The Perfect Server - CentOS 5.6 x86_64 [ISPConfig 3] - Page 5

Want to support HowtoForge? Become a subscriber!
 
Submitted by falko (Contact Author) (Forums) on Tue, 2011-04-12 17:49. ::

15 Installing Apache2 With mod_php, mod_fcgi/PHP5, And suPHP

ISPConfig 3 allows you to use mod_php, mod_fcgi/PHP5, cgi/PHP5, and suPHP on a per website basis.

mod_fcgid is not available in the official CentOS repositories, but there's a package for CentOS 5.x in the centos.karan.org testing repository. We enable the repository as follows:

cd /etc/yum.repos.d/
wget http://centos.karan.org/kbsingh-CentOS-Extras.repo

Next we open /etc/yum.repos.d/kbsingh-CentOS-Extras.repo...

vi /etc/yum.repos.d/kbsingh-CentOS-Extras.repo

... and set gpgcheck to 0 and enabled to 1 in the [kbs-CentOS-Testing] section:

[...]
# pkgs in the -Testing repo are not gpg signed
[kbs-CentOS-Testing]
name=CentOS.Karan.Org-EL$releasever - Testing
gpgcheck=0
gpgkey=http://centos.karan.org/RPM-GPG-KEY-karan.org.txt
enabled=1
baseurl=http://centos.karan.org/el$releasever/extras/testing/$basearch/RPMS/

Afterwards we can install Apache2with mod_php5, mod_fcgid, and PHP5:

yum install php php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc php-eaccelerator php-mbstring php-mcrypt php-mhash php-mssql php-snmp php-soap php-tidy curl curl-devel perl-libwww-perl ImageMagick libxml2 libxml2-devel mod_fcgid php-cli httpd-devel

Next we open /etc/php.ini...

vi /etc/php.ini

... and change the error reporting (so that notices aren't shown any longer) and add cgi.fix_pathinfo = 1 at the end of the file:

[...]
;error_reporting  =  E_ALL
error_reporting = E_ALL & ~E_NOTICE
[...]
cgi.fix_pathinfo = 1

Next we install suPHP:

cd /tmp
wget http://suphp.org/download/suphp-0.7.1.tar.gz
tar xvfz suphp-0.7.1.tar.gz
cd suphp-0.7.1/
./configure --prefix=/usr --sysconfdir=/etc --with-apr=/usr/bin/apr-1-config --with-apxs=/usr/sbin/apxs --with-apache-user=apache --with-setid-mode=owner --with-php=/usr/bin/php-cgi --with-logfile=/var/log/httpd/suphp_log --enable-SUPHP_USE_USERGROUP=yes
make
make install

Then we add the suPHP module to our Apache configuration...

vi /etc/httpd/conf.d/suphp.conf

LoadModule suphp_module modules/mod_suphp.so

... and create the file /etc/suphp.conf as follows:

vi /etc/suphp.conf

[global]
;Path to logfile
logfile=/var/log/httpd/suphp.log
;Loglevel
loglevel=info
;User Apache is running as
webserver_user=apache
;Path all scripts have to be in
docroot=/
;Path to chroot() to before executing script
;chroot=/mychroot
; Security options
allow_file_group_writeable=true
allow_file_others_writeable=false
allow_directory_group_writeable=true
allow_directory_others_writeable=false
;Check wheter script is within DOCUMENT_ROOT
check_vhost_docroot=true
;Send minor error messages to browser
errors_to_browser=false
;PATH environment variable
env_path=/bin:/usr/bin
;Umask to set, specify in octal notation
umask=0077
; Minimum UID
min_uid=100
; Minimum GID
min_gid=100
[handlers]
;Handler for php-scripts
x-httpd-suphp="php:/usr/bin/php-cgi"
;Handler for CGI-scripts
x-suphp-cgi="execute:!self"

Finally we restart Apache:

/etc/init.d/httpd restart

 

15.1 Ruby

Starting with version 3.0.3, ISPConfig 3 has built-in support for Ruby. Instead of using CGI/FastCGI, ISPConfig depends on mod_ruby being available in the server's Apache.

For CentOS 5.6, there's no mod_ruby package available, so we must compile it ourselves. First we install some prerequisites:

yum install httpd-devel ruby ruby-devel

Next we download and install mod_ruby as follows:

cd /tmp
wget http://modruby.net/archive/mod_ruby-1.3.0.tar.gz
tar zxvf mod_ruby-1.3.0.tar.gz
cd mod_ruby-1.3.0/
./configure.rb --with-apr-includes=/usr/include/apr-1
make
make install

Finally we must add the mod_ruby module to the Apache configuration, so we create the file /etc/httpd/conf.d/ruby.conf...

vi /etc/httpd/conf.d/ruby.conf

LoadModule ruby_module modules/mod_ruby.so

... and restart Apache:

/etc/init.d/httpd restart

 

15.2 WebDAV

WebDAV should already be enabled, but to check this, open /etc/httpd/conf/httpd.conf and make sure that the following three modules are active:

vi /etc/httpd/conf/httpd.conf

[...]
LoadModule auth_digest_module modules/mod_auth_digest.so
[...]
LoadModule dav_module modules/mod_dav.so
[...]
LoadModule dav_fs_module modules/mod_dav_fs.so
[...]

