
Creating group 'mysql' with gid '88'
===> Creating users
Creating user 'mysql' with uid '88'
===> Creating homedir(s)
[8/10] Extracting mariadb114-client-11.4.3: 100%
[9/10] Installing rsync-3.3.0...
[9/10] Extracting rsync-3.3.0: 100%
[10/10] Installing mariadb114-server-11.4.3...
===> Creating groups
Using existing group 'mysql'
===> Creating users
Using existing user 'mysql'
===> Creating homedir(s)
[10/10] Extracting mariadb114-server-11.4.3: 100%
=====
Message from boost-libs-1.85.0:

--
You have built the Boost library with thread support.

Don't forget to add -pthread to your linker options when
linking your code.
=====
Message from galera26-26.4.16_3:

--
Find the Galera Cluster documentation at
https://galeracluster.com/library/documentation/index.html
=====
Message from mariadb114-client-11.4.3:

--
MariaDB respects hier(7) and doesn't check /etc and /etc/mysql for
my.cnf. Please move existing my.cnf files from those paths to
/usr/local/etc/mysql or /usr/local/etc. Sample
configuration files are provided in /usr/local/etc/mysql
and /usr/local/etc/mysql/conf.d.
The rc(8) script no longer uses /var/db/mysql/my.cnf for configuration
nor /var/db/mysql for logs and PID-file.

This port does NOT include the mytop perl script, this is included in
the MariaDB tarball but the most recent version can be found in the
databases/mytop port

%%WSREP%%The Using wsrep clustering requires additional configuration.
%%WSREP%%Edit /usr/local/etc/mysql/conf.d/wsrep.conf and change what you need there.

The hashicorp_key_management, s3 and spider plugins must be enabled
before they can be used, check the specific .cnf files in /usr/local/etc/mysql/conf.d/
=====
Message from rsync-3.3.0:

--
Some scripts provided by rsync, such as rrsync,
require Python, which is not installed by default.
=====
Message from mariadb114-server-11.4.3:

--
MariaDB respects hier(7) and doesn't check /etc and /etc/mysql for
my.cnf. Please move existing my.cnf files from those paths to
/usr/local/etc/mysql or /usr/local/etc. Sample
configuration files are provided in /usr/local/etc/mysql
and /usr/local/etc/mysql/conf.d.
The rc(8) script no longer uses /var/db/mysql/my.cnf for configuration
nor /var/db/mysql for logs and PID-file.

This port does NOT include the mytop perl script, this is included in
the MariaDB tarball but the most recent version can be found in the
databases/mytop port

The Using wsrep clustering requires additional configuration.
Edit /usr/local/etc/mysql/conf.d/wsrep.conf and change what you need there.

The hashicorp_key_management, s3 and spider plugins must be enabled
before they can be used, check the specific .cnf files in /usr/local/etc/mysql/conf.d/
user@freebsdsrv:~ $

Change owner on MaraDB directories with:

user@freebsdsrv:~ $ sudo chown mysql:mysql /var/log/mysql ; sudo chown mysql:mysql /var/db/mysql ; sudo chown mysql:mysql /var/db/mysql-innodb [enter]
user@freebsdsrv:~ $

Initialize the MariaDB data directory and sart the MySQL server with:

user@freebsdsrv:~ $ sudo service mysql-server start [enter]
Installing MariaDB/MySQL system tables in './data' ...
OK

To start mariadbd at boot time you have to copy
support-files/mariadb.service to the right place for your system


Two all-privilege accounts were created.
One is root@localhost, it has no password, but you need to
be system 'root' user to connect. Use, for example, sudo mysql
The second is mysql@localhost, it has no password either, but
you need to be the system 'mysql' user to connect.
After connecting you can set the password, if you would need to be
able to connect as any of these users with a password and without sudo

See the MariaDB Knowledgebase at https://mariadb.com/kb

You can start the MariaDB daemon with:
cd '/usr/local' ; /usr/local/bin/mariadbd-safe --datadir='./data'

You can test the MariaDB daemon with mariadb-test-run.pl
cd '/usr/local/' ; perl mariadb-test-run.pl

Please report any problems at https://mariadb.org/jiraThe latest information about MariaDB is available at https://mariadb.org/.

Consider joining MariaDB's strong and vibrant community:
https://mariadb.org/get-involved/
user@freebsdsrv:~ $

Verify status with:

user@freebsdsrv:~ $ sudo service mysql-server status [enter]
mysql is running as pid 14018.
user@freebsdsrv:~ $

Set MariaDB server root password with:

user@freebsdsrv:~ $ sudo /usr/local/bin/mariadb-admin -u root password 'DBrootPassWd' [enter]
user@freebsdsrv:~ $

Confirm that the MariaDB service is up and running by checking its status with:

user@freebsdsrv:~ $ sudo service mysql-server status [enter]
mysql is running as pid 6971.
user@freebsdsrv:~ $

Display file /var/log/mysql/mysqld.err with:

user@freebsdsrv:~ $ sudo cat /var/log/mysql/mysqld.err [enter]
2025-02-03 22:42:02 0 [Warning] 'wsrep-causal-reads' was removed. It does nothing now and exists only for compatibility with old my.cnf files.
2025-02-03 22:42:05 0 [Note] Starting MariaDB 11.4.4-MariaDB source revision e9a502df08bad16aa8a354e854f3c014b1380e32 server_uid DByzGKgo5W7evv3aCV6HD1tucBU= as process 14018
2025-02-03 22:42:05 0 [Note] InnoDB: Compressed tables use zlib 1.3.1
2025-02-03 22:42:05 0 [Note] InnoDB: Number of transaction pools: 1
2025-02-03 22:42:05 0 [Note] InnoDB: Using crc32 + pclmulqdq instructions
2025-02-03 22:42:05 0 [Note] InnoDB: Initializing buffer pool, total size = 128.000MiB, chunk size = 2.000MiB
2025-02-03 22:42:05 0 [Note] InnoDB: Completed initialization of buffer pool
2025-02-03 22:42:06 0 [Note] InnoDB: End of log at LSN=47907
2025-02-03 22:42:06 0 [Note] InnoDB: Opened 3 undo tablespaces
2025-02-03 22:42:06 0 [Note] InnoDB: 128 rollback segments in 3 undo tablespaces are active.
2025-02-03 22:42:06 0 [Note] InnoDB: Setting file './ibtmp1' size to 12.000MiB. Physically writing the file full; Please wait ...
2025-02-03 22:42:06 0 [Note] InnoDB: File './ibtmp1' size is now 12.000MiB.
2025-02-03 22:42:06 0 [Note] InnoDB: log sequence number 47907; transaction id 16
2025-02-03 22:42:06 0 [Note] InnoDB: Loading buffer pool(s) from /var/db/mysql/ib_buffer_pool
2025-02-03 22:42:06 0 [Note] Plugin 'FEEDBACK' is disabled.
2025-02-03 22:42:06 0 [Note] Plugin 'wsrep-provider' is disabled.
2025-02-03 22:42:06 0 [Warning] 'wsrep-causal-reads' was removed. It does nothing now and exists only for compatibility with old my.cnf files.
2025-02-03 22:42:06 0 [Warning] 'wsrep-causal-reads' was removed. It does nothing now and exists only for compatibility with old my.cnf files.
2025-02-03 22:42:06 0 [Note] InnoDB: Buffer pool(s) load completed at 250203 22:42:06
2025-02-03 22:42:09 0 [Note] Server socket created on IP: '0.0.0.0'.
2025-02-03 22:42:09 0 [Note] mariadbd: Event Scheduler: Loaded 0 events
2025-02-03 22:42:09 0 [Note] /usr/local/libexec/mariadbd: ready for connections.
Version: '11.4.4-MariaDB'  socket: '/var/run/mysql/mysql.sock'  port: 3306  FreeBSD Ports

Harden the MariaDB database server with:

user@freebsdsrv:~ $ sudo mariadb-secure-installation [enter]

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
haven't set the root password yet, you should just press enter here.

Enter current password for root (enter for none): <--DBrootPassWd [enter]
OK, successfully used password, moving on...

Setting the root password or using the unix_socket ensures that nobody
can log into the MariaDB root user without the proper authorisation.

You already have your root account protected, so you can safely answer 'n'.

Switch to unix_socket authentication [Y/n] [enter]
Enabled successfully!
Reloading privilege tables..
 ... Success!


You already have your root account protected, so you can safely answer 'n'.

Change the root password? [Y/n] n [enter]
 ... skipping.

By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] [enter]
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] [enter]
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] [enter]
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] [enter]
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!
user@freebsdsrv:~ $

Access MariaDB using the root user:

user@freebsdsrv:~ $ sudo mysql -u root -p [enter]
Enter password: <-- DBrootPassWd [enter]
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 11.4.4-MariaDB FreeBSD Ports

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

root@localhost [(none)]>

Exit MariaDB root with:

root@localhost [(none)]> exit [enter]
Bye
user@freebsdsrv:~ $

Lists open Internet or UNIX domain sockets MariaDB service binds to with:

user@freebsdsrv:~ $ sockstat | grep 3306 [enter]
mysql    mariadbd   43037 24  tcp4   *:3306                *:*
user@freebsdsrv:~ $

To prevent remote access to MariaDB, we must make sure that the daemon of MariaDB only listens to the localhost with:

user@freebsdsrv:~ $ sudo sysrc mysql_args="--bind-address=127.0.0.1" [enter]
mysql_args:  -> --bind-address=127.0.0.1
user@freebsdsrv:~ $
user@freebsdsrv:~ $ sudo service mysql-server restart [enter]
Stopping mysql.
Waiting for PIDS: 51757.
Starting mysql.
user@freebsdsrv:~ $

Lists open Internet or UNIX domain sockets MariaDB service binds to with:

user@freebsdsrv:~ $ sockstat | grep 3306 [enter]
mysql    mariadbd   50299 24  tcp4   127.0.0.1:3306        *:*
user@freebsdsrv:~ $

Test MariaDB on FreeBSD

Test the connectivity to the databases with:

user@freebsdsrv:~ $ sudo mysql -u root -p -e "show databases" [enter]
Enter password: DBrootPassWd [enter]
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
user@freebsdsrv:~ $
Apache – PHP-FPM (FastCGI Process Manager)

Apache – PHP-FPM (FastCGI Process Manager)

Last Updated on 2025-02-03 22:12 by Sture

Consider switching to php-fpm and mod_fast_cgi as per Apache httpd project
recommendation. See https://cwiki.apache.org/confluence/display/HTTPD/PHP-FPM

Requirement:

Prevent PHP from running arbitrary code by mistake with:

user@freebsdsrv:~ $ sudo sed -i -e 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/g' /usr/local/etc/php.ini && cat /usr/local/etc/php.ini | grep "fix_pathinfo=" [enter]
cgi.fix_pathinfo=0
user@freebsdsrv:~ $

PHP-FPM (FastCGI Process Manager) is a web tool used to speed up a website’s performance. It is much faster than traditional CGI-based methods and can handle tremendous loads simultaneously.

