// block access to .svn dirs
// should be done server-wide if you can (another snippet)

<IfModule mod_rewrite.c>
  RewriteRule ^(.*/)?\.svn/ - [F,L]
  ErrorDocument 403 "Access Forbidden"
</IfModule>

// A method for installing LightTPD, PHP, MySQL on FreeBSD
// All source is stored in /usr/local/src
// Source tarballs are in /usr/local/src/tarballs

// nginx web server install on FreeBSD 6.2
// Links:
// http://wiki.codemongers.com/Nginx
// http://blog.kovyrin.net/category/web-tech/nginx/
// http://blog.kovyrin.net/2006/05/30/nginx-php-fastcgi-howto/
// http://blog.kovyrin.net/files/nginx-conf/php-fcgi.nginx.conf
// http://sysoev.ru/nginx/download.html

su
cd /usr/local/src/tarballs
fetch http://sysoev.ru/nginx/nginx-0.5.20.tar.gz
cd ..
tar zxvf tarballs/nginx-0.5.20.tar.gz
cd tarballs/nginx-0.5.20
less README 
  The English documentation is available at http://nginx.net

# Some configuration options:
PREFIX: Let -prefix= default to /usr/local/nginx
--with-cc-opt="-I /usr/local/include"

# from http://wiki.codemongers.com/NginxInstall:
# --with-cc-opt=OPTIONS - Additional parameters which will be added to the variable CFLAGS.
# With the use of the system library PCRE in FreeBSD, it is necessary to indicate 
# --with-cc-opt="-I /usr/local/include". If we are using select() and it is necessary
# to increase the number of file descriptors, then this also can be assigned here:
# --with-cc-opt="-D FD_SETSIZE=2048".

# Look for configuration options:
./configure --help

# Make directory for log files (my preferences!)
mkdir /var/log/nginx
mkdir /var/log/nginx/drupal
chmod -R 777 /var/log/nginx

mkdir /usr/local/etc/nginx
chown www /usr/local/etc/nginx
chmod 775 /usr/local/etc/nginx

# I tell it where to put the nginx binary. Specifically not in the path. Scripts will start it.
# I like to put conf files in /usr/local/etc/
# I like to put pid files in /var/run
# I have PCRE in /usr/local/include (look for pcre.h)
./configure \
  --sbin-path=/usr/local/nginx/nginx \
  --conf-path=/usr/local/etc/nginx/nginx.conf \
  --pid-path=/var/run/nginx.pid 
  --with-cc-opt="-I /usr/local/include/pcre"

Configuration summary
  + threads are not used
  + using system PCRE library
  + OpenSSL library is not used
  + md5 library is not used
  + sha1 library is not used
  + using system zlib library

  nginx path prefix: "/usr/local/nginx"
  nginx binary file: "/usr/local/nginx/nginx"
  nginx configuration file: "/usr/local/etc/nginx/nginx.conf"
  nginx pid file: "/var/run/nginx.pid"
  nginx error log file: "/usr/local/nginx/logs/error.log"
  nginx http access log file: "/usr/local/nginx/logs/access.log"
  nginx http client request body temporary files: "/usr/local/nginx/client_body_temp"
  nginx http proxy temporary files: "/usr/local/nginx/proxy_temp"
  nginx http fastcgi temporary files: "/usr/local/nginx/fastcgi_temp"

make
make install

cd /usr/local/nginx
total 1492
drwxr-xr-x  2 root  wheel      512 May 16 15:56 html
drwxr-xr-x  2 root  wheel      512 May 16 15:56 logs
-rwxr-xr-x  1 root  wheel  1495320 May 16 15:56 nginx
v4# ls -l /usr/local/etc/nginx
total 28
-rw-r--r--  1 root  wheel  2837 May 16 15:56 koi-utf
-rw-r--r--  1 root  wheel  2223 May 16 15:56 koi-win
-rw-r--r--  1 root  wheel  2944 May 16 15:56 mime.types
-rw-r--r--  1 root  wheel  2944 May 16 15:56 mime.types.default
-rw-r--r--  1 root  wheel  2702 May 16 15:40 nginx.conf
-rw-r--r--  1 root  wheel  2702 May 16 15:56 nginx.conf.default
-rw-r--r--  1 root  wheel  3610 May 16 15:56 win-utf

