Installing a new webserver
Basic Debian and network setup
apt-get install mysql-server openssh-server proftpd apache2 libapache2-mod-perl2 libapache2-mod-php5 php5 php5-cli php5-ffmpeg php5-gd php5-imagick php5-mcrypt php5-mhash php5-mysql php5-xmlrpc php5-xsl php5-curl php-apc snmp snmpd iotop mtop apachetop iptstate atsar postfix popa3d shorewall vim awstats bmon nscd sshfs mc zip unzip bzip2 arj spamassassin pyzor razor ncftp rsync phpmyadmin quota ntpdate ntp vacation pdnsd
pdnsd - use resolvconf configuration
Set up networking in /etc/network/interfaces
# The loopback network interface
auto lo
iface lo inet loopback
# The primary network interface
allow-hotplug eth0
#auto eth0
iface eth0 inet static
address 192.168.0.112
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
# gateway 192.168.0.1
dns-nameservers 213.75.63.36 213.75.63.70 192.168.0.1
# dns-nameservers 192.168.0.1 192.168.0.2
# dns-search tripnet.int internal.tripnet.int ops.tripnet.int
auto eth1
iface eth1 inet static
address 188.204.140.195
netmask 255.255.255.224
network 188.204.140.192
broadcast 188.204.140.223
gateway 188.204.140.193
dns-nameservers 213.75.63.36 213.75.63.70 192.168.0.1
SNMP
run snmpconf
In /etc/default/snmpd remove the 127.0.0.1 from the daemon options, otherwise it only binds to localhost
/etc/snmp/snmpd.conf should have at least the following:
rocommunity public default -V systemonly
rocommunity euhostro
to define the communities (the Debian default 'public' stays limited to the systemonly view, while 'euhostro' gets read-only access to the whole tree), and
agentAddress agentaddress
so that the daemon listens on all IP addresses instead of only localhost
test with
snmpwalk -v1 -c euhostro localhost
then from another server:
snmpwalk -v1 -c euhostro IPADDRESS
Proftpd
/etc/proftpd/proftpd.conf add
DefaultRoot ~/../../
Also add /bin/false to /etc/shells
This allows users to log in with ftp, but not with ssh
For AWStats
LogFormat awstats "%t %h %u %m %f %s %b"
ExtendedLog /var/log/xferlog read,write awstats
TransferLog none
RequireValidShell off
Hosting scripts and directories
mkdir /home/adm_usr/webserveradmin/ -p
mkdir /opt/triphost/ -p
mkdir /opt/weblog/etc -p
mkdir /opt/weblog/src -p
copy the stuff from another webserver into these dirs and find and replace the servername in these directories.
mkdir /home/sites/servername.tripany.com/site/sitestats/ -p
mkdir /home/sites/servername.tripany.com/site/sitestats/servername.tripany.com/
mkdir /home/sites/USGP.tripany.com/logs/
mkdir /home/sites/USGP.tripany.com/sites/ftpstats
chown razor /home/sites/servername.tripany.com/site -R
APC
add
apc.shm_size=512M
to /etc/php5/apache2/conf.d/20-apc.ini
Apache2
log rotation
/etc/logrotate.d/apache2
/var/log/statistics {
daily
missingok
rotate 8
compress
}
/var/log/apache2/*.log {
prerotate
# Run the central statistics before rotating the logs
/opt/triphost/statisticsSERVERNAMEweb.sh
# Then we split the logs for the virtual hosts
/opt/triphost/apachelogsplit.sh
# Run the individual site stats
/opt/triphost/sitestatistics.sh
echo "All done for the day" >> /var/log/statistics
date >> /var/log/statistics
endscript
daily
missingok
rotate 7
compress
delaycompress
notifempty
create 640 root adm
sharedscripts
postrotate
if [ -f "`. /etc/apache2/envvars ; echo ${APACHE_PID_FILE:-/var/run/apache2.pid}`" ]; then
/etc/init.d/apache2 reload > /dev/null
fi
endscript
}
touch /var/log/statistics
mkdir /var/log/apache2/virts
mkdir /var/log/apache2/awstats
apache2 conf
In /etc/apache2/apache2.conf change LogFormat and add %v (the virtual host name) to the beginning of the combined format
LogFormat "%v %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
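As an added illustration (not the page's own /opt/triphost/apachelogsplit.sh, whose contents are not shown here), this shell script does what the prerotate step relies on: it splits a log written with the %v-prefixed combined format above into one file per virtual host. The output directory, the sample log lines and the skipped-line check are constructed assumptions.

```shell
#!/bin/sh
# Added example: split a combined access log whose first field is %v into
# one file per virtual host, as the prerotate step does before the per-site
# statistics run. Not the original apachelogsplit.sh.

# split_by_vhost INPUT OUTDIR
# Writes OUTDIR/<vhost>.log for every vhost seen and prints "<vhost> <lines>".
split_by_vhost() {
    mkdir -p "$2"
    awk -v out="$2" '
        # Only accept a hostname-looking first field, so a damaged line can
        # never turn into a file name outside OUTDIR or an odd file like "-.log".
        $1 !~ /^[A-Za-z0-9][A-Za-z0-9.-]*$/ { next }
        {
            print > (out "/" $1 ".log")
            n[$1]++
        }
        END { for (v in n) print v, n[v] }
    ' "$1" | sort
}

# Constructed sample lines in the "%v %h %l %u %t \"%r\" %>s %b ..." format;
# the last line is a damaged one without a vhost field and must be skipped.
write_sample_log() {
    cat > "$1" <<'EOF'
robin.tripany.com 203.0.113.5 - - [10/Oct/2015:13:55:36 +0200] "GET / HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
tripwraith.tripany.com 198.51.100.7 - - [10/Oct/2015:13:55:40 +0200] "GET /stats HTTP/1.1" 302 - "-" "curl/7.38"
robin.tripany.com 203.0.113.5 - - [10/Oct/2015:13:56:01 +0200] "GET /index.php HTTP/1.1" 200 5120 "http://tripany.com/" "Mozilla/5.0"
- 192.0.2.9 - - [10/Oct/2015:13:57:00 +0200] "GET / HTTP/1.0" 400 - "-" "-"
EOF
}

# Line count of one split file, for checking the result.
count_lines() {
    wc -l < "$1" | tr -d ' '
}
```

Run it against a copy of /var/log/apache2/access.log with /var/log/apache2/virts as OUTDIR to get the same per-site files the prerotate scripts work on.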
And also check the values of
<IfModule mpm_prefork_module>
StartServers 100
MinSpareServers 80
MaxSpareServers 150
MaxClients 250
MaxRequestsPerChild 0
</IfModule>
and make sure
Options -Indexes
is in there!
/etc/apache2/ports.conf
NameVirtualHost *:80
Listen 80
<IfModule mod_ssl.c>
NameVirtualHost *:443
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
Creating a proxy passthrough
/etc/apache2/apache2.conf or /etc/apache2/mods-enabled/proxy.conf
# Tripany change: This forces it to proxy to the monitor server
# Requires libapache2-mod-proxy-html and a2enmod proxy
ProxyRequests Off
#ProxyPass / http://monitor.tripnet.int/
#ProxyPassReverse / http://monitor.tripnet.int/
ProxyPass / http://192.168.0.210/
ProxyPassReverse / http://192.168.0.210/
NB you can also do
ProxyPass /internal http://192.168.0.210/
ProxyPassReverse /internal http://192.168.0.210/
Which will make requests to http://external.domain/internal/foo go to http://192.168.0.210/foo. Note no trailing slashes!
Make sure all the proxy modules are enabled and restart the server after changes, don't reload.
/etc/apache2/sites-available/default
change
ServerName IPADDRESS
DocumentRoot /home/sites/servername.tripany.com/site
and add
Redirect /stats http://servername.tripany.com/sitestats/tripwraith.tripany.com/index.php
Redirect /livestats http://servername.tripany.com/cgi-bin/awstats.pl?config=tripwraith
# AliasMatch ^/mailstats(.*) /home/sites/servername.tripany.com/mailstats/awstats.servername.mail.html
AliasMatch ^/ftpstats(.*) /home/sites/servername.tripany.com/ftpstats/awstats.servername.ftp.html
<Directory /home/sites/servername.tripany.com/>
Options Indexes FollowSymLinks MultiViews
AllowOverride Options Authconfig
Order allow,deny
allow from all
# This directive allows us to have apache2's default start page
# in /apache2-default/, but still have / go to the right place
</Directory>
to the bottom
So it should look something like:
<VirtualHost *:80>
ServerAdmin webmaster@localhost
DocumentRoot /home/sites/USGP.tripany.com/site
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog /var/log/apache2/error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog /var/log/apache2/access.log combined
Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>
</VirtualHost>
make sure this links from /etc/apache2/sites-enabled/000-default as this becomes the fallback site for any IP or domain name not otherwise used.
/etc/apache2/sites-available/default-ssl
Because we edited ports conf, we need to change:
<VirtualHost *:443>
and of course very important are
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
SSLCACertificatePath /etc/ssl/certs/
default-ssl should look something like
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
DocumentRoot /var/www
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
<Directory /var/www/>
Options FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
</Directory>
ErrorLog ${APACHE_LOG_DIR}/error.log
LogLevel warn
CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
SSLEngine on
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
SSLCACertificatePath /etc/ssl/certs/
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory /usr/lib/cgi-bin>
SSLOptions +StdEnvVars
</Directory>
BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>
make sure that this links from /etc/apache2/sites-enabled/000-default-ssl as we need this to be the first SNI site.
Disable SSLv3
In /etc/apache2/mods-available/ssl.conf make sure SSLv3 is disabled; check the line:
SSLProtocol All -SSLv2 -SSLv3
Standard site
Should look something like:
<VirtualHost *:80>
ServerName robin.tripany.com
DocumentRoot /home/sites/robin.tripany.com/site
ServerAdmin red@tripany.com
ServerAlias tripany.com
Redirect /stats http://USGP.tripany.com/sitestats/robin.tripany.com/index.php
Redirect /livestats http://robin.tripany.com/cgi-bin/awstats.pl?config=robin.tripany.com
<Directory /home/sites/robin.tripany.com/site/>
Options FollowSymLinks
AllowOverride All
Order allow,deny
allow from all
</Directory>
ErrorLog /var/log/apache2/error.log
LogLevel warn
CustomLog /var/log/apache2/access.log combined
ServerSignature On
</VirtualHost>
ensure sites have indexes
cp /var/www/index.html /home/sites
cp /var/www/index.html /home/sites/servername.tripany.com/site/
listvirts
/etc/apache2/listvirts (NB has to start at group 100!)
# nb make sure first site after the original starts at 100!
tripwraith.tripany.com - site0
some.site.com - site100
OLD
create /etc/apache2/sites-available/82.95.91.75 with DocumentRoot /home/sites by hand!
/OLD
create /etc/apache2/sites-available/servername.tripany.com
link it in in sites-enabled
check both sites to see if they go to different indexes.
a2enmod rewrite (or a2enmod for options list)
vi /etc/apache2/conf.d/awstats
Alias /awstatsicon/ /usr/share/awstats/icon/
Post configuration
AWStats
cp /usr/share/doc/awstats/examples/apache.conf /etc/apache2/conf.d/awstats
Make sure that /var/log/apache2 is readable by www-data
chgrp /var/log/apache2/ www-data -R
touch /var/log/statistics
/etc/awstats/model.conf
zcat /usr/share/doc/awstats/examples/awstats.model.conf.gz > /etc/awstats/model.conf
Changes in the model.conf for our scripts:
LogFile="thislogfile"
LogFormat="%virtualname %host %other %logname %time1 %methodurl %code %bytesd %refererquot %uaquot"
SiteDomain="thissitedomain"
HostAliases="localhost 127.0.0.1 REGEX[thisdomname\.(thisdomext)$]"
DNSLookup=1
DirData="/var/log/apache2/awstats"
DirIcons="/awstatsicon"
AllowFullYearView=3
SaveDatabaseFilesWithPermissionsForEveryone=1
KeepBackupOfHistoricFiles=1
DebugMessages=1
cp /etc/awstats/model.conf /etc/awstats/awstats.servername.tripany.com.conf
Edit the following directives:
LogFile="/var/log/apache2/access.log"
SiteDomain="servername.tripany.com"
HostAliases="localhost 127.0.0.1 REGEX[servername.tripany\.(com|nl)$]"
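To produce the per-site copy of model.conf described in the two steps above, here is an added helper (not the page's own sitestatistics.sh); the output directory, deriving the HostAliases pattern from the site name, and the cut-down model file used as input are assumptions, and alternates such as (com|nl) still have to be added by hand.

```shell
#!/bin/sh
# Added example: fill the thislogfile/thissitedomain/thisdomname/thisdomext
# placeholders of model.conf for one site. Not the page's own script.

# make_awstats_conf MODEL SITE LOGFILE OUTDIR
# Writes OUTDIR/awstats.SITE.conf and prints its path; rejects odd site names
# so nothing but a hostname ever ends up in the file name or the REGEX.
make_awstats_conf() {
    model=$1; site=$2; logfile=$3; outdir=$4
    case $site in
        *[!A-Za-z0-9.-]*|"") echo "bad site name: $site" >&2; return 1 ;;
    esac
    domname=${site%.*}        # robin.tripany.com -> robin.tripany
    domext=${site##*.}        # robin.tripany.com -> com
    mkdir -p "$outdir"
    sed -e "s#thislogfile#$logfile#g" \
        -e "s#thissitedomain#$site#g" \
        -e "s#thisdomname#$domname#g" \
        -e "s#thisdomext#$domext#g" \
        "$model" > "$outdir/awstats.$site.conf"
    echo "$outdir/awstats.$site.conf"
}

# Constructed stand-in for the directives the page changes in model.conf.
write_model() {
    cat > "$1" <<'EOF'
LogFile="thislogfile"
SiteDomain="thissitedomain"
HostAliases="localhost 127.0.0.1 REGEX[thisdomname\.(thisdomext)$]"
DirData="/var/log/apache2/awstats"
EOF
}

# Value of one quoted directive in a generated conf, e.g. conf_value FILE SiteDomain
conf_value() {
    sed -n "s/^$2=\"\(.*\)\"$/\1/p" "$1"
}
```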
Create the index.php file in /home/sites/servername.tripany.com/site/sitestats/servername.tripany.com/
<?php
header('Location: http://servername.tripany.com/sitestats/servername.tripany.com/awstats.zpress.tripany.com.html');
?>
Also do this for the serverIP
copy /etc/awstats/awstats.servername* (ftp / mail / web)
run the statistics scripts from /etc/logrotate.d/apache2 by hand to see how it all goes, i.e.
cat /opt/triphost/statisticsSERVERNAME.sh
and run this line by line.
cp /opt/weblog/src/weblog_files/graphs/ /home/sites/USGP.tripany.com/site/webloggraphs/ -R
testing
When testing, it's sometimes useful to delete the following:
/var/cache/awstats/* -R <- generated static files dir
/var/lib/awstats/* <- database directory
in /etc/cron.d/awstats are the run commands to generate the files.
Firewall
See Installing a new mailserver
For instructions on
Postfix and Procmail, as well as Dovecot (for mail pickup), Amavis-new and ClamAV for antivirus and Roundcube webmail
NB don't forget to
postmap virtual
postmap transport
spamassassin (knowledgebase page)
other stuff
change the mysql password
set up disk quotas (Quota Howto)
backup scripts in /etc/crontab
00 2 * * * root /opt/triphost/mysqldatasnapdaily.sh
00 3 * * 7 root /opt/triphost/mysqldatasnapweekly.sh
00 4 1 * * root /opt/triphost/mysqldatasnapmonthly.sh
and
mkdir /home/store
mkdir /home/store/daily
mkdir /home/store/weekly
mkdir /home/store/monthly
Add to Cacti