sysadmin/linux/howto-freevsd-prepare-vhost.txt

$Id: howto-freevsd-prepare-vhost.txt,v 1.1.1.1 2002/02/11 01:22:17 cvsjoko Exp $

$Log: howto-freevsd-prepare-vhost.txt,v $
Revision 1.1.1.1  2002/02/11 01:22:17  cvsjoko
first checkin'


============================================================
    part 1  -  minimum config
============================================================

  - create vhost with "vsdtool-config.pl"
  
  - start vhost with "vsboot --start <vhost>"
  
  - modify accounts
      - bevs -r <vhost>
      - passwd admin
        - enter <admin_passwd>
      - useradd service
      - passwd service
        - enter <service_passwd>
      - create /home/service/.ssh as user "service"
      - useradd <user>
      - passwd <user>
        - enter <user_passwd>
  
  - modify authorization
    - cd /etc/pam.d/
    - edit "sshd", comment out "auth       required     /lib/security/pam_vsd.so priv=login"
    - edit "ftp", comment out "auth       required     /lib/security/pam_vsd.so priv=ftp"
    - logout (CTRL + D)
    --> skel-patch-status: done!!!
  
  - test access to server
    - login as "admin" and "user" via ssh
    - login as "user" via ftp
    - point your browser to http://<vhost_ip>

  - restrict anonymous ftp-access
    - in "/etc/proftpd.conf"
    - comment out "UserAlias                     anonymous ftp"
    --> skel-patch-status: already in skel?
  
  - ready!?


============================================================
    part 2  -  extended config / tuning / troubleshooting
============================================================

  - login to vhost
    - bevs -r <vhost>
    - watch running processes (ps -ax)
      - is all right? (apache, mysql, sshd)

  - make apache listen on port "80" and disable "vsdredirect"s
     - see http://www.fubra.com/vsdfaq/index.html#apache  ;)
     - edit "/etc/rc" and comment out calls to "vsdredirect"
     - see http://www.fubra.com/vsdfaq/index.html#apache and do steps described there:
        --- snip ---
        (Q) Apache listens on port 8080. How can I get it to listen on port 80?
        (A) It is set to listen on 8080 because of the issue described in security.txt. Unless you really need it to listen on port 80, don't worry (vsdredirect should redirect all requests to 80 to 8080.) To get it to start on port 80, you need to modify `rc' and `rc.vsd', located in /usr/share/freevsd/skel-repo/etc.
        Add the following lines to rc, just before the `exit 0'.
  
        # Start Apache web server (as root) 
        httpd_enable="YES" 
        if [ "${httpd_enable}" = "YES" ]; then
              echo -n 'starting web server: '
              if [ -x "/bin/httpd" ]; then httpd_path="/bin/httpd"; fi 
              if [ -x "/usr/sbin/httpd" ]; then httpd_path="/usr/sbin/httpd"; fi 
              if [ -x "/usr/libexec/httpd" ]; then httpd_path="/usr/libexec/httpd"; fi 
              ${httpd_path} -D SSL & 
              echo 'httpd' 
        fi
  
        Then comment out the following lines in rc.vsd:
  
        # Start Apache web server
        if [ "${httpd_enable}" = "YES" ]; then
              echo -n 'starting web server: '
              if [ -x "/bin/httpd" ]; then httpd_path="/bin/httpd"; fi
              if [ -x "/usr/sbin/httpd" ]; then httpd_path="/usr/sbin/httpd"; fi
              if [ -x "/usr/libexec/httpd" ]; then httpd_path="/usr/libexec/httpd"; fi
              su - web -c "${httpd_path} -D SSL" &
              echo 'httpd'
        fi
        
        Once you have done that, delete your virtual servers, re-create the skel (using vsd-genskel.pl) and re-create your virtual servers
        NB: Please read the next question for more info on port 80 and 8080... 

        - change /etc/httpd/conf/httpd.conf

        --- snip ---    
  
  - apache/suexec
     - see http://www.fubra.com/vsdfaq/index.html#apache and do steps described there:
        --- snip ---    
        (Q) How do I enable Apache's suexec wrapper?                                                                                                                             
                                                                                                                                                                                 
        (A) By default Apache is installed with the suexec wrapper disabled. It is left as an exercise for the administrator to enable it by setting the appropriate permissions.
                                                                                                                                                                                 
        Prior to creating the skel, fix the permissions with:                                                                                                                    
        chmod 4711 /usr/sbin/suexec                                                                                                                                              
                                                                                                                                                                                 
        If you have already created the skel, use:                                                                                                                               
        chmod 4711 /path/to/skel/usr/sbin/suexec                                                                                                                                 
        --- snip ---    
  
    
  - enable apache serving /home/*/public_html
    - in /etc/httpd/conf/httpd.conf
    
  - activate phpMyAdmin at http://<domainname>/~service/phpMyAdmin/
    - useradd service
    - mkdir /home/service/public_html
    - cd /home/service/public_html
    - ln -s /home/httpd/docs/phpMyAdmin .
    - configure at least hostname in /home/httpd/docs/phpMyAdmin/config.inc.php3
    
  - activate webalizer-stats at http://<domainname>/~service/webalizer/
    - cd /home/service/public_html
    - ln -s /home/httpd/docs/webalizer .
    
