How to build the ultimate Ubuntu/Lighttpd/PHP/MySQL server, and keep it running
Securing the server with a firewall
OK, everything is working now! Don’t start hosting your sites yet though: first you need a firewall running on your server!
sudo apt-get install iptables
I recommend that you read the manual page (enter man iptables) and learn how iptables works. If you don't want to do that yet, you can still use an online generator. Let's use that for now, but make sure to read the man page some day.
First create some rules! Go to www.lowth.com/LinWiz and read everything there.
// UPDATE: The site seems to be down now. Please use http://easyfwgen.morizot.net/ in the meantime. It’s maybe even better than the original link I posted. Make sure you choose “Allow Inbound Services” and “Specify a custom port range”, insert your SSH port there and untick the SSH option. There is a big chance that you also have to choose “Static IP” and fill in your server's IP address.
You should only need to allow HTTP traffic and add your SSH port to the "Extra TCP/IP" port field. Hit "Download 'iptables-restore' file" at the bottom of the page when you're done. After generating the rules, you'll see a page with a lot of text; this is what you want. Select everything and hit CTRL/CMD+C to copy it. Go back to your SSH window and enter
sudo nano /etc/iptables.test.rules
Paste the rules into this file (with the right mouse button). Hit CTRL+X to exit nano and save your changes. Now enter
sudo iptables-restore < /etc/iptables.test.rules
sudo iptables -L
With the last command you can review your active rules. If you like them, save them (the redirection has to run as root as well, otherwise the shell cannot write to /etc)
sudo sh -c "iptables-save > /etc/iptables.up.rules"
Your server has a firewall running now! One problem though: the rules are lost when you restart the server. To solve this problem, do the following
sudo nano /etc/network/interfaces
Add the pre-up line shown below right after 'iface lo inet loopback'
...
auto lo
iface lo inet loopback
pre-up iptables-restore < /etc/iptables.up.rules
# The primary network interface
...
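The file the generator gives you is plain text that iptables-restore parses, so you can also write and check one by hand. The following is an added example, not part of the original guide: a POSIX shell script that writes a minimal ruleset of the same kind (loopback, replies to your own connections, HTTP and a custom SSH port allowed, everything else dropped), checks it before it gets anywhere near the running firewall, and only then copies it to the file the pre-up line loads. The SSH port 2222 and the file paths in the usage comment are assumed values.

```shell
#!/bin/sh
# Added example, not from the original guide. Generates a minimal
# iptables-restore ruleset, checks it, and installs it for the pre-up line.
# The SSH port (2222) and the file paths used below are assumptions.

# Print a ruleset on stdout. INPUT and FORWARD default to DROP; only
# loopback, replies to our own connections, HTTP and the SSH port get in.
gen_rules() {
  port="$1"
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport ${port} -m state --state NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
EOF
}

# Check a ruleset file before loading it, so a typo cannot lock you out:
#   1 = no COMMIT line (iptables-restore would reject the table)
#   2 = the SSH port is not accepted anywhere in the file
#   3 = iptables-restore's own parser rejected it (only run as root, with
#       --test, which parses the file without touching the live firewall)
check_rules() {
  file="$1"; port="$2"
  grep -q '^COMMIT$' "$file" || return 1
  grep -q -- "--dport ${port} .*-j ACCEPT" "$file" || return 2
  if [ "$(id -u)" -eq 0 ] && command -v iptables-restore >/dev/null 2>&1; then
    iptables-restore --test < "$file" || return 3
  fi
  return 0
}

# Copy the ruleset into place only if every check passed; otherwise return
# the check's error code and leave the destination untouched.
install_rules() {
  src="$1"; dst="$2"; port="$3"
  check_rules "$src" "$port" || return $?
  cp "$src" "$dst"
}

# Usage (as root on the server):
#   gen_rules 2222 > /etc/iptables.test.rules
#   install_rules /etc/iptables.test.rules /etc/iptables.up.rules 2222 \
#     && iptables-restore < /etc/iptables.up.rules
```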
You now have a working, firewalled webserver, ready to host your sites. I recommend you read on though: the next part gives some instructions for optimizing the server's performance.
Add ETags and expire headers to enhance the site's performance
Open the Lighttpd config file again
sudo nano /etc/lighttpd/lighttpd.conf
And uncomment the following module in the server.modules list at the top of the file
server.modules = (
"mod_expire"
)
Scroll to a suitable place in the config file (I recommend just above the vhosts) and add the following code
# Tell browsers to cache static assets for 7 days after they were accessed
$HTTP["url"] =~ "\.(css|js|png|jpg|ico|gif)$" {
expire.url = ( "" => "access 7 days" )
}
# Build ETags for static files from inode, mtime and size.
# Note: inode numbers differ between machines, so disable etag.use-inode
# if the same site is served from more than one server.
etag.use-inode = "enable"
etag.use-mtime = "enable"
etag.use-size = "enable"
static-file.etags = "enable"
This makes the visitor's browser cache all css, js, png, jpg, ico and gif files for 7 days.
OK, that's it for now, folks. I'll update the guide ASAP with more info. If you want to see something specific, just leave a comment and maybe I'll add it!
Also, it may be a good idea to subscribe to my Twitter; I'll post some great server/website related tips there from time to time!
(would be great if you left one too!)
Nicely written how-to.
I’ve scheduled a server reinstall for this Friday, and was trying to decide between Fedora 10 and Ubuntu. You’ve just made up my mind with this great walk-through, so look forward to ‘pimping my server’! :)
Since I run a large (10,000 user) phpBB forum on my server, I’ll also look at xcache from your Twitter too…
Ubuntu will be great. First I wanted to use Gentoo (best desktop linux distro imo) on my server, but after seeing that Ubuntu ‘just works’, without looking after it every day, which is exactly what a server has to do, I chose Ubuntu (and never regretted it).
And maybe you already thought of this, but make sure you don’t forget to make backups of the forum before the reinstall! It sounds quite stupid, but even big sites like dpreview.com lose things because of bad backups (ok, they maybe had just bad luck with a failing raid setup)…
And about xcache, it's quite great :). I think I’m going to add a guide about it in a month or so (maybe earlier, but I’ve got some difficult exams this month, so I don’t know how much spare time I’ll have – it’s also not that hard to install, I think you’ll manage to do it with the guides that are available atm).
My server is currently running Gentoo, albeit a heavily-modified-by-the-hosting-company edition, which sadly doesn’t work very well…
I had to heavily tweak the MySQLd and Apache2 setup – and it's now running the site stably, but it does freeze every now and again, and they seem to have crippled a lot of the extensions/dependencies within Gentoo, so other software (service monitors, etc.) just refuses to install.
I will backup the forum ;) At 10gb of files + 1gb DB, it’s a little too big to forget! Shame on any Admins who don’t regularly backup their sites – let alone check they have everything before wiping the server!!
Good luck with the exams.
After applying the changes to the ssh config I get the following error message when trying to connect with putty:
Disconnected: No supported authentication methods available
Any idea?
Eric:
Sorry! At first I was typing a guide in which you authenticated to SSH with a special file. Now I see I forgot to remove one line from a black box.
In ‘/etc/ssh/sshd_config’ you have to either remove
PasswordAuthentication no
or set it to ‘yes’.
One problem though may be getting into your box now.. I can’t tell you how to do this if I don’t know your exact situation, but most of the times you can login through a web based terminal, which is provided by your host.
Again, sorry for the hassle, but thanks for your comment!
I’m updating the guide now!
EDIT: Guide updated. I also removed the line “UsePAM no”. You can also set it to yes, or remove it from your sshd_config.
Thanks for updating it. Actually I figured it out myself ;-)
Now I’m stuck here:
iptables-restore < /etc/iptables.test.rules
Bad argument `DROP’
np, thanks for leaving the comment! Even though you figured it out by yourself, I really appreciate the comment. It helps me improve the guide.
But ok, now to your question. I think the problem lies with the ` before DROP. Look at the rules you want to implement in IPTables. There should be DROP somewhere (CTRL+W is search in Nano). You should replace the ` before it into a ‘ (I don’t know how you call those things, sorry, I mean the regular ‘ below ” on your keyboard).
Also, you have to type sudo before the line (I forgot to mention that in the guide, will update it now).
I hope this solves the problem, if not, don’t hesitate to comment again!
Thanks for the fast answer!
There’s no ` before the DROP in the textfile:
-A LINWIZ-INPUT -s 127.0.0.0/8 -j DROP
Since I don’t do it exactly the same way I don’t need to sudo anyway ;-)
Since iptables-restore doesn’t work I’ll go for a script version of the iptables rules.
Can you suggest the rc-update command so I have all important runlevels covered?
Will “update-rc.d firewall defaults” do it?
I think you might find the apostrophe problem is actually WordPress… It tries to be clever and do curly quotes, but obviously not when code is involved..
Glad others have found the problems before me… lol
Not sure if it helps others, but on previous servers, I’ve actually used two programs to look after the IPTables/Firewall: APF (Advanced Policy Firewall) and backed up with BFD (Brute Force Detection).
How-To guide for APF:
http://www.webhostgear.com/61_print.html
Then BFD (you need to install APF first):
http://www.webhostgear.com/60_print.html
Once running, it will look after your server, email you when someone tries to hack into your server with all their details, but don’t worry – it's already blocked them on the firewall… :)
Thanks, will have a look at it.
By the way, MySQL doesn’t work with the server this way. You have to install php-mysql additionally to make it work!
eric: Thanks for pointing that out! Also sorry for forgetting things, but you (I’m not implying that you don’t) have to understand that there will always be a few errors in a brand new guide (even though I tried to write down almost exactly how I setup the server this site is running on).
And by pointing that out you also helped me remember that I was going to add something about PHP modules like GD.
(I’ll try to look into your problem tomorrow btw, have to sleep now)
andi: Thanks for the links!
all: excuse me for using both apt-get and aptitude, as I’m used to Gentoo’s emerge I don’t exactly know which of the two is better….
Since most ‘powered by’ websites nowadays need GD and SQL, if you could add these to the guide – that would be great!
I’ll be needing to get both of those tonight ;)
Added a small part about installing GD, it’s quite easy actually: most important thing is restarting Lighttpd after installing it. The php5-mysql module is also added to the guide (which is indeed crucial to get mysql running).
Brilliant, thank you!
Looks like the Mrs. has vetoed me playing with Ubuntu tonight, but she’s out tomorrow night, so rescheduled for Saturday! Haha..
Just completed my server re-install, with a massive help (and thanks) to this guide.
All went pretty well apart from a little bit of ‘fun’ trying to get lighttpd working. In the end, I setup simple-vhosts which once configured made it all a doddle!!
It’s 3 simple lines in the config:
simple-vhost.server-root = "/home/USER/web/"
simple-vhost.default-host = "domain.tld"
simple-vhost.document-root = "/"
Then add
"mod_simple_vhost",
in your server.modules string in the config too.
Then all I need to do is create a new folder in /home/USER/web for the domain I want to add and place the www files in there. No need to touch the config!
So to add eg google.com, I would:
cd /home/USER/web
mkdir google.com
sudo ln -s google.com www.google.com
The last part I make a symbolic link from www. to the directory so both work.
—– do you know how to make the www. always work via the simple-vhosts bit? Would be nice not to have to do the symlink each time.
In the guide there are a couple of ‘sudo’ bits missing – but the command line will tell you if you don’t have the rights ;)
*sigh*
All was working well early this morning when I went to bed (4:30am!).
Got up at 8am and checked – yup, site still up, so went out for the day.
I’ve had a raft of messages saying the site has been really slow, sometimes unavailable, or missing pictures (gifs mostly)…
I’ve tried disabling the image caching (thinking it may affect the gif icons on a forum) and tried it with both xcache enabled and disabled. Also looked at server tweaks for lighttpd… Nothing seems to help :(
I’m at a loss at what to do now. I’m sure the issue is in the config, somewhere….. where to start?
Update: (Haha, whose blog is this? lol)
I didn’t do anything with the server last night – I was too tired. It was misbehaving and wasn’t responding, wouldn’t show gifs, css… (I’m talking about its web-servery-ness. As an actual machine it runs fine, but serving webpages, mostly php, is its purpose).
This morning?
Running like a peach. Didn’t do anything.
I like it when things get fixed by me – not by themselves!!
Sorry, but you use sudo way too often and restart lighttpd way too often. You don’t need to be root to edit a file in your home directory, and after installing a PHP module you don’t need to restart lighttpd; it’s enough to kill the PHP FastCGI server by running
sudo killall php.fcgi (or something similar, depending on the name of the PHP process).
Question from a complete Linux newbie: I’m following this guide along with a brand-new Ubuntu 8.04 LTS image on Linode. When I get to the part where I’m implementing the aliases and I enter “sudo source ~/.bashrc” I get a “sudo: source: command not found” error.
Can anyone tell me what this means? I didn’t find any thing terribly helpful when I searched. I’m reluctant to experiment – I shot my last attempt at Linux that way.
Thanks!
Never mind, I think I stumbled across it right after I posted. I did a simple “source .bashrc” and it seemed to work just fine.
[...] got the first ubuntu box pretty much set up thanks to a nice tutorial from nanoTux. Of course I skipped the http server portion as well as the PHP and got Java installed. No real [...]
Great howto, but I have problems setting up MySQL. These are the error messages I get:
Starting MySQL database server mysqld [fail]
invoke-rc.d: initscript mysql, action “start” failed.
dpkg: error processing mysql-server-5.0 (--configure):
subprocess post-installation script returned error exit status 1
dpkg: dependency problems prevent configuration of mysql-server:
mysql-server depends on mysql-server-5.0; however:
Package mysql-server-5.0 is not configured yet.
dpkg: error processing mysql-server (--configure):
dependency problems - leaving unconfigured
Errors were encountered while processing:
mysql-server-5.0
mysql-server
Any idea what to do about this?
yours,
Erik
Erik: Hmmm… Kinda strange. Could you do the following:
sudo aptitude update
sudo aptitude remove mysql-server-5.0
sudo aptitude remove mysql-server
and then
sudo aptitude install php5-mysql
sudo aptitude install mysql-server mysql-client
sudo aptitude install libmysqlclient15-dev
mysql_secure_installation
If the error persists, please give me the full output of the last commands in a pastebin: http://pastebin.com/ (don’t paste them here, just link to the pastebin)
got a small issue, as soon as I add:
fastcgi.server = ( ".php" => ((
"bin-path" => "/path/to/php-cgi",
"socket" => "/tmp/php.socket"
)))
I can’t access my site (either index.html or info.php). removing that solves the problem.
Any ideas?
Thanks
I fixed it, on Ubuntu 8.10 the “/path/to/php-cgi” needs to be replaced with “/usr/bin/php-cgi”
The standard hardy install of lighttpd includes mechanisms to enable and disable configuration files. Fastcgi is already included.
/etc/lighttpd/conf-available/README contains instructions and you can enable/disable modules from the commandline without the need to edit the config file.
I only used your HowTo to install lighttpd and php, so I’ve not read all of it. Otherwise, thanks for this HowTo, covers it nicely.
Hi!
I don’t know if that is possible, but I’m trying to test the mail server on my local machine… I have Google Apps in one domain of mine, and I’m trying to use that, but when I try to send emails from there, I get the following in the msmtp.log file:
Fev 09 15:21:00 host=smtp.gmail.com tls=on auth=on user=dejamps@domain.net from=dejamps@domain.net recipients=eber.freitas@gmail_domain.com errormsg=’cannot set X509 trust file /home/eber/.certs/ThawtePremiumServerCA.crt for TLS Session: Error while reading file.’ exitcode=EX_NOINPUT
My server log file says the following:
msmtp: cannot set X509 trust file /home/eber/.certs/ThawtePremiumServerCA.crt for TLS Session: Error while reading file.
msmtp: could not send mail (account default from /etc/msmtprc)
Is that only ’cause I’m running it locally or is there anything wrong with the certificates and so on? Thank you!
Hey! I fixed it!
I’ve run the following:
——————————————
sudo aptitude install ca-certificates
sudo update-ca-certificates
sudo vim /etc/msmtprc
tls_trust_file /etc/ssl/certs/ca-certificates.crt
l2r
——————————————
Now the mail server is running perfectly :)
How about installing and configuring Ruby/Rails?
Hi
The link to IPTables is not working – do you have an alternative link?
thanks
@Adam: Thanks for your reply! The site seems down indeed.
You can use
http://easyfwgen.morizot.net/gen/index.php
in the meantime. It’s maybe even better than the original link I posted. Make sure you choose “Allow Inbound Services” and “Specify a custom port range”, insert your SSH port there and declick the SSH option. Big chance that you also have to choose “Static IP” and fill in your servers IP address.
@Kevin: Installing will be quite easy through the package manager (apt-get or aptitude). Configuring is too complicated to explain in a comment, but there’s a chance that I’ll make a post about it somewhere soon (depends on my spare time).
I setup a server very similar to this, however I was using Apache 2.2 rather than Lighttpd, next time I plan to build a server from scratch, I will try using Lighttpd that way you have here.
Great guide, thanks.
I’m getting ‘opening errorlog …. failed: Permission denied’
To fix, edit the lighttpd.conf entry for virtual hosts and instead of ‘server.errorlog’, I believe it should be:
‘errorlog.filename’ .
Great guide; thanks for posting; I’ll be trying it out in the next few days.
Thanks NanoTux! It took me a while to set up (my first server) but everything works great now! Thanks for the tutorial.
Awesome guide I just got it working on my laptop thanks :D
Dear Admin,
Great walk-through tutorial. I had already installed Ubuntu 8.04 server onto my web server along with the Apache, MySQL, and PHP packages. After reading your tutorial, do I need to reinstall Ubuntu and start from scratch if I want to set up lighttpd?
Thanks for the guide. This has been my go-to for a while now to remind me what all I need to do when setting up a new server. Even a couple of years later it works great with minor modifications and additions (Debian, using RSA pubkey authentication for ssh, denyhosts, one or two other little things). I’ve finally realized I do this often enough that I’m going to just write a shell script to set up servers for me, but I wanted to thank you for the work. It’s been really useful.