`
bayerlin
  • 浏览: 18188 次
  • 性别: Icon_minigender_1
  • 来自: 广州
最近访客 更多访客>>
社区版块
存档分类
最新评论

Installing FreeBSD 6 for Internet Server

阅读更多

1. Overview

This document is a guidline for install an FreeBSD for Internet hosting. My company ,MiracleNet Group, is a web base software solution provider. Sometime we need to setup a server to host the solution for our customer which is my responsibility.

This guildline was start from notes I has been taken when I install those servers. I assume that the reader has some experience on FreeBSD and has already read the FreeBSD Handbook.

The requirement for this Internet server are:

  • It must be an e-mail server with virus and spam filter. The customer must be allow to add/delete an e-mail without the need to contact us.

  • It must support POP3/IMAP4/POP3S/IMAP4S,webmail , and e-mail relay for our customers.

  • It must host our customers web sites. Each customer must not be able to access files of other customers.

  • The customer must not be able to login on this server , except for upload and download the web pages.




2. Installing FreeBSD 6

First of all, please read my suggestion on Partition Layout because it is the only thing you can not change after install FreeBSD. Then, you can proceed to install FreeBSD as indicated in FreeBSD Handbook. You can download ISO images for i386 or amd64 from FreeBSD.org or mirror sites. Only the first disk ,6.0-xxx-xxx-disc1.iso, is required.


2.2. Upgrade FreeBSD source and ports

After install FreeBSD 6 and ports tree from CD. You need to upgrade your system to the lastest patch to protect your system against various types of attack.

You need a pre-build program (or package in FreeBSD) to upgrade your system. The package is net/cvsup-without-gui which can be used to upgrade both source and ports tree.

For example,as the time of this writing version of 6 is 6.0 and assume that the platform is i386. The command to download and install cvsup are:

    # fetch ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/6.0-RELEASE/packages/net/cvsup-without-gui-16.1h_2.tbz
cvsup-without-gui-16.1h_2.tbz 100% of 754 kB 37 kBps 00m00s
# pkg_add cvsup-without-gui-16.1h_2.tbz
Edit cvs-supfile to upgrade lastest update of FreeBSD 6.0. This is my cvs-supfile:
    #For complete list of cvsupd see CVSup Sites on FreeBSD handbook.
    *default host=cvsup12.freebsd.org
    *default base=/usr
    *default prefix=/usr
    *default release=cvs
    *default delete use-rel-suffix
    *default tag=RELENG_6_0
    
    *default compress
    src-all
    ports-all tag=.
   
Run cvsup ,It will take a while to fetch both src and ports tree.
    # /usr/local/bin/cvsup -L2 cvs-supfile
   
See Using CVSup section on FreeBSD handbook for more detail about using cvsup.


2.3. Rebuild FreeBSD

Edit your /etc/make.conf (copy the default from /usr/src/share/examples/etc/make.conf). At least change the CPUTYPE to match your machine. See gcc 3.4.4 manual for detail of each CPUTYPE. FreeBSD building system may not be able to use all CPUTYPE in gcc manual. If your CPUTYPE cause a build error, try the other one. This is the example of my make.conf:

CPUTYPE?= p4         #Use ?= not = to allow FreeBSD build process to override this value
#CPUTYPE?= k8       #For Athlon64 on i386
#CPUTYPE?= athlon64 #For Athlon64 on AMD64
Modify your kernel configuration. You should read Configuring the FreeBSD Kernel and /usr/src/sys/i386/conf/NOTES or /usr/src/sys/amd64/conf/NOTES for each options of the kernel. This is my kernel configuration for i386/AMD64 on my Althon64 test machine:
machine         i386
#machine        amd64
cpu             I686_CPU
#cpu            HAMMER

#options        SMP         # Symmetric MultiProcessor Kernel

ident           GAIA-I386
#ident          GAIA-AMD64

#Adjust memory limit for 4G RAM for i386
options         KVA_PAGES=384               #1.5 G for kernels
options         MAXDSIZ=(1536UL*1024*1024)  #1.5 G for data
options         MAXSSIZ=(128UL*1024*1024)   #128M for stack
                                            #Leave 896KB for code segment
options         DFLDSIZ=(1536UL*1024*1024)  #Set default data size to 1.5G

