Saturday, 26 October 2013

Install Apache (and PHP & MySQL) on Windows: test your web pages at home

When you are making a web page, the easiest way of view a page stored in your hard disk is double-clicking the file, which results in the page being opened in your default browser. Although this method (which I still use sometimes) it's good enough for simple static pages, it's not helpful if you you are using server side languages (PHP, Perl, ASP...), or even for pages that are static but use links relative to the server root (like "/index.html" or "/css/styles.css"). In this situations the solution is either upload the files to the server of your web host (not feasible or desirable, quite cumbersome if the site is already open to the public) or set up a test server in your local computer/ network, which is the fast and safe way of testing your design changes.
Security considerations
Since testing is the main goal here, I won't talk about the security practices associate to Windows+Apache+MySQL+PHP. But with a simple step you can secure your test server from external attacks: configure your firewall to block all Internet access to the server, as only your computer (or your local network) needs access to it.
On other hand, don't think that test servers do not need any protection. If you leave server open to Internet, you will be exposed in the same way as production web sites, since crackers/ hackers often scans ranges of IP numbers looking for known vulnerabilities instead of targeting specific web sites.
Getting the installation files
Among all the versions available I'm going to show you MySQL 4.0.x and Apache2, PHP 4.4.x for this article. Apache2 because it's designed for working more efficiently on Windows than Apache 1.3.x while maintain the compatibility, PHP 4.4.x because mostly production environments have not migrate to PHP 5.x yet, and MySQL 4.0.x because versions 4.1 and higher only works with PHP 5.x . I do not provide the direct links to the files since these sites rely on mirrors for the downloads, and they release continuous minor updates/fixes, and hence the file names change.
Download the Win32 Binary (MSI Installer) (apache_2.0.xx-win32-x86-no_ssl.msi).
PHPhttp://www.php.net/downloads.php
Download the Windows binaries, both the ZIP package (php-4.4.x-Win32.zip) and the Installer (php-4.4.x-installer.exe).
MySQLhttp://dev.mysql.com/downloads/mysql/4.0.html
Download the Windows (x86) package (mysql-4.0.xx-win32.zip).
phpMyAdminhttp://www.phpmyadmin.net/home_page/downloads.php
A popular MySQL administration tool. Download the ZIP package (phpMyAdmin-2.x.x-plx.zip).
Setting up Apache
Installation
Double-click the .MSI file to launch the installation of Apache (Windows 98/Me users may need to install previously the MS Windows Installer). After accepting the license, you will be prompted for some information: Network domain, Server name and Administrator's email. Since this will be a test server, you can put whatever you want, but I recommend using your computer network name as server and domain, since this allows accessing the server from other computers in the local network by name instead of by IP number only. Then put a dummy email direction like "admin@networkname" (we don't need that feature). Consider the options of the bottom, use the recommended option even if you want to start the server manually (we'll see how to change this later). Windows 98/Me users must select the second option since that versions of Windows doesn't support system services.

Then choose Custom install and remove Build Headers and Libraries, since they are needed only for developing server extensions. You can remove the Apache Documentation if you don't need it. Also, you can change here the installation folder.



Press Next for starting the installation. If procedure is correct, the Apache service will be started and you'll notice a new icon in your system tray: the Apache Service Monitor. This is a accessible tool for manage the Apache service: you could start, stop and restart the service from here.
Note for Windows 98/Me users: You need to use the shortcut Start Apache in Console for starting the server. To close the server, press Ctrl+C on the Apache console window.
 Firewall permissions

At this point, if you have running a firewall in your computer (if not, you really should) you probably will get a notification about letting "Apache HTTP Server" or "Apache.exe" run as a server. My recommendations are:

  •          Access/outbound permissions. You should allow Apache outbound access to both the local network/trusted zones and to Internet, since you could need external access for some PHP scripts (e.g. a script that fetch an XML from another web site file for processing it).
    ·         Server/inbound permissions. You have to give Apache server permissions in the local network/trusted zones (or the firewall will block any connection attempts), but you should block the inbound access from Internet. Since the server is only intended for doing local tests, you don't need to expose yourself to hackers without reason. 

    Server configuration file

    Most of the Apache configuration is stored in the httpd.conf file located inside the "conf" subfolder of the Apache installation folder. There is also another file, httpd.default.conf, that contains the default configuration of the server (very useful if you mess something in the configuration and the server stops working).