View the installed PHP-FPM version on your server.

user@freebsdsrv:~ $ php-fpm -v [enter]
PHP 8.3.15 (fpm-fcgi) (built: Jan 30 2025 02:19:24)
Copyright (c) The PHP Group
Zend Engine v4.3.15, Copyright (c) Zend Technologies
    with Zend OPcache v8.3.15, Copyright (c), by Zend Technologies
user@freebsdsrv:~ $

Enable the PHP-FPM service to start automatically at boot time.

user@freebsdsrv:~ $ sudo sysrc php_fpm_enable="YES" [enter]
php_fpm_enable:  -> YES
user@freebsdsrv:~ $

Configure PHP-FPM to use a UNIX socket instead of a TCP with:

user@freebsdsrv:~ $ sudo sed -i -e 's/127.0.0.1:9000/\/var\/run\/php-fpm.sock/g' /usr/local/etc/php-fpm.d/www.conf && cat /usr/local/etc/php-fpm.d/www.conf | grep "php-fpm.sock" [enter]
listen = /var/run/php-fpm.sock
user@freebsdsrv:~ $

Set permissions for use of the UNIX socket with:

user@freebsdsrv:~ $ sudo sed -i -e 's/;listen.owner/listen.owner/g' /usr/local/etc/php-fpm.d/www.conf && cat /usr/local/etc/php-fpm.d/www.conf | grep "listen.owner =" [enter]
listen.owner = www
user@freebsdsrv:~ $
user@freebsdsrv:~ $ sudo sed -i -e 's/;listen.group/listen.group/g' /usr/local/etc/php-fpm.d/www.conf && cat /usr/local/etc/php-fpm.d/www.conf | grep "listen.group =" [enter]
listen.group = www
user@freebsdsrv:~ $
user@freebsdsrv:~ $ sudo sed -i -e 's/;listen.mode/listen.mode/g' /usr/local/etc/php-fpm.d/www.conf && cat /usr/local/etc/php-fpm.d/www.conf | grep "listen.mode =" [enter]
listen.mode = 0660
user@freebsdsrv:~ $

Display the changed settings in with:

user@freebsdsrv:~ $ head -n 60 /usr/local/etc/php-fpm.d/www.conf [enter]
; Start a new pool named 'www'.
; the variable $pool can be used in any directive and will be replaced by the
; pool name ('www' here)
[www]

; Per pool prefix
; It only applies on the following directives:
; - 'access.log'
; - 'slowlog'
; - 'listen' (unixsocket)
; - 'chroot'
; - 'chdir'
; - 'php_values'
; - 'php_admin_values'
; When not set, the global prefix (or /usr/local) applies instead.
; Note: This directive can also be relative to the global prefix.
; Default Value: none
;prefix = /path/to/pools/$pool

; Unix user/group of the child processes. This can be used only if the master
; process running user is root. It is set after the child process is created.
; The user and group can be specified either by their name or by their numeric
; IDs.
; Note: If the user is root, the executable needs to be started with
;       --allow-to-run-as-root option to work.
; Default Values: The user is set to master process running user by default.
;                 If the group is not set, the user's group is used.
user = www
group = www

; The address on which to accept FastCGI requests.
; Valid syntaxes are:
;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific IPv4 address on
;                            a specific port;
;   '0.0.0.0:port'         - to listen on a TCP socket to all IPv4 addresses on
;                            a specific port;
;   '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
;                            a specific port;
;   'port'                 - to listen on a TCP socket to all addresses
;                            (IPv6 and IPv4-mapped) on a specific port;
;                            Note: IPv4-mapped addresses are disabled by-default in
;                                  FreeBSD for security reasons;
;   '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
listen = /var/run/php-fpm.sock

; Set listen(2) backlog.
; Default Value: 511 (-1 on Linux, FreeBSD and OpenBSD)
;listen.backlog = 511

; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions. The owner
; and group can be specified either by name or by their numeric IDs.
; Default Values: Owner is set to the master process running user. If the group
;                 is not set, the owner's group is used. Mode is set to 0660.
listen.owner = www
listen.group = www
listen.mode = 0660

user@freebsdsrv:~ $

N.B.: Critical settings are displayed in bold!

Start PHP-FPM

Start the PHP-FPM service with:

user@freebsdsrv:~ $ sudo service php_fpm start [enter]
Performing sanity check on php-fpm configuration:
[09-Aug-2024 23:20:44] NOTICE: configuration file /usr/local/etc/php-fpm.conf test is successful
Starting php_fpm.
user@freebsdsrv:~ $

..and then restart Nginx so it loads the latest configuration changes incorporating the PHP module:

Configure Apache to load the socache_shmcb modules, uncomment the line, LoadModule proxy_module libexec/apache24/mod_proxy.so and verify the change with:

user@freebsdsrv:~ $ sudo sed -i -e '/mod_proxy.so/s/#LoadModule/LoadModule/' /usr/local/etc/apache24/httpd.conf ; cat /usr/local/etc/apache24/httpd.conf | grep "mod_proxy.so" [enter]
LoadModule proxy_module libexec/apache24/mod_proxy.so
user@freebsdsrv:~ $

Configure Apache to load the mod_proxy_fcgi.so, uncomment the line, LoadModule proxy_module libexec/apache24/mod_proxy_fcgi.so and verify the change with:

user@freebsdsrv:~ $ sudo sed -i -e '/mod_proxy_fcgi.so/s/#LoadModule/LoadModule/' /usr/local/etc/apache24/httpd.conf ; cat /usr/local/etc/apache24/httpd.conf | grep "mod_proxy_fcgi.so" [enter]
LoadModule proxy_module libexec/apache24/mod_proxy_fcgi.so
user@freebsdsrv:~ $
user@freebsdsrv:~ $ sudo ee /usr/local/etc/apache24/Includes/php.conf [enter]

…and update as in thi example:

<IfModule dir_module>
         DirectoryIndex index.php index.html
         <FilesMatch "\.php$">
                SetHandler "proxy:unix:/var/run/php-fpm.sock|fcgi://127.0.0.1/"
         </FilesMatch>
         <FilesMatch "\.phps$">
                SetHandler application/x-httpd-php-source
         </FilesMatch>
</IfModule>
user@freebsdsrv:~ $ sudo service apache24 restart [enter]
Performing sanity check on apache24 configuration:
Syntax OK
Stopping apache24.
Waiting for PIDS: 42550.
Performing sanity check on apache24 configuration:
Syntax OK
Starting apache24.
user@freebsdsrv:~ $

Verify Configuration

In order to check that the configuration changes have been applied you’ll run some tests. The first one will check what multi-processing module Apache HTTP is using. The second will verify that PHP is using the FPM manager.

Check the Apache HTTP server by running the following command:

user@freebsdsrv:~ $ sudo apachectl -M | grep 'mpm' [enter]
mpm_event_module (shared)
user@freebsdsrv:~ $

Repeat the same for the proxy module and FastCGI:

user@freebsdsrv:~ $ sudo apachectl -M | grep 'proxy' [enter]
proxy_module (shared)
proxy_fcgi_module (shared)
user@freebsdsrv:~ $

To see the entire list of the modules, you can remove the the second part of the command after -M.

Display open PHP-FPM sockets with:

user@freebsdsrv:~ $ sudo sockstat | grep "php-fpm" [enter]
www      php-fpm     1995 9   stream /var/run/php-fpm.sock
www      php-fpm     1994 9   stream /var/run/php-fpm.sock
root     php-fpm     1993 5   stream -> [1993 7]
root     php-fpm     1993 7   stream -> [1993 5]
root     php-fpm     1993 8   stream /var/run/php-fpm.sock
user@freebsdsrv:~ $

Test the FPM configuration file and display the configuration with:

user@freebsdsrv:~ $ sudo php-fpm -tt [enter]
[09-Aug-2024 23:23:29] NOTICE: [global]
[09-Aug-2024 23:23:29] NOTICE: 	pid = /var/run/php-fpm.pid
[09-Aug-2024 23:23:29] NOTICE: 	error_log = /var/log/php-fpm.log
[09-Aug-2024 23:23:29] NOTICE: 	syslog.ident = php-fpm
[09-Aug-2024 23:23:29] NOTICE: 	syslog.facility = 24
[09-Aug-2024 23:23:29] NOTICE: 	log_buffering = yes
[09-Aug-2024 23:23:29] NOTICE: 	log_level = unknown value
[09-Aug-2024 23:23:29] NOTICE: 	log_limit = 1024
[09-Aug-2024 23:23:29] NOTICE: 	emergency_restart_interval = 0s
[09-Aug-2024 23:23:29] NOTICE: 	emergency_restart_threshold = 0
[09-Aug-2024 23:23:29] NOTICE: 	process_control_timeout = 0s
[09-Aug-2024 23:23:29] NOTICE: 	process.max = 0
[09-Aug-2024 23:23:29] NOTICE: 	process.priority = undefined
[09-Aug-2024 23:23:29] NOTICE: 	daemonize = yes
[09-Aug-2024 23:23:29] NOTICE: 	rlimit_files = 0
[09-Aug-2024 23:23:29] NOTICE: 	rlimit_core = 0
[09-Aug-2024 23:23:29] NOTICE: 	events.mechanism = kqueue
[09-Aug-2024 23:23:29] NOTICE:  
[09-Aug-2024 23:23:29] NOTICE: [www]
[09-Aug-2024 23:23:29] NOTICE: 	prefix = undefined
[09-Aug-2024 23:23:29] NOTICE: 	user = www
[09-Aug-2024 23:23:29] NOTICE: 	group = www
[09-Aug-2024 23:23:29] NOTICE: 	listen = /var/run/php-fpm.sock
[09-Aug-2024 23:23:29] NOTICE: 	listen.backlog = -1
[09-Aug-2024 23:23:29] NOTICE: 	listen.owner = www
[09-Aug-2024 23:23:29] NOTICE: 	listen.group = www
[09-Aug-2024 23:23:29] NOTICE: 	listen.mode = 0660
[09-Aug-2024 23:23:29] NOTICE: 	listen.allowed_clients = undefined
[09-Aug-2024 23:23:29] NOTICE: 	listen.setfib = -1
[09-Aug-2024 23:23:29] NOTICE: 	process.priority = undefined
[09-Aug-2024 23:23:29] NOTICE: 	process.dumpable = no
[09-Aug-2024 23:23:29] NOTICE: 	pm = dynamic
[09-Aug-2024 23:23:29] NOTICE: 	pm.max_children = 5
[09-Aug-2024 23:23:29] NOTICE: 	pm.start_servers = 2
[09-Aug-2024 23:23:29] NOTICE: 	pm.min_spare_servers = 1
[09-Aug-2024 23:23:29] NOTICE: 	pm.max_spare_servers = 3
[09-Aug-2024 23:23:29] NOTICE: 	pm.max_spawn_rate = 32
[09-Aug-2024 23:23:29] NOTICE: 	pm.process_idle_timeout = 10
[09-Aug-2024 23:23:29] NOTICE: 	pm.max_requests = 0
[09-Aug-2024 23:23:29] NOTICE: 	pm.status_path = undefined
[09-Aug-2024 23:23:29] NOTICE: 	pm.status_listen = undefined
[09-Aug-2024 23:23:29] NOTICE: 	ping.path = undefined
[09-Aug-2024 23:23:29] NOTICE: 	ping.response = undefined
[09-Aug-2024 23:23:29] NOTICE: 	access.log = undefined
[09-Aug-2024 23:23:29] NOTICE: 	access.format = undefined
[09-Aug-2024 23:23:29] NOTICE: 	slowlog = undefined
[09-Aug-2024 23:23:29] NOTICE: 	request_slowlog_timeout = 0s
[09-Aug-2024 23:23:29] NOTICE: 	request_slowlog_trace_depth = 20
[09-Aug-2024 23:23:29] NOTICE: 	request_terminate_timeout = 0s
[09-Aug-2024 23:23:29] NOTICE: 	request_terminate_timeout_track_finished = no
[09-Aug-2024 23:23:29] NOTICE: 	rlimit_files = 0
[09-Aug-2024 23:23:29] NOTICE: 	rlimit_core = 0
[09-Aug-2024 23:23:29] NOTICE: 	chroot = undefined
[09-Aug-2024 23:23:29] NOTICE: 	chdir = undefined
[09-Aug-2024 23:23:29] NOTICE: 	catch_workers_output = no
[09-Aug-2024 23:23:29] NOTICE: 	decorate_workers_output = yes
[09-Aug-2024 23:23:29] NOTICE: 	clear_env = yes
[09-Aug-2024 23:23:29] NOTICE: 	security.limit_extensions = .php .phar
[09-Aug-2024 23:23:29] NOTICE:  
[09-Aug-2024 23:23:29] NOTICE: configuration file /usr/local/etc/php-fpm.conf test is successful
user@freebsdsrv:~ $

Check if PHP is using the FastCGI Process Manager by pointing your browser to: https://192.168.1.50/info.php.

N.B.: The Server API entry will be FPM/FastCGI.

More Information

Apache.org: PHP-FMP.

Apache – PHP Scripting Language (8.3.X Branch)

Apache – PHP Scripting Language (8.3.X Branch)

Last Updated on 2025-02-03 21:58 by Sture

Description:

PHP (recursive acronym for PHP: Hypertext Preprocessor) is a widely-used open-source general-purpose scripting language that is especially suited for web development and can be embedded into HTML.

WWW: http://www.php.net.

