The Perfect Load-Balanced & High-Availability Web Cluster With 2 Servers Running Xen On Ubuntu 8.04 Hardy Heron - Page 3
8. DNS Server (web1, web2)
8.1 Install the DNS Server
Run:
apt-get install bind9
For security reasons we want to run BIND chrooted so we have to do the following steps:
/etc/init.d/bind9 stop
Edit the file /etc/default/bind9 so that the daemon will run as the unprivileged user bind, chrooted to /var/lib/named. Modify the line: OPTIONS="-u bind" so that it reads OPTIONS="-u bind -t /var/lib/named":
vi /etc/default/bind9
OPTIONS="-u bind -t /var/lib/named"
# Set RESOLVCONF=no to not run resolvconf
RESOLVCONF=yes
Create the necessary directories under /var/lib:
mkdir -p /var/lib/named/etc
mkdir /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind
mkdir -p /var/lib/named/var/run/bind/run
Then move the config directory from /etc to /var/lib/named/etc:
mv /etc/bind /var/lib/named/etc
Create a symlink to the new config directory from the old location (to avoid problems when bind gets updated in the future):
ln -s /var/lib/named/etc/bind /etc/bind
Make null and random devices, and fix permissions of the directories:
mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind
We need to modify /etc/default/syslogd so that we can still get important messages logged to the system logs. Modify the line: SYSLOGD="" so that it reads: SYSLOGD="-a /var/lib/named/dev/log":
vi /etc/default/syslogd
#
# Top configuration file for syslogd
#
#
# Full documentation of possible arguments are found in the manpage
# syslogd(8).
#
#
# For remote UDP logging use SYSLOGD="-r"
#
SYSLOGD="-a /var/lib/named/dev/log"
Restart the logging daemon:
/etc/init.d/sysklogd restart
Start up BIND, and check /var/log/syslog for errors:
/etc/init.d/bind9 start
8.2 Configure bind
We are going to configure BIND with 2 domains: example.com, which will carry the nameserver records, and yoursite.com, for which we will configure BIND as well.
The main configuration file in BIND is named.conf; however, named.conf.local is already included from named.conf and is there for customised configuration, so we will edit named.conf.local and add our zones. Here I added a zone named tm.local as well as a reverse zone for 192.168.1.0:
vi /etc/bind/named.conf.local
#EXAMPLE.COM
zone "example.com" {
        type master;
        file "/etc/bind/zones/example.com.db";
};

#YOURSITE.COM
zone "yoursite.com" {
        type master;
        file "/etc/bind/zones/yoursite.com.db";
};

# This is the zone definition for reverse DNS. Replace 1.168.192 with your network
# address in reverse notation - e.g. my network address is 192.168.1.X
zone "1.168.192.in-addr.arpa." {
        type master;
        file "/etc/bind/zones/rev.1.168.192.in-addr.arpa";
};
Note: If your ISP delegates a subnet to you (let's say the IPs 192.168.1.100 to 192.168.1.112), read this for the reverse zone (see Customer/User Zone File):
http://www.zytrax.com/books/dns/ch9/reverse.html
8.3 Configure zones
mkdir /etc/bind/zones
vi /etc/bind/zones/example.com.db
and make it look like this:
$TTL 86400
@       IN      SOA     ns1.example.com. admin.example.com. (
                        2008060902      ; serial, today's date + today's serial number
                        28800           ; refresh, seconds
                        7200            ; retry, seconds
                        604800          ; expire, seconds
                        86400 )         ; minimum, seconds
;
        NS      ns1.example.com.        ; Inet Address of name server 1
        NS      ns2.example.com.        ; Inet Address of name server 2
;
        MX      10 example.com.

example.com.    A       192.168.1.106
www             A       192.168.1.106
ns1             A       192.168.1.106
ns2             A       192.168.1.106
dom01           A       192.168.1.100
dom02           A       192.168.1.101
lb1             A       192.168.1.102
lb2             A       192.168.1.103
web1            A       192.168.1.104
web2            A       192.168.1.105

example.com.    TXT     "v=spf1 ip4:192.168.1.104 ip4:192.168.1.105 a ptr a:web1.example.com a:web2.example.com ~all"
Now we will create the zone for yoursite.com:
vi /etc/bind/zones/yoursite.com.db
Make it look like this:
$TTL 86400
@       IN      SOA     ns1.example.com. admin.yoursite.com. (
                        2008060902      ; serial, today's date + today's serial number
                        28800           ; refresh, seconds
                        7200            ; retry, seconds
                        604800          ; expire, seconds
                        86400 )         ; minimum, seconds
;
        NS      ns1.example.com.        ; Inet Address of name server 1
        NS      ns2.example.com.        ; Inet Address of name server 2
;
        MX      10 yoursite.com.

yoursite.com.   A       192.168.1.107
www             A       192.168.1.107

yoursite.com.   TXT     "v=spf1 ip4:192.168.1.104 ip4:192.168.1.105 a ptr a:web1.example.com a:web2.example.com ~all"
Now let's go ahead with the reverse zone.
vi /etc/bind/zones/rev.1.168.192.in-addr.arpa
$TTL 86400
@       IN      SOA     ns1.example.com. hostmaster.example.com. (
                        2008060901      ; serial, today's date + today's serial number
                        28800           ; Refresh
                        7200            ; Retry
                        604800          ; Expire
                        86400 )         ; Minimum TTL

        NS      ns1.example.com.
        NS      ns2.example.com.

100     PTR     dom01.example.com.
101     PTR     dom02.example.com.
102     PTR     lb1.example.com.
103     PTR     lb2.example.com.
104     PTR     web1.example.com.
105     PTR     web2.example.com.
106     PTR     example.com.
107     PTR     yoursite.com.
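The forward and reverse zones have to agree: every A record in the 192.168.1.0 range should have a PTR naming it, and every PTR should point back at a name that owns that address, otherwise reverse lookups (and the ptr mechanism in the SPF records above) silently give wrong results. As an added check that is not part of this tutorial, the Python below parses the master-file syntax used on this page and reports the mismatches; the sample zones are constructed, trimmed copies of the ones above with deliberate errors in the .103 and .105 entries.

```python
RR_TYPES = {"SOA", "NS", "A", "PTR", "MX", "TXT"}

# Constructed samples modelled on the example.com and 1.168.192.in-addr.arpa zones above; .103 and .105 deliberately disagree.
FORWARD_ZONE = """\
@ IN SOA ns1.example.com. admin.example.com. (
        2008060902 ; serial, YYYYMMDDnn as in the tutorial
        28800 7200 604800 86400 )
        NS ns1.example.com.
example.com. A 192.168.1.106
lb2 A 192.168.1.103
web2 A 192.168.1.105
"""
REVERSE_ZONE = """\
@ IN SOA ns1.example.com. hostmaster.example.com. ( 2008060901 28800 7200 604800 86400 )
103 PTR lb1.example.com.
106 PTR example.com.
"""

def parse_zone(text, origin):
    """Yield (owner FQDN, type, rdata); handles ';' comments, '( )' continuation, '@' and relative or omitted owners."""
    owner, buf, depth = origin, [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() or line.startswith("$"):
            continue                                   # blank line or $TTL/$ORIGIN directive
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth:
            continue                                   # record continues on the next line
        tokens = " ".join(buf).replace("(", " ").replace(")", " ").split()
        if not buf[0][0].isspace():                    # owner name given on this record
            name = tokens.pop(0)
            owner = origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"
        buf = []
        while tokens[0] not in RR_TYPES:               # skip optional TTL and class (IN)
            tokens.pop(0)
        yield owner, tokens[0], " ".join(tokens[1:])

def check_forward_reverse(fwd_text, fwd_origin, rev_text, rev_origin):
    """List A records that no PTR names, and PTRs with no matching A record."""
    fwd, rev = list(parse_zone(fwd_text, fwd_origin)), list(parse_zone(rev_text, rev_origin))
    prefix = ".".join(reversed(rev_origin[:-len(".in-addr.arpa.")].split(".")))  # 1.168.192 -> 192.168.1
    ptr = {f"{prefix}.{o.split('.')[0]}": rd for o, t, rd in rev if t == "PTR"}
    a_rrs = [(rd, o) for o, t, rd in fwd if t == "A"]
    names_by_ip = {ip: {o for a, o in a_rrs if a == ip} for ip, _ in a_rrs}
    problems = [f"no PTR for {ip} naming one of {sorted(n)}"
                for ip, n in names_by_ip.items() if ptr.get(ip) not in n]
    problems += [f"PTR {ip} -> {n} has no matching A record"
                 for ip, n in ptr.items() if n not in names_by_ip.get(ip, ())]
    return problems
```

Run it against the real files with open("/etc/bind/zones/example.com.db").read() and the matching reverse file; an empty list means the two zones agree.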
Now configure the server to forward any requests it cannot answer itself to your ISP's DNS server, so it can resolve external IPs.
vi /etc/bind/named.conf.options
Uncomment the forwarder section to look like this:
[...]
        forwarders {
                # Replace the address below with the address of your ISP DNS server
                123.123.123.123;
        };
[...]
8.4 Configure the server to use itself as DNS
vi /etc/resolv.conf
search example.com
# nameserver takes an IP address, not a hostname
nameserver 127.0.0.1
We have to restart BIND:
/etc/init.d/bind9 restart
8.5 Test the DNS server
We will first install dig, which is included in the package dnsutils:
apt-get install dnsutils
Now we will see if our DNS servers give us the right answers (each server queries the other one):
On web1:
dig yoursite.com @192.168.1.105
On web2:
dig yoursite.com @192.168.1.104
On both you should see an output like this:
; <<>> DiG 9.4.2-P1 <<>> yoursite.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4547
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;yoursite.com.                  IN      A

;; ANSWER SECTION:
yoursite.com.           86400   IN      A       192.168.1.107

;; AUTHORITY SECTION:
yoursite.com.           15090   IN      NS      ns2.example.com.
yoursite.com.           15090   IN      NS      ns1.example.com.

;; ADDITIONAL SECTION:
ns2.example.com.        162439  IN      A       192.168.1.106
ns1.example.com.        162439  IN      A       192.168.1.106

;; Query time: 27 msec
;; WHEN: Sun Sep 21 19:07:17 2008
;; MSG SIZE  rcvd: 124
Now we will test the reverse lookup:
On web1:
dig -x 192.168.1.107 @192.168.1.105
On web2:
dig -x 192.168.1.107 @192.168.1.104
The output should be similar to this:
; <<>> DiG 9.4.2-P1 <<>> -x 192.168.1.107
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22614
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;107.1.168.192.in-addr.arpa.    IN      PTR

;; ANSWER SECTION:
107.1.168.192.in-addr.arpa. 86400 IN    PTR     yoursite.com.

;; AUTHORITY SECTION:
1.168.192.in-addr.arpa. 86400   IN      NS      ns2.example.com.
1.168.192.in-addr.arpa. 86400   IN      NS      ns1.example.com.

;; ADDITIONAL SECTION:
ns1.example.com.        162147  IN      A       192.168.1.106
ns2.example.com.        162147  IN      A       192.168.1.106

;; Query time: 88 msec
;; WHEN: Sun Sep 21 19:12:09 2008
;; MSG SIZE  rcvd: 172
More info on how to use dig:
http://www.madboa.com/geek/dig/
9. Proftpd (web1, web2)
9.1 Proftpd installation
In order to install Proftpd, run:
apt-get install proftpd ucf
You will be asked a question:
Run proftpd: <-- standalone
9.2 Proftpd configuration
vi /etc/proftpd/proftpd.conf
For security reasons add the following lines to /etc/proftpd/proftpd.conf:
DefaultRoot ~
IdentLookups off
ServerIdent on "FTP Server ready."
Then restart Proftpd:
/etc/init.d/proftpd restart