====== ISPConfig 3 (nginx) ======
----
This section walks you through the setup of a working ISPConfig 3 (nginx) VM; it is based on the [[http://www.howtoforge.com/perfect-server-debian-wheezy-nginx-bind-dovecot-ispconfig-3|The Perfect Server - Debian Wheezy (nginx, BIND, Dovecot, ISPConfig 3)]] tutorial.
We assume that, before starting this section, you already have a Debian Wheezy XVA template available; refer to [[http://wiki.strategicz.com/vhyper/doku.php?id=hypervisor:basestack:domu#creating_a_pv_vm_from_template|this wiki article]] if you do not have one yet.
----
===== Import and Configure Base VM System =====
----
> xe vm-import filename=/root/XVAs/DebianWheezy-7.5.xva
=== VM renaming and resource allocation ===
Once imported, we rename the VM and change its memory allocation.
**From XOA interface**:
* Rename VM: ISPConfig-3-nginx
* Allocate 4GB RAM
=== Virtual network interface (vif) association ===
**From Dom0 CLI**:\\
Then we re-create the vif (virtual network interface) and link it to the MAC address given by the provider for the targeted FO IP (mac=02:00:00:84:fb:29).
> xe vm-list
> xe network-list
> xe vif-list vm-name-label=ISPConfig-3-nginx --minimal
> xe vif-destroy uuid=
> xe vif-create vm-uuid= network-uuid= device=0 mac="02:00:00:84:fb:29"
=== Change the host name ===
> nano /etc/hostname
> nano /etc/hosts
----
===== ISPConfig Required Packages Installation & Config =====
----
==== Update sources ====
----
Make sure that your sources list contains the wheezy-updates repository (this makes sure you always get the newest updates for the ClamAV virus scanner - this project publishes releases very often, and sometimes old versions stop working).
To keep things clean, we'll add a file in the **/etc/apt/sources.list.d** directory containing our additional sources references:
> mkdir -p /etc/apt/sources.list.d
> nano /etc/apt/sources.list.d/wheezy-updates.list
----
==== Change The Default Shell ====
----
/bin/sh is a symlink to /bin/dash; however, we need /bin/bash, not /bin/dash (if you skip this step, the ISPConfig installation will fail). Therefore we run:
> dpkg-reconfigure dash
SELECT: NO
----
==== Synchronize the System Clock ====
----
> apt-get install ntp ntpdate
----
==== Install Postfix, Dovecot, MySQL, phpMyAdmin, rkhunter, binutils ====
----
This is achieved in a single command:
> apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo
You'll have to answer a few questions during installation:
* General type of mail configuration: Internet Site
* System mail name: server1.example.com
* New password for the MySQL "root" user: yourrootsqlpassword
* Repeat password for the MySQL "root" user: yourrootsqlpassword
==== Postfix ====
----
Next open the TLS/SSL and submission ports in Postfix:
> nano /etc/postfix/master.cf
Uncomment the submission and smtps sections as follows (the ''-o'' lines must stay indented; leave -o milter_macro_daemon_name=ORIGINATING commented out, as we don't need it):
...
submission inet n - - - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps inet n - - - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
...
Restart Postfix:
> service postfix restart
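To verify the edit rather than eyeball it, the following added example (not part of the original wiki page or of Postfix) parses a master.cf and reports any of the two services that is still commented out or is missing the TLS/SASL overrides listed above; the sample master.cf inside it is constructed.

```python
# Overrides the tutorial enables on each service; anything else is a finding.
AUTH_ONLY = {"smtpd_sasl_auth_enable": "yes",
             "smtpd_client_restrictions": "permit_sasl_authenticated,reject"}
REQUIRED = {"submission": dict(AUTH_ONLY, smtpd_tls_security_level="encrypt"),
            "smtps": dict(AUTH_ONLY, smtpd_tls_wrappermode="yes")}

def parse_master_cf(text):
    """Map each active service to its '-o' overrides. A service line has 8
    columns (name type private unpriv chroot wakeup maxproc command); indented
    '-o key=value' lines belong to the service above. Commented lines are
    skipped, so a service that is still commented out is simply absent."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        cols = line.split()
        if cols[0] == "-o" and len(cols) > 1 and current is not None:
            key, _, value = cols[1].partition("=")
            services[current][key] = value
        elif len(cols) >= 8 and not line[0].isspace():
            current = cols[0]
            services[current] = {}
    return services

def missing_hardening(text, required=REQUIRED):
    """Return {service: [finding, ...]} for services absent or lacking overrides."""
    problems = {}
    services = parse_master_cf(text)
    for name, opts in required.items():
        if name not in services:
            problems[name] = ["service not enabled"]
            continue
        bad = ["%s=%s" % (k, v) for k, v in opts.items() if services[name].get(k) != v]
        if bad:
            problems[name] = bad
    return problems

# Constructed sample: submission is done, smtps is still commented out.
SAMPLE_MASTER_CF = """\
smtp       inet  n       -       -       -       -       smtpd
submission inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#smtps     inet  n       -       -       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
pickup     fifo  n       -       -       60      1       pickup
"""
```

Run `missing_hardening(open("/etc/postfix/master.cf").read())` on the server; an empty dict means both services carry the expected overrides.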
==== MySQL ====
----
MySQL should listen on all interfaces, not just localhost; therefore we edit **/etc/mysql/my.cnf** and comment out the line bind-address = 127.0.0.1, then restart the service:
> nano /etc/mysql/my.cnf
LINE 47: #bind-address = 127.0.0.1
> service mysql restart
Check networking is enabled:
> netstat -tap | grep mysql
tcp 0 0 *:mysql *:* LISTEN 27358/mysqld
----
===== Install Amavisd-new, SpamAssassin, And Clamav =====
----
> apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
ISPConfig 3 setup uses amavisd which loads the SpamAssassin filter library internally, so we can stop SpamAssassin to free up some RAM:
> service spamassassin stop
> update-rc.d -f spamassassin remove
----
===== Install Nginx, PHP5 (PHP-FPM), And Fcgiwrap =====
----
==== nginx ====
----
> apt-get install nginx
> service nginx start
==== php-fpm ====
----
> apt-get install php5-fpm
==== php complementary packages ====
----
> apt-get install php5-mysql php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-memcached php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached
==== php.ini ====
----
> nano /etc/php5/fpm/php.ini
...
cgi.fix_pathinfo=0
...
date.timezone="Europe/Brussels"
...
> service php5-fpm reload
Available timezones can be found in the **/usr/share/zoneinfo** directory and its subdirectories.
==== fcgiwrap ====
----
To get CGI support in nginx, we install Fcgiwrap.
> apt-get install fcgiwrap
==== Multiple php versions ====
----
In case you'd like to be able to select a different PHP version for each site, read [[http://www.howtoforge.com/how-to-use-multiple-php-versions-php-fpm-and-fastcgi-with-ispconfig-3-debian-wheezy|How To Use Multiple PHP Versions (PHP-FPM & FastCGI) With ISPConfig 3 (Debian Wheezy)]].
----
===== Services =====
----
==== phpMyAdmin ====
----
> apt-get install phpmyadmin
You'll have to answer 2 questions during the installation process:\\
* Web server to reconfigure automatically: none (because only apache2 and lighttpd are available as options)
* Configure database for phpmyadmin with dbconfig-common? No
PhpMyAdmin files are located in **/usr/share/phpmyadmin/**
The ISPConfig apps vhost on port 8081 for nginx comes with a phpMyAdmin configuration, so you can use http://server1.example.com:8081/phpmyadmin or http://server1.example.com:8081/phpMyAdmin to access phpMyAdmin.
For more info regarding nginx configuration for PhpMyAdmin see point 12.2 of [[http://www.howtoforge.com/perfect-server-debian-wheezy-nginx-bind-dovecot-ispconfig-3-p4|this page in the perfect server guide]].
==== Mailman ====
----
ISPConfig (3.0.4+) allows you to manage (create/modify/delete) Mailman mailing lists. If you want to make use of this feature, install Mailman as follows:
> apt-get install mailman
Select at least one language, say OK when it says the site list is missing.\\
If you need a different set of languages at a later time, just run dpkg-reconfigure mailman.
> newlist mailman
* Enter the email of the person running the list: admin email address, e.g. listadmin@example.com
* Initial mailman password: admin password for the mailman list
> nano /etc/aliases
ADD:
## mailman mailing list
mailman: "|/var/lib/mailman/mail/mailman post mailman"
mailman-admin: "|/var/lib/mailman/mail/mailman admin mailman"
mailman-bounces: "|/var/lib/mailman/mail/mailman bounces mailman"
mailman-confirm: "|/var/lib/mailman/mail/mailman confirm mailman"
mailman-join: "|/var/lib/mailman/mail/mailman join mailman"
mailman-leave: "|/var/lib/mailman/mail/mailman leave mailman"
mailman-owner: "|/var/lib/mailman/mail/mailman owner mailman"
mailman-request: "|/var/lib/mailman/mail/mailman request mailman"
mailman-subscribe: "|/var/lib/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe: "|/var/lib/mailman/mail/mailman unsubscribe mailman"
> newaliases
Restart Postfix, then start the Mailman daemon:
> service postfix restart
> service mailman start
For more info regarding nginx configuration for mailman see point 13 of [[http://www.howtoforge.com/perfect-server-debian-wheezy-nginx-bind-dovecot-ispconfig-3-p4|this page in the perfect server guide]].
==== PureFTPd And Quota ====
----
> apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
Edit **/etc/default/pure-ftpd-common** to make sure that the start mode is set to standalone and that VIRTUALCHROOT=true:
> nano /etc/default/pure-ftpd-common
...
STANDALONE_OR_INETD=standalone
...
VIRTUALCHROOT=true
...
To allow both plain FTP and TLS sessions (the value 1 accepts both; 2 would require TLS):
> echo 1 > /etc/pure-ftpd/conf/TLS
In order to use TLS, we must create an SSL certificate. Let's create it in **/etc/ssl/private/**, creating the directory first:
> mkdir -p /etc/ssl/private/
Then, we generate the SSL certificate as follows:
> openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
Fill in the requested information.
Change the permissions of the SSL certificate, and restart PureFTPd:
> chmod 600 /etc/ssl/private/pure-ftpd.pem
> service pure-ftpd-mysql restart
Edit **/etc/fstab**, appending ,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 to the mount options of the partition with the mount point /:
> nano /etc/fstab
UUID=1d269e64-420e-47e1-84fc-c8f0b14c1345 / ext4 errors=remount-ro,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 0 1
To enable quota, run these commands:
> mount -o remount /
> quotacheck -avugm
> quotaon -avug
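Editing fstab by hand is error-prone; the following added example (not part of the original wiki page) applies the quota options above to the / entry idempotently, keeps column spacing and other entries intact, and reports which options are still missing. The fstab content inside it is a constructed sample; the UUID is a placeholder.

```python
import re

# Journaled-quota mount options the tutorial adds to the / entry in /etc/fstab.
QUOTA_OPTS = ("usrjquota=quota.user", "grpjquota=quota.group", "jqfmt=vfsv0")

# Groups: the first three columns with their spacing, the options column, the rest.
FSTAB_LINE = re.compile(r"^(\s*\S+\s+\S+\s+\S+\s+)(\S+)(.*)$")

def add_quota_options(fstab_text, mount_point="/", extra_opts=QUOTA_OPTS):
    """Return (new_text, changed): fstab_text with extra_opts appended to the
    options column of the entry for mount_point. Idempotent, so a second run
    adds nothing; comments, blank lines, spacing and other entries are untouched."""
    out, changed = [], False
    for line in fstab_text.splitlines():
        m = FSTAB_LINE.match(line)
        if line.lstrip().startswith("#") or m is None or line.split()[1] != mount_point:
            out.append(line)
            continue
        opts = m.group(2).split(",")
        missing = [o for o in extra_opts if o not in opts]
        if missing:
            changed = True
        out.append(m.group(1) + ",".join(opts + missing) + m.group(3))
    return "\n".join(out) + "\n", changed

def quota_options_missing(fstab_text, mount_point="/"):
    """Options from QUOTA_OPTS not yet set on mount_point; an empty list means
    the entry is ready for the remount/quotacheck/quotaon steps."""
    for line in fstab_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == mount_point and not fields[0].startswith("#"):
            return [o for o in QUOTA_OPTS if o not in fields[3].split(",")]
    return list(QUOTA_OPTS)  # no entry for mount_point at all

# Constructed sample fstab; the UUIDs are placeholders, not real volumes.
SAMPLE_FSTAB = """\
# /etc/fstab (constructed sample)
proc            /proc           proc    defaults          0       0
UUID=0000-root  /               ext4    errors=remount-ro 0       1
UUID=0000-swap  none            swap    sw                0       0
"""
```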
==== BIND DNS Server ====
----
> apt-get install bind9 dnsutils
==== Vlogger, Webalizer, And AWstats ====
----
> apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl
> nano /etc/cron.d/awstats
# Comment out everything in that file !
==== Jailkit ====
----
Jailkit is needed only if you want to chroot SSH users. It must be installed before ISPConfig - it cannot be installed afterwards!
> apt-get install build-essential autoconf automake1.9 libtool flex bison debhelper binutils-gold
> cd /tmp
> wget http://olivier.sessink.nl/jailkit/jailkit-2.15.tar.gz
> tar xvfz jailkit-2.15.tar.gz
> cd jailkit-2.15
> ./debian/rules binary
> cd ..
> dpkg -i jailkit_2.15-1_*.deb
> rm -rf jailkit-2.15*
==== fail2ban ====
----
> apt-get install fail2ban
To have fail2ban monitor PureFTPd and Dovecot, create (or edit) the file **/etc/fail2ban/jail.local**:
> nano /etc/fail2ban/jail.local
[pureftpd]
enabled = true
port = ftp
filter = pureftpd
logpath = /var/log/syslog
maxretry = 3
[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5
[sasl]
enabled = true
port = smtp
filter = sasl
logpath = /var/log/mail.log
maxretry = 3
Create the two filter files (the <HOST> tag, or an explicit (?P<host>...) group, marks where fail2ban reads the client address it will ban; without it the filter matches nothing):
> nano /etc/fail2ban/filter.d/pureftpd.conf
[Definition]
failregex = .*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*
ignoreregex =
> nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =
Finally, restart fail2ban:
> /etc/init.d/fail2ban restart
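The two filters are easy to get wrong (a stripped <HOST> tag or a log format change silently disables the jail), so here is an added example, not part of the original wiki page or of fail2ban, that applies the failregex values above to constructed syslog and mail.log lines the way fail2ban-regex would and counts hits per address against the jail's maxretry. The <HOST> expansion is the fail2ban 0.8-style one and is assumed here; the addresses are documentation ranges.

```python
import re

# fail2ban replaces <HOST> with a named group to learn which address to ban;
# a failregex without it never bans anything. 0.8-style expansion (assumed).
HOST_TAG_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The two failregex values from the filter files above.
PUREFTPD_FAILREGEX = (r".*pure-ftpd: \(.*@<HOST>\) \[WARNING\] "
                      r"Authentication failed for user.*")
DOVECOT_FAILREGEX = (r"(?: pop3-login|imap-login): .*(?:Authentication failure"
                     r"|Aborted login \(auth failed|Aborted login \(tried to use disabled"
                     r"|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts)"
                     r".*rip=(?P<host>\S*),.*")

def has_host_group(failregex):
    """True if fail2ban could extract an address from this failregex."""
    return "<HOST>" in failregex or "(?P<host>" in failregex

def failed_hosts(failregex, log_lines):
    """Addresses captured by failregex, one entry per matching log line."""
    rx = re.compile(failregex.replace("<HOST>", HOST_TAG_RE))
    return [m.group("host") for m in map(rx.search, log_lines) if m]

def ban_candidates(failregex, log_lines, maxretry):
    """Addresses with at least maxretry failures, as the jail's maxretry counts them."""
    counts = {}
    for host in failed_hosts(failregex, log_lines):
        counts[host] = counts.get(host, 0) + 1
    return sorted(h for h, n in counts.items() if n >= maxretry)

# Constructed sample log lines (documentation addresses, not real traffic).
SYSLOG_SAMPLE = [
    "Jun  1 12:00:00 server1 pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [bob]",
    "Jun  1 12:00:01 server1 pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [bob]",
    "Jun  1 12:00:02 server1 pure-ftpd: (?@203.0.113.5) [WARNING] Authentication failed for user [admin]",
    "Jun  1 12:00:03 server1 pure-ftpd: (?@192.0.2.9) [WARNING] Authentication failed for user [alice]",
    "Jun  1 12:00:04 server1 pure-ftpd: (?@192.0.2.9) [INFO] alice is now logged in",
]
MAILLOG_SAMPLE = [
    "Jun  1 12:00:10 server1 dovecot: imap-login: Disconnected (auth failed, 1 attempts): user=<alice>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.2, TLS",
    "Jun  1 12:00:11 server1 dovecot: pop3-login: Aborted login (auth failed, 2 attempts): user=<bob>, method=PLAIN, rip=198.51.100.7, lip=10.0.0.2",
    "Jun  1 12:00:12 server1 dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=203.0.113.44, lip=10.0.0.2, TLS",
]
```

On the server itself, `fail2ban-regex /var/log/syslog /etc/fail2ban/filter.d/pureftpd.conf` gives the authoritative answer; this script is for checking the expressions offline.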
==== SquirrelMail ====
----
This has not been done here; for reference, see [[http://www.howtoforge.com/perfect-server-debian-wheezy-nginx-bind-dovecot-ispconfig-3-p5|this page of The Perfect Server - Debian Wheezy site]].
----
===== Install ISPConfig 3 =====
----
Although Apache should not be present in this configuration, make sure it's not running in case it was installed without you knowing about it, then remove its startup link:
> service apache2 stop
> update-rc.d -f apache2 remove
Make sure nginx is running:
> service nginx restart
=== Install ISPConfig 3 from the latest released version ===
> cd /tmp
> wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
> tar xfz ISPConfig-3-stable.tar.gz
> cd ispconfig3_install/install/
We need php5-cli to be able to execute php from the command line, then launch the ISPConfig install script:
> apt-get install php5-cli
> php -q install.php
Follow the on-screen instructions; you'll soon have access to the ISPConfig interface.
----
===== Create an xva Appliance =====
----
You might want to save the configured ISPConfig VM for later use; refer to [[http://wiki.strategicz.com/vhyper/doku.php?id=hypervisor:basestack:domu#create_template_and_appliance|this explanation]] to see how to do this.