Requirements

The following application(s) must be installed, configured, and running before PHP is installed:

  1. Apache – HTTP Server

Installation

N.B.: The current version of Apache will be installed if missing!
Search for mod_php in the remote package repositories with:

user@freebsdsrv:~ $ pkg search mod_php | egrep '^mod_php[0-9]+-[0-9]' [enter]
mod_php81-8.1.31               PHP Scripting Language (8.1.X branch)
mod_php82-8.2.27               PHP Scripting Language (8.2.X branch)
mod_php83-8.3.15               PHP Scripting Language (8.3.X branch)
mod_php84-8.4.2                PHP Scripting Language (8.4.X branch)
user@freebsdsrv:~ $

If PHP based services is required to send email via phpmailer we are for det moment limited to use the 8.3.x branch of PHP.
In this example php83, php83-extensions and mod_php83 will installed due to that phpmailer6 will be required later on to be installed.

user@freebsdsrv:~ $ sudo pkg install -y php83 php83-extensions mod_php83 [enter]
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 22 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	libargon2: 20190702_1
	libedit: 3.1.20240808,1
	mod_php83: 8.3.15
	php83: 8.3.15
	php83-ctype: 8.3.15
	php83-dom: 8.3.15
	php83-extensions: 1.0
	php83-filter: 8.3.15
	php83-iconv: 8.3.15
	php83-opcache: 8.3.15
	php83-pdo: 8.3.15
	php83-pdo_sqlite: 8.3.15
	php83-phar: 8.3.15
	php83-posix: 8.3.15
	php83-session: 8.3.15
	php83-simplexml: 8.3.15
	php83-sqlite3: 8.3.15
	php83-tokenizer: 8.3.15
	php83-xml: 8.3.15
	php83-xmlreader: 8.3.15
	php83-xmlwriter: 8.3.15
	sqlite3: 3.46.1,1

Number of packages to be installed: 22

The process will require 40 MiB more space.
9 MiB to be downloaded.
[1/22] Fetching php83-session-8.3.15.pkg: 100%   41 KiB  41.9kB/s    00:01    
[2/22] Fetching libedit-3.1.20240808,1.pkg: 100%  150 KiB 153.8kB/s    00:01    
[3/22] Fetching php83-filter-8.3.15.pkg: 100%   25 KiB  25.7kB/s    00:01    
[4/22] Fetching php83-pdo_sqlite-8.3.15.pkg: 100%   15 KiB  15.5kB/s    00:01    
[5/22] Fetching php83-ctype-8.3.15.pkg: 100%    8 KiB   7.8kB/s    00:01    
[6/22] Fetching php83-tokenizer-8.3.15.pkg: 100%   16 KiB  16.0kB/s    00:01    
[7/22] Fetching php83-8.3.15.pkg: 100%    5 MiB   4.7MB/s    00:01    
[8/22] Fetching mod_php83-8.3.15.pkg: 100%    2 MiB   1.8MB/s    00:01    
[9/22] Fetching php83-xmlwriter-8.3.15.pkg: 100%   16 KiB  16.8kB/s    00:01    
[10/22] Fetching php83-xml-8.3.15.pkg: 100%   23 KiB  23.9kB/s    00:01    
[11/22] Fetching php83-iconv-8.3.15.pkg: 100%   20 KiB  20.8kB/s    00:01    
[12/22] Fetching php83-dom-8.3.15.pkg: 100%   79 KiB  81.1kB/s    00:01    
[13/22] Fetching sqlite3-3.46.1,1.pkg: 100%    1 MiB   1.5MB/s    00:01    
[14/22] Fetching php83-simplexml-8.3.15.pkg: 100%   25 KiB  26.1kB/s    00:01    
[15/22] Fetching php83-pdo-8.3.15.pkg: 100%   55 KiB  56.6kB/s    00:01    
[16/22] Fetching php83-extensions-1.0.pkg: 100%    1 KiB   1.5kB/s    00:01    
[17/22] Fetching php83-phar-8.3.15.pkg: 100%  115 KiB 117.8kB/s    00:01    
[18/22] Fetching libargon2-20190702_1.pkg: 100%   69 KiB  70.2kB/s    00:01    
[19/22] Fetching php83-opcache-8.3.15.pkg: 100%  344 KiB 352.1kB/s    00:01    
[20/22] Fetching php83-posix-8.3.15.pkg: 100%   17 KiB  17.4kB/s    00:01    
[21/22] Fetching php83-xmlreader-8.3.15.pkg: 100%   18 KiB  18.1kB/s    00:01    
[22/22] Fetching php83-sqlite3-8.3.15.pkg: 100%   28 KiB  28.7kB/s    00:01    
Checking integrity... done (0 conflicting)
[1/22] Installing libargon2-20190702_1...
[1/22] Extracting libargon2-20190702_1: 100%
[2/22] Installing libedit-3.1.20240808,1...
[2/22] Extracting libedit-3.1.20240808,1: 100%
[3/22] Installing php83-8.3.15...
[3/22] Extracting php83-8.3.15: 100%
[4/22] Installing php83-dom-8.3.15...
[4/22] Extracting php83-dom-8.3.15: 100%
[5/22] Installing sqlite3-3.46.1,1...
[5/22] Extracting sqlite3-3.46.1,1: 100%
[6/22] Installing php83-pdo-8.3.15...
[6/22] Extracting php83-pdo-8.3.15: 100%
[7/22] Installing php83-session-8.3.15...
[7/22] Extracting php83-session-8.3.15: 100%
[8/22] Installing php83-filter-8.3.15...
[8/22] Extracting php83-filter-8.3.15: 100%
[9/22] Installing php83-pdo_sqlite-8.3.15...
[9/22] Extracting php83-pdo_sqlite-8.3.15: 100%
[10/22] Installing php83-ctype-8.3.15...
[10/22] Extracting php83-ctype-8.3.15: 100%
[11/22] Installing php83-tokenizer-8.3.15...
[11/22] Extracting php83-tokenizer-8.3.15: 100%
[12/22] Installing php83-xmlwriter-8.3.15...
[12/22] Extracting php83-xmlwriter-8.3.15: 100%
[13/22] Installing php83-xml-8.3.15...
[13/22] Extracting php83-xml-8.3.15: 100%
[14/22] Installing php83-iconv-8.3.15...
[14/22] Extracting php83-iconv-8.3.15: 100%
[15/22] Installing php83-simplexml-8.3.15...
[15/22] Extracting php83-simplexml-8.3.15: 100%
[16/22] Installing php83-phar-8.3.15...
[16/22] Extracting php83-phar-8.3.15: 100%
[17/22] Installing php83-opcache-8.3.15...
[17/22] Extracting php83-opcache-8.3.15: 100%
[18/22] Installing php83-posix-8.3.15...
[18/22] Extracting php83-posix-8.3.15: 100%
[19/22] Installing php83-xmlreader-8.3.15...
[19/22] Extracting php83-xmlreader-8.3.15: 100%
[20/22] Installing php83-sqlite3-8.3.15...
[20/22] Extracting php83-sqlite3-8.3.15: 100%
[21/22] Installing mod_php83-8.3.15...
[21/22] Extracting mod_php83-8.3.15: 100%
[activating module `php' in /usr/local/etc/apache24/httpd.conf]
[22/22] Installing php83-extensions-1.0...
[22/22] Extracting php83-extensions-1.0: 100%
=====
Message from php83-dom-8.3.15:

--
This file has been added to automatically load the installed extension:
/usr/local/etc/php/ext-20-dom.ini.sample
=====
Message from php83-pdo-8.3.15:

--
This file has been added to automatically load the installed extension:
/usr/local/etc/php/ext-20-pdo.ini.sample
=====
Message from php83-session-8.3.15:

--
This file has been added to automatically load the installed extension:
/usr/local/etc/php/ext-18-session.ini.sample
=====
Message from php83-filter-8.3.15:

--
This file has been added to automatically load the installed extension:
/usr/local/etc/php/ext-20-filter.ini.sample
=====
Message from php83-pdo_sqlite-8.3.15:

--
This file has been added to automatically load the installed extension:
/usr/local/etc/php/ext-30-pdo_sqlite.ini.sample
=====
Message from php83-ctype-8.3.15:

--
This file has been added to automatically load the installed extension:
/usr/local/etc/php/ext-20-ctype.ini.sample
=====
Message from php83-tokenizer-8.3.15:

--
This file has been added to automatically load the installed extension:
/usr/local/etc/php/ext-20-tokenizer.ini.sample
=====
Message from php83-xmlwriter-8.3.15:

--
This file has been added to automatically load the installed extension:
/usr/local/etc/php/ext-20-xmlwriter.ini.sample
=====
Message from php83-xml-8.3.15:

--
This file has been added to automatically load the installed extension:
/usr/local/etc/php/ext-20-xml.ini.sample
=====
Message from php83-iconv-8.3.15:

--
This file has been added to automatically load the installed extension:
/usr/local/etc/php/ext-20-iconv.ini.sample
=====
Message from php83-simplexml-8.3.15:

--
This file has been added to automatically load the installed extension:
/usr/local/etc/php/ext-20-simplexml.ini.sample
=====
Message from php83-phar-8.3.15:

--
This file has been added to automatically load the installed extension:
/usr/local/etc/php/ext-20-phar.ini.sample
=====
Message from php83-opcache-8.3.15:

--
This file has been added to automatically load the installed extension:
/usr/local/etc/php/ext-10-opcache.ini.sample
=====
Message from php83-posix-8.3.15:

--
This file has been added to automatically load the installed extension:
/usr/local/etc/php/ext-20-posix.ini.sample
=====
Message from php83-xmlreader-8.3.15:

--
This file has been added to automatically load the installed extension:
/usr/local/etc/php/ext-30-xmlreader.ini.sample
=====
Message from php83-sqlite3-8.3.15:

--
This file has been added to automatically load the installed extension:
/usr/local/etc/php/ext-20-sqlite3.ini.sample
=====
Message from mod_php83-8.3.15:

--
******************************************************************************

Consider switching to php-fpm and mod_fast_cgi as per Apache httpd project
recommendation. See https://cwiki.apache.org/confluence/display/HTTPD/PHP-FPM

******************************************************************************

If you are building PHP-based ports in poudriere(8) or Synth with ZTS enabled,
add WITH_MPM=event to /etc/make.conf to prevent build failures.

******************************************************************************

Make sure index.php is part of your DirectoryIndex.

You should add the following to your Apache configuration file:

<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch "\.phps$">
    SetHandler application/x-httpd-php-source
</FilesMatch>

******************************************************************************
user@freebsdsrv:~ $

View the installed PHP version on your server.

user@freebsdsrv:~ $ php -v [enter]
PHP 8.3.15 (cli) (built: Jan 30 2025 02:19:13) (NTS)
Copyright (c) The PHP Group
Zend Engine v4.3.15, Copyright (c) Zend Technologies
    with Zend OPcache v8.3.15, Copyright (c), by Zend Technologies
user@freebsdsrv:~ $

List installed PHP compiled in modules with:

user@freebsdsrv:~ $ php -m [enter]
[PHP Modules]
Core
ctype
date
dom
filter
hash
iconv
json
libxml
mysqlnd
openssl
pcre
PDO
pdo_sqlite
Phar
posix
random
Reflection
session
SimpleXML
SPL
sqlite3
standard
tokenizer
xml
xmlreader
xmlwriter
Zend OPcache

[Zend Modules]
Zend OPcache

user@freebsdsrv:~ $

Configuration

Configure PHP to use production settings with this command:

user@freebsdsrv:~ $ sudo cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini; ls -l /usr/local/etc/php.* [enter]
-rw-r--r--  1 root wheel   123 Jan  7 03:10 /usr/local/etc/php.conf
-rw-r--r--  1 root wheel 69048 Jan 29 12:57 /usr/local/etc/php.ini
-rw-r--r--  1 root wheel 68914 Jan  7 03:10 /usr/local/etc/php.ini-development
-rw-r--r--  1 root wheel 69048 Jan  7 03:10 /usr/local/etc/php.ini-production
user@freebsdsrv:~ $

…and then edit /usr/local/etc/php.ini to meet your demands with:

user@freebsdsrv:~ $ sudo ee +713 /usr/local/etc/php.ini [enter]

Increase post_max_size from 8M to 32M;

; Maximum size of POST data that PHP will accept.
; http://php.net/post-max-size
post_max_size = 32M

Scroll down to line 989 and set date.timezone as in this example:

[Date]
; Defines the default timezone used by the date functions
; https://php.net/date.timezone
date.timezone = Europe/Stockholm

Configure a handler for PHP pages with:

user@freebsdsrv:~ $ sudo ee /usr/local/etc/apache24/Includes/php.conf [enter]
<IfModule dir_module>
         DirectoryIndex index.php index.html
         <FilesMatch "\.php$">
                  SetHandler application/x-httpd-php
         </FilesMatch>
         <FilesMatch "\.phps$">
                  SetHandler application/x-httpd-php-source
         </FilesMatch>
</IfModule>

Verify configuration by creating file:

user@freebsdsrv:~ $ sudo ee /usr/local/www/apache24/data/index.php [enter]
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Simple HTML Page with PHP</title>
</head>
<body>
    <h1>Hello, World!</h1>
    <p>This is a simple HTML page generated using PHP.</p>

    <?php                   
    // You can include PHP code within the HTML content
    $name = "Admin User";        
    echo "<p>Welcome, $name!</p>";
    ?>                      
                            
</body>                     
</html>

Restart Apache with:

user@freebsdsrv:~ $ sudo service apache24 restart [enter]
Performing sanity check on apache24 configuration:
Syntax OK
Stopping apache24.
Waiting for PIDS: 1732.
Performing sanity check on apache24 configuration:
Syntax OK
Starting apache24.
user@freebsdsrv:~ $

Test the PHP installation

Point your browser to: https://192.168.1.50/index.php

—-

Hello, World!

