Make sure Apache is running

First of all you need to make sure Apache is actually running. Open up System Preferences > Sharing and enable Web Sharing by checking the box. Or if you prefer using Terminal you can type the following (you’ll be prompted for your password):

cd /var/vhosts/sitename.com/conf

Now if you visit http://localhost in your browser you should see a default holding page.

Enable Virtual Hosts

First of all you’ll need to enable virtual hosts since they are disabled by default. I’m assuming you have TextMate installed (if you haven’t you should) otherwise you can substitute ‘mate’ for ‘pico’, ‘vi’, ‘mvim’ or whichever editor you prefer for the following commands.

vi vhost.conf

Find the following line:

<Directory /var/www/vhosts/sitename.com/httpdocs>
php_admin_flag safe_mode off
php_admin_value open_basedir none
</Directory>

and remove (uncomment) the # from the beginning so it now reads:

/usr/local/psa/admin/bin/httpdmng --reconfigure-all

Enable PHP5

While you have httpd.conf open it’s a good time to enable PHP5 too.

Find the following line:

/usr/local/psa/admin/bin/httpdmng --reconfigure-domain yourdomain.com

and remove (uncomment) the # from the beginning so it now reads:

cd /var/vhosts/sitename.com/subdomains/subdomainname/conf

Now save and close httpd.conf as we’re done with it for now. In the future if you ever need to enable or disable additional modules this is the place to do it.

Adding the Virtual Hosts

Next you’ll want to add your virtual hosts so Apache knows where to find your local sites.

/etc/init.d/sshd restart

You can safely remove the two existing virtual host examples in there and add in the following:

su

You’ll need to add a virtual host for every local site you want to setup. My local sites are stored in my Sites folder but you can change this if you wish. Make sure you set your short username in both paths to your site root, the directory name of your site and the server name to something relevant to you. Remember your server names, you’ll need these in the next step.

Save and close httpd-vhosts.conf

Adding the local hosts

vi /etc/ssh/sshd_config

Add in the following. You’ll of course need to replace mysite.local with whatever you called your site in the previous step. Make sure you add each site host on a new line.

#Port 22

At this point you can check to see if virtual hosts are working as expected, once you’ve saved your hosts file you’ll need to restart Apache so it picks up the changes you’ve just made.

Port 1099

All going well Apache should restart without error. If you now visit mysite.local in a web browser you should be presented with the root of your site. If you’ve no content you can always drop a phpinfo.php file in there and check things are working as expected.

If Apache hasn’t restarted successfully check to ensure everything is correct and that you don’t have any strange invisible characters in your httpd-vhosts.conf file from copying and pasting examples. If you’re still having troubles open up Console (Applications > Utilities > Console) and check your Apache error log for clues.

Installing MySQL

If you’re setting up MySQL driven sites then you’re probably looking at a database error right now. Let’s sort that out.

First of all go and download MySQL for Mac OS 10.6 – you’ll most likely be needing the 64bit DMG version.

Install MySQL first, then the startup item and finally the preference pane. When you’re ready open up system preferences and start the MySql server from the preference pane.

Next you’ll need to make sure Apache knows about our newly installed MySQL server and that brings us to…

Fixing php.ini

You need to rename the php.ini.default to php.ini so that Apache loads it up and honors any changes you make to it.

/etc/init.d/sshd restart

You then need to replace three occurrences of:

ssh you@domain.com -p 1099

to:

Allow incoming from all on port 1099/tcp

While you’re here you can also fix the timezone error that will occur if you’re using the PHP date() function as there is no timezone set by default.