# Here's my nginx.conf file
# Note that I serve Drupal (drupal.org) with it.
# I use PHP5 and fastcgi (with spawn-fcgi from the lighttpd installation)
##############################################
user  www;
worker_processes  1;

error_log   /var/log/nginx/error.log debug;

pid         /var/log/nginx/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       /usr/local/etc/nginx/mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    #tcp_nopush     on;
    #keepalive_timeout  0;
    keepalive_timeout  65;
    #gzip  on;
    
    server {
        # Test operations on port 81.
        #listen          81;
        # Normal operations on port 80.
        listen               80;
        server_name     domain.com alias1.domain.com alias2.domain.com;
        access_log      /var/log/nginx/drupal/access.log;

        location / {
            index index.php;
            root  /var/www/drupal;
        }

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        location ~ \.php$ {
            include /usr/local/etc/nginx/fastcgi.conf;
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
        }
    }

}
##################################################

# Here's my fastcgi.conf file:
##################################################
#fastcgi.conf
fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx;

fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_FILENAME    /var/www/drupal$fastcgi_script_name;
fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;
##################################################

# Test nginx configuration
/usr/local/nginx/nginx -t -c /usr/local/etc/nginx/nginx.conf
2007/05/16 16:10:37 [info] 6369#0: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
2007/05/16 16:10:37 [info] 6369#0: the configuration file /usr/local/etc/nginx/nginx.conf was tested successfully

# Run it on port 81. Note that conf file was modified. Change it back for production use.
# First spawn an FCGI process to pass PHP scripts to.
# php was compiled like this:
# ./configure --enable-cgi --enable-fastcgi --enable-force-redirect (plus more flags)
# so PHP resides in /usr/local/bin/
# Note I specified port 9000 in the nginx.conf file. Must match here:
/usr/local/bin/spawn-fcgi -f /usr/local/bin/php -a 127.0.0.1 -p 9000 -u www

// output: spawn-fcgi.c.190: child spawned successfully: PID: 6414

# Then start the nginx.
/usr/local/nginx/nginx -c /usr/local/etc/nginx/nginx.conf

ps ax | grep nginx

// output:
// 6425  ??  Ss     0:00.00 nginx: master process /usr/local/nginx/nginx -c /usr/local/etc/nginx/nginx.conf (nginx)
// 6426  ??  S      0:00.00 nginx: worker process (nginx)

# Now we have to try it on port 80 to see if Drupal works
# Graceful shutdown of server
kill -15 6425

# Edit .conf file, restart:
/usr/local/nginx/nginx -c /usr/local/etc/nginx/nginx.conf

ps ax | grep nginx

// output:
// 6447  ??  Ss     0:00.00 nginx: master process /usr/local/nginx/nginx -c /usr/local/etc/nginx/nginx.conf (nginx)
// 6448  ??  S      0:00.00 nginx: worker process (nginx)

# restart the server gracefully if necessary. Just need pid.
kill -HUP 6447

// A method for installing LightTPD, PHP, MySQL on FreeBSD
// All source is stored in /usr/local/src
// Source tarballs are in /usr/local/src/tarballs
// Note this works pretty much the same on Mac OS X
// and I've done it on Ubuntu 6.06

# Have to do this via my Mac because of all the mirror servers
# I use scp to copy from Mac to FreeBSD box
# Downloaded into /usr/local/src/taballs:
- php-5.2.0.tar.bz2 from http://www.php.net/downloads.php
- mysql-5.0.27.tar.gz from http://dev.mysql.com/downloads/mysql/5.0.html#downloads

# On FreeBSD box
cd /usr/local/src
cd tarballs
fetch http://mirrors.cat.pdx.edu/lighttpd/lighttpd-1.4.13.tar.gz
cd ..
tar xzvf tarballs/php-5.2.0.tar.bz2
tar zxvf tarballs/mysql-5.0.27.tar.gz
tar zxvf tarballs/lighttpd-1.4.13.tar.gz

MySQL first
=======================================================
# Shut down MySQL:
/usr/local/mysql/bin/mysqladmin -u root -p shutdown
cd mysql-5.0.27
./configure --prefix=/usr/local/mysql \
            --localstatedir=/usr/local/mysql/data \
            --enable-assembler \
            --with-mysqld-ldflags=-all-static CFLAGS="-O3" CXX=gcc CXXFLAGS="-O3 \
            -felide-constructors -fno-exceptions -fno-rtti"

