Configuring Apache

March 23, 2011 under The 100% Uptime Challenge

In my scenario, the Apache server doesn’t need to be aware that it is only one server of many. Therefore I’ve customised my configuration file and copied the exact same file to all 3 servers. How much you customise is down to taste and requirements, but at a minimum I would suggest disabling any modules that you don’t need, configuring a ServerAdmin address and setting up logging to suit your needs.

I’ve posted my somewhat stripped down httpd.conf should you wish to use it as a starting point (it’s for Apache 2.2 on CentOS 5).

In addition to the customisations to httpd.conf, take a look in /etc/httpd/conf.d/ to see what other files are being loaded. I removed the welcome.conf file, but didn’t make any further changes. Most Apache modules will install a config file here, for example mod_ssl will create an ssl.conf file here.

Finally, enable the apache service:

chkconfig httpd on
service httpd start
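Since the post recommends disabling every module you don't need, here is a small audit script (an added example, not part of the original post or of the author's httpd.conf) that lists the modules an Apache 2.2 configuration actually loads, including anything pulled in from conf.d, and flags any that are not on an explicit allowlist. File names, the sample configs and the allowlist are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post or the author's httpd.conf: audit
# which modules an Apache 2.2 configuration loads and flag any that are not on
# an allowlist, so "disable the modules you don't need" can be re-verified
# after every config change. Paths and sample configs are constructed here.

# Print the module names from the active LoadModule lines in FILE.
# Commented-out lines (#LoadModule ...) are skipped.
modules_in() { # FILE
    sed -n 's/^[[:space:]]*LoadModule[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1"
}

# Print the modules loaded by FILE and, if DIR is given, by every *.conf in it
# (CentOS includes /etc/httpd/conf.d/*.conf, which is where mod_ssl adds itself).
loaded_modules() { # FILE [DIR]
    modules_in "$1"
    if [ -n "$2" ] && [ -d "$2" ]; then
        for f in "$2"/*.conf; do
            [ -f "$f" ] && modules_in "$f"
        done
    fi
}

# Print loaded modules that do not appear (one name per line) in ALLOWLIST.
# Empty output means the running configuration matches the allowlist.
unexpected_modules() { # FILE DIR ALLOWLIST
    loaded_modules "$1" "$2" | sort -u | grep -v -x -F -f "$3" || true
}

# Build a demo httpd.conf, conf.d and allowlist under DIR (constructed data).
write_samples() { # DIR
    mkdir -p "$1/conf.d"
    cat > "$1/httpd.conf" <<'EOF'
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule dir_module modules/mod_dir.so
#LoadModule dav_module modules/mod_dav.so
LoadModule proxy_module modules/mod_proxy.so
EOF
    printf 'LoadModule ssl_module modules/mod_ssl.so\n' > "$1/conf.d/ssl.conf"
    printf 'authz_host_module\ndir_module\nssl_module\n' > "$1/allowlist"
}

demo() {
    t=$(mktemp -d)
    write_samples "$t"
    echo "loaded:"; loaded_modules "$t/httpd.conf" "$t/conf.d"
    echo "not on the allowlist:"
    unexpected_modules "$t/httpd.conf" "$t/conf.d" "$t/allowlist"   # prints proxy_module
    rm -rf "$t"
}
demo
```

Run it against the real files with `unexpected_modules /etc/httpd/conf/httpd.conf /etc/httpd/conf.d my-allowlist`; keeping the allowlist in version control next to httpd.conf turns the module review into a one-line check.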

Setting Up the Servers

March 22, 2011 under The 100% Uptime Challenge

Now on to the fun part: setting up the servers!

I’ve set up 3 new Xen virtual machines, one each in Ireland, the Netherlands and USA. I’ve given them the IPs and hostnames:

80.93.25.175 	ie.cwik.ch	Dublin, Ireland
83.96.156.169	nl.cwik.ch	Amsterdam, The Netherlands
67.202.99.74	us.cwik.ch	Chicago, USA

I started with a CentOS 5 install with just the bare minimum installed: cron, ssh, logrotate and syslog.

Step 1: When setting up a new CentOS server, the first thing I always do is run ‘yum -y update’ to install all the latest updates. As usual there was a newer version of kernel-xen available, so I rebooted to make it active.

Step 2: Create a new SSH key pair and install the public key part on the servers. This way I can disable password authentication, making network logins more secure (just change PasswordAuthentication to no in /etc/ssh/sshd_config). To create your own key pair on Linux or Mac OS X, open a Terminal window and run:

cwik:~ cwik$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/cwik/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/cwik/.ssh/id_rsa.
Your public key has been saved in /Users/cwik/.ssh/id_rsa.pub.
The key fingerprint is:
be:8b:40:8c:1b:0e:97:11:bb:13:2d:8d:7e:fa:8c:6a cwik@cwik.local
The key’s randomart image is:

+--[ RSA 2048]----+
|  .              |
|   *             |
|  * o            |
| . O             |
|. O +   S        |
| + B   .         |
|  + .   .        |
| E + . . .       |
|o.. o . o.       |
+-----------------+

cwik:~ cwik$ cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzT4QusU0oYWr+hgL8DY06Q7sief07/J145dnEcdMvC++/5A8Sl79Y+UxX3+SxIOj9in3QyxLAvGyXAbxdv/6/IsLZOuHOsyemw9XeqW18I6Ein+yEwZJICE3volOFMCZPVW2sE5SEc+DtesxHWq2c1WUcdWTzpcfKMfVo/bJLhDmeCKbXdko0hghB2GNJGKPpYJSnkSNQotrZfBMuXol8S2GYukSa+DaBfnV2jKbfgiad8r8V216OFSFoNJ8NkmKXVHg34WqyOsqFFF5VOxv3P+UhQGWr8RoS78CffmjF6LAMet3YB9V2DXO3+08EqSccmzdvyeAbo8cbY0cOoao2Q== cwik@cwik.local

Now install this on the server (that’s not my real pub key BTW, just one I created for this blog post ;-)

[cwik@us ~]$ mkdir .ssh
[cwik@us ~]$ touch .ssh/authorized_keys
[cwik@us ~]$ chmod 700 .ssh
[cwik@us ~]$ chmod 600 .ssh/authorized_keys
[cwik@us ~]$ echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzT4QusU0oYWr+hgL8DY06Q7sief07/J145dnEcdMvC++/5A8Sl79Y+UxX3+SxIOj9in3QyxLAvGyXAbxdv/6/IsLZOuHOsyemw9XeqW18I6Ein+yEwZJICE3volOFMCZPVW2sE5SEc+DtesxHWq2c1WUcdWTzpcfKMfVo/bJLhDmeCKbXdko0hghB2GNJGKPpYJSnkSNQotrZfBMuXol8S2GYukSa+DaBfnV2jKbfgiad8r8V216OFSFoNJ8NkmKXVHg34WqyOsqFFF5VOxv3P+UhQGWr8RoS78CffmjF6LAMet3YB9V2DXO3+08EqSccmzdvyeAbo8cbY0cOoao2Q==" >> .ssh/authorized_keys

Note the permissions on .ssh and authorized_keys must only allow the owner read privileges. If you omit this step, login will fail and sshd will log a warning to the secure log.

Alright, I can now log in to my servers using key based authentication! Next, repeat this process on each of the 3 servers themselves, so that I can use ssh (and thus scp and rsync over ssh) without entering a password. This is important for a replication configuration, as I’ll be setting up automated cron jobs to do things like keep my webroot in sync. When finished, each of my servers has an authorized_keys file listing my own public key and the public key of each of the other servers (one per line).
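Before switching PasswordAuthentication off it is worth confirming the key setup is actually in the state Step 2 describes, because a wrong mode or a key that got wrapped over two lines when it was pasted both fail silently at login time. The script below is an added example, not part of the original post: it checks the permissions sshd insists on, checks that every authorized_keys line is a single well-formed ssh-rsa key, and checks that sshd_config really says PasswordAuthentication no. The demo runs on temporary files and a constructed, non-functional key blob rather than on a real server.

```shell
#!/bin/sh
# Added example, not from the original post: verify a key-based SSH setup
# before password logins are disabled. Works on constructed demo files.

# Print the octal permission bits of PATH (GNU stat, with a BSD fallback).
mode_of() { # PATH
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Exit 0 when HOME_DIR/.ssh is mode 700 and its authorized_keys is mode 600,
# which is what sshd requires before it will use the file at all.
check_key_perms() { # HOME_DIR
    dir="$1/.ssh"; keys="$dir/authorized_keys"
    [ -d "$dir" ] || { echo "missing $dir"; return 1; }
    [ "$(mode_of "$dir")" = 700 ] || { echo "$dir should be mode 700"; return 1; }
    [ -f "$keys" ] || { echo "missing $keys"; return 1; }
    [ "$(mode_of "$keys")" = 600 ] || { echo "$keys should be mode 600"; return 1; }
    return 0
}

# Exit 0 when every non-empty line of FILE is "ssh-rsa <base64> [comment]".
# The blob must start with AAAAB3NzaC1yc2E (the base64 of the "ssh-rsa" type
# tag every RSA public key begins with), use only base64 characters and have
# a length that is a multiple of 4. A key pasted with a line break in the
# middle fails on its second line, which is exactly the mistake to catch.
check_key_format() { # FILE
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        n=$((n + 1))
        type=${line%% *}; rest=${line#* }; blob=${rest%% *}
        [ "$type" = ssh-rsa ] || { echo "line $n: expected ssh-rsa, got '$type'"; return 1; }
        case "$blob" in
            AAAAB3NzaC1yc2E*) ;;
            *) echo "line $n: key data does not start with an ssh-rsa tag"; return 1 ;;
        esac
        case "$blob" in
            *[!A-Za-z0-9+/=]*) echo "line $n: non-base64 characters"; return 1 ;;
        esac
        [ $(( ${#blob} % 4 )) -eq 0 ] || { echo "line $n: truncated key data"; return 1; }
    done < "$1"
    return 0
}

# Exit 0 when the first PasswordAuthentication directive in FILE says "no"
# (sshd honours the first occurrence of a directive).
check_password_auth_off() { # SSHD_CONFIG
    val=$(sed -n 's/^[[:space:]]*[Pp]asswordAuthentication[[:space:]]\{1,\}\([A-Za-z]*\).*/\1/p' "$1" | head -n 1)
    [ "$val" = no ] || [ "$val" = No ] || [ "$val" = NO ] ||
        { echo "PasswordAuthentication is '${val:-unset}', not no"; return 1; }
}

# Build a demo home directory and sshd_config under DIR (constructed data;
# the key blob is a placeholder, not a usable key).
write_samples() { # DIR
    mkdir -p "$1/home/.ssh" && chmod 700 "$1/home/.ssh"
    echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0 cwik@example" > "$1/home/.ssh/authorized_keys"
    chmod 600 "$1/home/.ssh/authorized_keys"
    # The same key with a line break inside the blob, as produced by an echo
    # whose quoted string spans two lines.
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB\nAAAAgQC0 cwik@example\n' > "$1/wrapped_keys"
    printf 'Port 1984\nPasswordAuthentication no\n' > "$1/sshd_config"
}

demo() {
    t=$(mktemp -d); write_samples "$t"
    check_key_perms "$t/home" && echo "permissions: ok"
    check_key_format "$t/home/.ssh/authorized_keys" && echo "authorized_keys: ok"
    check_key_format "$t/wrapped_keys" || echo "wrapped key rejected, as expected"
    check_password_auth_off "$t/sshd_config" && echo "sshd_config: ok"
    rm -rf "$t"
}
demo
```

On a real box run `check_key_perms /home/cwik`, `check_key_format /home/cwik/.ssh/authorized_keys` and `check_password_auth_off /etc/ssh/sshd_config` from a second session while the first one is still logged in, so a failed check never locks you out.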

Step 3: I want relatively new versions of PHP and MySQL. The versions CentOS 5 ships with are starting to get a little dated, so I’ve elected to install a couple 3rd party yum repositories which contain newer builds. In particular PHP 5.3 (vs. the stock 5.1) and MySQL 5.1 (vs the stock 5.0). Grab the latest installer RPMs for remi and EPEL and install them using rpm -i <filename>.

Step 4: Install all the software I need:

yum --enablerepo remi --enablerepo epel -y install httpd php php-mysql mysql mysql-server rsync iptables named sudo

Step 5: Configure sudo so I can run commands as root as and when needed without having to re-type my password each time. Run ‘visudo’ and add a new line around line 76 where you see the default root definition:

cwik    ALL=(ALL)       NOPASSWD: ALL

Step 6: Install an FTP server on the nominated master. I have chosen ie.cwik.ch (at random) as my master file store. I’ll upload any new files and make changes on this server only. Those changes will then be propagated to us.cwik.ch and nl.cwik.ch by means of an automated rsync command that will be run on a regular basis via cron. vsftpd is the standard FTP server for CentOS and works great. It supports SSL, but this is not enabled by default, so I’ll set it up:

[cwik@ie ~]$ yum -y install vsftpd
[cwik@ie ~]$ chkconfig vsftpd on
[cwik@ie ~]$ openssl req -x509 -nodes -days 999 -newkey rsa:1024  -keyout /etc/vsftpd/vsftpd.pem  \
    -out /etc/vsftpd/vsftpd.pem
(answer some questions here to generate your self-signed cert)
[cwik@ie ~]$ vi /etc/vsftpd/vsftpd.conf
(add these lines to the bottom):
# Enable SSL Support
ssl_enable=YES
allow_anon_ssl=NO
force_local_data_ssl=NO
force_local_logins_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem

# ip_conntrack_ftp doesn't work with encrypted connections. Specify range for passive FTP here.
pasv_min_port=5600
pasv_max_port=5700
[cwik@ie ~]$ service vsftpd start

OK, FTP service is running!

Step 7: Set up the firewall. Open up /etc/sysconfig/iptables and set up some good firewall rules. Here’s my ruleset that I’m using for this blog. Note that the only open ports are 80 for HTTP, and 53 for DNS. Ports for SSH (I’m running this on the non-standard port 1984) and for FTP and MySQL are restricted to the IPs of my servers only. I’ve also got an exception allowing me to log in via SSH from my laptop. Turn on the firewall with:

chkconfig iptables on
service iptables start
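The vsftpd comment above is the important operational detail: once the control channel is encrypted, ip_conntrack_ftp cannot see the PASV replies, so the passive range in vsftpd.conf and the range the firewall accepts have to be kept in step by hand, and that range should only be reachable from the replica servers, not from everyone. The script below is an added example, not part of the original post or the author's ruleset: it reads the SSL and passive settings out of a vsftpd.conf and checks them against an iptables-save style file such as /etc/sysconfig/iptables. The sample configs are constructed for the demo; the IPs in the "good" ruleset are the two replica addresses from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Audits a vsftpd.conf against an
# iptables-save style ruleset:
#   1. SSL is enabled and the legacy SSLv2/SSLv3 protocols are off.
#   2. The passive range in vsftpd.conf is exactly the range the firewall
#      accepts, and every accepting rule carries a source restriction (-s).
# Sample configs below are constructed for the demo.

# Print the last value assigned to KEY in a vsftpd.conf style file.
vsftpd_setting() { # FILE KEY
    sed -n "s/^[[:space:]]*$2=\([^[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Exit 0 when the SSL settings match the hardened configuration, 1 otherwise.
check_vsftpd_ssl() { # FILE
    [ "$(vsftpd_setting "$1" ssl_enable)" = YES ] || { echo "ssl_enable is not YES"; return 1; }
    [ "$(vsftpd_setting "$1" ssl_sslv2)" = NO ] || { echo "ssl_sslv2 should be NO"; return 1; }
    [ "$(vsftpd_setting "$1" ssl_sslv3)" = NO ] || { echo "ssl_sslv3 should be NO"; return 1; }
    return 0
}

# Exit 0 when the ruleset accepts tcp MIN:MAX from vsftpd.conf and every such
# ACCEPT rule is limited to an explicit source address, 1 otherwise.
check_pasv_firewall() { # VSFTPD_CONF IPTABLES_FILE
    min=$(vsftpd_setting "$1" pasv_min_port)
    max=$(vsftpd_setting "$1" pasv_max_port)
    [ -n "$min" ] && [ -n "$max" ] || { echo "no passive range in $1"; return 1; }
    rules=$(grep -E -- "--dport ${min}:${max}( |$)" "$2" | grep -- '-j ACCEPT' || true)
    [ -n "$rules" ] || { echo "firewall does not accept ports $min:$max"; return 1; }
    if echo "$rules" | grep -v -q -- '-s '; then
        echo "passive range $min:$max is accepted from any source"; return 1
    fi
    return 0
}

# Write a demo vsftpd.conf plus a good and a bad ruleset under DIR.
write_samples() { # DIR
    cat > "$1/vsftpd.conf" <<'EOF'
ssl_enable=YES
allow_anon_ssl=NO
ssl_tlsv1=YES
ssl_sslv2=NO
ssl_sslv3=NO
rsa_cert_file=/etc/vsftpd/vsftpd.pem
# ip_conntrack_ftp doesn't work with encrypted connections. Specify range for passive FTP here.
pasv_min_port=5600
pasv_max_port=5700
EOF
    # Good: passive range accepted only from the two replica servers.
    cat > "$1/iptables.good" <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -s 83.96.156.169 -p tcp -m tcp --dport 5600:5700 -j ACCEPT
-A INPUT -s 67.202.99.74 -p tcp -m tcp --dport 5600:5700 -j ACCEPT
COMMIT
EOF
    # Bad: same range, but open to the whole Internet.
    cat > "$1/iptables.bad" <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 5600:5700 -j ACCEPT
COMMIT
EOF
}

demo() {
    t=$(mktemp -d); write_samples "$t"
    check_vsftpd_ssl "$t/vsftpd.conf" && echo "ssl settings: ok"
    check_pasv_firewall "$t/vsftpd.conf" "$t/iptables.good" && echo "good ruleset: ok"
    check_pasv_firewall "$t/vsftpd.conf" "$t/iptables.bad" || echo "bad ruleset rejected, as expected"
    rm -rf "$t"
}
demo
```

On the master, `check_pasv_firewall /etc/vsftpd/vsftpd.conf /etc/sysconfig/iptables` run from cron or after every edit catches the two failure modes that otherwise only show up as stalled transfers or as an unintended exposure.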

That’s about it for the initial server set up. The next tasks are:

  • Configuring file replication
  • Configuring MySQL and setting up circular replication
  • Editing Apache config to suit
  • Creating a BIND configuration file and DNS zone

Then I’ll finally be ready to copy over my WordPress blog and go live!
