Cheap VPS & Xen Server


Residential Proxy Network - Hourly & Monthly Packages

The Perfect Server – OpenSUSE 12.3 x86_64 (nginx, Dovecot, ISPConfig 3)


This tutorial shows how to prepare an OpenSUSE 12.3 64bit (x86_64) server with nginx for the installation of ISPConfig 3, and how to install ISPConfig 3. Since version 3.0.4, ISPConfig comes with full support for the nginx web server in addition to Apache, and this tutorial covers the setup of a server that uses nginx instead of Apache. ISPConfig 3 is a webhosting control panel that allows you to configure the following services through a web browser: nginx and Apache web server, Postfix mail server, MySQL, Dovecot POP3/IMAP, BIND or MyDNS nameserver, PureFTPd, SpamAssassin, ClamAV, and many more.

If you want to use nginx instead of Apache with ISPConfig, please note that your nginx version must be at least 0.8.21, and you must install PHP-FPM as well. For CGI/Perl support, you must use fcgiwrap. This is all covered by this tutorial.

I will use the following software:

  • Web Server: nginx with PHP 5
  • Database Server: MySQL
  • Mail Server: Postfix with virtual users
  • DNS Server: BIND
  • FTP Server: pureftpd
  • POP3/IMAP: Dovecot
  • Webalizer and AWStats for web site statistics

In the end you should have a system that works reliably and is easily manageable with the ISPConfig 3 control panel. The following guide is for the 64bit version of OpenSUSE.

I want to say first that this is not the only way of setting up such a system. There are many ways of achieving this goal but this is the way I take. I do not issue any guarantee that this will work for you!

Notice: This guide is for ISPConfig 3.0.4 or newer. It is not suitable for ISPConfig 2.x!

 

1 Requirements

To install such a system you will need the following:

  • The OpenSUSE 12.3 DVD. You can download it here: http://download.opensuse.org/distribution/12.3/iso/openSUSE-12.3-DVD-x86_64.iso
  • A fast Internet connection…

 

2 Preliminary Note

In this tutorial I use the hostname server1.example.com with the IP address 192.168.2.249 and the gateway 192.168.2.254. These settings might differ for you, so you have to replace them where appropriate.

 

3 The Base System

Boot from your OpenSUSE 12.3 DVD and select Installation:

1

Select your language, keyboard layout and accept the license terms:

2

The installer analyzes your hardware and builds the software repository cache:

Select New Installation:

3

Select the region and timezone:

4

We select Other > Minimal Server Selection (Text Mode) here as we want to install a server without X-Window desktop. The X-Window system is not necessary to run the server and would slow down the system. We will do all administration tasks on the shell or through an SSH connection, e.g. via PuTTY from a remote desktop.

5

Click on Edit Partition Setup… to change the proposed partitions. As this is a server setup, we need a large /srv partition instead of the /home partition:

6

Select /dev/sda3 and click on Edit & Change the Mount Point to /srv and click on Finish:

6

8

Click on Accept:

9

Click on Next:

10

Now I create a user named administrator. You may use any username you like. Make sure that you disable the Automatic Login checkbox for this user. The password that you enter here will be used as the root password:

11

The installer shows an overview of the selected install options. Scroll down to the Firewall and SSH section and enable SSH…

12

… and then disable the firewall (ISPConfig 3 comes with its own firewall):

13

Click on Install to start the installation process and Confirm that you want to start the installation::

14

The installer formats the hard disk, installs the software packages and prepares the system configuration for the first boot:

15

After the basic installation is finished, the system will do an automatic reboot & the automatic configuration starts right after the system has rebooted:

17

Now log in with the username root and the password that you selected during the installation.

4 Configure The Network Settings

We use Yast, the OpenSuSE system management tool to reconfigure the network card settings. After the first boot, the system is configured to get the IP address with DHCP. For a server we will switch it to a static IP address.

Run

yast2

Select Network Devices > Network Settings:

20

Select your network card and then Edit:

21

Select Statically assigned IP Address and enter the IP address, subnet mask and hostname and save the changes by selecting Next:

23

Now select Hostname/DNS and enter the hostname (e.g. server1.example.com) and nameservers (e.g. 192.168.1.200 and 8.8.8.8):

DNS

Now select Routing and enter the default gateway and hit OK:

23

To configure the firewall (in case you didn’t configure it during the basic installation), select Security and Users > Firewall in Yast:

25

I want to install ISPConfig at the end of this tutorial which comes with its own firewall. That’s why I disable the default OpenSUSE firewall now. Of course, you are free to leave it on and configure it to your needs (but then you shouldn’t use any other firewall later on as it will most probably interfere with the OpenSUSE firewall).

Select Disable Firewall Automatic Starting and Stop Firewall Now, then hit Next:

26

Hit Finish and leave Yast:

27

Afterwards, you should check with

ifconfig

if your network configuration is correct. If it isn’t (for example, if eth0 is missing), reboot the system…

reboot

… and check your network configuration again afterwards – it should now be correct.