options         SCHED_4BSD
options         PREEMPTION              # Enable kernel thread preemption
options         INET                    # InterNETworking
options         FFS                     # Berkeley Fast Filesystem
options         SOFTUPDATES             # Enable FFS soft updates support
options         UFS_ACL                 # Support for access control lists
options         UFS_DIRHASH             # Improve performance on big directories
options         MD_ROOT                 # MD is a potential root device
options         CD9660                  # ISO 9660 Filesystem
options         PROCFS                  # Process filesystem (requires PSEUDOFS)
options         PSEUDOFS                # Pseudo-filesystem framework
options         GEOM_GPT                # GUID Partition Tables.
options         COMPAT_43               # Compatible with BSD 4.3 [KEEP THIS!]
#options        COMPAT_IA32             # Compatible with i386 binaries
options         COMPAT_FREEBSD4         # Compatible with FreeBSD4
options         COMPAT_FREEBSD5         # Compatible with FreeBSD5
options         SCSI_DELAY=5000         # Delay (in ms) before probing SCSI
options         KTRACE                  # ktrace(1) support
options         SYSVSHM                 # SYSV-style shared memory
options         SYSVMSG                 # SYSV-style message queues
options         SYSVSEM                 # SYSV-style semaphores
options         _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options         KBD_INSTALL_CDEV        # install a CDEV entry in /dev

options         ADAPTIVE_GIANT          # Giant mutex is adaptive.

#Kernel Options for PostgreSQL with large shared memory (312.5M)
options         SYSVSHM                 #SYSV-style shared memory
options         SYSVMSG                 #SYSV-style message queues
options         SYSVSEM                 #SYSV-style semaphores
options         SHMMAXPGS=80000
options         SHMSEG=256
options         SHMMNI=256
options         SEMMNI=256
options         SEMMNS=512
options         SEMMNU=256
options         SEMMAP=256
#PostgreSQL use a alot of shared memory - default is 200
options         PMAP_SHPGPERPROC=512

#Firewall & NAT & DummyNet, may be needed in jail setup
options         IPFIREWALL
options         IPDIVERT
options         IPFIREWALL_DEFAULT_TO_ACCEPT
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_VERBOSE_LIMIT=100
options         DUMMYNET
options         IPFIREWALL_FORWARD

options         QUOTA

device          apic                    # I/O APIC
device          pci
# Floppy drives
device          fdc

# ATA and ATAPI devices
device          ata
device          atadisk         # ATA disk drives
device          ataraid         # ATA RAID drives
device          atapicd         # ATAPI CDROM drives
device          atapifd         # ATAPI floppy drives
device          atapist         # ATAPI tape drives
options         ATA_STATIC_ID   # Static device numbering

# SCSI peripherals
device          scbus           # SCSI bus (required for SCSI)
device          ch              # SCSI media changers
device          da              # Direct Access (disks)
device          sa              # Sequential Access (tape etc)
device          cd              # CD
device          pass            # Passthrough device (direct SCSI access)
device          ses             # SCSI Environmental Services (and SAF-TE)

# atkbdc0 controls both the keyboard and the PS/2 mouse
device          atkbdc          # AT keyboard controller
device          atkbd           # AT keyboard
device          psm             # PS/2 mouse

device          vga             # VGA video card driver
device          splash          # Splash screen and screen saver support

# syscons is the default console driver, resembling an SCO console
device          sc
device          agp             # support several AGP chipsets

# Power management support (see NOTES for more options)
device          apm
# Add suspend/resume support for the i8254.
device          pmtimer

# Serial (COM) ports
device          sio             # 8250, 16[45]50 based serial ports
# Parallel port
device          ppc
device          ppbus           # Parallel port bus (required)
device          lpt             # Printer
device          plip            # TCP/IP over parallel
device          ppi             # Parallel port interface device
#device         vpo             # Requires scbus and da

# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device          miibus          # MII bus support
device          sk              # SysKonnect SK-984x & SK-982x gigabit Ethernet

# Pseudo devices.
device          loop            # Network loopback
device          random          # Entropy device
device          ether           # Ethernet support
device          sl              # Kernel SLIP
device          ppp             # Kernel PPP
device          tun             # Packet tunnel.
device          pty             # Pseudo-ttys (telnet etc)
device          md              # Memory "disks"
device          gif             # IPv6 and IPv4 tunneling
device          faith           # IPv6-to-IPv4 relaying (translation)
device          io
device          mem

# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
# Note that 'bpf' is required for DHCP.
device          bpf             # Berkeley packet filter

# USB support
device          uhci            # UHCI PCI->USB interface
device          ohci            # OHCI PCI->USB interface
device          ehci            # EHCI PCI->USB interface (USB 2.0)
device          usb             # USB Bus (required)
#device         udbp            # USB Double Bulk Pipe devices
device          ugen            # Generic
device          uhid            # "Human Interface Devices"
device          ukbd            # Keyboard
device          ulpt            # Printer
device          umass           # Disks/Mass storage - Requires scbus and da
device          ums             # Mouse
device          uscanner        # Scanners
Rebuild your world and kernel as told in the handbok.
# cd / 
# mergemaster -pai
# cd /usr/src
# make -j2 buildworld -- For dual CPU use -j4
# make -j2 buildkernel KERNCONF=XXX
# make installkernel KERNCONF=XXX
# cd /
# mergemaster -ai
-- clear temproot
# cd /var/tmp/temproot
# chflags noschg var/empty
# find . -type l -delete
# find . -empty -delete
-- check the leftover files, replace or delete as you please
# cd /var/tmp
# rm -rf temproot
If you have the console access
 # shutdown now
If you can only has a ssh access,close as many daemons as you can except sshd and daemons spawn by kernel. This method should work for patch level upgrade (6.0 to 6.0p1), may work for minor version upgrade (6.0 to 6.1) and unlikely to work for major version upgrade (4.x to 5.x).
# cd /usr/src
# make installworld
Before reboot, Set your System Configuration because some setting will be in effect only after reboot. Set them first save you another reboot. If everything is fine, it is the time to reboot your server with shutdown -r now


2.4. Set System Configuration

There are 4 system configuration files you may need to modify.

  1. /etc/rc.conf, check that you have these 3 lines

    sshd_enable="YES"
    sendmail_enable="NONE"
    syslogd_flags="-ss"
    
    firewall_enable="YES"
    firewall_type="/etc/ipfw.rules"
    
    #If your ISP has a reliable DNS service you can use its service,
    #otherwise it better to rely on ourself.
    #Don't forget to run : cd /etc/namedb/ && ./make-localhost
    named_enable="YES"
    
    quota_enable="YES"
    #It is a time consume job, better run it later after we got access to the system
    check_quotas="NO"
    #Don't forget to run : quotacheck -a after next reboot to create a quota file
    

  2. /etc/sysctl.conf

    security.bsd.see_other_uids=0
    kern.coredump=0
    net.inet.icmp.drop_redirect=1
    net.inet.tcp.blackhole=2
    net.inet.udp.blackhole=1
    net.inet.ip.rtexpire=2
    net.inet.ip.rtminexpire=2
    kern.ipc.somaxconn=512
    

  3. /boot/loader.conf

    autoboot_delay="3"
    kern.ipc.maxsockets=81920
    kern.ipc.maxsockbuf=1048576
    

  4. /etc/hosts

    You should swap the first 2 lines to make sure that you will get IPv4 (127.0.0.1) address for localhost instead of IPv6 (::1) because some program does not support IPv6.

    127.0.0.1               localhost localhost.my.domain
    ::1                     localhost localhost.my.domain
    #Our IP is 10.0.0.34 and our name is gaia.net0.intranet
    10.0.0.34               gaia gaia.net0.intranet
    

  5. /etc/ssh/sshd_config

    #Assume that our IP is 10.0.0.34
    ListenAddress 10.0.0.34:22
    # Change to yes to enable built-in password authentication.
    # SecureCRT need this option 
    PasswordAuthentication yes
    # If UseDNS is "yes" and your resolver is not work (i.e DNS server is down), 
    # you can not log in.
    UseDNS no
    
    #Allow only admin to login from anywhere
    AllowUsers cws@*
    
    Subsystem   sftp    /usr/libexec/sftp-server
    

  6. /etc/fstab

    /dev/ad6s1g  /home  ufs  rw,userquota,groupquota   2     2
    

  7. /var/named/etc/namedb/named.conf

    listen-on       { 127.0.0.1; };
    allow-recursion { 127.0.0.1; };
    

  8. /etc/resolv.conf

    nameserver 127.0.0.1
    

  9. /etc/ipfw.rules

    #more rules later
    
    add 65535 allow ip from any to any
    

It is also a good idea to change /etc/motd to something that look more legal such as

* * * * * * * * * * * * * W A R N I N G * * * * * * * * * * * * * * *
THIS SYSTEM IS RESTRICTED TO AUTHORIZED USERS FOR AUTHORIZED USE ONLY.
UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED AND MAY BE PUNISHABLE UNDER
THE COMPUTER FRAUD AND ABUSE ACT OF 1986 OR OTHER APPLICABLE LAWS.
IF NOT AUTHORIZED TO ACCESS THIS SYSTEM, DISCONNECT NOW. BY CONTINUING,
YOU CONSENT TO YOUR KEYSTROKES AND DATA CONTENT BEING MONITORED. ALL
PERSONS ARE HEREBY NOTIFIED THAT THE USE OF THIS SYSTEM CONSTITUTES
CONSENT TO MONITORING AND AUDITING. THE ADMINISTRATORS ALSO RESERVE THE
RIGHT TO CANCEL OR LOCK YOUR ACCOUNT AT ANY GIVEN TIME. ALL TERMS
DESCRIBED ABOVE ARE SUBJECT TO CHANGE WITHOUT ANY GIVEN NOTICE. IF YOU
DO NOT AGREE TO THESE TERMS LOGOUT NOW!
* * * * * * * * * * * * * W A R N I N G * * * * * * * * * * * * * * *
which I copied from a web site somewhere.


