Annotation of /nfo/doc/computing/sysadmin/linux/howto-freevsd-prepare-vhost.txt


Revision 1.1
Mon Feb 11 01:22:17 2002 UTC (22 years, 6 months ago) by cvsjoko
Branch: MAIN
Branch point for: nfo
File MIME type: text/plain
Initial revision

$Id$

$Log$


============================================================
part 1 - minimum config
============================================================

- create vhost with "vsdtool-config.pl"

- start vhost with "vsboot --start <vhost>"

- modify accounts
  - bevs -r <vhost>
  - passwd admin
  - enter <admin_passwd>
  - useradd service
  - passwd service
  - enter <service_passwd>
  - create /home/service/.ssh as user "service"
  - useradd <user>
  - passwd <user>
  - enter <user_passwd>

- modify authorization
  - cd /etc/pam.d/
  - edit "sshd", comment out "auth required /lib/security/pam_vsd.so priv=login"
  - edit "ftp", comment out "auth required /lib/security/pam_vsd.so priv=ftp"
  - logout (CTRL + D)
  --> skel-patch-status: done!!!

- test access to server
  - login as "admin" and "user" via ssh
  - login as "user" via ftp
  - point your browser to http://<vhost_ip>

- restrict anonymous ftp-access
  - in "/etc/proftpd.conf"
  - comment out "UserAlias anonymous ftp"
  --> skel-patch-status: already in skel?

- ready!?


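Added example (not part of the original howto): a small audit that reports, for a vhost tree, whether the three directives that part 1 comments out are still active. The function names and the ROOT argument (path to the vhost's filesystem as seen from the main host) are assumptions, and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the original howto): report whether the directives
# that part 1 comments out are still active inside a vhost tree.

# directive_state FILE REGEX -> prints active | commented | absent | nofile
directive_state() {
    [ -r "$1" ] || { echo nofile; return 0; }
    if grep -Eq "^[[:space:]]*$2" "$1"; then echo active
    elif grep -Eq "^[[:space:]]*#+[[:space:]]*$2" "$1"; then echo commented
    else echo absent
    fi
}

# audit_vhost ROOT -> prints one line per check; exit status is the number of
# directives that are still active or whose file could not be read.
audit_vhost() {
    root=$1 bad=0
    while IFS='|' read -r file regex; do
        state=$(directive_state "$root$file" "$regex")
        case $state in active|nofile) bad=$((bad + 1)) ;; esac
        printf '%-10s %s\n' "$state" "$file"
    done <<'EOF'
/etc/pam.d/sshd|auth[[:space:]]+required[[:space:]]+/lib/security/pam_vsd\.so[[:space:]]+priv=login
/etc/pam.d/ftp|auth[[:space:]]+required[[:space:]]+/lib/security/pam_vsd\.so[[:space:]]+priv=ftp
/etc/proftpd.conf|UserAlias[[:space:]]+anonymous[[:space:]]+ftp
EOF
    return "$bad"
}

# Constructed sample tree (not real vhost files): sshd is patched, ftp is not
# yet patched, proftpd.conf has the anonymous alias commented out.
make_sample() {
    d=$(mktemp -d) && mkdir -p "$d/etc/pam.d" || return 1
    printf '%s\n' '#auth required /lib/security/pam_vsd.so priv=login' \
        'auth required /lib/security/pam_unix.so' > "$d/etc/pam.d/sshd"
    printf '%s\n' 'auth   required   /lib/security/pam_vsd.so priv=ftp' > "$d/etc/pam.d/ftp"
    printf '%s\n' 'ServerName "vhost"' '# UserAlias anonymous ftp' > "$d/etc/proftpd.conf"
    echo "$d"
}

sample=$(make_sample)
audit_vhost "$sample" || echo "$? directive(s) still active or unreadable"
rm -rf "$sample"
```

Keeping the output alongside the "skel-patch-status" notes gives a per-vhost record of which skel defaults were changed.
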
============================================================
part 2 - extended config / tuning / troubleshooting
============================================================

- login to vhost
  - bevs -r <vhost>
  - watch running processes (ps -ax)
  - is all right? (apache, mysql, sshd)

- make apache listen on port "80" and disable "vsdredirect"s
  - see http://www.fubra.com/vsdfaq/index.html#apache ;)
  - edit "/etc/rc" and comment out calls to "vsdredirect"
  - see http://www.fubra.com/vsdfaq/index.html#apache and do steps described there:
    --- snip ---
    (Q) Apache listens on port 8080. How can I get it to listen on port 80?
    (A) It is set to listen on 8080 because of the issue described in security.txt. Unless you really need it to listen on port 80, don't worry (vsdredirect should redirect all requests to 80 to 8080.) To get it to start on port 80, you need to modify `rc' and `rc.vsd', located in /usr/share/freevsd/skel-repo/etc.
    Add the following lines to rc, just before the `exit 0'.

      # Start Apache web server (as root)
      httpd_enable="YES"
      if [ "${httpd_enable}" = "YES" ]; then
          echo -n 'starting web server: '
          if [ -x "/bin/httpd" ]; then httpd_path="/bin/httpd"; fi
          if [ -x "/usr/sbin/httpd" ]; then httpd_path="/usr/sbin/httpd"; fi
          if [ -x "/usr/libexec/httpd" ]; then httpd_path="/usr/libexec/httpd"; fi
          ${httpd_path} -D SSL &
          echo 'httpd'
      fi

    Then comment out the following lines in rc.vsd:

      # Start Apache web server
      if [ "${httpd_enable}" = "YES" ]; then
          echo -n 'starting web server: '
          if [ -x "/bin/httpd" ]; then httpd_path="/bin/httpd"; fi
          if [ -x "/usr/sbin/httpd" ]; then httpd_path="/usr/sbin/httpd"; fi
          if [ -x "/usr/libexec/httpd" ]; then httpd_path="/usr/libexec/httpd"; fi
          su - web -c "${httpd_path} -D SSL" &
          echo 'httpd'
      fi

    Once you have done that, delete your virtual servers, re-create the skel (using vsd-genskel.pl) and re-create your virtual servers
    NB: Please read the next question for more info on port 80 and 8080...

    - change /etc/httpd/conf/httpd.conf

    --- snip ---

- apache/suexec
  - see http://www.fubra.com/vsdfaq/index.html#apache and do steps described there:
    --- snip ---
    (Q) How do I enable Apache's suexec wrapper?

    (A) By default Apache is installed with the suexec wrapper disabled. It is left as an exercise for the administrator to enable it by setting the appropriate permissions.

    Prior to creating the skel, fix the permissions with:
      chmod 4711 /usr/sbin/suexec

    If you have already created the skel, use:
      chmod 4711 /path/to/skel/usr/sbin/suexec
    --- snip ---


- enable apache serving /home/*/public_html
  - in /etc/httpd/conf/httpd.conf

- activate phpMyAdmin at http://<domainname>/~service/phpMyAdmin/
  - useradd service
  - mkdir /home/service/public_html
  - cd /home/service/public_html
  - ln -s /home/httpd/docs/phpMyAdmin .
  - configure at least hostname in /home/httpd/docs/phpMyAdmin/config.inc.php3

- activate webalizer-stats at http://<domainname>/~service/webalizer/
  - cd /home/service/public_html
  - ln -s /home/httpd/docs/webalizer .

- install kerberos-libraries
  - A. setup rpm
    - download rpm 3.0 - no problems ;) - from ftp://ftp.rpm.org/pub/rpm/dist/rpm-3.0.x/rpm-3.0.6.tar.gz
    - issue a "./configure && make && make install"
  - B. setup kerberos-libraries
    - download krb-libs from ftp://rpmfind.net/linux/redhat/updates/6.2/en/os/i386/krb5-libs-1.1.1-28.i386.rpm
    - become root!!! (e.g. via "bevs -r <vhost>" from main-host)
    - mkdir -p /var/local/lib/rpm
    - rpm -i --nodeps krb5-libs-1.1.1-28.i386.rpm
    - cd /usr/lib
    - ln -s /usr/kerberos/lib/* .
  - C. todo:
    16:08 <[joko]> 16:06 <[joko]> 1. setup "rpm": works as "admin"
    16:08 <[joko]> 16:06 <[joko]> 2. setup "kerberos": to be done as "root" via "bevs -r <vhost>"
    16:08 <[joko]> 3. checkout how kerberos-libs can be set up as "admin" (e.g. modify installation-path to /usr/local)

- enable "lastlogging"
  - create /var/log/lastlog and give owner to "admin.admin"

- disable ssh-errors in /var/log/messages
  - create /etc/security/limits.conf by issuing 'echo "" > /etc/security/limits.conf'

-