Installing a Web, Email & MySQL Database Cluster on Debian 8.4 Jessie with ISPConfig 3.1

This tutorial describes the installation of a clustered web, email, database and DNS server to be used for redundancy, high availability and load balancing on Debian 8 with the ISPConfig 3 control panel. MySQL Master/Master replication will be used to replicate the MySQL client databases between the servers, Unison will be used to Sync the /var/www (websites) and the Mails will be synced with Dovecot.


1 General note

In this setup, there will be one master server (which runs the ISPConfig control panel interface) and one slave server which mirrors the web (apache), email (postfix and dovecot), dns (bind) and database (MySQL or MariaDB) services of the master server.

To install the clustered setup, we need two servers with a Debian 8.4 minimal install and the same ISPConfig version.

In my example I use the following hostnames and IP addresses for the two servers:

Master Server

Hostname: server1.example.tld
IPv6-Address: 2001:db8::1

Slave server

Hostname: server2.example.tld
IPv6-Address: 2001:db8::2

Wherever these hostnames or IP addresses occur in the next installation steps you will have to change them to match the IP's and hostnames of your servers.

All commands must be run as the root user. If you need to make changes in MySQL login into MySQL with the root-password for MySQL:

mysql -u root -p

2 Install the Master Server

First we need to install ISPConfig on the Master-Server. If you have already installed ISPConfig on this Server, you can skip the installation (ensure, that the existing installation is up-to-date).

Install ISPConfig on the Master-Server according to The Perfect Server - Debian 8.4 Jessie (Apache2, BIND, Dovecot, ISPConfig 3.1).

Add the Slave Server to the /etc/hosts file

vi /etc/hosts

so it looks like:       localhost   server1.example.tld server1
2001:db8::1 server1.example.tld server1 server2.example.tld
2001:db8::2 server2.example.tld # The following lines are desirable for IPv6 capable hosts ::1 localhost ip6-localhost ip6-loopback fe00::0 ip6-localnet ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters ff02::3 ip6-allhosts

3 Prepare the Slave Server

Run steps 1 - 19 from The Perfect Server - Debian 8.4 Jessie (Apache2, BIND, Dovecot, ISPConfig 3.1).

Do not install ISPConfig on server2 yet.

Add the Master Server to the /etc/hosts file

vi /etc/hosts

so it looks like:       localhost   server1.example.tld
2001:db8::1 server1.example.tld server2.example.tld server2
2001:db8::2 server2.example.tld server2 # The following lines are desirable for IPv6 capable hosts ::1 localhost ip6-localhost ip6-loopback fe00::0 ip6-localnet ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters ff02::3 ip6-allhosts

4 Keyless Login from Server1 to Server2

On server2:

We allow temporarily the root-login into server2 with a password. Open /etc/sshd_config:

vi /etc/ssh/sshd_config

and change

PermitRootLogin without-password


PermitRootLogin yes

afterwards, restart the ssh-daemon:

service ssh restart

On server1:

Create a private/public key pair:

Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): <-- ENTER
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase): <-- ENTER
Enter same passphrase again: <-- ENTER
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/
The key fingerprint is:
f3:d0:62:a7:24:6f:f0:1e:d1:64:a9:9f:12:6c:98:5a [email protected]
The key's randomart image is:
+---[RSA 2048]----+
|                 |
|           .     |
|          +      |
|       + *       |
|      E S +      |
|     o O @ .     |
|    .   B +      |
|       o o       |
|        .        |

It is important that you do not enter a passphrase otherwise the mirroring will not work without human interaction so simply hit ENTER!

