View Single Post
Old 27th November 2011, 19:51
talkingnews talkingnews is offline
Join Date: Jan 2011
Posts: 67
Thanks: 15
Thanked 6 Times in 6 Posts

Originally Posted by till View Post
The nginx user may never be the user "ispconfig" or you open a huge securiy hole as the user ispconfig is for the controlpabel only and is never used to host any websites or to run the webserver. The tutorial is complete, so no additional changes are required. If it did not work for you, then you might have missed a step, but changing the nginx user to ispconfig is not required and its very dangerous.
You should check each step again and undo the change of the nginx user.
OK, I've undone the change, and as expected, I got 403 forbidden.

Again, I'm looking at this error at the end of installing ISPC and also the fact that I never got asked if I'd like to use ssh.

Configuring Apps vhost
PHP Warning:  symlink(): No such file or directory in /tmp/ispconfig3_install/install/lib/installer_base.lib.php on line 1519
The permissions for files in the /usr/local/ispconfig/interface/web/ dir are

-rwxr-x--- 1 ispconfig ispconfig 1753 2011-11-26 20:22 index.php

If the file to be served belongs to ispconfig user and group, how could nginx be allowed to see it? This goes counter to everything I thought I'd learnt about nginx over the last few months.

I also can't understand how ISPC could have been "seen" by nginx, when I had to manually add the line

include /etc/nginx/sites-available/*.vhost;

at the end of nginx.conf. How would it be able to see it again?

Here are the relevant users and groups.

