Full web server setup with Debian 9 (Stretch)


Debian Sources List Generator:

Update:

Date, time and time zone:

hosts

Install the required packages

Postfix Configuration: Internet Site

System mail name: fullweb.nas4y.net

  • web server to reconfigure automatically: apache2

Web server: apache2

  • configure database for phpmyadmin with dbconfig-common? Yes

MariaDB/PhpMyAdmin:

  • MySQL application password for phpmyadmin: [blank]

Setup FTP

Stop VSFTP server:

Create backup configuration:

Add new configuration:

Create an empty chroot_list file:

Install PAM module for virtual users:

And configure it by creating the file /etc/pam.d/vsftpd_local_and_virtual with this content:

Setup Apache

Stop Apache web server:

Backup Apache configuration:

Edit the following lines in /etc/apache2/apache2.conf

  • From Timeout 300 to Timeout 45
  • From KeepAliveTimeout 5 to KeepAliveTimeout 15

Edit /etc/apache2/mods-enabled/mpm_prefork.conf:

Edit /etc/apache2/ports.conf and change port 80 to 8080, since we are going to use Varnish:

Change the port (from 80 to 8080) also in the default virtual host /etc/apache2/sites-enabled/000-default.conf

Enable useful Apache modules:

Now restart Apache:

Setup Varnish

Stop Varnish daemon:

Backup your /etc/varnish/default.vcl and create a new one with this content:

Now edit /etc/default/varnish and set the DAEMON_OPTS variable like this:

Now we also have to make some changes to the systemd scripts (this step is mandatory for Debian Stretch!), since systemd does not consider the /etc/default/varnish settings.

Edit /lib/systemd/system/varnish.service and change port 6081 to port 80:

Restart Varnish:
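To confirm the port layout after these steps, the following added example (not part of the original guide) reads the Apache `Listen` directives and the Varnish `-a` option from the files named above and reports whether the systemd unit really puts Varnish on port 80. The function names and the `--live` switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example: checks the port layout described in this guide.
# Function names are hypothetical; file paths are the ones the guide names.

# Ports from every active "Listen" directive (handles "Listen 8080" and
# "Listen 127.0.0.1:8080"), one per line.
apache_listen_ports() {
    sed -n 's/^[[:space:]]*Listen[[:space:]][[:space:]]*\([^[:space:]]*:\)\{0,1\}\([0-9][0-9]*\).*/\2/p' "$1"
}

# Port of the first uncommented "-a [addr]:PORT" option in a file. Works for
# DAEMON_OPTS in /etc/default/varnish and for ExecStart in the systemd unit.
varnish_listen_port() {
    sed -n 's/^[^#]*-a[[:space:]]*[^[:space:]]*:\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# check_layout PORTS_CONF DEFAULT_FILE UNIT_FILE
# Returns 0 only if Apache is off port 80 and the unit starts Varnish on 80.
check_layout() {
    rc=0
    if apache_listen_ports "$1" | grep -qx 80; then
        echo "FAIL: Apache still has 'Listen 80' in $1"
        rc=1
    fi
    unit_port=$(varnish_listen_port "$3")
    default_port=$(varnish_listen_port "$2")
    if [ "$unit_port" != 80 ]; then
        echo "FAIL: $3 starts Varnish on port ${unit_port:-unknown}, not 80"
        rc=1
    fi
    # systemd ignores the defaults file, so a difference is only a warning,
    # but it means the two files no longer document the same setup.
    if [ "$default_port" != "$unit_port" ]; then
        echo "WARN: $2 says ${default_port:-unknown}, unit says ${unit_port:-unknown}"
    fi
    return "$rc"
}

# Check the live files when called as: sh check_ports.sh --live
if [ "${1:-}" = "--live" ]; then
    check_layout /etc/apache2/ports.conf /etc/default/varnish \
        /lib/systemd/system/varnish.service && echo "OK: Varnish on 80, Apache not on 80"
fi
```

Rerun the check after package upgrades, since files under /lib/systemd/system belong to the package and can be replaced.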

Setup MariaDB

Secure MariaDB installation:

  • Enter current password for root (enter for none): [ENTER]
  • Set root password? [Y/n] Y
  • Write your MARIADB_ROOT_PASSWORD
  • Remove anonymous users? [Y/n] Y
  • Disallow root login remotely? [Y/n] Y
  • Remove test database and access to it? [Y/n] Y
  • Reload privilege tables now? [Y/n] Y

Instruct MariaDB to use native password:

Set MariaDB root password in a configuration file (the same password configured before!)

Enable MySQL slow query logging (often useful during slow page load debugging):

MySQL is now configured, so restart it:

Fix for PhpMyAdmin redirecting to port 8080

If you try to access http://yoursitename/phpmyadmin, you are redirected to http://yoursitename:8080/phpmyadmin, which will not work unless you open the firewall rule for port 8080 as described below. This is because the web server is actually running on port 8080. To work around this and have PhpMyAdmin working on port 80, you need to force the redirect:

Configure Shorewall firewall rules

Copy the default configuration for one interface:

Now open /etc/shorewall/policy file and change the line:

removing the info directive, since it fills the system logs:

Now open /etc/shorewall/rules and add the following rules at the bottom of the file:

NOTE: in case you want to allow ICMP (Ping) traffic from a specific remote host, you need to add a rule similar to the following, where xxx.xxx.xxx.xxx is the remote IP address, before the Ping(DROP) rule:

Now edit /etc/default/shorewall and change startup=0 to startup=1. You are now ready to start the firewall:

Setup Postfix

Stop postfix server:

Edit /etc/mailname and set your server domain name, for example:

Then, in order to monitor mail traffic coming from PHP you need to edit /etc/php/7.0/apache2/php.ini. Go to [mail function] section and set the following two options:

Now create the two files above in /usr/local/bin:

sendmail-wrapper:

env.php:

Now give them both the executable flag:

Also add /usr/local/bin/ to the open_basedir PHP list in /etc/apache2/conf-enabled/phpmyadmin.conf

Restart Postfix:

Let’s Encrypt

In order to obtain free SSL certificates with Let’s Encrypt, install the powerful (and simple) dehydrated tool:

Prepare the Apache2 configuration for Let’s Encrypt:

Enable new config and reload Apache

Log rotation

In order to rotate log files correctly you need to adjust the logrotate configuration for Apache:

Prepare environment

Create all needed directories and files

Now download all tools to manage the server locally:

Also download the tools that will be used with cron:

  • Edit /root/ADD_DOMAIN.sh and set the ADMIN_EMAIL variable to your email address.

Configure CRON

Edit /etc/crontab and add the following lines at the bottom:
