
yuca setup


Hardware

AMD Phenom(tm) II X4 965 Processor

16 GB DDR3

2x 1TB SATA HDD, Raid 1 (~850 GB usable)

 

Software setup

Operating system

Debian Jessie is used.

Must-have packages

  • tmux for persistent terminals (type tmux attach after SSH connection to attach, ctrl+b then n or p for next/previous pane, ctrl+b then c for new pane)
  • imagemagick as it will be used by some web projects for graphics manipulation

Network configuration

  • 100 MBps connection (...)
  • 89.238.64.138/24
  • 2a00:1828:2000:664::2/64

Webserver

Nginx, php5-fpm 5.6

SSL

By default, all web traffic is forwarded to the same URL on HTTPS. Define a server block for the domain if that should not happen.

SSL certificates from letsencrypt.org are used, obtained with the simp_le client: the .well-known/ path is served from the common webroot /var/www/html by a wildcard server block (_), which allows a very simple default configuration. The webserver is reloaded automatically when certificates change.

HTTP Strict Transport Security is enabled in nginx.conf. The domain yunity.org has been submitted for Chrome HSTS preloading (http://hstspreload.appspot.com/).

Monitoring

https://yuca-admin.yunity.org/ provides links to

  • munin (please activate reasonable plugins when you add services or sites, especially PHP status)
  • PHP OPCache statistics (please increase SHM when necessary)

Please add yourself to the mailing list serveradmin@yunity.org (in the manitu interface) to receive munin/postmaster/root/etc. emails from yuca.

Adding a new site/project

Each project should execute its scripts under a separate user. There is a script that creates a basic setup for SSL, PHP and serving static files:

/var/www/create.sh <projectname>

Execute it with a reasonable project name and it creates a directory structure, a user, a template nginx configuration and a template PHP configuration.

After that, edit

/var/www/<projectname>/cert/dns

so that it lists all your domains, one per line.

Make sure that the DNS entries point to the system before executing /opt/letsencrypt/update_keys.sh to generate the SSL certificates.

Edit

/etc/nginx/sites-available/<projectname>

to set the right server name (server_name) and any additional webserver configuration.

Edit

/etc/php5/fpm/pool.d/<projectname>

to apply any special PHP settings you need.

Link your site to be enabled:

ln -s /etc/nginx/sites-available/<projectname> /etc/nginx/sites-enabled

Adding a new virtual host name

Create a new user

We are using one user per hosting environment.

adduser --home /var/www/<name> <name>

PHP-FPM

Create an FPM pool file in

/etc/php5/fpm/pool.d/


This generates a unix socket file.

Nginx

Add the FPM socket file in

/etc/nginx/conf.d/php-upstream.conf

 

Create an nginx config file in

/etc/nginx/sites-available/

and link it in

/etc/nginx/sites-enabled/

 

Encryption

Create the file 

/var/www/<name>/cert/dns

and enter the domains of the virtual host.

Run

/opt/letsencrypt/update_keys.sh
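
The DNS check that has to pass before running /opt/letsencrypt/update_keys.sh (here and under "Adding a new site/project") can be scripted. The following is an added example, not one of the yuca scripts: it reads the cert/dns file and compares every resolved address with the host addresses from "Network configuration". It assumes getent is available; the function names and the script name are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check to run before /opt/letsencrypt/update_keys.sh.
# Usage (script name is hypothetical): sh check_dns.sh <projectname>

# This host's addresses, from the "Network configuration" section of the page.
HOST_ADDRS="89.238.64.138 2a00:1828:2000:664::2"

# Print every address NAME resolves to, one per line.
# Assumption: getent (glibc) is used, so the answer comes from the system
# resolver and /etc/hosts, which may differ from what the CA sees publicly.
resolve() {
    getent ahosts "$1" | awk '{ print $1 }' | sort -u
}

# Succeed only if NAME resolves and *every* address is this host. A single
# stray record (e.g. an old AAAA) can send the validation request elsewhere.
check_domain() {
    addrs=$(resolve "$1")
    if [ -z "$addrs" ]; then
        echo "FAIL $1: does not resolve"
        return 1
    fi
    for addr in $addrs; do
        case " $HOST_ADDRS " in
            *" $addr "*) ;;
            *) echo "FAIL $1: $addr is not this host"; return 1 ;;
        esac
    done
    echo "ok   $1"
}

# Check each domain in FILE (one per line, blank lines skipped).
# Returns 0 only when all domains pass.
check_dns_file() {
    failed=0
    while read -r name _rest || [ -n "$name" ]; do
        [ -n "$name" ] || continue
        check_domain "$name" || failed=$((failed + 1))
    done < "$1"
    [ "$failed" -eq 0 ]
}

# Run only when a project name is given on the command line.
if [ "$#" -eq 1 ]; then
    check_dns_file "/var/www/$1/cert/dns" \
        && echo "All names point here; run /opt/letsencrypt/update_keys.sh"
fi
```
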

 

Log directory

Create a directory

 /var/www/<name>/log

to allow startup and logging of PHP-FPM.
