Complete installation of a web server on Debian 6.0

Installing Debian

Download the netinst image of your choice from http://www.debian.org/distrib/netinst and check it against the SHA256SUMS file (and its signature) published next to it, so that you are not installing a tampered image.

Burn the ISO image to a CD, then boot your future server from it.

The graphical installer is recommended, as it is easier to use.

When the installer asks which software to install, deselect "Desktop environment" and "Standard system utilities": we will install only what we need.

Log in as root

On a Debian server, root is the administrator and the only account allowed to manage the system, so protect its password carefully.

Update the server

First, make sure the server is up to date:

Update the repository lists

Start by refreshing the list of packages available from the APT repositories declared in /etc/apt/sources.list. Running this regularly is good practice, so that the list of available packages stays current.

# apt-get update

Upgrade the packages

The upgrade option brings every installed package to its latest available version. This is also how Debian security updates reach the server, so run it regularly.

# apt-get upgrade

For more information on apt-get, see its manual page (man apt-get).

Install the SSH server

An SSH server lets you connect to your server from any other computer, which is very convenient for administering it remotely.

# apt-get install openssh-server

Answer yes to confirm the installation.

Once it is installed, you can administer your server remotely with the PuTTY client (http://www.01net.com/telecharger/windows/Internet/serveur_ftp/fiches/20166.html) and the IP address of your server.

Change the port of the SSH server

If SSH lets you connect to your server from anywhere, it also lets anyone else do so once they find your password.

By default SSH listens on port 22. To make life harder for an attacker, we can change it. Keep in mind that this only cuts the noise from automated scanners that try port 22 (a port scan still finds the service); the real protection is refusing root logins and using a strong password or, better, an SSH key.

To do this, edit /etc/ssh/sshd_config with nano, a console text editor:

# nano /etc/ssh/sshd_config

and modify the line:

# What ports, IPs and protocols we listen for
Port 22

Choose a port that is not used by another program.

Take port 5943 for example:

# What ports, IPs and protocols we listen for
Port 5943

Press CTRL+O to save, then CTRL+X to exit nano.

Then reload the SSH server:

# /etc/init.d/ssh reload

Done! From now on, connect to your server over SSH on port 5943. Keep your current session open and test a new connection on the new port before logging out, and if a firewall sits in front of the server, allow the new port there.

By default root may log in over SSH. This is a real danger, because a brute-force attack can eventually crack the password. So set PermitRootLogin no and allow a single user instead: create it with useradd -m Linus76 and give it a password (the example password "TnE15aJ" is far too short for a real server; pick a long one), then allow it, and it alone, to connect over SSH by adding the following line at the end of the file: AllowUsers Linus76. Once logged in as that user, become root with su.

For now, let's stay with root; we will come back to this once the server is configured.
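The following shell script is an added example, not code from the original tutorial: it applies the three sshd_config changes discussed above (Port 5943, PermitRootLogin no, AllowUsers Linus76) idempotently, so running it twice leaves a single copy of each directive, and it validates the file with sshd -t before reloading. The file path is a parameter so the helper can be tried on a copy first; the values are the ones used in the text.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: apply the sshd_config
# changes described above (port 5943, no root login, only Linus76 allowed) in
# an idempotent way, and validate the file before reloading sshd. The file
# path is a parameter so the helper can be tried on a copy first; the values
# are the ones used in the text above.

set -eu

# set_sshd_option FILE KEY VALUE: replace the first line that sets KEY (even
# if it is commented out, e.g. "#PermitRootLogin yes"), drop any duplicates,
# and append "KEY VALUE" if the file never mentioned it.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        # sshd keywords are case-insensitive, hence the tolower() on both sides
        tolower($0) ~ ("^[# \t]*" tolower(key) "([ \t]|$)") {
            if (!done) { print key " " value; done = 1 }   # first hit: replace
            next                                            # later hits: drop
        }
        { print }
        END { if (!done) print key " " value }              # never seen: append
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"      # keeps the original file's owner and mode
    rm -f "$tmp"
}

# harden_sshd FILE: the settings from this section. A directive that was
# absent is appended at the end, which is fine for the Debian 6 default file
# (no Match block); put it before any Match block if you added one.
harden_sshd() {
    set_sshd_option "$1" Port 5943
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" AllowUsers Linus76
}

# apply_on_server: run as root on the server itself. sshd -t checks the file
# and, thanks to set -e, a broken configuration is never reloaded.
apply_on_server() {
    harden_sshd /etc/ssh/sshd_config
    /usr/sbin/sshd -t
    /etc/init.d/ssh reload
    # now open a SECOND session on port 5943 before closing this one
}
```

Run apply_on_server from a root shell; if sshd -t complains, the reload never happens and the old configuration stays in force, which is exactly what you want when the only way in is the session you are sitting in.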

Installing Packages

Installing Apache 2

We need an HTTP server to serve our pages. For this I suggest one of the most used and best-known servers, Apache; we install version 2 here.

# apt-get install apache2

To check that the installation succeeded, enter http://YOUR_SERVER_IP/ in your browser.

You should get the following result:

It works!
This is the default web page for this server.
The web server software is running but no content has been added, yet.

Installing PHP 5

So far our server can only serve static HTML pages. Most of the sites you will want to install have a dynamic part, which is why we continue by installing PHP 5 on the server.

# apt-get install php5

Install the MySQL database

PHP is often paired with the MySQL database system. Here we install mysql-server version 5. Below we also install phpMyAdmin, a PHP application that makes managing MySQL databases very simple.

# apt-get install mysql-server

Set the MySQL root password when prompted. Choose a strong one: "mysql" is only a placeholder, and phpMyAdmin will soon expose this login to the web.

Check that MySQL works:

# mysql -p
enter the password
mysql> exit

Install the php5-mysql library:

# apt-get install php5-mysql

Install phpMyAdmin:

# apt-get install phpmyadmin

The installer asks which web server to reconfigure automatically: select apache2 (with the spacebar) and confirm. On Debian this adds /etc/phpmyadmin/apache.conf to the Apache configuration, which already maps /phpmyadmin to /usr/share/phpmyadmin.

If that alias is missing, a symlink into the document root does the same job (we are root, so no sudo is needed):

# ln -s /usr/share/phpmyadmin /var/www/phpmyadmin

Check that the installation succeeded: http://YOUR_SERVER_IP/phpmyadmin/

The login form should be displayed.

If you get a 404 instead, check which DocumentRoot the default site uses: on Debian 6 it is /etc/apache2/sites-available/default with DocumentRoot /var/www, while on newer releases it is 000-default.conf with DocumentRoot /var/www/html. Either put the symlink in that directory or change the DocumentRoot to /var/www. Since phpMyAdmin exposes the MySQL login to the whole Internet, consider restricting /phpmyadmin to your own IP addresses or serving it over HTTPS only.

Installing the FTP server (vsftpd)

Having a site online is good; being able to upload files to it is better ;). That is the job of vsftpd, the Very Secure FTP Daemon, which we configure later on this page.

# apt-get install vsftpd

Configuring Apache 2

To start with, a web server in the strict sense: it is what interprets and serves our HTML and PHP pages. Apache 2 is the most used HTTP server; it has a good security record and a lot of documentation available online.

It also lets us manage virtual hosts, and that is how we will set it up. The aim is to host several sites on our server, each reachable directly through its own URL. Our server obviously does not have one IP address per hosted site: that would be far too complex to implement physically and, with the IPv4 system in use today, unthinkable. For the record, an IPv4 address is made of four numbers from 0 to 255, written xxx.xxx.xxx.xxx; this series of numbers uniquely identifies each computer physically connected to the Internet.

Some ranges are reserved for local networks (192.168.x.x or 10.x.x.x for example). The shortage will be eased by IPv6, whose deployment is starting: the new notation moves from 2^32 to 2^128 possible addresses, enough to give each site on the same server its own address in the future.

Since IPv4 is still the most used protocol, we have a single IP address for the 10 or 100 sites hosted on our server. When an HTTP request reaches us, the domain name has already been converted to that IP address. The only way to tell a request for site1-cpnv.com from one for site2-cpnv.com, which resolve to the same IP, is the HTTP Host header, which always carries the domain name originally requested.

When the request reaches our HTTP server, it looks through its rules to find the directory it should serve from. This is where virtual host management comes in: we create one entry per site hosted on our server, containing the expected domain name and the directory to serve it from.

Prerequisites

Once the base server is installed, we create and configure our hosting spaces. This tutorial assumes the following:

  • You want to reach your sites as http://server_ip/~user_name
  • You only have one IP address for all your sites

In this first part we edit /etc/apache2/apache2.conf and create files in /etc/apache2/sites-available and /etc/apache2/sites-enabled.

Enable the userdir module

# a2enmod userdir

then restart Apache:

# /etc/init.d/apache2 restart

Check which user and group Apache runs as:

# nano /etc/apache2/envvars

and check the lines:

export APACHE_RUN_USER=www-data
export APACHE_RUN_GROUP=www-data

Set the files served by default when a directory is requested:

# nano /etc/apache2/mods-enabled/dir.conf
DirectoryIndex index.html index.php index.xhtml

Check that user directories are mapped to public_html:

# nano /etc/apache2/mods-available/userdir.conf

and make sure this line is present:

UserDir public_html

Enable PHP for userdir

Running PHP in user directories is disabled by default by this module. With the PHP engine off, Apache serves .php files as plain text, so visitors could download your PHP source code (and any database password in it) instead of the page. To enable PHP there, edit /etc/apache2/mods-enabled/php5.conf and comment out the lines as below:

[..]
# <IfModule mod_userdir.c>
#     <Directory /home/*/public_html>
#         php_admin_value engine Off
#     </Directory>
# </IfModule>
[..]

Restart Apache:

# /etc/init.d/apache2 restart

Installing virtual hosts

We now create our virtual hosts. By default I will call them test1.com and test2.com; use the names you want. But before dealing with the users, we change the skeleton used when creating new accounts. The advantage: no need to create the public_html and logs directories by hand each time a user is added, and every new space gets a home page straight away.

# mkdir /etc/skel/public_html
# mkdir /etc/skel/logs
# echo "<h1>New web space created</h1>" > /etc/skel/public_html/index.html

After creating the skeleton, we can create a new user (-m creates the home directory from the skeleton, -g www-data makes www-data its primary group so that Apache can read the files):

# useradd -g www-data -m test1

Create a new file /etc/apache2/sites-available/test1.com:

# nano /etc/apache2/sites-available/test1.com

and put in it:

<VirtualHost *:80>
        ServerAdmin postmaster@test1.com
        ServerName www.test1.com
        ServerAlias test1.com
        DocumentRoot /home/test1/public_html/
        <Directory /home/test1/public_html/>
                Options -Indexes +FollowSymLinks +MultiViews
                AllowOverride All
        </Directory>
        ErrorLog /home/test1/logs/error.log
        LogLevel warn
        CustomLog /home/test1/logs/access.log combined
        ServerSignature Off
</VirtualHost>

Two details matter here: Apache refuses an Options line that mixes bare and +/- prefixed options ("Either all Options must start with + or -, or no Option may"), and CustomLog takes the log file first and the format name second. Because the hosting user controls public_html, +SymLinksIfOwnerMatch is a safer choice than +FollowSymLinks: Apache then refuses to follow a symlink whose target belongs to someone else, so a user cannot publish files from elsewhere on the system by linking to them.

Save and close the file, then enable the site (the a2ensite test1.com helper does the same thing):

# ln -s /etc/apache2/sites-available/test1.com /etc/apache2/sites-enabled/test1.com

Check that the syntax is correct:

# apache2ctl -t

If you get "Syntax OK", restart apache2:

# /etc/init.d/apache2 restart

You should now be able to open http://YOUR_SERVER_IP/~test1/ and see "New web space created".


vsftpd configuration in "virtual user" mode

Now that we have a working web server and the ability to create our databases, we need to put our files on the server. For this we use vsftpd, the Very Secure FTP Daemon, installed earlier.

vsftpd supports several configuration styles. Since we want several FTP accounts per domain, including accounts pointing at subdomains, we use the virtual user setup.

For this we use a Berkeley DB database. It is not an SQL database meant to be queried like MySQL or SQL Server: it is a hash table in which each record is just a login and a password. It is indexed, extremely fast and simple to set up, and it is the format expected by the pam_userdb PAM module that vsftpd authenticates against.

In principle, we do not create a UNIX user per FTP account. When a user connects, vsftpd checks through PAM whether the login exists in our database and whether the password matches, then looks up that user's specific settings (chroot, local_root, write permissions) and drops the session into the requested directory.

Thanks to the chroot, the user's directory is seen as the root of the filesystem and the user cannot climb above it. This matters because every FTP session runs as the same UNIX user, www-data: the chroot and each user's local_root are the only things separating one hosted site from another, so a wrong local_root in a user's file gives that user write access to another site. Note also that plain FTP sends the login and password in clear text unless TLS is enabled (ssl_enable in vsftpd.conf).

To create a new user, just add an entry for it in the Berkeley DB and write its personal configuration file.

Preparation

Start by creating the directory that will hold all our vsftpd files:

# mkdir /etc/vsftpd

We are going to change the vsftpd configuration, so first make a backup to fall back on in case of trouble:

# cp /etc/vsftpd.conf /etc/vsftpd.conf.bak
# cp /etc/pam.d/vsftpd /etc/pam.d/vsftpd.bak

Changing vsftpd.conf

To use our virtual users, we need to rewrite vsftpd.conf.

Delete /etc/vsftpd.conf:

# rm /etc/vsftpd.conf

Then create it again:

# nano /etc/vsftpd.conf

and paste in the following configuration (vsftpd requires key=value with no spaces around the equals sign):

# Run vsftpd in "standalone" mode
listen=YES

# Disable anonymous connections and enable non-anonymous ones
# (virtual users count as non-anonymous here):
anonymous_enable=NO
local_enable=YES

# For safety, forbid writing globally; it is re-enabled per user later:
write_enable=NO
anon_upload_enable=NO
anon_mkdir_write_enable=NO
anon_other_write_enable=NO

# guest_enable is very important: it activates virtual users!
# guest_username is the UNIX user every virtual user is mapped to;
# their home is that user's home unless local_root overrides it.
guest_enable=YES
guest_username=www-data

# Default permissions of uploaded files
anon_umask=022

# Keep virtual users inside their home (that is what the chroot is for!)
chroot_local_user=YES

# Maximum number of sessions, 200 (new clients get a message like
# "Error: Server busy"), and maximum number of sessions per IP, 4
max_clients=200
max_per_ip=4

####################################
#       Debian customization       #
####################################
# Some of vsftpd's settings do not fit the Debian filesystem layout by
# default. These settings are more Debian-friendly.
#
# This option should be the name of a directory which is empty. Also, the
# directory should not be writable by the FTP user. This directory is used
# as a secure chroot() jail at times vsftpd does not require filesystem
# access.
secure_chroot_dir=/var/run/vsftpd
#
# This string is the name of the PAM service vsftpd will use.
pam_service_name=vsftpd
#
# This option specifies the location of the RSA certificate to use for SSL
# encrypted connections (only used once ssl_enable=YES is set).
rsa_cert_file=/etc/ssl/certs/vsftpd.pem

# Enable individual settings for each user
user_config_dir=/etc/vsftpd/vsftpd_user_conf

Save and exit. Note that rsa_cert_file alone does not turn on TLS: without ssl_enable=YES the FTP logins and passwords still cross the network in clear text.

Set up the users

We now chroot each user into its own directory. For this, we create the directory that holds the per-user settings files, then one file per login known to our database (the logins and passwords themselves go into /etc/vsftpd/login.db, and /etc/pam.d/vsftpd must authenticate against it, as described under "Add an FTP user" below).

# mkdir /etc/vsftpd/vsftpd_user_conf/

Then create the file /etc/vsftpd/vsftpd_user_conf/user1:

# nano /etc/vsftpd/vsftpd_user_conf/user1

and add:

anon_world_readable_only=NO
local_root=/home/test1/public_html
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES

Save and close. The local_root line is what ties the FTP login user1 to the site test1; check it carefully, because every session runs as www-data and nothing else stops user1 from writing into another site's directory if the path is wrong.

Restart and test

Restart the FTP service:

# /etc/init.d/vsftpd restart

It remains to connect to our FTP account with:

IP: the server's IP address
login: user1
password: pass1

There you go. A quick test to check that everything works, and it's done ;).

If you cannot upload files, the permissions are wrong. Make sure /home/test1/public_html is owned by www-data, user and group, since that is the account the FTP session runs as:

# chown www-data:www-data /home/test1/public_html

Keep in mind that www-data is also the user PHP scripts run as, so a script in any site on the server can then write into this directory too.

Add an FTP user

To add a user, append its login and password to /etc/vsftpd/login.txt, login on one line and password on the next (the text format db_load reads with -T), then rebuild the database:

# db4.8_load -T -t hash -f /etc/vsftpd/login.txt /etc/vsftpd/login.db

The passwords are stored in clear text, so both files must stay readable by root only. Then add the user's settings in /etc/vsftpd/vsftpd_user_conf/USERNAME and restart vsftpd:

# /etc/init.d/vsftpd restart
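The following script is an added example, not code from the original tutorial. It ties together the pieces of the virtual user setup above: the login.txt format that db_load -T expects, the database rebuild, the per-user settings file, and the /etc/pam.d/vsftpd configuration that the tutorial backs up but never shows. The two pam_userdb lines, the helper names and the VSFTPD_DIR variable are this example's assumptions; the directory layout and the user1/test1 pairing are the ones used on the page.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: the full procedure for one
# vsftpd virtual user as described above, in script form. Assumptions of this
# script, not facts from the page: login.txt holds "login" and "password" on
# alternating lines (the text format db_load reads with -T), the database is
# login.db next to it, and /etc/pam.d/vsftpd, which the tutorial backs up but
# never shows, authenticates against that database with pam_userdb.

set -eu

VSFTPD_DIR=${VSFTPD_DIR:-/etc/vsftpd}

# render_user_conf SITEUSER: per-user settings that re-enable writing inside
# that site's public_html only (the global vsftpd.conf has write_enable=NO).
render_user_conf() {
    cat <<EOF
anon_world_readable_only=NO
local_root=/home/$1/public_html
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_other_write_enable=YES
EOF
}

# render_pam_config: contents of /etc/pam.d/vsftpd. pam_userdb appends ".db"
# itself, so db= names the file without its extension. Passwords are compared
# in clear text, which is why login.db must be readable by root only.
render_pam_config() {
    cat <<EOF
auth    required pam_userdb.so db=$VSFTPD_DIR/login
account required pam_userdb.so db=$VSFTPD_DIR/login
EOF
}

# add_ftp_login LOGINFILE LOGIN PASSWORD: append one key/value pair, and
# refuse a login that is already present (odd lines are the keys).
add_ftp_login() {
    loginfile=$1 login=$2 password=$3
    [ -f "$loginfile" ] || : > "$loginfile"
    if awk 'NR % 2 == 1' "$loginfile" | grep -qxF -- "$login"; then
        echo "login $login already exists in $loginfile" >&2
        return 1
    fi
    printf '%s\n%s\n' "$login" "$password" >> "$loginfile"
}

# rebuild_login_db: regenerate login.db from login.txt (both root only).
rebuild_login_db() {
    db4.8_load -T -t hash -f "$VSFTPD_DIR/login.txt" "$VSFTPD_DIR/login.db"
    chmod 600 "$VSFTPD_DIR/login.txt" "$VSFTPD_DIR/login.db"
}

# add_ftp_user LOGIN PASSWORD SITEUSER: everything needed on the real server,
# e.g. "add_ftp_user user1 pass1 test1" for the account used above.
add_ftp_user() {
    login=$1 password=$2 siteuser=$3
    add_ftp_login "$VSFTPD_DIR/login.txt" "$login" "$password"
    rebuild_login_db
    mkdir -p "$VSFTPD_DIR/vsftpd_user_conf"
    render_user_conf "$siteuser" > "$VSFTPD_DIR/vsftpd_user_conf/$login"
    render_pam_config > /etc/pam.d/vsftpd
    chown www-data:www-data "/home/$siteuser/public_html"  # session runs as www-data
    /etc/init.d/vsftpd restart
}
```

The duplicate check in add_ftp_login is there because login.txt is the source of truth that the database is rebuilt from: a second entry for the same login would silently change which password wins.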

Setting up domain names

Now that our web server is installed, our visitors need to be able to find us, and it is not easy to remember an address like 213.251.175.34/~my_site_name (if you do, you are a champion ;)). We will use a domain name instead, for an address of the form www.test1.com.

Method 1: use your registrar

A DNS server links a domain name to the IP address of your server, and your registrar (OVH for example) lets you set up that link. When a visitor enters www.test1.com, DNS resolves it to our server's IP address. The server then looks at the host name the request was addressed to (www.test1.com in our case), and the matching Apache VirtualHost maps it to the site's directory (/home/test1/public_html/).

Specify the DNS servers to use (OVH)

Normally, when you have just bought your domain name, this information is already filled in.

Enter the IP address of your server

This information goes into the A record of the domain, in your registrar's DNS zone editor.

Create a subdomain

Knowing how to create a subdomain is almost essential for anyone who wants to administer their own server.

Apache side

We saw earlier how to map a domain name to a directory; now we want to map a subdomain to a directory.

Edit the corresponding virtual host:

# nano /etc/apache2/sites-available/test1.com

and add the block for our subdomain after the existing one.

Our file should now look like:

<VirtualHost *:80>
        ServerAdmin postmaster@test1.com
        ServerName www.test1.com
        ServerAlias test1.com
        DocumentRoot /home/test1/public_html/
        <Directory /home/test1/public_html/>
                Options -Indexes +FollowSymLinks +MultiViews
                AllowOverride All
        </Directory>
        ErrorLog /home/test1/logs/error.log
        LogLevel warn
        CustomLog /home/test1/logs/access.log combined
        ServerSignature Off
</VirtualHost>

<VirtualHost *:80>
        ServerName admin.test1.com
        DocumentRoot /home/test1/public_html/sd_admin/
</VirtualHost>

You can create the sd_admin directory over FTP. Since it sits inside the main site's DocumentRoot, it also stays reachable as http://www.test1.com/sd_admin/, so do not rely on the subdomain name alone to hide it.

Save and close the file. If the site is not already enabled, enable it:

# ln -s /etc/apache2/sites-available/test1.com /etc/apache2/sites-enabled/test1.com

Check that the syntax is correct:

# apache2ctl -t

If you get "Syntax OK", restart apache2:

# /etc/init.d/apache2 restart
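The following script is an added example, not code from the original tutorial. It generates the VirtualHost of the "Installing virtual hosts" section and the subdomain block of this section for any hosting user, then enables the site and checks the configuration before reloading Apache. It assumes the Debian 6 apache2 layout (a2ensite, apache2ctl, /etc/apache2/sites-available) and the /home/USER/public_html and /home/USER/logs skeleton from the page; USER, DOMAIN and SUB are parameters, not values taken from the text, and the subdomain block adds its own log files, which the page's version does not have.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: generate, enable and check
# the Apache configuration for one hosted user, following the layout above
# (/home/USER/public_html, /home/USER/logs, primary group www-data) and the
# subdomain VirtualHost of the "Create a subdomain" section.
# Assumed: Debian 6 apache2 with a2ensite and apache2ctl; USER, DOMAIN and SUB
# are arguments, not values from the page.

set -eu

# render_vhost USER DOMAIN: the main VirtualHost for www.DOMAIN and DOMAIN.
render_vhost() {
    user=$1 domain=$2
    cat <<EOF
<VirtualHost *:80>
        ServerAdmin postmaster@${domain}
        ServerName www.${domain}
        ServerAlias ${domain}
        DocumentRoot /home/${user}/public_html/
        <Directory /home/${user}/public_html/>
                # all options must be +/- or all bare; -Indexes stops directory
                # listings, SymLinksIfOwnerMatch refuses links to files the
                # hosting user does not own
                Options -Indexes +SymLinksIfOwnerMatch +MultiViews
                AllowOverride All
        </Directory>
        ErrorLog /home/${user}/logs/error.log
        LogLevel warn
        CustomLog /home/${user}/logs/access.log combined
        ServerSignature Off
</VirtualHost>
EOF
}

# render_subdomain_vhost USER DOMAIN SUB: SUB.DOMAIN served from the
# sd_SUB subdirectory of the same user's public_html, with its own logs.
render_subdomain_vhost() {
    user=$1 domain=$2 sub=$3
    cat <<EOF

<VirtualHost *:80>
        ServerName ${sub}.${domain}
        DocumentRoot /home/${user}/public_html/sd_${sub}/
        ErrorLog /home/${user}/logs/${sub}.error.log
        CustomLog /home/${user}/logs/${sub}.access.log combined
</VirtualHost>
EOF
}

# create_site USER DOMAIN [SUB...]: create the account from /etc/skel, write
# the site file, enable it, and reload Apache only if the config parses.
# Runs as root on the server.
create_site() {
    user=$1 domain=$2; shift 2
    id "$user" >/dev/null 2>&1 || useradd -g www-data -m "$user"
    chmod 755 "/home/$user"                  # www-data must be able to traverse it
    site="/etc/apache2/sites-available/$domain"
    render_vhost "$user" "$domain" > "$site"
    for sub in "$@"; do
        render_subdomain_vhost "$user" "$domain" "$sub" >> "$site"
        mkdir -p "/home/$user/public_html/sd_$sub"
        chown "$user:www-data" "/home/$user/public_html/sd_$sub"
    done
    a2ensite "$domain"
    apache2ctl -t                            # set -e aborts here on an error
    /etc/init.d/apache2 reload
}
```

A call such as create_site test1 test1.com admin reproduces the two-block file shown above; because apache2ctl -t runs before the reload, a typo in the generated file leaves the running server untouched.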

DNS server side

Back at our registrar (OVH for example), declare the subdomain:

Add a new CNAME record for admin pointing at the main domain; Apache does the rest, since it picks the VirtualHost from the requested host name.

Method 2: use your server as a DNS server with Bind9

Introduction

One of the most delicate parts of the installation is configuring Bind9. Bind9 (Berkeley Internet Name Domain) is the most used DNS server on the Internet. It is what lets a name such as www.site1.com point to our server: it translates the various names into IP addresses, sending each request to the right place (the same server, in our case).

Bind configuration is a bit more complex than what we have seen so far. First, because the various tests take time: DNS propagation takes from 6 to 48 hours, depending on ISPs and registrars. Second, this is the first step that has a real impact on how our server is seen from outside. A misconfigured Bind, and our sites become unreachable!

Installing Bind itself is like the others, since we use the packaged binaries. Once installed, a few adjustments are needed. A BIND server answers recursive queries for its local networks by default, and older versions answered them for anyone, which makes it an open resolver. That is a security problem: open resolvers are abused by attackers and spammers as relays and amplifiers. We therefore explicitly restrict recursion to the server itself (localhost), while still answering authoritatively for our own zones to everyone.

Once that is done, we create a zone for each domain we host. Each zone is a single file, which by convention we call db.domain_name.tld. It is important to go through this file carefully: it contains many parameters, and one mistake there breaks name resolution for the whole domain.


Install bind9

# apt-get install bind9

named.conf.local

To configure BIND, we edit /etc/bind/named.conf.local and create one zone file for each domain we want to host.

Leave the default entries alone and add yours after the last zone (one entry per domain, and of course replace test1.com with your own domain name!).

# nano /etc/bind/named.conf.local

zone "test1.com" {
        type master;
        file "/etc/bind/db.test1.com";
};

One small change prevents our server from being used as an open resolver. Add this line inside the options { } block of the following file:

# nano /etc/bind/named.conf.options

allow-recursion { localhost; };

Save and close the file.

Create the zone file

Create the description file of our zone:

# nano /etc/bind/db.test1.com

Here is an example zone for our domain (adapt it to your needs; the kimsufi names are the hosting provider's name servers from the original setup):

$TTL 86400
test1.com.  IN SOA ksXXXXX.kimsufi.com. webmaster.test1.com. (
                        2011031001   ; serial
                        21600        ; refresh
                        3600         ; retry
                        604800       ; expire
                        86400 )      ; minimum
test1.com.  IN NS    ksXXXXX.kimsufi.com.
test1.com.  IN NS    ns.kimsufi.com.
test1.com.  IN MX    10 mail.test1.com.
test1.com.  IN A     xxx.xxx.xxx.xxx
server      IN A     xxx.xxx.xxx.xxx
www         IN A     xxx.xxx.xxx.xxx
mail        IN A     xxx.xxx.xxx.xxx
smtp        IN A     xxx.xxx.xxx.xxx
pop         IN A     xxx.xxx.xxx.xxx
pop3        IN CNAME server
imap        IN A     xxx.xxx.xxx.xxx
sql         IN A     xxx.xxx.xxx.xxx
mysql       IN A     xxx.xxx.xxx.xxx

Some explanations:

Field        Description
2011031001   Serial number. It must increase each time the file is edited, otherwise slaves keep their old copy. By convention it is written as the date followed by a two-digit counter: YYYYMMDDnn.
21600        Refresh: how long a slave waits before asking the master whether the zone has changed. Unit: seconds.
3600         Retry: how long a slave waits before asking again after a failed refresh. Unit: seconds.
604800       Expire: after this long without reaching the master, a slave stops answering for the zone. Unit: seconds.
86400        Minimum TTL; in BIND 9 this is the negative-caching TTL, i.e. how long other DNS servers cache a "no such name" answer. Unit: seconds.
CNAME        Canonical name record: declares that one name is an alias of another.
A            Address record: assigns an IP address to a name.
NS           Name Server record: announces the name servers authoritative for the zone.
MX           Mail eXchange record: says where mail for names in this zone must be delivered.
SOA          Start Of Authority record: carries the authoritative parameters of the zone (primary name server, contact address, serial and timers).
PTR          PoinTeR record: maps an address back to a name, used in reverse zones.

Once saved, restart bind9 (the bind9 package ships named-checkconf and named-checkzone to validate the configuration and the zone file before restarting; a zone with a syntax error is simply not loaded):

# /etc/init.d/bind9 restart

Now it remains to test name resolution for our domain names. A web search will also turn up complete descriptions of the various Bind options.

Two online tools can check our zone:

http://www.afnic.fr/outils/zonecheck

http://www.dnsstuff.com/

For a .fr domain you must not have any error left (fatal in zonecheck, a red box at DNSstuff): AFNIC, the .fr registry, refuses a delegation whose zone check fails. For other TLDs, test directly with your registrar. Either way, ideally there should not be a single error, obviously!
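The following script is an added example, not code from the original tutorial. It automates the part of zone maintenance that most often goes wrong in practice: bumping the SOA serial with the YYYYMMDDnn convention explained above (a slave ignores a zone whose serial did not increase), then running named-checkconf and named-checkzone before asking bind9 to reload. Its assumptions, not the page's: the serial is the first field of its own line right after the SOA line, as in the zone above, and named-checkconf, named-checkzone and rndc are available from the bind9 package on the server.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: bump the SOA serial of a
# zone file using the YYYYMMDDnn convention described above, then validate the
# zone with named-checkzone before asking bind9 to reload it.
# Assumptions (this script's, not the page's): the serial is the first field of
# its own line right after the SOA line, as in the zone above; named-checkconf,
# named-checkzone and rndc come from the bind9 package on the server.

set -eu

# next_serial CURRENT TODAY: CURRENT is the serial in the file, TODAY is
# YYYYMMDD. Same day: increment the two-digit counter (99 is the limit);
# new day: start again at 01. A serial somehow ahead of today is still
# incremented, because a serial that goes backwards is ignored by slaves.
next_serial() {
    current=$1 today=$2
    case $current in
        ${today}[0-9][0-9])
            counter=${current#$today}
            counter=${counter#0}              # "09" -> "9": avoid octal parsing
            if [ "$counter" -ge 99 ]; then
                echo "serial $current: no room left for today" >&2
                return 1
            fi
            printf '%s%02d\n' "$today" $((counter + 1))
            ;;
        *)
            if [ "$current" -lt "${today}01" ]; then
                printf '%s01\n' "$today"
            else
                echo $((current + 1))          # clock went back: just bump
            fi
            ;;
    esac
}

# bump_zone_serial FILE TODAY: rewrite the serial in place, print the new one.
bump_zone_serial() {
    file=$1 today=$2
    current=$(awk '/[ \t]SOA[ \t]/ { insoa = 1; next }
                   insoa && $1 ~ /^[0-9]+$/ { print $1; exit }' "$file")
    [ -n "$current" ] || { echo "no serial found in $file" >&2; return 1; }
    new=$(next_serial "$current" "$today")
    tmp=$(mktemp)
    awk -v old="$current" -v new="$new" '
        /[ \t]SOA[ \t]/ { insoa = 1 }
        insoa && !done && $1 == old { sub(old, new); done = 1 }   # keeps indentation
        { print }' "$file" > "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
    echo "$new"
}

# reload_zone ZONE FILE: on the server, bump the serial and check before
# reloading; set -e stops the script if either check fails, so a broken zone
# is never handed to bind9.
reload_zone() {
    zone=$1 file=$2
    bump_zone_serial "$file" "$(date +%Y%m%d)"
    named-checkconf
    named-checkzone "$zone" "$file"
    rndc reload "$zone"
}
```

Typical use after editing the zone is reload_zone test1.com /etc/bind/db.test1.com; forgetting the serial bump is the classic reason a change "works" on the master but never shows up on the secondary name server.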

