Multiserver Setup With Dedicated Web, Email, DNS & MySQL Database Servers On Debian Squeeze With ISPConfig 3

Version 1.0
Author: Till Brehm <t [dot] brehm [at] projektfarm [dot] com>

This tutorial describes the installation of an ISPConfig 3 multiserver setup with dedicated web, email, database and two DNS servers all managed trough a single ISPConfig 3 control panel. The setup described below uses five servers and can be extended easily to to a higher number of servers by just adding more servers. E.g. if you want to have two mailservers, do the setup steps from chapter 2 on both of these servers. If you want to set up more web servers, then install ISPConfig on all other web servers in expert mode except of the first one.

1 Installing The Five Debian Base Systems

In this setup there will be one master server (which runs the web server and ISPConfig control panel interface) and four slave servers for database, email and DNS.

To install the clustered setup, we need five servers (or virtual servers) with a Debian 6.0 minimal install. The base setup is described in the following tutorial in the steps 1 - 6:

https://www.howtoforge.com/perfect-server-debian-squeeze-with-bind-and-dovecot-ispconfig-3

Install only steps 1 - 6 of the perfect server tutorial and not the other steps as they differ for a clustered setup!

In my example I use the following hostnames and IP addresses for the five servers:

Web Server

Hostname: web.example.tld
IP address: 192.168.0.105

Mail Server

Hostname: mail.example.tld
IP address: 192.168.0.106

DB Server

Hostname: db.example.tld
IP address: 192.168.0.107

DNS Server (primary)

Hostname: ns1.example.tld
IP address: 192.168.0.108

DNS Server (secondary)

Hostname: ns2.example.tld
IP address: 192.168.0.109

Whereever these hostnames or IP addresses occur in the next installation steps you will have to change them to match the IP's and hostnames of your servers.

2 Installing The Web Server

Edit the hosts file and add the IP addresses and hostnames for all servers. The hostnames and IP addresses have to be adjusted to match your setup.

vi /etc/hosts

127.0.0.1       localhost
192.168.0.105   web.example.tld
192.168.0.106   mail.example.tld
192.168.0.107   db.example.tld
192.168.0.108   ns1.example.tld
192.168.0.109   ns2.example.tld
 
# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

Set the hostname of the server:

echo web.example.tld > /etc/hostname
/etc/init.d/hostname.sh start

Run...

 apt-get update

... to update the apt package database; then run...

apt-get upgrade

... to install the latest updates (if there are any).

It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the Internet. Simply run...

apt-get -y install ntp ntpdate

... and your system time will always be in sync.

Install the MySQL server. A MySQL server instance is necessary on every server as ISPConfig uses it to sync the configuration between the servers.

apt-get -y install mysql-client mysql-server

Enter the new password for MySQL when requested by the installer.

We want MySQL to listen on all interfaces on the master server, not just localhost, therefore we edit /etc/mysql/my.cnf and comment out the line bind-address = 127.0.0.1:

vi /etc/mysql/my.cnf

[...]  

# Instead of skip-networking the default is now to listen only on  
# localhost which is more compatible and is not less secure.  
#bind-address           = 127.0.0.1  

[...]

Then restart MySQL:

/etc/init.d/mysql restart

Now install Apache2, PHP5, phpMyAdmin, FCGI, suExec, Pear, and mcrypt as follows:

apt-get -y install apache2 apache2.2-common apache2-doc apache2-mpm-prefork apache2-utils libexpat1 ssl-cert libapache2-mod-php5 php5 php5-common php5-curl php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-ruby libapache2-mod-perl2 sudo zip wget

You will see the following question:

Web server to reconfigure automatically: <-- apache2

Then run the following command to enable the Apache modules suexec, rewrite, ssl, actions, and include:

a2enmod suexec rewrite ssl actions include ruby dav_fs dav auth_digest

PureFTPd and quota can be installed with the following command:

apt-get -y install pure-ftpd-common pure-ftpd-mysql quota quotatool

Edit the file /etc/default/pure-ftpd-common...

vi /etc/default/pure-ftpd-common

... and make sure virtualchroot is set VIRTUALCHROOT=true:

[...]
VIRTUALCHROOT=true
[...]

Now we configure PureFTPd to allow FTP and TLS sessions. FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure.

If you want to allow FTP and TLS sessions, run

echo 1 > /etc/pure-ftpd/conf/TLS

In order to use TLS, we must create an SSL certificate. I create it in /etc/ssl/private/, therefore I create that directory first:

mkdir -p /etc/ssl/private/

Afterwards, we can generate the SSL certificate as follows:

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]: <-- Enter your State or Province Name.
Locality Name (eg, city) []: <-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []: <-- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
Email Address []: <-- Enter your Email Address.

