The Perfect Server - OpenSUSE 12.3 x86_64 (nginx, Dovecot, ISPConfig 3) - Page 4
10 Install Nginx, PHP5 (PHP-FPM), And Fcgiwrap
Nginx is available as a package for OpenSUSE which we can install as follows:
zypper install nginx
If Apache2 is already installed on the system, stop it now...
systemctl stop apache2.service
... and remove Apache's system startup links:
systemctl disable apache2.service
Then we create the system startup links for nginx and start it:
systemctl enable nginx.service
systemctl start nginx.service
(If both Apache2 and nginx are installed, the ISPConfig 3 installer will ask you which one you want to use - answer nginx in this case. If only one of these both is installed, ISPConfig will do the necessary configuration automatically.)
If you want to use IPv6 addresses with your nginx vhosts, please do the following before you create IPv6 vhosts in ISPConfig:
Open /etc/sysctl.conf...
vi /etc/sysctl.conf
... and add the line net.ipv6.bindv6only = 1:
[...] net.ipv6.bindv6only = 1 |
Run...
sysctl -p
... afterwards for the change to take effect.
We can make PHP5 work in nginx through PHP-FPM (PHP-FPM (FastCGI Process Manager) is an alternative PHP FastCGI implementation with some additional features useful for sites of any size, especially busier sites) which we install as follows:
zypper install php5-fpm
Before we start PHP-FPM, rename /etc/php5/fpm/php-fpm.conf.default to /etc/php5/fpm/php-fpm.conf:
mv /etc/php5/fpm/php-fpm.conf.default /etc/php5/fpm/php-fpm.conf
Change the permissions of PHP's session directory:
chmod 1733 /var/lib/php5
Then open /etc/php5/fpm/php-fpm.conf...
vi /etc/php5/fpm/php-fpm.conf
... and change error_log to /var/log/php-fpm.log:
[...] error_log = /var/log/php-fpm.log [...] |
There's no php.ini file for PHP-FPM under OpenSUSE 12.3, therefore we copy the CLI php.ini:
cp /etc/php5/cli/php.ini /etc/php5/fpm/
Next open /etc/php5/fpm/php.ini...
vi /etc/php5/fpm/php.ini
... and set cgi.fix_pathinfo to 0:
[...] ; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI. PHP's ; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok ; what PATH_INFO is. For more information on PATH_INFO, see the cgi specs. Setting ; this to 1 will cause PHP CGI to fix its paths to conform to the spec. A setting ; of zero causes PHP to behave as before. Default is 1. You should fix your scripts ; to use SCRIPT_FILENAME rather than PATH_TRANSLATED. ; http://php.net/cgi.fix-pathinfo cgi.fix_pathinfo=0 [...] |
Next create the system startup links for php-fpm and restart it:
systemctl enable php-fpm.service
systemctl restart php-fpm.service
PHP-FPM is a daemon process that runs a FastCGI server on port 9000, as you can see in the output of
netstat -tapn
server1:~ # netstat -tapn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3310 0.0.0.0:* LISTEN 10357/clamd
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 9869/dovecot
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 10521/nginx
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1275/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 9816/master
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN 10695/php-fpm.conf)
tcp 0 0 127.0.0.1:10024 0.0.0.0:* LISTEN 10337/amavisd (mast
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 9694/mysqld
tcp 0 0 192.168.0.100:22 192.168.0.199:4630 ESTABLISHED 1332/0
tcp 0 0 :::22 :::* LISTEN 1275/sshd
tcp 0 0 ::1:25 :::* LISTEN 9816/master
server1:~ #
To get MySQL support in PHP, we can install the php5-mysql package. It's a good idea to install some other PHP5 modules as well as you might need them for your applications:
zypper install php5-mysql php5-bcmath php5-bz2 php5-calendar php5-ctype php5-curl php5-dom php5-ftp php5-gd php5-gettext php5-gmp php5-iconv php5-imap php5-ldap php5-mbstring php5-mcrypt php5-odbc php5-openssl php5-pcntl php5-pgsql php5-posix php5-shmop php5-snmp php5-soap php5-sockets php5-sqlite php5-sysvsem php5-tokenizer php5-wddx php5-xmlrpc php5-xsl php5-zlib php5-exif php5-pear php5-sysvmsg php5-sysvshm
Now restart PHP-FPM:
systemctl restart php-fpm.service
To get CGI support in nginx, we install Fcgiwrap.
Fcgiwrap is a CGI wrapper that should work also for complex CGI scripts and can be used for shared hosting environments because it allows each vhost to use its own cgi-bin directory.