 

5 Install Updates

Now we install the latest updates from the openSUSE repositories. Run

zypper update

And then reboot the server as you most likely installed some kernel updates, too:

reboot

 

6 Install Some Basic Packages

Run

zypper install findutils readline glibc-devel findutils-locate gcc flex lynx compat-readline4 db-devel wget gcc-c++ subversion make vim telnet cron iptables iputils man man-pages nano pico sudo perl-TimeDate

 

7 Journaled Quota

To install quota, run

zypper install quota

Edit /etc/fstab to look like this (I added ,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0 to the mountpoints / and /srv):

vi /etc/fstab

/dev/disk/by-id/ata-VBOX_HARDDISK_VB1d06c935-e9b5de19-part1 swap                 swap       defaults              0 0
/dev/disk/by-id/ata-VBOX_HARDDISK_VB1d06c935-e9b5de19-part2 /                    ext4       acl,user_xattr,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0        1 1
/dev/disk/by-id/ata-VBOX_HARDDISK_VB1d06c935-e9b5de19-part3 /srv                 ext4       acl,user_xattr,usrjquota=aquota.user,grpjquota=aquota.group,jqfmt=vfsv0        1 2
proc                 /proc                proc       defaults              0 0
sysfs                /sys                 sysfs      noauto                0 0
debugfs              /sys/kernel/debug    debugfs    noauto                0 0
usbfs                /proc/bus/usb        usbfs      noauto                0 0
devpts               /dev/pts             devpts     mode=0620,gid=5       0 0

Then run:

mount -o remount /
mount -o remount /srv

quotacheck -avugm
quotaon -avug

Dont be worried if you see these error messages – they are normal when you run quotacheck for the first time:

server1:~ # quotacheck -avugm
quotacheck: Scanning /dev/sda2 [/] done
quotacheck: Cannot stat old user quota file: No such file or directory
quotacheck: Cannot stat old group quota file: No such file or directory
quotacheck: Cannot stat old user quota file: No such file or directory
quotacheck: Cannot stat old group quota file: No such file or directory
quotacheck: Checked 3872 directories and 32991 files
quotacheck: Old file not found.
quotacheck: Old file not found.
quotacheck: Scanning /dev/sda3 [/srv] done
quotacheck: Cannot stat old user quota file: No such file or directory
quotacheck: Cannot stat old group quota file: No such file or directory
quotacheck: Cannot stat old user quota file: No such file or directory
quotacheck: Cannot stat old group quota file: No such file or directory
quotacheck: Checked 6 directories and 0 files
quotacheck: Old file not found.
quotacheck: Old file not found.
server1:~ #

8 Install Postfix, Dovecot, MySQL

Run

zypper install postfix postfix-mysql mysql-community-server libmysqlclient-devel dovecot21 dovecot21-backend-mysql pwgen cron python

If you get the following message, please select to uninstall sendmail:

Problem: sendmail-8.14.5-85.1.2.x86_64 conflicts with postfix provided by postfix-2.9.6-1.2.1.x86_64
Solution 1: Following actions will be done:
do not install postfix-2.9.6-1.2.1.x86_64
do not install postfix-mysql-2.9.6-1.2.1.x86_64
Solution 2: deinstallation of sendmail-8.14.5-85.1.2.x86_64

Choose from above solutions by number or cancel [1/2/c] (c):<– 2

Create the following symlink:

ln -s /usr/lib64/dovecot/modules /usr/lib/dovecot

At this point I had to reboot because otherwise MySQL refused to start with the error:

Failed to issue method call: Unit mysql.service failed to load: No such file or directory. See system logs and ‘systemctl status mysql.service’ for details.

reboot

Start MySQL, Postfix, and Dovecot and enable the services to be started at boot time.

systemctl enable mysql.service
systemctl start mysql.service

systemctl enable postfix.service
systemctl start postfix.service

systemctl enable dovecot.service
systemctl start dovecot.service

Now I install the getmail package:

zypper install getmail

To secure the MySQL installation, run:

mysql_secure_installation

Now you will be asked several questions:

server1:~ # mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MySQL
SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MySQL to secure it, we’ll need the current
password for the root user.  If you’ve just installed MySQL, and
you haven’t set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none): <– ENTER
OK, successfully used password, moving on…

Setting the root password ensures that nobody can log into the MySQL
root user without the proper authorisation.

Set root password? [Y/n] <– Y
New password: <– yourrootsqlpassword
Re-enter new password: <– yourrootsqlpassword
Password updated successfully!
Reloading privilege tables..
… Success!

By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] <– Y
 … Success!

Normally, root should only be allowed to connect from ‘localhost’.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] <– Y
… Success!

By default, MySQL comes with a database named ‘test’ that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] <– Y
 – Dropping test database…
… Success!
– Removing privileges on test database…
… Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] <– Y
 … Success!

Cleaning up…

All done!  If you’ve completed all of the above steps, your MySQL
installation should now be secure.

Thanks for using MySQL!

server1:~ #

Now your MySQL setup should be secured.

 

9 Amavisd-new, Spamassassin And Clamav

Install Amavisd-new, Spamassassin and Clamav antivirus. Run

zypper install amavisd-new clamav clamav-db zoo unzip unrar bzip2 unarj perl-DBD-mysql

Open /etc/amavisd.conf

vi /etc/amavisd.conf

… and add the $myhostname line with your correct hostname below the $mydomain line:

[...]
$mydomain = 'example.com';   # a convenient default for other settings
$myhostname = "server1.$mydomain";
[...]

Then create a symlink from /var/run/clamav/clamd to /var/lib/clamav/clamd-socket:

mkdir -p /var/run/clamav
ln -s /var/lib/clamav/clamd-socket /var/run/clamav/clamd

OpenSUSE 12.3 has a /run directory for storing runtime data. /run is now a tmpfs, and /var/run is now bind mounted to /run from tmpfs, and hence emptied on reboot.