3. Install Application & Web Service

This is a time to install program from ports tree. It is possible that the previous installation process may already install some ports on your system. Use pkg_delete to remove each installed ports except net/cvsup-without-gui because building this port require a lot of programs that will be never used elsewhere.


3.2. Install Databases




3.2.1. Config MySQL server

I place my database in /home/mysql , so my /etc/rc.conf for mysql are:

mysql_enable="YES"
mysql_dbdir="/home/mysql"
mysql_args="--bind-address=127.0.0.1"
If you want to access mysql from another machine, remove the third line. Before start mysql, you may need to set my.cnf to change mysql options:
# mkdir /home/mysql 
# mkdir /home/mysql/tmp
# cp /usr/local/share/mysql/my-medium.cnf /home/mysql/my.cnf
# chown -R mysql:mysql /home/mysql
I always set mysqld tmpdir to /home/mysql/tmp unless I have a very large /tmp on another disk. Sometime mysql use a lot of tmpdir when you run a complex query. Read
mysql manual for more detail.
[mysqld]
...
max_allowed_packet = 4M
...
#log-bin
skip-innodb
tmpdir          = /home/mysql/tmp

#For development machine, you may need slow query log 
#to track a badly write SQL.
long_query_time = 10
log_slow_queries = /home/mysql/slow-query.log

...
Don't forget to set MySQL root password
# /usr/local/etc/rc.d/mysql-server.sh start
# mysql -u root
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2 to server version: 4.1.14

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> SET PASSWORD FOR root@localhost=PASSWORD('xxx');
Query OK, 0 rows affected (0.02 sec)

mysql>



3.2.2. Config PostgreSQL server

Like mysql , I place postgresql databases in /home/pgsql. My /etc/rc.conf for postgresql are:

postgresql_enable="YES"
postgresql_data="/home/pgsql/data"
Use vipw to change home directory of pgsql user to /home/pgsql.
-- rsync preserve symbolic link while cp is not
# rsync -a -v /usr/local/pgsql /home/
# su -m pgsql
# initdb /home/pgsql/data
You must edit /home/pgsal/data/pg_hba.conf before start postgresql
# TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
# "local" is for Unix domain socket connections only
local   all         pgsql                             ident sameuser
local   all         all                               md5
# IPv4 local connections:
host    all         all         127.0.0.1/32          md5
# IPv6 local connections:
host    all         all         ::1/128               md5
Read
PostgreSQL manual and Tuning PostgreSQL for performance for more details.

This is the change I made for my server:

shared_buffers = 30000 # min 16, at least max_connections*2, 8KB each
work_mem = 32768               # min 64, size in KB

max_fsm_pages = 40000          # min max_fsm_relations*16, 6 bytes each
max_fsm_relations = 1000       # min 100, ~50 bytes each

wal_buffers = 32       # min 4, 8KB each
checkpoint_segments = 8        # in logfile segments, min 1, 16MB each
effective_cache_size = 4000    # typically 8KB each

#logging
log_destination = 'stderr' 
redirect_stderr = on
log_directory = 'pg_log'
log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log'
log_rotation_age =1440
log_rotation_size = 10240
#slow query log -- enable for developer to check slow query
#log_min_duration_statement = 10
#log_line_prefix = '%t [%u:%d] '
By default PostgreSQL root is pgsql or any system user that own the database files. You should create another database adminstrator account to allow postgresql user such as sa to act as database adminstrator.
# su pgsql
# psql template1
Welcome to psql 8.0.4, the PostgreSQL interactive terminal.

Type:  \copyright for distribution terms
       \h for help with SQL commands
       \? for help with psql commands
       \g or terminate with semicolon to execute query
       \q to quit

template1=# CREATE USER sa WITH PASSWORD 'xxxx' CREATEDB CREATEUSER
CREATE USER
template1=#



3.2.3. Config WWW tools

After install WWW service, you may want to install database/phpmyadmin and database/phppgadmin to manage your databases. You must access these packages via HTTPS only because both require you to enter the database user and password on the webpage.

# cd /home/www/public_ssl
# ln -s /usr/local/www/phpMyAdmin
# ln -s /usr/local/www/data/phpPgAdmin
Copy /usr/local/www/phpMyAdmin/libraries/config.default.php to /usr/local/www/phpMyAdmin/config.inc.php and change the following lines to use http authentication:
$cfg['Servers'][0]['host']          = 'localhost';
$cfg['Servers'][0]['connect_type']  = 'socket';
$cfg['Servers'][0]['auth_type']     = 'http';



3.3. Install WWW Server




3.3.1. Config Apache

I usually move apache's document root from /usr/local/www/data to /home/www/public_html for HTTP service and /home/www/public_ssl for HTTPS service. Another change I usually made to /usr/local/etc/apache/httpd.conf is remove the univeral listen line Port 80 or Listen 80 to more specified listen Listen xxx.xxx.xx.xx:80 because I need to run another apache in a jail(8). I also change a log format and logfile name.Here is a result of the command diff -u /usr/local/etc/apache/httpd.conf-dist /usr/local/etc/apache/httpd.conf and also the complete version of httpd.conf. Don't foget to create a folder to store your log file. For example:

# mkdir /var/log/httpd
If you have a lot of virtual hosts on the server, it is more preferable to move the virtual host configuration to another file and use apache Include directive to include that configuration to httpd.conf.

To enable mod_deflate, you must add the line

AddModule mod_deflate.c
#The following lines can be put in .htaccess if you want
#to enable deflate per directory
<IfModule mod_deflate.c>
DeflateEnable On
DeflateMinLength 3000
DeflateCompLevel 1
DeflateProxied Off
DeflateHTTP 1.0
DeflateDisableRange "MSIE 4."
DeflateTypes text/plain text/html
</IfModule>
to httpd.conf

The last concern for httpd.conf is to remove unused modules. Read Apache modules Manual to see which module is not need for your server. Or, just remove them all ,then add the module one by one untils your site work as you want.

If you run HTTPS service, you may need to create a valid SSL certificate. There is a good doucument about Client Authentication with SSL at The FreeBSD Diary.

# sh /etc/periodic/weekly/310.locate
# locate CA.pl
# /usr/src/crypto/openssl/apps/CA.pl -newreq
Generating a 1024 bit RSA private key
.......................................++++++
...........++++++
writing new private key to 'newreq.pem'
Enter PEM pass phrase:xxxxxx
Verifying - Enter PEM pass phrase:xxxxxx
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TH
State or Province Name (full name) [Some-State]:Bangkok
Locality Name (eg, city) []:Phayathai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MiracleNet Group Co., Ltd.
Organizational Unit Name (eg, section) []:Hosting Service
Common Name (eg, YOUR name) []:gaia.net0.intranet
Email Address []:root@net0.intranet

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:MiracleNet Group Co., Ltd.
Request (and private key) is in newreq.pem
# openssl rsa < newreq.pem > newkey.pem
Enter pass phrase:xxxxxx
writing RSA key
Send your newreq.pem to Certificate Authority for real server or sign it yourself for the test one.

If you want to sign the certificate yourself. You must create yourown Certificate Authority first (assume that we will put the CA in /home/admin/CA,then sign the certificate:

# mkdir -p /home/admin/CA
# cd /home/admin/CA
# /usr/src/crypto/openssl/apps/CA.pl -newca
CA certificate filename (or enter to create)
<ENTER>
Making CA certificate ...
Generating a 1024 bit RSA private key
........................++++++
........++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:xxxxx2
Verifying - Enter PEM pass phrase:xxxxx2
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TH
State or Province Name (full name) [Some-State]:Bangkok
Locality Name (eg, city) []:Phayathai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Miraclenet Group Co.,  Ltd.
Organizational Unit Name (eg, section) []:Hosting Service
Common Name (eg, YOUR name) []:miraclenet.co.th
Email Address []:root@miraclenet.co.th
# cp /home/admin/CA/newreq.pem .
# /usr/src/crypto/openssl/apps/CA.pl -sign
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:xxxxx2
Check that the request matches the signature
Signature ok
...
Certificate is to be certified until Nov 29 02:13:01 2006 GMT (365 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
Anyways, Use this self signed certificate will generate the warning message from the browser becase it don't known your Certificate Authority. To get rid of this warning, you must make the browser know your CA which can be done For firefox and opera, just copy the file demoCA/cacert.pem to the client machine,then, import it to your browser( Preferences/Advanced/Manage Certificates/Authories/Import or just put it on your web page and allow user to download and install the certificate ). For IE, change the file extension to .crt and import it with Internet Options/Contents/Publishers/Trusted Root Certification Authorities/Import.

