HiR's Secure OpenBSD, Apache, MySQL and PHP Guide

Introduction

It's easy to set up OpenBSD to serve "LAMP" web apps with Apache, MariaDB (a MySQL fork in OpenBSD Ports) and mod_php. We'll call it "OAMP" (OpenBSD/Apache/MariaDB/PHP) for short. While other web servers such as nginx or the httpd in the base install are simple, lightweight and potentially more secure, this configuration with Apache may work better with more complex web applications like NextCloud. Your mileage may vary.

As of April 15, 2016, this guide has been updated for OpenBSD 6.1. It was tested on the amd64 and i386 architectures.

Preparation

First, install OpenBSD. Be sure to create a user-level account for yourself during the installation process, and I'd recommend disabling remote root logins while you're at it. This user account will be added to the wheel group. On BSD systems, the wheel group is comparable to an administrator group, granting access to the su command, etc. You can add other trusted users to this group later on.

OpenBSD no longer includes sudo in the base install as of the 5.8 release. It's still in ports if you must use it, but we'll be making use of the replacement doas(1) tool, which is similar to sudo in several ways. Create a file called /etc/doas.conf. The man pages for doas and doas.conf are quite helpful, but as a quick and dirty way to get up and running with doas, there's a minimal doas.conf file below. You can also add "nopass" after "permit" if you don't want to be prompted for a password. I don't recommend doing that in a production environment.

permit :wheel

If you have a hard time with typing "sudo" instead of "doas", you might want to add an alias to your shell profile.

New in OpenBSD 6.1 is the /etc/installurl file, replacing /etc/pkg.conf. If you installed sets from an official OpenBSD mirror, the installurl file likely already exists with the mirror you installed from. Otherwise, create this file and add a mirror to it. My /etc/installurl looks like this:

https://ftp5.usa.openbsd.org/pub/OpenBSD

Install Packages

OpenBSD includes the Suhosin Hardened PHP patches in their default PHP package, which is nice. Apache will use mod_php, which is included in the PHP package as well. Since OpenBSD's package manager automatically installs dependencies, you can get away with this command, which should install PHP, mariadb client tools, Apache Web Server, and everything else we need to get our PHP web application server up and running:

doas pkg_add php-mysqli mariadb-server apache-httpd

You will be prompted for which version of PHP you want to install. Unless you have a good reason not to, it's best to go with the newest (highest version number) available. In OpenBSD 6.1, that's PHP 7.0.16. Enable php-mysqli by symlinking the sample mysqli.ini to the /etc/php-7.0 directory.

doas ln -sf /etc/php-7.0.sample/mysqli.ini /etc/php-7.0/mysqli.ini

Enable mod_php by symlinking the sample php-7.0.conf to the /var/www/conf/modules directory.

doas ln -sf /var/www/conf/modules.sample/php-7.0.conf /var/www/conf/modules

Configure MariaDB

Set up and secure MariaDB with the commands below:

doas /usr/local/bin/mysql_install_db
doas rcctl start mysqld
doas /usr/local/bin/mysql_secure_installation

Follow the prompts and choose a good password for the root user while you're at it.


That's almost all there is to it. Just tell OpenBSD to start the apache2 and  mysqld services with rcctl enable:

doas rcctl enable apache2
doas rcctl enable mysqld

You can manually start all these services (mysqld is already running because we started it earlier), or just reboot to make sure everything works.

doas rcctl start apache2

Set up LAMP-style web apps

Since the web environment is in a chroot restricted to /var/www and the MySQL socket is not inside /var/www, the easiest way to get database access is to create your MySQL users for a host of "127.0.0.1" instead of localhost. This forces MySQL connections over TCP. There are some complicated ways of getting the socket into /var/www, such as forcing MySQL to write it inside /var/www or creating hard links to the socket. Those are beyond the scope of this article. My first test was to delete the default "It works!" page (/var/www/htdocs/index.html) and create a simple PHPInfo file saved as index.php.
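
As an added example (not code from the original guide), here is a PHP connection check for the 127.0.0.1 approach described above. The database name "appdb", the user "appuser", its password and the SQL used to create that user are assumptions shown in the comments; the point is that the host string decides whether mysqli tries the socket (unreachable inside the chroot) or TCP.

```php
<?php
// Added example, not part of the original guide. It assumes a database
// "appdb" and a user "appuser" that you create yourself as the MariaDB
// root user, bound to 127.0.0.1 rather than localhost:
//
//   CREATE DATABASE appdb;
//   CREATE USER 'appuser'@'127.0.0.1' IDENTIFIED BY 'change-this-password';
//   GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'appuser'@'127.0.0.1';
//   FLUSH PRIVILEGES;
//
// It also assumes mysqld listens on TCP 127.0.0.1:3306 (netstat -an -f inet).

// Throw exceptions instead of silently returning false on errors.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function connect_over_tcp(string $user, string $pass, string $db): mysqli
{
    // The host string matters: "localhost" makes mysqli use the UNIX
    // socket, which lives outside the /var/www chroot and is unreachable
    // from mod_php. "127.0.0.1" forces a TCP connection instead.
    $conn = new mysqli('127.0.0.1', $user, $pass, $db, 3306);
    $conn->set_charset('utf8mb4');
    return $conn;
}

// Smoke test: runs a harmless parameterised query so you can tell a
// working TCP connection apart from a socket lookup failing in the chroot.
function check_connection(string $user, string $pass, string $db): string
{
    try {
        $conn = connect_over_tcp($user, $pass, $db);
        $stmt = $conn->prepare('SELECT USER(), ?');
        $note = 'connected over TCP';
        $stmt->bind_param('s', $note);
        $stmt->execute();
        $stmt->bind_result($who, $msg);
        $stmt->fetch();
        $stmt->close();
        $conn->close();
        return "$msg as $who";
    } catch (mysqli_sql_exception $e) {
        // Typical symptom of using "localhost" inside the chroot:
        // "No such file or directory" while opening the socket.
        return 'connection failed: ' . $e->getMessage();
    }
}

header('Content-Type: text/plain');
echo check_connection('appuser', 'change-this-password', 'appdb'), "\n";
```

Save it under /var/www/htdocs as a .php file, load it once to confirm the connection, then delete it so the credentials don't stay in the document root.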
I've managed to get various pre-packaged content management systems and my own PHP web sites working under OAMP without any problems.