    Changing the server root folder


    By default, the Apache uses as the server root the "htdocs" folder located inside its installation folder. That is the folder in which you have to put the files that are going to be served by Apache. If you wish to use some other, locate in httpd.conf the DocumentRoot option and put the folder that you want to use as server's root (surrounded by double quotes). Then go through a few lines below until you find the comment that reads "This [the following line] should be changed to whatever you set Document Root to", and follow its advice. Example, if you want to change the server root to “D:\Web server” you has to use the following configuration lines:

    DocumentRoot "D:/Web server"
    and several lines below:
    <Directory "D:/Web server">
    In the Windows version of Apache you could use slashes or backslashes indistinctly for path names; it would work the same (I use slashes since it's the usual way).
    Finally, restart the server to apply the changes. The next time you access to "http://localhost/" you should see listed the contents of new root folder. Here you can see two captures of the server root of one of my test machines, one from the same machine in which the server is installed, and the other from another machine in the same local network:





    Activating Apache modules

    Apache uses a series of modules to extend the server capabilities (like mod_ssl for adding support to secure connections or mod_rewrite for URL rewriting). By default, not all the modules are loaded. If you need to activate some of them, look for the modules section of httpd.conf (the one that contains a lot of LoadModule lines). If the line describing the module is commented (i.e. it begins with a "#") that module is not active, and you need to remove the comment character to activate it.
    For example, if you want to activate the mod_rewrite module, first you need to find the line describing that module:
    #LoadModule rewrite_module modules/mod_rewrite.so
    and then remove the "#" to activate it:
    LoadModule rewrite_module modules/mod_rewrite.so
    After this, restart the server to apply the configuration changes.
     ·         Addign a default character set. Although you can do this in your .htaccess file, if you want to put a default character set for all your pages, you can do it adding to the httpd.conf file a line like one of this:
    AddDefaultCharset ISO-8859-1
    AddDefaultCharset ISO-8859-15
    AddDefaultCharset UTF-8
    ...
    or whatever character set you need to use.
    A bit of troubleshooting
    Port 80 already in use. If you receive an error message like this:
    ERROR 1
    <OS 10048>Only one usage of each socket address <protocol/network address/port> is normally permitted. : make_sock: could not bind address 0.0.0.0.:80 no listening sockets available, shutting down
    Unable to open logs
    Note the errors or messages above, and press <ESC> key to ext. ...

    ERROR2
    [Sat Oct 09 14;22:48 2004] [error] <OS2>The system cannot find the specific
    ed. : no installed service named "Apache2".
    Note the errors or messages above, and press <ESC> key to exit
    it means that there is another server already running on port 80 (the default port used for HTTP connections). Only one application can listen for connections in a given port at the same time, so if you have active another server (like IIS), Apache can't use that port.
    The solution for this is as simple as close or disable the other program when you need to use Apache. If you don't know what program is using that port, you can use an utility like Active Ports or TCPView for getting the list of programs associated to any active port in the system.
    If for some reason you need to maintain the other program running in the port 80, you can change the port number in which Apache will listen for connections. You can use any port number that is not already used by another program between 1024 and 65535 (e.g. 8080, 8000, 10080, 12345...). For doing that open the httpd.conf file and find the following lines (they are located in different parts of the file):
    Listen 80
    ServerName your-server-name:80
    and then replace the 80 with the port number you want to use:
    Listen 8080
    ServerName your-server-name:8080
    After this you can access to the server using the host name plus the port number separated by a colon, like in this examples:
    http://localhost:8080/
    http://your-server-name:8080/

    Setting up PHP

    Installation

    The installation of PHP is bit odd since instead of using a single installation package you need the ZIP package and the installer package, since the installer does not contain the full PHP package (but it's useful for creating a working php.ini file easily). Also, the part of the PHP installer for configuring Apache hasn't been finished yet for versions 4.x, so we'll need to add some lines to httpd.conf.
    First, unpack the contents of the ZIP file to the folder in which you want to install PHP. Note that the ZIP package already contains a folder named "php-4.4.x-Win32", so if you unpack the file in "C:\Program Files\PHP\" the PHP files will be stored in "C:\Program Files\PHP\php-4.4.x-Win32\". Do not use the option of not extracting folders/pathnames or PHP would not work.
    Then run the installer and select the Standard installation. In the next panel select the folder in which you unpacked the PHP package (the folder that contains the php.exe file). Left unchanged the panel about SMTP configuration (SMTP won't run on Windows unless you install an SMTP server) and in the next panel selects Apache from the list of servers. Finally, press Next to start the installation. If all goes fine, the installer will create a php.ini file in the Windows folder with the PHP configuration, and some directories in the PHP folder.

