The Perfect Server - Debian Squeeze (Debian 6.0) [ISPConfig 2] - Page 5

15 Apache/PHP5/Ruby/Python/WebDAV

Now we install Apache:

apt-get install apache2 apache2-doc apache2-mpm-prefork apache2-utils apache2-suexec libexpat1 ssl-cert

Next we install PHP5, Ruby, and Python (all three as Apache modules):

apt-get install libapache2-mod-php5 libapache2-mod-ruby libapache2-mod-python php5 php5-common php5-curl php5-dev php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-mysql php5-pspell php5-recode php5-snmp php5-sqlite php5-suhosin php5-tidy php5-xcache php5-xmlrpc php5-xsl

Next we edit /etc/apache2/mods-available/dir.conf...

vi /etc/apache2/mods-available/dir.conf

... and change the DirectoryIndex line:

<IfModule mod_dir.c>

          #DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm
          DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php3 index.pl index.xhtml

</IfModule>

Now we have to enable some Apache modules (SSL, rewrite, suexec, include, and WebDAV):

a2enmod ssl
a2enmod rewrite
a2enmod suexec
a2enmod include
a2enmod dav_fs
a2enmod dav

Restart Apache:

/etc/init.d/apache2 restart

We have to fix a small problem with Ruby. If you install ISPConfig and enable Ruby for a web site, .rbx files are executed and displayed in the browser, but .rb files are not: the browser prompts you to download the .rb file instead. The same happens if you configure Ruby manually for a vhost (i.e., it has nothing to do with ISPConfig). To fix this, we open /etc/mime.types...

vi /etc/mime.types

... and comment out the application/x-ruby line:

[...]
#application/x-ruby                             rb
[...]

Restart Apache:

/etc/init.d/apache2 restart

Now .rb files will be executed and displayed in the browser, just like .rbx files.

In the next chapter (15.1) we are going to disable PHP (this is necessary only if you want to install ISPConfig on this server). Unlike PHP, Ruby and Python are disabled by default, therefore we don't have to do it.

 

15.1 Disable PHP Globally

(If you do not plan to install ISPConfig on this server, please skip this section!)

In ISPConfig you will configure PHP on a per-website basis, i.e. you can specify which website can run PHP scripts and which one cannot. This can only work if PHP is disabled globally because otherwise all websites would be able to run PHP scripts, no matter what you specify in ISPConfig.

To disable PHP globally, we edit /etc/mime.types and comment out the application/x-httpd-php lines:

vi /etc/mime.types

[...]
#application/x-httpd-php                                phtml pht php
#application/x-httpd-php-source                 phps
#application/x-httpd-php3                       php3
#application/x-httpd-php3-preprocessed          php3p
#application/x-httpd-php4                       php4
#application/x-httpd-php5                       php5
[...]

Edit /etc/apache2/mods-enabled/php5.conf and comment out the SetHandler lines:

vi /etc/apache2/mods-enabled/php5.conf

<IfModule mod_php5.c>
    <FilesMatch "\.ph(p3?|tml)$">
        #SetHandler application/x-httpd-php
    </FilesMatch>
    <FilesMatch "\.phps$">
        #SetHandler application/x-httpd-php-source
    </FilesMatch>
    # To re-enable php in user directories comment the following lines
    # (from <IfModule ...> to </IfModule>.) Do NOT set it to On as it
    # prevents .htaccess files from disabling it.
    <IfModule mod_userdir.c>
        <Directory /home/*/public_html>
            php_admin_value engine Off
        </Directory>
    </IfModule>
</IfModule>

Then restart Apache:

/etc/init.d/apache2 restart
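
To confirm that both edits took effect, the following check reports any PHP MIME mapping or SetHandler line that is still active. It is an added example, not part of the original tutorial; the function names and the constructed sample files are assumptions, and on the server you would pass /etc/mime.types and /etc/apache2/mods-enabled/php5.conf instead.

```sh
#!/bin/sh
# Added example (not from the tutorial): verify that PHP is disabled globally.
# Function names are illustrative.

# Print the active (uncommented) PHP MIME mappings in a mime.types file ($1).
active_php_mime_types() {
    grep -E '^[[:space:]]*application/x-httpd-php' "$1" || true
}

# Print the active SetHandler directives that hand files to PHP in php5.conf ($1).
# Apache directive names are case-insensitive, hence -i.
active_php_handlers() {
    grep -Ei '^[[:space:]]*SetHandler[[:space:]]+application/x-httpd-php' "$1" || true
}

# Exit status: 0 = PHP disabled in both files, 1 = still enabled, 2 = file unreadable.
# An unreadable file is an error, not a pass: a missing file proves nothing.
php_globally_disabled() {
    mime_file=$1
    conf_file=$2
    for f in "$mime_file" "$conf_file"; do
        if [ ! -r "$f" ]; then
            echo "cannot read $f" >&2
            return 2
        fi
    done
    status=0
    leftovers=$(active_php_mime_types "$mime_file")
    if [ -n "$leftovers" ]; then
        printf 'still active in %s:\n%s\n' "$mime_file" "$leftovers" >&2
        status=1
    fi
    leftovers=$(active_php_handlers "$conf_file")
    if [ -n "$leftovers" ]; then
        printf 'still active in %s:\n%s\n' "$conf_file" "$leftovers" >&2
        status=1
    fi
    return "$status"
}

# Constructed sample files (not taken from a real server): the php5 mapping
# was forgotten, so the check must report it.
demo_dir=$(mktemp -d)
cat > "$demo_dir/mime.types" <<'EOF'
text/html                                       html htm shtml
#application/x-httpd-php                        phtml pht php
#application/x-httpd-php-source                 phps
application/x-httpd-php5                        php5
EOF
cat > "$demo_dir/php5.conf" <<'EOF'
<IfModule mod_php5.c>
    <FilesMatch "\.ph(p3?|tml)$">
        #SetHandler application/x-httpd-php
    </FilesMatch>
    <FilesMatch "\.phps$">
        #SetHandler application/x-httpd-php-source
    </FilesMatch>
</IfModule>
EOF
if php_globally_disabled "$demo_dir/mime.types" "$demo_dir/php5.conf"; then
    echo "PHP is disabled globally"
else
    echo "PHP is still enabled somewhere"
fi
rm -rf "$demo_dir"
```
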

 

16 Proftpd

In order to install Proftpd, run

apt-get install proftpd-basic ucf

You will be asked a question:

Run proftpd: <-- standalone

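For security reasons add the following lines to /etc/proftpd/proftpd.conf. DefaultRoot ~ confines each FTP user to their own home directory, and ServerIdent replaces the default greeting so that the banner does not disclose the server software and version (thanks to Reinaldo Carvalho; more information can be found here: http://proftpd.org/localsite/Userguide/linked/userguide.html):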

vi /etc/proftpd/proftpd.conf

[...]
DefaultRoot ~
ServerIdent on "FTP Server ready."
[...]

ISPConfig expects the configuration to be in /etc/proftpd.conf instead of /etc/proftpd/proftpd.conf, therefore we create a symlink (you can skip this command if you don't want to install ISPConfig):

ln -s /etc/proftpd/proftpd.conf /etc/proftpd.conf

Then restart Proftpd:

/etc/init.d/proftpd restart

 

17 Webalizer

To install webalizer, just run

apt-get install webalizer geoip-database

 

18 Synchronize the System Clock

It is a good idea to synchronize the system clock with an NTP (network time protocol) server over the internet. Simply run

apt-get install ntp ntpdate

and your system time will always be in sync.

 

19 Install Some Perl Modules Needed By SpamAssassin (Comes With ISPConfig)

Run

apt-get install libhtml-parser-perl libdb-file-lock-perl libnet-dns-perl libnetaddr-ip-perl libarchive-tar-perl

 

20 ISPConfig

The configuration of the server is now finished, and if you wish you can now install ISPConfig on it. Please check out the ISPConfig installation manual: http://www.ispconfig.org/manual_installation.htm

Before you install ISPConfig, there's one important thing you must do. Open /usr/include/stdio.h and replace getline with parseline in line 651:

vi /usr/include/stdio.h

[...]
   This function is not part of POSIX and therefore no official
   cancellation point.  But due to similarity with an POSIX interface
   or due to the implementation it is a cancellation point and
   therefore not marked with __THROW.  */
extern _IO_ssize_t parseline (char **__restrict __lineptr,
                            size_t *__restrict __n,
                            FILE *__restrict __stream) __wur;
#endif
[...]

If you don't do this, the installation will fail because of the following error:

htpasswd.c:101: error: conflicting types for 'getline'
/usr/include/stdio.h:651: note: previous declaration of 'getline' was here
make[2]: *** [htpasswd.o] Error 1
make[2]: Leaving directory `/home/ISPConfig-2.2.stable/install_ispconfig/compile_aps/apache_1.3.41/src/support'
make[1]: *** [build-support] Error 1
make[1]: Leaving directory `/home/ISPConfig-2.2.stable/install_ispconfig/compile_aps/apache_1.3.41'
make: *** [build] Error 2
ERROR: Could not make Apache

You can undo the change to /usr/include/stdio.h after the successful ISPConfig installation (but don't forget to change it back whenever you want to update ISPConfig!).

 

20.1 A Note On SuExec

If you want to run CGI scripts under suExec, you should specify /var/www as the home directory for websites created by ISPConfig as Debian's suExec is compiled with /var/www as Doc_Root. Run

 /usr/lib/apache2/suexec -V

and the output should look like this:

[email protected]:~# /usr/lib/apache2/suexec -V
 -D AP_DOC_ROOT="/var/www"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="www-data"
 -D AP_LOG_EXEC="/var/log/apache2/suexec.log"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_UID_MIN=100
 -D AP_USERDIR_SUFFIX="public_html"
[email protected]:~#

So if you want to use suExec with ISPConfig, don't change the default web root (which is /var/www) if you use expert mode during the ISPConfig installation (in standard mode you can't change the web root anyway so you'll be able to use suExec in any case).
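
The comparison described above can be scripted. The following is an added example, not part of the original tutorial: it pulls AP_DOC_ROOT out of the suexec -V listing and tests candidate web roots against it. The function names and the candidate paths other than /var/www are assumptions.

```sh
#!/bin/sh
# Added example (not from the tutorial): compare a planned web root with the
# document root compiled into suExec. Function names are illustrative.

# Read `suexec -V` output on stdin and print the value of AP_DOC_ROOT.
suexec_docroot() {
    sed -n 's/^[[:space:]]*-D AP_DOC_ROOT="\(.*\)"[[:space:]]*$/\1/p'
}

# Return 0 if web root $2 equals docroot $1 or lies below it, 1 otherwise.
# This is a textual comparison, so paths containing ".." are refused outright,
# and /var/www2 is not mistaken for a directory below /var/www.
web_root_allowed() {
    _root=${1%/}
    _path=${2%/}
    case "$_path/" in
        */../*) return 1 ;;
    esac
    case "$_path/" in
        "$_root"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# The suexec -V listing shown in this section, embedded as sample input.
sample_suexec_output() {
    cat <<'EOF'
 -D AP_DOC_ROOT="/var/www"
 -D AP_GID_MIN=100
 -D AP_HTTPD_USER="www-data"
 -D AP_LOG_EXEC="/var/log/apache2/suexec.log"
 -D AP_SAFE_PATH="/usr/local/bin:/usr/bin:/bin"
 -D AP_UID_MIN=100
 -D AP_USERDIR_SUFFIX="public_html"
EOF
}

# On the server, replace the sample with the real listing; merging stderr
# into stdout captures it whichever stream suexec writes to:
#   /usr/lib/apache2/suexec -V 2>&1 | suexec_docroot
docroot=$(sample_suexec_output | suexec_docroot)

# Candidate web roots (constructed for the example).
for candidate in /var/www /var/www/web1 /var/www2 /srv/www; do
    if web_root_allowed "$docroot" "$candidate"; then
        echo "$candidate: inside the suExec document root $docroot"
    else
        echo "$candidate: outside the suExec document root $docroot"
    fi
done
```
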

 


Comments

By: jimcooncat

Because you advised to use a password for root instead of leaving it blank, I believe the first user that you created during install (Administrator) is not set up to use sudo. I could very well be wrong!

By: tonybaldwin

To the above commenter: Nobody is set up for sudo in Debian, by default. If you wish to use sudo (I'm told it is not recommended, but I do), you must set it up manually (see: http://wiki.debian.org/sudo).

To the author of this article: I'd like to know why I would want to disable php (or python or ruby, for that matter.) globally.
You explain very well how to do a lot of things here, but you often do not explain why.  For instance, what does quota do?  I did an apt-cache show quota, and it didn't clear that up for me much.  I have a computer here I used to use as a desktop, and I just installed apache2, mysql-server, pureftp, some wordpress and dokuwiki on it, and am serving up some stuff (see http://blinguas.homelinux.net/ ), but it's my first time ever trying to run/admin a server (been making sites on paid hosting for a decade, figured it was time to learn the rest of the game). I ran an ircd on it for a few days, too, but only one guy dropped in to chat, a fellow tcl hacker and debianero.  The ftp server is incredibly handy.  I can keep files there and access them from my phone or laptop, anywhere.  I can also ssh in from my phone (droid does!), although I generally admin the box from my main machine, via ssh.  This is all immensely fun (probably because I don't do it for a living?).

I'm thinking of wiping the hdd and starting from scratch with these instructions, since the machine was set up as a desktop 2 years ago, with lenny, just upgraded to squeeze.
(At the same time, I figure if anything goes loopy on my main machine, having another desktop handy would be, well, handy. After all, my main job is translating stuff, not being a web admin).

 I'd like to have this article on one page (so I can write it to a pdf and keep it around for future reference).  I'm sure it will come in very handy if I continue playing with this stuff (and I will).

By: Luis Freitas

Disabling ruby and php globally is related to ISPConfig. If you don't know what ISPConfig is, please go to www.ispconfig.org

If you don't know what quota is... wow... just google "quota on linux" and give the first result a read. Well... ISPConfig uses quota if you want.

This article is awesome. I usually add some tweaks and more specific configurations.


 

By: Anonymous

After following this tutorial for the perfect server and installing ISPConfig-2, I had to load ISPConfig manually after the machine finished booting. I discovered that since the release of Debian Squeeze, the auto-loading of software processes is different. I found out what to do to make ISPConfig load when linux boots. It works for me so I'm going to share the information. Do the following after you install ISPConfig and it should load ISPConfig when your server boots up:

1) Delete any files that have "ispconfig_server" in their name under the following directories. (The names will be similar to "S99ispconfig_server" or "K99ispconfig_server"):

/etc/rc0.d/
/etc/rc0.d/
/etc/rc0.d/
/etc/rc0.d/
/etc/rc0.d/
/etc/rc0.d/
/etc/rc0.d/


2) Load "/etc/init.d/ispconfig_server" into your favorite text editor and make sure the following is at the very beginning of the script. Empty lines are important. Make sure there is an empty line between lines with content:

#!/bin/bash

### BEGIN INIT INFO

# Provides: ISPConfig Server

# Required-Start: $remote_fs $syslog

# Required-Stop: $remote_fs $syslog

# Default-Start: 2 3 4 5

# Default-Stop: 0 1 6

# Short Description: Start ISPConfig on boot

# Description: Enable server provided by ISPConfig

### END INIT INFO

3) After saving your changes in "/etc/init.d/ispconfig_server", run the following command:

insserv ispconfig_server

4) Now check to see if ISPConfig is loading on boot by restarting your machine.

I hope this information is useful. If this doesn't work then there is a completely different problem that I am unaware of.

By: Luis Freitas

You are right.

By: Luis Freitas

 To ease administration:

# nano -w ~/.bash_profile


Copy this and put it in the .bash_profile file:

export PS1='\[\033[0;35m\]\h\[\033[0;33m\] \w\[\033[00m\]: '

alias free="free -m"

alias aptitude="sudo aptitude"
alias update="sudo aptitude update"
alias upgrade="sudo aptitude upgrade"
alias install="sudo aptitude install"
alias remove="sudo aptitude remove"

 

 # source ~/.bash_profile


 

About Log in

On your LOCAL computer, edit the SSH known_hosts file and remove any entries that point to your server address. If this is a brand new server then you will not need to do this, but a reinstall will result in a different signature.

# nano -w ~/.ssh/known_hosts

If you are not using Linux on your LOCAL computer, the location of the known_hosts file will differ. Please refer to your own OS for details of where this file is kept.

As soon as you have your IP address and password for your login via SSH:

$ ssh [email protected]


User administration

Now we're logged in to the server, add a user:

# adduser serveradmin


As you know we never log in as the root user (this initial setup is the only time you would need to log in as root). As such, the main administration user (serveradmin) needs to have sudo (Super User) privileges so he can, with a password, complete administrative tasks.

Give the 'visudo' command:

# visudo

At the end of the file add:

serveradmin ALL=(ALL) ALL

SSH preparation

One effective way of securing SSH access to your server is to use a public/private key. This means that a 'public' key is placed on the server and the 'private' key is on our local workstation. This makes it impossible for someone to log in using just a password - they must have the private key.

This is very simple with ssh-copy-id.

We already have our admin user created (serveradmin), so on your local workstation enter the command:

ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]

We use the -i option to specify which file (identity) to copy across to the server. The user is then specified followed by the IP address of the server.

So what happens when the command is entered? Firstly you will need to enter the user's password so it can have secure access to the server. Then it creates a 'hidden' directory called .ssh and copies the public key to a file named 'authorized_keys'.

It then automatically changes the permissions so that only the owner (serveradmin) can read or write to the file.

It's always a good idea to check the settings on something as important as this so let's have quick look at the permissions:

ls -al /home/serveradmin/.ssh/authorized_keys
...
-rw------- 1 serveradmin  394 Mar 3 10:18 /home/serveradmin/.ssh/authorized_keys

You can also open the authorized_keys file and make sure only your key was copied across and it is not full of unknown keys.

Remember that this is the only time you'll need to enter the SSH password as the file we just copied over will authorize the admin user 'serveradmin' to SSH in without it - but only if they have the private key on their local workstation: it won't work from any workstation.

SSH config

Next we'll change the default SSH configuration to make it more secure:

nano /etc/ssh/sshd_config

You can use this ssh configuration as an example.

The main things to change (or check) are:

Port 30000 <--- change to a port of your choosing
Protocol 2
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
UsePAM no
UseDNS no
AllowUsers serveradmin

I think the settings are fairly self-explanatory, but the main thing is to move it from the default port of 22 to one of your choosing, turn off root logins and define which users can log in. If you use ISPConfig don't use the "AllowUsers" set to just one user.

PasswordAuthentication has been turned off as we set up the public/private key earlier. Do note that if you intend to access your server from different computers you may want to leave PasswordAuthentication set to yes. Only use the private key if the local computer is secure.

 Add Virtual terminals

sudo aptitude install screen

To start a screen session simply enter the command:

screen

Press the space bar to remove the introduction page and to activate any custom bash_profile entries, enter:

source ~/.bash_profile


Remember, after the bash profile customization, you just need to:

update
upgrade
etc...

By: Luis Freitas

I use this on OpenSUSE and Debian (minor tweaks on Debian, just paths to correct but it's almost the same). Always works. Packages from 4 of March 2011

HOW TO CONTINUE THIS TUTORIAL WITH APACHE SOLR INSTALLATION FOR USE WITH DRUPAL WITH SOLR SEARCH AND ISP CONFIG

SEARCH ON STEROIDS

Install Drupal.

Use this .htaccess file

 <IfModule mod_rewrite.c>  
RewriteEngine on
#RewriteBase /  
RewriteCond %{REQUEST_FILENAME} !-f  
RewriteCond %{REQUEST_FILENAME} !-d  
RewriteRule ^(.*)$ /index.php?q=$1 [L,QSA]  
#RewriteCond %{REQUEST_URI} !=/favicon.ico
</IfModule>

Alter the .htaccess file on /web/sites/default/files and comment:

#SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
#Options None

Well, install Drupal using normal Drupal installation.

Login as root or sudo as you wish:


pecl install uploadprogress
pecl install json
pecl install apc
pecl install -n solr-beta

Open your php.ini

nano -w /etc/php5/apache2/php.ini

and paste so the extensions loads with PHP (add what is in red):

; Directory in which the loadable extensions (modules) reside.
extension_dir = /usr/lib64/php5/extensions

extension=uploadprogress.so
extension=apc.so
extension=solr.so

Save your file and restart webserver:

/etc/init.d/apache2 restart

cd /tmp
wget http://mirrors.ukfast.co.uk/sites/ftp.apache.org/lucene/solr/1.4.1/apache-solr-1.4.1.zip

unzip apache-solr-1.4.1.zip

mv apache-solr-1.4.1 apache-solr

cp -r apache-solr /usr/share/apache-solr

Copy configuration from your drupal installation, in my case /srv/www/web11/web

cp /srv/www/web11/web/sites/all/modules/apachesolr/solrconfig.xml /usr/share/apache-solr/example/solr/conf/solrconfig.xml

cp /srv/www/web11/web/sites/all/modules/apachesolr/schema.xml /usr/share/apache-solr/example/solr/conf/schema.xml

cd apache-solr/example

java -jar start.jar

in your browser, test it (remember to open in ISPConfig firewall port 8983)

http://yourwebsite.com:8983/solr/admin/

 TEST OK!

ctrl+c in your terminal and apache-solr ends... But never mind.

Let's make a start script so it starts solr when system boots:

nano -w /etc/init.d/solr

and paste this script:

#!/bin/sh -e

# Starts, stops, and restarts solr

SOLR_DIR="/usr/share/apache-solr/example"
JAVA_OPTIONS="-Xmx1024m -DSTOP.PORT=8079 -DSTOP.KEY=stopkey -jar start.jar"
LOG_FILE="/var/log/solr.log"
JAVA="/usr/bin/java"

case $1 in
    start)
        echo "Starting Solr"
        cd $SOLR_DIR
        $JAVA $JAVA_OPTIONS 2> $LOG_FILE &
        ;;
    stop)
        echo "Stopping Solr"
        cd $SOLR_DIR
        $JAVA $JAVA_OPTIONS --stop
        ;;
    restart)
        $0 stop
        sleep 1
        $0 start
        ;;
    *)
        echo "Usage: $0 {start|stop|restart}" >&2
        exit 1
        ;;
esac

 make it executable:

chmod a+rx /etc/init.d/solr

Check what is booting:

chkconfig --list

Oh no! solr is not booting. Of course not!

chkconfig --add solr

Then try to stop it

service solr stop

oh. It's not working? lololololol  OF COURSE NOT! Let's try to start it:

service solr start

Test on your browser. 

http://yourdomain.com:8983/solr/admin/

 It's ALIVE! apache-solr, search on steroids!

Now you can reboot your server too and see apache-solr working. :)

By: Luis Freitas

Well this works well on OpenSUSE, but in Debian this tutorial will not work properly. In Debian 6 you should:

I copied this from the docs I created :)
DigiXS Server

1. Boot from Network Installation CD

2. Select Install

3. Select Language

4. Location

5. Select Locale

6. Select Keyboard Layout (Portuguese)

7. Enter hostname

devstation

8. Enter domain

homelinux.com

9. Give the root user a password.

password :

10. Create Administrator user and password

11. Partition HD

12. Select partitioning scheme

13. Configure the package manager and apt, selecting mirror you want to use.

14. Software selection. Choose only SSH server and Standard system utilities, and remove selection from Graphical desktop environment

15. Install grub

16. Base Installation Complete

17. Install The SSH Server.

apt-get install ssh openssh-server

18. Install vim-nox, joe, nano and pwgen

apt-get install vim-nox joe nano pwgen

19. Configure The Network

Because the Debian Squeeze installer has configured our system to get its network settings via DHCP, we have to change that now because a server should have a static IP address. Edit /etc/network/interfaces and adjust it to your needs (in this example setup I will use the IP address 192.168.1.80) (please note that I replace allow-hotplug eth0 with auto eth0; otherwise restarting the network doesn't work, and we'd have to reboot the whole system):

nano -w /etc/network/interfaces

_________________________________

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
#allow-hotplug eth0
#iface eth0 inet dhcp
auto eth0
iface eth0 inet static
        address 192.168.1.80
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.1.255
        gateway 192.168.1.1

_________________________________

20. Restart network

/etc/init.d/networking restart

21. Then edit /etc/hosts. Make it look like this:

nano -w /etc/hosts

_________________________________

127.0.0.1    localhost.localdomain      localhost
192.168.1.80    devstation.homelinux.com  devstation

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

_________________________________

22. Now run

echo devstation.homelinux.com > /etc/hostname
/etc/init.d/hostname.sh start

23. Check if it's OK. Both should output the same hostname:

hostname
hostname -f

24. Update Your Debian Installation

nano -w /etc/apt/sources.list

[...]
deb http://ftp.de.debian.org/debian/ squeeze-updates main
[...]

25. To update the apt package database and to install the latest updates

apt-get update

apt-get upgrade

26. Change The Default Shell
/bin/sh is a symlink to /bin/dash, however we need /bin/bash, not /bin/dash. Therefore we do this:

dpkg-reconfigure dash

::::::::::::::::::::::::::::::::::::::::::::::::

Use dash as the default system shell (/bin/sh)? <-- No

::::::::::::::::::::::::::::::::::::::::::::::::

27. Run

apt-get install binutils cpp fetchmail flex gcc libarchive-zip-perl libc6-dev libcompress-zlib-perl libdb-dev libpcre3 libpopt-dev lynx m4 make ncftp nmap openssl perl perl-modules unzip zip zlib1g-dev autoconf automake1.9 libtool bison autotools-dev g++ build-essential

28. Quota

apt-get install quota

29. Edit /etc/fstab. Mine looks like this (I added ,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 to the partition with the mount point /):

nano -w /etc/fstab

_________________________________

# /etc/fstab: static file system information.
#
# Use 'blkid' to print the universally unique identifier for a
# device; this may be used with UUID= as a more robust way to name devices
# that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point>   <type>  <options>       <dump>  <pass>
proc            /proc           proc    defaults        0       0
# / was on /dev/sda1 during installation
UUID=92bceda2-5ae4-4e3a-8748-b14da48fb297 /               ext3    errors=remount-ro,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 0       1
# swap was on /dev/sda5 during installation
UUID=e24b3e9e-095c-4b49-af27-6363a4b7d094 none            swap    sw              0       0
/dev/scd0       /media/cdrom0   udf,iso9660 user,noauto     0       0
/dev/fd0        /media/floppy0  auto    rw,user,noauto  0       0

_________________________________

30. To enable quota, run these commands:

TESTING============May SKIP========
touch /home/aquota.user
touch /home/aquota.group
chmod 600 /home/aquota.*
shutdown -r now
quotacheck -avugm
quotaon -avug
===================================

mount -o remount /

quotacheck -avugm
quotaon -avug

31. BIND9 DNS Server

apt-get install bind9

/etc/init.d/bind9 stop

Edit the file /etc/default/bind9 so that the daemon will run as the unprivileged user bind, chrooted to /var/lib/named. Modify the line: OPTIONS="-u bind" so that it reads OPTIONS="-u bind -t /var/lib/named":

nano -w /etc/default/bind9

_________________________________

# run resolvconf?
RESOLVCONF=yes

# startup options for the server
OPTIONS="-u bind  -t /var/lib/named"

_________________________________

32. Create the necessary directories under /var/lib:

mkdir -p /var/lib/named/etc
mkdir /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind
mkdir -p /var/lib/named/var/run/bind/run

mv /etc/bind /var/lib/named/etc

ln -s /var/lib/named/etc/bind /etc/bind

mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind

nano -w /etc/rsyslog.d/bind-chroot.conf

_________________________________

$AddUnixListenSocket /var/lib/named/dev/log
_________________________________


33. Restart the logging daemon:

/etc/init.d/rsyslog restart

34. Start up BIND, and check /var/log/syslog for errors:

/etc/init.d/bind9 start

35. Install MySQL

apt-get install mysql-server mysql-client libmysqlclient-dev

::::::::::::::::::::::::::::::::::::::::::::::::

New password for the MySQL "root" user: <-- yourrootsqlpassword
Repeat password for the MySQL "root" user: <-- yourrootsqlpassword

::::::::::::::::::::::::::::::::::::::::::::::::

36. We want MySQL to listen on all interfaces, not just localhost, therefore we edit /etc/mysql/my.cnf and comment out the line bind-address = 127.0.0.1:

nano -w /etc/mysql/my.cnf

_________________________________

[...]
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
#bind-address           = 127.0.0.1
[...]

_________________________________

37. Restart MySQL

/etc/init.d/mysql restart

38. Check if MySQL is listening

netstat -tap | grep mysql

39. Postfix With SMTP-AUTH And TLS

apt-get install postfix libsasl2-2 sasl2-bin libsasl2-modules procmail

40. You will be asked two questions. Answer as follows:

General type of mail configuration: <-- Internet Site
System mail name: <-- devstation.homelinux.com

41. Run

dpkg-reconfigure postfix


General type of mail configuration: <-- Internet Site
System mail name: <-- devstation.homelinux.com
Root and postmaster mail recipient: <-- [blank]
Other destinations to accept mail for (blank for none): <-- devstation.homelinux.com, localhost.homelinux.com, localhost.localdomain, localhost
Force synchronous updates on mail queue? <-- No
Local networks: <-- 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
Use procmail for local delivery? <-- Yes
Mailbox size limit (bytes): <-- 0
Local address extension character: <-- +
Internet protocols to use: <-- all

42. Enter Postfix configuration

postconf -e 'smtpd_sasl_local_domain ='
postconf -e 'smtpd_sasl_auth_enable = yes'
postconf -e 'smtpd_sasl_security_options = noanonymous'
postconf -e 'broken_sasl_auth_clients = yes'
postconf -e 'smtpd_sasl_authenticated_header = yes'
postconf -e 'smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination'
postconf -e 'inet_interfaces = all'
echo 'pwcheck_method: saslauthd' >> /etc/postfix/sasl/smtpd.conf
echo 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.conf

43. Afterwards we create the certificates for TLS:

mkdir /etc/postfix/ssl
cd /etc/postfix/ssl/
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024

chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr

openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt

openssl rsa -in smtpd.key -out smtpd.key.unencrypted

mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650

44. Next we configure Postfix for TLS (make sure that you use the correct hostname for myhostname):

postconf -e 'myhostname = devstation.homelinux.com'

postconf -e 'smtpd_tls_auth_only = no'
postconf -e 'smtp_use_tls = yes'
postconf -e 'smtpd_use_tls = yes'
postconf -e 'smtp_tls_note_starttls_offer = yes'
postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'
postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'
postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'
postconf -e 'smtpd_tls_loglevel = 1'
postconf -e 'smtpd_tls_received_header = yes'
postconf -e 'smtpd_tls_session_cache_timeout = 3600s'
postconf -e 'tls_random_source = dev:/dev/urandom'

46. The file /etc/postfix/main.cf should now look like this:

cat /etc/postfix/main.cf

___________________________________________

# See /usr/share/postfix/main.cf.dist for a commented, more complete version


# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)
biff = no

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

# TLS parameters
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_use_tls = yes
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

myhostname = server1.example.com
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination = devstation.homelinux.com, localhost.homelinux.com, localhost.localdomain, localhost
relayhost =
mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128
mailbox_command = procmail -a "$EXTENSION"
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all
inet_protocols = all
smtpd_sasl_local_domain =
smtpd_sasl_auth_enable = yes
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_authenticated_header = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtpd_tls_auth_only = no
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
tls_random_source = dev:/dev/urandom

___________________________________________

47. Authentication will be done by saslauthd. We have to change a few things to make it work properly. Because Postfix runs chrooted in /var/spool/postfix we have to do the following:

mkdir -p /var/spool/postfix/var/run/saslauthd

48. Now we have to edit /etc/default/saslauthd in order to activate saslauthd. Set START to yes and change the line OPTIONS="-c -m /var/run/saslauthd" to OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r":

nano -w /etc/default/saslauthd

___________________________________________

#
# Settings for saslauthd daemon
# Please read /usr/share/doc/sasl2-bin/README.Debian for details.
#

# Should saslauthd run automatically on startup? (default: no)
START=yes

# Description of this saslauthd instance. Recommended.
# (suggestion: SASL Authentication Daemon)
DESC="SASL Authentication Daemon"

# Short name of this saslauthd instance. Strongly recommended.
# (suggestion: saslauthd)
NAME="saslauthd"

# Which authentication mechanisms should saslauthd use? (default: pam)
#
# Available options in this Debian package:
# getpwent  -- use the getpwent() library function
# kerberos5 -- use Kerberos 5
# pam       -- use PAM
# rimap     -- use a remote IMAP server
# shadow    -- use the local shadow password file
# sasldb    -- use the local sasldb database file
# ldap      -- use LDAP (configuration is in /etc/saslauthd.conf)
#
# Only one option may be used at a time. See the saslauthd man page
# for more information.
#
# Example: MECHANISMS="pam"
MECHANISMS="pam"

# Additional options for this mechanism. (default: none)
# See the saslauthd man page for information about mech-specific options.
MECH_OPTIONS=""

# How many saslauthd processes should we run? (default: 5)
# A value of 0 will fork a new process for each connection.
THREADS=5

# Other options (default: -c -m /var/run/saslauthd)
# Note: You MUST specify the -m option or saslauthd won't run!
#
# WARNING: DO NOT SPECIFY THE -d OPTION.
# The -d option will cause saslauthd to run in the foreground instead of as
# a daemon. This will PREVENT YOUR SYSTEM FROM BOOTING PROPERLY. If you wish
# to run saslauthd in debug mode, please run it by hand to be safe.
#
# See /usr/share/doc/sasl2-bin/README.Debian for Debian-specific information.
# See the saslauthd man page and the output of 'saslauthd -h' for general
# information about these options.
#
# Example for postfix users: "-c -m /var/spool/postfix/var/run/saslauthd"
#OPTIONS="-c -m /var/run/saslauthd"
OPTIONS="-c -m /var/spool/postfix/var/run/saslauthd -r"

___________________________________________

49. Next add the postfix user to the sasl group (this makes sure that Postfix has the permission to access saslauthd):

adduser postfix sasl

50. Now restart Postfix and start saslauthd:

/etc/init.d/postfix restart
/etc/init.d/saslauthd start

51. Check if it's working

telnet localhost 25

> ehlo localhost
> quit

52. Courier-IMAP/Courier-POP3

apt-get install courier-authdaemon courier-base courier-imap courier-imap-ssl courier-pop courier-pop-ssl courier-ssl gamin libgamin0 libglib2.0-0

You will be asked two questions:

Create directories for web-based administration? <-- No
SSL certificate required <-- Ok

cd /etc/courier
rm -f /etc/courier/imapd.pem
rm -f /etc/courier/pop3d.pem

nano -w /etc/courier/imapd.cnf

[...]
CN=devstation.homelinux.com
[...]

nano -w /etc/courier/pop3d.cnf

[...]
CN=devstation.homelinux.com
[...]

53. Then recreate the certificates...

mkimapdcert
mkpop3dcert

54. ... and restart Courier-IMAP-SSL and Courier-POP3-SSL:

/etc/init.d/courier-imap-ssl restart
/etc/init.d/courier-pop-ssl restart

54 a) Please note: You do not have to do this if you intend to use ISPConfig on your system as ISPConfig does the necessary configuration using procmail recipes. But please make sure to enable Maildir under Management -> Server -> Settings -> EMail in the ISPConfig web interface.

55. Apache/PHP5/Ruby/Python/WebDAV

apt-get install apache2 apache2-doc apache2-mpm-prefork apache2-utils apache2-suexec libexpat1 ssl-cert

apt-get install libapache2-mod-php5 libapache2-mod-ruby libapache2-mod-python php5 php5-common php5-curl php5-dev php5-gd php5-idn php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-ming php5-mysql php5-pspell php5-recode php5-snmp php5-sqlite php5-suhosin php5-tidy php5-xcache php5-xmlrpc php5-xsl

56. Edit mods

nano -w /etc/apache2/mods-available/dir.conf

______________________________________________

<IfModule mod_dir.c>

          #DirectoryIndex index.html index.cgi index.pl index.php index.xhtml index.htm
          DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php3 index.pl index.xhtml

</IfModule>

______________________________________________

57. Activate Modules

a2enmod ssl
a2enmod rewrite
a2enmod suexec
a2enmod include
a2enmod dav_fs
a2enmod dav

58. Restart Apache

/etc/init.d/apache2 restart

59. Configure

nano -w /etc/mime.types

______________________________________________

[...]
#application/x-ruby                             rb
[...]
______________________________________________

60. Restart Apache

/etc/init.d/apache2 restart

Now .rb files will be executed and displayed in the browser, just like .rbx files.

61. To disable PHP globally

nano -w /etc/mime.types
______________________________________________

[...]
#application/x-httpd-php                        phtml pht php
#application/x-httpd-php-source                 phps
#application/x-httpd-php3                       php3
#application/x-httpd-php3-preprocessed          php3p
#application/x-httpd-php4                       php4
#application/x-httpd-php5                       php5
[...]
______________________________________________

nano -w /etc/apache2/mods-enabled/php5.conf

______________________________________________

<IfModule mod_php5.c>
    <FilesMatch "\.ph(p3?|tml)$">
        #SetHandler application/x-httpd-php
    </FilesMatch>
    <FilesMatch "\.phps$">
        #SetHandler application/x-httpd-php-source
    </FilesMatch>
    # To re-enable php in user directories comment the following lines
    # (from <IfModule ...> to </IfModule>.) Do NOT set it to On as it
    # prevents .htaccess files from disabling it.
    <IfModule mod_userdir.c>
        <Directory /home/*/public_html>
            php_admin_value engine Off
        </Directory>
    </IfModule>
</IfModule>

______________________________________________

62. Restart Apache

/etc/init.d/apache2 restart

63. Proftpd

apt-get install proftpd-basic ucf

Run proftpd: <-- standalone

nano -w /etc/proftpd/proftpd.conf

______________________________________________

[...]
DefaultRoot ~
ServerIdent on "FTP Server ready."
[...]
______________________________________________

64. ISPConfig expects the configuration to be in /etc/proftpd.conf instead of /etc/proftpd/proftpd.conf, therefore we create a symlink

ln -s /etc/proftpd/proftpd.conf /etc/proftpd.conf

65. Restart Proftpd

/etc/init.d/proftpd restart

66. Webalizer

apt-get install webalizer

67. Clock

apt-get install ntp ntpdate

68. Perl Modules Needed By SpamAssassin

apt-get install libhtml-parser-perl libdb-file-lock-perl libnet-dns-perl libnetaddr-ip-perl libarchive-tar-perl

69. Before you install ISPConfig, there's one important thing you must do. Open /usr/include/stdio.h and replace getline with parseline in line 651:

nano -w /usr/include/stdio.h

______________________________________________

[...]
   This function is not part of POSIX and therefore no official
   cancellation point.  But due to similarity with an POSIX interface
   or due to the implementation it is a cancellation point and
   therefore not marked with __THROW.  */
extern _IO_ssize_t parseline (char **__restrict __lineptr,
                            size_t *__restrict __n,
                            FILE *__restrict __stream) __wur;
#endif
[...]

______________________________________________

70. You can undo the change to /usr/include/stdio.h after the successful ISPConfig installation (but don't forget to change it back whenever you want to update ISPConfig!).

71. A Note On SuExec

If you want to run CGI scripts under suExec, you should specify /var/www as the home directory for websites created by ISPConfig as Debian's suExec is compiled with /var/www as Doc_Root.

/usr/lib/apache2/suexec -V

72. Install ISPConfig

cd /tmp
wget -v http://prdownloads.sourceforge.net/ispconfig/ISPConfig-2.2.37.tar.gz

tar xvfz ISPConfig*.tar.gz

cd install_ispconfig

./setup

(skip step 7 and 8)

73. Write down password

74. https://devstation.homelinux.com:81

75. Change password.

76. SpamAssassin

The ISPConfig comes with SpamAssassin, but without the Perl modules needed by SpamAssassin. Run the following command after the installation of the ISPConfig:

/home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin

If errors appear you have to install some Perl modules.

perl -MCPAN -e shell

install HTML::Parser
install DB_File
install Net::DNS (when prompted to enable tests, choose “no”)
install Digest::SHA1

To leave the Perl shell type
q

If

/home/admispconfig/ispconfig/tools/spamassassin/usr/bin/spamassassin

does not return any error, everything is fine. You can then leave SpamAssassin by typing "CTRL + c".

77. Create accounts on ISPConfig

78. Install Drupal

Use this .htaccess file

<IfModule mod_rewrite.c>  
RewriteEngine on
#RewriteBase /  
RewriteCond %{REQUEST_FILENAME} !-f  
RewriteCond %{REQUEST_FILENAME} !-d  
RewriteRule ^(.*)$ /index.php?q=$1 [L,QSA]  
#RewriteCond %{REQUEST_URI} !=/favicon.ico
</IfModule>

Alter the .htaccess file in /web/sites/default/files and comment out:

#SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
#Options None

79. Install locate

apt-get install locate

80. Install PECL software

pecl update-channels

pecl list-upgrades

pecl upgrade-all

pecl install uploadprogress

pecl install json

apt-get install curl

81. Install Apache Solr

apt-get install tomcat6 tomcat6-admin tomcat6-common tomcat6-user tomcat6-docs tomcat6-examples

wget -v http://mirrors.fe.up.pt/pub/apache//lucene/solr/1.4.1/apache-solr-1.4.1.tgz

tar xvfz apache-solr-1.4.1.tgz
cp dist/apache-solr-1.4.1.war /var/lib/tomcat6/webapps/solr.war
cp -fr example/solr /var/lib/tomcat6/
chown -R tomcat6:tomcat6 /var/lib/tomcat6/solr

82. Restart tomcat6

/etc/init.d/tomcat6 restart

83. Check if it's working

http://devstation.homelinux.com:8080/solr

84. Install solr php client

wget -v http://solr-php-client.googlecode.com/files/SolrPhpClient.r22.2009-11-09.tgz

tar xvfz SolrPhpClient.*.tgz

cp -r /tmp/SolrPhpClient /var/www/luisfreitas.homelinux.com/web/sites/all/modules/apachesolr/SolrPhpClient

85. Activate Solr modules in Drupal

It will report the Apache Solr PHP Client Library as OK, but give an error for Apache Solr:

Apache Solr    Your site was unable to contact the Apache Solr server.
Default server settings:

    * Host: localhost
    * Port: 8983
    * Path: /solr

86. Install libcurl dev

apt-get install libcurl3-dev

87. Install libxml2 dev

apt-get install libxml2-dev

88. Pecl solr

pecl install -n solr-beta

89. Let's finish the Drupal to Solr connection

Let's copy our schema files that will customize our Apache Solr instance so it fits the "Drupal" bill.

cp /var/www/devstation.homelinux.com/web/sites/all/modules/apachesolr/schema.xml /var/lib/tomcat6/solr/conf/schema.xml

cp /var/www/devstation.homelinux.com/web/sites/all/modules/apachesolr/solrconfig.xml /var/lib/tomcat6/solr/conf/solrconfig.xml

90. Edit php.ini

nano -w /etc/php5/apache2/php.ini

add extensions:

extension=solr.so
extension=uploadprogress.so
extension=memcached.so

91. Restart Apache

/etc/init.d/apache2 restart

92. Install APC

apt-get install php-apc

93. Install libpcre3-dev

apt-get install libpcre3-dev

94. Install PECL APC

pecl install apc

94. Edit php.ini

nano -w /etc/php5/apache2/php.ini

add extension

extension=apc.so

91. Restart Apache

/etc/init.d/apache2 restart

(not finished but when I have time I'll get to the end)

Still needs APC, Solr configuration done and Apache2 tweaking and MySQL. Memcache will work on 2 machines. When I have time...
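The main.cf listing in the comment above sets smtpd_sasl_auth_enable = yes together with smtpd_tls_auth_only = no, so Postfix accepts AUTH on unencrypted sessions, and step 51 checks the server with a plaintext EHLO. The shell functions below are an added example, not part of the original comment or of ISPConfig: they flag that combination in a main.cf and list the AUTH mechanisms an EHLO reply exposes in cleartext. The function names and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original comment: spot SMTP AUTH offered without TLS.

sample_main_cf() {   # constructed sample: SASL/TLS lines as in the listing above
cat <<'EOF'
smtpd_sasl_auth_enable = yes
broken_sasl_auth_clients = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,
    permit_mynetworks,
    reject_unauth_destination
smtpd_tls_auth_only = no
EOF
}

sample_ehlo() {      # constructed sample: EHLO reply in a plaintext port-25 session
cat <<'EOF'
250-devstation.homelinux.com
250-STARTTLS
250-AUTH PLAIN LOGIN
250-AUTH=PLAIN LOGIN
250 8BITMIME
EOF
}

# mc_get PARAM: main.cf on stdin -> effective value (comments, continuations, last wins).
mc_get() {
    awk -v want="$1" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^[ \t]/ { if (cur != "") val[cur] = val[cur] " " trim($0); next }
        { eq = index($0, "="); if (!eq) { cur = ""; next }
          cur = trim(substr($0, 1, eq - 1)); val[cur] = trim(substr($0, eq + 1)) }
        END { if (want in val) print val[want] }'
}

# audit_main_cf: main.cf on stdin; returns 1 when SASL AUTH is not restricted to TLS.
audit_main_cf() {
    cfg=$(cat)
    sasl=$(printf '%s\n' "$cfg" | mc_get smtpd_sasl_auth_enable)
    only=$(printf '%s\n' "$cfg" | mc_get smtpd_tls_auth_only)
    [ "$sasl" = yes ] || return 0
    [ "$only" = yes ] && return 0
    echo "smtpd_tls_auth_only=${only:-unset}: AUTH is accepted before STARTTLS"
    return 1
}

# ehlo_plain_mechs: EHLO reply from a non-TLS session on stdin; prints the AUTH
# mechanisms advertised in cleartext (empty output: AUTH hidden until STARTTLS).
ehlo_plain_mechs() {
    tr -d '\r' | sed -n 's/^250[- ]AUTH[ =]\(.*\)$/\1/p' |
        tr ' ' '\n' | sort -u | tr '\n' ' ' | sed 's/ *$//'
}

sample_main_cf | audit_main_cf || echo "fix: smtpd_tls_auth_only = yes"
echo "cleartext AUTH mechanisms: $(sample_ehlo | ehlo_plain_mechs)"
```

To check a real host, feed /etc/postfix/main.cf to audit_main_cf and the reply from the step 51 telnet session to ehlo_plain_mechs.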

By: Luis Freitas

Well this works well on OpenSUSE (same principle), but in Debian this tutorial will not work properly (because of dependencies).

In Debian you should:

79. Install locate

apt-get install locate

80. Install PECL software

pecl update-channels

pecl list-upgrades

pecl upgrade-all

pecl install uploadprogress

pecl install json

apt-get install curl

81. Install Apache Solr

apt-get install tomcat6 tomcat6-admin tomcat6-common tomcat6-user tomcat6-docs tomcat6-examples

wget -v http://mirrors.fe.up.pt/pub/apache//lucene/solr/1.4.1/apache-solr-1.4.1.tgz

tar xvfz apache-solr-1.4.1.tgz

cp dist/apache-solr-1.4.1.war /var/lib/tomcat6/webapps/solr.war

cp -fr example/solr /var/lib/tomcat6/

chown -R tomcat6:tomcat6 /var/lib/tomcat6/solr

82. Restart tomcat6

/etc/init.d/tomcat6 restart

83. Check if it's working http://devstation.homelinux.com:8080/solr

84. Install solr php client

wget -v http://solr-php-client.googlecode.com/files/SolrPhpClient.r22.2009-11-09.tgz

tar xvfz SolrPhpClient.*.tgz

cp -r /tmp/SolrPhpClient /var/www/luisfreitas.homelinux.com/web/sites/all/modules/apachesolr/SolrPhpClient

85. Activate Solr modules in Drupal

It will report the Apache Solr PHP Client Library as OK, but give an error for Apache Solr:

Apache Solr    Your site was unable to contact the Apache Solr server.
Default server settings:

    * Host: localhost
    * Port: 8983
    * Path: /solr

86. Install libcurl dev

apt-get install libcurl3-dev

87. Install libxml2 dev

apt-get install libxml2-dev

88. Pecl solr

pecl install -n solr-beta

89. Let's finish the Drupal to Solr connection

Let's copy our schema files that will customize our Apache Solr instance so it fits the "Drupal" bill.

cp /var/www/devstation.homelinux.com/web/sites/all/modules/apachesolr/schema.xml /var/lib/tomcat6/solr/conf/schema.xml

cp /var/www/devstation.homelinux.com/web/sites/all/modules/apachesolr/solrconfig.xml /var/lib/tomcat6/solr/conf/solrconfig.xml

90. Edit php.ini

nano -w /etc/php5/apache2/php.ini

add extensions:

extension=solr.so

extension=uploadprogress.so

extension=memcached.so

91. Restart Apache

/etc/init.d/apache2 restart

92. Install APC

apt-get install php-apc

93. Install libpcre3-dev

apt-get install libpcre3-dev

94. Install PECL APC

pecl install apc

94. Edit php.ini

nano -w /etc/php5/apache2/php.ini

add extension

extension=apc.so

91. Restart Apache

/etc/init.d/apache2 restart

(not finished but when I have time I'll get to the end)

By: Anonymous

This isn't an error with Debian or ISPConfig but I decided to post a fix here for everyone setting up a new system. It is an error in PHP5.

You should notice your administrator account on your server is getting flooded with server emails every 30 minutes by PHP5 complaining that "#" has been deprecated for commenting. To fix this, just load the following file into your favorite text editor "/etc/php5/conf.d/ming.ini" and replace the pound sign "#" with a semicolon ";" and save. Then reboot your server and no more email flooding to your administrator account.

By: Anonymous

My previous post has errors. It should have been a new comment, not a reply. Also, the directories to look in and delete files are wrong, they should be:
/etc/rc0.d/
/etc/rc1.d/
/etc/rc2.d/
/etc/rc3.d/
/etc/rc4.d/
/etc/rc5.d/
/etc/rc6.d/

By: Anonymous

After following this tutorial for the perfect server and installing ISPConfig-2, I had to load ISPConfig manually after the machine finished booting. I discovered that since the release of Debian Squeeze, the auto-loading of software processes is different. I found out what to do to make ISPConfig load when linux boots. It works for me so I'm going to share the information. Do the following after you install ISPConfig and it should load ISPConfig when your server boots up:

1) Delete any files that have "ispconfig_server" in their name under the following directories. (The names will be similar to "S99ispconfig_server" or "K99ispconfig_server"):

/etc/rc0.d/
/etc/rc1.d/
/etc/rc2.d/
/etc/rc3.d/
/etc/rc4.d/
/etc/rc5.d/
/etc/rc6.d/


2) Load "/etc/init.d/ispconfig_server" into your favorite text editor and make sure the following is at the very beginning of the script. Empty lines are important. Make sure there is an empty line between lines with content:

#!/bin/bash
### BEGIN INIT INFO
# Provides: ISPConfig Server
# Required-Start: $remote_fs $syslog
# Required-Stop: $remote_fs $syslog
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short Description: Start ISPConfig on boot
# Description: Enable server provided by ISPConfig
### END INIT INFO

3) After saving your changes in "/etc/init.d/ispconfig_server", run the following command:

insserv ispconfig_server

4) Now check to see if ISPConfig is loading on boot by restarting your machine.

I hope this information is useful. If this doesn't work then there is a completely different problem that I am unaware of.

By: Wojciech Chodacki

Hi,

I have the following problem and I don't understand it:

 

Configuring for Apache, Version 1.3.41

 + Warning: Your 'echo' command is slightly broken.

 + It interprets escape sequences per default. We already

 + tried 'echo -E' but had no real success. If errors occur

 + please set the SEO variable in 'configure' manually to

 + the required 'echo' options, i.e. those which force your

 + 'echo' to not interpret escape sequences per default.

 + using installation path layout: Apache (config.layout)

Creating Makefile

Creating Configuration.apaci in src

Syntax error --- The configuration file is used only to

define the list of included modules or to set Makefile in src

options or Configure rules, and I don't see that at all:

/root/ispconfig/openssl

yes

default

no

no

no

 `$(SRCDIR)/apaci`

no

default

default

no

no

no

yes

no

default

no

default

default


./configure:Error: APACI failed

ERROR: Could not configure Apache