Note: This write-up describes how I wanted to run my home server and how I did it. The description therefore focuses heavily on settings that are very specific to my requirements. However, you may find bits and pieces that are useful to you.
How I Want to Run My Home Server
The Home Server Shall Serve the Following
- Have three virtual hosts, each serving a different audience. One of the three is a purely HTTPS host for remote server administration.
- Redirect to an SSL connection with a Basic user/group authentication system when anyone accesses the File Repository and Image Gallery links on my home page.
- Home server administration, such as phpMyAdmin and blog configuration, will be allowed only from within the local network.
How Did I Go About Setting Up the Home Server to Achieve My Goal?
1. Installing the LAMP Stack
I installed Ubuntu Server Edition. Ubuntu Server Edition provides an option to install the LAMP stack during the installation phase. Choose this option, as it saves you the trouble of configuring it later.
2. Setting Up the Root Password for the MySQL Database
The default installation of the LAMP stack will not set the root password for the MySQL database. It is essential that you set the root password, or you will not be able to create any databases, whether directly or from phpMyAdmin.
3. Installing phpMyAdmin
Ubuntu has a nice way of installing new packages. All I did was:
sudo apt-get update
sudo apt-get install phpmyadmin
Voila!! phpMyAdmin was downloaded from the Ubuntu site and installed automatically. Automatic installation has one limitation though: phpMyAdmin is linked into Apache's DocumentRoot.
That is, if the DocumentRoot is /var/www, then a symbolic link to phpMyAdmin is created in /var/www.
So anyone can reach phpMyAdmin just by typing www.yourdomain.com/phpmyadmin, and the phpMyAdmin user interface shows up. Hence you need to be careful. Read further down to see how I handle phpMyAdmin.
4. Creating Directory Structures
This is not necessary if you are a casual user or an enthusiast. But if you are running your own server, either at home or in a data center, then I would strongly recommend putting some thought into the directory structures, users and groups. There are no set rules that the directories need to be in a particular order.
This is the way I am doing it:
Each virtual host will have its own document root pointing to a separate location, as shown below.
The default directory is
/var/www
    /default
The default root catches all requests that no single VHost can serve. This can happen if someone connects directly to your IP address on port 80: since there will be no Host header, Apache serves from this default root. Another case is that someone has configured a domain name that resolves to your IP address. You would not have that domain name in any of your VHosts, so Apache again serves from the default root. More about VHosts below.
Now, the virtual host directories. I am configuring two virtual hosts. It is a good idea to create the directories in the home directory of the user who hosts that domain.
/home/"username"
    /"domainname1"/www
        /cgibin
        /securearea ( Secure using a htpassword )
            /MediaStore/photos ( Symbolic Link )
            /MediaStore/videos ( Symbolic Link )
/home/"username"
    /"domainname2"/www
        /cgibin
        /securearea ( Secure using a htpassword )
            /MediaStore/videos ( Symbolic Link )
Now set up a secure area for system administration over the Internet. This area could be used for running phpMyAdmin, a file vault, or anything for which you want absolute security.
The following is reachable only via SSL:
/var/www
    /ssl_securearea
        /phpMyadmin ( Symbolic Link )
        /MediaStore/files ( Symbolic Link )
        /MediaStore/Copyrighted Ebooks
You may notice that the directory structure is laid out to separate the secure area from the non-secure area. For me this is very important, as I am overly security conscious. ssl_securearea can only be accessed via HTTPS and with authentication. The securearea under each virtual host is a place where you want some kind of user authentication to maintain your privacy, but where the contents are still not classified in nature. Say, your photo album: you don't want any Tom, Dick and Harry to see it, hence you have some basic authentication. But at the same time you don't want your photos to be encrypted and decrypted before the user sees them.
5. VHOSTS Configuration
Before we jump into VHost configuration, some basic understanding of host name, domain name, FQDN ( Fully Qualified Domain Name ) and CNAME alias is required. This post assumes that you have this understanding. VHost configuration can be daunting if you have not set up your machine properly. I spent nearly 2 days getting it set up properly.
I am going to explain with an example. This example is based on how I configured my system, with the host name and domain names changed.
Linux Host Name: HomeServer
Domain Name for First Virtual Host: www.domain1.com
Alias Name for First Virtual Host: localdomain1
Domain Name for Second Virtual Host: www.domain2.com
Alias Name for Second Virtual Host: localdomain2
Domain Name for Third Virtual Host: www.domain3.com
Alias Name for Third Virtual Host: SecureDomain
First, make sure that HomeServer is configured properly in your setup. When you type the command hostname, you should get "HomeServer". When you do a ping `hostname`, the host name should resolve to either 127.0.1.1, the static address you have configured for your interface, or the DHCP address provided by your DHCP server. In my case, and most probably in yours as well, it resolves to 127.0.1.1. If it does not resolve, then please check your network setup.
These are the files you may need to check when troubleshooting:
/etc/hosts
/etc/resolv.conf
/etc/hostname
Second, make sure that your aliases and domain names are resolvable. In my case, and in most cases, the domain names are hosted outside, so DNS resolving is not an issue. But alias resolving could be an issue. All the aliases I have mentioned above are for local use only. In my case, my router allowed me to configure these alias names and their IP address. If yours does not, then you have to change your /etc/hosts file as follows:
127.0.1.1 localdomain1
127.0.1.1 localdomain2
127.0.1.1 securedomain
Now you are set to configure your apache2.conf for virtual hosts.
A word before we jump into that. You may have noticed that each virtual host also has a domain alias. I did this for two reasons, and I encourage others to do the same. First, if I want to access my virtual host from within my network, that is, behind the firewall, I just use the local alias rather than the fully qualified domain name. Some routers, including the one I have, do not even allow access to my local machine via a fully qualified domain name. Second, when configuring the virtual hosts, I assign these aliases to the ServerName directive. As you might know, when Apache reads the configuration file, it does host name resolution to resolve all host names into IP addresses. Irrespective of whether your DNS host is up or down, Apache will be able to resolve the alias names because they are configured locally in your /etc/hosts file. Please read this article to know more about this issue.
This is for Ubuntu Linux server.
Make sure your /etc/apache2/apache2.conf has the following lines at the end (they are present by default):
# Include the virtual host configurations:
Include /etc/apache2/sites-enabled/
Now, in /etc/apache2/sites-available, create three files with the following names. Back up the default file that is already in this directory.
default
www.domain1.com
www.domain2.com
www.domain3.com
Open the "default" file and copy the following into it. Change the names and directories according to your setup.
ServerName HomeServer
NameVirtualHost *
<VirtualHost *>
    ServerAdmin webmaster@localhost
    ServerName HomeServer
    DocumentRoot /var/www/default
    # Deny access to the whole filesystem by default.
    <Directory />
        Order Deny,Allow
        Deny from all
        Options None
        AllowOverride None
    </Directory>
    # Then open up only the default document root.
    <Directory /var/www/default>
        Options None
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
    ErrorLog /var/log/apache2/error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog /var/log/apache2/access.log combined
    ServerSignature On
</VirtualHost>
Now open the second file, which I have named www.domain1.com here. ( You can name it whatever you want. For me this makes it simpler to keep track of what is inside the file. )
The file should have the following:
<VirtualHost *>
    ServerName localdomain1
    ServerAlias lingams www.domain1.com
    # Replace username with the account that hosts this domain.
    DocumentRoot /home/username/www.domain1.com/www
    <Directory />
        Order Deny,Allow
        Deny from all
        Options None
        AllowOverride None
    </Directory>
    <Directory /var>
        Order Deny,Allow
        Deny from all
        Options None
        AllowOverride None
    </Directory>
    <Directory /var/www>
        Order Deny,Allow
        Deny from all
        Options None
        AllowOverride None
    </Directory>
    <Directory /home/username/www.domain1.com/www>
        Options -Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog /var/log/apache2/error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog /var/log/apache2/access.log combined
    ServerSignature On
    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
</VirtualHost>
For the second virtual host, use the same as above; the only things that change are the DocumentRoot, ServerName and ServerAlias directives.
Now, the following shows how to configure a VHost that allows only SSL traffic:
# Plain HTTP requests for the secure domain are redirected to HTTPS.
<VirtualHost *>
    ServerAdmin webmaster@localhost
    ServerName securedomain
    ServerAlias securedomain www.domain3.com
    DocumentRoot /var/www/ssl_securearea
    RewriteEngine on
    RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R]
</VirtualHost>
NameVirtualHost *:443
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    ServerName securedomain
    ServerAlias securedomain www.domain3.com
    DocumentRoot /var/www/ssl_securearea
    SSLEngine On
    SSLCertificateFile /etc/apache2/ssl/apache.pem
    <Directory />
        Order Deny,Allow
        Deny from all
        Options None
        AllowOverride None
    </Directory>
    <Directory /var>
        Order Deny,Allow
        Deny from all
        Options None
        AllowOverride None
    </Directory>
    <Directory /var/www>
        Order Deny,Allow
        Deny from all
        Options None
        AllowOverride None
    </Directory>
    <Directory /var/www/ssl_securearea>
        Options -Indexes FollowSymLinks MultiViews
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>
    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride None
        Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>
    ErrorLog /var/log/apache2/error.log
    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    CustomLog /var/log/apache2/access.log combined
    ServerSignature On
    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>
</VirtualHost>
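As shown, the <Directory /var/www/ssl_securearea> block above allows every client and carries no authentication directives, and AllowOverride None means a .htaccess file cannot supply them either. One way to add the Basic user/group login and the local-only phpMyAdmin access listed in the goals, in the same Apache 2.2 syntax; this is an added example, not the author's configuration. The files under /etc/apache2/auth, the group admins, the user alice and the LAN range 192.168.1.0/24 are assumptions.

```apache
# Added example, not from the original post. Place inside <VirtualHost *:443>,
# replacing the <Directory /var/www/ssl_securearea> block shown above.
#
# Assumed supporting files (keep them outside every DocumentRoot):
#   sudo htpasswd -c /etc/apache2/auth/htpasswd alice   # prompts for a password
#   /etc/apache2/auth/htgroup contains the line:  admins: alice

<Directory /var/www/ssl_securearea>
    Options -Indexes FollowSymLinks MultiViews
    AllowOverride None

    # Refuse the request outright if it ever arrives without SSL, so the
    # Basic credentials are never accepted over plain HTTP.
    SSLRequireSSL

    # Basic user/group authentication.
    AuthType Basic
    AuthName "Secure Area"
    AuthUserFile /etc/apache2/auth/htpasswd
    AuthGroupFile /etc/apache2/auth/htgroup
    Require group admins

    # Any address may connect, but Satisfy All means the client must pass
    # the host check AND the login, not just one of the two.
    Order allow,deny
    Allow from all
    Satisfy All
</Directory>

# phpMyAdmin (the symbolic link in the secure area): reachable from the
# local network only. The login configured above is inherited, so a local
# client still has to authenticate.
<Directory /var/www/ssl_securearea/phpMyadmin>
    Order deny,allow
    Deny from all
    Allow from 127.0.0.0/255.0.0.0 192.168.1.0/24
    Satisfy All
</Directory>
```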
All the VHosts have now been configured, and you need to enable them. Use the commands Ubuntu provides to enable the sites.
default is already enabled, so just enable the others:
sudo a2ensite www.domain1.com
( This is a filename. If you are using a different name, then use that name. )
sudo a2ensite www.domain2.com
( Same as above )
sudo a2ensite www.domain3.com
( Same as above )
Also make sure the rewrite engine is enabled:
sudo a2enmod rewrite
Also make sure that the SSL engine is enabled:
sudo a2enmod ssl
You are now set to restart Apache. Do as follows:
sudo /etc/init.d/apache2 reload
If there are no errors, everything is done. If there is an error, please refer to the Apache documentation for troubleshooting. The following section has some troubleshooting info for a few deceptive warnings that teased me for 2 days.
6. Troubleshooting VHost Configuration
The following warnings are deceptive. They do not break your VHost configuration, but they hose up the way Apache understands it. So if you see the following warnings, it is better to resolve them.
Warning 1
apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
This is because Apache is unable to resolve the default host name of the machine it is running on. To solve this problem, look at the first 5 lines of the "default" file configuration. I am pasting them here for your reference:
ServerName HomeServer
NameVirtualHost *
<VirtualHost *>
ServerAdmin webmaster@localhost
ServerName HomeServer
The two ServerName lines above made the problem go away for me.
Warning 2
[warn] NameVirtualHost *:80 has no VirtualHosts….
This is because somewhere in your configuration files you have the same NameVirtualHost * entered more than once. The Apache documentation clearly states that you can only have one NameVirtualHost per IP address and port combination. That is, if you have NameVirtualHost *, you cannot define it again in some other place; it has to be a different combination. You can see this in my securedomain configuration: the last NameVirtualHost *:443 is OK because it is a different port, but I cannot repeat this definition again.