Next, we copy our public key to server2.example.tld:

ssh-copy-id -i /root/.ssh/ [email protected]
The authenticity of host ' (' can't be established.
ECDSA key fingerprint is 25:d8:7a:ee:c2:4b:1d:92:a7:3d:16:26:95:56:62:4e.
Are you sure you want to continue connecting (yes/no)? <-- yes (you will see this only if this is the first time you connect to server2)
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password: <- enter root password from server2

Now try logging into the machine:

ssh [email protected]

And check /root/.ssh/authorized_keys to make sure we haven't added extra keys that you weren't expecting.

cat /root/.ssh/authorized_keys
ssh-dss AAAAB3NzaC1kc3MAAACBAPhiAexgEBexnw0rFG8lXwAuIsca/V+lhmv5lhF3BqUfAbL7e2sWlQlGhxZ8I2UnzZK8Ypffq6Ks+lp46yOs7MMXLqb7JBP9gkgqxyEWqOoUSt5hTE9ghupcCvE7rRMhefY5shLUnRkVH6hnCWe6yXSnH+Z8lHbcfp864GHkLDK1AAAAFQDddQckbfRG4C6LOQXTzRBpIiXzoQAAAIEAleevPHwi+a3fTDM2+Vm6EVqR5DkSLwDM7KVVNtFSkAY4GVCfhLFREsfuMkcBD9Bv2DrKF2Ay3OOh39269Z1rgYVk+/MFC6sYgB6apirMlHj3l4RR1g09LaM1OpRz7pc/GqIGsDt74D1ES2j0zrq5kslnX8wEWSHapPR0tziin6UAAACBAJHxgr+GKxAdWpxV5MkF+FTaKcxA2tWHJegjGFrYGU8BpzZ4VDFMiObuzBjZ+LrUs57BiwTGB/MQl9FKQEyEV4J+AgZCBxvg6n57YlVn6OEA0ukeJa29aFOcc0inEFfNhw2jAXt5LRyvuHD/C2gG78lwb6CxV02Z3sbTBdc43J6y [email protected]

Disallow root-login with a password. Open /etc/sshd_config:

vi /etc/ssh/sshd_config

and change

PermitRootLogin yes


PermitRootLogin without-password

afterwards, restart the ssh-daemon:

service ssh restart

Logout from server2:

Connection to closed.

We are now back on server1.

Share this page:

33 Comment(s)

Add comment

Please register in our forum first to comment.


By: Slayer

Nice job! thx

By: Saeid

Thank you,Thats very helpful article. Good explanation and clear instruction.I assume it will be same if I want to implement that on Ubuntu 16.04 LTS server, right?That would be greate if you confirm it's working fine if I alter my current single server setup of ISPConfig to be changed to cluster based system.Thanks again...

By: Ilko

Hi do you know a tutorial to add load balancer on the system which shares the load between the 2 servers?

By: Hias

Very good tutorial! Can u tell me, what to do, in cause of failover IPs?

By: Butty Pierre-André

hi ! great Tuto, on Step 6 with Download ISPConfig 3.1, an Type Error with the line :

tar xfvz xfz ISPConfig-3.1-beta.tar.gz, the second xfz is too.

By: Pierre-André Butty

hi !

i mean instead of "tar xfvz xfz ISPConfig-3.1-beta.tar.gz" on step 6 with upload of ISPConfig 3.1 only "tar xfvz ISPConfig-3.1-beta.tar.gz" ist ok.


By: Edijs Zatevahins

Thank you. But what means (commenting out all existing conflicting options):

How i know which one's is conflicting options?

By: Zoltan Laczko

And what about PHP session files sync?

By: Jeff S

For the section 5.5, which server is this step being perfomed on?


5.5 MySQL Master-Master-Replication

Create the MySQL-User for the replication and grant the privileg in MySQL:

CREATE USER 'slaveuser1'@'server1.example.tld' IDENTIFIED BY 'slave_user_password';CREATE USER 'slaveuser1'@'' IDENTIFIED BY 'slave_user_password';CREATE USER 'slaveuser1'@'2001:db8::1' IDENTIFIED BY 'slave_user_password';GRANT REPLICATION SLAVE ON *.* TO 'slaveuser1'@'server1.example.tld'; GRANT REPLICATION SLAVE ON *.* TO 'slaveuser1'@'';GRANT REPLICATION SLAVE ON *.* TO 'slaveuser1'@'2001:db8::1';QUIT;

By: stone1555

Can someone clarify on which server section 5.5 and 6 commands are to be run?

