Subject: virt webhosting howto again for ur reviews
From: muhammad usman ####@####.####
Date: 27 Jan 2005 01:16:24 -0000
Message-Id: <20050127011557.99391.qmail@web80901.mail.scd.yahoo.com>
How are you all!
The howto is modified almost 80%, with respect to your suggestions.
1. More details are added about what's going on and why.
2. Tried to make it user friendly by dividing tasks into steps.
3. Installation of packages has one separate section now (optional).
4. Configuration of packages has a separate section.
However, I am waiting for your suggestions to improve it a lot more.
But it is requested that you all kindly read it completely.
Regards,
Muhammad Usman
Virtual Webhosting on Linux for support of php+mysql+jsp+servlets
Page 1
INTRODUCTION
------------
Introduction to Virtual Webhosting
---------------------------------
Virtual webhosting allows you to run multiple websites on a single IP (name-based hosting) or with a different IP per
website (IP-based hosting), with only one instance of the web server running on your machine.
We will use the name-based hosting method.
Disclaimer
----------
Neither the author nor the distributors, or any other contributor of this HOWTO are in any way responsible for physical, financial, moral or any other type of damage incurred by following the suggestions in this text.
Feedback and corrections
------------------------
You are welcome to write at ####@####.####
Contents
--------
This howto covers the following topics:
1. Partitioning scheme
2. Installation of packages
   apache2
   mysql4.3
   php5
   proftpd
   tomcat4.1
   mod_jk2
   adding modules to apache
3. Configuration of packages
   apache
   php
   proftpd
   mod_jk2
   tomcat
4. Disk quota
5. Adding a domain
6. Mysql quota
7. What the user (client) needs to do
---------------------------------------------------
section 1. Installation and Partition Scheme
---------------------------------------------
You must use multiple partitions, for security reasons and to give each purpose a fixed limit of space.
/home
so that users' data stays within a limit and doesn't use all available space.
/var/log
so that logging doesn't use all the space.
mysql data directory: same reason.
/tmp
as /tmp is readable and writable by everyone, the "noexec" mount option can be applied to it.
A sample partition scheme and mount options; we will use this scheme in this howto.
Output of "mount":
/dev/sda1 on / type ext3 (rw)
/dev/sdb1 on /var/log type ext3 (rw,noexec)
/dev/sdb2 on /tmp type tmpfs (rw,noexec)
/dev/sdb3 on /mysqldata type ext3 (rw,noexec)
/dev/sdc1 on /home type ext3 (rw,noexec,usrquota)
"df -h" output
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 7.4G 2.3G 4.8G 32% /
none 252M 0 252M 0% /dev/shm
/dev/sdb1 966M 22M 895M 3% /var/log
/dev/sdb2 252M 4.2M 248M 2% /tmp
/dev/sdb3 7.1G 55M 6.7G 1% /mysqldata
/dev/sdc1 8.4G 185M 7.8G 3% /home
Why use noexec?
--------------
So that if an intruder breaks in, he can't run his binaries from your machine unless he has root access.
Why use usrquota on /home?
---------------------------
To apply disk quotas and give each user a specific limit.
Contents of /etc/fstab:
/dev/sda1 / ext3 defaults 1 1
none /dev/pts devpts gid=5,mode=620 0 0
none /proc proc defaults 0 0
none /dev/shm tmpfs defaults 0 0
/dev/sda2 swap swap defaults 0 0
/dev/cdrom /mnt/cdrom udf,iso9660 noauto,owner,kudzu,ro 0 0
/dev/sdb1 /var/log ext3 defaults,noexec 0 1
/dev/sdb2 /tmp tmpfs defaults,noexec 0 1
/dev/sdb3 /mysqldata ext3 defaults,noexec 0 1
/dev/sdc1 /home ext3 defaults,usrquota,noexec 0 1
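The scheme above only protects anything if the options really are in effect, and a later remount or a changed fstab silently loses them. The following check is an added example, not part of the original HOWTO: it reads "mount"-style lines and reports every required option that is absent (the two sample tables are constructed for the demo).

```shell
#!/bin/sh
# Added check, not part of the HOWTO: verify that the mount table actually
# carries the options the partition scheme above relies on. Reads "mount"
# style lines on stdin, so it works on a constructed sample or on the real
# output of `mount` (run: mount | check_mounts).

# mount point:option pairs required by the scheme in this section
REQUIRED="/tmp:noexec /var/log:noexec /mysqldata:noexec /home:noexec /home:usrquota"

# check_mounts: prints one MISSING line per absent option,
# returns 0 when all required options are present, 1 otherwise.
check_mounts() {
    table=$(cat)
    rc=0
    for pair in $REQUIRED; do
        mp=${pair%%:*}
        opt=${pair#*:}
        # "mount" prints: <dev> on <mountpoint> type <fs> (<opts>); take the last field
        opts=$(printf '%s\n' "$table" | awk -v mp="$mp" '$3 == mp { print $NF }')
        case "$opts" in
            "")        printf 'MISSING %s: not a separate mount\n' "$mp"; rc=1 ;;
            *"$opt"*)  ;;   # option present
            *)         printf 'MISSING %s: option %s\n' "$mp" "$opt"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: the HOWTO's scheme, as it should look.
GOOD='/dev/sda1 on / type ext3 (rw)
/dev/sdb1 on /var/log type ext3 (rw,noexec)
/dev/sdb2 on /tmp type tmpfs (rw,noexec)
/dev/sdb3 on /mysqldata type ext3 (rw,noexec)
/dev/sdc1 on /home type ext3 (rw,noexec,usrquota)'

# Constructed sample: same scheme after /tmp was remounted without noexec
# and usrquota was forgotten on /home.
BAD='/dev/sda1 on / type ext3 (rw)
/dev/sdb1 on /var/log type ext3 (rw,noexec)
/dev/sdb2 on /tmp type tmpfs (rw)
/dev/sdb3 on /mysqldata type ext3 (rw,noexec)
/dev/sdc1 on /home type ext3 (rw,noexec)'

printf '%s\n' "$GOOD" | check_mounts && echo "good scheme: OK"
printf '%s\n' "$BAD" | check_mounts || echo "bad scheme: hardening missing"
```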
----------------------
section 2. Installation of Packages
--------------------------
You can skip this section if your distribution already ships these packages; an overview is still useful, though.
2.1. Apache
download apache source from http://www.apache.org.
tar -zxvf httpd-2.0.52.tar.gz
cd httpd-2.0.52
./configure --enable-so
make
make install
-----------------------------
2.2 Mysql
Download mysql from http://www.mysql.org
tar -zxvf mysql-4.1.8.tar.gz
cd mysql-4.1.8
./configure
make
make install
mysql will be installed under /usr/local/
Create a user and group to run mysql as:
groupadd mysql
useradd -g mysql -d /mysqldata mysql
mkdir /mysqldata/data
chown -R mysql:mysql /mysqldata
chmod -R 750 /mysqldata
Create /etc/my.cnf (mysql reads its configuration from here):
--------
[mysqld]
datadir=/mysqldata/data
socket=/tmp/mysql.sock
[mysql.server]
user=mysql
basedir=/mysqldata
[safe_mysqld]
err-log=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
----------
To install the mysql system databases, as user mysql:
su mysql
/usr/local/bin/mysql_install_db
Then (as root) start the mysqld process, which runs as user mysql:
/usr/local/bin/mysqld_safe &
For security reasons set a password for the mysql super user "root":
mysqladmin -u root password 'securepassword'
------------------------------
2.3. Php
Download php from http://www.php.net
tar -zxvf php-5.0.3.tar.gz
cd php-5.0.3
./configure --with-apxs2=/usr/local/apache2/bin/apxs --with-mysql=/usr/local --with-safe-mode
make
make install
cp php.ini-recommended /usr/local/lib/php.ini
Important changes in php.ini:
------------
register_globals = Off
safe_mode = On
safe_mode_gid = On
expose_php = Off
--------------
------------------------------
2.4. Proftpd
We will use proftpd as the ftp server.
If you don't like it you can use any other, but make sure to disable anonymous login and configure a chroot jail.
Download it from http://www.proftpd.org
tar -zxvf proftpd-1.2.10.tar.gz
cd proftpd-1.2.10
./configure --with-modules=mod_radius --enable-auth-pam
make
make install
----------------
-------------------------
2.5. Tomcat4
For Tomcat we need a JDK or JVM. Download it from http://java.sun.com; I used jdk1.4.
chmod 755 j2sdk-1_4_2_06-linux-i586.bin
Execute it:
./j2sdk-1_4_2_06-linux-i586.bin
You will get a directory named j2sdk1.4.2_06. Rename it so it is easy to refer to:
mv j2sdk1.4.2_06 /jdk
Add the JAVA_HOME variable in your shell so that tomcat knows where java is.
Hopefully you will be using bash, so add these two lines to /etc/profile; otherwise use the way your shell understands.
JAVA_HOME=/jdk
export JAVA_HOME
Now install Tomcat. I used Tomcat 4.1.31 because the latest version of mod_jk2 supports up to tomcat 4.1,
so we can't use tomcat 5, which is the latest available at this time.
Download the binaries from http://jakarta.apache.org/tomcat/tomcat-4.1-doc/index.html
tar -zxvf the downloaded archive, rename the extracted directory to tomcat and move it to /usr/local/.
To start:
/usr/local/tomcat/bin/catalina.sh start
To stop:
/usr/local/tomcat/bin/catalina.sh stop
---------------------
2.6. mod_jk2
-----------
Q. What is mod_jk2?
A. mod_jk2 is a connector that lets Apache communicate with tomcat.
Q. Why do we need this connector?
A. We need it so that apache forwards all requests for java servlets and jsp pages to tomcat, because apache
itself will only handle html, cgi and php requests.
Download its source from
http://jakarta.apache.org/tomcat/tomcat-4.1-doc/jk2/index.html
tar -zxvf jakarta-tomcat-connectors-jk2-2.0.4-src.tar.gz
cd jakarta-tomcat-connectors-jk2-2.0.4-src
./configure --with-apache=/path/to/apache/source/dir
make
cd build/jk2/apache2/usr/local/apache2/modules/
cp * /usr/local/apache2/modules
----------------------------
2.7 Adding modules in Apache
---------------------------------------------------
Now it's time to add the modules to the apache configuration file (/usr/local/apache2/conf/httpd.conf)
-------------
# load the modules from the modules directory; by default it is /usr/local/apache2/modules
LoadModule php5_module modules/libphp5.so
LoadModule jk2_module modules/mod_jk2.so
-------------------------------------------
section 3. Configuration of Packages
------------------------------------------
3.1 Apache
In /usr/local/apache2/conf/httpd.conf or your distribution-specific file:
# we are removing the option "Indexes" from the list of options so that a user cannot see a directory's contents when there is no index file there
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
# where apache will find information about the tomcat workers
<IfModule jk2_module.c>
JkWorkersFile /etc/httpd/conf/workers.properties
</IfModule>
AddType application/x-httpd-php .php .phtml
# so that a user can use index.php and index.jsp as index pages
DirectoryIndex index.php index.html index.htm default.html default.htm index.jsp
# to enable name based virtual hosting
NameVirtualHost *
------------------------------
3.2 PHP
In /usr/local/php.ini or your distribution-specific php.ini file.
Important changes in php.ini:
------------
register_globals = Off
safe_mode = On
safe_mode_gid = On
expose_php = Off
--------------
-----------------------
3.3 Proftpd
For security reasons, add all system users to /etc/ftpusers so they can't log in, and certainly add root too.
Important changes in the configuration file /usr/local/etc/proftpd.conf or your distribution-specific file:
-------------
ServerName " your ftp server"
User nobody
Group nobody
#to configure chroot jail for users in their home dir.
DefaultRoot ~
DeferWelcome on
#to disable anonymous login, comment these lines or delete them.
#<Anonymous ~ftp>
# User ftp
# Group ftp
# We want clients to be able to login with "anonymous" as well as "ftp"
# UserAlias anonymous ftp
# Limit the maximum number of anonymous logins
#MaxClients 10
# We want 'welcome.msg' displayed at login, and '.message' displayed
# in each newly chdired directory.
#DisplayLogin welcome.msg
#DisplayFirstChdir .message
# Limit WRITE everywhere in the anonymous chroot
#<Limit WRITE>
# DenyAll
#</Limit>
#</Anonymous>
TransferLog /var/log/proftpd.xferlog
identLookups off
# to prevent from DOS state.
MaxClientsPerHost 6
SystemLog /var/log/proftpd.system.log
timeoutlogin 80
timeoutidle 3000
timeoutstalled 3600
#to reduce load
maxclients 15
#uncomment these to enable auth from radius if you desire.
#RadiusEngine on
#PersistentPasswd off
#RadiusAuthServer yourradiusserver:1812 test
#RadiusLog /var/log/ftprad.log
--------------------
3.4 mod_jk2 related
Now we need to create a workers.properties file; put it in /usr/local/apache2/conf or your distribution-specific
apache "conf" directory (the same path you gave in JkWorkersFile above).
Tomcat listens by default on port 8009 for connections from other web servers, which is how we are connecting
apache to it.
So we will create a worker named "ajp13" and apache will use it.
[shm]
file=/var/logs/tomcatconnector.log
size=1048576
# socket channel
[channel.socket:localhost:8009]
port=8009
host=127.0.0.1
# worker for the connector
[ajp13:localhost:8009]
channel=channel.socket:localhost:8009
-----------------------------------
3.5 Tomcat Related
Add the JAVA_HOME variable in your shell so that tomcat knows where java is.
Hopefully you will be using bash, so add these two lines to /etc/profile; otherwise use the way your shell understands.
JAVA_HOME=/jdk
export JAVA_HOME
-------------------------
4. Disk Quotas
Make sure you have quota-tools installed and quota support in the kernel.
For details see the Quota HOWTO.
------------------------------------------------
5. Adding a Domain
------------------
NOTE: don't forget to make the appropriate DNS entries on your DNS servers
for foo.com and www.foo.com.
Adding a sample domain foo.com with 100 MB of web space.
step 1 Add the user and set the password
--------------------------------------
useradd -s /sbin/nologin -g nobody foo
Set the password for foo to log in via ftp (only if you are not using any other auth mechanism;
as proftpd is compiled with radius support you can use that instead).
passwd foo
step 2 apply disk quota
----------------------
Apply a disk quota to limit the user to a maximum of 100 MB.
setquota works in KB (kilobytes):
1 MB = 1024 KB
100 MB = 1024 x 100 = 102400 KB
The two 102400 values are the soft and hard block limits; the two zeros leave the inode limits unset.
setquota -u foo 102400 102400 0 0 /home
step 3 add the virtual domain in tomcat
--------------------------------------
Open /usr/local/tomcat/conf/server.xml (or your distribution-specific file) in your editor
and add these lines before the closing
</Engine>
</Service>
</Server>
The lines are:
<Host appBase="/" name="foo.com">
  <Logger className="org.apache.catalina.logger.FileLogger" suffix=".txt" prefix="foo.com" timestamp="true"/>
  <Context path="" docBase="/home/foo/" debug="0" crossContext="true" privileged="true"/>
  <Context path="/servlet" docBase="/home/foo/servlet" debug="0" crossContext="true" privileged="true"/>
  <Alias>www.foo.com</Alias>
</Host>
line 1 adds a domain (host)
line 2 tells where to log information
line 3 the root folder for the domain (crossContext and privileged give the context access to other contexts and to tomcat's own container servlets)
line 4 a separate root folder for urls starting with /servlet/, as we need it to put servlets there
line 5 an alias for www.foo.com, so www.foo.com and foo.com are the same for tomcat
line 6 ends the tag; note that it must be </Host>, as XML tag names are case-sensitive
step 4 Create the folders where the user can put servlets
------------------------------------------------
mkdir -p /home/foo/servlet/WEB-INF/classes
mkdir /home/foo/servlet/WEB-INF/lib
step 5 create web.xml (the config file for servlets)
---------------------------------------------------
Put a test servlet named YourServlet.class in /home/foo/servlet/WEB-INF/classes
and create a web.xml in /home/foo/servlet/WEB-INF/
like this:
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <servlet>
    <servlet-name>YourServlet</servlet-name>
    <servlet-class>YourServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>YourServlet</servlet-name>
    <url-pattern>/YourServlet</url-pattern>
  </servlet-mapping>
</web-app>
Now your servlet will be accessible at http://www.foo.com/servlet/YourServlet
step 6 Add the domain in the apache config file
----------------------------------------
At the end of /usr/local/apache2/conf/httpd.conf or your distribution-specific file:
# a sample domain entry
<VirtualHost *>
ServerAdmin ####@####.####
DocumentRoot /home/foo
ServerName foo.com
# so that we don't need a separate entry for www.foo.com
# (apache does not accept a comment at the end of a directive line, so keep comments on their own lines)
ServerAlias www.foo.com
<Directory "/home/foo">
AllowOverride None
Order allow,deny
Allow from all
</Directory>
# this tells apache to forward such url patterns to the worker ajp13 we defined in workers.properties:
# any url ending in ".jsp" or containing "/servlet/" will be forwarded to tomcat,
# anything else will be handled by apache itself
<Location "/*.jsp">
JkUriSet worker ajp13:localhost:8009
</Location>
<Location "/servlet/*">
JkUriSet worker ajp13:localhost:8009
</Location>
</VirtualHost>
step 7 testing phase
---------------------
Put the website data in /home/foo. Add servlet class files in /home/foo/servlet/WEB-INF/classes
or jar files in /home/foo/servlet/WEB-INF/lib.
Feel free to put *.jsp files anywhere.
Don't forget to restart tomcat when you modify servlets.
A sample jsp file to put in /home/foo:
index.jsp
<HTML>
<BODY>
<H1><%= " Tomcat works!" %></H1><%= "at " + java.util.Calendar.getInstance().getTime() %>
</BODY>
</HTML>
Now restart apache:
apachectl restart
Restart tomcat:
catalina.sh stop
catalina.sh start
step 8 Adding a mysql database for the domain
---------------------------------------
Add a mysql database named foo, either from the shell:
mysqladmin create foo -u root -pyourpassword
or from the mysql client (doing both only makes the second one report that the database already exists):
mysql -u root -pyourpassword
->create database foo;
->grant all on foo.* to foo identified by 'somepass';
This gives the user mysql access, and he can connect from anywhere on the mysql default port 3306.
If his site's PHP only ever connects from this machine, grant to 'foo'@'localhost' instead so the account cannot be used from outside.
------------------------------------------------------
6. Mysql Quota
---------------
MySQL hasn't any database quota support, so we need to do a tricky thing.
When you add a user, add the user name to a file. If you have different hosting packages, create a different file
for each package. Write a perl script which checks whether the user has used more space than the package allows
and, if so, makes the database directory read-only.
When you create a database in mysql, it creates a directory for it, where everything of the database is stored;
in our case, for foo there is a directory
/mysqldata/data/foo
A sample script; we have 3 files for 3 different packages in /etc/hosting.
Make sure you set up a crontab entry to run it several times a day.
#!/usr/bin/perl
# Cron job: make a customer's MySQL database directory read-only once it grows
# past the size allowed by the hosting package the customer is in.
use strict;
use warnings;

# Reset permissions first so a database that has shrunk below its limit becomes
# writable again; the loop below re-applies read-only mode where still needed.
system('/bin/chmod', '-R', '755', '/home') == 0 or warn "chmod /home failed\n";
system('/bin/chmod', '-R', '750', '/mysqldata') == 0 or warn "chmod /mysqldata failed\n";

my $fdir = '/etc/hosting';
# package file (one user name per line) => limit in megabytes
my %limit = (
    "$fdir/package1" => 100,
    "$fdir/package2" => 200,
    "$fdir/package3" => 30,
);

foreach my $file (sort keys %limit) {
    open(my $fh, '<', $file) or do { warn "cannot open $file: $!\n"; next; };
    while (my $user = <$fh>) {
        chomp $user;    # drop the newline, otherwise it ends up in the path
        # accept only plain names: no blanks, slashes or shell metacharacters
        next unless $user =~ /^[A-Za-z0-9_]+$/;
        my $dir = "/mysqldata/data/$user";
        next unless -d $dir;
        # du -sm prints "<megabytes>\t<path>"; keep only the number
        my ($size) = split /\s+/, `du -sm $dir`;
        next unless defined $size;
        if ($size > $limit{$file}) {
            system('/bin/chmod', '-R', '550', $dir) == 0
                or warn "chmod $dir failed\n";
        }
    }
    close($fh);
}
-------------------------------------
7. What the user (client) needs to do
Now the user can use any ftp client to put data on your server and modify it.
However, for servlets, guide users to modify web.xml themselves, or write a script which automatically updates web.xml as new servlets are found in the
classes folder.
I will write it soon for you.
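One way to do the web.xml update mentioned here, covering the descriptor layout from step 5 of section 5, as an added example that is not the HOWTO author's script: it lists the .class files in WEB-INF/classes and regenerates a servlet 2.3 web.xml that maps each one at /servlet/<Name>. It assumes unpackaged servlet classes whose class name equals the file name; the demo directory and class files at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not the HOWTO author's script: rebuild WEB-INF/web.xml from
# the servlet classes found in WEB-INF/classes, so a customer who uploads
# Foo.class by FTP gets it mapped at /servlet/Foo without editing XML by hand.
# Assumes the servlet class name equals the file name (no packages) and the
# servlet 2.3 layout used in step 5 above.

# list_servlets <classes_dir>: one class name per line, sorted.
list_servlets() {
    for f in "$1"/*.class; do
        [ -f "$f" ] || continue
        n=${f##*/}; n=${n%.class}
        # only plain identifiers become mappings; inner classes (Foo$1) and
        # names that could break the XML are skipped
        case "$n" in *[!A-Za-z0-9_]*) continue ;; esac
        echo "$n"
    done | sort
}

# gen_webxml <webapp_dir>: print a deployment descriptor to stdout. The 2.3
# DTD requires every <servlet> before the first <servlet-mapping>, hence two loops.
gen_webxml() {
    classes="$1/WEB-INF/classes"
    printf '%s\n' '<?xml version="1.0" encoding="ISO-8859-1"?>' \
      '<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">' \
      '<web-app>'
    list_servlets "$classes" | while read -r name; do
        printf '  <servlet>\n    <servlet-name>%s</servlet-name>\n    <servlet-class>%s</servlet-class>\n  </servlet>\n' "$name" "$name"
    done
    list_servlets "$classes" | while read -r name; do
        printf '  <servlet-mapping>\n    <servlet-name>%s</servlet-name>\n    <url-pattern>/%s</url-pattern>\n  </servlet-mapping>\n' "$name" "$name"
    done
    echo '</web-app>'
}

# update_webxml <webapp_dir>: write the descriptor in place. Restart Tomcat
# afterwards, as step 7 says, so it picks up the new mappings.
update_webxml() {
    mkdir -p "$1/WEB-INF" && gen_webxml "$1" > "$1/WEB-INF/web.xml"
}

# Constructed demo: a scratch web app with two uploaded servlets and one
# inner class that must not be mapped.
demo=${TMPDIR:-/tmp}/webxml-demo.$$
mkdir -p "$demo/WEB-INF/classes"
: > "$demo/WEB-INF/classes/YourServlet.class"
: > "$demo/WEB-INF/classes/Hello.class"
: > "$demo/WEB-INF/classes/Hello\$1.class"
update_webxml "$demo"
cat "$demo/WEB-INF/web.xml"
rm -r "$demo"
```

Run it from cron or after each FTP upload with the customer's servlet directory as the argument, e.g. update_webxml /home/foo/servlet.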
Author
Muhammad Usman
####@####.####
####@####.####