Difference between revisions of "Install a new server"

From Organic Design wiki
m (DNS Server)
(move LAN and DNS out)
Line 35: Line 35:
  
 
You will have a functioning server and LAMP environment.
 
You will have a functioning server and LAMP environment.
 
== LAN Configuration ==
 
Skip this section if the server is a dedicated Internet server, this section covers the steps required to set the server up as a firewall between the internal LAN and the external WAN.
 
 
=== Network interfaces ===
 
Typically when running on a LAN we'll have two LAN cards on the server with the following ''/etc/network/interfaces'':
 
{{code|<pre>
 
auto eth0
 
iface eth0 inet static
 
address 192.168.0.1
 
netmask 255.255.255.0
 
broadcast 192.168.0.255
 
gateway 192.168.0.254
 
 
auto eth1
 
iface eth1 inet static
 
address 192.168.1.1
 
netmask 255.255.255.0
 
broadcast 192.168.1.255
 
</pre>}}
 
 
=== Firewall ===
 
The 192.168.0 subnet is on ''eth0'' and connects to the Internet router (which should have '''no''' wireless on it), and the 192.168.1 subnet is on ''eth1'' and connects to the internal LAN hub. These network interfaces must then be configured as a firewall which can be done by copying the [[firewall]] script to ''/etc/network/if-up.d/00-firewall'' so that it executes whenever the networking starts up. Don't forget to restart the networking after making changes with '''/etc/init.d/networking restart'''.
 
 
=== DHCP Server ===
 
A DHCP server should be installed to be authoritative on the internal (192.168.1) subnet, and should specify the gateway and DNS server as itself. First install it with '''apt-get install dhcp3-server''', then add the following configuration to ''/etc/dhcp/dhcpd.conf'':
 
{{code|<pre>
 
ddns-update-style none;
 
option domain-name-servers 192.168.1.1;
 
default-lease-time 600;
 
max-lease-time 7200;
 
authoritative;
 
log-facility local7;
 
 
# External subnet
 
subnet 192.168.0.0 netmask 255.255.255.0 {
 
}
 
 
# Internal subnet
 
subnet 192.168.1.0 netmask 255.255.255.0 {
 
range 192.168.1.50 192.168.1.200;
 
option routers 192.168.1.1;
 
option broadcast-address 192.168.1.255;
 
option subnet-mask 255.255.255.0;
 
}
 
</pre>}}
 
 
=== DNS Server ===
 
Requests under the organisations domain name from the Internet must be forwarded to the ISP-assigned external IP address using an A-record. This may require [[Dynamic DNS]] if a static IP address arrangement has not been made with the ISP.
 
 
Requests made for the domain from within the LAN require the local server to be authoritative, but to refer all other requests to the ISP-assigned DNS servers.
 
 
Install Bind9 with '''apt-get install bind9''', then edit ''/etc/bind9/named.conf.options'' and set the ''forwarders'' to your ISP's domain name server, e.g.
 
{{code|<pre>
 
forwarders {
 
        58.28.4.2;
 
};
 
</pre>}}
 
 
 
Then and the following zone configuration in ''/etc/bind/named.conf.local'':
 
{{code|<pre>
 
zone "foo.org" {
 
type master;
 
file "foo.db";
 
};
 
 
zone "1.168.192.in-addr.arpa" {
 
type master;
 
file "db.192";
 
};
 
 
</pre>}}
 
 
 
The zone files reside in '''/var/cache/bind''' and are of the following format:
 
{{code|<pre>
 
$TTL 1D
 
@ IN SOA ns1.foo.co.nz. root.foo.co.nz. (
 
                      200905081        ; Serial
 
                        604800        ; Refresh
 
                          86400        ; Retry
 
                        2419200        ; Expire
 
                        604800 )      ; Negative Cache TTL
 
 
NS      ns1
 
MX 10 mail.foo.co.nz.
 
ns1 IN A 192.168.1.1
 
www IN A 202.174.108.130
 
wiki IN A 192.168.1.1
 
mail IN A 192.168.1.1
 
</pre>}}
 
 
 
And the reverse lookup file also in '''/var/cache/bind''':
 
{{code|<pre>
 
@ IN SOA foo.co.nz. root.foo.co.nz. (
 
                      20090508 ; Serial
 
                        604800 ; Refresh
 
                          86400 ; Retry
 
                        2419200 ; Expire
 
                        604800 ) ; Default TTL
 
 
IN NS ns1.foo.co.nz.
 
1 IN PTR foo.co.nz.
 
</pre>}}
 
  
 
== Post install checklist ==
 
== Post install checklist ==
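Review bot: the firewall script in the removed LAN section is hooked at /etc/network/if-up.d/00-firewall, so the rules are loaded only after eth0 is already up and passing traffic; placing it under /etc/network/if-pre-up.d/ instead runs it before the interface comes up and closes that window. Two smaller points in the same hunk: named.conf.local declares zone "foo.org" with file "foo.db", but every record in the zone file (SOA, NS, MX) is for foo.co.nz., so one of the two names must change for the zone to serve anything; and the reverse zone file has no $TTL line, so BIND loads it with a warning and falls back to the SOA minimum, which is avoided by adding `$TTL 1D` as the forward zone does.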
Line 223: Line 117:
 
Adjust the names of the symlinks in the ''/var/www/domains'' directory to local domain names and ensure that those names are added to the ''/etc/hosts'' file.
 
Adjust the names of the symlinks in the ''/var/www/domains'' directory to local domain names and ensure that those names are added to the ''/etc/hosts'' file.
 
*'''Note:''' If you're installing your wikia structure on a local machine, then you must ensure that your domains such as ''foo.localhost'' are set in ''/etc/hosts'' as aliases for ''127.0.0.1''
 
*'''Note:''' If you're installing your wikia structure on a local machine, then you must ensure that your domains such as ''foo.localhost'' are set in ''/etc/hosts'' as aliases for ''127.0.0.1''
 +
*'''DNS:''' if you need to set up a DNS server or Dymamic DNS system, see [[Configure DNS]]
  
 
== Extracting Databases from a Backup ==
 
== Extracting Databases from a Backup ==
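Review bot: the added DNS bullet misspells "Dynamic" as "Dymamic"; since this line is the new pointer to [[Configure DNS]] where the dynamic DNS material now lives, correct it here before the text is copied again.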
Line 350: Line 245:
  
 
== Next steps ==
 
== Next steps ==
 +
*[[Configure LAN]] ''- DHCP server and firewall''
 +
*[[Configure DNS]] ''- LAN/Server based DNS and dynamic DNS solutions''
 
*[[Configure mail server]]
 
*[[Configure mail server]]
 
*[[Install a MediaWiki code-base]]
 
*[[Install a MediaWiki code-base]]
 
*[[Install an IRC server]]
 
*[[Install an IRC server]]
*[[Dynamic DNS]]
 
  
 
== See also ==
 
== See also ==

Revision as of 06:04, 12 May 2009

Install a new server (Organic Design procedure)

Download and install Debian

If the server has no OS, download and install Debian first. Depending on the kind of access you have to the server and the kind of media it can accept, the following links may be of interest.

Dell Servers

Dell servers may require the bnx2 non-free firmware for Broadcom LAN cards.

Setting up the software environment

Ensure that you're using the same package repository for your Debian installation as we are:

deb http://ftp.us.debian.org/debian stable main contrib non-free
deb http://security.debian.org stable/updates main contrib non-free


Bring the system up to date and install the organicdesign-server package:

echo "deb http://packages.organicdesign.co.nz main/" >> /etc/apt/sources.list
apt-get update
apt-get upgrade
apt-get install organicdesign-server


If you would like math markup support, also install the following, and see Enabling math markup for more details.

apt-get install dvipng tetex-extra cjk-latex ocaml

You will have a functioning server and LAMP environment.

Post install checklist

  • /etc/hostname, hostname -F /etc/hostname, /etc/hosts
  • tzselect, tzconfig
  • DB info for wikia, webmail, crm
  • /etc/ssh/sshd_config
  • /etc/crontab
  • /var/www/backup.pl
  • /var/www and /home structures (should be automatically maintained by adding new server as a peer)
  • Exim4 (this will need to be configured even for sending mail, see Configure mail server)
  • Import spamassassin bayesian rules

Setting up the Wikia file structure

Either copy the /var/www directory structure from an existing wikia installation (excluding the site-specific content in the domains and wikis directories), or unpack a recent www-yyyy-mm-dd.tgz backup into /var/www and remove the site-specific wiki content.

7za x www-yyyy-mm-dd.tgz
tar -xf www.tar /var

You will need to adjust the following items in the structure:

  • /var/www/extensions/wikia.php
  • /var/www/activity.log
  • /var/www/domains
  • /var/www/wikis

LAMP configuration

The easiest way to configure this is to copy the vhosts file that came from the backup over the default Apache configuration file, then replace the vhosts file with a symlink pointing at that default configuration as usual. Then adjust the file to the wikia's specific needs.

mysqladmin -u root -p password *******
mv /var/www/vhosts /etc/apache2/sites-available/default
ln -s /etc/apache2/sites-available/default /var/www/vhosts
a2enmod ssl
a2enmod rewrite

Activate the slow query log for mysqld. Make sure this directive is uncommented.

log_slow_queries = /var/log/mysql/mysql-slow.log

The differences to the default php.ini file in our servers are as follows:

max_execution_time = 300
memory_limit = 64M
log_errors = On
error_log = syslog
post_max_size = 100M
upload_max_filesize = 100M
extension=domxml
extension=fileinfo.so


If you installed from a backup, the Apache configuration is already in place from the decompressed filesystem backup. Otherwise, here is our typical vhost configuration, which maps domain names onto the filesystem structure. We usually just replace the default virtual hosts file with this one, which handles all domains and sites.

NameVirtualHost *:80
<VirtualHost *:80>
        DocumentRoot /var/www/domains

        RewriteEngine On

        RewriteCond %{REQUEST_URI} ^/$
        RewriteCond %{HTTP_HOST} ^(www\.|wiki\.)?(.+)$
        RewriteRule ^ /%2/wiki/index.php/Main_Page [L]

        RewriteCond %{REQUEST_URI} ^/files/thumb/./../.+?/[0-9]+px-
        RewriteCond %{HTTP_HOST} ^(www\.|wiki\.)?(.+)$
        RewriteRule ^.+/(.+?)/([0-9]+)px- /%2/wiki/thumb.php?w=$2&f=$1 [L]

        RewriteCond %{REQUEST_URI} ^/(wiki/|html|files/|[fF]avicon.ico|[rR]obots.txt)
        RewriteCond %{HTTP_HOST} ^(www\.|wiki\.)?(.+)$
        RewriteRule (.*) /%2$1 [L]

        RewriteCond %{HTTP_HOST} ^(www\.|wiki\.)?(.+)$
        RewriteRule (.*) /%2/wiki/index.php$1 [L]

</VirtualHost>

Domain names

Adjust the names of the symlinks in the /var/www/domains directory to local domain names and ensure that those names are added to the /etc/hosts file.

  • Note: If you're installing your wikia structure on a local machine, then you must ensure that your domains such as foo.localhost are set in /etc/hosts as aliases for 127.0.0.1
  • DNS: if you need to set up a DNS server or Dynamic DNS system, see Configure DNS
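Because the Host header in the vhost above selects which symlink under /var/www/domains serves a request, the symlinks there deserve a quick audit. The following is an added example, not part of the original page; it assumes a POSIX shell with GNU readlink and awk, and takes the domains directory, hosts file and web root as parameters so it can be run against a test tree:

```shell
#!/bin/sh
# Added example (not from the original page): audit the per-domain symlinks that the
# vhost's Host-header rewrite selects under DocumentRoot. Each symlink must resolve,
# stay inside the web root, and have a matching name in the hosts file.
# Usage: check_domains /var/www/domains /etc/hosts /var/www
# Prints one line per problem and returns 0 only when every domain is consistent.

name_in_hosts() {   # exact, case-insensitive match against the hostname fields
    awk -v n="$1" 'BEGIN { n = tolower(n) }
        { sub(/#.*/, ""); for (i = 2; i <= NF; i++) if (tolower($i) == n) found = 1 }
        END { exit !found }' "$2"
}

check_domains() {
    domains_dir=$1 hosts_file=$2 web_root=$3
    problems=0
    for link in "$domains_dir"/*; do
        [ -L "$link" ] || [ -e "$link" ] || continue   # empty directory, glob unmatched
        name=$(basename "$link")
        if [ ! -L "$link" ]; then
            echo "WARN $name: not a symlink"; problems=$((problems + 1)); continue
        fi
        if [ ! -e "$link" ]; then
            echo "WARN $name: dangling symlink (requests for this Host will 404)"
            problems=$((problems + 1)); continue
        fi
        # A symlink pointing outside the web tree exposes whatever it points at.
        target=$(readlink -f "$link")
        case "$target" in
            "$web_root"/*) ;;
            *) echo "WARN $name: target $target lies outside $web_root"
               problems=$((problems + 1)) ;;
        esac
        if ! name_in_hosts "$name" "$hosts_file"; then
            echo "WARN $name: no entry in $hosts_file"; problems=$((problems + 1))
        fi
    done
    echo "$problems problem(s) found"
    [ "$problems" -eq 0 ]
}
```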

Extracting Databases from a Backup

Extract the most recent database backup (this may overwrite existing databases of the same names):

7za x all-yyyy-mm-dd.sql.7z
mysql -u root -p < all.sql
mysqladmin -u root -p flush-privileges

Setting up FTP access

Some clients may require standard FTP access, which, although not very secure, can have some restrictions put on it to make it a little safer, such as restricting users to their home directories and using a non-standard port. We use the GPL proFTPD server in standalone mode.

apt-get install proftpd

Edit the /etc/proftpd/proftpd.conf file, change the port to something other than 22, and add the following directive to restrict users to their home directories.

DefaultRoot ~

Setting up SSL for Apache

Create a file called organicdesign.co.nz in /var/www/ssl (the directory that holds the certificate and key) with this content.

<VirtualHost organicdesign.co.nz:443>
        DocumentRoot /var/www/domains
        ServerAlias private.organicdesign.co.nz
        ServerAlias www.organicdesign.co.nz

        LogFormat "%h %l %u %t \"%r\" %>s %b" common
        CustomLog /var/log/apache2/access.log common

        RewriteEngine On

        SSLEngine on
        SSLCertificateFile /var/www/ssl/organicdesign.co.nz.crt
        SSLCertificateKeyFile /var/www/ssl/organicdesign.co.nz.key

        RewriteCond %{REQUEST_URI} ^/$
        RewriteCond %{HTTP_HOST} ^(www\.|wiki\.)?(.+)$
        RewriteRule ^ /%2/wiki/index.php/Main_Page [L]

        RewriteCond %{REQUEST_URI} ^/files/thumb/./../.+?/[0-9]+px-
        RewriteCond %{HTTP_HOST} ^(www\.|wiki\.)?(.+)$
        RewriteRule ^.+/(.+?)/([0-9]+)px- /%2/wiki/thumb.php?w=$2&f=$1 [L]

        RewriteCond %{REQUEST_URI} ^/(wiki/|html|files/|common/|blogs|[fF]avicon.ico|[rR]obots.txt)
        RewriteCond %{HTTP_HOST} ^(www\.|wiki\.)?(.+)$
        RewriteRule (.*) /%2$1 [L]

        RewriteCond %{HTTP_HOST} ^(www\.|wiki\.)?(.+)$
        RewriteRule (.*) /%2/wiki/index.php$1 [L]
</VirtualHost>


Then include the new file from the vhosts file:

echo 'Include /var/www/ssl/organicdesign.co.nz' >> /var/www/vhosts


Check the Apache configuration before reloading:

apachectl -t


Check the certificate with this command:

cd /var/www/ssl
openssl s_server -cert organicdesign.co.nz.crt -key organicdesign.co.nz.key 


The following output indicates the certificate is working correctly:

Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT


If everything is OK, reload the server:

/etc/init.d/apache2 reload


Check the error log for problems:

tail -f /var/log/apache2/error.log


If you see a message like this, everything is OK:

[Sat Mar 14 11:32:18 2009] [notice]
    Apache/2.2.9 (Debian) DAV/2 SVN/1.4.2 PHP/5.2.0-8+etch13 mod_ssl/2.2.9 OpenSSL/0.9.8g configured
    -- resuming normal operations


If you see something like this, you have problems:

[Fri Mar 13 21:46:54 2009] [error] SSL Library Error:
    218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri Mar 13 21:46:54 2009] [error] SSL Library Error:
    218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
Check the permissions and paths of the certificates and keys. The server will be down at this point: comment out the last Include line in vhosts and run /etc/init.d/apache2 start, and the server will come back up without SSL while you fix it.
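The permission and path inspection described above can be done once, before the Include is enabled and before Apache is taken down. The check below is an added example, not from the original page; it assumes an unencrypted PEM key, OpenSSL on the path and GNU stat, and uses the certificate and key paths from this page:

```shell
#!/bin/sh
# Added example (not from the original page): pre-flight check for an Apache SSL vhost.
# Catches the usual causes of the "SSL Library Error ... wrong tag" log lines (a file
# that is not PEM, or cert and key swapped), a key that does not belong to the cert,
# an expired cert, and a private key readable by group or others.
# Usage: check_ssl_pair /var/www/ssl/organicdesign.co.nz.crt /var/www/ssl/organicdesign.co.nz.key
check_ssl_pair() {
    crt=$1 key=$2
    for f in "$crt" "$key"; do
        [ -r "$f" ] || { echo "FAIL: cannot read $f"; return 1; }
    done
    # Apache reads the key as root at startup; any wider mode just leaks it.
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    case "$mode" in
        *00) ;;
        *) echo "FAIL: $key has mode $mode (readable by group/other)"; return 1 ;;
    esac
    # Both files must parse as PEM objects of the expected type.
    openssl x509 -noout -in "$crt" 2>/dev/null \
        || { echo "FAIL: $crt is not a PEM certificate"; return 1; }
    openssl pkey -noout -in "$key" 2>/dev/null \
        || { echo "FAIL: $key is not a PEM private key"; return 1; }
    # The key belongs to the cert only if both yield the same public key.
    crt_pub=$(openssl x509 -noout -pubkey -in "$crt")
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null)
    [ "$crt_pub" = "$key_pub" ] || { echo "FAIL: $key does not match $crt"; return 1; }
    openssl x509 -noout -checkend 0 -in "$crt" >/dev/null \
        || { echo "FAIL: $crt has expired"; return 1; }
    echo "OK: $crt and $key are a matching, unexpired pair"
}
```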

Install vim (not required)

apt-get -y install vim
cat >> ~/.vimrc
syntax on
<Press Ctrl-D>
cat >> ~/.bashrc
alias vi='vim'
<Press Ctrl-D>

Next steps

See also