  - install kerberos-libraries
    - A. setup rpm
        - download rpm 3.0 - no problems ;) - from ftp://ftp.rpm.org/pub/rpm/dist/rpm-3.0.x/rpm-3.0.6.tar.gz
        - issue a "./configure && make && make install"
    - B. setup kerberos-libraries
        - download krb-libs from ftp://rpmfind.net/linux/redhat/updates/6.2/en/os/i386/krb5-libs-1.1.1-28.i386.rpm
        - become root!!!  (e.g. via "bevs -r <vhost>" from main-host)
        - mkdir -p /var/local/lib/rpm
        - rpm -i --nodeps krb5-libs-1.1.1-28.i386.rpm
        - cd /usr/lib
        - ln -s /usr/kerberos/lib/* .
    - C. todo:
        16:08 <[joko]> 16:06 <[joko]> 1. setup "rpm": works as "admin"
        16:08 <[joko]> 16:06 <[joko]> 2. setup "kerberos": to be done as "root" via "bevs -r <vhost>"
        16:08 <[joko]> 3. checkout how kerberos-libs can be set up as "admin" (e.g. modify installation-path to /usr/local)

  - enable "lastlogging"
    - create /var/log/lastlog and give owner to "admin.admin"
    
  - disable ssh-errors in /var/log/messages
    - create /etc/security/limits.conf by issuing a echo "" > /etc/security/limits.conf
    
  - replace old perl version through new one (if available)
    [root@martha1 bin]# cd /
    [root@martha1 /]# cd /usr/bin/
    [root@martha1 bin]# mv perl
    perl         perl5.00503  perlbug      perlcc       perldoc
    [root@martha1 bin]# mv perl perl.old
    [root@martha1 bin]# ln -s /usr/local/bin/perl .
    [root@martha1 bin]# cd /home/service/bin/ftpweblog/
    [root@martha1 ftpweblog]# ./graphftpweblog
    Error opening file for inclusion: /home/service/ftpweblog/testlog.html
    [root@martha1 ftpweblog]#
    