# Change to root
su

# I like to run the process in the background (&),
# redirect the output to a log file,
# and tail -f the log file.

# Make it:
make > ~/mysql_make.log &
# Watch the make:
tail -f ~/mysql_make.log

# Install it:
make install > ~/mysql_install.log &
# Watch the install:
tail -f ~/mysql_install.log

PHP as a CGI:
=====================================================================
cd /usr/local/src/php-5.2.0

# Make sure curl is where we think it is
locate curl | grep include

# Configure it
./configure --with-xml --with-zlib --with-mysql=/usr/local/mysql \
            --with-mysqli=/usr/local/mysql/bin/mysql_config \
            --with-curl=/usr/local/include \
            --enable-cgi --enable-fastcgi \
            --enable-force-redirect \
            > ~/phpconfig.log &
tail -f ~/phpconfig.log

# Edit the Makefile to eliminate duplicates in the EXTRA_LIBS line
pico Makefile
# New: EXTRA_LIBS = -lcrypt -lmysqlclient -liconv -lcurl -lz -lm -lxml2 -lssl -lcrypto

# Make it
make > ~/php_make.log &
tail -f ~/php_make.log

# Install it
make install > ~/php_install.log &
tail -f ~/php_install.log

LightTPD:
=================================================================
# Check requirements
locate libpcre
locate libz

# If those aren't there, find them in ports and install

cd /usr/local/src/lighttpd-1.4.11
./configure --prefix=/usr/local --with-pcre=/usr/local

# Make it
make > ~/lighttpd_make.log &
tail -f ~/lighttpd_make.log

# Install it
make install > ~/lighttpd_install.log &
tail -f ~/lighttpd_install.log

# Start MySQL
/usr/local/etc/rc.d/mysql.server.sh start
@HOSTNAME@: not found
@HOSTNAME@: not found
Starting MySQL. SUCCESS!

# Check MySQL version
/usr/local/mysql/bin/mysqladmin -v
/usr/local/mysql/bin/mysqladmin  Ver 8.41 Distrib 5.0.27, for unknown-freebsd6.0 on i386

# Add mysql to the path for root.
cd
pico .cshrc
 set path = (/sbin /bin /usr/sbin /usr/bin /usr/games /usr/local/sbin /usr/local/bin /usr/X11R6/bin $HOME/bin)
     becomes
 set path = (/sbin /bin /usr/sbin /usr/bin /usr/games /usr/local/sbin /usr/local/bin /usr/X11R6/bin $HOME/bin /usr/local/mysql/bin)

# Use the lighttpd.conf file I have posted separately
# Requires use of /var/log/lighttpd log directory
mkdir /var/log/lighttpd
chmod 777 /var/log/lighttpd

# Test the server?
lighttpd -f /usr/local/etc/lighttpd.conf
ps ax | grep light
59463  ??  S      0:00.02 lighttpd -f /usr/local/etc/lighttpd.conf
59537  p0  R+     0:00.00 grep light

# To shut off the server
# pid file is in /var/run/lighttpd.pid

A nice commandline walkthrough. Replace 'eyebeam' with your org name

# setting up apache2 + SSL on FreeBSD
# a list of commands you can copy/paste!
# @author Jamie Wilkinson <[email protected]>
# ganked from <http://www.freebsdmadeeasy.com/tutorials/web-server/apache-ssl-certs.php>

# edit /etc/openssl.conf to set some nice defaults for location, org. name, etc.
# important! change the default dir ./demoCA to /root/sslCA


# setup
cd ~root/
mkdir sslCA
chmod 700 sslCA
cd sslCA
mkdir certs private newcerts
echo 1000 > serial
touch index.txt

# generate certs
openssl req -new -nodes -out eyebeam-req.pem -keyout private/eyebeam-key.pem -config /etc/ssl/openssl.cnf
openssl req -new -x509 -days 3650 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -config /etc/ssl/openssl.cnf
openssl ca -config /etc/ssl/openssl.cnf -out eyebeam-cert.pem -days 3650 -infiles eyebeam-req.pem 

# keep them somewhere handy
mkdir /etc/ssl/crt
mkdir /etc/ssl/key
cp ~root/sslCA/eyebeam-cert.pem /etc/ssl/crt
cp ~root/sslCA/private/eyebeam-key.pem /etc/ssl/key

# add below to an ssl.conf that you include in your httpd.conf
<VirtualHost *:443>
        ServerName colossus.eyebeam.org:443
        SSLEngine on
        SSLCertificateFile /etc/ssl/crt/eyebeam-cert.pem
        SSLCertificateKeyFile /etc/ssl/key/eyebeam-key.pem
        DocumentRoot /www
        CustomLog /var/log/httpd-ssl-access.log combined
        ErrorLog /var/log/httpd-ssl-error.log
</VirtualHost>

cd /usr/ports/net/openldap23-server
sudo make install WITH_ODBC=y WITH_ODBC_TYPE=unixodbc

More to come on configuring the beast and accompanying phpLDAPadmin...

