Topics - Edd Noman

Linux and BSD / [How-To] Install OwnCloud on FreeBSD FAMP
« on: March 29, 2018, 03:23:13 PM »

In this tutorial I will show you how to set up and install the components needed to run your own private cloud server based on FreeBSD and OwnCloud. I will also attach the session log of my own install at the bottom, so you can read the full output of the server install.

This guide is based on personal experience with the different components and on OwnCloud's own documentation, found at: https://doc.owncloud.org/server/latest/admin_manual/contents.html

One thing to note before beginning: this write-up was done at the request of a user, and while I was working on it OwnCloud shipped several updates and, in the latest version, dropped official support for FreeBSD installs. If that is an issue for you, I suggest using a Linux flavour instead; you can still follow this guide, but you will need to adjust some of the commands and folder locations to match your Linux system.

What is OwnCloud
OwnCloud is a free and open source, PHP and MySQL based file sharing platform that lets you run your own cloud storage service. The community OwnCloud Server is released under the GNU AGPLv3 license, whereas the Enterprise edition is under the OwnCloud Commercial license. It uses a client-server architecture: files are stored on the server, and clients are used to access and share them. OwnCloud clients are available for every major platform, making it easy to manage and access files from any device.

Why FreeBSD
FreeBSD is a free and open source Unix-like operating system descended from the Berkeley Software Distribution (BSD). Unlike Linux, FreeBSD is developed as a complete operating system, from the kernel and device drivers to the userland utilities, whereas Linux is a kernel with device drivers and the rest of the system comes from separate projects.

At the time of writing, the latest release of OwnCloud is 10.0.7, so we will be setting it up on a freshly installed FreeBSD 11 server. I will only cover the minimal settings for getting OwnCloud up and running on FreeBSD with a basic FAMP stack configuration.

Some useful environment information:
Server Hostname: server
Server IP: 192.168.55.30
Server Netmask \ CIDR: 255.255.255.0 /24
Web address: http://server.it-monkey.lan/owncloud/

Routing and DNS are handled by a pfSense router, whose DNS Resolver has a Host Override for the domain it-monkey.lan with server.it-monkey.lan pointing to 192.168.55.30; that IP address is statically assigned to the MAC address of the FreeBSD server through a DHCP static mapping.

I suggest you check whether your router supports this, as it makes access to the server much easier and cleaner.

All configuration is done remotely over an SSH connection using PuTTY from a Windows 7 client, since this is a headless server built from spare parts I had available for this project, and to keep the setup as familiar as possible for most people who want to try something new.

Installing FAMP Stack
A FAMP stack is the combination of the Apache web server, a MySQL/MariaDB database server and PHP running on a FreeBSD server. It is one of the most widely used stacks for hosting websites and web applications. Here we install a FAMP stack in order to run our PHP-based OwnCloud server.

The process is straightforward: you install the server OS (not covered in this guide), then the latest versions of the Apache web server, PHP and MySQL or MariaDB. We will be working with the following versions:

FreeBSD 11.1
OwnCloud 10.0.7
Apache 2.4.29
PHP 7.1.15
mySQL 5.7.21

Preparing FreeBSD 11.1
Check current version: uname -a
Show current system info: neofetch (not installed by default)

Before installing any applications, make sure the package catalogue is current so you get the latest versions available for the platform.
Update the package repository catalogue:
sudo pkg update

Upgrade the already installed packages to their latest versions:
sudo pkg upgrade

Once the repository is updated, install the tools used in this guide:
sudo pkg install curl wget vim nano gnupg

Apache:
The Apache HTTP Server Project is a collaborative software development effort aimed at creating a robust, commercial-grade, feature-rich and freely available source code implementation of an HTTP (web) server. The project is jointly managed by a group of volunteers located around the world, using the Internet and the Web to communicate, plan and develop the server and its related documentation. It is part of the Apache Software Foundation, and hundreds of users have contributed ideas, code and documentation to it.

Documentation: https://httpd.apache.org/docs/2.4/

Important files and locations:
Apache configuration file: /usr/local/etc/apache24/httpd.conf
Default website folder (DocumentRoot): /usr/local/www/apache24/data
Apache logs: /var/log/httpd-access.log and /var/log/httpd-error.log
Extra configuration snippets (*.conf files, read automatically): /usr/local/etc/apache24/Includes/
Loadable modules (DSOs): /usr/local/libexec/apache24/

Installing Apache:
sudo pkg install apache24

Now we need to set Apache to start automatically on boots:
sudo sysrc apache24_enable=YES

Now we have to set the default production configuration for the Apache web server (this overwrites any existing httpd.conf):
sudo cp /usr/local/etc/apache24/httpd.conf.sample /usr/local/etc/apache24/httpd.conf

Now we can start the web server:
sudo service apache24 start

When starting, Apache runs a sanity check of its configuration. Since no ServerName is set yet, it will warn that it could not reliably determine the server's fully qualified domain name. This message is harmless for now; it goes away once you set ServerName (for example ServerName server.it-monkey.lan:80) in httpd.conf.

Test the web server: open a browser and check both IP and DNS access: http://192.168.55.30/ and http://server.it-monkey.lan/

PHP:
PHP is a server-side scripting language designed for web development but also used as a general-purpose programming language. It was originally created by Rasmus Lerdorf in 1994; the PHP reference implementation is now produced by The PHP Group. PHP originally stood for Personal Home Page, but it now stands for the recursive acronym PHP: Hypertext Preprocessor.

PHP code may be embedded into HTML code, or it can be used in combination with various web template systems, web content management systems, and web frameworks. PHP code is usually processed by a PHP interpreter implemented as a module in the web server or as a Common Gateway Interface (CGI) executable. The web server combines the results of the interpreted and executed PHP code, which may be any type of data, including images, with the generated web page. PHP code may also be executed with a command-line interface (CLI) and can be used to implement standalone graphical applications.

The standard PHP interpreter, powered by the Zend Engine, is free software released under the PHP License. PHP has been widely ported and can be deployed on most web servers on almost every operating system and platform, free of charge.

Documentation: http://fi2.php.net/docs.php

Important PHP files:
PHP configuration (used by both the Apache module and php-fpm): /usr/local/etc/php.ini
PHP FastCGI Process Manager global directives: /usr/local/etc/php-fpm.conf
PHP FastCGI Process Manager pool directives: /usr/local/etc/php-fpm.d/www.conf

Install PHP, the PHP extensions meta-package, the Apache module and the extensions OwnCloud needs (one line):
Code: [Select]
sudo pkg install php71 php71-extensions mod_php71 php71-mysqli php71-gd php71-curl php71-zlib php71-zip php71-pdo_mysql php71-openssl php71-gmp php71-ldap php71-exif php71-fileinfo php71-mbstring php71-bcmath php71-bz2 php71-mcrypt php71-intl


Now we need to set the production configuration for PHP:
sudo cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini

We also configure php-fpm to listen on a local Unix socket rather than on an IP address and port; that is done by editing the pool file www.conf:
sudo nano /usr/local/etc/php-fpm.d/www.conf

In this file, check that it has the following values. The socket is owned by the www user and group that Apache runs as, and mode 0660 keeps other local users from connecting to FPM:

listen = /var/run/php-fpm.sock
listen.owner = www
listen.group = www
listen.mode = 0660

Note that with mod_php71 installed and loaded, Apache executes PHP in-process and never talks to this socket; php-fpm will be running but unused unless you also configure Apache's mod_proxy_fcgi to forward .php requests to it. The steps below keep the mod_php setup.

Content of /usr/local/etc/php-fpm.d/www.conf
Code: [Select]

;/usr/local/etc/php-fpm.d/www.conf
;
; Start a new pool named 'www'.
; the variable $pool can be used in any directive and will be replaced by the
; pool name ('www' here)
[www]

; Per pool prefix
; It only applies on the following directives:
; - 'access.log'
; - 'slowlog'
; - 'listen' (unixsocket)
; - 'chroot'
; - 'chdir'
; - 'php_values'
; - 'php_admin_values'
; When not set, the global prefix (or /usr/local) applies instead.
; Note: This directive can also be relative to the global prefix.
; Default Value: none
;prefix = /path/to/pools/$pool

; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
;       will be used.
user = www
group = www

; The address on which to accept FastCGI requests.
; Valid syntaxes are:
;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific IPv4 address on
;                            a specific port;
;   '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
;                            a specific port;
;   'port'                 - to listen on a TCP socket to all addresses
;                            (IPv6 and IPv4-mapped) on a specific port;
;   '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
; listen = 127.0.0.1:9000
listen = /var/run/php-fpm.sock
listen.owner = www
listen.group = www
listen.mode = 0660

; Set listen(2) backlog.
; Default Value: 511 (-1 on FreeBSD and OpenBSD)
;listen.backlog = 511

; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions.
; Default Values: user and group are set as the running user
;                 mode is set to 0660
;listen.owner = www
;listen.group = www
;listen.mode = 0660
; When POSIX Access Control Lists are supported you can set them using
; these options, value is a comma separated list of user/group names.
; When set, listen.owner and listen.group are ignored
;listen.acl_users =
;listen.acl_groups =

; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
; must be separated by a comma. If this value is left blank, connections will be
; accepted from any ip address.
; Default Value: any
;listen.allowed_clients = 127.0.0.1

; Specify the nice(2) priority to apply to the pool processes (only if set)
; The value can vary from -19 (highest priority) to 20 (lowest priority)
; Note: - It will only work if the FPM master process is launched as root
;       - The pool processes will inherit the master process priority
;         unless it specified otherwise
; Default Value: not set
; process.priority = -19

; Choose how the process manager will control the number of child processes.
; Possible Values:
;   static  - a fixed number (pm.max_children) of child processes;
;   dynamic - the number of child processes is set dynamically based on the
;             following directives. With this process management, there will
;             always be at least 1 child.
;             pm.max_children      - the maximum number of children that can
;                                    be alive at the same time.
;             pm.start_servers     - the number of children created on startup.
;             pm.min_spare_servers - the minimum number of children in 'idle'
;                                    state (waiting to process). If the number
;                                    of 'idle' processes is less than this
;                                    number then some children will be created.
;             pm.max_spare_servers - the maximum number of children in 'idle'
;                                    state (waiting to process). If the number
;                                    of 'idle' processes is greater than this
;                                    number then some children will be killed.
;  ondemand - no children are created at startup. Children will be forked when
;             new requests connect. The following parameters are used:
;             pm.max_children           - the maximum number of children that
;                                         can be alive at the same time.
;             pm.process_idle_timeout   - The number of seconds after which
;                                         an idle process will be killed.
; Note: This value is mandatory.
pm = dynamic

; The number of child processes to be created when pm is set to 'static' and the
; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
; This value sets the limit on the number of simultaneous requests that will be
; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
; CGI. The below defaults are based on a server without much resources. Don't
; forget to tweak pm.* to fit your needs.
; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
; Note: This value is mandatory.
pm.max_children = 5

; The number of child processes created on startup.
; Note: Used only when pm is set to 'dynamic'
; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
pm.start_servers = 2

; The desired minimum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.min_spare_servers = 1

; The desired maximum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.max_spare_servers = 3

; The number of seconds after which an idle process will be killed.
; Note: Used only when pm is set to 'ondemand'
; Default Value: 10s
;pm.process_idle_timeout = 10s;

; The number of requests each child process should execute before respawning.
; This can be useful to work around memory leaks in 3rd party libraries. For
; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
; Default Value: 0
;pm.max_requests = 500

; The URI to view the FPM status page. If this value is not set, no URI will be
; recognized as a status page. It shows the following information:
;   pool                 - the name of the pool;
;   process manager      - static, dynamic or ondemand;
;   start time           - the date and time FPM has started;
;   start since          - number of seconds since FPM has started;
;   accepted conn        - the number of request accepted by the pool;
;   listen queue         - the number of request in the queue of pending
;                          connections (see backlog in listen(2));
;   max listen queue     - the maximum number of requests in the queue
;                          of pending connections since FPM has started;
;   listen queue len     - the size of the socket queue of pending connections;
;   idle processes       - the number of idle processes;
;   active processes     - the number of active processes;
;   total processes      - the number of idle + active processes;
;   max active processes - the maximum number of active processes since FPM
;                          has started;
;   max children reached - number of times, the process limit has been reached,
;                          when pm tries to start more children (works only for
;                          pm 'dynamic' and 'ondemand');
; Values are updated in real time.
; Example output:
;   pool:                 www
;   process manager:      static
;   start time:           01/Jul/2011:17:53:49 +0200
;   start since:          62636
;   accepted conn:        190460
;   listen queue:         0
;   max listen queue:     1
;   listen queue len:     42
;   idle processes:       4
;   active processes:     11
;   total processes:      15
;   max active processes: 12
;   max children reached: 0
;
; By default the status page output is formatted as text/plain. Passing either
; 'html', 'xml' or 'json' in the query string will return the corresponding
; output syntax. Example:
;   http://www.foo.bar/status
;   http://www.foo.bar/status?json
;   http://www.foo.bar/status?html
;   http://www.foo.bar/status?xml
;
; By default the status page only outputs short status. Passing 'full' in the
; query string will also return status for each pool process.
; Example:
;   http://www.foo.bar/status?full
;   http://www.foo.bar/status?json&full
;   http://www.foo.bar/status?html&full
;   http://www.foo.bar/status?xml&full
; The Full status returns for each process:
;   pid                  - the PID of the process;
;   state                - the state of the process (Idle, Running, ...);
;   start time           - the date and time the process has started;
;   start since          - the number of seconds since the process has started;
;   requests             - the number of requests the process has served;
;   request duration     - the duration in µs of the requests;
;   request method       - the request method (GET, POST, ...);
;   request URI          - the request URI with the query string;
;   content length       - the content length of the request (only with POST);
;   user                 - the user (PHP_AUTH_USER) (or '-' if not set);
;   script               - the main script called (or '-' if not set);
;   last request cpu     - the %cpu the last request consumed
;                          it's always 0 if the process is not in Idle state
;                          because CPU calculation is done when the request
;                          processing has terminated;
;   last request memory  - the max amount of memory the last request consumed
;                          it's always 0 if the process is not in Idle state
;                          because memory calculation is done when the request
;                          processing has terminated;
; If the process is in Idle state, then the information relates to the
; last request the process has served. Otherwise the information relates to
; the current request being served.
; Example output:
;   ************************
;   pid:                  31330
;   state:                Running
;   start time:           01/Jul/2011:17:53:49 +0200
;   start since:          63087
;   requests:             12808
;   request duration:     1250261
;   request method:       GET
;   request URI:          /test_mem.php?N=10000
;   content length:       0
;   user:                 -
;   script:               /home/fat/web/docs/php/test_mem.php
;   last request cpu:     0.00
;   last request memory:  0
;
; Note: There is a real-time FPM status monitoring sample web page available
;       It's available in: /usr/local/share/php/fpm/status.html
;
; Note: The value must start with a leading slash (/). The value can be
;       anything, but it may not be a good idea to use the .php extension or it
;       may conflict with a real PHP file.
; Default Value: not set
;pm.status_path = /status

; The ping URI to call the monitoring page of FPM. If this value is not set, no
; URI will be recognized as a ping page. This could be used to test from outside
; that FPM is alive and responding, or to
; - create a graph of FPM availability (rrd or such);
; - remove a server from a group if it is not responding (load balancing);
; - trigger alerts for the operating team (24/7).
; Note: The value must start with a leading slash (/). The value can be
;       anything, but it may not be a good idea to use the .php extension or it
;       may conflict with a real PHP file.
; Default Value: not set
;ping.path = /ping

; This directive may be used to customize the response of a ping request. The
; response is formatted as text/plain with a 200 response code.
; Default Value: pong
;ping.response = pong

; The access log file
; Default: not set
;access.log = log/$pool.access.log

; The access log format.
; The following syntax is allowed
;  %%: the '%' character
;  %C: %CPU used by the request
;      it can accept the following format:
;      - %{user}C for user CPU only
;      - %{system}C for system CPU only
;      - %{total}C  for user + system CPU (default)
;  %d: time taken to serve the request
;      it can accept the following format:
;      - %{seconds}d (default)
;      - %{miliseconds}d
;      - %{mili}d
;      - %{microseconds}d
;      - %{micro}d
;  %e: an environment variable (same as $_ENV or $_SERVER)
;      it must be enclosed in braces to specify the name of the env
;      variable. Some examples:
;      - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
;      - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
;  %f: script filename
;  %l: content-length of the request (for POST request only)
;  %m: request method
;  %M: peak of memory allocated by PHP
;      it can accept the following format:
;      - %{bytes}M (default)
;      - %{kilobytes}M
;      - %{kilo}M
;      - %{megabytes}M
;      - %{mega}M
;  %n: pool name
;  %o: output header
;      it must be enclosed in braces to specify the name of the header:
;      - %{Content-Type}o
;      - %{X-Powered-By}o
;      - %{Transfer-Encoding}o
;      - ....
;  %p: PID of the child that serviced the request
;  %P: PID of the parent of the child that serviced the request
;  %q: the query string
;  %Q: the '?' character if query string exists
;  %r: the request URI (without the query string, see %q and %Q)
;  %R: remote IP address
;  %s: status (response code)
;  %t: server time the request was received
;      it can accept a strftime(3) format:
;      %d/%b/%Y:%H:%M:%S %z (default)
;      The strftime(3) format must be enclosed in a %{<strftime_format>}t tag
;      e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
;  %T: time the log has been written (the request has finished)
;      it can accept a strftime(3) format:
;      %d/%b/%Y:%H:%M:%S %z (default)
;      The strftime(3) format must be enclosed in a %{<strftime_format>}t tag
;      e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
;  %u: remote user
;
; Default: "%R - %u %t \"%m %r\" %s"
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"

; The log file for slow requests
; Default Value: not set
; Note: slowlog is mandatory if request_slowlog_timeout is set
;slowlog = log/$pool.log.slow

; The timeout for serving a single request after which a PHP backtrace will be
; dumped to the 'slowlog' file. A value of '0s' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_slowlog_timeout = 0

; The timeout for serving a single request after which the worker process will
; be killed. This option should be used when the 'max_execution_time' ini option
; does not stop script execution for some reason. A value of '0' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_terminate_timeout = 0

; Set open file descriptor rlimit.
; Default Value: system defined value
;rlimit_files = 1024

; Set max core size rlimit.
; Possible Values: 'unlimited' or an integer greater or equal to 0
; Default Value: system defined value
;rlimit_core = 0

; Chroot to this directory at the start. This value must be defined as an
; absolute path. When this value is not set, chroot is not used.
; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
; of its subdirectories. If the pool prefix is not set, the global prefix
; will be used instead.
; Note: chrooting is a great security feature and should be used whenever
;       possible. However, all PHP paths will be relative to the chroot
;       (error_log, sessions.save_path, ...).
; Default Value: not set
;chroot =

; Chdir to this directory at the start.
; Note: relative path can be used.
; Default Value: current directory or / when chroot
;chdir = /var/www

; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Note: in a highly loaded environment, this can cause some delay in the page
; process time (several ms).
; Default Value: no
;catch_workers_output = yes

; Clear environment in FPM workers
; Prevents arbitrary environment variables from reaching FPM worker processes
; by clearing the environment in workers before env vars specified in this
; pool configuration are added.
; Setting to "no" will make all environment variables available to PHP code
; via getenv(), $_ENV and $_SERVER.
; Default Value: yes
;clear_env = no

; Limits the extensions of the main script FPM will allow to parse. This can
; prevent configuration mistakes on the web server side. You should only limit
; FPM to .php extensions to prevent malicious users from using other extensions to
; execute php code.
; Note: set an empty value to allow all extensions.
; Default Value: .php
;security.limit_extensions = .php .php3 .php4 .php5 .php7

; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
; the current environment.
; Default Value: clean env
;env[HOSTNAME] = $HOSTNAME
;env[PATH] = /usr/local/bin:/usr/bin:/bin
;env[TMP] = /tmp
;env[TMPDIR] = /tmp
;env[TEMP] = /tmp

; Additional php.ini defines, specific to this pool of workers. These settings
; overwrite the values previously defined in the php.ini. The directives are the
; same as the PHP SAPI:
;   php_value/php_flag             - you can set classic ini defines which can
;                                    be overwritten from PHP call 'ini_set'.
;   php_admin_value/php_admin_flag - these directives won't be overwritten by
;                                     PHP call 'ini_set'
; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.

; Defining 'extension' will load the corresponding shared extension from
; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
; overwrite previously defined php.ini values, but will append the new value
; instead.

; Note: path INI options can be relative and will be expanded with the prefix
; (pool, global or /usr/local)

; Default Value: nothing is defined by default except the values in php.ini and
;                specified at startup with the -d argument
;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
;php_flag[display_errors] = off
;php_admin_value[error_log] = /var/log/fpm-php.www.log
;php_admin_flag[log_errors] = on
;php_admin_value[memory_limit] = 32M
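
Before (re)starting php-fpm it is worth checking that the pool file really ends up with the listen/owner/group/mode values set above, because a typo here is silent: FPM starts either way, and a socket with mode 0666 or a TCP listener on all addresses is reachable by anyone on the box or the LAN. The following POSIX sh script is an added example, not code from the original post or from PHP; it parses only the effective (uncommented) directives of a pool file, applies the checks a practitioner would want, and runs itself against three constructed sample pool files (the "www" user and group are assumed to be what Apache runs as, as with the FreeBSD apache24 package).

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a php-fpm pool file
# before (re)starting php-fpm. It reads only the effective (uncommented)
# directives and flags the settings that matter for a local Apache <-> FPM setup:
#   - a TCP listener open to all addresses with no listen.allowed_clients
#   - a Unix socket whose owner/group is not the web server user
#   - a socket mode wider than 0660 (0666 would let any local user talk to FPM)
# Assumption: Apache runs as user/group "www", as with the FreeBSD apache24 package.

WEB_USER=${WEB_USER:-www}
WEB_GROUP=${WEB_GROUP:-www}

# fpm_get FILE KEY -> print the value of the last uncommented "KEY = value" line
fpm_get() {
    awk -v key="$2" '
        /^[[:space:]]*;/ { next }                # comment line
        index($0, "=") == 0 { next }             # not a directive
        {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }' "$1"
}

# check_fpm_pool FILE -> exit 0 if the pool is acceptable, else print findings and exit 1
check_fpm_pool() {
    f=$1; rc=0
    listen=$(fpm_get "$f" listen)
    case "$listen" in
        "")
            echo "listen: missing (mandatory)"; return 1 ;;
        /*)
            # Unix socket: owner/group must be the web server; FPM defaults them to user/group
            owner=$(fpm_get "$f" listen.owner); [ -n "$owner" ] || owner=$(fpm_get "$f" user)
            group=$(fpm_get "$f" listen.group); [ -n "$group" ] || group=$(fpm_get "$f" group)
            mode=$(fpm_get "$f" listen.mode)
            [ "$owner" = "$WEB_USER" ]  || { echo "listen.owner: '$owner' is not $WEB_USER"; rc=1; }
            [ "$group" = "$WEB_GROUP" ] || { echo "listen.group: '$group' is not $WEB_GROUP"; rc=1; }
            case "${mode:-0660}" in
                0660|660|0600|600) ;;
                *) echo "listen.mode: $mode is not 0660 (or 0600)"; rc=1 ;;
            esac ;;
        *)
            # TCP socket: must be loopback-bound or restricted with listen.allowed_clients
            clients=$(fpm_get "$f" listen.allowed_clients)
            case "$listen" in
                127.0.0.1:*|"[::1]:"*) ;;
                *) [ -n "$clients" ] || { echo "listen: TCP '$listen' with no listen.allowed_clients"; rc=1; } ;;
            esac ;;
    esac
    return $rc
}

# Constructed sample pool files for the self-test (not real files from the post)
TMPD=$(mktemp -d)
cat > "$TMPD/good.conf" <<'EOF'
[www]
user = www
group = www
; listen = 127.0.0.1:9000
listen = /var/run/php-fpm.sock
listen.owner = www
listen.group = www
listen.mode = 0660
pm = dynamic
pm.max_children = 5
EOF
cat > "$TMPD/loose.conf" <<'EOF'
[www]
user = www
group = www
listen = /var/run/php-fpm.sock
listen.owner = root
listen.group = wheel
listen.mode = 0666
EOF
cat > "$TMPD/tcp.conf" <<'EOF'
[www]
user = www
group = www
listen = 9000
EOF

for p in good loose tcp; do
    if check_fpm_pool "$TMPD/$p.conf" >/dev/null; then
        echo "$p.conf: OK"
    else
        echo "$p.conf: REJECTED"; check_fpm_pool "$TMPD/$p.conf" | sed 's/^/  /'
    fi
done
```

On the real server, run check_fpm_pool /usr/local/etc/php-fpm.d/www.conf before service php-fpm start; only good.conf passes above, loose.conf is rejected on owner, group and mode, and tcp.conf is rejected because port 9000 would be open to every address with no client restriction.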


Set PHP to run at bootup:
sudo sysrc php_fpm_enable=YES

Start PHP:
sudo service php-fpm start

Create the PHP handler configuration for the Apache web server:
sudo nano /usr/local/etc/apache24/Includes/php.conf

This is a new file in the Includes directory, which Apache reads automatically; add the following content:

Content of /usr/local/etc/apache24/Includes/php.conf
Code: [Select]
<IfModule dir_module>
    DirectoryIndex index.php index.html
    <FilesMatch "\.php$">
        SetHandler application/x-httpd-php
    </FilesMatch>
    <FilesMatch "\.phps$">
        SetHandler application/x-httpd-php-source
    </FilesMatch>
</IfModule>

Now we need to enable the PHP module in the Apache web server:
sudo nano /usr/local/etc/apache24/httpd.conf

Here we enable the SSL and PHP modules: uncomment the LoadModule line for ssl_module, check that the LoadModule line for php7_module (added to httpd.conf by the mod_php71 package) is present and uncommented, and add the following blocks:
php7_module:
<IfModule php7_module>
        AddType application/x-httpd-php .php
</IfModule>

dir_module:
<IfModule dir_module>
    DirectoryIndex index.php index.html
</IfModule>
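
With php-fpm enabled in rc.conf and mod_php loaded in httpd.conf, it is easy to end up with two PHP engines where only one is actually wired to Apache, and the php.conf above also registers a ".phps" handler that serves PHP source to anyone who requests such a file. The script below is an added example, not code from the original post or from Apache: it reads an httpd.conf plus its Includes, reports whether Apache will run PHP through mod_php, through mod_proxy_fcgi to the FPM socket, or not at all, and flags those two mismatches. The module names are the ones used in this post; the rc.conf line, the libphp7.so path and the two configuration layouts are constructed samples and assumptions, not files from the original install.

```shell
#!/bin/sh
# Added example (not part of the original post): report how Apache will execute
# PHP given an httpd.conf plus its Includes/ files, and flag the two mismatches
# that the steps above make easy to create:
#   1. php_fpm_enable=YES in rc.conf while Apache has no mod_proxy_fcgi handler
#      (mod_php runs PHP in-process, so the FPM socket is never used);
#   2. a ".phps" source handler, which serves readable PHP source to clients.
# Assumptions: FreeBSD module names/paths (libexec/apache24/*.so) and the
# php7_module name from the post; all files below are constructed samples.

# active_lines FILE... -> every non-comment line of the given config files
active_lines() {
    cat "$@" 2>/dev/null | grep -v '^[[:space:]]*#'
}

# php_mode HTTPD_CONF [INCLUDE_FILES...] -> prints mod_php | fpm | none
php_mode() {
    lines=$(active_lines "$@")
    if printf '%s\n' "$lines" | grep -q 'LoadModule[[:space:]]*php7_module'; then
        echo mod_php
    elif printf '%s\n' "$lines" | grep -q 'LoadModule[[:space:]]*proxy_fcgi_module' \
      && printf '%s\n' "$lines" | grep -q 'SetHandler[[:space:]]*"\{0,1\}proxy:'; then
        echo fpm
    else
        echo none
    fi
}

# audit_php_setup RC_CONF HTTPD_CONF [INCLUDE_FILES...] -> 0 if consistent, else 1 plus findings
audit_php_setup() {
    rc_conf=$1; shift
    mode=$(php_mode "$@"); rc=0
    if [ "$mode" = mod_php ] && grep -v '^[[:space:]]*#' "$rc_conf" \
         | grep -q '^php_fpm_enable="\{0,1\}YES"\{0,1\}'; then
        echo "php_fpm_enable=YES in rc.conf but Apache uses mod_php: the FPM socket is never used"
        rc=1
    fi
    if [ "$mode" = none ]; then
        echo "no PHP handler configured: .php files would be sent as raw source, not executed"
        rc=1
    fi
    if active_lines "$@" | grep -q 'x-httpd-php-source'; then
        echo ".phps handler present: .phps files are served as readable PHP source"
        rc=1
    fi
    return $rc
}

# Constructed samples: the layout from the post (mod_php) and an FPM-proxied alternative
TMPD=$(mktemp -d)
mkdir -p "$TMPD/modphp" "$TMPD/fpm"
printf 'apache24_enable="YES"\nphp_fpm_enable="YES"\n' > "$TMPD/rc.conf"
cat > "$TMPD/modphp/httpd.conf" <<'EOF'
Listen 80
LoadModule php7_module libexec/apache24/libphp7.so
#LoadModule proxy_fcgi_module libexec/apache24/mod_proxy_fcgi.so
EOF
cat > "$TMPD/modphp/php.conf" <<'EOF'
<IfModule dir_module>
    DirectoryIndex index.php index.html
    <FilesMatch "\.php$">
        SetHandler application/x-httpd-php
    </FilesMatch>
    <FilesMatch "\.phps$">
        SetHandler application/x-httpd-php-source
    </FilesMatch>
</IfModule>
EOF
cat > "$TMPD/fpm/httpd.conf" <<'EOF'
Listen 80
#LoadModule php7_module libexec/apache24/libphp7.so
LoadModule proxy_module libexec/apache24/mod_proxy.so
LoadModule proxy_fcgi_module libexec/apache24/mod_proxy_fcgi.so
EOF
cat > "$TMPD/fpm/php.conf" <<'EOF'
<FilesMatch "\.php$">
    SetHandler "proxy:unix:/var/run/php-fpm.sock|fcgi://localhost/"
</FilesMatch>
EOF

for layout in modphp fpm; do
    echo "$layout: handler=$(php_mode "$TMPD/$layout/httpd.conf" "$TMPD/$layout/php.conf")"
    audit_php_setup "$TMPD/rc.conf" "$TMPD/$layout/httpd.conf" "$TMPD/$layout/php.conf" \
        || echo "$layout: needs attention"
done
```

Against the real server the call is audit_php_setup /etc/rc.conf /usr/local/etc/apache24/httpd.conf /usr/local/etc/apache24/Includes/*.conf. The mod_php layout from this post is reported with two findings (idle php-fpm and the .phps handler); the FPM-proxied layout is reported clean, and is the wiring to use if you want the www.conf socket settings above to actually matter.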

Content of /usr/local/etc/apache24/httpd.conf
Code: [Select]

# /usr/local/etc/apache24/httpd.conf
#
# This is the main Apache HTTP server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
# In particular, see
# <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned. 
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path.  If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "logs/access_log"
# with ServerRoot set to "/usr/local/apache2" will be interpreted by the
# server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log"
# will be interpreted as '/logs/access_log'.

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# Do not add a slash at the end of the directory path.  If you point
# ServerRoot at a non-local disk, be sure to specify a local disk on the
# Mutex directive, if file-based mutexes are used.  If you wish to share the
# same ServerRoot for multiple httpd daemons, you will need to change at
# least PidFile.
#
ServerRoot "/usr/local"

#
# Mutex: Allows you to set the mutex mechanism and mutex file directory
# for individual mutexes, or change the global defaults
#
# Uncomment and change the directory if mutexes are file-based and the default
# mutex file directory is not on a local disk or is not appropriate for some
# other reason.
#
# Mutex default:/var/run

#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 80

#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#
#LoadModule mpm_event_module libexec/apache24/mod_mpm_event.so
LoadModule mpm_prefork_module libexec/apache24/mod_mpm_prefork.so
#LoadModule mpm_worker_module libexec/apache24/mod_mpm_worker.so
LoadModule authn_file_module libexec/apache24/mod_authn_file.so
#LoadModule authn_dbm_module libexec/apache24/mod_authn_dbm.so
#LoadModule authn_anon_module libexec/apache24/mod_authn_anon.so
#LoadModule authn_dbd_module libexec/apache24/mod_authn_dbd.so
#LoadModule authn_socache_module libexec/apache24/mod_authn_socache.so
LoadModule authn_core_module libexec/apache24/mod_authn_core.so
LoadModule authz_host_module libexec/apache24/mod_authz_host.so
LoadModule authz_groupfile_module libexec/apache24/mod_authz_groupfile.so
LoadModule authz_user_module libexec/apache24/mod_authz_user.so
#LoadModule authz_dbm_module libexec/apache24/mod_authz_dbm.so
#LoadModule authz_owner_module libexec/apache24/mod_authz_owner.so
#LoadModule authz_dbd_module libexec/apache24/mod_authz_dbd.so
LoadModule authz_core_module libexec/apache24/mod_authz_core.so
#LoadModule authnz_fcgi_module libexec/apache24/mod_authnz_fcgi.so
LoadModule access_compat_module libexec/apache24/mod_access_compat.so
LoadModule auth_basic_module libexec/apache24/mod_auth_basic.so
#LoadModule auth_form_module libexec/apache24/mod_auth_form.so
#LoadModule auth_digest_module libexec/apache24/mod_auth_digest.so
#LoadModule allowmethods_module libexec/apache24/mod_allowmethods.so
#LoadModule file_cache_module libexec/apache24/mod_file_cache.so
#LoadModule cache_module libexec/apache24/mod_cache.so
#LoadModule cache_disk_module libexec/apache24/mod_cache_disk.so
#LoadModule cache_socache_module libexec/apache24/mod_cache_socache.so
#LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so
#LoadModule socache_dbm_module libexec/apache24/mod_socache_dbm.so
#LoadModule socache_memcache_module libexec/apache24/mod_socache_memcache.so
#LoadModule watchdog_module libexec/apache24/mod_watchdog.so
#LoadModule macro_module libexec/apache24/mod_macro.so
#LoadModule dbd_module libexec/apache24/mod_dbd.so
#LoadModule dumpio_module libexec/apache24/mod_dumpio.so
#LoadModule buffer_module libexec/apache24/mod_buffer.so
#LoadModule data_module libexec/apache24/mod_data.so
#LoadModule ratelimit_module libexec/apache24/mod_ratelimit.so
LoadModule reqtimeout_module libexec/apache24/mod_reqtimeout.so
#LoadModule ext_filter_module libexec/apache24/mod_ext_filter.so
#LoadModule request_module libexec/apache24/mod_request.so
#LoadModule include_module libexec/apache24/mod_include.so
LoadModule filter_module libexec/apache24/mod_filter.so
#LoadModule reflector_module libexec/apache24/mod_reflector.so
#LoadModule substitute_module libexec/apache24/mod_substitute.so
#LoadModule sed_module libexec/apache24/mod_sed.so
#LoadModule charset_lite_module libexec/apache24/mod_charset_lite.so
#LoadModule deflate_module libexec/apache24/mod_deflate.so
#LoadModule xml2enc_module libexec/apache24/mod_xml2enc.so
#LoadModule proxy_html_module libexec/apache24/mod_proxy_html.so
LoadModule mime_module libexec/apache24/mod_mime.so
LoadModule log_config_module libexec/apache24/mod_log_config.so
#LoadModule log_debug_module libexec/apache24/mod_log_debug.so
#LoadModule log_forensic_module libexec/apache24/mod_log_forensic.so
#LoadModule logio_module libexec/apache24/mod_logio.so
LoadModule env_module libexec/apache24/mod_env.so
#LoadModule mime_magic_module libexec/apache24/mod_mime_magic.so
#LoadModule cern_meta_module libexec/apache24/mod_cern_meta.so
#LoadModule expires_module libexec/apache24/mod_expires.so
LoadModule headers_module libexec/apache24/mod_headers.so
#LoadModule usertrack_module libexec/apache24/mod_usertrack.so
#LoadModule unique_id_module libexec/apache24/mod_unique_id.so
LoadModule setenvif_module libexec/apache24/mod_setenvif.so
LoadModule version_module libexec/apache24/mod_version.so
#LoadModule remoteip_module libexec/apache24/mod_remoteip.so
#LoadModule proxy_module libexec/apache24/mod_proxy.so
#LoadModule proxy_connect_module libexec/apache24/mod_proxy_connect.so
#LoadModule proxy_ftp_module libexec/apache24/mod_proxy_ftp.so
#LoadModule proxy_http_module libexec/apache24/mod_proxy_http.so
#LoadModule proxy_fcgi_module libexec/apache24/mod_proxy_fcgi.so
#LoadModule proxy_scgi_module libexec/apache24/mod_proxy_scgi.so
#LoadModule proxy_fdpass_module libexec/apache24/mod_proxy_fdpass.so
#LoadModule proxy_wstunnel_module libexec/apache24/mod_proxy_wstunnel.so
#LoadModule proxy_ajp_module libexec/apache24/mod_proxy_ajp.so
#LoadModule proxy_balancer_module libexec/apache24/mod_proxy_balancer.so
#LoadModule proxy_express_module libexec/apache24/mod_proxy_express.so
#LoadModule proxy_hcheck_module libexec/apache24/mod_proxy_hcheck.so
#LoadModule session_module libexec/apache24/mod_session.so
#LoadModule session_cookie_module libexec/apache24/mod_session_cookie.so
#LoadModule session_crypto_module libexec/apache24/mod_session_crypto.so
#LoadModule session_dbd_module libexec/apache24/mod_session_dbd.so
#LoadModule slotmem_shm_module libexec/apache24/mod_slotmem_shm.so
#LoadModule slotmem_plain_module libexec/apache24/mod_slotmem_plain.so
LoadModule ssl_module libexec/apache24/mod_ssl.so
#LoadModule dialup_module libexec/apache24/mod_dialup.so
#LoadModule http2_module libexec/apache24/mod_http2.so
#LoadModule proxy_http2_module libexec/apache24/mod_proxy_http2.so
#LoadModule lbmethod_byrequests_module libexec/apache24/mod_lbmethod_byrequests.so
#LoadModule lbmethod_bytraffic_module libexec/apache24/mod_lbmethod_bytraffic.so
#LoadModule lbmethod_bybusyness_module libexec/apache24/mod_lbmethod_bybusyness.so
#LoadModule lbmethod_heartbeat_module libexec/apache24/mod_lbmethod_heartbeat.so
LoadModule unixd_module libexec/apache24/mod_unixd.so
#LoadModule heartbeat_module libexec/apache24/mod_heartbeat.so
#LoadModule heartmonitor_module libexec/apache24/mod_heartmonitor.so
#LoadModule dav_module libexec/apache24/mod_dav.so
LoadModule status_module libexec/apache24/mod_status.so
LoadModule autoindex_module libexec/apache24/mod_autoindex.so
#LoadModule asis_module libexec/apache24/mod_asis.so
#LoadModule info_module libexec/apache24/mod_info.so
<IfModule !mpm_prefork_module>
#LoadModule cgid_module libexec/apache24/mod_cgid.so
</IfModule>
<IfModule mpm_prefork_module>
#LoadModule cgi_module libexec/apache24/mod_cgi.so
</IfModule>
#LoadModule dav_fs_module libexec/apache24/mod_dav_fs.so
#LoadModule dav_lock_module libexec/apache24/mod_dav_lock.so
#LoadModule vhost_alias_module libexec/apache24/mod_vhost_alias.so
#LoadModule negotiation_module libexec/apache24/mod_negotiation.so
LoadModule dir_module libexec/apache24/mod_dir.so
#LoadModule imagemap_module libexec/apache24/mod_imagemap.so
#LoadModule actions_module libexec/apache24/mod_actions.so
#LoadModule speling_module libexec/apache24/mod_speling.so
#LoadModule userdir_module libexec/apache24/mod_userdir.so
LoadModule alias_module libexec/apache24/mod_alias.so
#LoadModule rewrite_module libexec/apache24/mod_rewrite.so
LoadModule php7_module        libexec/apache24/libphp7.so

<IfModule php7_module>
        AddType application/x-httpd-php .php
</IfModule>

# Third party modules
IncludeOptional etc/apache24/modules.d/[0-9][0-9][0-9]_*.conf
 
<IfModule unixd_module>
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch. 
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
User www
Group www

</IfModule>

# 'Main' server configuration
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition.  These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#

#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed.  This address appears on some server-generated pages, such
# as error documents.  e.g. admin@your-domain.com
#
ServerAdmin you@example.com

#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
#ServerName www.example.com:80

#
# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other
# <Directory> blocks below.
#
<Directory />
    AllowOverride none
    Require all denied
</Directory>

#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#

#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/usr/local/www/apache24/data"
<Directory "/usr/local/www/apache24/data">
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs/2.4/mod/core.html#options
    # for more information.
    #
    Options Indexes FollowSymLinks

    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   AllowOverride FileInfo AuthConfig Limit
    #
    AllowOverride None

    #
    # Controls who can get stuff from this server.
    #
    Require all granted
</Directory>

#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
<IfModule dir_module>
    DirectoryIndex index.php index.html
</IfModule>

#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ".ht*">
    Require all denied
</Files>

#
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog "/var/log/httpd-error.log"

#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn

<IfModule log_config_module>
    #
    # The following directives define some format nicknames for use with
    # a CustomLog directive (see below).
    #
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common

    <IfModule logio_module>
      # You need to enable mod_logio.c to use %I and %O
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>

    #
    # The location and format of the access logfile (Common Logfile Format).
    # If you do not define any access logfiles within a <VirtualHost>
    # container, they will be logged here.  Contrariwise, if you *do*
    # define per-<VirtualHost> access logfiles, transactions will be
    # logged therein and *not* in this file.
    #
    CustomLog "/var/log/httpd-access.log" common

    #
    # If you prefer a logfile with access, agent, and referer information
    # (Combined Logfile Format) you can use the following directive.
    #
    #CustomLog "/var/log/httpd-access.log" combined
</IfModule>

<IfModule alias_module>
    #
    # Redirect: Allows you to tell clients about documents that used to
    # exist in your server's namespace, but do not anymore. The client
    # will make a new request for the document at its new location.
    # Example:
    # Redirect permanent /foo http://www.example.com/bar

    #
    # Alias: Maps web paths into filesystem paths and is used to
    # access content that does not live under the DocumentRoot.
    # Example:
    # Alias /webpath /full/filesystem/path
    #
    # If you include a trailing / on /webpath then the server will
    # require it to be present in the URL.  You will also likely
    # need to provide a <Directory> section to allow access to
    # the filesystem path.

    #
    # ScriptAlias: This controls which directories contain server scripts.
    # ScriptAliases are essentially the same as Aliases, except that
    # documents in the target directory are treated as applications and
    # run by the server when requested rather than as documents sent to the
    # client.  The same rules about trailing "/" apply to ScriptAlias
    # directives as to Alias.
    #
    ScriptAlias /cgi-bin/ "/usr/local/www/apache24/cgi-bin/"

</IfModule>

<IfModule cgid_module>
    #
    # ScriptSock: On threaded servers, designate the path to the UNIX
    # socket used to communicate with the CGI daemon of mod_cgid.
    #
    #Scriptsock cgisock
</IfModule>

#
# "/usr/local/www/apache24/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/usr/local/www/apache24/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>

<IfModule headers_module>
    #
    # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
    # backend servers which have lingering "httpoxy" defects.
    # 'Proxy' request header is undefined by the IETF, not listed by IANA
    #
    RequestHeader unset Proxy early
</IfModule>

<IfModule mime_module>
    #
    # TypesConfig points to the file containing the list of mappings from
    # filename extension to MIME-type.
    #
    TypesConfig etc/apache24/mime.types

    #
    # AddType allows you to add to or override the MIME configuration
    # file specified in TypesConfig for specific file types.
    #
    #AddType application/x-gzip .tgz
    #
    # AddEncoding allows you to have certain browsers uncompress
    # information on the fly. Note: Not all browsers support this.
    #
    #AddEncoding x-compress .Z
    #AddEncoding x-gzip .gz .tgz
    #
    # If the AddEncoding directives above are commented-out, then you
    # probably should define those extensions to indicate media types:
    #
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz

    #
    # AddHandler allows you to map certain file extensions to "handlers":
    # actions unrelated to filetype. These can be either built into the server
    # or added with the Action directive (see below)
    #
    # To use CGI scripts outside of ScriptAliased directories:
    # (You will also need to add "ExecCGI" to the "Options" directive.)
    #
    #AddHandler cgi-script .cgi

    # For type maps (negotiated resources):
    #AddHandler type-map var

    #
    # Filters allow you to process content before it is sent to the client.
    #
    # To parse .shtml files for server-side includes (SSI):
    # (You will also need to add "Includes" to the "Options" directive.)
    #
    #AddType text/html .shtml
    #AddOutputFilter INCLUDES .shtml
</IfModule>

#
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type.  The MIMEMagicFile
# directive tells the module where the hint definitions are located.
#
#MIMEMagicFile etc/apache24/magic

#
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
#
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#

#
# MaxRanges: Maximum number of Ranges in a request before
# returning the entire resource, or one of the special
# values 'default', 'none' or 'unlimited'.
# Default setting is to accept 200 Ranges.
#MaxRanges unlimited

#
# EnableMMAP and EnableSendfile: On systems that support it,
# memory-mapping or the sendfile syscall may be used to deliver
# files.  This usually improves server performance, but must
# be turned off when serving from networked-mounted
# filesystems or if support for these functions is otherwise
# broken on your system.
# Defaults: EnableMMAP On, EnableSendfile Off
#
#EnableMMAP off
#EnableSendfile on

# Supplemental configuration
#
# The configuration files in the etc/apache24/extra/ directory can be
# included to add extra features or to modify the default configuration of
# the server, or you may simply copy their contents here and change as
# necessary.

# Server-pool management (MPM specific)
#Include etc/apache24/extra/httpd-mpm.conf

# Multi-language error messages
#Include etc/apache24/extra/httpd-multilang-errordoc.conf

# Fancy directory listings
#Include etc/apache24/extra/httpd-autoindex.conf

# Language settings
#Include etc/apache24/extra/httpd-languages.conf

# User home directories
#Include etc/apache24/extra/httpd-userdir.conf

# Real-time info on requests and configuration
#Include etc/apache24/extra/httpd-info.conf

# Virtual hosts
#Include etc/apache24/extra/httpd-vhosts.conf

# Local access to the Apache HTTP Server Manual
#Include etc/apache24/extra/httpd-manual.conf

# Distributed authoring and versioning (WebDAV)
#Include etc/apache24/extra/httpd-dav.conf

# Various default settings
#Include etc/apache24/extra/httpd-default.conf

# Configure mod_proxy_html to understand HTML4/XHTML1
<IfModule proxy_html_module>
Include etc/apache24/extra/proxy-html.conf
</IfModule>

# Secure (SSL/TLS) connections
#Include etc/apache24/extra/httpd-ssl.conf
#
# Note: The following must must be present to support
#       starting without SSL on platforms with no /dev/random equivalent
#       but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

Include etc/apache24/Includes/*.conf


Now we need to create a PHP info / diagnostics page to check that everything is working correctly:
sudo nano /usr/local/www/apache24/data/phpinfo.php

Content of /usr/local/www/apache24/data/phpinfo.php
Code:
<?php phpinfo(); ?>

Now we need to restart the Apache web server, since we have made a lot of configuration changes that need to be reloaded: sudo service apache24 restart

Test the web server: open a web browser and try both IP and DNS access: http://192.168.55.30/phpinfo.php and http://server.it-monkey.lan/phpinfo.php

Now that you have checked that everything is working correctly with Apache and PHP, it is time to install and configure the database server, MySQL 5.7.

MySQL:
MySQL is the world's most popular open source database. With its proven performance, reliability and ease of use, MySQL has become the leading database choice for web-based applications, used by high-profile web properties including Facebook, Twitter, YouTube, Yahoo! and many more.

Oracle drives MySQL innovation, delivering new capabilities to power next-generation web, cloud, mobile and embedded applications.

Documentation: https://dev.mysql.com/doc/refman/5.7/en/introduction.html

Install MySQL:
sudo pkg install mysql57-server

Set MySQL to start automatically at boot:
sudo sysrc mysql_enable=YES

Start the MySQL server:
sudo service mysql-server start

Secure the database server: sudo mysql_secure_installation
- Would you like to setup VALIDATE PASSWORD plugin?: yes
There are three levels of password validation policy:

LOW    Length >= 8
MEDIUM Length >= 8, numeric, mixed case, and special characters
STRONG Length >= 8, numeric, mixed case, special characters and dictionary file

Please enter 0 = LOW, 1 = MEDIUM and 2 = STRONG: 1
- Change the password for root ?: yes
New password: MySexyPassword123.
Re-enter new password: MySexyPassword123.

- Do you wish to continue with the password provided?: yes
- Remove anonymous users?: yes
- Disallow root login remotely?: yes
- Remove test database and access to it?: yes
- Reload privilege tables now?: yes

Open the MySQL shell to create the database and the access that OwnCloud requires: sudo mysql -u root -p

There is a bug in the secure installation process that forces us to reset the root password before creating the database and user:
ALTER USER 'root'@'localhost' IDENTIFIED BY 'MySexyPassword123.';

Then we can create the database, ownclouddb, and its admin user, ocadmin:

CREATE DATABASE ownclouddb;
CREATE USER ocadmin@localhost IDENTIFIED BY 'MySexyPassword123.';
GRANT ALL PRIVILEGES ON ownclouddb.* TO 'ocadmin'@'localhost';
FLUSH PRIVILEGES;
EXIT;

We have now done the minimum FAMP configuration for OwnCloud to run on FreeBSD; only a few environment settings remain before we install the OwnCloud package. We start by creating the SSL certificates so that we can use an HTTPS connection to access the server.

In this guide we will use a self-signed SSL certificate, but the process for a self-signed and a CA-signed certificate is identical, as in both cases you need to generate a CSR and PEM file and a private/public key pair. If you follow this process and give the correct details, you can send the CSR file to a Certificate Authority and have it publicly signed and validated for your server.

Make the SSL Cert directory:
sudo mkdir -p /usr/local/etc/ssl/self-cert/owncloud/

Move to the SSL Cert directory:
cd /usr/local/etc/ssl/self-cert/owncloud/

Generate the CSR and the passphrase-protected PEM key file:
sudo openssl req -config /etc/ssl/openssl.cnf -new -out /usr/local/etc/ssl/self-cert/owncloud/owncloud.csr -keyout /usr/local/etc/ssl/self-cert/owncloud/owncloud.pem

Enter PEM pass phrase: MySexyPassword123.
Verifying - Enter PEM pass phrase: MySexyPassword123.

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but for some fields there will be a default value,
If you enter '.', the field will be left blank (not recommended).

Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

My server is located in Drammen, Norway, so the form looks like this for me; adjust it to your own server or organisation location. If you are a home user, the important fields are Country, Locality, Common Name and Email; the rest can be left empty.

Common Name must be the FQDN and/or public IP of the server if it is going to be accessed from the Internet.

Country Name (2 letter code) [AU]: NO
State or Province Name (full name) [Some-State]: Buskerud
Locality Name (eg, city) []: Drammen
Organization Name (eg, company) [Internet Widgits Pty Ltd]: IT-Monkey
Organizational Unit Name (eg, section) []: IT
Common Name (e.g. server FQDN or YOUR name) []: server.it-monkey.lan
Email Address []: admin@it-monkey.lan

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: MySexyPassword123.
An optional company name []: IT-Monkey

Write out the RSA private key without the passphrase:
sudo openssl rsa -in /usr/local/etc/ssl/self-cert/owncloud/owncloud.pem -out /usr/local/etc/ssl/self-cert/owncloud/owncloud.key

Enter pass phrase for /usr/local/etc/ssl/self-cert/owncloud/owncloud.pem: MySexyPassword123.

Sign the CSR with the RSA key to create the certificate, valid for 3 years:
sudo openssl x509 -in /usr/local/etc/ssl/self-cert/owncloud/owncloud.csr -out /usr/local/etc/ssl/self-cert/owncloud/owncloud.crt -req -signkey /usr/local/etc/ssl/self-cert/owncloud/owncloud.key -days 1095

Set the correct file permissions for the certificates:
sudo chmod 600 *
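
The same key and certificate, generated without the interactive prompts and checked before Apache is pointed at them, as an added example that is not part of the original post. It assumes openssl is in PATH and reuses the post's directory and DN values (server.it-monkey.lan, IT-Monkey); the subjectAltName it sets is not in the post's commands.

```sh
#!/bin/sh
# Added example (not from the original post): produce the same key and
# self-signed certificate non-interactively and verify them before httpd
# uses them. Assumptions: openssl in PATH; directory and DN values are the
# ones from the post, so change them for your own host.

set -u

FQDN="server.it-monkey.lan"
DAYS=1095

# Minimal OpenSSL config: the DN answered in the post's form, plus a
# subjectAltName, since browsers no longer accept a certificate whose only
# name is the CN.
write_openssl_cnf() {
    cat > "$1" <<EOF
[req]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_server
[dn]
C            = NO
ST           = Buskerud
L            = Drammen
O            = IT-Monkey
OU           = IT
CN           = ${FQDN}
emailAddress = admin@it-monkey.lan
[v3_server]
subjectAltName   = DNS:${FQDN}
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# Create owncloud.key (unencrypted, so httpd can start unattended) and
# owncloud.crt (self-signed, valid for $DAYS days) in directory $1.
gen_selfsigned() {
    dir="$1"
    mkdir -p "$dir" || return 1
    write_openssl_cnf "$dir/openssl.cnf"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days "$DAYS" \
        -config "$dir/openssl.cnf" \
        -keyout "$dir/owncloud.key" -out "$dir/owncloud.crt" 2>/dev/null || return 1
    # Same permissions the post sets: only the owner may read the files.
    chmod 600 "$dir/owncloud.key" "$dir/owncloud.crt"
}

# Checks to run before pointing Apache at the files. Returns 0 only if the
# certificate names the FQDN in subject and SAN, matches the private key,
# and still has (almost) the full validity period left.
check_cert() {
    dir="$1"
    crt="$dir/owncloud.crt"; key="$dir/owncloud.key"
    openssl x509 -in "$crt" -noout -subject | grep -q "CN *= *${FQDN}" \
        || { echo "subject does not name ${FQDN}" >&2; return 1; }
    openssl x509 -in "$crt" -noout -text | grep -q "DNS:${FQDN}" \
        || { echo "no subjectAltName for ${FQDN}" >&2; return 1; }
    [ "$(openssl x509 -in "$crt" -noout -modulus)" = "$(openssl rsa -in "$key" -noout -modulus)" ] \
        || { echo "private key does not match certificate" >&2; return 1; }
    # -checkend fails if the certificate expires within N seconds (1094 days).
    openssl x509 -in "$crt" -noout -checkend 94521600 >/dev/null \
        || { echo "validity shorter than expected" >&2; return 1; }
    echo "certificate for ${FQDN} OK"
}

# Run as "sh make-cert.sh run" to create the files in the post's directory.
if [ "${1:-}" = "run" ]; then
    CERT_DIR=/usr/local/etc/ssl/self-cert/owncloud
    gen_selfsigned "$CERT_DIR" && check_cert "$CERT_DIR"
fi
```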

Finally we come to the process of getting OwnCloud onto our system. We start by creating the folder that will hold the OwnCloud application files.

Create the OwnCloud folder under the Apache web root:
sudo mkdir -p /usr/local/www/apache24/data/owncloud/

Set the correct permissions so the Apache web server can read the files:
sudo chown -R www:www /usr/local/www/apache24/data/owncloud/
 
We only need these files temporarily so we move to the system temp folder:
cd /tmp

Now we download the OwnCloud software to our server. The current way to do that is to use wget or curl and point it at the URL of the OwnCloud tar archive; these URLs change often, so check OwnCloud's website for the current version.

Current files to be downloaded:
wget https://download.owncloud.org/community/owncloud-10.0.7.tar.bz2
wget https://download.owncloud.org/community/owncloud-10.0.7.tar.bz2.sha256
wget https://download.owncloud.org/community/owncloud-10.0.7.tar.bz2.asc
wget https://owncloud.org/owncloud.asc

Verifying the downloaded files (none of these steps needs root; note that sha256 -c on FreeBSD takes the expected digest as a string, so it is read out of the .sha256 file, and the signature to verify is the .asc file, not the .sha256 file):
gpg --import owncloud.asc
sha256 -c "$(cut -d ' ' -f 1 owncloud-10.0.7.tar.bz2.sha256)" owncloud-10.0.7.tar.bz2
gpg --verify owncloud-10.0.7.tar.bz2.asc owncloud-10.0.7.tar.bz2
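
The checks behind the verification commands, written out explicitly as an added example that is not from the post: it works with FreeBSD's sha256(1) or GNU sha256sum, and it compares the downloaded key's fingerprint with one obtained separately before the signature is trusted. It assumes the .sha256 file is in sha256sum format (hash, two spaces, file name); the fingerprint value at the end is a placeholder to fill in from owncloud.org.

```sh
#!/bin/sh
# Added example, not from the original post: the checks behind the three
# verification commands, written out explicitly. Works with FreeBSD's
# sha256(1) and with GNU coreutils' sha256sum, so it runs on either system.
# Assumption: the .sha256 file is in sha256sum format ("<hex>  <file name>").

set -u

# Print the hex SHA-256 digest of file $1 with whichever tool is available.
digest_of() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                          # FreeBSD base system
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1        # GNU coreutils
    else
        openssl dgst -sha256 -r "$1" | cut -d ' ' -f 1
    fi
}

# Print the digest recorded for file name $2 in the .sha256 file $1.
# Returns 1 if no entry for that name exists (a "*" binary-mode prefix on
# the name is tolerated).
expected_digest() {
    awk -v name="$2" '
        { sub(/^\*/, "", $2) }
        $2 == name { print $1; found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Compare the recorded digest for tarball $2 against its actual digest.
# Returns 0 only on an exact match; the verdict is printed for interactive
# use, but the exit status is what a script should rely on.
verify_sha256() {
    sumfile="$1"; tarball="$2"
    name=$(basename "$tarball")
    want=$(expected_digest "$sumfile" "$name") \
        || { echo "$name: not listed in $sumfile" >&2; return 1; }
    have=$(digest_of "$tarball")
    if [ "$have" = "$want" ]; then
        echo "$name: SHA-256 OK"
    else
        echo "$name: SHA-256 MISMATCH (got $have, expected $want)" >&2
        return 1
    fi
}

# Verify the detached PGP signature $2 over tarball $3. The signing key in
# $1 was fetched over the same channel as the tarball, so its fingerprint
# is compared with $4 (obtained separately, e.g. from owncloud.org) before
# the key is imported and used.
verify_signature() {
    keyfile="$1"; sigfile="$2"; tarball="$3"; expected_fpr="$4"
    fpr=$(gpg --with-colons --import-options show-only --import "$keyfile" 2>/dev/null \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    [ "$fpr" = "$expected_fpr" ] \
        || { echo "key fingerprint $fpr does not match expected $expected_fpr" >&2; return 1; }
    gpg --import "$keyfile" >/dev/null 2>&1
    gpg --verify "$sigfile" "$tarball"
}

# Run as "sh verify-owncloud.sh run" in /tmp after the four downloads.
if [ "${1:-}" = "run" ]; then
    cd /tmp || exit 1
    # Placeholder: the real fingerprint is not in the post; take it from
    # owncloud.org before running this.
    verify_sha256 owncloud-10.0.7.tar.bz2.sha256 owncloud-10.0.7.tar.bz2 \
        && verify_signature owncloud.asc owncloud-10.0.7.tar.bz2.asc \
               owncloud-10.0.7.tar.bz2 "OWNCLOUD_KEY_FINGERPRINT_PLACEHOLDER"
fi
```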

After you have verified the files, extract them from the tar archive:
sudo tar -xjf owncloud-10.0.7.tar.bz2

Now we move the files to the directory we created for them under the Apache web root:
sudo cp -r owncloud/* /usr/local/www/apache24/data/owncloud/

The last thing to do is restart the Apache web server:
sudo service apache24 restart

Everything should now be installed and working; when you open your web browser and navigate to http://192.168.55.30/owncloud/ or http://server.it-monkey.lan/owncloud/ you should see the OwnCloud setup page.

Server output
Code:

=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2018.03.28 11:10:04 =~=~=~=~=~=~=~=~=~=~=~=
login as: edd
Using keyboard-interactive authentication.
Password for edd@server:
Last login: Mon Mar 26 10:37:58 2018 from 192.168.55.150

FreeBSD 11.1-RELEASE (GENERIC) #0 r321309: Fri Jul 21 02:08:28 UTC 2017

Welcome to FreeBSD!

Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories: https://www.FreeBSD.org/security/
FreeBSD Handbook: https://www.FreeBSD.org/handbook/
FreeBSD FAQ: https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums: https://forums.FreeBSD.org/

Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with:  pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.

Show the version of FreeBSD installed:  freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages:  man man
FreeBSD directory layout:      man hier

Edit /etc/motd to change this login announcement.
In order to make fetch (the FreeBSD downloading tool) ask for
username/password when it encounters a password-protected web page, you can set
the environment variable HTTP_AUTH to 'basic:*'.

$ uname  -a
FreeBSD server 11.1-RELEASE FreeBSD 11.1-RELEASE #0 r321309: Fri Jul 21 02:08:28 UTC 2017     root@releng2.nyi.freebsd.org:/usr/obj/usr/src/sys/GENERIC  amd64

$ neofetch
   ```                        `    edd@server
  ` `.....---.......--.```   -/    ----------
  +o   .--`         /y:`      +.   OS: FreeBSD 11.1-RELEASE amd64
   yo`:.            :o      `+-    Uptime: 1 day, 18 hours, 50 mins
    y/               -/`   -o/     Packages: 126
   .-                  ::/sy+:.    Shell: sh
   /                     `--  /    Terminal: /dev/pts/0
  `:                          :`   CPU: Intel i7-4770 (4) @ 3.392GHz
  `:                          :`   GPU: SVGA II Adapter
   /                          /    Memory: 1641MiB / 2012MiB
   .-                        -.
    --                      -.
     `:`                  `:`
       .--             `--.
          .---.....----.
$

  Updating the package repositories
$ sudo pkg update
Updating FreeBSD repository catalogue...
Fetching meta.txz:   0%
Fetching meta.txz: 100%    944 B   0.9kB/s    00:01   
Fetching packagesite.txz:   0%
Fetching packagesite.txz:   6%  392 KiB 401.4kB/s    00:14 ETA
Fetching packagesite.txz:  54%    3 MiB   2.9MB/s    00:01 ETA
Fetching packagesite.txz: 100%    6 MiB   3.1MB/s    00:02   
Processing entries:   0%
.
.
Processing entries: 100%
FreeBSD repository update completed. 28605 packages processed.
All repositories are up to date.

$ sudo pkg upgrade
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
Updating database digests format:   0%
Updating database digests format: 100%
Checking for upgrades (10 candidates):   0%
Checking for upgrades (10 candidates): 100%
Processing candidates (10 candidates):   0%
Processing candidates (10 candidates): 100%
Checking integrity... done (0 conflicting)
Your packages are up to date.

  Installing the needed tools
$ sudo pkg install curl wget vim nano gnupg
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 21 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
curl: 7.58.0
wget: 1.19.2
vim: 8.0.1427
nano: 2.9.1
gnupg: 2.2.4
libnghttp2: 1.29.0
libedit: 3.1.20170329_2,1
libXpm: 3.5.12
ruby: 2.4.3,1
libyaml: 0.1.6_2
desktop-file-utils: 0.23
ctags: 5.8
cscope: 15.8b
pinentry: 1.0.0_3
pinentry-tty: 1.0.0
libgpg-error: 1.27
libassuan: 2.5.1
libksba: 1.3.5
libgcrypt: 1.8.2
npth: 1.5
sqlite3: 3.22.0_1

Number of packages to be installed: 21

The process will require 104 MiB more space.
22 MiB to be downloaded.

Proceed with this action? [y/N]: y
[1/21] Fetching curl-7.58.0.txz:   0%
[1/21] Fetching curl-7.58.0.txz:  31%  376 KiB 385.0kB/s    00:02 ETA
[1/21] Fetching curl-7.58.0.txz: 100%    1 MiB   1.2MB/s    00:01   
[2/21] Fetching wget-1.19.2.txz:   0%
[2/21] Fetching wget-1.19.2.txz:  25%  160 KiB 163.8kB/s    00:02 ETA
[2/21] Fetching wget-1.19.2.txz: 100%  624 KiB 639.1kB/s    00:01   
[3/21] Fetching vim-8.0.1427.txz:   0%
[3/21] Fetching vim-8.0.1427.txz:   1%  128 KiB 131.1kB/s    00:51 ETA
[3/21] Fetching vim-8.0.1427.txz:  18%    1 MiB   1.2MB/s    00:07 ETA
[3/21] Fetching vim-8.0.1427.txz:  71%    5 MiB   3.6MB/s    00:00 ETA
[3/21] Fetching vim-8.0.1427.txz: 100%    7 MiB   2.3MB/s    00:03   
[4/21] Fetching nano-2.9.1.txz:   0%
[4/21] Fetching nano-2.9.1.txz:  65%  312 KiB 319.5kB/s    00:00 ETA
[4/21] Fetching nano-2.9.1.txz: 100%  476 KiB 487.8kB/s    00:01   
[5/21] Fetching gnupg-2.2.4.txz:   0%
[5/21] Fetching gnupg-2.2.4.txz:  20%  408 KiB 417.8kB/s    00:03 ETA
[5/21] Fetching gnupg-2.2.4.txz: 100%    2 MiB   2.0MB/s    00:01   
[6/21] Fetching libnghttp2-1.29.0.txz:   0%
[6/21] Fetching libnghttp2-1.29.0.txz: 100%  108 KiB 110.4kB/s    00:01   
[7/21] Fetching libedit-3.1.20170329_2,1.txz:   0%
[7/21] Fetching libedit-3.1.20170329_2,1.txz: 100%  125 KiB 128.5kB/s    00:01   
[8/21] Fetching libXpm-3.5.12.txz:   0%
[8/21] Fetching libXpm-3.5.12.txz: 100%   71 KiB  72.2kB/s    00:01   
[9/21] Fetching ruby-2.4.3,1.txz:   0%
[9/21] Fetching ruby-2.4.3,1.txz:   6%  568 KiB 581.6kB/s    00:14 ETA
[9/21] Fetching ruby-2.4.3,1.txz:  35%    3 MiB   2.6MB/s    00:03 ETA
[9/21] Fetching ruby-2.4.3,1.txz:  98%    8 MiB   5.7MB/s    00:00 ETA
[9/21] Fetching ruby-2.4.3,1.txz: 100%    9 MiB   3.0MB/s    00:03   
[10/21] Fetching libyaml-0.1.6_2.txz:   0%
[10/21] Fetching libyaml-0.1.6_2.txz: 100%   64 KiB  65.3kB/s    00:01   
[11/21] Fetching desktop-file-utils-0.23.txz:   0%
[11/21] Fetching desktop-file-utils-0.23.txz: 100%   37 KiB  37.4kB/s    00:01   
[12/21] Fetching ctags-5.8.txz:   0%
[12/21] Fetching ctags-5.8.txz: 100%  121 KiB 124.0kB/s    00:01   
[13/21] Fetching cscope-15.8b.txz:   0%
[13/21] Fetching cscope-15.8b.txz: 100%  127 KiB 130.1kB/s    00:01   
[14/21] Fetching pinentry-1.0.0_3.txz:   0%
[14/21] Fetching pinentry-1.0.0_3.txz: 100%   16 KiB  16.6kB/s    00:01   
[15/21] Fetching pinentry-tty-1.0.0.txz:   0%
[15/21] Fetching pinentry-tty-1.0.0.txz: 100%   27 KiB  27.6kB/s    00:01   
[16/21] Fetching libgpg-error-1.27.txz:   0%
[16/21] Fetching libgpg-error-1.27.txz: 100%  183 KiB 187.2kB/s    00:01   
[17/21] Fetching libassuan-2.5.1.txz:   0%
[17/21] Fetching libassuan-2.5.1.txz: 100%   77 KiB  78.7kB/s    00:01   
[18/21] Fetching libksba-1.3.5.txz:   0%
[18/21] Fetching libksba-1.3.5.txz: 100%  158 KiB 161.3kB/s    00:01   
[19/21] Fetching libgcrypt-1.8.2.txz:   0%
[19/21] Fetching libgcrypt-1.8.2.txz:  26%  192 KiB 196.6kB/s    00:02 ETA
[19/21] Fetching libgcrypt-1.8.2.txz: 100%  716 KiB 733.5kB/s    00:01   
[20/21] Fetching npth-1.5.txz:   0%
[20/21] Fetching npth-1.5.txz: 100%   20 KiB  20.9kB/s    00:01   
[21/21] Fetching sqlite3-3.22.0_1.txz:   0%
[21/21] Fetching sqlite3-3.22.0_1.txz:   6%   72 KiB  73.7kB/s    00:15 ETA
[21/21] Fetching sqlite3-3.22.0_1.txz: 100%    1 MiB   1.2MB/s    00:01   
Checking integrity... done (0 conflicting)
[1/21] Installing libgpg-error-1.27...
[1/21] Extracting libgpg-error-1.27:   0%
[1/21] Extracting libgpg-error-1.27: 100%
[2/21] Installing libassuan-2.5.1...
[2/21] Extracting libassuan-2.5.1:   0%
[2/21] Extracting libassuan-2.5.1: 100%
[3/21] Installing libedit-3.1.20170329_2,1...
[3/21] Extracting libedit-3.1.20170329_2,1:   0%
[3/21] Extracting libedit-3.1.20170329_2,1: 100%
[4/21] Installing libyaml-0.1.6_2...
[4/21] Extracting libyaml-0.1.6_2:   0%
[4/21] Extracting libyaml-0.1.6_2: 100%
[5/21] Installing pinentry-tty-1.0.0...
[5/21] Extracting pinentry-tty-1.0.0:   0%
[5/21] Extracting pinentry-tty-1.0.0: 100%
[6/21] Installing libnghttp2-1.29.0...
[6/21] Extracting libnghttp2-1.29.0:   0%
[6/21] Extracting libnghttp2-1.29.0: 100%
[7/21] Installing libXpm-3.5.12...
[7/21] Extracting libXpm-3.5.12:   0%
[7/21] Extracting libXpm-3.5.12: 100%
[8/21] Installing ruby-2.4.3,1...
[8/21] Extracting ruby-2.4.3,1:   0%
[8/21] Extracting ruby-2.4.3,1: 100%
[9/21] Installing desktop-file-utils-0.23...
[9/21] Extracting desktop-file-utils-0.23:   0%
[9/21] Extracting desktop-file-utils-0.23: 100%
[10/21] Installing ctags-5.8...
[10/21] Extracting ctags-5.8:   0%
[10/21] Extracting ctags-5.8: 100%
[11/21] Installing cscope-15.8b...
[11/21] Extracting cscope-15.8b:   0%
[11/21] Extracting cscope-15.8b: 100%
[12/21] Installing pinentry-1.0.0_3...
[12/21] Extracting pinentry-1.0.0_3:   0%
[12/21] Extracting pinentry-1.0.0_3: 100%
[13/21] Installing libksba-1.3.5...
[13/21] Extracting libksba-1.3.5:   0%
[13/21] Extracting libksba-1.3.5: 100%
[14/21] Installing libgcrypt-1.8.2...
[14/21] Extracting libgcrypt-1.8.2:   0%
[14/21] Extracting libgcrypt-1.8.2: 100%
[15/21] Installing npth-1.5...
[15/21] Extracting npth-1.5:   0%
[15/21] Extracting npth-1.5: 100%
[16/21] Installing sqlite3-3.22.0_1...
[16/21] Extracting sqlite3-3.22.0_1:   0%
[16/21] Extracting sqlite3-3.22.0_1: 100%
[17/21] Installing curl-7.58.0...
[17/21] Extracting curl-7.58.0:   0%
[17/21] Extracting curl-7.58.0: 100%
[18/21] Installing wget-1.19.2...
[18/21] Extracting wget-1.19.2:   0%
[18/21] Extracting wget-1.19.2: 100%
[19/21] Installing vim-8.0.1427...
[19/21] Extracting vim-8.0.1427:   0%
[19/21] Extracting vim-8.0.1427: 100%
[20/21] Installing nano-2.9.1...
[20/21] Extracting nano-2.9.1:   0%
[20/21] Extracting nano-2.9.1: 100%
[21/21] Installing gnupg-2.2.4...
Extracting gnupg-2.2.4:   0%
Extracting gnupg-2.2.4: 100%
Message from ruby-2.4.3,1:

====
Some of the standard commands are provided as separate ports for ease
of upgrading:

devel/ruby-gems: gem - RubyGems package manager
devel/rubygem-rake: rake - Ruby Make

And some of the standard libraries are provided as separate ports
since they require extra dependencies:

databases/ruby-gdbm: GDBM module

Install them as occasion demands.
====
Message from ctags-5.8:

**************************************************************************
The executable for Exuberant CTAGS is installed as /usr/local/bin/exctags
**************************************************************************

  Installation of the tools is now completed; next we install the web server, Apache 2.4
$ sudo pkg install apache24
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 3 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
apache24: 2.4.29
apr: 1.6.3.1.6.1
db5: 5.3.28_6

Number of packages to be installed: 3

The process will require 76 MiB more space.
17 MiB to be downloaded.

Proceed with this action? [y/N]: y
[1/3] Fetching apache24-2.4.29.txz:   0%
[1/3] Fetching apache24-2.4.29.txz:  15%  752 KiB 770.1kB/s    00:05 ETA
[1/3] Fetching apache24-2.4.29.txz:  79%    4 MiB   3.3MB/s    00:00 ETA
[1/3] Fetching apache24-2.4.29.txz:  99%    5 MiB   1.0MB/s    00:00 ETA
[1/3] Fetching apache24-2.4.29.txz: 100%    5 MiB   1.7MB/s    00:03   
[2/3] Fetching apr-1.6.3.1.6.1.txz:   0%
[2/3] Fetching apr-1.6.3.1.6.1.txz: 100%  453 KiB 464.2kB/s    00:01   
[3/3] Fetching db5-5.3.28_6.txz:   0%
[3/3] Fetching db5-5.3.28_6.txz:   5%  640 KiB 655.4kB/s    00:18 ETA
[3/3] Fetching db5-5.3.28_6.txz:  22%    3 MiB   2.2MB/s    00:06 ETA
[3/3] Fetching db5-5.3.28_6.txz:  48%    6 MiB   3.3MB/s    00:02 ETA
[3/3] Fetching db5-5.3.28_6.txz:  74%    9 MiB   3.4MB/s    00:01 ETA
[3/3] Fetching db5-5.3.28_6.txz: 100%   12 MiB   3.2MB/s    00:04   
Checking integrity... done (0 conflicting)
[1/3] Installing db5-5.3.28_6...
[1/3] Extracting db5-5.3.28_6:   0%
[1/3] Extracting db5-5.3.28_6: 100%
[2/3] Installing apr-1.6.3.1.6.1...
[2/3] Extracting apr-1.6.3.1.6.1:   0%
[2/3] Extracting apr-1.6.3.1.6.1: 100%
[3/3] Installing apache24-2.4.29...
===> Creating groups.
Using existing group 'www'.
===> Creating users
Using existing user 'www'.
Extracting apache24-2.4.29:   0%
Extracting apache24-2.4.29: 100%
Message from apr-1.6.3.1.6.1:

/!\ ================================================================== /!\

The Apache Portable Runtime project removed support for FreeTDS with
version 1.6. Users requiring MS-SQL connectivity must migrate
configurations to use the added ODBC driver and FreeTDS' ODBC features.

/!\ ================================================================== /!\
Message from apache24-2.4.29:

To run apache www server from startup, add apache24_enable="yes"
in your /etc/rc.conf. Extra options can be found in startup script.

Your hostname must be resolvable using at least 1 mechanism in
/etc/nsswitch.conf typically DNS or /etc/hosts or apache might
have issues starting depending on the modules you are using.

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

- apache24 default build changed from static MPM to modular MPM
- more modules are now enabled per default in the port
- icons and error pages moved from WWWDIR to DATADIR

   If build with modular MPM and no MPM is activated in
   httpd.conf, then mpm_prefork will be activated as default
   MPM in etc/apache24/modules.d to keep compatibility with
   existing php/perl/python modules!

Please compare the existing httpd.conf with httpd.conf.sample
and merge missing modules/instructions into httpd.conf!

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

  Now we need to set Apache to start automatically on reboots
$ sudo sysrc apache24_enable=YES
apache24_enable:  -> YES

 Now we copy the sample configuration into place as the production configuration for the Apache web server
$ sudo cp /usr/local/etc/apache24/httpd.conf.sample /usr/local/etc/apache24/httpd.conf

 Now we can start the web server
$ sudo service apache24 start
Performing sanity check on apache24 configuration:
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.55.30. Set the 'ServerName' directive globally to suppress this message
Syntax OK
Starting apache24.
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.55.30. Set the 'ServerName' directive globally to suppress this message

 This is a common warning: we have not configured DNS or a domain name for the FreeBSD server. That is handled by an external system, so you do not need to do it for this guide, and the message can be ignored for now

 Now we need to install PHP and PHP Extension modules
$ sudo pkg install php71 php71-extensions mod_php71 php71-mysqli php71-gd php71-curl php71-zlib php71-zip php71-pdo_mysql php71-openssl php71-gmp php71-ldap php71-exif php71-fileinfo php71-mbstring php71-bcmath php71-bz2 php71-mcrypt php71-intl
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 43 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
php71: 7.1.15
php71-extensions: 1.0
mod_php71: 7.1.15
php71-mysqli: 7.1.15
php71-gd: 7.1.15
php71-curl: 7.1.15
php71-zlib: 7.1.15
php71-zip: 7.1.15
php71-pdo_mysql: 7.1.15
php71-openssl: 7.1.15
php71-gmp: 7.1.15
php71-ldap: 7.1.15
php71-exif: 7.1.15
php71-fileinfo: 7.1.15
php71-mbstring: 7.1.15
php71-bcmath: 7.1.15
php71-bz2: 7.1.15
php71-mcrypt: 7.1.15
php71-intl: 7.1.15
php71-session: 7.1.15
php71-opcache: 7.1.15
php71-xmlwriter: 7.1.15
php71-xmlreader: 7.1.15
php71-dom: 7.1.15
php71-xml: 7.1.15
php71-simplexml: 7.1.15
php71-ctype: 7.1.15
php71-posix: 7.1.15
php71-hash: 7.1.15
php71-filter: 7.1.15
php71-tokenizer: 7.1.15
php71-json: 7.1.15
php71-sqlite3: 7.1.15
php71-pdo_sqlite: 7.1.15
php71-pdo: 7.1.15
php71-iconv: 7.1.15
php71-phar: 7.1.15
libzip: 1.3.2
openldap-client: 2.4.45
oniguruma6: 6.6.1
libmcrypt: 2.5.8_3
libltdl: 2.4.6
icu: 60.2_1,1

Number of packages to be installed: 43

The process will require 91 MiB more space.
17 MiB to be downloaded.

Proceed with this action? [y/N]: y
[1/43] Fetching php71-7.1.15.txz:   0%
[1/43] Fetching php71-7.1.15.txz:   1%   64 KiB  65.5kB/s    00:49 ETA
[1/43] Fetching php71-7.1.15.txz:  60%    2 MiB   1.9MB/s    00:01 ETA
[1/43] Fetching php71-7.1.15.txz: 100%    3 MiB   1.7MB/s    00:02   
[2/43] Fetching php71-extensions-1.0.txz:   0%
[2/43] Fetching php71-extensions-1.0.txz: 100%    1 KiB   1.1kB/s    00:01   
[3/43] Fetching mod_php71-7.1.15.txz:   0%
[3/43] Fetching mod_php71-7.1.15.txz:  13%  160 KiB 163.8kB/s    00:06 ETA
[3/43] Fetching mod_php71-7.1.15.txz: 100%    1 MiB   1.2MB/s    00:01   
[4/43] Fetching php71-mysqli-7.1.15.txz:   0%
[4/43] Fetching php71-mysqli-7.1.15.txz:  40%   16 KiB  16.4kB/s    00:01 ETA
[4/43] Fetching php71-mysqli-7.1.15.txz: 100%   39 KiB  40.2kB/s    00:01   
[5/43] Fetching php71-gd-7.1.15.txz:   0%
[5/43] Fetching php71-gd-7.1.15.txz: 100%  128 KiB 131.1kB/s    00:01   
[6/43] Fetching php71-curl-7.1.15.txz:   0%
[6/43] Fetching php71-curl-7.1.15.txz: 100%   27 KiB  27.8kB/s    00:01   
[7/43] Fetching php71-zlib-7.1.15.txz:   0%
[7/43] Fetching php71-zlib-7.1.15.txz: 100%   17 KiB  17.6kB/s    00:01   
[8/43] Fetching php71-zip-7.1.15.txz:   0%
[8/43] Fetching php71-zip-7.1.15.txz: 100%   20 KiB  20.4kB/s    00:01   
[9/43] Fetching php71-pdo_mysql-7.1.15.txz:   0%
[9/43] Fetching php71-pdo_mysql-7.1.15.txz: 100%   16 KiB  16.3kB/s    00:01   
[10/43] Fetching php71-openssl-7.1.15.txz:   0%
[10/43] Fetching php71-openssl-7.1.15.txz: 100%   53 KiB  54.0kB/s    00:01   
[11/43] Fetching php71-gmp-7.1.15.txz:   0%
[11/43] Fetching php71-gmp-7.1.15.txz: 100%   18 KiB  18.2kB/s    00:01   
[12/43] Fetching php71-ldap-7.1.15.txz:   0%
[12/43] Fetching php71-ldap-7.1.15.txz: 100%   20 KiB  20.7kB/s    00:01   
[13/43] Fetching php71-exif-7.1.15.txz:   0%
[13/43] Fetching php71-exif-7.1.15.txz: 100%   24 KiB  24.9kB/s    00:01   
[14/43] Fetching php71-fileinfo-7.1.15.txz:   0%
[14/43] Fetching php71-fileinfo-7.1.15.txz: 100%  203 KiB 208.1kB/s    00:01   
[15/43] Fetching php71-mbstring-7.1.15.txz:   0%
[15/43] Fetching php71-mbstring-7.1.15.txz:  10%   72 KiB  73.7kB/s    00:08 ETA
[15/43] Fetching php71-mbstring-7.1.15.txz: 100%  715 KiB 732.6kB/s    00:01   
[16/43] Fetching php71-bcmath-7.1.15.txz:   0%
[16/43] Fetching php71-bcmath-7.1.15.txz: 100%   20 KiB  20.3kB/s    00:01   
[17/43] Fetching php71-bz2-7.1.15.txz:   0%
[17/43] Fetching php71-bz2-7.1.15.txz: 100%   11 KiB  10.9kB/s    00:01   
[18/43] Fetching php71-mcrypt-7.1.15.txz:   0%
[18/43] Fetching php71-mcrypt-7.1.15.txz: 100%   15 KiB  14.9kB/s    00:01   
[19/43] Fetching php71-intl-7.1.15.txz:   0%
[19/43] Fetching php71-intl-7.1.15.txz: 100%  118 KiB 120.7kB/s    00:01   
[20/43] Fetching php71-session-7.1.15.txz:   0%
[20/43] Fetching php71-session-7.1.15.txz: 100%   32 KiB  32.8kB/s    00:01   
[21/43] Fetching php71-opcache-7.1.15.txz:   0%
[21/43] Fetching php71-opcache-7.1.15.txz: 100%  144 KiB 147.2kB/s    00:01   
[22/43] Fetching php71-xmlwriter-7.1.15.txz:   0%
[22/43] Fetching php71-xmlwriter-7.1.15.txz: 100%   13 KiB  13.1kB/s    00:01   
[23/43] Fetching php71-xmlreader-7.1.15.txz:   0%
[23/43] Fetching php71-xmlreader-7.1.15.txz: 100%   13 KiB  12.9kB/s    00:01   
[24/43] Fetching php71-dom-7.1.15.txz:   0%
[24/43] Fetching php71-dom-7.1.15.txz: 100%   54 KiB  55.0kB/s    00:01   
[25/43] Fetching php71-xml-7.1.15.txz:   0%
[25/43] Fetching php71-xml-7.1.15.txz:  81%   16 KiB  16.4kB/s    00:00 ETA
[25/43] Fetching php71-xml-7.1.15.txz: 100%   20 KiB  20.2kB/s    00:01   
[26/43] Fetching php71-simplexml-7.1.15.txz:   0%
[26/43] Fetching php71-simplexml-7.1.15.txz: 100%   22 KiB  23.0kB/s    00:01   
[27/43] Fetching php71-ctype-7.1.15.txz:   0%
[27/43] Fetching php71-ctype-7.1.15.txz: 100%    6 KiB   6.5kB/s    00:01   
[28/43] Fetching php71-posix-7.1.15.txz:   0%
[28/43] Fetching php71-posix-7.1.15.txz: 100%   11 KiB  11.4kB/s    00:01   
[29/43] Fetching php71-hash-7.1.15.txz:   0%
[29/43] Fetching php71-hash-7.1.15.txz: 100%  118 KiB 121.2kB/s    00:01   
[30/43] Fetching php71-filter-7.1.15.txz:   0%
[30/43] Fetching php71-filter-7.1.15.txz:  85%   16 KiB  16.4kB/s    00:00 ETA
[30/43] Fetching php71-filter-7.1.15.txz: 100%   19 KiB  19.2kB/s    00:01   
[31/43] Fetching php71-tokenizer-7.1.15.txz:   0%
[31/43] Fetching php71-tokenizer-7.1.15.txz: 100%    9 KiB   8.8kB/s    00:01   
[32/43] Fetching php71-json-7.1.15.txz:   0%
[32/43] Fetching php71-json-7.1.15.txz: 100%   19 KiB  19.8kB/s    00:01   
[33/43] Fetching php71-sqlite3-7.1.15.txz:   0%
[33/43] Fetching php71-sqlite3-7.1.15.txz: 100%   18 KiB  18.0kB/s    00:01   
[34/43] Fetching php71-pdo_sqlite-7.1.15.txz:   0%
[34/43] Fetching php71-pdo_sqlite-7.1.15.txz: 100%   12 KiB  12.1kB/s    00:01   
[35/43] Fetching php71-pdo-7.1.15.txz:   0%
[35/43] Fetching php71-pdo-7.1.15.txz: 100%   43 KiB  44.5kB/s    00:01   
[36/43] Fetching php71-iconv-7.1.15.txz:   0%
[36/43] Fetching php71-iconv-7.1.15.txz:  90%   16 KiB  16.4kB/s    00:00 ETA
[36/43] Fetching php71-iconv-7.1.15.txz: 100%   18 KiB  18.2kB/s    00:01   
[37/43] Fetching php71-phar-7.1.15.txz:   0%
[37/43] Fetching php71-phar-7.1.15.txz: 100%  102 KiB 104.6kB/s    00:01   
[38/43] Fetching libzip-1.3.2.txz:   0%
[38/43] Fetching libzip-1.3.2.txz:  82%  192 KiB 196.6kB/s    00:00 ETA
[38/43] Fetching libzip-1.3.2.txz: 100%  232 KiB 238.0kB/s    00:01   
[39/43] Fetching openldap-client-2.4.45.txz:   0%
[39/43] Fetching openldap-client-2.4.45.txz:  52%  536 KiB 548.9kB/s    00:00 ETA
[39/43] Fetching openldap-client-2.4.45.txz: 100%    1 MiB   1.1MB/s    00:01   
[40/43] Fetching oniguruma6-6.6.1.txz:   0%
[40/43] Fetching oniguruma6-6.6.1.txz:  97%  232 KiB 237.6kB/s    00:00 ETA
[40/43] Fetching oniguruma6-6.6.1.txz: 100%  237 KiB 242.8kB/s    00:01   
[41/43] Fetching libmcrypt-2.5.8_3.txz:   0%
[41/43] Fetching libmcrypt-2.5.8_3.txz: 100%  115 KiB 118.0kB/s    00:01   
[42/43] Fetching libltdl-2.4.6.txz:   0%
[42/43] Fetching libltdl-2.4.6.txz: 100%   36 KiB  37.0kB/s    00:01   
[43/43] Fetching icu-60.2_1,1.txz:   0%
[43/43] Fetching icu-60.2_1,1.txz:   1%   96 KiB  98.3kB/s    01:38 ETA
[43/43] Fetching icu-60.2_1,1.txz:  13%    1 MiB   1.2MB/s    00:11 ETA
[43/43] Fetching icu-60.2_1,1.txz:  42%    4 MiB   2.9MB/s    00:02 ETA
[43/43] Fetching icu-60.2_1,1.txz:  76%    7 MiB   3.4MB/s    00:01 ETA
[43/43] Fetching icu-60.2_1,1.txz: 100%    9 MiB   2.5MB/s    00:04   
Checking integrity... done (0 conflicting)
[1/43] Installing php71-7.1.15...
[1/43] Extracting php71-7.1.15:   0%
[1/43] Extracting php71-7.1.15: 100%
[2/43] Installing php71-dom-7.1.15...
[2/43] Extracting php71-dom-7.1.15:   0%
[2/43] Extracting php71-dom-7.1.15: 100%
[3/43] Installing php71-hash-7.1.15...
[3/43] Extracting php71-hash-7.1.15:   0%
[3/43] Extracting php71-hash-7.1.15: 100%
[4/43] Installing php71-pdo-7.1.15...
[4/43] Extracting php71-pdo-7.1.15:   0%
[4/43] Extracting php71-pdo-7.1.15: 100%
[5/43] Installing php71-session-7.1.15...
[5/43] Extracting php71-session-7.1.15:   0%
[5/43] Extracting php71-session-7.1.15: 100%
[6/43] Installing php71-opcache-7.1.15...
[6/43] Extracting php71-opcache-7.1.15:   0%
[6/43] Extracting php71-opcache-7.1.15: 100%
[7/43] Installing php71-xmlwriter-7.1.15...
[7/43] Extracting php71-xmlwriter-7.1.15:   0%
[7/43] Extracting php71-xmlwriter-7.1.15: 100%
[8/43] Installing php71-xmlreader-7.1.15...
[8/43] Extracting php71-xmlreader-7.1.15:   0%
[8/43] Extracting php71-xmlreader-7.1.15: 100%
[9/43] Installing php71-xml-7.1.15...
[9/43] Extracting php71-xml-7.1.15:   0%
[9/43] Extracting php71-xml-7.1.15: 100%
[10/43] Installing php71-simplexml-7.1.15...
[10/43] Extracting php71-simplexml-7.1.15:   0%
[10/43] Extracting php71-simplexml-7.1.15: 100%
[11/43] Installing php71-ctype-7.1.15...
[11/43] Extracting php71-ctype-7.1.15:   0%
[11/43] Extracting php71-ctype-7.1.15: 100%
[12/43] Installing php71-posix-7.1.15...
[12/43] Extracting php71-posix-7.1.15:   0%
[12/43] Extracting php71-posix-7.1.15: 100%
[13/43] Installing php71-filter-7.1.15...
[13/43] Extracting php71-filter-7.1.15:   0%
[13/43] Extracting php71-filter-7.1.15: 100%
[14/43] Installing php71-tokenizer-7.1.15...
[14/43] Extracting php71-tokenizer-7.1.15:   0%
[14/43] Extracting php71-tokenizer-7.1.15: 100%
[15/43] Installing php71-json-7.1.15...
[15/43] Extracting php71-json-7.1.15:   0%
[15/43] Extracting php71-json-7.1.15: 100%
[16/43] Installing php71-sqlite3-7.1.15...
[16/43] Extracting php71-sqlite3-7.1.15:   0%
[16/43] Extracting php71-sqlite3-7.1.15: 100%
[17/43] Installing php71-pdo_sqlite-7.1.15...
[17/43] Extracting php71-pdo_sqlite-7.1.15:   0%
[17/43] Extracting php71-pdo_sqlite-7.1.15: 100%
[18/43] Installing php71-iconv-7.1.15...
[18/43] Extracting php71-iconv-7.1.15:   0%
[18/43] Extracting php71-iconv-7.1.15: 100%
[19/43] Installing php71-phar-7.1.15...
[19/43] Extracting php71-phar-7.1.15:   0%
[19/43] Extracting php71-phar-7.1.15: 100%
[20/43] Installing libzip-1.3.2...
[20/43] Extracting libzip-1.3.2:   0%
[20/43] Extracting libzip-1.3.2: 100%
[21/43] Installing openldap-client-2.4.45...
[21/43] Extracting openldap-client-2.4.45:   0%
[21/43] Extracting openldap-client-2.4.45: 100%
[22/43] Installing oniguruma6-6.6.1...
[22/43] Extracting oniguruma6-6.6.1:   0%
[22/43] Extracting oniguruma6-6.6.1: 100%
[23/43] Installing libmcrypt-2.5.8_3...
[23/43] Extracting libmcrypt-2.5.8_3:   0%
[23/43] Extracting libmcrypt-2.5.8_3: 100%
[24/43] Installing libltdl-2.4.6...
[24/43] Extracting libltdl-2.4.6:   0%
[24/43] Extracting libltdl-2.4.6: 100%
[25/43] Installing icu-60.2_1,1...
[25/43] Extracting icu-60.2_1,1:   0%
[25/43] Extracting icu-60.2_1,1: 100%
[26/43] Installing php71-extensions-1.0...
[27/43] Installing mod_php71-7.1.15...
[27/43] Extracting mod_php71-7.1.15:   0%
[27/43] Extracting mod_php71-7.1.15: 100%
[activating module `php7' in /usr/local/etc/apache24/httpd.conf]
[28/43] Installing php71-mysqli-7.1.15...
[28/43] Extracting php71-mysqli-7.1.15:   0%
[28/43] Extracting php71-mysqli-7.1.15: 100%
[29/43] Installing php71-gd-7.1.15...
[29/43] Extracting php71-gd-7.1.15:   0%
[29/43] Extracting php71-gd-7.1.15: 100%
[30/43] Installing php71-curl-7.1.15...
[30/43] Extracting php71-curl-7.1.15:   0%
[30/43] Extracting php71-curl-7.1.15: 100%
[31/43] Installing php71-zlib-7.1.15...
[31/43] Extracting php71-zlib-7.1.15:   0%
[31/43] Extracting php71-zlib-7.1.15: 100%
[32/43] Installing php71-zip-7.1.15...
[32/43] Extracting php71-zip-7.1.15:   0%
[32/43] Extracting php71-zip-7.1.15: 100%
[33/43] Installing php71-pdo_mysql-7.1.15...
[33/43] Extracting php71-pdo_mysql-7.1.15:   0%
[33/43] Extracting php71-pdo_mysql-7.1.15: 100%
[34/43] Installing php71-openssl-7.1.15...
[34/43] Extracting php71-openssl-7.1.15:   0%
[34/43] Extracting php71-openssl-7.1.15: 100%
[35/43] Installing php71-gmp-7.1.15...
[35/43] Extracting php71-gmp-7.1.15:   0%
[35/43] Extracting php71-gmp-7.1.15: 100%
[36/43] Installing php71-ldap-7.1.15...
[36/43] Extracting php71-ldap-7.1.15:   0%
[36/43] Extracting php71-ldap-7.1.15: 100%
[37/43] Installing php71-exif-7.1.15...
[37/43] Extracting php71-exif-7.1.15:   0%
[37/43] Extracting php71-exif-7.1.15: 100%
[38/43] Installing php71-fileinfo-7.1.15...
[38/43] Extracting php71-fileinfo-7.1.15:   0%
[38/43] Extracting php71-fileinfo-7.1.15: 100%
[39/43] Installing php71-mbstring-7.1.15...
[39/43] Extracting php71-mbstring-7.1.15:   0%
[39/43] Extracting php71-mbstring-7.1.15: 100%
[40/43] Installing php71-bcmath-7.1.15...
[40/43] Extracting php71-bcmath-7.1.15:   0%
[40/43] Extracting php71-bcmath-7.1.15: 100%
[41/43] Installing php71-bz2-7.1.15...
[41/43] Extracting php71-bz2-7.1.15:   0%
[41/43] Extracting php71-bz2-7.1.15: 100%
[42/43] Installing php71-mcrypt-7.1.15...
[42/43] Extracting php71-mcrypt-7.1.15:   0%
[42/43] Extracting php71-mcrypt-7.1.15: 100%
[43/43] Installing php71-intl-7.1.15...
Extracting php71-intl-7.1.15:   0%
Extracting php71-intl-7.1.15: 100%
Message from openldap-client-2.4.45:

************************************************************

The OpenLDAP client package has been successfully installed.

Edit
  /usr/local/etc/openldap/ldap.conf
to change the system-wide client defaults.

Try `man ldap.conf' and visit the OpenLDAP FAQ-O-Matic at
  http://www.OpenLDAP.org/faq/index.cgi?file=3
for more information.

************************************************************
Message from libmcrypt-2.5.8_3:

===>   NOTICE:

The libmcrypt port currently does not have a maintainer. As a result, it is
more likely to have unresolved issues, not be up-to-date, or even be removed in
the future. To volunteer to maintain this port, please create an issue at:

https://bugs.freebsd.org/bugzilla

More information about port maintainership is available at:

https://www.freebsd.org/doc/en/articles/contributing/ports-contributing.html#maintain-port
Message from mod_php71-7.1.15:

***************************************************************

Make sure index.php is part of your DirectoryIndex.

You should add the following to your Apache configuration file:

<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch "\.phps$">
    SetHandler application/x-httpd-php-source
</FilesMatch>

*********************************************************************

If you are building PHP-based ports in poudriere(8) with ZTS enabled,
add WITH_MPM=event to /etc/make.conf to prevent build failures.

*********************************************************************
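The mod_php71 message above asks for a PHP handler in httpd.conf, the AH00558 warning earlier asks for a ServerName, and the www.conf edited in the next step puts php-fpm on a unix socket with listen.mode = 0660. The script below is an added example of mine, not part of the original post and not OwnCloud's or FreeBSD's own tooling, that audits those three settings from the configuration files once the PHP steps are done. It assumes the guide's default paths (/usr/local/etc/apache24/httpd.conf and /usr/local/etc/php-fpm.d/www.conf) and the www user; the sample config files it writes are constructed for demonstration, and the hostname in them is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: audit the FAMP settings the
# install messages ask for. Paths in the comments are the guide's FreeBSD
# defaults; the sample files written below are constructed here so the
# script also runs on a box without Apache or PHP installed.

# Print the effective value of a php-fpm pool directive: ';' comment lines
# are skipped and the last uncommented "key = value" wins.
# Usage: fpm_value FILE KEY
fpm_value() {
    awk -v key="$2" '
        /^[ \t]*;/ { next }
        index($0, "=") == 0 { next }
        {
            n = index($0, "=")
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# Pass only when the pool listens on a unix socket owned by the web server
# user/group that is not world-accessible (0660 or tighter).
# Usage: check_fpm_socket FILE USER
check_fpm_socket() {
    listen=$(fpm_value "$1" listen)
    owner=$(fpm_value "$1" listen.owner)
    group=$(fpm_value "$1" listen.group)
    mode=$(fpm_value "$1" listen.mode)
    case "$listen" in
        /*) ;;
        *) echo "FAIL: pool listens on '$listen', expected a unix socket path"; return 1 ;;
    esac
    if [ "$owner" != "$2" ] || [ "$group" != "$2" ]; then
        echo "FAIL: socket owner:group is '$owner:$group', expected '$2:$2'"; return 1
    fi
    case "$mode" in
        0660|0600|660|600) ;;
        *) echo "FAIL: socket mode '$mode' is unset or wider than 0660"; return 1 ;;
    esac
    echo "OK: php-fpm socket $listen is $owner:$group mode $mode"
}

# Pass only when httpd.conf has an uncommented ServerName (silences AH00558)
# and hands .php files to the PHP handler as the mod_php71 message asks.
# A .phps source handler is reported but does not fail the check.
# Usage: check_httpd_php FILE
check_httpd_php() {
    active=$(grep -v '^[[:space:]]*#' "$1" || true)
    rc=0
    printf '%s\n' "$active" | grep -Eq '^[[:space:]]*ServerName[[:space:]]+[^[:space:]]' \
        || { echo "FAIL: no ServerName directive set"; rc=1; }
    printf '%s\n' "$active" | grep -Eq 'SetHandler[[:space:]]+application/x-httpd-php([[:space:]]|$)' \
        || { echo "FAIL: .php files are not handed to application/x-httpd-php"; rc=1; }
    printf '%s\n' "$active" | grep -q 'application/x-httpd-php-source' \
        && echo "NOTE: .phps handler enabled, every .phps file will serve its PHP source"
    [ "$rc" -eq 0 ] && echo "OK: ServerName set and PHP handler active"
    return "$rc"
}

# Constructed samples: the socket settings from the guide's www.conf beside a
# TCP variant, and minimal httpd.conf files with and without the directives.
SAMPLE_DIR=${SAMPLE_DIR:-$(mktemp -d)}
cat > "$SAMPLE_DIR/www-socket.conf" <<'EOF'
[www]
user = www
group = www
; listen = 127.0.0.1:9000
listen = /var/run/php-fpm.sock
listen.owner = www
listen.group = www
listen.mode = 0660
EOF
cat > "$SAMPLE_DIR/www-tcp.conf" <<'EOF'
[www]
user = www
group = www
listen = 127.0.0.1:9000
EOF
cat > "$SAMPLE_DIR/httpd.conf" <<'EOF'
ServerName owncloud.example.com
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch "\.phps$">
    SetHandler application/x-httpd-php-source
</FilesMatch>
EOF
cat > "$SAMPLE_DIR/httpd-unset.conf" <<'EOF'
#ServerName www.example.com:80
EOF

# Audit the samples; on the FreeBSD host set FPM_CONF=/usr/local/etc/php-fpm.d/www.conf
# and HTTPD_CONF=/usr/local/etc/apache24/httpd.conf to audit the live files instead.
check_fpm_socket "${FPM_CONF:-$SAMPLE_DIR/www-socket.conf}" www
check_httpd_php "${HTTPD_CONF:-$SAMPLE_DIR/httpd.conf}"
```

The .phps handler from the mod_php71 message is only reported, not failed: it makes Apache serve the PHP source of any .phps file, which is fine for a site that intends to publish source and unwanted on a private cloud, so leave that FilesMatch block out unless you need it. Note also that with mod_php71 loaded Apache runs PHP in-process and does not talk to the php-fpm socket unless httpd.conf is set up to proxy to it; the socket check still matters whenever php-fpm itself is started.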
 
 Now we need to put the production configuration for PHP in place
$ sudo cp /usr/local/etc/php.ini-production  /usr/local/etc/php.ini
$ sudo nano /usr/local/etc/php-fpm.d/www.conf
; Start a new pool named 'www'.
; the variable $pool can be used in any directive and will be replaced by the
; pool name ('www' here)
[www]

; Per pool prefix
; It only applies on the following directives:
; - 'access.log'
; - 'slowlog'
; - 'listen' (unixsocket)
; - 'chroot'
; - 'chdir'
; - 'php_values'
; - 'php_admin_values'
; When not set, the global prefix (or /usr/local) applies instead.
; Note: This directive can also be relative to the global prefix.
; Default Value: none
;prefix = /path/to/pools/$pool

; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
;       will be used.
user = www
group = www

; The address on which to accept FastCGI requests.
; Valid syntaxes are:
;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific IPv4 address on
;                            a specific port;
;   '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
;                            a specific port;
;   'port'                 - to listen on a TCP socket to all addresses
;                            (IPv6 and IPv4-mapped) on a specific port;
;   '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
; listen = 127.0.0.1:9000
listen = /var/run/php-fpm.sock
listen.owner = www
listen.group = www
listen.mode = 0660

; Set listen(2) backlog.
; Default Value: 511 (-1 on FreeBSD and OpenBSD)
;listen.backlog = 511

; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions.
; Default Values: user and group are set as the running user
;                 mode is set to 0660
;listen.owner = www
;listen.group = www
;listen.mode = 0660
; When POSIX Access Control Lists are supported you can set them using
; these options, value is a comma separated list of user/group names.
; When set, listen.owner and listen.group are ignored
;listen.acl_users =
;listen.acl_groups =

; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
; must be separated by a comma. If this value is left blank, connections will be
; accepted from any ip address.
; Default Value: any
;listen.allowed_clients = 127.0.0.1

; Specify the nice(2) priority to apply to the pool processes (only if set)
; The value can vary from -19 (highest priority) to 20 (lower priority)
; Note: - It will only work if the FPM master process is launched as root
;       - The pool processes will inherit the master process priority
;         unless it specified otherwise
; Default Value: no set
; process.priority = -19

; Choose how the process manager will control the number of child processes.
; Possible Values:
;   static  - a fixed number (pm.max_children) of child processes;
;   dynamic - the number of child processes are set dynamically based on the
;             following directives. With this process management, there will be
;             always at least 1 children.
;             pm.max_children      - the maximum number of children that can
;                                    be alive at the same time.
;             pm.start_servers     - the number of children created on startup.
;             pm.min_spare_servers - the minimum number of children in 'idle'
;                                    state (waiting to process). If the number
;                                    of 'idle' processes is less than this
;                                    number then some children will be created.
;             pm.max_spare_servers - the maximum number of children in 'idle'
;                                    state (waiting to process). If the number
;                                    of 'idle' processes is greater than this
;                                    number then some children will be killed.
;  ondemand - no children are created at startup. Children will be forked when
;             new requests will connect. The following parameter are used:
;             pm.max_children           - the maximum number of children that
;                                         can be alive at the same time.
;             pm.process_idle_timeout   - The number of seconds after which
;                                         an idle process will be killed.
; Note: This value is mandatory.
pm = dynamic

; The number of child processes to be created when pm is set to 'static' and the
; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
; This value sets the limit on the number of simultaneous requests that will be
; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
; CGI. The below defaults are based on a server without much resources. Don't
; forget to tweak pm.* to fit your needs.
; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
; Note: This value is mandatory.
pm.max_children = 5

; The number of child processes created on startup.
; Note: Used only when pm is set to 'dynamic'
; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
pm.start_servers = 2

; The desired minimum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.min_spare_servers = 1

; The desired maximum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.max_spare_servers = 3

; The number of seconds after which an idle process will be killed.
; Note: Used only when pm is set to 'ondemand'
; Default Value: 10s
;pm.process_idle_timeout = 10s;

; The number of requests each child process should execute before respawning.
; This can be useful to work around memory leaks in 3rd party libraries. For
; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
; Default Value: 0
;pm.max_requests = 500

; The URI to view the FPM status page. If this value is not set, no URI will be
; recognized as a status page. It shows the following informations:
;   pool                 - the name of the pool;
;   process manager      - static, dynamic or ondemand;
;   start time           - the date and time FPM has started;
;   start since          - number of seconds since FPM has started;
;   accepted conn        - the number of request accepted by the pool;
;   listen queue         - the number of request in the queue of pending
;                          connections (see backlog in listen(2));
;   max listen queue     - the maximum number of requests in the queue
;                          of pending connections since FPM has started;
;   listen queue len     - the size of the socket queue of pending connections;
;   idle processes       - the number of idle processes;
;   active processes     - the number of active processes;
;   total processes      - the number of idle + active processes;
;   max active processes - the maximum number of active processes since FPM
;                          has started;
;   max children reached - number of times, the process limit has been reached,
;                          when pm tries to start more children (works only for
;                          pm 'dynamic' and 'ondemand');
; Value are updated in real time.
; Example output:
;   pool:                 www
;   process manager:      static
;   start time:           01/Jul/2011:17:53:49 +0200
;   start since:          62636
;   accepted conn:        190460
;   listen queue:         0
;   max listen queue:     1
;   listen queue len:     42
;   idle processes:       4
;   active processes:     11
;   total processes:      15
;   max active processes: 12
;   max children reached: 0
;
; By default the status page output is formatted as text/plain. Passing either
; 'html', 'xml' or 'json' in the query string will return the corresponding
; output syntax. Example:
;   http://www.foo.bar/status
;   http://www.foo.bar/status?json
;   http://www.foo.bar/status?html
;   http://www.foo.bar/status?xml
;
; By default the status page only outputs short status. Passing 'full' in the
; query string will also return status for each pool process.
; Example:
;   http://www.foo.bar/status?full
;   http://www.foo.bar/status?json&full
;   http://www.foo.bar/status?html&full
;   http://www.foo.bar/status?xml&full
; The Full status returns for each process:
;   pid                  - the PID of the process;
;   state                - the state of the process (Idle, Running, ...);
;   start time           - the date and time the process has started;
;   start since          - the number of seconds since the process has started;
;   requests             - the number of requests the process has served;
;   request duration     - the duration in µs of the requests;
;   request method       - the request method (GET, POST, ...);
;   request URI          - the request URI with the query string;
;   content length       - the content length of the request (only with POST);
;   user                 - the user (PHP_AUTH_USER) (or '-' if not set);
;   script               - the main script called (or '-' if not set);
;   last request cpu     - the %cpu the last request consumed
;                          it's always 0 if the process is not in Idle state
;                          because CPU calculation is done when the request
;                          processing has terminated;
;   last request memory  - the max amount of memory the last request consumed
;                          it's always 0 if the process is not in Idle state
;                          because memory calculation is done when the request
;                          processing has terminated;
; If the process is in Idle state, then informations are related to the
; last request the process has served. Otherwise informations are related to
; the current request being served.
; Example output:
;   ************************
;   pid:                  31330
;   state:                Running
;   start time:           01/Jul/2011:17:53:49 +0200
;   start since:          63087
;   requests:             12808
;   request duration:     1250261
;   request method:       GET
;   request URI:          /test_mem.php?N=10000
;   content length:       0
;   user:                 -
;   script:               /home/fat/web/docs/php/test_mem.php
;   last request cpu:     0.00
;   last request memory:  0
;
; Note: There is a real-time FPM status monitoring sample web page available
;       It's available in: /usr/local/share/php/fpm/status.html
;
; Note: The value must start with a leading slash (/). The value can be
;       anything, but it may not be a good idea to use the .php extension or it
;       may conflict with a real PHP file.
; Default Value: not set
;pm.status_path = /status

; The ping URI to call the monitoring page of FPM. If this value is not set, no
; URI will be recognized as a ping page. This could be used to test from outside
; that FPM is alive and responding, or to
; - create a graph of FPM availability (rrd or such);
; - remove a server from a group if it is not responding (load balancing);
; - trigger alerts for the operating team (24/7).
; Note: The value must start with a leading slash (/). The value can be
;       anything, but it may not be a good idea to use the .php extension or it
;       may conflict with a real PHP file.
; Default Value: not set
;ping.path = /ping

; This directive may be used to customize the response of a ping request. The
; response is formatted as text/plain with a 200 response code.
; Default Value: pong
;ping.response = pong

; The access log file
; Default: not set
;access.log = log/$pool.access.log

; The access log format.
; The following syntax is allowed
;  %%: the '%' character
;  %C: %CPU used by the request
;      it can accept the following format:
;      - %{user}C for user CPU only
;      - %{system}C for system CPU only
;      - %{total}C  for user + system CPU (default)
;  %d: time taken to serve the request
;      it can accept the following format:
;      - %{seconds}d (default)
;      - %{miliseconds}d
;      - %{mili}d
;      - %{microseconds}d
;      - %{micro}d
;  %e: an environment variable (same as $_ENV or $_SERVER)
;      it must be associated with embraces to specify the name of the env
;      variable. Some exemples:
;      - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
;      - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
;  %f: script filename
;  %l: content-length of the request (for POST request only)
;  %m: request method
;  %M: peak of memory allocated by PHP
;      it can accept the following format:
;      - %{bytes}M (default)
;      - %{kilobytes}M
;      - %{kilo}M
;      - %{megabytes}M
;      - %{mega}M
;  %n: pool name
;  %o: output header
;      it must be associated with embraces to specify the name of the header:
;      - %{Content-Type}o
;      - %{X-Powered-By}o
;      - %{Transfert-Encoding}o
;      - ....
;  %p: PID of the child that serviced the request
;  %P: PID of the parent of the child that serviced the request
;  %q: the query string
;  %Q: the '?' character if query string exists
;  %r: the request URI (without the query string, see %q and %Q)
;  %R: remote IP address
;  %s: status (response code)
;  %t: server time the request was received
;      it can accept a strftime(3) format:
;      %d/%b/%Y:%H:%M:%S %z (default)
;      The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
;      e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
;  %T: time the log has been written (the request has finished)
;      it can accept a strftime(3) format:
;      %d/%b/%Y:%H:%M:%S %z (default)
;      The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
;      e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
;  %u: remote user
;
; Default: "%R - %u %t \"%m %r\" %s"
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"

; The log file for slow requests
; Default Value: not set
; Note: slowlog is mandatory if request_slowlog_timeout is set
;slowlog = log/$pool.log.slow

; The timeout for serving a single request after which a PHP backtrace will be
; dumped to the 'slowlog' file. A value of '0s' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_slowlog_timeout = 0

; The timeout for serving a single request after which the worker process will
; be killed. This option should be used when the 'max_execution_time' ini option
; does not stop script execution for some reason. A value of '0' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_terminate_timeout = 0

; Set open file descriptor rlimit.
; Default Value: system defined value
;rlimit_files = 1024

; Set max core size rlimit.
; Possible Values: 'unlimited' or an integer greater or equal to 0
; Default Value: system defined value
;rlimit_core = 0

; Chroot to this directory at the start. This value must be defined as an
; absolute path. When this value is not set, chroot is not used.
; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
; of its subdirectories. If the pool prefix is not set, the global prefix
; will be used instead.
; Note: chrooting is a great security feature and should be used whenever
;       possible. However, all PHP paths will be relative to the chroot
;       (error_log, sessions.save_path, ...).
; Default Value: not set
;chroot =

; Chdir to this directory at the start.
; Note: relative path can be used.
; Default Value: current directory or / when chroot
;chdir = /var/www

; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Note: on highloaded environement, this can cause some delay in the page
; process time (several ms).
; Default Value: no
;catch_workers_output = yes

; Clear environment in FPM workers
; Prevents arbitrary environment variables from reaching FPM worker processes
; by clearing the environment in workers before env vars specified in this
; pool configuration are added.
; Setting to "no" will make all environment variables available to PHP code
; via getenv(), $_ENV and $_SERVER.
; Default Value: yes
;clear_env = no

; Limits the extensions of the main script FPM will allow to parse. This can
; prevent configuration mistakes on the web server side. You should only limit
; FPM to .php extensions to prevent malicious users to use other extensions to
; execute php code.
; Note: set an empty value to allow all extensions.
; Default Value: .php
;security.limit_extensions = .php .php3 .php4 .php5 .php7

; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
; the current environment.
; Default Value: clean env
;env[HOSTNAME] = $HOSTNAME
;env[PATH] = /usr/local/bin:/usr/bin:/bin
;env[TMP] = /tmp
;env[TMPDIR] = /tmp
;env[TEMP] = /tmp

; Additional php.ini defines, specific to this pool of workers. These settings
; overwrite the values previously defined in the php.ini. The directives are the
; same as the PHP SAPI:
;   php_value/php_flag             - you can set classic ini defines which can
;                                    be overwritten from PHP call 'ini_set'.
;   php_admin_value/php_admin_flag - these directives won't be overwritten by
;                                     PHP call 'ini_set'
; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.

; Defining 'extension' will load the corresponding shared extension from
; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
; overwrite previously defined php.ini values, but will append the new value
; instead.

; Note: path INI options can be relative and will be expanded with the prefix
; (pool, global or /usr/local)

; Default Value: nothing is defined by default except the values in php.ini and
;                specified at startup with the -d argument
;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
;php_flag[display_errors] = off
;php_admin_value[error_log] = /var/log/fpm-php.www.log
;php_admin_flag[log_errors] = on
;php_admin_value[memory_limit] = 32M
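The status counters described in the www.conf comments above (listen queue, idle processes, max children reached) are the values you would actually poll from monitoring once pm.status_path is enabled. As an added example, not from this post or from php-fpm itself, here is a small POSIX shell script that parses the plain-text form of the status page and raises the alerts an operator normally wants. The first sample is the example output quoted in the comments above; the second is a constructed variant of a saturated pool. Where the status text comes from is assumed: something like fetch -qo - http://127.0.0.1/status, with the status path routed only for local monitoring addresses.

```shell
#!/bin/sh
# Added example, not part of the original post or of php-fpm itself:
# parse the plain-text status page (pm.status_path) and raise the
# alerts an operator would normally wire into monitoring.
# FPM_STATUS_SAMPLE is the example output from the www.conf comments;
# FPM_STATUS_BUSY is a constructed variant of a saturated pool.
# On a live server you would feed the function the output of something
# like `fetch -qo - http://127.0.0.1/status` (assumed URL; route the
# status path only for local monitoring addresses).

FPM_STATUS_SAMPLE='pool:                 www
process manager:      static
start time:           01/Jul/2011:17:53:49 +0200
start since:          62636
accepted conn:        190460
listen queue:         0
max listen queue:     1
listen queue len:     42
idle processes:       4
active processes:     11
total processes:      15
max active processes: 12
max children reached: 0'

# Constructed: the same pool with a backed-up listen queue, the child
# limit hit three times and no idle worker left.
FPM_STATUS_BUSY=$(printf '%s\n' "$FPM_STATUS_SAMPLE" | sed \
    -e 's/^listen queue:.*/listen queue:         7/' \
    -e 's/^idle processes:.*/idle processes:       0/' \
    -e 's/^max children reached:.*/max children reached: 3/')

# fpm_field STATUS KEY: print the value of KEY. Only the leading "key:"
# prefix is stripped, so "start time" keeps the colons inside its value.
fpm_field() {
    printf '%s\n' "$1" | awk -v key="$2" '
        index($0, key ":") == 1 { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# fpm_status_alerts STATUS: print one line per alert; exit status 1 if any fired
fpm_status_alerts() {
    status=$1
    alerts=0
    queue=$(fpm_field "$status" "listen queue")
    reached=$(fpm_field "$status" "max children reached")
    idle=$(fpm_field "$status" "idle processes")
    if [ "${queue:-0}" -gt 0 ]; then
        echo "ALERT: $queue connection(s) waiting in the listen queue"
        alerts=$((alerts + 1))
    fi
    if [ "${reached:-0}" -gt 0 ]; then
        echo "ALERT: pm.max_children was hit $reached time(s) since FPM started"
        alerts=$((alerts + 1))
    fi
    if [ "${idle:-0}" -eq 0 ]; then
        echo "ALERT: no idle worker left in pool $(fpm_field "$status" pool)"
        alerts=$((alerts + 1))
    fi
    [ "$alerts" -eq 0 ]
}

fpm_status_alerts "$FPM_STATUS_SAMPLE" && echo "healthy pool: no alerts"
fpm_status_alerts "$FPM_STATUS_BUSY" || echo "(exit status $?)"
```

Polling the text format keeps the dependencies down to sh and awk. Keep in mind what the page reveals if you enable it: as the comments above describe, the ?full form lists the request URI, script path and PHP_AUTH_USER of the last request served by each worker, so treat pm.status_path as internal monitoring data rather than something exposed on the public virtual host.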

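The access.format directive described above gives you a per-request log with timing, peak memory and CPU fields, which makes the FPM access log a cheap place to spot slow or memory-heavy requests without waiting for the slowlog. As an added example, not from this post or from php-fpm, the script below parses lines written with the commented-out format shown above ("%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%") and reports the requests an operator would want to look at. The log lines are constructed for this example, and the decimal formatting of %{mili}d and %C is assumed from the directive descriptions rather than taken from a real log.

```shell
#!/bin/sh
# Added example, not part of the original post or of php-fpm: scan access
# log lines written with the commented-out access.format from www.conf,
#   "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
# and report requests worth a second look. The log lines are constructed
# (an ownCloud-like workload under the Apache DocumentRoot from this post);
# the decimal formatting of %{mili}d and %C is assumed, not taken from a
# real log, so check one real line before relying on the field layout.

SLOW_MS=2000     # flag requests slower than 2 s
PEAK_KB=65536    # flag requests whose PHP memory peak exceeded 64 MiB

ACCESS_LOG_SAMPLE='192.168.55.40 - - 28/Mar/2018:12:40:01 +0200 "GET /index.php" 200 /usr/local/www/apache24/data/index.php 35.412 4096 1.20%
192.168.55.40 - alice 28/Mar/2018:12:40:03 +0200 "POST /index.php?app=files&dir=/" 200 /usr/local/www/apache24/data/index.php 2450.881 12288 3.50%
192.168.55.42 - bob 28/Mar/2018:12:40:09 +0200 "GET /remote.php/webdav/backup.tar" 200 /usr/local/www/apache24/data/remote.php 610.020 98304 2.10%
192.168.55.43 - - 28/Mar/2018:12:40:12 +0200 "GET /index.php/apps/files/" 500 /usr/local/www/apache24/data/index.php 5.100 1024 0.10%
192.168.55.44 - - 28/Mar/2018:12:40:15 +0200 "GET /index.php/login" 200 /usr/local/www/apache24/data/index.php 80.250 6144 0.90%'

# flag_requests LOG_TEXT: one line per flagged request,
# "<ip> <status> <method> <uri>: <reasons>"
flag_requests() {
    printf '%s\n' "$1" | awk -v slow="$SLOW_MS" -v peak="$PEAK_KB" '
        NF < 12 { next }          # not in the expected format, skip it
        {
            # field layout for this format: 1 ip, 3 user, 4-5 timestamp,
            # 6-7 quoted "method uri", 8 status, 9 script, 10 ms, 11 KB, 12 cpu
            method = $6; sub(/^"/, "", method)
            uri = $7;    sub(/"$/, "", uri)
            why = ""
            if ($10 + 0 > slow) why = why "slow=" $10 "ms "
            if ($11 + 0 > peak) why = why "peak=" $11 "KB "
            if ($8 + 0 >= 500)  why = why "status=" $8 " "
            if (why != "") printf "%s %s %s %s: %s\n", $1, $8, method, uri, why
        }'
}

# flag_count LOG_TEXT: number of flagged requests (useful as a check threshold)
flag_count() {
    flag_requests "$1" | wc -l | tr -d ' '
}

flag_requests "$ACCESS_LOG_SAMPLE"
echo "$(flag_count "$ACCESS_LOG_SAMPLE") request(s) flagged"
```

Tune SLOW_MS and PEAK_KB to the pool's memory_limit and to what the clients normally do (large WebDAV transfers will legitimately be slow); once a particular script shows up repeatedly, request_slowlog_timeout and the slowlog directive above give you the PHP backtrace for it.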

 Set PHP-FPM to start at boot
$ sudo sysrc php_fpm_enable=YES
php_fpm_enable:  -> YES

 Start PHP-FPM
$ sudo service php-fpm start
Performing sanity check on php-fpm configuration:
[28-Mar-2018 12:37:47] NOTICE: configuration file /usr/local/etc/php-fpm.conf test is successful

Starting php_fpm.

 Set the PHP configuration for the Apache web server
$ sudo nano /usr/local/etc/apache24/Includes/php.conf
<IfModule dir_module>
    DirectoryIndex index.php index.html
    <FilesMatch "\.php$">
        SetHandler application/x-httpd-php
    </FilesMatch>
    <FilesMatch "\.phps$">
        SetHandler application/x-httpd-php-source
    </FilesMatch>
</IfModule>


 Now we need to enable the PHP module in the Apache web server
$ sudo nano /usr/local/etc/apache24/httpd.conf
#
# This is the main Apache HTTP server configuration file.  It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
# In particular, see
# <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do.  They're here only as hints or reminders.  If you are unsure
# consult the online docs. You have been warned. 
#
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path.  If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "logs/access_log"
# with ServerRoot set to "/usr/local/apache2" will be interpreted by the
# server as "/usr/local/apache2/logs/access_log", whereas "/logs/access_log"
# will be interpreted as '/logs/access_log'.

#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# Do not add a slash at the end of the directory path.  If you point
# ServerRoot at a non-local disk, be sure to specify a local disk on the
# Mutex directive, if file-based mutexes are used.  If you wish to share the
# same ServerRoot for multiple httpd daemons, you will need to change at
# least PidFile.
#
ServerRoot "/usr/local"

#
# Mutex: Allows you to set the mutex mechanism and mutex file directory
# for individual mutexes, or change the global defaults
#
# Uncomment and change the directory if mutexes are file-based and the default
# mutex file directory is not on a local disk or is not appropriate for some
# other reason.
#
# Mutex default:/var/run

#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#
#Listen 12.34.56.78:80
Listen 80

#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#
#LoadModule mpm_event_module libexec/apache24/mod_mpm_event.so
LoadModule mpm_prefork_module libexec/apache24/mod_mpm_prefork.so
#LoadModule mpm_worker_module libexec/apache24/mod_mpm_worker.so
LoadModule authn_file_module libexec/apache24/mod_authn_file.so
#LoadModule authn_dbm_module libexec/apache24/mod_authn_dbm.so
#LoadModule authn_anon_module libexec/apache24/mod_authn_anon.so
#LoadModule authn_dbd_module libexec/apache24/mod_authn_dbd.so
#LoadModule authn_socache_module libexec/apache24/mod_authn_socache.so
LoadModule authn_core_module libexec/apache24/mod_authn_core.so
LoadModule authz_host_module libexec/apache24/mod_authz_host.so
LoadModule authz_groupfile_module libexec/apache24/mod_authz_groupfile.so
LoadModule authz_user_module libexec/apache24/mod_authz_user.so
#LoadModule authz_dbm_module libexec/apache24/mod_authz_dbm.so
#LoadModule authz_owner_module libexec/apache24/mod_authz_owner.so
#LoadModule authz_dbd_module libexec/apache24/mod_authz_dbd.so
LoadModule authz_core_module libexec/apache24/mod_authz_core.so
#LoadModule authnz_fcgi_module libexec/apache24/mod_authnz_fcgi.so
LoadModule access_compat_module libexec/apache24/mod_access_compat.so
LoadModule auth_basic_module libexec/apache24/mod_auth_basic.so
#LoadModule auth_form_module libexec/apache24/mod_auth_form.so
#LoadModule auth_digest_module libexec/apache24/mod_auth_digest.so
#LoadModule allowmethods_module libexec/apache24/mod_allowmethods.so
#LoadModule file_cache_module libexec/apache24/mod_file_cache.so
#LoadModule cache_module libexec/apache24/mod_cache.so
#LoadModule cache_disk_module libexec/apache24/mod_cache_disk.so
#LoadModule cache_socache_module libexec/apache24/mod_cache_socache.so
#LoadModule socache_shmcb_module libexec/apache24/mod_socache_shmcb.so
#LoadModule socache_dbm_module libexec/apache24/mod_socache_dbm.so
#LoadModule socache_memcache_module libexec/apache24/mod_socache_memcache.so
#LoadModule watchdog_module libexec/apache24/mod_watchdog.so
#LoadModule macro_module libexec/apache24/mod_macro.so
#LoadModule dbd_module libexec/apache24/mod_dbd.so
#LoadModule dumpio_module libexec/apache24/mod_dumpio.so
#LoadModule buffer_module libexec/apache24/mod_buffer.so
#LoadModule data_module libexec/apache24/mod_data.so
#LoadModule ratelimit_module libexec/apache24/mod_ratelimit.so
LoadModule reqtimeout_module libexec/apache24/mod_reqtimeout.so
#LoadModule ext_filter_module libexec/apache24/mod_ext_filter.so
#LoadModule request_module libexec/apache24/mod_request.so
#LoadModule include_module libexec/apache24/mod_include.so
LoadModule filter_module libexec/apache24/mod_filter.so
#LoadModule reflector_module libexec/apache24/mod_reflector.so
#LoadModule substitute_module libexec/apache24/mod_substitute.so
#LoadModule sed_module libexec/apache24/mod_sed.so
#LoadModule charset_lite_module libexec/apache24/mod_charset_lite.so
#LoadModule deflate_module libexec/apache24/mod_deflate.so
#LoadModule xml2enc_module libexec/apache24/mod_xml2enc.so
#LoadModule proxy_html_module libexec/apache24/mod_proxy_html.so
LoadModule mime_module libexec/apache24/mod_mime.so
LoadModule log_config_module libexec/apache24/mod_log_config.so
#LoadModule log_debug_module libexec/apache24/mod_log_debug.so
#LoadModule log_forensic_module libexec/apache24/mod_log_forensic.so
#LoadModule logio_module libexec/apache24/mod_logio.so
LoadModule env_module libexec/apache24/mod_env.so
#LoadModule mime_magic_module libexec/apache24/mod_mime_magic.so
#LoadModule cern_meta_module libexec/apache24/mod_cern_meta.so
#LoadModule expires_module libexec/apache24/mod_expires.so
LoadModule headers_module libexec/apache24/mod_headers.so
#LoadModule usertrack_module libexec/apache24/mod_usertrack.so
#LoadModule unique_id_module libexec/apache24/mod_unique_id.so
LoadModule setenvif_module libexec/apache24/mod_setenvif.so
LoadModule version_module libexec/apache24/mod_version.so
#LoadModule remoteip_module libexec/apache24/mod_remoteip.so
#LoadModule proxy_module libexec/apache24/mod_proxy.so
#LoadModule proxy_connect_module libexec/apache24/mod_proxy_connect.so
#LoadModule proxy_ftp_module libexec/apache24/mod_proxy_ftp.so
#LoadModule proxy_http_module libexec/apache24/mod_proxy_http.so
#LoadModule proxy_fcgi_module libexec/apache24/mod_proxy_fcgi.so
#LoadModule proxy_scgi_module libexec/apache24/mod_proxy_scgi.so
#LoadModule proxy_fdpass_module libexec/apache24/mod_proxy_fdpass.so
#LoadModule proxy_wstunnel_module libexec/apache24/mod_proxy_wstunnel.so
#LoadModule proxy_ajp_module libexec/apache24/mod_proxy_ajp.so
#LoadModule proxy_balancer_module libexec/apache24/mod_proxy_balancer.so
#LoadModule proxy_express_module libexec/apache24/mod_proxy_express.so
#LoadModule proxy_hcheck_module libexec/apache24/mod_proxy_hcheck.so
#LoadModule session_module libexec/apache24/mod_session.so
#LoadModule session_cookie_module libexec/apache24/mod_session_cookie.so
#LoadModule session_crypto_module libexec/apache24/mod_session_crypto.so
#LoadModule session_dbd_module libexec/apache24/mod_session_dbd.so
#LoadModule slotmem_shm_module libexec/apache24/mod_slotmem_shm.so
#LoadModule slotmem_plain_module libexec/apache24/mod_slotmem_plain.so
LoadModule ssl_module libexec/apache24/mod_ssl.so
#LoadModule dialup_module libexec/apache24/mod_dialup.so
#LoadModule http2_module libexec/apache24/mod_http2.so
#LoadModule proxy_http2_module libexec/apache24/mod_proxy_http2.so
#LoadModule lbmethod_byrequests_module libexec/apache24/mod_lbmethod_byrequests.so
#LoadModule lbmethod_bytraffic_module libexec/apache24/mod_lbmethod_bytraffic.so
#LoadModule lbmethod_bybusyness_module libexec/apache24/mod_lbmethod_bybusyness.so
#LoadModule lbmethod_heartbeat_module libexec/apache24/mod_lbmethod_heartbeat.so
LoadModule unixd_module libexec/apache24/mod_unixd.so
#LoadModule heartbeat_module libexec/apache24/mod_heartbeat.so
#LoadModule heartmonitor_module libexec/apache24/mod_heartmonitor.so
#LoadModule dav_module libexec/apache24/mod_dav.so
LoadModule status_module libexec/apache24/mod_status.so
LoadModule autoindex_module libexec/apache24/mod_autoindex.so
#LoadModule asis_module libexec/apache24/mod_asis.so
#LoadModule info_module libexec/apache24/mod_info.so
<IfModule !mpm_prefork_module>
#LoadModule cgid_module libexec/apache24/mod_cgid.so
</IfModule>
<IfModule mpm_prefork_module>
#LoadModule cgi_module libexec/apache24/mod_cgi.so
</IfModule>
#LoadModule dav_fs_module libexec/apache24/mod_dav_fs.so
#LoadModule dav_lock_module libexec/apache24/mod_dav_lock.so
#LoadModule vhost_alias_module libexec/apache24/mod_vhost_alias.so
#LoadModule negotiation_module libexec/apache24/mod_negotiation.so
LoadModule dir_module libexec/apache24/mod_dir.so
#LoadModule imagemap_module libexec/apache24/mod_imagemap.so
#LoadModule actions_module libexec/apache24/mod_actions.so
#LoadModule speling_module libexec/apache24/mod_speling.so
#LoadModule userdir_module libexec/apache24/mod_userdir.so
LoadModule alias_module libexec/apache24/mod_alias.so
#LoadModule rewrite_module libexec/apache24/mod_rewrite.so
LoadModule php7_module        libexec/apache24/libphp7.so

<IfModule php7_module>
        AddType application/x-httpd-php .php
</IfModule>

# Third party modules
IncludeOptional etc/apache24/modules.d/[0-9][0-9][0-9]_*.conf
 
<IfModule unixd_module>
#
# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch. 
#
# User/Group: The name (or #number) of the user/group to run httpd as.
# It is usually good practice to create a dedicated user and group for
# running httpd, as with most system services.
#
User www
Group www

</IfModule>

# 'Main' server configuration
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition.  These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
#

#
# ServerAdmin: Your address, where problems with the server should be
# e-mailed.  This address appears on some server-generated pages, such
# as error documents.  e.g. admin@your-domain.com
#
ServerAdmin you@example.com

#
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
#ServerName www.example.com:80

#
# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other
# <Directory> blocks below.
#
<Directory />
    AllowOverride none
    Require all denied
</Directory>

#
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
#

#
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
#
DocumentRoot "/usr/local/www/apache24/data"
<Directory "/usr/local/www/apache24/data">
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs/2.4/mod/core.html#options
    # for more information.
    #
    Options Indexes FollowSymLinks

    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   AllowOverride FileInfo AuthConfig Limit
    #
    AllowOverride None

    #
    # Controls who can get stuff from this server.
    #
    Require all granted
</Directory>

#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
<IfModule dir_module>
    DirectoryIndex index.php index.html
</IfModule>

#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ".ht*">
    Require all denied
</Files>

#
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here.  If you *do* define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
#
ErrorLog "/var/log/httpd-error.log"

#
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
#
LogLevel warn

<IfModule log_config_module>
    #
    # The following directives define some format nicknames for use with
    # a CustomLog directive (see below).
    #
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common

    <IfModule logio_module>
      # You need to enable mod_logio.c to use %I and %O
      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>

    #
    # The location and format of the access logfile (Common Logfile Format).
    # If you do not define any access logfiles within a <VirtualHost>
    # container, they will be logged here.  Contrariwise, if you *do*
    # define per-<VirtualHost> access logfiles, transactions will be
    # logged therein and *not* in this file.
    #
    CustomLog "/var/log/httpd-access.log" common

    #
    # If you prefer a logfile with access, agent, and referer information
    # (Combined Logfile Format) you can use the following directive.
    #
    #CustomLog "/var/log/httpd-access.log" combined
</IfModule>

<IfModule alias_module>
    #
    # Redirect: Allows you to tell clients about documents that used to
    # exist in your server's namespace, but do not anymore. The client
    # will make a new request for the document at its new location.
    # Example:
    # Redirect permanent /foo http://www.example.com/bar

    #
    # Alias: Maps web paths into filesystem paths and is used to
    # access content that does not live under the DocumentRoot.
    # Example:
    # Alias /webpath /full/filesystem/path
    #
    # If you include a trailing / on /webpath then the server will
    # require it to be present in the URL.  You will also likely
    # need to provide a <Directory> section to allow access to
    # the filesystem path.

    #
    # ScriptAlias: This controls which directories contain server scripts.
    # ScriptAliases are essentially the same as Aliases, except that
    # documents in the target directory are treated as applications and
    # run by the server when requested rather than as documents sent to the
    # client.  The same rules about trailing "/" apply to ScriptAlias
    # directives as to Alias.
    #
    ScriptAlias /cgi-bin/ "/usr/local/www/apache24/cgi-bin/"

</IfModule>

<IfModule cgid_module>
    #
    # ScriptSock: On threaded servers, designate the path to the UNIX
    # socket used to communicate with the CGI daemon of mod_cgid.
    #
    #Scriptsock cgisock
</IfModule>

#
# "/usr/local/www/apache24/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
#
<Directory "/usr/local/www/apache24/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>

<IfModule headers_module>
    #
    # Avoid passing HTTP_PROXY environment to CGI's on this or any proxied
    # backend servers which have lingering "httpoxy" defects.
    # 'Proxy' request header is undefined by the IETF, not listed by IANA
    #
    RequestHeader unset Proxy early
</IfModule>

<IfModule mime_module>
    #
    # TypesConfig points to the file containing the list of mappings from
    # filename extension to MIME-type.
    #
    TypesConfig etc/apache24/mime.types

    #
    # AddType allows you to add to or override the MIME configuration
    # file specified in TypesConfig for specific file types.
    #
    #AddType application/x-gzip .tgz
    #
    # AddEncoding allows you to have certain browsers uncompress
    # information on the fly. Note: Not all browsers support this.
    #
    #AddEncoding x-compress .Z
    #AddEncoding x-gzip .gz .tgz
    #
    # If the AddEncoding directives above are commented-out, then you
    # probably should define those extensions to indicate media types:
    #
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz

    #
    # AddHandler allows you to map certain file extensions to "handlers":
    # actions unrelated to filetype. These can be either built into the server
    # or added with the Action directive (see below)
    #
    # To use CGI scripts outside of ScriptAliased directories:
    # (You will also need to add "ExecCGI" to the "Options" directive.)
    #
    #AddHandler cgi-script .cgi

    # For type maps (negotiated resources):
    #AddHandler type-map var

    #
    # Filters allow you to process content before it is sent to the client.
    #
    # To parse .shtml files for server-side includes (SSI):
    # (You will also need to add "Includes" to the "Options" directive.)
    #
    #AddType text/html .shtml
    #AddOutputFilter INCLUDES .shtml
</IfModule>

#
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type.  The MIMEMagicFile
# directive tells the module where the hint definitions are located.
#
#MIMEMagicFile etc/apache24/magic

#
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
#
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#

#
# MaxRanges: Maximum number of Ranges in a request before
# returning the entire resource, or one of the special
# values 'default', 'none' or 'unlimited'.
# Default setting is to accept 200 Ranges.
#MaxRanges unlimited

#
# EnableMMAP and EnableSendfile: On systems that support it,
# memory-mapping or the sendfile syscall may be used to deliver
# files.  This usually improves server performance, but must
# be turned off when serving from networked-mounted
# filesystems or if support for these functions is otherwise
# broken on your system.
# Defaults: EnableMMAP On, EnableSendfile Off
#
#EnableMMAP off
#EnableSendfile on

# Supplemental configuration
#
# The configuration files in the etc/apache24/extra/ directory can be
# included to add extra features or to modify the default configuration of
# the server, or you may simply copy their contents here and change as
# necessary.

# Server-pool management (MPM specific)
#Include etc/apache24/extra/httpd-mpm.conf

# Multi-language error messages
#Include etc/apache24/extra/httpd-multilang-errordoc.conf

# Fancy directory listings
#Include etc/apache24/extra/httpd-autoindex.conf

# Language settings
#Include etc/apache24/extra/httpd-languages.conf

# User home directories
#Include etc/apache24/extra/httpd-userdir.conf

# Real-time info on requests and configuration
#Include etc/apache24/extra/httpd-info.conf

# Virtual hosts
#Include etc/apache24/extra/httpd-vhosts.conf

# Local access to the Apache HTTP Server Manual
#Include etc/apache24/extra/httpd-manual.conf

# Distributed authoring and versioning (WebDAV)
#Include etc/apache24/extra/httpd-dav.conf

# Various default settings
#Include etc/apache24/extra/httpd-default.conf

# Configure mod_proxy_html to understand HTML4/XHTML1
<IfModule proxy_html_module>
Include etc/apache24/extra/proxy-html.conf
</IfModule>

# Secure (SSL/TLS) connections
#Include etc/apache24/extra/httpd-ssl.conf
#
# Note: The following must must be present to support
#       starting without SSL on platforms with no /dev/random equivalent
#       but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>

Include etc/apache24/Includes/*.conf



 Now we need to create a PHP info / diagnostics page to check that everything is working correctly
$ sudo nano /usr/local/www/apache24/data/phpinfo.php
<?php phpinfo();  ?>


 Now we need to restart the Apache web server, since we have made a lot of configuration changes that need to be reloaded
$ sudo service apache24 restart
Performing sanity check on apache24 configuration:
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.55.30. Set the 'ServerName' directive globally to suppress this message
Syntax OK
Stopping apache24.
Waiting for PIDS: 5585.
Performing sanity check on apache24 configuration:
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.55.30. Set the 'ServerName' directive globally to suppress this message
Syntax OK
Starting apache24.
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.55.30. Set the 'ServerName' directive globally to suppress this message
 
Test the web server: open a web browser and check both IP and DNS access: http://192.168.55.30/phpinfo.php and http://server.it-monkey.lan/phpinfo.php
Now that you have checked that everything is working correctly with Apache and PHP, it is time to install and configure the database server, MySQL 5.7.

 $ sudo pkg install mysql57-server
Updating FreeBSD repository catalogue...
FreeBSD repository is up to date.
All repositories are up to date.
The following 6 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
mysql57-server: 5.7.21
cyrus-sasl: 2.1.26_12
protobuf: 3.5.1
libevent: 2.1.8_1
mysql57-client: 5.7.21
liblz4: 1.8.0,1

Number of packages to be installed: 6

The process will require 211 MiB more space.
19 MiB to be downloaded.

Proceed with this action? [y/N]: y
[1/6] Fetching mysql57-server-5.7.21.txz:   0%
[1/6] Fetching mysql57-server-5.7.21.txz:   7%    1 MiB   1.1MB/s    00:12 ETA
[1/6] Fetching mysql57-server-5.7.21.txz:  29%    4 MiB   3.1MB/s    00:04 ETA
[1/6] Fetching mysql57-server-5.7.21.txz:  53%    7 MiB   3.4MB/s    00:02 ETA
[1/6] Fetching mysql57-server-5.7.21.txz:  77%   11 MiB   3.5MB/s    00:01 ETA
[1/6] Fetching mysql57-server-5.7.21.txz: 100%   14 MiB   3.6MB/s    00:04   
[2/6] Fetching cyrus-sasl-2.1.26_12.txz:   0%
[2/6] Fetching cyrus-sasl-2.1.26_12.txz: 100%  474 KiB 485.2kB/s    00:01   
[3/6] Fetching protobuf-3.5.1.txz:   0%
[3/6] Fetching protobuf-3.5.1.txz:  31%  752 KiB 770.1kB/s    00:02 ETA
[3/6] Fetching protobuf-3.5.1.txz: 100%    2 MiB   2.5MB/s    00:01   
[4/6] Fetching libevent-2.1.8_1.txz:   0%
[4/6] Fetching libevent-2.1.8_1.txz:  10%   32 KiB  32.8kB/s    00:08 ETA
[4/6] Fetching libevent-2.1.8_1.txz: 100%  305 KiB 311.9kB/s    00:01   
[5/6] Fetching mysql57-client-5.7.21.txz:   0%
[5/6] Fetching mysql57-client-5.7.21.txz:  10%  192 KiB 196.6kB/s    00:08 ETA
[5/6] Fetching mysql57-client-5.7.21.txz:  96%    2 MiB   1.7MB/s    00:00 ETA
[5/6] Fetching mysql57-client-5.7.21.txz: 100%    2 MiB 963.5kB/s    00:02   
[6/6] Fetching liblz4-1.8.0,1.txz:   0%
[6/6] Fetching liblz4-1.8.0,1.txz: 100%   98 KiB 100.8kB/s    00:01   
Checking integrity... done (0 conflicting)
[1/6] Installing cyrus-sasl-2.1.26_12...
*** Added group `cyrus' (id 60)
*** Added user `cyrus' (id 60)
[1/6] Extracting cyrus-sasl-2.1.26_12:   0%
[1/6] Extracting cyrus-sasl-2.1.26_12: 100%
[2/6] Installing protobuf-3.5.1...
[2/6] Extracting protobuf-3.5.1:   0%
[2/6] Extracting protobuf-3.5.1: 100%
[3/6] Installing libevent-2.1.8_1...
[3/6] Extracting libevent-2.1.8_1:   0%
[3/6] Extracting libevent-2.1.8_1: 100%
[4/6] Installing liblz4-1.8.0,1...
[4/6] Extracting liblz4-1.8.0,1:   0%
[4/6] Extracting liblz4-1.8.0,1: 100%
[5/6] Installing mysql57-client-5.7.21...
[5/6] Extracting mysql57-client-5.7.21:   0%
[5/6] Extracting mysql57-client-5.7.21: 100%
[6/6] Installing mysql57-server-5.7.21...
===> Creating groups.
Creating group 'mysql' with gid '88'.
===> Creating users
Creating user 'mysql' with uid '88'.
Extracting mysql57-server-5.7.21:   0%
Extracting mysql57-server-5.7.21: 100%
Message from cyrus-sasl-2.1.26_12:

You can use sasldb2 for authentication, to add users use:

saslpasswd2 -c username

If you want to enable SMTP AUTH with the system Sendmail, read
Sendmail.README

NOTE: This port has been compiled with a default pwcheck_method of
      auxprop.  If you want to authenticate your user by /etc/passwd,
      PAM or LDAP, install ports/security/cyrus-sasl2-saslauthd and
      set sasl_pwcheck_method to saslauthd after installing the
      Cyrus-IMAPd 2.X port.  You should also check the
      /usr/local/lib/sasl2/*.conf files for the correct
      pwcheck_method.
      If you want to use GSSAPI mechanism, install
      ports/security/cyrus-sasl2-gssapi.
      If you want to use SRP mechanism, install
      ports/security/cyrus-sasl2-srp.
      If you want to use LDAP auxprop plugin, install
      ports/security/cyrus-sasl2-ldapdb.
Message from mysql57-client-5.7.21:

* * * * * * * * * * * * * * * * * * * * * * * *

This is the mysql CLIENT without the server.
for complete server and client, please install databases/mysql57-server

* * * * * * * * * * * * * * * * * * * * * * * *
Message from mysql57-server-5.7.21:

*****************************************************************************

Remember to run mysql_upgrade the first time you start the MySQL server
after an upgrade from an earlier version.

Initial password for first time use of MySQL is saved in $HOME/.mysql_secret
ie. when you want to use "mysql -u root -p" first you should see password
in /root/.mysql_secret

MySQL57 has a default %%ETCDIR%%/my.cnf,
remember to replace it wit your own
or set `mysql_optfile="$YOUR_CNF_FILE` in rc.conf.

*****************************************************************************
Set MySQL to start automatically at boot

 $ sudo sysrc mysql_enable=YES
mysql_enable:  -> YES

Start the MySQL server

 $ sudo service mysql-server start
Starting mysql.

Secure the MySQL server
$ sudo mysql_secure_installation
mysql_secure_installation: [ERROR] unknown variable 'prompt=\u@\h [\d]>\_'

Securing the MySQL server deployment.

Connecting to MySQL server using password in '/root/.mysql_secret'

VALIDATE PASSWORD PLUGIN can be used to test passwords
and improve security. It checks the strength of password
and allows the users to set only those passwords which are
secure enough. Would you like to setup VALIDATE PASSWORD plugin?

Press y|Y for Yes, any other key for No: y

There are three levels of password validation policy:

LOW    Length >= 8
MEDIUM Length >= 8, numeric, mixed case, and special characters
STRONG Length >= 8, numeric, mixed case, special characters and dictionary file

Please enter 0 = LOW, 1 = MEDIUM and 2 = STRONG: 1
Using existing password for root.

Estimated strength of the password: 100
Change the password for root ? ((Press y|Y for Yes, any other key for No) : y

New password: MySexyPassword123.

Re-enter new password: MySexyPassword123.

Estimated strength of the password: 100
Do you wish to continue with the password provided?(Press y|Y for Yes, any other key for No) : y
By default, a MySQL installation has an anonymous user,
allowing anyone to log into MySQL without having to have
a user account created for them. This is intended only for
testing, and to make the installation go a bit smoother.
You should remove them before moving into a production
environment.

Remove anonymous users? (Press y|Y for Yes, any other key for No) : y
Success.


Normally, root should only be allowed to connect from
'localhost'. This ensures that someone cannot guess at
the root password from the network.

Disallow root login remotely? (Press y|Y for Yes, any other key for No) : y
Success.

By default, MySQL comes with a database named 'test' that
anyone can access. This is also intended only for testing,
and should be removed before moving into a production
environment.


Remove test database and access to it? (Press y|Y for Yes, any other key for No) : y
 - Dropping test database...
Success.

 - Removing privileges on test database...
Success.

Reloading the privilege tables will ensure that all changes
made so far will take effect immediately.

Reload privilege tables now? (Press y|Y for Yes, any other key for No) : y
Success.

All done!

Log in to MySQL to create the database and the user account that OwnCloud requires

 $ sudo mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 5
Server version: 5.7.21-log

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

root@localhost [(none)]> ALTER USER 'root'@'localhost' IDENTIFIED BY 'MySexyPassword123.';
Query OK, 0 rows affected (0.01 sec)

root@localhost [(none)]> CREATE DATABASE ownclouddb;
Query OK, 1 row affected (0.01 sec)

root@localhost [(none)]> CREATE USER ocadmin@localhost IDENTIFIED BY 'MySexyPassword123.';
Query OK, 0 rows affected (0.00 sec)

root@localhost [(none)]> GRANT ALL PRIVILEGES ON ownclouddb.* TO 'ocadmin'@'localhost';
Query OK, 0 rows affected (0.00 sec)

root@localhost [(none)]> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.01 sec)

root@localhost [(none)]> EXIT;
Bye

Now we have done the minimum FAMP configuration for OwnCloud to run on FreeBSD; we are just missing a few environment configurations before installing the OwnCloud package. We start by creating the SSL certificates so we can use an HTTPS connection to access the server.
$ sudo mkdir -p /usr/local/etc/ssl/self-cert/owncloud/
$ cd /usr/local/etc/ssl/self-cert/owncloud/
$ sudo openssl req -config /etc/ssl/openssl.cnf -new -out /usr/local/etc/ssl/self-cert/owncloud/owncloud.csr -keyout /usr/local/etc/ssl/self-cert/owncloud/owncloud.pem
Generating a 2048 bit RSA private key
.+++
...+++
writing new private key to '/usr/local/etc/ssl/self-cert/owncloud/owncloud.pem'
Enter PEM pass phrase: MySexyPassword123.
Verifying - Enter PEM pass phrase: MySexyPassword123.
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:NO
State or Province Name (full name) [Some-State]:Buskerud
Locality Name (eg, city) []:Drammen
Organization Name (eg, company) [Internet Widgits Pty Ltd]:IT-Monkey
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:server.it-monkey.lan
Email Address []:admin@it-monkey.lan

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:MySexyPassword123.
An optional company name []:IT-Monkey

$ sudo openssl rsa -in /usr/local/etc/ssl/self-cert/owncloud/owncloud.pem -out /usr/local/etc/ssl/self-cert/owncloud/owncloud.key
Enter pass phrase for /usr/local/etc/ssl/self-cert/owncloud/owncloud.pem:
writing RSA key

$ sudo openssl x509 -in /usr/local/etc/ssl/self-cert/owncloud/owncloud.csr -out /usr/local/etc/ssl/self-cert/owncloud/owncloud.crt -req -signkey /usr/local/etc/ssl/self-cert/owncloud/owncloud.key -days 1095
Signature ok
subject=/C=NO/ST=Buskerud/L=Drammen/O=IT-Monkey/OU=IT/CN=server.it-monkey.lan/emailAddress=admin@it-monkey.lan
Getting Private key

$ sudo chmod 600 *
$ cd /tmp
 
Now we need to download the OwnCloud software to the server. The current way to do that is to use wget or curl and point it at the URL of the OwnCloud tar archive; these URLs change often, so check OwnCloud's website for the current version.

$ wget https://download.owncloud.org/community/owncloud-10.0.7.tar.bz2
$ wget https://download.owncloud.org/community/owncloud-10.0.7.tar.bz2.sha256
$ wget https://download.owncloud.org/community/owncloud-10.0.7.tar.bz2.asc
$ wget https://owncloud.org/owncloud.asc

$ sudo gpg --import owncloud.asc
$ sudo sha256 -c "$(cut -d ' ' -f 1 owncloud-10.0.7.tar.bz2.sha256)" owncloud-10.0.7.tar.bz2
$ sudo gpg --verify owncloud-10.0.7.tar.bz2.asc owncloud-10.0.7.tar.bz2
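Two things are easy to get wrong here: FreeBSD's sha256(1) takes the expected digest as a string after -c (not the .sha256 file name), and the detached GPG signature to verify against the tarball is the .asc file, not the .sha256 file. The script below is an added example, not part of the original post: a portable checksum check that reads the published .sha256 file, refuses a checksum file that belongs to a different release, and works with both FreeBSD's sha256 and GNU sha256sum. The "download" and checksum files at the bottom are constructed stand-ins so it runs offline.

```sh
#!/bin/sh
# Added example (not part of the original post): check a downloaded release
# archive against its published .sha256 file before unpacking it. Works with
# FreeBSD's sha256(1) and with GNU coreutils' sha256sum, so the same function
# runs on the FreeBSD host from the guide and on a Linux box. All sample data
# at the bottom is constructed for the demonstration.

# digest_of FILE
#   Print the hex SHA-256 digest of FILE with whichever tool the platform has.
digest_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        echo "no SHA-256 tool found" >&2
        return 2
    fi
}

# verify_sha256 ARCHIVE SUMFILE
#   Return 0 when SUMFILE names ARCHIVE and the digests match, 1 otherwise.
#   Release .sha256 files have the form "<64 hex chars>  <file name>"; the
#   file name may carry a leading '*' (binary-mode marker), which is ignored.
verify_sha256() {
    archive=$1
    sumfile=$2
    [ -f "$archive" ] || { echo "no such file: $archive" >&2; return 1; }
    [ -f "$sumfile" ] || { echo "no such file: $sumfile" >&2; return 1; }

    expected=$(awk 'NR == 1 { print tolower($1) }' "$sumfile")
    named=$(awk 'NR == 1 { sub(/^\*/, "", $2); print $2 }' "$sumfile")

    # A .sha256 left over from another release must not "verify" this one.
    if [ "$named" != "$(basename "$archive")" ]; then
        echo "checksum file is for '$named', not '$(basename "$archive")'" >&2
        return 1
    fi
    # Reject anything that is not exactly 64 hex digits before comparing.
    case "$expected" in
        *[!0-9a-f]* | '') echo "malformed digest in $sumfile" >&2; return 1 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "malformed digest in $sumfile" >&2; return 1; }

    actual=$(digest_of "$archive") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $archive"
        return 0
    fi
    echo "MISMATCH: $archive" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# --- Constructed demonstration data (not a real download) -------------------
WORK=$(mktemp -d "${TMPDIR:-/tmp}/ocverify.XXXXXX")
printf 'stand-in for the real tarball\n' > "$WORK/owncloud-10.0.7.tar.bz2"
printf 'some other content\n'             > "$WORK/other.bin"

# good.sha256: correct digest, correct name
printf '%s  owncloud-10.0.7.tar.bz2\n' "$(digest_of "$WORK/owncloud-10.0.7.tar.bz2")" > "$WORK/good.sha256"
# bad.sha256: right name, digest of a different file (a corrupted or swapped download)
printf '%s  owncloud-10.0.7.tar.bz2\n' "$(digest_of "$WORK/other.bin")" > "$WORK/bad.sha256"
# stale.sha256: correct digest but written for a differently named release
printf '%s  owncloud-10.0.6.tar.bz2\n' "$(digest_of "$WORK/owncloud-10.0.7.tar.bz2")" > "$WORK/stale.sha256"

for sums in good bad stale; do
    if verify_sha256 "$WORK/owncloud-10.0.7.tar.bz2" "$WORK/$sums.sha256"; then
        echo "$sums.sha256 -> accepted"
    else
        echo "$sums.sha256 -> rejected"
    fi
done
```

Only good.sha256 is accepted; the other two are rejected before or at the digest comparison. The checksum protects against a corrupted download, while the GPG signature check (`gpg --verify owncloud-10.0.7.tar.bz2.asc owncloud-10.0.7.tar.bz2` after importing owncloud.asc) is what protects against a tampered one, since an attacker who can replace the tarball can usually replace the .sha256 file next to it too.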

Now we need to unpack the downloaded tar archive and copy the files to a location the web server can read:
$ sudo tar -xjf owncloud-10.0.7.tar.bz2
$ sudo cp -r owncloud/* /usr/local/www/apache24/data/owncloud/
cp: /usr/local/www/apache24/data/owncloud is not a directory
$ sudo mkdir -p /usr/local/www/apache24/data/owncloud/
$ sudo chown -R www:www /usr/local/www/apache24/data/owncloud/
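In the session log above, cp fails because /usr/local/www/apache24/data/owncloud/ did not exist yet; the directory is then created and chowned, but the copy is not repeated, so it has to be run again before Apache is restarted or the web root stays empty. The function below is an added example, not from the post: it creates the target first, extracts through a scratch directory, tightens permissions to 640 for files and 750 for directories, chowns to the web user only when an owner is given, and fails loudly if nothing landed in the target. The tarball in the demonstration is constructed, and the owner argument (www:www in the guide) is left out so the demo runs unprivileged.

```sh
#!/bin/sh
# Added example (not from the original post): unpack a release archive into
# the web root in the right order (create the target, copy, then fix
# ownership and permissions) and check that the copy actually happened.

# deploy_webapp ARCHIVE DESTDIR [OWNER]
#   ARCHIVE  tarball whose single top-level directory holds the application
#   DESTDIR  directory the web server serves, e.g.
#            /usr/local/www/apache24/data/owncloud
#   OWNER    optional user:group for chown (www:www in the guide); only
#            applied when given, so the function also works unprivileged
deploy_webapp() {
    archive=$1
    destdir=$2
    owner=${3:-}

    [ -f "$archive" ] || { echo "no such archive: $archive" >&2; return 1; }

    # 1. Create the destination before copying anything into it.
    mkdir -p "$destdir" || return 1

    # 2. Extract into a scratch directory; tar -xf auto-detects gzip/bzip2/xz.
    scratch=$(mktemp -d "${TMPDIR:-/tmp}/deploy.XXXXXX") || return 1
    tar -xf "$archive" -C "$scratch" || { rm -rf "$scratch"; return 1; }

    # Release tarballs contain one top-level directory (owncloud/); copy its
    # contents, not the directory itself, so DESTDIR becomes the app root.
    top=$(find "$scratch" -mindepth 1 -maxdepth 1 -type d | head -n 1)
    if [ -z "$top" ]; then
        echo "archive has no top-level directory" >&2
        rm -rf "$scratch"
        return 1
    fi
    cp -R "$top"/. "$destdir"/ || { rm -rf "$scratch"; return 1; }
    rm -rf "$scratch"

    # 3. Least privilege on disk: owner read/write, group read, nothing for
    #    others. Directories need the execute bit to be traversed.
    find "$destdir" -type d -exec chmod 750 {} +
    find "$destdir" -type f -exec chmod 640 {} +
    if [ -n "$owner" ]; then
        chown -R "$owner" "$destdir" || return 1
    fi

    # 4. Sanity check: the copy must have produced files.
    count=$(find "$destdir" -type f | wc -l | tr -d ' ')
    [ "$count" -gt 0 ] || { echo "nothing was copied to $destdir" >&2; return 1; }
    echo "deployed $count files from $archive to $destdir"
    return 0
}

# --- Constructed demonstration (a tiny stand-in for the real tarball) -------
WORK=$(mktemp -d "${TMPDIR:-/tmp}/deploydemo.XXXXXX")
mkdir -p "$WORK/src/owncloud/config"
printf '<?php phpinfo(); ?>\n'      > "$WORK/src/owncloud/index.php"
printf '<?php // constructed\n'     > "$WORK/src/owncloud/config/config.sample.php"
( cd "$WORK/src" && tar -cf ../owncloud-constructed.tar owncloud )

# Real use on the FreeBSD host from the guide would be:
#   deploy_webapp /tmp/owncloud-10.0.7.tar.bz2 /usr/local/www/apache24/data/owncloud www:www
deploy_webapp "$WORK/owncloud-constructed.tar" "$WORK/www/owncloud"
```

After a real deployment the web root contains index.php directly under owncloud/ (not owncloud/owncloud/), every file is unreadable by users other than the web server's user and group, and the function's exit status tells a wrapper script whether to go on and restart Apache.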

Restart the Apache web server
$ sudo service apache24 restart
Performing sanity check on apache24 configuration:
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.55.30. Set the 'ServerName' directive globally to suppress this message
Syntax OK
Stopping apache24.
Waiting for PIDS: 5585.
Performing sanity check on apache24 configuration:
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.55.30. Set the 'ServerName' directive globally to suppress this message
Syntax OK
Starting apache24.
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.55.30. Set the 'ServerName' directive globally to suppress this message

Now everything should be installed and working. Open your web browser and navigate to http://192.168.55.30/owncloud/ or http://server.it-monkey.lan/owncloud/ and you should see the OwnCloud setup page.




2
Hardware / IT-Monkey Lab Hardware - end of 2017
« on: November 25, 2017, 11:54:37 AM »
I decided to create this topic about what hardware we use in our test lab here at IT-Monkey, after quite a few comments from people we have been in contact with that they have no access to brand new hardware and that hardware is so expensive that they can not afford systems and lab equipment like what we have here. This is why I decided to share this list of what our lab hardware is and what our servers are made out of, and to showcase that you do not need the latest and greatest in a home-lab or test-lab, at least not when you are starting out and want to learn, as that was the goal for my home-lab when I first started out in 2010.


Physical Servers:
At this point in time we at IT-Monkey have 3 different DIY servers in our lab-rack, these are:

1. Storage server, running FreeNAS 9.10.2-U6
2. Lab1-Server, hypervisor running VMWare ESXi 5.5
3. Lab2-Server, currently have no storage and OS, going to be used as a hypervisor standalone or cluster depending on software and pricing..
These are just generic names and not the actual names of the servers, for security reasons.

FreeNAS-Server Hardware:
Case: Chenbro RM23212 2U rackmount with rails, 12 hot-swap HDD bays
Motherboard: Supermicro X11SSL-F (MicroATX, Socket 1151, C232 Chipset and DDR4)
Processor: Intel Xeon E3-1245v5 4 Cores at 3.5GHz
Memory: Crucial DDR4 ECC unreg 64Gb 2133Mhz KIT
Powersupply: SeaSonic 400w 80-Plus Bronze
CPU Cooler: Noctua NH-L9x56
Raid Controller: LSI MegaRAID 9211-8 (Flashed to IT 20 Firmware)
NIC: Intel PRO 1000 PT (EXPI9404PT) 4-port
OS Drive: SanDisk Cruzer 32Gb
HDD 01: Seagate Ironwolf ST4000VN008 64MB 4TB
HDD 02: Seagate Ironwolf ST4000VN008 64MB 4TB
HDD 03: Seagate Ironwolf ST4000VN008 64MB 4TB
HDD 04: Seagate Ironwolf ST4000VN008 64MB 4TB
HDD 05: Seagate Ironwolf ST4000VN008 64MB 4TB
HDD 06: Seagate Ironwolf ST4000VN008 64MB 4TB
HDD 07: Seagate Ironwolf ST4000VN008 64MB 4TB
HDD 08: Seagate Ironwolf ST4000VN008 64MB 4TB
HDD 09: Western Digital Red WD40EFRX 64MB 4TB
HDD 10: Western Digital Red WD40EFRX 64MB 4TB
HDD 11: Western Digital Red WD40EFRX 64MB 4TB
HDD 12: Western Digital Red WD40EFRX 64MB 4TB
Fan 1: GELID Silent PRO 8 PWM
Fan 2: GELID Silent PRO 8 PWM
Fan 3: GELID Silent PRO 8 PWM

Note; This system was purpose-built as a central storage server for my home office, home-lab and business, it is the only system in my server-rack for which I bought everything brand new from the retailer.

Lab1-Server Hardware:
Case: X-Case X255F 2U rackmount with rails
Motherboard: MSI Z77A-G45 LGA1155
Processor: Intel i7-3770 4 cores 3.40 GHz
Memory: Corsair Vengeance DDR3 1600mhz 32Gb KIT
Powersupply: Corsair CX500M, 500w 80-Plus Bronze
CPU Cooler: Noctua NH-L9x56
Raid Controller: LSI MegaRAID 9211-8 (Flashed to IT 20 Firmware)
NIC: Intel PRO 1000 PT (EXPI9404PT) 4-port
OS Drive: SanDisk Cruzer Fit 8Gb
Internal HDD 1: Intel 335 240Gb
Internal HDD 2: Intel 335 240Gb
Internal HDD 3: Western Digital Red WD30EFRX 64MB 3TB
Internal HDD 4: --
Fan 1: GELID Silent PRO 8 PWM
Fan 2: GELID Silent PRO 8 PWM
Fan 3: GELID Silent PRO 8 PWM

Note; Currently running VMWare ESXi 5.5 and a Windows 2012r2 DC network, thinking about changing hypervisor to something else

Lab2-Server Hardware:
Case: X-Case X255F 2U rackmount with rails
Motherboard: Gigabyte GA-Z68XP-UD3 LGA1155
Processor: Intel i7-3770 4 cores 3.40 GHz
Memory 1: Corsair Vengeance DDR3 1600mhz 16Gb KIT
Memory 2: Corsair Vengeance DDR3 1600mhz 8Gb KIT
Powersupply: Andersson Mission SG GGP 550w 80-Plus
CPU Cooler: Noctua NH-L9x56
Raid Controller: LSI MegaRAID 9211-8 (Flashed to IT 20 Firmware)
NIC: Intel PRO 1000 PT (EXPI9404PT) 4-port
OS Drive: SanDisk Cruzer Fit 8Gb
Internal HDD 1: --
Internal HDD 2: --
Internal HDD 3: --
Internal HDD 4: --
Fan 1: GELID Silent PRO 8 PWM
Fan 2: GELID Silent PRO 8 PWM
Fan 3: GELID Silent PRO 8 PWM

Note; Server has no storage, server is currently being used as a bench testing server, has support for mSATA SSD, thinking about a hypervisor cluster, not sure what OS to use

As you can see, both the Lab1 and Lab2 servers are built out of old consumer-grade hardware that had been used as gaming machines before we got them; we simply refurbished the motherboard and CPUs, moved them to a rack-mount case and added appropriately sized coolers and some other spare parts that we had lying around, and most of those are not needed to run a basic test-lab.

Network:
As for our network, we do not have very much hardware at all, and you really do not need much besides a good managed switch with enough ports to connect it all together.

For our lab we currently have the following networking equipment:
1. ISP Modem
2. SG-4860 pfSense Firewall
3. Cisco SB SG200-26p Switch

As you know there is no internet connectivity without the ISP and their modem; then there is the pfSense SG-4860 appliance, which we use to separate the home network, lab network and office network; then there is the Cisco switch, not much to it, plug it in and connect devices to it.

As I am writing this post I am about to redo some of my lab setup, so if there is interest for it I can make a post about setting up your own home-lab from scratch with more detailed information on how everything is interconnected.

3
Networking / Zabbix Appliance 3.2.6 inconsistencies
« on: June 08, 2017, 10:09:30 AM »
Hello everyone, I just did a fresh lab deployment of the Zabbix Appliance 3.2.6 and I noticed some inconsistencies from my old lab deployment of Zabbix Appliance 3.0.4

Both ISO files were downloaded from: https://sourceforge.net/projects/zabbix/

Hostname on 3.0.4 is set to: zabbix
Hostname on 3.2.6 is set to: ubuntu

This should be set to zabbix or zabbix-appliance on all versions, or an even better option would be a prompt during install to set the hostname, and also whether to use a static IP or DHCP configuration; this is an enterprise-level server appliance to be deployed in lots of different network environments after all.

Another issue is with the script: Detect operating system,
Command: sudo /usr/bin/nmap -O {HOST.CONN} 2>&1

Does not work, as it is not added to the sudoers list and nmap is not installed, so after editing it to allow running the sudo command, it gives the error "command not found" as nmap is not installed to begin with; this should have been in there to begin with, or this option should have been removed from the front end

This issue is on both versions; luckily these are minor issues that are easy to fix, just add the zabbix user group to the sudo users with visudo, and then install nmap on the device


Running Script on a detected host, no changes made


Editing sudo users to allow zabbix users to run sudo commands


Running OS Detection script against detected host after sudo rights


Running OS Detection script after nmap was installed

4
Configure pfSense as HTTPS \ SSL Proxy filter using Squid and SquidGuard!

This is a short write-up of how I got pfSense 2.3 and 2.4-Beta to act as a proxy filter for SSL and HTTPS traffic without the need to install or configure any client-side settings or certificates; all configuration is done on the pfSense firewall itself.
Tools needed:

Web-browser
Putty or similar console emulator
Notepad or Notepad++
WinSCP (Optional) gives you a graphical text editor over SSH, good for beginners

All the steps below can be done directly on the firewall using only the GUI or an SSH connection, but for beginners it is easier to use tools like Notepad++ and WinSCP to edit the configuration files needed for this to work.

Step 1. Configuring the root Certificate Authority (rootCA)
This is probably the part that is most confusing for people and the reason their setups have failed. Squid needs to have a CA assigned to it so that it is able to inspect the HTTPS traffic and determine what to do with it; otherwise all traffic is passed.

I used the built-in openssl tool of pfSense to generate this rootCA. For this you need to SSH in to your firewall or connect to it over the console; at the console menu select option 8 (Shell), and at the shell prompt you need to manually edit the OpenSSL configuration so it gives you the prompts and questions needed to configure the rootCA:

vi /etc/ssl/openssl.cnf

under the [ req ] section change the following line from prompt=no to prompt=yes
under the [ v3_req ] section change the following line from basicConstraints=CA:FALSE to basicConstraints=CA:TRUE
Then save and quit (to save and quit vi editor use :wq!).
Now we make a known location in the filesystem to save our rootCA and key file, as they need to be imported into the pfSense GUI at a later stage; I like to use /tmp for any temporary files.

Command:
mkdir /tmp/Proxyfiles

Now move to the folder you created with:
cd /tmp/Proxyfiles

When you're in this folder you are ready to start the openssl tool and create your rootCA; start by generating your key file with the command:

openssl genrsa -out myProxykey.key 2048

This creates an RSA key file named myProxykey.key, which we use in the next command to sign the rootCA when generating its PEM file.
Create the PEM file signed with the key using the command:

openssl req -x509 -new -nodes -key myProxykey.key -sha256 -days 365 -out myProxyca.pem

This will prompt you to answer some questions to generate the PEM file; in my case the answers were as below, change them for where you are.

US []:NO    - Country code
Somewhere []:Oslo  - State or province
Somecity []:Oslo   - Your city or town
CompanyName []:IT-Monkey   - Name of your company or business, "make something up if you’re a home user"
Organizational Unit Name (eg, section) []:IT-Department  - What part of the company issued the cert, can also be left blank
Common Name (eg, YOUR name) []:Admin    - Your name or identity in the company
Email Address []:admin@it-monkey.local  - Your contact email

At this point you should have 2 files in your /tmp/Proxyfiles directory

myProxyca.pem
myProxykey.key

This can be double-checked with the command:

ls -la

If both are there then you are ready to download them and exit the shell environment and continue to the GUI of pfSense, if not you need to look over any error or try again.
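Both this step and the certificate section of the OwnCloud post above drive openssl interactively, and this step gets CA:TRUE by editing /etc/ssl/openssl.cnf, which then has to be undone. The script below is an added example, not from either post: it generates a root CA and a server certificate signed by it from a throwaway config file, so the system OpenSSL config is never touched, and the server certificate gets a subjectAltName, which Chrome has required since version 58 (2017) and which the CN-only certificate produced in the OwnCloud post lacks. The organisation name, host name and IP address are made-up values for the demonstration. On pfSense, ca.crt and ca.key are what you paste into the Cert. Manager import form; on the OwnCloud host, server.key and server.crt are what the Apache SSL configuration points at.

```sh
#!/bin/sh
# Added example (not from either original post): build a private root CA and a
# server certificate signed by it with openssl(1), non-interactively, from a
# throwaway config file. Nothing in /etc/ssl/openssl.cnf is touched, so there
# is nothing to undo afterwards. Organisation, host name and IP are made up.

ORG="IT-Monkey"   # assumed organisation name for both certificates

# make_ca OUTDIR COMMON_NAME DAYS
#   Writes OUTDIR/ca.key (mode 0600) and OUTDIR/ca.crt. The CA is marked
#   critical CA:TRUE with pathlen:0, so it can sign end-entity certificates
#   only, and its key usage is limited to certificate and CRL signing.
make_ca() {
    outdir=$1; cn=$2; days=$3
    mkdir -p "$outdir" || return 1
    cfg=$(mktemp "${TMPDIR:-/tmp}/ca-cfg.XXXXXX") || return 1
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
O  = $ORG
CN = $cn
[v3_ca]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -config "$cfg" -keyout "$outdir/ca.key" -out "$outdir/ca.crt"
    rc=$?
    rm -f "$cfg"
    [ "$rc" -eq 0 ] || return 1
    chmod 600 "$outdir/ca.key"
}

# make_server_cert OUTDIR CADIR FQDN IP DAYS
#   Writes OUTDIR/server.key (0600), server.csr and server.crt, signed by
#   CADIR/ca.key. The leaf is limited to TLS server use and lists both the
#   DNS name and the IP in subjectAltName, so access by name and by address
#   (both are tested in the OwnCloud guide) validate.
make_server_cert() {
    outdir=$1; cadir=$2; fqdn=$3; ip=$4; days=$5
    mkdir -p "$outdir" || return 1
    cfg=$(mktemp "${TMPDIR:-/tmp}/srv-cfg.XXXXXX") || return 1
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
req_extensions     = v3_server
prompt             = no
[dn]
O  = $ORG
CN = $fqdn
[v3_server]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$fqdn,IP:$ip
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$cfg" \
        -keyout "$outdir/server.key" -out "$outdir/server.csr" &&
    openssl x509 -req -in "$outdir/server.csr" -sha256 -days "$days" \
        -CA "$cadir/ca.crt" -CAkey "$cadir/ca.key" -CAcreateserial \
        -extfile "$cfg" -extensions v3_server -out "$outdir/server.crt"
    rc=$?
    rm -f "$cfg"
    [ "$rc" -eq 0 ] || return 1
    chmod 600 "$outdir/server.key"
}

# cert_chain_ok CADIR OUTDIR
#   Return 0 when server.crt validates against ca.crt and both carry the
#   constraints set above; run this before importing anything into pfSense
#   or pointing Apache at the files.
cert_chain_ok() {
    cadir=$1; outdir=$2
    openssl verify -CAfile "$cadir/ca.crt" "$outdir/server.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$cadir/ca.crt" -noout -text | grep -q 'CA:TRUE' || return 1
    openssl x509 -in "$outdir/server.crt" -noout -text | grep -q 'TLS Web Server Authentication' || return 1
    openssl x509 -in "$outdir/server.crt" -noout -text | grep -q 'DNS:' || return 1
}

# --- Demonstration with made-up names ----------------------------------------
WORK=$(mktemp -d "${TMPDIR:-/tmp}/certs.XXXXXX")
if command -v openssl >/dev/null 2>&1; then
    make_ca "$WORK/ca" "IT-Monkey Lab Root CA" 3650 &&
    make_server_cert "$WORK/srv" "$WORK/ca" "server.it-monkey.lan" "192.168.55.30" 1095 &&
    cert_chain_ok "$WORK/ca" "$WORK/srv" &&
    echo "CA and server certificate written under $WORK" ||
    echo "certificate generation failed" >&2
else
    echo "openssl not found; nothing generated" >&2
fi
```

The CA key is the sensitive artefact here: whoever holds it can mint certificates that every client trusting this CA will accept, which is exactly why Squid needs it for filtering. Keep it at mode 0600, and prefer a short-lived server certificate signed by the CA over re-using the CA key for anything else.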

To download these files I like to use WinSCP, as it's fast to navigate and find the files you want to move. You can also do this from pfSense Diagnostics -> Command Prompt and enter the file path of:

/tmp/Proxyfiles/myProxyca.pem
/tmp/Proxyfiles/myProxykey.key



In the download box, this is somewhat slower to navigate but works just fine.

Now as you have these files on your desktop or computer you need to open them in a text editor, I prefer Notepad++ as it’s able to adjust the formatting layout of the text but any text editor will work as you will need to copy paste the information in these files to fields in the pfSense GUI.
Navigate to System -> Cert. Manager -> CA's
Here you want to add a new CA

Descriptive name: SquidCA
Method: Import an existing Certificate Authority
Certificate data: Copy \ Paste the info from myProxyca.pem file
Certificate Private Key: Copy \ Paste the info from myProxykey.key file
Save and apply




Now you should see your SquidCA (rootCA) populated under System -> Cert. Manager -> CA's with all the info you provided at the shell prompt, and you are done with Step 1.

You might want to undo the changes from the /etc/ssl/openssl.cnf file before proceeding

vi /etc/ssl/openssl.cnf

under the [ req ] section change the following line from prompt=yes to prompt=no
under the [ v3_req ] section change the following line from basicConstraints=CA:TRUE to basicConstraints=CA:FALSE

Then save and quit (to save and quit vi editor use :wq!).

Step 2. Installing required packages
This is probably the easiest step of the whole write-up, and you have probably already done it before looking up this post...
Navigate to System -> Package Manager -> Available Packages

Now look for Squid, SquidGuard and Lightsquid (if you want a log parser). There is a small bug with the Squid and SquidGuard installation that I have seen a few times: you need to install the packages in a certain order for them to work properly

1. Squid
2. Lightsquid
3. SquidGuard



When the installation is done you are done with Step 2.


Step 3. Configuration of Squid
Now we are going to set up the Squid service to handle all the HTTP and HTTPS traffic for our clients. Before we can start the configuration, note that Squid has a little bug where it will not save any of your settings before the Local Cache values are set, so navigate to Services -> Squid Proxy Server -> Local Cache, then set whatever options you like or scroll down to the bottom and hit Save.

When the site refreshes from saving the Local Cache settings navigate to Services -> Squid Proxy Server -> General Settings
I have the following option set:

Squid General Settings
Enable Squid Proxy: Yes
Keep Settings/Data: Yes
Proxy Interface(s): LAN & Loopback
Proxy Port: 3128 (you can change this to a custom one if you like)
Allow Users on Interface: Yes



Transparent Proxy Settings
NO I do not use this leave option empty



SSL Man In the Middle Filtering
HTTPS/SSL Interception: Yes
SSL/MITM Mode: SPLICE ALL <- THIS IS AN IMPORTANT SETTING, IF SET WRONG IT WILL NOT WORK.
SSL Proxy Port: 3129 (you can change this to a custom one if you like)
SSL Proxy Compatibility Mode: Modern
DHParams Key Size: 2048 Default
CA: SquidCA <- This is the rootCA you created in Step 1.
SSL Certificate Daemon Children: 5 Default
Remote Cert Checks: Do not verify remote certificates
Certificate Adapt: Sets the "Not Before" (setvalidbefore)



Logging Settings
Enable Access Logging: Yes
Log Store Directory: /var/squid/logs
Rotate Logs: 62 - keeps 2 months of logs in case of access reviews or issues, large SSD recommended
Log Pages Denied by SquidGuard: Yes
Save and apply



Step 4. Configuration of SquidGuard Proxy filter
This is where you define your ACL's and Blacklist, I do not use any pre-defined blacklist in this guide as I believe you get better control when you set it up manually from scratch, I am going to use Facebook and YouTube as primary targets to block as these are the most requested sites to be blocked by my clients, but this will work for any sites running on HTTP and HTTPS.

To start the configuration navigate to Services -> SquidGuard Proxy filter -> General Settings

General Options
Enable: Yes

LDAP Options
NO I do not use this leave option empty

Logging options
Enable GUI log: Yes
Enable log: Yes
Enable log rotation: Yes

Miscellaneous
Clean Advertising: Yes

Blacklist options
NO I do not use this leave option empty
Save and apply.





Now that SquidGuard is configured and running we need to setup some instructions for it to follow in terms of what to allow and what to block, this is called Target Categories or Target ACL's you can configure this by navigating to Services -> SquidGuard Proxy filter -> Target Categories

There is a bug in SquidGuard where it will not initiate the blacklist blocking until it has a dummy ACL defined under Target Categories, so we need to create 3 ACL's for this to work properly



1. Dummy
2. myBlockList
3. myAllowList

Dummy ACL
Name: Dummy
Description: Dummy ACL
Save





myBlockList
Name: myBlockList
Order: ---
Domain List: facebook.com fb.com youtube.com
URL List: facebook.com/ fb.com/ youtube.com/
Regular Expression: BLANK
Redirect mode: int error page
Redirect: these sites have been blocked by your ADMIN, if you have business reason to visit this page contact your supervisor.
Description: Blocked internet sites
Save





myAllowlist
Name: myAllowlist
Order: ---
Domain List: it-monkey.net company.local
URL List: it-monkey.net/ company.local/
Regular Expression: BLANK
Redirect mode: None
Redirect: BLANK
Description: All allowed sites to bypass Proxy filter
save





You should now have all the needed Target ACL's configured to block Facebook and YouTube, but you may wonder why you put the information in both the Domain List and the URL List of the ACL's, and there is a reason for that. If a site uses HTTPS it is matched from the Domain List, if it uses HTTP it is matched from the URL List, and if the site uses both then you need to have it in both places to fully block the site

HTTP = URL List
HTTPS = Domain List


Now we need to assign an action for what SquidGuard should do with the different "Categories". This is where you specify if the list you created is a blacklist and should be blocked, or if it's a whitelist and should bypass all the filters and always allow traffic for it. To do this navigate to
Services -> SquidGuard Proxy filter -> Common ACL

General Options
Target Rules List  + \ -
[Dummy]  Access: ---
[myBlockList]  Access: Block
[myAllowlist]  Access: Whitelist
Default access [all] Access: Allow



Do not allow IP-Addresses in URL: Yes
Proxy Denied Error: Default
Redirect mode: int error message
Use SafeSearch engine: Yes
Rewrite: None
Save and apply



Now that the entire configuration in Squid and SquidGuard is done you need to apply it to the running configuration by pressing the large green Apply button found on
Services -> SquidGuard Proxy filter -> General Settings

" Important: Please set up at least one category on the 'Target Categories' tab before enabling. The Save button at the bottom of this page must be clicked to save configuration changes. To activate SquidGuard configuration changes, the Apply button must be clicked. "

Now we have to setup WPAD and Firewall rules for pfSense to automatically push the Proxy configuration to its client and also who has access to connect and use the internet on your network, I will setup WPAD first since it will only work when pfSense GUI runs on HTTP and not the default HTTPS so it will affect how you configure your firewall rules.

Step 5. Configuring pfSense to act as WPAD for Squid
For security purposes I am separating the WebGUI and the WPAD servers by using a custom HTTP TCP port for the WebGUI; I will be running the WebGUI on 8080 and WPAD on 80
(8080 is a well-known admin/GUI port and is only used as an example; you should set a custom port for your network)

Start by creating an allow rule so you don't lock yourself out of the firewall: go to Firewall -> Rules -> LAN and create an allow rule for port 8080

Action: Pass
Disabled: NO
Interface: LAN
Address Family: IPv4
Protocol: TCP
Source: Single host or alias: IT_Department
Destination: This Firewall (Self)
Destination Port Range: From: other Custom  8080 To: other Custom  8080 
Description: Allow IT-Admins access to WebGUI



I use Aliases for everything, but if you do not have an IT-Department Alias defined, then just set the source to the IP-Address of your main computer.
Save and apply this rule



Now we are ready to change the WebGUI to a custom HTTP port without locking ourselves out. To do this navigate to System -> Advanced -> Admin Access

webConfigurator
Protocol: HTTP
TCP port: 8080
Save and apply, then wait for it to automatically redirect your session to the new port; this takes about 30 seconds or so.



The next thing you need to do is set the DNS record for WPAD to resolve to the web server that will be hosting your proxy settings file. Since I run all of this out of pfSense I use the DNS Resolver service for this, but you can use whatever DNS and web server you want as long as the WPAD name resolves to the correct IP.
Navigate to Services -> DNS Resolver and add a new Host Override

Host Override Options
Host: wpad
Domain: it-monkey.local  (Set your own internal domain here, if you do not have one you can set one in the System -> General Settings)
IP Address: 192.168.1.1  (LAN IP of pfSense, this has to be set to the local IP of the interface you want to run the Proxy on)
Description: WPAD Autoconfigure Host
Save and Apply



General DNS Settings



Internal Domain Settings



Now we are ready to create the actual client configuration file that will be pushed by this setup. A little programming is involved, so open Notepad++ and get ready to create the following 3 files:

wpad.dat
wpad.da
Proxy.pac

All of these files contain the same code, so it is just a copy/paste or save-as exercise. The code needed is

function FindProxyForURL(url, host)
{
    // Send every request through the Squid proxy running on the pfSense LAN address
    return "PROXY IP-of-pfSense-LAN:PORT-of-Squid";
}

In my setup that would be

function FindProxyForURL(url, host)
{
    // pfSense LAN IP 192.168.1.1, Squid listening on port 3128
    return "PROXY 192.168.1.1:3128";
}
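As an added example (not part of the original post), here is a fuller version of the same PAC file. It keeps the proxy from my setup above, 192.168.1.1:3128, but sends requests for bare hostnames, names under the internal domain it-monkey.local, and RFC 1918 or loopback addresses direct, so LAN-to-LAN traffic and the pfSense WebGUI are not routed through Squid. The helper functions are written into the file instead of relying on the browser's built-in isInNet(); that is my assumption so the same file also runs under a plain JavaScript engine for testing.

```javascript
// Added example, not the original post's wpad.dat: a PAC file that bypasses
// the proxy for local destinations and sends everything else through Squid.
// Proxy address taken from the guide above (pfSense LAN IP 192.168.1.1, Squid on 3128).
var SQUID_PROXY = "PROXY 192.168.1.1:3128";

// Returns true when host is a dotted-quad IPv4 address inside an RFC 1918
// range or the loopback range. Implemented here instead of the PAC built-in
// isInNet() so the file works unchanged in a browser and in a plain JS runtime.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  for (var i = 1; i <= 4; i++) {
    if (parseInt(m[i], 10) > 255) return false;  // reject e.g. 999.1.1.1
  }
  var a = parseInt(m[1], 10), b = parseInt(m[2], 10);
  if (a === 10) return true;                         // 10.0.0.0/8
  if (a === 172 && b >= 16 && b <= 31) return true;  // 172.16.0.0/12
  if (a === 192 && b === 168) return true;           // 192.168.0.0/16
  if (a === 127) return true;                        // 127.0.0.0/8 loopback
  return false;
}

// Returns true for names a browser should reach without the proxy: bare
// hostnames (no dots) and names inside the internal domain used in the guide.
function isLocalName(host) {
  host = host.toLowerCase();
  if (host.indexOf(".") === -1) return true;         // e.g. "printer" or "pfsense"
  var suffix = ".it-monkey.local";                   // internal domain from the guide
  return host.length > suffix.length &&
         host.slice(-suffix.length) === suffix;
}

// PAC entry point. The browser calls this for every request with the full URL
// and the bare host; the return value is a proxy directive string.
function FindProxyForURL(url, host) {
  if (isLocalName(host) || isPrivateIPv4(host)) {
    return "DIRECT";
  }
  // Everything else goes through Squid. No "; DIRECT" fallback is appended:
  // if Squid is down, clients fail closed instead of bypassing the filter.
  return SQUID_PROXY;
}
```

The deliberate absence of a "; DIRECT" fallback after the proxy directive matters: with it, a browser that cannot reach Squid would quietly try to go direct, which in this setup the LAN rules block anyway, but on a less strict firewall it would bypass SquidGuard entirely.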



Now you need to upload these files to pfSense. I recommend using WinSCP or similar for this; the path you want to store the files in is:
/usr/local/www

When all files are uploaded you should see them in the directory like this:

/usr/local/www/wpad.dat
/usr/local/www/wpad.da
/usr/local/www/Proxy.pac

With all this done we are finished with the WPAD configuration, and only need to adjust our firewall rules to lock down unrestricted access from our network.

Step 6. Logging with Lightsquid
Lightsquid is currently the only supported and maintained log parser that you can use with Squid and SquidGuard on pfSense. It is a small application that takes all the logs from your proxy server, sorts them by your preference and presents them in an easily readable format through its own web interface. To configure this service navigate to Status -> Squid Proxy Reports

Web Service Settings
Lightsquid Web Port: 7445 (Default port, you can use custom port)
Lightsquid Web SSL: Yes
Lightsquid Web User: Admin
Lightsquid Web Password: MysuperSecretandSEXYkeYg3n3ratedbyN0tApA$$w0rdgenetAT0r

Report Template Settings
Language: English
Report Template: Base
Bar Color: Orange

Reporting Settings and Scheduler
IP Resolve Method: DNS
Skip URL(s): None left blank
Refresh Scheduler: None




Step 7. Configuring the Firewall Rules
Start by navigating back to Firewall -> Rules -> LAN
Depending on your preferences you should only need about 5 - 8 rules in this list. I currently only have 6 rules defined and in use; these are the following, in order

Allow IT Department management access to pfSense
Allow ICMP from LAN Clients
Allow DNS from LAN Clients
Allow WPAD from LAN Clients
Allow Proxy from LAN Clients
Block Everything else from anywhere



With this rule set only ping and DNS traffic is allowed outside of the proxy filter. This is a good thing for diagnostic purposes in case something breaks for your clients: you can run simple connectivity tests using ping and DNS without touching the proxy or firewall settings.

The rules are defined with the following details

Allow IT Department management access of pfSense
Action: Pass
Disabled: NO
Interface: LAN
Address Family: IPv4
Protocol: TCP
Source: Single host or alias: IT_Department (alias IT_Department contains IP of 192.168.1.2 which is the main desktop used by IT)
Destination: This Firewall (Self)
Destination Port Range: From: other Custom  PF_MGMT To: other Custom  PF_MGMT  (port alias contains ports 22, 7445 and 8080 and allows you to define them in a single rule)
Description: Allow IT Department management access of pfSense



Allow ICMP from LAN Clients
Action: Pass
Disabled: NO
Interface: LAN
Address Family: IPv4
Protocol: ICMP
ICMP Subtypes: Any
Source: LAN Net
Destination: Any 
Description: Allow ICMP



Allow DNS from LAN Clients
Action: Pass
Disabled: NO
Interface: LAN
Address Family: IPv4
Protocol: TCP \ UDP
Source: LAN Net
Destination: ANY
Destination Port Range: From: DNS To: DNS
Description: Allow DNS



Allow WPAD from LAN Clients
Action: Pass
Disabled: NO
Interface: LAN
Address Family: IPv4
Protocol: TCP
Source: LAN Net
Destination: This Firewall (Self)
Destination Port Range: From: other Custom  WPAD To: other Custom WPAD  (port alias WPAD contains port 80 \ HTTP)
Description: Allow WPAD



Allow Proxy from LAN Clients
Action: Pass
Disabled: NO
Interface: LAN
Address Family: IPv4
Protocol: TCP \ UDP
Source: LAN Net
Destination: This Firewall (Self)
Destination Port Range: From: other Custom  3128 To: other Custom  3129
Description: Allow Proxy



Block Everything else from anywhere
Action: BLOCK
Disabled: NO
Interface: LAN
Address Family: IPv4
Protocol: ANY
Source: ANY
Destination: ANY
Destination Port Range: ANY
Log: Yes
Description: Block Everything



Firewall Aliases

PF_MGMT Ports



WPAD



IT_Admin



All Aliases



When you have all these rules created and applied, all the pieces are in place and you are ready to test these settings on your client computer. However, since you have made a lot of configuration changes to the pfSense system and its rules, I suggest that you reboot it to clear out any conflicting rule or state stuck in system memory, so that you start testing on a freshly booted system and rule set.

If you follow this guide and it is not working for you and it broke your system, I am not responsible or liable for that, as you should not take anything you read on the internet at face value, and you should test settings like this in a lab environment and not on your production servers.

5
Edd Noman's Guide to pfSense 04 – How-To Block Ads and Websites using pfBlockerNG

In this guide I will be covering how to use the DNSBL feature of the pfBlockerNG package to block users from accessing unwanted websites like porn, Facebook or YouTube, and also to keep your users safe from known infected websites so that the risk of getting infected with viruses or malware is reduced. This will also clean up ads seen on websites, so you get a better browsing experience.

The way pfBlockerNG and DNSBL achieve all this, even when the sites use HTTPS and SSL encryption, is by using DNS-based aliases that hold both the domain and the IP to generate the firewall rules. These aliases are generated from predefined text files containing the IP and domain information, which are updated by known security professionals and providers once a bad IP or domain is identified.

The only issue with pfBlockerNG and DNSBL is that it can use a lot of resources, both RAM and CPU: the more lists you assign it, the more RAM and CPU it needs to process all of them. The lowest hardware I would recommend for this is 2 GB RAM and a 4-core 1.5 GHz processor.

pfBlockerNG uses the DNS Resolver service of pfSense to handle DNS resolution, so before we start the installation make sure your DNS Resolver is running with Forwarding mode enabled; this is found under Services -> DNS Resolver -> General Options



Now install pfBlockerNG as you would any other package by navigating to: System -> Package Manager -> Available Packages, then search for "pfBlocker" and click Install



Confirm that you want to install the package and all its dependencies



Now the installer and its progress bar will run on your screen. Give it a few moments to complete, as it is a fairly large package to download and install, and depending on the system you are using it can take a while to get done



When the installation is done, navigate to Firewall -> pfBlockerNG to start the configuration

General Settings
Enable pfBlockerNG: Yes (checked)
Keep Settings: Yes (checked)
CRON Settings: Every hour | :15 | 0 | 0 (this will sync the lists at 15 minutes past every full hour, i.e. 01:15, then 02:15)
De-Duplication: Yes (checked)
CIDR Aggregation: Yes (checked)
Suppression: Yes (checked)
MaxMind Localized Language: English
Download Failure Threshold: 4
Logfile Size: 20000



Interface/Rules Configuration
Inbound Firewall Rules: WAN | Block
Outbound Firewall Rules: LAN | Reject
Rule Order: pfB_Pass/Match | pfB_Block/Reject | pfSense Pass/Match | pfSense Block/Reject
Auto Rule Suffix: Auto Rule
Kill States: Yes (checked)
Save and Apply



Now we want to move on to DNSBL settings found on Firewall -> pfBlockerNG -> DNSBL

DNSBL Configuration
Enable DNSBL: Yes (checked)
Enable TLD: Yes (checked)
DNSBL Virtual IP: 10.10.10.1
DNSBL Listening Port: 8081
DNSBL SSL Listening Port: 8443
DNSBL Listening Interface: LAN
DNSBL Firewall Rule: Yes | LAN



DNSBL IP Firewall Rule Settings
List Action: Deny Outbound
Enable Logging: Enable
Save and Apply



Next we configure the DNSBL EasyList from Firewall -> pfBlockerNG -> DNSBL -> DNSBL EasyList

DNSBL – EasyList
DNS GROUP Name: EasyList
Description: EasyList

EasyList Feeds
State: ON | EasyList Feeds: EasyList W\O Elements | Header: EasyList
State: ON | EasyList Feeds: EasyPrivacy | Header: EasyPrivacy



DNSBL - EasyList Settings
Categories: All selected*
List Action: Unbound
Update Frequency: Once a day
Weekly (Day of Week): Monday
Save and Apply



Now we get to the heart of the configuration, as we need to define our DNSBL feeds and where pfBlockerNG should pull its information from. A good source for this is a post on the pfSense forum from the developer himself, at this link: https://forum.pfsense.org/index.php?topic=102470.msg573167#msg573167

Navigate to Firewall -> pfBlockerNG -> DNSBL -> DNSBL Feeds to add your feed lists
I am currently running 4 different feeds: Adverts, Malicious, DGA Crypto and hpHost, and I have them configured with the following information

Adverts
DNS GROUP Name: Ads
Description: DNSBL Adverts
DNSBL:
Format: Auto|State: ON | Source: http://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&mimetype=plaintext | Header: yoyo
Format: Auto|State: ON | Source: http://hosts-file.net/ad_servers.txt | Header: hpHosts_ads
Format: Auto|State: ON | Source: https://adaway.org/hosts.txt | Header: Adaway
Format: Auto|State: ON | Source: http://sysctl.org/cameleon/hosts | Header: Cameleon
List Action: Unbound
Update Frequency: Every 8hours
Weekly (Day of Week): Monday
Save and Apply



Malicious
DNS GROUP Name: Malicious
Description: DNSBL Malicious
DNSBL:
Format: Auto|State: ON | Source: http://hosts-file.net/download/hosts.zip| Header: hpHosts
Format: Auto|State: ON | Source: http://someonewhocares.org/hosts/hosts| Header: SWC
Format: Auto|State: ON | Source: https://raw.githubusercontent.com/Dawsey21/Lists/master/main-blacklist.txt| Header: spam404
Format: Auto|State: ON | Source: https://malc0de.com/bl/BOOT| Header: malc0de
Format: Auto|State: FLEX | Source: https://mirror1.malwaredomains.com/files/justdomains | Header: MDS
Format: Auto|State: ON | Source: http://winhelp2002.mvps.org/hosts.txt| Header: MVPS
Format: Auto|State: ON | Source: http://www.malwaredomainlist.com/hostslist/hosts.txt| Header: MDL
List Action: Unbound
Update Frequency: Once a day
Weekly (Day of Week): Monday
Save and Apply



DGA
DNS GROUP Name: DGA
Description: DNSBL DGA for Cryptolocker
DNSBL:
Format: Auto|State: ON | Source: http://osint.bambenekconsulting.com/feeds/dga-feed.gz| Header: BBC_DGA
Format: Auto|State: ON | Source: http://osint.bambenekconsulting.com/feeds/c2-dommasterlist.txt| Header: BBC_C2
List Action: Unbound
Update Frequency: Every 8hours
Weekly (Day of Week): Monday
Save and Apply



hpHost
DNS GROUP Name: hpHosts_partial
Description: DNSBL hpHosts_partial
DNSBL:
Format: Auto|State: ON | Source: http://hosts-file.net/hphosts-partial.asp| Header: hpHosts_partial
List Action: Unbound
Update Frequency: Every 6hours
Weekly (Day of Week): Monday
Save and Apply



When done you should be left with the same 4 categories for blocking ads and some of the malware and cryptolocker domains. You can add more lists and sources to this configuration, but you need to do your own research on that. All the lists I used are free and open-source maintained, but there are also paid alternatives for feeds.



At this point we have only configured pfBlockerNG to use DNSBL and act on domain names, but we also want to block the known bad IPs out on the internet. To do this navigate to: Firewall -> pfBlockerNG -> IPv4

I will only be covering IPv4 in this guide, but if you use IPv6 the same method is used to add the rules needed for that; I just do not have a source list to provide you. My IPv4 alias list is called Badguys and is configured as follows

Badguys
Alias Name: Badguys
List Description: IPv4 Badguys
IPv4 Lists:
Format: Auto|State: ON | Source: https://gist.githubusercontent.com/BBcan177/d7105c242f17f4498f81/raw/90eb2ac8bdc01af3008d728b7c0f10dc7b2506b4/MS-3| Header: BBcan177_Domains_IPv4
Format: Auto|State: ON | Source: https://rules.emergingthreats.net/blockrules/compromised-ips.txt| Header: ETCompromised
Format: Auto|State: ON | Source: https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt| Header: ETBlocked
Format: Auto|State: ON | Source: https://gist.githubusercontent.com/BBcan177/bf29d47ea04391cb3eb0/raw/b344ebc9475acdea1fae38a12c4ea9332838a184/MS-1| Header: BBcan177Threats
Format: Auto|State: Auto | Source: http://www.malwaredomainlist.com/hostslist/ip.txt| Header: Malwaredomainlist
Format: Auto|State: ON | Source: https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt| Header: Ransomware
List Action: Deny Both
Update Frequency: Once a day
Weekly (Day of Week): Monday
Enable Logging: Enable
States Removal: Enable
Save and Apply
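As an added illustration (mine, not pfBlockerNG's own code) of what the IPv4 alias does with a feed like the ones above, here is a small parser and matcher in JavaScript. It reads a list in the one-address-or-CIDR-per-line form, ignores comments, malformed lines and duplicates, and reports which entry an address falls into, which is the test a Deny Both alias applies to each packet's source and destination. The sample list is constructed from RFC 5737 documentation ranges, not real indicators.

```javascript
// Added example, not pfBlockerNG's own code: parses an IPv4 block list in the
// plain text form the feeds above use (one address or CIDR per line, comments
// allowed) and checks whether a given address falls inside any entry.

// Constructed sample list; the addresses are documentation ranges (RFC 5737),
// not real indicators.
var SAMPLE_IPV4_LIST = [
  "# constructed sample, not a real feed",
  "198.51.100.0/24",
  "203.0.113.7",
  "203.0.113.7   # duplicate of the line above",
  "192.0.2.128/25",
  "not-an-address"
].join("\n");

// Converts dotted-quad text to an unsigned 32-bit integer, or null if invalid.
function ipv4ToInt(text) {
  var parts = text.split(".");
  if (parts.length !== 4) return null;
  var value = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i])) return null;
    var octet = parseInt(parts[i], 10);
    if (octet > 255) return null;
    value = value * 256 + octet;
  }
  return value;
}

// Formats an unsigned 32-bit integer back into dotted-quad text.
function intToIpv4(value) {
  return [value >>> 24, (value >>> 16) & 255, (value >>> 8) & 255, value & 255].join(".");
}

// Parses "a.b.c.d" or "a.b.c.d/n" into {base, prefix, mask} with base masked
// to the prefix, or null when the entry is malformed. A bare address is a /32.
function parseCidr(entry) {
  var pieces = entry.split("/");
  var base = ipv4ToInt(pieces[0]);
  if (base === null) return null;
  var prefix = 32;
  if (pieces.length === 2) {
    if (!/^\d{1,2}$/.test(pieces[1])) return null;
    prefix = parseInt(pieces[1], 10);
    if (prefix > 32) return null;
  } else if (pieces.length > 2) {
    return null;
  }
  // Shifting by 32 is a no-op in JS, so /0 is handled explicitly.
  var mask = prefix === 0 ? 0 : (0xFFFFFFFF << (32 - prefix)) >>> 0;
  return { base: (base & mask) >>> 0, prefix: prefix, mask: mask };
}

// Parses the whole list, skipping comments, blanks, duplicates and bad lines.
// Returns the entries plus a count of lines that could not be parsed.
function parseIpv4List(text) {
  var seen = {};
  var entries = [];
  var skipped = 0;
  text.split(/\r?\n/).forEach(function (line) {
    var clean = line.split("#")[0].trim();
    if (clean === "") return;
    var cidr = parseCidr(clean);
    if (cidr === null) { skipped++; return; }
    var key = cidr.base + "/" + cidr.prefix;
    if (seen[key]) return;                // duplicate entry
    seen[key] = true;
    entries.push(cidr);
  });
  return { entries: entries, skipped: skipped };
}

// Returns the matching entry as "a.b.c.d/n" text, or null if the address is
// not covered by any entry in the list.
function matchIpv4(list, address) {
  var ip = ipv4ToInt(address);
  if (ip === null) return null;
  for (var i = 0; i < list.entries.length; i++) {
    var e = list.entries[i];
    if (((ip & e.mask) >>> 0) === e.base) {
      return intToIpv4(e.base) + "/" + e.prefix;
    }
  }
  return null;
}

// Stand-alone demonstration over the constructed list.
function demo() {
  var list = parseIpv4List(SAMPLE_IPV4_LIST);
  return {
    entries: list.entries.length,
    skipped: list.skipped,
    insideRange: matchIpv4(list, "198.51.100.200"),
    exactHost: matchIpv4(list, "203.0.113.7"),
    outsideSlash25: matchIpv4(list, "192.0.2.5")
  };
}
```

The de-duplication step is the same idea as the De-Duplication option in the General Settings above: the duplicate 203.0.113.7 line is dropped before the table is built, and 192.0.2.5 is not matched even though 192.0.2.128/25 is listed, because the /25 only starts at .128.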





And this is all that is needed for a working setup of pfBlockerNG that acts on known bad sites, either by domain or by IP; it will also block ads on web pages you visit. The last thing for us to do is create a custom block list of websites we do not want our users to visit: even though they are marked as clean, you may have other reasons for why they need to be blocked. This is handled by the TLD feature of DNSBL, so to do this we need to navigate to: Firewall -> pfBlockerNG -> DNSBL

At the bottom of this page you have several advanced options; the ones we are after are TLD Exclusion List, TLD Blacklist and TLD Whitelist. Yes, the names are as intuitive as the functions they have.

TLD Exclusion List will be used for domains you do not want to be included in any pfBlockerNG rules or aliases; no action is performed on these domains, but other rules in pfSense may apply
TLD Blacklist will be used for domains you want to specifically block access to
TLD Whitelist will be used for any domains you want to always be accessible; these sites will not be blocked by the firewall.

Open up TLD Blacklist and enter the following domains:

fb.com
facebook.com
youtube.com
cnn.com

Save
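To make clear what the DNSBL feeds from earlier in this guide and the TLD Blacklist above actually turn into, here is an added example (my own illustration, not pfBlockerNG code). It parses a constructed feed in the hosts-file format the Adverts and Malicious feeds use, drops the localhost boilerplate and duplicate names (what the De-Duplication option does), merges in the TLD Blacklist entries from this step, and then looks hostnames up the way the TLD option matches, so that a listed domain also covers every subdomain under it. The sample lines and the example.net/example.org names are constructed.

```javascript
// Added example, not part of pfBlockerNG: shows what a DNSBL feed in "hosts"
// format turns into once parsed, de-duplicated and matched the way the TLD
// option does (a listed domain blocks all of its subdomains).

// Constructed sample feed in the hosts-file format used by feeds such as
// yoyo, MVPS or hpHosts: "<sink IP> <hostname>", with comments and the
// usual localhost boilerplate that must be ignored.
var SAMPLE_FEED = [
  "# constructed sample feed, not a real list",
  "127.0.0.1 localhost",
  "::1 localhost",
  "0.0.0.0 ads.example.net",
  "127.0.0.1 tracker.example.org   # inline comment",
  "0.0.0.0 ADS.EXAMPLE.NET",        // duplicate of ads.example.net, differs only in case
  "",
  "0.0.0.0 cdn.ads.example.net"     // already covered by ads.example.net under TLD matching
].join("\n");

// Names the hosts format carries but that are never blocklist entries.
var IGNORED = { "localhost": true, "localhost.localdomain": true, "broadcasthost": true };

// Parses hosts-format text into a de-duplicated, lower-cased list of domains.
function parseHostsFeed(text) {
  var seen = {};
  var domains = [];
  text.split(/\r?\n/).forEach(function (line) {
    var noComment = line.split("#")[0].trim();
    if (noComment === "") return;
    var fields = noComment.split(/\s+/);
    if (fields.length < 2) return;           // bare sink address, nothing to block
    // A hosts line may carry several hostnames after the sink address.
    for (var i = 1; i < fields.length; i++) {
      var name = fields[i].toLowerCase().replace(/\.$/, "");
      if (IGNORED[name] || seen[name]) continue;
      seen[name] = true;
      domains.push(name);
    }
  });
  return domains;
}

// Builds a blocklist map from parsed feed domains plus a manual TLD blacklist
// (the domains typed into the TLD Blacklist box above), recording the origin.
function buildBlocklist(feedDomains, tldBlacklist) {
  var set = {};
  feedDomains.forEach(function (d) { set[d] = "feed"; });
  tldBlacklist.forEach(function (d) { set[d.toLowerCase()] = "tld-blacklist"; });
  return set;
}

// Walks a hostname up through its parents (a.b.c -> b.c -> c) and returns
// the first listed entry with its origin, or null when nothing matches.
// This is the subdomain-covering behaviour the TLD option gives you.
function lookup(blocklist, hostname) {
  var labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  for (var i = 0; i < labels.length; i++) {
    var candidate = labels.slice(i).join(".");
    if (blocklist[candidate]) {
      return { matched: candidate, source: blocklist[candidate] };
    }
  }
  return null;
}

// The four entries from the TLD Blacklist step above.
var TLD_BLACKLIST = ["fb.com", "facebook.com", "youtube.com", "cnn.com"];

// Stand-alone demonstration over the constructed feed.
function demo() {
  var feed = parseHostsFeed(SAMPLE_FEED);
  var bl = buildBlocklist(feed, TLD_BLACKLIST);
  return {
    feedCount: feed.length,
    www_facebook: lookup(bl, "www.facebook.com"),
    img_ads: lookup(bl, "img.ads.example.net"),
    clean: lookup(bl, "www.example.com")
  };
}
```

Without the TLD option, DNSBL entries match only the exact names listed, so www.facebook.com would be caught only if that exact host appeared in a feed; the walk up the parent labels in lookup() is what makes the four entries above cover the whole domains.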



After you have made any changes to DNSBL or the TLD lists you need to force an update of the new rule set before the changes take effect on your network. To do an update navigate to Firewall -> pfBlockerNG -> Update
When doing a manual or forced update due to changes in the config, you do not want to run it close to when the cron task runs; there is a clock on the update page that tells you when the next update will run

Select 'Force' option: Reload
Select 'Reload' option: All



When the update is finished you can try to access one of the domains you blocked in TLD Blacklist and you should only get a black screen instead of the actual site loading





Now this should be all there is to blocking websites and ads with pfBlockerNG

If you follow this guide and it is not working for you and it broke your system, I am not responsible or liable for that, as you should not take anything you read on the internet at face value, and you should test settings like this in a lab environment and not on your production servers

6
Edd Noman's Guide to pfSense 03 - How-To Monitor Bandwidth Usage with NtopNG

In this guide I will only focus on bandwidth monitoring with the use of the NtopNG package in pfSense. Bandwidth monitoring is a complex topic on its own, and I will try to provide the basics you need to understand and get started with this task and how it can improve your network situation. pfSense has several options for monitoring bandwidth and you can read about them here: https://doc.pfsense.org/index.php/How_can_I_monitor_bandwidth_usage

A word on bandwidth monitoring:
While it used to be that monitoring your bandwidth meant solely focusing on internet traffic, bandwidth usage monitoring now encompasses a broader range of components. For example, you can monitor bandwidth speed or capacity, you can observe network traffic between devices or general web application traffic. Regardless of what traffic you are monitoring, though, it's important to understand the bandwidth that is being utilized so you can ensure users are getting the best possible performance out of your network.

I would go as far as saying that monitoring your network bandwidth usage is the most critical function for any network administrator.

What does bandwidth really mean?
To sum it up in one word: data. Bandwidth is quantified as the amount of data transferred in time, typically measured in bits per second. Thirty years ago, data was sent through physical mediums like the postal service; now there are myriad ways to transmit and receive massive amounts of data with the push of a button.

Since most organizations rely on the internet to conduct business-critical operations, internet speed can make all the difference in their success. What people don't know, however, is that there are actually two different types of bandwidth speed: upload and download. Upload speed is the speed at which data is sent to its destination, while download speed refers to the rate at which data is received. It used to be normal for businesses to use low-bandwidth services like 56k modems to transmit information. Now, those who have the funds can install Gigabit speed in their infrastructure to support the growth in data consumption. Firms are still using DSL and cable connections to run their business, but service providers have been able to allocate more resources to support these lower-tier Telco options.
 
Bandwidth capacity is also an important consideration. Bandwidth capacity means the maximum data rate a link can transfer. It is an important factor to consider, because when you configure your infrastructure you need to make sure you can support the bandwidth that you require. For example, the service model of your cell phone plan is based on how much data you consume on the vendor's network. When you're able to monitor your bandwidth usage, you're better able to determine what plan is right for your environment. As another example, consider an environment with hundreds of users. How do you determine what bandwidth to implement? It's important to have proper metrics and tools that can show you how much bandwidth you'll require to run your day-to-day operations. For business customers, it can become very difficult to forecast current and future consumption of bandwidth without network insight.

High-Speed Web-based Traffic Analysis and Flow Collection with NtopNG
Ntopng is the next generation version of the original ntop, a network traffic probe that shows the network usage, similar to what the popular top Unix command does. ntopng is based on libpcap and it has been written in a portable way in order to virtually run on every Unix platform, MacOSX and on Windows as well.

Ntopng users can use a web browser to navigate through ntop (which acts as a web server) traffic information and get a dump of the network status. In the latter case, ntopng can be seen as a simple RMON-like agent with an embedded web interface. Its design relies on:
- A web interface.
- Limited configuration and administration via the web interface.
- Reduced CPU and memory usage (they vary according to network size and traffic).

Features of Ntopng:
- Sort network traffic according to many criteria including IP address, port, L7 protocol, throughput, AS.
- Show network traffic and IPv4/v6 active hosts.
- Produce long-term reports about various network metrics such as throughput, application protocols
- Top X talkers/listeners, top ASs, top L7 applications.
- For each communication flow report network/application latency/RTT, TCP stats (retransmissions, packets OOO, packet lost), bytes/packets
- Store on disk persistent traffic statistics in RRD format.
- Geolocate hosts and display reports according to host location.
- Discover application protocols by leveraging on nDPI, ntop's DPI framework.
- Characterize HTTP traffic by leveraging on characterization services provided by Google and HTTP Blacklist.
- Show IP traffic distribution among the various protocols.
- Analyze IP traffic and sort it according to the source/destination.
- Display IP Traffic Subnet matrix (who's talking to who?)
- Report IP protocol usage sorted by protocol type.
- Produce HTML5/AJAX network traffic statistics.
http://www.ntop.org/products/traffic-analysis/ntop/

With all that said, we can start by installing the ntopng package by navigating to System -> Package Manager -> Available Packages
Here you search for "ntop" and then click the install button



Now you need to confirm that you would like to install the selected package and its dependencies



Now you will see the install process start, with the progress bar and text output running for some minutes, as the installer is about 250 MB that needs to be downloaded and then installed, so give it some time



When the package is done installing you need to navigate to Diagnostics -> ntopng Settings
The first thing you want to do here is set the password to use when logging in to the ntopng WebGUI

ntopng Admin Password: MysuperSecretandSEXYkeY
Confirm ntopng Admin Password: MysuperSecretandSEXYkeY
Save and Apply



Now after the access password is set we can configure the default settings for ntopng to use

General Options
Enable ntopng: Yes
Keep Data/Settings: Yes (this will keep all settings in case of updates and reinstallations)
Interface: LAN and WAN
DNS Mode: Decode DNS responses and resolve all numeric IPs
Local Networks: Consider all RFC1918 networks as local traffic (this depends on your layout; if pfSense is behind NAT you want to use the LAN interface as local)
Disable Alerts: Yes
Save and Apply



When the ntopng service is configured and has started running after you press the Save button, you want to update the GeoIP data, so click on the green button for updating that information.
At this point the configuration in pfSense is done, and you now need to connect to the ntopng WebGUI to finish its configuration, so navigate to https://192.168.1.1:3000/ or https://IP-OF-pfSense:3000, or if you have followed my previous install guides https://10.99.99.1:3000



Once logged in, the first place to go is Settings to set your recording limits; this is done with the gear icon in the top right corner



Out of the box, it will record raw packets for 1 day in your file system, the rolled-up reports in MySQL for 30 days, and totals for 1 year. You can adjust these here to work with the available disk space and RAM you have for pfSense.







The Reports:
Everyone will be different and have their own needs for reporting, but I wanted to screenshot some of the cool reports you can generate and view in ntopng to share with you all.
You can also customize and work with anything which is captured going across the LAN.
You can view total traffic on your local network and sort by usage:



You can view Active Data Flows / Destination / Type in real time with ease on the Active Flows Report



You can even view the details of a specific host on your network like so, including total usage, Activity Maps and more



Even break it down by Protocols



For those of you who are more interested in spying, yes you can see the top HTTP traffic destinations....



That is all there is to configuring ntopng and where to find the different reports. And yes, there is a large benefit to running this package even in your home environment, as it will give you graphs and statistics of where all your data and bandwidth went and which device used it, and if you did not get the amount you are charged for, you have actual proof of your usage when you call your ISP to complain about their service and invoice.

If you follow this guide and it is not working for you and it broke your system, I am not responsible or liable for that, as you should not take anything you read on the internet at face value, and you should test settings like this in a lab environment and not on your production servers

7
Edd Noman's Guide to pfSense 02 - How-To Improve Network Functionality with Basic Features of pfSense 2.3

This is a follow-up guide to my previous guide: How-To Install and Configure pfSense 2.3 inside a VM using VMware Workstation. I suggest you give that a look before you continue with this one, as it will give you a common reference for the network layout used in this guide. Since this guide starts with a fresh install of pfSense anyone can follow along, but I will use the layout referenced in my last guide for consistency purposes.
In this guide I will show you some of the basic features or services of pfSense 2.3 and how to take advantage of them to improve your overall experience and the ease of use of the LAN network.

The features and services I will be covering in this guide will be the following:
- Remote Access with use of Firewall Aliases and Firewall Rules
- NTP Services for clock synchronization of your LAN devices
- UPnP Service for those who use game consoles and are stuck with the Strict-NAT error
- DNS Resolver as local DNS Server
- Dynamic DNS with DYN or NO-IP services
- DHCP Server and Static IP assignments
- Email reports and alerts

This is again only the basic settings and configuration of said features and services; as this guide series is not a comprehensive guide on how networking or pfSense functions, do not expect a full explanation of every feature setting. I will however try to cover the most important settings you need to configure for the services to function properly.

1. Remote Access and Management of pfSense
The reason you may want to configure Remote Access to your firewall is that you might not always be at the location with physical access to your firewall when something happens that you need to address right away. Remote Access is what allows you to connect from anywhere in the world, from any device that has a web browser and internet connectivity.

There are several ways of doing this, but the one I am going to cover here is called Restricted Firewall Access, which means that we only open up access from known IPs and subnets and use custom ports for the WebGUI and SSH console of the firewall. If you are interested in other ways of doing Remote Access, the pfSense docs cover it here: https://doc.pfsense.org/index.php/Remote_firewall_Administration
Let's start with changing the default ports of the WebGUI and SSH by navigating to: System -> Advanced -> Admin Access

Here you set the following options
Protocol: HTTPS
TCP Port: 8080
Anti-Lockout rule: Yes (Disabled - checked)
Secure Shell Server: Yes (Enabled - checked)
SSH Port: 2222
Save and Apply

Warning: The ports 8080 and 2222 for the WebGUI and SSH are well-known management ports to administrators and hackers alike; I only use them for guide purposes, and you should select ports that match your network preferences.



Now you need to wait about 30 seconds for it to apply the new settings and redirect and refresh your web browser to the new port. Your new way of accessing pfSense is the following web address: https://10.99.99.1:8080 from the LAN interface.

Now that all the custom ports are set we need to create some aliases so that we can use them in our firewall rules. Aliases are just what they sound like: a collection of IPs, ports or URLs that is given a distinctive name, which helps us create more human-readable rules. You can get more information about aliases in the pfSense documentation here: https://doc.pfsense.org/index.php/Aliases
To create aliases we navigate to: Firewall -> Aliases

Here you need to create 2 different aliases, 1 port alias and 1 IP alias, to be able to create our Remote Access rules
Port aliases are created from: Firewall -> Aliases -> Ports

Name: MGMT_Ports
Description: pfSense Management ports
Type: Port(s)
Port: 2222, 8080
Save



IP aliases are created from: Firewall -> Aliases -> IP
When creating IP-based aliases you can choose between 2 types of alias, Host(s) based or Network(s) based. The main difference between them is:

Host(s) based: You need to specify each IP address you want as a separate entry; this is good for a small internal network alias where you want the rule to apply only to a small number of IPs
Network(s) based: You can specify whole network segments and subnets as a single entry, but you can also specify a single IP address.

Name: RemoteAdmin
Description: Remote Administrators
Type: Network(s)
Network or FQDN: 192.168.1.199/32 or 192.168.1.0/24

If I only want access from my computer with IP 192.168.1.199 I need to set that as a /32 network; all single devices need to be specified as IP-address/32 in the alias. This should only be used if the computer has a static IP address, as if the IP changes after a reboot or similar you will no longer have access to your firewall.

If I would like to give everyone that connects to the D-Link Home-Router access to pfSense, I need to specify the Home-Router LAN network of 192.168.1.0/24 in this alias. With this set, anyone with an IP address from 192.168.1.1 to 192.168.1.254 will be able to connect to your firewall and manage it.
As you can see in the picture below I have added both 192.168.1.199/32 and 192.168.1.0/24; only 1 of them is really needed, as 192.168.1.199 is part of the 192.168.1.0/24 network. I only added it for comparison.



Since I trust my own Home Router network the alias would be

Name: RemoteAdmin
Description: Remote Administrators
Type: Network(s)
Network or FQDN: 192.168.1.0/24
Save and Apply



Now that our ports and aliases are set and created we are ready to create the actual rules to allow the traffic to pass and connect to the firewall. To do this navigate to: Firewall -> Rules -> WAN

Action: Pass
Disabled: NO
Interface: WAN
Address Family: IPv4
Protocol: TCP
Source: Single host or alias:  RemoteAdmin
Destination: This Firewall (Self)
Destination Port Range: From: other Custom  MGMT_Ports To: other Custom  MGMT_Ports
Log: Yes
Description: Allow RemoteAdmin access to pfSense
Save and Apply





Now when you have saved and applied the rules you should be able to access your firewall from the Home-Router LAN network, and you should see the following firewall rule list for the WAN interface



This is all there is to setting up Remote Access and Management of your firewall. Just a word of warning: if you intend to do this when directly connected to the internet and not behind your ISP or Home-Router, you need to be very specific about which IP addresses and networks you allow to connect, and you should use a custom username and a strong password.

2. NTP Service for Clock Synchronization of your Devices
The NTP service (ntpd), configured at Services -> NTP, lets pfSense act as a Network Time Protocol server for a network while it keeps its own clock in sync against remote NTP servers as an NTP client.
Before enabling this service, ensure that the router's clock keeps fairly accurate time. By default the NTP server will bind to and act as an NTP server on all available IP addresses. This may be restricted using the Interface(s) selection on Services -> NTP.

This service should not be exposed publicly. Ensure inbound rules on WANs do not allow connections from the Internet to reach the NTP server on the firewall.
https://doc.pfsense.org/index.php/NTP_Server

When you configure this you want the NTP servers you use to be as close to you (network-wise) as possible to get the most accurate time. To find the best NTP servers I use the NTP Pool Project website https://pool.ntp.org

To keep this guide as generic as possible I am going to use the following servers:
0.pool.ntp.org
1.pool.ntp.org
2.pool.ntp.org
3.pool.ntp.org

But as stated, you should find the ones that are closest to where you actually are. With that said, let's start configuring it by navigating to: Services -> NTP

NTP Server Configuration:
Interface: LAN
Time Servers:  0.pfsense.pool.ntp.org, 0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org, 3.pool.ntp.org
Orphan Mode: 12
NTP Graphs: Yes (Enabled checked)
Save and Apply





It will take some time to synchronize the clock of pfSense before the service serves the correct time to your network. You can check the NTP server status by navigating to: Status -> NTP



And that is all there is to setting up the NTP service in pfSense. Note that because Interface was set to LAN only, the service does not listen on WAN at all, which is exactly the restriction the pfSense documentation quoted above asks for.
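As an added example (not part of the original post) of what an NTP exchange with the firewall looks like, and how to check the server from a LAN client: the Python script below builds an NTPv4 client request, parses the 48-byte reply, computes the clock offset and checks the things a practitioner cares about: the reply is in server mode, the origin timestamp echoes our own transmit timestamp (so a spoofed or stale reply is rejected), and the server is actually synchronized (stratum is not 0 and the leap indicator is not 3, which is what you would see from a pfSense that has not reached its upstream servers yet). The server address 10.99.99.1 is the LAN IP used in this guide; the reply bytes used in the self-test are constructed, not captured.

```python
import socket
import struct
import time

NTP_EPOCH_OFFSET = 2208988800          # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
NTP_FORMAT = "!B B b b 11I"            # LI/VN/Mode, stratum, poll, precision, 3 words, 4 timestamps (2 words each)


def to_ntp(unix_seconds):
    """Unix time (float) -> 64-bit NTP timestamp in 32.32 fixed point."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return ((whole + NTP_EPOCH_OFFSET) << 32) | frac


def from_ntp(ts):
    """64-bit NTP timestamp -> Unix time (float)."""
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / (1 << 32)


def build_request(t1):
    """48-byte client packet: LI=0, VN=4, Mode=3 (client); only the transmit timestamp is set."""
    header = (0 << 6) | (4 << 3) | 3
    return struct.pack(NTP_FORMAT, header, 0, 0, 0, *([0] * 9), t1 >> 32, t1 & 0xFFFFFFFF)


def build_server_reply(t1, t2, t3, stratum=2, leap=0):
    """Constructed reply for the self-test: what a healthy ntpd would send back to build_request(t1)."""
    header = (leap << 6) | (4 << 3) | 4                 # Mode 4 = server
    words = [0, 0, 0x50505300]                          # root delay, root dispersion, reference id (arbitrary)
    for ts in (t2, t1, t2, t3):                          # reference, origin (= our t1), receive, transmit
        words += [ts >> 32, ts & 0xFFFFFFFF]
    return struct.pack(NTP_FORMAT, header, stratum, 6, -20, *words)


def parse_reply(data, t1, t4):
    """Validate a reply to a request sent at t1 (NTP format) and received at t4 (Unix float)."""
    if len(data) < 48:
        raise ValueError("short packet")
    fields = struct.unpack(NTP_FORMAT, data[:48])
    header, stratum = fields[0], fields[1]
    leap, mode = header >> 6, header & 7
    words = fields[4:]
    stamp = lambda i: (words[i] << 32) | words[i + 1]   # i = index of the timestamp's high word
    if mode != 4:
        raise ValueError(f"not a server reply (mode {mode})")
    if stamp(5) != t1:
        raise ValueError("origin timestamp does not match our request: spoofed or stale reply")
    if stratum == 0 or leap == 3:
        raise ValueError("server is not synchronized (kiss-o'-death / leap=3); do not trust this time")
    t1f, t2, t3 = from_ntp(t1), from_ntp(stamp(7)), from_ntp(stamp(9))
    offset = ((t2 - t1f) + (t3 - t4)) / 2               # clock offset as in RFC 5905
    delay = (t4 - t1f) - (t3 - t2)                       # round trip minus server processing time
    return {"stratum": stratum, "offset": offset, "delay": delay}


def query(server="10.99.99.1", timeout=2.0):
    """Live check against the pfSense NTP server (needs the lab network; not run in the self-test)."""
    t1 = to_ntp(time.time())
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_request(t1), (server, 123))
        data, _ = sock.recvfrom(512)
    finally:
        sock.close()
    return parse_reply(data, t1, time.time())


if __name__ == "__main__":
    print(query())
```

Run it from the Windows client later in this guide (or any LAN host) and you should get a small offset and a stratum of 2 or 3; a ValueError about synchronization means pfSense is still in orphan mode, and a query from the WAN side should simply time out because the service only listens on LAN.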

3. UPnP and NAT-PMP Service for Game consoles
What are UPnP and NAT-PMP?
UPnP is short for Universal Plug and Play and is commonly found on Windows, BSD, Linux systems and common home routers.
NAT-PMP is short for NAT Port Mapping Protocol and is similar to UPnP but found more commonly on Apple devices and programs. A growing number of programs support both methods. pfSense supports both, and the service may be configured at Services -> UPnP & NAT-PMP.

UPnP and NAT-PMP both allow devices and programs that support them to automatically add dynamic port forwards and firewall entries. The most common uses are in gaming systems (XBox, PlayStation, etc) and Bit Torrent programs like µTorrent, which both rely on allowing inbound connections to a local service.

There are some security risks with this feature:
When UPnP or NAT-PMP are enabled, use only devices and programs which are trusted. These mechanisms will allow these entities to bypass the firewall to allow incoming connections with no additional control or authorization. Do not be surprised when this happens.
Access permissions for the service may be crafted in the options on pfSense. The format of these is shown in the GUI at Services > UPnP & NAT-PMP in the User specified permissions boxes. Using these, access could be restricted to a specific workstation or device.
https://doc.pfsense.org/index.php/What_are_UPnP_and_NAT-PMP

To configure UPnP & NAT-PMP navigate to: Services -> UPnP & NAT-PMP

UPnP & NAT-PMP Settings:
Enable:  Yes (checked)
UPnP Port Mapping:  Yes (checked)
NAT-PMP Port Mapping:  Yes (checked)
External Interface: WAN
Interfaces: LAN
Log packets: Yes (checked)
Default Deny: Yes (checked)



UPnP Access Control Lists:
ACL Entries: allow 1024-65535 10.99.99.15/32 1024-65535
Save and Apply



With these settings UPnP & NAT-PMP is enabled, but only the LAN client with the IP address 10.99.99.15 is allowed to use it to open and close ports, and only external and internal ports from 1024 upwards. This should help against Strict NAT or NAT Type 3 issues on game consoles like PlayStation and Xbox behind a pfSense firewall. The ACL entry format is: allow|deny external-port-range internal-address/mask internal-port-range. Two things to keep in mind: Default Deny must stay ticked, otherwise a request that matches no ACL line is accepted; and the ACL only stays correct as long as the device keeps that IP, so give it a static DHCP mapping (section 5) rather than an address from the dynamic pool.
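As an added example (not part of the original post, and not the daemon's own code) of how the ACL line and the Default Deny option interact: the Python script below parses ACL lines in the format shown above and evaluates a port-mapping request the way miniupnpd, the daemon behind this pfSense page, does as far as I know: lines are checked in order, the first match decides, and a request that matches no line is accepted, which is why pfSense offers Default Deny and appends a catch-all deny line when it is ticked. The exact catch-all line and that evaluation order are assumptions about miniupnpd; the ACL entry itself is the one from this guide.

```python
import ipaddress

# ACL line from the guide. Assumption about miniupnpd: lines are checked in order, the
# first match decides, and a request matching no line is ACCEPTED. Ticking Default Deny
# makes pfSense append a catch-all deny line like the one below.
ACL_ENTRIES = ["allow 1024-65535 10.99.99.15/32 1024-65535"]
DEFAULT_DENY_LINE = "deny 0-65535 0.0.0.0/0 0-65535"


def parse_range(text):
    """'1024-65535' -> (1024, 65535); a single number is a one-port range."""
    lo, _, hi = text.partition("-")
    lo, hi = int(lo), int(hi) if hi else int(lo)
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range: {text}")
    return lo, hi


def parse_acl(lines, default_deny=True):
    """Parse 'allow|deny ext-ports int-ip/mask int-ports' lines into rule tuples."""
    rules = []
    for line in list(lines) + ([DEFAULT_DENY_LINE] if default_deny else []):
        action, ext, addr, internal = line.split()
        if action not in ("allow", "deny"):
            raise ValueError(f"bad action in ACL line: {line}")
        rules.append((action, parse_range(ext), ipaddress.ip_network(addr, strict=False), parse_range(internal)))
    return rules


def mapping_allowed(rules, client_ip, ext_port, int_port):
    """Would a request from client_ip to map external ext_port to its own int_port be granted?"""
    client = ipaddress.ip_address(client_ip)
    for action, (elo, ehi), net, (ilo, ihi) in rules:
        if client in net and elo <= ext_port <= ehi and ilo <= int_port <= ihi:
            return action == "allow"
    return True   # no line matched: the daemon's default is to accept (hence Default Deny)


def audit(lines):
    """Point out allow lines that hand out more than one device needs."""
    findings = []
    for action, (elo, ehi), net, (ilo, ihi) in parse_acl(lines, default_deny=False):
        if action != "allow":
            continue
        if net.num_addresses > 1:
            findings.append(f"{net}: allows more than one host, every device in it can punch holes")
        if elo < 1024 or ilo < 1024:
            findings.append(f"{net}: allows privileged ports (<1024) to be mapped")
    return findings


if __name__ == "__main__":
    with_deny = parse_acl(ACL_ENTRIES)
    without_deny = parse_acl(ACL_ENTRIES, default_deny=False)
    for ip in ("10.99.99.15", "10.99.99.77"):
        print(ip, "Default Deny on:", mapping_allowed(with_deny, ip, 3074, 3074),
              "off:", mapping_allowed(without_deny, ip, 3074, 3074))
    print(audit(["allow 0-65535 10.99.99.0/24 0-65535"]))
```

The output shows the point of the Default Deny box: with it on, only 10.99.99.15 can open ports (and only 1024 and up); with it off, the unlisted 10.99.99.77 is allowed too, because nothing matched it. The audit function is the check to run over any ACL you write yourself before applying it.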

4. DNS Resolver and Dynamic DNS Configuration

DNS Resolver:
Unbound DNS Resolver is a validating, recursive and caching DNS resolver. It provides various modules so that DNSSEC (secure DNS) validation and stub-resolvers are possible. Unbound was integrated into the base system in pfSense 2.2. Unbound is also the default DNS Resolver.
https://doc.pfsense.org/index.php/Unbound_DNS_Resolver

We start by configuring DNS Resolver general options by navigating to: Services -> DNS Resolver

General DNS Resolver Options:
Enable: Yes (checked)
Listen Port: 53
Network Interfaces:  ALL
Outgoing Network Interfaces:  ALL
System Domain Local Zone Type: Transparent
DNSSEC:  Yes (checked)
DNS Query Forwarding:  Yes (checked)
DHCP Registration:  Yes (checked)
Static DHCP:  Yes (checked)
Save and Apply





With the above settings you have a working DNS Resolver. Two things to note: with DNS Query Forwarding ticked, Unbound does not resolve from the root servers itself but forwards everything to the DNS servers from System -> General Setup, and DNSSEC validation then only works if those upstream servers support DNSSEC, so either untick forwarding or make sure your upstream servers do. And with Network Interfaces set to ALL, Unbound also listens on the WAN address; the default WAN rules keep the internet away from it, but selecting just LAN and Localhost is the tighter choice. One of the advantages and cool things about having your own DNS Resolver running in your network is that you can assign your own custom domain names to your devices. To illustrate this I am going to make pfSense reachable as router.vmlab.lan and firewall.vmlab.lan instead of having to remember the 10.99.99.1 IP address, using the Host Override option.

Host Override Options:
Host: router
Domain: vmlab.lan
IP Address: 10.99.99.1
Description: DNS Record for pfSense Server

Additional Names for this Host
Host: firewall
Domain: vmlab.lan
IP Address: 10.99.99.1
Description: DNS Record for pfSense Server
Save and Apply



Now you should be able to access your pfSense firewall using the following names:
pfsense.vmlab.lan (the firewall's own hostname and domain from System -> General Setup, which Unbound answers for automatically)
router.vmlab.lan
firewall.vmlab.lan

You can test this from CMD or a terminal by asking the firewall directly:
Windows: nslookup router.vmlab.lan 10.99.99.1
macOS \ Linux: dig @10.99.99.1 router.vmlab.lan A



Hopefully you now see a lot of advantages of using the DNS Resolver in your network.

Dynamic DNS Service:
Dynamic DNS (DynDNS), found under Services -> Dynamic DNS, will update an external provider with the current public IP address on the firewall. This keeps a constant DNS hostname, even if the IP address changes periodically. Whenever an interface changes in some way, DHCP lease renew, PPPoE logout/login, etc, the IP will be updated.

There are many free DynDNS services out there, and pfSense supports more than 15 different providers. In addition to the normal public services, pfSense also supports RFC 2136 DNS updates to DNS servers.
In currently supported versions of pfSense, the DynDNS client supports using multiple DynDNS and RFC 2136 clients. These can be used to update multiple services on the same interface, or multiple interfaces.

There are two tabs under Dynamic DNS, one for DynDNS providers, and one for RFC 2136 servers. Each tab has a list of currently configured clients, which reflects not only their configuration but also their status. Additional clients can be managed from these lists.
When editing a DynDNS client, first pick a DynDNS service provider, then choose Interface with the IP address to update. Enter a hostname, username, password, and description. Optionally, an MX record and wildcard support may be enabled depending on the provider.

When editing an RFC 2136 client, first pick the interface with the IP to update, enter a hostname, Time To Live (TTL) for the DNS record, Key name (which must match the setting on the server), Key type of Host, Zone, or User, an HMAC-MD5 key, the DNS server IP address, and a description. TCP transactions may optionally be used instead of UDP.
https://doc.pfsense.org/index.php/Dynamic_DNS

Configuring this service depends heavily on your DDNS provider. I have a demo account with two of the most popular providers, the free provider NO-IP (noip.com) and a paid alternative, Dyn DNS (dyn.com), and most providers have their own instructions on how to set it up for different router clients. When you have signed up for a domain with one of them and read through their configuration document, navigate to Services -> Dynamic DNS

Dynamic DNS Client Example:
Disable: No
Service Type: Your provider, if it is not in the list select other
Interface to monitor: WAN
Hostname: Your full domain name with the host record you created, ie. firewall.mydomain.com
MX: this is only used in special cases where you have an email server behind pfSense
Wildcards: Depends on your provider
Verbose logging: Only used for troubleshooting
Username: Your username \ email that you use for login at your provider
Password: Your password or update key used at your provider
Confirm Password: Your password or update key used at your provider
Description: Your description of the config ie, Provider DNS Service

This is the most generic and non-provider-specific example I can give for this service, as this is just an update client and the different providers each have their own way of authenticating and verifying your account. I do however have specific instructions for the NO-IP and DYN providers.

NO-IP Dynamic DNS Client:
Disable: No
Service Type: NO-IP (free)
Interface to monitor: WAN
Hostname:  lablan.ddns.net
Username:  EddNoman (no you do not get my account details)
Password:  MysuperSecretandSEXYkeY  (no you do not get my account details)
Confirm Password:  MysuperSecretandSEXYkeY  (no you do not get my account details)
Description:  NO-IP DNS Service
Save & Force update



NO-IP uses the email address (username) and password you created when you signed up for their service. For the DYN DNS service you get assigned an Update API Key that you use as the password in the client; use that key rather than your account password, since the key can be revoked without changing your account login.



DYN Dynamic DNS Client:
Disable: No
Service Type: DynDNS (dynamic)
Interface to monitor: WAN
Hostname:  lablan2.qnett.net
Username:  EddNoman (no you do not get my account details)
Password:  MysuperSecretandSEXYkeY  (no you do not get my account details)
Confirm Password:  MysuperSecretandSEXYkeY  (no you do not get my account details)
Description:  DYN DNS Service
Save & Force update



As you can see from these pictures it is not hard to set up, it is just a matter of filling in the correct provider information about your domain and account details. As the picture also shows, there is no issue with having multiple providers and DNS entries pointing to the same router and firewall.



If you do not have any Dynamic DNS provider or account yet, I have a 15% off referral code for DYN DNS (dyn.com) that you can use. If you sign up for DYN DNS then I strongly recommend the Managed DNS service, as then you get your own fully fledged DNS service with all the features and benefits of your own public DNS servers.
Referral Code:  RFE2X07RS8
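As an added example (not part of the original post, and not pfSense's own client code) of what happens behind the Dynamic DNS form above: both NO-IP and Dyn accept the dyndns2 update protocol, a single HTTPS GET with the hostname (and optionally the new IP) as query parameters and the username plus password or update key as HTTP Basic authentication, answered with a one-word result code. The script below prepares such a request, refuses to send credentials over plain HTTP, and interprets the result codes, which matter because a client that keeps retrying on nochg or badauth gets the hostname blocked. The endpoint URLs are assumptions to verify against your provider's documentation; the hostname, account and addresses in the self-test are made up.

```python
import base64
import urllib.parse
import urllib.request

# Assumption: both providers used in this guide speak the dyndns2 update protocol at
# these endpoints (check the provider's own documentation before relying on them).
ENDPOINTS = {
    "noip": "https://dynupdate.no-ip.com/nic/update",
    "dyn": "https://members.dyndns.org/nic/update",
}
# dyndns2 servers reject clients with a generic or missing User-Agent ("badagent").
USER_AGENT = "pfsense-guide-example/1.0 admin@example.com"

# Result codes defined by the dyndns2 protocol and what to do about them.
RESULT_CODES = {
    "good": "updated",
    "nochg": "already current; do not resend in a loop, providers block abusive clients",
    "badauth": "username/password or update key rejected",
    "nohost": "hostname does not belong to this account",
    "notfqdn": "hostname is not a fully qualified domain name",
    "badagent": "client blocked; fix the User-Agent",
    "abuse": "hostname blocked for abuse; contact the provider",
    "911": "provider-side error; wait before retrying",
}


def build_update_request(provider, hostname, username, password, ip=None):
    """Prepare (but do not send) the GET request a dyndns2 client makes for one hostname."""
    params = {"hostname": hostname}
    if ip:
        params["myip"] = ip             # omitted -> the provider uses the connecting address
    url = ENDPOINTS[provider] + "?" + urllib.parse.urlencode(params)
    if not url.startswith("https://"):
        raise ValueError("refusing to send credentials over plain HTTP")
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return urllib.request.Request(url, headers={"Authorization": "Basic " + token,
                                                "User-Agent": USER_AGENT})


def parse_update_response(body):
    """'good 203.0.113.5' -> ('good', '203.0.113.5', True); 'badauth' -> ('badauth', None, False)."""
    parts = body.strip().split()
    code = parts[0] if parts else ""
    ip = parts[1] if len(parts) > 1 else None
    return code, ip, code in ("good", "nochg")


def explain(code):
    """Human-readable meaning of a result code; unknown codes are treated as failures."""
    return RESULT_CODES.get(code, f"unknown response '{code}', treat as failure")


def send_update(request, timeout=10):
    """Live update (needs internet and a real account; not run in the self-test)."""
    with urllib.request.urlopen(request, timeout=timeout) as resp:
        return parse_update_response(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    req = build_update_request("noip", "lablan.ddns.net", "user@example.com", "secret", "203.0.113.5")
    print(req.full_url)
    print(req.get_header("Authorization"))
    for line in ("good 203.0.113.5", "nochg 203.0.113.5", "badauth"):
        code, ip, ok = parse_update_response(line)
        print(line, "->", ok, explain(code))
```

Note that the Basic header is just base64 of username:password, so the only thing protecting your account credentials (or update key) in transit is the HTTPS endpoint; that is also why a revocable update key is preferable to the account password when the provider offers one.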

5. DHCP Server and Static IP Assignments
The DHCP server in pfSense will hand out addresses to DHCP clients and automatically configure them for network access. By default, the DHCP server is enabled on the LAN interface.
The DHCP server page, found under Services -> DHCP Server, has a tab for each available interface. The DHCP daemon can only run on interfaces with a Static IP address, so if a tab for an interface is not present, check that it is enabled and set with a Static IP. The DHCP server cannot be active on any interface if the DHCP Relay service is in use.

DHCP Options
For each Interface, there are many options to choose from. At a minimum, the Enable box must be checked on the interface tab and an address range (starting and ending IP addresses) to use for DHCP clients must be defined. The other settings may be configured, but are optional. Each option is explained in more detail on the page and also in The pfSense Book.
See the DNS Forwarder article for information on the default DNS server behavior.
Some other options which may be set for clients include TFTP server, LDAP URI, and the ability to add in any custom DHCP option number and value.

Static IP Mappings
Static IP mappings can be added at the bottom of the DHCP server tab for a given interface.
To add a Static IP mapping, click "+", and then enter a MAC address, IP address, Hostname, and Description. These mappings can also be created from the DHCP Leases view. There are many other per-host options which can be sent as well. https://doc.pfsense.org/index.php/DHCP_Server

Let's define our network settings by configuring the DHCP server, navigate to Services -> DHCP Server

General Options:
Enable: Yes (checked)
Subnet: 10.99.99.0
Subnet mask: 255.255.255.0
Available range: 10.99.99.1 - 10.99.99.254
Range: from 10.99.99.100 to 10.99.99.200



Servers
DNS server1: 10.99.99.1



Other Options
Gateway: 10.99.99.1
Domain name: vmlab.lan
Default lease time: 7200 (2 hours)
Maximum lease time: 14400 (4 hours)
Time format change: Yes
NTP:  Yes
NTP Server 1: pfsense.vmlab.lan
NTP Server 2: 10.99.99.1
Save and Apply





As you can see from this page there are a lot of parameters you can hand to your devices and computers through the DHCP server that common home routers from your local electronics or computer shop do not offer. You need to do some research if you want to use the other options, as I am only covering what is necessary for the services configured in this guide.

Static DHCP Mapping on LAN
MAC Address: 00:0c:29:fa:58:63
IP Address: 10.99.99.15
Hostname: admin-pc
Description: admin pc static ip
Save and Apply





As you can see there are a lot of options that can be assigned per device \ IP when you create a static mapping, but the two main things to keep in mind are: the MAC address is unique to every network interface (so the mapping follows the device, and keep in mind that a device that can spoof its MAC can also claim the mapping), and the IP address must be outside the DHCP range, because those addresses are handed out dynamically by the server and reusing one would cause an IP conflict; pfSense will refuse to save a mapping inside the range. And that is all there is to configuring DHCP and static IPs in pfSense.
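As an added example (not part of the original post, and not pfSense's own validation code) of the checks worth doing before you add a static mapping: the Python script below takes the subnet, gateway and pool from the DHCP Server page above and reports why a proposed mapping is bad (inside the dynamic pool, the firewall's own address, outside the subnet, a MAC or IP already mapped, or a MAC that cannot belong to a host). The MAC addresses and the extra IPs used in the self-test are made up; the admin-pc mapping is the one from this guide.

```python
import ipaddress
import re

# Values from the DHCP Server page in this guide.
LAN = ipaddress.ip_network("10.99.99.0/24")
GATEWAY = ipaddress.ip_address("10.99.99.1")
POOL_START = ipaddress.ip_address("10.99.99.100")
POOL_END = ipaddress.ip_address("10.99.99.200")


def normalize_mac(mac):
    """Accept 00:0c:29:fa:58:63, 00-0C-29-FA-58-63 or 000c.29fa.5863 and return the colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    if int(digits[:2], 16) & 1:
        raise ValueError(f"{mac} is a multicast MAC (low bit of first octet set), no host has that")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def check_static_mapping(mac, ip, existing=()):
    """Return the list of problems with adding (mac, ip); an empty list means it is safe to add.

    `existing` is an iterable of (mac, ip) pairs already mapped on this interface.
    """
    problems = []
    try:
        mac = normalize_mac(mac)
    except ValueError as err:
        problems.append(str(err))
        mac = None
    addr = ipaddress.ip_address(ip)
    if addr not in LAN:
        problems.append(f"{ip} is not inside the LAN subnet {LAN}")
    elif addr in (LAN.network_address, LAN.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address")
    if addr == GATEWAY:
        problems.append(f"{ip} is the firewall's own LAN address")
    if POOL_START <= addr <= POOL_END:
        problems.append(f"{ip} is inside the dynamic pool {POOL_START}-{POOL_END}; pfSense rejects this")
    for other_mac, other_ip in existing:
        if mac and normalize_mac(other_mac) == mac:
            problems.append(f"MAC {mac} is already mapped to {other_ip}")
        if ipaddress.ip_address(other_ip) == addr:
            problems.append(f"{ip} is already mapped to {other_mac}")
    return problems


if __name__ == "__main__":
    current = [("00:0c:29:fa:58:63", "10.99.99.15")]       # the admin-pc mapping from this guide
    for mac, ip in [("00-0C-29-AA-BB-CC", "10.99.99.16"), ("00:0c:29:aa:bb:cc", "10.99.99.150"),
                    ("00:0c:29:fa:58:63", "10.99.99.20"), ("01:00:5e:00:00:01", "10.99.99.21")]:
        print(mac, ip, check_static_mapping(mac, ip, current) or "ok")
```

Running it shows the first candidate as ok and the other three rejected: one sits in the 100-200 pool, one reuses the admin-pc MAC, and one is a multicast address that a VM or console can never have.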

6. Email Reports and Alerts
Now I am going to cover something most people neglect to set up in their home or small networks: email alerts and reports on events, using the add-on package Mailreport. It lets you set up periodic e-mail reports containing command output and log file contents, which is a very useful way to see what is going on with your firewall and network so you can be proactive about issues before they grow, all from the comfort of your email inbox.

Since this is about sending email, the configuration of this package depends very much on which email provider you have. I have gotten this to work with the following providers: Google Gmail, Microsoft Hotmail (live\outlook), Yahoo Mail and Mail.com, and it will work with any provider that allows you to connect with SMTP clients like Thunderbird or Office Outlook.

Before we start configuring the notifications and mailreport features I strongly recommend that you have the following information ready:
IP Address of E-Mail server: IP address or FQDN of the SMTP E-Mail Server
From e-mail address: E-mail address that will appear in the from field. (Ex. hostname@domain.com)
Notification E-Mail address: E-mail address which will receive email notifications
Notification E-Mail auth username (optional): Username for SMTP authentication
Notification E-Mail auth password (optional): Password for SMTP authentication

When looking for this information you want the outgoing SMTP server settings from the provider (the IMAP settings are not needed for sending). For your benefit I have added the provider settings I have used in the past below. We start the configuration by setting the notification details under System -> Advanced -> Notifications

Google Gmail
smtp.gmail.com
Requires SSL: Yes
Requires TLS: Yes (if available)
Requires Authentication: Yes
Port for SSL: 465
Port for TLS/STARTTLS: 587
Account Name, User name, or Email address: Your full email address
Password: Your Gmail password (if 2-Step Verification is enabled on the account you must create an App Password and use that here instead)



Microsoft Hotmail (live\outlook)
smtp-mail.outlook.com
Requires SSL: Yes
Requires TLS: Yes (if available)
Requires Authentication: Yes
Port for SSL:
Port for TLS/STARTTLS: 587
Account Name, User name, or Email address: Your full email address
Password: Your Hotmail, Live or Outlook password



Yahoo Mail
smtp.mail.yahoo.com
Requires SSL: Yes
Requires TLS: Yes (if available)
Requires Authentication: Yes
Port for SSL: 465
Port for TLS/STARTTLS: 587
Account Name, User name, or Email address: Your full email address
Password: Your Yahoo password



Apple iCloud Mail
smtp.mail.me.com
Requires SSL: Yes
Requires TLS: Yes (if available)
Requires Authentication: Yes
Port for SSL:
Port for TLS/STARTTLS: 587
Account Name, User name, or Email address: the name part of your iCloud address (so without @icloud.com behind it)
Password: an app-specific password generated at appleid.apple.com (Apple requires one for third-party mail clients when two-factor authentication is on)



Mail.com
smtp.mail.com
Requires SSL: Yes
Requires TLS: Yes (if available)
Requires Authentication: Yes
Port for SSL:
Port for TLS/STARTTLS: 587
Account Name, User name, or Email address: Your full email address
Password: Your Mailcom password



Make sure you save the settings before you test the SMTP settings. You should see a green bar at the top saying success if everything is working; if not it will be red with an indication of what went wrong, in most cases a case-sensitive username \ password or a provider that changed ports.

Now that pfSense can email us we can continue to install the Mailreport package from System -> Package Manager
In the Package Manager -> Available Packages search for "mail" and Mailreport should be the only hit, now click install



You should always be prompted to confirm any installation so click on the green confirm button



Now some text should fly over the screen and a progress bar should follow until the installation is done. This should only take a minute or so and you should see an installation success message when done.



When the package is installed it is accessible under Status -> Email Reports
From here you need to add a report schedule before you can add which logs it should send you. I usually have it set to once a week, every Sunday at 05:00 in the morning, since there should not be any activity on the network at that time in my case

Report Settings
Description: Weekly Report

Schedule
Frequency: Weekly
Day of the Week: Sunday
Hour of Day: 05
Save



Now we need to go back and edit the Weekly Report and add what logs it should send us, this is done by clicking on the pen icon under Actions



When you are back at the weekly report you should see 2 new fields for Include Commands and Include Logs. I usually include the System, Gateway Events and Firewall logs to get an overview of what is going on there.
Send Now will send you a copy of the current setup to review, then Save to store the configuration



That is it for this guide.

If you follow this guide and it is not working for you and it broke your system, I am not responsible or liable for that, as you should not take anything you read on the internet at face value and you should test settings like this in a lab environment and not on your production servers

Edd Noman's Guide to pfSense 01 - How-To Install and Configure pfSense 2.3 inside a VM using VMware workstation

This is not an in-depth guide for networking, pfSense, or VMware Workstation. It will provide you with a basic working setup covering the most important components you need to configure for your virtual environment and pfSense to run smoothly.

1. Preparations, what do you need to follow this guide

1. PC with local Internet connection
2. VMware Workstation - http://www.vmware.com/products/workstation/workstation-evaluation
3. pfSense ISO file - https://www.pfsense.org/download/ 
4. Windows or Linux installation ISO file
5. Time, you should have about 2 - 3 hours free to do this if you are completely new to the area. If you have networking experience from before you can do this in about 1 hour

1.a PC recommended specification:
CPU: i5 with 4 cores at 2.5 GHz that supports VT-x and VT-d (Intel hardware virtualization)
RAM: 8 GB ++
HDD: 120 GB

You can run on lower hardware but then it will be a slow and painful experience, an AMD equivalent (with AMD-V) is also fine

1.b Internet connection: I recommend you have a minimum connection of 10/5 Mbps or you are going to wait forever for the files to download. If you are on a slow connection I recommend downloading all the needed files before you start on this project.

2. Network preparation and layout

In this guide, your normal home router and network will act as the ISP and the WAN connection for the VM LAB network that we create in Workstation, so we need to create a layout and map out how everything is going to be connected together. Otherwise it is easy to get lost and end up with a broken configuration, and then you need to start over from scratch since you have no point of reference to start troubleshooting the issues.

My home network layout and configuration is pretty simple, and it is what I am going to use as an example in this guide:

Home Router: D-link DIR-855
WAN: DHCP IP X.X.X.X  <- This is given by your service provider, you have no control over this
LAN Network: 192.168.1.0
LAN Broadcast: 192.168.1.255
LAN Subnet: 255.255.255.0 = /24 in CIDR notation as used in pfSense
LAN IP: 192.168.1.1
LAN DHCP: 192.168.1.100 to 192.168.1.200

PC with VMware Workstation installed has the local IP of 192.168.1.199

Now I want to define the VM LAB network before I start so we know what parameters to use when asked to provide the different network settings in the pfSense installer and the Workstation network configuration that we need to set up before we can create our virtual machines

LAB Router: pfSense 2.3
WAN: DHCP IP 192.168.1.xx <- the 1.xx is going to be the next unused and available IP from your Home Router in my case that should be 192.168.1.197
LAN Network: 10.99.99.0
LAN Broadcast: 10.99.99.255
LAN Subnet: 255.255.255.0 = /24 in CIDR notation as used in pfSense
LAN IP: 10.99.99.1
LAN DHCP: 10.99.99.100 to 10.99.99.200

Now you are probably wondering why I chose to go with a 10.99.99.0 network and IP range for my VM LAB setup, and there are 2 good main reasons for that

1. Your VM LAB network cannot be the same as your home router network. pfSense routes between its WAN (your home network) and its LAN (the lab network), and the same subnet on both sides cannot be routed, so it would only create problems both for the lab and for anyone connecting to the internet from your home

2. If something goes bad and you need to troubleshoot a network issue it is easy to identify that anything with a 10.99.99.xx IP is from your VM LAB network and anything with a 192.168.1.xx IP is from your normal home router network that is having or creating issues.

3. Configuring the virtual network infrastructure in VMware Workstation

Now that we have done all of our preparations and network planning we are ready to start configuring and installing the VM LAB network. We start with the network configuration by opening the Virtual Network Editor from Edit -> Virtual Network Editor

Here you should see 3 different types of networks already defined for you, those should be Bridged, NAT and Host-Only. All this is fine; what we want to do is Add Network and create a custom Host-Only type of network for our LAN interface. To do this click on the Add Network button, choose a "VMnet #" (I usually go for VMnet3) then click OK



Now back at the Virtual Network Editor you should see 4 networks in the list, the same 3 as before and our newly created VMnet3. Select that in the list and edit its network values according to our VM LAB requirements, which are:

VMnet Info = Host-only
Connect to a host virtual adapter to this network = NO (not checked)
Use local DHCP service = NO (not checked)
Subnet IP = 10.99.99.0 (this is the LAN Network of the VM LAB environment)
Subnet mask = 255.255.255.0

Save these changes by clicking Apply then OK to go back to the main window of VMware workstation.



[Some info about the different types of networks used in VMware Workstation for quick reference]
- Bridged type means that the virtual machine shares the physical network port and connection with the computer, our pfSense will use this for its WAN interface.
- NAT type means the virtual machine gets a translated network, essentially Workstation acts as its own router between the VM and the physical network
- Host-Only type means the network exists only inside Workstation: VMs attached to that VMnet (and optionally the host, through the host virtual adapter) can talk to each other, but there is no path to the physical network. With the host virtual adapter unticked as above, VMnet3 is an isolated segment that only the VMs can reach, so the only way out of the lab LAN is through pfSense

4. Configuring the Virtual Machine Settings and Hardware

Now is the time to define your hardware to be used for pfSense VM, to do this navigate to File -> Create a New Virtual Machine
Here we will be following the on-screen wizard so select typical and click next



Select I will install the operating system later, the virtual machine will be created with a blank hard disk, and press next



Set the guest operating system option to Other -> FreeBSD 64-Bit then click next



Now give the virtual machine a proper identifying name and choose where on the system you want to store the VM files, then click next

Name: pfSense 2.3 Router
Location: C:\VirtualMachines\pfsense2.3\



Select the amount of storage and hard drive space to be used by the pfSense VM. This depends on what you are going to use the system for, some add-on packages and features require a larger amount of storage than others. For a base system and learning pfSense anything between 5 GB and 10 GB is fine; I select 10 GB as that is a nice round number that allows for growth and space to test out most of the features and add-on packages with ease

I choose 10 GB and single file, then next



At this point you should be looking at a summary page of all the options you have chosen and Workstation's recommended hardware for a FreeBSD system. However we are setting up a firewall and router that does not need many of the hardware options a normal system would benefit from, so we need to edit the selected hardware to fit our install of pfSense. You do this by clicking the Customize Hardware button



Now you should see the Hardware selection list, here you should set the following hardware and settings

Memory = 2048 MB
Processor = 4 \ 2 processors and 2 cores per processor
Hard Disk = 10 GB
DVD = ISO Image: File location of pfSense iso file, mine is "C:\Users\noman\Downloads\pfSense.iso"
Network Adapter 1 = Bridged (Automatic)
Network Adapter 2 = Custom (VMnet3) 
Display = Auto Detect

As you can see I removed the sound card and USB controller. Since this is a virtual machine you cannot plug a USB drive into it, nor does a router need a sound card, so removing these saves some resources on your system and is one less virtual device exposed to the guest; if this were a physical install I do recommend keeping USB ports.
I have also added a second network adapter, with a different VMnet network than the first







When you have set the hardware to your liking, click Close to go back to the summary and then press Finish to complete the creation of the virtual machine and return to the main window of VMware Workstation.



5. Installation of pfSense software

From this point on it is a normal pfSense installation, and you can follow the normal installation guide from https://doc.pfsense.org/index.php/Installing_pfSense
However that guide does not cover the steps needed, once the installation is done, for running smoothly in a VM environment

With that said we are now ready to start up the new virtual machine, which is done by pressing the green play button. A new window opens that represents a physical display connected to the machine you just created, showing the first menu of pfSense

The first screen we get is the pre-boot option where pfSense asks what type of environment we would like to use. You have a 10 second window to select it manually, after that autoboot will boot the default recommended environment for us



Now you will see a lot of text fly over the screen until it stops and prompts you to select between Recovery mode or Installation mode, again you have 10 seconds to select, otherwise it will start the installation mode

[Recovery mode is used to recover the configuration xml files from a non-working system before you wipe the drive and reinstall pfSense on to it]



Now at this screen it will ask you to set your current screen resolution, keyboard layout and video fonts, I just accept the default settings



Next it will ask if you want to do a quick and easy install or set some advanced options like RAID and other custom hardware options. You once again get the option to do a recovery of the system if you missed the first selection. Since this is a brand new install as a VM I select the quick and easy option



It will now ask for confirmation of your settings and warn you that this option is going to wipe and format the disk and all your files will be lost. Don't worry, you will not lose anything as it uses a virtual file as its hard drive; however, if this had been a physical device it would have wiped all the files from it



Now that the installation has started it will progress up to 50% and then ask what kernel you want to use. The options are Standard Kernel and Embedded Kernel, No VGA; the only difference is that the embedded kernel is for devices with no graphical connection for a monitor, so I select Standard Kernel





After the selection of kernel it will finish the installation process, and when it reaches 100% it will ask you to reboot or drop down to the console and shell menu in case you want to make some last minute custom changes to the system. I choose reboot



Now if everything went ok with the installation process you should see the same preboot options for multi user or single user mode. When the timer has expired a lot of text should fly over the screen and you should end up with a screen saying "Welcome to pfSense 2.3.3" that gives you 16 different options like this



As you can see I have gotten an IP address of 192.168.1.198/24 on my WAN interface but I am missing the famous 192.168.1.1 IP on the LAN interface. The reason is that my WAN already got an address in 192.168.1.0/24 from the home router, and pfSense will not configure its default LAN address of 192.168.1.1/24 on top of that, since the same subnet on both sides of the firewall cannot be routed or NATed. So we need to manually tell it what network and IP to use on the LAN interface so that we can connect to it and configure it from the WebGUI. To set a network and IP manually enter option 2 Set Interface(s) IP Address

[At this stage I have seen some issues where it mixes up the LAN and the WAN interfaces, so that it assigns the LAN interface as WAN and gives you the 192.168.1.1 IP on LAN but no IP on WAN. If that is the case you need to use option 1 Assign Interfaces]

You will now get a series of questions about which interface to change and what the new IP address and subnet mask for this interface should be. It will also ask about gateway options, the DHCP server, and whether we would like to set the WebGUI to HTTP instead of HTTPS (answer no here and keep HTTPS, the admin password should never travel in clear text)

I select the following

Option 2 Set Interface(s) IP Address
2 for LAN
IP: 10.99.99.1
Subnet: /24  - 255.255.255.0
Gateway: blank - press enter to skip
DHCP Start: 10.99.99.100
DHCP Stop: 10.99.99.200
Set WEBGUI to HTTP: NO





When all the options are set and pfSense has finished processing the new values you are given a summary of what has been done, in this case the LAN IP was changed and WebGUI access enabled on https://10.99.99.1, and asked to press enter to continue back to the shell menu



Now at the shell menu you should verify that the WAN interface has the same IP range and network as your home router and your main computer (192.168.1.XX) and that the LAN interface has the correct IP that we just set, 10.99.99.1. If all this matches up then congratulations, we are now done with the installation process and ready to connect to the pfSense WebGUI where all the magic and configuration happens



6. Configuration of a LAN client

So far we have installed and configured pfSense inside a VM in VMware Workstation, but we have no way to actually connect to it and use its features in any meaningful way, so the next step is to create a second VM and install your favorite desktop OS. What you use here should be the OS you prefer; for simplicity I use a Windows 7 install with Firefox on it so everyone can follow. I use Windows 7 as that is what I have access to and a license for when writing this guide

For my Windows 7 LAN client I use the following setup:

Memory = 4096 MB
Processor = 4 (1 processor with 4 cores per processor)
Hard Disk = 25 GB
DVD = ISO image: file location of the Windows 7 ISO file, mine is "C:\Users\noman\Downloads\Win7.iso"
Network Adapter = Custom (VMnet3)
Display = Auto Detect
 
You will need to adjust these settings according to the minimum requirements of your chosen OS. The only important part here is that you set the Network Adapter to Custom on VMnet3, so that the client is connected to the same network as our pfSense LAN interface.



When you boot your LAN client you should verify network connectivity and check that it has been assigned the correct IP and network. Since I am using Windows 7 as my client computer, I verify this using CMD.exe with the ipconfig and ping commands.

1. Open CMD.exe
2. Run command ipconfig /all
Here you would look for the following details

IPv4: 10.99.99.100
Subnet mask: 255.255.255.0
Gateway: 10.99.99.1
DHCP: 10.99.99.1
DNS: 10.99.99.1

3. Check for internet connectivity using the ping command

ping 8.8.8.8

ping google.com

The first ping checks basic internet connectivity by IP address; the second checks that DNS resolution through pfSense works as well (the client's DNS server is 10.99.99.1, so pfSense is resolving the name for it).



If all of this is working as it should and you can access the internet we are now ready to start configuring pfSense from its WEBGUI
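As an added example, not part of the original post, the following Python script automates the check above: it parses the output of `ipconfig /all` and verifies that the client is on the 10.99.99.0/24 LAN, inside the 10.99.99.100-200 DHCP pool, and that gateway, DHCP server and DNS all point at pfSense (10.99.99.1). The two ipconfig transcripts embedded in it are constructed samples (host name, adapter description and MAC address are placeholders); on a real Windows client it runs the actual command instead. The ping test stays manual.

```python
"""Lab check: is this client really on the pfSense LAN as configured above?

Added example, not code from the original post or from pfSense.
"""
import ipaddress
import re
import subprocess
import sys

PFSENSE_LAN_IP = ipaddress.ip_address("10.99.99.1")
LAN_NET = ipaddress.ip_network("10.99.99.0/24")
DHCP_POOL = (ipaddress.ip_address("10.99.99.100"), ipaddress.ip_address("10.99.99.200"))

# ipconfig label -> short key; only the first adapter with an IPv4 lease is used
FIELDS = {
    "IPv4 Address": "ip",
    "Subnet Mask": "mask",
    "Default Gateway": "gateway",
    "DHCP Server": "dhcp",
    "DNS Servers": "dns",
}
LINE_RE = re.compile(r"^\s*([A-Za-z0-9 -]+?)[ .]*:\s*(.*)$")


def parse_ipconfig(text):
    """Extract the fields in FIELDS from 'ipconfig /all' output."""
    found = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        label, value = m.group(1).strip(), m.group(2).strip()
        key = FIELDS.get(label)
        if key and key not in found and value:
            # Windows appends "(Preferred)" to the IPv4 address
            found[key] = value.replace("(Preferred)", "").strip()
    return found


def check_lease(fields):
    """Return a list of problems; an empty list means the lease matches pfSense."""
    try:
        ip = ipaddress.ip_address(fields["ip"])
    except (KeyError, ValueError):
        return ["no IPv4 address: DHCP gave no lease (is the adapter on VMnet3?)"]
    problems = []
    if ip not in LAN_NET:
        problems.append(f"{ip} is not in {LAN_NET}: adapter is probably on the wrong VMnet")
    elif not DHCP_POOL[0] <= ip <= DHCP_POOL[1]:
        problems.append(f"{ip} is outside the DHCP pool {DHCP_POOL[0]}-{DHCP_POOL[1]}")
    if fields.get("mask") != str(LAN_NET.netmask):
        problems.append(f"subnet mask is {fields.get('mask')}, expected {LAN_NET.netmask}")
    for key in ("gateway", "dhcp", "dns"):
        if fields.get(key) != str(PFSENSE_LAN_IP):
            problems.append(f"{key} is {fields.get(key)}, expected {PFSENSE_LAN_IP}")
    return problems


# Constructed sample: the client on VMnet3 with a lease from pfSense.
GOOD_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WIN7-LAB
   Primary Dns Suffix  . . . . . . . :

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : vmlab.lan
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 00-0C-29-00-00-01
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 10.99.99.100(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.99.99.1
   DHCP Server . . . . . . . . . . . : 10.99.99.1
   DNS Servers . . . . . . . . . . . : 10.99.99.1
"""

# Constructed sample: same client with its adapter left on a VMnet that reaches
# the home router, so the lease comes from 192.168.1.1 instead of pfSense.
WRONG_VMNET_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.57(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
"""


def main():
    if sys.platform == "win32":
        text = subprocess.run(["ipconfig", "/all"], capture_output=True, text=True).stdout
    else:
        text = GOOD_IPCONFIG  # not on Windows: fall back to the constructed sample
    problems = check_lease(parse_ipconfig(text))
    print("OK: client is on the pfSense LAN" if not problems else "\n".join(problems))


if __name__ == "__main__":
    main()
```

Run it on the Windows 7 client after it boots; any line it prints other than "OK" tells you which of the five values the DHCP lease got wrong, which almost always means the VM's network adapter is on the wrong VMnet.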

4. Connecting to pfSense WEBGUI for the first time

Now it is time to open your favorite web browser and navigate to the pfSense WEBGUI at https://10.99.99.1/. You would probably expect a login page, but instead you are met by a warning that the site is not secure or the connection is not private. This is expected: pfSense ships with a self-signed TLS certificate, and modern browsers do not trust self-signed certificates by default. Because this is your own lab firewall on an isolated network and you typed its LAN address yourself, you can add an exception for it and move on (later you can replace the certificate with one your browsers trust, but that is outside this guide).



In Firefox you do the following:

1. Click on Advanced button
2. In this new box click Add exceptions



Finally you should see a web page with the pfSense logo asking for a username and password. When you log in for the first time, pfSense will ask you to follow a setup wizard, and it is recommended that you follow it the first time you configure it.

7. pfSense Setup Wizard and General Settings

Now we can log in to pfSense with the default username and password to start the online setup wizard:

Username: admin
Password: pfsense



Since it is the first time you log in to the pfSense WEBGUI, you are prompted to follow a configuration wizard. If you feel you have a clear understanding of firewall and router setups you can skip it by clicking one of the pfSense logos on the screen, but I recommend that you complete the wizard as a first-time pfSense user.



On the next screen you get information about the "Gold Subscription" for $99 USD per year. This is strongly recommended when using pfSense in a production network, as you get things like the auto backup feature, access to the full version of the book, and monthly hangouts with pfSense people who show tips and tricks on what and how to configure a lot of the advanced features. For a test setup like this you can skip it.



Now you are prompted to set the general information about your system and asked about Hostname, Domain and DNS Server. I use the following settings

Hostname: pfSense
Domain: vmlab.lan
Primary DNS: 192.168.1.1
Secondary DNS: 8.8.8.8
Override DNS: NO (unchecked, so the DNS servers above are used rather than whatever the home router hands out to the WAN interface over DHCP)



Next we are asked for our location and time zone so the NTP service can sync the clock. I use the generic time server 0.pfsense.pool.ntp.org and select the city closest to me, Europe/Oslo; select the one closest to you. You can also find local NTP servers at ntp.org, more on that in a later guide.



Now we set up WAN / internet access. Here you would usually enter the information received from your ISP, but in our setup it is your normal home router network that serves as internet access, so what you set here depends on the settings of the home router. My recommendation is to leave the defaults and only set the DHCP Hostname value:

Type: DHCP
MTU: 1500
DHCP Hostname: pfSense.vmlab.lan
Block RFC1918 Private Networks: not checked (the WAN sits on the home router's private 192.168.1.0/24 network, so blocking private source addresses on WAN would block anything the home network initiates towards pfSense)
Block bogon networks: not checked



The next page asks about the LAN settings. Since we already set these in the shell console, just go ahead; nothing needs to be changed.



Set a new administrator password. The choice of password is up to you, but changing it is highly recommended: the default admin/pfsense pair is public knowledge and is the first thing anyone who reaches the WEBGUI will try.



Press Reload to apply all the settings we set and move on.



Confirmation that the wizard is complete and that pfSense is ready for use, click on the logo to get to the main page also called the dashboard in pfSense



Now you get to see a fancy status page. This is the dashboard, where you can quickly get information about what is going on in your firewall, and it is also the first page you see when you log in.



8. Driver installation

If this had been a normal physical machine we would be finished now, but since we run this in a virtual machine we will install VMware Tools, which is the "driver" package for all the machines you install in VMware. Go to System -> Package Manager.



Select Available Packages and search for "open"; Open-VM-Tools will appear, then click Install.



You will now be asked if you confirm the installation of this additional package



It now starts working; you will see a status bar at the top and some text scrolling over the screen while it installs.



Get back to the dashboard by pressing the pfSense logo. Congratulations, you now have a fully functional installation of pfSense running in VMware Workstation on a separate test network.

This concludes this part of the guide series. I have content for a lot more guides and tutorials on pfSense packages and configurations, and I will use this as the base system to work from, so everyone has a common point of reference for the core system and settings when we get into the more advanced features of pfSense.

If you follow this guide and it does not work for you or it breaks your system, I am not responsible or liable for that: you should not take anything you read on the internet at face value, and you should test settings like this in a lab environment and not on your production servers.


9
News from the Admin team / New Board for Guide and Tutorials
« on: April 27, 2017, 07:41:58 AM »
I have created a new board for tested and confirmed working configuration guides and how-to tutorials that is only accessible to registered and active users. This board is organized per specific system, unless the topic is generic and cross-platform, as it is for many Windows and Linux based configurations and services.

Thanks
Admin Team

10
HOW-TO: Use pfSense to separate web browsing and gaming traffic:

1. Get 2 different ISP connections so you can split the traffic across 2 different gateways.

2. Configure and define your WAN1 and WAN2 interfaces in pfSense.

3. Configure and define 2 different gateways in pfSense, also removing the "Default" gateway option from the system.

4. Define which PORTS the GAMING traffic uses and put them in a PORT-type alias (lots of testing and failing is needed to get this right).

5. Define which IPs the GAMING traffic uses and put them in a HOST-type alias (lots of testing and failing is needed to get this right).

6. Create an alias for the web-browsing PORTS, TCP 80 and TCP 443, for HTTP and HTTPS websites.

7. Delete all current firewall rules on the LAN interface, as they can conflict with the traffic separation and the policy-based routing (PBR) rules needed for this setup. (Make sure the anti-lockout rule is still enabled before you do this, or you will lose access to your firewall; it is enabled by default and is controlled under System > Advanced.)

8. Create a firewall rule for GAMING traffic: Pass TCP/UDP from Source: LAN net to Destination: alias GamingIP, Destination port: alias GamingPorts, Gateway: WAN1.

9. Create a firewall rule for web-browsing traffic: Pass TCP from Source: LAN net to Destination: any, Destination port: alias BrowsingPorts, Gateway: WAN2.

10. Save, apply and then reboot your firewall. Test, and adjust the GamingIP and GamingPorts aliases as needed to add or remove connectivity for a game on a per-game basis.
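As an added example (not pfSense code or configuration, and not part of the original post), the Python model below walks sample flows through the LAN rule set that steps 7-9 leave you with, the way pfSense does: rules are evaluated top down, the first match wins and sets the gateway, and a flow that matches nothing hits the implicit default deny. It then does the same for the set with two extra rules commonly added around policy routing: a "Local" pass rule before any rule that sets a gateway, so traffic to the firewall and the LAN is never pushed out a WAN, and a "Catch-all" so DNS, ICMP and every other port still leave through one WAN. The GamingIP range (RFC 5737 space), the gaming ports, the flow addresses and the two rule names are constructed for the example; WAN2 as the catch-all gateway is an assumption.

```python
"""First-match model of the pfSense LAN rules from steps 7-9 (added example)."""
import ipaddress
from dataclasses import dataclass

LAN_NET = ipaddress.ip_network("10.99.99.0/24")    # LAN from the VMware guide
FIREWALL_IP = ipaddress.ip_address("10.99.99.1")
WEBGUI_PORT = 443                                   # HTTPS WebGUI kept in the wizard

# Aliases from steps 4-6. Gaming values are placeholders you replace after testing.
ALIASES = {
    "GamingIP": [ipaddress.ip_network("203.0.113.0/24")],
    "GamingPorts": [(3074, 3074), (27000, 27031)],
    "BrowsingPorts": [(80, 80), (443, 443)],
}


@dataclass(frozen=True)
class Flow:
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0   # unused for icmp


@dataclass(frozen=True)
class Rule:
    name: str
    protos: tuple             # ("tcp", "udp"); ("any",) matches every protocol
    dst: str                  # "any", "LAN net", "This Firewall" or an alias name
    ports: str                # "any", "webgui" (anti-lockout) or a port alias name
    gateway: str = "default"  # "default" = normal routing table, else gateway name


def _dst_matches(rule, dst_ip):
    if rule.dst == "any":
        return True
    if rule.dst == "LAN net":
        return dst_ip in LAN_NET
    if rule.dst == "This Firewall":
        return dst_ip == FIREWALL_IP
    return any(dst_ip in net for net in ALIASES[rule.dst])


def _port_matches(rule, flow):
    if rule.ports == "any":
        return True
    if flow.proto not in ("tcp", "udp"):
        return False                              # only TCP/UDP carry ports
    if rule.ports == "webgui":
        return flow.dport in (WEBGUI_PORT, 22)    # what the anti-lockout rule covers
    return any(lo <= flow.dport <= hi for lo, hi in ALIASES[rule.ports])


def evaluate(rules, flow):
    """Return (action, gateway, rule name) for a flow entering on LAN; first match wins."""
    dst_ip = ipaddress.ip_address(flow.dst)
    for rule in rules:
        if "any" not in rule.protos and flow.proto not in rule.protos:
            continue
        if _dst_matches(rule, dst_ip) and _port_matches(rule, flow):
            return ("pass", rule.gateway, rule.name)
    return ("block", None, "default deny")


ANTI_LOCKOUT = Rule("anti-lockout", ("tcp",), "This Firewall", "webgui")
GAMING = Rule("Gaming", ("tcp", "udp"), "GamingIP", "GamingPorts", gateway="WAN1")
BROWSING = Rule("WebBrowsing", ("tcp",), "any", "BrowsingPorts", gateway="WAN2")

# Exactly the rule set steps 7-9 leave you with.
POST_RULES = [ANTI_LOCKOUT, GAMING, BROWSING]

# Same set plus a local pass rule *before* any policy-routed rule and a catch-all.
HARDENED_RULES = [
    ANTI_LOCKOUT,
    Rule("Local", ("any",), "LAN net", "any"),
    GAMING,
    BROWSING,
    Rule("Catch-all", ("any",), "any", "any", gateway="WAN2"),
]

# Constructed sample flows from the LAN client 10.99.99.100.
SAMPLE_FLOWS = {
    "game": Flow("udp", "10.99.99.100", "203.0.113.5", 3074),
    "browse": Flow("tcp", "10.99.99.100", "198.51.100.7", 443),
    "webgui": Flow("tcp", "10.99.99.100", "10.99.99.1", 443),
    "dns": Flow("udp", "10.99.99.100", "10.99.99.1", 53),
    "ping": Flow("icmp", "10.99.99.100", "8.8.8.8"),
}


def decisions(rules):
    """Map each sample flow name to (action, gateway)."""
    return {name: evaluate(rules, flow)[:2] for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, rules in (("steps 7-9 as written", POST_RULES),
                         ("with Local + Catch-all", HARDENED_RULES)):
        print(label)
        for name, flow in SAMPLE_FLOWS.items():
            action, gw, rule = evaluate(rules, flow)
            print(f"  {name:7} -> {action:5} via {gw or '-':8} ({rule})")
```

Run as written, the model shows the gaming and browsing flows going out WAN1 and WAN2 as intended, but also that the client's DNS query to pfSense (UDP 53) and a plain ping are dropped by the default deny, because nothing in steps 7-9 passes them; that is why "ping google.com" stops working after step 10 until you add a local pass rule and a catch-all. Keep the local rule above every rule that sets a gateway, otherwise traffic for the firewall or other LAN hosts is policy-routed out a WAN.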

If you follow this guide and it does not work for you or it breaks your system, I am not responsible or liable for that: you should not take anything you read on the internet at face value, and you should test settings like this in a lab environment and not on your production servers.

11
vmware: What is The Difference between vSphere, ESXi and vCenter

First a shout-out to Vladan SEGET, who is the original writer of this content; if you find this post useful you should look at the original article at: https://www.vladan.fr/

This post is not a deep dive, and it's not even very technical. We'll focus on VMware terminology. It is just a quick post for folks unsure about the differences between the base VMware products. Almost everyone knows ESXi, but the difference between vSphere and vCenter? People are often confused and unsure, but those answers are rather simple. Let's get through this to clear any doubts. This post will teach you what the difference is between VMware vSphere, ESXi and vCenter.

Launched in 2001, VMware ESX (formerly known as VMware ESX Server) has started the virtual revolution. Today, VMware is leading data center virtualization company (now part of Dell). Every year and a half there is usually a full release of new software which adds new features and also assures compatibility for new hardware, such as NVMe SSDs, very large Hard disk drives or latest Intel or AMD CPUs.

VMware ESXi
ESXi is the hypervisor. It is the (very tiny) piece of software which installs on a single physical server (host) and allows several different operating systems (OS) to run side by side. Those OS are completely separated from one another but can communicate via a network with the rest of the world, with the rest of the computers running on the Local Area Network (LAN). The operating systems run in virtual machines (VMs), where each VM has virtual hardware (CPU, memory, disk).

VMware ESXi has a free and a paid version. The free version is somewhat limited, allows limited scale and cannot be managed via a central management server (vCenter). However, the free ESXi (also called VMware ESXi Hypervisor) can connect to remote storage where VMs can be created, stored and executed. This means that the remote storage can be shared between several ESXi hosts, but not the VMs. The VMs are owned by each ESXi host, so no central management is possible with this option.

The usage of ESXi Free is obvious. Learning, testing workflows, small DR tests, validating architectural decisions. By using snapshots, you can also validate windows patches. Example, you might want to create an isolated clone of your production server by using VMware Converter and P2V technology, and you want to test a big Microsoft service pack before rolling it directly into the production environment, and possibly causing a downtime.

VMware vCenter
VMware vCenter server is a central piece of software which allows central management of the whole infrastructure. From a single console, you can do pretty much everything. vCenter server can be installed on Windows, but also deployed as a virtual appliance (pre-configured VM) with a Photon OS (Linux) which is very fast booting Linux distribution. This swap to the Photon OS is quite recent, where VMware used Suse Linux Enterprise Server (SUSE).

vCenter server is a licensed piece of software. There are two options to buy vCenter server:

vCenter Server Essentials – As a part of vSphere Essentials, Essentials Plus bundle. This version of the vCenter server (also called vCenter Server Essentials) is good to manage up to 3 hosts with up to 2 physical CPU each. If you’re a small customer, you can imagine running comfortably about 60 VMs, then this solution might be well suited. With the “essentials” kit you got not only vCenter server license but also licenses for ESXi (3 hosts with up to 2CPU each).
Standalone vCenter Server – The full-blown vCenter server, which can manage up to 2000 hosts with up to 25000 powered-on VMs. This is the vCenter server license only. Shop for different vCenter server editions here. vCenter itself is just one part of the licensing puzzle. You need to have a license for each of your connected ESXi hosts in order to manage them from a single central location. This licensing has basically 3 different flavors (Standard, Enterprise, Enterprise Plus) and it counts per physical CPU. So if you're planning to have a host with 2 physical CPUs, you'll need to have 2 licenses just for that particular host.

VMware vSphere
VMware vSphere is the commercial name for the whole VMware suite. As I mentioned, the pricing differs, but one of the lower-cost bundles is vSphere Essentials or Essentials Plus. The difference between those two? There are some. Everything is in the packaging and features, not the actual software.

Depending on the licensing you apply, the infrastructure “unlocks” more features accessible via vSphere Web client. Note that there is also vSphere HTML 5 client, but its functions are for now, limited. VMware continues its development.

Here is the View from the VMware vSphere console after connection to the vCenter server.



Differences between Essentials and Essentials PLUS below. As you can see Essentials does not have High Availability (automatic VM restart), vMotion, backup software (VDP) or possibility to add VSAN as shared storage option (separate licensing option – per physical CPU).



The Essentials is good for very small clients and clients which do not really need availability. Clients which can afford to stay “offline” for a day while doing hardware maintenance. On the other hand, having the possibility to migrate your VMs to another host and do a host maintenance or patching, without interruption, gives you a real advantage. This can be done during business hours and users can continue to work.

Also, if there is an unplanned hardware failure, vSphere High Availability (HA) can automatically restart the VMs which failed when the host failed. Those VMs are automatically restarted on other hosts which are part of the VMware cluster. There is a small downtime during which the system figures out which host has failed and which hosts are able to start the failed VMs. Those hosts must have enough available capacity in terms of memory and CPU. Once this automatic decision is taken, the VM boots up. The whole process is completely automatic and acts without the admin's intervention.

Wrap up
As you can see, the VMware terminology is not so complicated and the difference between ESXi, vSphere or vCenter are not that hard to learn. We have also some deep dives and how-to articles which are part of the vSphere 6.5 (or vSphere 6.0 page, if you’re still on vSphere 6.0). VMware licensing is quite coherent. While the hypervisor itself is free, with limited functions, it’s clearly difficult to put such a host into a production environment without taking a risk of a data loss. The Free ESXi is meant to be used for testing environments only.

Only with a reliable and solid backup solution which allows you to back up running VMs is it possible to move workloads into production and say that at any time you can restore if anything goes wrong. Malware and crypto-lockers were never more active than today, and they are not only targeting individuals but also enterprises. What to do when all your data is encrypted by some crypto-ransomware? The only way, without paying the ransom, is to restore from the backup location. That's why it is important to back up, but also to copy the backed-up data to a secondary location.
