Difference between revisions of "Install a new server"

From Organic Design wiki
(a few checks to minimise outages)
m (add detail for common name)
Line 102: Line 102:
 
  cd /var/www/ssl
 
  cd /var/www/ssl
 
  openssl req -new -newkey rsa:1024 -days 3650 -nodes -x509 -keyout organicdesign.co.nz.pem -out organicdesign.co.nz.pem
 
  openssl req -new -newkey rsa:1024 -days 3650 -nodes -x509 -keyout organicdesign.co.nz.pem -out organicdesign.co.nz.pem
 +
Ensure the common name (cn) is entered as
 +
*.organicdesign.co.nz
 +
 
Open the pem in a text editor and separate the key and cert into two files
 
Open the pem in a text editor and separate the key and cert into two files
 
  /var/www/ssl/organicdesign.co.nz.crt
 
  /var/www/ssl/organicdesign.co.nz.crt

Revision as of 02:39, 14 March 2009

Procedure.svg Install a new server
Organic Design procedure

Download and install Debian

If the server has no OS then download and install Debian first. Depending on the kind of access you have to the server, the following links may be of interest here:

Setting up the software environment

Ensure that you're using the same package repository for your Debian installation as we are:

deb http://ftp.us.debian.org/debian stable main contrib non-free
deb http://security.debian.org stable/updates main contrib non-free

Bring the system up to date and install the organicdesign-server package:

echo "deb http://packages.organicdesign.co.nz main/" >> /etc/apt/sources.list
apt-get update
apt-get upgrade
apt-get install organicdesign-server

If you would like math markup support, also install the following, and see Enabling math markup for more details.

apt-get install dvipng tetex-extra cjk-latex ocaml

You will have a functioning server and LAMP environment.

Post install checklist

  • /etc/hostname, hostname -F /etc/hostname, /etc/hosts
  • tzselect, tzconfig
  • DB info for wikia, webmail, crm
  • /etc/ssh/sshd_config
  • /etc/crontab
  • /var/www/backup.pl
  • /var/www and /home structures (should be automatically maintained by adding new server as a peer)
  • Exim4 (this will need to be configured even for sending mail, see Configure mail server)
  • Import spamassassin bayesian rules

Setting up the Wikia file structure

Either copy the /var/www directory structure from an existing wikia installation (excluding the specific content from the domains and wikis directories). Alternatively, unpack a recent www-yyyy-mm-dd.tgz backup into /var/www and remove specific wiki content.

7za x www-yyyy-mm-dd-tgz
tar -xf www.tar /var

You will need to adjust the following items in the structure:

  • /var/www/extensions/wikia.php
  • /var/www/activity.log
  • /var/www/domains
  • /var/www/wikis

LAMP configuration

The easiest way to configure this is to copy the vhosts file which originated from the backup file over the default Apache configuration file, and then make the vhosts file a symlink pointing at the default configuration as usual. Then adjust the file to the wikia's specific needs.

mysqladmin -u root -p password *******
mv /var/www/vhosts /etc/apache2/sites-available/default
ln /etc/apache2/sites-available/default vhosts
a2enmod ssl
a2enmod rewrite 

The differences to the default php.ini file in our servers are as follows:

max_execution_time = 300
memory_limit = 64M
log_errors = On
error_log = syslog
post_max_size = 100M
upload_max_filesize = 100M
extension=domxml
extension=fileinfo.so

Domain names

Adjust the names of the symlinks in the /var/www/domains directory to local domain names and ensure that those names are added to the /etc/hosts file.

Extracting Databases from a Backup

Extract the most recent database backup (this may overwrite existing databases of the same names)

7za x all-yyyy-mm-dd.sql.7z
mysql -u root -p < all.sql
mysqladmin -u root -p flush-privileges

Setting up FTP access

Some clients may require standard FTP access which although not very secure, can have some restrictions put on it to make it a little safer such as restricting users to their home directories and using a non standard port. We use the GPL proFTPD server in standalone mode.

apt-get install proftpd

Edit the /etc/proftpd/proftpd.conf file and change the port to something other than 22 and add the following directive to restrict users to their home directories.

DefaultRoot ~

Setting up SSL for Apache

This procedure applies to a wildcard self-signed certificate.

mkdir /var/www/ssl
cd /var/www/ssl
openssl req -new -newkey rsa:1024 -days 3650 -nodes -x509 -keyout organicdesign.co.nz.pem -out organicdesign.co.nz.pem

Ensure the common name (cn) is entered as

*.organicdesign.co.nz

Open the pem in a text editor and separate the key and cert into two files

/var/www/ssl/organicdesign.co.nz.crt
/var/www/ssl/organicdesign.co.nz.key
chown www-data organicdesign.co.nz*

Create a file in the same dir called organicdesign.co.nz with this content.

<VirtualHost organicdesign.co.nz:443>
        DocumentRoot /var/www/domains
	ServerAlias private.organicdesign.co.nz
	ServerAlias www.organicdesign.co.nz

        LogFormat "%h %l %u %t \"%r\" %>s %b" common
        CustomLog /var/log/apache2/access.log common

        RewriteEngine On

        SSLEngine on
        SSLCertificateFile /var/www/ssl/organicdesign.co.nz.crt
        SSLCertificateKeyFile /var/www/ssl/organicdesign.co.nz.key

        RewriteCond %{REQUEST_URI} ^/$
        RewriteCond %{HTTP_HOST} ^(www\.|wiki\.)?(.+)$
        RewriteRule ^ /%2/wiki/index.php/Main_Page [L]

        RewriteCond %{REQUEST_URI} ^/files/thumb/./../.+?/[0-9]+px-
        RewriteCond %{HTTP_HOST} ^(www\.|wiki\.)?(.+)$
        RewriteRule ^.+/(.+?)/([0-9]+)px- /%2/wiki/thumb.php?w=$2&f=$1 [L]

        RewriteCond %{REQUEST_URI} ^/(wiki/|html|files/|common/|blogs|[fF]avicon.ico|[rR]obots.txt)
        RewriteCond %{HTTP_HOST} ^(www\.|wiki\.)?(.+)$
        RewriteRule (.*) /%2$1 [L]

        RewriteCond %{HTTP_HOST} ^(www\.|wiki\.)?(.+)$
        RewriteRule (.*) /%2/wiki/index.php$1 [L]

</VirtualHost>

Run this line

echo 'Include /var/www/ssl/organicdesign.co.nz' >> /var/www/vhosts 

Ensure mod_ssl is turned on

a2enmod ssl

Check the apache config before reloading

apachectl -t

Check the cert with this command:

cd /var/www/ssl# 
openssl s_server -cert organicdesign.co.nz.crt -key organicdesign.co.nz.key 

The following output indicates the cert is working correctly

Using default temp DH parameters
Using default temp ECDH parameters
ACCEPT

If everything is ok reload the server

/etc/init.d/apache2 reload

Check the error log for problems.

tail -f /var/log/apache2/error.log

If you see a message like this everything is ok.

[Sat Mar 14 11:32:18 2009] [notice] Apache/2.2.9 (Debian) DAV/2 SVN/1.4.2 PHP/5.2.0-8+etch13 mod_ssl/2.2.9 OpenSSL/0.9.8g configured -- resuming normal operations

If you see something like this you have problems:

[Fri Mar 13 21:46:54 2009] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Fri Mar 13 21:46:54 2009] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error

Check permissions and paths of certs and keys. The server will be down now. Comment the last Include from vhosts and /etc/init.d/apache2 start. Server will be up now with no ssl.

Next steps

See also