| |
| ISPConfig安装方法 |
|
| 来源:
ChinaUnix博客 日期:
2007.03.20 01:41 (共有条评论) 我要评论 |
| |
ISPConfig安装方法
标题
详细介绍了Debian Sarege(Debian 3.1)安装ISPConfig需要的所有服务,包括 web服务器(可支持SSL),邮件服务器(SMTP-AUTH和TLS),域名服务器,FTP服务器,MySQL服务器,POP3/IMAP,以及磁盘限额,防火墙等
upsdn首页 > 系统与网络 > 脚本与网站建设
作者:Johnny 更新日期:2005-11-14
来源:upsdn.net 浏览次数: 571
安装基本系统
1.安装基本系统的过程可以设置 主机名 和 域名
2.不要设置硬件时钟为GMT
3.继续安装libc-client不要Maildir支持(我们以后可选择安装 Courier-POP3/Courier-IMAP,所以不必担心)
4.不要配置exmi,因为我们要安装postfix
配置网络
编辑/etc/network/interfaces,为服务器设置静态IP 还可以设置IP别名(也就是一个网卡绑定2个IP)
# /etc/network/interfaces -- configuration file for ifup(8), ifdown(8)# The loopback interfaceauto loiface lo inet loopback# The first network card - this entry was created during the Debian installation# (network, broadcast and gateway are optional)auto eth0iface eth0 inet static address 192.168.0.100 netmask 255.255.255.0 network 192.168.0.0 broadcast 192.168.0.255 gateway 192.168.0.1auto eth0:0iface eth0:0 inet static address 192.168.0.101 netmask 255.255.255.0 network 192.168.0.0 broadcast 192.168.0.255 gateway 192.168.0.1
重启网卡
/etc/init.d/networking restart增加域名服务器
search servernameserver 145.253.2.75nameserver 193.174.32.18nameserver 194.25.0.60
将新增加的IP填入到/etc/hosts
127.0.0.1 localhost.localdomain localhost server1192.168.0.100 server1.example.com server1192.168.0.101 virtual-ip1.example.com virtual-ip1# The following lines are desirable for IPv6 capable hosts::1 ip6-localhost ip6-loopbackfe00::0 ip6-localnetff00::0 ip6-mcastprefixff02::1 ip6-allnodesff02::2 ip6-allroutersff02::3 ip6-allhosts设置主机名
echo server1.example.com > /etc/hostname/bin/hostname -F /etc/hostname安装/删除一些软件
先安装一些我们需要的
apt-get install wget bzip2 rdate fetchmail libdb3++-dev unzip zip ncftp xlispstat libarchive-zip-perl zlib1g-dev libpopt-dev nmap openssl lynx fileutils(注意:上面的命令写在一行里)
再移除一些用不着的
apt-get remove lpr nfs-common portmap pidentd pcmcia-cs pppoe pppoeconf ppp pppconfigupdate-rc.d -f exim removeupdate-inetd --remove daytimeupdate-inetd --remove telnetupdate-inetd --remove timeupdate-inetd --remove fingerupdate-inetd --remove talkupdate-inetd --remove ntalkupdate-inetd --remove ftpupdate-inetd --remove discard移除软件时需要配置,回答YES
重新加载inetd服务
/etc/init.d/inetd reload磁盘限额
安装磁盘限额工具
apt-get install quota quotatool
配置时,回答NO
像下面这样编辑/etc/fstab ,我增加了userquota,grpquot给root分区
# /etc/fstab: static file system information. # # proc /proc proc defaults 0 0 /dev/sda1 / ext3 defaults,errors=remount-ro,usrquota,grpquota 0 1 /dev/sda5 none swap sw 0 0 /dev/hdc /media/cdrom0 iso9660 ro,user,noauto 0 0 /dev/fd0 /media/floppy0 auto rw,user,noauto 0 0
然后运行
touch /quota.user /quota.group chmod 600 /quota.* mount -o remount / quotacheck -avugm quotaon -avug
DNS服务器
安装Bind9
apt-get install bind9为安全方面的考虑, 以chroot方式运行BIND: 首先停止服务
/etc/init.d/bind9 stop编辑/etc/default/bind9,让bind以非特权用户‘bind’来运行,chroot到/var/lib/named.