If you have to modify /etc/httpd/conf/httpd.conf, don't forget to restart Apache afterwards:

/etc/init.d/httpd restart

 

16 Install PureFTPd

PureFTPd can be installed with the following command:

yum install pure-ftpd

Then create the system startup links and start PureFTPd:

chkconfig --levels 235 pure-ftpd on
/etc/init.d/pure-ftpd start

Now we configure PureFTPd to allow FTP and TLS sessions. FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure.

OpenSSL is needed by TLS; to install OpenSSL, we simply run:

yum install openssl

Open /etc/pure-ftpd/pure-ftpd.conf...

vi /etc/pure-ftpd/pure-ftpd.conf

If you want to allow FTP and TLS sessions, set TLS to 1:

[...]
# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
#     including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.
TLS                      1
[...]

In order to use TLS, we must create an SSL certificate. I create it in /etc/ssl/private/, therefore I create that directory first:

mkdir -p /etc/ssl/private/

Afterwards, we can generate the SSL certificate as follows:

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

Country Name (2 letter code) [GB]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Berkshire]:
<-- Enter your State or Province Name.
Locality Name (eg, city) [Newbury]:
<-- Enter your City.
Organization Name (eg, company) [My Company Ltd]:
<-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []:
<-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, your name or your server's hostname) []:
<-- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
Email Address []:
<-- Enter your Email Address.

Change the permissions of the SSL certificate:

chmod 600 /etc/ssl/private/pure-ftpd.pem

Finally restart PureFTPd:

/etc/init.d/pure-ftpd restart

That's it. You can now try to connect using your FTP client; however, you should configure your FTP client to use TLS.

 

17 Install A Chrooted DNS Server (BIND9)

To install a chrooted BIND9, we do this:

yum install bind-chroot

Then do this:

chmod 755 /var/named/
chmod 775 /var/named/chroot/
chmod 775 /var/named/chroot/var/
chmod 775 /var/named/chroot/var/named/
chmod 775 /var/named/chroot/var/run/
chmod 777 /var/named/chroot/var/run/named/
cd /var/named/chroot/var/named/
ln -s ../../ chroot
touch /var/named/chroot/var/named/named.local
cp /usr/share/doc/bind-9.3.6/sample/var/named/named.root /var/named/chroot/var/named/named.root
touch /var/named/chroot/etc/named.conf.local
vi /var/named/chroot/etc/named.conf

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { any; };
        directory       "/var/named/chroot/var/named";
        dump-file       "/var/named/chroot/var/named/data/cache_dump.db";
        statistics-file "/var/named/chroot/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/chroot/var/named/data/named_mem_stats.txt";
        allow-query     { any; };
        recursion no;
        allow-recursion { none; };
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.root";
};
include "/var/named/chroot/var/named/named.local";

chkconfig --levels 235 named on
/etc/init.d/named start

BIND will run in a chroot jail under /var/named/chroot/var/named/. I will use ISPConfig to configure BIND (zones, etc.).

 

18 Install Vlogger And Webalizer

Vlogger and webalizer can be installed as follows:

yum install webalizer perl-DateTime-Format-HTTP perl-DateTime-Format-Builder

cd /tmp
wget http://n0rp.chemlab.org/vlogger/vlogger-1.3.tar.gz
tar xvfz vlogger-1.3.tar.gz
mv vlogger-1.3/vlogger /usr/sbin/
rm -rf vlogger*

 

19 Install Jailkit

Jailkit is needed only if you want to chroot SSH users. It can be installed as follows (important: Jailkit must be installed before ISPConfig - it cannot be installed afterwards!):

cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.13.tar.gz
tar xvfz jailkit-2.13.tar.gz
cd jailkit-2.13
./configure
make
make install
cd ..
rm -rf jailkit-2.13*

 

20 Install fail2ban

This is optional but recommended, because the ISPConfig monitor tries to show the log:

yum install fail2ban

chkconfig --levels 235 fail2ban on
/etc/init.d/fail2ban start

 

21 Install rkhunter

rkhunter can be installed as follows:

yum install rkhunter


Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
Submitted by anhlqn (registered user) on Fri, 2011-12-09 06:13.