{Disclaimer: these were with FreeBSD 5. FreeBSD 6 doesn't seem to have the same issues}

Netperf server running on yumi.textdrive.com (solaris nevada build) and comox.textdrive.com (freebsd 5.4).

Tested from emi.textdrive.com (solaris) and pacific.textdrive.com (freebsd)

Restricted to one 3.2 Ghz Intel Xeon CPU

Representative numbers below and maximum of a gigabit is 128MB/sec

Also done with file sizes of 6400 and 64000 with insignificant differences

---------
LOOPBACKS
---------

Loopback speeds comox -> comox via private IP (All FreeBSD)

# /usr/local/netperf/netperf -fM -H private.comox.textdrive.com -tTCP_STREAM -- -m1472
TCP STREAM TEST to private.comox.textdrive.com
Recv   Send    Send
Socket Socket  Message  Elapsed
Size   Size    Size     Time     Throughput
bytes  bytes   bytes    secs.    MBytes/sec

65536  32768   1472    10.00      59.79

Loopback speeds comox -> comox via localhost (All FreeBSD)

# /usr/local/netperf/netperf -fM -H 127.0.0.1 -tTCP_STREAM -- -m1472
TCP STREAM TEST to 127.0.0.1
Recv   Send    Send
Socket Socket  Message  Elapsed
Size   Size    Size     Time     Throughput
bytes  bytes   bytes    secs.    MBytes/sec

65536  32768   1472    10.00     180.22


Loopback speed yumi -> yumi via private IP (All Solaris)

[yumi:/] root# /opt/csw/bin/netperf -fM -H private.yumi.textdrive.com -tTCP_STREAM -- -m1472
TCP STREAM TEST from ::ffff:0.0.0.0 (0.0.0.0) port 0 AF_INET to private.yumi.textdrive.com (10.0.0.247) port 0 AF_INET

Recv   Send    Send
Socket Socket  Message  Elapsed
Size   Size    Size     Time     Throughput
bytes  bytes   bytes    secs.    MBytes/sec

49152  49152   1472    10.00     303.60

Loopback speed yumi -> yumi via 127.0.0.1 (All Solaris)

[yumi:/] root# /opt/csw/bin/netperf -fM -H 127.0.0.1 -tTCP_STREAM -- -m1472
TCP STREAM TEST from ::ffff:0.0.0.0 (0.0.0.0) port 0 AF_INET to ::ffff:127.0.0.1 (127.0.0.1) port 0 AF_INET
Recv   Send    Send
Socket Socket  Message  Elapsed
Size   Size    Size     Time     Throughput
bytes  bytes   bytes    secs.    MBytes/sec

49152  49152   1472    9.99      331.41

-------------
OVER A SWITCH
-------------

FreeBSD -> FreeBSD

pacific# /usr/local/netperf/netperf -fM -H private.comox.textdrive.com -tTCP_STREAM -- -m1472
TCP STREAM TEST to private.comox.textdrive.com
Recv   Send    Send
Socket Socket  Message  Elapsed
Size   Size    Size     Time     Throughput
bytes  bytes   bytes    secs.    MBytes/sec

65536  32768   1472    10.02       4.86

FreeBSD -> Solaris

pacific# /usr/local/netperf/netperf -fM -H private.yumi.textdrive.com -tTCP_STREAM -- -m1472
TCP STREAM TEST to private.yumi.textdrive.com
Recv   Send    Send
Socket Socket  Message  Elapsed
Size   Size    Size     Time     Throughput
bytes  bytes   bytes    secs.    MBytes/sec

49152  32768   1472    10.01       4.95

Solaris -> FreeBSD

[emi:/] root# /opt/csw/bin/netperf -fM -H private.comox.textdrive.com -tTCP_STREAM -- -m1472
TCP STREAM TEST from ::ffff:0.0.0.0 (0.0.0.0) port 0 AF_INET to private.comox.textdrive.com (10.0.0.189) port 0 AF_INET
Recv   Send    Send
Socket Socket  Message  Elapsed
Size   Size    Size     Time     Throughput
bytes  bytes   bytes    secs.    MBytes/sec

