Difference between revisions of "Debian Wheezy"

From Hexwiki
 
(26 intermediate revisions by the same user not shown)
Line 1: Line 1:
Can make it look more professional later.
+
__TOC__
 +
This guide covers a robust LEMP (Linux, Nginx, MySQL, PHP) stack running on Debian Wheezy, which includes a similarly robust Dovecot + Postfix mail solution. You might not need everything here, but if you use Linux to serve the Internet in any fashion, you will probably find something of use in here.
 +
 
 +
After finally getting around to putting this up, I noticed I skipped over some documentation, and as a result I am probably still missing a few things. More than that, I am sure not all of this is very clear. Some of it may be wrong, or at least, 'improper'. It does work - you are reading this, after all - and it works quite smoothly.
 +
 
 +
I could add a few more items to the stack section - this server also runs Murmur (mumble-server), a git repository, several Minecraft servers, and a number of forums, blogs, and wikis. Most CMS platforms like the latter will get independent guides.
 +
 
 +
So, given that...
 +
 
 +
# If there is something you want to setup that you would like me to add.
 +
# If there is something confusing about the instructions, or I have missed a step.
 +
# If I am doing something incorrectly.
 +
# Or any other suggestion
 +
 
 +
Please feel free to [mailto:vekseid@elliquiy.com e-mail me] or [http://hexwiki.com/forums/index.php sign up to the forums] and let me know.
 +
 
 +
== History of this guide ==
 +
 
 +
Back in 2009, my main forum (Elliquiy) had gone from outgrowing its shared hosting, to outgrowing its vps, which was then running Debian Etch. I got a Core2 Duo server with 4GB of RAM, installed Debian Lenny on it, and went about documenting everything that I had done. I published the result to my forums as 'The Elliquiy LAMP Stack'.
 +
 
 +
There were some problems with this.
 +
 
 +
'''1)''' Elliquiy has the 'distinction' of likely being the only site where [http://xkcd.com/1353/ this XKCD strip applied to the joke]. That is, it's not safe for work, and https is forced. At least my e-mail was unaffected. And yes, by the time that strip was up I was already patched.
 +
 
 +
'''2)''' Even ignoring that it is five years old, it was still my first non-virtual Debian stack open to the Internet. The traffic that nearly brought it down would not even reach average these days.
 +
 
 +
A few servers and who knows how many VPSes later, I updated the documentation when I moved to Squeeze, but for various reasons, never got around to publishing it.
 +
 
 +
A few more servers and dropping my last VPS later, I updated the documentation to Wheezy. The following, with some server/purpose specific modifications, is currently running on three servers, two [http://hostvenom.com/ servers are at HostVenom in Chicago], the third [https://www.hivelocity.net/ server is at Hivelocity in Tampa]. These two installations exchange their backups with each other every morning.
  
 
== Hardware and Hosting ==
 
== Hardware and Hosting ==
  
# [[Choosing a Collocation or Dedicated Host]]
+
If you need it, I put up some quick advice on [[Choosing a Registrar]] and [[Choosing a Host]].
 +
 
 
# [[Designing a Server]]
 
# [[Designing a Server]]
 
# [[IPMI Installation (Wheezy)]]
 
# [[IPMI Installation (Wheezy)]]
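Review bot: in the added History paragraph, "currently running on three servers" is followed by "These two installations exchange their backups", so a reader cannot tell whether "two installations" means the two hosting sites (HostVenom and Hivelocity) or two of the three servers. Suggest naming the sites, for example "The Chicago and Tampa installations exchange their backups with each other every morning." The same sentence joins three clauses with commas; a colon after "three servers" would fix that. In the added list, "want to setup" should be "want to set up".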
Line 9: Line 38:
 
== Linux Core ==
 
== Linux Core ==
  
Some of the stuff here could be categorized under security, but the Core stuff here does not depend on getting anything else set up yet.
+
The following assumes you have Wheezy installed and partitioned to your specifications - either by your host or by yourself via a remote KVM as above.
  
 
# [[Network (Wheezy)]]
 
# [[Network (Wheezy)]]
 
# [[OpenSSH (6.0)]]
 
# [[OpenSSH (6.0)]]
 +
# [[Packages (Wheezy)]]
 
# [[Sysctl.conf (Wheezy)]]
 
# [[Sysctl.conf (Wheezy)]]
 
# [[Iptables (1.4)]]
 
# [[Iptables (1.4)]]
 
# [[Security (Wheezy)]]
 
# [[Security (Wheezy)]]
 +
# [[User Management (Wheezy)]]
  
 
== Software Stack ==
 
== Software Stack ==
  
# [[Unbound (1.4)]] - While I use a DNS service for my authoritative DNS servers, having a local DNS server is extremely handy. Can speed up some website functions immensely.
+
# [[Unbound (1.4)]] - While I use a DNS service for my authoritative DNS servers, having a local DNS server is extremely handy. In addition to being almost a requirement for any mailserver that accepts mail, it can speed up some website functions immensely.
 
# [[MySQL (5.5)]] - Getting the database going early is often a priority.
 
# [[MySQL (5.5)]] - Getting the database going early is often a priority.
# [[Nginx (1.4)]] - Webserver of champions. I do have some older documentation for Apache, but at this point I cannot afford to consider switching back.
+
# [[Nginx (1.2)]] - Webserver of champions. I do have some older documentation for Apache, but at this point I cannot afford to consider switching back. If using DotDeb, this documentation works fine for 1.4/1.6, it just doesn't take advantage of all features. I am holding off a bit on SPDY, personally.
 
# [[PHP (5.4)]] - FPM and the ancient fastcgi method are covered.
 
# [[PHP (5.4)]] - FPM and the ancient fastcgi method are covered.
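Review bot: the Nginx entry now links to "Nginx (1.2)" but the added sentence tells DotDeb users on 1.4/1.6 only that the page "doesn't take advantage of all features", which leaves them guessing what is missing. Suggest naming the features the linked page does not cover (SPDY is the only one mentioned) and splitting the comma splice: "works fine for 1.4/1.6; it just doesn't take advantage of all features." The removed Linux Core sentence noted that some of these pages overlap with security; if that still holds, a short pointer to [[Security (Wheezy)]] in the new intro would preserve it.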
  
Line 39: Line 70:
 
# [[Mail Reputation Management]]
 
# [[Mail Reputation Management]]
  
== Wrapup ==
+
== Logging, Finalizing ==
  
 
# [[Logging (Wheezy)]]
 
# [[Logging (Wheezy)]]
 +
# [[Logcheck (Wheezy)]]
 +
# [[Backups (Wheezy)]]
 
# [[AppArmor (Wheezy)]]
 
# [[AppArmor (Wheezy)]]
  
 
{{Bottom Wheezy}}
 
{{Bottom Wheezy}}

Latest revision as of 01:29, 14 May 2014

This guide covers a robust LEMP (Linux, Nginx, MySQL, PHP) stack running on Debian Wheezy, which includes a similarly robust Dovecot + Postfix mail solution. You might not need everything here, but if you use Linux to serve the Internet in any fashion, you will probably find something of use in here.

After finally getting around to putting this up, I noticed I skipped over some documentation, and as a result I am probably still missing a few things. More than that, I am sure not all of this is very clear. Some of it may be wrong, or at least, 'improper'. It does work - you are reading this, after all - and it works quite smoothly.

I could add a few more items to the stack section - this server also runs Murmur (mumble-server), a git repository, several Minecraft servers, and a number of forums, blogs, and wikis. Most CMS platforms like the latter will get independent guides.

So, given that...

  1. If there is something you want to set up that you would like me to add.
  2. If there is something confusing about the instructions, or I have missed a step.
  3. If I am doing something incorrectly.
  4. Or any other suggestion

Please feel free to e-mail me or sign up to the forums and let me know.

History of this guide

Back in 2009, my main forum (Elliquiy) had gone from outgrowing its shared hosting, to outgrowing its VPS, which was then running Debian Etch. I got a Core2 Duo server with 4GB of RAM, installed Debian Lenny on it, and went about documenting everything that I had done. I published the result to my forums as 'The Elliquiy LAMP Stack'.

There were some problems with this.

1) Elliquiy has the 'distinction' of likely being the only site where this XKCD strip applied to the joke. That is, it's not safe for work, and https is forced. At least my e-mail was unaffected. And yes, by the time that strip was up I was already patched.

2) Even ignoring that it is five years old, it was still my first non-virtual Debian stack open to the Internet. The traffic that nearly brought it down would not even reach average these days.

A few servers and who knows how many VPSes later, I updated the documentation when I moved to Squeeze, but for various reasons, never got around to publishing it.

A few more servers and dropping my last VPS later, I updated the documentation to Wheezy. The following, with some server/purpose-specific modifications, is currently running on three servers: two are at HostVenom in Chicago, and the third is at Hivelocity in Tampa. These two installations exchange their backups with each other every morning.

Hardware and Hosting

If you need it, I put up some quick advice on Choosing a Registrar and Choosing a Host.

  1. Designing a Server
  2. IPMI Installation (Wheezy)

Linux Core

The following assumes you have Wheezy installed and partitioned to your specifications - either by your host or by yourself via a remote KVM as above.

  1. Network (Wheezy)
  2. OpenSSH (6.0)
  3. Packages (Wheezy)
  4. Sysctl.conf (Wheezy)
  5. Iptables (1.4)
  6. Security (Wheezy)
  7. User Management (Wheezy)

Software Stack

  1. Unbound (1.4) - While I use a DNS service for my authoritative DNS servers, having a local DNS server is extremely handy. In addition to being almost a requirement for any mailserver that accepts mail, it can speed up some website functions immensely.
  2. MySQL (5.5) - Getting the database going early is often a priority.
  3. Nginx (1.2) - Webserver of champions. I do have some older documentation for Apache, but at this point I cannot afford to consider switching back. If using DotDeb, this documentation works fine for 1.4/1.6; it just doesn't take advantage of all features. I am holding off a bit on SPDY, personally.
  4. PHP (5.4) - FPM and the ancient fastcgi method are covered.

Mail Setup and Stack

  1. MySQL must be set up first for the following configuration, and a working DNS resolver such as Unbound is highly recommended.
  2. Packages used: opendkim opendkim-tools spamc libmail-dkim-perl libmail-spf-perl libio-socket-inet6-perl clamav-docs clamav-freshclam clamav-daemon clamav-milter clamav dovecot-imapd dovecot-mysql postfix postfix-mysql postfix-pcre
    1. We're setting up Postfix as a site.
  3. Mail Setup (Wheezy)
  4. Mail Tables (MySQL)
  5. OpenDKIM (2.6)
  6. Mail and DNS - Once we know what our domains are and have our DKIM key (from OpenDKIM), we can configure our DNS properly.
  7. Spamassassin (3.3) - I've tried others, supposedly for the performance benefits, but honestly, with a handful of custom rules, and a solid postfix configuration, very little spam makes it through.
  8. ClamAV (0.98) - Antivirus IMO should be approached from the viewpoint that it gives a chance for you to avoid the repercussions of your mistakes. Often a small one, but if not intrusive, still better than zero.
  9. Postfix (2.9) - My preferred MTA of choice.
  10. Dovecot (2.1)
  11. Mail Reputation Management

Logging, Finalizing

  1. Logging (Wheezy)
  2. Logcheck (Wheezy)
  3. Backups (Wheezy)
  4. AppArmor (Wheezy)