Difference between revisions of "The Perfect Small Business Server(+Failover)"

From ArchWiki
(Not fit in the main page.)
(Arch Linux Installation:: Deleted. This section is duplicate to existing pages.)
Line 23: Line 23:
*'''ha2.example.dom''' ====> '''''' (Hostname / IP of our 2nd "Virtual/H.A" Address)
=Arch Linux Installation:=
Here is a quick overview of instructions for a very basic arch linux installation that will work with this guide, if you already have arch linux setup, chances are you only need to change your hostname in /etc/rc.conf & edit: /etc/hosts, here we go:
'''Boot from CD & begin the Arch Linux Installation (AIF):'''
# {{ic|[root@myhost ~] /arch/setup}}
'''Perform A regular Installation, with the following options (NOT IN ORDER):'''
*'''TIMEZONE:''' Your Local Time (Regular/Hardware Clock, NOT NTP)
*'''NET INSTALL:''' We will use DHCP initially, and input our static info after reboot'' (optionally, set up static now).''
*'''MIRROR:''' Choose the fastest IN-SYNC mirror, see: http://www.archlinux.org/mirrors/status/
*'''PACKAGES:''' Select BOTH Base & Base-Devel Package/Groups '''(MANDATORY)'''
*'''PARTITIONING:''' Use GUIDED/Entire Disk Partitioning, Make Swap 1/2 the of amount of RAM. Use Defaults for /boot, /home, /
*'''CONFIGURATION:''' After Package install, DON'T configure anything, just set ROOT PASSWORD
*'''BOOTLOADER:''' USE/SET UP GRUB boot loader(Usually you will install on SDA)
'''REBOOT:''' the machine, and '''REMOVE''' the installation disc.
# {{ic|[root@myhost ~] reboot}}
==Network Configuration==
We will now go over basic Networking setup so we can bring both our nodes online, get them up-to-date, and connect to them from another location via SSH, if your machine is already up & running with networking, please feel free to skip this section, just make sure you have the proper definitions in /etc/hosts & the proper hostname in /etc/rc.conf, now, here we go:
'''EDIT: /etc/rc.conf so that it reflects the proper hostnames, your hostnames should be: node1 for your first machine, node2 for the second:
# {{ic|[root@myhost ~] nano /etc/rc.conf}}
DAEMONS=(hwclock syslog-ng dbus network netfs crond)
'''EDIT: /etc/hosts so that it reflects the proper hostnames, domain names & IP addresses for our cluster:
# {{ic|[root@myhost ~] nano /etc/hosts}}
# /etc/hosts: static lookup table for host names
#<ip-address>  <hostname.domain.org>  <hostname>      localhost.localdomain  localhost
::1            localhost.localdomain  localhost  node1.example.dom      node1  node2.example.dom      node2  ha1.example.dom        ha1  ha2.example.dom        ha2
'''REBOOT: To set the proper HostNames / DomainNames & bring up networking:
# {{ic|[root@myhost ~] reboot}}
==Pacman Configuration==
We will now Upgrade our pacman package manager database, check that we are using the proper repositories & insure that our system is up-to-date, we will only be using the stable repo's for our two nodes, please do not enable any of the testing repositories and complain that something is not working! you've been warned! ;P here we go:
'''INPUT: the following commands to upgrade our pacman-database:'''
# {{ic|[root@node(1/2) ~] pacman-db-upgrade}}
'''EDIT: the /etc/pacman.conf file to make sure that we are using the proper repositories:'''
# {{ic|[root@myhost ~] nano /etc/pacman.conf}}
# The testing repositories are disabled by default. To enable, uncomment the
# repo name header and Include lines. You can add preferred servers immediately
# after the header, and they will be used before the default mirrors.
#Include = /etc/pacman.d/mirrorlist
Include = /etc/pacman.d/mirrorlist
Include = /etc/pacman.d/mirrorlist
#Include = /etc/pacman.d/mirrorlist
Include = /etc/pacman.d/mirrorlist
# An example of a custom package repository.  See the pacman manpage for
# tips on creating your own repositories.
#Server = file:///home/custompkgs
{{note| if you are on a 64bit/x86_64 system/architecture, you may wish to ADD: the multilib repository for 64bit packages '''LIKE THIS''':
{{hc|/etc/pacman.conf (64BIT ONLY)|2=
# The testing repositories are disabled by default. To enable, uncomment the
# repo name header and Include lines. You can add preferred servers immediately
# after the header, and they will be used before the default mirrors.
#Include = /etc/pacman.d/mirrorlist
Include = /etc/pacman.d/mirrorlist
Include = /etc/pacman.d/mirrorlist
#Include = /etc/pacman.d/mirrorlist
Include = /etc/pacman.d/mirrorlist
# If you want to run 32 bit applications on your x86_64 system,
# enable the multilib repositories as required here.
#Include = /etc/pacman.d/mirrorlist
Include = /etc/pacman.d/mirrorlist
# An example of a custom package repository.  See the pacman manpage for
# tips on creating your own repositories.
#Server = file:///home/custompkgs
'''INPUT: the following command to download our enabled repositories & insure that our system is fully up-to-date:'''
# {{ic|[root@node(1/2) ~] pacman -Syu}}
'''REBOOT: Once more, just for good measure(probably not neccesary):'''
# {{ic|[root@node(1/2) ~] reboot}}
'''You should now have a very basic Arch Linux installation up & running on both of your machines/nodes, if you have any trouble installing Arch Linux, or need further assistance, see the OFFICIAL Arch Linux INSTALLATION Guide here: https://wiki.archlinux.org/index.php/Beginners%27_Guide
=Install & Configure SSH:=
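Review bot: removing the whole "Arch Linux Installation" section also removes the only place on this page that sets HOSTNAME in /etc/rc.conf and lists the node1/node2/ha1/ha2 entries in /etc/hosts, and the sections that survive still depend on both (the SSH section edits the same DAEMONS array in /etc/rc.conf, and the vhost ServerName/ServerAdmin entries use the example.dom names). Suggest leaving a one-line pointer where the section was, e.g. "set HOSTNAME=node1/node2 in /etc/rc.conf, add the four hosts to /etc/hosts, and see the Beginners' Guide for the base install", so the page still works as a standalone walkthrough.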

Revision as of 13:32, 30 May 2012

This article or section is a candidate for merging with Small Business Server.

Notes: after merging, redirect this page to Small Business Server.

This article or section needs language, wiki syntax or style improvements.

In this guide we will build ourselves a redundant, highly available home/small business server (cluster). We will use two physical nodes (computers) running exactly the same services in an active/passive (master/slave, failover) Heartbeat "cluster", and we will refer to these two computers as "node1" and "node2". As I am writing this guide the latest Arch Linux install image is Arch_2010_05 (I am using the 32bit/i686 image), though I imagine we are soon due for a new image. Again, this article was written on 08/14/2011, August 14th, 2011. I will personally vouch for the accuracy of this article: I developed it step by step on my own personal servers and have since rebuilt both machines following it to the letter; they are 100% functional, fairly secure, and my "Highly Available" services have not had a single moment of downtime since they were first powered on.


On each node we will install and set up the following services/daemons:

  • DNS: BIND in a chroot, with the ProBIND PHP web GUI to edit DNS zones.
  • Web: Apache, with SSL.
  • PHP: PHP5.
  • Database: MySQL(i), with the phpMyAdmin web GUI to create/edit/delete databases and users.
  • IMAP/POP3(S): Dovecot for incoming mail/accounts (with secure IMAP/POP3 over SSL).
  • SMTP(S): Postfix for outgoing mail (+Dovecot-SSL, with the PostfixAdmin web GUI).
  • RoundCubeMail: simple, sleek webmail/web GUI with sieve/spam filters and identities.
  • Horde: open source groupware and mail web GUI, similar to M$ Exchange in features/functionality.
  • Firewall: iptables with the UFW (Uncomplicated Firewall) front end (optionally with UFW's GTK GUI, GUFW).

Following are the IP addresses, hostnames and domain name we will use to refer to our machines; change these to suit your own needs. For this guide we will have TWO "virtual/shared" highly available/failover IP addresses and hostnames/domains, because some DNS registrars require a MINIMUM of TWO unique nameservers. If yours does NOT, you may use a single HA address such as 'ha.example.com==>'. For this guide our addresses will be:

  • node1.example.dom ==> (Hostname / IP of our 1st Machine)
  • node2.example.dom ==> (Hostname / IP of our 2nd Machine)
  • ha1.example.dom ====> (Hostname / IP of our 1st "Virtual/H.A" Address)
  • ha2.example.dom ====> (Hostname / IP of our 2nd "Virtual/H.A" Address)

Install & Configure SSH:

We will now install SSH/OpenSSH so that we can connect to our nodes from a third machine and manage the rest of the installation/configuration from one (single) keyboard/mouse/monitor. You may continue to work in your current environment if you like, but you should still install and configure ssh:

INPUT: the following command to install SSH/OpenSSH:

# [root@node(1/2) ~] pacman -S openssh

EDIT: the file /etc/ssh/sshd_config and make sure that the following lines are UNCOMMENTED/MADE ACTIVE:

Port 22
AddressFamily any
PermitRootLogin yes
ChallengeResponseAuthentication no
UsePAM yes

# override default of no subsystems
Subsystem	sftp	/usr/lib/ssh/sftp-server

INPUT: the following command to test & make sure ssh/sshd is working:

# [root@node(1/2) ~] /etc/rc.d/sshd start
Note: if you have any problems configuring SSH/SSHD/sshd_config file see: https://wiki.archlinux.org/index.php/SSH

EDIT: the file: /etc/rc.conf and add sshd to the END of your daemons array so that our SSH Server starts at boot-time:

DAEMONS=(hwclock syslog-ng logd dbus network netfs crond sshd)

You should now have your SSH server/daemon up and running, continue on to the next step!
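A check worth running before restarting sshd, added here as an example and not code from the ArchWiki page: it reports the value sshd will actually use for each keyword in sshd_config (sshd honours the first occurrence and ignores later duplicates) and compares them with the lines the guide asks for. The sample config embedded below is constructed for the demonstration; a real run would point it at /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the ArchWiki page): report the values sshd will
# actually use from sshd_config. sshd honours the FIRST occurrence of a
# keyword and ignores later duplicates, so a hardening line appended at the
# end of the file silently loses to an earlier one. The sample config below
# is constructed for this demonstration.

SAMPLE_SSHD_CONFIG='# constructed sample of /etc/ssh/sshd_config
Port 22
AddressFamily any
PermitRootLogin yes
#PermitRootLogin no
ChallengeResponseAuthentication no
UsePAM yes

# override default of no subsystems
Subsystem	sftp	/usr/lib/ssh/sftp-server
# appended later to restrict root to key logins: IGNORED, the earlier "yes" wins
PermitRootLogin without-password
'

# sshd_effective FILE KEYWORD
# Prints the first non-comment value for KEYWORD (keyword match is
# case-insensitive, as in sshd); prints "<default>" and returns 1 if the
# keyword never appears, i.e. sshd's compiled-in default applies.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
        tolower($1) == key {
            $1 = ""; sub(/^[[:space:]]+/, "")  # drop the keyword, keep the value
            print; found = 1; exit
        }
        END { if (!found) { print "<default>"; exit 1 } }
    ' "$1"
}

# check_sshd_config FILE
# Compares the effective values with the lines the guide asks for and returns
# the number of mismatches (0 = all good), so it can gate a restart:
#   check_sshd_config /etc/ssh/sshd_config && /etc/rc.d/sshd restart
check_sshd_config() {
    mismatches=0
    for pair in Port=22 AddressFamily=any PermitRootLogin=yes \
                ChallengeResponseAuthentication=no UsePAM=yes; do
        key=${pair%%=*}; want=${pair#*=}
        have=$(sshd_effective "$1" "$key") || true
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $key: effective '$have', guide expects '$want'"
            mismatches=$((mismatches + 1))
        fi
    done
    return "$mismatches"
}

# Demo with the constructed sample (a real run would pass /etc/ssh/sshd_config).
demo=${TMPDIR:-/tmp}/sshd_config.sample.$$
printf '%s' "$SAMPLE_SSHD_CONFIG" > "$demo"
echo "effective PermitRootLogin: $(sshd_effective "$demo" PermitRootLogin)"
check_sshd_config "$demo" && echo "sshd_config matches the guide" || echo "$? mismatch(es)"
rm -f "$demo"
```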

Install Apache, PHP & MySQL:

We will now install and configure Apache with PHP and MySQL. We will do this in two sections: first we install and configure the basic Apache settings, then we install PHP and create a number of "vhost.conf" style files that Apache needs for a PROPER setup of RoundCubeMail, phpMyAdmin, PHP, ProBIND, MySQL, etc. Because we will be telling Apache to use things like PHP, phpMyAdmin, RoundCubeMail, ProBIND, MySQL, PostfixAdmin, Horde, etc., it (may) not start UNTIL all of those packages have been downloaded, unpacked and installed in their proper places. IF YOU DECIDE NOT TO USE A SPECIFIC WEBAPP/PACKAGE DESCRIBED IN THIS GUIDE, SIMPLY DO NOT PUT AN "Include packagename" LINE FOR IT IN /etc/httpd/conf/httpd.conf. Here we go!

INPUT: the following command to install apache, php & MySQL:

# [root@node(1/2) ~] pacman -S apache php-apache php mysql

Configure Apache:

CHECK: that the user and group http exist (http:http) with:

# [root@node(1/2) ~] grep http /etc/passwd

INPUT: the following to create the user and group http (if they do not already exist):

# [root@node(1/2) ~] useradd -d /srv/http -r -s /bin/false -U http

EDIT: the file /etc/httpd/conf/httpd.conf: we will UNCOMMENT/MAKE ACTIVE the ENTIRE LoadModule LIST, and add a LoadModule line for PHP5 at the end of that list:

# [root@node(1/2) ~] nano /etc/httpd/conf/httpd.conf 
ServerRoot "/etc/httpd"
Listen 80
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_dbd_module modules/mod_authn_dbd.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule file_cache_module modules/mod_file_cache.so
LoadModule cache_module modules/mod_cache.so
LoadModule disk_cache_module modules/mod_disk_cache.so
LoadModule mem_cache_module modules/mod_mem_cache.so
LoadModule dbd_module modules/mod_dbd.so
LoadModule dumpio_module modules/mod_dumpio.so
LoadModule reqtimeout_module modules/mod_reqtimeout.so
LoadModule ext_filter_module modules/mod_ext_filter.so
LoadModule include_module modules/mod_include.so
LoadModule filter_module modules/mod_filter.so
LoadModule substitute_module modules/mod_substitute.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule log_forensic_module modules/mod_log_forensic.so
LoadModule logio_module modules/mod_logio.so
LoadModule env_module modules/mod_env.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule cern_meta_module modules/mod_cern_meta.so
LoadModule expires_module modules/mod_expires.so
LoadModule headers_module modules/mod_headers.so
LoadModule ident_module modules/mod_ident.so
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule version_module modules/mod_version.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule mime_module modules/mod_mime.so
LoadModule dav_module modules/mod_dav.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule asis_module modules/mod_asis.so
LoadModule info_module modules/mod_info.so
LoadModule suexec_module modules/mod_suexec.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule cgid_module modules/mod_cgid.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule imagemap_module modules/mod_imagemap.so
LoadModule actions_module modules/mod_actions.so
LoadModule speling_module modules/mod_speling.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule php5_module modules/libphp5.so
User http
Group http
ServerAdmin root@example.dom
DocumentRoot "/srv/http"
TypesConfig conf/mime.types
MIMEMagicFile conf/magic
Note: make sure you put the IP address of node1 in the ServerName line of httpd.conf on node1, and the IP address of node2 in the ServerName line on node2!

EDIT: the file /etc/httpd/conf/httpd.conf: we will now ADD Include LINES for the 'supplementary configurations' in /etc/httpd/conf/extra/httpd-*packagename*.conf, one for each web app we will install (e.g. RoundCubeMail), and uncomment some of the already existing Include lines. The Include lines for the web apps (PHP 5, phpMyAdmin, PostfixAdmin, RoundCubeMail, ProBIND and Horde) have been ADDED, so the list should look like this:

# [root@node(1/2) ~] nano /etc/httpd/conf/httpd.conf 
# Supplemental configuration
# The configuration files in the conf/extra/ directory can be 
# included to add extra features or to modify the default configuration of 
# the server, or you may simply copy their contents here and change as 
# necessary.

# Server-pool management (MPM specific)
#Include conf/extra/httpd-mpm.conf

# Multi-language error messages
Include conf/extra/httpd-multilang-errordoc.conf

# Fancy directory listings
Include conf/extra/httpd-autoindex.conf

# Language settings
Include conf/extra/httpd-languages.conf

# User home directories
Include conf/extra/httpd-userdir.conf

# Real-time info on requests and configuration
#Include conf/extra/httpd-info.conf

# Virtual hosts
Include conf/extra/httpd-vhosts.conf

# Local access to the Apache HTTP Server Manual
#Include conf/extra/httpd-manual.conf

# Distributed authoring and versioning (WebDAV)
#Include conf/extra/httpd-dav.conf

# Various default settings
Include conf/extra/httpd-default.conf

# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf

# Php 5 vhost-configuration
Include conf/extra/php5_module.conf

#phpMyAdmin vhost-configuration
Include conf/extra/httpd-phpmyadmin.conf

#postfixAdmin vhost-configuration
Include conf/extra/httpd-postfixadmin.conf

#roundcubemail vhost-configuration
Include conf/extra/httpd-roundcubemail.conf

#ProBIND vhost-configuration
Include conf/extra/httpd-probind.conf

#HORDE vhost-configuration
Include conf/extra/httpd-horde.conf

# Note: The following must must be present to support
#       starting without SSL on platforms with no /dev/random equivalent
#       but a statically compiled-in mod_ssl.
Note: these files do not exist yet, we will create them.

EDIT: the file /etc/httpd/conf/mime.types: we must now ADD a "MIME type" for PHP/PHP5. This file is in ALPHABETICAL ORDER; add the php mime.type line as I have, in the location shown:

# [root@node(1/2) ~] nano /etc/httpd/conf/mime.types 
application/pdf                                 pdf
application/pgp-encrypted                       pgp
# application/pgp-keys
application/pgp-signature                       asc sig
application/x-httpd-php                         php
application/pics-rules                          prf
# application/pidf+xml
# application/pidf-diff+xml
application/pkcs10                              p10
application/pkcs7-mime                          p7m p7c

EDIT: the file /etc/httpd/conf/extra/httpd-default.conf so that the given lines read as follows:

# [root@node(1/2) ~] nano /etc/httpd/conf/extra/httpd-default.conf
UseCanonicalName Off
ServerTokens Prod
ServerSignature Off
HostnameLookups On

We must now CREATE all of the 'vhost style files' we referenced in httpd.conf with the Include conf/extra/* lines, inside the directory /etc/httpd/conf/extra/. Here we go:

# [root@node(1/2) ~] nano /etc/httpd/conf/extra/httpd-phpmyadmin.conf
Alias /phpmyadmin "/usr/share/webapps/phpMyAdmin"
	<Directory "/usr/share/webapps/phpMyAdmin">
		AllowOverride All
		Options FollowSymlinks
		Order allow,deny
		Allow from all
		php_admin_value open_basedir "/srv/:/tmp/:/usr/share/webapps/:/etc/webapps:/usr/share/pear/"
	</Directory>
# [root@node(1/2) ~] nano /etc/httpd/conf/extra/httpd-postfixadmin.conf
Alias /postfixadmin "/usr/share/webapps/PostfixAdmin"
	<Directory "/usr/share/webapps/PostfixAdmin">
		AllowOverride All
		Options FollowSymlinks
		Order allow,deny
		Allow from all
		php_admin_value open_basedir "/srv/:/tmp/:/usr/share/webapps/:/etc/webapps:/usr/share/pear/"
	</Directory>
# [root@node(1/2) ~] nano /etc/httpd/conf/extra/httpd-roundcubemail.conf
Alias /roundcubemail "/usr/share/webapps/RoundCubeMail"
	<Directory "/usr/share/webapps/RoundCubeMail">
		AllowOverride All
		Options FollowSymlinks
		Order allow,deny
		Allow from all
		php_admin_value open_basedir "/srv/:/tmp/:/usr/share/webapps/:/etc/webapps:/usr/share/pear/"
	</Directory>
# [root@node(1/2) ~] nano /etc/httpd/conf/extra/httpd-probind.conf
Alias /probind "/usr/share/webapps/ProBIND"
	<Directory "/usr/share/webapps/ProBIND">
		AllowOverride All
		Options FollowSymlinks
		Order allow,deny
		Allow from all
		php_admin_value open_basedir "/srv/:/tmp/:/usr/share/webapps/:/etc/webapps:/usr/share/pear/"
	</Directory>
# [root@node(1/2) ~] nano /etc/httpd/conf/extra/httpd-horde.conf
# the Alias target and the Directory path must name the same directory
Alias /horde "/usr/share/webapps/horde"
	<Directory "/usr/share/webapps/horde">
		AllowOverride All
		Options FollowSymlinks
		Order allow,deny
		Allow from all
		php_admin_value open_basedir "/srv/:/tmp/:/usr/share/webapps/:/etc/webapps:/usr/share/pear/"
	</Directory>

EDIT: /etc/httpd/conf/extra/httpd-vhosts.conf to reflect the following 'Virtual Hosts':

# [root@node(1/2) ~] nano /etc/httpd/conf/extra/httpd-vhosts.conf
NameVirtualHost *:80

<VirtualHost *:80>
    DocumentRoot "/srv/http"
    ServerAdmin root@localhost
    ErrorLog "/var/log/httpd/"
    CustomLog "/var/log/httpd/" common
    <Directory /srv/http/>
        DirectoryIndex index.htm index.html
        AddHandler cgi-script .cgi .pl
        # Options must either all carry +/- or none of them may; mixing is a syntax error
        Options ExecCGI Indexes FollowSymLinks MultiViews Includes
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin root@example.dom
    DocumentRoot "/srv/http/"
    ServerName example.dom
    ServerAlias www.example.dom
    <Directory /srv/http/>
        DirectoryIndex index.htm index.html
        AddHandler cgi-script .cgi .pl
        Options ExecCGI Indexes FollowSymLinks MultiViews Includes
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
</VirtualHost>

CREATE: Self Signed SSL Certificates for apache:

# [root@node(1/2) ~] cd /etc/httpd/conf
# [root@node(1/2) ~] openssl genrsa -des3 -out server.key 1024
# [root@node(1/2) ~] openssl req -new -key server.key -out server.csr
# [root@node(1/2) ~] cp server.key server.key.org
# [root@node(1/2) ~] openssl rsa -in server.key.org -out server.key
# [root@node(1/2) ~] openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Note: Apache should now be set up correctly. We will serve files for 'www.example.dom' out of /srv/http/*.html, AND for "www.example.dom/~username" out of /home/*username/public_html/*.html. We have also told Apache to look in /usr/share/webapps/ for the following directories (packages/webapps): ../webapps/RoundCubeMail/, ../webapps/PostfixAdmin/, ../webapps/PHPMyAdmin/, etc., using the 'Include conf/extra/httpd-*package.conf' files.
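A non-interactive version of the certificate steps above plus the checks worth running before server.key and server.crt are copied to the second node, added here as an example and not code from the ArchWiki page. It assumes the guide's file names under a directory you pass in (/etc/httpd/conf on a real node); the CN and the 2048-bit key size are this example's own choices (the guide uses 1024 bits).

```shell
#!/bin/sh
# Added example (not from the ArchWiki page): generate the self-signed pair
# without prompts and verify it the way a failover node needs it verified.
# Assumptions: files are DIR/server.key and DIR/server.crt as in the guide;
# the CN and the 2048-bit key size are choices made for this example.

# make_selfsigned_cert DIR CN DAYS
# Writes an UNENCRYPTED key. The guide's genrsa -des3 / cp / rsa sequence
# exists only to strip the passphrase again: an encrypted key makes Apache
# prompt for it at boot, which an unattended failover node cannot answer.
make_selfsigned_cert() {
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$1/server.key" -out "$1/server.crt" \
        -days "$3" -subj "/CN=$2" 2>/dev/null
}

# key_is_encrypted KEYFILE -> 0 if the PEM still carries a passphrase
# (legacy "Proc-Type" header or a PKCS#8 ENCRYPTED PRIVATE KEY block)
key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' -e 'BEGIN ENCRYPTED PRIVATE KEY' "$1"
}

# cert_matches_key CRT KEY -> 0 if the certificate's public key is the key's;
# catches a server.crt left over from an earlier run against a regenerated key
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || crt_pub=
    key_pub=$(openssl rsa -in "$2" -pubout 2>/dev/null) || key_pub=
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# cert_valid_for CRT DAYS -> 0 if the cert does not expire within DAYS days;
# a self-signed cert lapses silently after the 365 days used in the guide
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# check_apache_ssl DIR: run all three checks, return the number of failures
check_apache_ssl() {
    fails=0
    key_is_encrypted "$1/server.key" &&
        { echo "server.key is passphrase-protected"; fails=$((fails + 1)); }
    cert_matches_key "$1/server.crt" "$1/server.key" ||
        { echo "server.crt does not match server.key"; fails=$((fails + 1)); }
    cert_valid_for "$1/server.crt" 30 ||
        { echo "server.crt expires within 30 days"; fails=$((fails + 1)); }
    return "$fails"
}

# Demo in a scratch directory (a real run would use /etc/httpd/conf).
if command -v openssl >/dev/null 2>&1; then
    demo=${TMPDIR:-/tmp}/apache-ssl-demo.$$
    mkdir -p "$demo"
    make_selfsigned_cert "$demo" ha1.example.dom 365 &&
        check_apache_ssl "$demo" && echo "key/cert ready to copy to node2"
    rm -rf "$demo"
fi
```

Run check_apache_ssl on both nodes after copying the files, since a cert/key pair that differs between node1 and node2 breaks clients pinned to the first node's certificate after a failover.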

Configure MySQL: