Thursday, October 28, 2010

(mostly bad) Debian Experience

For the longest time, I've been meaning to try Debian, the much vaunted, wildly popular Linux distro among hardcore Linux users. Since I got started in Linux, I haven't really deviated from RHEL/Fedora/CentOS, mostly because RH-based distros have that great mix of ease of config/deployment/maintenance and secure-by-default, so there wasn't much incentive to try other distros. But we had a big account who requested a Debian Lenny setup/training, so I finally got the excuse to test drive it.

Let me tell you, after giving it an unbiased, honest to goodness spin these past two weeks, there's no effin way I'm going to be using Debian any time soon! There's a reason why RH rocks the corporate Linux server market.

A case in point is Apache and Sendmail. In RH, setting up a web server is a trivial process, whereas in Debian you have to wade through various files scattered throughout different directories. It's complex and prone to misconfiguration, and it illustrates why Debian doesn't get much love beyond the hardcore GNU/RMS crowd. In RH, server packages like Sendmail just work out of the box; in Debian, try getting the default sendmail.mc to run without tweaking it, or even try installing Sendmail (i.e. apt-get is a very decent package manager but a show-stopper when it comes to installing Sendmail).

Also (and I'm probably missing something here), something about the default security settings in Debian bothers me. There is no sane firewall setup; your box is 'open' by default. You have to fiddle with the SELinux configuration on your own (it's also turned off by default), or you have to chroot all your Internet-facing programs. And also (and again, I'm probably missing something here), the default permission for home directories is 755. WTF!

So OK, let me back up those inflammatory statements above. Let's set up the usual Apache stuff:

  • UserDir, which allows multiple users on the Linux system to host a web site on the server from their home directory, à la CMS.
  • Virtual hosting, which allows you to set up multiple domains on a single web server.
  • An SSL/TLS-enabled web site for encrypted traffic and secure identification of the server.

But first, let's make a simple bash script to simulate the RH 'service' utility in Debian. We'll use this script to start/stop/restart daemons. In your /root/.bashrc, add the following:

    # usage: service apache2 restart
    function service() { /etc/init.d/"$1" "$2"; }

Reload your .bashrc settings:

    source ~/.bashrc

Userdir setup

  1. Log in to your user account (e.g. gene) and run the following commands:

        mkdir public_html
        # Apache needs the search (x) bit on the home directory to reach
        # public_html; 711 grants that without letting other users list it
        chmod 711 ~/.
        chmod 755 public_html

  2. Edit /etc/apache2/mods-available/userdir.conf and add the following entry:

        UserDir enabled gene
        <Directory /home/gene/public_html>
            AllowOverride All
        </Directory>

  3. Load the 'userdir' module for Apache:

        a2enmod userdir

  4. Restart the Apache service:

        service apache2 restart
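
Whether Apache can serve ~/public_html depends on the "other" permission digit of the home directory: it needs the search (x) bit, while the read bit only lets other users list the directory. The following is an added example, not part of the original post; it assumes GNU stat (as on Debian) and the function names are hypothetical.

```sh
#!/bin/sh
# Classify a home directory by what "other" users (Apache's www-data
# included) may do with it. Verdicts are derived from the mode bits, so the
# result is the same when the script is run as root.

# Print the last octal digit of the mode, i.e. the "other" permissions.
other_digit() {
    mode=$(stat -L -c '%a' "$1") || return 1
    printf '%s\n' "${mode#"${mode%?}"}"
}

# listable   r+x (e.g. 755): any local user can list and enter the directory
# traverse   x only (e.g. 711): public_html is reachable, listing is denied
# names-only r only (e.g. 744): file names leak, yet Apache gets 403
# closed     neither (e.g. 700): nothing visible, UserDir cannot work
home_verdict() {
    digit=$(other_digit "$1") || return 1
    case $digit in
        5|7) echo listable ;;
        1|3) echo traverse ;;
        4|6) echo names-only ;;
        *)   echo closed ;;
    esac
}

# Print a verdict for every directory directly under a base (default /home).
audit_homes() {
    for d in "${1:-/home}"/*/; do
        [ -d "$d" ] || continue
        printf '%-11s %s\n' "$(home_verdict "$d")" "${d%/}"
    done
    return 0
}

# Typical use on a server: audit_homes /home
```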

Virtual Hosting Setup

  1. Create bogus DNS entries for "company1.com" and "company2.net". Then create the following directories for these domains:

        mkdir -p /var/www/{company1,company2}

  2. Enable virtual hosting in your Apache configuration. Create the file /etc/apache2/conf.d/virtual.conf and add the following:

        NameVirtualHost *

  3. Create the configuration file for each domain you will be hosting:

        cd /etc/apache2/sites-available/
        cp default company1
        cp default company2

  4. Start with company1, add/modify the following:

        <VirtualHost *>
            ServerAdmin webmaster@company1.com
            ServerName www.company1.com
            ServerAlias company1.com
            DocumentRoot /var/www/company1
            # Relative log paths resolve against ServerRoot (/etc/apache2 on
            # Debian), which has no logs/ directory, so use absolute paths
            ErrorLog /var/log/apache2/company1-error.log
            CustomLog /var/log/apache2/company1-access.log combined
        </VirtualHost>

    Note: Do the same config for company2

  5. Enable the virtual web sites:

        a2ensite company1
        a2ensite company2

    Note: The a2ensite command basically just creates a link for the

  6. Restart the Apache server

HTTPS Setup

  1. Generate our own self-signed certificate. Debian has a simple shell-script wrapper for openssl called "make-ssl-cert" for generating self-signed certs (i.e. similar to the openssl Makefile bundled in RH), but there's not much flexibility in it. We'll use openssl manually:

        # -nodes leaves the private key unencrypted; -out and -keyout name the
        # same file, so apache.pem holds both the certificate and the key
        openssl req -new -x509 -nodes -out /etc/ssl/certs/apache.pem -keyout /etc/ssl/certs/apache.pem

  2. Add/modify the following configuration files:

    • /etc/apache2/sites-available/default-ssl

        <VirtualHost *:443>
            ServerAdmin webmaster@localhost
            #SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
            #SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
            SSLCertificateFile /etc/ssl/certs/apache.pem
        </VirtualHost>

    • /etc/apache2/ports.conf

        NameVirtualHost *:80
        Listen 80
        Listen 443

    • /etc/apache2/conf.d/virtual.conf

        NameVirtualHost *:80

  3. Load the module for SSL/TLS:

        a2enmod ssl

  4. Enable the default web site for SSL/TLS:

        a2ensite default-ssl

  5. Restart the Apache service
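
The openssl command above writes an unencrypted private key into the same file as the certificate, under /etc/ssl/certs, so the file's mode decides who can copy the key. The following is an added example, not part of the original post, that classifies a PEM file by whether it holds a key and who can read it; it assumes GNU stat, the function names are hypothetical, and the sample PEM is constructed (markers only, no real key).

```sh
#!/bin/sh
# Flag PEM files that carry a private key and are readable beyond the owner.

has_private_key() {
    grep -Eq -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$1"
}

# Encrypted keys carry either the PKCS#8 "ENCRYPTED" label or the legacy
# "Proc-Type: 4,ENCRYPTED" header; `openssl req -nodes` writes neither.
key_is_encrypted() {
    grep -Eq -e '-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$1"
}

# Prints one of: no-key, ok, exposed-encrypted, exposed-plaintext
pem_verdict() {
    has_private_key "$1" || { echo no-key; return 0; }
    mode=$(stat -L -c '%a' "$1") || return 1
    if [ $(( 0$mode & 077 )) -eq 0 ]; then
        echo ok                     # owner-only, e.g. 600 or 400
    elif key_is_encrypted "$1"; then
        echo exposed-encrypted      # readable, but still passphrase-protected
    else
        echo exposed-plaintext      # group/other can copy a usable key
    fi
}

# Constructed sample: combined key + certificate file, placeholder bodies.
write_sample_pem() {
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
        '-----END RSA PRIVATE KEY-----' '-----BEGIN CERTIFICATE-----' \
        'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----' > "$1"
}

# Print a verdict for every regular file in a directory.
audit_pem_dir() {
    for f in "${1:-/etc/ssl/certs}"/*; do
        [ -f "$f" ] && printf '%-18s %s\n' "$(pem_verdict "$f")" "$f"
    done
    return 0
}

# Typical use on a server: audit_pem_dir /etc/ssl/certs
```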

So OK, it wasn't really that complex now that I've itemized the steps, but still, if you're coming from a sysadmin-friendly Linux distro, working with Debian can get unproductive and harrowing, fast.