65536  49152   1472    10.07      44.13

Solaris -> Solaris

[emi:/] root# /opt/csw/bin/netperf -fM -H private.yumi.textdrive.com -tTCP_STREAM -- -m1472
TCP STREAM TEST from ::ffff:0.0.0.0 (0.0.0.0) port 0 AF_INET to private.yumi.textdrive.com (10.0.0.247) port 0 AF_INET
Recv   Send    Send
Socket Socket  Message  Elapsed
Size   Size    Size     Time     Throughput
bytes  bytes   bytes    secs.    MBytes/sec

49152  49152   1472    10.00      75.59

Ocassionally things go bad(tm). This has bit me for the second time in approx 3 years now, but generally one needs to load the old FreeBSD kernel to start debugging and going through a box with a fine toothcomb.

The following snipbit gives you an idea what steps to take when rebooting the server so that you can load the previous working copy of the FreeBSD kernel:
When the boot menu appears hit the spacebar to stop the countdown.
Press "6" for "to escape to loader prompt"
unload
load /boot/kernel.old/kernel
boot

Now the old working FreeBSD kerenl is booting up. It would be recommended to copy the last working version to /boot/kernel.last for example so that you can "load /boot/kernel.last/kernel", especially if you are going to be building your kernel multiple times on a server.

This searches for and destroys the zombie processes that linger (and block I/O for an indefinite amount of time) after cron starts up on a shared server:

for each in `ps jauxww | grep Z | grep -v PID | awk '{print $3}'`; do for every in `ps auxw | grep $each | grep cron | awk '{print $2}'`; do kill -9 $every; done; done

User the "begin routers" section add:

route_append:
    driver = manualroute
    domains = *
    transport = remote_smtp
    route_data = "smarthost.host.name byname"

Given that this isn't something I do regularly, it's handy to have the commands to hand so I don't have to scroll through man pages trying to remember how to do it.

Clear the disk

# dd if=/dev/zero of=/dev/ad1 bs=1k count=1

Initialise it

# fdisk -BI ad1

Label it, then edit the labels created

# bsdlabel -B -w ad1s1 auto
# bsdlabel -e ad1s1

Format it with a filesystem

# newfs /dev/ad1s1e

Make directories and mount as appropriate, and you're done!

Install CVSup

cd /usr/ports/net/cvsup-without-gui
make install distclean

Make and populate the CVSup config file

touch /root/cvsup-stable-src.sup
echo '*default host=cvsup14.us.FreeBSD.org' >> /root/cvsup-stable-src.sup
echo '*default base=/var/db' >> /root/cvsup-stable-src.sup
echo '*default prefix=/usr' >> /root/cvsup-stable-src.sup
echo '*default release=cvs tag=RELENG_5' >> /root/cvsup-stable-src.sup
echo '*default delete use-rel-suffix compress' >> /root/cvsup-stable-src.sup
echo ' src-all' >> /root/cvsup-stable-src.sup

Update the /usr/src/ tree

cvsup /root/cvsup-stable-src.sup

Get rid of any old "worlds" and make a new one

rm -rf /usr/obj/usr
cd /usr/src/
make buildworld

Make changes to /usr/src/sys/i386/conf/GENERIC and name it was what you want.

Build the kernel, install the kernel, verify it and dot.old in /boot/, run mergemaster, and install the new world.

make buildkernel KERNCONF=GENERIC
make installkernel KERNCONF=GENERIC
mergemaster -p
make installworld
mergemaster
ls -l /boot/
shutdown -r now

Note, we often run in a securelevel of 1 and have immutable binaries in the system folders. You'll need to edit rc.conf.

nano /etc/rc.conf

kern_securelevel_enable="NO"
kern_securelevel="1"

Reboot

shutdown -r now

Then make things mutable

chflags noschg /bin/*
chflags noschg /sbin/*
chflags noschg /bin
chflags noschg /sbin
chflags noschg /usr/bin/*
chflags noschg /usr/sbin/*
chflags noschg /usr/bin
chflags noschg /usr/sbin

Using "textdrive" as an example

pw groupadd textdrive
pw useradd textdrive -m -c "Main Textdrive account" -d /home/textdrive -s /bin/tcsh -G textdrive -k /usr/share/skel/

Then set the password:

passwd textdrive