_the_mars

Server hardware

In my cabinet I had a stripped Acer Travelmate A800 laptop with a Intel Pentium M 1.7 GHz processor and 512 MB of memory. It has no keyboard and screen but it was fully functional. I had kept it to have spare parts for my home server, another Acer Travelmate A800. But I decided to set it up as server to be able to use my current server (with a keyboard and a screen) for other purposes.

Server software

I have installed Ubuntu Server 12.04 Precise Pangolin LTS. I have chosen the server roles SMB server and Virtual Machine host.
Additional packages:

SSH daemon

    marc@server:~$ sudo apt-get install openssh-server

Web server with PHP

    marc@server:~$ sudo apt-get install nginx php5-fpm php5-cli php5-mcrypt

APC for PHP opcode cache

    marc@server:~$ sudo apt-get install php-apc php5-gd

MySQL

    marc@server:~$ sudo apt-get install mysql-server php5-mysql

Exim mailserver

    marc@server:~$ sudo apt-get install exim4

Munin monitoring tool

    marc@server:~$ sudo apt-get install munin munin-plugins-extra munin-libvirt-plugins

Configuration

SSH

To keep my machine safe I have set up public/private key authentication.
I am using that for years now. But here is how you do it:

Create a public/private keypair on the desktop you are using generally and enter through the defaults (but provide a passphrase for security reasons)
```
    marc@client:~$ mkdir -p -m 700 ~/.ssh
    marc@client:~$ ssh-keygen
    
```

Add the public key to your server

    marc@server:~$ mkdir -p -m 700 ~/.ssh
    marc@client:~$ echo `cat ~/.ssh/id_rsa.pub` | ssh marc@server 'cat - >> ~/.ssh/authorized_keys'

Try login and check that it does not ask your server password but your key passphrase
```
    marc@client:~$ ssh marc@server    
```

Lock down access to public/private key authentication only

    marc@server:~$ sudo vi /etc/ssh/sshd_config
    /^[# \t]*PasswordAuthentication
    /PasswordAuthentication
    d^
    w
    cw
    no
    <Esc>
    :wq
    marc@server:~$ sudo service ssh force-reload

Firewall

To limit access and thus improving security I have set up a firewall too: UFW.

Added rules to keep SSH access; do not forget to add your own rules

    marc@server:~$ sudo ufw allow from 127.0.0.0/8 to any app OpenSSH
    marc@server:~$ sudo ufw allow from 192.168.0.0/16 to any app OpenSSH

Enabled the firewall
```
    marc@server:~$ sudo ufw enable    
```

I added some rules to test my webserver

    marc@server:~$ sudo ufw allow from 127.0.0.0/8 to any app 'Nginx Full'
    marc@server:~$ sudo ufw allow from 192.168.0.0/16 to any app 'Nginx Full'

Webserver

The webserver Nginx is installed already and it must be visitable locally due to the firewall rules. It should show "Welcome to nginx!"

Created web dir and a PHP file

    marc@server:~$ sudo mkdir -p /var/www/com/example/www
    marc@server:~$ sudo chown marc:marc /var/www/com/example/www
    marc@server:~$ echo '' > /var/www/com/example/www/index.php

Created config file and enabled it

    marc@server:~$ sudo vi /etc/nginx/sites-available/com.example-zzz
    i
    server {
        server_name *.example.com;
        rewrite ^ $scheme://example.com$request_uri permanent;
    }
    server {
        root /var/www/com/example/www;
        index index.php index.html index.htm;

        server_name example.com

       location ~ \.php(/.*)?$ {
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            include fastcgi_params;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
        }
    }       
    <Esc>
    :wq
    marc@server:~$ cd /etc/nginx/sites-enabled/
    marc@server:sites-enabled$ sudo ln -s /etc/nginx/sites-available/com.example-zzz
    marc@server:sites-enabled$ cd
    marc@server:~$ sudo service nginx reload

http://example.com/ is visitable now if the DNS or your /etc/hosts file points to your servers IP address.

Admin site

Created an admin site for phpMyAdmin and other admin pages.