This is a simple HTML page generated using PHP.

Welcome, Admin User!
—-
Create a PHP Information display file with:

user@freebsdsrv:~ $ sudo sh -c 'echo "<?php phpinfo(); ?>" > /usr/local/www/apache24/data/info.php'; cat /usr/local/www/apache24/data/info.php [enter]

…then point your browser to https://192.168.1.50/info.php.

Information about the PHP installation on the FreeBSD server will be displayed.

Apache – Enable Hypertext Transfer Protocol Secure (HTTPS)

Apache – Enable Hypertext Transfer Protocol Secure (HTTPS)

Last Updated on 2025-02-03 19:50 by Sture

Enable Apache to load the SSL modules, uncomment the line, LoadModule ssl_module libexec/apache24/mod_ssl.so and verify the change with:

user@freebsdsrv:~ $ sudo sed -i -e '/ssl_module/s/#LoadModule/LoadModule/' /usr/local/etc/apache24/httpd.conf ; cat /usr/local/etc/apache24/httpd.conf | grep "ssl_module" [enter]
LoadModule ssl_module libexec/apache24/mod_ssl.so
<IfModule ssl_module&gt>
user@freebsdsrv:~ $

Configure Apache to load the socache_shmcb modules, uncomment the line, LoadModule ssl_module libexec/apache24/mod_ssl.so and verify the change with:

user@freebsdsrv:~ $ sudo sed -i -e '/socache_shmcb_module/s/#LoadModule/LoadModule/' /usr/local/etc/apache24/httpd.conf ; cat /usr/local/etc/apache24/httpd.conf | grep "socache_shmcb_module" [enter]
LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so
user@freebsdsrv:~ $

Configure Apache to load the rewrite_module modules, uncomment the line, LoadModule rewrite_module libexec/apache24/mod_rewrite.so and verify the change with:

user@freebsdsrv:~ $ sudo sed -i -e '/rewrite_module/s/#LoadModule/LoadModule/' /usr/local/etc/apache24/httpd.conf ; cat /usr/local/etc/apache24/httpd.conf | grep "rewrite_module" [enter]
LoadModule rewrite_module libexec/apache24/mod_rewrite.so
user@freebsdsrv:~ $

Configure Apache to include the httpd-ssl.conf file, uncomment the line, Include etc/apache24/extra/httpd-ssl.conf and verify the change with:

user@freebsdsrv:~ $ sudo sed -i -e '/httpd-ssl.conf/s/#Include/Include/' /usr/local/etc/apache24/httpd.conf ; cat /usr/local/etc/apache24/httpd.conf | grep "httpd-ssl.conf" [enter]
Include etc/apache24/extra/httpd-ssl.conf
user@freebsdsrv:~ $

Update ServerName in file /usr/local/etc/apache24/extra/httpd-ssl.conf with:

user@freebsdsrv:~ $ sudo sed -i -e '/ServerName/s/www.example.com/freebsdsrv.local.lan/' /usr/local/etc/apache24/extra/httpd-ssl.conf; cat /usr/local/etc/apache24/extra/httpd-ssl.conf | grep "ServerName" [enter]
ServerName freebsdsrv.local.lan:443
user@freebsdsrv:~ $

Update ServerAdmin in file /usr/local/etc/apache24/extra/httpd-ssl.conf with:

user@freebsdsrv:~ $ sudo sed -i -e '/ServerAdmin/s/you@example.com/admin@local.lan/' /usr/local/etc/apache24/extra/httpd-ssl.conf ; cat /usr/local/etc/apache24/extra/httpd-ssl.conf | grep "ServerAdmin" [enter]
ServerAdmin admin@local.lan
user@freebsdsrv:~ $

Copy your self-signed SSL/TLS certificate to Apache with:

user@freebsdsrv:~ $ sudo cp /etc/ssl/server.crt /usr/local/etc/apache24/server.crt; sudo cp /etc/ssl/server.key /usr/local/etc/apache24/server.key; ls -l /usr/local/etc/apache24/ [enter]
drwxr-xr-x  2 root wheel     4 Apr 11 12:17 Includes/
drwxr-xr-x  2 root wheel     2 Apr 11 12:01 envvars.d/
drwxr-xr-x  2 root wheel    27 Apr 11 12:20 extra/
-rw-r--r--  1 root wheel 21165 Apr 11 12:20 httpd.conf
-rw-r--r--  1 root wheel 21165 Apr 11 12:20 httpd.conf-e
-rw-r--r--  1 root wheel 21089 Mar 26 23:02 httpd.conf.sample
-rw-r--r--  1 root wheel 13064 Mar 26 23:02 magic
-rw-r--r--  1 root wheel 13064 Mar 26 23:02 magic.sample
-rw-r--r--  1 root wheel 60919 Mar 26 23:02 mime.types
-rw-r--r--  1 root wheel 60919 Mar 26 23:02 mime.types.sample
drwxr-xr-x  2 root wheel     3 Apr 11 12:01 modules.d/
-rw-r--r--  1 root wheel  1554 Apr 11 12:33 server.crt
-rw-------  1 root wheel  1704 Apr 11 12:35 server.key
user@freebsdsrv:~ $

Verify the Apache configuration file to ensure that there are no syntax errors with:

user@freebsdsrv:~ $ apachectl -t [enter]
Syntax OK
user@freebsdsrv:~ $

Erase content of log file /var/log/httpd-error.log with:

user@freebsdsrv:~ $ sudo sh -c "echo '' > /var/log/httpd-error.log" [enter]
user@freebsdsrv:~ $

Manually restart apache24 with:

user@freebsdsrv:~ $ sudo service apache24 restart [enter]
Performing sanity check on apache24 configuration:
Syntax OK
Stopping apache24.
Waiting for PIDS: 8225.
Performing sanity check on apache24 configuration:
Syntax OK
Starting apache24.
user@freebsdsrv:~ $

Verify apache24 status with:

user@freebsdsrv:~ $ service apache24 status [enter]
apache24 is running as pid 2491.
user@freebsdsrv:~ $

Check the httpd error log for possible errors:

user@freebsdsrv:~ $ tail /var/log/httpd-error.log [enter]

[Thu Jan 30 16:52:09.108534 2025] [mpm_prefork:notice] [pid 50648] AH00169: caught SIGTERM, shutting down
[Thu Jan 30 16:52:09.187884 2025] [ssl:warn] [pid 52360] AH01906: freebsdsrv.local.lan:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu Jan 30 16:52:09.193692 2025] [ssl:warn] [pid 52361] AH01906: freebsdsrv.local.lan:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Thu Jan 30 16:52:09.195173 2025] [mpm_prefork:notice] [pid 52361] AH00163: Apache/2.4.62 (FreeBSD) OpenSSL/3.0.15 configured -- resuming normal operations
[Thu Jan 30 16:52:09.195202 2025] [core:notice] [pid 52361] AH00094: Command line: '/usr/local/sbin/httpd -D NOHTTPACCEPT'
user@freebsdsrv:~ $

Show all loaded Apache24 modules with:

user@freebsdsrv:~ $ apachectl -M | sort [enter]
 access_compat_module (shared)
 alias_module (shared)
 auth_basic_module (shared)
 authn_core_module (shared)
 authn_file_module (shared)
 authz_core_module (shared)
 authz_groupfile_module (shared)
 authz_host_module (shared)
 authz_user_module (shared)
 autoindex_module (shared)
 core_module (static)
 dir_module (shared)
 env_module (shared)
 filter_module (shared)
 headers_module (shared)
 http_module (static)
 log_config_module (shared)
 mime_module (shared)
 mpm_prefork_module (shared)
 reqtimeout_module (shared)
 setenvif_module (shared)
 so_module (static)
 socache_shmcb_module (shared)
 ssl_module (shared)
 status_module (shared)
 unixd_module (shared)
 version_module (shared)
Loaded Modules:
user@freebsdsrv:~ $

The Apache service should listen on port https/443. Verify this with:

user@freebsdsrv:~ $ sudo sockstat -4 -6 | grep 443 [enter]
www      httpd      52366 5   tcp6   *:443                 *:*
www      httpd      52366 6   tcp4   *:443                 *:*
www      httpd      52365 5   tcp6   *:443                 *:*
www      httpd      52365 6   tcp4   *:443                 *:*
www      httpd      52364 5   tcp6   *:443                 *:*
www      httpd      52364 6   tcp4   *:443                 *:*
www      httpd      52363 5   tcp6   *:443                 *:*
www      httpd      52363 6   tcp4   *:443                 *:*
www      httpd      52362 5   tcp6   *:443                 *:*
www      httpd      52362 6   tcp4   *:443                 *:*
root     httpd      52361 5   tcp6   *:443                 *:*
root     httpd      52361 6   tcp4   *:443                 *:*
user@freebsdsrv:~ $

Test HTTPS connection

Test HTTPS connection to the Apache Web server using address, https://freebsdsrv.local.lan. or https://192.168.1.50.

If all is well, you should see a “Your connection is not private” message since we are using a self-signed certificate.

Redirect to HTTPS

If you’d like to set HTTP connection to redirect to HTTPS (Always on SSL/TLS), Set RewriteRule to each Host settings.
For example, if you set Virtual Hostings like the link here, Add RewriteRule like follows. Or It’s possible to set RewriteRule in [.htaccess] not in [httpd.conf].

Configure Apache to load the rewrite_module modules, uncomment the line, LoadModule rewrite_module libexec/apache24/mod_rewrite.so and verify the change with:

user@freebsdsrv:~ $ sudo sed -i -e '/rewrite_module/s/#LoadModule/LoadModule/' /usr/local/etc/apache24/httpd.conf; cat /usr/local/etc/apache24/httpd.conf | grep "rewrite_module" [enter]
LoadModule rewrite_module libexec/apache24/mod_rewrite.so
user@freebsdsrv:~ $
user@freebsdsrv:~ $ sudo ee /usr/local/etc/apache24/Includes/vhost.conf [enter]
<VirtualHost *:80>
    DocumentRoot /usr/local/www/apache24/data
    ServerName freebsdsrv.local.lan
    # add RewriteRule
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>
user@freebsdsrv:~ $ sudo service apache24 reload [enter]
Performing sanity check on apache24 configuration:
Syntax OK
Performing sanity check on apache24 configuration:
Syntax OK
Performing a graceful restart
user@freebsdsrv:~ $
Apache – HTTP Server

Apache – HTTP Server

Last Updated on 2025-01-30 16:50 by Sture

Description:

The Apache HTTP Server Project aims to develop and maintain an open-source HTTP server for various modern desktop and server operating systems, such as UNIX and Windows NT. This project aims to provide a secure, efficient, and extensible server that provides HTTP services in sync with the current HTTP standards.

Apache HTTP Server version 2.4.43 or newer is required in order to operate a TLS 1.3 web server with OpenSSL 1.1.1.

WWW: http://httpd.apache.org/.

You must have a valid domain name for public access to your website.

Requirements

The following software must be installed before the Apache HTTP Server:

  1. OpenSSL – Cryptography And SSL/TLS Toolkit

Installation

Search for “apache2” in the remote package repositories with:

user@freebsdsrv:~ $ pkg search apache | egrep '^apache[0-9]+-[0-9]' [enter]
apache24-2.4.62                Version 2.4.x of Apache web server
user@freebsdsrv:~ $

In this example, apache24-2.4 will be installed.

