Kloxo paruošimas shared web hosting'ui

Kloxo yra nemokamas pultas kurio pagalba galite patogiai valdyti keletą hosting'o sąskaitų viename serveryje.

1. Įdiegiame Kloxo į serverį

Atnaujiname CentOS serverį:

yum update - y

Įdiegiame wget jei nėra įdiegta:

yum install -y wget

Įdiegiame nano redaktorių (labai patogus dalykas redaguoti tekstiniams failams):

yum install -y nano

Įdiegiame Kloxo:

wget http://download.lxcenter.org/download/kloxo/production/kloxo-installer.sh
sh ./kloxo-installer.sh

2. Diegiame IPtables apsaugą (ugniasienę)

Sustabdykit ir išjunkit automatinę paleistį IPtables:

/etc/init.d/iptables stop
chkconfig iptables off

Sukurkit naują failą pavadinimu "firewall":

nano -w /etc/init.d/firewall

Įrašom į failą:

#!/bin/sh
# firewall
# chkconfig: 3 21 91
# description: Starts, stops iptables firewall

case "$1" in
start)

# Clear rules
iptables -t filter -F
iptables -t filter -X
echo - Clear rules : [OK]

# SSH In
iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
echo - SSH : [OK]

# Don't break established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
echo - established connections : [OK]

# Block all connections by default
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t filter -P OUTPUT DROP
echo - Block all connections : [OK]

# Loopback
iptables -t filter -A INPUT -i lo -j ACCEPT
iptables -t filter -A OUTPUT -o lo -j ACCEPT
echo - Loopback : [OK]

# ICMP (Ping)
iptables -t filter -A INPUT -p icmp -j ACCEPT
iptables -t filter -A OUTPUT -p icmp -j ACCEPT
echo - PING : [OK]

# DNS In/Out
iptables -t filter -A OUTPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
echo - DNS : [OK]

# NTP Out
iptables -t filter -A OUTPUT -p udp --dport 123 -j ACCEPT
echo - NTP : [OK]

# FTP Out
iptables -t filter -A OUTPUT -p tcp --dport 20:21 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 30000:50000 -j ACCEPT
# FTP In
iptables -t filter -A INPUT -p tcp --dport 20:21 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 30000:50000 -j ACCEPT
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
echo - FTP : [OK]

# HTTP + HTTPS Out
iptables -t filter -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 443 -j ACCEPT
# HTTP + HTTPS In
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p tcp --dport 443 -j ACCEPT
echo - HTTP/HTTPS : [OK]

# Mail SMTP:25
iptables -t filter -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 25 -j ACCEPT
echo - SMTP : [OK]

# Mail POP3:110
iptables -t filter -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 110 -j ACCEPT
echo - POP : [OK]

# Mail IMAP:143
iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 143 -j ACCEPT
echo - IMAP : [OK]

# Kloxo
iptables -t filter -A INPUT -p tcp --dport 7777:7778 -j ACCEPT
iptables -t filter -A OUTPUT -p tcp --dport 7777:7778 -j ACCEPT
echo - Kloxo : [OK]

echo - Firewall [OK]
exit 0
;;

stop)
echo "Stopping Firewall: "
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t filter -F
exit 0
;;
*)
echo "Usage: /etc/init.d/firewall {start|stop}"
exit 1
;;
esac
exit $RETVAL 

Suteikiame teises failui (chmod):

chmod 700 /etc/init.d/firewall

Pridedame ugniasienės servisą ir padarome auto-paleistį:

chkconfig --add firewall
chkconfig --level 2345 firewall on
/etc/init.d/firewall start

3. Konfigūruojame Kloxo optimaliam darbui Shared hosting aplinkai

Prisijunkite prie Kloxo pulto naudodami IP:7778 . Prisijungimui naudokite numatytus duomenis: admin/admin. Prisijungę nedelsiant pakeiskite slaptažodį.
Įveskite DNS duomenis bei sukurkite talpinimo planus.

Konfigūruojame mod_ruid2 saugumui užtikrinti. Originali citata iš Kloxo kūrėjų svetainės:

"With this module, all httpd process run under user's access right, not nobody or apache.
mod_ruid2 is similar to mod_suid2, but has better performance than mod_suid2 because it doesn`t need to kill httpd children after one request. It "makes use of kernel capabilites and after receiving a new request suids again."
- it runs only on linux because afaik only linux has implemented posix 1003.1e capabilities
- it has better performance than mod_suid2 because it doesn`t need to kill httpd children after one request. it makes use of kernel capabilites and after receiving a new request suids again."