This means that after a reboot, the directory /var/run/clamav that we have just created will not exist anymore, and therefore clamd will fail to start. Therefore we create the file /etc/tmpfiles.d/clamav.conf now that will create this directory at system startup (see http://0pointer.de/public/systemd-man/tmpfiles.d.html for more details):

vi /etc/tmpfiles.d/clamav.conf

D /var/run/clamav 0755 root root -

Before we start amavisd and clamd, we must edit the /etc/init.d/amavis init script – I wasn’t able to reliably start, stop and restart amavisd with the default init script:

vi /etc/init.d/amavis

Comment out the following lines in the start and stop section:

[...]
    start)
        # ZMI 20100428 check for stale pid file
        #if test -f $AMAVIS_PID ; then
        #       checkproc -p $AMAVIS_PID amavisd
        #       if test $? -ge 1 ; then
        #               # pid file is stale, remove it
        #               echo -n "(stale amavisd pid file $AMAVIS_PID found, removing. Did amavisd crash?)"
        #               rm -f $AMAVIS_PID
        #       fi
        #fi
        echo -n "Starting virus-scanner (amavisd-new): "
        $AMAVISD_BIN start
        #if ! checkproc amavisd; then
        #    rc_failed 7
        #fi
        rc_status -v
        #if [ "$AMAVIS_SENDMAIL_MILTER" == "yes" ]; then
        #    rc_reset
        #    echo -n "Starting amavis-milter:"
        #    startproc -u vscan $AMAVIS_MILTER_BIN -p $AMAVIS_MILTER_SOCK > /dev/null 2>&1
        #    rc_status -v
        #fi
        ;;
    stop)
        echo -n "Shutting down virus-scanner (amavisd-new): "
        #if checkproc amavisd; then
        #    rc_reset
            $AMAVISD_BIN stop
        #else
        #    rc_reset
        #fi
        rc_status -v
        #if [ "$AMAVIS_SENDMAIL_MILTER" == "yes" ]; then
        #    rc_reset
        #    echo -n "Shutting down amavis-milter: "
        #    killproc -TERM $AMAVIS_MILTER_BIN
        #    rc_status -v
        #fi
        ;;
[...]

Because we have changed the init script, we must run

systemctl –system daemon-reload

now.

To start clamav we need to download the database & proceed further with the command

freshclam

Note: It takes a lot of time to download the database, you are advised not to interrupt & do not stop the freshclam update service in between

To enable the services, run:

systemctl enable amavis.service
systemctl enable clamd.service
systemctl start amavis.service
systemctl start clamd.service

10 Install Nginx, PHP5 (PHP-FPM), And Fcgiwrap

Nginx is available as a package for OpenSUSE which we can install as follows:

zypper install nginx

If Apache2 is already installed on the system, stop it now…

systemctl stop apache2.service

… and remove Apache’s system startup links:

systemctl disable apache2.service

Then we create the system startup links for nginx and start it:

systemctl enable nginx.service
systemctl start nginx.service

(If both Apache2 and nginx are installed, the ISPConfig 3 installer will ask you which one you want to use – answer nginx in this case. If only one of these both is installed, ISPConfig will do the necessary configuration automatically.)

If you want to use IPv6 addresses with your nginx vhosts, please do the following before you create IPv6 vhosts in ISPConfig:

Open /etc/sysctl.conf

vi /etc/sysctl.conf

… and add the line net.ipv6.bindv6only = 1:

[...]
net.ipv6.bindv6only = 1

Run…

sysctl -p

… afterwards for the change to take effect.

We can make PHP5 work in nginx through PHP-FPM (PHP-FPM (FastCGI Process Manager) is an alternative PHP FastCGI implementation with some additional features useful for sites of any size, especially busier sites) which we install as follows:

zypper install php5-fpm

Before we start PHP-FPM, rename /etc/php5/fpm/php-fpm.conf.default to /etc/php5/fpm/php-fpm.conf:

mv /etc/php5/fpm/php-fpm.conf.default /etc/php5/fpm/php-fpm.conf

Change the permissions of PHP’s session directory:

chmod 1733 /var/lib/php5

Then open /etc/php5/fpm/php-fpm.conf

vi /etc/php5/fpm/php-fpm.conf

… and change error_log to /var/log/php-fpm.log:

[...]
error_log = /var/log/php-fpm.log
[...]

There’s no php.ini file for PHP-FPM under OpenSUSE 12.3, therefore we copy the CLI php.ini:

cp /etc/php5/cli/php.ini /etc/php5/fpm/

Next open /etc/php5/fpm/php.ini

vi /etc/php5/fpm/php.ini

… and set cgi.fix_pathinfo to 0:

[...]
; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI.  PHP's
; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok
; what PATH_INFO is.  For more information on PATH_INFO, see the cgi specs.  Setting
; this to 1 will cause PHP CGI to fix its paths to conform to the spec.  A setting
; of zero causes PHP to behave as before.  Default is 1.  You should fix your scripts
; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.
; http://php.net/cgi.fix-pathinfo
cgi.fix_pathinfo=0
[...]