Created the dir

    marc@server:~$ sudo mkdir -p /var/www/admin

Added the sections below to /etc/nginx/sites-available/default

        location /nginx_status {
                stub_status on;
                access_log   off;
                allow 127.0.0.0/8;
                allow 192.168.0.0/16;
                deny all;
        }

        location /admin/ {
                alias /var/www/admin/;
                index index.html index.htm index.php;
                autoindex on;
                allow 127.0.0.0/8;
                allow 192.168.0.0/16;
                deny all;
        }
        location ~ ^(/admin/.*\.php)(/.*)?$ {
                alias /var/www$1;
                fastcgi_pass 127.0.0.1:9000;
                fastcgi_index index.php;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_param PATH_INFO $fastcgi_path_info;
                fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
                include fastcgi_params;
        }

Reloaded Nginx config

    marc@server:~$ sudo service nginx reload

Created phpinfo script

    marc@server:~$ sudo bash -c 'echo "" > /var/www/admin/phpinfo.php'

Installed phpMyAdmin

    marc@server:~$ wget -O phpMyAdmin-3.5.0-all-languages.tar.bz2 'http://downloads.sourceforge.net/project/phpmyadmin/phpMyAdmin/3.5.0/phpMyAdmin-3.5.0-all-languages.tar.bz2?r=http%3A%2F%2Fwww.phpmyadmin.net%2Fhome_page%2Fdownloads.php&ts=1334868700&use_mirror=ignum'
    marc@server:~$ tar -xjvf phpMyAdmin-3.5.0-all-languages.tar.bz2
    marc@server:~$ sudo mv phpMyAdmin-3.5.0-all-languages /var/www/admin/.phpMyAdmin-3.5.0-all-languages
    marc@server:~$ cd /var/www/admin/
    marc@server:admin$ sudo ln -s .phpMyAdmin-3.5.0-all-languages/ pma
    marc@server:admin$ cd
    marc@server:~$ rm phpMyAdmin-3.5.0-all-languages.tar.bz2

phpMyAdmin should work now on http://server/pma/. Login with the MySQL credentials and follow the phpMyAdmin instructions

Exim

I have configured exim4 because it does not send email by default. And I want to get at least some alerts from my server.

Called config util
```
    marc@server:~$ sudo dpkg-reconfigure exim4-config
```
And answered the questions:
- internet site; email is sent and received using SMTP
- mail name: server.example.com
- only listen for local connections
- accept email for: server.example.com
- forward email for domains: example.com
- forward email for systems: 127.0.0.0/8
- no minimal DNS requests
- deliver local email in mbox-format
- no splitting of config file

Munin

To avoid munin is creating graphs every 5 minutes (produces high load on my old, tiny server) I produced them on demand. If you want to see the graphs then you have to wait some seconds, but it keeps your server fast. I have used a munin wiki page to find out how to configure this in nginx.

Set graph strategy and configured email

    marc@server:~$ sudo vi /etc/munin/munin.conf
    /^#graph_strategy cgi
    x
    /^#cgiurl_graph
    x
    /#contact\.
    $
    a
    <Enter>
    contact.marc.command mail -s "Munin notification" marc@example.com
    contact.marc.max_messages 5
    <Esc>
    :wq

Installed spawn-fcgi and the Perl CGI::Fast module

    marc@server:~$ sudo apt-get install spawn-fcgi libcgi-fast-perl

Added fastCGI process to startup

    marc@server:~$ sudo vi /etc/rc.local
    /^exit
    k
    $
    a
    <Enter>
    spawn-fcgi -s /var/run/munin/munin-fastcgi-graph.sock -U www-data -u munin -g munin /usr/lib/cgi-bin/munin-cgi-graph
    <Esc>
    :wq

Added the sections below to /etc/nginx/sites-available/default

            location ^~ /cgi-bin/munin-cgi-graph/ {
        fastcgi_split_path_info ^(/cgi-bin/munin-cgi-graph)(.*);
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass unix:/var/run/munin/munin-fastcgi-graph.sock;
        include fastcgi_params;
    }

