Linux Web Server and Domain Configuration Tutorial
Linux Web Server and Domain Configuration Tutorial
LinuxWebServerandDomainConfigurationTutorial
LinuxInternetWebServerandDomainConfigurationTutorial
HowToCreateanApachebasedLinuxwebsiteserver
Create a web server with Linux, Apache, FTP and bind DNS: This tutorial covers the Linux server configuration required to host a website. The Apache web server, FTP server and DNS configuration are covered. The Apache web server is required to serve the web pages, the FTP server is required for users to upload content and the DNS server is required to resolve the domain names so that a URL entered into a web browser will point to your web server and properly serve the correct pages. The configurations presented will include virtual hosting which will allow a single Linux server to support multiple website domains.

Tutorial topics:
- Linux Apache web (httpd) server configuration
- Linux FTPd server and FTP user accounts
- vsFTPd and FTP user account configuration
- wuFTPd and FTP user account configuration
- Basic "user account" configuration for maximum security on an Internet based web server
- Linux DNS (Domain Name Server) configuration using Bind version 8 or 9 (named)
- Web Server Load Balancing
- Managing web server daemons (services)
- Links and Resources

Also see: Web Site Security Tutorial: YoLinux Internet Server Security Tutorial
Web Site Prerequisites:
This tutorial assumes that a computer has Linux installed and running. See Red Hat Installation for the basics. A connection to the internet is also assumed. A connection of 128 Mbits/sec or greater will yield the best results. ISDN, DSL, cable modem or better are all suitable. A 56k modem will work but the speed will be mediocre at best. The tasks must also be performed with the root user login and password.

No single distribution seems to have an advantage. A Ubuntu, SuSe, Fedora, Red Hat or CentOS distribution will include all of the software you will need to configure a web server. If using Red Hat Enterprise Linux, both the Workstation or the Server edition will support your needs except that the Workstation edition will not include the vsFTP package. It will have to be compiled from source or use sftp.

Software Prerequisites: The Apache web server (httpd), FTP (requires xinetd or inetd) and Bind (named) software packages with their dependencies are required. One can use the rpm command to verify installation:

Fedora Core 1+, Red Hat Enterprise 4/5, CentOS 4/5:
    rpm -q httpd bind bind-chroot bind-utils system-config-bind xinetd vsftpd
RPMs added FC2+: system-config-httpd
RPMs added FC3+: httpd-suexec

Red Hat 9.0:
    rpm -q httpd bind xinetd vsftpd
A Red Hat 8.0 wu-ftpd RPM may be installed (newer version 2.6.2 or later with security fix: wu-ftpd-2.6.2-11) or install from source.

Red Hat 8.0:
    rpm -q httpd bind xinetd wu-ftpd

Red Hat 7.x:
    rpm -q apache bind inetd wu-ftpd
Use wu-ftpd version 2.6.2 or later to avoid security problems.

SuSE 9.3:
    rpm -ivh apache2 apache2-prefork bind bind-chrootenv bind-utils vsftpd
Note: The apache2-MPM is a generic term for the Apache installation options for "Multi-Processing Modules (MPMs)", "prefork" or "worker". If you try to only install apache2 you will get the following error:
    apache2-MPM is needed by apache2-2.0.53-9
Also see Apache.org: MPMs

Ubuntu (natty 11.04)/Debian:
    apt-get install apache2
    apt-get install bind9
    apt-get install vsftpd
Source: http://www.yolinux.com/TUTORIALS/LinuxTutorialWebSiteConfig.html (4/7/2015)

Ubuntu (dapper 6.06/hardy 8.04)/Debian:
    apt-get install apache2 apache2-common apache2-mpm-prefork apache2-utils
    apt-get install bind9
    apt-get install vsftpd

One should also have a working knowledge of the Linux init process so that these services are initiated upon system boot. See the YoLinux init process tutorial for more info.

Apache HTTP Web server configuration:
This tutorial is for the Apache HTTP web server (Version 1.3 and 2.0). See the YoLinux list of Linux HTTP servers for a list of other web servers for the Hyper Text Transport Protocol.

The Apache web server configuration file is: /etc/httpd/conf/httpd.conf

Web pages are served from the directory as configured by the DocumentRoot directive. The default directory location is:

    Linux distribution                                                   Apache web server "DocumentRoot"
    Red Hat 7.x-9, Fedora Core, Red Hat Enterprise 4/5/6, CentOS 4/5/6   /var/www/html/
    Red Hat 6.x and older                                                /home/httpd/html/
    Suse 9.x                                                             /srv/www/htdocs/
    Ubuntu (dapper 6.06)/Debian                                          /var/www/html
    Ubuntu (hardy 8.04/natty 11.04)/Debian                               /var/www

The default home page for the default configuration is index.html. Note the pages should not be owned by user apache as this is the process owner of the web server daemon. If the web server process is compromised, it should not be allowed to alter the files. The files should of course be readable by user apache.
Apache may be configured to run as a host for one web site in this fashion or it may be configured to serve for multiple domains. Serving for multiple domains may be achieved in two ways:
- Virtual hosts: One IP address but multiple domains. "Name based" virtual hosting.
- Multiple IP based virtual hosts: One IP address for each domain. "IP based" virtual hosting.

The default configuration will allow one to have multiple user accounts under one domain by using a reference to the user account: http://www.domain.com/~user1/. If no domain is registered or configured, the IP address may also be used: http://XXX.XXX.XXX.XXX/~user1/.

[Potential Pitfall] The default umask for directory creation is correct by default but if not use: chmod 755 /home/user1/public_html

[Potential Pitfall] When creating new "Directory" configuration directives, I found that placing them by the existing "Directory" directives was a bad idea as it would not use the .htaccess file. This was because the statement defining the use of the .htaccess file was after the "Directory" statement. Previously the files were separated and the order was defined a little different. I now place new "Directory" statements near the end of the file just before the "..." statements.

For users of Red Hat 7.1, the GUI configuration tool apacheconf was introduced for the crowd who like to use pretty point and click tools.

Files used by Apache:
- Start/stop/restart script:
    Red Hat/Fedora/CentOS: /etc/rc.d/init.d/httpd
    SuSE 9.3: /etc/init.d/apache2
    Ubuntu (dapper 6.06/hardy 8.04/natty 11.04)/Debian: /etc/init.d/apache2
- Apache main configuration file:
    Red Hat/Fedora/CentOS: /etc/httpd/conf/httpd.conf
    SuSE: /etc/apache2/httpd.conf (Need to add directive: ServerName hostname)
    Ubuntu (dapper 6.06/hardy 8.04/natty 11.04)/Debian: /etc/apache2/apache2.conf
- Apache supplementary configuration files:
    Red Hat/Fedora/CentOS: /etc/httpd/conf.d/component.conf
    SuSE: /etc/apache2/conf.d/component.conf
    Ubuntu (dapper 6.06/hardy 8.04/natty 11.04)/Debian:
        Virtual domains: /etc/apache2/sites-enabled/domain
            (Create a soft link from /etc/apache2/sites-enabled/domain to /etc/apache2/sites-available/domain to turn on. Use the command a2ensite.)
        Additional configuration directives: /etc/apache2/conf.d/
        Modules to load: /etc/apache2/mods-available/ (Soft link to /etc/apache2/mods-enabled/ to turn on)
        Ports to listen to: /etc/apache2/ports.conf
- Apache log files:
    Red Hat/Fedora Core: /var/log/httpd/access_log and error_log
    Suse: /var/log/apache2/

Start/Stop/Restart scripts: The script is to be run with the qualifiers start, stop, restart or status, i.e. /etc/rc.d/init.d/httpd restart. A restart allows the web server to start again and read the configuration files to pick up any changes. To have this invoked upon system boot issue the command chkconfig --add httpd. See the Linux Init Process Tutorial for a more complete discussion.

Also Apache control tool: /usr/sbin/apachectl start

Apache Control Command: apachectl:
- Red Hat/Fedora Core/CentOS: apachectl directive
- Ubuntu dapper 6.06/hardy 8.04/natty 11.04/Debian: apachectl (soft link to apache2ctl) or apache2ctl directive
    Directive       Description
    start           Start the Apache httpd daemon. Gives an error if it is already running.
    stop            Stops the Apache httpd daemon.
    graceful        Gracefully restarts the Apache httpd daemon. If the daemon is not running, it is started. This differs from a normal restart in that currently open connections are not aborted.
    graceful-stop   Gracefully stops the Apache httpd daemon. This differs from a normal restart in that currently open connections are not abor​ted.
    restart         Restarts the Apache httpd daemon. If the daemon is not running, it is started. This command automatically checks the configuration files as in configtest before initiating the restart to make sure the daemon doesn't die.
    status          Displays a brief status report.
    fullstatus      Displays a full status report from mod_status. Requires mod_status enabled on your server and a text-based browser such as lynx available on your system. The URL used to access the status report can be set by editing the STATUSURL variable in the script.
    configtest, -t  Run a configuration file syntax test.

Apache control tool: apachectl man page
Apache Configuration Files:
- /etc/httpd/conf/httpd.conf: is used to configure Apache. In the past it was broken down into three files. These may now be all concatenated into one file. See the Apache online documentation for the full manual.
- /etc/httpd/conf.d/application.conf: All configuration files in this directory are included during Apache startup. Used to store application specific configurations.
- /etc/sysconfig/httpd: Holds environment variables used when starting Apache.

Basic settings: Change the default value for ServerName www.<your-domain.com>

Giving Apache access to the file system: It is prudent to limit Apache's view of the file system to only those directories necessary. This is done with the Directory statement. Start by denying access to everything, then grant access to the necessary directories.

Deny access completely to the file system root ("/") as the default. Deny first, then grant permissions:

    <Directory />
        Options None
        AllowOverride None
    </Directory>

Set the default location of system web pages and allow access: (Red Hat/Fedora/CentOS)

    DocumentRoot "/var/www/html"
    <Directory "/var/www/html">
        Options Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

Grant access to a user's web directory: public_html

Enabling Red Hat/Fedora Linux, Apache public_html user directory access:
This will allow users to serve content from their home directories under the subdirectory "/home/userid/public_html/" by accessing the URL http://hostname/~userid/
File: /etc/httpd/conf/httpd.conf
Edit the mod_userdir section so that the "UserDir disable" line is commented out and the "UserDir public_html" line is uncommented:

    LoadModule userdir_module modules/mod_userdir.so
    ...
    <IfModule mod_userdir.c>
        #UserDir disable
        #
        # To enable requests to /~user/ to serve the user's public_html
        # directory, remove the "UserDir disable" line above, and uncomment
        # the following line instead:
        UserDir public_html
    </IfModule>
    ...
    <Directory /home/*/public_html>
        AllowOverride FileInfo AuthConfig Limit
        Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
        <Limit GET POST OPTIONS>
            Order allow,deny
            Allow from all
        </Limit>
        <LimitExcept GET POST OPTIONS>
            Order deny,allow
            Deny from all
        </LimitExcept>
    </Directory>

Change to a comment (add "#" at the beginning of the line) the Fedora Core default "UserDir disable" and assign the directory public_html as a web server accessible directory.

OR

Assign a single user the specific ability to share their directory:
    <Directory /home/user1/public_html>
        AllowOverride None
        Order allow,deny
        Allow from all
        Options Indexes Includes FollowSymLinks
    </Directory>

Allows the specific user, "user1" only, the ability to serve the directory /home/user1/public_html/

Also use the SELinux command to set the security context: setsebool httpd_enable_homedirs true

Directory permissions: The Apache web server daemon must be able to read your web pages in order to feed their contents to the network. Use an appropriate umask and file protection. Allow access to the web directory: chmod ugo+rx -R public_html.
Note that the user's directory also has to have the appropriate permissions as it is the parent of public_html.

Default permissions on the user directory: ls -l /home
    drwx------ 20 user1 user1 4096 Mar 5 12:16 user1

Allow the web server access to operate the parent directory: chmod ugo+x /home/user1
    drwx--x--x 20 user1 user1 4096 Mar 5 12:16 user1

One may also use groups to control permissions. See the YoLinux tutorial on managing groups.
Enabling Ubuntu's Apache public_html user directory access:
Ubuntu has broken out the Apache loadable module directives into the directory /etc/apache2/mods-available/. To enable an Apache module, generate soft links to the directory /etc/apache2/mods-enabled/ by using the commands a2enmod/a2dismod to enable/disable Apache modules.

Example:
    [root@node2]# a2enmod
A list of available modules is displayed. Enter "userdir" as the module to enable.

Restart Apache with the following command: /etc/init.d/apache2 force-reload

Note: This is the same as manually generating the following two soft links:
    ln -s /etc/apache2/mods-available/userdir.conf /etc/apache2/mods-enabled/userdir.conf
    ln -s /etc/apache2/mods-available/userdir.load /etc/apache2/mods-enabled/userdir.load

Man page: a2enmod/a2dismod

[Potential Pitfall]: If the Apache web server cannot access the file you will get the error "403 Forbidden" "You don't have permission to access ... on this server." Note the default permissions on a user directory when first created with "useradd" are:
    drwx------ 3 userx userx
You must allow the web server running as user "apache" to access the directory if it is to display pages held there.
Fix with the command: chmod ugo+rx /home/userx
    drwxr-xr-x 3 userx userx
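The checks behind the two permission pitfalls above, as an added shell example that is not part of the YoLinux tutorial: it walks from the root down to a public_html directory and reports each reason Apache would answer "403 Forbidden" (no o+x on a parent such as /home/user1, pages not world-readable), and also flags pages owned by the daemon user, which the tutorial warns against. It assumes GNU stat (Linux) and takes the daemon user name as a parameter, defaulting to "apache" as on Red Hat/Fedora.

```shell
#!/bin/sh
# Added example, not from the YoLinux tutorial. Assumes GNU stat (Linux).
# The daemon user name is an assumption; it defaults to "apache" (Red Hat/Fedora),
# Ubuntu/Debian systems would pass "www-data".

# check_webdir DIR [DAEMON_USER]
# Prints one line per problem found; the exit status is the number of problems (0 = OK).
check_webdir() {
    dir=$1
    daemon=${2:-apache}
    problems=0

    # Every directory on the way down needs the search (x) bit for "other",
    # otherwise the httpd process cannot even traverse into public_html
    # (the tutorial's "chmod ugo+x /home/user1").
    path=""
    for comp in $(printf '%s\n' "$dir" | tr '/' ' '); do
        path="$path/$comp"
        if ! mode=$(stat -c '%a' "$path" 2>/dev/null); then
            echo "missing: $path"
            problems=$((problems + 1))
            continue
        fi
        # Last octal digit is the "other" permission triple; bit 1 is execute/search.
        if [ $(( (mode % 10) & 1 )) -eq 0 ]; then
            echo "no o+x on directory: $path (mode $mode)"
            problems=$((problems + 1))
        fi
    done

    # Inside public_html every directory must be o+rx and every page o+r
    # (the tutorial's "chmod ugo+rx -R public_html").
    baddirs=$(find "$dir" -type d ! -perm -o=rx 2>/dev/null | wc -l)
    if [ "$baddirs" -gt 0 ]; then
        echo "$baddirs directories not world-accessible under $dir"
        problems=$((problems + 1))
    fi
    badfiles=$(find "$dir" -type f ! -perm -o=r 2>/dev/null | wc -l)
    if [ "$badfiles" -gt 0 ]; then
        echo "$badfiles files not world-readable under $dir"
        problems=$((problems + 1))
    fi

    # Pages owned by the daemon user can be rewritten by a compromised httpd,
    # so the tutorial wants them readable by, but not owned by, that user.
    owned=$(find "$dir" -user "$daemon" 2>/dev/null | wc -l)
    if [ "$owned" -gt 0 ]; then
        echo "$owned entries under $dir are owned by daemon user $daemon"
        problems=$((problems + 1))
    fi

    return $problems
}
```

Run it as `check_webdir /home/user1/public_html apache` after creating a user's web directory; an empty report and exit status 0 means the daemon can serve the tree without being able to alter it.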
SELinux security contexts:
Fedora Core 3 and Red Hat Enterprise Linux 4 introduced SELinux (Security Enhanced Linux) security policies and context labels.

To view the security context labels applied to your web page files use the command: ls -Z

The system enables/disables SELinux policies in the file /etc/selinux/config
SELinux can be turned off by setting the directive SELINUX (then reboot the system):
    SELINUX=disabled
or by using the command setenforce 0 to temporarily disable SELinux until the next reboot.

When using SELinux security features, the security context labels must be added so that Apache can read your files. The default security context label used is inherited from the directory for newly created files. Thus a copy (cp) must be used and not a move (mv) when placing files in the content directory. Move does not create a new file and thus the file does not receive the directory security context label. The context labels used for the default Apache directories can be viewed with the command: ls -Z /var/www

The web directories of users (i.e. public_html) should be set with the appropriate context label (httpd_sys_content_t).

Assign a security context for web pages: chcon -R -h -t httpd_sys_content_t /home/user1/public_html
Options:
- -R: Recursive. Files and directories in the current directory and all subdirectories.
- -h: Affect symbolic links.
- -t: Specify the type of security context.

Use the following security contexts:

    Context Type              Description
    httpd_sys_content_t       Used for static web content, i.e. HTML web pages.
    httpd_sys_script_exec_t   Use for executable CGI scripts or binary executables.
    httpd_sys_script_rw_t     CGI is allowed to alter/delete files of this context.
    httpd_sys_script_ra_t     CGI is allowed to read or append files of this context.
    httpd_sys_script_ro_t     CGI is allowed to read files and directories of this context.

Set the following options: setsebool <httpd-option> true (or set to false)

    Policy                 Description
    httpd_enable_cgi       Allow httpd cgi support.
    httpd_enable_homedirs  Allow httpd to read home directories.
    httpd_ssi_exec         Allow httpd to run SSI executables in the same domain as system CGI scripts.

Then restart Apache:
- Red Hat/Fedora/Suse and all System V init script based Linux systems: /etc/init.d/httpd restart
- Red Hat/Fedora: service httpd restart

The default SE boolean values are specified in the file: /etc/selinux/targeted/booleans

For more on SELinux see the YoLinux Systems Administration tutorial.
Virtual Hosts:
The Apache web server allows one to configure a single computer to represent multiple web sites as if they were on separate hosts. There are two methods available and we describe the configuration of each. Choose one method for your domain:
- Name based virtual host: (most common) A single computer with a single IP address supporting multiple web domains. The web browser, using the HTTP protocol, identifies the domain being addressed.
- IP based virtual host: The virtual hosts can be configured as a single multi-homed computer with multiple IP addresses on a single network card, with each IP address representing a different web domain. This has the appearance of a web domain supported by a dedicated computer because it has a dedicated IP address.

Configuring a "name based" virtual host:
A virtual host configuration allows one to host multiple web site domains on one server. (This is not required for a dedicated linux server which hosts a single web site.)

    NameVirtualHost XXX.XXX.XXX.XXX
    <VirtualHost XXX.XXX.XXX.XXX>
        # www is a CNAME (bind DNS alias) specified in the Bind configuration file (/var/named/...)
        ServerName www.yourdomain.com
        # Allows requests by domain name without the "www" prefix.
        ServerAlias yourdomain.com
        ServerAdmin webmaster@yourdomain.com
        DocumentRoot /home/user1/public_html
        ErrorLog logs/yourdomain.com-error_log
        TransferLog logs/yourdomain.com-access_log
    </VirtualHost>

Notes:
- You can specify more than one IP address, i.e. if the web server is also being used as a firewall/gateway and you have an external internet IP address as well as a local network IP address.

    NameVirtualHost XXX.XXX.XXX.XXX
    NameVirtualHost 192.168.XXX.XXX
    <VirtualHost XXX.XXX.XXX.XXX 192.168.XXX.XXX>
    ...

  See the YoLinux Tutorial on configuring a network gateway/firewall using iptables and NAT.
- Use your IP address for XXX.XXX.XXX.XXX, and your actual domain name and email address.
- One can use DNS views to provide different local network DNS results.
- Note that I configure Apache for both requests http://www.domainname.com and http://domainname.com.
- Once virtual hosts are configured, your default system domain (/var/www/html) will stop working. Your default domain now must be configured as a virtual domain.

    <Directory "/var/www/html">
    ... This part remains the same
    ...
    </Directory>

    # Default for when no domain name is given (i.e. access by IP address)
    <VirtualHost *:80>
        ServerAdmin webmaster@yourdomain.com
        DocumentRoot /var/www/html
        ErrorLog logs/error_log
        TransferLog logs/access_log
    </VirtualHost>

    # Add a VirtualHost definition for your domain which was once the system default.
    <VirtualHost XXX.XXX.XXX.XXX>
        ServerName www.yourdomain.com
        ServerAlias yourdomain.com
        ServerAdmin webmaster@yourdomain.com
        DocumentRoot /var/www/html
        ErrorLog logs/error_log
        TransferLog logs/access_log
    </VirtualHost>
    ...

- Forwarding to a primary URL. It is best to avoid the appearance of duplicated web content from two URLs such as http://www.yourdomain.com and http://yourdomain.com. Supply a forwarding Apache "Redirect".

    <VirtualHost XXX.XXX.XXX.XXX>
        # Note that no aliases are listed
        ServerName www.yourdomain.com
        ...
    </VirtualHost>

    # Add a VirtualHost definition to forward to your primary URL
    <VirtualHost XXX.XXX.XXX.XXX>
        ServerName yourdomain.com
        ServerAlias otherdomain.com
        ServerAlias www.otherdomain.com
        Redirect permanent / http://www.yourdomain.com/
    </VirtualHost>
    ...

  Note: See the YoLinux.com Apache "Redirect" Tutorial

More virtual host examples.
When specifying more domains, they may all use the same IP address or some/all may use their own unique IP address. Specify a "NameVirtualHost" for each IP address.

After the Apache configuration files have been edited, restart the httpd daemon: /etc/rc.d/init.d/httpd restart (Red Hat) or /etc/init.d/apache2 restart (Ubuntu/Debian)
Apache virtual domain configuration with Ubuntu Dapper/Hardy:
Ubuntu separates out each virtual domain into a separate configuration file held in the directory /etc/apache2/sites-available/. When the site domain is to become active, a soft link is created to the directory /etc/apache2/sites-enabled/.

Example: /etc/apache2/sites-available/supercorp

    <VirtualHost XXX.XXX.XXX.XXX>
        ServerName supercorp.com
        ServerAlias www.supercorp.com
        ServerAdmin webmaster@localhost
        DocumentRoot /home/supercorp/public_html/home
        <Directory "/">
            Options FollowSymLinks
            AllowOverride None
        </Directory>
        <Directory /home/supercorp/public_html/home>
            Options Indexes FollowSymLinks MultiViews
            IndexOptions SuppressLastModified SuppressDescription
            AllowOverride All
            Order allow,deny
            Allow from all
        </Directory>
        ScriptAlias /cgi-bin/ /home/supercorp/cgi-bin/
        <Directory "/home/supercorp/cgi-bin/">
            AllowOverride None
            Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
            Order allow,deny
            Allow from all
        </Directory>
        ErrorLog /var/log/apache2/supercorp.com-error.log
        # Possible values include: debug, info, notice, warn, error,
        # crit, alert, emerg.
        LogLevel warn
        CustomLog /var/log/apache2/supercorp.com-access.log combined
        ServerSignature On
    </VirtualHost>

Enable domain:
Create a soft link:
- Manually: ln -s /etc/apache2/sites-available/supercorp /etc/apache2/sites-enabled/supercorp
- Use the Ubuntu scripts a2ensite/a2dissite. Type the command and it will prompt you as to which site you would like to enable or disable.

Restart Apache:
    apache2ctl graceful
or
    /etc/init.d/apache2 restart
or
    /etc/init.d/apache2 reload

Also note that Apache modules can also be enabled/disabled with the scripts a2enmod/a2dismod.

Man pages:
- a2ensite/a2dissite (Ubuntu: Apache2 enable/disable site)
- apache2ctl
Configuring an "IP based" virtual host:
One may assign multiple IP addresses to a single network interface. See the YoLinux networking tutorial: Network Aliasing. Each IP address may then have its own virtual server and individual domain. The downside of the "IP based" virtual host method is that you have to possess multiple/extra IP addresses. This usually costs more. The standard name based virtual hosting method above is more popular for this reason.

    # "*" indicates all IP addresses
    NameVirtualHost *
    <VirtualHost *>
        ServerAdmin webmaster@yourdomain.com
        DocumentRoot /home/user0/public_html
    </VirtualHost>
    <VirtualHost XXX.XXX.XXX.101>
        ServerAdmin webmaster@yourdomain.com
        DocumentRoot /home/user1/public_html
    </VirtualHost>
    <VirtualHost XXX.XXX.XXX.102>
        ServerAdmin webmaster@yourdomain.com
        DocumentRoot /home/user2/public_html
    </VirtualHost>

The default <VirtualHost *> block will be used as the default for all IP addresses not specified explicitly. This default IP (*) may not work for all URL's.

CGI: (Common Gateway Interface)
CGI is a program executable which dynamically generates a web page by writing to stdout. CGI is permitted by either of two configuration file directives:

ScriptAlias:
- Red Hat 7.x-9, Fedora core: ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
- Red Hat 6.x and older: ScriptAlias /cgi-bin/ "/home/httpd/cgi-bin/"
- Suse 9.x: ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"
- Ubuntu (dapper/hardy/natty)/Debian: ScriptAlias /cgi-bin/ "/usr/lib/cgi-bin/"

or

Options +ExecCGI:
    <Directory /var/www/cgi-bin>
        Options +ExecCGI
    </Directory>

The executable program files must have execute privileges, executable by the process owner (Red Hat 7+/Fedora Core: apache. Older use nobody) under which the httpd daemon is being run.

Configuring CGI To Run With User Privileges:
The suEXEC feature provides Apache users the ability to run CGI and SSI programs under user IDs different from the user ID of the calling web server. Normally, when a CGI or SSI program executes, it runs as the same user who is running the web server.
    NameVirtualHost XXX.XXX.XXX.XXX
    <VirtualHost XXX.XXX.XXX.XXX>
        ServerName node1.yourdomain.com
        # Allows requests by domain name without the "www" prefix.
        # www is a CNAME (alias) specified in the Bind configuration file (/var/named/...)
        ServerAlias yourdomain.com www.yourdomain.com
        ServerAdmin webmaster@yourdomain.com
        DocumentRoot /home/user1/public_html/yourdomain.com
        ErrorLog logs/yourdomain.com-error_log
        TransferLog logs/yourdomain.com-access_log
        SuexecUserGroup user1 user1
        <Directory /home/user1/public_html/yourdomain.com/>
            Options +ExecCGI +Indexes
            AddHandler cgi-script .cgi
        </Directory>
    </VirtualHost>

ERROR Pages:
You can specify your own web pages instead of the default Apache error pages:
    ErrorDocument 404 /Error404missing.html
Create the file Error404missing.html in your "DocumentRoot" directory.

Handle all errors with a forwarding page:
    ErrorDocument 400 /error.shtml
    ErrorDocument 401 /error.shtml
    ErrorDocument 403 /error.shtml
    ErrorDocument 404 /error.shtml
    ErrorDocument 500 /error.shtml

Sample file error.shtml (in your "DocumentRoot" directory):
    <!--#echo var="REQUEST_URI" -->
    <!--#echo var="REDIRECT_STATUS" -->
    <h2>Page not found!</h2>
    <!-- Redirect to home page -->
    <META HTTP-EQUIV="Refresh" Content="1;URL=http://www.megacorp.com/">
PHP:
If the appropriate php, perl and httpd RPM's are installed, the default Red Hat Apache configuration and modules will support PHP content. RPM Packages (RHEL4):
- php: HTML-embedded scripting language
- php-pear: PEAR is a framework and distribution system for reusable PHP components.
- php-mysql: MySQL database support.
- php-ldap: Lightweight Directory Access Protocol (LDAP) support

Apache configuration:
Add the php default page index.php to the apache config file: /etc/httpd/conf/httpd.conf
    ...
    DirectoryIndex index.html index.htm index.php
    ...

PHP Configuration File:
- RHEL4 PHP 4.3: /etc/php.ini
- Ubuntu Dapper 6.06/6.11: /etc/php5/apache2/php.ini

    [PHP]
    engine = On
    ...
    display_errors = Off
    include_path = ".:/php/includes"
    ...
    memory_limit = 32M      ; Default is typically 8MB which is too low.
    ...
    [MySQL]
    ...
    mysql.default_host = superserver      ; Hostname of the computer
    mysql.default_user = dbuser
    ...
Small portion of file shown.
Note that changes will not take effect until the apache web server daemon is restarted.

Test your PHP capabilities with this test file: /home/user1/public_html/test.php
    <?php
    phpinfo();
    ?>
OR (older format)
    <?
    phpinfo();
    ?>
Test: http://localhost/~user1/test.php

For more info see the YoLinux list of PHP information web sites.

Running Multiple instances of httpd:
The Apache web server daemon (httpd) can be started with the command line option "-f" to specify a unique configuration file for each instance. Use a unique IP address for each instance of Apache. See the YoLinux Networking Tutorial to specify multiple IP addresses for one NIC (Network Interface Card). Use the Apache configuration file directive Listen XXX.XXX.XXX.XXX, where the IP address is unique for each instance of Apache.

Apache Man Pages:
- httpd: Apache Hypertext Transfer Protocol Server
- apachectl: Apache HTTP Server Control Interface
- ab: Apache HTTP server benchmarking tool
- htdigest: manage user files for digest authentication
- htpasswd: Manage user files for basic authentication
- logresolve: Resolve IP addresses to hostnames in Apache log files
- rotatelogs: Piped logging program to rotate Apache logs

Also see the local online Apache configuration manual: http://localhost/manual/.

Apache Red Hat/Fedora Core GUI configuration:
GUI configuration tool:
- Red Hat EL4/5, Fedora 2-10: /usr/bin/system-config-httpd
- Red Hat 8/9, Fedora Core 1: /usr/bin/redhat-config-httpd

Adding web site login and password protection: See the YoLinux tutorial on web site password protection.

Log file analysis:
Scanning the Apache web log files will not provide meaningful statistics unless they are graphed or presented in an easy to read fashion. The following packages do a good job of presenting site statistics.
- Analog. Also see Report Magic for Analog.
- Webalizer
- AWStats (requires PERL)
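Before reaching for a statistics package, the raw log is already useful for triage. The following is an added shell example, not from the tutorial: it reads an Apache access log in the "combined" format (the format the CustomLog ... combined directive in the supercorp virtual host above writes), counts responses per status code, and lists the clients that drew the most 403/404 responses, which is where both a public_html permission mistake and a probe for pages that do not exist first show up. The log lines are constructed for the example; only a POSIX shell, awk and sort are assumed.

```shell
#!/bin/sh
# Added example, not from the YoLinux tutorial. The log lines below are
# constructed (RFC 5737 test addresses), not a real capture.

# sample_log: a few constructed combined-format entries. The last one is a
# request timeout, which Apache logs with "-" as the request line.
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [07/Apr/2015:10:01:02 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [07/Apr/2015:10:01:03 -0500] "GET /~user1/ HTTP/1.1" 403 289 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Apr/2015:10:02:11 -0500] "GET /cgi-bin/test.cgi HTTP/1.1" 404 295 "-" "curl/7.29.0"
198.51.100.7 - - [07/Apr/2015:10:02:12 -0500] "GET /admin/ HTTP/1.1" 404 295 "-" "curl/7.29.0"
198.51.100.7 - - [07/Apr/2015:10:02:13 -0500] "GET /old/index.html HTTP/1.1" 404 295 "-" "curl/7.29.0"
203.0.113.5 - - [07/Apr/2015:10:03:00 -0500] "POST /cgi-bin/form.cgi HTTP/1.1" 500 612 "http://www.yourdomain.com/" "Mozilla/5.0"
192.0.2.99 - - [07/Apr/2015:10:04:00 -0500] "-" 408 - "-" "-"
EOF
}

# status_summary LOGFILE
# Prints "status count" per HTTP status code, lowest status first.
# The status is taken from right after the closing quote of the request line,
# so a request field with an unusual token count (e.g. "-") cannot shift it,
# as it would with a naive $9.
status_summary() {
    awk '
        match($0, /" [0-9][0-9][0-9] /) {
            count[substr($0, RSTART + 2, 3)]++
        }
        END { for (s in count) print s, count[s] }
    ' "$1" | sort -n
}

# denied_by_client LOGFILE [MIN]
# Prints "count client" for every client address with at least MIN (default 1)
# responses of 403 or 404, busiest client first.
denied_by_client() {
    awk -v min="${2:-1}" '
        match($0, /" [0-9][0-9][0-9] /) {
            s = substr($0, RSTART + 2, 3)
            if (s == "403" || s == "404") hits[$1]++
        }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' "$1" | sort -rn
}

# Usage on a real server: status_summary /var/log/httpd/access_log
#                         denied_by_client /var/log/httpd/access_log 20
```

A single client accumulating 403s points at the permission pitfalls above; many 404s from one client for pages that never existed is worth a look at the rest of that client's requests.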
Web site statistic services:
- eXTReMe Tracking

Load testing your server:
- PureLoad: JAVA load testing and reporting tool.
- Web Performance Trainer: Load Testing Tools.

Apache Links:
- CgiWrap: setuid wrapper that allows users to install and execute their own cgi scripts that get executed as their own user id
- WWWThreads.org: Commercial product. Advanced Web Conferencing Software

Configuring https (mod_ssl):
- Mod_SSL.org: Home Page
- Mod_SSL.org: Mod_SSL HowTo
- Mod_SSL.org: Steps to create an SSL server certificate

Log file analysis using Analog:
Installation:
- Red Hat/Fedora: yum install analog
- Ubuntu/Debian: apt-get install analog
Installation packages are also available from the Analog downloads page.

Configuration file: /etc/analog.cfg
    LOGFILE /var/log/httpd/yourdomain.com-access_log* http://www.yourdomain.com
    UNCOMPRESS *.gz,*.Z "gzip -cd"
    SUBTYPE *.gz,*.Z
    #
    OUTFILE /home/user1/public_html/analog/Report.html
    #
    HOSTNAME "YourDomain.com"
    HOSTURL http://www.yourdomain.com
    ...
    # Request page stats only
    REQINCLUDE pages
    ALL ON
    LANGUAGE US-ENGLISH

One can view the settings which will be used with your configuration file (also good for debugging): analog -settings

Make the Analog images available to the user's report: ln -s /usr/share/analog/images/* /home/user1/public_html/analog

Log file location:
- Red Hat/Fedora: /var/log/httpd/
- Ubuntu/Debian: /var/log/apache2/

The directive ALL ON turns on all of the following:

    Analog Directive   Description
    MONTHLY ON         one line for each month
    WEEKLY ON          one line for each week
    DAILYREP ON        one line for each day
    DAILYSUM ON        one line for each day of the week
    HOURLYREP ON       one line for each hour of the day
    GENERAL ON         the General Summary at the top
    REQUEST ON         which files were requested
    FAILURE ON         which files were not found
    DIRECTORY ON       Directory Report
    HOST ON            which computers requested files
    ORGANISATION ON    which organisations they were from
    DOMAIN ON          which countries they were in
    REFERRER ON        where people followed links from
    FAILREF ON         where people followed broken links from
    SEARCHQUERY ON     the phrases and words they used...
    SEARCHWORD ON      ...to find you from search engines
    BROWSERSUM ON      which browser types people were using
    OSREP ON           and which operating systems
    FILETYPE ON        types of file requested
    SIZE ON            sizes of files requested
    STATUS ON          number of each type of success and failure

Cron job to handle multiple domains: /etc/cron.daily/analog
    #!/bin/sh
    cp /opt/etc/analog-domain1.com.cfg /etc/analog.cfg
    /usr/bin/analog
    cp /opt/etc/analog-domain2.com.cfg /etc/analog.cfg
    /usr/bin/analog
    ...

Links:
- Analog home page
- Analog command reference

Measuring Web Server Performance:
See the YoLinux.com web server benchmarking tutorial.

FTPd and FTP user account configuration:
Many FTP programs exist. This example covers the popular vsftpd (Red Hat default 9.0, Fedora Core, Suse) and wu-ftpd (Washington University) programs, the latter of which comes standard with Red Hat (last shipped with Red Hat 8.0 but can be installed on any Linux system). (RPM: wu-ftpd) There are other FTP programs including proFtpd (supports LDAP authentication, Apache-like directives, full featured ftp server software), bftpd, pure-ftpd (freeBSD and optional on SuSE), etc...

For hostile environments set up a chrooted environment for an sftp encrypted connection and the rssh restricted shell for OpenSSH. See the YoLinux.com internet security tutorial for Linux sftp and rssh configuration.
Also see the preferred chrooted sftp configuration for OpenSSH 4.9+.

FTPd and SELinux: To allow FTPd daemon access and FTP access to users' home directories:
    setsebool -P allow_ftpd_full_access=1
Otherwise you will get an error in /var/log/messages:
    SELinux is preventing the ftp daemon from writing files outside the home directory (./public_html).
    setsebool -P ftp_home_dir 1
Follow with the command: service vsftpd restart

FTPd configuration tutorials:
- vsFTPd: Configuration
- WU-FTPd: Configuration
- FTP Clients: Links

vsFTPd and FTP user account configuration:
The vsFTPd ftp server was first made available in Red Hat 9.0. It has been adopted by Suse and OpenBSD as well. This is currently the recommended FTP daemon for use on FTP servers.

Enable vsftpd:
- Red Hat/Fedora Core/CentOS: VsFTPd is a standalone service and, by the default Fedora Core installation, not controlled by xinetd as is the wu-ftpd default installation.
  Thus start the service: service vsftpd start (or: /etc/init.d/vsftpd start)
  Configure vsftpd to start upon system boot: chkconfig --add vsftpd
- SuSE: By default, vsftpd is an xinetd controlled service. To enable FTP server services edit the file /etc/xinetd.d/vsftpd and change:
      disable = yes
  to:
      disable = no
  Restart the xinetd daemon: /etc/init.d/xinetd restart
  Note: vsftpd can also be run as a standalone service to achieve a faster response time.
- Ubuntu (dapper/hardy/natty)/Debian:
  Install: apt-get install vsftpd
  VsFTPd is a standalone service.
  Start: /etc/init.d/vsftpd start
  Stop: /etc/init.d/vsftpd stop
  Restart: /etc/init.d/vsftpd restart
  (Use this command after making configuration file changes)

For more on starting/stopping/configuring Linux services, see the YoLinux tutorial on the Linux init process and service activation.

Configuration files:

vsFTPd configuration file:
  Fedora Core / Red Hat: /etc/vsftpd/vsftpd.conf
  S.u.S.e. / Ubuntu (dapper/hardy/natty) / Debian: /etc/vsftpd.conf

Default for Fedora Core 3 (the text to the right of each directive is a description, not part of the file):

  anonymous_enable=YES           Anonymous FTP allowed by default if you comment this out. Default directory used: /var/ftp
  local_enable=YES               Uncomment this to allow local users to log in with FTP. Must also set SELinux boolean: setsebool -P ftp_home_dir 1
  write_enable=YES               Uncomment this to enable any form of FTP write or upload command.
  local_umask=022                Default is 077. Umask 022 is used by most other ftpd's.
  #anon_upload_enable=YES        Uncomment to allow the anonymous FTP user to upload files. Requires the above global write enabled. Directory must also be writable by user.
  #anon_mkdir_write_enable=YES   Uncomment this to allow the anonymous FTP user to be able to create new directories.
  dirmessage_enable=YES          Activate directory messages. Messages given to remote users when they enter certain directories.
  xferlog_enable=YES             Activate logging of uploads/downloads.
  connect_from_port_20=YES       PORT transfer connections originate from port 20 (ftp-data).
  #chown_uploads=YES             Uploaded anonymous files set to a specified owner. (not root)
  #chown_username=whoever
  #xferlog_file=/var/log/vsftpd.log   Specify log file explicitly. Default is /var/log/vsftpd.log
  xferlog_std_format=YES         Output to log file in standard ftpd xferlog format.
  #idle_session_timeout=600      Set timing out for an idle session.
  #data_connection_timeout=120   Set timing out for an idle data connection. Port 20
  #nopriv_user=ftpsecure         Run ftp server as an isolated and unprivileged user.
  # Enable this and the server will recognise asynchronous ABOR requests. Not
  # recommended for security (the code is non-trivial). Not enabling it may confuse older FTP clients.
  #async_abor_enable=YES
  #ascii_upload_enable=YES       Improve performance by disabling ASCII mode. Disables the command "ascii" and "SIZE /big/file".
  #ascii_download_enable=YES
  #ftpd_banner=Welcome to YoLinux   Customize the login banner string.
  #deny_email_enable=YES         Disallow specified anonymous e-mail addresses. Used to combat certain DoS attacks.
  #banned_email_file=/etc/vsftpd.banned_emails   (Ubuntu default. Red Hat: /etc/vsftpd/banned_emails)
  #chroot_list_enable=YES        List users chroot()'d to their home directory. If "NO", list users not chroot()'d.
  #chroot_list_file=/etc/vsftpd.chroot_list   (Ubuntu default. Red Hat: /etc/vsftpd/chroot_list)
  ls_recurse_enable=YES          Allow "ls -R" recursive directory list. Default is disabled.
  pam_service_name=vsftpd
  userlist_enable=YES            (Ubuntu default) Deny users specified in file /etc/vsftpd.user_list. If "userlist_enable=NO" then allow the specified users. Red Hat: /etc/vsftpd/user_list
  listen=YES                     Enable for standalone mode as opposed to an xinetd service. Must set SELinux boolean: setsebool -P ftpd_is_daemon 1
  tcp_wrappers=YES

Restart the FTP service if the config file is changed: service vsftpd restart  (or: /etc/init.d/vsftpd restart)

[Potential Pitfall]: vsftpd does NOT support comments on the same line as a directive. i.e.:
    directive=XXX  # comment
The descriptions shown beside the directives above must therefore not be copied into the file.

vsftp.conf man page

Specify list of local users chrooted to their home directories:
  Red Hat: /etc/vsftpd/vsftpd/chroot_list
  Ubuntu: /etc/vsftpd/vsftpd.chroot_list
  (Requires: chroot_list_enable=NO)
    user1
    user2
    ...
    usern
  If userlist_enable=YES, then specify users not to be chroot'd.

Specify list of users:
  Red Hat: /etc/vsftpd/user_list
  Ubuntu: /etc/vsftpd.user_list
  (Deny list of users requires: userlist_enable=YES)
  Also see PAM configuration below.
    root
    bin
    daemon
    adm
    lp
    sync
    shutdown
    halt
    ...
  If userlist_enable=NO, then specify valid users.

PAM configuration file Fedora Core 3: /etc/pam.d/vsftpd

  #%PAM-1.0
  auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
  auth       required     pam_stack.so service=system-auth
  auth       required     pam_shells.so
  account    required     pam_stack.so service=system-auth
  session    required     pam_stack.so service=system-auth

This causes PAM to check /etc/vsftpd.ftpusers for users who are denied. This duplicates /etc/vsftpd.user_list. Specify the user in both files. PAM is independent of the vsftpd configuration.

PAM authentication configuration file: ftpusers
  Red Hat: /etc/vsftpd/ftpusers
  Ubuntu: /etc/vsftpd.ftpusers
    root
    bin
    daemon
    adm
    lp
    sync
    shutdown
    halt
    ...
    user6        Users to deny
    user8
    ...

Logrotate configuration file: /etc/logrotate.d/vsftpd.log

  /var/log/xferlog {
      # ftpd doesn't handle SIGHUP properly
      nocompress
      missingok
  }

Sample vsFTPd configurations:

Anonymous download FTP server configuration: /etc/vsftpd/vsftpd.conf

  # Access rights
  anonymous_enable=YES           Turn on anonymous FTP
  chown_uploads=YES              Uploaded files owned by an assigned user
  chown_username=ftp             Uploaded files owned by this assigned user
  local_enable=NO
  write_enable=NO                No upload of files / system changes allowed
  anon_upload_enable=NO
  anon_mkdir_write_enable=NO
  anon_other_write_enable=NO
  # Security
  anon_world_readable_only=YES
  connect_from_port_20=YES
  force_dot_files=NO
  guest_enable=NO
  hide_ids=YES
  pasv_min_port=50000
  pasv_max_port=60000
  # Features
  xferlog_enable=YES
  ls_recurse_enable=NO
  ascii_download_enable=NO
  async_abor_enable=YES
  # Performance
  one_process_model=NO
  idle_session_timeout=120
  data_connection_timeout=300
  accept_timeout=60
  connect_timeout=60
  max_per_ip=4
  anon_max_rate=50000
  pam_service_name=vsftpd
  userlist_enable=YES
  # enable for standalone mode
  listen=YES
  tcp_wrappers=YES

Anonymous logins use the login name "anonymous" and then the user supplies their e-mail address as a password. Any password will be accepted. Used to allow the public to download files from an ftp server. Generally, no upload is permitted.

Web hosting configuration: /etc/vsftpd/vsftpd.conf

  # Access rights
  anonymous_enable=NO
  local_enable=YES               Allow users to ftp to their home directories
  write_enable=YES               Allow users to STOR, DELE, RNFR, RNTO, MKD, RMD, APPE and SITE
  local_umask=022
  # Security
  connect_from_port_20=YES
  force_dot_files=NO
  guest_enable=NO                Don't remap user name
  ftpd_banner=Welcome to SuperDuper Hosting   Customize the login banner string.
  chroot_local_user=YES          Limit user to browse their own directory only
  chroot_list_enable=YES         Enable list of system/power users
  chroot_list_file=/etc/vsftpd.chroot_list   Actual list of system/power users
  hide_ids=YES
  pasv_min_port=50000
  pasv_max_port=60000
  # Features
  xferlog_enable=YES
  ls_recurse_enable=NO
  ascii_download_enable=NO
  async_abor_enable=YES
  dirmessage_enable=YES          Message greeting held in file .message or specify with message_file=...
  # Performance
  one_process_model=NO
  idle_session_timeout=120
  data_connection_timeout=300
  accept_timeout=60
  connect_timeout=60
  max_per_ip=4
  #
  pam_service_name=vsftpd
  userlist_enable=YES
  # enable for standalone mode
  listen=YES
  tcp_wrappers=YES

Specify list of local users chrooted to their home directories: /etc/vsftpd/vsftpd.chroot_list
  Ubuntu typically: /etc/vsftpd.chroot_list
  (Requires: chroot_list_enable=NO)
    user1
    user2
    ...
    usern
  If userlist_enable=YES, then specify users not to be chroot'd.

[Potential Pitfall]: Misspelling a directive will cause vsftpd to fail with little warning.
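The two pitfalls above (inline comments and misspelled directives) are easy to check for before restarting the daemon. The following linter is an added example, not part of the tutorial or of vsftpd itself: it parses a vsftpd.conf the way vsftpd reads it (everything after "=" is the value), flags inline comments and directives not in a known list, and reports exposure-widening combinations seen in the sample configurations. The list of known directives is taken from the configurations on this page and is not exhaustive; the sample configuration is constructed.

```python
"""Lint a vsftpd.conf for inline comments, misspelled directives and risky settings."""
import re

# Directive names that appear in the configurations on this page (assumption: extend
# from the vsftpd.conf man page for directives not used here).
KNOWN_DIRECTIVES = {
    "anonymous_enable", "local_enable", "write_enable", "local_umask",
    "anon_upload_enable", "anon_mkdir_write_enable", "anon_other_write_enable",
    "anon_world_readable_only", "dirmessage_enable", "xferlog_enable",
    "connect_from_port_20", "chown_uploads", "chown_username", "xferlog_file",
    "xferlog_std_format", "idle_session_timeout", "data_connection_timeout",
    "nopriv_user", "async_abor_enable", "ascii_upload_enable",
    "ascii_download_enable", "ftpd_banner", "deny_email_enable",
    "banned_email_file", "chroot_local_user", "chroot_list_enable",
    "chroot_list_file", "ls_recurse_enable", "pam_service_name",
    "userlist_enable", "listen", "tcp_wrappers", "force_dot_files",
    "guest_enable", "hide_ids", "pasv_min_port", "pasv_max_port",
    "one_process_model", "accept_timeout", "connect_timeout", "max_per_ip",
    "anon_max_rate", "message_file",
}

LINE_RE = re.compile(r"^([A-Za-z_]+)=(.*)$")


def parse_vsftpd_conf(text):
    """Return (settings, findings): settings maps directive -> value (last one wins),
    findings is a list of (line number, message)."""
    settings, findings = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and whole-line comments are allowed
        m = LINE_RE.match(line)
        if not m:
            findings.append((lineno, "unparsable line: %r" % raw))
            continue
        name, value = m.group(1), m.group(2)
        # vsftpd keeps everything after '=' as the value, so a trailing "# comment"
        # becomes part of the value and silently breaks the setting.
        if "#" in value:
            findings.append((lineno, "inline comment not supported: %r" % raw))
            value = value.split("#", 1)[0]
        if name not in KNOWN_DIRECTIVES:
            findings.append((lineno, "unknown (misspelled?) directive: %s" % name))
        settings[name] = value.strip()
    return settings, findings


def is_yes(settings, name):
    """vsftpd booleans are YES/NO, case-insensitive; absent means NO here."""
    return settings.get(name, "NO").upper() == "YES"


def risk_findings(settings):
    """Combinations that widen exposure beyond the two sample configurations above."""
    out = []
    if is_yes(settings, "anonymous_enable") and is_yes(settings, "write_enable") and (
            is_yes(settings, "anon_upload_enable") or is_yes(settings, "anon_mkdir_write_enable")):
        out.append("anonymous users can write: write_enable and anon_*_enable are YES")
    if is_yes(settings, "local_enable") and not is_yes(settings, "chroot_local_user"):
        out.append("local users are not confined to their home directory (chroot_local_user)")
    if is_yes(settings, "local_enable") and is_yes(settings, "anonymous_enable"):
        out.append("anonymous and local logins are both enabled on one server")
    return out


def lint(text):
    """All findings for a config: (lineno, message) pairs; lineno 0 is a config-wide risk."""
    settings, findings = parse_vsftpd_conf(text)
    return findings + [(0, msg) for msg in risk_findings(settings)]


# Constructed sample: the web hosting configuration above with two deliberate mistakes
# (an inline comment on line 3 and a misspelled chroot_local_user on line 5).
SAMPLE = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES # allow uploads
local_umask=022
chroot_local_usr=YES
chroot_list_enable=YES
chroot_list_file=/etc/vsftpd.chroot_list
listen=YES
"""

if __name__ == "__main__":
    for lineno, msg in lint(SAMPLE):
        print("line %d: %s" % (lineno, msg) if lineno else "config: %s" % msg)
```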
File: .message

  A NOTE TO USERS UPLOADING FILES:
  File names may consist of letters (a-z, A-Z), numbers (0-9),
  an underscore ("_"), dash ("-") or period (".") only.
  The file name may not begin with a period or dash.

Test if vsftp is listening: netstat -a | grep ftp
  [root]# netstat -a | grep ftp
  tcp        0      0 *:ftp                   *:*                     LISTEN

Links:
  vsFTPd Home Page
  Sample configurations
  vsftp.conf Man page

WU-FTPd and FTP user account configuration:

The wu-ftpd FTP server can be downloaded (binary or source) from http://www.wfms.org/wuftpd/ (at one time: http://wuftpd.org).

There are three kinds of FTP logins that wu-ftpd provides:
  anonymous FTP - one logs in with the username 'anonymous'
  real FTP - login with a real username and password and has access to the entire disk structure.
  guest FTP - one logs in with a real username and password, but the user is chroot'ed to his home directory and cannot escape from it. They are confined to their home directory, which also means that they don't have access to /bin/ls and other commands on the server. Thus a local minimalist environment must be set up.

This tutorial covers "guest" FTP configuration.

The file /etc/ftpaccess controls the configuration of ftp.

  # Don't allow system accounts to log in over ftp
  deny-uid %-99 %65534
  deny-gid %-99 %65534
  class all real,guest *
  email [email protected]
  loginfails 5
  readme README* login
  readme README* cwd=*
  message /welcome.msg login
  message .message cwd=*
  compress yes all
  tar yes all
  chmod no guest,anonymous
  delete no anonymous      # delete files permission?
  overwrite no anonymous   # overwrite files permission?
  rename no anonymous      # rename files permission?
  delete yes guest         # delete files permission?
  overwrite yes guest      # overwrite files permission?
  rename yes guest         # rename files permission?
  umask no guest           # umask permission?
  log transfers anonymous,real inbound,outbound
  shutdown /etc/shutmsg
  passwd-check rfc822 warn
  # Must also create message file /etc/pathmsg of the guest directory.
  # In this case it refers to /home/user1/public_html/etc/pathmsg.
  path-filter guest /etc/pathmsg ^[-A-Za-z0-9_\.]*$ ^\. ^-
  limit all 2
  noretrieve passwd .htaccess core        Do not allow users to download files of these names
  limit-time * 20
  byte-limit in 5000                      Limit file size
  guestuser *                             System user default categorized as a "guest". A "real" user can roam the system. Guest user is chrooted.
  realgroup regularuserx regularusery     Assign real user privileges to members of groups "regularuserx" and "regularusery". Visibility of the whole file system and subject to regular UNIX file permissions
  realuser user4                          Assign real user privileges to user id "user4".
  restricted-uid user1 user2 user3        Restricts FTP to the specified directories
  guest-root /home/user1/public_html user1
  guest-root /home/user2/public_html user2
  guest-root /home/user3/public_html user3

Note:
  user1, user2 and user3 refer to login accounts. Use the appropriate login name.
  The above configuration disables anonymous FTP, which allows anyone to perform an FTP login with the id anonymous and an e-mail address as a password. To enable anonymous FTP, change the class directive to:
    class all real,guest,anonymous *

GUI FTP configuration tools:
  /usr/bin/kwuftpd
  /sbin/linuxconf
  (Note: Linuxconf is no longer included with Red Hat 7.3 and later)

Red Hat Linux assigns users a user id and group id which are the same. This means that it does not matter if you use a real user or real group directive; they will act the same.

Red Hat Linux 7.1 and later uses the xinetd daemon to manage ftp connections. Thus xinetd must be running and configured to support ftp. The configuration file is /etc/xinetd.d/wu-ftpd. The command chkconfig wu-ftpd on will make the ftp server available. See xinetd configuration info.

Allow override of deny-uid and/or deny-gid:
  allow-uid user-to-allow
  allow-gid group-to-allow

Optional configuration:
  Create a group ftpchroot
  Add users to this group
  Use directive: guestgroup ftpchroot

[Potential Pitfall]: Flakey ftp behavior, timeouts, etc.? FTP works best with name resolution of the computer it is communicating with. This requires proper /etc/resolv.conf and name server (bind) configuration, /etc/hosts or NIS/NFS configuration.

File /home/user1/public_html/etc/pathmsg:

  A NOTE TO USERS UPLOADING FILES:
  File names may consist of letters (a-z, A-Z), numbers (0-9),
  an underscore ("_"), dash ("-") or period (".") only.
  The file name may not begin with a period or dash.
  You have tried to upload a file with an inappropriate name.

The whole point of the chroot directory is to make the user's home directory appear to be the root of the file system (/) so one could not wander around the file system. Configuration of /etc/ftpaccess will limit the user to their respective directories while still offering access to /bin/ls and other system commands used in FTP operation.

As root:
  cd /home/user1
  mkdir public_html
  chown $1.$1 public_html
  touch .rhosts                Security protection
  chmod ugo-xrw .rhosts

Man Pages:
  Server:
    ftpd - Internet File Transfer Protocol server
  File Formats:
    /etc/ftpaccess - Configuration file for ftpd
    /etc/ftpservers - ftpd virtual hosting configuration file. (optional)
    /etc/ftphosts - allow or deny access to certain accounts from various hosts. (optional)
    /etc/ftpconversions - ftpd conversions database (for tar and compression)
    /var/log/xferlog - FTP server log file
  ftp - File Transfer Client program

Configuration files: (RH 8.0+)

PAM configuration file: /etc/pam.d/ftp

  #%PAM-1.0
  auth       required     pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed
  auth       required     pam_stack.so service=system-auth
  auth       required     pam_shells.so
  account    required     pam_stack.so service=system-auth
  session    required     pam_stack.so service=system-auth

Xinetd configuration file: /etc/xinetd.d/wu-ftpd

  service ftp
  {
      disable         = no
      socket_type     = stream
      wait            = no
      user            = root
      server          = /usr/sbin/in.ftpd
      server_args     = -l -a
      log_on_success  += DURATION USERID
      log_on_failure  += USERID
      nice            = 10
  }

Note: wu-FTPd is controlled by xinetd and is not a standalone service like vsFTPd.

Logrotate configuration file: /etc/logrotate.d/ftpd

  /var/log/xferlog {
      nocompress
  }

More information:
  WU-FTPD release
  dkftpbench - FTP benchmark program to give you an idea as to how many simultaneous dialup clients a server can support.
  FTP and text file type conversions: End Of Line Characters by Peter Benjamin

Man pages on related FTP commands and files:
  chroot - Run with a special root directory
  ftpcount - Show number of concurrent users.
  ftpshut - close down the ftp servers at a given time
  ftprestart - Restart previously shut down ftp servers
  ftpwho - show current process information for each ftp user
  privatepw - Change WU-FTPD Group Access File Information (admin command)

Other FTP daemons:
  CrushFTP - Java / cross platform
  WS_FTP

FTP Pitfalls:

If you get the following error:

  ftp> ls
  227 Entering Passive Mode (208,188,34,109,208,89)
  ftp: connect: No route to host

This means you have firewall issues, most probably on the FTP server itself. Start by removing the firewall "iptables" rules: iptables -F. Add rules until you discover what is causing the problem.

Passive mode:
Passive mode can also help one past the rules:

  ftp> passive
  Passive mode on.

This toggles passive mode on and off. When on, FTP will be limited to the ports specified in the vsftpd configuration file vsftpd.conf with the parameters pasv_min_port and pasv_max_port.

Firewall connection tracking module:

  # cat /etc/sysconfig/iptables-config | grep ip_nat_ftp
  IPTABLES_MODULES="ip_conntrack_ftp"

NAT firewall modules:
You can also try adding ip_nat_ftp to the list of autoloaded modules: (This will also load the dependency: ip_conntrack_ftp.)

  # cat /etc/sysconfig/iptables-config | grep ip_nat_ftp
  IPTABLES_MODULES="ip_nat_ftp"

Then restart the firewall: /etc/init.d/iptables condrestart

FTP will change ports during use. The ip_conntrack_ftp module will consider each connection "RELATED". If iptables allows RELATED and ESTABLISHED connections then FTP will work. i.e. rule in /etc/sysconfig/iptables:

  -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

FTP fails because it cannot change to the user's home directory:
Error:

  [user1@node-x ~]$ ftp node.domain.com
  Connected to XXX.XXX.XXX.XXX.
  530 Please login with USER and PASS.
  530 Please login with USER and PASS.
  KERBEROS_V4 rejected as an authentication type
  Name (XXX.XXX.XXX.XXX:user1):
  331 Please specify the password.
  Password:
  500 OOPS: cannot change directory:/home/user1
  Login failed.
  ftp> bye

This is often a result of SELinux preventing the vsftpd process from accessing the user's home directory. As root, grant access with the following command:

  setsebool -P ftp_home_dir 1

Followed by: service vsftpd restart

Test your vsftpd SELinux settings: getsebool -a | grep ftp

  allow_ftpd_anon_write --> off
  allow_ftpd_full_access --> off
  allow_ftpd_use_cifs --> off
  allow_ftpd_use_nfs --> off
  allow_tftp_anon_write --> off
  ftp_home_dir --> on
  ftpd_disable_trans --> off
  ftpd_is_daemon --> on
  httpd_enable_ftp_server --> off
  tftpd_disable_trans --> off

FTPd SELinux man page

FTP Linux clients:
  gftp: GUI GTK+ multithreaded client. File transfer, directory browsing and compare. Multiple protocols: FTP, FTPS (control connection only), HTTP, HTTPS, SSH and FSP protocols. Proxy support. Comes with Red Hat / Fedora Core.
  KFTPGrabber: GUI KDE based client. Simultaneous FTP sessions in separate tabs. Ability to limit upload and download speed.
  kbear: GUI KDE based client. Connect to multiple servers, transfer files, directory browsing, file content browsing. Comes with S.U.S.e. Linux.
  ftp: (/usr/kerberos/bin/ftp) kerberos enabled console ftp client. (RPM package FC3: krb5-workstation)

Basic user security:

When hosting web sites, there is no need to grant a shell account, which only allows the server to have more potential security holes. Current systems can restrict the user to have only FTP access with no shell by granting them the "shell" /sbin/nologin provided with the system or the "ftponly" shell described below. The shell can be specified in the file /etc/passwd or when creating a user with the command adduser -s /sbin/nologin userid

[Potential Pitfall]: Red Hat 7.3 server with wu-ftp server 2.6.2-5 does not support this configuration to prevent shell access. It requires users to have a real shell, i.e. /bin/bash. It works great in older and current Red Hat versions. If it works for you, use it, as it is more secure to deny the user shell access. You should always deny telnet access. You should NOT be using this problem ridden version of ftpd. Use the latest wu-ftpd 2.6.2-11, which supports users with shell /opt/bin/ftponly

[Potential Pitfall]: Ubuntu Dapper/Hardy - Setting the shell to the pre-configured shell /bin/false will NOT allow vsftp access. One must create the shell "ftponly" as defined below to allow vsftp access with no shell.

1. Disable remote telnet login access allowing FTP access only:
   Change the shell for the user in /etc/passwd from /bin/bash to be /opt/bin/ftponly.
     ...
     user1:x:502:503::/home/user1:/opt/bin/ftponly
     ...
   Create file: /opt/bin/ftponly.
   Protection set to -rwxr-xr-x 1 root root
   with the command: chmod ugo+x /opt/bin/ftponly
   Contents of file:

   #!/bin/sh
   #
   # ftponly shell
   #
   trap "/bin/echo Sorry; exit 0" 1 2 3 4 5 6 7 10 15
   #
   Admin=[email protected]
   #System=`/bin/hostname`@`/bin/domainname`
   #
   /bin/echo
   /bin/echo "********************************************************************"
   /bin/echo "You are NOT allowed interactive access."
   /bin/echo
   /bin/echo "User accounts are restricted to ftp and web access."
   /bin/echo
   /bin/echo "Direct questions concerning this policy to $Admin."
   /bin/echo "********************************************************************"
   /bin/echo
   #
   # C'ya
   #
   exit 0
   The last step is to add this to the list of valid shells on the system.
   Add the line /opt/bin/ftponly to /etc/shells.
   Sample file contents: /etc/shells

     /bin/bash
     /bin/bash1
     /bin/tcsh
     /bin/csh
     /opt/bin/ftponly

   See man page on /etc/shells.

   An alternative would be to assign the shell /bin/false or /sbin/nologin, which became available in later releases of Red Hat, Debian and Ubuntu. In that case the shell /bin/false or /sbin/nologin would have to be added to /etc/shells to allow them to be used as a valid shell for FTP while disabling telnet access.
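Because /etc/pam.d/vsftpd includes pam_shells.so, a user's login shell must appear in /etc/shells for FTP to succeed, while an interactive shell such as /bin/bash also grants telnet/ssh login that a hosting account does not need. The audit below is an added example, not part of the tutorial: it classifies accounts from passwd, shells and ftpusers files so you can see which users are FTP-only, which will be refused by pam_shells, and which still hold a full shell. The /opt/bin/ftponly path follows the step above; all file contents are constructed samples.

```python
"""Classify accounts by FTP reachability and shell exposure from passwd(5)-style data."""

# Shells that give an interactive login (sample set; extend for your system).
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/bash1", "/bin/sh", "/bin/tcsh", "/bin/csh"}


def parse_name_list(text):
    """One entry per line, '#' comments and blanks ignored: works for /etc/shells
    (see shells(5)) and for the ftpusers / user_list deny files shown above."""
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.add(line)
    return entries


def parse_passwd(text):
    """Yield (user, uid, home, shell) from passwd lines; an empty shell field means /bin/sh."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # skip blank or malformed lines
        user, _, uid, _, _, home, shell = fields
        yield user, int(uid), home, shell or "/bin/sh"


def audit(passwd_text, shells_text, ftpusers_text, min_uid=500):
    """Return {user: status} for accounts with uid >= min_uid (system accounts skipped).

    Statuses, in the order vsftpd/PAM would apply them:
      ftp-denied                 listed in the ftpusers deny file (pam_listfile sense=deny)
      ftp-refused-by-pam_shells  login shell not listed in /etc/shells
      ftp-and-interactive-login  FTP works, but the shell also allows telnet/ssh login
      ftp-only                   FTP works and the shell is non-interactive (the goal here)
    """
    valid_shells = parse_name_list(shells_text)
    denied = parse_name_list(ftpusers_text)
    report = {}
    for user, uid, home, shell in parse_passwd(passwd_text):
        if uid < min_uid:
            continue
        if user in denied:
            status = "ftp-denied"
        elif shell not in valid_shells:
            status = "ftp-refused-by-pam_shells"
        elif shell in INTERACTIVE_SHELLS:
            status = "ftp-and-interactive-login"
        else:
            status = "ftp-only"
        report[user] = status
    return report


# Constructed sample data, not taken from a real system. user3 reproduces the Ubuntu
# pitfall above: /bin/false is not in /etc/shells, so pam_shells refuses the login.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
user1:x:502:503::/home/user1:/opt/bin/ftponly
user2:x:503:504::/home/user2:/bin/bash
user3:x:504:505::/home/user3:/bin/false
user6:x:506:507::/home/user6:/opt/bin/ftponly
"""
SHELLS = """\
/bin/bash
/bin/bash1
/bin/tcsh
/bin/csh
/opt/bin/ftponly
"""
FTPUSERS = """\
root
bin
daemon
user6
"""

if __name__ == "__main__":
    for user, status in sorted(audit(PASSWD, SHELLS, FTPUSERS).items()):
        print("%-8s %s" % (user, status))
```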
2. Set file quotas to limit user account.

For more on Linux security see the YoLinux.com Internet web site Linux server security tutorial.

Domain Name Server (DNS) configuration using Bind version 8 or 9:

Two of the most popular ways to configure the program Bind (Berkeley Internet Domain software) to perform DNS services is in the role of (1) ISP or (2) Web Host.

1. In an ISP configuration for clients (web surfers) connected to the internet, the DNS server must resolve IP addresses for any URL the user wishes to visit. (See DNS caching server)
2. In a purely web hosting configuration, Bind will only resolve for the IP addresses of the domains which are being hosted. This is the configuration which will be discussed and is often called an "Authoritative-only Nameserver".

When resolving IP addresses for a domain, Internic is expecting a "Primary" and a "Secondary" DNS name server. (Sometimes called Master and Slave) Each DNS name server requires the file /etc/named.conf and the files it points to. This is typically two separate computer systems hosted on two different IP addresses. It is not necessary that the Linux servers be dedicated to DNS as they may run a web server, mail server, etc.

Note on Bind versions: Red Hat versions 6.x used Bind version 8. Release 7.1 of Red Hat began using Bind version 9 and the GUI configuration tool was introduced for those of you that like a pretty point and click interface for configuration.

Installation Packages:
  Red Hat / Fedora Core / CentOS: bind, bind-chroot, bind-libs, bind-utils, system-config-bind
    bind-chroot: Security jail for operation of bind.
    bind-utils: Utility commands like nslookup, host, dig
    system-config-bind: GUI config tool system-config-bind and related configuration files (/etc/security/console.apps/bindconf).
    caching-nameserver: We will not be covering this as it is not required for web hosting. This is used by internet providers so their clients can cache the DNS entries of the sites they are visiting.
  Ubuntu (dapper/hardy/natty) / Debian: bind9
Configuration files:

Red Hat / Fedora / CentOS:

  File              Description                                                   Directory         Chrooted Directory
  named.conf        Primary/Secondary DNS server configuration.                   /etc/             /var/named/chroot/etc/
                    (See default file /usr/share/doc/bind-9.X.X/sample/etc/named.conf)
  named.root.hints  Configuration for recursive service. Required for all zones.  /etc/             /var/named/chroot/etc/
                    (See default file /usr/share/doc/bind-9.X.X/sample/etc/named.root.hints)
  named             Red Hat system variables.                                     /etc/sysconfig/   no change
  rndc.key          Primary/Secondary DNS server configuration.                   /etc/             /var/named/chroot/etc/
  Zone files        Configuration files for each domain. Create this file to      /var/named/       /var/named/chroot/var/named/
                    resolve host name internet queries i.e. define IP address
                    of web (www) and mail servers in the domain.

Debian / Ubuntu:

  File                Description                                   Directory         Chrooted Directory
  named.conf          Primary/Secondary DNS server configuration.   /etc/bind/        /var/bind/chroot/etc/bind/
  named.conf.options
  named.conf.local
  rndc.key            Primary/Secondary DNS server configuration.   /etc/             /var/bind/chroot/etc/
  Zone files          Configuration files for each domain.          /var/bind/data/   /var/bind/chroot/var/bind/data/
Primary server (master):

File: named.conf
  Red Hat / Fedora Core / CentOS: /etc/named.conf (chroot dir: /var/named/chroot/etc/named.conf) and /etc/sysconfig/named for system variables
  Ubuntu / Debian: /etc/bind/named.conf - Place local definitions in /etc/bind/named.conf.options and /etc/bind/named.conf.local

Simple example: (no views)

  options {                                  // Ubuntu stores options in /etc/bind/named.conf.options
      version "Bind";                        // Don't disclose real version to hackers
      directory "/var/named";                // Specified so relative path names can be used. Full path names still allowed.
      allow-transfer { XXX.XXX.XXX.XXX; };   // IP address of secondary DNS
      recursion no;
      auth-nxdomain no;                      // conform to RFC1035. (default)
      fetch-glue no;                         // Bind 8 only! Not used by version 9
  };
  zone "localhost" {
      type master;
      file "/etc/bind/db.local";
  };
  zone "0.0.127.in-addr.arpa" {
      type master;
      file "/etc/bind/db.127";
  };
  zone "yourdomain.com" {                    // Ubuntu separates the zone definitions into /etc/bind/named.conf.local
      type master;                           // Specify master, slave, forward or hint
      file "data/named.yourdomain.com";
      notify yes;                            // slave servers are notified when the zone is updated.
      allow-update { none; };                // deny updates from other hosts (default: none)
      allow-query { any; };                  // allow clients to query this server (default: any)
  };
  zone "yourdomain2.com" {
      type master;
      file "data/named.yourdomain2.com";
      notify yes;
  };

Note:
  The omission of zone ".". Required if providing a recursive service.
  Ubuntu includes the separated file of zone directives using the directive:
    include "/etc/bind/named.conf.local";

BIND Views: The BIND naming service can support "views", which allow various sub-networks (i.e. private internal or public external networks) to receive a different domain name resolution result.
  If no views are specified then use the configuration shown above.
  The match-up between the "view" and the view client which receives the DNS information is specified by the match-clients statement.
  If even one view is specified, then ALL zones MUST be associated with a "view".

Bind 9 allows for views which allow different zones to be served to different types of clients: localhost, private networks and public networks. This maps to the three view names "localhost_resolver", "internal" and "external":
  localhost_resolver: Supports name resolution for the system (localhost) using BIND. Support for use of bind also has to be configured in /etc/nsswitch.conf
  internal: User specified Local Area Network (LAN). If not used to support a local private LAN, remove (or comment out) this view.
  external: The general public internet defined as client "any".
If you are only setting up a caching name server, then only specify the view "localhost_resolver" (delete all other views).
In order to support a DNS for internet domains using views, one will have to configure an "external" view.

Typical Red Hat Enterprise 5 example: (Bind 9.3.4 with three "views")

  options
  {
      directory "/var/named";   // the default
      dump-file "data/cache_dump.db";
      statistics-file "data/named_stats.txt";
      memstatistics-file "data/named_mem_stats.txt";
  };
  logging
  {
      // By default, SELinux policy does not allow named to modify the /var/named
      // directory, so put the default debug log file in data/:
      channel default_debug {
          file "data/named.run";
          severity dynamic;
      };
  };
  view "localhost_resolver"
  {
      // This view sets up named to be a localhost resolver (caching only nameserver).
      // If all you want is a caching-only nameserver, then you need only define this view:
      match-clients { localhost; };
      ...
  };
  view "internal"
  {
      // This view will contain zones you want to serve only to "internal" clients
      // that connect via your directly attached LAN interfaces - "localnets".
      // For local private LAN. Not covered in this tutorial.
      // Delete this view if web hosting with no local LAN.
      match-clients { localnets; };
      ...
  };
  key ddns_key
  {
      algorithm hmac-md5;
      secret "use /usr/sbin/dns-keygen to generate TSIG keys";
  };
  view "external"
  {
      // This view will contain zones you want to serve only to "external"
      // public internet clients. This is covered below.
      match-clients { any; };
      ...
      ..
  };

Default configuration files: Red Hat may supply the default configuration in /usr/share/doc/bind-9.X.X/sample/etc/named.conf

  cp /usr/share/doc/bind-9.X.X/sample/etc/named.conf /var/named/chroot/etc
  cp /usr/share/doc/bind-9.X.X/sample/etc/named.root.hints /var/named/chroot/etc
  chcon -u system_u -r object_r -t named_conf_t /var/named/chroot/etc/named.conf /var/named/chroot/etc/named.root.hints

view "localhost_resolver": If supporting a caching DNS server (not required to support a web domain) you will also need the files:

  cp /usr/share/doc/bind-9.X.X/sample/etc/named.rfc1912.zones /var/named/chroot/etc
  cp /usr/share/doc/bind-9.X.X/sample/var/named/localdomain.zones /var/named/chroot/var/named

also from /usr/share/doc/bind-9.X.X/sample/var/named/: localhost.zones, named.local, named.zero, named.broadcast, named.ip6.local, named.root

view "external": (master) details

  view "external"
  {
      /* This view will contain zones you want to serve only to "external" clients
       * that have addresses that are not on your directly attached LAN interface subnets:
       */
      match-clients { any; };
      match-destinations { any; };
      allow-transfer { XXX.XXX.XXX.XXX; };   // IP address of secondary DNS
      recursion no;
      // you'd probably want to deny recursion to external clients, so you don't
      // end up providing free DNS service to all takers

      // all views must contain the root hints zone:
      include "/etc/named.root.hints";

      // These are your "authoritative" external zones, and would probably
      // contain entries for just your web and mail servers:
      zone "yourdomain.com" {
          type master;
          file "/var/named/data/external/named.yourdomain.com";
          notify yes;
          allow-update { none; };
      };
      // You can also add the zones as a separate file like they do in Ubuntu by adding the following statement
      include "/etc/named.conf.local";
  };

DNS key:
Use the following command /usr/sbin/dns-keygen to create a key. Add this key to the "secret" statement as follows:

  key ddns_key
  {
      algorithm hmac-md5;
      secret "XlYKYLF5Y7YOYFFFY6YiYYXyFFFFBYYYYFfYYYJiYFYFYYLVrnrWrrrqrrrq";
  };

Man Pages:
  named.conf

Forward Zone File: /var/named/named.yourdomain.com
  Red Hat 9 / CentOS 3: /var/named/named.yourdomain.com
  Red Hat EL4/5, Fedora 3+, CentOS 4/5: [Chrooted] /var/named/chroot/var/named/data/named.yourdomain.com
  Red Hat EL4/5, Fedora 3+, CentOS 4/5: /var/named/data/named.yourdomain.com
  Ubuntu / Debian: /etc/bind/data/named.yourdomain.com

(Explanatory text follows each record after ";", which begins a comment in a zone file.)

  $TTL 604800    ; Bind 9 (and some of the later versions of Bind 8) requires the $TTL statement.
                 ; Measured in seconds. This value is 7 days.
  yourdomain.com.    IN   SOA   ns1.yourdomain.com. hostmaster.yourdomain.com. (
          2000021600 ; serial      Many people use year+month+day+integer as a system.
          86400      ; refresh     How often secondary servers (in seconds) should check in for changes in serial number. (86400 sec = 24 hours)
          7200       ; retry       How long secondary server should wait for a retry if contact failed.
          1209600    ; expire      Secondary server to purge info after this length of time.
          86400 )    ; default_ttl How long data is held in cache by remote servers.
                     IN   A      XXX.XXX.XXX.XXX   ; Note that this is the default IP address of the domain.
                                                   ; I put the web server IP address here so that domain.com points to the same servers as www.domain.com
  ;
  ; Name servers for the domain
  ;
                     IN   NS     ns1.yourdomain.com.
                     IN   NS     ns2.yourdomain.com.
  ;
  ; Mail server for domain
  ;
                     IN   MX     5 mail             ; Identify "mail" as the node handling mail for the domain. Do NOT specify an IP address!
  ;
  ; Nodes in domain
  ;
  node1              IN   A      XXX.XXX.XXX.XXX   ; Note that this is the IP address of node1
  ns1                IN   A      XXX.XXX.XXX.XXX   ; Optional: For hosting your own primary name server. Note that this is the IP address of ns1.
  ns2                IN   A      XXX.XXX.XXX.XXX   ; Optional: For hosting your own secondary name server. Note that this is the IP address of ns2.
  mail               IN   A      XXX.XXX.XXX.XXX   ; Identify the IP address for node mail.
                     IN   MX     5 XXX.XXX.XXX.XXX ; Identify the IP address for mail server named "mail".
  ;
  ; Aliases to existing nodes in domain
  ;
  www                IN   CNAME  node1             ; Define the web server "www" to be node1.
  ftp                IN   CNAME  node1             ; Define the ftp server to be node1.

DNS record types and format:

  DNS record   Description and Format
  SOA          Start of Authority: Primary domain server and contact info.
               Note that there is a period following the primary domain server and contact e-mail.
               Note that the e-mail address is in the form where the first period represents the "@" symbol of the e-mail address.
                 yourdomain.com   in   SOA   ns1.yourdomain.com. webmaster.yourdomain.com.
               or
                 @   in   SOA   ns1.yourdomain.com. webmaster.yourdomain.com.
               [Potential Pitfall]: Incorrect specification of the primary name server may result in the following message in /var/log/messages
                 view localhost_resolver: received notify for zone 'yourdomain.com': not authoritative

               SOA attribute   Description
               serial          Never use a value greater than 2147483647 for a 32 bit processor. Increment to a higher value to indicate an update to the slave server.
               refresh         Time increment (seconds) between update checks of the serial number with the primary server
               retry           Time elapsed before a slave will contact the primary server if a connection failed
               expire          Time till primary server information is considered invalid and should be refreshed if there is a new DNS query
               minimum         Time for DNS servers should hold domain information in their cache before purging

  IN           Indicate Internet.
  NS           Specify the Authoritative Nameservers for the domain.
  A            Specify the IP address associated with the host name.
               Format: hostname IN A XXX.XXX.XXX.XXX
               Note that in my example, no host name is specified for the first record. This will define the default for the domain.
  CNAME        Specify an alias for the host name.
  MX           Mail exchange record. Specify a priority number for the primary and backup mail servers. The lowest number indicates the default mail server for the domain.
  PTR          Used to specify the reverse DNS lookup.

MX records for 3rd party off-site mail servers:

  yourdomain.com.    IN   MX   10   mail1.offsitemail.com.
  yourdomain.com.    IN   MX   20   mail2.offsitemail.com.

Append to the above example file.
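The rules spelled out above (a $TTL line, a serial that stays below the 32-bit limit and is incremented on every change, trailing periods on fully qualified names, and MX records that name a host rather than an IP address) can be checked mechanically before the zone is loaded. The checker below is an added example, not part of the tutorial or of BIND; it parses the forward zone format shown above (including the parenthesised multi-line SOA) and reports violations. The sample zone is constructed from the example above, uses the 192.0.2.0/24 documentation range, and contains two deliberate faults.

```python
"""Check a BIND forward zone file against the SOA, naming and MX rules above."""
import re

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
MAX_SERIAL = 2147483647  # limit quoted in the SOA attribute table above


def _strip_comment(line):
    """Everything after ';' is a zone-file comment."""
    return line.split(";", 1)[0].rstrip()


def _logical_lines(text):
    """Join records that continue across lines inside '( ... )', as the SOA does."""
    out, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            out.append(" ".join(buf))
            buf = []
    return out


def parse_zone(text):
    """Return {'ttl': int|None, 'soa': dict|None, 'records': [(owner, type, rdata)]}.
    A record whose line starts with whitespace inherits the previous owner name."""
    zone = {"ttl": None, "soa": None, "records": []}
    owner = "@"
    for line in _logical_lines(text):
        toks = line.replace("(", " ").replace(")", " ").split()
        if toks[0] == "$TTL":
            zone["ttl"] = int(toks[1])
            continue
        if not line[0].isspace():
            owner = toks.pop(0)
        if toks and toks[0].upper() == "IN":
            toks.pop(0)
        if not toks:
            continue
        rtype, rdata = toks[0].upper(), toks[1:]
        if rtype == "SOA":
            mname, rname, serial, refresh, retry, expire, minimum = rdata[:7]
            zone["soa"] = {"mname": mname, "rname": rname, "serial": int(serial),
                           "refresh": int(refresh), "retry": int(retry),
                           "expire": int(expire), "minimum": int(minimum)}
        zone["records"].append((owner, rtype, rdata))
    return zone


def check_zone(text, published_serial=None):
    """Return a list of problems; published_serial is the serial the slaves already hold."""
    zone = parse_zone(text)
    problems = []
    if zone["ttl"] is None:
        problems.append("missing $TTL statement (required by Bind 9)")
    soa = zone["soa"]
    if soa is None:
        problems.append("missing SOA record")
    else:
        if soa["serial"] > MAX_SERIAL:
            problems.append("SOA serial %d exceeds %d" % (soa["serial"], MAX_SERIAL))
        if published_serial is not None and soa["serial"] <= published_serial:
            problems.append("SOA serial %d not incremented past published %d; "
                            "slaves will not pick up the change"
                            % (soa["serial"], published_serial))
        for name in (soa["mname"], soa["rname"]):
            if not name.endswith("."):
                problems.append("SOA name %s lacks the trailing period" % name)
    for owner, rtype, rdata in zone["records"]:
        if rtype not in ("NS", "MX", "CNAME"):
            continue
        target = rdata[-1]
        if rtype == "MX" and IPV4_RE.match(target):
            problems.append("MX for %s points at IP %s; an MX must name a host" % (owner, target))
        elif "." in target and not target.endswith("."):
            problems.append("%s target %s has no trailing period and would be read "
                            "as %s.<zone origin>" % (rtype, target, target))
    return problems


# Constructed sample: an unqualified NS target and an MX that names an IP address.
SAMPLE_ZONE = """\
$TTL 604800
yourdomain.com.  IN  SOA  ns1.yourdomain.com. hostmaster.yourdomain.com. (
        2000021600 ; serial
        86400      ; refresh
        7200       ; retry
        1209600    ; expire
        86400 )    ; minimum
        IN  A   192.0.2.1
        IN  NS  ns1.yourdomain.com.
        IN  NS  ns2.yourdomain.com
        IN  MX  5  mail
node1   IN  A   192.0.2.1
mail    IN  A   192.0.2.25
        IN  MX  5  192.0.2.25
www     IN  CNAME  node1
"""

if __name__ == "__main__":
    for problem in check_zone(SAMPLE_ZONE, published_serial=2000021600):
        print("-", problem)
```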
Initial configuration: Note that Red Hat may supply the default zone configuration in /usr/share/doc/bind-9.X.X/sample/var/named/

  cp /usr/share/doc/bind-9.X.X/sample/var/named/localhost.zone /var/named/chroot/var/named/data/
  cp /usr/share/doc/bind-9.X.X/sample/var/named/localdomain.zone /var/named/chroot/var/named/data/
  cp /usr/share/doc/bind-9.X.X/sample/var/named/named.broadcast /var/named/chroot/var/named/data/
  cp /usr/share/doc/bind-9.X.X/sample/var/named/named.ip6.local /var/named/chroot/var/named/data/
  cp /usr/share/doc/bind-9.X.X/sample/var/named/named.zero /var/named/chroot/var/named/data/
  cp /usr/share/doc/bind-9.X.X/sample/var/named/named.local /var/named/chroot/var/named/data/
  cp /usr/share/doc/bind-9.X.X/sample/var/named/named.root /var/named/chroot/var/named/data/
  cd /var/named/chroot/var/named/data/
  chcon -u system_u -r object_r -t named_cache_t localhost.zone localdomain.zone named.broadcast named.ip6.local named.zero named.root named.local

A file suffix of "zone" is also common i.e. yourdomain.com.zone

Secondary server (slave):

File: named.conf
  Red Hat / Fedora Core / CentOS: /etc/named.conf
  Ubuntu / Debian: /etc/bind/named.conf

Simple example with no views:

  options {                                  // Ubuntu stores options in /etc/bind/named.conf.options
      version "Bind";                        // Don't disclose real version to hackers
      directory "/var/named";
      allow-transfer { none; };              // Slave is not transferring updates to anyone else
      recursion no;
      auth-nxdomain no;                      // conform to RFC1035. (default)
      fetch-glue no;                         // Bind 8 only! Not used by version 9
  };
  zone "localhost" {
      type master;
      file "/etc/bind/db.local";             // Ubuntu: /etc/bind/db.local, Red Hat: /var/named/named.local
  };
  zone "0.0.127.in-addr.arpa" {
      type master;
      file "/etc/bind/db.127";
  };
  zone "yourdomain.com" {
      type slave;
      file "named.yourdomain.com";           // Specify slaves/named.yourdomain.com for RHEL 4/5 chrooted bind
      masters { XXX.XXX.XXX.XXX; };          // IP address of primary DNS
  };
  zone "yourdomain2.com" {
      type slave;
      file "named.yourdomain2.com";
      masters { XXX.XXX.XXX.XXX; };
  };

view "external": (slave)

  view "external"
  {
      match-clients { any; };
      match-destinations { any; };
      allow-transfer { none; };              // Slave does not transfer to anyone, slave receives
      recursion no;
      include "/etc/named.root.hints";
      zone "yourdomain.com" {
          type slave;
          file "/var/named/slaves/external/named.yourdomain.com";
          notify no;                         // Slave does not notify, slave is notified by master
          masters { XXX.XXX.XXX.XXX; };      // State IP of master server
      };
  };

Note: RHEL 4/5, CentOS 4/5, Fedora 3+ use chrooted directory structure permissions which require the use of the slaves subdirectory /var/named/chroot/var/named/slaves

Slave Zone Files: These are transferred from master to slave and cached by the slave. There is no need to generate a zone file on the slave.

Additional Information:
  Man page on named.conf
  Man page on named DNS server
  Full DNS manual

[Potential Pitfall]: Ubuntu dapper/hardy/natty - Path names used cannot violate AppArmor security rules as defined in /etc/apparmor.d/usr.sbin.named. Note that the slave files are typically named "/var/lib/bind/named.yourdomain.com" as permitted by the security configuration.

[Potential Pitfall]: Ubuntu dapper/hardy/natty - Create the log file and set ownership and permission for a file not created by the installation:

  touch /var/log/bindlog
  chown root.bind /var/log/bindlog
http://www.yolinux.com/TUTORIALS/LinuxTutorialWebSiteConfig.html
23/33
4/7/2015
LinuxWebServerandDomainConfigurationTutorial
chmod 664 /var/log/bindlog
[Potential Pitfall]: Error in /var/log/messages:
transfer of 'yolinux.com/IN' from XXX.XXX.XXX.XXX#53: failed while receiving responses: permission denied
Named needs write permission on the directory containing the file. This condition often occurs for a new "slave" or "secondary" name server wher
zone files do not yet exist.
The default (RHEL 4/5, CentOS 4/5, Fedora Core 3+, ...):
drwxr-x---  4 root  named 4096 Aug 25  2004 named
drwxrwx---  2 named named 4096 Sep 17 20:37 slaves
Fix: In named.conf specify that the slaves go to the slaves directory /var/named/chroot/var/named/slaves with the directive:
file "slaves/named.yourdomain.com";
Bind Defaults:
Uses port 53 if none is specified with the listen-on port statement.
Bind will use random ports above port 1024 for queries. For use with firewalls expecting all DNS traffic on port 53, specify the following
statement in /etc/named.conf:
query-source address * port 53;
query-source-v6 port 53;
Fixing the query source port to 53 also gives up source port randomisation, which Bind 9 relies on to make cache poisoning harder, so only pin it when the firewall really requires it.
Logging is to /var/log/messages
After the configuration files have been edited, restart the name daemon.
/etc/init.d/named restart
(Note: Ubuntu/Debian restart: /etc/init.d/bind9 restart)
Bind zone transfers work best if the clocks of the two systems are synchronised. See the YoLinux SysAdmin Tutorial: Time and ntpd
File: /var/named/named.yourdomain.com - This is created for you by Bind on the slave (secondary) server when it replicates from the primary server.
DNS GUI configuration:
RedHat EL 4/5, Fedora 2-10: /usr/bin/system-config-bind
RedHat 8/9, Fedora Core 1: /usr/bin/redhat-config-bind
Test DNS:
Must install packages:
RedHat/Fedora Core/SuSE: bind-utils
Ubuntu (dapper/hardy/natty)/Debian: bind9-host
Test the name server with the host command:
host node.domain-to-test.com your-name-server-to-test.domain.com
Note: The name server may also be specified by IP address.
or
Test the name server with the nslookup command in interactive mode:
nslookup
> server your-name-server-to-test.domain.com
> node.domain-to-test.com
> exit
Test the MX record if appropriate:
nslookup -querytype=mx domain-to-test.com
OR
host -t mx domain-to-test.com
Test using the dig command:
dig @name-server domain-to-query
OR
dig @IP-address-of-name-server domain-to-query
Test your DNS with the following DNS diagnostics web site: DnsStuff.com
Extra logging to monitor Bind:
Add the following to your /etc/named.conf file.
logging {
    channel bindlog {
        // Keep five old versions of the log file (rotates logs)
        file "/var/log/bindlog" versions 5 size 1m;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    /* If you want to enable debugging, e.g. using the 'rndc trace' command,
     * named will try to write the 'named.run' file in the $directory (/var/named).
     * By default, SELinux policy does not allow named to modify the /var/named directory,
     * so put the default debug log file in data/:
     */
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
    category xfer-out { bindlog; };          // Zone transfers
    category xfer-in { bindlog; };           // Zone transfers
    category security { bindlog; };          // Approved/unapproved requests
    // The following logging statements, panic, insist and response-checks are
    // valid for Bind 8 only. Do not use for version 9.
    category panic { bindlog; };             // System shutdowns
    category insist { bindlog; };            // Internal consistency check failures
    category response-checks { bindlog; };   // Messages
};
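With print-time, print-category and print-severity switched on, every line in /var/log/bindlog carries its category, so the "security" category can be watched for refused zone transfers. The script below is an added example, not part of the tutorial: it runs over constructed sample log lines (not a real server log) and counts denied AXFR requests per client, assuming Bind's "client IP#port: zone transfer 'zone/AXFR/IN' denied" message format.

```shell
#!/bin/sh
# Added example: count denied zone-transfer (AXFR) requests per client in a
# Bind log written by the "bindlog" channel above (print-time, print-category
# and print-severity enabled). Not part of the YoLinux tutorial.

# Constructed sample log lines; the format assumed is
#   <date> <time> <category>: <severity>: client <ip>#<port>: zone transfer '<zone>/AXFR/IN' denied
sample_log() {
    cat <<'EOF'
17-Sep-2015 20:37:01.101 xfer-in: info: transfer of 'yourdomain.com/IN' from 192.0.2.1#53: Transfer completed: 1 messages, 12 records, 512 bytes, 0.001 secs
17-Sep-2015 20:38:12.220 security: error: client 198.51.100.7#41233: zone transfer 'yourdomain.com/AXFR/IN' denied
17-Sep-2015 20:38:12.431 security: error: client 198.51.100.7#41240: zone transfer 'yourdomain2.com/AXFR/IN' denied
17-Sep-2015 20:39:45.002 security: error: client 203.0.113.9#5533: zone transfer 'yourdomain.com/AXFR/IN' denied
17-Sep-2015 20:40:00.000 security: info: client 192.0.2.1#53: query (cache) 'www.yourdomain.com/A/IN' denied
EOF
}

# denied_axfr_by_client LOGTEXT
# Prints "<count> <client-ip>" for every client that was refused a zone
# transfer, most frequent first. Only the security category is considered;
# the "#port:" suffix is stripped from the client field.
denied_axfr_by_client() {
    printf '%s\n' "$1" |
    awk '$3 == "security:" && /zone transfer .* denied/ {
             split($6, c, "#"); print c[1]
         }' |
    sort | uniq -c | sort -rn |
    awk '{ print $1, $2 }'
}

# alert_denied_axfr LOGTEXT THRESHOLD
# Prints the clients with at least THRESHOLD refused transfers, one per line.
alert_denied_axfr() {
    denied_axfr_by_client "$1" |
    awk -v limit="$2" '$1 >= limit { print $2 }'
}

# Stand-alone run: report on the sample data.
echo "Denied zone transfers per client:"
denied_axfr_by_client "$(sample_log)"
echo "Clients at or above 2 refusals:"
alert_denied_axfr "$(sample_log)" 2
```

On a live slave, replace the sample with `cat /var/log/bindlog` and run it from cron.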
Chroot Bind for extra security:
Note: Most modern Linux distributions default to a "chrooted" installation. This technique runs the Bind name service with a view of the file system
changes the definition of the root directory "/" to a directory in which Bind will operate, i.e. /var/named/chroot.
The following example uses the RedHat RPM bind-8.2.3-0.6.x.i386.rpm. Applies to Bind version 9 as well.
The latest RedHat bind updates run the named as user "named" to avoid a lot of earlier hacker exploits. To chroot the process is to create an even m
secure environment by limiting the view of the system that the process can access. The process is limited to the chrooted directory assigned.
The chroot of the named process to a directory under a given user will prevent the possibility of an exploit which at one time would result in
The original default RedHat configuration (6.2) ran the named process as root, thus if an exploit was found, the named process will allow the hack
the privileges of the root user. (no longer true)
Named Command Syntax:
named -u user -g group -t directory-to-chroot-to
Example:
named -u named -g named -t /opt/named
When chrooted, the process does not have access to system libraries, thus a local lib directory is required with the appropriate library files theoret
This does not seem to be the case here and as noted above in chrooted FTP. It's a mystery to me but it works???? Another method to handle librari
recompile the named binary with everything statically linked. Add -static to the compile options. The chrooted process should also require a loc
/etc/named.conf etc... but doesn't seem to???
Script to create a chrooted bind environment:
#!/bin/sh
cd /opt
mkdir named
cd named
mkdir etc
mkdir bin
mkdir var
cd var
mkdir named
mkdir run
cd ..
chown -R named.named bin etc var
You can probably stop here. If your system acts like a chrooted system should, then continue with the following:
cp -p /etc/named.conf etc
cp -p /etc/localtime etc
cp -p /bin/false bin
echo "named:x:25:25:Named:/var/named:/bin/false" > etc/passwd
echo "named:x:25:" > etc/group
touch var/run/named.pid
if [ -f /etc/namedb ]
then
    cp -p /etc/namedb etc/namedb
fi
mkdir dev
cd dev
# Create a character unbuffered file.
mknod -m ugo+rw null c 1 3
cd ..
chown -R named.named bin etc var
Add changes to the init script: /etc/rc.d/init.d/named
#!/bin/bash
#
# named           This shell script takes care of starting and stopping
#                 named (BIND DNS server).
#
# chkconfig: - 55 45
# description: named (BIND) is a Domain Name Server (DNS) \
# that is used to resolve host names to IP addresses.
# probe: true
# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0
[ -f /etc/sysconfig/named ] && . /etc/sysconfig/named
[ -f /usr/sbin/named ] || exit 0
[ -f /etc/named.conf ] || exit 0
RETVAL=0
start() {
    # Start daemons.
    echo -n "Starting named: "
    daemon named -u named -g named -t /opt/named   # Change made here
    RETVAL=$?
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/named
    echo
    return $RETVAL
}
stop() {
    # Stop daemons.
    echo -n "Shutting down named: "
    killproc named
    RETVAL=$?
    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/named
    echo
    return $RETVAL
}
rhstatus() {
    /usr/sbin/ndc status
    return $?
}
restart() {
    stop
    start
}
reload() {
    /usr/sbin/ndc reload
    return $?
}
probe() {
    # named knows how to reload intelligently; we don't want linuxconf
    # to offer to restart every time
    /usr/sbin/ndc reload >/dev/null 2>&1 || echo start
    return $?
}
# See how we were called.
case "$1" in
  start)
    start
    ;;
  stop)
    stop
    ;;
  status)
    rhstatus
    ;;
  restart)
    restart
    ;;
  condrestart)
    [ -f /var/lock/subsys/named ] && restart || :
    ;;
  reload)
    reload
    ;;
  probe)
    probe
    ;;
  *)
    echo "Usage: named {start|stop|status|restart|condrestart|reload|probe}"
    exit 1
esac
exit $?
Note: The current version of bind from the RedHat errata updates and security fixes (http://www.redhat.com/support/errata/) runs the named proce
user "named" in the home (not chrooted) directory /var/named with no shell available. (named -u named) This should be secure enough. Proceed wi
chrooted installation if you are paranoid.
See:
Securing DNS: How to use chroot bind features
Chrooted DNS configuration:
Modern releases of Linux (i.e. Fedora Core 3, Red Hat Enterprise Linux 4) come pre-configured to use "chrooted" bind. This security feature forces even
exploited version of bind to only operate within the "chrooted" jail /var/named/chroot which contains the familiar directories:
/var/named/chroot/etc: Configuration files
/var/named/chroot/dev: devices used by bind:
    /dev/null
    /dev/random
    /dev/zero
    (Real devices created with the mknod command.)
/var/named/chroot/var: Zone files and configuration information.
These directories are generated and configured by the RedHat/Fedora RPM package "bind-chroot".
If building from source you will have to generate this configuration manually:
mkdir -p /var/named/chroot
mkdir /var/named/chroot/dev
mknod /var/named/chroot/dev/null c 1 3
mknod /var/named/chroot/dev/zero c 1 5
mknod /var/named/chroot/dev/random c 1 8
chmod 666 -R /var/named/chroot/dev
mkdir -p /var/named/chroot/etc
ln -s /var/named/chroot/etc/named.conf /etc/named.conf
mkdir -p /var/named/chroot/var/named
ln -s /var/named/chroot/var/named/named.XXXX /var/named/named.XXXX
ln -s /var/named/chroot/var/named/named.YYYY /var/named/named.YYYY
...
mkdir -p /var/named/chroot/var/named/slaves
mkdir -p /var/named/chroot/var/named/data
mkdir -p /var/named/chroot/var/run
mkdir -p /var/named/chroot/var/tmp
chown -R named:named /var/named/chroot
chown -R root:named /var/named/chroot/var/named
Load Balancing of servers using Bind: DNS Round Robin
This will populate DNS caching name servers around the world with different IP addresses for your web server www.yourdomain.com
File: /var/named/data/named.yourdomain.com
$TTL 604800
yourdomain.com. IN SOA ns1.yourdomain.com. hostmaster.yourdomain.com.
...
...
www IN A 192.168.1.1
www IN A 192.168.1.2
www IN A 192.168.1.3
www IN A 192.168.1.4
www IN A 192.168.1.5
www IN A 192.168.1.6
Note:
This example will resolve the www.yourdomain.com URL to each of the IP addresses listed, one at a time for each request. First request wi
resolve to 192.168.1.1, the second request will resolve to 192.168.1.2, etc.
A perfectly even load balance is not possible because network service providers run DNS caching servers which hold the resolved IP addre
different number of users.
Using multiple CNAMEs to rotate records is no longer permissible in bind 9.
Listing a record multiple times with the same IP address will not change the load sharing. Bind will ignore duplicate records.
Reducing the time to live (TTL) will cause load sharing to take place more frequently, thus responding to a change in servers more quickly.
Also see lbnamed: lbnamed load balancing named
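The three notes above (one rotation per response, duplicate A records being ignored, more than one CNAME per name no longer allowed) can be checked on a zone file before it is loaded. The shell script below is an added example, not from the tutorial: it runs over a constructed zone file for yourdomain.com, lists the distinct addresses Bind will actually serve, reports duplicate A records and names carrying several CNAMEs, and shows the rotated answer order for the Nth response under the default cyclic ordering.

```shell
#!/bin/sh
# Added example (not from the YoLinux tutorial): lint a round-robin zone file
# for the two pitfalls noted above (duplicate A records, multiple CNAMEs for
# one name) and show the rotated answer order Bind's default cyclic ordering
# produces for each response.

# Constructed sample zone for yourdomain.com, with one duplicate A record
# and a name carrying two CNAMEs.
sample_zone() {
    cat <<'EOF'
$TTL 604800
yourdomain.com. IN SOA ns1.yourdomain.com. hostmaster.yourdomain.com. (
        2015040701 ; serial
        604800 86400 2419200 604800 )
        IN NS ns1.yourdomain.com.
www IN A 192.168.1.1
www IN A 192.168.1.2
www IN A 192.168.1.3
www IN A 192.168.1.2   ; duplicate - Bind ignores it
ftp IN CNAME www
ftp IN CNAME www2      ; second CNAME for the same name - not permitted
EOF
}

# Strip ";" comments so awk only sees record fields.
strip_comments() { sed 's/;.*//'; }

# distinct_a ZONETEXT NAME: the addresses Bind serves for NAME, duplicates
# dropped, on one space-separated line.
distinct_a() {
    printf '%s\n' "$1" | strip_comments |
    awk -v name="$2" '$1 == name && $2 == "IN" && $3 == "A" && !seen[$4]++ {
            out = out (out ? " " : "") $4
        } END { print out }'
}

# duplicate_a ZONETEXT: "<name> <address>" for each A record listed more than once.
duplicate_a() {
    printf '%s\n' "$1" | strip_comments |
    awk '$2 == "IN" && $3 == "A" { k = $1 " " $4; if (seen[k]++ == 1) print k }'
}

# multi_cname ZONETEXT: names that have more than one CNAME record.
multi_cname() {
    printf '%s\n' "$1" | strip_comments |
    awk '$2 == "IN" && $3 == "CNAME" { c[$1]++ } END { for (n in c) if (c[n] > 1) print n }'
}

# round_robin_order ZONETEXT NAME N: answer order for the Nth response (0-based)
# under rrset-order cyclic: the list rotates by one position each response.
round_robin_order() {
    printf '%s\n' "$1" | strip_comments |
    awk -v name="$2" -v n="$3" '
        $1 == name && $2 == "IN" && $3 == "A" && !seen[$4]++ { a[cnt++] = $4 }
        END {
            if (cnt == 0) exit
            start = n % cnt
            for (i = 0; i < cnt; i++) printf "%s%s", (i ? " " : ""), a[(start + i) % cnt]
            printf "\n"
        }'
}

# Stand-alone run over the sample zone.
echo "Served for www: $(distinct_a "$(sample_zone)" www)"
echo "Duplicate A records: $(duplicate_a "$(sample_zone)")"
echo "Names with several CNAMEs: $(multi_cname "$(sample_zone)")"
for n in 0 1 2 3; do echo "response $n: $(round_robin_order "$(sample_zone)" www $n)"; done
```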
Bind/DNS Links:
Internet Software Consortium (ISC) Home Page - ISC Bind Home
Zytrax Bind 9 manual - Bind for rocket scientists
comp.protocols.tcp-ip.domains FAQ - HTML version
mod_rewrite: page forwarding, load balancing and round robin schemes
LDP DNS HOWTO
DNS Security best practices - Cricket Liu (co-author of DNS and Bind)
DNS Security Paper - Craig Rowland
EveryDNS.net - Free DNS
Secondary.com - Free secondary name server hosting (five or fewer domains)
TZO.com - Dynamic, secondary DNS services.
OpenDNS.com - Can allow forwarding to OpenDNS servers.
Add to "options" section: forwarders { 208.67.222.222; 208.67.222.220; };
DynDNS: dyn.com
Command: ipcheck.py -i eth0 DynDNS-userid password node.dnsalias.net
Then add script update.dyndns.ip to directory /etc/cron.daily/ to update the IP.
This host must also be allowed access through any firewall rules.
DynDNS.com - Dynamic DNS for those with dynamic IP addresses. (i.e. dial-up game servers etc.)
Domain name registration:
Domain Name Registrars:
NetworkSolutions.com
Register.com
Registrar.GoDaddy.com - Domain name registration for only $8.95/year!!!
Dotster.com - Domain name registration for only $14.95/year
DomainsNext.com - $11.95/year
EasyDNS.com - $25.00/year
Gandi.net - European
AfterNic.com - Domain name exchange and auction.
BuyDomains.com - Buy a domain name that a squatter is holding.
Note that the name registration policies for the registrars are stated at ICANN.org.
You must renew with the same registrar within five days BEFORE the expiration date. There is no rule for afterwards.
Most free a domain name 30 days after it expires.
Web Server Load Balancing:
Load balancing becomes important if your traffic volume becomes too great for either your server or network connection or both. Multiple options are av
for load balancing.
DNS round robin: Discussed above, this uses DNS to point users to a random server in a list of appropriate servers. This spreads the load among the
in the list.
Use a Linux Virtual Server to Create a Load Balance Cluster. See the next section below.
Run a reverse proxy. See nginx ("engine X"). From a single external internet network connection, route http, smtp, imap or pop3 traffic to various
on an internal network. Results are pushed back to the nginx proxy for routing to the internet (no caching).
Run the Apache httpd web server module "mod_proxy" to offload processing of dynamic content to another web server. This acts as a reverse prox
routing external traffic to various servers on an internal network.
Using a Linux Virtual Server to Create a Load Balance Cluster:
You can use a single Linux server to forward requests to a cluster of servers using iptables for IP masquerading and ipvsadm to scale your load. The loa
balancing server receiving and routing the requests is called the "Linux Virtual Server" (LVS). The LVS receives the requests which are passed to the rea
servers which process and reply to the request. This reply is forwarded to the client by the LVS.
This feature is available with the Linux 2.4/2.6 kernel. (If compiling the kernel: Networking Options + IP: Virtual Server Configuration)
Configuration: This example will load balance http traffic to three web servers and ftp traffic to a fourth server.
Enable Forwarding: (Also see YoLinux Networking Tutorial: Enable Forwarding)
echo "1" > /proc/sys/net/ipv4/ip_forward
Enable IP Masquerading:
iptables -t nat -P POSTROUTING DROP
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
For more on IP Masquerading, iptables and subnet addresses, see the YoLinux network gateway tutorial.
Enable virtual server:
Create virtual service and choose scheduler for http (80) and ftp (21):
ipvsadm -A -t 66.218.88.103:80 -s wlc
ipvsadm -A -t 66.218.88.103:21 -s wrr
Command directives:
-A: Add a virtual service defined by IP address, port number, and protocol.
-t: Use TCP service host:port
-s: scheduler:
    rr: Round Robin: distributes jobs equally amongst the available real servers.
    wrr: Weighted Round Robin.
    lc: Least Connection: assigns more jobs to real servers with fewer active jobs.
    wlc: (Default) Weighted Least Connection: assigns more jobs to servers with fewer jobs and relative to the real server's
    lblc, lblcr, dh, sh, sed, nq. See man page.
Configure load balancing cluster.
ipvsadm -a -t 66.218.88.103:80 -r 176.168.1.1:80 -m
ipvsadm -a -t 66.218.88.103:80 -r 176.168.1.2:80 -m -w 2
ipvsadm -a -t 66.218.88.103:80 -r 176.168.1.3:80 -m
ipvsadm -a -t 66.218.88.103:21 -r 176.168.1.4:21 -m
Command directives:
-r: Real server.
-m: Use masquerading, also known as network address translation (NAT)
-w: Weight is an integer specifying the capacity of a server relative to the others in the pool. The valid values of weight are
to 65535. The default is 1.
Links:
LinuxVirtualServer.org
iptables - Administration tool for IPv4 packet filtering and NAT
ipvsadm - Administer the routing table on a Linux Virtual Server.
Managing Web Server Daemons:
To view if these services are running, type ps aux and look for the httpd, inetd and named services (daemons). These are background processes necessa
perform the server tasks.
root       681  0.0  0.5  2304  744 ?  S  Sep09  0:01 named
nobody   28123  0.0  1.1  3036 1420 ?  S  Oct06  0:00 httpd
nobody   28186  0.0  0.7  3044  896 ?  S  Oct06  0:00 httpd
root       385  0.0  0.1  1136  232 ?  S  Sep09  0:00 inetd
A new installation will most likely NOT start the named background process, which may be started manually after configuration.
See the YoLinux Init Process Tutorial for more information.
The inetd (or xinetd) background process is the Internet daemon which starts FTP when an ftp request is made.
SysAdmin Script:
Script to prepare an account: (RedHat/Fedora)
#!/bin/sh
# Author: Greg Ippolito
# Requires: /opt/etc/AccountDefaults/ path - msg favicon.ico mwhmini_tr.gif etc.
#           /opt/bin/ftponly
# You must be root to run this script.
#
if [ $# -eq 0 ]
then
    echo "Enter userid as a command argument"
elif [ -r /home/$1 ]
then
    echo "User's home directory already exists"
else
    echo "1) Create user."
    adduser -m $1
    echo "2) Set user Password."
    passwd $1
    echo "3) Add read access to user directory so apache can read it."
    cd /home
    chmod ugo+rx $1
    cd $1
    echo "4) Create web directories."
    mkdir public_html
    chown $1.$1 public_html
    chcon -R -h -u system_u -r object_r -t httpd_sys_content_t public_html
    cd public_html
    mkdir images
    chown $1.$1 images
    chcon -R -h -u system_u -r object_r -t httpd_sys_content_t images
    # Block potential for unauthenticated logins
    cd ../
    touch .rhosts
    chmod ugo-xrw .rhosts
    echo "5) Create default web page"
    sed "/HEADING/s!HEADING!$1!" /opt/etc/AccountDefaults/default-index.html > index.html
    cp -p /opt/etc/AccountDefaults/favicon.ico .
    cp -p /opt/etc/AccountDefaults/default-logo.gif ./images
    cp -p /opt/etc/AccountDefaults/robots.txt .
    chown $1.$1 index.html favicon.ico robots.txt
    chcon -R -h -t httpd_sys_content_t index.html favicon.ico robots.txt
    chcon -R -h -t httpd_sys_content_t images/default-logo.gif
    echo "6) Edit /etc/passwd file - change user shell to /opt/bin/ftponly"
    cp -p /etc/passwd /etc/passwd-`date +%m%d%y`
    # Anchor on "user:" so that a user name that is a prefix of another (e.g. bob/bobby) is not also changed.
    sed "/^$1:/s!/bin/bash!/opt/bin/ftponly!" /etc/passwd-`date +%m%d%y` > /etc/passwd
    # wu-ftp # Requires: /etc/ftpaccess guestuser restricted-uid
    # wu-ftp # echo "7) Add user to /etc/ftpaccess file"
    # wu-ftp # cp -p /etc/ftpaccess /etc/ftpaccess-`date +%m%d%y`
    # wu-ftp # sed "/^guestuser/s!guestuser!guestuser $1!" /etc/ftpaccess-`date +%m%d%y` > /etc/ftpaccess
    # wu-ftp # sed "/^restricted-uid/s!restricted-uid!restricted-uid $1!" /etc/ftpaccess-`date +%m%d%y` > /etc/ftpaccess
    # wu-ftp # echo "guest-root /home/$1/public_html $1" >> /etc/ftpaccess
    echo "7) Add user to vsftpd chroot list"
    # Append the user name itself (the original "cat `echo $1`" tried to read a file named after the user).
    echo $1 >> /etc/vsftpd/vsftpd.chroot_list
    echo "8) Setting Disk Quotas to default 50Mb limit:"
    # Use user johndoe as a prototype.
    edquota -p johndoe $1
    echo "9) Admin Follow-up:"
    echo "   Modify quota.user if different than default"
    echo "   Make changes to Bind name services on dns1 and dns2 if necessary"
    echo "   Change /etc/httpd/conf/httpd.conf or"
    echo "   add config to /etc/httpd/conf.d/ if using a new domain name"
    echo "   Add email aliases to mail server if necessary"
fi
FYI: Sample robots.txt files:
yolinux.com/robots.txt
USC.edu/robots.txt
Useful links and resources:
Linux Init Process - YoLinux.com tutorial
Setting up an Apache redirect - YoLinux.com tutorial
Apache Documentation
LDP How-To Guides:
DNS HOWTO - DNS administration - Nicolai Langfeldt
Securing Domain HOWTO
ISP Setup RedHat - Using Linux to host an ISP - Anton Chuvakin
Linux Networking Overview HOWTO - Daniel Lopez Ridruejo
Virtual Services HOWTO - DNS, FTP, Apache, Mail (POP, Qmail, Sendmail), Syslogd and Samba
WWW HOWTO - Setting up Apache services
WWW mSQL HOWTO
List of Internet Exchanges [map and list] - An Internet Exchange (IX) is a junction between multiple principal Internet communication lines.
at or close to an IX will have your best ability to handle traffic and your lowest latencies.
description of IX
Setting up a mail server - YoLinux Tutorial
Books:
"Ubuntu Unleashed 2013 edition:"
Covering 12.10 and 13.04 (8th Edition)
by Matthew Helmke, Andrew Hudson and Paul Hudson
Sams Publishing, ISBN# 0672336243
(Dec 15, 2012)
"Ubuntu Unleashed 2012 edition:"
Covering 11.10 and 12.04 (7th Edition)
by Matthew Helmke, Andrew Hudson and Paul Hudson
Sams Publishing, ISBN# 0672335786
(Jan 16, 2012)
"Ubuntu Unleashed 2011 edition:"
Covering 10.10 and 11.04 (6th Edition)
by Matthew Helmke, Ryan Troy, Andrew Hudson and Paul Hudson
Surfing Turtle Press, ISBN# 0672333449
(Dec 24, 2010)
"Fedora 18 Desktop Handbook"
by Richard Petersen
Surfing Turtle Press, ISBN# 1936280639
(Mar 6, 2013)
"Fedora 18 Networking and Servers"
by Richard Petersen
Surfing Turtle Press, ISBN# 1936280698
(March 29, 2013)
"Fedora 14 Desktop Handbook"
by Richard Petersen
Surfing Turtle Press, ISBN# 1936280167
(Nov 30, 2010)
"Fedora 14 Administration and Security"
by Richard Petersen
Surfing Turtle Press, ISBN# 1936280221
(Jan 6, 2011)
"Fedora 14 Networking and Servers"
by Richard Petersen
Surfing Turtle Press, ISBN# 1936280191
(Dec 26, 2010)
"Practical Guide to Ubuntu Linux (Versions 8.10 and 8.04)"
by Mark Sobell
Prentice Hall PTR, ISBN# 0137003889
2nd edition (January 9, 2009)
"Fedora 10 and Red Hat Enterprise Linux Bible"
by Christopher Negus
Wiley, ISBN# 0470413395
"Red Hat Fedora 6 and Enterprise Linux Bible"
by Christopher Negus
Sams, ISBN# 047008278X
"Fedora 7 & Red Hat Enterprise Linux: The Complete Reference"
by Richard Petersen
Sams, ISBN# 0071486429
"Red Hat Fedora Core 6 Unleashed"
by Paul Hudson, Andrew Hudson
Sams, ISBN# 0672329298
"Red Hat Linux Fedora 3 Unleashed"
by Bill Ball, Hoyt Duff
Sams, ISBN# 0672327082
"Red Hat Linux 9 Unleashed"
by Bill Ball, Hoyt Duff
Sams, ISBN# 0672325888
May 8, 2003
I have the Red Hat 6 version and I have found it to be very helpful. I have found it to be way more complete than
the other Linux books. It is the most complete general Linux book in publication. While other books in the
"Unleashed" series have disappointed me, this book is the best out there.
"Apache Server Bible 2"
by Mohammed J. Kabir
ISBN# 0764548212, Hungry Minds
This book is very complete, covering all aspects in detail. It is not your basic reprint of the apache.org documents
like so many others.
"Pro DNS and Bind"
by Ronald Aitchison
Apress, ISBN# 1590594940
Copyright 2000-2014 by Greg Ippolito