    Changes to the Apache configuration

    Before enabling the Apache module for PHP, you need to copy the file php4ts.dll located in the PHP installation folder to the System folder (usually "C:\Windows\System" for Windows 98/Me, "C:\Winnt\System32" for Win2000 and "C:\Windows\System32" for WinXP).
    Then you need to enable PHP in the Apache server. Supposing that you installed PHP in "C:\Program files\PHP", you need add the following lines at the end of the modules section of httpd.conf:
    LoadModule php4_module "c:/Program files/PHP/sapi/php4apache2.dll"
    AddType application/x-httpd-php .php
    Finally, locate the DirectoryIndex option and add "index.php" at the end of that line. The resulting line should be:
    DirectoryIndex index.html index.html.var index.php
    After restarting the Apache server, you should note that the index of the server root now shows "Apache/2.0.xx (Win32) PHP/4.4.x" at the bottom of the page. If you want to test the new configuration, create a file named "index.php" in the server root folder and put inside the following line:
    <?php phpinfo(); ?>
    After saving the file, if you open "http://localhost/" in your browser you should get something like this:

    Activating useful PHP extensions

    As well as Apache, PHP use extensions to extend its capabilities. By default, all of the extensions of PHP are disabled. If you need to activate a extension, look for the extensions section of the php.ini file (it begins with Windows Extensions). Then locate the line with the module you want to activate and remove the comment (the ";" character) present at the beginning of the line.
    Some of the extensions require additional DLL's to work. That DLL'S are located in the "dlls" subfolder inside of the PHP folder and must be copied your System folder prior to activating those extensions. In the table below you can see a list of the most common extensions that need additional DLL's: 
    ExtensionRequires
    php_curl.dlllibeay32.dll, ssleay32.dll
    php_domxml.dlliconv.dll
    php_iconv.dlliconv.dll
    php_ldap.dlllibeay32.dll, ssleay32.dll
    php_msql.dllmsql.dll
    php_mssql.dllntwdblib.dll
    php_openssl.dlllibeay32.dll
    php_xslt.dllsablot.dll, expat.dll, iconv.dll
    For example, if you want to activate the extensions "php_domxml.dll" (for DOM XML functions) and "php_gd2.dll" (for image functions), you need to uncomment the following lines:
    extension=php_domxml.dll
    extension=php_gd2.dll
    And since "php_domxml.dll" requires "iconv.dll", you need to copy that file to your System folder.

    "Hey, my old PHP code doesn't work!"

    If after setting up your local server you fing that some of your code doesn't work on it, is highly probable that you are still relying in the deprecated register_globals option of the php.ini file. This option has been disabled by default in PHP for more than three years due to security issues, and consequently very few hosting providers enable it nowadays. Anyway, a few administrators still enable it in order to support legacy code (which is an invitation to having your site hacked if the hosted PHP code doesn't make the proper security checks).
    The typical example of code that rely on register_globals is when you use the data posted by a form in this way:
    First file: source.php
    <form action="destination.php" method="post">
      Enter your text here: <input type="Text" name="some_text">
      <input type="submit">
    </form>
    Second file: destination.php
    <?php echo $some_text ?> // bad! relying on register_globals!
    The right way of using the form variables in destination.php in PHP is through the server superglobals:
    <?php echo $_POST['some_text'] ?>
    or if you use GET instead of POST:
    <?php echo $_GET['some_text'] ?>
    In the same way, if you need to get the document root you have to use $_SERVER['DOCUMENT_ROOT'] instead of$DOCUMENT_ROOT. For more information, take a look to the following pages of the PHP manual:
    Superglobals variables: http://www.php.net/variables.predefined
    Security issues of Register Globals: http://www.php.net/register_globals

    Setting up MySQL

    Installation

    The MySQL installation is pretty straightforward since you doesn't need to modify anything in the Apache or PHP configuration. To begin the installation, run the setup program and select the destination folder if you don't want to use the default one. Then choose Custom and deselect Examples, Libraries, Includes and Script files. You can deselect also the MySQL Documentation if you already have it.