Change the permissions of the SSL certificate:

chmod 600 /etc/ssl/private/pure-ftpd.pem

Then restart PureFTPd:

/etc/init.d/pure-ftpd-mysql restart

Edit /etc/fstab. Mine looks like this (I added ,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 to the partition with the mount point /):

vi /etc/fstab

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults        0       0
# / was on /dev/sda1 during installation
UUID=92bceda2-5ae4-4e3a-8748-b14da48fb297 /               ext3    errors=remount-ro,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 0       1
# swap was on /dev/sda5 during installation
UUID=e24b3e9e-095c-4b49-af27-6363a4b7d094 none            swap    sw              0       0
/dev/scd0       /media/cdrom0   udf,iso9660 user,noauto     0       0
/dev/fd0        /media/floppy0  auto    rw,user,noauto  0       0

To enable quota, run these commands:

mount -o remount /

quotacheck -avugm
quotaon -avug

Install vlogger, webalizer, and awstats:

apt-get -y install vlogger webalizer awstats

Open /etc/cron.d/awstats afterwards...

vi /etc/cron.d/awstats

... and comment out both cron jobs in that file:

#*/10 * * * * www-data [ -x /usr/share/awstats/tools/update.sh ] && /usr/share/awstats/tools/update.sh

# Generate static reports:
#10 03 * * * www-data [ -x /usr/share/awstats/tools/buildstatic.sh ] && /usr/share/awstats/tools/buildstatic.sh

Install Jailkit: Jailkit is needed only if you want to chroot SSH users. It can be installed as follows (important: Jailkit must be installed before ISPConfig - it cannot be installed afterwards!):

 apt-get -y install build-essential autoconf automake1.9 libtool flex bison debhelper

cd /tmp
wget http://olivier.sessink.nl/jailkit/jailkit-2.14.tar.gz
tar xvfz jailkit-2.14.tar.gz
cd jailkit-2.14
./debian/rules binary
cd ..
dpkg -i jailkit_2.14-1_*.deb
rm -rf jailkit-2.14*

Install fail2ban: This is optional but recommended, because the ISPConfig monitor tries to show the log:

apt-get install fail2ban

To make fail2ban monitor PureFTPd, create the file /etc/fail2ban/jail.local:

vi /etc/fail2ban/jail.local

[pureftpd]

enabled  = true
port     = ftp
filter   = pureftpd
logpath  = /var/log/syslog
maxretry = 3

Then create the following filter file:

vi /etc/fail2ban/filter.d/pureftpd.conf

[Definition]
failregex = .*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*
ignoreregex =

Restart fail2ban afterwards:

/etc/init.d/fail2ban restart

Next we will install ISPConfig 3. To get the download URL of the latest ISPConfig 3 stable release, please visit the ISPConfig website: http://www.ispconfig.org/ispconfig-3/download/

This server is the master server in our setup which runs the ISPConfig control panel interface. To allow the other MySQL instances to connect to the MySQL database on this node during installation, we have to add MySQL root user records in the master database for every slave server hostname and IP address. The easiest way to do this is to use the web based phpmyadmin administration tool that we installed already. Open the URL http://192.168.0.105/phpmyadmin in a web browser, log in as MySQL root user and execute these MySQL queries:

CREATE USER 'root'@'192.168.0.106' IDENTIFIED BY 'myrootpassword';
GRANT ALL PRIVILEGES ON * . * TO 'root'@'192.168.0.106' IDENTIFIED BY 'myrootpassword' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;

CREATE USER 'root'@'192.168.0.107' IDENTIFIED BY 'myrootpassword';
GRANT ALL PRIVILEGES ON * . * TO 'root'@'192.168.0.107' IDENTIFIED BY 'myrootpassword' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;

CREATE USER 'root'@'192.168.0.108' IDENTIFIED BY 'myrootpassword';
GRANT ALL PRIVILEGES ON * . * TO 'root'@'192.168.0.108' IDENTIFIED BY 'myrootpassword' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;

CREATE USER 'root'@'192.168.0.109' IDENTIFIED BY 'myrootpassword';
GRANT ALL PRIVILEGES ON * . * TO 'root'@'192.168.0.109' IDENTIFIED BY 'myrootpassword' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;

CREATE USER 'root'@'mail.example.tld' IDENTIFIED BY 'myrootpassword';
GRANT ALL PRIVILEGES ON * . * TO 'root'@'mail.example.tld' IDENTIFIED BY 'myrootpassword' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;

CREATE USER 'root'@'db.example.tld' IDENTIFIED BY 'myrootpassword';
GRANT ALL PRIVILEGES ON * . * TO 'root'@'db.example.tld' IDENTIFIED BY 'myrootpassword' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;