Next create the system startup links for php-fpm and restart it:

systemctl enable php-fpm.service
systemctl restart php-fpm.service

PHP-FPM is a daemon process that runs a FastCGI server on port 9000, as you can see in the output of

netstat -tapn

server1:~ # netstat -tapn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:3310          0.0.0.0:*               LISTEN      10357/clamd
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      9869/dovecot
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      10521/nginx
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1275/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      9816/master
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN      10695/php-fpm.conf)
tcp        0      0 127.0.0.1:10024         0.0.0.0:*               LISTEN      10337/amavisd (mast
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      9694/mysqld
tcp        0      0 192.168.0.100:22        192.168.0.199:4630      ESTABLISHED 1332/0
tcp        0      0 :::22                   :::*                    LISTEN      1275/sshd
tcp        0      0 ::1:25                  :::*                    LISTEN      9816/master
server1:~ #

To get MySQL support in PHP, we can install the php5-mysql package. It’s a good idea to install some other PHP5 modules as well as you might need them for your applications:

zypper install php5-mysql php5-bcmath php5-bz2 php5-calendar php5-ctype php5-curl php5-dom php5-ftp php5-gd php5-gettext php5-gmp php5-iconv php5-imap php5-ldap php5-mbstring php5-mcrypt php5-odbc php5-openssl php5-pcntl php5-pgsql php5-posix php5-shmop php5-snmp php5-soap php5-sockets php5-sqlite php5-sysvsem php5-tokenizer php5-wddx php5-xmlrpc php5-xsl php5-zlib php5-exif php5-pear php5-sysvmsg php5-sysvshm

Now restart PHP-FPM:

systemctl restart php-fpm.service

To get CGI support in nginx, we install Fcgiwrap.

Fcgiwrap is a CGI wrapper that should work also for complex CGI scripts and can be used for shared hosting environments because it allows each vhost to use its own cgi-bin directory.

As there’s no fcgiwrap package for OpenSUSE, we must build it ourselves. First we install some prerequisites:

zypper install git patch automake glibc-devel gcc flex compat-readline4 db-devel wget gcc-c++ make vim libtool FastCGI-devel

Create the following symlinks:

ln -s /usr/include/fastcgi/fastcgi.h /usr/local/include/
ln -s /usr/include/fastcgi/fcgi_config.h /usr/local/include/
ln -s /usr/include/fastcgi/fcgi_stdio.h /usr/local/include/
ln -s /usr/include/fastcgi/fcgiapp.h /usr/local/include/
ln -s /usr/include/fastcgi/fcgimisc.h /usr/local/include/
ln -s /usr/include/fastcgi/fcgio.h /usr/local/include/
ln -s /usr/include/fastcgi/fcgios.h /usr/local/include/

Now we can build fcgiwrap as follows:

cd /usr/local/src/
git clone git://github.com/gnosek/fcgiwrap.git
cd fcgiwrap
autoreconf -i
./configure
make
make install

This installs fcgiwrap to /usr/local/sbin/fcgiwrap.

Next we install the spawn-fcgi package which allows us to run fcgiwrap as a daemon:

zypper install spawn-fcgi

We can now start fcgiwrap as follows:

spawn-fcgi -u wwwrun -g www -s /var/run/fcgiwrap.socket -S -M 0770 -F 1 -P /var/run/spawn-fcgi.pid — /usr/local/sbin/fcgiwrap

You should now find the fcgiwrap socket in /var/run/fcgiwrap.socket, owned by the user wwwrun and group www. We must now add the user nginx to the group www:

usermod -a -G www nginx

Reload nginx afterwards:

systemctl reload nginx.service

If you don’t want to start fcgiwrap manually each time you boot your system, open /etc/init.d/boot.local

vi /etc/init.d/boot.local

… and add the spawn-fcgi command at the end of the file – this will automatically start fcgiwrap at the end of the boot process:

[...]
/usr/bin/spawn-fcgi -u wwwrun -g www -s /var/run/fcgiwrap.socket -S -M 0770 -F 1 -P /var/run/spawn-fcgi.pid -- /usr/local/sbin/fcgiwrap

That’s it! Now when you create an nginx vhost, ISPConfig will take care of the correct vhost configuration.

 

10.1 Install phpMyAdmin

Next we install phpMyAdmin:

zypper install phpMyAdmin

As this installs Apache as a dependency, remove Apache’s system startup links:

systemctl disable apache2.service

phpMyAdmin is now located in the /srv/www/htdocs/phpMyAdmin directory, but we want it in the /usr/share/phpmyadmin/ directory, so we create a symlink:

ln -s /srv/www/htdocs/phpMyAdmin /usr/share/phpmyadmin

After you have installed ISPConfig 3, you can access phpMyAdmin as follows:

The ISPConfig apps vhost on port 8081 for nginx comes with a phpMyAdmin configuration, so you can use http://server1.example.com:8081/phpmyadmin or http://server1.example.com:8081/phpMyAdmin to access phpMyAdmin.

If you want to use a /phpmyadmin or /phpMyAdmin alias that you can use from your web sites, this is a bit more complicated than for Apache because nginx does not have global aliases (i.e., aliases that can be defined for all vhosts). Therefore you have to define these aliases for each vhost from which you want to access phpMyAdmin.

