Being Linux admin – setting up virtual servers and Samba


I’m now programming casino and poker related sites in Malta. First of all, the in-house CMS solution we use for our sites is tightly connected to the use of virtual servers in Apache. So first up was trying to implement that without using some admin tool like Plesk or cPanel.

Note that all of the content below applies to Ubuntu; it might work slightly differently on other Linux flavors.

A very good write up (but in Swedish) can be found here. In fact it’s so good I’ll try and recap it in English (the following is especially for Debian/Ubuntu).

<VirtualHost *>
  ServerAdmin webmaster@andreasolsson.se
 
  ServerName www.andreasolsson.se
  ServerAlias andreasolsson.se
    
  DocumentRoot /home/andreas/www
  <Directory /home/andreas/www/>
     Options Indexes FollowSymLinks
     AllowOverride All
     Order allow,deny
     allow from all
  </Directory>

  ErrorLog /var/log/apache2/andreas_error.log
  LogLevel warn
  CustomLog /var/log/apache2/andreas_access.log combined

</VirtualHost>

This is the example configuration used on that page; it could be named /etc/apache2/sites-available/andreas, for instance.

Next we can activate the site with a2ensite andreas, add NameVirtualHost * in /etc/apache2/apache2.conf, and then run /etc/init.d/apache2 reload. That took care of the virtual servers.
———–
Update: I just had a problem with a setting in /etc/apache2/ports.conf: I had to change NameVirtualHost *:80 to simply NameVirtualHost * in order for the sites to work; they then have only * in the VirtualHost attribute/tag.
———–
Update: The NameVirtualHost magic didn’t work on my dev laptop for some reason; I had to remove it from the Apache config file and put www.domain.loc instead of the * in the VirtualHost tag.

You might also need to set the domain names in /etc/hosts and point them to 127.0.0.1.
———–
Update: Note the AllowOverride All above. You need that to make mod_rewrite work properly; setting it to None will stop the rewriting from working.

———–

Setting up mod_rewrite in Apache:

a2enmod rewrite

Add to /etc/apache2/apache2.conf:

Include /etc/phpmyadmin/apache.conf

<IfModule mod_rewrite.c>
RewriteEngine On
</IfModule>

That phpMyAdmin include is not needed for mod_rewrite of course but might be needed in order for phpMyAdmin to work correctly.

———–

Next up was being able to work with the projects through the network. The smorgasboard article took care of setting up the server to be found on the network. After that I had to set up auto-mounting it on startup; my own Linux page is a help there.

First create the .smbcredentials file looking like this:
username=MyUsername
password=MyPassword

Next set up the mount in /etc/fstab with the cifs example I have on the Linux page, using the above credentials file. You might need to install smbfs and whatnot to get this to work.
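The credentials file holds the share password in clear text, so it should be readable by its owner only. The following check is an added example, not part of the original post: it reads an fstab, finds the cifs entries and reports any credentials file that is missing or too open. The function name and the assumption that the fstab entry uses the credentials= mount option are mine.

```shell
#!/bin/sh
# Added example: find cifs mounts in an fstab whose credentials file is
# readable or writable by anyone other than its owner.

# audit_cifs_credentials FSTAB : print one line per problem, return 1 if any.
audit_cifs_credentials() {
    status=0
    # Field 3 is the filesystem type, field 4 the comma-separated options.
    for cred in $(awk '$1 !~ /^#/ && ($3 == "cifs" || $3 == "smbfs") {
                      n = split($4, opt, ",")
                      for (i = 1; i <= n; i++)
                          if (opt[i] ~ /^credentials=/)
                              print substr(opt[i], 13)
                  }' "$1"); do
        if [ ! -f "$cred" ]; then
            echo "missing: $cred"; status=1; continue
        fi
        mode=$(stat -c '%a' "$cred")      # GNU stat, prints e.g. 600 or 644
        case $mode in
            [0-7]00) ;;                   # owner-only access: fine
            *) echo "too open ($mode): $cred, fix with chmod 600"; status=1 ;;
        esac
    done
    return $status
}

# Typical use:
#   audit_cifs_credentials /etc/fstab
```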

That took care of that, my local environment completely set up. Being a Linux admin is a piece of cake!
———–
Update: I just had to set up a static IP for my local server, piece of cake. The working /etc/network/interfaces:

auto lo
iface lo inet loopback

iface eth0 inet static
address 192.168.2.198
netmask 255.255.255.0
gateway 192.168.2.1

auto eth0

The static IP we are after here is 192.168.2.198, the router’s IP is 192.168.2.1 in my case.

You also need to remove the normal manager as it might interfere with the settings: sudo apt-get remove network-manager network-manager-gnome

Then to get DNS to work you might have to add: nameserver ip.to.isp.dns in /etc/resolv.conf, don’t forget to do /etc/init.d/networking restart after you’ve set everything.
———–
Update: SSHing in and out of 3 different servers 5 times a day started being a pain, that pain has been greatly alleviated by adding key/value pairs to the remote servers as described here. SSHerminator is also a big help in managing it all. It can also be downloaded here. Thanks to erl for that one!
———–
Update: Setting up the domains so that other people using Vista can access them on the network works just like the advice on the /etc/hosts file above, the path to the Vista hosts file is C:\Windows\System32\drivers\etc.
———–
Update: I just realized I hadn’t set php_value session.cookie_domain in the .htaccess file properly, that needs to be done if you want cookie sessions to work, it needs to reflect the domain name you are accessing through, like this for instance: php_value session.cookie_domain .prodevtips.com
———–
Update: Fixing subdomains with BIND can be done by putting for instance db.mydomain.com in /var/cache/bind/, an example of what that file could look like:

$TTL 86400

mydomain.com. IN SOA ns1.mydomain.com. support.mydomain.com. (
	7 ; serial
	3H ; refresh
	1H ; retry
	1W ; expire
	1D ; ttl
)

; Name Servers
@	IN	NS	ns1.mydomain.com.
@	IN	NS	ns2.mydomain.com.

; MX Records
@	IN	MX	10	mail

; Address Records
@	IN	A	98.150.220.54
www	IN	A	98.150.220.54
ftp	IN	A	98.150.220.54
mail	IN	A	98.150.220.54
ns1	IN	A	98.150.220.54
ns2	IN	A	98.150.220.54
ubuntu	IN	A	98.150.220.54
*	IN	A	98.150.220.54

; Start custom entries
; End custom entries

Notice the * at the end; that is the one that enables, for instance, routing se.mydomain.com correctly to mydomain.com. At the moment that is what I want, I don’t want different folders for different subdomains. The PHP code will instead pick up the name the request was made with and act accordingly (use proper translation strings). Finally we restart with /etc/init.d/bind9 restart. Note that it might take a while before the routing has propagated far enough that it works for you (5-30min).
———–
Update: I just noticed that stuff I wanted to include in /opt/lib/ wasn’t being included properly. After reading this document I realized what the problem was, so now the open_basedir entry in the sites-enabled file looks like this:

php_admin_value open_basedir /opt/lib/:/tmp:/home/default/mysite.com

———–
Update: Setting up PDO and PDO mysql drivers on dapper drake with php 5.1.2 (as root/su), the guide has been ripped out of bhiv.com and www.buggy.id.au:
apt-get install php5-dev
apt-get install php5-pear
apt-get install libmysqlclient15-dev
pecl install pdo
wget http://pecl.php.net/get/PDO_MYSQL-1.0.2.tgz
tar zxvf PDO_MYSQL-1.0.2.tgz
cd PDO_MYSQL-1.0.2
phpize
nano configure

Comment out lines 4163-4173; they should look like this when you’re done:

...
   { (exit 1); exit 1; }; }
  fi
  #if test "x$is_it_shared" = "x" && test "x" != "xtrue"; then
   # { { echo "$as_me:$LINENO: error:
#You've configured extension pdo_mysql, which depends on extension pdo,
#but you've either not enabled pdo, or have disabled it.
#" >&5
#echo "$as_me: error:
#You've configured extension pdo_mysql, which depends on extension pdo,
#but you've either not enabled pdo, or have disabled it.
#" >&2;}
#   { (exit 1); exit 1; }; }
#  fi


  PDO_MYSQL_MODULE_TYPE=external
...

./configure
make
make install

add the lines:
extension=pdo.so
extension=pdo_mysql.so
to the very bottom of the files:
nano /etc/php/apache2/php.ini
nano /etc/php/cli/php.ini

/etc/init.d/apache2 restart
rm PDO_MYSQL-1.0.2.tgz
rm -rf PDO_MYSQL-1.0.2
———–
Installing bbcode:

apt-get install php-pear

pecl install bbcode

In php.ini:
1. Change the extension_dir to point to the dir where bbcode.so is or copy bbcode.so to the dir it’s pointing to.
2. Add extension=bbcode.so
———–
Update: Strange, I just had problems doing the pecl install bbcode command; I got phpize failed bla bla. Doing pecl download bbcode and then tar -zxvf bbcode-1.0.2.tgz followed by phpize, ./configure and make solved it; then just do 1 and 2 above and you’re set.
———–

Setting up SSL on Apache: There are three good articles for first setting up a certificate and then using it with apache. My own is here.

———–
Update: I just went through the procedure in 2012 through Thawte this time and the following things must be observed:
1.) To enable SANs, do as in this tutorial: copy the default config, add the settings from the tutorial to it, and then use the -config flag.
2.) Use 2048 instead of 1024.
3.) Do not leave the department/sub unit empty.
4.) Do not use a challenge phrase.
5.) It is somewhat ambiguous but the “your name” part in the openssl wizard refers to the domain you want as the main SAN, ie www.yourdomain.com, NOT your human name.
6.) Make sure that the certificates have pure ASCII encoding before you upload them.
7.) EV certs seem to be longer than SSL123 certs.
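
Points 1 to 6 carried through as a non-interactive request, added here as an example that is not taken from the post or from the tutorial it refers to. The domain names, the organisation fields, the file names and the function names are constructed placeholders.

```shell
#!/bin/sh
# Added example: OpenSSL request config with SANs, then a CSR made with -config.
# example.com, Example Ltd, IT and the file names are constructed placeholders.

# write_csr_config FILE CN [SAN...] : CN is the main domain, not a person's name.
write_csr_config() {
    cfg=$1; cn=$2; shift 2
    {
        printf '[ req ]\n'
        printf 'default_bits       = 2048\n'     # point 2: 2048, not 1024
        printf 'prompt             = no\n'       # no wizard, no challenge phrase
        printf 'distinguished_name = dn\n'
        printf 'req_extensions     = v3_req\n\n'
        printf '[ dn ]\n'
        printf 'C  = MT\nO  = Example Ltd\n'
        printf 'OU = IT\n'                       # point 3: unit not left empty
        printf 'CN = %s\n\n' "$cn"               # point 5: the main domain
        printf '[ v3_req ]\n'
        printf 'subjectAltName = @alt_names\n\n' # point 1: the SAN list
        printf '[ alt_names ]\n'
        i=1
        for name in "$cn" "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$cfg"
}

# make_csr CFG KEY CSR : new 2048-bit key (owner-readable only) plus the CSR.
make_csr() {
    ( umask 077 && openssl genrsa -out "$2" 2048 ) 2>/dev/null || return 1
    openssl req -new -key "$2" -config "$1" -out "$3"
}

# csr_sans CSR : print the DNS names the CSR requests, one per line.
csr_sans() {
    openssl req -in "$1" -noout -text |
        grep -o 'DNS:[^,]*' | sed 's/^DNS://' | tr -d ' '
}

# is_pure_ascii FILE : point 6, true if FILE has only ASCII text characters.
is_pure_ascii() {
    [ "$(LC_ALL=C tr -d '\11\12\15\40-\176' < "$1" | wc -c)" -eq 0 ]
}
```

Run write_csr_config req.cnf www.example.com example.com, then make_csr req.cnf server.key server.csr, and confirm with csr_sans server.csr that every name you need is in the request before sending it to the CA.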
———–

Now my ports.conf looks like this:

NameVirtualHost *:80
Listen 80

NameVirtualHost *:443
Listen 443

To set up SSL on a server with several different IPs, mapping different IPs to different domains, I have a common.conf looking like this:

NameVirtualHost domainip1:80
NameVirtualHost domainip2:443
NameVirtualHost domainip2:80

Ports.conf looks like this:

Listen 80
Listen 443

And the virtual hosts file of the domain that will use SSL:

<VirtualHost domainip2:443>
        ServerName domain2.com
        ServerAlias www.domain2.com
        ServerAdmin webmaster@domain2.com
        DocumentRoot /home/default/domain2.com/user/htdocs

        SSLEngine on
       #SSLOptions +StrictRequire
        SSLCertificateFile /etc/ssl/certs/main_cert.crt
        SSLCertificateKeyFile /etc/ssl/private/server.key
        #SSLCertificateChainFile /etc/ssl/certs/main_intermediate.crt
        SSLCACertificateFile /etc/ssl/certs/main_intermediate.crt

        ErrorLog /home/default/domain2.com/user/logfiles/error_log
        TransferLog /home/default/domain2.com/user/logfiles/access_log
        php_admin_value open_basedir /opt/lib/:/tmp:/home/default/domain2.com
        ScriptAlias /cgi-bin/ /home/default/domain2.com/user/htdocs/cgi-bin/
        AddHandler server-parsed .shtml
        AddType text/html .shtml
        <Location />
                Options +Includes
        </Location>
# Begin user directives <--
# --> End user directives
</VirtualHost>

<VirtualHost domainip2:80>
        ServerName domain2.com
        ServerAlias www.domain2.com
        ServerAdmin webmaster@domain2.com
        DocumentRoot /home/default/domain2.com/user/htdocs
        ErrorLog /home/default/domain2.com/user/logfiles/error_log
        TransferLog /home/default/domain2.com/user/logfiles/access_log
        php_admin_value open_basedir /opt/lib/:/tmp:/home/default/domain2.com
        ScriptAlias /cgi-bin/ /home/default/domain2.com/user/htdocs/cgi-bin/
        AddHandler server-parsed .shtml
        AddType text/html .shtml
        <Location />
                Options +Includes
        </Location>
# Begin user directives <--
# --> End user directives
</VirtualHost>

Note how SSLOptions and SSLCertificateChainFile are commented out in my case; you might have to uncomment one or both and comment out SSLCertificateChainFile, depending on your Apache version and configuration.

If you have a Verisign certificate you can test it here.

And in the .htaccess file of the domain:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

The site in question is only to be accessed through SSL but allowing it to be accessed through port 80 too seems to be a requirement for the http to https rewrite to work.

——-

Setting up phpMyAdmin:
1.) Add Include /etc/phpmyadmin/apache.conf to apache2.conf
2.) ln -s /usr/share/phpmyadmin /dir/where/the/www/root/is

——-

How to redirect mail via bind:

; MX Rec
yourdomain.com. IN MX 100 mail.yourdomain.com.
yourdomain.com. IN MX 20 mail-anotherdomain.com.
yourdomain.com. IN MX 50 mail-anotherdomain.com.

——-

To fix OOM killer crashes, put the following in /etc/sysctl.conf (original article here):

vm.overcommit_memory = 2
vm.overcommit_ratio = 80

——

To add a lot of IP numbers without messing with the interfaces file put one IP number on each row in say ips.txt and run this:

for ip in $(<ips.txt); do ip addr add "$ip/32" dev eth0; done

——

To prevent brute-force attacks against a range of IPs from throttling you out of SSH access (you get remote: ssh_exchange_identification: Connection closed by remote host all the time):

Add the IPs you want sshd to listen on to /etc/ssh/sshd_config like this:

ListenAddress 54.45.45.32
ListenAddress 54.45.45.35

Do service ssh restart and netstat -tulpn | grep :22 to check that all is well.
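
A scripted form of that final check, added here as an example that is not part of the original post: it compares the ListenAddress lines in sshd_config with the sockets netstat reports for sshd, so a leftover wildcard listener on 0.0.0.0:22 is caught. The function names are mine, and it assumes IPv4 ListenAddress values written without a port.

```shell
#!/bin/sh
# Added example: confirm sshd listens only on the configured ListenAddress IPs.

# configured_addrs CONFIG : print ListenAddress values (IPv4, no port), sorted.
configured_addrs() {
    awk 'tolower($1) == "listenaddress" { print $2 }' "$1" | sort -u
}

# listening_addrs : read `netstat -tulpn` output on stdin and print the local
# IPs of TCP sockets in LISTEN state that are owned by sshd on port 22, sorted.
listening_addrs() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" && $7 ~ /\/sshd/ && $4 ~ /:22$/ {
             sub(/:22$/, "", $4); print $4 }' | sort -u
}

# check_ssh_listeners CONFIG : netstat output on stdin. Returns 0 when the two
# sets match; otherwise prints both sets and returns 1.
check_ssh_listeners() {
    want=$(configured_addrs "$1")
    have=$(listening_addrs)
    [ "$want" = "$have" ] && return 0
    echo "configured: $(echo $want)"
    echo "listening:  $(echo $have)"
    return 1
}

# Typical use on the server (as root, so netstat can show process names):
#   netstat -tulpn | check_ssh_listeners /etc/ssh/sshd_config
```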