After that, copy the signed request and key to /usr/local/etc/apache and modify your httpd.conf accordingly.

# cp newcert.pem /usr/local/etc/apache/ssl.crt/gaia.crt
# cp newkey.pem /usr/local/etc/apache/ssl.key/gaia.key
# cd /usr/local/etc/apache/ssl.crt/
# make
-- Don't forget to edit SSLCertificateFile and SSLCertificateKeyFile 
-- in httpd.conf to point to new crt and key
Don't forget to add the line apache_enable="YES" to /etc/rc.conf to enable apache service.


3.3.2. Config PHP

I need to patch PHP to make serialize command run faster , see the bug report "Slow serialize on FreeBSD". To apply the patch, just download patch-ph_smart_str.h and copy the patch to ports/lang/php4/files before build the php4 port. Anyways, this patch never made it ways through php porject or FreeBSD port tree, use it with your own risk.

If you want the OPENSSL support on PHP, don't forget to add OPENSSL option when build PHP. The OPENSSL can not work when compiled as an extension.

You may need install PHP extensions only install the required extension. The less extension installed, the less problem from PHP. The extensions normally installed on my server are BCMATH, BZ2, CTYPE, CURL, GD, IMAP, MBSTRING, MCRYPT, MHASH, MYSQL , OVERLOAD, PCRE , PDF, PGSQL, POSIX , SESSION , SOCKETS, SYSVSEM,SYSVSHM,SYSVMSG,TOKENIZER,XML and ZLIB.

Don't forget to add

<IfModule mod_php4.c>
    AddType application/x-httpd-php .php
    AddType application/x-httpd-php-source .phps
</IfModule>
to /usr/local/etc/apache/httpd.conf to automatic run php when user access .php file.

There are some dependency mismatch on FreeBSD 6.0/6.1 that cause apache start after compat5x which prevent ZendOptimizer from starting when you reboot the system. Run /sbin/rcorder to check for this problem

# rcorder /etc/rc.d/* /usr/local/etc/rc.d/*
...
/etc/rc.d/yppasswdd
/usr/local/etc/rc.d/apache.sh
/etc/rc.d/LOGIN
/usr/local/etc/rc.d/rsyncd.sh
/usr/local/etc/rc.d/mysql-server.sh
/usr/local/etc/rc.d/010.pgsql.sh
/usr/local/etc/rc.d/000.pkgtools.sh
/usr/local/etc/rc.d/000.compat5x.sh
/usr/local/etc/rc.d/000.compat4x.sh
...
If you see that above result, you have this problem. Edit /usr/local/etc/rc.d/apache.sh to force compat5x to start before apache.
gaia# diff -u apache.sh.org apache.sh
--- apache.sh.org       Sat May 20 14:04:48 2006
+++ apache.sh   Sat May 20 14:04:56 2006
@@ -2,7 +2,7 @@
 # $FreeBSD: ports/www/apache13-modssl/files/rcng.sh,v 1.5 2006/02/20 20:47:46 dougb Exp $

 # PROVIDE: apache
-# REQUIRE: DAEMON
+# REQUIRE: DAEMON compat5x
 # BEFORE: LOGIN
 # KEYWORD: shutdown
Rerun /sbin/rcorder to recheck that apache start after compat5x.
# rcorder /etc/rc.d/* /usr/local/etc/rc.d/*
...
/etc/rc.d/yppasswdd
/usr/local/etc/rc.d/000.compat5x.sh
/usr/local/etc/rc.d/apache.sh
/etc/rc.d/LOGIN
...


Some parameters in /usr/local/etc/php.ini may need to be consider such as:

output_buffering = On
zlib.output_compression = On
register_argc_argv = Off
magic_quotes_gpc = Off  #When On, It cause more problems because we don't know 
                        #the quote come from user input or from this option.
[Zend]
zend_optimizer.optimization_level=15
zend_extension_manager.optimizer="/usr/local/lib/php/20020429/Optimizer"
zend_extension_manager.optimizer_ts="/usr/local/lib/php/20020429/Optimizer_TS"
zend_extension="/usr/local/lib/php/20020429/ZendExtensionManager.so"
zend_extension_ts="/usr/local/lib/php/20020429/ZendExtensionManager_TS.so"



3.3.3. Config Web Statistic

Due to the volumn of log messages, we does not use syslogd to keep apache access/error log. So, we wrote rotatelog.pl to rotate logs file every midnight to prevent them grow too large. You need to put the rotatelog.pl in your crontab to run it every midnight.

