HiR's Secure OpenBSD, Apache, MySQL and PHP Guide


In 2014, OpenBSD removed their extensively-patched version of Apache 1.3 from the base distribution. You can still use Apache from ports or packages, though. You can choose to reinstate a (barely maintained) Apache 1.3 based on the old code from the base distro, or a more modern Apache 2 version. For this guide, we'll be using Apache 2.


First, install OpenBSD. Be sure to create a user-level account for yourself during the installation process, and I'd recommend disabling remote root logins while you're at it. This user account will be added to the wheel group. On BSD systems, the wheel group is comparable to an administrator group, granting access to use the su command, etc. You can add other trusted users to this group later on.

As an extension to this privilege, we usually add the wheel group to /etc/sudoers with the ability to run any command. Once you've got OpenBSD installed, log in and su to root (with "su -") or log in as root and edit the sudoers file with the "visudo" command. Uncomment (or add) the line below. Optionally, there's a similar line that does not prompt the user for a password. We do not recommend using that option on a production system.


Now, set up the package manager by adding an installpath line in /etc/pkg.conf. For best results, you should pick an OpenBSD mirror that is near you both physically and network-wise. Try pinging and tracerouting different mirrors in your country and seeing which ones have the best response times or the fewest hops. Once you've picked a mirror, you can create /etc/pkg.conf with this quick one-liner that takes your OpenBSD version and architecture into account. I'm using ftp5.usa in this example. Put it all on one line.

echo installpath=ftp://ftp5.usa.openbsd.org/pub/OpenBSD/$(uname -r)/packages/$(uname -m) | sudo tee /etc/pkg.conf

If you bought the OpenBSD media and have packages on CD you'd like to use, you can add them to the installpath instead of the FTP mirror, or in addition to it.

Install Packages

OpenBSD includes the Suhosin Hardened PHP patches in their default PHP package, which is nice. As of 5.7, OpenBSD has switched to the MariaDB fork of MySQL, which is a bit of a change. Since OpenBSD's package manager automatically installs dependencies, you can get away with this command, which should install everything else we need to get Apache2 and PHP up and running with the MySQL Client extension and MariaDB server:

sudo pkg_add apache-httpd php php-mysql mariadb-server

You'll likely be asked which version of certain packages you wish to install. As mentioned earlier, go for Apache 2.x. Unless you know you require a specific version of PHP, your best bet is to go for the one with the highest version number. As of OpenBSD 5.7, that's PHP 5.6.5. Be sure to install a PHP version ending in "-ap2" as these are built against the apache2 package for mod_php. After completion, you'll be asked to create symbolic links for PHP's configuration files. The instructions are wrong. Don't follow them. Do this instead:

sudo cp /var/www/conf/modules.sample/php-5.6.conf /etc/apache2/extra

You will need to link the mysql.ini file for PHP as the instructions say.

sudo ln -sf /etc/php-5.6.sample/mysql.ini /etc/php-5.6/mysql.ini

Configure MariaDB, PHP and Apache2

Edit /etc/my.cnf and tell MariaDB to bind to only At least in my testing environments, it appears that MariaDB will only bind to IPv6 unless you explicitly specify an IPv4 address. I had trouble getting PHP to connect to MariaDB on ::1, even though it worked fine from the command line. I suggest adding the following line somewhere near the top of the [mysqld] section, which starts at line number 28 in the default my.cnf:

bind_address    =

Set up and secure MariaDB.

sudo /usr/local/bin/mysql_install_db

sudo /etc/rc.d/mysqld start

sudo /usr/local/bin/mysql_secure_installation

Follow the prompts and choose a good password for the root user while you’re at it.
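To confirm that the bind_address setting took effect once mysqld is running, the listening sockets can be checked. The following is an added example, not part of the original guide: the function name exposed_listeners is hypothetical, the netstat lines are constructed samples, and it assumes the goal is a listener reachable on loopback only.

```shell
#!/bin/sh
# Added example (not from the original guide).
# exposed_listeners PORT: reads BSD-style `netstat -an` output on stdin and
# prints "proto address" for every LISTEN socket on PORT that is not bound
# to loopback. Exit status is 1 if any such socket exists, 0 otherwise.
exposed_listeners() {
    awk -v port="${1:-3306}" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            la = $4                              # local address, e.g. 127.0.0.1.3306
            if (!match(la, /\.[0-9]+$/)) next    # BSD netstat: port follows the last dot
            if (substr(la, RSTART + 1) != port) next
            addr = substr(la, 1, RSTART - 1)
            if (addr == "127.0.0.1" || addr == "::1") next
            print $1, addr
            bad = 1
        }
        END { exit bad + 0 }
    '
}

# Constructed sample input, laid out like `netstat -an` on OpenBSD.
SAMPLE_LOOPBACK='Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  127.0.0.1.3306         *.*                    LISTEN
tcp          0      0  *.80                   *.*                    LISTEN
tcp          0      0  *.22                   *.*                    LISTEN'

SAMPLE_EXPOSED='Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp          0      0  *.3306                 *.*                    LISTEN
tcp6         0      0  ::1.3306               *.*                    LISTEN
tcp          0      0  *.22                   *.*                    LISTEN'

# Demo on the constructed samples; on a live host, pipe `netstat -an` in instead.
printf '%s\n' "$SAMPLE_LOOPBACK" | exposed_listeners 3306 && echo "3306: loopback only"
printf '%s\n' "$SAMPLE_EXPOSED" | exposed_listeners 3306 || echo "3306: reachable beyond loopback"
```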

Add the below line to the end of /etc/apache2/httpd2.conf to enable PHP:

Include /etc/apache2/extra/php-5.6.conf

Set daemons to start up by adding the following line to /etc/rc.conf.local. You'll probably need to create the file manually.

pkg_scripts="mysqld apache2"

Apache makes it relatively easy to set up multiple virtual hosts, but that's beyond the scope of this article. We'll install everything to /var/apache2/htdocs as the default web root.

Go ahead and reboot at this point to make sure the daemons start automatically.

Browsing to your OpenBSD 5.7 web server will probably display a very basic "It Works!" web page if all went well.

Test PHP by adding the following lines to /var/apache2/htdocs/phpinfo.php

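Then load http://your.server.ip/phpinfo.php. As you can see below, the Server API is Apache 2.0. Delete phpinfo.php once you have confirmed that PHP works, since it discloses the server's configuration to anyone who requests it.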

PHP-MySQL works just as it always has. Since Apache and PHP are configured for a chroot environment on /var/apache2, the easiest way to make sure your web applications work with MySQL is to set up the user accounts to work from (instead of "localhost" which is a socket connection, with the socket located outside the chroot environment). This forces MySQL to use a TCP connection to localhost. It may be a little slower, but should work for most users. Advanced users may wish to create a solution that hard-links the socket to a location in /var/www, and configure PHP to use that instead. This is beyond the scope of this getting-started guide, but would involve editing the MySQL startup scripts and PHP configuration.