Support #177
Updated by Daniel Curtis over 11 years ago
h2. Installing The Web Server *Set the hostname* of the server: <pre> echo web.example.com > /etc/hostname /etc/init.d/hostname.sh start </pre> It is a good idea to *synchronize the system clock with an NTP* (network time protocol) server over the Internet. Simply run: <pre> apt-get -y install ntp ntpdate </pre> h3. Install the MySQL server +A MySQL server instance is necessary on every server as ISPConfig+ uses it to sync the configuration between the servers: <pre> apt-get -y install mysql-client mysql-server </pre> Enter the new password for MySQL when requested by the installer. We want* MySQL to listen on all interfaces* on the master server, not just localhost, therefore we edit @/etc/mysql/my.cnf@ and comment out the line @bind-address = 127.0.0.1@: <pre> vi /etc/mysql/my.cnf </pre> > ... > # Instead of skip-networking the default is now to listen only on > # localhost which is more compatible and is not less secure. > #bind-address = 127.0.0.1 > ... Then *restart MySQL*: <pre> service mysql restart </pre> Now *install Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear, and mcrypt* as follows: <pre> apt-get -y install apache2 apache2.2-common apache2-doc apache2-mpm-prefork apache2-utils libexpat1 ssl-cert libapache2-mod-php5 php5 php5-common php5-curl php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-ruby libapache2-mod-perl2 sudo zip wget </pre> > Web server to reconfigure automatically: *apache2* Then run the following command to *enable the Apache modules suexec, rewrite, ssl, actions, and include*: <pre> a2enmod suexec rewrite ssl actions include ruby dav_fs dav auth_digest </pre> h3. PureFTPd *Install PureFTPd and quota* with the following command: <pre> apt-get -y install pure-ftpd-common pure-ftpd-mysql quota quotatool </pre> *Note*: As of writing this there is no quota support for the virtualization solution used, LXC. Keep this in mind, as not to install unneeded packages. Edit the file @/etc/default/pure-ftpd-common@ <pre> vi /etc/default/pure-ftpd-common </pre> and make sure virtualchroot is set @VIRTUALCHROOT=true@: > ... > VIRTUALCHROOT=true > ... Now we configure PureFTPd to allow FTP and TLS sessions. FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure. *If you want to allow FTP and TLS sessions*, run: <pre> echo 1 > /etc/pure-ftpd/conf/TLS </pre> In order to use TLS, we must *create an SSL certificate*. I create it in /etc/ssl/private/, therefore I create that directory first: <pre> mkdir -p /etc/ssl/private/ </pre> Afterwards, we can generate the SSL certificate as follows: <pre> openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem </pre> > Country Name (2 letter code) [AU]: *<-- Enter your Country Name* (e.g., "DE"). > State or Province Name (full name) [Some-State]: *<-- Enter your State or Province Name*. > Locality Name (eg, city) []: <-- *Enter your City*. > Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- *Enter your Organization Name* (e.g., the name of your company). > Organizational Unit Name (eg, section) []: <-- *Enter your Organizational Unit Name* (e.g. "IT Department"). > Common Name (eg, YOUR name) []: <-- *Enter the Fully Qualified Domain Name* of the system (e.g. "server1.example.com"). > Email Address []: <-- *Enter your Email Address*. *Change the permissions of the SSL certificate*: <pre> chmod 600 /etc/ssl/private/pure-ftpd.pem </pre> Then *restart PureFTPd*: <pre> /etc/init.d/pure-ftpd-mysql restart </pre> *Edit @/etc/fstab@*. Mine looks like this (I added ,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 to the partition with the mount point /): <pre> vi /etc/fstab </pre> <pre> # /etc/fstab: static file system information. # # Use 'blkid' to print the universally unique identifier for a # device; this may be used with UUID= as a more