
By Fahad Usman
Why do we need this?
I wanted to isolate my web-dev work in a jail. My FreeNAS machine is a beast, so I just wanted to install MySQL, Python, PHP etc. in a jail instead of installing it on my personal laptop!
There are many tutorials but none worked for me. It took me a while to get it all working so I thought I should write about it so that others can benefit and whip through the installation (unlike me 🙂 )
One of the biggest benefits for me was that I could create Python scripts and let them run non-stop!
“The nice thing about FreeNAS jails is you can experiment with them with no threat to your FreeNAS system. When you are done with your jail? Just delete it…”
In this guide, I will take you through how to set it all up, step by step.
Step 1 – Create a Jail:
Create a jail as normal.
Jail => Add
FreeNAS is an appliance, meaning that its operating system is not intended to be modified, tweaked, expanded, jacked, bummed, experimented with, or anything else. If you want to install some bit of software into FreeNAS, you really “can’t”, because that’s just not how “appliances” work. But what you *CAN* do is create a “jail”, and you can install software INTO THAT JAIL.

Now start the jail.
Step 2 – SSH into FreeNAS:
Fire up the terminal and log in to the FreeNAS box:
ssh your_user@your_freenas_ip
Then open a console inside the jail:
iocage console sql_jail_name
Make sure the jail has Internet access:
ping google.com
The first thing you need to do is to update and upgrade packages:
pkg update
pkg upgrade
Step 3 – Install Apache:
Installing apache is a piece of cake:
pkg install apache24
Start and Enable Apache
To enable the Apache web server to start on system boot, run the command below:
sysrc apache24_enable=yes
This will add the line apache24_enable="yes" at the end of the /etc/rc.conf configuration file.
Now start apache and test if it works:
service apache24 start
You can check the status of Apache as shown below:
service apache24 status
apache24 is running as pid 1206.
To verify that you can actually access your web server from your favourite web browser, navigate to the IP address of your jail. If everything is working fine, you should see the default FreeBSD Apache web page, which says “It Works!”.
Step 4 – Install MySQL:
This is similar to installing Apache: you can install it with a single command. The question is which package to pick, because if you run:
pkg search mysql
there are many to choose from:
mysql55-client-5.5.62_3    Multithreaded SQL database (client)
mysql55-server-5.5.62_3    Multithreaded SQL database (server)
mysql56-client-5.6.47      Multithreaded SQL database (client)
mysql56-server-5.6.47      Multithreaded SQL database (server)
mysql57-client-5.7.29      Multithreaded SQL database (client)
mysql57-server-5.7.29      Multithreaded SQL database (server)
mysql80-client-8.0.19      Multithreaded SQL database (client)
mysql80-server-8.0.19      Multithreaded SQL database (server)
I installed mysql80 because it’s based on mysql 8. So run this command to install it:
pkg install mysql80-server
This will also install the mysql-client.
Enable MySQL as a service so it can start on system boot.
sysrc mysql_enable=yes
Start MySQL
service mysql-server start
The first thing to do now is to secure the installation. Simply run:
mysql_secure_installation
This will kick off a script that asks a series of questions, such as setting the root password. You would normally say ‘y’ to all the questions it asks and set the root password.
Log in to check that everything works:
mysql -u root -p
Enter the password you just set and you should be at the SQL prompt, like below:
[email protected]:~ # mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 10
Server version: 8.0.19 Source distribution
Copyright (c) 2000, 2020, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the current input statement.
[email protected] [(none)]>
Step 5 – Install and Configure php
For PHP to connect to the MySQL database and retrieve information to serve through the web server, you need to install PHP together with its Apache module and MySQL extension. The following command installs the most common PHP modules.
pkg install php72-mysqli php72-json php72-mbstring php72-session php72-hash php72 mod_php72 php72-zlib php72-curl php72-gd
Copy the sample PHP configuration file into the default place, then regenerate the shell's cached information about installed binaries:
cp /usr/local/etc/php.ini{-production,}
rehash
This copies the php.ini-production file to /usr/local/etc/php.ini.
You can check the version of PHP by running:
php -v
All good? This means PHP is installed. Now get Apache to allow PHP code to run by editing the Apache configuration file httpd.conf.
You can find where this is by:
find / -name httpd.conf
Mine was at: /usr/local/etc/apache24/httpd.conf.
Now add the following at the end of this file:
<FilesMatch "\.php$">
    SetHandler application/x-httpd-php
</FilesMatch>
<FilesMatch "\.phps$">
    SetHandler application/x-httpd-php-source
</FilesMatch>
Also, in the same file, find the line:
DirectoryIndex index.html
and add index.php next to index.html, so that in the end it looks like this:
DirectoryIndex index.php index.html
Restart apache by:
service apache24 restart
To test if it's working, create a file with some PHP code at:
vim /usr/local/www/apache24/data/test.php
I created the test.php file with the following code:
<?php phpinfo(); ?>
Now navigate to this file via a web browser: http://your_ip/test.php. You will see the PHP info page.
That’s great!
Now remove the test file from your server so that it does not expose information about the server to the public.
rm -rf /usr/local/www/apache24/data/test.php
Step 6 – Install Latest PhpMyAdmin
Go to the phpMyAdmin website and copy the link to the latest downloadable file. I downloaded the following:
wget https://files.phpmyadmin.net/phpMyAdmin/5.0.2/phpMyAdmin-5.0.2-all-languages.zip
Verify that the downloaded file is not corrupted by checking that its SHA256 hash matches the published one. From the phpMyAdmin download page, the SHA256 hash for phpMyAdmin-5.0.2-all-languages.zip is a6ea4f16ced9f2ce3a9b23d47c1cd0fee5a46ead9bd5f9ec76f8edfb7a153edc. To check the SHA256 of the downloaded file, run the command below:
sha256 phpMyAdmin-5.0.2-all-languages.zip
This will show something like this:
SHA256 (phpMyAdmin-5.0.2-all-languages.zip) = a6ea4f16ced9f2ce3a9b23d47c1cd0fee5a46ead9bd5f9ec76f8edfb7a153edc
Great, the hashes match and we are good to proceed.
Unzip it and move it into the web root:
unzip phpMyAdmin-5.0.2-all-languages.zip
mv phpMyAdmin-5.0.2-all-languages /usr/local/www/apache24/data/phpmyadmin
Configure phpMyAdmin
phpMyAdmin is now installed and can be configured as follows.
Navigate to /usr/local/www/apache24/data/phpmyadmin and create the configuration file from the sample:
cd /usr/local/www/apache24/data/phpmyadmin
cp config.sample.inc.php config.inc.php
Edit /usr/local/etc/php.ini and add the following lines to load the extensions installed above.
vim /usr/local/etc/php.ini
extension=mysqli.so
extension=mbstring.so
extension=json.so
extension=session.so
Save and quit the file.
Create a tmp folder for caching templates and set proper permissions:
mkdir /usr/local/www/apache24/data/phpmyadmin/tmp
chmod 777 /usr/local/www/apache24/data/phpmyadmin/tmp
Create the blowfish secret that cookie-based authentication needs to encrypt the password in the cookie. You can generate the secret and paste it in as follows:
vim /usr/local/www/apache24/data/phpmyadmin/config.inc.php
...
/**
 * This is needed for cookie based authentication to encrypt password in
 * cookie. Needs to be 32 chars long.
 */
$cfg['blowfish_secret'] = '$2a$07$jCKBmwSU0iyKGpwsHQUAVOuH5Kh37h52cT5.RLZrvN3tiHO67b1J.'; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */
/**
...
Restart Apache for the changes to take effect.
service apache24 restart
To access the phpMyAdmin dashboard, open a browser and enter the URL in the format http://server-IP/phpmyadmin. This will take you to the phpMyAdmin login page.
Log in with the MySQL database root credentials.
If you are running MySQL 8.0 then you might have an issue logging in to the phpMyAdmin dashboard, see the error below. Note that MySQL 8.0 uses caching_sha2_password rather than mysql_native_password as the default authentication plugin, which phpMyAdmin may not understand.

As a workaround, log in to MySQL as the root user by running the following command:
mysql -u root -p
and run the command below to change the authentication plugin for the root user to mysql_native_password:
ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'your_strong_password_here';
Go back to the browser and you should be able to log in to your phpMyAdmin dashboard.
To change the default login plugin, you need to edit your my.cnf file and add the following under the [mysqld] section:
vim /usr/local/etc/mysql/my.cnf
default_authentication_plugin = mysql_native_password
You can also set the bind address to 0.0.0.0 here in order to log in remotely, for example with SQLWorkBench from your laptop.
Restart MySQL by:
service mysql-server restart
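Three things set up so far are worth re-checking once everything works: the chmod 777 tmp folder, a leftover phpinfo() test file, and a bind address of 0.0.0.0, which makes MySQL listen on every interface of the jail. The script below is an added example, not part of the original post; the function names are hypothetical and the default paths are the ones used in this guide:

```sh
#!/bin/sh
# Added example: post-install check for the risky leftovers named above.

# Directories under the web root that any local user can write to
world_writable_dirs() {
    find "$1" -type d -perm -0002 2>/dev/null
}

# Top-level PHP files that call phpinfo(), e.g. a forgotten test.php
phpinfo_files() {
    find "$1" -maxdepth 1 -type f -name '*.php' \
        -exec grep -lE 'phpinfo[[:space:]]*\(' {} + 2>/dev/null
}

# Succeeds if my.cnf tells MySQL to listen on every interface
mysql_binds_all() {
    grep -Eq '^[[:space:]]*bind[-_]address[[:space:]]*=[[:space:]]*(0\.0\.0\.0|\*|::)[[:space:]]*$' \
        "$1" 2>/dev/null
}

# audit [WEBROOT] [MY_CNF] -> prints findings, returns 1 if there are any
audit() {
    webroot=${1:-/usr/local/www/apache24/data}
    mycnf=${2:-/usr/local/etc/mysql/my.cnf}
    findings=0
    ww=$(world_writable_dirs "$webroot") || true
    if [ -n "$ww" ]; then
        echo "WARN world-writable (give it to the www user, mode 700):"
        echo "$ww"
        findings=$((findings + 1))
    fi
    info=$(phpinfo_files "$webroot") || true
    if [ -n "$info" ]; then
        echo "WARN phpinfo() page still served, delete it:"
        echo "$info"
        findings=$((findings + 1))
    fi
    if mysql_binds_all "$mycnf"; then
        echo "WARN MySQL listens on all interfaces ($mycnf);"
        echo "     bind to one address or firewall port 3306"
        findings=$((findings + 1))
    fi
    echo "$findings finding(s)"
    [ "$findings" -eq 0 ]
}
```

Run audit with no arguments inside the jail; it exits non-zero while any finding remains.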
Install Method 2: packaged phpMyAdmin
This was the most painful process. The installation is very easy, but you need to tell pkg which version you want to install. I installed:
pkg install phpMyAdmin5-php72-5.0.1
It installs to /usr/local/www/phpMyAdmin, so move it to /usr/local/www/apache24/data/:
mv /usr/local/www/phpMyAdmin/ /usr/local/www/apache24/data/
If you navigate to it now, i.e. http://your_jail_ip/phpMyAdmin, it will not work. You need to edit your httpd.conf config again.
vi /usr/local/etc/apache24/httpd.conf
Add at the end:
Alias /phpmyadmin/ "/usr/local/www/apache24/data/phpMyAdmin/"
<Directory "/usr/local/www/apache24/data/phpMyAdmin/">
    Options None
    AllowOverride Limit
    Require local
    Require host .example.com
</Directory>
Restart Apache by:
service apache24 restart
Navigate to it again and you will get a Forbidden error. So reopen the httpd.conf file and add the following in the same directive:
Alias /phpmyadmin/ "/usr/local/www/apache24/data/phpMyAdmin/"
<Directory "/usr/local/www/apache24/data/phpMyAdmin/">
    AddDefaultCharset UTF-8
    # Apache 2.4
    Require all granted
    # Apache 2.2
    Order Allow,Deny
    Allow from All
    Options None
    AllowOverride Limit
    Require local
    Require host .example.com
</Directory>
Restart Apache:
service apache24 restart
The phpMyAdmin page will appear. Now if you log in, you will get an error:
mysqli::real_connect(): The server requested authentication method unknown to the client [caching_sha2_password]
To fix this, you will have to log in to MySQL from the jail terminal:
mysql -u root -p
And execute the command:
alter user 'root'@'localhost' identified with mysql_native_password by 'put_complex_password_here';
Re-login and you should be in 🙂
Add the following to your my.cnf file, under the [mysqld] section:
vi /usr/local/etc/mysql/my.cnf
default_authentication_plugin = mysql_native_password
Now you can log in to phpMyAdmin.
If you see the following error message at the bottom of the page when you first log in to /phpMyAdmin (using a previously setup MySQL username and password) :
ERROR: The configuration file now needs a secret passphrase (blowfish_secret)
You need to add a blowfish password to phpMyAdmin’s config file. Edit /usr/local/www/apache24/data/phpMyAdmin/config.inc.php and insert a random blowfish “password” in the line
$cfg['blowfish_secret'] = ; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */
It should now look something like this:
$cfg['blowfish_secret'] = 'randomPassword$£@£{8IZr323xYcSN]0s)r$9b_JUnb{~Xz'; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */
This all assumes you’ve already properly created the config file,
cp config.sample.inc.php config.inc.php
Restart mysql-server:
service mysql-server restart
Re-login and the error should be gone.
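Both blowfish_secret values shown in this guide (the one in the first install method and the sample just above) are published on this page, so each install needs its own random value. The following is an added example, not part of the original post; gen_secret, read_blowfish_secret and set_blowfish_secret are hypothetical helper names, and the secret is 32 hex characters to match the "32 chars long" note in the config file:

```sh
#!/bin/sh
# Added example: give config.inc.php its own random 32-character secret.

# 16 bytes from the kernel RNG, hex-encoded: 32 characters from [0-9a-f]
gen_secret() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Print the value currently set in CONFIG_FILE (empty if unset)
read_blowfish_secret() {
    sed -n "s|^.cfg\[.blowfish_secret.] *= *'\(.*\)';.*|\1|p" "$1"
}

# set_blowfish_secret CONFIG_FILE
# Replaces the $cfg['blowfish_secret'] line; returns 1 if the file has none.
set_blowfish_secret() {
    conf=$1
    grep -q '^.cfg\[.blowfish_secret.] *=' "$conf" || {
        echo "no blowfish_secret line in $conf" >&2
        return 1
    }
    secret=$(gen_secret)
    [ "${#secret}" -eq 32 ] || { echo "could not generate secret" >&2; return 1; }
    tmp=$(mktemp) || return 1
    # Hex digits contain nothing special to sed, so splicing them in is safe
    sed "s|^\(.cfg\[.blowfish_secret.] *= *\).*|\1'${secret}'; /* YOU MUST FILL IN THIS FOR COOKIE AUTH! */|" \
        "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Overwrite in place so the file keeps its owner and mode
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Usage inside the jail (path from this guide):
#   set_blowfish_secret /usr/local/www/apache24/data/phpMyAdmin/config.inc.php
```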
Step 7 – Install Python
Install it using:
pkg install python3
Confirm if it installed successfully:
which python3
python3 --version
You can create a link to it so that you don’t have to type python3 every time you need to use it. You can then simply say python:
ln -s /usr/local/bin/python3 /usr/local/bin/python
python --version
Python 3.7.6
So python is installed successfully.
Install pip (Python Package manager)
pkg install py37-pip
pip install --upgrade pip
Step 8 (Optional) – Enable HTTPS
I like to enable HTTPS with self-signed certificates so that the communication is encrypted. The first thing you need to do is create the private key and the SSL certificate. Go to:
/usr/local/etc/ssl/
And create a certificate by:
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout mysqlserver.key -out mysqlserver.crt
Now enable the SSL options in the httpd.conf file:
vi /usr/local/etc/apache24/httpd.conf
Listen 443
LoadModule ssl_module libexec/apache24/mod_ssl.so
Include etc/apache24/extra/httpd-vhosts.conf
Make sure these lines are uncommented (you will need to add Listen 443 yourself). Now edit the httpd-vhosts.conf file:
vi /usr/local/etc/apache24/extra/httpd-vhosts.conf
Change the paths in the port 80 directives and add the directive for port 443.
This is what it looks like at the end:
<VirtualHost *:80>
    DocumentRoot "/usr/local/www/apache24/data/"
    ServerName mysqlserver.home.com
    ServerAlias www.mysqlserver.home.com
    ErrorLog "/var/log/mysqlserver.home.com-error_log"
    CustomLog "/var/log/mysqlserver.home.com-access_log" common
</VirtualHost>
<VirtualHost *:443>
    DocumentRoot "/usr/local/www/apache24/data/"
    SSLEngine on
    SSLCertificateFile "/usr/local/etc/ssl/mysqlserver.crt"
    SSLCertificateKeyFile "/usr/local/etc/ssl/mysqlserver.key"
</VirtualHost>
Save the file and restart apache:
service apache24 restart
Go to https://your_jail_ip/phpMyAdmin
It will load after you add the certificate in the browser!
BrianCrymn
31 Mar 2020
Thanks for providing such an awesome post.
Klang
16 Apr 2020
Hi,
Thanks a lot. This is exactly what I’m looking for.
I’m new to FreeNAS. Can you please tell me how to Samba share the web root folder? I’ve tried and I can edit files from Windows, but it messes up Apache’s permissions so it won’t function as a web server anymore.
Thanks,
– Klang
JamesArrog
28 Apr 2020
say thanks to so a lot for your internet site it assists a lot.
Jonas
6 May 2020
I have been searching for a good tutorial for several days and none of them worked out as easy as yours. Many thanks for the easy to understand tutorial!