
Set up a GNU/Linux multi-task server

Install Debian 5 (Lenny)

Debian.org

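# Base package set for the gateway/server (Debian 5 "Lenny" package names).
# Lines end with a backslash (shell continuation); a '/' at the end of a line
# is passed to apt-get as a package name and the next line runs as a separate
# command, so the install never completes.
apt-get install subversion mercurial imagemagick xml-core build-essential apache2 \
  php5 php5-imap php5-curl php5-cli php5-gd php5-mcrypt php5-mysql php5-xsl samba \
  smbclient smbfs squid tcpdump nmap traceroute unrar-free unzip emacs exim4 dhcp3-server \
  git w3m lynx mailx munin bind9 backuppc mysql-client-5.0 mysql-server-5.0 rcconf \
  fail2ban siproxd screen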

Add users

 
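# Create the admin account and seed it with a shell config and SSH keys.
# adduser/visudo/chown run on the server; the scp lines are presumably run from
# the workstation that holds .bashrc, .ssh and the backuppc keys — confirm.
adduser user
# The sudoers line gives this account password-less root for every command, so
# the account (and the private keys copied into its ~/.ssh below) is exactly as
# sensitive as root; narrow the command list if full root is not intended.
visudo   # add:  user ALL=NOPASSWD: ALL
# These copies log in as root: do them before sshd_config gets PermitRootLogin no.
scp .bashrc root@server:/home/user/
scp -r .ssh root@server:/home/user/
# user:group form; the user.group spelling is a deprecated GNU extension.
chown -R user:user /home/user
# Key material for the backuppc account; ownership is not adjusted here —
# verify the backuppc user can read it after the copy.
scp -r /var/lib/backuppc/.ssh root@server:/var/lib/backuppc/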

Configure system

Automatic updates

1 17 * * * apt-get update ; apt-get upgrade -y

Network

Configure the network with two physical interfaces.
eth0 (WAN/in)
eth1 (LAN/out)

root@home:~# cat /etc/network/interfaces

auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
address 192.168.1.50
netmask 255.255.255.0
gateway 192.168.1.1

auto eth1
iface eth1 inet static
address 10.10.10.1
netmask 255.255.255.0

Configure SSH

/etc/ssh/sshd_config

UseDNS no
PermitRootLogin no
Port 6123

Configure Samba

 

workgroup = home
interfaces = eth1

[share]
   create mask = 0775
   directory mask = 0775
   comment = share dir
   browseable = yes
   read only = no
   locking = no
   path = /var/share
   guest ok = no

[www]
   create mask = 0775
   directory mask = 0775
   comment = web dir                                                                                                                                                                       
   browseable = yes
   read only = no                                                                                                                                                                                       
   locking = no                                                                                                                                                                                          
   path = /var/www                                                                                                                                                                                     
   guest ok = no

Configure Squid

As a transparent proxy (working with iptables rules, see below).

# Squid access-control excerpt for the transparent proxy on the LAN side.
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT
# Both the LAN (eth1) and the WAN-side network (eth0) count as trusted clients.
acl lan src 10.10.10.0/24 192.168.1.0/24
# http_access lines are evaluated top to bottom and the first match decides,
# so 'allow lan' here short-circuits the Safe_ports / SSL_ports denies further
# down for every LAN client; placing it after those two deny lines would make
# them effective.
http_access allow localhost
http_access allow lan
http_reply_access allow all
icp_access allow all
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
# Safe_ports, SSL_ports and localnet are not defined in this excerpt; they are
# expected to come from the stock squid.conf — verify they exist, otherwise
# Squid rejects the configuration at startup.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Bound to the LAN address only; 'transparent' pairs with the iptables
# REDIRECT of port 80 in the boot script.
http_port 10.10.10.1:3128 transparent
http_access deny all
# Redundant after 'icp_access allow all' above.
icp_access allow localnet

Configure iptables

Create an init boot script.


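#!/bin/sh
# Boot-time firewall / NAT / traffic-shaping script for the two-interface
# gateway: eth0 = WAN (192.168.1.50, default route via 192.168.1.1),
# eth1 = LAN (10.10.10.1/24). Squid listens on 10.10.10.1:3128 in transparent
# mode and port-80 traffic arriving from the LAN is redirected to it.
# Deliberately no 'set -e': the flush/delete steps fail harmlessly on a fresh
# boot when there is nothing to delete yet.

TC=/sbin/tc
IPTABLES=iptables
IF0=eth1            # LAN
IF1=eth0            # WAN
WAN_GW=192.168.1.1
LAN_NET=10.10.10.0/24
PROXY=10.10.10.1
PROXY_PORT=3128
SHAPED=10.10.10.21/29   # hosts 10.10.10.16-.23 get the bounded classes below

DNLD=750Kbit        # download limit
DWEIGHT=120Kbit     # download weight factor, ~1/10 of the download limit
UPLD=90Kbit         # upload limit
UWEIGHT=60Kbit      # upload weight factor

# Start from a clean slate. The mangle table is flushed too: '--flush' alone
# only touches the filter table, so the MARK rules added further down would
# otherwise pile up every time the script is re-run.
$IPTABLES --flush
$IPTABLES --table nat --flush
$IPTABLES --table mangle --flush
$IPTABLES --delete-chain
$IPTABLES --table nat --delete-chain
$TC qdisc del dev $IF1 root
$TC qdisc del dev $IF0 root

# IP forwarding and masquerading (NAT): LAN traffic leaves through the WAN.
sysctl -w net.ipv4.ip_forward=1
$IPTABLES --table nat --append POSTROUTING --out-interface $IF1 -j MASQUERADE
$IPTABLES --append FORWARD --in-interface $IF0 -j ACCEPT
modprobe ip_nat_ftp

# NOTE(review): no chain policies are set, so INPUT/FORWARD/OUTPUT stay at
# ACCEPT and every service on this host (ssh, samba, mysql, bind, backuppc,
# squid) is reachable from the WAN side unless the upstream router blocks it.
# A '$IPTABLES -P INPUT DROP' with explicit accepts is the usual next step once
# the rule set has been verified from the console.

# Reset the default route to the WAN gateway. The delete is issued twice in the
# original; presumably a second (DHCP-added) default route exists — confirm.
route del default
route del default
route add default gw $WAN_GW

# Traffic shaping: one bounded CBQ class per direction. Packets are steered
# into the class by the fwmark set in the mangle table below ('handle N fw').
# Download direction (leaves on the LAN interface): mark 4.
$TC qdisc add dev $IF0 root handle 11: cbq bandwidth 100Mbit avpkt 1000 mpu 64
$TC class add dev $IF0 parent 11:0 classid 11:1 cbq rate $DNLD weight $DWEIGHT allot 1514 prio 1 avpkt 1000 bounded
$TC filter add dev $IF0 parent 11:0 protocol ip handle 4 fw flowid 11:1
# Upload direction (leaves on the WAN interface): mark 3.
$TC qdisc add dev $IF1 root handle 10: cbq bandwidth 10Mbit avpkt 1000 mpu 64
$TC class add dev $IF1 parent 10:0 classid 10:1 cbq rate $UPLD weight $UWEIGHT allot 1514 prio 1 avpkt 1000 bounded
$TC filter add dev $IF1 parent 10:0 protocol ip handle 3 fw flowid 10:1

# Packet marks for the shaped hosts. Negation is written '! -s' (extrapositioned);
# the older '-s !' spelling is deprecated and rejected by current iptables.
$IPTABLES -t mangle -A FORWARD -s $SHAPED -j MARK --set-mark 3
$IPTABLES -t mangle -A FORWARD ! -s $LAN_NET -d $SHAPED -j MARK --set-mark 4

# Squid transparent proxy. The REDIRECT matches first, so the DNAT/SNAT/FORWARD
# rules (the "proxy on a separate host" recipe) are effectively inert here; the
# INPUT accept is the one that matters if a DROP policy is ever added. The
# source is the whole LAN ($LAN_NET): a bare 10.10.10.0 would match only that
# single address.
$IPTABLES -t nat -A PREROUTING -i $IF0 -p tcp --dport 80 -j REDIRECT --to-port $PROXY_PORT
$IPTABLES -t nat -A PREROUTING -i $IF0 ! -s $PROXY -p tcp --dport 80 -j DNAT --to $PROXY:$PROXY_PORT
$IPTABLES -t nat -A POSTROUTING -o $IF0 -s $LAN_NET -d $PROXY -j SNAT --to $PROXY
$IPTABLES -A FORWARD -s $LAN_NET -d $PROXY -i $IF0 -o $IF0 -p tcp --dport $PROXY_PORT -j ACCEPT
$IPTABLES -A INPUT -i $IF0 -p tcp -d $PROXY -s $LAN_NET --dport $PROXY_PORT -m state --state NEW,ESTABLISHED -j ACCEPT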

Configure Apache

<VirtualHost *:80>
             ServerName test.tld
             ServerAdmin webmaster@localhost
             DocumentRoot /var/www/test
             ErrorLog /var/log/apache2/error.log
             CustomLog /var/log/apache2/access.log combined
</VirtualHost>

Configure Bind

/etc/bind/named.conf.local

zone "crm.tld" {
        type master;
        file "/etc/bind/zones/crm.tld.db";
        };

/etc/bind/zones/crm.tld.db


crm.tld.      IN      SOA     home. admin.example.com. (

                                                        2011081401
                                                        28800
                                                        3600
                                                        604800
                                                        38400
 )

crm.tld.      IN      NS              home.
www             IN      A       10.10.10.1
@               IN      A       10.10.10.1

Configure Backuppc

Go to http://home/backuppc

Configure Siproxd

/etc/siproxd.conf

if_inbound  = eth1
if_outbound = eth0

Configure Emails

dpkg-reconfigure exim4-config  - wildcard = *

The domain name must be a real one that points to this server, and it must be entered in 'System mail name'.

Scripts

Add a website (.sh)

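#!/bin/sh
# Add a website: creates the MySQL database, the Bind zone and the Apache
# virtual host for <name>.<TLD>, then restarts bind9 and apache2.
# Interactive (asks for the site name on stdin); must run as root.
set -eu
# Byte-wise character classes so the name check below does not depend on the locale.
LC_ALL=C
export LC_ALL

IPSRV=10.10.10.1
DOMAIN=test
TLD=local
WEBDIR=/var/www
# Zone serial in YYYYMMDDnn form; a freshly created zone accepts any value.
SERIAL=$(date +%Y%m%d01)

die() { printf '%s\n' "$*" >&2; exit 1; }

printf 'Website name?'
read -r NAME

# NAME is spliced into an SQL statement, a Bind zone file path, zone records
# and the Apache config, so it is restricted to a single DNS label before any
# of that happens: lowercase letters, digits and '-', non-empty, no leading '-'.
case $NAME in
  '' | -* | *[!a-z0-9-]*) die "invalid website name: use [a-z0-9][a-z0-9-]* only" ;;
esac

ZONEFILE=/etc/bind/zones/$NAME.$TLD.db
# Re-running for an existing site would append a second zone stanza to
# named.conf.local and bind9 would then refuse to load; stop early instead.
if [ -e "$ZONEFILE" ]; then
  die "zone file $ZONEFILE already exists"
fi

# The identifier is backtick-quoted so names with '-' are valid SQL; safe
# because the check above excludes backticks. Relies on root's existing MySQL
# credentials (as in the original).
printf 'CREATE DATABASE `%s` CHARACTER SET utf8\n' "$NAME" | mysql -uroot

cat >> /etc/bind/named.conf.local <<EOF

zone "$NAME.$TLD"  {
     type master;
     file "$ZONEFILE";
};

EOF

cat > "$ZONEFILE" <<EOF
$NAME.$TLD.      IN      SOA     $DOMAIN. admin.example.com. (

                                                        $SERIAL
                                                        28800
                                                        3600
                                                        604800
                                                        38400
 )

$NAME.$TLD.      IN      NS              $DOMAIN.
www             IN      A       $IPSRV
@               IN      A       $IPSRV
EOF
/etc/init.d/bind9 restart

# DocumentRoot is not created here; the final message asks the operator to populate it.
cat >> /etc/apache2/sites-available/default <<EOF

<VirtualHost *:80>
             ServerName $NAME.$TLD
             ServerAdmin webmaster@localhost
             DocumentRoot $WEBDIR/$NAME
             ErrorLog /var/log/apache2/error.log
             CustomLog /var/log/apache2/access.log combined
</VirtualHost>

EOF
/etc/init.d/apache2 restart

printf 'Done, copy files in %s and db in %s\n' "$WEBDIR/$NAME" "$NAME"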

Contributors to this page: Pierre Doleans .
Page last modified on Tuesday 18 of January, 2011 11:24:59 UCT by Pierre Doleans. (Version 7)