也就是将
OPTS="-u bind" 这一行改成
OPTIONS="-u bind -t /var/lib/named"在 /var/lib建立必要的目录
mkdir -p /var/lib/named/etcmkdir /var/lib/named/devmkdir -p /var/lib/named/var/cache/bindmkdir -p /var/lib/named/var/run/bind/run将配置文件从/etc移动到 /var/lib/named/etc:
mv /etc/bind /var/lib/named/etc为了避免当未来bind升级时的一些问题,我们在旧的位置,建立一个到新位置的符号连接
ln -s /var/lib/named/etc/bind /etc/bind
产生null和random设备,修正目录权限
mknod /var/lib/named/dev/null c 1 3mknod /var/lib/named/dev/random c 1 8chmod 666 /var/lib/named/dev/null /var/lib/named/dev/randomchown -R bind:bind /var/lib/named/var/*chown -R bind:bind /var/lib/named/etc/bind
我们需要修改sysklogd的启动脚本/etc/init.d/sysklogd ,以便我们还能够得到重要的登录信息到系统日志。修改这行
SYSLOGD=""成
SYSLOGD="-a /var/lib/named/dev/log"也就是改成
#! /bin/sh# /etc/init.d/sysklogd: start the system log daemon.PATH=/bin:/usr/bin:/sbin:/usr/sbinpidfile=/var/run/syslogd.pidbinpath=/sbin/syslogdtest -x $binpath || exit 0# Options for start/restart the daemons# For remote UDP logging use SYSLOGD="-r"#SYSLOGD="-a /var/lib/named/dev/log"create_xconsole(){ if [ ! -e /dev/xconsole ]; then mknod -m 640 /dev/xconsole p else chmod 0640 /dev/xconsole fi chown root:adm /dev/xconsole}running(){ # No pidfile, probably no daemon present # if [ ! -f $pidfile ] then return 1 fi pid=`cat $pidfile` # No pid, probably no daemon present # if [ -z "$pid" ] then return 1 fi if [ ! -d /proc/$pid ] then return 1 fi cmd=`cat /proc/$pid/cmdline | tr "\000" "\n"|head -n 1` # No syslogd? # if [ "$cmd" != "$binpath" ] then return 1 fi return 0}case "$1" in start) echo -n "Starting system log daemon: syslogd" create_xconsole start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD echo "." ;; stop) echo -n "Stopping system log daemon: syslogd" start-stop-daemon --stop --quiet --exec $binpath --pidfile $pidfile echo "." ;; reload|force-reload) echo -n "Reloading system log daemon: syslogd" start-stop-daemon --stop --quiet --signal 1 --exec $binpath --pidfile $pidfile echo "." ;; restart) echo -n "Restarting system log daemon: syslogd" start-stop-daemon --stop --quiet --exec $binpath --pidfile $pidfile sleep 1 start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD echo "." ;; reload-or-restart) if running then echo -n "Reloading system log daemon: syslogd" start-stop-daemon --stop --quiet --signal 1 --exec $binpath --pidfile $pidfile else echo -n "Restarting system log daemon: syslogd" start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD fi echo "." ;; *) echo "Usage: /etc/init.d/sysklogd {start|stop|reload|restart|force-reload|reload-or-restart}" exit 1esacexit 0重启日志服务
/etc/init.d/sysklogd restart启动bind,如果有什么错误,可以查看 /var/log/syslog
/etc/init.d/bind9 startMySQL
安装
apt-get install mysql-server mysql-client libmysqlclient12-dev修改管理员密码
mysqladmin -u root password yourrootsqlpassword当你运行netstat -tap,你应该看到类似于下面的一行
tcp 0 0 localhost.localdo:mysql *:* LISTEN 2449/mysqld
这样的话,意味着MySQL可以通过3306端口访问了,你可以到下一节Postfix了。如果你没有看到上面的那一行,编辑 /etc/mysql/my.cnf,注视掉 skip-networking
# skip-networking
如果你编辑了/etc/mysql/my.cnf,请重启MySQL
/etc/init.d/mysql restartPostfix/POP3/IMAP
为了安装Postfix带SMTP-AUTH和TLS,POP3服务器支持POP3s(端口995)和IMAP服务器支持IMAPs(端口993):
apt-get install postfix postfix-tls libsasl2 sasl2-bin libsasl2-modules ipopd-ssl uw-imapd-ssl (在一行命令里输入)
配置回答
