Real-World Windows 2000 Configuration: Getting Apache, PHP, MySQL, and phpMyAdmin to Work Together, Part 1

Wednesday Jul 31st 2002 by Scott Beatty
Share:

This two-part tutorial covers nearly every detail of one writer's quest to install and configure a Web server, server-side scripting language, database, and data administration application on Windows 2000. Part 1 focuses on how to get Apache 1.3.26 with Mod_SSL 2.8.10 and PHP 4.2.2 up and running.

Are you interested in installing the Apache Web server, the PHP server-side scripting language, and the MySQL database on a computer running a Windows 2000 operating system? Perhaps you would like to install the software on a Windows 2000 laptop in order to develop, demonstrate, or learn how to program a database-driven Web site. All of this high-quality software (excluding Windows) is free (there may be a charge for the database software, depending on how it is used). Conveniently, the versions of these programs that are meant to be run on Windows are available as pre-built binaries.

This article explains how I installed and configured Apache 1.3.26 with Mod_SSL 2.8.10, PHP 4.2.2, MySQL 4.0.2-alpha, and phpMyAdmin 2.3.0-rc4 on my Dell Latitude C800 laptop running Windows 2000 Professional. I used Apache 1.3.26, which is the old stable release, rather than 2.0.39, the current stable release, for at least three reasons (at this time):

  • PHP only has experimental support for Apache 2.0.
  • I haven't found a Windows build of Apache 2.0 with Mod_SSL compiled-in.
  • It appears that none of the Zend products are compatible with it.

If you are looking for Apache 2.0.39 installation information on Windows more information can be found in our sidebar article, "Using Apache 2.0.39." If you are thinking of installing Apache on Windows XP, please note the warning on the Apache Win32 binaries page.

Because Apache 1.3 isn't as stable on Windows as it is on other operating systems, you will not find many production Apache sites running on Windows. Also, although Apache 2.0 is designed to be more stable on Windows (and other systems) than Apache 1.3, I believe that until the combination of Apache 2.0 and PHP4 stabilizes you will not find many production sites running them on any operating system.

The article started out as the notes I compiled as I installed earlier versions of this software. It is a guide to one way to put the pieces of the puzzle together. As such, it can save developers a lot of time.

It is my intention that this article help others that are starting out, while also being useful to experienced developers. For developers coming from a Windows background (and there's potentially man of them out there), this article can be a smoother bridge to learning how to install, configure, and use this open source software. A lot of the information in this article is operating system independent. The article is more detailed than a typical introductory article, but it is pitched to multiple levels of expertise, and as the subjects are all interrelated, it is handy to have them collected in one article.

Please note that this tutorial is oriented toward configuring a stand-alone system, e.g., when the top-level URL is http://localhost/, or http://127.0.0.1/. For a networked environment, the modifications you'll need to make include changing the host name or IP number in the configuration files and scripts, and the site's SSL authentication certificate, if used.

My first piece of advice is to read the instructions. All of the pieces of software that will be mentioned include good documentation. I will tell you where to get the software and documentation, and which pieces you need for a basic setup. I will also go into additional detail in areas that I think might be of interest, with a significant amount of attention given to security concerns.

My second piece of advice is to keep abreast of security vulnerabilities. For example, while I was writing this article, PHP 4.2.2 came out as a result of a security vulnerability that was discovered in versions 4.2.0 and 4.2.1.

This article is primarily oriented to setting up a new system. If you have previously installed (or attempted to install) the software referred to in this article, and you want to start over with the approach that I will be describing, I recommend first backing up content, scripts, and other data that has previously been developed. Then, consider removing the old Web server, scripting, and database software.

Discuss this article in the ServerWatch discussion forum.

The Web Server: Apache - Installation and Configuration

More than half of all Web sites use the Apache Web server. For years, the stable Apache version was 1.3.x, and for a shorter period of time, 2.0.x was in development. In April of this year, Apache 2.0.35 was released and declared stable. One of its benefits is better cross-platform compatibility, including compatibility with Windows.

