OpenBSD as an E-Commerce Solution With PrestaShop and Apache

Last Updated: Thu, Mar 19, 2020
BSD Business Web Servers

Introduction

This tutorial demonstrates OpenBSD as an e-commerce solution using PrestaShop and Apache.

Apache is required because PrestaShop has complex URL rewriting requirements that are not supported by OpenBSD's built-in web server, httpd. This tutorial uses self-signed certificates. Please use a verified certificate for production.

Preparation Tasks

Temporarily create a regular user allowed to use doas without a password. This access will be removed after setup.

useradd -c "Example User" -m -G wheel -L staff auser

passwd auser

echo 'permit nopass keepenv :wheel' > /etc/doas.conf

Add the OpenBSD package repository.

echo 'https://cdn.openbsd.org/pub/OpenBSD' > /etc/installurl

Forward daily status and security emails to your address.

echo 'hostmaster@example.com' > /root/.forward

Set the hostname of the server.

echo 'www.example.com' > /etc/myname

hostname www.example.com

Add your server's FQDN and IP address to /etc/hosts.

Replace 192.0.2.1 with your Vultr IP address.

127.0.0.1    localhost

::1          localhost

192.0.2.1    www.example.com

Add the required packages for PrestaShop and Apache. Choose the latest versions when prompted.

doas su

pkg_add apache-httpd php php-curl php-gd php-intl php-pdo_mysql php-zip mariadb-client mariadb-server wget unzip

Create a self-signed SSL certificate for testing. Set Common Name to the FQDN of your server, e.g. www.example.com.

openssl req -x509 -new -nodes -newkey rsa:4096 -keyout /etc/ssl/private/example.com.key -out /etc/ssl/example.com.crt -days 3650 -sha256

chmod 0600 /etc/ssl/private/example.com.key

Download and Extract PrestaShop

Locate the URL for the latest version of PrestaShop, download to /tmp and extract to /var/www/htdocs/prestashop.

cd /tmp

wget https://download.prestashop.com/download/releases/prestashop_1.7.6.4.zip

unzip prestashop_1.7.6.4.zip -d /var/www/htdocs/prestashop

chown -R www:www /var/www/htdocs/prestashop

Configure OpenBSD's (pf) Firewall

Configure the firewall to block all inbound traffic except for ssh, www and https.

Make a backup copy of /etc/pf.conf.

cp /etc/pf.conf /etc/pf.conf.bak

Edit /etc/pf.conf as shown.

set skip on lo



block in

pass out  



pass in on egress inet proto tcp to port {ssh, www, https} \

    flags S/SA keep state

Test and activate the firewall rules.

doas pfctl -nf /etc/pf.conf

doas pfctl -f /etc/pf.conf

Configure OpenSMTPD as an Email Relay

Back up your /etc/mail/smtpd.conf file.

cp /etc/mail/smtpd.conf /etc/mail/smtpd.conf.bak

Edit /etc/mail/smtpd.conf as shown below.

Notes:

  • The table definition for secrets holds the username and password for the mail relay.

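  • The outbound action looks up the username and password under the label prestashop in /etc/mail/secrets and relays the email through your email server.

  • tls no-verify relays without validating the mail server's certificate. Remove no-verify once the relay presents a certificate that validates.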

    table aliases file:/etc/mail/aliases
    
    table secrets file:/etc/mail/secrets
    
    
    
    listen on lo0
    
    
    
    action "local_mail" mbox alias <aliases>
    
    action "outbound" relay host smtp+tls://prestashop@mail.example.com:587 \
    
        tls no-verify auth <secrets>
    
    
    
    match from local for local action "local_mail"
    
    match from local for any action "outbound"
    

Create /etc/mail/secrets

Replace the email address and password with the credentials that you use for your email server.

echo "prestashop user@example.com:password" > /etc/mail/secrets

Set permissions to secure /etc/mail/secrets.

chmod 0600 /etc/mail/secrets

Test the configuration file for errors and restart the smtpd daemon.

smtpd -n

rcctl restart smtpd
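
A check for the relay setup above, as an added example that is not part of the original article: it confirms that the label in the relay URL has an entry in the secrets table and that the file is closed to group and other users. The function names and the scratch files built by demo are constructed for illustration.

```sh
#!/bin/sh
# Added example: verify the smtpd relay label and the secrets file mode.

# relay_label CONF: print the label from "relay host proto://LABEL@host".
relay_label() {
    sed -n 's|.*relay host [a-z+]*://\([^@/ ]*\)@.*|\1|p' "$1" | head -n 1
}

# check_secrets CONF SECRETS: return 0 only if every check passes.
check_secrets() {
    conf=$1 secrets=$2 rc=0
    label=$(relay_label "$conf")
    [ -n "$label" ] || { echo "no labelled relay in $conf"; return 1; }
    # A table entry is "label user:password"; match the key, never print the value.
    if ! awk -v l="$label" '$1 == l && $2 ~ /^[^:]+:.+/ { found = 1 }
                            END { exit !found }' "$secrets"; then
        echo "label '$label' missing or malformed in $secrets"; rc=1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -ld "$secrets" | cut -c1-10)
    case $mode in
        -???------) ;;
        *) echo "$secrets has mode $mode; run chmod 0600 on it"; rc=1 ;;
    esac
    return $rc
}

# demo: build constructed files in a scratch directory and run the check.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'table secrets file:/etc/mail/secrets' \
        'action "outbound" relay host smtp+tls://prestashop@mail.example.com:587 \' \
        '    tls no-verify auth <secrets>' > "$d/smtpd.conf"
    printf 'prestashop user@example.com:password\n' > "$d/secrets"
    chmod 0600 "$d/secrets"
    check_secrets "$d/smtpd.conf" "$d/secrets" && echo "secrets table OK"
    rm -rf "$d"
}
demo
```

On the server, run it as root with `check_secrets /etc/mail/smtpd.conf /etc/mail/secrets`.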

Configure the PHP and PHP-FPM Environment

Configure the PHP-FPM process to listen on a TCP socket instead of a UNIX domain socket.

Make the following change in /etc/php-fpm.conf.

...

; If using a TCP port, never expose this to a public network.

;listen = /var/www/run/php-fpm.sock

listen = 127.0.0.1:9000

Make some additional changes to the PHP environment in /etc/php-7.3.ini. This file name may change slightly if the version is newer than 7.3. These changes:

  • Allow for larger files to be uploaded.

  • Disable the chrooted environment.

  • Configure PHP to send email via sendmail.

    ; Default Value: not set
    
    ;chroot = /var/www
    
    ...
    
    ; Maximum allowed size for uploaded files.
    
    ; http://php.net/upload-max-filesize
    
    upload_max_filesize = 6M
    
    ...
    
    ; For Unix only.  You may supply arguments as well (default: "sendmail -t -i").
    
    ; http://php.net/sendmail-path
    
    ;sendmail_path =
    
    sendmail_path = /usr/sbin/sendmail -t -i
    
    ...
    
    ; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
    
    ; http://php.net/allow-url-fopen
    
    allow_url_fopen = On
    
    ...
    
    ; Maximum size of POST data that PHP will accept.
    
    ; Its value may be 0 to disable the limit. It is ignored if POST data reading
    
    ; is disabled through enable_post_data_reading.
    
    ; http://php.net/post-max-size
    
    post_max_size = 12M
    

Enable the PHP plugins.

cp /etc/php-7.3.sample/* /etc/php-7.3/.

Enable and start the PHP-FPM daemon. The daemon name might be slightly different if the version is newer.

rcctl enable php73_fpm

rcctl start php73_fpm

Configuring MariaDB

MariaDB provides the database backend for PrestaShop. Because MariaDB needs more open files than the default class allows, create a special class in /etc/login.conf.

At the bottom of the file, add the following lines:

mysqld:\

      :openfiles-cur=1024:\

      :openfiles-max=2048:\

      :tc=daemon:

Install MariaDB.

doas su

mysql_install_db

rcctl enable mysqld

rcctl start mysqld

Configure MariaDB security.

mysql_secure_installation

Create the PrestaShop database. Use a strong password.

mysql -u root

CREATE DATABASE prestashop;

GRANT ALL PRIVILEGES ON prestashop.* TO 'prestashop'@'localhost' IDENTIFIED BY 'password123';

FLUSH PRIVILEGES;

EXIT

Configuring Apache

Back up /etc/apache2/httpd2.conf

cp /etc/apache2/httpd2.conf /etc/apache2/httpd2.conf.bak

Make the following changes to /etc/apache2/httpd2.conf, using # to enable and disable modules.

Listen 443

...

LoadModule mpm_event_module /usr/local/lib/apache2/mod_mpm_event.so

#LoadModule mpm_prefork_module /usr/local/lib/apache2/mod_mpm_prefork.so

LoadModule proxy_module /usr/local/lib/apache2/mod_proxy.so

LoadModule proxy_fcgi_module /usr/local/lib/apache2/mod_proxy_fcgi.so

LoadModule ssl_module /usr/local/lib/apache2/mod_ssl.so

LoadModule rewrite_module /usr/local/lib/apache2/mod_rewrite.so

...

ServerAdmin webmaster@example.com

ServerName 192.0.2.1:80

  • Several more changes in /etc/apache2/httpd2.conf occur towards the bottom of the file. Remove # from the include statements indicated.

  • Add the Virtual Hosting lines last.

    # Server-pool management (MPM specific)
    
    Include /etc/apache2/extra/httpd-mpm.conf
    
    ...
    
    # Virtual Hosts
    
    IncludeOptional /etc/apache2/sites/*.conf
    

Create the /etc/apache2/sites directory.

mkdir /etc/apache2/sites

Create /etc/apache2/sites/example.conf with the following information:

<VirtualHost *:80>

  ServerName example.com

  ServerAlias www.example.com

  ServerAdmin webmaster@example.com

  DocumentRoot "/var/www/htdocs/prestashop"



  <Directory "/var/www/htdocs/prestashop">

    Options -Indexes +Multiviews +FollowSymLinks

    AllowOverride All

    <Limit GET POST OPTIONS>

    </Limit>

    Require all granted

  </Directory>



</VirtualHost>



<VirtualHost *:443>

  ServerName example.com

  ServerAlias www.example.com

  ServerAdmin webmaster@example.com

  DocumentRoot "/var/www/htdocs/prestashop"



  <Directory "/var/www/htdocs/prestashop">

    Options -Indexes +Multiviews +FollowSymLinks

    AllowOverride All

    <Limit GET POST OPTIONS>

    </Limit>

    Require all granted

  </Directory>



  SSLEngine On

  SSLCertificateFile "/etc/ssl/example.com.crt"

  SSLCertificateKeyFile "/etc/ssl/private/example.com.key"

  SSLCipherSuite HIGH:!aNULL



</VirtualHost>

Configure Apache's proxy module by adding the following to /etc/apache2/sites/example.conf

<IfModule proxy_module>

  <IfModule dir_module>

    DirectoryIndex index.php

  </IfModule>

  <FilesMatch "\.php$">

    SetHandler "proxy:fcgi://127.0.0.1:9000"

  </FilesMatch>

</IfModule>

Test the configuration, then enable and start Apache.

apachectl configtest

rcctl enable apache2

rcctl start apache2

Ensure that Apache is listening on ports 80 and 443.

netstat -ln -finet



Active Internet connections (only servers)

Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)

tcp          0      0  *.443                  *.*                    LISTEN

tcp          0      0  127.0.0.1.25           *.*                    LISTEN

tcp          0      0  *.22                   *.*                    LISTEN

tcp          0      0  *.80                   *.*                    LISTEN

tcp          0      0  127.0.0.1.3306         *.*                    LISTEN

tcp          0      0  127.0.0.1.9000         *.*                    LISTEN
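
The same check as a script, added here as an example and not part of the original article: it flags any listener outside 127.0.0.1 whose port is not one the pf rule admits (ssh, www, https). The function names and the second sample, with PHP-FPM misbound, are constructed.

```sh
#!/bin/sh
# Added example: audit `netstat -ln -finet` output against this tutorial's layout.
# Assumption: only the ports passed by the pf rule (22, 80, 443) may listen on a
# non-loopback address; smtpd, MariaDB and PHP-FPM must stay on 127.0.0.1.
PUBLIC_PORTS="22 80 443"

# audit_listeners: read netstat output on stdin, print one line per exposed
# socket, and return 1 if any were found.
audit_listeners() {
    awk -v public="$PUBLIC_PORTS" '
        BEGIN { n = split(public, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            port = $4; sub(/.*\./, "", port)       # text after the last dot
            host = $4; sub(/\.[^.]*$/, "", host)   # text before the last dot
            if (host != "127.0.0.1" && !(port in ok)) {
                printf "EXPOSED %s (port %s)\n", $4, port
                bad = 1
            }
        }
        END { exit bad + 0 }
    '
}

# sample_ok: the listener table shown in the article.
sample_ok() {
    cat <<'EOF'
tcp          0      0  *.443                  *.*                    LISTEN
tcp          0      0  127.0.0.1.25           *.*                    LISTEN
tcp          0      0  *.22                   *.*                    LISTEN
tcp          0      0  *.80                   *.*                    LISTEN
tcp          0      0  127.0.0.1.3306         *.*                    LISTEN
tcp          0      0  127.0.0.1.9000         *.*                    LISTEN
EOF
}

# sample_bad: constructed variant with PHP-FPM bound to every address.
sample_bad() {
    sample_ok | sed 's/127\.0\.0\.1\.9000 /*.9000         /'
}

sample_ok | audit_listeners && echo "listeners match the firewall policy"
sample_bad | audit_listeners || echo "fix the bindings listed above"
```

On the server, feed it live data with `netstat -ln -finet | audit_listeners`.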

Install PrestaShop

Browse to your website at http://www.example.com. The PrestaShop install wizard will launch.

Once you complete the install, take note of the store front and administrative links and delete the directory /var/www/htdocs/prestashop/install.

Enable SSL.

  • Click Shop Parameters

  • Click General

  • Enable SSL for all parts of your store

Change your administrative password.

  • Click Advanced Parameters

  • Click Team

  • Change your password.

Some Final Tasks

Back up your store and its database:

cd /var/www/htdocs

doas tar cvfz /home/auser/prestashop.tar.gz prestashop/

doas mysqldump -u prestashop -p prestashop | gzip -4 > /home/auser/prestashop.sql.tar.gz

doas chown auser:auser /home/auser/prestashop*

Remove doas access for your user account by recreating the doas.conf file.

echo 'permit keepenv :wheel' > /etc/doas.conf
