HowtoForge

The Perfect Server - OpenSUSE 12.3 x86_64 (Apache2, Dovecot, ISPConfig 3) - Page 3

10 Install The Apache 2 Webserver With PHP5, Ruby, Python, WebDAV

Install Apache2 and suphp. Run:

zypper install apache2 apache2-mod_fcgid

Install PHP5:

zypper install php5-bcmath php5-bz2 php5-calendar php5-ctype php5-curl php5-dom php5-ftp php5-gd php5-gettext php5-gmp php5-iconv php5-imap php5-ldap php5-mbstring php5-mcrypt php5-mysql php5-odbc php5-openssl php5-pcntl php5-pgsql php5-posix php5-shmop php5-snmp php5-soap php5-sockets php5-sqlite php5-sysvsem php5-tokenizer php5-wddx php5-xmlrpc php5-xsl php5-zlib php5-exif php5-fastcgi php5-pear php5-sysvmsg php5-sysvshm ImageMagick curl apache2-mod_php5
zypper install http://download.opensuse.org/repositories/server:/php/openSUSE_12.3/x86_64/suphp-0.7.1-5.1.x86_64.rpm

Then run these commands to enable the Apache modules (including WebDAV):

a2enmod suexec
a2enmod rewrite
a2enmod ssl
a2enmod actions
a2enmod suphp
a2enmod fcgid
a2enmod dav
a2enmod dav_fs
a2enmod dav_lock
chown root:www /usr/sbin/suexec2
chmod 4755 /usr/sbin/suexec2
a2enflag SSL

To add Python support, run:

zypper install apache2-mod_python
a2enmod python

Next we install phpMyAdmin:

zypper install phpMyAdmin

To make sure that we can access phpMyAdmin from all websites created through ISPConfig later on by using /phpmyadmin (e.g. http://www.example.com/phpmyadmin) and /phpMyAdmin (e.g. http://www.example.com/phpMyAdmin), open /etc/apache2/conf.d/phpMyAdmin.conf...

vi /etc/apache2/conf.d/phpMyAdmin.conf

... and add the following two aliases right at the beginning:

Alias /phpMyAdmin /srv/www/htdocs/phpMyAdmin
Alias /phpmyadmin /srv/www/htdocs/phpMyAdmin
[...]

Start Apache:

systemctl enable apache2.service
systemctl start apache2.service

 

10.1 PHP-FPM

Starting with the upcoming ISPConfig 3.0.5, there will be an additional PHP mode that you can select for usage with Apache: PHP-FPM. If you plan to use this PHP mode, it makes sense to configure your system for it now so that later on when you upgrade to ISPConfig 3.0.5, your system is prepared (the latest ISPConfig version at the time of this writing is ISPConfig 3.0.4.6).

To use PHP-FPM with Apache, we need the mod_fastcgi Apache module (please don't mix this up with mod_fcgid - they are very similar, but you cannot use PHP-FPM with mod_fcgid). We can install PHP-FPM and mod_fastcgi as follows:

mod_fastcgi is available from a third-party repository which we can enable it as follows:

zypper --gpg-auto-import-keys addrepo --name "Third-party modules for the Apache HTTP server. (Apache_openSUSE_12.3)" http://download.opensuse.org/repositories/Apache:/Modules/Apache_openSUSE_12.3/ apache-third-party-12.3

Next we install mod_fastcgi and PHP-FPM:

zypper install apache2-mod_fastcgi php5-fpm

Unfortunately there's a bug in the apache2-mod_fastcgi package which does not allow the usage of the FastCgiExternalServer directive inside a <VirtualHost> section (see How To Build mod_fastcgi For Apache2 On OpenSUSE 12.2). That's why we must rebuild mod_fastcgi:

zypper install apache2-devel
wget http://www.fastcgi.com/dist/mod_fastcgi-2.4.6.tar.gz
tar xvfz mod_fastcgi-2.4.6.tar.gz
cd mod_fastcgi-2.4.6/
cp Makefile.AP2 Makefile
ln -s /usr/include/apache2-worker/mpm.h /usr/include/apache2/
make top_dir=/usr/share/apache2
make top_dir=/usr/share/apache2 install

Before we start PHP-FPM, rename /etc/php5/fpm/php-fpm.conf.default to /etc/php5/fpm/php-fpm.conf:

mv /etc/php5/fpm/php-fpm.conf.default /etc/php5/fpm/php-fpm.conf

Change the permissions of PHP's session directory:

chmod 1733 /var/lib/php5

Then open /etc/php5/fpm/php-fpm.conf...

vi /etc/php5/fpm/php-fpm.conf

... and change error_log to /var/log/php-fpm.log:

[...]
error_log = /var/log/php-fpm.log
[...]