nginx:x:111:116:nginx user,,,:/nonexistent:/bin/false

Here's the ISPConfig install log followed by my bash history

20:20:59Line 165: read in ispconfig3.sql
20:20:59Line 621: chmod on mysql-virtual_*.cf*
20:20:59Line 623: chgrp on mysql-virtual_*.cf*
20:20:59Line 627: EXECUTED: groupadd -g 5000 vmail
20:20:59Line 630: EXECUTED: useradd -g vmail -u 5000 vmail -d /var/vmail -m
20:21:00Line 689: EXECUTED: postconf -e myhostname =
20:21:00Line 689: EXECUTED: postconf -e mydestination =, localhost, localhost.localdomain
20:21:00Line 689: EXECUTED: postconf -e mynetworks = [::1]/128
20:21:00Line 689: EXECUTED: postconf -e alias_maps = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
20:21:00Line 689: EXECUTED: postconf -e alias_database = hash:/etc/aliases, hash:/var/lib/mailman/data/aliases
20:21:00Line 689: EXECUTED: postconf -e virtual_alias_domains =
20:21:00Line 689: EXECUTED: postconf -e virtual_alias_maps = proxy:mysql:/etc/postfix/, proxy:mysql:/etc/postfix/, hash:/var/lib/mailman/data/virtual-mailman
20:21:00Line 689: EXECUTED: postconf -e virtual_mailbox_domains = proxy:mysql:/etc/postfix/
20:21:00Line 689: EXECUTED: postconf -e virtual_mailbox_maps = proxy:mysql:/etc/postfix/
20:21:00Line 689: EXECUTED: postconf -e virtual_mailbox_base = /var/vmail
20:21:00Line 689: EXECUTED: postconf -e virtual_uid_maps = static:5000
20:21:00Line 689: EXECUTED: postconf -e virtual_gid_maps = static:5000
20:21:00Line 689: EXECUTED: postconf -e smtpd_sasl_auth_enable = yes
20:21:00Line 689: EXECUTED: postconf -e broken_sasl_auth_clients = yes
20:21:00Line 689: EXECUTED: postconf -e smtpd_sasl_authenticated_header = yes
20:21:00Line 689: EXECUTED: postconf -e smtpd_recipient_restrictions = permit_mynetworks, permit_sasl_authenticated, check_recipient_access mysql:/etc/postfix/, reject_unauth_destination
20:21:00Line 689: EXECUTED: postconf -e smtpd_use_tls = yes
20:21:00Line 689: EXECUTED: postconf -e smtpd_tls_security_level = may
20:21:00Line 689: EXECUTED: postconf -e smtpd_tls_cert_file = /etc/postfix/smtpd.cert
20:21:00Line 689: EXECUTED: postconf -e smtpd_tls_key_file = /etc/postfix/smtpd.key
20:21:00Line 689: EXECUTED: postconf -e transport_maps = proxy:mysql:/etc/postfix/
20:21:00Line 689: EXECUTED: postconf -e relay_domains = mysql:/etc/postfix/
20:21:00Line 689: EXECUTED: postconf -e relay_recipient_maps = mysql:/etc/postfix/
20:21:00Line 689: EXECUTED: postconf -e proxy_read_maps = $local_recipient_maps $mydestination $virtual_alias_maps $virtual_alias_domains $virtual_mailbox_maps $virtual_mailbox_domains $relay_recipient_maps $relay_domains $canonical_maps $sender_canonical_maps $recipient_canonical_maps $relocated_maps $transport_maps $mynetworks $virtual_mailbox_limit_maps
20:21:00Line 689: EXECUTED: postconf -e smtpd_sender_restrictions = check_sender_access mysql:/etc/postfix/
20:21:00Line 689: EXECUTED: postconf -e smtpd_client_restrictions = check_client_access mysql:/etc/postfix/
20:21:00Line 689: EXECUTED: postconf -e smtpd_client_message_rate_limit = 100
20:21:00Line 689: EXECUTED: postconf -e maildrop_destination_concurrency_limit = 1
20:21:00Line 689: EXECUTED: postconf -e maildrop_destination_recipient_limit   = 1
20:21:00Line 689: EXECUTED: postconf -e virtual_transport = maildrop
20:21:00Line 689: EXECUTED: postconf -e header_checks = regexp:/etc/postfix/header_checks
20:21:00Line 689: EXECUTED: postconf -e mime_header_checks = regexp:/etc/postfix/mime_header_checks
20:21:00Line 689: EXECUTED: postconf -e nested_header_checks = regexp:/etc/postfix/nested_header_checks
20:21:00Line 689: EXECUTED: postconf -e body_checks = regexp:/etc/postfix/body_checks
20:21:00Line 689: EXECUTED: postconf -e owner_request_special = no
20:21:20Line 699: EXECUTED: chmod o= /etc/postfix/smtpd.key
20:21:20Line 732: EXECUTED: mkdir /var/vmail/mailfilters
20:21:20Line 737: EXECUTED: chown vmail:vmail /var/vmail/.mailfilter
20:21:20Line 740: EXECUTED: chmod 600 /var/vmail/.mailfilter
20:21:20Line 943: EXECUTED: postconf -e content_filter = amavis:[]:10024
20:21:20Line 943: EXECUTED: postconf -e receive_override_options = no_address_mappings
20:21:20Line 984: EXECUTED: useradd -d /etc/getmail getmail
20:21:20Line 987: EXECUTED: chown -R getmail /etc/getmail
20:21:20Line 990: EXECUTED: chmod -R 700 /etc/getmail
20:21:20Line 1230: EXECUTED: groupadd sshusers
20:21:20Line 1457: EXECUTED: groupadd ispapps
20:21:20Line 1460: EXECUTED: useradd -g ispapps -d /var/www/apps ispapps
20:21:20Line 1464: EXECUTED: adduser www-data ispapps
20:21:20Line 1307: cp -f tpl/bastille-firewall.cfg.master /etc/Bastille/bastille-firewall.cfg
20:21:20Line 1308: chmod 644 /etc/Bastille/bastille-firewall.cfg
20:21:20Line 1336: cp -f apps/bastille-firewall /etc/init.d
20:21:20Line 1337: chmod 700 /etc/init.d/bastille-firewall
20:21:21Line 1340: cp -f apps/bastille-ipchains /sbin
20:21:21Line 1341: chmod 700 /sbin/bastille-ipchains
20:21:21Line 1344: cp -f apps/bastille-netfilter /sbin
20:21:21Line 1345: chmod 700 /sbin/bastille-netfilter
20:21:21Line 1347: mkdir /var/lock/subsys
20:22:42Line 1559: EXECUTED: groupadd ispconfig
20:22:42Line 1562: EXECUTED: useradd -g ispconfig -d /usr/local/ispconfig ispconfig
20:22:43Line 1566: EXECUTED: cp -rf ../interface /usr/local/ispconfig
20:22:43Line 1570: EXECUTED: cp -rf ../server /usr/local/ispconfig
20:22:44Line 1708: EXECUTED: chmod -R 750 /usr/local/ispconfig
20:22:44Line 1712: EXECUTED: chown -R ispconfig:ispconfig /usr/local/ispconfig
20:22:44Line 1770: EXECUTED: adduser www-data ispconfig
20:22:44Line 1773: EXECUTED: adduser www-data ispapps
20:22:44Line 1779: EXECUTED: chmod +x /usr/local/ispconfig/server/scripts/ /usr/local/ispconfig/server/scripts/ /usr/local/ispconfig/server/scripts/ /usr/local/ispconfig/server/scripts/ /usr/local/ispconfig/server/scripts/ /usr/local/ispconfig/server/scripts/ /usr/local/ispconfig/server/scripts/ /usr/local/ispconfig/server/scripts/