> /etc/postfix/sasl/smtpd.confecho 'mech_list: plain login' >> /etc/postfix/sasl/smtpd.confmkdir /etc/postfix/sslcd /etc/postfix/ssl/openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024chmod 600 smtpd.keyopenssl req -new -key smtpd.key -out smtpd.csropenssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crtopenssl rsa -in smtpd.key -out smtpd.key.unencryptedmv -f smtpd.key.unencrypted smtpd.keyopenssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650postconf -e 'smtpd_tls_auth_only = no'postconf -e 'smtp_use_tls = yes'postconf -e 'smtpd_use_tls = yes'postconf -e 'smtp_tls_note_starttls_offer = yes'postconf -e 'smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key'postconf -e 'smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt'postconf -e 'smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem'postconf -e 'smtpd_tls_loglevel = 1'postconf -e 'smtpd_tls_received_header = yes'postconf -e 'smtpd_tls_session_cache_timeout = 3600s'postconf -e 'tls_random_source = dev:/dev/urandom'文件 /etc/postfix/main.cf 应该像这样:
# See /usr/share/postfix/main.cf.dist for a commented, more complete version smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU)biff = no # appending .domain is the MUA's job.append_dot_mydomain = no # Uncomment the next line to generate "delayed mail" warnings#delay_warning_time = 4h myhostname = server1.example.comalias_maps = hash:/etc/aliasesalias_database = hash:/etc/aliasesmyorigin = /etc/mailnamemydestination = server1.example.com, localhost.example.com, localhostrelayhost =mynetworks = 127.0.0.0/8mailbox_command = procmail -a "$EXTENSION"mailbox_size_limit = 0recipient_delimiter = +inet_interfaces = allsmtpd_sasl_local_domain = $myhostnamesmtpd_sasl_auth_enable = yessmtpd_sasl_security_options = noanonymousbroken_sasl_auth_clients = yessmtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destinationsmtpd_tls_auth_only = nosmtp_use_tls = yessmtpd_use_tls = yessmtp_tls_note_starttls_offer = yessmtpd_tls_key_file = /etc/postfix/ssl/smtpd.keysmtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crtsmtpd_tls_CAfile = /etc/postfix/ssl/cacert.pemsmtpd_tls_loglevel = 1smtpd_tls_received_header = yessmtpd_tls_session_cache_timeout = 3600stls_random_source = dev:/dev/urandom重启postfix
/etc/init.d/postfix restart
授权将由saslauthd处理. 我们必须改变一些东西来让它正确地工作.因为 Postfix chroot到 /var/spool/postfix 目录 运行,我们必须这样作:
mkdir -p /var/spool/postfix/var/run/saslauthd rm -fr /var/run/saslauthd
为了激活 saslauthd,现在我们必须编辑 /etc/default/saslauthd . 移除在 START=yes的#, 并 增加一行 PARAMS="-m /var/spool/postfix/var/run/saslauthd":
# This needs to be uncommented before saslauthd will be run automaticallySTART=yesPARAMS="-m /var/spool/postfix/var/run/saslauthd"# You must specify the authentication mechanisms you wish to use.# This defaults to "pam" for PAM support, but may also include# "shadow" or "sasldb", like this:# MECHANISMS="pam shadow"MECHANISMS="pam"
最后必须编辑 /etc/init.d/saslauthd,将这一行
dir=`dpkg-statoverride --list $PWDIR`
改成
#dir=`dpkg-statoverride --list $PWDIR`
在文件的开头,改变变量 PWDIR 和 PIDFILE,增加变量dir
PWDIR="/var/spool/postfix/var/run/${NAME}" PIDFILE="${PWDIR}/saslauthd.pid" dir="root sasl 755 ${PWDIR}"
/etc/init.d/saslauthd现在应该是这样子了:
#!/bin/sh -e NAME=saslauthdDAEMON="/usr/sbin/${NAME}"DESC="SASL Authentication Daemon"DEFAULTS=/etc/default/saslauthdPWDIR="/var/spool/postfix/var/run/${NAME}"PIDFILE="${PWDIR}/saslauthd.pid"dir="root sasl 755 ${PWDIR}" createdir() {# $1 = user# $2 = group# $3 = permissions (octal)# $4 = path to directory [ -d "$4" ] || mkdir -p "$4" chown -c -h "$1:$2" "$4" chmod -c "$3" "$4"}test -f "${DAEMON}" || exit 0# Source defaults file; edit that file to configure this script.if [ -e "${DEFAULTS}" ]; then . "${DEFAULTS}"fi# If we're not to start the daemon, simply exitif [ "${START}" != "yes" ]; then exit 0fi# If