Install Apache HTTP Server 2.4 with;

user@freebsdsrv:~ $ sudo pkg install -y apache24 [enter]
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 14 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	apache24: 2.4.62
	apr: 1.7.5.1.6.3_3
	brotli: 1.1.0,1
	curl: 8.11.1_1
	expat: 2.6.4
	gdbm: 1.24
	jansson: 2.14
	libidn2: 2.3.7
	liblz4: 1.10.0,1
	libnghttp2: 1.64.0
	libpsl: 0.21.5_1
	libssh2: 1.11.1,3
	libunistring: 1.2
	zstd: 1.5.6

Number of packages to be installed: 14

The process will require 46 MiB more space.
10 MiB to be downloaded.
[1/14] Fetching libidn2-2.3.7.pkg: 100%  155 KiB 158.7kB/s    00:01    
[2/14] Fetching liblz4-1.10.0,1.pkg: 100%  163 KiB 167.3kB/s    00:01    
[3/14] Fetching zstd-1.5.6.pkg: 100%  503 KiB 515.3kB/s    00:01    
[4/14] Fetching libunistring-1.2.pkg: 100%  683 KiB 699.4kB/s    00:01    
[5/14] Fetching brotli-1.1.0,1.pkg: 100%  372 KiB 381.2kB/s    00:01    
[6/14] Fetching curl-8.11.1_1.pkg: 100%    2 MiB   1.7MB/s    00:01    
[7/14] Fetching jansson-2.14.pkg: 100%   50 KiB  51.7kB/s    00:01    
[8/14] Fetching libnghttp2-1.64.0.pkg: 100%  142 KiB 145.5kB/s    00:01    
[9/14] Fetching apr-1.7.5.1.6.3_3.pkg: 100%  500 KiB 512.4kB/s    00:01    
[10/14] Fetching apache24-2.4.62.pkg: 100%    5 MiB   5.5MB/s    00:01    
[11/14] Fetching libssh2-1.11.1,3.pkg: 100%  244 KiB 249.6kB/s    00:01    
[12/14] Fetching libpsl-0.21.5_1.pkg: 100%   65 KiB  66.1kB/s    00:01    
[13/14] Fetching expat-2.6.4.pkg: 100%  120 KiB 122.4kB/s    00:01    
[14/14] Fetching gdbm-1.24.pkg: 100%  244 KiB 250.0kB/s    00:01    
Checking integrity... done (0 conflicting)
[1/14] Installing libunistring-1.2...
[1/14] Extracting libunistring-1.2: 100%
[2/14] Installing libidn2-2.3.7...
[2/14] Extracting libidn2-2.3.7: 100%
[3/14] Installing liblz4-1.10.0,1...
[3/14] Extracting liblz4-1.10.0,1: 100%
[4/14] Installing zstd-1.5.6...
[4/14] Extracting zstd-1.5.6: 100%
[5/14] Installing brotli-1.1.0,1...
[5/14] Extracting brotli-1.1.0,1: 100%
[6/14] Installing libnghttp2-1.64.0...
[6/14] Extracting libnghttp2-1.64.0: 100%
[7/14] Installing libssh2-1.11.1,3...
[7/14] Extracting libssh2-1.11.1,3: 100%
[8/14] Installing libpsl-0.21.5_1...
[8/14] Extracting libpsl-0.21.5_1: 100%
[9/14] Installing expat-2.6.4...
[9/14] Extracting expat-2.6.4: 100%
[10/14] Installing gdbm-1.24...
[10/14] Extracting gdbm-1.24: 100%
[11/14] Installing curl-8.11.1_1...
[11/14] Extracting curl-8.11.1_1: 100%
[12/14] Installing jansson-2.14...
[12/14] Extracting jansson-2.14: 100%
[13/14] Installing apr-1.7.5.1.6.3_3...
[13/14] Extracting apr-1.7.5.1.6.3_3: 100%
[14/14] Installing apache24-2.4.62...
===> Creating groups
Using existing group 'www'
===> Creating users
Using existing user 'www'
[14/14] Extracting apache24-2.4.62: 100%
=====
Message from apr-1.7.5.1.6.3_3:

--
The Apache Portable Runtime project removed support for FreeTDS with
version 1.6. Users requiring MS-SQL connectivity must migrate
configurations to use the added ODBC driver and FreeTDS' ODBC features.
=====
Message from apache24-2.4.62:

--
To run apache www server from startup, add apache24_enable="yes"
in your /etc/rc.conf. Extra options can be found in startup script.

Your hostname must be resolvable using at least 1 mechanism in
/etc/nsswitch.conf typically DNS or /etc/hosts or apache might
have issues starting depending on the modules you are using.


- apache24 default build changed from static MPM to modular MPM
- more modules are now enabled per default in the port
- icons and error pages moved from WWWDIR to DATADIR

   If build with modular MPM and no MPM is activated in
   httpd.conf, then mpm_prefork will be activated as default
   MPM in etc/apache24/modules.d to keep compatibility with
   existing php/perl/python modules!

Please compare the existing httpd.conf with httpd.conf.sample
and merge missing modules/instructions into httpd.conf!
user@freebsdsrv:~ $

To start the Apache HTTP Server on system boot:

user@freebsdsrv:~ $ sudo sysrc apache24_enable="YES" [enter]
apache24_enable:  -> YES
user@freebsdsrv:~ $


Open file /usr/local/etc/apache24/httpd.conf with:

user@freebsdsrv:~ $ sudo ee +217 /usr/local/etc/apache24/httpd.conf [enter]

Line 217: Change admin email address

ServerAdmin admin@local.lan

Line 226: Change to server name

ServerName freebsdsrv.local.lan:80

Make sure the Apache HTTP configuration is correct by running the following command to test:

user@freebsdsrv:~ $ sudo apachectl configtest [enter]
Performing sanity check on apache24 configuration:
Syntax OK
user@freebsdsrv:~ $

Start the httpd service

Manually start apache24 with:

user@freebsdsrv:~ $ sudo service apache24 start [enter]
Performing sanity check on apache24 configuration:
Syntax OK
Starting apache24.
user@freebsdsrv:~ $

Display the apache24 service status with:

user@freebsdsrv:~ $ sudo service apache24 status [enter]
apache24 is running as pid 10207.
user@freebsdsrv:~ $

Display the /var/log/httpd-error.log file with:

user@freebsdsrv:~ $ cat /var/log/httpd-error.log [enter]
[Tue Jan 28 17:24:52.324956 2025] [mpm_prefork:notice] [pid 36445] AH00163: Apache/2.4.62 (FreeBSD) configured -- resuming normal operations
[Tue Jan 28 17:24:52.325105 2025] [core:notice] [pid 36445] AH00094: Command line: '/usr/local/sbin/httpd -D NOHTTPACCEPT'
user@freebsdsrv:~ $

Try to access the Apache HTTP server from a computer on the same network with:

http://192.168.1.50

http://freebsdsrv.local.lan

Display the /var/log/httpd-access.log file with:

user@freebsdsrv:~ $ cat /var/log/httpd-access.log [enter]
192.168.1.195 - - [30/Jan/2025:16:49:22 +0100] "GET / HTTP/1.1" 200 45
user@freebsdsrv:~ $
NTPd – NTP Daemon Program

NTPd – NTP Daemon Program

Last Updated on 2025-02-09 22:52 by Sture

Description:

The ntpd utility is an operating system daemon which sets and maintains the system time of day in synchronization with Internet standard time-servers. It is a complete implementation of the Network Time Protocol (NTP) version 4, as defined by RFC-5905, but also retains compatibility with version 3, as defined by RFC-1305, and versions 1 and 2, as defined by RFC-1059 and RFC-1119, respectively.

Prerequisites

To follow along, make sure that your FreeBSD server has a fully configured Internet access.

Stop the ntpd daemon

Stop the ntpd daemon if it is running with:

user@freebsdsrv:~ $ sudo service ntpd stop [enter]
Stopping ntpd.
Waiting for PIDS: 1484.
user@freebsdsrv:~ $

Set the date and time via NTP, using this command:

# user@freebsdsrv:~ $ sudo ntpdate -v -b pool.ntp.org [enter]
27 Jan 16:15:43 ntpdate[4802]: ntpdate 4.2.8p18-a (1)
27 Jan 16:15:50 ntpdate[4802]: step time server 192.36.143.130 offset -0.000046 sec
user@freebsdsrv:~ $

N.B.: The ntp server “pool.ntp.org” is recommended by ntp.org. You can also select another one, check out http://www.ntp.org for details.

Default operating system daemon settings

List the defaults for ntpd with:

user@freebsdsrv:~ $ cat /etc/defaults/rc.conf | grep ntp [enter]
ntpdate_enable="NO"		# Run ntpdate to sync time on boot (or NO).
ntpdate_program="/usr/sbin/ntpdate"	# path to ntpdate, if you want a different one.
ntpdate_flags="-b"		# Flags to ntpdate (if enabled).
ntpdate_config="/etc/ntp.conf"	# ntpdate(8) configuration file
ntpdate_hosts=""		# Whitespace-separated list of ntpdate(8) servers.
ntpd_enable="NO"		# Run ntpd Network Time Protocol (or NO).
ntpd_program="/usr/sbin/ntpd"	# path to ntpd, if you want a different one.
ntpd_config="/etc/ntp.conf"	# ntpd(8) configuration file
ntpd_sync_on_start="NO"		# Sync time on ntpd startup, even if offset is high
ntpd_flags=""			# Additional flags to ntpd
ntp_src_leapfile="/etc/ntp/leap-seconds"
				# Initial source for ntpd leapfile
ntp_db_leapfile="/var/db/ntpd.leap-seconds.list"
ntp_leapfile_sources="https://hpiers.obspm.fr/iers/bul/bulc/ntp/leap-seconds.list https://data.iana.org/time-zones/tzdb/leap-seconds.list"
ntp_leapfile_fetch_opts="-mq"	# Options to use for ntp leapfile fetch,
ntp_leapfile_expiry_days=30	# Check for new leapfile 30 days prior to
ntp_leapfile_fetch_verbose="NO"	# Be verbose during NTP leapfile fetch
user@freebsdsrv:~ $

Enable start server boot

Enable start and set flags of the ntpd utility at boot time with:

user@freebsdsrv:~ $ sudo sysrc ntpd_enable="YES" ntpd_sync_on_start="YES" ntp_leapfile_fetch_verbose="YES" [enter]
ntpd_enable: YES -> YES
ntpd_sync_on_start: NO -> YES
ntp_leapfile_fetch_verbose: NO -> YES
user@freebsdsrv:~ $

Configure NTPd

The /etc/ntp.conf configuration file is read at initial startup by the ntpd(8) daemon in order to specify the synchronization sources, modes and other related information.
Update file /etc/ntp.conf to use the Swedish public NTP server with:

user@freebsdsrv:~ $ sudo sh -c "sed -i -e 's/0.freebsd.pool.ntp.org/0.se.pool.ntp.org/' /etc/ntp.conf" ; sudo sh -c "sed -i -e 's/2.freebsd.pool.ntp.org/1.se.pool.ntp.org/' /etc/ntp.conf" ; cat /etc/ntp.conf | grep se.pool.ntp.org [enter]
pool 0.se.pool.ntp.org iburst
pool 1.se.pool.ntp.org iburst
user@freebsdsrv:~ $

The drift file is by default /var/db/ntp/ntpd.drift.
Create an empty file, /var/db/ntp/ntpd.drift, with:

user@freebsdsrv:~ $ sudo touch /var/db/ntp/ntpd.drift; sudo chown ntpd:ntpd /var/db/ntp/ntpd.drift ; ls -l /var/db/ntp/ntpd.drift [enter]
-rw-r--r--  1 ntpd ntpd 9 Jan 27 16:22 /var/db/ntp/ntpd.drift
user@freebsdsrv:~ $

Download the current leap-seconds.list file with:

user@freebsdsrv:~ $ sudo rm /var/db/ntpd.leap-seconds.list ; sudo service ntpd fetch [enter]
ntp_src_leapfile version is 3929093563 expires 3960057600
ntp_db_leapfile version is 0 expires 0
replacing /var/db/ntpd.leap-seconds.list with /etc/ntp/leap-seconds
user@freebsdsrv:~ $

Manually start NTPd

Start the Network Time Protocol (NTP) daemon, with this command:

user@freebsdsrv:~ $ sudo service ntpd start [enter]
Starting ntpd.
user@freebsdsrv:~ $

Verify the NTPd setup with:

user@freebsdsrv:~ $ cat /var/log/messages | grep ntpd [enter]
...
Jan 27 16:27:29 freebsdsrv ntpd[11450]: ----------------------------------------------------
Jan 27 16:27:29 freebsdsrv ntpd[11450]: ntp-4 is maintained by Network Time Foundation,
Jan 27 16:27:29 freebsdsrv ntpd[11450]: Inc. (NTF), a non-profit 501(c)(3) public-benefit
Jan 27 16:27:29 freebsdsrv ntpd[11450]: corporation.  Support and training for ntp-4 are
Jan 27 16:27:29 freebsdsrv ntpd[11450]: available at https://www.nwtime.org/support
Jan 27 16:27:29 freebsdsrv ntpd[11450]: ----------------------------------------------------
Jan 27 16:27:29 freebsdsrv ntpd[11451]: leapsecond file ('/var/db/ntpd.leap-seconds.list'): good hash signature
Jan 27 16:27:29 freebsdsrv ntpd[11451]: leapsecond file ('/var/db/ntpd.leap-seconds.list'): loaded, expire=2025-06-28T00:00:00Z last=2017-01-01T00:00:00Z ofs=37
user@freebsdsrv:~ $

NTP is a very cautious standard. It will report its stratum to 16 (the worst possible) until it’s certain it’s in sync. This can take a few minutes to a few hours.

ntpq – standard NTP query program

The ntpq utility program is used to query NTP servers to monitor NTP operations and performance, requesting information about the current state and/or changes in that state.