To do this, paste the following into the nginx Directives field on the Options tab of the web site in ISPConfig:

        location /phpmyadmin {
               root /usr/share/;
               index index.php index.html index.htm;
               location ~ ^/phpmyadmin/(.+\.php)$ {
                       try_files $uri =404;
                       root /usr/share/;
                       fastcgi_pass 127.0.0.1:9000;
                       fastcgi_index index.php;
                       fastcgi_param SCRIPT_FILENAME $request_filename;
                       include /etc/nginx/fastcgi_params;
                       fastcgi_param PATH_INFO $fastcgi_script_name;
                       fastcgi_buffer_size 128k;
                       fastcgi_buffers 256 4k;
                       fastcgi_busy_buffers_size 256k;
                       fastcgi_temp_file_write_size 256k;
                       fastcgi_intercept_errors on;
               }
               location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
                       root /usr/share/;
               }
        }
        location /phpMyAdmin {
               rewrite ^/* /phpmyadmin last;
        }

If you use https instead of http for your vhost, you should add the line fastcgi_param HTTPS on; to your phpMyAdmin configuration like this:

        location /phpmyadmin {
               root /usr/share/;
               index index.php index.html index.htm;
               location ~ ^/phpmyadmin/(.+\.php)$ {
                       try_files $uri =404;
                       root /usr/share/;
                       fastcgi_pass 127.0.0.1:9000;
                       fastcgi_param HTTPS on; # <-- add this line
                       fastcgi_index index.php;
                       fastcgi_param SCRIPT_FILENAME $request_filename;
                       include /etc/nginx/fastcgi_params;
                       fastcgi_param PATH_INFO $fastcgi_script_name;
                       fastcgi_buffer_size 128k;
                       fastcgi_buffers 256 4k;
                       fastcgi_busy_buffers_size 256k;
                       fastcgi_temp_file_write_size 256k;
                       fastcgi_intercept_errors on;
               }
               location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
                       root /usr/share/;
               }
        }
        location /phpMyAdmin {
               rewrite ^/* /phpmyadmin last;
        }

If you use both http and https for your vhost, you need to add the following section to the http {} section in /etc/nginx/nginx.conf (before any include lines) which determines if the visitor uses http or https and sets the $fastcgi_https variable (which we will use in our phpMyAdmin configuration) accordingly:

vi /etc/nginx/nginx.conf

[...]
http {
[...]
        ## Detect when HTTPS is used
        map $scheme $fastcgi_https {
          default off;
          https on;

        }
[...]
}
[...]

Don’t forget to reload nginx afterwards:

systemctl reload nginx.service

Then go to the nginx Directives field again, and instead of fastcgi_param HTTPS on; you add the line fastcgi_param HTTPS $fastcgi_https; so that you can use phpMyAdmin for both http and https requests:

        location /phpmyadmin {
               root /usr/share/;
               index index.php index.html index.htm;
               location ~ ^/phpmyadmin/(.+\.php)$ {
                       try_files $uri =404;
                       root /usr/share/;
                       fastcgi_pass 127.0.0.1:9000;
                       fastcgi_param HTTPS $fastcgi_https; # <-- add this line
                       fastcgi_index index.php;
                       fastcgi_param SCRIPT_FILENAME $request_filename;
                       include /etc/nginx/fastcgi_params;
                       fastcgi_param PATH_INFO $fastcgi_script_name;
                       fastcgi_buffer_size 128k;
                       fastcgi_buffers 256 4k;
                       fastcgi_busy_buffers_size 256k;
                       fastcgi_temp_file_write_size 256k;
                       fastcgi_intercept_errors on;
               }
               location ~* ^/phpmyadmin/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
                       root /usr/share/;
               }
        }
        location /phpMyAdmin {
               rewrite ^/* /phpmyadmin last;
        }

 

11 Install PureFTPd

Install the pure-ftpd FTP daemon. Run:

zypper install pure-ftpd

systemctl enable pure-ftpd.service
systemctl start pure-ftpd.service

Now we configure PureFTPd to allow FTP and TLS sessions. FTP is a very insecure protocol because all passwords and all data are transferred in clear text. By using TLS, the whole communication can be encrypted, thus making FTP much more secure.

OpenSSL is needed by TLS; to install OpenSSL, we simply run:

zypper install openssl

Open /etc/pure-ftpd/pure-ftpd.conf

vi /etc/pure-ftpd/pure-ftpd.conf

If you want to allow FTP and TLS sessions, set TLS to 1:

[...]
# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
#     including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.

TLS                      1
[...]

If you want to accept TLS sessions only (no FTP), set TLS to 2:

[...]
# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
#     including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.

TLS                      2
[...]

To not allow TLS at all (only FTP), set TLS to 0:

[...]
# This option can accept three values :
# 0 : disable SSL/TLS encryption layer (default).
# 1 : accept both traditional and encrypted sessions.
# 2 : refuse connections that don't use SSL/TLS security mechanisms,
#     including anonymous sessions.
# Do _not_ uncomment this blindly. Be sure that :
# 1) Your server has been compiled with SSL/TLS support (--with-tls),
# 2) A valid certificate is in place,
# 3) Only compatible clients will log in.

TLS                      0
[...]

