OpenBSD: Otherwise known as Marmite

There are a lot of misconceptions about OpenBSD, chief of which is that it’s bulletproof. Well, the default install has had “only two remote holes, in a heck of a long time”, however those of us on planet Earth realise that few people stick to the default install in the first place. If you need your system to do anything aside from being a router or text-only web browser, then sure, default works handily.

The rest may get tedious so feel free to browse away now.

Security is a process

I’ve lost count of how many times this has come up, but it still bears repeating.

It’s not a destination. Never has been and never will be considering vulnerabilities are discovered all the time in other software needed to turn the afore-mentioned brick into a house. Just because you run a very secure OS, doesn’t mean anything else running on it won’t break and let in something bad through the cracks.

From the FAQ :

The packages and ports collection does NOT go through the same thorough security audit that is performed on the OpenBSD base system. Although we strive to keep the quality of the packages collection high, we just do not have enough human resources to ensure the same level of robustness and security.

Introducing any new software to the machine, whether from a tar download or ports, will create potential vulnerabilities which the sysadmin has to keep an eye on, applying patches and chrooting as necessary. I’m sure I don’t need to go over backing up before applying said updates as that’s just common sense.

Current vs Stable

Current is more likely to break, but you also get fixes fairly quickly. Stable is slower to get fixes, but is less likely to break in the first place.

This is pretty much true of any of the BSDs or really most of the Linux distros for that matter so plan accordingly.

Don’t choose current just for needless features on a production system. Make an informed decision on whether you’re using the full capabilities of a current branch before using it. I generally stick to stable for production systems unless there’s a feature absolutely needed that’s not in stable, which is very rare.

RTFM

The FAQ, the manual and the mailing list are your friends so don’t ignore them.

Always treat these sources from the project site as your primary references. There are many wonderful tutorial sites on the net about configuring, securing (see above), and otherwise using OpenBSD, but the main sources provided on the project site are still your most reliable, up-to-date, and complete reference. Also it has, by far, one of the most comprehensive manuals for an open source project.

I’m by no means an OpenBSD expert, but I’m patient when it comes to learning and I don’t get embarrassed about asking questions if I don’t know something. You never stop learning.

That said, people who say “OpenBSD is pretty easy” or equivalent are pretentious and condescending. OpenBSD has a steep learning curve and downplaying that with statements attesting ease of use only serves to frustrate and offend people just getting into it. It gets “easier” as time goes by and as you get familiar with the environment, you will end up with a lot of capability in a very secure and stable system.

It takes a lot of reading and familiarization to get your feet wet and even if you come from a *nix background, it never hurts to read up. OpenBSD’s strong points are security, consistency and predictability. The last two really help when learning the system.

People within the Linux and BSD community can only help their platform of choice by getting rid of the condescension toward novices.

It’s Marmite (I.E. It works for me)

OK, I get it. You don’t have to go on and on about how hard it is, how you just don’t understand it, or how anyone could use it instead of, say, another BSD or Linux distro that gives the same, if not better, functionality for the same effort.

If any other BSD or Linux flavor floats your boat, well then, more power to you.

I’ve been using Nginx + MySQL + PHP + OpenBSD on one particular production site for quite a while and I’ve been very happy. Maintenance has rarely been a problem, although it’s more involved due to chrooting, but I’ve had no complaints so far with the site breaking.

If anyone asks me and if it’s appropriate, this is what I’d recommend, not just on security grounds, but also because I found it consistent and reasonably straightforward to keep secure for the foreseeable future. And I’m using it on that production site because it was appropriate for my situation.

Quit trying to convert people to your religion in regular face-to-face conversations saying your Kool-Aid is better for everything. You just sound like a bunch of intolerant morons; as if we needed more of those these days. If what someone does with their system isn’t your cup of tea, but doesn’t affect your system or what you do, then mind your own damn business.

Linux vs BSD comparisons?

I’ve gone over this so many times in real life, I don’t have the energy to do it again, but I will say this. Apples and Oranges — Linux is a kernel and you have a zillion different distros (Operating Systems) that use said kernel which specialize in different things, or you can roll your own. Choose or build carefully.

As for how I feel about other people’s opinions on what I choose; I’ll let Denny Crane explain :

Nginx + PHP + MySQL on Windows in 6 minutes

The last time I posted a tutorial on Nginx, there wasn’t a native port of the server available. Riez Opuz posted a link to his Xenstack project on that post that prompted me to write the rest of what I’ve been putting off. It’s a good way to tweak the stack to your own needs.

I tried to leave this as “in 5 minutes”, but then I remembered how long it would take to download MySQL… Even on broadband.

Kevin Worthington had very kindly provided a Cygwin build that ran on Windows, however Nginx now has a Windows build that we can use and this time, we can add MySQL to the list as well. To keep everything compatible, we’ll be using the 32 bit versions for all downloads.

Once you’ve also downloaded Nginx (0.8.53 at the time of this post), head on to the PHP libraries and remember to download the Windows Libraries only (5.3.3 as of today) and select the thread safe version. The first steps are the same with the exception of the download link to MySQL and we need the no-install download.

Make sure to follow this directory structure!

Extract the Nginx files to C:\nginx
Extract PHP to C:\nginx\php
Extract MySQL to C:\nginx\mysql

First, let’s configure MySQL

MySQL no-install is a freakin’ huge download so feel free to delete mysql-test, Embedded, sql-bench and folders named debug once unzipped. If you want to minimize the folder even more, you can optionally delete any .pdb files. This would come in handy if you want to deploy the whole ensemble on a thumb drive or package it for a demo application and are really penny-pinching the available storage space.

Once the cleanup is complete, copy my-medium.ini in C:\nginx\mysql\ into my.ini. I think the medium configuration takes care of most uses and, for a moderately busy site, it fares pretty well.

Always try to copy existing files before making changes instead of outright renaming them. This way, if something goes wrong with the new configuration, we still have the original handy to start over.

Open up the newly copied my.ini file and change the [client] block to match the following.


[client]
#password	= your_password
port		= 3306
socket		= c:/nginx/mysql/tmp/mysql.sock

Note the Unix style forward-slashes.

Now in the [mysqld] block in the same file, change to match the following :


[mysqld]
port		= 3306
socket		= c:/nginx/mysql/tmp/mysql.sock
basedir		= c:/nginx/mysql
datadir		= c:/nginx/mysql/data
bind-address	= localhost
enable-named-pipe
skip-external-locking
key_buffer_size = 16M
max_allowed_packet = 1M
table_open_cache = 64
sort_buffer_size = 512K
net_buffer_length = 8K
read_buffer_size = 256K
read_rnd_buffer_size = 512K
myisam_sort_buffer_size = 8M

Now let’s try and run our MySQL server

Start a new command line window…
Note: If you’re running Windows Vista or above with UAC enabled, you need to right click on the command line link and select “Run as administrator”. If you get a message saying “Install/Remove of the Service Denied!” when trying to start MySQL later on, then you probably have UAC running, so this step is very important.

Navigate to C:\nginx\mysql\bin\ and run :

mysqld --install-manual

There should be a slight delay followed by a “Service successfully installed”. We then must run :

net start mysql

…And if there are no errors noted, then Congratulations!

Before we proceed, we need to run some housekeeping operations. In the same command line window, run :

mysqladmin -u root password newpassword

Where newpassword is your new MySQL root password. This is an important step toward securing your installation.

Now that we’ve changed our root password enter the following :

mysql -u root -p

Which will give you a password prompt. Enter your newpassword created before. Once you’re logged in, you’re at the MySQL console.

If you need to change your root password at a future date, run mysql as above and type the following :

update mysql.user set password=PASSWORD('new-newpassword') where user='root';

Note that passwords are hashed before storage in the database, so we need to run the PASSWORD function on our new-newpassword rather than storing it as plain text. Once that’s done, be sure to run :

flush privileges;

Now we need to remove all the junk that came with the server.

Delete the test databases and anonymous users (Always remember the semicolon at the end!) :

delete from mysql.user where user='';
delete from mysql.user where user='root' and host!='localhost';
drop database test;
delete from mysql.db where db='test' or db='test\_%';

And finally flush privileges and quit :

flush privileges; quit;
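As an added example (not part of the original post), here is the same cleanup collected into one script you can paste into the MySQL console, followed by queries that confirm nothing risky was left behind. It assumes the MySQL 5.1/5.5 grant tables this post was written against (the Password column was renamed in later versions).

```sql
-- Added example, not from the original post. Run from the mysql console
-- after logging in as root; assumes MySQL 5.1/5.5 grant-table layout.

-- 1. Anonymous accounts (empty user name) and root logins from any
--    machine other than this one.
DELETE FROM mysql.user WHERE User = '';
DELETE FROM mysql.user WHERE User = 'root'
  AND Host NOT IN ('localhost', '127.0.0.1');

-- 2. The sample database and the default grants on it. The second
--    value is compared literally: the default grant row really is
--    stored as the pattern 'test\_%', so '=' is what removes it.
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db = 'test' OR Db = 'test\_%';

FLUSH PRIVILEGES;

-- 3. Verification. Each of these should return an empty set.
--    Accounts that can still log in without a password:
SELECT User, Host FROM mysql.user WHERE Password = '';
--    Accounts reachable from anywhere other than this machine
--    (bind-address = localhost in my.ini is the second line of defence,
--    not a reason to leave these in place):
SELECT User, Host FROM mysql.user
  WHERE Host NOT IN ('localhost', '127.0.0.1');
--    Leftover grants on the test databases:
SELECT Db, User, Host FROM mysql.db WHERE Db LIKE 'test%';
```

If any of the three checks returns rows, repeat the matching DELETE for those rows and run FLUSH PRIVILEGES again before creating application accounts.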

Now if we need to, we can stop MySQL by running the following (in C:\nginx\mysql\bin\ as an Administrator of course):

net stop mysql

And if we need to remove it from our services entirely, run the following :

mysqld --remove

Onward to setting up PHP

nginx + PHP on Windows in 5 minutes

Update November 7, 2010

There’s now an updated version of this tutorial which also covers incorporating MySQL.


If you’ve ever needed a very fast, stable, no frills web server to serve up some pages on a home system, then look no further than nginx. The server is rock solid and gets the job done. And the setup and configuration is unmatched in simplicity compared with other servers of similar capability.

Nginx is native to the UNIX platform, so you’ll need to get a precompiled version or install Cygwin. I opted for the former because there’s already a package available by Kevin Worthington that works very nicely.

Download the stable package and install it. Because of the Cygwin configuration, it will install to c:\nginx.

Then download the latest PHP Windows binaries (not the installer) and extract all files to c:\nginx\php. We will be using php-cgi.exe because of the nginx fast-cgi capability. Make sure the path is c:\nginx\php\php-cgi.exe during the installation.

Almost there…

Go into c:\nginx\conf and uncomment or modify the following lines in nginx.conf.

# the dot must be escaped: an unescaped "." matches any character
location ~ \.php$ {
  root           html;
  fastcgi_pass   127.0.0.1:9000;
  fastcgi_index  index.php;
  fastcgi_param  SCRIPT_FILENAME c:/nginx/html/$fastcgi_script_name;
  include        fastcgi_params;
  # with PHP's default cgi.fix_pathinfo=1, a request whose script path does
  # not exist can be re-resolved to another file; set cgi.fix_pathinfo=0 in
  # php.ini so only the file named in SCRIPT_FILENAME is ever executed
}

Then, in the same folder, edit start-nginx.bat to include the following line :

@ECHO OFF
REM start nginx, then php-cgi listening on the FastCGI address used in nginx.conf
c:\nginx\nginx.exe
c:\nginx\php\php-cgi.exe -b 127.0.0.1:9000 -c c:\nginx\php\php.ini
REM ping doubles as a short pause (two requests take roughly one second);
REM note the space before >NUL, otherwise cmd reads "1>NUL" as a redirect
ping 127.0.0.1 -n 2 >NUL
echo Starting nginx
echo .
echo .
echo .
ping 127.0.0.1 >NUL
EXIT

Now edit stop-nginx.bat and add the following lines :


@ECHO OFF
taskkill /f /IM nginx.exe
taskkill /f /IM php-cgi.exe
EXIT

It’s not a perfect solution, but works for non-production applications.

That should be it!

If you need to hide that ugly command prompt during startup, just create two files in conf (alongside start-nginx.bat) and enter the following code :

In launch.js :


var objShell = WScript.CreateObject("WScript.Shell");
var result = objShell.Run("cmd.exe /c start-nginx.bat", 0);

// Give some startup time
WScript.Sleep(3000);

// Navigate to homepage
objShell.Run("http://localhost");

In shutdown.js :


var objShell = WScript.CreateObject("WScript.Shell");
var result = objShell.Run("cmd.exe /c stop-nginx.bat", 0);

Now to startup nginx with fast-cgi PHP, just double-click launch.js. To stop, double-click shutdown.js.

You can make yourself an HTML Application to run these JavaScripts and build a basic control panel at a future date.

Update 12/08

Changed the php.ini file location to an absolute path.

Changed the stop-nginx.bat commands to taskkill instead of multiple process -k lines (you can never tell how many instances there may be of php-cgi.exe, so it’s impractical to do it the old way).

Note: Copying entire blocks is recommended as parts of the code are hidden by my display theme. However all the text is there. Highlighting the whole thing will ensure that no parts are left behind.