
[Experience Sharing] Installing FreeBSD 6 for Internet Server


Posted on 2016-11-9 10:14:11
Installing FreeBSD 6 for Internet Server


Chatchawan Wongsiriprasert

<cws@miraclenet.co.th>
          






Copyright © 2005 Chatchawan Wongsiriprasert
$Id: article.sgml,v 1.2 2006/05/27 05:44:30 cws Exp $

  FreeBSD is a registered trademark of the FreeBSD Foundation.
  Many of the designations used by manufacturers and sellers to distinguish their
products are claimed as trademarks. Where those designations appear in this document, and
the FreeBSD Project was aware of the trademark claim, the designations have been followed
by the “™” or the “®” symbol.





Table of Contents
1. Overview
2. Installing FreeBSD 6
3. Install Application & Web Service
4. Install Mail Service
5. Setup User WWW Site
6. Server Maintenance


1. Overview
  This document is a guideline for installing FreeBSD for Internet hosting. My company, MiracleNet Group, is a web-based software solution provider. Sometimes we need to set up a server to host the solution for our customer, which is my responsibility.
  This guideline started from notes I took when I installed those servers. I assume that the reader has some experience with FreeBSD and has already read the FreeBSD Handbook.
  The requirements for this Internet server are:

  •   It must be an e-mail server with virus and spam filters. The customer must be allowed to
    add/delete an e-mail without the need to contact us.
  •   It must support POP3/IMAP4/POP3S/IMAP4S, webmail, and e-mail relay for our
    customers.
  •   It must host our customers' web sites. Each customer must not be able to access the files
    of other customers.
  •   The customer must not be able to log in to this server, except to upload and download
    the web pages.




2. Installing FreeBSD 6
  First of all, please read my suggestion on Partition Layout, because it is the only thing you cannot change after installing FreeBSD. Then you can proceed to install FreeBSD as indicated in the FreeBSD Handbook. You can download ISO images for i386 or amd64 from FreeBSD.org or mirror sites. Only the first disc, 6.0-xxx-xxx-disc1.iso, is required.


2.1. Partition Layout
  Before starting the installation process, you must make up your mind about the partition layout of the hard disk, because it is the only thing you cannot change after installing the system.
  Assuming that you have a single disk of moderate size (32GB or up), my suggestions for the partition layout are:
  Table 1. Partition Layout for 32GB

| Partition | Filesystem | Size | Description |
|---|---|---|---|
| a | / | 256 MB | The FreeBSD Handbook suggests 100 MB for this partition, but for a disk of 32GB or more, 256 MB may be better. |
| b | N/A | 4-8 GB | This follows the FreeBSD Handbook, which suggests 2-3 x RAM. Upgrading RAM is easy: just put in the new RAM module. Adding swap space means adding a new disk, which may not be possible in a 1U rack. Anyway, with a 32GB hard disk or i386, 8 GB may be too much. |
| d | /var | 2-4 GB | A server needs a lot of space on /var for logging and housekeeping. Some software uses /var to store temporary data by default. |
| e | /tmp | 1-2 GB | Many programs and user scripts assume that /tmp is world writable. Putting this directory on its own partition prevents a runaway user process from eating up all the space on a more critical partition such as / or /var. |
| f | /usr | 5-10 GB | We need this partition to store the source/ports trees and to build the system. 5 GB is fine, but with a large hard disk (72 GB), 10 GB will not hurt you. |
| g | /home | Rest of disk | This partition will store all user data or anything that you don't want to touch when reinstalling the system. Moreover, you may want to set quota on this slice. |






2.2. Upgrade FreeBSD source and ports

  After installing FreeBSD 6 and the ports tree from CD, you need to upgrade your system to the latest patch level to protect it against various types of attack.
  You need a pre-built program (a package, in FreeBSD terms) to upgrade your system. The package is net/cvsup-without-gui, which can be used to upgrade both the source and ports trees.
  For example, at the time of this writing the version of FreeBSD 6 is 6.0; assume that the platform is i386. The commands to download and install cvsup are:

    # fetch ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/6.0-RELEASE/packages/net/cvsup-without-gui-16.1h_2.tbz
    cvsup-without-gui-16.1h_2.tbz                 100% of  754 kB   37 kBps 00m00s
    # pkg_add cvsup-without-gui-16.1h_2.tbz

Edit cvs-supfile to fetch the latest updates for FreeBSD 6.0. This is my cvs-supfile:

    #For a complete list of cvsupd servers, see CVSup Sites in the FreeBSD Handbook.
    *default host=cvsup12.freebsd.org
    *default base=/usr
    *default prefix=/usr
    *default release=cvs
    *default delete use-rel-suffix
    *default tag=RELENG_6_0
    *default compress
    src-all
    ports-all tag=.

Run cvsup. It will take a while to fetch both the src and ports trees.

    # /usr/local/bin/cvsup -L2 cvs-supfile

See the Using CVSup section of the FreeBSD Handbook for more detail about using cvsup.



2.3. Rebuild FreeBSD

  Edit your /etc/make.conf (copy the default from /usr/src/share/examples/etc/make.conf). At least change CPUTYPE to match your machine. See the gcc 3.4.4 manual for details of each CPUTYPE. The FreeBSD build system may not be able to use every CPUTYPE in the gcc manual. If your CPUTYPE causes a build error, try another one. This is an example of my make.conf:

CPUTYPE?= p4         #Use ?= not = to allow FreeBSD build process to override this value
#CPUTYPE?= k8       #For Athlon64 on i386
#CPUTYPE?= athlon64 #For Athlon64 on AMD64

Modify your kernel configuration. You should read Configuring the FreeBSD Kernel and /usr/src/sys/i386/conf/NOTES or /usr/src/sys/amd64/conf/NOTES for each kernel option. This is my kernel configuration for i386/AMD64 on my Athlon64 test machine:
machine         i386
#machine        amd64
cpu             I686_CPU
#cpu            HAMMER
#options        SMP         # Symmetric MultiProcessor Kernel
ident           GAIA-I386
#ident          GAIA-AMD64
#Adjust memory limit for 4G RAM for i386
options         KVA_PAGES=384               #1.5 G for kernels
options         MAXDSIZ=(1536UL*1024*1024)  #1.5 G for data
options         MAXSSIZ=(128UL*1024*1024)   #128M for stack
#Leave 896KB for code segment
options         DFLDSIZ=(1536UL*1024*1024)  #Set default data size to 1.5G
options         SCHED_4BSD
options         PREEMPTION              # Enable kernel thread preemption
options         INET                    # InterNETworking
options         FFS                     # Berkeley Fast Filesystem
options         SOFTUPDATES             # Enable FFS soft updates support
options         UFS_ACL                 # Support for access control lists
options         UFS_DIRHASH             # Improve performance on big directories
options         MD_ROOT                 # MD is a potential root device
options         CD9660                  # ISO 9660 Filesystem
options         PROCFS                  # Process filesystem (requires PSEUDOFS)
options         PSEUDOFS                # Pseudo-filesystem framework
options         GEOM_GPT                # GUID Partition Tables.
options         COMPAT_43               # Compatible with BSD 4.3 [KEEP THIS!]
#options        COMPAT_IA32             # Compatible with i386 binaries
options         COMPAT_FREEBSD4         # Compatible with FreeBSD4
options         COMPAT_FREEBSD5         # Compatible with FreeBSD5
options         SCSI_DELAY=5000         # Delay (in ms) before probing SCSI
options         KTRACE                  # ktrace(1) support
options         SYSVSHM                 # SYSV-style shared memory
options         SYSVMSG                 # SYSV-style message queues
options         SYSVSEM                 # SYSV-style semaphores
options         _KPOSIX_PRIORITY_SCHEDULING # POSIX P1003_1B real-time extensions
options         KBD_INSTALL_CDEV        # install a CDEV entry in /dev
options         ADAPTIVE_GIANT          # Giant mutex is adaptive.
#Kernel Options for PostgreSQL with large shared memory (312.5M)
options         SYSVSHM                 #SYSV-style shared memory
options         SYSVMSG                 #SYSV-style message queues
options         SYSVSEM                 #SYSV-style semaphores
options         SHMMAXPGS=80000
options         SHMSEG=256
options         SHMMNI=256
options         SEMMNI=256
options         SEMMNS=512
options         SEMMNU=256
options         SEMMAP=256
#PostgreSQL use a alot of shared memory - default is 200
options         PMAP_SHPGPERPROC=512
#Firewall & NAT & DummyNet, may be needed in jail setup
options         IPFIREWALL
options         IPDIVERT
options         IPFIREWALL_DEFAULT_TO_ACCEPT
options         IPFIREWALL_VERBOSE
options         IPFIREWALL_VERBOSE_LIMIT=100
options         DUMMYNET
options         IPFIREWALL_FORWARD
options         QUOTA
device          apic                    # I/O APIC
device          pci
# Floppy drives
device          fdc
# ATA and ATAPI devices
device          ata
device          atadisk         # ATA disk drives
device          ataraid         # ATA RAID drives
device          atapicd         # ATAPI CDROM drives
device          atapifd         # ATAPI floppy drives
device          atapist         # ATAPI tape drives
options         ATA_STATIC_ID   # Static device numbering
# SCSI peripherals
device          scbus           # SCSI bus (required for SCSI)
device          ch              # SCSI media changers
device          da              # Direct Access (disks)
device          sa              # Sequential Access (tape etc)
device          cd              # CD
device          pass            # Passthrough device (direct SCSI access)
device          ses             # SCSI Environmental Services (and SAF-TE)
# atkbdc0 controls both the keyboard and the PS/2 mouse
device          atkbdc          # AT keyboard controller
device          atkbd           # AT keyboard
device          psm             # PS/2 mouse
device          vga             # VGA video card driver
device          splash          # Splash screen and screen saver support
# syscons is the default console driver, resembling an SCO console
device          sc
device          agp             # support several AGP chipsets
# Power management support (see NOTES for more options)
device          apm
# Add suspend/resume support for the i8254.
device          pmtimer
# Serial (COM) ports
device          sio             # 8250, 16[45]50 based serial ports
# Parallel port
device          ppc
device          ppbus           # Parallel port bus (required)
device          lpt             # Printer
device          plip            # TCP/IP over parallel
device          ppi             # Parallel port interface device
#device         vpo             # Requires scbus and da
# PCI Ethernet NICs that use the common MII bus controller code.
# NOTE: Be sure to keep the 'device miibus' line in order to use these NICs!
device          miibus          # MII bus support
device          sk              # SysKonnect SK-984x & SK-982x gigabit Ethernet
# Pseudo devices.
device          loop            # Network loopback
device          random          # Entropy device
device          ether           # Ethernet support
device          sl              # Kernel SLIP
device          ppp             # Kernel PPP
device          tun             # Packet tunnel.
device          pty             # Pseudo-ttys (telnet etc)
device          md              # Memory "disks"
device          gif             # IPv6 and IPv4 tunneling
device          faith           # IPv6-to-IPv4 relaying (translation)
device          io
device          mem
# The `bpf' device enables the Berkeley Packet Filter.
# Be aware of the administrative consequences of enabling this!
# Note that 'bpf' is required for DHCP.
device          bpf             # Berkeley packet filter
# USB support
device          uhci            # UHCI PCI->USB interface
device          ohci            # OHCI PCI->USB interface
device          ehci            # EHCI PCI->USB interface (USB 2.0)
device          usb             # USB Bus (required)
#device         udbp            # USB Double Bulk Pipe devices
device          ugen            # Generic
device          uhid            # "Human Interface Devices"
device          ukbd            # Keyboard
device          ulpt            # Printer
device          umass           # Disks/Mass storage - Requires scbus and da
device          ums             # Mouse
device          uscanner        # Scanners

Rebuild your world and kernel as described in the Handbook.
# cd /
# mergemaster -pai
# cd /usr/src
# make -j2 buildworld  -- For dual CPU use -j4
# make -j2 buildkernel KERNCONF=XXX
# make installkernel KERNCONF=XXX
# cd /
# mergemaster -ai
-- clear temproot
# cd /var/tmp/temproot
# chflags noschg var/empty
# find . -type l -delete
# find . -empty -delete
-- check the leftover files, replace or delete as you please  
# cd /var/tmp
# rm -rf temproot

If you have console access:
# shutdown now

If you only have SSH access, stop as many daemons as you can except sshd and the daemons spawned by the kernel. This method should work for a patch-level upgrade (6.0 to 6.0p1), may work for a minor version upgrade (6.0 to 6.1), and is unlikely to work for a major version upgrade (4.x to 5.x).
# cd /usr/src
# make installworld

Before rebooting, set your System Configuration, because some settings take effect only after a reboot. Setting them first saves you another reboot. If everything is fine, it is time to reboot your server with shutdown -r now.


2.4. Set System Configuration

  There are 4 system configuration files you may need to modify.

  •   /etc/rc.conf, check that you have these 3 lines

    sshd_enable="YES"
    sendmail_enable="NONE"
    syslogd_flags="-ss"
    firewall_enable="YES"
    firewall_type="/etc/ipfw.rules"
    #If your ISP has a reliable DNS service you can use its service,
    #otherwise it better to rely on ourself.
    #Don't forget to run : cd /etc/namedb/ && ./make-localhost
    named_enable="YES"
    quota_enable="YES"
    #It is a time consume job, better run it later after we got access to the system
    check_quotas="NO"
    #Don't forget to run : quotacheck -a after next reboot to create a quota file
  •   /etc/sysctl.conf

    security.bsd.see_other_uids=0
    kern.coredump=0
    net.inet.icmp.drop_redirect=1
    net.inet.tcp.blackhole=2
    net.inet.udp.blackhole=1
    net.inet.ip.rtexpire=2
    net.inet.ip.rtminexpire=2
    kern.ipc.somaxconn=512
  •   /boot/loader.conf

    autoboot_delay="3"
    kern.ipc.maxsockets=81920
    kern.ipc.maxsockbuf=1048576
  •   /etc/hosts
      You should swap the first 2 lines to make sure that you get the IPv4 address (127.0.0.1) for localhost instead of the IPv6 one (::1), because some programs do not support IPv6.

    127.0.0.1               localhost localhost.my.domain
    ::1                     localhost localhost.my.domain
    #Our IP is 10.0.0.34 and our name is gaia.net0.intranet
    10.0.0.34               gaia gaia.net0.intranet
  •   /etc/ssh/sshd_config

    #Assume that our IP is 10.0.0.34
    ListenAddress 10.0.0.34:22
    # Change to yes to enable built-in password authentication.
    # SecureCRT need this option
    PasswordAuthentication yes
    # If UseDNS is "yes" and your resolver is not work (i.e DNS server is down),
    # you can not log in.
    UseDNS no
    #Allow only admin to login from anywhere
    AllowUsers cws@*
    Subsystem   sftp    /usr/libexec/sftp-server
  •   /etc/fstab

    /dev/ad6s1g  /home  ufs  rw,userquota,groupquota   2     2
  •   /var/named/etc/namedb/named.conf

    listen-on       { 127.0.0.1; };
    allow-recursion { 127.0.0.1; };
  •   /etc/resolv.conf

    nameserver 127.0.0.1
  •   /etc/ipfw.rules

    #more rules later
    add 65535 allow ip from any to any
  It is also a good idea to change /etc/motd to something that looks more legal, such as:

* * * * * * * * * * * * * W A R N I N G * * * * * * * * * * * * * * *
THIS SYSTEM IS RESTRICTED TO AUTHORIZED USERS FOR AUTHORIZED USE ONLY.
UNAUTHORIZED ACCESS IS STRICTLY PROHIBITED AND MAY BE PUNISHABLE UNDER
THE COMPUTER FRAUD AND ABUSE ACT OF 1986 OR OTHER APPLICABLE LAWS.
IF NOT AUTHORIZED TO ACCESS THIS SYSTEM, DISCONNECT NOW. BY CONTINUING,
YOU CONSENT TO YOUR KEYSTROKES AND DATA CONTENT BEING MONITORED. ALL
PERSONS ARE HEREBY NOTIFIED THAT THE USE OF THIS SYSTEM CONSTITUTES
CONSENT TO MONITORING AND AUDITING. THE ADMINISTRATORS ALSO RESERVE THE
RIGHT TO CANCEL OR LOCK YOUR ACCOUNT AT ANY GIVEN TIME. ALL TERMS
DESCRIBED ABOVE ARE SUBJECT TO CHANGE WITHOUT ANY GIVEN NOTICE. IF YOU
DO NOT AGREE TO THESE TERMS LOGOUT NOW!
* * * * * * * * * * * * * W A R N I N G * * * * * * * * * * * * * * *

which I copied from a web site somewhere.





3. Install Application & Web Service

  This is the time to install programs from the ports tree. The previous installation process may already have installed some ports on your system. Use pkg_delete to remove each installed port except net/cvsup-without-gui, because building this port requires a lot of programs that will never be used elsewhere.



3.1. System Utilities

  The system utilities I always install on my server are:
  Table 2. System Utilities

| Port | Description | Note |
|---|---|---|
| lang/perl5.8 | Mandatory port. | |
| shells/bash | Shell for users who can log in to this server. | |
| security/portaudit | Checks installed ports against a list of security vulnerabilities. | |
| sysutils/portupgrade | FreeBSD ports/packages administration and management tool suite. | Don't check the BDB4 box. |
| security/bcwipe | BCWipe securely erases data from magnetic and solid-state memory. | |
| net/rsync | A network file distribution/synchronization utility. | |
| security/sudo | Allow others to run commands as root. | |
| sysutils/lsof | Lists information about open files (similar to fstat(1)). | |
| misc/compat4x | Compatibility module for applications compiled for FreeBSD 4. | Add compat4x_enable="YES" to /etc/rc.conf to enable FreeBSD 4 compatibility. |
| misc/compat5x | Compatibility module for applications compiled for FreeBSD 5. | Add compat5x_enable="YES" to /etc/rc.conf to enable FreeBSD 5 compatibility. |






3.2. Install Databases

  Table 3. System Utilities

| Port | Description | Note |
|---|---|---|
| databases/mysql41-server | We use mysql to store administrative data. | Append the line WITH_XCHARSET=all to /etc/make.conf before installing the port. This adds support (search/sort) for many international languages (such as Thai) in MySQL. |
| databases/postgresql81-server | We use postgresql to store data for the application. | |
| databases/phpmyadmin | Tool to manipulate MySQL. | Install this after you install the WWW server. Select all options except MYSQLI. |
| databases/phppgadmin | Tool to manipulate PostgreSQL. | Install this after you install the WWW server. |
| databases/p5-DBD-mysql | MySQL driver for the Perl5 Database Interface (DBI). | Some of the perl scripts need MySQL access. |





3.2.1. Config MySQL server
  I place my database in /home/mysql, so my /etc/rc.conf settings for mysql are:

mysql_enable="YES"
mysql_dbdir="/home/mysql"
mysql_args="--bind-address=127.0.0.1"

If you want to access mysql from another machine, remove the third line. Before starting mysql, you may need to set up my.cnf to change mysql options:
# mkdir /home/mysql
# mkdir /home/mysql/tmp
# cp /usr/local/share/mysql/my-medium.cnf /home/mysql/my.cnf
# chown -R mysql:mysql /home/mysql

I always set the mysqld tmpdir to /home/mysql/tmp unless I have a very large /tmp on another disk. Sometimes mysql uses a lot of tmpdir space when you run a complex query. Read the mysql manual for more detail.
[mysqld]
...
max_allowed_packet = 4M
...
#log-bin
skip-innodb
tmpdir          = /home/mysql/tmp
#For development machine, you may need slow query log
#to track a badly write SQL.
long_query_time = 10
log_slow_queries = /home/mysql/slow-query.log
...

Don't forget to set the MySQL root password:
# /usr/local/etc/rc.d/mysql-server.sh start
# mysql -u root
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 2 to server version: 4.1.14
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> SET PASSWORD FOR root@localhost=PASSWORD('xxx');
Query OK, 0 rows affected (0.02 sec)
mysql>





3.2.2. Config PostgreSQL server
  As with mysql, I place the postgresql databases in /home/pgsql. My /etc/rc.conf settings for postgresql are:

postgresql_enable="YES"
postgresql_data="/home/pgsql/data"

Use vipw to change the home directory of the pgsql user to /home/pgsql.
-- rsync preserves symbolic links while cp does not
# rsync -a -v /usr/local/pgsql /home/
# su -m pgsql
# initdb /home/pgsql/data

You must edit /home/pgsql/data/pg_hba.conf before starting postgresql:
# TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
# "local" is for Unix domain socket connections only
local   all         pgsql                             ident sameuser
local   all         all                               md5
# IPv4 local connections:
host    all         all         127.0.0.1/32          md5
# IPv6 local connections:
host    all         all         ::1/128               md5
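
An added check, not part of the original article: a small sh/awk lint for the pg_hba.conf format shown above. It flags trust entries and host entries reachable from anything other than loopback; the helper name lint_pg_hba and the sample file are constructed for this example, and IPv6 netmask notation is not handled.

```sh
#!/bin/sh
# Added example (not from the original article): lint a pg_hba.conf.
# lint_pg_hba is a hypothetical helper name.

# lint_pg_hba FILE
# Prints one finding per line as "<line-no>: <reason>".
# Returns 0 when the file is clean, 1 when there is at least one finding.
lint_pg_hba() {
    awk '
    BEGIN { bad = 0 }
    /^[ \t]*#/ { next }          # comment line
    /^[ \t]*$/ { next }          # blank line
    {
        sub(/[ \t]*#.*$/, "")    # strip a trailing comment; awk re-splits the fields
        type = $1
        if (type == "local") {
            # local DATABASE USER METHOD [OPTION]
            addr = ""; method = $4
        } else if (type == "host" || type == "hostssl" || type == "hostnossl") {
            if ($5 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                addr = $4 "/" $5; method = $6      # IP-ADDRESS IP-MASK form
            } else {
                addr = $4; method = $5             # CIDR-ADDRESS form
            }
        } else {
            printf "%d: unknown record type \"%s\"\n", NR, type
            bad = 1; next
        }
        if (method == "trust") {
            printf "%d: trust lets any matching client in without a password\n", NR
            bad = 1
        }
        if (addr != "" && addr != "127.0.0.1/32" && addr != "::1/128" &&
            addr != "127.0.0.1/255.255.255.255") {
            printf "%d: host entry reachable from %s, not only loopback\n", NR, addr
            bad = 1
        }
    }
    END { exit bad }
    ' "$1"
}

# Constructed sample: the four entries from the article plus two risky ones.
sample_hba=$(mktemp)
cat > "$sample_hba" <<'EOF'
local   all         pgsql                             ident sameuser
local   all         all                               md5
host    all         all         127.0.0.1/32          md5
host    all         all         ::1/128               md5
host    all         all         0.0.0.0/0             md5
local   all         all                               trust
EOF

# Reports lines 5 and 6 of the sample.
lint_pg_hba "$sample_hba" || echo "pg_hba.conf needs review before postgresql is started"
rm -f "$sample_hba"
```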

Read the PostgreSQL manual and Tuning PostgreSQL for performance for more details.
  These are the changes I made for my server:

shared_buffers = 30000 # min 16, at least max_connections*2, 8KB each
work_mem = 32768               # min 64, size in KB
max_fsm_pages = 40000          # min max_fsm_relations*16, 6 bytes each
max_fsm_relations = 1000       # min 100, ~50 bytes each
wal_buffers = 32       # min 4, 8KB each
checkpoint_segments = 8        # in logfile segments, min 1, 16MB each
effective_cache_size = 4000    # typically 8KB each
#logging
log_destination = 'stderr'
redirect_stderr = on
log_directory = 'pg_log'
log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log'
log_rotation_age =1440
log_rotation_size = 10240
#slow query log -- enable for developer to check slow query
#log_min_duration_statement = 10
#log_line_prefix = '%t [%u:%d] '

By default the PostgreSQL root account is pgsql or any system user that owns the database files. You should create another database administrator account, so that a postgresql user such as sa can act as database administrator.
# su pgsql
# psql template1
Welcome to psql 8.0.4, the PostgreSQL interactive terminal.
Type:  \copyright for distribution terms
\h for help with SQL commands
\? for help with psql commands
\g or terminate with semicolon to execute query
\q to quit
template1=# CREATE USER sa WITH PASSWORD 'xxxx' CREATEDB CREATEUSER;
CREATE USER
template1=#





3.2.3. Config WWW tools
  After installing the WWW service, you may want to install databases/phpmyadmin and databases/phppgadmin to manage your databases. You must access these packages via HTTPS only, because both require you to enter the database user and password on the web page.

# cd /home/www/public_ssl
# ln -s /usr/local/www/phpMyAdmin
# ln -s /usr/local/www/data/phpPgAdmin

Copy /usr/local/www/phpMyAdmin/libraries/config.default.php to
/usr/local/www/phpMyAdmin/config.inc.php and change the
following lines to use http authentication:
$cfg['Servers'][0]['host']          = 'localhost';
$cfg['Servers'][0]['connect_type']  = 'socket';
$cfg['Servers'][0]['auth_type']     = 'http';







3.3. Install WWW Server

  Table 4. Ports for WWW Service

| Port | Description | Note |
|---|---|---|
| www/apache13-modssl | A WWW server of choice. | Append the line WITH_APACHE_MODDEFLATE=yes to /etc/make.conf to install mod_deflate. |
| lang/php4 | Our main development language. | Select the OPENSSL box. |
| lang/php4-extensions | A "meta-port" to install PHP extensions. | Append the line WITHOUT_X11=yes to /etc/make.conf before installing the port. This prevents any reference to X11, which includes XBM support in GD. |
| devel/ZendOptimizer | An optimizer for PHP code. | It is free but closed source. May cause a core dump with some PHP extensions. Unfortunately, the current version of ZendOptimizer (2.5.10) does not support FreeBSD AMD64. If you really want to run it, you may need to enable 32-bit support in the kernel and run a 32-bit version of Apache/PHP; see Setup User WWW Site for more detail. |
| www/awstats | Free real-time logfile analyzer to get advanced web statistics. | |
| net/p5-Geo-IP | Gets country name by IP or hostname. | |





3.3.1. Config Apache
  I usually move Apache's document root from /usr/local/www/data to /home/www/public_html for the HTTP service and /home/www/public_ssl for the HTTPS service. Another change I usually make to /usr/local/etc/apache/httpd.conf is to replace the universal listen line, Port 80 or Listen 80, with a more specific one, Listen xxx.xxx.xx.xx:80, because I need to run another Apache in a jail(8). I also change the log format and log file names. Here is the result of the command diff -u /usr/local/etc/apache/httpd.conf-dist /usr/local/etc/apache/httpd.conf and also the complete version of httpd.conf. Don't forget to create a folder to store your log files. For example:

# mkdir /var/log/httpd

If you have a lot of virtual hosts on the server, it is preferable to move the virtual host configuration to another file and use the Apache Include directive to pull that configuration into httpd.conf.
  To enable mod_deflate, you must add the lines

AddModule mod_deflate.c
#The following lines can be put in .htaccess if you want
#to enable deflate per directory
<IfModule mod_deflate.c>
DeflateEnable On
DeflateMinLength 3000
DeflateCompLevel 1
DeflateProxied Off
DeflateHTTP 1.0
DeflateDisableRange "MSIE 4."
DeflateTypes text/plain text/html
</IfModule>

to httpd.conf.
  The last concern for httpd.conf is to remove unused modules. Read the Apache modules manual to see which modules are not needed for your server. Or just remove them all, then add the modules back one by one until your site works as you want.
  If you run an HTTPS service, you may need to create a valid SSL certificate. There is a good document about Client Authentication with SSL at The FreeBSD Diary.

# sh /etc/periodic/weekly/310.locate
# locate CA.pl
# /usr/src/crypto/openssl/apps/CA.pl -newreq
Generating a 1024 bit RSA private key
.......................................++++++
...........++++++
writing new private key to 'newreq.pem'
Enter PEM pass phrase:xxxxxx
Verifying - Enter PEM pass phrase:xxxxxx
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TH
State or Province Name (full name) [Some-State]:Bangkok
Locality Name (eg, city) []:Phayathai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MiracleNet Group Co., Ltd.
Organizational Unit Name (eg, section) []:Hosting Service
Common Name (eg, YOUR name) []:gaia.net0.intranet
Email Address []:root@net0.intranet
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:MiracleNet Group Co., Ltd.
Request (and private key) is in newreq.pem
# openssl rsa < newreq.pem > newkey.pem
Enter pass phrase:xxxxxx
writing RSA key

Send your newreq.pem to a Certificate Authority for a real server, or sign it yourself for a test one.
  If you want to sign the certificate yourself, you must create your own Certificate Authority first (assume that we will put the CA in /home/admin/CA), then sign the certificate:

# mkdir -p /home/admin/CA
# cd /home/admin/CA
# /usr/src/crypto/openssl/apps/CA.pl -newca
CA certificate filename (or enter to create)
<ENTER>
Making CA certificate ...
Generating a 1024 bit RSA private key
........................++++++
........++++++
writing new private key to './demoCA/private/cakey.pem'
Enter PEM pass phrase:xxxxx2
Verifying - Enter PEM pass phrase:xxxxx2
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:TH
State or Province Name (full name) [Some-State]:Bangkok
Locality Name (eg, city) []:Phayathai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Miraclenet Group Co.,  Ltd.
Organizational Unit Name (eg, section) []:Hosting Service
Common Name (eg, YOUR name) []:miraclenet.co.th
Email Address []:root@miraclenet.co.th
# cp /home/admin/CA/newreq.pem .
# /usr/src/crypto/openssl/apps/CA.pl -sign
Using configuration from /etc/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:xxxxx2
Check that the request matches the signature
Signature ok
...
Certificate is to be certified until Nov 29 02:13:01 2006 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem

Note, however, that using this self-signed certificate will generate a warning message from the browser because it doesn't know your Certificate Authority. To get rid of this warning, you must make the browser know your CA, which can be done as follows. For Firefox and Opera, just copy the file demoCA/cacert.pem to the client machine, then import it into your browser (Preferences/Advanced/Manage Certificates/Authorities/Import), or just put it on your web page and allow users to download and install the certificate. For IE, change the file extension to .crt and import it with Internet Options/Contents/Publishers/Trusted Root Certification Authorities/Import.
  After that, copy the signed request and key to /usr/local/etc/apache and modify your httpd.conf accordingly.

# cp newcert.pem /usr/local/etc/apache/ssl.crt/gaia.crt
# cp newkey.pem /usr/local/etc/apache/ssl.key/gaia.key
# cd /usr/local/etc/apache/ssl.crt/
# make
-- Don't forget to edit SSLCertificateFile and SSLCertificateKeyFile
-- in httpd.conf to point to new crt and key

Don't forget to add the line apache_enable="YES" to /etc/rc.conf to enable apache
service.
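
An added pre-install check, not part of the original article: before pointing SSLCertificateFile and SSLCertificateKeyFile at the copied files, confirm that the certificate belongs to the key, that the RSA key is large enough, and that the passphrase-less key file is not readable by group or other. The helper name check_tls_pair and the 2048-bit default are assumptions of this example; it needs an openssl that provides the pkey subcommand.

```sh
#!/bin/sh
# Added example (not from the original article). check_tls_pair is a
# hypothetical helper; the 2048-bit default is an assumption of this example.

# check_tls_pair CERT KEY [MIN_RSA_BITS]
# Prints one finding per line. Returns 0 when the pair is fit to install,
# 1 when there is at least one finding.
check_tls_pair() {
    cert=$1
    key=$2
    min_bits=${3:-2048}
    rc=0

    for f in "$cert" "$key"; do
        [ -r "$f" ] || { echo "cannot read $f"; return 1; }
    done

    # 1. The certificate must carry the public half of this private key.
    #    "-passin pass:" makes an encrypted key fail instead of prompting.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null)
    if [ -z "$cert_pub" ] || [ -z "$key_pub" ]; then
        echo "cannot parse certificate or key (is the key still encrypted?)"
        return 1
    fi
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate and private key do not match"
        rc=1
    fi

    # 2. RSA modulus size, read from the certificate text dump.
    text=$(openssl x509 -in "$cert" -noout -text 2>/dev/null)
    if printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption'; then
        bits=$(printf '%s\n' "$text" |
            sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
        if [ -n "$bits" ] && [ "$bits" -lt "$min_bits" ]; then
            echo "RSA key is $bits bits, below the $min_bits-bit minimum"
            rc=1
        fi
    fi

    # 3. The key has no passphrase, so file permissions are its only
    #    protection: characters 5-10 of the ls mode string are group/other.
    perms=$(ls -ldL "$key" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "$key is accessible to group/other (mode bits: $perms)"
        rc=1
    fi

    return $rc
}

# Usage: sh check_tls_pair.sh CERT KEY [MIN_RSA_BITS]
if [ "$#" -ge 2 ]; then
    check_tls_pair "$@"
fi
```

Run against the files from the transcript above, the size check reports the 1024-bit key unless a lower minimum is passed as the third argument.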



3.3.2. Config PHP

  I need to patch PHP to make the serialize command run faster; see the bug report "Slow serialize on FreeBSD". To apply the patch, just download patch-ph_smart_str.h and copy it to ports/lang/php4/files before building the php4 port. However, this patch never made its way into the PHP project or the FreeBSD ports tree; use it at your own risk.
  If you want OPENSSL support in PHP, don't forget to add the OPENSSL option when building PHP. OPENSSL cannot work when compiled as an extension.
  When you install PHP extensions, install only the required ones. The fewer extensions installed, the fewer problems from PHP. The extensions normally installed on my server are BCMATH, BZ2, CTYPE, CURL, GD, IMAP, MBSTRING, MCRYPT, MHASH, MYSQL, OVERLOAD, PCRE, PDF, PGSQL, POSIX, SESSION, SOCKETS, SYSVSEM, SYSVSHM, SYSVMSG, TOKENIZER, XML and ZLIB.
  Don't forget to add

<IfModule mod_php4.c>
AddType application/x-httpd-php .php
AddType application/x-httpd-php-source .phps
</IfModule>

to /usr/local/etc/apache/httpd.conf to run PHP automatically when a user accesses a .php file.
  There is a dependency mismatch on FreeBSD 6.0/6.1 that causes apache to start before compat5x, which prevents ZendOptimizer from starting when you reboot the system. Run /sbin/rcorder to check for this problem:

# rcorder /etc/rc.d/* /usr/local/etc/rc.d/*
...
/etc/rc.d/yppasswdd
/usr/local/etc/rc.d/apache.sh
/etc/rc.d/LOGIN
/usr/local/etc/rc.d/rsyncd.sh
/usr/local/etc/rc.d/mysql-server.sh
/usr/local/etc/rc.d/010.pgsql.sh
/usr/local/etc/rc.d/000.pkgtools.sh
/usr/local/etc/rc.d/000.compat5x.sh
/usr/local/etc/rc.d/000.compat4x.sh
...

If you see the above result, you have this problem. Edit /usr/local/etc/rc.d/apache.sh to force compat5x to start before apache.
gaia# diff -u apache.sh.org apache.sh
--- apache.sh.org       Sat May 20 14:04:48 2006
+++ apache.sh   Sat May 20 14:04:56 2006
@@ -2,7 +2,7 @@
# $FreeBSD: ports/www/apache13-modssl/files/rcng.sh,v 1.5 2006/02/20 20:47:46 dougb Exp $
# PROVIDE: apache
-# REQUIRE: DAEMON
+# REQUIRE: DAEMON compat5x
# BEFORE: LOGIN
# KEYWORD: shutdown
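Review bot: the REQUIRE line is changed in the installed copy of a script whose $FreeBSD$ header shows it is generated from ports/www/apache13-modssl/files/rcng.sh, so reinstalling or upgrading that port will restore "# REQUIRE: DAEMON" and bring the ordering problem back without any warning. Keep a note of this local change next to the script and rerun rcorder after every upgrade of the apache port, before the next reboot.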

Rerun /sbin/rcorder to check that apache now starts after
compat5x.
# rcorder /etc/rc.d/* /usr/local/etc/rc.d/*
...
/etc/rc.d/yppasswdd
/usr/local/etc/rc.d/000.compat5x.sh
/usr/local/etc/rc.d/apache.sh
/etc/rc.d/LOGIN
...
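
One way to script the rcorder check described above, as an added example that is not part of the original article. The function names are hypothetical helpers, and the sample listing is abridged from the problem case shown earlier.

```shell
#!/bin/sh
# Added example, not from the original article: check rc.d start order.
# Function names are hypothetical helpers, not part of FreeBSD.

# rc_requires FILE NAME
# Succeeds if FILE lists NAME on a "# REQUIRE:" line, the declaration
# rcorder(8) uses to place a script after its dependencies.
rc_requires() {
    awk -v want="$2" '
        /^#[ \t]*REQUIRE:/ {
            sub(/^#[ \t]*REQUIRE:/, "")
            for (i = 1; i <= NF; i++) if ($i == want) found = 1
        }
        END { exit (found ? 0 : 1) }' "$1"
}

# rc_starts_before FIRST SECOND  (rcorder listing on stdin)
# Returns 0 if script FIRST is listed before SECOND, 1 if it comes
# after (the boot-order problem), 2 if either one is not listed.
rc_starts_before() {
    awk -v a="$1" -v b="$2" '
        { n = split($0, p, "/"); f = p[n] }   # compare file names only
        f == a && !ia { ia = NR }
        f == b && !ib { ib = NR }
        END {
            if (!ia || !ib) exit 2
            exit ((ia < ib) ? 0 : 1)
        }'
}

# Listing abridged from the problem case shown in the article.
sample_rcorder_broken() {
    cat <<'EOF'
/etc/rc.d/yppasswdd
/usr/local/etc/rc.d/apache.sh
/etc/rc.d/LOGIN
/usr/local/etc/rc.d/000.compat5x.sh
EOF
}
```

On the server, run `rcorder /etc/rc.d/* /usr/local/etc/rc.d/* | rc_starts_before 000.compat5x.sh apache.sh`; a non-zero status means apache is still ordered first or one of the scripts is missing.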


  Some parameters in /usr/local/etc/php.ini may need to be
considered, such as:

output_buffering = On
zlib.output_compression = On
register_argc_argv = Off
; When On, it causes more problems because we cannot tell whether a quote
; came from user input or from this option.
magic_quotes_gpc = Off
[Zend]
zend_optimizer.optimization_level=15
zend_extension_manager.optimizer="/usr/local/lib/php/20020429/Optimizer"
zend_extension_manager.optimizer_ts="/usr/local/lib/php/20020429/Optimizer_TS"
zend_extension="/usr/local/lib/php/20020429/ZendExtensionManager.so"
zend_extension_ts="/usr/local/lib/php/20020429/ZendExtensionManager_TS.so"





3.3.3. Config Web Statistic

  Due to the volume of log messages, we do not use syslogd to keep the apache access/error
logs. Instead, we wrote rotatelog.pl to
rotate the log files every midnight to prevent them from growing too large. You need to put rotatelog.pl in your crontab to run it every midnight.
  The next step is to set up awstats. awstats requires a configuration
file, which should be placed in /usr/local/etc/awstats. I made
small changes to /usr/local/www/awstats/cgi-bin/awstats.model.conf to create my
configuration file.
  awstats.gaia.conf

LogFile="bunzip2 -dc /var/log/httpd/access.log.0.bz2 |"
SiteDomain="gaia.net0.intranet"
HostAliases="localhost 127.0.0.1"
DNSLookup=0   
DirData="/home/www/public_html/stats/data"
DirCgi="/stats/cgi-bin"
DirIcons="/stats/icons"
LoadPlugin="geoip GEOIP_STANDARD /usr/local/share/GeoIP/GeoIP.dat"
UseFramesWhenCGI=0
LogFormat=1


  The GeoIP database also needs to be updated. The database version that I use is the free GeoLite Country
Database, which is updated once a month. Put this geoip_update.sh shell script in your crontab to update the database.
  To allow users to view the statistics, don't forget to set up a URL for awstats and set up
authentication:

# mkdir -p /home/www/apache
# htpasswd -cm /home/www/apache/passwd stats
# mkdir -p /home/www/public_html/stats/data
# cd /home/www/public_html/stats
# ln -s /usr/local/www/awstats/cgi-bin
# ln -s /usr/local/www/awstats/classes
# ln -s /usr/local/www/awstats/css
# ln -s /usr/local/www/awstats/icons
# ln -s /usr/local/www/awstats/js

Create /home/www/public_html/stats/index.php:
<?php
// Send visitors of /stats/ straight to the awstats report for this site.
header("Location: /stats/cgi-bin/awstats.pl?config=gaia");
?>

Create /home/www/public_html/stats/.htaccess:
AuthType Basic
AuthName "Gaia Access Statistic"
AuthUserFile /home/www/apache/passwd
Require user stats
Options FollowSymLinks

Create /home/www/public_html/stats/cgi-bin/.htaccess to run
Perl scripts with mod_perl:
Options ExecCGI
AddHandler cgi-script .pl

Don't forget to create crontab entries to rotate the access log, update the statistics and
update the GeoIP database.
# crontab -e
0 0 * * * /home/admin/bin/rotatelog.pl
10 0 * * *  /home/www/public_html/stats/cgi-bin/awstats.pl -config=gaia -update
0 0  2 * * /home/admin/bin/geoip_update.sh









4. Install Mail Service
  Mail service (SMTP/POP/IMAP) is one of the functions of this server. It must support
virtual mailboxes for our customers. The server must act as a mail relay for the customer,
and spam and virus filters are must-have features. The following table lists the
ports I use to implement mail service on this server:
  Table 5. Mail Service

Port: security/courier-authlib
Description: Courier authentication library base.
Note: Select AUTH_MYSQL and AUTH_USERDB when building the port.

Port: security/cyrus-sasl2
Description: RFC 2222 SASL
Note: Add the following lines to /etc/make.conf

WITH_AUTHDAEMON= yes
WITHOUT_OTP= yes
WITHOUT_NTLM= yes
WITHOUT_GSSAPI= yes
WITH_MYSQL41=yes  #If you use mysql41-server

to remove unused authentication methods.

Port: mail/postfix
Description: More secure than mail/sendmail and easier to extend than mail/qmail.
Note: Select SASL2, TLS and MySQL. Answer y to every post-installation
question.

Port: security/amavisd-new
Description: Our spam and virus filter.
Note: Remove all options (MILTER is set by default; uncheck
it).

Port: mail/dspam
Description: Bayesian spam filter.
Note: Append the following lines to /etc/make.conf:

DSPAM_OWNER=vscan
DSPAM_GROUP=vscan
DSPAM_HOME_OWNER=vscan
DSPAM_HOME_GROUP=vscan

Use the default options when building the port.

Port: security/clamav
Description: A GPL anti-virus toolkit for UNIX. New versions of dspam install clamav by default,
so you may not need to install this port manually.
Note: No options are needed. If you don't like clamav, see /usr/local/etc/amavisd.conf for other virus scanners supported by
amavisd-new.

Port: mail/courier-imap
Description: Our POP3, POP3S, IMAP4 and IMAP4S server.
Note: Select OPENSSL, TRASHQUOTA and AUTH_MYSQL. Unselect IPV6 unless you need
it.

Port: mail/squirrelmail
Description: Great webmail for small and medium-size mail servers.
Note: Go to /usr/ports and run make search
key=webmail to see other webmail packages in the ports tree.



  The mail server that I create is not a high-performance one. On moderate hardware
(Athlon64 2800 with 1GB RAM and SATA disk) it can process about 3 mails a second (180
mails per minute), which is enough for a small or medium company. So, if you are looking for
a high-performance mail server, this setup may not be for you.


4.1. Prepare Mail System Database

  We store our customers' e-mail accounts in a MySQL database to
make them easier to manipulate and to increase lookup speed. Most of the information in this
section comes from Martin List-Petersen's ISP Mailserver Solution Howto.

CREATE DATABASE maildb;
USE maildb;
CREATE TABLE `alias` (
`email` varchar(255) NOT NULL default '',   
`destination` varchar(255) NOT NULL default '',
`customer_id` varchar(16) NOT NULL default '',
PRIMARY KEY `email` (`email`),
KEY `customer_id` (`customer_id`)
) ENGINE=MyISAM;

  Table 6. alias
email -- The original e-mail address. It can be xyz@example.com for a single address or
@example.com for all users in that domain.
destination -- The destination e-mail address for the email.
customer_id -- System customer id used to check the record owner. If the id is removed from the system, all
records with that customer_id will be deleted.




CREATE TABLE `transport` (
`domain` varchar(255) NOT NULL default '',
`transport` varchar(128) NOT NULL default '',
`customer_id` varchar(16) NOT NULL default '',
PRIMARY KEY (`domain`),
KEY `customer_id` (`customer_id`)
) ENGINE=MyISAM;

  Table 7. transport
domain -- Domain name of interest.
transport -- Postfix transport type: local: for a local domain, virtual: for a virtual domain, and smtp:another.mail.server if you need to forward mail for the domain
to another server.
customer_id -- System customer id used to check the record owner. If the id is removed from the system, all
records with that customer_id will be deleted.




CREATE TABLE `user` (
`email` varchar(128) NOT NULL default '',
`passwd` varchar(128) NOT NULL default '$1$X$XXX',
`name` varchar(128) NOT NULL default '',
`uid` int(6) NOT NULL default '65534',   
`gid` int(6) NOT NULL default '65534',
`home` varchar(255) NOT NULL default '',  
`maildir` varchar(255) NOT NULL default '',
`allow_login` enum('Y','N') NOT NULL default 'Y',
`allow_receive` enum('Y','N') NOT NULL default 'Y',
`customer_id` varchar(16) NOT NULL default '',
PRIMARY KEY  (`email`),
KEY `customer_id` (`customer_id`)
) ENGINE=MyISAM;

  Table 8. user
email -- User e-mail address (user@domain.com).
passwd -- Encrypted password. Use /usr/local/sbin/userdbpw to create
an encrypted password.
name -- The user's name. This is only for record keeping and is not used by the mail
system.
uid/gid -- FreeBSD user id/group id of the mailbox owner.
home -- The user's home path. This is only for record keeping and is not used by the mail
system.
maildir -- Path to the user's mailbox, for example "/home/vhost/user_x/mail/domain.com/user/". Don't
remove the trailing slash, or postfix will deliver your mail in mailspool format
instead of maildir.
allow_login -- If it is 'N', the user is not allowed to access POP3/IMAP4 and SASL.
allow_receive -- If it is 'N', the user's e-mail is closed to receiving mail.
customer_id -- System customer id used to check the record owner. If the id is removed from the system, all
records with that customer_id will be deleted.



  We need 3 MySQL user accounts with different privileges.

  •   maildb -- Owner of the database; can do everything to the database.
  •   maildb_auth -- Can read every field in the user table. Used by courier-authlib.
  •   maildb_smtp -- Can read every field in the database except passwd. Used by postfix. The user/password of this account must be stored in a
    world-readable file in /usr/local/etc/postfix; therefore, give
    this account minimum access.

GRANT USAGE ON maildb.* TO 'maildb'@'localhost' IDENTIFIED BY '*********';
GRANT ALL PRIVILEGES ON `maildb` . * TO 'maildb'@'localhost' WITH GRANT OPTION;
GRANT USAGE ON maildb. * TO 'maildb_auth'@'localhost' IDENTIFIED BY '*********';
GRANT SELECT ON `maildb`.`user` TO 'maildb_auth'@'localhost';
GRANT USAGE ON maildb. * TO 'maildb_smtp'@'localhost' IDENTIFIED BY '*********';
GRANT SELECT ON `maildb`.`alias` TO 'maildb_smtp'@'localhost';
GRANT SELECT ON `maildb`.`transport` TO 'maildb_smtp'@'localhost';
GRANT SELECT (
`email` , `name` , `uid` , `gid` , `home` , `maildir` , `allow_login` , `allow_receive` , `customer_id`
) ON `maildb`.`user`
TO 'maildb_smtp'@'localhost';
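
A check for the privilege split above, as an added example that is not part of the original article: it reads SHOW GRANTS output and reports whether an account can read a given column, so a later table-wide grant that exposes passwd to maildb_smtp is caught. The helper name grant_can_read and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article: audit column access.
# grant_can_read is a hypothetical helper name.

# grant_can_read DB TABLE COLUMN  (SHOW GRANTS output on stdin)
# Returns 0 if the grants let the account SELECT that column, else 1.
grant_can_read() {
    awk -v db="$1" -v tbl="$2" -v col="$3" '
        !/^GRANT / { next }
        {
            gsub(/`/, "")                       # identifiers may be quoted
            if (!match($0, / ON /)) next
            privs = substr($0, 7, RSTART - 7)   # between "GRANT " and " ON "
            obj = substr($0, RSTART + 4)
            sub(/ TO .*/, "", obj); gsub(/ /, "", obj)
            # Only global, database-wide or this-table grants matter.
            if (obj != "*.*" && obj != (db ".*") && obj != (db "." tbl)) next
            if (privs ~ /^ALL/) { hit = 1; next }
            if (match(privs, /SELECT *\([^)]*\)/)) {
                # Column-level SELECT: readable only if the column is listed.
                list = substr(privs, RSTART, RLENGTH)
                sub(/^SELECT *\(/, "", list); sub(/\)$/, "", list)
                gsub(/ /, "", list)
                n = split(list, c, ",")
                for (i = 1; i <= n; i++) if (c[i] == col) hit = 1
            } else if (("," privs ",") ~ /, *SELECT *,/) hit = 1
        }
        END { exit (hit ? 0 : 1) }'
}

# Constructed sample: what SHOW GRANTS could print for maildb_smtp
# after the statements above (password hash replaced by a placeholder).
sample_smtp_grants() {
    cat <<'EOF'
GRANT USAGE ON *.* TO 'maildb_smtp'@'localhost' IDENTIFIED BY PASSWORD 'PLACEHOLDER'
GRANT SELECT ON `maildb`.`alias` TO 'maildb_smtp'@'localhost'
GRANT SELECT ON `maildb`.`transport` TO 'maildb_smtp'@'localhost'
GRANT SELECT (email, name, uid, gid, home, maildir, allow_login, allow_receive, customer_id) ON `maildb`.`user` TO 'maildb_smtp'@'localhost'
EOF
}
```

Feed it live data with `mysql -N -B -u root -p -e "SHOW GRANTS FOR 'maildb_smtp'@'localhost'" | grant_can_read maildb user passwd`; exit status 0 means the password column is exposed to that account.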





4.2. Config amavisd-new and dspam

  First, append these lines to /etc/rc.conf to enable the
services.

#Amavis/ClamAV/SpamAssassin
clamav_clamd_enable="YES"
clamav_freshclam_enable="YES"
amavisd_enable="YES"

Add the clamav user to the vscan group to
enable clamd to access the mail that amavisd
is filtering.
# vi /etc/group
spamd:*:58:
vscan:*:110:clamav
clamav:*:106:

To run dspam from amavisd-new you need
to make some changes to the installed dspam.
# chmod u-s,a+rx /usr/local/bin/dspam
# cd /var/amavis
# ln -s /var/db/dspam

Then edit /usr/local/etc/amavisd.conf as shown below:
$mydomain = 'gaia.net0.intranet';   # a convenient default for other settings
$dspam = 'dspam';              # Allow dspam
#Don't forget to uncomment 'ClamAV-clamd' to enable clamav
#If you want to accept .zip and .bz2, remove the comment on
#[ qr'^\.(Z|gz|bz2)$'           => 0 ] and
#[ qr'^\.(zip|rar|arc|arj|zoo)$'=> 0 ]
#Discard all filtered mail -- don't notify sender
$final_virus_destiny      = D_DISCARD;
$final_banned_destiny     = D_DISCARD;
$final_spam_destiny       = D_DISCARD;
$final_bad_header_destiny = D_DISCARD;
$recipient_delimiter = '-';
#If something goes wrong, enable the following options and take a look at
#/var/log/maillog and your mail headers
#$log_level = 5;
#$sa_tag_level_deflt = 0;

You can see the result of the command diff -u amavisd.conf-dist
amavisd.conf on my server here.
  To set up dspam, you must create a dspam user and database in MySQL. Give that
user full access to the database and run the script in /usr/local/share/examples/dspam/mysql/mysql_objects-4.1.sql.

# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 144 to server version: 4.1.14
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> CREATE DATABASE dspam;
Query OK, 1 row affected (0.00 sec)
mysql> GRANT USAGE ON dspam.* TO 'dspam'@'localhost' IDENTIFIED BY '*********';
Query OK, 1 row affected (0.00 sec)
mysql> GRANT ALL PRIVILEGES ON `dspam` . * TO 'dspam'@'localhost' WITH GRANT OPTION;
Query OK, 1 row affected (0.00 sec)
mysql> USE dspam;
Database changed
mysql> \. /usr/local/share/examples/dspam/mysql/mysql_objects-4.1.sql

Edit /usr/local/etc/dspam.conf to add MySQL user and password:
StorageDriver /usr/local/lib/libmysql_drv.so
MySQLServer     /tmp/mysql.sock
#MySQLPort
MySQLUser               dspam
MySQLPass               xxxxxx
MySQLDb                 dspam
#MySQLCompress          true
#For Relearn false negative and false positive
MySQLUIDInSignature     on
Preference "signatureLocation=headers"
#We work with amavisd-new
IgnoreHeader X-Spam-Status
IgnoreHeader X-Spam-Scanned
IgnoreHeader X-Virus-Scanner-Result
#Add the following line and take a look at /var/log/dspam/dspam.debug
#if something doesn't work as expected
#Debug vscan

dspam will not activate until it has seen about 2,000 spam/nospam
mails, so you must wait for this threshold to be reached.



4.3. Config courier-authlib and cyrus-sasl2

  Edit /usr/local/etc/authlib/authmysqlrc:

MYSQL_SERVER          localhost
MYSQL_USERNAME        maildb_auth
MYSQL_PASSWORD        xxxxx
MYSQL_SOCKET          /tmp/mysql.sock
MYSQL_DATABASE        maildb
MYSQL_USER_TABLE      user
MYSQL_CRYPT_PWFIELD   passwd
MYSQL_LOGIN_FIELD     email
MYSQL_MAILDIR_FIELD   maildir
MYSQL_WHERE_CLAUSE    allow_login='Y'

Edit /usr/local/etc/authlib/authdaemonrc:
authmodulelist="authpam authmysql"

Don't forget to add the line courier_authdaemond_enable="YES" to
/etc/rc.conf.
  For cyrus-sasl2, create the file /usr/local/lib/sasl2/smtpd.conf with content:

pwcheck_method: authdaemond
authdaemond_path: /var/run/authdaemond/socket

and change the permission of /var/run/authdaemond to allow others to
access the directory.
# chmod o+x /var/run/authdaemond





4.4. Config postfix

4.4.1. /etc/rc.conf
  Edit the file to run postfix as the mail service instead of the built-in sendmail:

#Postfix
postfix_enable="YES"
sendmail_enable="NONE"
sendmail_flags="-bd"
sendmail_outbound_enable="NO"
sendmail_submit_enable="NO"
sendmail_msp_queue_enable="NO"
daily_clean_hoststat_enable="NO"
daily_status_mail_rejects_enable="NO"
daily_status_include_submit_mailq="NO"
daily_submit_queuerun="NO"





4.4.2. /usr/local/etc/rc.d/postfix.sh

  Older postfix ports do not come with a FreeBSD startup script.
If there is no /usr/local/etc/rc.d/postfix.sh, use the following
one:

#!/bin/sh

# PROVIDE: postfix
# REQUIRE: NETWORKING SERVERS
# BEFORE: DAEMON
# AFTER: mysql-server
# KEYWORD: shutdown

. /etc/rc.subr

name="postfix"
rcvar=`set_rcvar`

# Read postfix_enable from /etc/rc.conf; the service stays off by default.
load_rc_config ${name}
: ${postfix_enable="NO"}

command=/usr/local/sbin/postfix
pidfile=/var/spool/${name}/pid/master.pid

start_cmd="postfix_cmd start"
stop_cmd="postfix_cmd stop"
restart_cmd="postfix_cmd stop && postfix_cmd start"

# Prints the pid file path on every invocation.
echo ${pidfile}

# Hand start and stop over to the postfix command itself.
postfix_cmd () {
    case $1 in
    start)
        echo "Starting ${name}."
        ${command} start
        ;;
    stop)
        echo "Stopping ${name}."
        ${command} stop
        ;;
    esac
}

run_rc_command "$1"





4.4.3. /usr/local/etc/postfix/master.cf
  We need to run amavisd and let postfix smtpd use it. First, remove the standard smtpd
service line at the beginning of the file

smtp      inet  n       -       n       -       -       smtpd

and append the following lines to start smtpd with the amavis filter. In this configuration,
we don't filter the outgoing mail (127.0.0.1:smtp). Assume that
the server IP is 10.0.0.34
smtp-amavis unix -  -   n -   2  lmtp
  -o lmtp_data_done_timeout=1200
  -o lmtp_send_xforward_command=yes
127.0.0.1:smtp      inet  n       -       n       -       -       smtpd
  -o content_