we have no mechanisms definedif [ "x${MECHANISMS}" = "x" ]; then echo "You need to configure ${DEFAULTS} with mechanisms to be used" exit 0fi# Add our mechanimsms with the necessary flagPARAMS="${PARAMS} -a ${MECHANISMS}"START="--start --quiet --pidfile ${PIDFILE} --startas ${DAEMON} --name ${NAME} -- ${PARAMS}"# Consider our optionscase "${1}" in start) echo -n "Starting ${DESC}: " #dir=`dpkg-statoverride --list $PWDIR` test -z "$dir" || createdir $dir if start-stop-daemon ${START} >/dev/null 2>&1 ; then echo "${NAME}." else if start-stop-daemon --test ${START} >/dev/null 2>&1; then echo "(failed)." exit 1 else echo "${DAEMON} already running." exit 0 fi fi ;; stop) echo -n "Stopping ${DESC}: " if start-stop-daemon --stop --quiet --pidfile "${PIDFILE}" \ --startas ${DAEMON} --retry 10 --name ${NAME} \ >/dev/null 2>&1 ; then echo "${NAME}." else if start-stop-daemon --test ${START} >/dev/null 2>&1; then echo "(not running)." exit 0 else echo "(failed)." exit 1 fi fi ;; restart|force-reload) $0 stop exec $0 start ;; *) echo "Usage: /etc/init.d/${NAME} {start|stop|restart|force-reload}" >&2 exit 1 ;;esacexit 0重新启动saslauthd
/etc/init.d/saslauthd start
现在可以检查 SMTP-AUTH 和 TLS 是否工作正常:
telnet localhost 25
你已经建立一个到postfix邮件服务器的连接
ehlo localhos
如果你看到
250-STARTTLS
和
250-AUTH
那么就OK了
键入
quit
返回到系统shell
Courier-IMAP/Courier-POP3
如果你想用POP3/IMAP服务,带Maildir支持的(如果你不想用,那么就用传统的Unix mailbox格式),你就可以安装Courier-IMAP/Courier-IMAP-SSL(IMAPs运行在993端口)和Courier- POP3/Courier-POP3-SSL(POP3s 运行在 995端口)。要不,你可以用Apache的配置来处理
apt-get install courier-imap courier-imap-ssl courier-pop courier-pop-ssl
配置时,回答 NO
ipopd 和 UW-IMAP 将被替换
然后,配置Postfix 传递Email给用户的 Maildir*:
postconf -e 'home_mailbox = Maildir/' postconf -e 'mailbox_command =' /etc/init.d/postfix restart
注意 如果你想用ISPConfig用procmail作必要配置,你不必作上面的。但是请你激活Maildir,在ISP的的web管理界面Management -> Settings -> EMail
Apache
安装
apt-get install apache2 apache2-docapt-get install libapache2-mod-php4 libapache2-mod-perl2 php4 php4-cli php4-common php4-curl php4-dev php4-domxml php4-gd php4-imap php4-ldap php4-mcal php4-mhash php4-mysql php4-odbc php4-pear php4-xslt curl libwww-perl imagemagick (写在一行命令里,因为这些是有依赖关系的)编辑/etc/apache2/apache2.conf,将
DirectoryIndex index.html index.cgi index.pl index.php index.xhtml改成
DirectoryIndex index.html index.htm index.shtml index.cgi index.php index.php3 index.pl index.xhtml编辑/etc/mime.types 注释掉下面这些行:
#application/x-httpd-php phtml pht php#application/x-httpd-php-source phps#application/x-httpd-php3 php3#application/x-httpd-php3-preprocessed php3p#application/x-httpd-php4 php4
编辑/etc/apache2/mods-enabled/php4.conf,注释掉下面这些行:
# AddType application/x-httpd-php .php .phtml .php3# AddType application/x-httpd-php-source .phps
编辑 /etc/apache2/ports.conf ,增加 Listen 443:
Listen 80Listen 443
现在,我们必须激活一些模块(SSL,rewrite,suexec):
cd /etc/apache2/mods-enabledln -s /etc/apache2/mods-available/ssl.conf ssl.confln -s /etc/apache2/mods-available/ssl.load ssl.loadln -s /etc/apache2/mods-available/rewrite.load rewrite.loadln -s /etc/apache2/mods-available/suexec.load suexec.loadln -s /etc/apache2/mods-available/include.load include.load重启Apache:
/etc/init.d/apache2 restart
Proftpd
安装
apt-get install proftpd配置时,选择 standalone
为安全的原因,你必须增加下面的行到 /etc/proftpd.conf:
DefaultRoot ~IdentLookups offServerIdent on "FTP Server ready."就是屏蔽掉版本信息和限制用户在自己的目录
重启proftpd
/etc/init.d/proftpd restartWebalizer
安装
apt-get install webalizer配置时回答
本文来自ChinaUnix博客,如果查看原文请点:http://blog.chinaunix.net/u/24312/showart_261593.html
|
| 发表评论
查看评论(共有条评论)
我要提问
|
| |
|
|
|