And here's my bash history - it took me a while but I've gone through with the "perfect server" guide and all seems OK.

vi /etc/network/interfaces
dpkg-reconfigure dash
/etc/init.d/apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils
apt-get update
apt-get install ntp ntpdate
/etc/init.d/apparmor stop
update-rc.d -f apparmor remove
apt-get remove apparmor apparmor-utils
apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server courier-authdaemon courier-authlib-mysql courier-pop courier-pop-ssl courier-imap courier-imap-ssl libsasl2-2 libsasl2-modules libsasl2-modules-sql sasl2-bin libpam-mysql openssl getmail4 rkhunter binutils maildrop
vi /etc/mysql/my.cnf
nano /etc/mysql/my.cnf
/etc/init.d/mysql restart
netstat -tap | grep mysql
cd /etc/courier
rm -f /etc/courier/imapd.pem
rm -f /etc/courier/pop3d.pem
nano /etc/courier/imapd.cnf
nano /etc/courier/pop3d.cnf
/etc/init.d/courier-imap-ssl restart
/etc/init.d/courier-pop-ssl restart
apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
/etc/init.d/spamassassin stop
update-rc.d -f spamassassin remove
apt-get install nginx
/etc/init.d/apache2 stop
/etc/init.d/nginx start
apt-get install php5-fpm
apt-cache search php5
apt-get install php5-mysql php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl php5-geoip  php-apc
/etc/init.d/php5-fpm restart
apt-get install fcgiwrap
apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
nano /etc/default/pure-ftpd-common
echo 1 > /etc/pure-ftpd/conf/TLS
mkdir -p /etc/ssl/private/
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
chmod 600 /etc/ssl/private/pure-ftpd.pem
/etc/init.d/pure-ftpd-mysql restart
nano /etc/fstab
apt-get install bind9 dnsutils
apt-get install vlogger webalizer awstats geoip-database
nano /etc/cron.d/awstats
apt-get install build-essential autoconf automake1.9 libtool flex bison debhelper binutils-gold
cd /tmp
tar xvfz jailkit-2.14.tar.gz
cd jailkit-2.14
./debian/rules binary
cd ..
dpkg -i jailkit_2.14-1_*.deb
rm -rf jailkit-2.14*
apt-get install fail2ban
vi /etc/fail2ban/jail.local
nano /etc/fail2ban/jail.local
nano /etc/fail2ban/filter.d/pureftpd.conf
nano /etc/fail2ban/filter.d/courierpop3.conf
nano /etc/fail2ban/filter.d/courierpop3s.conf
nano /etc/fail2ban/filter.d/courierimap.conf
nano /etc/fail2ban/filter.d/courierimaps.conf
nano /etc/fail2ban/filter.d/courierimaps.conf
/etc/init.d/fail2ban restart
apt-get install squirrelmail
/etc/init.d/apache2 stop
/etc/init.d/nginx restart
cd /tmp
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
php -q install.php
ps -ef
nano /etc/nginx/sites-available/ispconfig.vhost
service nginx restart
cat /var/log/nginx/error.log
cat /var/log/ispconfig/ispconfig.log
nano /etc/nginx/sites-available/ispconfig.vhost
/etc/init.d/php5-fpm restart
nano /etc/nginx/sites-available/ispconfig.vhost
nano /etc/nginx/sites-available/ispconfig.vhost
free -m
/etc/init.d/php5-fpm restart
service nginx restart
reboot now
Reply With Quote