I am in
the process of reinstalling
the OS on a machine that will be used to host a couple of apps for our business.
The apps will be local only; access from external clients will be via vpn only.
The prior setup used a hosting control panel (Plesk) for most of
the admin, and I was looking at using another similar piece of software for
the reinstall - but I figured I should finally learn how it all works. I can do most of
the things
the software would do for me, but am unclear on
the symbiosis of it all. This is all an attempt to further distance myself from
the land of Configuration Programmer/Programmer, if at all possible.
I can't find a full walkthrough anywhere for what I'm looking for, so I thought I'd put up this question, and if people can help me on
the way I will edit this with
the answers, and document my progress/pitfalls. Hopefully someday this will help someone down
the line.
The details:
CentOS 5.5 x86_64
httpd: Apache/2.2.3
mysql: 5.0.77 (to be upgraded)
php: 5.1 (to be upgraded)
The requirements:
SECURITY!!
Secure file transfer
Secure client access (SSL Certs and CA)
Secure data storage
Virtualhosts/multiple subdomains
Local email would be nice, but not critical
The Steps:
Download latest CentOS DVD-iso (torrent worked great for me).
Install CentOS:
While going through
the install, I checked
the Server Components option thinking I was going to be using another Plesk-like admin. In hindsight, considering I've decided to try to go my own way, this probably wasn't
the best idea.
Basic config:
Setup users, networking/ip address etc. Yum update/upgrade.
Upgrade PHP/MySQL:
To upgrade PHP and MySQL to
the latest versions, I had to look to another repo outside CentOS. IUS looks great and I'm happy I found it!
Add IUS repository to our package manager
cd /tmp
wget http://dl.iuscommunity.org/pub/ius/stable/Redhat/5/x86_64/epel-release-1-1.ius.el5.noarch.rpm
rpm -Uvh epel-release-1-1.ius.el5.noarch.rpm
wget http://dl.iuscommunity.org/pub/ius/stable/Redhat/5/x86_64/ius-release-1-4.ius.el5.noarch.rpm
rpm -Uvh ius-release-1-4.ius.el5.noarch.rpm
yum list | grep -w \.ius\. # list all
the packages in
the IUS repository; use this to find PHP/MySQL version and libraries you want to install
Remove old version of PHP and install newer version from IUS
rpm -qa | grep php # to list all of
the installed php packages we want to remove
yum shell # open an interactive yum shell
remove php-common php-mysql php-cli #remove installed PHP components
install php53 php53-mysql php53-cli php53-common #add packages you want
transaction solve #important!! checks for dependencies
transaction run #important!! does
the actual installation of packages.
[control+d] #exit yum shell
php -v
PHP 5.3.2 (cli) (built: Apr 6 2010 18:13:45)
Upgrade MySQL from IUS repository
/etc/init.d/mysqld stop
rpm -qa | grep mysql # to see installed mysql packages
yum shell
remove mysql mysql-server #remove installed MySQL components
install mysql51 mysql51-server mysql51-devel
transaction solve #important!! checks for dependencies
transaction run #important!! does
the actual installation of packages.
[control+d] #exit yum shell
service mysqld start
mysql -v
Server version: 5.1.42-ius Distributed by
The IUS Community Project
Upgrade instructions courtesy of IUS wiki: http://wiki.iuscommunity.org/Doc/ClientUsageGuide
Install rssh (restricted shell) to provide scp and sftp access, without allowing ssh login
cd /tmp
wget http://dag.wieers.com/rpm/packages/rssh/rssh-2.3.2-1.2.el5.rf.x86_64.rpm
rpm -ivh rssh-2.3.2-1.2.el5.rf.x86_64.rpm
useradd -m -d /home/dev -s /usr/bin/rssh dev
passwd dev
Edit /etc/rssh.conf to grant access to SFTP to rssh users.
vi /etc/rssh.conf
Uncomment or add:
allowscp
allowsftp
This allows me to connect to
the machine via SFTP protocol in Transmit (my FTP program of choice; I'm sure it's similar with other FTP apps).
rssh instructions appropriated (with appreciation!) from http://www.cyberciti.biz/tips/linux-unix-restrict-shell-access-with-rssh.html
Set up virtual interfaces
ifconfig eth1:1 192.168.1.3 up #start up
the virtual interface
cd /etc/sysconfig/network-scripts/
cp ifcfg-eth1 ifcfg-eth1:1 #copy default script and match name to our virtual interface
vi ifcfg-eth1:1 #modify eth1:1 script
#ifcfg-eth1:1 | modify so it looks like this:
DEVICE=eth1:1
IPADDR=192.168.1.3
NETMASK=255.255.255.0
NETWORK=192.168.1.0
ONBOOT=yes
NAME=eth1:1
Add more Virtual interfaces as needed by repeating. Because of
the ONBOOT=yes line in
the ifcfg-eth1:1 file, this interface will be brought up when
the system boots, or
the network starts/restarts.
