The Perfect Server - Debian Lenny (Debian 5.0) [ISPConfig 2] - Page 5

14 Apache/PHP5/Ruby/Python

Now we install Apache:

apt-get install apache2 apache2-doc apache2-mpm-prefork apache2-utils apache2-suexec libexpat1 ssl-cert

Next we install PHP5, Ruby, and Python (all three as Apache modules):

apt-get install libapache2-mod-php5 libapache2-mod-ruby libapache2-mod-python php5 php5-common php5-curl php5-dev php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-mhash php5-ming php5-mysql php5-pspell php5-recode php5-snmp php5-sqlite php5-suhosin php5-tidy php5-xcache php5-xmlrpc php5-xsl

Next we edit /etc/apache2/mods-available/dir.conf...

vi /etc/apache2/mods-available/dir.conf

... and change the DirectoryIndex line:

<IfModule mod_dir.c>

          #DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm
          DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php3 index.pl index.xhtml

</IfModule>

Now we have to enable some Apache modules (SSL, rewrite, suexec, and include):

a2enmod ssl
a2enmod rewrite
a2enmod suexec
a2enmod include

Restart Apache:

/etc/init.d/apache2 restart

We have to fix a small problem with Ruby. If you install ISPConfig and enable Ruby for a web site, .rbx files will be executed fine and displayed in the browser, but this does not work for .rb files - you will be prompted to download the .rb file - the same happens if you configure Ruby manually for a vhost (i.e., it has nothing to do with ISPConfig). To fix this, we open /etc/mime.types...

vi /etc/mime.types

... and comment out the application/x-ruby line:

[...]
#application/x-ruby                             rb
[...]

Restart Apache:

/etc/init.d/apache2 restart

Now .rb files will be executed and displayed in the browser, just like .rbx files.

In the next chapter (14.1) we are going to disable PHP (this is necessary only if you want to install ISPConfig on this server). Unlike PHP, Ruby and Python are disabled by default, therefore we don't have to do it.


14.1 Disable PHP Globally

(If you do not plan to install ISPConfig on this server, please skip this section!)

In ISPConfig you will configure PHP on a per-website basis, i.e. you can specify which website can run PHP scripts and which one cannot. This can only work if PHP is disabled globally because otherwise all websites would be able to run PHP scripts, no matter what you specify in ISPConfig.

To disable PHP globally, we edit /etc/mime.types and comment out the application/x-httpd-php lines:

vi /etc/mime.types

[...]
#application/x-httpd-php                                phtml pht php
#application/x-httpd-php-source                 phps
#application/x-httpd-php3                       php3
#application/x-httpd-php3-preprocessed          php3p
#application/x-httpd-php4                       php4
[...]

Edit /etc/apache2/mods-enabled/php5.conf and comment out the following lines:

vi /etc/apache2/mods-enabled/php5.conf

<IfModule mod_php5.c>
  #AddType application/x-httpd-php .php .phtml .php3
  #AddType application/x-httpd-php-source .phps
</IfModule>

Then restart Apache:

/etc/init.d/apache2 restart
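As an added check for this section (not part of the original howto), the script below greps the two files just edited for any PHP mapping that is still active. It runs against constructed before/after copies of both files so it works anywhere; called without arguments, the functions fall back to the real Debian paths.

```shell
#!/bin/sh
# Added example, not part of the original howto: audit for section 14.1.
# php_global_mappings prints every still-active PHP mapping in mime.types
# and in the mod_php5 config; it prints nothing once PHP is disabled globally.
php_global_mappings() {
    mime="${1:-/etc/mime.types}"
    conf="${2:-/etc/apache2/mods-enabled/php5.conf}"
    # Uncommented application/x-httpd-php* lines in mime.types
    grep -E '^[[:space:]]*application/x-httpd-php' "$mime" 2>/dev/null || true
    # Uncommented AddType/AddHandler lines for PHP in the module config
    grep -E '^[[:space:]]*Add(Type|Handler)[[:space:]]+application/x-httpd-php' "$conf" 2>/dev/null || true
}

# True (exit 0) only when no active mapping remains in either file.
php_globally_disabled() {
    [ -z "$(php_global_mappings "$1" "$2")" ]
}

# Constructed sample files (not the real system files) so this runs anywhere.
demo_dir=$(mktemp -d)
cat > "$demo_dir/mime.types.before" <<'EOF'
application/x-httpd-php                         phtml pht php
application/x-httpd-php-source                  phps
EOF
cat > "$demo_dir/mime.types.after" <<'EOF'
#application/x-httpd-php                        phtml pht php
#application/x-httpd-php-source                 phps
EOF
cat > "$demo_dir/php5.conf.before" <<'EOF'
<IfModule mod_php5.c>
  AddType application/x-httpd-php .php .phtml .php3
  AddType application/x-httpd-php-source .phps
</IfModule>
EOF
cat > "$demo_dir/php5.conf.after" <<'EOF'
<IfModule mod_php5.c>
  #AddType application/x-httpd-php .php .phtml .php3
  #AddType application/x-httpd-php-source .phps
</IfModule>
EOF

for state in before after; do
    if php_globally_disabled "$demo_dir/mime.types.$state" "$demo_dir/php5.conf.$state"; then
        echo "$state edit: PHP is disabled globally"
    else
        echo "$state edit: PHP is still mapped globally:"
        php_global_mappings "$demo_dir/mime.types.$state" "$demo_dir/php5.conf.$state"
    fi
done
```

Both files must be clean: a single active AddType line is enough for Apache to run every site's .php files regardless of the ISPConfig setting.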


15 Proftpd

In order to install Proftpd, run

apt-get install proftpd ucf

You will be asked a question:

Run proftpd: <-- standalone

For security reasons add the following lines to /etc/proftpd/proftpd.conf (thanks to Reinaldo Carvalho; more information can be found here: http://proftpd.org/localsite/Userguide/linked/userguide.html). DefaultRoot ~ confines each FTP user to their own home directory, IdentLookups off disables the ident lookup of connecting clients, and ServerIdent replaces the default banner, which reveals the ProFTPD version:

vi /etc/proftpd/proftpd.conf

[...]
DefaultRoot ~
IdentLookups off
ServerIdent on "FTP Server ready."
[...]

ISPConfig expects the configuration to be in /etc/proftpd.conf instead of /etc/proftpd/proftpd.conf, therefore we create a symlink (you can skip this command if you don't want to install ISPConfig):

ln -s /etc/proftpd/proftpd.conf /etc/proftpd.conf

Then restart Proftpd:

/etc/init.d/proftpd restart


16 Webalizer

To install webalizer, just run

apt-get install webalizer


17 Synchronize the System Clock

It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the internet. Simply run

apt-get install ntp ntpdate

and your system time will always be in sync.


18 Install Some Perl Modules Needed By SpamAssassin (Comes With ISPConfig)

Run

apt-get install libhtml-parser-perl libdb-file-lock-perl libnet-dns-perl libnetaddr-ip-perl libarchive-tar-perl


19 ISPConfig

The configuration of the server is now finished, and if you wish you can now install ISPConfig on it. Please check out the ISPConfig installation manual: http://www.ispconfig.org/manual_installation.htm


19.1 A Note On SuExec

If you want to run CGI scripts under suExec, you should specify /var/www as the home directory for websites created by ISPConfig as Debian's suExec is compiled with /var/www as Doc_Root. Run

/usr/lib/apache2/suexec -V

and the output should look like this:

server1:~# /usr/lib/apache2/suexec -V
 -D AP_DOC_ROOT="/var/www"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="www-data"
 -D AP_LOG_EXEC="/var/log/apache2/suexec.log"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_UID_MIN=100
 -D AP_USERDIR_SUFFIX="public_html"
server1:~#

So if you want to use suExec with ISPConfig, don't change the default web root (which is /var/www) if you use expert mode during the ISPConfig installation (in standard mode you can't change the web root anyway, so you'll be able to use suExec in any case).
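An added helper, not from the original howto, that reads the suexec -V output shown above and tells you whether a planned web root and site uid/gid would be accepted by suExec before you commit to a layout. The web root paths and user ids used in the demonstration are constructed.

```shell
#!/bin/sh
# Added example, not from the original howto: check a planned web root and
# site user/group against the limits compiled into Debian's suexec. suexec
# refuses a CGI whose document root is outside AP_DOC_ROOT or whose owner has
# a uid/gid below AP_UID_MIN/AP_GID_MIN, and only reports that in AP_LOG_EXEC.

# Print the value of one -D setting from `suexec -V` output read on stdin.
suexec_setting() {
    sed -n "s/^[[:space:]]*-D $1=\"\{0,1\}\([^\"]*\)\"\{0,1\}$/\1/p"
}

# Usage: suexec_compatible <file with suexec -V output> <web root> <uid> <gid>
# Exit 0 when suexec will accept the layout, 1 otherwise (reasons on stdout).
suexec_compatible() {
    vout="$1"; webroot="$2"; uid="$3"; gid="$4"; ok=0
    docroot=$(suexec_setting AP_DOC_ROOT < "$vout")
    uidmin=$(suexec_setting AP_UID_MIN < "$vout")
    gidmin=$(suexec_setting AP_GID_MIN < "$vout")
    case "$webroot" in
        "$docroot"|"$docroot"/*) ;;
        *) echo "web root $webroot is outside AP_DOC_ROOT $docroot"; ok=1 ;;
    esac
    [ "$uid" -ge "$uidmin" ] || { echo "uid $uid is below AP_UID_MIN $uidmin"; ok=1; }
    [ "$gid" -ge "$gidmin" ] || { echo "gid $gid is below AP_GID_MIN $gidmin"; ok=1; }
    return $ok
}

# Constructed copy of the `suexec -V` output shown above (Lenny defaults).
suexec_v=$(mktemp)
cat > "$suexec_v" <<'EOF'
 -D AP_DOC_ROOT="/var/www"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="www-data"
 -D AP_LOG_EXEC="/var/log/apache2/suexec.log"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_UID_MIN=100
 -D AP_USERDIR_SUFFIX="public_html"
EOF

# A web under the default ISPConfig root passes; one under /home does not.
suexec_compatible "$suexec_v" /var/www/web1 1001 1001 && echo "/var/www/web1: ok"
suexec_compatible "$suexec_v" /home/web1 1001 1001 || echo "/home/web1: rejected"
```

On a live server replace the constructed file with the real output: /usr/lib/apache2/suexec -V > /tmp/suexec.out 2>&1 (suexec -V writes to stderr).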


20 Links


Comments

From: Tony at: 2009-03-14 06:40:55

As usual, fantastic guide by Falko!
However, I chose the extra partitions - /var, /tmp, /usr & /home.
Got all the way to end of this guide, went to install ISPConfig & got this error from the installer package -


ERROR: Sie benötigen mind. 512MB Platz im /root-Verzeichnis, um ISPConfig zu installieren! / You need at least 512MB of disk space in the /root directory to install ISPConfig!


Therefore it seems you must be careful when partitioning if using ISPConfig 2. ISPConfig 3 had no problem with same partitioning.

From: Anonymous at: 2009-02-20 22:24:52

From Etch onward, it is recommended that users use aptitude instead of apt-get.  Aptitude has advanced dependency handling that can avoid some serious problems in unusual situations. 


From the official debian documentation http://www.debian.org/releases/stable/i386/release-notes/ch-whats-new.en.html#s-pkgmgmt:


" The preferred program for package management from the command line is aptitude, which can perform the same package management functions as apt-get and has proven to be better at dependency resolution."

From: ree at: 2009-12-31 12:38:38

hi,


Please edit the /etc/init.d/bind9 startup script!


to do it follow :


nano /etc/init.d/bind9


then find the PIDFILE definition and edit it to look like this:


PIDFILE=/var/lib/named/var/run/bind/run/named.pid


and restart bind9: 


/etc/init.d/bind9 restart


regards



From: Yves at: 2010-01-29 22:26:31

This is not necessary. The correct path inside the jail is /var/run/bind/run/named.pid

From: Yves at: 2010-01-31 13:11:58

To use IPv6, i.e. listen-on-v6, you need to mount proc inside your chroot:


mkdir /var/lib/named/proc


mount -t proc proc /var/lib/named/proc


Don't forget to create a mount that persists after the next reboot, i.e. by adding it to /etc/fstab.

From: ROk at: 2010-03-18 09:50:34

In the file /etc/network/interfaces DO NOT WRITE DNS addresses. ONLY in /etc/resolv.conf.


If you need to specify your DNS servers manually, do it in /etc/resolv.conf, which should look something like this:


search mydomain.example


nameserver 192.168.0.1


nameserver 4.2.2.2


Otherwise there will be errors.

From: Nokao at: 2010-05-20 21:37:10

Do you think that the DNS step is important even for those who don't need a DNS server?




I mean ... is it true that a DNS server only for local software is "a must have" ?

From: Dima at: 2011-06-14 22:49:32

There is no need to manually create the aquota.user and aquota.group files. They are created automatically by running the command quotacheck with the appropriate options (-c -u -g).

From: at: 2009-05-07 18:19:57

I would suggest setting up additional parameters:




postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_invalid_hostname,reject_non_fqdn_hostname,reject_non_fqdn_sender,reject_non_fqdn_recipient,reject_unknown_sender_domain,reject_unknown_recipient_domain,reject_unauth_pipelining,reject_rbl_client dnsbl.njabl.org,reject_rbl_client sbl-xbl.spamhaus.org,reject_rbl_client pbl.spamhaus.org,reject_rbl_client bl.spamcop.net,reject_rbl_client duinv.aupads.org,reject_rbl_client ix.dnsbl.manitu.net,reject_rhsbl_sender rhsbl.sorbs.net,reject_unauth_destination'


postconf -e 'smtpd_sender_restrictions = permit_mynetworks,permit_sasl_authenticated, reject_rhsbl_sender dsn.rfc-ignorant.org'

From: Yves at: 2010-02-04 16:21:54

reject_unauth_destination is way too far towards the end; it should be before the rbl calls...


reject_unauth_pipelining should be placed under smtpd_data_restrictions for Postfix 2.x!

From: Jerry at: 2010-08-18 19:44:38

I discovered in my /var/log/mail.log file that the aliases db hadn't yet been created.


I recommend that the reader be instructed to execute the # newaliases command before trying to # telnet localhost 25


 The aliases db wasn't there, in my case, because the system had just been installed and no other mail related foo had been done.


 cheers.

From: Jerry at: 2010-08-20 06:48:35

My experiments with the SMTPD showed that with the setup you recommend the relay wasn't "open", i.e. it at least required a valid user name and password. But what's the point of a password if it's sent in the clear?? You should strongly recommend that the smtpd_tls_auth_only keyword be set to "yes" to require that the client use the TLS feature when sending the password.


Also, I found that setting MECHANISMS to shadow (for my tiny server) got me away from depending on /etc/courier/userdb.dat; I now use the system's shadow password file. That minimizes my management overhead. I'm supposed to be productive at the job I trained for, not spending all my time being a sysadmin. :-)


j

From: Edgar at: 2010-10-31 21:45:59

correct this error:


postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
instead of


postconf -e 'smtpd_tls CAfile = /etc/postfix/ssl/cacert.pem'




Awesome article

From: Edgar at: 2010-10-31 21:48:46

Never mind my last comment. It was the stupid HIGHLIGHT that was hiding the '_'.





From: at: 2009-05-07 18:22:13

To secure PHP you should edit




/etc/php5/apache2/php.ini




edit this line:




disable_functions = exec,system,passthru,shell_exec,popen,escapeshellcmd,proc_open,proc_nice,ini_restore

From: Emil at: 2009-05-07 10:13:57

I have successfully installed ISPConfig 2, but how do I change the home directory for a user, e.g. /home/username/public_html/, in ISPConfig?


And I have recompiled Apache with suExec in /home.


please advise


thanks





From: Sanjay K at: 2009-04-18 00:30:49

The tutorial is great.


I did have a few glitches along the way, much of which was due to php5-idn not being installed properly. Eventually I decided not to install it. (Don't know if that would cause other problems down the line). 


I also found aptitude to be marginally better than apt-get especially aptitude purge as a great help to uninstall the failing packages.


And I am absolutely delighted to see the ISPConfig screen. Thanks a lot Falko!


Regards


Sanjay



From: light-blue at: 2009-04-01 04:42:57

So that you don't spend 14 hours confused and frustrated like me, be sure that you are NOT submitting forms with lots of data (e.g. 100 form items--yes, I know they're huge by design) when using this setup. Suhosin won't allow that, and submits may FAIL SILENTLY.

after playing with standard php.ini POST settings for WAY too long, /var/log/apache2/error.log was the clue that solved this problem...


ALERT - configured POST variable limit exceeded - dropped variable 'field_agreement[0][value]' (attacker '192.168.10.13', file '/var/www/drupal/index.php'), referer: https://server.mycompany.com/node/add/agreement


The solution is simple ...


vi /etc/php5/conf.d/suhosin.ini

set these values:

suhosin.post.max_vars = 1000


suhosin.request.max_vars = 1000

From: Anonymous at: 2009-02-20 23:29:32

Is there some reason why you've chosen Courier and not Dovecot for the IMAP server?

From: Pat Foley at: 2009-03-04 22:01:00

Falko. Thanks for all the tutorials! When creating the server (www) behind a router, is it still necessary to use a real tld when ispconfig is going to be added?

From: Leslie at: 2009-06-11 20:11:29

Hi all!


I am starter in perfect server configuration... even server configuration...but with this wonderful manual I did the impossible... :-)


Thanks Falko !


But this is not the end:


ISP is running; I logged in, changed the login name from admin to another one and the password, started to study ISP, and then logged out...


Now I can't log in with my new user name and password, I get the error code: 1002 or 1004


 Please help

From: Anonymous at: 2009-10-03 05:00:43

How do I change the domain.tld from .com to .net!?!?!?! LoL... The setup was PERFECT. Just had to change the ISPConfig to reflect 5.0.3 but other than that, this server is running and working! I just need to change the domain TLD from .com to .net for obvious reasons... Thanks in Advance for your assistance... I tried to change it in hosts and Apache wouldn't restart... I need to change ALL instances BTW, from Start to Finish... I'm pretty savvy, but this is above me ATM and I'm not finding everything I need via Google searches. Again Thank You in Advance for your Help. Mike

From: at: 2010-02-17 21:05:09

Falko,


 This How-To is on point; however, I do have a question.  How secure is this setup as it is described here?  By following all of these steps, we are opening a lot of ports on the server and I believe it opens us up to a lot of liability.  Anyone have any pointers or suggestions?  Am I being overly paranoid?  Any input would be appreciated. 


 KaBarsEdge

From: Bernard at: 2010-02-27 13:47:40

To enable the use of the FTP username of an admin user for a particular ISPConfig domain you have to disable the ProFTP check for a valid shell (as /dev/null isn't one, and this is what gets assigned to ISPConfig users with disabled shell access). You have to uncomment this in /etc/proftpd/proftpd.conf:


[...]
 RequireValidShell           off
[...]

From: metoo at: 2010-07-21 20:50:59

thanks for great howto


I chose (server1) as my host name as described in the tutorial.


But when I install ispconfig 2 it says:


Please enter the host name: E.g. www


What should I write in this case? www or server1?


thanks