What's next? Deb 9 multi server farm

Discussion in 'Installation/Configuration' started by Frankenstein, Aug 3, 2018.

  1. Frankenstein

    Frankenstein Member

    Hey Guys (eventually Ladies),

    Some days ago I finished my Debian 9 multi-server setup:

    control.domain.tld (master: webspace, mail etc. for "company")
    web.domain.tld (web for customers)
    mail.domain.tld (mail server)
    db.domain.tld (database server)
    ns1.domain.tld (primary DNS)
    ns2.domain.tld (secondary DNS)

    I have some questions about the next steps that are recommended for a setup like this. But I'll phrase them as wishes, maybe that's easier for me to explain:

    I would like the master server to be accessible via the web panel only via the defined FQDN (port 8080) (https://control.domain.tld:8080) and not via port 8080 on each created web page.

    In this course I'd also like to create a LE SSL certificate for web, mail and FTP. This server should only serve the company website, administration and the web panel for the customer accounts.

    The "web" server is to serve as storage for customer web pages without a web panel; the management of the pages should run on the master. Is that possible, or already the case?

    Are there generally recommended steps after setting up all systems on this foundation?

    I am looking forward to your support.

    Best regards
    Frankenstein
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    If you installed the control panel only on the master, then it is not available on the other hosts.
    Since you have several hosts, install unattended-upgrades and do
    Code:
    dpkg-reconfigure -plow unattended-upgrades
    so security updates are installed automatically. You still have to do apt-get upgrade when 9.6 comes.
    LE is a bit trickier when you have multiple hosts, but it can be done. @ahrasis has written good documentation on how to do it. The thread is very long: https://www.howtoforge.com/communit...l-port-8080-with-lets-encrypt-free-ssl.75554/
    I don't know how to prevent this. Users access their own subset of ISPConfig from their own control panel; I have not had a need to prevent this.
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    You can do this by editing the apache/nginx ispconfig.vhost file: set a server name (the name that this vhost shall be accessible through) and change the port to 443. This will convert the ispconfig vhost to a normal name-based vhost on port 443 (SSL).
     
  4. Frankenstein

    Frankenstein Member

    Thank you both.
     
    Last edited: Aug 3, 2018
  5. Frankenstein

    Frankenstein Member

    Back with the same.

    ispconfig.vhost
    I added the ServerName control.domain.tld, deleted the line "Listen 8080" and changed <VirtualHost _default_:8080> to <VirtualHost _default_:443>, but when I try to reach the control panel over https://control.domain.tld it just shows me the "standard welcome page".

    In the past I tried the tutorial from @ahrasis but I couldn't activate LE SSL to get an SSL certificate for control.domain.tld (i.e. master), and deleted it again because the interface should run first on https://control.domain.tld before the LE SSL works.

    Later I want to have the following link structure (all working for all customers, without munin/monit):
    https://domain.tld - company website, shop, customer area
    https://control.domain.tld - ispconfig interface
    https://control.domain.tld/webmail
    https://control.domain.tld/phpmyadmin
    https://control.domain.tld/monit
    https://control.domain.tld/munin
    https://control.domain.tld/webftp

    If anybody feels free to help me it would be welcome :p

    Best regards,
    Frankenstein
     
    Last edited: Sep 27, 2018
  6. ahrasis

    ahrasis Well-Known Member

    I think that should be control.domain.tld:443 in the ispconfig.vhost (based on my readings but I never tried).
     
    Last edited: Sep 27, 2018
  7. Frankenstein

    Frankenstein Member

    #solved thanks @ahrasis

    https://domain.tld - company website, shop, customer area
    https://control.domain.tld - ispconfig interface

    now working.


    For monitoring (munin/monit):
    Should I run my own server?
    Does it need extra configuration to work fine with ispconfig, or do I just need a normal munin/monit monitoring server and fill in the links in the admin panel?

    for phpmyadmin:
    phpmyadmin is installed and I could create an easy alias in the vHost of control.domain.tld - but can users log in when they are customers and their database is on the database server (db.domain.tld) of the multi-server setup, or is it just localhost (control.domain.tld)?

    Do I need more configuration for a working phpmyadmin connected to all servers with MariaDB? Dumb idea?

    I think....that would be all ^^
     
  8. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Customer must use PHPMyAdmin on the database server. If you have db.domain.tld in the name service, make that point to the db server customer is supposed to use.
     
  9. Frankenstein

    Frankenstein Member

    So I need to set up a webserver on db.domain.tld incl. phpmyadmin, set up db.domain.tld as an A record pointing to the db server, set up the vhost on db for db.domain.tld with document root pointing to phpmyadmin, and should use https://db.domain.tld/phpmyadmin for phpmyadmin - or do I have any rewrite chance to let it shine like control.domain.tld^^?

    Should I set up and include the webserver in ISPConfig, or just set up this little thing without config over update.php?


    //offtopic
    I've set up my .biz domain on my own nameserver - the main content works (default template). I see it on both ns servers with dig @Xns.domain.tld domain.tld. But I think my changes made over the DNS zone tool don't get applied.

    Both bind9 are running with the following systemctl status bind9:

    ns1:
    Code:
    ● bind9.service - BIND Domain Name Server
       Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
       Active: active (running) since Wed 2018-09-26 16:29:53 CEST; 21h ago
         Docs: man:named(8)
      Process: 30963 ExecReload=/usr/sbin/rndc reload (code=exited, status=0/SUCCESS)
     Main PID: 13573 (named)
        Tasks: 4 (limit: 4915)
       CGroup: /system.slice/bind9.service
               └─13573 /usr/sbin/named -f -u bind
    
    Sep 27 14:02:01 ns1 named[13573]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
    Sep 27 14:02:01 ns1 named[13573]: automatic empty zone: EMPTY.AS112.ARPA
    Sep 27 14:02:01 ns1 named[13573]: configuring command channel from '/etc/bind/rndc.key'
    Sep 27 14:02:01 ns1 named[13573]: configuring command channel from '/etc/bind/rndc.key'
    Sep 27 14:02:01 ns1 named[13573]: reloading configuration succeeded
    Sep 27 14:02:01 ns1 named[13573]: reloading zones succeeded
    Sep 27 14:02:01 ns1 named[13573]: zone domain.tld/IN: loaded serial 2018092712
    Sep 27 14:02:01 ns1 named[13573]: zone domain.tld/IN: sending notifies (serial 2018092712)
    Sep 27 14:02:01 ns1 named[13573]: all zones loaded
    Sep 27 14:02:01 ns1 named[13573]: running
    ns2:
    Code:
    ● bind9.service - BIND Domain Name Server
       Loaded: loaded (/lib/systemd/system/bind9.service; enabled; vendor preset: enabled)
       Active: active (running) since Thu 2018-09-27 08:38:15 CEST; 5h 25min ago
         Docs: man:named(8)
      Process: 14987 ExecReload=/usr/sbin/rndc reload (code=exited, status=0/SUCCESS)
     Main PID: 811 (named)
        Tasks: 4 (limit: 4915)
       CGroup: /system.slice/bind9.service
               └─811 /usr/sbin/named -f -u bind
    
    Sep 27 14:02:01 ns2.domain.tld named[811]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
    Sep 27 14:02:01 ns2.domain.tld named[811]: automatic empty zone: EMPTY.AS112.ARPA
    Sep 27 14:02:01 ns2.domain.tld named[811]: configuring command channel from '/etc/bind/rndc.key'
    Sep 27 14:02:01 ns2.domain.tld named[811]: configuring command channel from '/etc/bind/rndc.key'
    Sep 27 14:02:01 ns2.domain.tld named[811]: reloading configuration succeeded
    Sep 27 14:02:01 ns2.domain.tld named[811]: reloading zones succeeded
    Sep 27 14:02:01 ns2.domain.tld named[811]: zone domain.tld/IN: loaded serial 2018092712
    Sep 27 14:02:01 ns2.domain.tld named[811]: zone domain.tld/IN: sending notifies (serial 2018092712)
    Sep 27 14:02:01 ns2.domain.tld named[811]: all zones loaded
    Sep 27 14:02:01 ns2.domain.tld named[811]: running
    dig just shows me:

    dig @ns1.domain.tld any domain.tld

    Code:
    ; <<>> DiG 9.10.3-P4-Debian <<>> @ns1.domain.tld any domain.tld
    ; (2 servers found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1550
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 4
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;domain.tld.            IN    ANY
    
    ;; ANSWER SECTION:
    domain.tld.        3600    IN    NS    ns2.domain.tld.
    domain.tld.        3600    IN    NS    ns1.domain.tld.
    domain.tld.        3600    IN    MX    10 mail.domain.tld.
    domain.tld.        3600    IN    TXT    "v=spf1 mx a ~all"
    domain.tld.        3600    IN    SOA    ns1.domain.tld. support.domain.tld. 2018092712 7200 540 604800 3600
    domain.tld.        3600    IN    A    ip.of.master.server
    
    ;; ADDITIONAL SECTION:
    ns1.domain.tld.    3600    IN    A    ip.of.ns1.server
    ns2.domain.tld.    3600    IN    A    ip.of.ns2.server
    mail.domain.tld.    3600    IN    A    ip.of.mail.server
    
    ;; Query time: 0 msec
    ;; SERVER: 159.69.205.24#53(159.69.205.24)
    ;; WHEN: Thu Sep 27 14:05:43 CEST 2018
    ;; MSG SIZE  rcvd: 235
    dig @ns2.domain.tld any domain.tld

    Code:
    ; <<>> DiG 9.10.3-P4-Debian <<>> @ns2.domain.tld any domain.tld
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22002
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 4
    ;; WARNING: recursion requested but not available
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;domain.tld.            IN    ANY
    
    ;; ANSWER SECTION:
    domain.tld.        3600    IN    NS    ns2.domain.tld.
    domain.tld.        3600    IN    NS    ns1.domain.tld.
    domain.tld.        3600    IN    MX    10 mail.domain.tld.
    domain.tld.        3600    IN    TXT    "v=spf1 mx a ~all"
    domain.tld.        3600    IN    SOA    ns1.domain.tld. support.domain.tld. 2018092712 7200 540 604800 3600
    domain.tld.        3600    IN    A    ip.of.master.server
    
    ;; ADDITIONAL SECTION:
    ns1.domain.tld.    3600    IN    A    ip.of.ns1.server
    ns2.domain.tld.    3600    IN    A    ip.of.ns2.server
    mail.domain.tld.    3600    IN    A    ip.of.mail.server
    
    ;; Query time: 0 msec
    ;; SERVER: 159.69.205.23#53(159.69.205.23)
    ;; WHEN: Thu Sep 27 14:06:04 CEST 2018
    ;; MSG SIZE  rcvd: 235
    but if I do some DNS lookups over different services, they fail:
    https://mxtoolbox.com/SuperTool.aspx?action=a:techgods.biz&run=toolpage

    On a lookup for NS the query timed out.
    https://www.heise.de/netze/tools/dns/
     
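The two dig outputs above agree with each other, so the next thing to rule out is a disagreement between the nameservers themselves. The following is an added example, not code from this thread or from ISPConfig/BIND: it parses the kind of dig output pasted above, pulls out status, header flags, the SOA serial and the NS set per server, and reports what is worth fixing on the servers before looking further: a non-authoritative answer, a stale serial on a secondary, NS sets that differ, and a server that advertises recursion ("ra"), which an authoritative-only nameserver should not offer to the public. The two dig outputs embedded below are constructed samples modelled on the ones above, with a deliberately older serial on ns2 so the check has something to report.

```python
"""Consistency check over `dig ... any <zone>` output from several nameservers.

Added example (not the thread's or BIND's code). The sample dig outputs are
constructed, modelled on the thread's; IPs are documentation addresses.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: ns1 answers authoritatively but also offers recursion ("ra").
DIG_NS1 = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1550
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;domain.tld.            IN    ANY

;; ANSWER SECTION:
domain.tld.        3600    IN    NS    ns2.domain.tld.
domain.tld.        3600    IN    NS    ns1.domain.tld.
domain.tld.        3600    IN    MX    10 mail.domain.tld.
domain.tld.        3600    IN    SOA    ns1.domain.tld. support.domain.tld. 2018092712 7200 540 604800 3600
domain.tld.        3600    IN    A    192.0.2.10

;; ADDITIONAL SECTION:
ns1.domain.tld.    3600    IN    A    192.0.2.1
ns2.domain.tld.    3600    IN    A    192.0.2.2
"""

# Constructed sample: ns2 is authoritative-only but still serves an older serial.
DIG_NS2 = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22002
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; ANSWER SECTION:
domain.tld.        3600    IN    NS    ns2.domain.tld.
domain.tld.        3600    IN    NS    ns1.domain.tld.
domain.tld.        3600    IN    MX    10 mail.domain.tld.
domain.tld.        3600    IN    SOA    ns1.domain.tld. support.domain.tld. 2018092711 7200 540 604800 3600
domain.tld.        3600    IN    A    192.0.2.10
"""

FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);")
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")


@dataclass
class DigAnswer:
    status: str = ""
    flags: set = field(default_factory=set)
    records: list = field(default_factory=list)   # (owner, ttl, type, rdata) from ANSWER
    warnings: list = field(default_factory=list)


def parse_dig(text: str) -> DigAnswer:
    """Parse the header and the ANSWER section of one dig output."""
    ans = DigAnswer()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status: (\w+)", line)
            ans.status = m.group(1) if m else "?"
        elif (m := FLAGS_RE.match(line)):
            ans.flags = set(m.group(1).split())
        elif line.startswith(";; WARNING:"):
            ans.warnings.append(line[len(";; WARNING:"):].strip())
        elif line.startswith(";;") and line.endswith("SECTION:"):
            section = line.lstrip("; ").split()[0]       # ANSWER, ADDITIONAL, OPT, ...
        elif line.startswith(";"):
            continue                                     # comments and the QUESTION entry
        elif section == "ANSWER" and (m := RR_RE.match(line)):
            ans.records.append((m.group(1), int(m.group(2)), m.group(3), m.group(4).strip()))
    return ans


def soa_serial(ans: DigAnswer):
    """Serial is the third field of SOA rdata: mname rname serial refresh retry expire minimum."""
    for _, _, rtype, rdata in ans.records:
        if rtype == "SOA":
            return int(rdata.split()[2])
    return None


def ns_set(ans: DigAnswer) -> set:
    return {rdata.rstrip(".").lower() for _, _, rtype, rdata in ans.records if rtype == "NS"}


def check_zone(zone: str, outputs: dict) -> list:
    """outputs maps a nameserver hostname to its dig output; returns a list of findings."""
    findings = []
    parsed = {host: parse_dig(text) for host, text in outputs.items()}
    for host, ans in parsed.items():
        if ans.status != "NOERROR":
            findings.append(f"{host}: status {ans.status} for {zone}")
        if "aa" not in ans.flags:
            findings.append(f"{host}: answer for {zone} is not authoritative (no aa flag)")
        if "ra" in ans.flags:
            findings.append(f"{host}: advertises recursion (ra); restrict recursion on an authoritative-only server")
        declared = ns_set(ans)
        if declared and host.rstrip(".").lower() not in declared:
            findings.append(f"{host}: not listed in the zone's own NS records {sorted(declared)}")
    serials = {host: soa_serial(ans) for host, ans in parsed.items()}
    if len(set(serials.values())) > 1:
        findings.append(f"SOA serial mismatch, a secondary is stale: {serials}")
    ns_sets = {host: sorted(ns_set(ans)) for host, ans in parsed.items()}
    if len({tuple(s) for s in ns_sets.values()}) > 1:
        findings.append(f"NS set mismatch between servers: {ns_sets}")
    return findings


if __name__ == "__main__":
    for finding in check_zone("domain.tld", {"ns1.domain.tld": DIG_NS1, "ns2.domain.tld": DIG_NS2}):
        print(finding)
```

This only sees what the zone's own servers answer. It cannot tell whether the parent zone (the registrar's delegation and glue) points at them at all, which is the failure mode that makes external lookups time out while both local dig queries look fine; for that, the same records have to be queried from the parent's nameservers rather than from ns1/ns2.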
  10. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  11. ahrasis

    ahrasis Well-Known Member

    I think it should be on the same server that you want to monitor (as I am not sure they can be on a different server). Anyway, just refer to its tutorial.

    Since you have a multi-server setup, setting up a database server on db.domain.tld should be fine.

    What setup did you use for your dns server; cluster or master / slave?
     
  12. Frankenstein

    Frankenstein Member

    @Taleman

    just forgot to register my nameserver @ hetzner :x

    Which way should I prefer?

    @ahrasis
    converted the tutorial in the manual of 3.1 from Debian 8 with PHP 5 to Debian 9.5 with PHP 7.0 + FPM

    After my setup is complete and working fine I would give my full tutorial for the tutorial blog ^^
    (master, web, db, mail, ns1, ns2 actually)

    also planned:
    (master replication, db master-master replication, mail replication, ns3 for global redundancy and an every-24h full backup system on 2 additional systems for master, web, db, ns1 - all servers protected by fail2ban, rkhunter, public key auth, SSH only reachable over a VPN and munin/monit monitoring)
     