Aurora VPS

Introduction

This article describes the setup of a server on the new Aurora cloud. After creating an instance, you can mount an image on a virtual setup disk; I chose the Debian 7 (Wheezy) image. During installation you can choose between a couple of templates. I chose Webserver, SQL server, Fileserver and system components. The fileserver didn't seem necessary, because the first thing we do is install an FTP server, after which we can upload the files of the website.

I've never installed a mail server before, so this part may contain some inconsistencies. I'll use swimmer.zone as the default domain; obviously this has to be substituted with your own domain, just like the rest of this article. It may be useful to restart the server between operations, so that errors show up right away, while you can still act on them.

Web Server

I wrote this article because setting up a web server can take a lot of time, mostly because every component has its own configuration files which have to be edited. It's easy to drown in this pile of information, as I did myself. So I wrote it mostly for myself, as documentation of the required steps; it was a small effort to shape it into a wiki-like tutorial. Installing a web server is not a frequent task, so it's easy to forget.

FTP Server

Set up an FTP server, add a user and give this user permission to write to the right directories. Don't upload the files yet: without PHP installed they wouldn't be interpreted as PHP but served as plain text, so sensitive data could be exposed.

su - root
# Enter password twice to log in as root
apt-get install pure-ftpd
groupadd pureftpd
useradd -g pureftpd -d /var/www yftp
chown yftp /var/www
passwd yftp
# Enter password twice for the FTP account

PHP

Now we install PHP, so that the files are parsed the right way; after that we can upload the PHP files. Because we chose the Web server and SQL server templates in the pre-install, Apache and PostgreSQL are already installed. PHP automatically installs its PostgreSQL dependencies.

apt-get install php5

PHPpgAdmin

To add and administer databases, we install PHPpgAdmin as a web interface for PostgreSQL. Then we log in on the postgres console to add a user.

apt-get install phppgadmin
su - postgres

psql template1

ALTER USER postgres WITH PASSWORD '***';
CREATE USER ysql WITH PASSWORD '***';
CREATE DATABASE ysql_nl;
GRANT ALL PRIVILEGES ON DATABASE ysql_nl TO ysql;

Press Ctrl+D to leave the postgres console. Because we are still logged in as user 'postgres', we have to return to user 'root' to execute the next steps. Now we have to find a couple of configuration files and add or edit the following lines (note that the trust method accepts any matching connection without a password, so keep it only on a host where nobody untrusted can reach PostgreSQL):

su - root

find / -name "pg_hba.conf"
nano /etc/postgresql/9.1/main/pg_hba.conf

# FILE ########################
    # Database administrative login by Unix domain socket
    local   all     postgres                            peer
    # TYPE  DATABASE  USER  ADDRESS  METHOD
    # "local" is for Unix domain socket connections only
    local   all     all                                 trust
    # IPv4 local connections:
    host    all     all     127.0.0.1/32                trust
    # IPv6 local connections:
    host    all     all     ::1/128                     trust
    host    all     ysql    127.0.0.1/32                trust
    host    system  system  127.0.0.1 255.255.255.255   md5
###############################

find / -name "postgresql.conf"
nano /etc/postgresql/9.1/main/postgresql.conf

# FILE ########################
    listen_addresses = 'localhost'
    # If you want to let other users log in on the server,
    # you can enter the server ip, or '*'
###############################
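As an added example (not from the original article), here is a small audit script for the rules just edited: every line whose method is trust lets any matching connection in with no password, so the script lists those rules together with the md5 alternative. It assumes only a POSIX shell with awk; the sample file is constructed.

```shell
#!/bin/sh
# Added example, not part of the original article: report pg_hba.conf rules
# that use the "trust" method (any matching connection gets in without a
# password) and print the same rule with "md5" instead.

# pg_hba_audit: reads a pg_hba.conf on stdin, prints one report per trust
# rule and returns 1 if any were found, 0 if the file is clean.
pg_hba_audit() {
    found=0
    while read -r line; do            # plain read also strips indentation
        case "$line" in
            ''|'#'*) continue ;;      # blank lines and comments
        esac
        # METHOD is always the last field of a rule
        method=$(printf '%s\n' "$line" | awk '{print $NF}')
        if [ "$method" = "trust" ]; then
            found=1
            rule=$(printf '%s\n' "$line" | awk '{$NF=""; sub(/[ \t]+$/, ""); print}')
            printf 'TRUST: %s\n  suggest: %s md5\n' "$rule" "$rule"
        fi
    done
    return $found
}

# Constructed sample mirroring the rules above; not a real file.
SAMPLE_HBA='# TYPE  DATABASE  USER  ADDRESS  METHOD
local   all     postgres                            peer
local   all     all                                 trust
host    all     all     127.0.0.1/32                trust
host    system  system  127.0.0.1 255.255.255.255   md5'

# count_trust_rules: number of trust rules the audit finds in the sample.
count_trust_rules() {
    printf '%s\n' "$SAMPLE_HBA" | pg_hba_audit | grep -c '^TRUST:'
}
```

Run it against the live file with `pg_hba_audit < /etc/postgresql/9.1/main/pg_hba.conf`; a non-zero exit status means at least one passwordless rule is still present.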

It's possible you get a 403 page when trying to log in on https://[ip address]/phppgadmin/, so we're going to prevent that:

nano /etc/apache2/conf.d/phppgadmin

# Remove the comment character before "allow from all"

/etc/init.d/apache2 restart

nano /etc/phppgadmin/config.inc.php

# FILE ########################
    $conf['extra_login_security'] = false;
###############################

Apache config

In Apache we use different virtual hosts; these can be spread out over different files, as long as they are in the sites-enabled directory. You can find this in /etc/apache2. Our .htaccess files use the Rewrite Engine, so we have to enable it in mods-enabled. The files are already available in the mods-available directory, so we only have to create a symlink.

# Example configuration:

# FILE ########################
    <VirtualHost *:80>
        ServerAdmin webmaster@localhost
        # ServerName www.swimmer.zone

        DocumentRoot /var/www
        <Directory />
            Options FollowSymLinks
            AllowOverride None
        </Directory>

        <Directory "/var/www">
            Options Indexes FollowSymLinks MultiViews
            AllowOverride All
            Order allow,deny
            allow from all
        </Directory>

        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin/">
            AllowOverride None
            Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
            Order allow,deny
            Allow from all
        </Directory>

        ErrorLog /var/log/apache2/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/access.log combined

        Alias /doc/ "/usr/share/doc/"
        <Directory "/usr/share/doc">
            Options Indexes MultiViews FollowSymLinks
            AllowOverride None
            Order deny,allow
            Deny from all
            Allow from 127.0.0.0/255.0.0.0 ::1/128
        </Directory>
    </VirtualHost>
###############################

# Symlink:
ln -s /etc/apache2/mods-available/rewrite.load /etc/apache2/mods-enabled/rewrite.load

/etc/init.d/apache2 restart

PHPSysInfo

To monitor our system through a web interface, we install PHPSysInfo and make it available to the outside under its own subdomain:

apt-get install phpsysinfo

mkdir /var/subdomains/phpsysinfo.swimmer.zone
cd /usr/share/phpsysinfo
cp -rf * /var/subdomains/phpsysinfo.swimmer.zone

Cronjobs

For optional cronjobs I use a single PHP file that's executed every hour. The PHP file itself determines which tasks have to run at that particular time.

crontab -e

# FILE ########################
55 * * * * php /var/www/execute.php
###############################

Mail server

To make our VPS function as a mail server, we have to install three packages: first Postfix for the SMTP protocol, then Dovecot for the POP3 protocol, and finally RoundCube to access our e-mail through a web interface. This is still experimental, so it wouldn't hurt to make a snapshot of the system, when that option is available.

Postfix

Installation of Postfix; for this a couple of configuration files have to be edited. Some of the lines have to be added, and if a file doesn't exist yet, it has to be created. At the end, virtual.db has to be edited or created and Postfix has to be restarted.

apt-get install postfix
# Choose "Internet site" as configuration
# Enter swimmer.zone as hostname

# check:
telnet localhost 25

nano /etc/postfix/main.cf

# FILE ########################
    myhostname = mail.swimmer.zone
    mydomain = swimmer.zone

    inet_protocols = ipv4
    inet_interfaces = all
    mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
    mynetworks = 127.0.0.0/8
    home_mailbox = Maildir/
    myorigin = $mydomain
    mynetworks_style = host
    smtpd_sasl_auth_enable = yes
    smtpd_sasl_local_domain =
    smtpd_recipient_restrictions = permit_mynetworks,permit_sasl_authenticated,reject_unauth_destination
    smtpd_sasl_security_options = noanonymous
    smtpd_tls_security_level = may
    smtpd_tls_loglevel = 1
    smtpd_tls_session_cache_timeout = 3600s
    smtpd_tls_session_cache_database = btree:/var/spool/postfix/smtpd_tls_cache
    smtpd_tls_auth_only = no
    smtpd_delay_reject = yes
    smtpd_helo_required = yes
    smtpd_hard_error_limit = 20
    smtpd_tls_mandatory_ciphers = high
    # broken_sasl_auth_clients = yes
    # tls_random_source = dev:/dev/urandom
    # default_destination_concurrency_limit = 5
    # disable_vrfy_command = yes
    # queue_directory = /var/spool/postfix
    # mail_owner = postfix
    # data_directory = /var/lib/postfix
    # header_checks = regexp:/etc/postfix/header_checks
    # body_checks = regexp:/etc/postfix/body_checks
    virtual_alias_maps = hash:/etc/postfix/virtual
###############################

# nano /etc/postfix/body_checks

# FILE ########################
    # /^(|[^>].*)example.com/ REJECT
###############################

# nano /etc/postfix/header_checks

# FILE ########################
    # /^From:.*<#.*@.*>/ REJECT
    # /^Return-Path:.*<#.*@.*>/ REJECT
###############################

nano /etc/postfix/virtual

# FILE ########################
    ****@swimmer.zone swimmer
    ****@swimmer.zone root
###############################

postmap /etc/postfix/virtual

/etc/init.d/postfix restart

# Create the system user (without a login shell) and the Maildir for e-mail
useradd -m -s /sbin/nologin swimmer
passwd swimmer

mkdir /home/swimmer/Maildir
chown swimmer /home/swimmer/Maildir
chmod -R 700 /home/swimmer/Maildir

Dovecot

Install Dovecot and, again, edit some configuration files:

apt-get install dovecot-common
# apt-get install dovecot-imapd
apt-get install dovecot-pop3d
apt-get install dovecot-lmtpd

nano /etc/dovecot/dovecot.conf

# FILE ########################
    # Protocols we want to be serving (add imap here if dovecot-imapd is installed;
    # Dovecot does not accept comments at the end of a line).
    protocols = pop3 lmtp
###############################

nano /etc/dovecot/conf.d/10-auth.conf

# FILE ########################
    disable_plaintext_auth = no
    auth_mechanisms = plain login
###############################

nano /etc/dovecot/conf.d/10-mail.conf

# FILE ########################
    mail_location = maildir:~/Maildir
###############################

nano /etc/dovecot/conf.d/10-master.conf
# find that section and make it look like:

# FILE ########################
    # Postfix smtp-auth
    unix_listener /var/spool/postfix/private/auth {
        mode = 0666
        user = postfix
        group = postfix
    }
###############################

/etc/init.d/dovecot restart

RoundCube

Install the pgsql package first, so that Roundcube doesn't pull in MySQL as a dependency.

apt-get install roundcube-pgsql
apt-get install roundcube

mkdir /var/subdomains/roundcube.swimmer.zone
cd /usr/share/roundcube
cp -rf * /var/subdomains/roundcube.swimmer.zone

nano /etc/roundcube/main.inc.php

# FILE ########################
    $rcmail_config['default_host'] = 'localhost';
    $rcmail_config['default_port'] = 110;
    $rcmail_config['imap_auth_type'] = NULL;

    $rcmail_config['smtp_server'] = 'mail.swimmer.zone';
    $rcmail_config['smtp_port'] = 25;
    $rcmail_config['smtp_user'] = '****@swimmer.zone';
    $rcmail_config['smtp_pass'] = '********';
###############################

nano /etc/roundcube/debian-db.php

# FILE ########################
    $dbuser = 'roundcube';
    $dbpass = '********';
    $basepath = '';
    $dbname = 'roundcube';
    $dbserver = '';
    $dbport = '';
    $dbtype = '';
###############################

Setting up a mail server gave me a lot of trouble, so while debugging it's possible I forgot to document some of the steps. Below are a couple of steps which may be useful. Errors can be found in /var/log/roundcube/errors, and these can lead you to /var/log/auth.log, /var/log/mail.log, /var/log/dovecot.log or /var/log/dovecot-deliver.log. The last two have to be added to /etc/dovecot/dovecot.conf. You can view a summary of all configuration lines with dovecot -n; my current setup looks like this, pay special attention to the auth_debug section (auth_debug_passwords writes the passwords in clear text to the log, so switch it off again once the problem is found).

dovecot -n

# FILE ########################
    mail_location           = maildir:/var/mail/%d/%n
    protocols               = imap pop3
    listen                  = *

    mail_uid                = mailnull
    mail_gid                = mail
    first_valid_uid         = 26
    first_valid_gid         = 6
    last_valid_uid          = 0
    last_valid_gid          = 0

    log_path                = syslog
    syslog_facility         = mail
    auth_mechanisms         = plain
    auth_socket_path        = /var/run/dovecot/auth-userdb

    auth_debug              = yes
    auth_debug_passwords    = yes
    auth_verbose            = yes
    verbose_proctitle       = yes
    mail_debug              = yes
    log_path                = /var/log/dovecot.log
    info_log_path           = /var/log/dovecot-deliver.log

    mail_plugin_dir         = /usr/local/lib/dovecot
    postmaster_address      = postmaster@%d
    hostname                = %d
    sendmail_path           = /usr/local/sbin/exim
    lda_mailbox_autocreate  = yes
    lda_mailbox_autosubscribe = yes

    passdb {
        driver        = passwd
        #args          = /etc/passwd
    }

    userdb {
        driver        = passwd
        args          = /etc/passwd
    }

    protocol lda {
    }

    protocol pop3 {
        pop3_client_workarounds = outlook-no-nuls oe-ns-eoh
    }

    protocol imap {
        mail_plugins            = quota imap_quota antispam
        imap_client_workarounds = delay-newmail tb-extra-mailbox-sep tb-lsub-flags
    }
    ## - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    service auth {
        unix_listener auth-userdb {
            mode        = 0600
            user        = $mail_uid
            group       = $mail_gid
        }
    }

    service imap-login {
        inet_listener imap {
            port        = 143
        }
        inet_listener imaps {
            port        = 993
            ssl         = yes
        }
    }

    service pop3-login {
        inet_listener pop3 {
            port        = 110
        }
        inet_listener pop3s {
            port        = 995
            ssl         = yes
        }
    }
###############################

The settings above can help prevent the following notices: "IMAP Error. Wrong startup greeting (localhost:110)" (this can mean the right listeners are not configured). "IMAP Error. AUTHENTICATE PLAIN: Authentication failed." (this one I solved by editing userdb and passdb). The last error I haven't been able to trace yet: "IMAP Error. Empty startup greeting (localhost:110)".

Some problems can appear with Roundcube because we copied the Roundcube directory to the web root: symlinks that point to a relative path break. In my case jQuery, jQuery UI and TinyMCE couldn't be loaded:

# Go to the directory /usr/share/javascript/jquery-ui; first make sure there's
# no symlink left pointing to it, then create the target directory and copy:
cd /usr/share/javascript/jquery-ui
rm /var/subdomains/roundcube.swimmer.zone/plugins/jqueryui
mkdir /var/subdomains/roundcube.swimmer.zone/plugins/jqueryui
cp -rf * /var/subdomains/roundcube.swimmer.zone/plugins/jqueryui

# Then the same for /usr/share/javascript/jquery
cd /usr/share/javascript/jquery
rm /var/subdomains/roundcube.swimmer.zone/programs/js
mkdir /var/subdomains/roundcube.swimmer.zone/programs/js
cp -rf * /var/subdomains/roundcube.swimmer.zone/programs/js

# And for /usr/share/tinymce/www
cd /usr/share/tinymce/www
rm /var/subdomains/roundcube.swimmer.zone/programs/js/tiny_mce
mkdir /var/subdomains/roundcube.swimmer.zone/programs/js/tiny_mce
cp -rf * /var/subdomains/roundcube.swimmer.zone/programs/js/tiny_mce
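The three manual fixes above generalised, as an added example that is not part of the original article or of Roundcube: the script finds every symlink under the copied tree that no longer resolves, resolves its relative target from the original package location and replaces the link with a copy. The demo function and its temporary tree are constructed; only readlink, find, cp and mktemp are assumed.

```shell
#!/bin/sh
# Added example, not part of the original article. The Roundcube package
# links to shared jQuery, jQuery UI and TinyMCE with relative symlinks, so
# after "cp -rf" into the subdomain directory those links point nowhere.
# This generalises the three manual fixes above: every dangling link under
# the copied tree is resolved against the original package directory and
# replaced by a copy of the target (paths without spaces are assumed).

# resolve_from PKGDIR WEBROOT LINK: absolute directory the dangling LINK
# would have reached from its original place inside PKGDIR.
resolve_from() {
    rel=${3#"$2"/}
    target=$(readlink "$3")
    (cd "$1/$(dirname "$rel")" 2>/dev/null && cd "$target" 2>/dev/null && pwd)
}

# fix_copied_links PKGDIR WEBROOT: replace each dangling symlink below
# WEBROOT with a copy of its resolved target; prints how many were fixed.
fix_copied_links() {
    pkg=$1; web=$2; fixed=0
    for link in $(find "$web" -type l); do
        [ -e "$link" ] && continue               # still resolves, leave it
        src=$(resolve_from "$pkg" "$web" "$link")
        if [ -z "$src" ] || [ ! -d "$src" ]; then
            echo "cannot resolve $link" >&2; continue
        fi
        rm "$link" && mkdir "$link" && cp -RP "$src"/. "$link"/ && fixed=$((fixed+1))
    done
    echo "$fixed"
}

# demo: constructed stand-in for /usr/share/roundcube and the subdomain
# directory, built in a temporary tree; prints "<fixed> <file present>".
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/share/javascript/jquery-ui" "$tmp/share/roundcube/plugins"
    echo 'ui' > "$tmp/share/javascript/jquery-ui/jquery-ui.js"
    ln -s ../../javascript/jquery-ui "$tmp/share/roundcube/plugins/jqueryui"
    mkdir -p "$tmp/web" && cp -RP "$tmp/share/roundcube"/. "$tmp/web"/
    n=$(fix_copied_links "$tmp/share/roundcube" "$tmp/web")
    if [ -f "$tmp/web/plugins/jqueryui/jquery-ui.js" ]; then ok=1; else ok=0; fi
    rm -rf "$tmp"
    echo "$n $ok"                                # expect "1 1"
}
```

On the real server the call would be `fix_copied_links /usr/share/roundcube /var/subdomains/roundcube.swimmer.zone`; links that still resolve are left alone.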

After following the steps above it should be possible to log in, although the right identities haven't been set up yet, so for now you can only log in as ****@localhost.

To Conclude

If we've executed all these steps, we have a working web server with PHP and PostgreSQL, and maybe a mail server with protocols for incoming and outgoing e-mail and a web interface to make it accessible. I think it's always a good idea to make a snapshot of the initial state, when everything works as it should.