Find the following line:

date.timezone =

and add in your timezone as specified in the PHP documentation like this:

date.timezone = "Europe/London"

If for some reason you need to run software which requires short tags then you can enable this here too. Simply change:

short_open_tag = Off

to:

short_open_tag = On

You can also change other useful settings in here to meet your requirements. When you’re done in php.ini save the file and restart Apache again:

Port 1099

Managing Local Databases

Now that you have a database connection you’ll need some way of creating and managing databases. Of course you can use the command line at this point to do that but at a minimum you should change the default root password:

/usr/local/mysql mysqladmin -u root password 'newpassword'

You’re then free to install PHPMyAdmin (set it up as a local site) or use a free application like Sequel Pro to connect to your MySQL server with your new credentials where you can then import your databases and setup relevant users. Personally I prefer Sequel Pro as it’s easier to connect to remote servers.

Apple Updates

Be careful of updating Snow Leopard though Software Update as Apple have a habit of applying security patches to Apache that can sometimes overwrite your changes without listing them in the main change log (you’ll have to hunt through the logs on the Apple site). Because of this I’d at least backup your httpd-vhosts.conf and changes to php.ini just in case.

Still Having Troubles?

Take a look at MAMP, especially if you need PHP 5.2 support as there will come a time when you need PHP 5.3 as well so this gives you the flexibility to easily switch between versions.

One of the drawbacks of upgrading to the Media Temple (dv) 4.0 is that by default PHP 5.3 doesn’t have the ionCube loaders installed, heres a quick guide on getting sites that require ionCube loaders running again.

Of course you’ll be needing root access to do this so you’ll need root access and the developer tools enabled in the Media Temple account centre. Once you’re successfully SSH’d into your server create a new folder somewhere memorable to download files so things don’t get messy.

cd /var/vhosts/sitename.com/conf

vi vhost.conf

<Directory /var/www/vhosts/sitename.com/httpdocs>
php_admin_flag safe_mode off
php_admin_value open_basedir none
</Directory>

Next you’ll need to download the correct ionCube loader package like this:

/usr/local/psa/admin/bin/httpdmng --reconfigure-all

Untar the loaders using the following command:

/usr/local/psa/admin/bin/httpdmng --reconfigure-domain yourdomain.com

cd /var/vhosts/sitename.com/subdomains/subdomainname/conf

Move the PHP 5.3 loader module to where the rest of the modules are to ensure it gets loaded properly:

/etc/init.d/sshd restart

Next we need to tell PHP to load these new modules, to do this you can create an .ini file. Change directory to /etc/php.d and we’ll make the file in there.

su

Create the following .ini file using this command (vi automatically creates a file that doesn’t exist):

vi /etc/ssh/sshd_config

Add in the following as the first line of the and save/close.

#Port 22

Finally you’ll need to restart httpd for the module to be loaded like this:

Port 1099

That’s all there is to it! You should now be able to successfully run ionCube encoded files.

Disable ssh for root

One of the best things you can do is disable direct assess to root via SSH, instead setup another user for SSH with a custom username and switch to root via that account. SSH as root to your server and let’s create a new user:

cd /var/vhosts/sitename.com/conf

vi vhost.conf

Set the password for this user, it’s recommended you use something strong as this user account has SSH access to the server.

<Directory /var/www/vhosts/sitename.com/httpdocs>
php_admin_flag safe_mode off
php_admin_value open_basedir none
</Directory>

It’s a good idea now to open another SSH session and log into the server using the username and password you’ve just setup. Because your about to disable SSH for root you need to ensure you can still access SSH to avoid locking yourself out.

Once your absolutely sure that this user is working you can edit the sshd config like this:

/usr/local/psa/admin/bin/httpdmng --reconfigure-all

Then find the following line

/usr/local/psa/admin/bin/httpdmng --reconfigure-domain yourdomain.com

and change it to (note the line gets uncommented)

cd /var/vhosts/sitename.com/subdomains/subdomainname/conf

Finally restart sshd for your changes to take effect.

/etc/init.d/sshd restart

Now you will no longer be able to SSH directly as root. To assume root privileges instead SSH as the user you’ve just setup and simply type:

su

Where you will be prompted for your root password to gain super user privileges.

Disable ping response

By default anyone (or anything) that pings your server IP address will receive a response making it a sure thing that a server exists on that address. You can stop your server responding and having to deal with any unnecessary ping requests.

