Server hardware
In my cabinet I had a stripped Acer Travelmate A800 laptop with a Intel Pentium M 1.7 GHz processor and 512 MB of memory. It has no keyboard and screen but it was fully functional. I had kept it to have spare parts for my home server, another Acer Travelmate A800. But I decided to set it up as server to be able to use my current server (with a keyboard and a screen) for other purposes.Server software
I have installed Ubuntu Server 12.04 Precise Pangolin LTS. I have chosen the server roles SMB server and Virtual Machine host.Additional packages:
- SSH daemon
marc@server:~$ sudo apt-get install openssh-server
- Web server with PHP
marc@server:~$ sudo apt-get install nginx php5-fpm php5-cli php5-mcrypt
- APC for PHP opcode cache
marc@server:~$ sudo apt-get install php-apc php5-gd
- APC for PHP opcode cache
- MySQL
marc@server:~$ sudo apt-get install mysql-server php5-mysql
- Exim mailserver
marc@server:~$ sudo apt-get install exim4
- Munin monitoring tool
marc@server:~$ sudo apt-get install munin munin-plugins-extra munin-libvirt-plugins
Configuration
SSH
To keep my machine safe I have set up public/private key authentication.I am using that for years now. But here is how you do it:
- Create a public/private keypair on the desktop you are using generally and enter through the defaults (but provide a passphrase for security reasons)
marc@client:~$ mkdir -p -m 700 ~/.ssh marc@client:~$ ssh-keygen
- Add the public key to your server
marc@server:~$ mkdir -p -m 700 ~/.ssh marc@client:~$ echo `cat ~/.ssh/id_rsa.pub` | ssh marc@server 'cat - >> ~/.ssh/authorized_keys'
- Try login and check that it does not ask your server password but your key passphrase
marc@client:~$ ssh marc@server
- Lock down access to public/private key authentication only
marc@server:~$ sudo vi /etc/ssh/sshd_config /^[# \t]*PasswordAuthentication /PasswordAuthentication d^ w cw no <Esc> :wq marc@server:~$ sudo service ssh force-reload
Firewall
To limit access and thus improving security I have set up a firewall too: UFW.- Added rules to keep SSH access; do not forget to add your own rules
marc@server:~$ sudo ufw allow from 127.0.0.0/8 to any app OpenSSH marc@server:~$ sudo ufw allow from 192.168.0.0/16 to any app OpenSSH
- Enabled the firewall
marc@server:~$ sudo ufw enable
- I added some rules to test my webserver
marc@server:~$ sudo ufw allow from 127.0.0.0/8 to any app 'Nginx Full' marc@server:~$ sudo ufw allow from 192.168.0.0/16 to any app 'Nginx Full'
Webserver
The webserver Nginx is installed already and it must be visitable locally due to the firewall rules. It should show "Welcome to nginx!"- Created web dir and a PHP file
marc@server:~$ sudo mkdir -p /var/www/com/example/www marc@server:~$ sudo chown marc:marc /var/www/com/example/www marc@server:~$ echo '' > /var/www/com/example/www/index.php
- Created config file and enabled it
marc@server:~$ sudo vi /etc/nginx/sites-available/com.example-zzz i server { server_name *.example.com; rewrite ^ $scheme://example.com$request_uri permanent; } server { root /var/www/com/example/www; index index.php index.html index.htm; server_name example.com location ~ \.php(/.*)?$ { fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; include fastcgi_params; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info; } } <Esc> :wq marc@server:~$ cd /etc/nginx/sites-enabled/ marc@server:sites-enabled$ sudo ln -s /etc/nginx/sites-available/com.example-zzz marc@server:sites-enabled$ cd marc@server:~$ sudo service nginx reload
- http://example.com/ is visitable now if the DNS or your
/etc/hosts
file points to your servers IP address.