1	cvsjoko	1.2	$Id: howto-freevsd-prepare-vhost.txt,v 1.1.1.1 2002/02/11 01:22:17 cvsjoko Exp $
2
3			$Log: howto-freevsd-prepare-vhost.txt,v $
4			Revision 1.1.1.1 2002/02/11 01:22:17 cvsjoko
5			first checkin'
6	cvsjoko	1.1
7
8
9			============================================================
10			part 1 - minimum config
11			============================================================
12
13			- create vhost with "vsdtool-config.pl"
14
15			- start vhost with "vsboot --start <vhost>"
16
17			- modify accounts
18			- bevs -r <vhost>
19			- passwd admin
20			- enter <admin_passwd>
21			- useradd service
22			- passwd service
23			- enter <service_passwd>
24			- create /home/service/.ssh as user "service"
25			- useradd <user>
26			- passwd <user>
27			- enter <user_passwd>
28
29			- modify authorization
30			- cd /etc/pam.d/
31			- edit "sshd", comment out "auth required /lib/security/pam_vsd.so priv=login"
32			- edit "ftp", comment out "auth required /lib/security/pam_vsd.so priv=ftp"
33			- logout (CTRL + D)
34			--> skel-patch-status: done!!!
35
36			- test access to server
37			- login as "admin" and "user" via ssh
38			- login as "user" via ftp
39			- point your browser to http://<vhost_ip>
40
41			- restrict anonymous ftp-access
42			- in "/etc/proftpd.conf"
43			- comment out "UserAlias anonymous ftp"
44			--> skel-patch-status: already in skel?
45
46			- ready!?
47
48
49
50			============================================================
51			part 2 - extended config / tuning / troubleshooting
52			============================================================
53
54			- login to vhost
55			- bevs -r <vhost>
56			- watch running processes (ps -ax)
57			- is all right? (apache, mysql, sshd)
58
59			- make apache listen on port "80" and disable "vsdredirect"s
60			- see http://www.fubra.com/vsdfaq/index.html#apache ;)
61			- edit "/etc/rc" and comment out calls to "vsdredirect"
62			- see http://www.fubra.com/vsdfaq/index.html#apache and do steps described there:
63			--- snip ---
64			(Q) Apache listens on port 8080. How can I get it to listen on port 80?
65			(A) It is set to listen on 8080 because of the issue described in security.txt. Unless you really need it to listen on port 80, don't worry (vsdredirect should redirect all requests to 80 to 8080.) To get it to start on port 80, you need to modify `rc' and `rc.vsd', located in /usr/share/freevsd/skel-repo/etc.
66			Add the following lines to rc, just before the `exit 0'.
67
68			# Start Apache web server (as root)
69			httpd_enable="YES"
70			if [ "${httpd_enable}" = "YES" ]; then
71			echo -n 'starting web server: '
72			if [ -x "/bin/httpd" ]; then httpd_path="/bin/httpd"; fi
73			if [ -x "/usr/sbin/httpd" ]; then httpd_path="/usr/sbin/httpd"; fi
74			if [ -x "/usr/libexec/httpd" ]; then httpd_path="/usr/libexec/httpd"; fi
75			${httpd_path} -D SSL &
76			echo 'httpd'
77			fi
78
79			Then comment out the following lines in rc.vsd:
80
81			# Start Apache web server
82			if [ "${httpd_enable}" = "YES" ]; then
83			echo -n 'starting web server: '
84			if [ -x "/bin/httpd" ]; then httpd_path="/bin/httpd"; fi
85			if [ -x "/usr/sbin/httpd" ]; then httpd_path="/usr/sbin/httpd"; fi
86			if [ -x "/usr/libexec/httpd" ]; then httpd_path="/usr/libexec/httpd"; fi
87			su - web -c "${httpd_path} -D SSL" &
88			echo 'httpd'
89			fi
90
91			Once you have done that, delete your virtual servers, re-create the skel (using vsd-genskel.pl) and re-create your virtual servers
92			NB: Please read the next question for more info on port 80 and 8080...
93
94			- change /etc/httpd/conf/httpd.conf
95
96			--- snip ---
97
98			- apache/suexec
99			- see http://www.fubra.com/vsdfaq/index.html#apache and do steps described there:
100			--- snip ---
101			(Q) How do I enable Apache's suexec wrapper?
102
103			(A) By default Apache is installed with the suexec wrapper disabled. It is left as an exercise for the administrator to enable it by setting the appropriate permissions.
104
105			Prior to creating the skel, fix the permissions with:
106			chmod 4711 /usr/sbin/suexec
107
108			If you have already created the skel, use:
109			chmod 4711 /path/to/skel/usr/sbin/suexec
110			--- snip ---
111
112
113			- enable apache serving /home/*/public_html
114			- in /etc/httpd/conf/httpd.conf
115
116			- activate phpMyAdmin at http://<domainname>/~service/phpMyAdmin/
117			- useradd service
118			- mkdir /home/service/public_html
119			- cd /home/service/public_html
120			- ln -s /home/httpd/docs/phpMyAdmin .
121			- configure at least hostname in /home/httpd/docs/phpMyAdmin/config.inc.php3
122
123			- activate webalizer-stats at http://<domainname>/~service/webalizer/
124			- cd /home/service/public_html
125			- ln -s /home/httpd/docs/webalizer .
126
127			- install kerberos-libraries
128			- A. setup rpm
129			- download rpm 3.0 - no problems ;) - from ftp://ftp.rpm.org/pub/rpm/dist/rpm-3.0.x/rpm-3.0.6.tar.gz
130			- issue a "./configure && make && make install"
131			- B. setup kerberos-libraries
132			- download krb-libs from ftp://rpmfind.net/linux/redhat/updates/6.2/en/os/i386/krb5-libs-1.1.1-28.i386.rpm
133			- become root!!! (e.g. via "bevs -r <vhost>" from main-host)
134			- mkdir -p /var/local/lib/rpm
135			- rpm -i --nodeps krb5-libs-1.1.1-28.i386.rpm
136			- cd /usr/lib
137			- ln -s /usr/kerberos/lib/* .
138			- C. todo:
139			16:08 <[joko]> 16:06 <[joko]> 1. setup "rpm": works as "admin"
140			16:08 <[joko]> 16:06 <[joko]> 2. setup "kerberos": to be done as "root" via "bevs -r <vhost>"
141			16:08 <[joko]> 3. checkout how kerberos-libs can be set up as "admin" (e.g. modify installation-path to /usr/local)
142
143			- enable "lastlogging"
144			- create /var/log/lastlog and give owner to "admin.admin"
145
146			- disable ssh-errors in /var/log/messages
147			- create /etc/security/limits.conf by issuing a echo "" > /etc/security/limits.conf
148
149	cvsjoko	1.2	- replace old perl version through new one (if available)
150			[root@martha1 bin]# cd /
151			[root@martha1 /]# cd /usr/bin/
152			[root@martha1 bin]# mv perl
153			perl perl5.00503 perlbug perlcc perldoc
154			[root@martha1 bin]# mv perl perl.old
155			[root@martha1 bin]# ln -s /usr/local/bin/perl .
156			[root@martha1 bin]# cd /home/service/bin/ftpweblog/
157			[root@martha1 ftpweblog]# ./graphftpweblog
158			Error opening file for inclusion: /home/service/ftpweblog/testlog.html
159			[root@martha1 ftpweblog]#
160	cvsjoko	1.1
MailToCvsAdmin">MailToCvsAdmin	ViewVC Help
Powered by ViewVC 1.1.26