Difference between revisions of "Web2 Setup Process"

From CSLabsWiki
Revision as of 21:26, 1 May 2011

This page summarizes how the virtual machine Web2 was set up in Summer 2009.

Install

This system was created via the Create a New VM How-To and is based on the Ubuntu 8.04 Generic VM image.

Configuration

Updated System

  • apt-get update && apt-get upgrade

Created User

  • Created user mccarrms
    • /usr/sbin/useradd -m mccarrms
  • Set password for mccarrms
    • passwd mccarrms

Configured Sudo

  • /usr/sbin/visudo
## Sudoers allows particular users to run various commands as
## the root user, without needing the root password.

## Networking
Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool

## Installation and management of software
Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

## Services
Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

## Updating the locate database
Cmnd_Alias LOCATE = /usr/sbin/updatedb

## Storage
Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount

## Delegating permissions
Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp, /usr/bin/sudoedit

## Processes
Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall

## Drivers
Cmnd_Alias DRIVERS = /sbin/modprobe

## Shells
Cmnd_Alias SHELLS = /bin/sh, /bin/bash, /usr/bin/rsh, /bin/dash, /bin/rbash, /bin/su

## Users
Cmnd_Alias USERS = /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/userhelper, /usr/sbin/usermod, /usr/sbin/usernetctl, /usr/bin/passwd

## HTTP
Cmnd_Alias HTTP = /etc/init.d/apache2 restart, /etc/init.d/apache2 stop

Defaults    requiretty

Defaults    env_reset,tty_tickets,lecture=always,logfile=/var/log/sudo.log
Defaults    env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
                        LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
                        LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
                        LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
                        LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
                        _XKB_CHARSET XAUTHORITY"

## Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
%sudo   ALL=(ALL)       ALL
%admins ALL=(root) ALL, !SHELLS, !HTTP

Configured Network

  • Edited /etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet static
  address 128.153.145.20
  netmask 255.255.255.0
  gateway 128.153.145.1
  pre-up iptables-restore < /etc/iptables.rules
  post-down iptables-restore < /etc/iptables.downrules

auto eth0:0
iface eth0:0 inet static
  address 128.153.145.26
  netmask 255.255.255.0

Configured IPtables

Due to the sensitivity of this material, this config file has been left off; however, the following rules are needed.

-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT

Set Up SSH Login Banner

  • Edited /etc/issue.net
             __   ___ 
 _    _____ / /  |_  |
| |/|/ / -_) _ \/ __/ 
|__,__/\__/_.__/____/ 
                      

Configured Password Requirements

  • Edited /etc/login.defs
MAIL_DIR        /var/mail
#MAIL_FILE      .mail

FAILLOG_ENAB		yes

LOG_UNKFAIL_ENAB	no

LOG_OK_LOGINS		no

SYSLOG_SU_ENAB		yes
SYSLOG_SG_ENAB		yes

#SULOG_FILE	/var/log/sulog

#TTYTYPE_FILE	/etc/ttytype

FTMP_FILE	/var/log/btmp

SU_NAME		su

HUSHLOGIN_FILE	.hushlogin
#HUSHLOGIN_FILE	/etc/hushlogins

ENV_SUPATH	PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
ENV_PATH	PATH=/usr/local/bin:/usr/bin:/bin:/usr/games

TTYGROUP	tty
TTYPERM		0600

ERASECHAR	0177
KILLCHAR	025

#UMASK		022

PASS_MAX_DAYS	360
PASS_MIN_DAYS	0
PASS_WARN_AGE	60

UID_MIN			 1000
UID_MAX			60000

GID_MIN			  100
GID_MAX			60000

LOGIN_RETRIES		5

LOGIN_TIMEOUT		60

CHFN_RESTRICT		rwh

DEFAULT_HOME	yes

#USERDEL_CMD	/usr/sbin/userdel_local

USERGROUPS_ENAB yes

# FAKE_SHELL /bin/fakeshell

#CONSOLE	/etc/consoles
#CONSOLE	console:tty01:tty02:tty03:tty04

#CONSOLE_GROUPS		floppy:audio:cdrom

#MD5_CRYPT_ENAB	no

Configured Hosts

  • Edited /etc/hosts.allow
For security purposes, this information has been intentionally left off.
  • Edited /etc/hosts.deny
ALL: ALL

Modified umask

  • Removed the following from /etc/profile
umask 022
  • Added the following to /etc/profile
if [ $UID -gt 999 ] && [ "`id -gn`" = "`id -un`" ]; then
        umask 002
elif [ $UID = 0 ]; then
        umask 002
else
        umask 022
fi

Disabled IPv6

  • Modified the following in /etc/modprobe.d/aliases
alias net-pf-10 off

Configured DNS Servers

  • Edited /etc/resolv.conf
search cslabs.clarkson.edu clarkson.edu
nameserver 128.153.145.3
nameserver 128.153.145.4

Configured SNMP

  • Edited /etc/snmp/snmpd.conf
rocommunity     <passphrase>  <ipsallowed>
rocommunity     <passphrase>  <ipsallowed>
 
syslocation Clarkson University Applied CS Labs
syscontact Matt McCarrell <mccarrms@gmail.com>
disk /
exec timeskew /usr/local/sbin/ntp_check
exec uptime /usr/bin/uptime

Configured Logwatch Reports

  • Set detail level to be high and changed MailFrom
sed -i "s/MailFrom = root/MailFrom = logwatch/g" /usr/share/logwatch/dist.conf/logwatch.conf
sed -i "s/Detail = Med/Detail = High/g" /usr/share/logwatch/dist.conf/logwatch.conf

Installed Apache

  • Installed httpd, php, etc.
    • apt-get install apache2 php5 libapache2-mod-php5 mysql-client php5-mysql php5-curl php5-gd php5-suhosin php-pear php-xml-parser php5-xcache highlight source-highlight php-mode php5-cli libgd2-xpm libgd2-xpm-dev imagemagick
    • Also installed reprepro for the lab-build virtual host
  • Modified /etc/apache2/apache2.conf
ServerRoot "/etc/apache2"

#<IfModule !mpm_winnt.c>
#<IfModule !mpm_netware.c>
LockFile /var/lock/apache2/accept.lock
#</IfModule>
#</IfModule>

PidFile ${APACHE_PID_FILE}

Timeout 30

KeepAlive On

MaxKeepAliveRequests 100

KeepAliveTimeout 5

<IfModule mpm_prefork_module>
    StartServers          5
    MinSpareServers       5
    MaxSpareServers      10
    MaxClients           50
    MaxRequestsPerChild   0
</IfModule>

<IfModule mpm_worker_module>
    StartServers          2
    MaxClients          150
    MinSpareThreads      25
    MaxSpareThreads      75
    ThreadsPerChild      25
    MaxRequestsPerChild   0
</IfModule>

User ${APACHE_RUN_USER}
Group ${APACHE_RUN_GROUP}

AccessFileName .htaccess

<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

DefaultType text/plain

HostnameLookups Off

ErrorLog /var/log/apache2/error.log

LogLevel warn

Include /etc/apache2/mods-enabled/*.load
Include /etc/apache2/mods-enabled/*.conf

Include /etc/apache2/httpd.conf

Include /etc/apache2/ports.conf

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

ServerTokens Prod

ServerSignature Off

#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html

#    Alias /error/ "/usr/share/apache2/error/"
#
#    <Directory "/usr/share/apache2/error">
#        AllowOverride None
#        Options IncludesNoExec
#        AddOutputFilter Includes html
#        AddHandler type-map var
#        Order allow,deny
#        Allow from all
#        LanguagePriority en cs de es fr it nl sv pt-br ro
#        ForceLanguagePriority Prefer Fallback
#    </Directory>
#
#    ErrorDocument 400 /error/HTTP_BAD_REQUEST.html.var
#    ErrorDocument 401 /error/HTTP_UNAUTHORIZED.html.var
#    ErrorDocument 403 /error/HTTP_FORBIDDEN.html.var
#    ErrorDocument 404 /error/HTTP_NOT_FOUND.html.var
#    ErrorDocument 405 /error/HTTP_METHOD_NOT_ALLOWED.html.var
#    ErrorDocument 408 /error/HTTP_REQUEST_TIME_OUT.html.var
#    ErrorDocument 410 /error/HTTP_GONE.html.var
#    ErrorDocument 411 /error/HTTP_LENGTH_REQUIRED.html.var
#    ErrorDocument 412 /error/HTTP_PRECONDITION_FAILED.html.var
#    ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var
#    ErrorDocument 414 /error/HTTP_REQUEST_URI_TOO_LARGE.html.var
#    ErrorDocument 415 /error/HTTP_UNSUPPORTED_MEDIA_TYPE.html.var
#    ErrorDocument 500 /error/HTTP_INTERNAL_SERVER_ERROR.html.var
#    ErrorDocument 501 /error/HTTP_NOT_IMPLEMENTED.html.var
#    ErrorDocument 502 /error/HTTP_BAD_GATEWAY.html.var
#    ErrorDocument 503 /error/HTTP_SERVICE_UNAVAILABLE.html.var
#    ErrorDocument 506 /error/HTTP_VARIANT_ALSO_VARIES.html.var

Include /etc/apache2/conf.d/

NameVirtualHost *

Include /etc/apache2/sites-enabled/
  • Enabled mod_rewrite
a2enmod rewrite
  • Enabled mod_deflate
a2enmod deflate
  • Unlinked the default site config
    • unlink /etc/apache2/sites-enabled/000-default
  • Created /etc/apache2/sites-enabled/web2
<VirtualHost *>
    ServerName web2.cslabs.clarkson.edu
    ServerAdmin web-admin@cslabs.clarkson.edu
    DocumentRoot "/var/www/"
    ErrorLog /var/log/apache2/web2-error_log
    CustomLog /var/log/apache2/web2-access_log combined
    ServerAlias web2*
    RedirectMatch ^/$ http://cslabs.clarkson.edu/
</VirtualHost>
  • Created /etc/apache2/sites-enabled/zDefault
<VirtualHost *>
    ServerName web2.cslabs.clarkson.edu
    ServerAdmin web-admin@cslabs.clarkson.edu
    DocumentRoot "/var/www/"
    ErrorLog /var/log/apache2/web2-error_log
    CustomLog /var/log/apache2/web2-access_log combined
    ServerAlias *
    RedirectMatch ^/$ http://cslabs.clarkson.edu/
</VirtualHost>
  • Created /etc/apache2/sites-enabled/docs
<VirtualHost *>
    ServerName docs.cosi.clarkson.edu
    ServerAdmin web-admin@cslabs.clarkson.edu
    DocumentRoot "/var/docs_www/"
    ErrorLog /var/log/apache2/docs-error_log
    CustomLog /var/log/apache2/docs-access_log combined
    ServerAlias docs.cosi
    Redirect permanent / http://docs.cslabs.clarkson.edu/
</VirtualHost>

<VirtualHost *>
    ServerName docs.cslabs
    ServerAdmin web-admin@cslabs.clarkson.edu
    DocumentRoot "/var/docs_www/"
    ErrorLog /var/log/apache2/docs-error_log
    CustomLog /var/log/apache2/docs-access_log combined
    ServerAlias docs
    Redirect permanent / http://docs.cslabs.clarkson.edu/
</VirtualHost>

<VirtualHost *>
    ServerName docs.cslabs.clarkson.edu
    ServerAdmin web-admin@cslabs.clarkson.edu
    DocumentRoot "/var/docs_www/"
    ErrorLog /var/log/apache2/docs-error_log
    CustomLog /var/log/apache2/docs-access_log combined
    <Directory /var/docs_www/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride Limit
        Order allow,deny
        allow from all
    </Directory>
    # For rewriting /w/index.php to /wiki/
    Alias /wiki "/var/docs_www/w/index.php"
    Alias /index.php "/var/docs_www/w/index.php"
</VirtualHost>
  • Created /etc/apache2/sites-enabled/status
<VirtualHost *>
    ServerName status.cslabs.clarkson.edu
    ServerAdmin web-admin@cslabs.clarkson.edu
    DocumentRoot "/var/status_www/"
    ErrorLog /var/log/apache2/status-error_log
    CustomLog /var/log/apache2/status-access_log combined
    ServerAlias status*
    <Directory /var/status_www/>
        Options Indexes FollowSymLinks
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>
  • Created /etc/apache2/sites-enabled/lab-build
<VirtualHost *>
    ServerName lab-build.cslabs.clarkson.edu
    ServerAdmin web-admin@cslabs.clarkson.edu
    DocumentRoot "/var/lab-build_www/"
    ErrorLog /var/log/apache2/lab-build-error_log
    CustomLog /var/log/apache2/lab-build-access_log combined
    ServerAlias lab-build*
    <Directory /var/lab-build_www/>
        Options Indexes FollowSymLinks
        AllowOverride Limit
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>
  • Created /etc/apache2/sites-enabled/nonlinear
<VirtualHost *>
    ServerName nonlinear.cslabs.clarkson.edu
    ServerAdmin web-admin@cslabs.clarkson.edu
    DocumentRoot "/var/nonlinear_www/"
    ErrorLog /var/log/apache2/nonlinear-error_log
    CustomLog /var/log/apache2/nonlinear-access_log combined
    ServerAlias nonlinear*
    <Directory /var/nonlinear_www/>
        Options Indexes FollowSymLinks
        AllowOverride Limit
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>
  • Configured PHP so it is not exposed and Y2K compliance is off
    • Edited /etc/php5/apache2/php.ini
expose_php = Off
memory_limit = 64M
upload_max_filesize = 8M
  • Started Apache
    • /etc/init.d/apache2 start
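
The apache2.conf above sets ServerTokens Prod and ServerSignature Off and denies HTTP access to .ht* files, and php.ini sets expose_php = Off. The script below is an added example, not part of the original page or of the Web2 setup itself: it audits a configuration file for those settings so the hardening can be re-checked after later edits. The function names are my own, and the sample configurations embedded in it are constructed for the demonstration; point the audit functions at the real /etc/apache2/apache2.conf and /etc/php5/apache2/php.ini to check a host.

```shell
#!/bin/sh
# Added example (not from the original wiki page): audit the disclosure-related
# settings this page configures in apache2.conf and php.ini. The sample config
# text at the bottom is constructed for the demonstration.

# apache_directive_is FILE NAME VALUE
#   True if FILE has an uncommented "NAME VALUE" line (case-insensitive).
apache_directive_is() {
    grep -Eiq "^[[:space:]]*$2[[:space:]]+$3[[:space:]]*$" "$1"
}

# ini_setting_is FILE NAME VALUE
#   True if FILE has an uncommented "NAME = VALUE" line (case-insensitive).
ini_setting_is() {
    grep -Eiq "^[[:space:]]*$2[[:space:]]*=[[:space:]]*$3[[:space:]]*$" "$1"
}

# htaccess_denied FILE
#   True if a <Files ~ "^\.ht"> block in FILE contains "Deny from all",
#   i.e. .htaccess/.htpasswd files cannot be fetched over HTTP.
htaccess_denied() {
    awk '
        tolower($0) ~ /^[[:space:]]*<files[[:space:]]+~.*\.ht/ { inblk = 1 }
        inblk && tolower($0) ~ /^[[:space:]]*deny[[:space:]]+from[[:space:]]+all/ { found = 1 }
        tolower($0) ~ /^[[:space:]]*<\/files>/ { inblk = 0 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# audit_apache_conf FILE
#   Prints the name of each check that fails; returns the number of failures.
audit_apache_conf() {
    fails=0
    apache_directive_is "$1" ServerTokens Prod   || { echo ServerTokens;    fails=$((fails + 1)); }
    apache_directive_is "$1" ServerSignature Off || { echo ServerSignature; fails=$((fails + 1)); }
    htaccess_denied "$1"                          || { echo HtFilesDeny;     fails=$((fails + 1)); }
    return $fails
}

# audit_php_ini FILE
#   Same idea for php.ini: expose_php must be Off.
audit_php_ini() {
    fails=0
    ini_setting_is "$1" expose_php Off || { echo expose_php; fails=$((fails + 1)); }
    return $fails
}

# Constructed samples: one matching the page's settings, one with defaults left in.
GOOD_APACHE_CONF='ServerTokens Prod
ServerSignature Off
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>'

WEAK_APACHE_CONF='ServerTokens Full
ServerSignature On
# (no <Files ~ "^\.ht"> block)'

GOOD_PHP_INI='expose_php = Off
memory_limit = 64M'

WEAK_PHP_INI='expose_php = On'

# write_sample CONTENT: writes CONTENT to a temp file and prints its path.
write_sample() {
    f=$(mktemp) || return 1
    printf '%s\n' "$1" > "$f" && echo "$f"
}

# Run with --demo to audit the two constructed Apache samples.
if [ "${1:-}" = "--demo" ]; then
    for s in "$GOOD_APACHE_CONF" "$WEAK_APACHE_CONF"; do
        f=$(write_sample "$s")
        audit_apache_conf "$f"
        echo "failures: $?"
        rm -f "$f"
    done
fi
```

The checks deliberately match only uncommented lines, so a directive that is present but commented out counts as a failure, which is what you want when a later edit re-enables the default.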

Virtual Host Notes

  • A group must be created for each virtual host and the virtual host HTML root must be owned by that group.
  • The setgid bit should be set on each of the virtual host HTML roots. This can be done by using the following command: chmod g+s <vhost>_www/
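
The two notes above, together with the umask rule added to /etc/profile (umask 002 for users whose primary group is their private group, 022 otherwise), are what let several maintainers share a virtual host tree. The script below is an added example, not part of the original page or of the Web2 setup: it creates a document root with the dedicated-group and setgid layout described, verifies it, and shows the mode a new file gets under each umask. The group and directory names are whatever the caller passes; the demo uses a temporary directory and the caller's own primary group so it runs without root.

```shell
#!/bin/sh
# Added example (not from the original wiki page): build and verify a
# per-virtual-host document root (group-owned, setgid) and show how the
# profile's umask rule decides whether new files are group-writable.

# make_vhost_root DIR GROUP
#   Create DIR owned by GROUP with mode 2775. The setgid bit makes every file
#   and subdirectory created inside inherit GROUP instead of the creator's
#   primary group, so all members of GROUP can maintain the site.
make_vhost_root() {
    mkdir -p "$1" && chgrp "$2" "$1" && chmod 2775 "$1"
}

# file_mode PATH: octal permission bits, e.g. 2775 or 664 (GNU stat, BSD fallback).
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f '%OMp%OLp' "$1"
}

# file_group PATH: owning group name.
file_group() {
    stat -c %G "$1" 2>/dev/null || stat -f %Sg "$1"
}

# vhost_root_ok DIR GROUP
#   True if DIR belongs to GROUP, has the setgid bit and is group-writable.
vhost_root_ok() {
    [ -d "$1" ] && [ -g "$1" ] || return 1
    [ "$(file_group "$1")" = "$2" ] || return 1
    m=$(file_mode "$1")
    m=${m#"${m%???}"}          # keep the last three digits (rwx for u/g/o)
    g=${m#?}; g=${g%?}         # the group digit
    [ $((g & 2)) -ne 0 ]
}

# create_with_umask DIR NAME UMASK
#   Create an empty file DIR/NAME in a subshell with the given umask and print
#   its mode. A user in a private group gets umask 002 from the profile rule,
#   so the file comes out 664 (group-writable); a user in a shared group gets
#   022 and the file is 644.
create_with_umask() {
    ( umask "$3" && : > "$1/$2" ) || return 1
    file_mode "$1/$2"
}

# Run with --demo to see the layout built in a temporary directory.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    grp=$(id -gn)
    make_vhost_root "$tmp/example_www" "$grp"
    vhost_root_ok "$tmp/example_www" "$grp" && echo "root ok: $(file_mode "$tmp/example_www") $grp"
    echo "private-group user (umask 002): $(create_with_umask "$tmp/example_www" a.html 002)"
    echo "shared-group user  (umask 022): $(create_with_umask "$tmp/example_www" b.html 022)"
    rm -rf "$tmp"
fi
```

On a real host the group would be one created per virtual host (groupadd) with the maintainers added to it; the setgid bit on the root is what keeps files created by any of them in that group, and the 002 umask is what keeps those files writable by the rest of the group.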

AWStats