The current stable release of Apache 2.0 is 2.0.39. Windows binaries for it can be obtained from http://www.apache.org/dist/httpd/binaries/win32/. At the time of this writing, only a non-SSL Apache 2.0.39 build is available. Also, a non-SSL version of Apache 1.3.26 is available from the same page. (SSL stands for for Secure Sockets Layer, a security protocol for Internet messages. When you see a URL in your browser beginning with https:// you are using SSL.) If you have Microsoft System Installer, version 1.2 or greater (and it probably is already installed on your system), then either of these versions should install easily by double-clicking the .msi file that you can download. Please refer to the download page, and the installation information included with the distribution.

If you want to utilize Mod_SSL in order to add SSL capability to your Web site, go to http://www.modssl.org/contrib/ftp/contrib/ and download Apache_1.3.26-Mod_SSL_2.8.10-OpenSSL_0.9.6d-Win32.zip (or later) and OpenSSL-0.9.6d-Win32.zip (or later). Also, download the sample config file, openssl.cnf, from http://www.tud.at/programm/openssl.cnf (right click the link, and select Save Target As... the filename openssl.cnf).

To install Apache with Mod_SSL, first create the directory C:\Apache. Then, extract the files in the Apache_1.3.26-Mod_SSL_2.8.10-OpenSSL_0.9.6d-Win32.zip file, using a program such as WinZip. Place these extracted files in the C:\Apache directory. Then, create a directory C:\Apache\openssl, and a subdirectory, C:\Apache\openssl\bin. Move the config file to C:\Apache\openssl\bin. Next, from the OpenSSL-0.9.6d-Win32.zip file, extract openssl.exe to C:\Apache\openssl\bin, and extract libeay32.dll and ssleay32.dll to C:\WINNT\system32.

To create a test certificate for using SSL, open a command prompt window, enter a change directory command:

    cd C:\Apache\openssl\bin

and then enter the following commands:

    openssl req -config openssl.cnf -new -out localhost.csr
    openssl rsa -in privkey.pem -out localhost.key
    openssl x509 -in localhost.csr -out localhost.cert -req -signkey localhost.key -days 5000
    openssl x509 -in localhost.cert -out localhost.der.crt -outform DER

(Our sidebar article, "Creating Your SSL Test Certificate" offers additional information for those looking to set up an SSL test certificate.)

Then create a C:\Apache\conf\ssl directory, and move localhost.key, localhost.cert, and localhost.der.crt into it.

Note: The selection of 5000 days to certificate expiration is arbitrary.

Apache 1.3.26 comes with a default configuration file, named httpd.default.conf. The actual configuration file that Apache uses is httpd.conf, which initially is the same as httpd.default.conf. These two files are found in C:\Apache\conf. Keep the httpd.default.conf file unchanged, as a reference, and make the actual configuration changes to httpd.conf.

The following are the significant changes I made to the httpd.conf file provided with Apache_1.3.26-Mod_SSL_2.8.10-OpenSSL_0.9.6d-Win32.zip. (Please note that forward slashes are used in the paths.) In some cases, the information is the same, but it is included here to answer any possible questions.

Changes to httpd.conf

ServerRoot "C:/Apache"

Listen 80
Listen 443

LoadModule ssl_module modules/mod_ssl.so
LoadModule php4_module C:/php/sapi/php4apache.dll

AddModule mod_ssl.c
AddModule mod_php4.c

# Port 80

ServerAdmin webmaster@localhost

ServerName localhost

DocumentRoot "C:/Apache/htdocs"

<Directory "C:/Apache/htdocs">

    UserDir "C:/Apache/users/"

    DirectoryIndex index.php index.htm index.html

#CustomLog logs/access.log common

CustomLog logs/access.log combined

ServerSignature Off

    Alias /icons/ "C:/Apache/icons/"

    <Directory "C:/Apache/icons">

    # Alias /manual/ "C:/Apache/htdocs/manual/"

    # <Directory "C:/Apache/htdocs/manual">
    #     Options Indexes FollowSymlinks MultiViews
    #     AllowOverride None
    #     Order allow,deny
    #     Allow from all
    # </Directory>