Print a list of the peers known to the server as well as a summary of their state:

user@freebsdsrv:~ $ ntpq --peers localhost [enter]
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 0.se.pool.ntp.o .POOL.          16 p    -   64    0    0.000   +0.000   0.000
 1.se.pool.ntp.o .POOL.          16 p    -   64    0    0.000   +0.000   0.000
-sth2.ntp.netnod .PPS.            1 u   50   64  377   14.003   +0.642   0.117
+h-85-24-226-221 194.58.204.20    2 u   46   64  377    2.633   +0.659   0.144
*time100.stupi.s .PPS.            1 u   47   64  377   14.014   +0.466   0.107
+svl1.ntp.netnod .PPS.            1 u   44   64  377   18.632   +0.450   0.099
-h-98-128-175-45 194.58.200.20    2 u   40   64  377    2.168   +0.517   0.177
user@freebsdsrv:~ $

N.B.: Waiting for “st” to drop to 2 (since those should be stratum 2 servers) before the server is used for time sync of local computers.

ntpq Help

user@freebsdsrv:~ $ ntpq -? [enter]
ntpq - standard NTP query program - Ver. 4.2.8p17
Usage:  ntpq [ - [] | --[{=| }] ]... [ host ...]
  Flg Arg Option-Name    Description
   -4 no  ipv4           Force IPv4 name resolution
				- prohibits the option 'ipv6'
   -6 no  ipv6           Force IPv6 name resolution
				- prohibits the option 'ipv4'
   -c Str command        run a command and exit
				- may appear multiple times
   -d no  debug-level    Increase debug verbosity level
				- may appear multiple times
   -D Num set-debug-level Set the debug verbosity level
				- may appear multiple times
   -i no  interactive    Force ntpq to operate in interactive mode
				- prohibits these options:
				command
				peers
   -n no  numeric        numeric host addresses
      no  old-rv         Always output status line with readvar
   -p no  peers          Print a list of the peers
				- prohibits the option 'interactive'
   -r KWd refid          Set default display type for S2+ refids
   -u no  unconnected    Use unconnected UDP to communicate with ntpd (default on Windows)
   -w no  wide           Display the full 'remote' value
      opt version        output version information and exit
   -? no  help           display extended usage information and exit
   -! no  more-help      extended usage information passed thru pager
   -> opt save-opts      save the option state to a config file
   -< Str load-opts      load options from a config file
				- disabled as '--no-load-opts'
				- may appear multiple times

Options are specified by doubled hyphens and their name or by a single
hyphen and the flag character.

The following option preset mechanisms are supported:
 - reading file $HOME/.ntprc
 - reading file ./.ntprc
 - examining environment variables named NTPQ_*

The valid "refid" option keywords are:
  hash ipv4
  or an integer from 0 through 1

Please send bug reports to:  <https://bugs.ntp.org, bugs@ntp.org>
user@freebsdsrv:~ $

Documentation

Documentation in HTML format for the NTP server can be found in: /usr/share/doc/ntp/.

Optional: ntpstat

ntpstat is a script which prints a brief summary of the system clock’s synchronisation status when the ntpd or chronyd daemon is running. It prints the time source (NTP server or reference clock) to which the system clock is currently synchronised, its stratum, how often is the server polled, and the maximum estimated error of the clock. The script uses the ntpq or chronyc program to obtain the information from the daemon.

user@freebsdsrv:~ $ sudo pkg install -y ntpstat [enter]
Updating FreeBSD repository catalogue...
Fetching data.pkg: 100%   10 MiB  10.5MB/s    00:01    
Processing entries: 100%
FreeBSD repository update completed. 35863 packages processed.
All repositories are up to date.
The following 2 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	gawk: 5.3.1
	ntpstat: 0.6_1

Number of packages to be installed: 2

The process will require 5 MiB more space.
1 MiB to be downloaded.
[1/2] Fetching ntpstat-0.6_1.pkg: 100%    4 KiB   4.3kB/s    00:01    
[2/2] Fetching gawk-5.3.1.pkg: 100%    1 MiB   1.2MB/s    00:01    
Checking integrity... done (0 conflicting)
[1/2] Installing gawk-5.3.1...
[1/2] Extracting gawk-5.3.1: 100%
[2/2] Installing ntpstat-0.6_1...
[2/2] Extracting ntpstat-0.6_1: 100%
user@freebsdsrv:~ $
How to use
user@freebsdsrv:~ $ ntpstat [enter]
synchronised to NTP server (194.58.205.20) at stratum 2
   time correct to within 39 ms
   polling server every 1024 s
user@freebsdsrv:~ $
OpenSSL – Cryptography And SSL/TLS Toolkit

OpenSSL – Cryptography And SSL/TLS Toolkit

Last Updated on 2025-01-27 16:31 by Sture

Description:

The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v3) and Transport Layer Security (TLS v1, v1.1, v1.2, v1.3) protocols with full-strength cryptography world-wide. The project is managed by a worldwide community of volunteers who use the Internet to communicate, plan, and develop the OpenSSL toolkit and its related documentation.

OpenSSL is based on the excellent SSLeay library developed by Eric A. Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an Apache-style license, which basically means that you are free to get and use it for commercial and non-commercial purposes, subject to some simple license conditions.

WWW: http://www.openssl.org/.

How to use

The OpenSSL program is a command line tool for using the various cryptography functions of OpenSSL’s crypto library from the shell. It can be used for:

  • Creation and management of private keys, public keys, and parameters
  • Public key cryptographic operations
  • Creation of X.509 certificates, CSRs and CRLs
  • Calculation of Message Digests
  • Encryption and Decryption with Ciphers
  • SSL/TLS Client and Server Tests
  • Handling of S/MIME signed or encrypted mail
  • Time Stamp requests, generation, and verification

Display version information for includes a stable OpenSSL with:

user@freebsdsrv:~ $ openssl version [enter]
OpenSSL 3.0.15 3 Sep 2024 (Library: OpenSSL 3.0.15 3 Sep 2024)
user@freebsdsrv:~ $

Display version information for the current package version(s) of OpenSSL with:

user@freebsdsrv:~ $ pkg search openssl | egrep '^openssl[0-9]+-[0-9]' [enter]
openssl111-1.1.1w_2            TLSv1.3 capable SSL and crypto library
openssl31-3.1.7_1              TLSv1.3 capable SSL and crypto library
openssl32-3.2.3_1              TLSv1.3 capable SSL and crypto library
openssl33-3.3.2_1              TLSv1.3 capable SSL and crypto library
openssl34-3.4.0                TLSv1.3 capable SSL and crypto library
user@freebsdsrv:~ $

Note: The latest stable version is the 3.4!
In this example, an update to the stable version of OpenSSL, version 3.4.0, will be performed!

Installation

Install openssl34 with:

user@freebsdsrv:~ $ sudo pkg install -y security/openssl34 [enter]
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 1 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	openssl34: 3.4.0

Number of packages to be installed: 1

The process will require 27 MiB more space.
8 MiB to be downloaded.
[1/1] Fetching openssl34-3.4.0.pkg: 100%    8 MiB   8.1MB/s    00:01    
Checking integrity... done (0 conflicting)
[1/1] Installing openssl34-3.4.0...
[1/1] Extracting openssl34-3.4.0: 100%
user@freebsdsrv:~ $

Configuration

Disable the use of the old version of OpenSSL in directory /usr/bin/ with:

user@freebsdsrv:~ $ sudo mv /usr/bin/openssl /usr/bin/openssl.default [enter]
user@freebsdsrv:~ $

Create a symbolic link to enable the use of the new version of OpenSSL with:

user@freebsdsrv:~ $ sudo ln -s /usr/local/bin/openssl /usr/bin/ ; ls -l /usr/bin/openssl [enter]
lrwxr-xr-x  1 root wheel 22 Dec  5 15:26 /usr/bin/openssl@ -> /usr/local/bin/openssl
user@freebsdsrv:~ $

Edit file /etc/ssl/openssl.cnf with:

user@freebsdsrv:~ $ sudo ee +168 /usr/local/openssl/openssl.cnf [enter]

This is an example:

...
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = SE
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = Vastra Gotaland

localityName                    = Locality Name (eg, city)
localityName_default            = Hisings Karra

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Polymathic

# we can do this but it is not needed normally :-)
#1.organizationName             = Second Organization Name (eg, company)
#1.organizationName_default     = World Wide Web Pty Ltd

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = Support and Development

commonName                      = Common Name (e.g. server FQDN or YOUR name)
commonName_default              = freebsdsrv.local.lan
commonName_max                  = 64

emailAddress                    = Email Address
emailAddress_default            = admin@local.lan
emailAddress_max                = 64

# SET-ex3                       = SET extension number 3
...

Generate a key and certificate for 10 year usage with:

user@freebsdsrv:~ $ sudo sh -c 'openssl req -newkey rsa:2048 -nodes -keyout /etc/ssl/server.key -x509 -days 3650 -out /etc/ssl/server.crt' [enter]
.....+.+........+....+..+.........+.+...+..+.+...+..+...+......+..................+.+++++++++++++++++++++++++++++++++++++++*.....+..+.....................+....+.....+.+++++++++++++++++++++++++++++++++++++++*....+....+...+..+......+.+...+..++++++
.+.................+...+.+..+.........+...+.+..+..................+....+++++++++++++++++++++++++++++++++++++++*.....+.+..+.......+++++++++++++++++++++++++++++++++++++++*..+.+......+...+.....+....+...+..+......+.......+.................+...+....+.....+...+...+...............+...+.+.........+......+......+..+.+..+....+........+......+............+.............+.........+..+....+.....+.+......+...+............+..+............+......+....+.....+.+.........+...+...........+......+...+.+..+....+...+.....+...+...+................+...+.....+.......+........+.+..+...+....+...........+.......+...+..+...+................+...+..+....+.....+.......+............+..+.+........+.+.....+....+.....+.......+.....+...+.+...+.....................+..+.........+...+..........+......+......+...+..+...................+.....+....+..+...................++++++
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [SE]: [enter]
State or Province Name (full name) [Vastra Gotaland]: [enter]
Locality Name (eg, city) [Hisings Karra]: [enter]
Organization Name (eg, company) [Polymathic]: [enter]
Organizational Unit Name (eg, section) [Support and Development]: [enter]
Common Name (e.g. server FQDN or YOUR name) [freebsdsrv.local.lan]: [enter]
Email Address [admin@local.lan]: [enter]
user@freebsdsrv:/usr/local/etc/ssl $

Review the certificate with:

