Broken LAMPS; PHP MySQL (Part 3)

In our prior missives, we have discussed tweaks to the core operating system, installing the Apache web server and modules; having discussed the L and the A, it is time to cover the M and P.

From Wikipedia:

MySQL (/ˌmaɪˌɛsˌkjuːˈɛl/) is an open-source relational database management system (RDBMS). Its name is a combination of “My”, the name of co-founder Michael Widenius’s daughter, and “SQL”, the abbreviation for Structured Query Language. A relational database organizes data into one or more data tables in which data types may be related to each other; these relations help structure the data. SQL is a language programmers use to create, modify and extract data from the relational database, as well as control user access to the database. In addition to relational databases and SQL, an RDBMS like MySQL works with an operating system to implement a relational database in a computer’s storage system, manages users, allows for network access and facilitates testing database integrity and creation of backups.

MySQL is free and open-source software under the terms of the GNU General Public License, and is also available under a variety of proprietary licenses. MySQL was owned and sponsored by the Swedish company MySQL AB, which was bought by Sun Microsystems (now Oracle Corporation). In 2010, when Oracle acquired Sun, Widenius forked the open-source MySQL project to create MariaDB.

MySQL has stand-alone clients that allow users to interact directly with a MySQL database using SQL, but more often MySQL is used with other programs to implement applications that need relational database capability. MySQL is a component of the LAMP web application software stack (and others), which is an acronym for Linux, Apache, MySQL, Perl/PHP/Python. MySQL is used by many database-driven web applications, including Drupal, Joomla, phpBB, and WordPress.

As we will be using an RDS MySQL server, our MySQL installation is very simple: we only need to install the MySQL client.

sudo apt-get update
sudo apt install mysql-client

One can test the installation by attempting to connect to your RDS instance:

mysql -h <RDS-HOSTNAME> -P 3306 -u <masterusername> -p

The RDS-HOSTNAME and masterusername are from your RDS setup; I have used a MySQL instance for this example, but one can also use MariaDB. There will be syntax changes in creating users and granting access, but that is another missive.

From Wikipedia:

PHP is a general-purpose scripting language especially suited to web development. It was originally created by Danish-Canadian programmer Rasmus Lerdorf in 1994. The PHP reference implementation is now produced by The PHP Group. PHP originally stood for Personal Home Page, but it now stands for the recursive initialism PHP: Hypertext Preprocessor.

PHP code is usually processed on a web server by a PHP interpreter implemented as a module, a daemon or as a Common Gateway Interface (CGI) executable. On a web server, the result of the interpreted and executed PHP code – which may be any type of data, such as generated HTML or binary image data – would form the whole or part of an HTTP response. Various web template systems, web content management systems, and web frameworks exist which can be employed to orchestrate or facilitate the generation of that response. Additionally, PHP can be used for many programming tasks outside of the web context, such as standalone graphical applications and robotic drone control. Arbitrary PHP code can also be interpreted and executed via command-line interface (CLI).

The PHP language evolved without a written formal specification or standard until 2014, with the original implementation acting as the de facto standard which other implementations aimed to follow. Since 2014, work has gone on to create a formal PHP specification.

As of January 2021, 72% of PHP websites use discontinued versions of PHP, i.e. PHP 7.2 or lower, which are no longer supported by The PHP Development Team. A large additional fraction uses PHP 7.3, which is only (up to December 6, 2021) “supported for critical security issues only.” Over 40% of all PHP websites use version 5.6 or older, that not even Debian supports (Debian 9 supported version 7.0 and 7.1).

Umm, “Over 40% of all PHP websites use version 5.6 or older”; we shall attempt to do a little better than that.

As there have been several rumors and comments that the PHP Git repository may have been compromised, we shall ensure we install the LATEST version of PHP 7.4. (PHP 8.0 is in release, but our target software (WordPress) seems to have various degrees of issues with it as a core element.)

Installation begins with the ritualistic updates and upgrades, thence the addition of the PHP primary repository and the installation of PHP and the necessary PHP modules to support WordPress.

# Update and Upgrade
sudo apt update
sudo apt upgrade

# Add the PHP ppa
sudo add-apt-repository ppa:ondrej/php
sudo apt update
# Yes another update

# And the install of php and friends
sudo apt install php7.4 libapache2-mod-php7.4 php7.4-mysql php-common php7.4-cli php7.4-common php7.4-json php7.4-opcache php7.4-readline php7.4-imagick

# As always
sudo apachectl configtest
sudo apachectl restart

We shall now create a test page to verify proper installation and operations.

# sudo is only needed on tee, which performs the privileged write
echo "<?php phpinfo(); ?>" | sudo tee /var/www/html/not-a-test.php
sudo chown www-data:www-data /var/www/html/not-a-test.php

Browsing to that file yields a large amount of data about Apache, MySQL, PHP, and the modules loaded. We use this to verify our installation and operations. One SHOULD REMOVE this file after the installation is complete, as it discloses versions, paths and configuration to anyone who can reach it.

One should note there are many methods of running PHP with a web server, all of which have definite advantages and disadvantages; as this is a BASIC review of setup centering on security, we shall leave these to another missive.

One item displayed in the phpinfo page is the path of the currently loaded php.ini file.

We will want to examine this file to ensure the proper settings for a production PHP server are enabled. The default file shipped is the production variant and is well commented, but one may still want to review it. As this will be a WordPress installation, a few additions to the loaded php.ini are in order.

sudo nano /etc/php/7.4/apache2/php.ini

; Append at the bottom of the file (php.ini comments begin with ';', not '#')
; WordPress Recommended Adjustments
upload_max_filesize = 32M
post_max_size = 48M
memory_limit = 256M
max_execution_time = 600
max_input_vars = 1000
max_input_time = 400

# Thence save, test your configs and restart apache
sudo apachectl configtest
sudo apachectl restart
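As an added example (not code from the missive), the script below audits a php.ini for a few production directives and for the WordPress adjustments just appended, so the review of the loaded file can be repeated after every upgrade. The real target is assumed to be /etc/php/7.4/apache2/php.ini; the two sample files it builds are constructed here, and the directives expose_php, display_errors and allow_url_include are my additions, not settings the post lists.

```shell
# Added example, not from the missive: audit a php.ini for the production
# hardening directives and the WordPress adjustments discussed above.
# Assumed real target: /etc/php/7.4/apache2/php.ini; two constructed sample
# files are built below so the script runs offline.
# Effective value of a directive: the last uncommented assignment wins, as in
# php.ini itself; ';' starts a comment and trailing inline comments are stripped.
ini_get() {  # ini_get <file> <directive>
    grep -E "^[[:space:]]*$2[[:space:]]*=" "$1" | tail -n 1 \
        | sed -E -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*(;.*)?$//'
}

# Returns 0 when the directive equals the expected value, 1 otherwise.
ini_expect() {  # ini_expect <file> <directive> <expected>
    local actual; actual=$(ini_get "$1" "$2")
    [ "$actual" = "$3" ] && return 0
    printf 'MISMATCH %s: expected %s, got %s\n' "$2" "$3" "${actual:-<unset>}" >&2
    return 1
}

# Runs every check; the return code is the number of failing directives.
audit_php_ini() {  # audit_php_ini <file>
    local f=$1 fails=0
    # php.ini-production defaults that must survive later edits
    ini_expect "$f" expose_php Off          || fails=$((fails + 1))
    ini_expect "$f" display_errors Off      || fails=$((fails + 1))
    ini_expect "$f" allow_url_include Off   || fails=$((fails + 1))
    # WordPress adjustments appended in this missive
    ini_expect "$f" upload_max_filesize 32M || fails=$((fails + 1))
    ini_expect "$f" post_max_size 48M       || fails=$((fails + 1))
    ini_expect "$f" memory_limit 256M       || fails=$((fails + 1))
    return "$fails"
}

# Constructed sample 1: a correctly edited file (the commented-out line is ignored)
GOOD_INI=$(mktemp)
cat > "$GOOD_INI" <<'EOF'
expose_php = Off ; do not advertise the PHP version in response headers
;display_errors = On
display_errors = Off
allow_url_include = Off
upload_max_filesize = 32M
post_max_size = 48M
memory_limit = 256M
EOF
# Constructed sample 2: display_errors flipped on and memory_limit at the default
BAD_INI=$(mktemp)
sed -e 's/^display_errors = Off/display_errors = On/' \
    -e 's/^memory_limit = 256M/memory_limit = 128M/' "$GOOD_INI" > "$BAD_INI"
audit_php_ini "$GOOD_INI" && echo "php.ini: all checks passed"
audit_php_ini "$BAD_INI" || echo "php.ini: $? directive(s) need attention"
```

Point audit_php_ini at the live file to check the running configuration; the non-zero exit code makes it usable from a cron job or a deployment check.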

We have now installed, configured, reviewed, and tested the LAMP section of the LAMPS stack.

Previously we acquired an SSL certificate and applied it via certbot, thence made configuration changes to tighten the SSL stack. One must not assume that all users will use modern or up-to-date browsers; a close examination of your web log files will provide some guidance as to how restrictive one may be. I think leaving weak and insecure protocols active to serve one user out of two hundred is not an acceptable choice. But alas, this is a business decision, and we will leave it at that.