ISPConfig 3 (nginx)


This section walks you through the setup of a working ISPConfig 3 (nginx) VM. It is based on The Perfect Server - Debian Wheezy (nginx, BIND, Dovecot, ISPConfig 3) tutorial.

We assume that, prior to starting this section, you already have a Debian-Wheezy XVA template available. Please refer to this wiki article in case you do not have it yet…



> xe vm-import filename=/root/XVAs/DebianWheezy-7.5.xva

VM renaming and resource allocation

Once imported, we rename the VM and change its memory allocation.

From XOA interface:

  • Rename VM: ISPConfig-3-nginx
  • Allocate 4GB RAM

Virtual network interface (vif) association

From Dom0 CLI:
Then we re-allocate the vif (virtual network interface) and link it to a specified MAC address given by the provider for the targeted FO IP (mac=02:00:00:84:fb:29).

> xe vm-list
> xe network-list
> xe vif-list vm-name-label=ISPConfig-3-nginx --minimal
<vif-uuid>
> xe vif-destroy uuid=<vif-uuid>
> xe vif-create vm-uuid=<ispconfig-vm-uuid> network-uuid=<ntwrk-uuid> device=0 mac="02:00:00:84:fb:29"

Change the host name

> nano /etc/hostname
> nano /etc/hosts


Update sources


Make sure that your sources list contains the wheezy-updates repository (this makes sure you always get the newest updates for the ClamAV virus scanner - this project publishes releases very often, and sometimes old versions stop working).

To keep things clean, we'll add a file in the /etc/apt/sources.list.d directory containing our additional sources references:

> mkdir -p /etc/apt/sources.list.d
> nano /etc/apt/sources.list.d/wheezy-updates.list

Change The Default Shell


/bin/sh is a symlink to /bin/dash; however, we need /bin/bash, not /bin/dash (if you don't do this, the ISPConfig installation will fail). Therefore we do this:

> dpkg-reconfigure dash

SELECT: NO

Synchronize the System Clock


> apt-get install ntp ntpdate

Install Postfix, Dovecot, MySQL, phpMyAdmin, rkhunter, binutils


This is achieved in a single command:

> apt-get install postfix postfix-mysql postfix-doc mysql-client mysql-server openssl getmail4 rkhunter binutils dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve sudo

You'll have to answer a few questions during installation:

  • General type of mail configuration: Internet Site
  • System mail name: server1.example.com
  • New password for the MySQL “root” user: yourrootsqlpassword
  • Repeat password for the MySQL “root” user: yourrootsqlpassword

Postfix


Next open the TLS/SSL and submission ports in Postfix:

> nano /etc/postfix/master.cf

Uncomment the submission and smtps sections as follows (leave the -o milter_macro_daemon_name=ORIGINATING lines commented out, as we don't need them):

...
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
...

Restart Postfix:

> service postfix restart
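A way to check the edited master.cf before relying on it, as an added example in Python (not part of the original page or of Postfix): it parses the file the way Postfix reads logical lines and reports any submission or smtps override from the excerpt above that is missing. The function names and the SAMPLE text are assumptions made for this illustration.

```python
import re

# Overrides the master.cf excerpt above sets on each service.
AUTH = {"smtpd_sasl_auth_enable": "yes",
        "smtpd_client_restrictions": "permit_sasl_authenticated,reject"}
REQUIRED = {"submission": dict(AUTH, smtpd_tls_security_level="encrypt"),
            "smtps": dict(AUTH, smtpd_tls_wrappermode="yes")}

# Constructed sample: the two stanzas as shown in the excerpt above.
SAMPLE = """\
submission inet n       -       -       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       -       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
#  -o milter_macro_daemon_name=ORIGINATING
"""


def parse_master_cf(text):
    """Return {service: {option: value}} for the active inet entries."""
    services, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # Postfix ignores blank lines and comment lines
        if not line[0].isspace():  # a new logical line starts in column one
            fields = line.split()
            current = fields[0] if fields[1:2] == ["inet"] else None
            if current:
                services[current] = {}
        if current:  # indented lines continue the previous active entry
            services[current].update(re.findall(r"-o\s+(\w+)=(\S+)", line))
    return services


def audit(text):
    """List each required override that is missing or set differently."""
    found = parse_master_cf(text)
    return [f"{svc}: expected {key}={val}"
            for svc, wanted in REQUIRED.items()
            for key, val in wanted.items()
            if found.get(svc, {}).get(key) != val]
```

Because comment lines are skipped, leaving the `smtps` service line commented while its indented `-o` lines are uncommented attaches those overrides to the `submission` entry above it; the parser reproduces that behaviour, so `audit()` reports the smtps overrides as missing.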

MySQL


MySQL should listen on all interfaces, not just localhost, therefore we edit /etc/mysql/my.cnf and comment out the line bind-address = 127.0.0.1, then restart the service:

> nano /etc/mysql/my.cnf

LINE 47: #bind-address           = 127.0.0.1

> service mysql restart

Check networking is enabled:

> netstat -tap | grep mysql
tcp        0      0 *:mysql                 *:*                     LISTEN      27358/mysqld


> apt-get install amavisd-new spamassassin clamav clamav-daemon zoo unzip bzip2 arj nomarch lzop cabextract apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl

ISPConfig 3 setup uses amavisd which loads the SpamAssassin filter library internally, so we can stop SpamAssassin to free up some RAM:

> service spamassassin stop
> update-rc.d -f spamassassin remove


nginx


> apt-get install nginx
> service nginx start

php-fpm


> apt-get install php5-fpm

php complementary packages


> apt-get install php5-mysql php5-curl php5-gd php5-intl php-pear php5-imagick php5-imap php5-mcrypt php5-memcache php5-memcached php5-ming php5-ps php5-pspell php5-recode php5-snmp php5-sqlite php5-tidy php5-xmlrpc php5-xsl memcached

php.ini


> nano /etc/php5/fpm/php.ini

...
cgi.fix_pathinfo=0
...
date.timezone="Europe/Brussels"
...

> service php5-fpm reload

Available timezones can be found in the /usr/share/zoneinfo directory and its subdirectories.

fcgiwrap


To get CGI support in nginx, we install Fcgiwrap.

> apt-get install fcgiwrap 

Multiple php versions


In case you'd like to be able to select a different PHP version for each site, read How To Use Multiple PHP Versions (PHP-FPM & FastCGI) With ISPConfig 3 (Debian Wheezy)



phpMyAdmin


> apt-get install phpmyadmin

You'll have to answer 2 questions during the installation process:

  • Web server to reconfigure automatically: none (because only apache2 and lighttpd are available as options)
  • Configure database for phpmyadmin with dbconfig-common? No

PhpMyAdmin files are located in /usr/share/phpmyadmin/

The ISPConfig apps vhost on port 8081 for nginx comes with a phpMyAdmin configuration, so you can use http://server1.example.com:8081/phpmyadmin or http://server1.example.com:8081/phpMyAdmin to access phpMyAdmin.

For more info regarding nginx configuration for PhpMyAdmin see point 12.2 of this page in the perfect server guide.

Mailman


ISPConfig (3.0.4+) lets you manage (create/modify/delete) Mailman mailing lists. If you want to make use of this feature, install Mailman as follows:

> apt-get install mailman

Select at least one language, say OK when it says the site list is missing.
If you need a different set of languages at a later time, just run dpkg-reconfigure mailman.

> newlist mailman
  • Enter the email of the person running the list: admin email address, e.g. listadmin@example.com
  • Initial mailman password: admin password for the mailman list
> nano /etc/aliases

ADD:
## mailman mailing list
mailman:              "|/var/lib/mailman/mail/mailman post mailman"
mailman-admin:        "|/var/lib/mailman/mail/mailman admin mailman"
mailman-bounces:      "|/var/lib/mailman/mail/mailman bounces mailman"
mailman-confirm:      "|/var/lib/mailman/mail/mailman confirm mailman"
mailman-join:         "|/var/lib/mailman/mail/mailman join mailman"
mailman-leave:        "|/var/lib/mailman/mail/mailman leave mailman"
mailman-owner:        "|/var/lib/mailman/mail/mailman owner mailman"
mailman-request:      "|/var/lib/mailman/mail/mailman request mailman"
mailman-subscribe:    "|/var/lib/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe:  "|/var/lib/mailman/mail/mailman unsubscribe mailman"

> newaliases

Restart Postfix, then start the Mailman daemon:

> service postfix restart
> service mailman start

For more info regarding nginx configuration for mailman see point 13 of this page in the perfect server guide.

PureFTPd And Quota


> apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool

Edit /etc/default/pure-ftpd-common to make sure that the start mode is set to standalone and set VIRTUALCHROOT=true

> nano /etc/default/pure-ftpd-common

...
STANDALONE_OR_INETD=standalone
...
VIRTUALCHROOT=true
...

To allow FTP and TLS sessions:

> echo 1 > /etc/pure-ftpd/conf/TLS

In order to use TLS, we must create an SSL certificate. Let's create it in /etc/ssl/private/, creating the directory first:

> mkdir -p /etc/ssl/private/

Then, we generate the SSL certificate as follows:

> openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

Fill in all the requested information…

Change the permissions of the SSL certificate, and restart PureFTPd:

> chmod 600 /etc/ssl/private/pure-ftpd.pem
> service pure-ftpd-mysql restart

Edit /etc/fstab, adding ,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 to the partition with the mount point /:

> nano /etc/fstab

UUID=1d269e64-420e-47e1-84fc-c8f0b14c1345 /               ext4    errors=remount-ro,usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 0       1

To enable quota, run these commands:

> mount -o remount /
> quotacheck -avugm
> quotaon -avug

BIND DNS Server


> apt-get install bind9 dnsutils

Vlogger, Webalizer, And AWstats


> apt-get install vlogger webalizer awstats geoip-database libclass-dbi-mysql-perl
> nano /etc/cron.d/awstats

# Comment out everything in that file!

Jailkit


Jailkit is needed only if you want to chroot SSH users. It must be installed before ISPConfig - it cannot be installed afterwards!

> apt-get install build-essential autoconf automake1.9 libtool flex bison debhelper binutils-gold
> cd /tmp
> wget http://olivier.sessink.nl/jailkit/jailkit-2.15.tar.gz
> tar xvfz jailkit-2.15.tar.gz
> cd jailkit-2.15
> ./debian/rules binary
> cd ..
> dpkg -i jailkit_2.15-1_*.deb
> rm -rf jailkit-2.15*

fail2ban


> apt-get install fail2ban

To have fail2ban monitor PureFTPd and Dovecot, create (or edit) the file /etc/fail2ban/jail.local:

> nano /etc/fail2ban/jail.local

[pureftpd]
enabled  = true
port     = ftp
filter   = pureftpd
logpath  = /var/log/syslog
maxretry = 3

[dovecot-pop3imap]
enabled = true
filter = dovecot-pop3imap
action = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
logpath = /var/log/mail.log
maxretry = 5

[sasl]
enabled  = true
port     = smtp
filter   = sasl
logpath  = /var/log/mail.log
maxretry = 3

Create two more files:

> nano /etc/fail2ban/filter.d/pureftpd.conf

[Definition]
failregex = .*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*
ignoreregex =

> nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf

[Definition]
failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
ignoreregex =

Finally, restart fail2ban:

> /etc/init.d/fail2ban restart
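To see what the two filters above actually catch, the following added example (Python, not part of the original page or of fail2ban) runs both failregex values over constructed log lines and counts failures per host against the jail's maxretry. It assumes a simplified stand-in for fail2ban's `<HOST>` tag and ignores findtime; the function names and all log lines are made up for the illustration.

```python
import re

# failregex values copied from the two filter files above.
PUREFTPD = r".*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*"
DOVECOT = (r"(?: pop3-login|imap-login): .*(?:Authentication failure"
           r"|Aborted login \(auth failed|Aborted login \(tried to use disabled"
           r"|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts)"
           r".*rip=(?P<host>\S*),.*")

# Constructed log lines using documentation-range addresses, not real traffic.
SYSLOG = [
    "Jun 10 12:00:01 server1 pure-ftpd: (?@203.0.113.7) [WARNING] Authentication failed for user [bob]",
] * 3 + [
    "Jun 10 12:00:09 server1 pure-ftpd: (?@203.0.113.8) [WARNING] Authentication failed for user [eve]",
    "Jun 10 12:00:12 server1 pure-ftpd: (bob@203.0.113.8) [INFO] bob is now logged in",
]
MAIL_LOG = [
    "Jun 10 12:01:00 server1 dovecot: imap-login: Disconnected (auth failed, 2 attempts): user=<alice>, method=PLAIN, rip=198.51.100.9, lip=192.0.2.10",
] * 5 + [
    "Jun 10 12:02:00 server1 dovecot: pop3-login: Aborted login (auth failed, 1 attempts): user=<bob>, method=PLAIN, rip=198.51.100.20, lip=192.0.2.10",
    "Jun 10 12:03:00 server1 dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.55, lip=192.0.2.10, mpid=4242",
]


def compile_failregex(expr):
    # Assumption: <HOST> is approximated by a plain named group; fail2ban's
    # own substitution is stricter about what it accepts as a host.
    return re.compile(expr.replace("<HOST>", r"(?P<host>[\w.:-]+)"))


def failures(lines, expr):
    """Count matching lines per captured host."""
    rx, counts = compile_failregex(expr), {}
    for line in lines:
        match = rx.search(line)
        if match:
            host = match.group("host")
            counts[host] = counts.get(host, 0) + 1
    return counts


def would_ban(lines, expr, maxretry):
    """Hosts whose failure count reaches maxretry (findtime is ignored)."""
    return sorted(h for h, n in failures(lines, expr).items() if n >= maxretry)
```

On the server itself, the `fail2ban-regex` tool shipped with fail2ban performs the same kind of check against the real log file and filter file.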

SquirrelMail


This has not been done here. For reference, see this page of The Perfect Server - Debian Wheezy site.



Although Apache should not be present in this configuration, make sure it's not running in case it was installed without you knowing about it, then remove its startup link:

> service apache2 stop
> update-rc.d -f apache2 remove

Make sure nginx is running:

> service nginx restart

Install ISPConfig 3 from the latest released version

> cd /tmp
> wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
> tar xfz ISPConfig-3-stable.tar.gz
> cd ispconfig3_install/install/

We need php5-cli to be able to execute php from the command line, then launch the ISPConfig install script:

> apt-get install php5-cli
> php -q install.php

Follow the instructions and… You'll soon have access to the ISPConfig interface.



You might want to save the configured ISPConfig VM for later use. Refer to this explanation to see how to do this.