In order to use TLS, we must create an SSL certificate. I create it in /etc/ssl/private/, therefore I create that directory first:

mkdir -p /etc/ssl/private/

Afterwards, we can generate the SSL certificate as follows:

openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem

Country Name (2 letter code) [AU]: <– Enter your Country Name (e.g., “DE”).
State or Province Name (full name) [Some-State]:
<– Enter your State or Province Name.
Locality Name (eg, city) []:
<– Enter your City.
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
<– Enter your Organization Name (e.g., the name of your company).
Organizational Unit Name (eg, section) []:
<– Enter your Organizational Unit Name (e.g. “IT Department”).
Common Name (eg, YOUR name) []:
<– Enter the Fully Qualified Domain Name of the system (e.g. “server1.example.com”).
Email Address []:
<– Enter your Email Address.

Change the permissions of the SSL certificate:

chmod 600 /etc/ssl/private/pure-ftpd.pem

Finally restart PureFTPd:

systemctl restart pure-ftpd.service

That’s it. You can now try to connect using your FTP client; however, you should configure your FTP client to use TLS – see the next chapter how to do this with FileZilla.

12 Install BIND

The BIND nameserver can be installed as follows:

zypper install bind

Create the BIND system startup links and start it:

systemctl enable named.service
systemctl start named.service

 

13 Install Webalizer And AWStats

Since ISPConfig 3 lets you choose if you want to use Webalizer or AWStats to create your web site statistics, we install both:

zypper install webalizer perl-Date-Manip

zypper install http://download.opensuse.org/repositories/network:/utilities/openSUSE_12.3/noarch/awstats-7.1.1-3.1.noarch.rpm

 

14 Install fail2ban

fail2ban can be installed as follows:

zypper install fail2ban

 

15 Install Jailkit

Jailkit can be installed like this:

zypper install http://download.opensuse.org/repositories/security/openSUSE_12.3/x86_64/jailkit-2.13-1.4.x86_64.rpm

 

16 Synchronize The System Clock

If you want to have the system clock synchronized with an NTP server do the following:

zypper install xntp

Then add system startup links for ntp and start ntp:

systemctl enable ntp.service
systemctl start ntp.service

 

17 Install rkhunter

rkhunter can be installed as follows:

zypper install rkhunter

 

18 Install SquirrelMail

To install the SquirrelMail webmail client, run:

zypper install http://download.opensuse.org/repositories/server:/php:/applications/openSUSE_12.3/noarch/squirrelmail-1.4.22-1.1.noarch.rpm

Then configure SquirrelMail:

/srv/www/htdocs/squirrelmail/config/conf.pl

We must tell SquirrelMail that we are using Dovecot:

SquirrelMail Configuration : Read: config.php (1.4.0)
———————————————————
Main Menu —
1.  Organization Preferences
2.  Server Settings
3.  Folder Defaults
4.  General Options
5.  User Interface
6.  Address Books
7.  Message of the Day (MOTD)
8.  Plugins
9.  Database
10. Language settings
11. Tweaks

D.  Set pre-defined settings for specific IMAP servers

C   Turn color on
S   Save data
Q   Quit

Command >> <– D

SquirrelMail Configuration : Read: config.php
———————————————————
While we have been building SquirrelMail, we have discovered some
preferences that work better with some servers that don’t work so
well with others.  If you select your IMAP server, this option will
set some pre-defined settings for that server.

Please note that you will still need to go through and make sure
everything is correct.  This does not change everything.  There are
only a few settings that this will change.

Please select your IMAP server:
bincimap    = Binc IMAP server
courier     = Courier IMAP server
cyrus       = Cyrus IMAP server
dovecot     = Dovecot Secure IMAP server
exchange    = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx      = Mac OS X Mailserver
mercury32   = Mercury/32
uw          = University of Washington’s IMAP server
gmail       = IMAP access to Google mail (Gmail) accounts

quit        = Do not change anything

Command >> <– dovecot

SquirrelMail Configuration : Read: config.php
———————————————————
While we have been building SquirrelMail, we have discovered some
preferences that work better with some servers that don’t work so
well with others.  If you select your IMAP server, this option will
set some pre-defined settings for that server.

Please note that you will still need to go through and make sure
everything is correct.  This does not change everything.  There are
only a few settings that this will change.

Please select your IMAP server:
bincimap    = Binc IMAP server
courier     = Courier IMAP server
cyrus       = Cyrus IMAP server
dovecot     = Dovecot Secure IMAP server
exchange    = Microsoft Exchange IMAP server
hmailserver = hMailServer
macosx      = Mac OS X Mailserver
mercury32   = Mercury/32
uw          = University of Washington’s IMAP server
gmail       = IMAP access to Google mail (Gmail) accounts

quit        = Do not change anything

Command >> dovecot

imap_server_type = dovecot
default_folder_prefix = <none>
trash_folder = Trash
sent_folder = Sent
draft_folder = Drafts
show_prefix_option = false
default_sub_of_inbox = false
show_contain_subfolders_option = false
optional_delimiter = detect
delete_folder = false
force_username_lowercase = true

Press enter to continue… <– ENTER

SquirrelMail Configuration : Read: config.php (1.4.0)
———————————————————
Main Menu —
1.  Organization Preferences
2.  Server Settings
3.  Folder Defaults
4.  General Options
5.  User Interface
6.  Address Books
7.  Message of the Day (MOTD)
8.  Plugins
9.  Database
10. Language settings
11. Tweaks

D.  Set pre-defined settings for specific IMAP servers

C   Turn color on
S   Save dataSw31QypH6CfMb
Q   Quit

Command >> <– S

SquirrelMail Configuration : Read: config.php (1.4.0)
———————————————————
Main Menu —
1.  Organization Preferences
2.  Server Settings
3.  Folder Defaults
4.  General Options
5.  User Interface
6.  Address Books
7.  Message of the Day (MOTD)
8.  Plugins
9.  Database
10. Language settings
11. Tweaks

