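#!/bin/sh
#
# dxr@brutalsec.net
# 01-09-2009
#
# Checklist for running Apache 2 + PHP 5 inside a debootstrap chroot rooted at
# /var/www/html (Debian lenny, mod_chroot, suPHP, mini_sendmail).
#
# This file is a set of notes, not an unattended installer: the guard below
# stops the shell before any step is reached. Run the steps by hand, as root,
# one at a time, and read the review notes first.
#
# NOTE(review): the release named here (lenny) is long past end-of-life, so
# treat the package names and mirror URL as historical.
exit 1;

###############################################################################
# 1. If this is not a new installation: BACKUP, BACKUP, BACKUP.
###############################################################################

###############################################################################
# 2. Create partitions
#
#   /var/www/                        Chroot partition (ext3)
#   /var/www/html/                   Chroot system
#   /var/www/html/var/log/apache2    Log partition (ext3)
#   /var/www/html/var/www/html       Webs partition (xfs)
#   /var/www/html/tmp                Temporary dir (tmpfs; the author left the
#                                    options blank)
#
#   /dev/lvm_foobar1/chroot_lv     -> /var/www/                      (ext3)
#   /dev/lvm_foobar2/apachelogs_lv -> /var/www/html/var/log/apache2  (ext3)
#   /dev/lvm_foobar3/hosting_lv    -> /var/www/html/var/www/html     (xfs)
#
# NOTE(review): no mount command for the tmpfs is given below. When adding
# one, nosuid,nodev,noexec is the usual hardening choice for a web-writable
# temporary directory - confirm the hosted applications tolerate noexec.
###############################################################################
mount /dev/lvm_foobar1/chroot_lv /var/www/
mkdir -p /var/www/html/var/log/apache2 /var/www/html/var/www/html
mount /dev/lvm_foobar2/apachelogs_lv /var/www/html/var/log/apache2
mount /dev/lvm_foobar3/hosting_lv /var/www/html/var/www/html

###############################################################################
# 3. Clear any existing apache and php installation
#
# Apache and PHP should never be installed in the non-chroot system. If they
# already are: back up their configuration, uninstall them, and check every
# symbolic link.
###############################################################################
dpkg -l|egrep --color -i 'apache|php'

###############################################################################
# 4. Prepare the chroot environment
###############################################################################
apt-get install debootstrap libpcre3 libaprutil1 libxml2 mime-support time

# NOTE(review): the mirror is reached over plain FTP, so integrity rests on
# debootstrap checking the signed Release file. That presumably needs the
# Debian archive keyring on the host - confirm it is installed before running.
debootstrap --arch=amd64 lenny /var/www/html/ ftp://ftp.fr.debian.org/debian/

# Appends are not idempotent: running these twice duplicates the entries.
echo "/proc /var/www/html/proc proc defaults 0 0">>/etc/fstab
echo "devpts /var/www/html/dev/pts devpts defaults 0 0">>/etc/fstab
mount -a

# Confine members of the sshusers group to the chroot at login.
# NOTE(review): presumably relies on the "chroot" item of Debian's pam_limits;
# verify the PAM stack in use honours it.
echo "@sshusers - chroot /var/www/html/">>/etc/security/limits.conf

# Paths are spelled out because the original /etc/{passwd,group,apt} brace
# expansion is a bashism and this file declares #!/bin/sh.
# /etc/shadow is not copied, so no password hashes enter the chroot; the host's
# account and group names do become readable from inside it.
cp -r /etc/passwd /etc/group /etc/apt /var/www/html/etc/

chroot /var/www/html apt-get update
# --force-yes was dropped: it lets apt continue with unauthenticated packages,
# which defeats signature checking for everything installed into the chroot.
# If apt now refuses, fix the keyring/sources inside the chroot instead.
chroot /var/www/html apt-get install fakeroot -y
chroot /var/www/html apt-get install locales
chroot /var/www/html dpkg-reconfigure locales

# Move any host-side Apache/PHP trees out of the way so that step 5 can put
# symlinks in their place. mv just reports an error for paths that are absent.
mv /usr/lib/apache2 /usr/lib/apache2_old
mv /var/log/apache2 /var/log/apache2_old
mv /var/lock/apache2 /var/lock/apache2_old
mv /var/lib/apache2 /var/lib/apache2_old
mv /usr/lib/php5 /usr/lib/php5_old
mv /etc/apache2 /etc/apache2_old
mv /etc/suphp /etc/suphp_old

chroot /var/www/html apt-get install \
  apache2 apache2.2-common apache2-doc apache2-mpm-prefork apache2-utils \
  libexpat1 ssl-cert libapache2-mod-php5 php5 php5-common php5-gd php5-mysql \
  php5-imap phpmyadmin php5-cli php5-cgi libapache2-mod-fcgid apache2-suexec \
  php-pear php-auth php5-mcrypt mcrypt php5-imagick imagemagick \
  libapache2-mod-suphp libopenssl-ruby libapache2-mod-chroot php-apc
chroot /var/www/html /etc/init.d/apache2 stop
chroot /var/www/html a2enmod mod_chroot
chroot /var/www/html a2enmod suexec

echo "ChrootDir /var/www/html" > /var/www/html/etc/apache2/conf.d/mod_chroot.conf
sed -i -e 's#DocumentRoot /var/www/#DocumentRoot /var/www/html/#' /var/www/html/etc/apache2/sites-enabled/000-default
# NOTE(review): the replacement below ends by repeating the x-httpd-php line it
# started with, so suphp.conf ends up with that handler twice - confirm this is
# intended.
sed -i -e 's#x-httpd-php=php:/usr/bin/php-cgi#x-httpd-php=php:/usr/bin/php-cgi\nx-httpd-suphp=php:/usr/bin/php-cgi\nx-httpd-php=php:/usr/bin/php-cgi#' /var/www/html/etc/suphp/suphp.conf

# Protect the apache configuration: ONLY root can read it.
# The original targeted /etc/apache2/, which does not exist at this point (it
# was moved to /etc/apache2_old above and the symlink is only created in
# step 5), so the permissions were never applied. The real directory lives
# inside the chroot.
chown root:root /var/www/html/etc/apache2/ && chmod 700 /var/www/html/etc/apache2/
# 711: other users may traverse the PHP configuration directory but not list it.
chmod 711 /var/www/html/etc/php5/

###############################################################################
# 5. Link the host paths to the chroot copies
#
# It is a good idea to add a nagios alarm that checks every symbolic link is
# correct.
#
# NOTE(review): after this step the host's apache2, apache2ctl and a2* commands
# resolve to files inside the chroot, so whatever root runs from the host comes
# from that tree. Keep those targets root-owned and not writable by hosted
# accounts, and have the monitoring check the link targets, not just that the
# links exist.
###############################################################################
ln -s /var/www/html/etc/apache2 /etc/apache2
ln -s /var/www/html/etc/suphp /etc/suphp
ln -s /var/www/html/var/run/apache2 /var/run/apache2
ln -s /var/www/html/var/run/apache2.pid /var/run/apache2.pid
ln -s /var/www/html/usr/sbin/apache2ctl /usr/sbin/apache2ctl
ln -s /var/www/html/usr/sbin/apache2 /usr/sbin/apache2
ln -s /var/www/html/usr/lib/apache2 /usr/lib/apache2
ln -s /var/www/html/usr/sbin/a2enmod /usr/sbin/a2enmod
ln -s /var/www/html/usr/sbin/a2dismod /usr/sbin/a2dismod
ln -s /var/www/html/usr/sbin/a2ensite /usr/sbin/a2ensite
ln -s /var/www/html/usr/sbin/a2dissite /usr/sbin/a2dissite
ln -s /var/www/html/var/log/apache2 /var/log/apache2
ln -s /var/www/html/var/lock/apache2 /var/lock/apache2
ln -s /var/www/html/var/lib/apache2 /var/lib/apache2
ln -s /var/www/html/usr/lib/php5 /usr/lib/php5

###############################################################################
# 6. Install mini_sendmail for the chroot
#
# NOTE(review): both downloads use plain HTTP and nothing verifies them before
# they are patched, compiled and installed as the chroot's sendmail, all as
# root. The patch comes from a third-party build tree, not from the
# mini_sendmail author. Obtain the tarball and patch over an authenticated
# channel, or compare them with a digest you trust (<EXPECTED_SHA256>), and
# read the patch before applying it.
###############################################################################
# Build in a private directory rather than directly in the world-writable
# /tmp, where another local user could pre-place files under the same names.
build_dir=$(mktemp -d) || exit 1
cd "$build_dir" || exit 1
wget http://acme.com/software/mini_sendmail/mini_sendmail-1.3.6.tar.gz
tar xzf mini_sendmail-1.3.6.tar.gz
wget http://users1.leipzig.freifunk.net/%7Efirmware-build/brcm_2_4_Broadcom_default/build/openwrt_packages/mail/mini_sendmail/patches/200-fullname.patch
patch -p0 < 200-fullname.patch
make
# Digest the author recorded for the resulting binary (md5sum-style output):
# 2e555b2573c3ea65a467a5960f0b51f6  mini_sendmail
# A build with another toolchain will likely differ, so this cannot stand in
# for verifying the downloads.

mv /var/www/html/usr/lib/sendmail /var/www/html/usr/lib/sendmail_old
mv /var/www/html/usr/sbin/sendmail /var/www/html/usr/sbin/sendmail_old
cp mini_sendmail /var/www/html/usr/sbin/mini_sendmail
# The original ran both links as one command with the second "cd" missing,
# which made ln treat /var/www/html/usr/sbin as a target directory and create
# the wrong links. Each link is now made from its own directory.
cd /var/www/html/usr/lib/ && ln -s ../sbin/mini_sendmail sendmail
cd /var/www/html/usr/sbin && ln -s mini_sendmail sendmail
# ./mini_sendmail -h
# usage: ./mini_sendmail [-f] [-t] [-s] [-p] [-T] [-v] [address ...]

###############################################################################
# (The author's numbering has no step 7; these php.ini notes sit between
# steps 6 and 8.)
#
# Add to php.ini, around line 672, in:
#   /var/www/html/etc/php5/apache2/php.ini
#   /var/www2/etc/php5/cli/php.ini
#   /var/www2/etc/php5/cgi/php.ini
# NOTE(review): the last two paths start with /var/www2, unlike every other
# path in these notes (/var/www/html) - presumably left over from another
# host; confirm before editing.
#
#   sendmail_path = /usr/sbin/mini_sendmail -t -i -fhosting@alojamientotecnico.com -s127.0.0.1
###############################################################################

# Test
apache2ctl restart
# Then, from a shell inside the chroot (chroot /var/www/html/):
#   # php -i|grep --color sendmail
#   sendmail_from => no value => no value
#   sendmail_path => /usr/sbin/mini_sendmail -t -i -fhosting@alojamientotecnico.com -s127.0.0.1 => /usr/sbin/mini_sendmail -t -i -fhosting@alojamientotecnico.com -s127.0.0.1
#   Path to sendmail => /usr/sbin/mini_sendmail -t -i -fhosting@alojamientotecnico.com -s127.0.0.1
#
# It would be a good idea to check /var/www/html/usr/lib/sendmail,
# /var/www/html/usr/sbin/sendmail and /var/www/html/usr/sbin/mini_sendmail
# with a nagios alarm ;)

###############################################################################
# 8. Install ispconfig
# ........
###############################################################################

###############################################################################
### Migration to another server ###
#
# Really easy: do step 1, and then do a simple rsync.
#
# NOTE(review): rsync -a maps owners by user/group name by default. If the
# accounts on the two hosts differ, file ownership inside the copied chroot
# can change; consider --numeric-ids and check ownership afterwards. The copy
# also logs in as root on host1 - prefer key-based access restricted to this
# transfer.
###############################################################################
# Presumably run inside screen so the copy survives a dropped session.
screen
time rsync -a --progress root@host1:/var/www/ /var/www/

# Install some of apache's dependencies
apt-get install debootstrap libpcre3 libaprutil1 libxml2 mime-support

# Do step 5
# Do step 6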