CREATE USER 'root'@'ns1.example.tld' IDENTIFIED BY 'myrootpassword';
GRANT ALL PRIVILEGES ON * . * TO 'root'@'ns1.example.tld' IDENTIFIED BY 'myrootpassword' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;

CREATE USER 'root'@'ns2.example.tld' IDENTIFIED BY 'myrootpassword';
GRANT ALL PRIVILEGES ON * . * TO 'root'@'ns2.example.tld' IDENTIFIED BY 'myrootpassword' WITH GRANT OPTION MAX_QUERIES_PER_HOUR 0 MAX_CONNECTIONS_PER_HOUR 0 MAX_UPDATES_PER_HOUR 0 MAX_USER_CONNECTIONS 0 ;

In the above sql commands, replace the IP adresses (192.168.0.106 - 192.168.0.109) with the IP addresses of your servers and replace mail.example.tld, db.example.tld, ns1.example.tld and ns2.example.tld with the hostnames of your servers and myrootpassword with the desired root password.

Click on the reload permissions button or restart MySQL. Then close phpmyadmin.

Go back to the shell of server1.example.tld and download the latest ISPConfig 3 stable release:

cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/

Then start the install script:

php -q install.php

Select language (en,de) [en]: <-- en
Installation mode (standard,expert) [standard]: <-- expert
Full qualified hostname (FQDN) of the server, eg server2.domain.tld [web.example.tld]: <-- web.example.tld
MySQL server hostname [localhost]: <-- localhost
MySQL root username [root]: <-- root
MySQL root password []: <-- Enter your MySQL root password here
MySQL database to create [dbispconfig]: <-- dbispconfig
MySQL charset [utf8]: <-- utf8
Shall this server join an existing ISPConfig multiserver setup (y,n) [n]: <-- n
Configure Mail (y,n) [y]: <-- n
Configure Jailkit (y,n) [y]: <-- y
Configure FTP Server (y,n) [y]: <-- y
Configure DNS Server (y,n) [y]: <-- n
Configure Apache Server (y,n) [y]: <-- y
Configure Firewall Server (y,n) [y]: <--y
Install ISPConfig Web-Interface (y,n) [y]: <--y
ISPConfig Port [8080]: <-- 8080
Enable SSL for the ISPConfig web interface (y,n) [y]: <-- y
Country Name (2 letter code) [AU]: <-- ENTER
State or Province Name (full name) [Some-State]: <-- ENTER
Locality Name (eg, city) []: <-- ENTER
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- ENTER
Organizational Unit Name (eg, section) []: <-- ENTER
Common Name (eg, YOUR name) []: <-- ENTER
Email Address []: <-- ENTER
A challenge password []: <-- ENTER
An optional company name []: <-- ENTER

Clean up the install directories:

cd /tmp
rm -rf /tmp/ispconfig3_install/install
rm -f /tmp/ISPConfig-3-stable.tar.gz

view as pdf | print

Share this page:

Sub pages

28 Comment(s)

Add comment

Comments

By:

I've edited the sources.list but getting so many 'no candidate version found' and 'Couldn't find any package whose name or description matched'

I've been copying and pasting so spelling is definately correct.

[email protected]:~# apt-get -y install apache2 apache2.2-common apache2-doc apache2-mpm-prefork apache2-utils libexpat1 ssl-cert libapache2-mod-php5 php5 php5-common php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libopenssl-ruby libapache2-mod-ruby sudo zip wget

Reading package lists... Done

Building dependency tree

Reading state information... Done

Note, selecting 'libruby' instead of 'libopenssl-ruby'

Package mcrypt is not available, but is referred to by another package.

This may mean that the package is missing, has been obsoleted, or

is only available from another source

Package libapache2-mod-ruby is not available, but is referred to by another package.

This may mean that the package is missing, has been obsoleted, or

is only available from another source

E: Unable to locate package php-auth

E: Package 'mcrypt' has no installation candidate

E: Unable to locate package libapache2-mod-suphp

E: Package 'libapache2-mod-ruby' has no installation candidate

By:

I've edited the sources.list but getting so many 'no candidate version found' and 'Couldn't find any package whose name or description matched'

I've been copying and pasting so spelling is definately correct.

By:

Hello

thank you for these excellent howto!

think you will do a refresh for debian wheezy?

thank you!

By: Anonymous

Any update on this question?

Squeeze is about dead.....

By:

Does this setup work behind a nat firewall?

By: admin

Yes, this works behind a NAT Firewall as well.

By: alan johnston

the pages seem to be screwed up a little, it goes from page 1 wich is parts 1 & 2 then page 2 which is part 7 which is the ned configs

By: skrans

@ step 7 im stuck i only have web.example.tld ther is no mail. db. ns1. ns2.

how can i fix it

thanks in advance

By: Thomas

why is it required to have "kind of" redundant installation of ISPConfig and MySQL on all servers?