Next step is to setup awstat. awstats require a configuration file which should to be placed in /usr/local/etc/awstats. There are small changes I made on /usr/local/www/awstats/cgi-bin/awstats.model.conf to create my configuration file.

awstats.gaia.conf

LogFile="bunzip2 -dc /var/log/httpd/access.log.0.bz2 |"
SiteDomain="gaia.net0.intranet"
HostAliases="localhost 127.0.0.1"
DNSLookup=0   
DirData="/home/www/public_html/stats/data"
DirCgi="/stats/cgi-bin"
DirIcons="/stats/icons"
LoadPlugin="geoip GEOIP_STANDARD /usr/local/share/GeoIP/GeoIP.dat"
UseFramesWhenCGI=0
LogFormat=1


The GeoIP database also need to update. The database version that I use is a free GeoLite Country Database which update once a month. Put this geoip_update.sh shell script in your crontab update the database.

To allow user to view the statistic, don't forget to setup a URL for awstats and setup authenticate:

# mkdir -p /home/www/apache
# htpasswd -cm /home/www/apache/passwd stats
# mkdir -p /home/www/public_html/stats/data
# cd /home/www/public_html/stats
# ln -s /usr/local/www/awstats/cgi-bin
# ln -s /usr/local/www/awstats/classes
# ln -s /usr/local/www/awstats/css
# ln -s /usr/local/www/awstats/icons
# ln -s /usr/local/www/awstats/js
Create /home/www/public_html/stats/index.php:
<?
header("Location:/stats/cgi-bin/awstats.pl?config=gaia");
?>
Create /home/www/public_html/stats/.htaccess:
AuthType Basic
AuthName "Gaia Access Statistic"
AuthUserFile /home/www/apache/passwd
Require user stats
Options FollowSymLinks
Create /home/www/public_html/stats/cgi-bin/.htaccess to run perl script with mod_perl:
Options ExecCGI
AddHandler cgi-script .pl
Don't forget to create a crontab entries for rotate access log ,update statistic and update GeoIP database.
#crontab -e
0 0 * * * /home/admin/bin/rotatelog.pl
10 0 * * *  /home/www/public_html/stats/cgi-bin/awstats.pl -config=gaia -update
0 0  2 * * /home/admin/bin/geoip_update.sh



4. Install Mail Service

Mail service (SMTP/POP/IMAP) is one of the function for this server. It much support virtual mailboxs for our customers. The server must act as a mail relay for the customer and spam and virus filter are a must have features. The following table show list of ports I use to implement mail service on this server:



The mail server that I create is not the hight-performane one. On moderate hardware (Althon64 2800 with 1GB RAM and SATA disk) it can process about 3 mails a second (180 mails per minute) which is enought for small or medium company. So , if you a looking for the hight-performance mail server , this setup may not for you.


4.1. Prepare Mail System Database

We store our customer e-mail accounts on MySQL database to make it easier to manipulate and increase look up speed. Most of the information on this section come from Martin List-Petersen's ISP Mailserver Solution Howto.

CREATE DATABASE maildb;
USE maildb;

CREATE TABLE `alias` (
  `email` varchar(255) NOT NULL default '',    
  `destination` varchar(255) NOT NULL default '',
  `customer_id` varchar(16) NOT NULL default '',
  PRIMARY KEY `email` (`email`),
  KEY `customer_id` (`customer_id`)
) ENGINE=MyISAM;



CREATE TABLE `transport` (
  `domain` varchar(255) NOT NULL default '',
  `transport` varchar(128) NOT NULL default '',
  `customer_id` varchar(16) NOT NULL default '',
  PRIMARY KEY (`domain`),
  KEY `customer_id` (`customer_id`)
) ENGINE=MyISAM;


CREATE TABLE `user` (
  `email` varchar(128) NOT NULL default '',
  `passwd` varchar(128) NOT NULL default '$1$X$XXX',
  `name` varchar(128) NOT NULL default '',
  `uid` int(6) NOT NULL default '65534',    
  `gid` int(6) NOT NULL default '65534',
  `home` varchar(255) NOT NULL default '',  
  `maildir` varchar(255) NOT NULL default '',
  `allow_login` enum('Y','N') NOT NULL default 'Y', 
  `allow_receive` enum('Y','N') NOT NULL default 'Y', 
  `customer_id` varchar(16) NOT NULL default '',
  PRIMARY KEY  (`email`),
  KEY `customer_id` (`customer_id`)
) ENGINE=MyISAM;


We need 3 MySQL user accounts with difference privileges .

  1. maildb -- Owner of the database can do everything to the database.