Admin site
Created an admin site for phpMyAdmin and other admin pages.- Created the dir
marc@server:~$ sudo mkdir -p /var/www/admin
- Added the sections below to /etc/nginx/sites-available/default
location /nginx_status { stub_status on; access_log off; allow 127.0.0.0/8; allow 192.168.0.0/16; deny all; } location /admin/ { alias /var/www/admin/; index index.html index.htm index.php; autoindex on; allow 127.0.0.0/8; allow 192.168.0.0/16; deny all; } location ~ ^(/admin/.*\.php)(/.*)?$ { alias /var/www$1; fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info; include fastcgi_params; }
- Reloaded Nginx config
marc@server:~$ sudo service nginx reload
- Created phpinfo script
marc@server:~$ sudo bash -c 'echo "" > /var/www/admin/phpinfo.php'
- Installed phpMyAdmin
marc@server:~$ wget -O phpMyAdmin-3.5.0-all-languages.tar.bz2 'http://downloads.sourceforge.net/project/phpmyadmin/phpMyAdmin/3.5.0/phpMyAdmin-3.5.0-all-languages.tar.bz2?r=http%3A%2F%2Fwww.phpmyadmin.net%2Fhome_page%2Fdownloads.php&ts=1334868700&use_mirror=ignum' marc@server:~$ tar -xjvf phpMyAdmin-3.5.0-all-languages.tar.bz2 marc@server:~$ sudo mv phpMyAdmin-3.5.0-all-languages /var/www/admin/.phpMyAdmin-3.5.0-all-languages marc@server:~$ cd /var/www/admin/ marc@server:admin$ sudo ln -s .phpMyAdmin-3.5.0-all-languages/ pma marc@server:admin$ cd marc@server:~$ rm phpMyAdmin-3.5.0-all-languages.tar.bz2
- phpMyAdmin should work now on http://server/pma/. Login with the MySQL credentials and follow the phpMyAdmin instructions
Exim
I have configured exim4 because it does not send email by default. And I want to get at least some alerts from my server.- Called config util
marc@server:~$ sudo dpkg-reconfigure exim4-config
And answered the questions:- internet site; email is sent and received using SMTP
- mail name: server.example.com
- only listen for local connections
- accept email for: server.example.com
- forward email for domains: example.com
- forward email for systems: 127.0.0.0/8
- no minimal DNS requests
- deliver local email in mbox-format
- no splitting of config file
Munin
To avoid munin is creating graphs every 5 minutes (produces high load on my old, tiny server) I produced them on demand. If you want to see the graphs then you have to wait some seconds, but it keeps your server fast. I have used a munin wiki page to find out how to configure this in nginx.- Set graph strategy and configured email
marc@server:~$ sudo vi /etc/munin/munin.conf /^#graph_strategy cgi x /^#cgiurl_graph x /#contact\. $ a <Enter> contact.marc.command mail -s "Munin notification" marc@example.com contact.marc.max_messages 5 <Esc> :wq
- Installed spawn-fcgi and the Perl CGI::Fast module
marc@server:~$ sudo apt-get install spawn-fcgi libcgi-fast-perl
- Added fastCGI process to startup
marc@server:~$ sudo vi /etc/rc.local /^exit k $ a <Enter> spawn-fcgi -s /var/run/munin/munin-fastcgi-graph.sock -U www-data -u munin -g munin /usr/lib/cgi-bin/munin-cgi-graph <Esc> :wq
- Added the sections below to /etc/nginx/sites-available/default
location ^~ /cgi-bin/munin-cgi-graph/ { fastcgi_split_path_info ^(/cgi-bin/munin-cgi-graph)(.*); fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_pass unix:/var/run/munin/munin-fastcgi-graph.sock; include fastcgi_params; }
- Published munin pages on a web readable location
marc@server:~$ sudo ln -s /var/cache/munin/www/ /var/www/admin/munin
- Reloaded nginx
marc@server:~$ sudo service nginx reload
- Enabled nginx and other useful plugins
marc@server:~$ sudo ln -s /usr/share/munin/plugins/nginx_* /etc/munin/plugins/ marc@server:~$ sudo ln -s /usr/share/munin/plugins/mysql_* /etc/munin/plugins/ marc@server:~$ sudo ln -s /usr/share/munin/plugins/users /etc/munin/plugins/ marc@server:~$ sudo ln -s /usr/share/munin/plugins/libvirt_* /etc/munin/plugins/ marc@server:~$ sudo service munin-node restart
Finally...
Remember to make your site world-visitable if you have finished setting up your PHP sitemarc@server:~$ sudo ufw allow from any to any app 'Nginx Full' marc@server:~$ sudo ufw delete allow from 127.0.0.0/8 to any app 'Nginx Full' marc@server:~$ sudo ufw delete allow from 192.168.0.0/16 to any app 'Nginx Full'