By: Peter

It is creating a Slave(second server) user to the 1st (master) server.

CREATE USER 'slaveuser1'@'server1.example.tld'

So its on the first, master server or server1.example.tld...

By: Mounaam


last char is missing for server2 in below line

> relay-log-index          = slave-relay-log.inde

Best regards,Mounaam

By: Marc

In chapter 5.4 it's important to note that by importing the sql from server1 to the slave you overwrite your MySQL credentials.

I had different SQL passwords for root on both servers and of course the login didn't work on the slave after overwriting it.

By: Alex

Is there a reason why we don't install webinterface on server 2? 

So If I shutdown the ISPConfig server 1 how can I see the interface?

By: Florian Leo

And where is mentioned that you would need some sort of SQL-DB installed first?

By: npalokan

I am not quite sure about high availability. Lets imagine that my server1 goes down, server2 keeps going fully functional. If I have website that's in my servers has A record thats pointing to server1 IP-address. In this situation when I am trying to access my site, it's not available, because server1 is down. And if I am not using low TTL, I cannot even change dns IP manually, so it's getting spread around fast enough. Even if you give two a records (both server IP's) it's only working on every two requests (round-robin rule), you know it's not good solution either in this situation.As my opinion it would be great if server1 dns uses it's own IP in A-records etc... and server2 uses it's own. Of course this still needs low TTL, but even with that, it would be much more high available than this current solution.Or is there something I just don't understand corretly :/

By: Tobias


i don not really understand, why i have to do 5.1-5.4 a mysql Master-Slave Cluster and on position 5.5 a master-master cluster.

Is 5.5. alternative?


Thanks a lot



if i want to sync through other port than 22, for example 2222, where can i modifying that scrip for unison?

By: Dennis

Thank you for your tutorial. I personally didn´t know, that it was that easy to sync dovecot. I still have one question: where does the Loadbalancing happen (as mentioned in the introduction text)? Currently it seems to me, if the master goes down, the pages go down too, because most people just point their DNS to the Master. Or do I miss something?

By: Matha Goram

Excellent article!

Any thoughts on configuring more nodes to the HA cluster outlined in your article?


By: Chriss

Hi,If the master fails, and the email are redirected to slave until master si back, the received mails on the slave will be replicated back to master when this will be available again?

How can be managed from DNS to always use the master and just if it fails to use the slave server (for web and emails)?


Thanl you.

By: sgzodyo

Can we do multiserver setup with centos/RHEL?

By: till

Yes. But there is no tutorial available for that setup.

By: Will

Found an Issue with the database replication not being passed from one ispconfig server to the other and it was failing with a log error. You do need to specify the relay-log and relay-index information in the my.cnf files. See this link for more information. The log showed in the syslog after i finished setup and ispconfig starting flagging datalog_status_u_server that changes hadnt been applied to all systems.,207174,216663#msg-216663

By: esezako


When a Debian 9 version of this How to?

Thanks in advance!

By: Jonathon Gilbert

i am also wondering if this will work by using the debian 9 version.

By: Ming-li

Thanks for a great tutorial. One more thing is Let's encrypt. Servers must share /etc/letsencrypt and /usr/local/ispconfig/interface/acme to make it work properly. I use NFS and it works just fine.

By: Oppa

Just waiting for the Debian 10 tutorial.

By: Asau

Hi Till,

Can I install it on Proxmox?

By: raph

I have setup but can't find file config-db.php to copy. I'm on debian 10

By: Juan Pablo

I have 2 errors in the system.

1: It does not sync https domains. <VirtualHost *: 443> missing

2: In the master I have domains with php 7.2 and php 5.6, it does not synchronize the versions of php.


Could you help me?

By: Andrew

/root/.unison/web.prf numericids=true # After sync, the master file owner was changed numericids=false # After sync, the master and slave file owner was sync as same

By: Nebur692

I have a problem, I request your help:

I register a new website, I select a version of PHP. The PHP version on server 1 is the same version that I selected but on server 2 (mirror) the default PHP version is always set.This happens to me with all websites, whether new or old.

How can I fix?