Difference between revisions of "Install a new server"

Install a new server Organic Design procedure

Download and install Debian

If the server has no OS then download and install Debian first. Depending on the kind of access you have to the server and the kind of media it can accept, the following links may be of interest.

• Debian Conversion - Change an existing Linux distro into Debian using only SSH access
• Debian installation from memory stick - This is actually one of the most convenient means of installation even when DVD/CD are available

Dell Servers

Dell servers may require the bnx2 non-free firmware for Broadcom LAN cards.

Setting up the software environment

Ensure that you're using the same package repository for your Debian installation as we are:

deb http://ftp.us.debian.org/debian stable main contrib non-free
deb http://security.debian.org stable/updates main contrib non-free

Bring the system up to date and install the organicdesign-server package:

echo "deb http://packages.organicdesign.co.nz main/" >> /etc/apt/sources.list
apt-get update
apt-get upgrade
apt-get install organicdesign-server

If you would like math markup support, also install the following, and see Enabling math markup for more details.

apt-get install dvipng tetex-extra cjk-latex ocaml

You will have a functioning server and LAMP environment.

Configuring a server for a LAN

Network interfaces

Typically when running on a LAN we'll have two LAN cards on the server with the following /etc/network/interfaces:

auto eth0
iface eth0 inet static
	address 192.168.0.1
	netmask 255.255.255.0
	network 192.168.0.0
	broadcast 192.168.0.255
	gateway 192.168.0.254

auto eth1
iface eth1 inet static
	address 192.168.1.1
	netmask 255.255.255.0
	network 192.168.1.0
	broadcast 192.168.1.255
	gateway 192.168.0.254
	ipforwarding active

Packet forwarding and NAT

The 192.168.0 subnet is on eth0 and connects to the Internet router (which should have no wireless on it), and the 192.168.1 subnet is on eth1 and connects to the internal LAN hub. These network interfaces must then be configured for NAT and packet forwarding:

/etc/init.d/networking stop
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
/etc/init.d/networking start

DHCP Server

A DHCP server should be installed to be authoritative on the internal (192.168.1) subnet, and should specify the gateway and DNS server as itself. First install it with apt-get install dhcp3-server, then add the following configuration to /etc/dhcp/dhcpd.conf:

ddns-update-style none;
option domain-name-servers 192.168.1.1;
default-lease-time 600;
max-lease-time 7200;
authoritative;
log-facility local7;

# External subnet
subnet 192.168.0.0 netmask 255.255.255.0 {
}

# Internal subnet
subnet 192.168.1.0 netmask 255.255.255.0 {
        range 192.168.1.50 192.168.1.200;
        option routers 192.168.1.1;
        option broadcast-address 192.168.1.255;
        option subnet-mask 255.255.255.0;
}

DNS

Requests under the organisations domain name from the Internet must be forwarded to the ISP-assigned external IP address using an A-record. This may require Dynamic DNS if a static IP address arrangement has not been made with the ISP.

Requests made for the domain from within the LAN require the local server to be authoritative, but to refer all other requests to the ISP-assigned DNS servers. Bind9 can be installed with apt-get install bind9 and the following configuration in /etc/bind/named.conf:

Post install checklist

• /etc/hostname, hostname -F /etc/hostname, /etc/hosts
• tzselect, tzconfig
• DB info for wikia, webmail, crm
• /etc/ssh/sshd_config
• /etc/crontab
• /var/www/backup.pl
• /var/www and /home structures (should be automatically maintained by adding new server as a peer)
• Exim4 (this will need to be configured even for sending mail, see Configure mail server)
• Import spamassassin bayesian rules

Setting up the Wikia file structure

Either copy the /var/www directory structure from an existing wikia installation (excluding the specific content from the domains and wikis directories). Alternatively, unpack a recent www-yyyy-mm-dd.tgz backup into /var/www and remove specific wiki content.

7za x www-yyyy-mm-dd-tgz
tar -xf www.tar /var

You will need to adjust the following items in the structure:

• /var/www/extensions/wikia.php
• /var/www/activity.log
• /var/www/domains
• /var/www/wikis

LAMP configuration

The easiest way to configure this is to copy the vhosts file which originated from the backup file over the default Apache configuration file, and then make the vhosts file a symlink pointing at the default configuration as usual. Then adjust the file to the wikia's specific needs.

mysqladmin -u root -p password *******
mv /var/www/vhosts /etc/apache2/sites-available/default
ln /etc/apache2/sites-available/default vhosts
a2enmod ssl
a2enmod rewrite 

Activate the slow query log for mysqld. Make sure this directive is uncommented.

log_slow_queries	= /var/log/mysql/mysql-slow.log

The differences to the default php.ini file in our servers are as follows:

max_execution_time = 300
memory_limit = 64M
log_errors = On
error_log = syslog
post_max_size = 100M
upload_max_filesize = 100M
extension=domxml
extension=fileinfo.so

The Apache configuration will already have been configured from within the decompressed FS backup, but if you're not installing from a backup, then here's our typical vhost configuration which maps domains to filesystem structure. We usually just replace the default virtual hosts file with this one which handles all domains and sites.