robust way to name devices # that works even if disks are added and removed. See fstab(5). # # <file system> <mount point> <type> <options> <dump> <pass> proc /proc proc defaults 0 0 # / was on /dev/sda1 during installation UUID=92bceda2-5ae4-4e3a-8748-b14da48fb297 / ext3 errors=remount-ro,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 0 1 # swap was on /dev/sda5 during installation UUID=e24b3e9e-095c-4b49-af27-6363a4b7d094 none swap sw 0 0 /dev/scd0 /media/cdrom0 udf,iso9660 user,noauto 0 0 /dev/fd0 /media/floppy0 auto rw,user,noauto 0 0 </pre> To *enable quota*, run these commands: <pre> mount -o remount / quotacheck -avugm quotaon -avug </pre> *Install vlogger, webalizer, and awstats*: <pre> apt-get -y install vlogger webalizer awstats </pre> *Open /etc/cron.d/awstats* afterwards: <pre> vi /etc/cron.d/awstats </pre> Comment out both cron jobs in that file: > #*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh > > # Generate static reports: > #10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh *Install Jailkit*: Jailkit is needed only if you want to @chroot@ SSH users. It can be installed as follows (important: *+Jailkit must be installed before ISPConfig+* - it cannot be installed afterwards!): <pre> apt-get -y install build-essential autoconf automake1.9 libtool flex bison debhelper </pre> <pre> cd /tmp wget http://olivier.sessink.nl/jailkit/jailkit-2.14.tar.gz tar xvfz jailkit-2.14.tar.gz cd jailkit-2.14 ./debian/rules binary cd .. dpkg -i jailkit_2.14-1_*.deb rm -rf jailkit-2.14* </pre> *Install fail2ban*: This is optional but recommended, because the ISPConfig monitor tries to show the log: <pre> apt-get install fail2ban </pre> To *make fail2ban monitor PureFTPd*, create the file @/etc/fail2ban/jail.local@: <pre> vi /etc/fail2ban/jail.local </pre> > [pureftpd] > > enabled = true > port = ftp > filter = pureftpd > logpath = /var/log/syslog > maxretry = 3 Then create the following filter file: <pre> vi /etc/fail2ban/filter.d/pureftpd.conf </pre> > [Definition] > failregex = .*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.* > ignoreregex = *Restart fail2ban* afterwards: <pre> /etc/init.d/fail2ban restart </pre> h2. Install ISPConfig 3. To get the download URL of the latest ISPConfig 3 stable release, please visit the ISPConfig website: http://www.ispconfig.org/ispconfig-3/download/ This server is will be configured to be the master server in our setup which runs the ISPConfig control panel interface. *Note*: To add web server without the ISPConfig interface, make sure to select +No+ at the "Install ISPConfig Web-Interface" option during the ISPConfig setup. To allow the other MySQL instances to connect to the MySQL database on this node during installation, we have to +add MySQL root user records in the master database for every slave server hostname and IP address+. The easiest way to do this is to use the web based @phpmyadmin@ administration tool that we installed already. Open the URL http://192.168.0.105/phpmyadmin in a web browser, log in as MySQL root user and execute these MySQL queries: * Mail server IP <pre> CREATE USER 'root'@'192.168.0.106' IDENTIFIED BY 'myrootpassword'; GRANT ALL PRIVILEGES ON * . * TO 'root'@'192.168.0.106' IDENTIFIED BY 'myrootpassword' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ; </pre> * Database server IP <pre> CREATE USER 'root'@'192.168.0.107' IDENTIFIED BY 'myrootpassword'; GRANT ALL PRIVILEGES ON * . * TO 'root'@'192.168.0.107' IDENTIFIED BY 'myrootpassword' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ; </pre> * Name server IP <pre> CREATE USER 'root'@'192.168.0.108' IDENTIFIED BY 'myrootpassword'; GRANT ALL PRIVILEGES ON * . * TO 'root'@'192.168.0.108' IDENTIFIED BY 'myrootpassword' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ; </pre> * Mail server hostname <pre> CREATE USER 