Support #177

Updated by Daniel Curtis over 10 years ago

h2. Installing The Web Server 

 *Set the hostname* of the server: 
 <pre> 
 echo web.example.com > /etc/hostname 
 /etc/init.d/hostname.sh start 
 </pre> 

 It is a good idea to *synchronize the system clock with an NTP* (network time protocol) server over the Internet. Simply run: 
 <pre> 
 apt-get -y install ntp ntpdate 
 </pre> 

 h3. Install the MySQL server 

 +A MySQL server instance is necessary on every server as ISPConfig+ uses it to sync the configuration between the servers: 
 <pre> 
 apt-get -y install mysql-client mysql-server 
 </pre> 
 Enter the new password for MySQL when requested by the installer. 

 We want *MySQL to listen on all interfaces* on the master server, not just localhost, therefore we edit @/etc/mysql/my.cnf@ and comment out the line @bind-address = 127.0.0.1@: 
 <pre> 
 vi /etc/mysql/my.cnf 
 </pre> 
 > ... 
 > # Instead of skip-networking the default is now to listen only on   
 > # localhost which is more compatible and is not less secure.   
 > #bind-address             = 127.0.0.1   
 > ... 

 Then *restart MySQL*: 
 <pre> 
 service mysql restart 
 </pre> 

 Now *install Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear, and mcrypt* as follows: 
 <pre> 
 apt-get -y install apache2 apache2.2-common apache2-doc apache2-mpm-prefork apache2-utils libexpat1 ssl-cert libapache2-mod-php5 php5 php5-common php5-curl php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-ruby libapache2-mod-perl2 sudo zip wget 
 </pre> 
 > Web server to reconfigure automatically: *apache2* 

 Then run the following command to *enable the Apache modules suexec, rewrite, ssl, actions, include, ruby, dav_fs, dav, and auth_digest*: 
 <pre> 
 a2enmod suexec rewrite ssl actions include ruby dav_fs dav auth_digest 
 </pre> 

 h3. PureFTPd 

 *Install PureFTPd and quota* with the following command: 
 <pre> 
 apt-get -y install pure-ftpd-common pure-ftpd-mysql quota quotatool 
 </pre> 
 *Note*: As of writing this there is no quota support for the virtualization solution used, LXC. Keep this in mind so as not to install unneeded packages. 
 
 Edit the file @/etc/default/pure-ftpd-common@ 
 <pre> 
 vi /etc/default/pure-ftpd-common 
 </pre> 
 and make sure virtual chroot is enabled, i.e. @VIRTUALCHROOT=true@: 
 > ... 
 > VIRTUALCHROOT=true 
 > ... 

 Now we configure PureFTPd to allow FTP and TLS sessions. FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure. 

 *If you want to allow FTP and TLS sessions*, run: 
 <pre> 
 echo 1 > /etc/pure-ftpd/conf/TLS 
 </pre> 

 In order to use TLS, we must *create an SSL certificate*. I create it in /etc/ssl/private/, therefore I create that directory first: 
 <pre> 
 mkdir -p /etc/ssl/private/ 
 </pre> 
 Afterwards, we can generate the SSL certificate as follows: 
 <pre> 
 openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem 
 </pre> 
 > Country Name (2 letter code) [AU]: *<-- Enter your Country Name* (e.g., "DE"). 
 > State or Province Name (full name) [Some-State]: *<-- Enter your State or Province Name*. 
 > Locality Name (eg, city) []: <-- *Enter your City*. 
 > Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- *Enter your Organization Name* (e.g., the name of your company). 
 > Organizational Unit Name (eg, section) []: <-- *Enter your Organizational Unit Name* (e.g. "IT Department"). 
 > Common Name (eg, YOUR name) []: <-- *Enter the Fully Qualified Domain Name* of the system (e.g. "server1.example.com"). 
 > Email Address []: <-- *Enter your Email Address*. 

 *Change the permissions of the SSL certificate*: 
 <pre> 
 chmod 600 /etc/ssl/private/pure-ftpd.pem 
 </pre> 

 Then *restart PureFTPd*: 
 <pre> 
 /etc/init.d/pure-ftpd-mysql restart 
 </pre> 

 *Edit @/etc/fstab@*. Mine looks like this (I added @,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0@ to the partition with the mount point @/@): 
 <pre> 
 vi /etc/fstab 
 </pre> 
 <pre> 
 # /etc/fstab: static file system information. 
 # 
 # Use 'blkid' to print the universally unique identifier for a 
 # device; this may be used with UUID= as a more robust way to name devices 
 # that works even if disks are added and removed. See fstab(5). 
 # 
 # <file system> <mount point>     <type>    <options>         <dump>    <pass> 
 proc              /proc             proc      defaults          0         0 
 # / was on /dev/sda1 during installation 
 UUID=92bceda2-5ae4-4e3a-8748-b14da48fb297 /                 ext3      errors=remount-ro,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 0         1 
 # swap was on /dev/sda5 during installation 
 UUID=e24b3e9e-095c-4b49-af27-6363a4b7d094 none              swap      sw                0         0 
 /dev/scd0         /media/cdrom0     udf,iso9660 user,noauto       0         0 
 /dev/fd0          /media/floppy0    auto      rw,user,noauto    0         0 
 </pre> 

 To *enable quota*, run these commands: 
 <pre> 
 mount -o remount / 
 quotacheck -avugm 
 quotaon -avug 
 </pre> 
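 The fstab change above is easy to get wrong by hand (touching the wrong entry, or adding the options twice on a second pass). As an added example that is not part of this guide, the following Python applies the same three journaled-quota options only to the entry for @/@, leaves every other line untouched, and is idempotent; the sample fstab and its UUIDs are constructed.

```python
import re

# Journaled quota options the guide adds to the "/" entry
QUOTA_OPTS = ("usrjquota=aquota.user", "grpjquota=aquota.group", "jqfmt=vfsv0")

# Constructed sample fstab (placeholder UUIDs), laid out like the one above
# but before the quota options were added.
SAMPLE_FSTAB = """\
# /etc/fstab: static file system information.
# <file system> <mount point>     <type>    <options>         <dump>    <pass>
proc              /proc             proc      defaults          0         0
UUID=00000000-0000-0000-0000-000000000001 /                 ext3      errors=remount-ro 0         1
UUID=00000000-0000-0000-0000-000000000002 none              swap      sw                0         0
"""

# Captures: the first three fields with their spacing, the options field, the rest
_ENTRY_RE = re.compile(r"^(\s*\S+\s+\S+\s+\S+\s+)(\S+)(.*)$")

def entry_options(line, mount_point):
    """Return (match, option list) if this line is the entry for mount_point,
    otherwise (None, None). Comments and blank lines never match."""
    if line.lstrip().startswith("#"):
        return None, None
    m = _ENTRY_RE.match(line)
    if not m or line.split()[1] != mount_point:
        return None, None
    return m, m.group(2).split(",")

def add_quota_options(fstab_text, mount_point="/", extra=QUOTA_OPTS):
    """Append the quota options to the entry for mount_point, keeping every
    other line byte-for-byte and never duplicating an option already present."""
    out = []
    for line in fstab_text.splitlines():
        m, opts = entry_options(line, mount_point)
        if m is None:
            out.append(line)
            continue
        opts += [o for o in extra if o not in opts]
        out.append(m.group(1) + ",".join(opts) + m.group(3))
    return "\n".join(out) + "\n"

def has_quota_options(fstab_text, mount_point="/", required=QUOTA_OPTS):
    """True if the entry for mount_point already carries all required options."""
    for line in fstab_text.splitlines():
        _, opts = entry_options(line, mount_point)
        if opts is not None:
            return all(o in opts for o in required)
    return False

if __name__ == "__main__":
    print(add_quota_options(SAMPLE_FSTAB), end="")
```

 Run it against a copy of the real @/etc/fstab@ and diff the result before writing it back; @quotacheck@ only picks the options up after the remount.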

 *Install vlogger, webalizer, and awstats*: 
 <pre> 
 apt-get -y install vlogger webalizer awstats 
 </pre> 

 *Open /etc/cron.d/awstats* afterwards: 
 <pre> 
 vi /etc/cron.d/awstats 
 </pre> 
 Comment out both cron jobs in that file: 
 > #*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh 
 >  
 > # Generate static reports: 
 > #10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh 

 *Install Jailkit*: 

 Jailkit is needed only if you want to @chroot@ SSH users. It can be installed as follows (important: *+Jailkit must be installed before ISPConfig+* - it cannot be installed afterwards!): 
 <pre> 
 apt-get -y install build-essential autoconf automake1.9 libtool flex bison debhelper 
 </pre> 
 <pre> 
 cd /tmp 
 wget http://olivier.sessink.nl/jailkit/jailkit-2.14.tar.gz 
 tar xvfz jailkit-2.14.tar.gz 
 cd jailkit-2.14 
 ./debian/rules binary 
 cd .. 
 dpkg -i jailkit_2.14-1_*.deb 
 rm -rf jailkit-2.14* 
 </pre> 

 *Install fail2ban*: This is optional but recommended, because the ISPConfig monitor tries to show the log: 
 <pre> 
 apt-get install fail2ban 
 </pre> 

 To *make fail2ban monitor PureFTPd*, create the file @/etc/fail2ban/jail.local@: 
 <pre> 
 vi /etc/fail2ban/jail.local 
 </pre> 
 > [pureftpd] 
 >  
 > enabled    = true 
 > port       = ftp 
 > filter     = pureftpd 
 > logpath    = /var/log/syslog 
 > maxretry   = 3 

 Then create the following filter file: 
 <pre> 
 vi /etc/fail2ban/filter.d/pureftpd.conf 
 </pre> 
 > [Definition] 
 > failregex = .*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.* 
 > ignoreregex = 

 *Restart fail2ban* afterwards: 
 <pre> 
 /etc/init.d/fail2ban restart 
 </pre> 
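 The jail above bans a client after three matching lines. As an added check that is not part of this guide or of fail2ban itself, the following Python applies the same @failregex@ to a few constructed syslog lines and reports which client hosts would reach @maxretry@; the @HOST_RE@ stand-in for fail2ban's @<HOST>@ expansion is an assumption, simplified from fail2ban's own pattern.

```python
import re
from collections import Counter

# fail2ban replaces <HOST> with a pattern that captures an IP address or
# hostname. This is a simplified stand-in for that pattern (assumption).
HOST_RE = r"(?P<host>[0-9a-fA-F:.]+|[\w.-]+)"
# The failregex from /etc/fail2ban/filter.d/pureftpd.conf above, with <HOST> expanded
FAILREGEX = re.compile(
    r".*pure-ftpd: \(.*@" + HOST_RE + r"\) \[WARNING\] Authentication failed for user.*"
)
MAXRETRY = 3  # as set in jail.local above

# Constructed sample syslog lines (not real log data). The last two lines must
# not match: one is a successful login, the other is not from pure-ftpd at all.
SAMPLE_SYSLOG = """\
Jan 10 12:00:01 web pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [admin]
Jan 10 12:00:03 web pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [admin]
Jan 10 12:00:05 web pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [root]
Jan 10 12:00:09 web pure-ftpd: (?@198.51.100.2) [WARNING] Authentication failed for user [web1]
Jan 10 12:00:12 web pure-ftpd: (web1@198.51.100.2) [INFO] web1 is now logged in
Jan 10 12:00:20 web sshd[123]: Failed password for invalid user test from 198.51.100.9 port 2222 ssh2
"""

def failed_logins_by_host(log_text):
    """Count failed pure-ftpd authentications per client host."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            counts[m.group("host")] += 1
    return counts

def hosts_to_ban(log_text, maxretry=MAXRETRY):
    """Hosts whose failure count has reached maxretry, i.e. what the jail would ban."""
    return sorted(h for h, n in failed_logins_by_host(log_text).items() if n >= maxretry)

if __name__ == "__main__":
    print(dict(failed_logins_by_host(SAMPLE_SYSLOG)))
    print(hosts_to_ban(SAMPLE_SYSLOG))
```

 The real @findtime@ window is not modelled here; fail2ban only counts failures that fall within it.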

 h2. Install ISPConfig 3 

 To get the download URL of the latest ISPConfig 3 stable release, please visit the ISPConfig website: http://www.ispconfig.org/ispconfig-3/download/ 

 This server will be configured as the master server in our setup, which runs the ISPConfig control panel interface. 
 *Note*: To add a web server without the ISPConfig interface, make sure to select +No+ at the "Install ISPConfig Web-Interface" option during the ISPConfig setup. 

 To allow the other MySQL instances to connect to the MySQL database on this node during installation, we have to +add MySQL root user records in the master database for every slave server hostname and IP address+.  

 The easiest way to do this is to use the web based @phpmyadmin@ administration tool that we installed already. Open the URL http://192.168.0.105/phpmyadmin in a web browser, log in as MySQL root user and execute these MySQL queries: 
 * Mail server IP 
 <pre> 
 CREATE USER 'root'@'192.168.0.106' IDENTIFIED BY 'myrootpassword'; 
 GRANT ALL PRIVILEGES ON * . * TO 'root'@'192.168.0.106' IDENTIFIED BY 'myrootpassword' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ; 
 </pre> 

 * Database server IP 
 <pre> 
 CREATE USER 'root'@'192.168.0.107' IDENTIFIED BY 'myrootpassword'; 
 GRANT ALL PRIVILEGES ON * . * TO 'root'@'192.168.0.107' IDENTIFIED BY 'myrootpassword' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ; 
 </pre> 

 * Name server IP 
 <pre> 
 CREATE USER 'root'@'192.168.0.108' IDENTIFIED BY 'myrootpassword'; 
 GRANT ALL PRIVILEGES ON * . * TO 'root'@'192.168.0.108' IDENTIFIED BY 'myrootpassword' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ; 
 </pre> 

 * Mail server hostname 
 <pre> 
 CREATE USER 'root'@'mail.example.com' IDENTIFIED BY 'myrootpassword'; 
 GRANT ALL PRIVILEGES ON * . * TO 'root'@'mail.example.com' IDENTIFIED BY 'myrootpassword' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ; 
 </pre> 

 * Database server hostname 
 <pre> 
 CREATE USER 'root'@'db.example.com' IDENTIFIED BY 'myrootpassword'; 
 GRANT ALL PRIVILEGES ON * . * TO 'root'@'db.example.com' IDENTIFIED BY 'myrootpassword' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ; 
 </pre> 

 * Name server hostname 
 <pre> 
 CREATE USER 'root'@'ns1.example.com' IDENTIFIED BY 'myrootpassword'; 
 GRANT ALL PRIVILEGES ON * . * TO 'root'@'ns1.example.com' IDENTIFIED BY 'myrootpassword' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ; 
 </pre> 

 In the above SQL commands, replace the IP addresses (192.168.0.106 - 192.168.0.108) with the IP addresses of your servers, replace mail.example.com, db.example.com, and ns1.example.com with the hostnames of your servers, and replace *myrootpassword* with the desired root password. 

 Click on the reload permissions button, @flush privileges@, or restart MySQL. Then close phpmyadmin. 

 Go back to the shell of web.example.com and *download the latest ISPConfig 3* stable release: 
 <pre> 
 cd /tmp 
 wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz 
 tar xfz ISPConfig-3-stable.tar.gz 
 cd ispconfig3_install/install/ 
 </pre> 
 Then start the install script: 
 <pre> 
 php -q install.php 
 </pre> 
 > Select language (en,de) [en]: <-- *en* 
 > Installation mode (standard,expert) [standard]: <-- *expert* 
 > Full qualified hostname (FQDN) of the server, eg server2.domain.com [web.example.com]: <-- *web.example.com* 
 > MySQL server hostname [localhost]: <-- *localhost* 
 > MySQL root username [root]: <-- *root* 
 > MySQL root password []: <-- Enter your *MySQL root password* here 
 > MySQL database to create [dbispconfig]: <-- *dbispconfig* 
 > MySQL charset [utf8]: <-- *utf8* 
 > Shall this server join an existing ISPConfig multiserver setup (y,n) [n]: <-- *n* 
 > Configure Mail (y,n) [y]: <-- *n* 
 > Configure Jailkit (y,n) [y]: <-- *y* 
 > Configure FTP Server (y,n) [y]: <-- *y* 
 > Configure DNS Server (y,n) [y]: <-- *n* 
 > Configure Apache Server (y,n) [y]: <-- *y* 
 > Configure Firewall Server (y,n) [y]: <-- *y* 
 > Install ISPConfig Web-Interface (y,n) [y]: <-- *y* 
 > ISPConfig Port [8080]: <-- *8080* 
 > Enable SSL for the ISPConfig web interface (y,n) [y]: <-- *y* 
 > Country Name (2 letter code) [AU]: <-- *ENTER* 
 > State or Province Name (full name) [Some-State]: <-- *ENTER* 
 > Locality Name (eg, city) []: <-- *ENTER* 
 > Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- *ENTER* 
 > Organizational Unit Name (eg, section) []: <-- *ENTER* 
 > Common Name (eg, YOUR name) []: <-- *ENTER* 
 > Email Address []: <-- *ENTER* 
 > A challenge password []: <-- *ENTER* 
 > An optional company name []: <-- *ENTER* 

 Clean up the install directories: 
 <pre> 
 cd /tmp 
 rm -rf /tmp/ispconfig3_install/install 
 rm -f /tmp/ISPConfig-3-stable.tar.gz 
 </pre> 

 h2. Adjust The Server Settings In ISPConfig 
 
 *Log into ISPConfig on the master server* with a web browser: 
 <pre> 
 firefox http://192.168.0.105:8080 
 </pre> 
 Click on System -> Server services -> web.example.com 
 > +Disable all checkboxes except the *Webserver* and *Fileserver* checkboxes+ and click on *Save*. 

 Click on System -> Server services -> mail.example.com 
 > +Disable all checkboxes except the *Mailserver* checkbox+ and click on *Save*. 

 Click on System -> Server services -> db.example.com 
 > +Disable all checkboxes except the *DB-Server* checkbox+ and click on *Save*. 

 Click on System -> Server services -> ns1.example.com 
 > +Disable all checkboxes except the *DNS-Server* checkbox+ and click on *Save*. 

 h2. Resources 

 http://www.howtoforge.com/multiserver-setup-with-dedicated-web-email-dns-and-mysql-database-servers-on-debian-squeeze-with-ispconfig-3 
