Apache:
We have many choices for this category but this tutorial will focus on Apache and Nginx.
We'll start off by grabbing the newest stable release of Apache for Windows:
Apache 2.4 from ApacheHaus
Since I'm running with a 64-bit version of Windows, I'll choose to download the 64-bit (x64) version of Apache 2.4.
Once I have the download complete, I'll extract the contents of the Apache 2.4 server into a new folder named httpd.
This is how it should appear:
Code:
Server => httpd => INSTALL.txt
Now it's time to create the folder that will store our website files, so move outside the httpd folder and create a new folder named htdocs.
This is how it should appear:
Code:
Server => htdocs
Now go out of the htdocs folder, back into the httpd folder and then into its conf folder, so we can configure the web server to serve files from the htdocs folder.
So let's open httpd.conf in a text editor; Notepad works, but Notepad++ makes editing config files a lot easier.
Delete everything and put this into the httpd.conf file:
Code:
#
# What is the folder that stores the web server files
#
Define SRVROOT "../"
ServerRoot "${SRVROOT}"
#
# Where are the web server files
#
Define WEBROOT "../htdocs"
DocumentRoot "${WEBROOT}"
Listen 80
#
# What modules are enabled
#
LoadModule actions_module ${SRVROOT}httpd/modules/mod_actions.so
LoadModule alias_module ${SRVROOT}httpd/modules/mod_alias.so
LoadModule allowmethods_module ${SRVROOT}httpd/modules/mod_allowmethods.so
LoadModule asis_module ${SRVROOT}httpd/modules/mod_asis.so
LoadModule auth_basic_module ${SRVROOT}httpd/modules/mod_auth_basic.so
LoadModule authn_core_module ${SRVROOT}httpd/modules/mod_authn_core.so
LoadModule authn_file_module ${SRVROOT}httpd/modules/mod_authn_file.so
LoadModule authz_core_module ${SRVROOT}httpd/modules/mod_authz_core.so
LoadModule authz_groupfile_module ${SRVROOT}httpd/modules/mod_authz_groupfile.so
LoadModule authz_host_module ${SRVROOT}httpd/modules/mod_authz_host.so
LoadModule authz_user_module ${SRVROOT}httpd/modules/mod_authz_user.so
LoadModule autoindex_module ${SRVROOT}httpd/modules/mod_autoindex.so
LoadModule cgi_module ${SRVROOT}httpd/modules/mod_cgi.so
LoadModule dir_module ${SRVROOT}httpd/modules/mod_dir.so
LoadModule env_module ${SRVROOT}httpd/modules/mod_env.so
LoadModule include_module ${SRVROOT}httpd/modules/mod_include.so
LoadModule info_module ${SRVROOT}httpd/modules/mod_info.so
LoadModule isapi_module ${SRVROOT}httpd/modules/mod_isapi.so
LoadModule log_config_module ${SRVROOT}httpd/modules/mod_log_config.so
LoadModule lua_module ${SRVROOT}httpd/modules/mod_lua.so
LoadModule mime_module ${SRVROOT}httpd/modules/mod_mime.so
LoadModule negotiation_module ${SRVROOT}httpd/modules/mod_negotiation.so
LoadModule ratelimit_module ${SRVROOT}httpd/modules/mod_ratelimit.so
LoadModule reflector_module ${SRVROOT}httpd/modules/mod_reflector.so
LoadModule remoteip_module ${SRVROOT}httpd/modules/mod_remoteip.so
LoadModule request_module ${SRVROOT}httpd/modules/mod_request.so
LoadModule rewrite_module ${SRVROOT}httpd/modules/mod_rewrite.so
LoadModule session_module ${SRVROOT}httpd/modules/mod_session.so
LoadModule session_cookie_module ${SRVROOT}httpd/modules/mod_session_cookie.so
LoadModule session_crypto_module ${SRVROOT}httpd/modules/mod_session_crypto.so
LoadModule setenvif_module ${SRVROOT}httpd/modules/mod_setenvif.so
LoadModule socache_memcache_module ${SRVROOT}httpd/modules/mod_socache_memcache.so
LoadModule socache_shmcb_module ${SRVROOT}httpd/modules/mod_socache_shmcb.so
LoadModule ssl_module ${SRVROOT}httpd/modules/mod_ssl.so
LoadModule status_module ${SRVROOT}httpd/modules/mod_status.so
LoadModule watchdog_module ${SRVROOT}httpd/modules/mod_watchdog.so
#
# Who owns this web server
#
ServerAdmin admin@blank.com
ServerName localhost:80
#
# Prevent users from roaming the filesystem
#
<Directory "${SRVROOT}">
AllowOverride none
Require all denied
</Directory>
#
# Allow access to the web server files
#
<Directory "${WEBROOT}">
Options -Indexes
AllowOverride none
Require all granted
</Directory>
#
# Set our index file types
#
<IfModule dir_module>
DirectoryIndex index.php home.php index.html home.html index.htm home.htm
</IfModule>
#
# Prevent direct access to .htaccess and .htpasswd files
#
<Files ".ht*">
Require all denied
</Files>
#
# Prevent direct access to sqlite database files
#
<Files "*.db">
Require all denied
</Files>
#
# Create our error log
#
ErrorLog "logs/error.log"
LogLevel crit
#
# Create our access log
#
<IfModule log_config_module>
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog "logs/access.log" common
</IfModule>
#
# Handle file mimetypes
#
<IfModule mime_module>
TypesConfig conf/mime.types
</IfModule>
#
# Set custom error pages
#
ErrorDocument 500 "Server-side error."
ErrorDocument 404 "File not found."
ErrorDocument 403 "Access denied."
#
# Import extra configs
#
Include ${SRVROOT}httpd/conf/extra/httpd-autoindex.conf
Include ${SRVROOT}httpd/conf/extra/httpd-info.conf
A few cautions about this configuration before moving on. mod_info and mod_status, together with the httpd-info.conf include, publish the running configuration and live request details at /server-info and /server-status; the stock httpd-info.conf limits them to 127.0.0.1 (and .example.com), so leave that restriction in place and drop the Include on anything that isn't a development box. Modules this site never uses (mod_reflector, mod_isapi, mod_asis, mod_lua, mod_cgi) are extra attack surface and can be commented out. LogLevel crit keeps the error log almost empty and hides the warnings you'd want when something misbehaves; warn is the usual choice and is still quiet in normal operation. Finally, Listen 80 binds every interface, so the server is reachable from your LAN unless the Windows firewall blocks it; Listen 127.0.0.1:80 is the safer setting while developing.
Now that we've got our configuration set up, go back out of the conf folder and out of the httpd folder.
To run our apache server we will start by creating a new file named server.bat and insert the following contents:
Code:
start /d "%~dp0httpd\bin" httpd.exe
Double-click on the server.bat file and it should leave a blank command prompt open with the Apache icon to the far-left corner of the title bar.
Now to access your website, open a new browser tab and go to http://localhost or http://127.0.0.1. You should see a page containing only the text "Access denied." (that is the ErrorDocument 403 text: Options -Indexes forbids a directory listing and there is no index file yet); it goes away as soon as you add an index.html or home.html file to the htdocs folder.
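Once PHP is in place (see the PHP section further down), the following CLI script, an added example that is not part of the tutorial, requests each path the configuration above is supposed to lock down and compares the HTTP status with what the rules should produce. It assumes the server is running on 127.0.0.1:80 (127.0.0.1 rather than localhost, because the stock httpd-info.conf allows /server-status via Require ip 127 and localhost may resolve to ::1) and that httpd-info.conf is unmodified; the path list and the helper names are mine.

```php
<?php
// Added example (not from the tutorial): check that the access rules in
// httpd.conf actually took effect by requesting each locked-down path and
// comparing the HTTP status code with what the config should produce.
// Assumptions: the server above is listening on 127.0.0.1:80 and
// httpd-info.conf is the stock one (Require ip 127 on /server-status).
declare(strict_types=1);

const BASE_URL = 'http://127.0.0.1';

// path => status codes that are acceptable given the rules in httpd.conf
function expectations(): array
{
    return [
        '/'               => [403, 200], // 403 until an index file exists (Options -Indexes), 200 afterwards
        '/.htaccess'      => [403],      // <Files ".ht*"> Require all denied (no file needs to exist)
        '/.htpasswd'      => [403],
        '/test.db'        => [403],      // <Files "*.db"> Require all denied
        '/does-not-exist' => [404],      // ErrorDocument 404, not a listing or a stack trace
        '/server-status'  => [200],      // httpd-info.conf: reachable from 127.0.0.1 only
        '/server-info'    => [200],
    ];
}

// Return the HTTP status for a GET of $url, or 0 if the server is unreachable.
function http_status(string $url): int
{
    $ctx = stream_context_create(['http' => [
        'method'        => 'GET',
        'ignore_errors' => true, // hand back 4xx/5xx responses instead of failing
        'timeout'       => 5,
    ]]);
    $body = @file_get_contents($url, false, $ctx);
    if ($body === false || !isset($http_response_header[0])) {
        return 0;
    }
    // The first header line looks like "HTTP/1.1 403 Forbidden".
    return preg_match('#^HTTP/\d\.\d\s+(\d{3})#', $http_response_header[0], $m) ? (int) $m[1] : 0;
}

// Compare every path against its expectation; returns a list of readable failures.
function check_access_rules(string $base): array
{
    $failures = [];
    foreach (expectations() as $path => $allowed) {
        $got = http_status($base . $path);
        if (!in_array($got, $allowed, true)) {
            $failures[] = sprintf('%-16s expected %s, got %d', $path, implode('/', $allowed), $got);
        }
    }
    return $failures;
}

$failures = check_access_rules(BASE_URL);
if ($failures === []) {
    echo "All access rules behave as configured.\n";
    exit(0);
}
echo "Mismatches:\n  ", implode("\n  ", $failures), "\n";
exit(1);
```

Run it from apps\php with php.exe check_access.php; any line under Mismatches points at a rule that isn't doing what you think (a 0 means the server wasn't reachable at all).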
MySQL:
We'll start off by grabbing the latest stable release of MySQL:
MySQL 5.7.20
Because I have a 64-bit version of Apache running on my computer, I'll grab the 64-bit version of MySQL from the website.
Create a new folder named mysql and extract the contents of the downloaded archive into that folder.
It should look like this:
Code:
Server => mysql => README
Now it's time to create a new folder and name it data, it should look like this:
Code:
Server => mysql => data
Now we will enter the bin folder and open a powershell window there by holding shift and right-clicking on an empty spot (without highlighting any items in the folder) and then select "Open PowerShell window here" (Windows XP/Vista/7/8/8.1 users will have an option to open command prompt instead, so go with that and use the command for CMD):
Code:
PowerShell: ./mysqld.exe --initialize-insecure --datadir=../data
CMD: mysqld.exe --initialize-insecure --datadir=../data
Now close the PowerShell/Command Prompt window, go out of the bin folder and out of the mysql folder, and add the following line to server.bat:
Code:
start /d "%~dp0mysql\bin" mysqld.exe
Note that mysqld listens on TCP port 3306 on every interface by default. The accounts created below are for 'localhost' only, so remote logins fail, but on a development machine it's still worth appending --bind-address=127.0.0.1 to that line so nothing outside the box can even reach the port.
Time to test our database by going back into the mysql folder and then going back into the bin folder and opening a new powershell/command prompt window at that location (like we did earlier) and type the following:
Code:
PowerShell: ./mysql.exe -u root
CMD: mysql.exe -u root
From here we'll be creating two accounts:
- root account with full permissions
- site account with read/write permissions
The idea is to limit what an intruder can do if your website has an SQL injection. The site account cannot create or change accounts, has no CREATE, DROP, ALTER, GRANT or FILE privilege, and sees nothing outside the `site` database (so the mysql.user table is off limits to it). It can still list its own tables and columns through information_schema, because that view is filtered by privilege rather than hidden, so the grants shrink the blast radius of an injection rather than conceal the schema; prepared statements in the application are what stop the injection itself.
Let's start by adding a password for the root account:
Code:
alter user 'root'@'localhost' identified by 'MyNewPassword';
Make sure to use your own password here. The website never connects as root, so an SQL injection through the site account cannot reach it. You will use the root account to create and delete tables and to change the site account's password, so don't lose track of it.
Now let's create our site account:
Code:
create database `site`;
create user 'site'@'localhost' identified by 'MySecurePassword';
grant select,insert,update,delete on site.* to 'site'@'localhost';
flush privileges;
exit
Now we can test our permissions by logging into the site account:
Code:
PowerShell: ./mysql.exe -u site -p
CMD: mysql.exe -u site -p
Enter the password you chose, then list the account's privileges:
Code:
show grants;
This should pop up:
Code:
+------------------------------------------------------------------------+
| Grants for site@localhost |
+------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'site'@'localhost' |
| GRANT SELECT, INSERT, UPDATE, DELETE ON `site`.* TO 'site'@'localhost' |
+------------------------------------------------------------------------+
2 rows in set (0.00 sec)
Then type exit to quit out of the mysql connection and then you can close out of PowerShell/Command prompt.
PHP:
Now we want to go and grab a copy of PHP:
PHP on Windows
Since I am using a 64-bit version of Apache, I'll grab the latest thread-safe (TS) 64-bit version of PHP, which is 7.2 in this case; the Apache module (php7apache2_4.dll) only ships in the thread-safe build. The PHP 7.2 Windows binaries are VC15 builds and need the Visual C++ Redistributable for Visual Studio 2017 installed, otherwise PHP fails at startup with a missing-DLL error. Pick the ApacheHaus build compiled with the same Visual C++ version (VC15) as your PHP: the php7apache2_4.dll module is unreliable, and often refuses to load, under an Apache built with a different compiler.
Now we need to create a new folder in the server named apps and then create a new folder named php within the apps folder. It should look like this:
Code:
Server => apps => php
Now we will extract the contents of our PHP zip file into the apps/php folder.
This apps folder will also contain any other web apps that we install to the server such as phpMyAdmin or any of our private server binaries.
Now we're going to copy the php.ini-production file and paste it into the same folder and rename it to php.ini.
We will now go out of the php folder and out of the apps folder and back into the httpd/conf folder to create a new file name php.conf and add the following:
Code:
# PHP lives in apps/php, expressed relative to ServerRoot like the other paths
Define PHPROOT "${SRVROOT}apps/php"
LoadModule php7_module "${PHPROOT}/php7apache2_4.dll"
AddType application/x-httpd-php .php
# php.ini is read from the same folder (the copy of php.ini-production made above)
PHPIniDir "${PHPROOT}"
Now we will reopen httpd.conf and add the following line at the very bottom of the file:
Code:
Include ${SRVROOT}httpd/conf/php.conf
Now we should be able to run the server and we should be able to run PHP code on our web server.
From here we need to enable the PHP extensions that talk to the database, so go to line 892 in php.ini (the exact line drifts between PHP releases, so search for ";extension=mysqli" if it isn't there) and remove the leading semicolon from these two lines:
Code:
extension=mysqli
extension=pdo_mysql
If Apache's error log then complains that it cannot find the extension, also set extension_dir in the same file (the "On windows:" example a few lines above) to the full path of apps\php\ext.
This gives us the ability to connect to our database using either MySQLi or PDO; I'd recommend PDO over MySQLi if you have the choice, and in either case use prepared statements rather than building query strings by hand.
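Tying together the site-account grants from the MySQL section and the PDO recommendation just made, here is an added example (mine, not the tutorial's) that connects as the site account with PDO, shows a vulnerable query beside its prepared-statement replacement, and then probes what the GRANTs do and don't allow. It assumes MySQL on 127.0.0.1:3306, the `site` database and 'site' user created above, and a users table you create as root first (the CREATE TABLE statement is in the comment at the top); the function names are mine.

```php
<?php
// Added example, not part of the tutorial: connect as the low-privilege
// 'site' account through PDO and see what the GRANTs from the MySQL section
// do and do not stop. Assumptions: MySQL from this tutorial on 127.0.0.1:3306,
// database `site`, user 'site' with the password you chose, and one table
// created beforehand as root:
//   CREATE TABLE site.users (id INT AUTO_INCREMENT PRIMARY KEY,
//                            name VARCHAR(64), email VARCHAR(128));
declare(strict_types=1);

const DSN = 'mysql:host=127.0.0.1;port=3306;dbname=site;charset=utf8mb4';

function connect(string $user, string $password): PDO
{
    return new PDO(DSN, $user, $password, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw instead of failing silently
        PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares: data never enters the SQL text
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Injectable: user input is glued into the query text.
function find_user_unsafe(PDO $db, string $name): array
{
    return $db->query("SELECT id, name, email FROM users WHERE name = '$name'")->fetchAll();
}

// Safe: the value is bound as a parameter and is never parsed as SQL.
function find_user_safe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name, email FROM users WHERE name = ?');
    $stmt->execute([$name]);
    return $stmt->fetchAll();
}

// Run a statement as the current account and report whether MySQL allowed it.
function try_sql(PDO $db, string $sql): string
{
    try {
        $stmt = $db->query($sql);
        // Only statements that produce a result set can be fetched from.
        $rows = $stmt->columnCount() > 0 ? count($stmt->fetchAll()) : 0;
        return sprintf('allowed (%d rows): %s', $rows, $sql);
    } catch (PDOException $e) {
        // MySQL privilege errors arrive as 1044/1142/1227 in errorInfo[1]
        return sprintf('denied (MySQL %s): %s', $e->errorInfo[1] ?? '?', $sql);
    }
}

$db = connect('site', 'MySecurePassword'); // the password you set with CREATE USER

// Seed one row (INSERT on site.* is granted).
$db->prepare('INSERT INTO users (name, email) VALUES (?, ?)')
   ->execute(['alice', 'alice@example.com']);

// A tautology payload: the unsafe query matches every row,
// the prepared one matches nobody because no user is literally named that.
$payload = "x' OR '1'='1";
printf("unsafe query returned %d row(s)\n", count(find_user_unsafe($db, $payload)));
printf("safe query returned   %d row(s)\n", count(find_user_safe($db, $payload)));

// What SELECT/INSERT/UPDATE/DELETE on site.* lets an injected statement do:
echo try_sql($db, "SELECT table_name, column_name FROM information_schema.columns WHERE table_schema = 'site'"), PHP_EOL; // allowed: own schema is visible
echo try_sql($db, "SELECT table_name FROM information_schema.tables WHERE table_schema = 'mysql'"), PHP_EOL;           // allowed, but 0 rows: no privilege there
echo try_sql($db, 'DROP TABLE users'), PHP_EOL;                                   // denied: no DROP on site.*
echo try_sql($db, "CREATE USER 'evil'@'localhost' IDENTIFIED BY 'x'"), PHP_EOL;   // denied: no CREATE USER
echo try_sql($db, 'SELECT user, authentication_string FROM mysql.user'), PHP_EOL; // denied: no SELECT on mysql.*
echo try_sql($db, "SELECT LOAD_FILE('C:/Windows/win.ini')"), PHP_EOL;             // runs, but the value is NULL: no FILE privilege
```

The first two printf lines are the whole argument for PDO prepared statements: the concatenated query returns every user for the tautology payload, the bound one returns none. The probes after them show what the grants buy you once an injection does exist: the attacker can read and modify rows in `site` (and enumerate its tables through information_schema), but cannot drop tables, add accounts, read password hashes from mysql.user, or pull files off disk.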
Web Server IDEs:
A web server IDE (Integrated Development Environment) will be able to cover almost all bases from HTML, SQL, XML, JSON, Javascript, PHP, and other languages associated with websites (too many for me to recall at the moment).
As far as we're concerned we have a free choice and a premium choice:
I've used both IDEs and I know that both of them are available on Windows, Mac OS X, and Linux. I can't recommend one over the other but I'd recommend starting with Netbeans because you don't have to worry about paying for a license in case you find another PHP IDE that you feel more comfortable with (I recommend experimenting with as many IDEs as you can until you find one that you feel most comfortable with, there's no right or wrong choice of IDEs).
What happened to the part about Nginx, SQLite, and Hacklang?
They're on their way but I'm going to take a quick break from this thread so that I can make a spiritual successor teaching others how to protect from multiple types of website vulnerabilities with their webpages.