ISPConfig 3 (nginx)
This section walks you through the setup of a working ISPConfig 3 (nginx) VM. It is based on The Perfect Server - Debian Wheezy (nginx, BIND, Dovecot, ISPConfig 3) tutorial.
We assume that, prior to starting this section, you already have a Debian-Wheezy XVA template available. If you do not have it yet, please refer to this wiki article.
Import and Configure Base VM System
> xe vm-import filename=/root/XVAs/DebianWheezy-7.5.xva
VM renaming and resource allocation
Once imported, we rename the VM and change its memory allocation.
From XOA interface:
- Rename VM: ISPConfig-3-nginx
- Allocate 4GB RAM
Virtual network interface (vif) association
From Dom0 CLI:
Then we re-allocate the vif (virtual network interface) and link it to a specified MAC address given by the provider for the targeted FO IP (mac=02:00:00:84:fb:29).
> xe vm-list
> xe network-list
> xe vif-list vm-name-label=ISPConfig-3-nginx --minimal
<vif-uuid>
> xe vif-destroy uuid=<vif-uuid>
> xe vif-create vm-uuid=<ispconfig-vm-uuid> network-uuid=<ntwrk-uuid> device=0 mac="02:00:00:84:fb:29"
Change the host name
> nano /etc/hostname
> nano /etc/hosts
ISPConfig Required Packages Installation & Config
Update sources
Make sure that your sources list contains the wheezy-updates repository (this makes sure you always get the newest updates for the ClamAV virus scanner - this project publishes releases very often, and sometimes old versions stop working).
To keep things clean, we'll add a file in the /etc/apt/sources.list.d directory containing our additional sources references:
> mkdir -p /etc/apt/sources.list.d
> nano /etc/apt/sources.list.d/wheezy-updates.list
Change The Default Shell
/bin/sh is a symlink to /bin/dash, however we need /bin/bash, not /bin/dash (if you don't do this the ISPConfig installation will fail). Therefore we do this:
> dpkg-reconfigure dash
SELECT: NO
Synchronize the System Clock
> apt-get install ntp ntpdate
Install Postfix, Dovecot, MySQL, phpMyAdmin, rkhunter, binutils
This is achieved in a single command:
> apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo
You'll have to answer a few questions during installation:
- General type of mail configuration: Internet Site
- System mail name: server1.example.com
- New password for the MySQL “root” user: yourrootsqlpassword
- Repeat password for the MySQL “root” user: yourrootsqlpassword
Postfix
Next open the TLS/SSL and submission ports in Postfix:
> nano /etc/postfix/master.cf
Uncomment the submission and smtps sections as follows (leave the -o milter_macro_daemon_name=ORIGINATING lines commented out, as we don't need them):
...
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
...
Restart Postfix:
> service postfix restart
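A common slip in this step is to uncomment a service line but leave some of its -o overrides commented, so the port opens without the TLS and SASL restrictions. The following check is an added example, not part of the original tutorial; the function names and the sample file are constructed for illustration.

```shell
# Added example: audit the submission/smtps overrides in a Postfix master.cf (file in $1,
# or stdin). Returns 0 only if both services are enabled with every required -o active.
check_master_cf() {
    awk '
    BEGIN {
        common = "smtpd_sasl_auth_enable=yes smtpd_client_restrictions=permit_sasl_authenticated,reject"
        need["submission"] = "smtpd_tls_security_level=encrypt " common
        need["smtps"]      = "smtpd_tls_wrappermode=yes " common
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }   # Postfix ignores comment and blank lines
    /^[^ \t]/ {                         # a non-indented line starts a new service entry
        svc = ($2 == "inet" && ($1 in need)) ? $1 : ""; if (svc != "") seen[svc] = 1
    }
    svc != "" {                         # collect -o name=value; a later one overrides
        for (i = 1; i < NF; i++)
            if ($i == "-o" && (eq = index($(i + 1), "=")) > 0)
                val[svc, substr($(i + 1), 1, eq - 1)] = substr($(i + 1), eq + 1)
    }
    END {
        bad = 0; n = split("submission smtps", order, " ")
        for (k = 1; k <= n; k++) {
            s = order[k]; miss = ""
            if (!(s in seen)) { print s ": service not enabled"; bad = 1; continue }
            m = split(need[s], opts, " ")
            for (j = 1; j <= m; j++) {
                eq = index(opts[j], "=")
                if (val[s, substr(opts[j], 1, eq - 1)] != substr(opts[j], eq + 1))
                    miss = miss " " opts[j]
            }
            if (miss == "") print s ": ok"
            else { print s ": missing" miss; bad = 1 }
        }
        exit bad
    }' "$@"
}
# Constructed sample: submission is complete, smtps has only its service line uncommented.
sample_master_cf() {
    cat <<'EOF'
submission inet n       -       -       -       -       smtpd
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
#  -o smtpd_tls_wrappermode=yes
#  -o smtpd_sasl_auth_enable=yes
EOF
}
sample_master_cf | check_master_cf || echo "master.cf needs fixing before the restart"
```

On the server itself, run it as check_master_cf /etc/postfix/master.cf before restarting Postfix.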
MySQL
MySQL should listen on all interfaces, not just localhost, therefore we edit /etc/mysql/my.cnf and comment out the line bind-address = 127.0.0.1, then restart the service:
> nano /etc/mysql/my.cnf
LINE 47: #bind-address = 127.0.0.1
> service mysql restart
Check networking is enabled:
> netstat -tap | grep mysql
tcp        0      0 *:mysql                 *:*                     LISTEN      27358/mysqld
Install Amavisd-new, SpamAssassin, And Clamav
> apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl
ISPConfig 3 setup uses amavisd which loads the SpamAssassin filter library internally, so we can stop SpamAssassin to free up some RAM:
> service spamassassin stop
> update-rc.d -f spamassassin remove
Install Nginx, PHP5 (PHP-FPM), And Fcgiwrap
nginx
> apt-get install nginx
> service nginx start
php-fpm
> apt-get install php5-fpm
php complementary packages
> apt-get install php5-mysql php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-memcached php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached
php.ini
> nano /etc/php5/fpm/php.ini
...
cgi.fix_pathinfo=0
...
date.timezone="Europe/Brussels"
...
> service php5-fpm reload
Available timezones can be found in the /usr/share/zoneinfo directory and its subdirectories.
fcgiwrap
To get CGI support in nginx, we install Fcgiwrap.
> apt-get install fcgiwrap
Multiple php versions
In case you'd like to be able to select a different PHP version for each site, read How To Use Multiple PHP Versions (PHP-FPM & FastCGI) With ISPConfig 3 (Debian Wheezy).
Services
phpMyAdmin
> apt-get install phpmyadmin
You'll have to answer 2 questions during the installation process:
- Web server to reconfigure automatically: none (because only apache2 and lighttpd are available as options)
- Configure database for phpmyadmin with dbconfig-common? No
PhpMyAdmin files are located in /usr/share/phpmyadmin/
The ISPConfig apps vhost on port 8081 for nginx comes with a phpMyAdmin configuration, so you can use http://server1.example.com:8081/phpmyadmin or http://server1.example.com:8081/phpMyAdmin to access phpMyAdmin.
For more info regarding nginx configuration for PhpMyAdmin see point 12.2 of this page in the perfect server guide.
Mailman
ISPConfig (3.0.4+) allows you to manage (create/modify/delete) Mailman mailing lists. If you want to make use of this feature, install Mailman as follows:
> apt-get install mailman
Select at least one language, say OK when it says the site list is missing.
If you need a different set of languages at a later time, just run dpkg-reconfigure mailman.
> newlist mailman
- Enter the email of the person running the list: admin email address, e.g. listadmin@example.com
- Initial mailman password: admin password for the mailman list
> nano /etc/aliases
ADD:
## mailman mailing list
mailman:              "|/var/lib/mailman/mail/mailman post mailman"
mailman-admin:        "|/var/lib/mailman/mail/mailman admin mailman"
mailman-bounces:      "|/var/lib/mailman/mail/mailman bounces mailman"
mailman-confirm:      "|/var/lib/mailman/mail/mailman confirm mailman"
mailman-join:         "|/var/lib/mailman/mail/mailman join mailman"
mailman-leave:        "|/var/lib/mailman/mail/mailman leave mailman"
mailman-owner:        "|/var/lib/mailman/mail/mailman owner mailman"
mailman-request:      "|/var/lib/mailman/mail/mailman request mailman"
mailman-subscribe:    "|/var/lib/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe:  "|/var/lib/mailman/mail/mailman unsubscribe mailman"
> newaliases
Restart Postfix, then start the Mailman daemon:
> service postfix restart > service mailman start
For more info regarding nginx configuration for mailman see point 13 of this page in the perfect server guide.
PureFTPd And Quota
> apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
Edit /etc/default/pure-ftpd-common to make sure that the start mode is set to standalone and set VIRTUALCHROOT=true
> nano /etc/default/pure-ftpd-common
...
STANDALONE_OR_INETD=standalone
...
VIRTUALCHROOT=true
...
To allow FTP and TLS sessions:
> echo 1 > /etc/pure-ftpd/conf/TLS
In order to use TLS, we must create an SSL certificate. Let's create it in /etc/ssl/private/, creating the directory first:
> mkdir -p /etc/ssl/private/
Then, we generate the SSL certificate as follows:
> openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
Fill all requested information…
Change the permissions of the SSL certificate, and restart PureFTPd:
> chmod 600 /etc/ssl/private/pure-ftpd.pem
> service pure-ftpd-mysql restart
Edit /etc/fstab, adding ,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 to the partition with the mount point /:
> nano /etc/fstab
UUID=1d269e64-420e-47e1-84fc-c8f0b14c1345 / ext4 errors=remount-ro,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 0 1
To enable quota, run these commands:
> mount -o remount /
> quotacheck -avugm
> quotaon -avug
BIND DNS Server
> apt-get install bind9 dnsutils
Vlogger, Webalizer, And AWstats
> apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl
> nano /etc/cron.d/awstats
# Comment out everything in that file!
Jailkit
Jailkit is needed only if you want to chroot SSH users. It must be installed before ISPConfig - it cannot be installed afterwards!
> apt-get install build-essential autoconf automake1.9 libtool flex bison debhelper binutils-gold
> cd /tmp
> wget http://olivier.sessink.nl/jailkit/jailkit-2.15.tar.gz
> tar xvfz jailkit-2.15.tar.gz
> cd jailkit-2.15
> ./debian/rules binary
> cd ..
> dpkg -i jailkit_2.15-1_*.deb
> rm -rf jailkit-2.15*
fail2ban
> apt-get install fail2ban
To have fail2ban monitor PureFTPd and Dovecot, create (or edit) the file /etc/fail2ban/jail.local:
> nano /etc/fail2ban/jail.local
[pureftpd]
enabled  = true
port     = ftp
filter   = pureftpd
logpath  = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled  = true
filter   = dovecot-pop3imap
action   = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath  = /var/log/mail.log
maxretry = 5

[sasl]
enabled  = true
port     = smtp
filter   = sasl
logpath  = /var/log/mail.log
maxretry = 3
Create two more files:
> nano /etc/fail2ban/filter.d/pureftpd.conf
[Definition]
failregex = .*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*
ignoreregex =
> nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf
[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =
Finally, restart fail2ban:
> /etc/init.d/fail2ban restart
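The jail.local above enables three jails, while only two filter files are created by hand; a jail whose filter file or log file is missing will not ban anything. The following consistency check is an added example, not part of the original tutorial; the function names and the temporary demo tree are constructed, and in the demo the sasl filter is deliberately absent to show the failing case.

```shell
# Added example: for every enabled jail in a jail.local ($1), check that its filter file
# (in filter.d directory $2) and its log file exist. Returns 1 if anything is missing.
check_jails() {
    rc=0
    jails=$(awk '
        function emit() { if (name != "" && c["enabled"] == "true") print name, c["filter"], c["logpath"] }
        /^[ \t]*[#;]/ { next }                        # comment lines
        /^[ \t]*\[/ { emit(); name = $0; gsub(/[^A-Za-z0-9_.-]/, "", name)
                      c["enabled"] = ""; c["filter"] = "-"; c["logpath"] = "-"; next }
        (eq = index($0, "=")) > 0 {                   # key = value, split at the first "="
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if ((k in c) && v != "") c[k] = v
        }
        END { emit() }' "$1")
    while read -r name filter logpath; do
        [ -n "$name" ] || continue
        f=ok; l=ok
        [ -e "$2/$filter.conf" ] || [ -e "$2/$filter.local" ] || { f=MISSING; rc=1; }
        [ -e "$logpath" ] || { l=MISSING; rc=1; }
        echo "$name filter=$filter:$f logpath=$logpath:$l"
    done <<EOF
$jails
EOF
    return $rc
}

# Constructed demo tree: the two filters created above exist, "sasl" does not.
demo_jails() {
    d=$(mktemp -d) && mkdir "$d/filter.d" && touch "$d/syslog" "$d/mail.log" \
        "$d/filter.d/pureftpd.conf" "$d/filter.d/dovecot-pop3imap.conf"
    cat > "$d/jail.local" <<EOF
[pureftpd]
enabled = true
filter = pureftpd
logpath = $d/syslog
[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
logpath = $d/mail.log
[sasl]
enabled = true
filter = sasl
logpath = $d/mail.log
EOF
    check_jails "$d/jail.local" "$d/filter.d"; r=$?; rm -rf "$d"; return $r
}
demo_jails || echo "at least one jail cannot work as configured"
```

On the server itself, run it as check_jails /etc/fail2ban/jail.local /etc/fail2ban/filter.d.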
SquirrelMail
This has not been done here. For reference, see this page of The Perfect Server - Debian Wheezy site…
Install ISPConfig 3
Although Apache should not be present in this configuration, make sure it's not running in case it was installed without you knowing about it, then remove its startup link:
> service apache2 stop
> update-rc.d -f apache2 remove
Make sure nginx is running:
> service nginx restart
Install ISPConfig 3 from the latest released version
> cd /tmp
> wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
> tar xfz ISPConfig-3-stable.tar.gz
> cd ispconfig3_install/install/
We need php5-cli to be able to execute php from the command line, then launch the ISPConfig install script:
> apt-get install php5-cli
> php -q install.php
Follow the instructions and… You'll soon have access to the ISPConfig interface.
Create an xva Appliance
You might want to save the ISPConfig configured VM for later use. Refer to this explanation to see how to do this.