With my Drupal 7.x site using SuPHP on ISPConfig3, with step to install suphp, I have to change the umask from

umask=0077  => change to umask=0022
Or folders created by Drupal will have wrong permission.
Submitted by anhlqn (registered user) on Fri, 2011-12-09 06:06.

At step 15, if you already install webtatic repo I suggested on page 3 step 9, you don't need to enable the centos.karan.org testing repository, just simply run this command to install

yum --enablerepo=webtatic install php php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear 
php-xml php-xmlrpc php-eaccelerator php-mbstring php-mcrypt php-mhash 
php-mssql php-snmp php-soap php-tidy curl curl-devel perl-libwww-perl 
ImageMagick libxml2 libxml2-devel mod_fcgid php-cli httpd-devel
Or you can enable the repo webtatic by editing the repo file to enabled=1
Submitted by peterpallesen (registered user) on Wed, 2011-07-27 06:37.
[root@ispconfig3 sysconfig]# yum install bind-chroot
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos.maulvi.net
 * extras: centos.maulvi.net
 * rpmforge: fr2.rpmfind.net
 * updates: centos.maulvi.net
Excluding Packages from Red Hat Enterprise Linux 5 - x86_64 - ATrpms
Finished
Reducing Red Hat Enterprise Linux 5 - x86_64 - ATrpms to included packages only
Finished
Excluding Packages from Red Hat Enterprise Linux 5 - x86_64 - ATrpms testing
Finished
Reducing Red Hat Enterprise Linux 5 - x86_64 - ATrpms testing to included packages only
Finished
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package bind-chroot.x86_64 30:9.3.6-16.P1.el5 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

=================================================================================================
 Package                Arch              Version                          Repository       Size
=================================================================================================
Installing:
 bind-chroot            x86_64            30:9.3.6-16.P1.el5               base             46 k

Transaction Summary
=================================================================================================
Install       1 Package(s)
Upgrade       0 Package(s)

Total download size: 46 k
Is this ok [y/N]: y
Downloading Packages:
bind-chroot-9.3.6-16.P1.el5.x86_64.rpm                                    |  46 kB     00:01
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : bind-chroot                                                               1/1

Installed:
  bind-chroot.x86_64 30:9.3.6-16.P1.el5

Complete!
[root@ispconfig3 sysconfig]# chmod 755 /var/named/
[root@ispconfig3 sysconfig]# chmod 775 /var/named/chroot/
[root@ispconfig3 sysconfig]# chmod 775 /var/named/chroot/var/named/
[root@ispconfig3 sysconfig]# chmod 775 /var/named/chroot/var/run/
[root@ispconfig3 sysconfig]# chmod 777 /var/named/chroot/var/run/named/
[root@ispconfig3 sysconfig]# cd /var/named/chroot/var/named/
[root@ispconfig3 named]# ln -s ../../ chroot
[root@ispconfig3 named]# touch /var/named/chroot/var/named/named.local
[root@ispconfig3 named]# cp /usr/share/doc/bind-9.3.6/sample/var/named/named.root /var/named/chroot/var/named/named.root
[root@ispconfig3 named]# touch /var/named/chroot/etc/named.conf.local
[root@ispconfig3 named]# vi /var/named/chroot/etc/named.conf
 (named.conf edited as per the text)
[root@ispconfig3 named]# chkconfig named on
[root@ispconfig3 named]# service named start
Starting named:
Error in named configuration:
/var/named/chroot/var/named/named.local:1: unknown option '$TTL'
/var/named/chroot/var/named/named.local:3: unknown option 'Serial'
/var/named/chroot/var/named/named.local:4: unknown option 'Refresh'
/var/named/chroot/var/named/named.local:5: unknown option 'Retry'
/var/named/chroot/var/named/named.local:6: unknown option 'Expire'
/var/named/chroot/var/named/named.local:7: unknown option 'Minimum'
/etc/named.conf:30: unexpected token near end of file
                                                           [FAILED]

Submitted by Rolf Ernst (not registered) on Mon, 2011-09-05 03:59.
For all it's worth - I am getting the same error. I am installing under OpenVZ - not sure this is related?
Submitted by Anonymous (not registered) on Wed, 2012-02-08 13:38.
I have the same error. Have you solved it?
Submitted by Anonymous (not registered) on Wed, 2011-04-27 04:05.
you can install the mod_fcgid from fedora epel repository.
Submitted by Curu (not registered) on Sun, 2011-05-01 02:01.

also, you can install suphp from rpmfoge repo using:

yum install mod_suphp 
Submitted by peterpallesen (registered user) on Tue, 2011-07-26 17:36.

That's good cuz the howto doesn't work: ...

checking for unistd.h... (cached) yes

checking for APR... configure: error: the --with-apr parameter is incorrect. It must specify an install prefix, a

build directory, or an apr-config file.