Contents of /nfo/doc/computing/sysadmin/linux/howto-freevsd-prepare-vhost.txt

Revision 1.3
Mon Feb 11 02:58:43 2002 UTC (22 years, 5 months ago) by cvsjoko
Branch: MAIN
CVS Tags: HEAD
Changes since 1.2: +5 -2 lines
File MIME type: text/plain
+ mini annotation

$Id: howto-freevsd-prepare-vhost.txt,v 1.2 2002/02/11 02:45:25 cvsjoko Exp $

$Log: howto-freevsd-prepare-vhost.txt,v $
Revision 1.2 2002/02/11 02:45:25 cvsjoko
+ added info about perl-versions: "replace old perl version through new one"

Revision 1.1.1.1 2002/02/11 01:22:17 cvsjoko
first checkin'


============================================================
  part 1 - minimum config
============================================================

- create vhost with "vsdtool-config.pl" (see example-output in "howto-freevsd-prepare-vhost-(test-run-of-vsdtool-config.pl).txt")

- start vhost with "vsboot --start <vhost>"

- modify accounts
  - bevs -r <vhost>
  - passwd admin
    - enter <admin_passwd>
  - useradd service
  - passwd service
    - enter <service_passwd>
  - create /home/service/.ssh as user "service"
  - useradd <user>
  - passwd <user>
    - enter <user_passwd>

- modify authorization
  - cd /etc/pam.d/
  - edit "sshd", comment out "auth required /lib/security/pam_vsd.so priv=login"
  - edit "ftp", comment out "auth required /lib/security/pam_vsd.so priv=ftp"
  - logout (CTRL + D)
  --> skel-patch-status: done!!!

- test access to server
  - login as "admin" and "user" via ssh
  - login as "user" via ftp
  - point your browser to http://<vhost_ip>

- restrict anonymous ftp-access
  - in "/etc/proftpd.conf"
    - comment out "UserAlias anonymous ftp"
  --> skel-patch-status: already in skel?

- ready!?


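The three "comment out" edits from part 1 ("sshd" and "ftp" in /etc/pam.d/, and /etc/proftpd.conf), done with a backup and a check that no active copy of the line remains. This is an added example, not part of the original howto; the function names, the ".orig" backup suffix and the sample file contents are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the howto): comment out one directive, keep a backup.

# has_active_line FILE ERE: succeeds if an uncommented line starts with ERE.
has_active_line() {
    grep -Eq "^[[:space:]]*${2}" "$1"
}

# comment_out FILE ERE: put '#' in front of every active line matching ERE.
# Idempotent; saves FILE.orig once (hypothetical suffix) so the edit can be undone.
# ERE must not contain '|', which is used as the sed delimiter.
comment_out() {
    file=$1 regex=$2
    has_active_line "$file" "$regex" || return 0    # already commented out
    [ -e "$file.orig" ] || cp -p "$file" "$file.orig" || return 1
    tmp=$(mktemp "$file.XXXXXX") || return 1
    sed -E "s|^([[:space:]]*)(${regex})|\\1#\\2|" "$file" > "$tmp" &&
        cat "$tmp" > "$file"                        # rewrite in place: same owner and mode
    status=$?
    rm -f "$tmp"
    return $status
}

PAM_VSD='auth[[:space:]]+required[[:space:]]+/lib/security/pam_vsd\.so'
ANON_FTP='UserAlias[[:space:]]+anonymous[[:space:]]+ftp'

# Demo on constructed copies of the three files (contents are made up).
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'auth required /lib/security/pam_vsd.so priv=login' \
        'auth required /lib/security/pam_pwdb.so shadow' > "$dir/sshd"
    printf '%s\n' 'auth required /lib/security/pam_vsd.so priv=ftp' > "$dir/ftp"
    printf '%s\n' 'User ftp' 'UserAlias anonymous ftp' > "$dir/proftpd.conf"
    comment_out "$dir/sshd" "$PAM_VSD"
    comment_out "$dir/ftp" "$PAM_VSD"
    comment_out "$dir/proftpd.conf" "$ANON_FTP"
    for f in sshd ftp proftpd.conf; do
        echo "== $f"; cat "$dir/$f"
    done
    rm -rf "$dir"
}
demo
```
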
============================================================
  part 2 - extended config / tuning / troubleshooting
============================================================

- login to vhost
  - bevs -r <vhost>
  - watch running processes (ps -ax)
  - is everything all right? (apache, mysql, sshd)

- make apache listen on port "80" and disable "vsdredirect"s
  - see http://www.fubra.com/vsdfaq/index.html#apache ;)
  - edit "/etc/rc" and comment out calls to "vsdredirect"
  - see http://www.fubra.com/vsdfaq/index.html#apache and do steps described there:
    --- snip ---
    (Q) Apache listens on port 8080. How can I get it to listen on port 80?
    (A) It is set to listen on 8080 because of the issue described in security.txt. Unless you really need it to listen on port 80, don't worry (vsdredirect should redirect all requests to 80 to 8080.) To get it to start on port 80, you need to modify `rc' and `rc.vsd', located in /usr/share/freevsd/skel-repo/etc.
    Add the following lines to rc, just before the `exit 0'.

      # Start Apache web server (as root)
      httpd_enable="YES"
      if [ "${httpd_enable}" = "YES" ]; then
        echo -n 'starting web server: '
        if [ -x "/bin/httpd" ]; then httpd_path="/bin/httpd"; fi
        if [ -x "/usr/sbin/httpd" ]; then httpd_path="/usr/sbin/httpd"; fi
        if [ -x "/usr/libexec/httpd" ]; then httpd_path="/usr/libexec/httpd"; fi
        ${httpd_path} -D SSL &
        echo 'httpd'
      fi

    Then comment out the following lines in rc.vsd:

      # Start Apache web server
      if [ "${httpd_enable}" = "YES" ]; then
        echo -n 'starting web server: '
        if [ -x "/bin/httpd" ]; then httpd_path="/bin/httpd"; fi
        if [ -x "/usr/sbin/httpd" ]; then httpd_path="/usr/sbin/httpd"; fi
        if [ -x "/usr/libexec/httpd" ]; then httpd_path="/usr/libexec/httpd"; fi
        su - web -c "${httpd_path} -D SSL" &
        echo 'httpd'
      fi

    Once you have done that, delete your virtual servers, re-create the skel (using vsd-genskel.pl) and re-create your virtual servers
    NB: Please read the next question for more info on port 80 and 8080...

  - change /etc/httpd/conf/httpd.conf

    --- snip ---

- apache/suexec
  - see http://www.fubra.com/vsdfaq/index.html#apache and do steps described there:
    --- snip ---
    (Q) How do I enable Apache's suexec wrapper?

    (A) By default Apache is installed with the suexec wrapper disabled. It is left as an exercise for the administrator to enable it by setting the appropriate permissions.

    Prior to creating the skel, fix the permissions with:
      chmod 4711 /usr/sbin/suexec

    If you have already created the skel, use:
      chmod 4711 /path/to/skel/usr/sbin/suexec
    --- snip ---


- enable apache serving /home/*/public_html
  - in /etc/httpd/conf/httpd.conf

- activate phpMyAdmin at http://<domainname>/~service/phpMyAdmin/
  - useradd service
  - mkdir /home/service/public_html
  - cd /home/service/public_html
  - ln -s /home/httpd/docs/phpMyAdmin .
  - configure at least hostname in /home/httpd/docs/phpMyAdmin/config.inc.php3

- activate webalizer-stats at http://<domainname>/~service/webalizer/
  - cd /home/service/public_html
  - ln -s /home/httpd/docs/webalizer .

- install kerberos-libraries
  - A. setup rpm
    - download rpm 3.0 - no problems ;) - from ftp://ftp.rpm.org/pub/rpm/dist/rpm-3.0.x/rpm-3.0.6.tar.gz
    - issue a "./configure && make && make install"
  - B. setup kerberos-libraries
    - download krb-libs from ftp://rpmfind.net/linux/redhat/updates/6.2/en/os/i386/krb5-libs-1.1.1-28.i386.rpm
    - become root!!! (e.g. via "bevs -r <vhost>" from main-host)
    - mkdir -p /var/local/lib/rpm
    - rpm -i --nodeps krb5-libs-1.1.1-28.i386.rpm
    - cd /usr/lib
    - ln -s /usr/kerberos/lib/* .
  - C. todo:
    16:08 <[joko]> 16:06 <[joko]> 1. setup "rpm": works as "admin"
    16:08 <[joko]> 16:06 <[joko]> 2. setup "kerberos": to be done as "root" via "bevs -r <vhost>"
    16:08 <[joko]> 3. checkout how kerberos-libs can be set up as "admin" (e.g. modify installation-path to /usr/local)

- enable "lastlogging"
  - create /var/log/lastlog and make "admin.admin" its owner

- disable ssh-errors in /var/log/messages
  - create /etc/security/limits.conf by issuing: echo "" > /etc/security/limits.conf

- replace old perl version with the new one (if available)
    [root@martha1 bin]# cd /
    [root@martha1 /]# cd /usr/bin/
    [root@martha1 bin]# mv perl
    perl perl5.00503 perlbug perlcc perldoc
    [root@martha1 bin]# mv perl perl.old
    [root@martha1 bin]# ln -s /usr/local/bin/perl .
    [root@martha1 bin]# cd /home/service/bin/ftpweblog/
    [root@martha1 ftpweblog]# ./graphftpweblog
    Error opening file for inclusion: /home/service/ftpweblog/testlog.html
    [root@martha1 ftpweblog]#

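A check for two of the part 2 changes: which of `rc' and `rc.vsd' still launches httpd after the port-80 edit (only one of them should), and whether suexec carries the mode the FAQ's chmod sets. This is an added example, not part of the original howto or of freeVSD; the function names and the sample tree are assumptions, and "stat -c" assumes GNU or BusyBox stat.

```shell
#!/bin/sh
# Added example (not from the howto): verify the rc/rc.vsd edit and the suexec mode.

# httpd_start_mode ETCDIR: print which start-up script has an active httpd launch line.
#   root = rc only (httpd started as root), web = rc.vsd only (via "su - web"),
#   both = the FAQ steps are half done, none = httpd is not started at all.
httpd_start_mode() {
    etc=$1 in_rc=no in_vsd=no
    # Uncommented launch line from the FAQ's rc snippet.
    grep -Eq '^[[:space:]]*\$\{httpd_path\} -D SSL' "$etc/rc" 2>/dev/null && in_rc=yes
    # Uncommented launch line from the stock rc.vsd block.
    grep -Eq '^[[:space:]]*su - web -c "\$\{httpd_path\}' "$etc/rc.vsd" 2>/dev/null && in_vsd=yes
    case "$in_rc/$in_vsd" in
        yes/no)  echo root ;;
        no/yes)  echo web ;;
        yes/yes) echo both ;;
        *)       echo none ;;
    esac
}

# suexec_mode_ok FILE: succeeds only if FILE has exactly mode 4711
# (setuid, owner rwx, group/other execute-only).
suexec_mode_ok() {
    [ -f "$1" ] && [ "$(stat -c %a "$1")" = 4711 ]
}

# Demo on a constructed tree: rc already has the new snippet, rc.vsd has not
# been commented out yet, and suexec still has its non-setuid mode.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc" "$d/usr/sbin"
    printf '%s\n' 'httpd_enable="YES"' '  ${httpd_path} -D SSL &' 'exit 0' > "$d/etc/rc"
    printf '%s\n' '  su - web -c "${httpd_path} -D SSL" &' > "$d/etc/rc.vsd"
    : > "$d/usr/sbin/suexec"
    chmod 711 "$d/usr/sbin/suexec"
    echo "httpd started by: $(httpd_start_mode "$d/etc")"
    suexec_mode_ok "$d/usr/sbin/suexec" || echo "suexec: mode is not 4711"
    rm -rf "$d"
}
demo
```

Run httpd_start_mode against the skel's etc directory (the FAQ names /usr/share/freevsd/skel-repo/etc) before re-creating the skel.
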