user@freebsdsrv:~ $ sudo sh -c 'openssl x509 -text -noout -in /etc/ssl/server.crt' [enter]
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            21:b3:69:65:0b:00:ec:5b:bf:55:2e:b3:58:10:e6:58:23:11:21:0b
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=SE, ST=Vastra Gotaland, L=Hisings Karra, O=Polymathic, OU=Support and Development, CN=freebsdsrv.local.lan, emailAddress=admin@local.lan
        Validity
            Not Before: Jan 27 16:26:04 2025 GMT
            Not After : Jan 25 16:26:04 2035 GMT
        Subject: C=SE, ST=Vastra Gotaland, L=Hisings Karra, O=Polymathic, OU=Support and Development, CN=freebsdsrv.local.lan, emailAddress=admin@local.lan
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:bd:d0:43:bb:19:32:7f:b8:4d:36:57:20:02:e3:
                    07:6a:8b:e1:7c:4a:59:c0:78:be:72:c2:b6:e7:10:
                    c8:c5:b7:d0:2b:c5:e6:f7:f1:a7:cf:39:21:98:d2:
                    98:5b:69:d0:e6:e2:00:49:b9:3a:c7:e2:d5:32:4c:
                    d2:3d:b5:d7:91:32:23:7e:8e:4d:82:75:4a:10:54:
                    86:cf:b7:49:44:d0:32:d8:cb:f1:4a:7f:65:68:9a:
                    0b:59:f2:0d:0f:1a:55:19:57:c1:ce:69:d8:36:b4:
                    77:1a:45:29:b0:d6:2d:93:26:4c:f9:10:a2:71:1d:
                    ac:8e:c0:1a:1d:be:98:34:4a:e8:23:bd:e8:87:af:
                    01:7c:30:4c:70:1f:84:80:de:33:4e:f8:19:ae:3c:
                    d5:d0:2b:42:cb:2d:1b:74:79:36:f9:33:20:9e:58:
                    08:99:03:61:f3:60:e3:75:d7:d0:0a:0a:68:0b:b0:
                    ba:51:83:11:6d:cd:b2:06:6d:56:7f:b2:e4:6d:72:
                    1b:b1:a0:2c:18:f0:0c:0f:17:82:0d:61:a1:b2:0f:
                    c2:6f:11:08:6d:74:b6:3d:eb:9d:f4:94:4f:e3:66:
                    ae:36:0d:d8:e9:c5:db:1a:f6:2c:27:ce:66:a3:75:
                    46:e9:98:9b:70:53:37:44:33:a4:f1:68:65:d3:03:
                    72:01
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                D0:E3:3C:AA:67:16:7A:E0:4F:8B:66:16:49:15:E4:19:11:36:C7:23
            X509v3 Authority Key Identifier: 
                D0:E3:3C:AA:67:16:7A:E0:4F:8B:66:16:49:15:E4:19:11:36:C7:23
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        99:07:ac:20:4d:19:68:22:5b:0c:21:c0:9f:01:53:01:aa:a5:
        1b:2c:dd:64:7e:8f:33:4f:d3:58:cb:6e:7a:f6:38:00:85:c8:
        60:71:3a:51:94:da:ff:ed:f9:80:7e:c3:57:e8:c3:ea:88:be:
        5b:f1:ee:d9:fa:40:8a:ee:89:3a:9c:f9:ac:a5:68:ab:27:10:
        33:92:ef:2f:ee:1d:80:6e:90:e6:82:e1:ea:f1:f5:50:cc:6f:
        ce:db:78:00:94:6c:52:13:d5:71:e3:4a:4d:f2:b9:b6:7a:eb:
        41:cd:43:a5:86:ee:72:e0:3b:04:af:d2:a4:c5:47:d6:2b:86:
        82:96:21:a6:ab:47:61:54:0d:9a:70:62:e6:e9:7b:ae:b5:68:
        db:b9:49:dc:a0:55:55:45:64:a0:a0:fb:70:33:6b:8c:70:45:
        50:ef:13:e0:4e:53:d7:2f:16:63:55:16:61:ef:d3:f0:61:0b:
        ce:a5:04:3b:c2:91:e5:52:48:a3:60:b6:ab:ab:b7:2c:b1:65:
        1c:ac:c5:e8:f7:d8:3d:dc:56:cb:91:b4:27:56:ab:e2:0e:a6:
        fc:c1:72:b4:33:46:93:15:10:72:5c:34:01:09:af:43:65:90:
        bd:c6:bf:f0:89:b8:a2:b1:11:5a:1e:25:9d:3b:a0:5c:5c:b2:
        0f:44:5e:51
user@freebsdsrv:~ $

Display a list of files that have been created with:

user@freebsdsrv:~ $ ls -l /etc/ssl/ [enter]
total 49
drwxr-xr-x  2 root wheel   149 Nov 29 12:13 certs
-rw-r--r--  1 root wheel 12336 Nov 29 11:21 openssl.cnf
-rw-r--r--  1 root wheel  1554 Jan 27 17:26 server.crt
-rw-------  1 root wheel  1704 Jan 27 17:25 server.key
drwxr-xr-x  2 root wheel    54 Nov 29 12:12 untrusted
user@freebsdsrv:~ $
First To Do After FreeBSD OS Installation

First To Do After FreeBSD OS Installation

Last Updated on 2025-01-29 15:49 by Sture

Reboot the system after installation of FreeBSD base OS with:

root@:~ # reboot [enter]
Connection to 192.168.1.250 closed by remote host.
Connection to 192.168.1.250 closed.

N.B.: Remove the FreeBSD Installation USB Stick before the system restarts!
In this example, login is performed remotely via the Terminal application from an Apple Mac Mini to a system with the local LAN IP Address 192.168.1.50 as user user.

user@Mac-mini ~ % ssh user@192.168.1.50 [enter]
The authenticity of host '192.168.1.50 (192.168.1.50)' can't be established.
ED25519 key fingerprint is SHA256:uU1ln2+R7xOW1IaKvIsrsBU+t0KFbop75RS5BcBQ0B0.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.50' (ED25519) to the list of known hosts.
(user@192.168.1.50) Password for user@freebsdsrv:
FreeBSD 14.2-RELEASE (GENERIC) releng/14.2-n269506-c8918d6c7412

Welcome to FreeBSD!

Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories:   https://www.FreeBSD.org/security/
FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
FreeBSD FAQ:           https://www.FreeBSD.org/faq/
Questions List:        https://www.FreeBSD.org/lists/questions/
FreeBSD Forums:        https://forums.FreeBSD.org/

Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with:  pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.

Show the version of FreeBSD installed:  freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages:  man man
FreeBSD directory layout:      man hier

To change this login announcement, see motd(5).
ZFS keeps a history of commands run against a specific pool using the
history subcommand to zpool:

zpool history

More details are available using the -i and -l parameters. Note that ZFS
will not keep the complete pool history forever and will remove older
events in favor of newer ones.
		-- Benedict Reuschling <bcr@FreeBSD.org>
user@freebsdsrv:~ $

SUDO – Execute Command As The Superuser

Description:

The best practice is to never log in as the root superuser interactively. If you do – you are doing it wrong!

sudo is a program that allows a permitted user to execute a command as the superuser or another user, as specified by the user’s security policy. Unlike the su utility, sudo authenticates the user against the user’s own password rather than that of the target user. Sudo allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. This allows the delegation of specific commands to specific users on specific systems without sharing passwords among the users.

Prerequisites

To follow along, make sure you have,

  • Root access to your FreeBSD server
  • The password of the root user
Installation

Installation and configuration of sudo require superuser privileges. This sudo installation will be the only and last interactive login as the root superuser you will ever need to perform on this system.

Substitute the user identity with the root superuser identity with:

user@freebsdsrv:~ $ su - [enter]
Password: <-- RootPassWord [enter]
root@freebsdsrv:~ #

Install sudo with:

root@freebsdsrv:~ # pkg install -y security/sudo [enter]
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 3 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	gettext-runtime: 0.23
	indexinfo: 0.3.1
	sudo: 1.9.16p2

Number of packages to be installed: 3

The process will require 9 MiB more space.
2 MiB to be downloaded.
[1/3] Fetching indexinfo-0.3.1.pkg: 100%    6 KiB   5.9kB/s    00:01    
[2/3] Fetching sudo-1.9.16p2.pkg: 100%    2 MiB   1.9MB/s    00:01    
[3/3] Fetching gettext-runtime-0.23.pkg: 100%  235 KiB 241.2kB/s    00:01    
Checking integrity... done (0 conflicting)
[1/3] Installing indexinfo-0.3.1...
[1/3] Extracting indexinfo-0.3.1: 100%
[2/3] Installing gettext-runtime-0.23...
[2/3] Extracting gettext-runtime-0.23: 100%
[3/3] Installing sudo-1.9.16p2...
[3/3] Extracting sudo-1.9.16p2: 100%
root@freebsdsrv:~ #

Configuration

A default sudo configuration file /usr/local/etc/sudoers was created as part of the installation process.

N.B.: /usr/local/etc/sudoers MUST be edited with the visudo command as root.

The use of visudo minimizes the risk of syntax or file permission errors that prevent sudo from running.

Start editing file /usr/local/etc/sudoers with:

root@freebsdsrv:~ # visudo [enter]
## sudoers file.
##
## This file MUST be edited with the 'visudo' command as root.
## Failure to use 'visudo' may result in syntax or file permission errors
## that prevent sudo from running.
##
## See the sudoers man page for the details on how to write a sudoers file.
##
...

visudo use the famous vi editor commands. The following commands are needed for updating and saving or exiting without saving file /usr/local/etc/sudoers:

  1. Use the arrow keys to move the cursor or…
  2. Move the cursor up one line with key ‘K’, down one line with key ‘J’, left one character with key ‘H’ and right one character with key ‘L’
  3. Press key ‘I’ to start inserting charters before the current cursor location
  4. Press key ‘A’ to start inserting charters after the current cursor location
  5. Press key ‘esc’ to abort inserting charters
  6. Press key ‘X’ to delete the character under the cursor
  7. Press key ‘:’, then ‘W’ and ‘Q’ to save and exit
  8. Press key ‘:’, then ‘Q’ and ‘!’ to exit without saving

To delegate privileges to the example user user locate section User privilege specification in the file /usr/local/etc/sudoers.

Update settings as indicated in this example to allow members of the wheel group to substitute user identity without entering their password:

...
##
## User privilege specification
##
root ALL=(ALL:ALL) ALL

## Uncomment to allow members of group wheel to execute any command
# %wheel ALL=(ALL:ALL) ALL

## Same thing without a password
%wheel ALL=(ALL:ALL) NOPASSWD: ALL

## Uncomment to allow members of group sudo to execute any command
# %sudo ALL=(ALL:ALL) NOPASSWD: ALL
...

Save and exit visudo by pressing [ esc ], [ : ] and the [ W ] and finally [ Q ]
Exit as root with:

root@freebsdsrv:~ # exit [enter]
user@freebsdsrv:~ $

N.B.: User user in this example is configured to be a member of group wheel!
Display privileges for the current user with:

user@freebsdsrv:~ $ sudo -l [enter]
Matching Defaults entries for user on freebsdsrv:
   
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

Runas and Command-specific defaults for user:
    Defaults!/usr/local/sbin/visudo env_keep+="SUDO_EDITOR EDITOR VISUAL"

User user may run the following commands on freebsdsrv:
    (ALL : ALL) NOPASSWD: ALL
user@freebsdsrv:~ $
Post-installation Setup and Configuration

Post-installation Setup and Configuration

Last Updated on 2025-01-27 17:52 by Sture

Colorized Directory Listings

Description:

Enable display of colors to directory contents listing for command ls and ll.

Configuration

Add two alias commands to file .profile for the user user with:

user@freebsdsrv:~ $ echo 'alias ll="ls -lGF"' | tee -a .profile ; sudo echo 'alias ls="ls -GF"' | tee -a .profile [enter]
alias ll="ls l-GF"
alias ls="ls -GF"
user@freebsdsrv:~ $

…and for root with:

user@freebsdsrv:~ $ sudo echo 'alias ll="ls -lGF"' | sudo tee -a /root/.profile ; sudo echo 'alias ls="ls -GF"' | sudo tee -a /root/.profile [enter]
alias ll="ls l-GF"
alias ls="ls -GF"
user@freebsdsrv:~ $
Log off your system with:
user@freebsdsrv:~ $ exit [enter]

…and then log in to the FreeBSD server and see colors as in this example:

user@freebsdsrv:~ $ ls -l /usr/local [enter]
drwxr-xr-x   2 root wheel 11 Jan 26 17:20 bin
drwxr-xr-x   6 root wheel 14 Jan 26 17:22 etc
drwxr-xr-x   3 root wheel  7 Jan 26 17:20 include
drwxr-xr-x   3 root wheel 14 Jan 26 17:20 lib
drwxr-xr-x   4 root wheel  4 Jan 26 17:20 libdata
drwxr-xr-x   3 root wheel  3 Jan 26 17:20 libexec
drwxr-xr-x   2 root wheel  7 Jan 26 17:20 sbin
drwxr-xr-x  10 root wheel 10 Jan 26 17:20 share
user@freebsdsrv:~ $

/boot/loader.conf

The file loader.conf contains descriptive information on bootstrapping the system. Through it, you can specify the kernel to be booted, parameters to be passed to it, and additional modules to be loaded; generally, set all variables described in loader(8).

By default, the delay before automatically booting is set to 10 seconds.
In this example, the delay is set to zero seconds with:

autoboot_delay=”0″!
Reset content and add autoboot_delay=”0″ to file /boot/loader.conf and verify entries to file /mnt/boot/loader.conf with:

user@freebsdsrv:~ $ sudo sh -c 'echo -e "autoboot_delay=\"0\"" >> /boot/loader.conf' ; cat /boot/loader.conf [enter]
geom_mirror_load="YES"
kern.geom.label.disk_ident.enable="0"
kern.geom.label.gptid.enable="0"
cryptodev_load="YES"
zfs_load="YES"
autoboot_delay="0"
user@freebsdsrv:~ $

/etc/hosts

The host file /etc/hosts contains information regarding the known hosts on the network.
This file provides a backup used when the name server is not running.
Only a few addresses should be included in this file. These include addresses for the local interfaces that ifconfig needs at boot time and a few machines on the local network.

user@freebsdsrv:~ $ sudo sh -c 'cat <<EOF > /etc/hosts
#
# Host Database
#
::1           localhost localhost.local.lan
127.0.0.1     localhost localhost.local.lan
192.168.1.50  freebsdsrv freebsdsrv.local.lan
EOF' ; cat /etc/hosts [enter]
#
# Host Database
#
::1           localhost localhost.local.lan
127.0.0.1     localhost localhost.local.lan
192.168.1.50  freebsdsrv freebsdsrv.local.lan
user@freebsdsrv:~ $

/etc/resolv.conf

The resolver configuration file contains information that is read by the resolver routines the first time a process invokes them. The file is designed to be human-readable and contains a list of keywords with values that provide various types of resolver information.