Log into Plesk and select Settings > Firewall > Edit Firewall Configuration > Ping Service

Select deny if you want to disallow all ping requests or if you have a static IP address then you can tell the firewall to just respond to your ping requests and ignore all others by selecting allow from selected sources and entering your IP address – useful for troubleshooting.

You’ll need to hit Activate to apply the changes you’ve made, now when anyone tries to ping your server they’ll receive a request time out as if I didn’t exist at all.

Do be aware that the server will now not respond to any ping requests from uptime monitoring software, if you are monitoring a website then you should be using a http check anyway and most tools will support this.

Change the default SSH port

Changing the default SSH port improves security because it stops automated tools and port scanners from tying to log into your server with common lists of passwords. You should set this to a number above 1024 which will help to prevent port scanners from picking it up.

vi /etc/ssh/sshd_config

Find the line that says

#Port 22

Change to any number above 1024 (note the line gets uncommented)

Port 1099

Restart sshd with the following command:

/etc/init.d/sshd restart

Now when you connect via SSH you’ll need to specify a port to connect to using the -p flag.

ssh you@domain.com -p 1099

This will also affect STFP connections too so ensure that the port is set correctly when you connect

Use SFTP

You can use SFTP instead of regular FTP, using SFTP is more secure as the connection is going over SSH which is encrypted.

Login to the account control panel for the account you want to five SFTP to via Plesk and select Websites & Domains > FTP Access

Select the existing FTP user account and then change access to the server over SSH setting to /bin/bash (chrooted) to allow this user SFTP access to their own files.

If you’re sure you don’t need it you can disable regular FTP by setting a deny all on the Firewall.

Log into Plesk and select Settings > Firewall > Edit Firewall Configuration > FTP Service

Select deny if you want to disallow all standard FTP connections or if you have a static IP address then you can tell the firewall to just allow your standard FTP connections and ignore all others by selecting allow from selected sources and entering your IP address.

If you have set a custom port for SSH as above then after disabling connections to FTP I had to set up an additional firewall rule to get SSH and SFTP to work on a custom port.

Allow incoming from all on port 1099/tcp

Use a super secure Root password

You can set the root password for your server by logging into the account center and selecting Admin > Root Access & Developer Tools > Change Root Password

Use a password generator to get a super secure 50 character password with a mix of uppercase/lowercase numbers and special characters.

Store it in a password management system like 1Password for Mac or 1Password for Windows.

You should barely be using the root account, instead look into giving your newly created user sudo (super user do) privileges so you can still perform commands that require root privileges without actually being signed into the root account. You’ll have to set another sudo password for your day-to-day account so again make sure this is nice and secure.

Normally you shouldn’t be disabling this unless you have a good reason, but there are some cases where it’s useful like keeping administration control panels above the www root on the account.

First of all SSH to your server and gain root access.

cd /var/vhosts/sitename.com/conf

Replace sitename.com in the above command with the domain name of the site you wish to remove the restrictions for. Create vhost.conf file if one doesn’t exist, or edit an existing.

vi vhost.conf

add the following lines in making sure to change the domain name in the path:

<Directory /var/www/vhosts/sitename.com/httpdocs>
php_admin_flag safe_mode off
php_admin_value open_basedir none
</Directory>

That will disable php safe mode and any basedir restrictions for this domain only.

You don’t need to restart httpd but you’ll need plesk to reconfigure it’s sites with the following command.

/usr/local/psa/admin/bin/httpdmng --reconfigure-all

If you have a lot of sites on the server you can just reconfigure a single domain which will be much quicker.

/usr/local/psa/admin/bin/httpdmng --reconfigure-domain yourdomain.com

Thats it! PHP safe mode and any Open Base Dir restrictions should now be removed.

What about sub domains?

If you need to do this for a sub domain then do exactly the same thing in:

cd /var/vhosts/sitename.com/subdomains/subdomainname/conf