As there's no fcgiwrap package for OpenSUSE, we must build it ourselves. First we install some prerequisites:
zypper install git patch automake glibc-devel gcc flex compat-readline4 db-devel wget gcc-c++ make vim libtool FastCGI-devel
Create the following symlinks:
ln -s /usr/include/fastcgi/fastcgi.h /usr/local/include/
ln -s /usr/include/fastcgi/fcgi_config.h /usr/local/include/
ln -s /usr/include/fastcgi/fcgi_stdio.h /usr/local/include/
ln -s /usr/include/fastcgi/fcgiapp.h /usr/local/include/
ln -s /usr/include/fastcgi/fcgimisc.h /usr/local/include/
ln -s /usr/include/fastcgi/fcgio.h /usr/local/include/
ln -s /usr/include/fastcgi/fcgios.h /usr/local/include/
Now we can build fcgiwrap as follows:
cd /usr/local/src/
git clone git://github.com/gnosek/fcgiwrap.git
cd fcgiwrap
autoreconf -i
./configure
make
make install
This installs fcgiwrap to /usr/local/sbin/fcgiwrap.
Next we install the spawn-fcgi package which allows us to run fcgiwrap as a daemon:
zypper install spawn-fcgi
We can now start fcgiwrap as follows:
spawn-fcgi -u wwwrun -g www -s /var/run/fcgiwrap.socket -S -M 0770 -F 1 -P /var/run/spawn-fcgi.pid -- /usr/local/sbin/fcgiwrap
You should now find the fcgiwrap socket in /var/run/fcgiwrap.socket, owned by the user wwwrun and group www. We must now add the user nginx to the group www:
usermod -a -G www nginx
Reload nginx afterwards:
systemctl reload nginx.service
If you don't want to start fcgiwrap manually each time you boot your system, open /etc/init.d/boot.local...
vi /etc/init.d/boot.local
... and add the spawn-fcgi command at the end of the file - this will automatically start fcgiwrap at the end of the boot process:
[...] /usr/bin/spawn-fcgi -u wwwrun -g www -s /var/run/fcgiwrap.socket -S -M 0770 -F 1 -P /var/run/spawn-fcgi.pid -- /usr/local/sbin/fcgiwrap |
That's it! Now when you create an nginx vhost, ISPConfig will take care of the correct vhost configuration.
10.1 Install phpMyAdmin
Next we install phpMyAdmin:
zypper install phpMyAdmin
As this installs Apache as a dependency, remove Apache's system startup links:
systemctl disable apache2.service
phpMyAdmin is now located in the /srv/www/htdocs/phpMyAdmin directory, but we want it in the /usr/share/phpmyadmin/ directory, so we create a symlink:
ln -s /srv/www/htdocs/phpMyAdmin /usr/share/phpmyadmin
After you have installed ISPConfig 3, you can access phpMyAdmin as follows:
The ISPConfig apps vhost on port 8081 for nginx comes with a phpMyAdmin configuration, so you can use http://server1.example.com:8081/phpmyadmin or http://server1.example.com:8081/phpMyAdmin to access phpMyAdmin.
If you want to use a /phpmyadmin or /phpMyAdmin alias that you can use from your web sites, this is a bit more complicated than for Apache because nginx does not have global aliases (i.e., aliases that can be defined for all vhosts). Therefore you have to define these aliases for each vhost from which you want to access phpMyAdmin.