    Press Next for starting the installation. After it finish, you need to install the MySQL service, since the setup program of versions 4.0.x doesn't install it. Fortunately, the MySQL package includes an utility that simplifies greatly this task.
    First you need go to the MySQL installation folder, as the setup doesn't create either any shortcuts in the Start Menu (don't ask me why). In the "bin" subfolder locate the file winmysqladmin.exe and execute it. The first time this tool is executed, it'll ask you for an user name & password, enter the one you want to use. You don't need this user & password for your scripts, but the tool use it for polling the server status and display detailed information about it.



    After pressing OK the tool will create a new configuration file for the MySQL server in the Windows folder (my.ini), and a semaphore icon will appear in the taskbar. Also, the program will install the MySQL service using the values of the configuration file. If the semaphore shows the red light on, right click on that icon and select Win NT -> ShuDown this tool for closing the program, and then launch it again (with some system configurations it doesn't install the service in the first run). This time it should show the green light on, indicating that the MySQL service is installed an running. The tool will create also a shortcut for it in the Start folder of the Start Menu.
    Note for Windows 98/Me users: Since these OS doesn't support services, you need to run mysqld.exe for starting the server. To close the server, press Ctrl+C on the MySQL console window.

    Installing phpMyAdmin

    phpMyAdmin is a very popular tool for managing the MySQL server and the databases. Since it's a PHP based application, installing it is as simple as unpacking the ZIP file in a folder inside the document root of Apache (note that the ZIP file already contains a folder). To access the application open your browser and navigate to that folder: supposing that your web root is "D:\Web server" and the folder in which you stored the script files is "D:\Web server\phpMyAdmin", you need to go to "http://localhost/phpMyAdmin/".



    If both Apache & MySQL servers are running, you should see the welcome screen without any further configuration, since phpMyAdmin is preconfigured to use the default configuration of MySQL.

    A few notes about MySQL users

    ·         By default, MySQL 4.0.x comes with the predefined user "root" with no password. You can use this user for themysql_connect() function.
    ·         If you want or need to create another user for your scripts, you can do it from phpMyAdmin using the Privilegessection. You can also add a password for the root user, but if you modify it you need to update the phpMyAdmin configuration. For doing that, go to the phpMyAdmin folder, locate the file config.default.php and copy it asconfig.inc.php. Then find following lines:
    $cfg['Servers'][$i]['user'] = 'root'; // MySQL user
    $cfg['Servers'][$i]['password'] = ''; // MySQL password
    and modify the last values with the new user & password. You can use here any other user you have created with admininstrator privileges.

    Final notes


    You should take into account that the configuration of your test server may differ from your web host configuration. Although most of the pages/scripts will run in the same way, some things can behave different or won't work at all.
    For Apache, this problem is mainly an issue of having a different set of active modules than in your web host, and of course, this can be solved activating or deactivating that modules. Besides this, the configuration options of httpd.confare mostly related to security and technical issues (like supporting subdomains, adding virtual folders...). Usually, the configuration relative to pages (URL rewriting, redirects...) is stored in .htaccess files.
    For PHP the differences in the configuration are more relevant since they can modify how some scripts works (like the already mentioned register_globals option). The configuration set by the PHP installer includes the set of options recommended by PHP.net, which is used by most servers, but the final configuration is in the hands of the server administrator.
    For example, an usual configuration change for production environments is suppressing the display of error messages that aren't critical, and thus limiting the information available to possible attackers. Although this change doesn't affect the behaviour of the scripts, you can be greeted with a lot of "E_NOTICE" errors the first time you run your scripts in your test server.
    An related to MySQL, the main difference probably would be that in the test server you have full administrator rights while in your web host you won't have some of that rights. This shouldn't affect scripts, since in a properly configured server you should have all the rights needed for quering and managing your databases, and you can create an user with the same limitations of the one you have in your web server. Another difference is that you will have a different user & password in your web host, but you can replicate it in the test server.
    Anyway, having a test server in your computer can speed up the development on your pages and scripts, and allows developing and testing server scripts even when you don't have an Internet connection available.


No comments:

Post a Comment