Published munin pages on a web readable location

    marc@server:~$ sudo ln -s /var/cache/munin/www/ /var/www/admin/munin

Reloaded nginx

    marc@server:~$ sudo service nginx reload

Enabled nginx and other useful plugins

    marc@server:~$ sudo ln -s /usr/share/munin/plugins/nginx_* /etc/munin/plugins/
    marc@server:~$ sudo ln -s /usr/share/munin/plugins/mysql_* /etc/munin/plugins/
    marc@server:~$ sudo ln -s /usr/share/munin/plugins/users /etc/munin/plugins/
    marc@server:~$ sudo ln -s /usr/share/munin/plugins/libvirt_* /etc/munin/plugins/
    marc@server:~$ sudo service munin-node restart

Finally...

Remember to make your site world-visitable if you have finished setting up your PHP site

        marc@server:~$ sudo ufw allow from any to any app 'Nginx Full'
    marc@server:~$ sudo ufw delete allow from 127.0.0.0/8 to any app 'Nginx Full'    
    marc@server:~$ sudo ufw delete allow from 192.168.0.0/16 to any app 'Nginx Full'

OwnCloud aims be the solution if you want to keep control over your data while being flexible. It is written in PHP and can optionally use a MySQL database. If you are using a recent version of Ubuntu you can install it from the universe repository. But I am not going to use the package, because it depends on the Apache2 webserver and I am using the nginx webserver.

My Installation

Download, extract and copy the PHP code

Create dir and change to it

mkdir -p /var/www/owncloud/
cd /var/www/owncloud/

Download and extract it

wget http://owncloud.org/releases/owncloud-3.0.0.tar.bz2
tar -xjvf owncloud-3.0.0.tar.bz2

Rename and hide directory and make a symbolic link named www
```
mv owncloud .owncloud-3.0.0
ln -s .owncloud-3.0.0/ www
```

Configure nginx

Create a configuration file

sudo vi /etc/nginx/sites-available/owncloud

With this content

server {
    server_name *.owncloud;
    rewrite ^ $scheme://owncloud$request_uri permanent;
}
server {
    server_name owncloud;
    access_log      /var/log/nginx/owncloud.access.log;
    root        /var/www/owncloud/www;

    location / {
        allow   all;
        dav_methods PUT DELETE MKCOL COPY MOVE;
        dav_access  user:rw group:rw;
        try_files $uri $uri/ $uri.php;
    }

    location ~ \.(tpl|inc)$ {
        deny    all;
    }
    location ~ /\.?(include|tpls|tpls_c)/ {
        deny    all;
    }
    location ~ /\. {
        deny    all;
    }
    location ~ \.(php|html)$ {
        include     /etc/nginx/fastcgi_params;
        fastcgi_pass    127.0.0.1:9000;
        fastcgi_index   index.html;
        fastcgi_split_path_info ^(.+\.php)(/.*)$;
        fastcgi_param   SCRIPT_FILENAME  $document_root/$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
    }
}

Create symbolic link and enable the site

cd /etc/nginx/sites-enabled/
sudo ln -s ../sites-available/owncloud
sudo service nginx restart

Configure owncloud

owncloud is running at http://owncloud/ but complains about the rights on the data directory
```
cd /var/www/owncloud/www/
chmod 770 data/
chgrp www-data data/
```
Now we have only to fill the credentials to finish the installation.
but I want create a MySQL database too. You can fill the MySQL credentials by clicking on Advanced.
- Create a MySQL database
```
sudo mysql --defaults-file=/etc/mysql/debian.cnf
CREATE DATABASE owncloud;
GRANT ALL PRIVILEGES ON owncloud.* TO 'owncloud'@'localhost' IDENTIFIED BY 'choose_password';
QUIT
```
- Fill out the webform with database user, database password, database name and localhost
After hitting Complete Setup it complains about the rights of the config directory
```
cd /var/www/owncloud/www/
chmod 770 config/
chgrp www-data config/
```
Hitting the F5 key to refresh the web page and post the form data again, shows a working owncloud installation!

_the_mars_

05 May 2012

Ubuntu Server 12.04 installation