To do this, paste the following into the nginx Directives field on the Options tab of the web site in ISPConfig:
location /phpmyadmin { root /usr/share/; index index.php index.html index.htm; location ~ ^/phpmyadmin/(.+\.php)$ { try_files $uri =404; root /usr/share/; fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $request_filename; include /etc/nginx/fastcgi_params; fastcgi_param PATH_INFO $fastcgi_script_name; fastcgi_buffer_size 128k; fastcgi_buffers 256 4k; fastcgi_busy_buffers_size 256k; fastcgi_temp_file_write_size 256k; fastcgi_intercept_errors on; } location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ { root /usr/share/; } } location /phpMyAdmin { rewrite ^/* /phpmyadmin last; } |
If you use https instead of http for your vhost, you should add the line fastcgi_param HTTPS on; to your phpMyAdmin configuration like this:
location /phpmyadmin { root /usr/share/; index index.php index.html index.htm; location ~ ^/phpmyadmin/(.+\.php)$ { try_files $uri =404; root /usr/share/; fastcgi_pass 127.0.0.1:9000; fastcgi_param HTTPS on; # <-- add this line fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $request_filename; include /etc/nginx/fastcgi_params; fastcgi_param PATH_INFO $fastcgi_script_name; fastcgi_buffer_size 128k; fastcgi_buffers 256 4k; fastcgi_busy_buffers_size 256k; fastcgi_temp_file_write_size 256k; fastcgi_intercept_errors on; } location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ { root /usr/share/; } } location /phpMyAdmin { rewrite ^/* /phpmyadmin last; } |
If you use both http and https for your vhost, you need to add the following section to the http {} section in /etc/nginx/nginx.conf (before any include lines) which determines if the visitor uses http or https and sets the $fastcgi_https variable (which we will use in our phpMyAdmin configuration) accordingly:
vi /etc/nginx/nginx.conf
[...] http { [...] ## Detect when HTTPS is used map $scheme $fastcgi_https { default off; https on; } [...] } [...] |
Don't forget to reload nginx afterwards:
systemctl reload nginx.service
Then go to the nginx Directives field again, and instead of fastcgi_param HTTPS on; you add the line fastcgi_param HTTPS $fastcgi_https; so that you can use phpMyAdmin for both http and https requests:
location /phpmyadmin { root /usr/share/; index index.php index.html index.htm; location ~ ^/phpmyadmin/(.+\.php)$ { try_files $uri =404; root /usr/share/; fastcgi_pass 127.0.0.1:9000; fastcgi_param HTTPS $fastcgi_https; # <-- add this line fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $request_filename; include /etc/nginx/fastcgi_params; fastcgi_param PATH_INFO $fastcgi_script_name; fastcgi_buffer_size 128k; fastcgi_buffers 256 4k; fastcgi_busy_buffers_size 256k; fastcgi_temp_file_write_size 256k; fastcgi_intercept_errors on; } location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ { root /usr/share/; } } location /phpMyAdmin { rewrite ^/* /phpmyadmin last; } |
11 Install PureFTPd
Install the pure-ftpd FTP daemon. Run:
zypper install pure-ftpd
systemctl enable pure-ftpd.service
systemctl start pure-ftpd.service
Now we configure PureFTPd to allow FTP and TLS sessions. FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure.
OpenSSL is needed by TLS; to install OpenSSL, we simply run:
zypper install openssl
Open /etc/pure-ftpd/pure-ftpd.conf...
vi /etc/pure-ftpd/pure-ftpd.conf
If you want to allow FTP and TLS sessions, set TLS to 1:
[...] # This option can accept three values : # 0 : disable SSL/TLS encryption layer (default). # 1 : accept both traditional and encrypted sessions. # 2 : refuse connections that don't use SSL/TLS security mechanisms, # including anonymous sessions. # Do _not_ uncomment this blindly. Be sure that : # 1) Your server has been compiled with SSL/TLS support (--with-tls), # 2) A valid certificate is in place, # 3) Only compatible clients will log in. TLS 1 [...] |
If you want to accept TLS sessions only (no FTP), set TLS to 2:
[...] # This option can accept three values : # 0 : disable SSL/TLS encryption layer (default). # 1 : accept both traditional and encrypted sessions. # 2 : refuse connections that don't use SSL/TLS security mechanisms, # including anonymous sessions. # Do _not_ uncomment this blindly. Be sure that : # 1) Your server has been compiled with SSL/TLS support (--with-tls), # 2) A valid certificate is in place, # 3) Only compatible clients will log in. TLS 2 [...] |
To not allow TLS at all (only FTP), set TLS to 0:
[...] # This option can accept three values : # 0 : disable SSL/TLS encryption layer (default). # 1 : accept both traditional and encrypted sessions. # 2 : refuse connections that don't use SSL/TLS security mechanisms, # including anonymous sessions. # Do _not_ uncomment this blindly. Be sure that : # 1) Your server has been compiled with SSL/TLS support (--with-tls), # 2) A valid certificate is in place, # 3) Only compatible clients will log in. TLS 0 [...] |
In order to use TLS, we must create an SSL certificate. I create it in /etc/ssl/private/, therefore I create that directory first:
mkdir -p /etc/ssl/private/
Afterwards, we can generate the SSL certificate as follows:
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
Country Name (2 letter code) [AU]: <-- Enter your Country Name (e.g., "DE").
State or Province Name (full name) [Some-State]: <-- Enter your State or Province Name.
Locality Name (eg, city) []: <-- Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <-- Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []: <-- Enter your Organizational Unit Name (e.g. "IT Department").
Common Name (eg, YOUR name) []: <-- Enter the Fully Qualified Domain Name of the system (e.g. "server1.example.com").
Email Address []: <-- Enter your Email Address.
Change the permissions of the SSL certificate:
chmod 600 /etc/ssl/private/pure-ftpd.pem
Finally restart PureFTPd:
systemctl restart pure-ftpd.service
That's it. You can now try to connect using your FTP client; however, you should configure your FTP client to use TLS - see the next chapter how to do this with FileZilla.