To configure the FreeBSD server as a DNS client, you need to edit or modify the /etc/resolv.conf file to define which name servers should use.

Display content of file /etc/resolv.conf with:

user@freebsdsrv:~ $ sudo sh -c 'cat <<EOF > /etc/resolv.conf
#
# Resolver Database
#
domain local.lan
nameserver 192.168.1.1
nameserver 208.67.222.222
nameserver 208.67.220.220
EOF' ; cat /etc/resolv.conf [enter]
#
# Resolver Database
#
domain local.lan
nameserver 192.168.1.1
nameserver 208.67.222.222
nameserver 208.67.220.220
user@freebsdsrv:~ $

Verify Configuration with:

ping

ping – send ICMP or ICMPv6 ECHO_REQUEST packets to network hosts.

user@freebsdsrv:~ $ ping -c 3 freebsdsrv.local.lan [enter]
PING freebsdsrv (192.168.1.50): 56 data bytes
64 bytes from 192.168.1.50: icmp_seq=0 ttl=64 time=0.036 ms
64 bytes from 192.168.1.50: icmp_seq=1 ttl=64 time=0.030 ms
64 bytes from 192.168.1.50: icmp_seq=2 ttl=64 time=0.026 ms

--- freebsdsrv ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.026/0.031/0.036/0.004 ms
user@freebsdsrv:~ $
user@freebsdsrv:~ $ ping -c 3 freebsdsrv [enter]
PING localhost (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.072 ms
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.056 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.047 ms

--- localhost ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 0.047/0.058/0.072/0.010 ms
user@freebsdsrv:~ $
drill

drill is a tool designed to get all sorts of information out of the DNS.

user@freebsdsrv:~ $ drill freebsd.org [enter]
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 31073
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0 
;; QUESTION SECTION:
;; freebsd.org.	IN	A

;; ANSWER SECTION:
freebsd.org.	3600	IN	A	96.47.72.84

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 37 msec
;; SERVER: 192.168.1.1
;; WHEN: Fri Oct 28 13:35:22 2022
;; MSG SIZE  rcvd: 45
user@freebsdsrv:~ $

Networking restart

Network interface setup is done using the netif, and routing setup is done using the routing.

N.B.: Always restart the netif and routing services together to avoid lockdown issues!

The right way to restart networking services on FreeBSD is:

user@freebsdsrv:~ $ sudo service netif restart ; sudo service routing restart [enter]
Stopping Network: lo0 em0.
...
Starting Network: lo0 em0.
...
delete host 127.0.0.1: gateway lo0 fib 0: gateway uses the same route
delete net default: gateway 192.168.1.1 fib 0: not in table
delete host ::1: gateway lo0 fib 0: gateway uses the same route
delete net fe80::: gateway ::1
delete net ff02::: gateway ::1
delete net ::ffff:0.0.0.0: gateway ::1
delete net ::0.0.0.0: gateway ::1
add host 127.0.0.1: gateway lo0 fib 0: route already in table
add net default: gateway 192.168.1.1
add host ::1: gateway lo0 fib 0: route already in table
add net fe80::: gateway ::1
add net ff02::: gateway ::1
add net ::ffff:0.0.0.0: gateway ::1
add net ::0.0.0.0: gateway ::1
user@freebsdsrv:~ $
user@freebsdsrv:~ $

Log Console Messages To File

Configuration:

Enable all writes to /dev/console during boot to be logged to file /var/log/console.log with:

user@freebsdsrv:~ $ sudo sed -e 's/#console.info/console.info/' -i "" /etc/syslog.conf && cat /etc/syslog.conf | grep console.info [enter]
console.info					/var/log/console.log
user@freebsdsrv:~ $

Create file /var/log/console.log and then change file modes to mode 600 with:

user@freebsdsrv:~ $ sudo touch /var/log/console.log && sudo chmod -vv 600 /var/log/console.log [enter]
/var/log/console.log: 0100644 [-rw-r--r-- ] -> 0100600 [-rw------- ]
user@freebsdsrv:~ $

Restart syslogd to log all new console messages to file /var/log/console.log with:

user@freebsdsrv:~ $ sudo service syslogd restart [enter]
Stopping syslogd.
Waiting for PIDS: 808.
Starting syslogd.
user@freebsdsrv:~ $

A reboot is required to record all console messages on the system boot.
Reboot the system with:

user@freebsdsrv:~ $ sudo reboot [enter]
Connection to 192.168.1.50 closed by remote host.
Connection to 192.168.1.50 closed.

Wait for the system to reboot, then log back in with a remote SSH client session.

Display file /var/log/console.log with:

user@freebsdsrv:~ $ sudo cat /var/log/console.log [enter]

…and look for ERRORs and WARNINGs.

Display lines with word warning, error or critical in file /var/log/console.log with:

user@freebsdsrv:~ $ sudo cat /var/log/console.log | grep -E -wi 'warning|error|critical' [enter]
user@ freebsdsrv:~ $

If any errors and warnings are found, fix the problem and restart service syslogd as described above.

Create a FreeBSD-14.2-RELEASE-amd64 Install USB Memory Stick

Create a FreeBSD-14.2-RELEASE-amd64 Install USB Memory Stick

Last Updated on 2025-01-27 09:19 by Sture

Requirements:

Required hardware: USB Memory Stick, minimum size 2 GB

Required software: sudo and wget

Download files

user@freebsdsrv:~ $ wget https://download.freebsd.org/ftp/releases/ISO-IMAGES/14.2/FreeBSD-14.2-RELEASE-amd64-memstick.img [enter]
--2025-01-24 16:47:51--  https://download.freebsd.org/ftp/releases/ISO-IMAGES/14.2/FreeBSD-14.2-RELEASE-amd64-memstick.img
Resolving download.freebsd.org (download.freebsd.org)... 85.30.190.138, 2a02:80:0:3ffd::15:1
Connecting to download.freebsd.org (download.freebsd.org)|85.30.190.138|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1559351808 (1.5G) [application/octet-stream]
Saving to: ‘FreeBSD-14.2-RELEASE-amd64-memstick.img’

FreeBSD-14.2-RELEAS 100%[===================>]   1.45G  93.8MB/s    in 16s     

2025-01-24 16:48:07 (91.1 MB/s) - ‘FreeBSD-14.2-RELEASE-amd64-memstick.img’ saved [1559351808/1559351808]

user@freebsdsrv:~ $
user@freebsdsrv:~ $ wget https://download.freebsd.org/ftp/releases/ISO-IMAGES/14.2/CHECKSUM.SHA512-FreeBSD-14.2-RELEASE-amd64 [enter]
--2025-01-24 16:49:55--  https://download.freebsd.org/ftp/releases/ISO-IMAGES/14.2/CHECKSUM.SHA512-FreeBSD-14.2-RELEASE-amd64
Resolving download.freebsd.org (download.freebsd.org)... 85.30.190.138, 2a02:80:0:3ffd::15:1
Connecting to download.freebsd.org (download.freebsd.org)|85.30.190.138|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1811 (1.8K) [application/octet-stream]
Saving to: ‘CHECKSUM.SHA512-FreeBSD-14.2-RELEASE-amd64’

CHECKSUM.SHA512-Fre 100%[===================>]   1.77K  --.-KB/s    in 0s      

2025-01-24 16:49:55 (200 MB/s) - ‘CHECKSUM.SHA512-FreeBSD-14.2-RELEASE-amd64’ saved [1811/1811]

user@freebsdsrv:~ $

Verify file checksum

user@freebsdsrv:~ % sha512sum --ignore-missing -c CHECKSUM.SHA512-FreeBSD-14.2-RELEASE-amd64 [enter]
FreeBSD-14.2-RELEASE-amd64-memstick.img: OK
user@freebsdsrv:~ %

Prepare the USB Memory Stick

Insert the USB Memory Stick into a USB Port on the FreeBSD Computer.

N.B.: All Data on the USB Memory Stick will be lost!

Since USB devices are seen as a SCSI device, camcontrol can be used to list device information for the inserted USB Memory Stick with this command:

user@freebsdsrv:~ $ sudo camcontrol devlist [enter]
<KINGSTON SKC600MS1024G S4500105>  at scbus0 target 0 lun 0 (pass0,ada0)
<AHCI SGPIO Enclosure 2.00 0001>   at scbus1 target 0 lun 0 (ses0,pass1)
<Generic STORAGE DEVICE 9454>      at scbus2 target 0 lun 0 (da0,pass2)
<USB SanDisk 3.2Gen1 1.00>         at scbus3 target 0 lun 0 (da1,pass3)
user@freebsdsrv:~ %

…or show the list with:

user@freebsdsrv:~ % geom disk list [enter]
Geom name: ada0
Providers:
1. Name: ada0
   Mediasize: 1024209543168 (954G)
   Sectorsize: 512
   Stripesize: 4096
   Stripeoffset: 0
   Mode: r3w3e6
   descr: KINGSTON SKC600MS1024G
   lunid: 50026b7784547f24
   ident: 50026B7784547F24
   rotationrate: 0
   fwsectors: 63
   fwheads: 16

Geom name: da0
Providers:
1. Name: da0
   Mediasize: 15682240512 (15G)
   Sectorsize: 512
   Mode: r0w0e0
   descr: USB SanDisk 3.2Gen1
   lunname: USB     SanDisk 3.2Gen10401d35adeca736bcb13
   lunid: USB     SanDisk 3.2Gen10401d35adeca736bcb13
   ident: 0401d35adeca736bcb13031ed3ec52718ba62977e6bc9346b77babe3dc0b8413cbd00000000000000000000073fbf77f0096801881558107632a548f
   rotationrate: unknown
   fwsectors: 63
   fwheads: 255

user@freebsdsrv:~ %

In this example, SanDisk 3.2Gen1 registered as device da0 is the target USB Memory Stick.

Optional: Display information about device da0 with, for example:

user@freebsdsrv:~ % sudo diskinfo -v da0 [enter]
da1
	512         	# sectorsize
	15682240512 	# mediasize in bytes (15G)
	30629376    	# mediasize in sectors
	0           	# stripesize
	0           	# stripeoffset
	1906        	# Cylinders according to firmware.
	255         	# Heads according to firmware.
	63          	# Sectors according to firmware.
	USB SanDisk 3.2Gen1	# Disk descr.
	0401d35adeca736bcb13031ed3ec52718ba62977e6bc9346b77babe3dc0b8413cbd00000000000000000000073fbf77f0096801881558107632a548f	# Disk ident.
	umass-sim1  	# Attachment
	No          	# TRIM/UNMAP support
	Unknown     	# Rotation rate in RPM
	Not_Zoned   	# Zone Mode

user@freebsdsrv:~ %

Optional: Show the current partition information of the USB Memory Stick using this command:

user@freebsdsrv:~ % gpart show da0 [enter]
=>      63  30629313  da1  MBR  (15G)
        63      1985       - free -  (993K)
      2048  30625792    1  ntfs  (15G)
  30627840      1536       - free -  (768K)

user@freebsdsrv:~ %

N.B.: Your USB Memory Stick may have a different layout than this example!

WARNING: The next step will delete all information on the USB Memory Stick!

Destroy the partitioning scheme on the USB Memory Stick with the following:

user@freebsdsrv:~ % sudo gpart destroy -F da0 [enter]
da1 destroyed
user@freebsdsrv:~ %

Copy the FreeBSD image file to the USB Memory Stick

The image file FreeBSD-14.2-RELEASE-amd64-memstick.img is copied to the USB Memory Stick with the dd utility with this command:

user@freebsdsrv:~ % sudo sh -c 'dd if=FreeBSD-14.2-RELEASE-amd64-memstick.img of=/dev/da0 bs=4M conv=sync status=progress' [enter]
  1560281088 bytes (1560 MB, 1488 MiB) transferred 85.038s, 18 MB/s
372+0 records in
372+0 records out
1560281088 bytes transferred in 85.306856 secs (18290219 bytes/sec)
user@freebsdsrv:~ $

Delete downloaded files

user@freebsdsrv:~ % rm FreeBSD-14.2-*; rm CHECKSUM.SHA512-FreeBSD-14.2-* [enter]
user@freebsdsrv:~ %