NameVirtualHost *:80
<VirtualHost *:80>
        DocumentRoot /var/www/domains

        RewriteEngine On

        RewriteCond %{REQUEST_URI} ^/$
        RewriteCond %{HTTP_HOST} ^(www\.|wiki\.)?(.+)$
        RewriteRule ^ /%2/wiki/index.php/Main_Page [L]

        RewriteCond %{REQUEST_URI} ^/files/thumb/./../.+?/[0-9]+px-
        RewriteCond %{HTTP_HOST} ^(www\.|wiki\.)?(.+)$
        RewriteRule ^.+/(.+?)/([0-9]+)px- /%2/wiki/thumb.php?w=$2&f=$1 [L]

        RewriteCond %{REQUEST_URI} ^/(wiki/|html|files/|[fF]avicon.ico|[rR]obots.txt)
        RewriteCond %{HTTP_HOST} ^(www\.|wiki\.)?(.+)$
        RewriteRule (.*) /%2$1 [L]

        RewriteCond %{HTTP_HOST} ^(www\.|wiki\.)?(.+)$
        RewriteRule (.*) /%2/wiki/index.php$1 [L]

</VirtualHost>

Domain names

Adjust the names of the symlinks in the /var/www/domains directory to local domain names and ensure that those names are added to the /etc/hosts file.

• Note: If you're installing your wikia structure on a local machine, then you must ensure that your domains such as foo.localhost are set in /etc/hosts as aliases for 127.0.0.1

Extracting Databases from a Backup

Extract the most recent database backup (this may overwrite existing databases of the same names)

7za x all-yyyy-mm-dd.sql.7z
mysql -u root -p < all.sql
mysqladmin -u root -p flush-privileges

Setting up FTP access

Some clients may require standard FTP access which although not very secure, can have some restrictions put on it to make it a little safer such as restricting users to their home directories and using a non standard port. We use the GPL proFTPD server in standalone mode.

apt-get install proftpd

Edit the /etc/proftpd/proftpd.conf file and change the port to something other than 22 and add the following directive to restrict users to their home directories.

DefaultRoot ~

Setting up SSL for Apache

• Generate a self signed certificate
• Generate a certificate request for a commercial Certificate Authority

Create a file in the same dir called organicdesign.co.nz with this content.

<VirtualHost organicdesign.co.nz:443>
        DocumentRoot /var/www/domains
	ServerAlias private.organicdesign.co.nz
	ServerAlias www.organicdesign.co.nz

        LogFormat "%h %l %u %t \"%r\" %>s %b" common
        CustomLog /var/log/apache2/access.log common

        RewriteEngine On

        SSLEngine on
        SSLCertificateFile /var/www/ssl/organicdesign.co.nz.crt
        SSLCertificateKeyFile /var/www/ssl/organicdesign.co.nz.key

        RewriteCond %{REQUEST_URI} ^/$
        RewriteCond %{HTTP_HOST} ^(www\.|wiki\.)?(.+)$
        RewriteRule ^ /%2/wiki/index.php/Main_Page [L]

        RewriteCond %{REQUEST_URI} ^/files/thumb/./../.+?/[0-9]+px-
        RewriteCond %{HTTP_HOST} ^(www\.|wiki\.)?(.+)$
        RewriteRule ^.+/(.+?)/([0-9]+)px- /%2/wiki/thumb.php?w=$2&f=$1 [L]

        RewriteCond %{REQUEST_URI} ^/(wiki/|html|files/|common/|blogs|[fF]avicon.ico|[rR]obots.txt)
        RewriteCond %{HTTP_HOST} ^(www\.|wiki\.)?(.+)$
        RewriteRule (.*) /%2$1 [L]

        RewriteCond %{HTTP_HOST} ^(www\.|wiki\.)?(.+)$
        RewriteRule (.*) /%2/wiki/index.php$1 [L]
</VirtualHost>

Run this line

echo 'Include /var/www/ssl/organicdesign.co.nz' >> /var/www/vhosts 

Check the apache config before reloading

apachectl -t

Check the cert with this command:

cd /var/www/ssl
openssl s_server -cert organicdesign.co.nz.crt -key organicdesign.co.nz.key 

The following output indicates the cert is working correctly

Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT

If everything is ok reload the server

/etc/init.d/apache2 reload

Check the error log for problems.

tail -f /var/log/apache2/error.log

If you see a message like this everything is ok.

[Sat Mar 14 11:32:18 2009] [notice]
    Apache/2.2.9 (Debian) DAV/2 SVN/1.4.2 PHP/5.2.0-8+etch13 mod_ssl/2.2.9 OpenSSL/0.9.8g configured
    -- resuming normal operations

If you see something like this you have problems:

[Fri Mar 13 21:46:54 2009] [error] SSL Library Error:
    218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri Mar 13 21:46:54 2009] [error] SSL Library Error:
    218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error
Check permissions and paths of certs and keys. The server will be down now.
    Comment the last ''Include'' from ''vhosts'' and ''/etc/init.d/apache2 start''.
    Server will be up now with no ssl.

Install vim (not required)

apt-get -y install vim
cat >> ~/.vimrc
syntax on
<Press Ctrl-D>
cat >> ~/.bashrc
Alias vi='vim'
<Press Ctrl-D>

Next steps

• Configure mail server
• Install a MediaWiki code-base
• Install an IRC server
• Dynamic DNS

See also

• Debian Post Install
• Add an IP address to a server