D.  Set pre-defined settings for specific IMAP servers

C   Turn color on
S   Save data
Q   Quit

Command >> Ssystemctl reload nginx.service

Data saved in config.php

Done activating plugins; registration data saved in plugin_hooks.php

Press enter to continue… <– ENTER

SquirrelMail Configuration : Read: config.php (1.4.0)
———————————————————
Main Menu —
1.  Organization Preferences
2.  Server Settings
3.  Folder Defaults
4.  General Options
5.  User Interface
6.  Address Books
7.  Message of the Day (MOTD)
8.  Plugins
9.  Database
10. Language settings
11. Tweaks

D.  Set pre-defined settings for specific IMAP servers

C   Turn color on
S   Save data
Q   Quit

Command >> <– Q

SquirrelMail is located in the /srv/www/htdocs/squirrelmail directory, but we need it in the /usr/share/squirrelmail/ directory. Therefore we create a symlink:

ln -s /srv/www/htdocs/squirrelmail /usr/share/squirrelmail

In addition to that, we change the owner of the /srv/www/htdocs/squirrelmail/data/ directory to nobody:

chown nobody /srv/www/htdocs/squirrelmail/data/

After you have installed ISPConfig 3, you can access SquirrelMail as follows:

The ISPConfig apps vhost on port 8081 for nginx comes with a SquirrelMail configuration, so you can use http://server1.example.com:8081/squirrelmail or http://server1.example.com:8081/webmail to access SquirrelMail.

If you want to use a /webmail or /squirrelmail alias that you can use from your web sites, this is a bit more complicated than for Apache because nginx does not have global aliases (i.e., aliases that can be defined for all vhosts). Therefore you have to define these aliases for each vhost from which you want to access SquirrelMail.

To do this, paste the following into the nginx Directives field on the Options tab of the web site in ISPConfig:

        location /squirrelmail {
               root /usr/share/;
               index index.php index.html index.htm;
               location ~ ^/squirrelmail/(.+\.php)$ {
                       try_files $uri =404;
                       root /usr/share/;
                       fastcgi_pass 127.0.0.1:9000;
                       fastcgi_index index.php;
                       fastcgi_param SCRIPT_FILENAME $request_filename;
                       include /etc/nginx/fastcgi_params;
                       fastcgi_param PATH_INFO $fastcgi_script_name;
                       fastcgi_buffer_size 128k;
                       fastcgi_buffers 256 4k;
                       fastcgi_busy_buffers_size 256k;
                       fastcgi_temp_file_write_size 256k;
                       fastcgi_intercept_errors on;
               }
               location ~* ^/squirrelmail/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
                       root /usr/share/;
               }
        }
        location /webmail {
               rewrite ^/* /squirrelmail last;
        }

If you use https instead of http for your vhost, you should add the line fastcgi_param HTTPS on; to your SquirrelMail configuration like this:

        location /squirrelmail {
               root /usr/share/;
               index index.php index.html index.htm;
               location ~ ^/squirrelmail/(.+\.php)$ {
                       try_files $uri =404;
                       root /usr/share/;
                       fastcgi_pass 127.0.0.1:9000;
                       fastcgi_param HTTPS on; # <-- add this line
                       fastcgi_index index.php;
                       fastcgi_param SCRIPT_FILENAME $request_filename;
                       include /etc/nginx/fastcgi_params;
                       fastcgi_param PATH_INFO $fastcgi_script_name;
                       fastcgi_buffer_size 128k;
                       fastcgi_buffers 256 4k;
                       fastcgi_busy_buffers_size 256k;
                       fastcgi_temp_file_write_size 256k;
                       fastcgi_intercept_errors on;
               }
               location ~* ^/squirrelmail/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
                       root /usr/share/;
               }
        }
        location /webmail {
               rewrite ^/* /squirrelmail last;
        }

If you use both http and https for your vhost, you need to add the following section to the http {} section in /etc/nginx/nginx.conf (before any include lines) which determines if the visitor uses http or https and sets the $fastcgi_https variable (which we will use in our SquirrelMail configuration) accordingly:

vi /etc/nginx/nginx.conf

[...]
http {
[...]
        ## Detect when HTTPS is used
        map $scheme $fastcgi_https {
          default off;
          https on;

        }
[...]
}
[...]

Don’t forget to reload nginx afterwards:

systemctl reload nginx.service

Then go to the nginx Directives field again, and instead of fastcgi_param HTTPS on; you add the line fastcgi_param HTTPS $fastcgi_https; so that you can use SquirrelMail for both http and https requests:

        location /squirrelmail {
               root /usr/share/;
               index index.php index.html index.htm;
               location ~ ^/squirrelmail/(.+\.php)$ {
                       try_files $uri =404;
                       root /usr/share/;
                       fastcgi_pass 127.0.0.1:9000;
                       fastcgi_param HTTPS $fastcgi_https; # <-- add this line
                       fastcgi_index index.php;
                       fastcgi_param SCRIPT_FILENAME $request_filename;
                       include /etc/nginx/fastcgi_params;
                       fastcgi_param PATH_INFO $fastcgi_script_name;
                       fastcgi_buffer_size 128k;
                       fastcgi_buffers 256 4k;
                       fastcgi_busy_buffers_size 256k;
                       fastcgi_temp_file_write_size 256k;
                       fastcgi_intercept_errors on;
               }
               location ~* ^/squirrelmail/(.+\.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt))$ {
                       root /usr/share/;
               }
        }
        location /webmail {
               rewrite ^/* /squirrelmail last;
        }