By: till

ISPConfig is the software that controls and configures the server, so not installing ISPConfig on a node would mea that this node is not part of this multiserver setup and therefore it can not be controlled by rhe ISPConfig master. The MySQL database is there for fault tolerance, the setup that you instal here allows it that each node can fail and will not affect any other node. If you would use a central mysql database instead, then this central database would be a single point of failure and all nodes would fail if that db is offline.

By: Sangeet Kumar

Hello,

I would like to configure two servers as following but not finding clear instructions for Jessie.

www.example.com (Web, DB & NS1)

mail.example.com (Mirror of Web, Email and NS2).

I have already purchased the guide but it lacks the instructions for Jessie. Please help.

Regards,

Sangeet

By: Kai

Hi, I followed this tutorial and started installing everything on the master ISPconfig server. But on this page I have a big problem: in ISPconfig on the master only the master itself is listed below the

System > Server services

I added the clients to /etc/hosts and already added the mysql-users to root - but did not setup the clients themselves!

How can I enable the clients in the Server Services region?

By: Luis

Hello Till, I have to use the same root password for each installation mysql?

By: till

No, you can use different root passwords.

By: Marco

Excellent guide, I followed it to the letter and everything works properly.

But now I have a doubt. The "mail" command on the web server does not work when no SMTP server configured. How can I do to configure your web server so that the mail server uses as the sending mail server?

Thank you in advance

By: reason8

I have set this up for Opensuse 13.1

My question is: Does, how do I know if the databases are actually being served from the DB-Server?

I looked in /var/lib/mysql but it's not the same as the /var/lib/mysql server on the main ISPConfig Main server.

My second question: is mysql being served from the DB-Server or the main ISPConfig server?

I wanted this setup to offload mysql (performance issues) from the main ISPConfig server.Is this what I am doing?

By: NeonTigerUK

Hi Till

Is there a plan any time soon to update this for Jessie? I've been trying to set up a new cluster 2 x ns 1 x mysql and 1 x web/mail but keep getting fails at step 2 at

[code]

apt-get -y install apache2 apache2.2-common apache2-doc apache2-mpm-prefork apache2-utils libexpat1 ssl-cert libapache2-mod-php5 php5 php5-common php5-curl php5-gd php5-mysql php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick libapache2-mod-suphp libruby libapache2-mod-ruby libapache2-mod-perl2 sudo zip wget

[/code]

It would be great if this could be updated to also include lets-encrypt

Thanks :)

By: till

The ISPConfig manual https://www.howtoforge.com/download-the-ispconfig-3-manual contains already an updated version for Debian Jessie + ISPConfig 3.1.

By: NeonTigerUK

Hi Till, I have the manual now, would I be right in assuming if I want to have 2 x ns servers and 1 x web email and MySQL I do the combined installs? -

also, how easy would it be to add separate servers in the future?

By: sgzodyo

How to port forward primary dns and secondary dns server?

By: Corey

Needs sudo apt-get install -y dovecot-sieve dovecot-mysql before installing ISPConfig, otherwise authentication and mail delivery will throw errors in /var/log/mail.log.

By: Mihai

Does anyone managed to configure multiserver with let's encrypt support? I have tried, having separate server for dns (ns1.domain.tld) and then dns moved to master server (web.domain.tld). Non of configuration worked. I receive this message in both situation:

<p>The following errors were reported by the server: Domain: www.domain.tld Type: connection Detail: DNS problem: SERVFAIL looking up A for www.domain.tld Domain: domain.tld Type: connection Detail: DNS problem: SERVFAIL looking up A for domain.tld To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.</p>

Everything else work perfectly, ftp, mail, database, dns configuration. All the servers are behind nat and I did forward the port 53 to local ip of ns1.domain.tld and the do master ispconfig (web.domain.tld) for second situation.

Thank you for any suggestion

By: esezako

Hi,

For when a howto Multiserver Setup With Dedicated Web, Email, DNS & MySQL Database Servers On Debian 9?

Thanks in advance!

By: SijmenNL

Same here maby Till can do a update on this for Debian 9 always love the tutorials from Till Brehm

By: Shelo

Hello,

Thanks for the tuto.

My question is: Do I have to get 5 domain too or I can use one domain name for 5 servers. Thanks

By: till

One domain is enough, there is just one domain used in this tutorial. The hostnames of the 5 servers are subdomains of that one domain.

By: PUREXER

Thanks @TillCan you please make a version of this tuto for centos 7 with the latest updates.

By: Jose Hidalgo

How can I reconfigure a previous ispconfig3 server to make a multiserver setup?

Thanks for all your work!

Log in or Sign up

On this page