Hardware
AMD Phenom(tm) II X4 965 Processor
16 GB DDR3
2x 1TB SATA HDD, Raid 1 (~850 GB usable)
Software setup
Operating system
Debian Jessie is used.
Must-have packages
- tmux for persistent terminals (type tmux attach after SSH connection to attach, ctrl+b+n or p for next/previous pane, ctrl+b +c for new pane
- imagemagick as it will be used by some web projects for graphics manipulation
Network configuration
- 100 MBps connection (...)
- 89.238.64.138/24
- 2a00:1828:2000:664::2/64
Webserver
Nginx, php5-fpm 5.6
SSL
All web traffic is per default forwarded to the same URL on HTTPS. Define a server block for the domain if that should not happen.
SSL certificates from letsencrypt.org are used. For that, the simp_le client comes into action: The .well-known/ path is served from the common webroot /var/www/html on a wildcard server block (_). That enables a very simple default configuration. The webserver is automatically reloaded if certificates change.
HTTP Strict Transport Security is enabled in nginx.conf. Domain yunity.org was applied for Chrome certificate preloading (http://hstspreload.appspot.com/).
Monitoring
https://yuca-admin.yunity.org/ provides links to
- munin (please activate reasonable plugins when you add services or sites, especially PHP status)
- PHP OPCache statistics (please increase SHM when neccessary)
Please add yourself to the mailinglist serveradmin@yunity.org (in manitu interface) to receive munin/postmaster/root/etc. emails from yuca.
Adding a new site/project
Each project should execute script under a separate user. To create a basic setup for SSL, PHP and serving static files, there is a script.
| Code Block | ||
|---|---|---|
| ||
/var/www/create.sh <projectname> |
Execute it with a reasonable project name and it creates a directory structure, a user, a template nginx configuration and a template PHP configuration.
After that, edit
| Code Block |
|---|
/var/www/<projectname>/cert/dns |
file to have all your domains, one per line, included.
Be sure, that the DNS entries point to the system before executing /opt/letsencrypt/update_keys.sh to generate the SSL certificates.
Edit
| Code Block |
|---|
/etc/nginx/sites-available/<projectname> |
to have the right ServerName and additional webserver configuration.
Edit
| Code Block |
|---|
/etc/php5/fpm/pool.d/<projectname> |
to reflect your necessary special PHP settings.
Link your site to be enabled:
| Code Block |
|---|
ln -s /etc/nginx/sitesavailable/<projectname> /etc/nginx/sites-enabled |
Adding a new virtual host name
Create a new user
We are using one user per hosting environment.
| Code Block |
|---|
adduser --home /var/www/<name> <name> |
PHP-FPM
Create a FPM pool file in
| Code Block |
|---|
/etc/php5/fpm/pool.d/ |
This generates a unix socket file.
Nginx
Add the FPM socket file in
| Code Block |
|---|
/etc/nginx/conf.d/php-upstream.conf |
Create a nginx config file in
| Code Block |
|---|
/etc/nginx/sites-available/ |
and link it in
| Code Block |
|---|
/etc/nginx/sites-enabled/ |
Encryption
Create the file
| Code Block |
|---|
/var/www/<name>/cert/dns |
and enter the domains of the virtual host.
Run
| Code Block |
|---|
/opt/letsencrypt/update_keys.sh |
Log directory
Create a directory
| Code Block |
|---|
/var/www/<name>/log |
to allow startup and logging of PHP-FPM.