 

19 ISPConfig 3

Before we install ISPConfig 3, make sure that the /var/vmail/ directory exists:

mkdir /var/vmail/

Before you start the ISPConfig installation, make sure that Apache is stopped (if it is installed – it is possible that some of your installed packages have installed Apache as a dependency without you knowing). If Apache2 is already installed on the system, stop it now…

systemctl stop apache2.service

… and remove Apache’s system startup links:

systemctl disable apache2.service

Make sure that nginx is running:

systemctl restart nginx.service

(If you have both Apache and nginx installed, the installer asks you which one you want to use: Apache and nginx detected. Select server to use for ISPConfig: (apache,nginx) [apache]:

Type nginx. If only Apache or nginx are installed, this is automatically detected by the installer, and no question is asked.)

Download the current ISPConfig 3 version and install it. The ISPConfig installer will configure all services like Postfix, Dovecot, etc. for you. A manual setup as required for ISPConfig 2 is not necessary anymore.

You now also have the possibility to let the installer create an SSL vhost for the ISPConfig control panel, so that ISPConfig can be accessed using https:// instead of http://. To achieve this, just press ENTER when you see this question: Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:.

cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/

Now start the installation process by executing:

php -q install.php

server1:/tmp/ispconfig3_install/install # php -q install.php

——————————————————————————–
_____ ___________   _____              __ _         ____
|_   _/  ___| ___ \ /  __ \            / _(_)       /__  \
| | \ `–.| |_/ / | /  \/ ___  _ __ | |_ _  __ _    _/ /
| |  `–. \  __/  | |    / _ \| ‘_ \|  _| |/ _` |  |_ |
_| |_/\__/ / |     | \__/\ (_) | | | | | | | (_| | ___\ \
\___/\____/\_|      \____/\___/|_| |_|_| |_|\__, | \____/
__/ |
|___/
——————————————————————————–

>> Initial configuration

Operating System: openSUSE or compatible, unknown version.

Following will be a few questions for primary configuration so be careful.
Default values are in [brackets] and can be accepted with <ENTER>.
Tap in “quit” (without the quotes) to stop the installer.

Select language (en,de) [en]: <– ENTER

Installation mode (standard,expert) [standard]: <– ENTER

Full qualified hostname (FQDN) of the server, eg server1.domain.tld  [server1.example.com]: <– ENTER

MySQL server hostname [localhost]: <– ENTER

MySQL root username [root]: <– ENTER

MySQL root password []: <– yourrootsqlpassword

MySQL database to create [dbispconfig]: <– ENTER

MySQL charset [utf8]: <– ENTER

Apache and nginx detected. Select server to use for ISPConfig: (apache,nginx) [apache]: <– nginx

20 Links
Generating a 2048 bit RSA private key
………………………………………………………………………..+++
…+++
writing new private key to ‘smtpd.key’
—–
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [AU]:
 <– ENTER
State or Province Name (full name) [Some-State]: <– ENTER
Locality Name (eg, city) []: <– ENTER
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <– ENTER
Organizational Unit Name (eg, section) []: <– ENTER
Common Name (eg, YOUR name) []: <– ENTER
Email Address []: <– ENTER
Configuring Jailkit
Configuring Dovecot
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring Pureftpd
Configuring BIND
Configuring nginx
Configuring Vlogger
Configuring Apps vhost
Configuring Bastille Firewall
Configuring Fail2ban
Installing ISPConfig
ISPConfig Port [8080]:
 <– ENTER

Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]: <– ENTER

Generating RSA private key, 4096 bit long modulus
.++
……………++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [AU]:
 <– ENTER
State or Province Name (full name) [Some-State]: <– ENTER
Locality Name (eg, city) []: <– ENTER
Organization Name (eg, company) [Internet Widgits Pty Ltd]: <– ENTER
Organizational Unit Name (eg, section) []: <– ENTER
Common Name (eg, YOUR name) []: <– ENTER
Email Address []: <– ENTER

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
 <– ENTER
An optional company name []: <– ENTER
writing RSA key
Configuring DBServer
Installing ISPConfig crontab
no crontab for root
no crontab for getmail
Restarting services …
redirecting to systemctl
redirecting to systemctl
redirecting to systemctl
redirecting to systemctl
redirecting to systemctl
redirecting to systemctl
redirecting to systemctl
redirecting to systemctl
redirecting to systemctl
Installation completed.
server1:/tmp/ispconfig3_install/install #

Clean up the /tmp directory:

cd /tmp
rm -rf /tmp/ispconfig3_install
rm -f /tmp/ISPConfig-3-stable.tar.gz

Afterwards you can access ISPConfig 3 under http(s)://server1.example.com:8080/ or http(s)://192.168.0.100:8080/ (http or https depends on what you chose during installation). Log in with the username admin and the password admin (you should change the default password after your first login).

 

  • OpenSUSE: http://www.opensuse.org/
  • ISPConfig: http://www.ispconfig.org/

 

Comments

comments