'root'@'mail.example.com' IDENTIFIED BY 'myrootpassword'; GRANT ALL PRIVILEGES ON * . * TO 'root'@'mail.example.com' IDENTIFIED BY 'myrootpassword' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ; </pre> * Database server hostname <pre> CREATE USER 'root'@'db.example.com' IDENTIFIED BY 'myrootpassword'; GRANT ALL PRIVILEGES ON * . * TO 'root'@'db.example.com' IDENTIFIED BY 'myrootpassword' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ; </pre> * Name server hostname <pre> CREATE USER 'root'@'ns1.example.com' IDENTIFIED BY 'myrootpassword'; GRANT ALL PRIVILEGES ON * . * TO 'root'@'ns1.example.com' IDENTIFIED BY 'myrootpassword' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ; </pre> In the above sql commands, replace the IP adresses (192.168.0.106 - 192.168.0.108) with the IP addresses of your servers and replace mail.example.com, db.example.com, and ns1.example.com with the hostnames of your servers and *myrootpassword* with the desired root password. Click on the reload permissions button, @flush privileges@, or restart MySQL. Then close phpmyadmin. Go back to the shell of web.example.com and *download the latest ISPConfig 3* stable release: <pre> cd /tmp wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz tar xfz ISPConfig-3-stable.tar.gz cd ispconfig3_install/install/ </pre> Then start the install script: <pre> php -q install.php </pre> > Select language (en,de) [en]: <-- *en* > Installation mode (standard,expert) [standard]: <-- *expert* > Full qualified hostname (FQDN) of the server, eg server2.domain.com [web.example.com]: <-- *web.example.com* > MySQL server hostname [localhost]: <-- *localhost* > MySQL root username [root]: <-- *root* > MySQL root password []: <-- Enter your *MySQL root password* here > MySQL database to create [dbispconfig]: <-- *dbispconfig* > MySQL charset [utf8]: <-- *utf8* > Shall this server join an existing ISPConfig multiserver setup (y,n) [n]: <-- *n* > Configure Mail (y,n) [y]: <-- *n* > Configure Jailkit (y,n) [y]: <-- *y* > Configure FTP Server (y,n) [y]: <-- *y* > Configure DNS Server (y,n) [y]: <-- *n* > Configure Apache Server (y,n) [y]: <-- *y* > Configure Firewall Server (y,n) [y]: <-- *y* > Install ISPConfig Web-Interface (y,n) [y]: <-- *y* > ISPConfig Port [8080]: <-- *8080* > Enable SSL for the ISPConfig web interface (y,n) [y]: <-- *y* > Country Name (2 letter code) [AU]: <-- *ENTER* > State or Province Name (full name) [Some-State]: <-- *ENTER* > Locality Name (eg, city) []: <-- *ENTER* > Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- *ENTER* > Organizational Unit Name (eg, section) []: <-- *ENTER* > Common Name (eg, YOUR name) []: <-- *ENTER* > Email Address []: <-- *ENTER* > A challenge password []: <-- *ENTER* > An optional company name []: <-- *ENTER* Clean up the install directories: <pre> cd /tmp rm -rf /tmp/ispconfig3_install/install rm -f /tmp/ISPConfig-3-stable.tar.gz </pre> h2. Adjust The Server Settings In ISPConfig *Log into ISPConfig on the master server* with a web browser: <pre> firefox http://192.168.0.105:8080 </pre> * Click on System -> Server services -> web.example.com > +Disable and +disable all checkboxes except of the *Webserver* and *Fileserver*+ checkbox and click on *Save*. * Click on System -> Server services -> mail.example.com > +Disable and +disable all checkboxes except of the *Mailserver*+ checkbox and click on *Save*. * Click on System -> Server services -> db.example.com > +Disable and +disable all checkboxes except of the *DB-Server*+ checkbox and click on *Save*. * Click on System -> Server services -> ns1.example.com > +Disable and +disable all checkboxes except of the *DNS-Server*+ checkbox and click on *Save*. h2. Resources http://www.howtoforge.com/multiserver-setup-with-dedicated-web-email-dns-and-mysql-database-servers-on-debian-squeeze-with-ispconfig-3