service network restart
Shutting down interface eth0: [ OK ]
Shutting down interface eth1: [ OK ]
Shutting down loopback interface: [ OK ]
Bringing up loopback interface: [ OK ]
Bringing up interface eth0: [ OK ]
Bringing up interface eth1: [ OK ]
ping 192.168.1.3
64 bytes from 192.168.1.3: icmp_seq=1 ttl=64 time=0.105 ms
Virtualhosts
In
the rssh section
above I added a user to use for SFTP. In this users' home directory, I created a folder called 'https'. This is where
the documents for this site will live, so I need to add a virtualhost that will point to it. I will use
the above virtual interface for this site (herein called dev.site.local).
vi /etc/http/conf/httpd.conf
Add
the following to
the end of httpd.conf:
<VirtualHost 192.168.1.3:80>
ServerAdmin
[email protected]
DocumentRoot /home/dev/https
ServerName dev.site.local
ErrorLog /home/dev/logs/error_log
TransferLog /home/dev/logs/access_log
</VirtualHost>
I put a dummy index.html file in
the https directory just to check everything out. I tried browsing to it, and was met with permission denied errors.
The logs only gave an obscure reference to what was going on:
[Mon May 17 14:57:11 2010] [error] [client 192.168.1.100] (13)Permission denied: access to /index.html denied
I tried chmod 777 et. al., but to no avail. Turns out, I needed to chmod+x
the https directory and its' parent directories.
chmod +x /home
chmod +x /home/dev
chmod +x /home/dev/https
This solved that problem.
DNS
I'm handling DNS via our local Windows Server 2003 box. However,
the CentOS documentation for BIND can be found here: http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-bind.html
SSL
To get SSL working, I changed
the following in httpd.conf:
NameVirtualHost 192.168.1.3:443 #make sure this line is in httpd.conf
<VirtualHost 192.168.1.3:443> #change port to 443
ServerAdmin
[email protected]
DocumentRoot /home/dev/https
ServerName dev.site.local
ErrorLog /home/dev/logs/error_log
TransferLog /home/dev/logs/access_log
</VirtualHost>
Unfortunately, I keep getting (Error code: ssl_error_rx_record_too_long) errors when trying to access a page with SSL. As JamesHannah gracefully pointed out below, I had not set up
the locations of
the certs in httpd.conf, and thusly was getting
the page thrown at
the broswer as
the cert making
the browser balk.
So first, I needed to set up a CA and make certificate files. I found a great (if old) walkthrough on
the process here: http://www.debian-administration.org/articles/284.
Here are
the relevant steps I took from that article:
mkdir /home/CA
cd /home/CA/
mkdir newcerts private
echo '01' > serial
touch index.txt #this and
the above command are for
the database that will keep track of certs
Create an openssl.cnf file in
the /home/CA/ dir and edit it per
the walkthrough linked
above. (For reference, my finished openssl.cnf file looked like this: http://pastebin.com/raw.php?i=hnZDij4T)
openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650 -config ./openssl.cnf #this creates
the cacert.pem which gets distributed and imported to
the browser(s)
Modified openssl.cnf again per walkthrough instructions.
openssl req -new -nodes -out dev.req.pem -config ./openssl.cnf #generates certificate request, and key.pem which I renamed dev.key.pem.
Modified openssl.cnf again per walkthrough instructions.
openssl ca -out dev.cert.pem -config ./openssl.cnf -infiles dev.req.pem #create and sign certificate.
cp dev.cert.pem /home/dev/certs/cert.pem
cp dev.key.pem /home/certs/key.pem
I updated httpd.conf to reflect
the certs and turn SSLEngine on:
NameVirtualHost 192.168.1.3:443
<VirtualHost 192.168.1.3:443>
ServerAdmin
[email protected]
DocumentRoot /home/dev/https
SSLEngine on
SSLCertificateFile /home/dev/certs/cert.pem
SSLCertificateKeyFile /home/dev/certs/key.pem
ServerName dev.site.local
ErrorLog /home/dev/logs/error_log
TransferLog /home/dev/logs/access_log
</VirtualHost>
Put
the CA cert.pem in a web-accessible place, and downloaded/imported it into my browser. Now I can visit https://dev.site.local with no errors or warnings.
And this is where I'm at. I will keep editing this as I make progress. Any tips on how to configure SSL email would be appreciated.