Sukuriame repositoriją:

/etc/yum.repos.d/atomic.repo

Įrašom į sukurtą failą:

# Name: Atomic Rocket Turtle RPM Repository for CentOS / Red Hat Enterprise Linux 5 -
# URL: http://www.atomicrocketturtle.com/
[atomic]
name = CentOS / Red Hat Enterprise Linux $releasever - atomicrocketturtle.com
mirrorlist = http://www.atomicorp.com/mirrorlist/atomic/centos-5-$basearch
#mirrorlist = http://www.atomicorp.com/channels/atomic/centos/5/mirrors-atomic
enabled = 1
gpgkey = http://www.atomicrocketturtle.com/RPM-GPG-KEY.art.txt
gpgcheck = 1
# ony need mod_ package
includepkgs=mod_*
     
# Almost Stable, release candidates for [atomic]
[atomic-testing]
name = CentOS / Red Hat Enterprise Linux $releasever - atomicrocketturtle.com - (Testing)
mirrorlist = http://www.atomicorp.com/mirrorlist/atomic-testing/centos-5-$basearch
enabled = 0
gpgkey = http://www.atomicrocketturtle.com/RPM-GPG-KEY.art.txt
gpgcheck = 1
 
# Untested, Unstable, known buggy, and incomplete packages.
#[atomic-bleeding]
#name = CentOS / Red Hat Enterprise Linux $releasever - atomicrocketturtle.com - (Bleeding)
#baseurl = http://www.atomicorp.com/channels/atomic-bleeding/centos/5/$basearch/
#enabled = 0
#gpgkey = http://www.atomicrocketturtle.com/RPM-GPG-KEY.art.txt
#gpgcheck = 1

Įdiegiame mod_ruid2:

yum install mod_ruid2

Redaguojame failą web__ apachelib.php :

nano /usr/local/lxlabs/kloxo/httpdocs/lib/domain/web/driver/web__ apachelib.php

Viską kas jame yra ištriname ir įrašome žemiau esančius duomenis:

function getSuexecString($username)
{
    $string = "\n";
    $string .= "<IfModule suexec.c>\n";
    $string .= "SuexecUserGroup {$this->main->username} {$this->main->username}\n";
    $string .= "</IfModule>\n\n";

    $string .= "<IfModule mod_suphp.c>\n";

/* --- too much code and overlap with suphp.conf (http://project.lxcenter.org/issues/563)

    $string .= "AddType application/x-httpd-php .php\n";
    $string .= "RemoveHandler .php\n";
    $string .= "<FilesMatch \"\.php$\" >\n";
    $string .= "SetHandler x-httpd-php\n";
    $string .= "</FilesMatch>\n";
    $string .= "<Location />\n";
    $string .= "suPHP_AddHandler x-httpd-php \n";
    $string .= "</Location>\n";
--- */
    $string .= "SuPhp_UserGroup {$this->main->username} {$this->main->username}\n";
    $string .= "</IfModule>\n\n";

    $string .= "<IfModule !sapi_apache2.c>\n";
    $string .= "<IfModule !mod_php5.c>\n";
    $string .= "<Location />\n";
    $string .= "Options MultiViews Indexes Includes FollowSymLinks ExecCGI\n";
    $string .= "</Location>\n";
    $string .= "</IfModule>\n\n";
    $string .= "</IfModule>\n\n";

// begin - this portion for mod_ruid2

    $string .= "<IfModule mod_ruid2.c>\n";
    $string .= "RMode config\n";
    $string .= "RUidGid {$this->main->username} {$this->main->username}\n";
    $string .= "RMinUidGid {$this->main->username} {$this->main->username}\n";
    $string .= "RGroups {$this->main->username}\n";
    $string .= "</IfModule>\n\n";
// end

    return $string;
}

Prisijungiame prie Kloxo pulto ir keičiam suPHP į mod_php skyriuje "Webserver Config". Pasirinkite Apache kaip web serverio klientą (numatytasis yra Lighttpd).

Jei jūs esate pridėję domenų iki šiol, tuomet jums reik paleisti komandinę eilutę:

sh /script/fixweb

Perkraukite Apache:

service httpd restart

4. Baigta

Šiuos nustatymus naudoja kai kurios komercinės shared web hosting'o paslaugas teikiančios svetainės.

---

Įrankiai padėsiantys lengviau atlikti norimus veiksmus (nepatyrusiems vartotojams):

WinSCP