    # ScriptAlias /cgi-bin/ "C:/Apache/cgi-bin/"
    # ScriptAlias /php/ "C:/php/"

    # <Directory "C:/Apache/cgi-bin">
    #     AllowOverride None
    #     Options None
    #     Order allow,deny
    #     Allow from all
    # </Directory<

    AddType application/x-httpd-php .php
    # AddType application/x-httpd-php-source .phps

    # AddHandler cgi-script .cgi

# Action application/x-httpd-php "/php/php.exe"

<IfModule mod_setenvif.c>
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</ifmodule>

# see http://www.modssl.org/docs/2.8/ssl_reference.html for more info
SSLMutex sem
SSLRandomSeed startup builtin
SSLSessionCache none

SSLProtocol -all +SSLv3
SSLCipherSuite HIGH:MEDIUM

SSLLog logs/SSL.log
# SSLLogLevel info
SSLLogLevel warn

<virtualhost localhost:443>
SSLEngine On
SSLCertificateFile conf/ssl/localhost.cert
SSLCertificateKeyFile conf/ssl/localhost.key
</virtualhost>

<Directory C:/Apache/htdocs/phpMyAdmin>
SSLRequireSSL
</Directory>

Regarding running Apache from the command line:

To test the syntax of the httpd.conf file: at a command prompt in the C:\Apache directory enter the command:

    apache -t

To start Apache: in the C:\Apache directory enter the command:

    apache

To stop Apache: in a separate command prompt window in the C:\Apache directory enter the command:

    apache -k shutdown

For more information, see http://www.tud.at/programm/apache-ssl-win32-howto.php3.

If you are interested in running Apache as a Windows service, the online documentation is at http://httpd.apache.org/docs/win_service.html.

Your Web site home page goes in the C:\Apache\htdocs directory, as do the subfolders for your site.

To test your SSL connection when Apache is running enter the following URL in your browser's address field:

    https://localhost/

A local copy of the Apache manual is included with the software. It is located in the htdocs folder. If you leave it there it will be available through your Web site. The manual for version 1.3.x is also available online at http://httpd.apache.org/docs/. The online manual for version 2.0.x is at http://httpd.apache.org/docs-2.0/.

The Windows shareware program that I like to use for comparing two versions of a configuration file is Compare It!.

If your browser recognizes http://127.0.0.1/ but not http://localhost/, check your hosts file. For Windows 2000, go to the C:\WINNT\system32\drivers\etc directory, and open the hosts file (there's no extension to the filename) with a text editor. The uncommented line should read:

127.0.0.1       localhost

Discuss this article in the ServerWatch discussion forum.

The Server-Side Scripting Language: PHP - Installation and Configuration

PHP is a very capable server-side Web-oriented scripting language used on many Web sites. Its usage is growing as are its capabilities. It is browser independent, and cross-platform.

You can obtain the latest stable release of PHP at http://www.php.net/downloads.php. If you are interested in development versions of the next Windows release, go to http://snaps.php.net/win32/. If you are looking for past release builds for Windows go to http://ftp.proventum.net/pub/php/win32/. Online documentation for installation on Windows, with user comments, is available at http://www.php.net/manual/en/install.windows.php. The file install.txt that comes with the distribution also explains PHP installation on Windows.

Another good source of installation information is the User Contributed Notes at the bottom of the online PHP documentation page for installing PHP on Apache: http://www.php.net/manual/en/install.apache.php. Documentation for offline use can be downloaded from http://www.php.net/download-docs.php. A good way to keep up with PHP developments is to read the PHP Weekly Summary at http://www.zend.com/zend/week/.

This tutorial, however, is about installing PHP as an Apache module. A module takes advantage of the Web server's native Server API, or SAPI. PHP as a module runs faster than PHP as a stand-alone CGI script, but on Windows it has been said that SAPI support is not as stable — although I haven't experienced any problems with my small-scale use of PHP as an Apache module on Windows.

To install PHP, extract the files and folders from the download, php-4.2.2-Win32.zip. For the sake of this article, I will assume that these extracted files are contained in a top-level folder titled php (rename the extracted folder php-4.2.2-Win32 to php). Like the Apache folder, put it at the root of the C:\ drive. Thus, the path to the folder is C:\php.

Then, copy the file php4ts.dll from C:\php into C:\WINNT\system32. Also, copy the mibs folder from C:\php into C:\usr (you may need to create the usr folder first).

The recommended configuration settings for PHP are given in the file php.ini-recommended, which is located in the php directory. To create the actual PHP configuration file that you will be using, you can copy php.ini-recommended, edit it, and rename it to php.ini. The php.ini file must be located in the C:\WINNT directory.

The following are the significant changes that I made to php.ini:

Changes to php.ini

short_open_tag = Off

display_errors = On

error_log="C:\php_log\php_errors.log"

include_path = ".;C:\phpinc"

doc_root = C:\Apache\htdocs

extension_dir = C:\php\extensions

file_uploads = Off

logging.directory = C:\php_log

session.save_path = C:\tempsessions

session.cookie_path =

session.cookie_secure = 1

Here are some comments on the changes noted above:

I turned off short_open_tag so that I could serve XHTML files, which begin with something like:

<?xml version="1.0" encoding="iso-8859-1" ?>

I turned display_errors to On to help with development. For production sites, it is recommended for security reasons that this be set to Off.

I created a directory C:\tempsessions to hold temporary session files.

For greater security, and for load balancing on larger sites, session data can be stored in a database rather than in files. This requires additional work, however, as the the custom session handling functions must be set up.

The following four references provide additional information (note that in the examples register_globals are On):

For a basic explanation on using include files see http://hotwired.lycos.com/webmonkey/99/21/index4a.html. I put my include files (*.inc) in C:\phpinc, outside of Apache's htdocs folder, for security reasons.

As can be seen from the configuration file, I created the directory C:\php_log to store my PHP error log, php_errors.log.

I used a directive, session.cookie_secure = 1 that ensures session cookies are sent only when SSL connections are available. If you need to use cookies in a non-SSL (i.e., regular) browser session, do not use this directive.

register_globals

The recommended configuration of PHP has register_globals set to Off, and I did not change that. This is done to make PHP more secure. The consequence; however, is scripts that were written based on register_globals set to On will not work properly until they are rewritten.

With register_globals set to Off, session variables can be accessed via the array variable $_SESSION, which is one of the superglobal arrays. For further information on register_globals, global variables, and superglobal arrays see:

http://www.securiteam.com/securityreviews/6P00G2A3FG.html
http://www.zend.com/zend/art/art-sweat4.php
http://www.php.net/manual/en/security.registerglobals.php
http://www.php.net/manual/en/language.variables.predefined.php
http://www.php.net/manual/en/ref.session.php

By the way, I "experimented" with using the least number of files to run basic PHP and found out that it runs with just four files: C:\php\php.exe, C:\php\sapi\php4apache.dll, C:\WINNT\php.ini, and C:\WINNT\system32\php4ts.dll.

Installing PHP on a Volume Other Than C:\

Here are my tips, based on my experiments on this subject:

  • Refer to the online documentation for installing PHP on Windows,
    http://www.php.net/manual/en/install.windows.php
  • Move the C:\php directory to the volume of your choice, e.g., E:\php
  • Put the php4ts.dll in the same directory as php4apache.dll, e.g., E:\php\sapi
  • Edit the Apache config file, httpd.conf:
       LoadModule php4_module E:/php/sapi/php4apache.dll
  • Edit the PHP config file, php.ini, accordingly. For example, if you want to locate the extensions directory and/or your include files on the E:\ drive, then the paths to them must be specified, e.g.,
       extension_dir = E:\php\extensions
       include_path = ".;E:\phpinc"
  • Keep the path to php.ini as C:\WINNT\php.ini
  • According to a User Contributed Note in the online documentation that I referenced above, when using Windows 2000 Advanced Server you must use forward slashes in php.ini when specifying the path to the PHP extensions directory , e.g.,
       extension_dir = E:/php/extensions

Once you get PHP installed, you can test to see if it is running using one of the simple scripts, such as "Hello World," or phpinfo(), given in the PHP Introductory Tutorial at http://www.php.net/tut.php

Discuss this article in the ServerWatch discussion forum.

Share:
Home
Mobile Site | Full Site
Copyright 2017 © QuinStreet Inc. All Rights Reserved