  2. maildb_auth -- Can read every fields in user table. Use by courier-authlib.

  3. maildb_smtp -- Can read every fields on the database except passwd. Use by postfix. The user/password of this account must store in a word readable file in /usr/local/etc/postfix ,therefore, give minimum access to this account.

GRANT USAGE ON maildb.* TO 'maildb'@'localhost' IDENTIFIED BY '*********';
GRANT ALL PRIVILEGES ON `maildb` . * TO 'maildb'@'localhost' WITH GRANT OPTION;
GRANT USAGE ON maildb. * TO 'maildb_auth'@'localhost' IDENTIFIED BY '*********';
GRANT SELECT ON `maildb`.`user` TO 'maildb_auth'@'localhost';
GRANT USAGE ON maildb. * TO 'maildb_smtp'@'localhost' IDENTIFIED BY '*********';
GRANT SELECT ON `maildb`.`alias` TO 'maildb_smtp'@'localhost';
GRANT SELECT ON `maildb`.`transport` TO 'maildb_smtp'@'localhost';
GRANT SELECT (
`email` , `name` , `uid` , `gid` , `home` , `maildir` , `allow_login` , `allow_receive` , `customer_id`
) ON `maildb`.`user`
TO 'maildb_smtp'@'localhost';



4.2. Config amavisd-new and dspam

First append the lines to /etc/rc.conf to enable the service.

#Amavis/ClamAV/SpamAssasin
clamav_clamd_enable="YES"
clamav_freshclam_enable="YES"
amavisd_enable="YES"
Add clamav user to vscan group to enable clamd to access the amavisd filtering mail.
# vi /etc/group
spamd:*:58:
vscan:*:110:clamav
clamav:*:106:
To run dspam from amavisd-new you need to make some change to installed dspam.
# chmod u-s,a+rx /usr/local/bin/dspam
# cd /var/amavis
# ln -s /var/db/dspam
Then edit
/usr/local/etc/amavisd.conf as show below:
$mydomain = 'gaia.net0.intranet';   # a convenient default for other settings
$dspam = 'dspam';              # Allow dspam

#Don't forget to uncomment 'ClamAV-clamd' to enable clamav

#If you want to accept .zip and .bz2, remove the comment on
#[ qr'^\.(Z|gz|bz2)$'           => 0 ] and
#[ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ] 

#Discard all filtered mail -- don't notify sender
$final_virus_destiny      = D_DISCARD;
$final_banned_destiny     = D_DISCARD;
$final_spam_destiny       = D_DISCARD;
$final_bad_header_destiny = D_DISCARD;

$recipient_delimiter = '-';

#If someting go wrong enable the following options and take a look at
#/var/log/maillog and your mailheader
#$log_level = 5;
#$sa_tag_level_deflt = 0;
You can see the result of the command diff -u amavisd.conf-dist amavisd.conf on my server here.

To setup dspam, you must cread a dspam user and database on MySQL. Give that user full access to the database and run the script in /usr/local/share/examples/dspam/mysql/mysql_objects-4.1.sql.

# mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 144 to server version: 4.1.14

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> CREATE DATABASE dspam;
Query OK, 1 row affected (0.00 sec)
mysql> GRANT USAGE ON dspam.* TO 'dspam'@'localhost' IDENTIFIED BY '*********';
Query OK, 1 row affected (0.00 sec)
mysql> GRANT ALL PRIVILEGES ON `dspam` . * TO 'dspam'@'localhost' WITH GRANT OPTION;
Query OK, 1 row affected (0.00 sec)
mysql> USE dspam;
Database changed
mysql> \. /usr/local/share/examples/dspam/mysql/mysql_objects-4.1.sql
Edit /usr/local/etc/dspam.conf to add MySQL user and password:
StorageDriver /usr/local/lib/libmysql_drv.so
MySQLServer     /tmp/mysql.sock
#MySQLPort
MySQLUser               dspam
MySQLPass               xxxxxx
MySQLDb                 dspam
#MySQLCompress          true

#For Relearn false negative and false positive
MySQLUIDInSignature     on
Preference "signatureLocation=headers"

#We work with amavisd-new
IgnoreHeader X-Spam-Status
IgnoreHeader X-Spam-Scanned
IgnoreHeader X-Virus-Scanner-Result

#Add the following line and take a look at /var/log/dspam/dspam.debug 
#if something don't work as expected
#Debug vscan
dspam will not activate util it see about 2,000 spam/nospam mails, so you must wait for this threashold to be reach.


4.4. Config postfix

评论

相关推荐

Global site tag (gtag.js) - Google Analytics