There's no php.ini file for PHP-FPM under OpenSUSE 12.3, therefore we copy the CLI php.ini:

cp /etc/php5/cli/php.ini /etc/php5/fpm/

Next open /etc/php5/fpm/php.ini...

vi /etc/php5/fpm/php.ini

... and set cgi.fix_pathinfo to 0:

[...]
; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI.  PHP's
; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok
; what PATH_INFO is.  For more information on PATH_INFO, see the cgi specs.  Setting
; this to 1 will cause PHP CGI to fix its paths to conform to the spec.  A setting
; of zero causes PHP to behave as before.  Default is 1.  You should fix your scripts
; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.
; http://php.net/cgi.fix-pathinfo
cgi.fix_pathinfo=0
[...]

Next create the system startup links for php-fpm and start it:

systemctl enable php-fpm.service 
systemctl start php-fpm.service

PHP-FPM is a daemon process that runs a FastCGI server on port 9000, as you can see in the output of

netstat -tapn
server1:~ # netstat -tapn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      2329/nginx
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1204/sshd
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      2511/php-fpm.conf)
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      2059/mysqld
tcp        0      0 192.168.0.100:22        192.168.0.199:1632      ESTABLISHED 1284/0
tcp        0      0 :::22                   :::*                    LISTEN      1204/sshd
server1:~ #

Next enable the following Apache modules...

a2enmod actions
a2enmod fastcgi
a2enmod alias

... and restart Apache:

systemctl restart apache2.service

 

11 Install PureFTPd

Install the pure-ftpd FTP daemon. Run:

zypper install pure-ftpd
systemctl enable pure-ftpd.service
systemctl start pure-ftpd.service

Now we configure PureFTPd to allow FTP and TLS sessions. FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure.

OpenSSL is needed by TLS; to install OpenSSL, we simply run:

zypper install openssl

Open /etc/pure-ftpd/pure-ftpd.conf...

vi /etc/pure-ftpd/pure-ftpd.conf

If you want to allow FTP and TLS sessions, set TLS to 1:

[...]
# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
#     including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.

TLS                      1
[...]

If you want to accept TLS sessions only (no FTP), set TLS to 2:

[...]
# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
#     including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.

TLS                      2
[...]

To not allow TLS at all (only FTP), set TLS to 0:

[...]
# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
#     including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.

TLS                      0
[...]

In order to use TLS, we must create an SSL certificate. I create it in /etc/ssl/private/, therefore I create that directory first:

mkdir -p /etc/ssl/private/

Afterwards, we can generate the SSL certificate as follows:

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]:
<-- Enter your State or Province Name.
Locality Name (eg, city) []:
<-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
<-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []:
<-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []:
<-- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
Email Address []:
<-- Enter your Email Address.

Change the permissions of the SSL certificate:

chmod 600 /etc/ssl/private/pure-ftpd.pem

Finally restart PureFTPd:

systemctl restart pure-ftpd.service

That's it. You can now try to connect using your FTP client; however, you should configure your FTP client to use TLS - see the next chapter how to do this with FileZilla.

 

12 Install BIND

The BIND nameserver can be installed as follows:

zypper install bind

Create the BIND system startup links and start it:

systemctl enable named.service
systemctl start named.service

 

13 Install Webalizer And AWStats

Since ISPConfig 3 lets you choose if you want to use Webalizer or AWStats to create your web site statistics, we install both:

zypper install webalizer perl-DateManip
zypper install http://download.opensuse.org/repositories/network:/utilities/openSUSE_12.3/noarch/awstats-7.1.1-3.1.noarch.rpm

 

14 Install fail2ban

fail2ban can be installed as follows:

zypper install fail2ban

 

The Perfect Server - OpenSUSE 12.3 x86_64 (Apache2, Dovecot, ISPConfig 3) - Page 3