U-232 + Cpanel + Nginx + Varnish + CSF And A Bunch of Other Stuff

Started by Bushman, December 31, 2013, 11:51:00 PM

Bushman

I just had a friend ask me if I could get him set up with his own tracker in a PlugNPlay type style and figured I would document it for anybody else that is interested in an easy, secure, yet performance-based install that damn near anybody can manage :P My buddy is a noob when it comes to Linux so I wanted to make things as easy as possible while keeping his site safe and fast. This guide is for those with a Cpanel/WHM license, not for shared hosting on Cpanel, which btw nobody should be trying to install and run a tracker on!

At first I was considering Gazelle + Ocelot but it really is not as polished from a new torrent admin perspective, and I knew u-232 was just as robust and secure but more polished and friendly.

Hosting: I wrote this guide using a Digital Ocean droplet located in Amsterdam but will be moving the server for him in a few months once it starts to grow. Spain is IMO at this time the #1 torrent-friendly country in the world. They are notorious for their slack copyright laws and for failing to co-operate with the US and other countries regarding takedown requests; even when the US threatened them with a trade embargo they stood their ground. For good hosting you can check out http://sologigabit.com. I have been using them for over a year for "sensitive" projects and have been quite happy with their service.

This was a fresh install, so first update the OS:
yum update -y

Now we will install Cpanel:
cd /home
wget -N http://httpupdate.cpanel.net/latest
If your host is decent and it is an actual minimal install, you may get an error about the command wget not being found; install it with yum install wget -y and then grab the latest Cpanel again :)
sh latest
(Depending on your rig this install can take 30 to 90 minutes, so grab a beer :P If you get an error about Perl then do >> yum install perl -y)

As soon as the install has finished do a reboot and re-log with SSH; leave it open, we will be using it shortly. Navigate to your WHM login >> https://yourip:2087 and go through the installer. In short it will be like:

-> I Agree/Go To Step 2
-> Enter a valid e-mail and any other relevant info. For resolvers you can use Google's, which are 8.8.8.8 and 8.8.4.4
-> Next step is adding IPs, which you can skip unless you plan on a paid SSL, in which case you would need to get a 2nd IP that is dedicated to the Cpanel account you will be running the tracker on. (I will add this step later.)
-> Nameservers -> Bind is fine. Since this is more of a beginners' guide, don't worry about nameservers. Scroll down and enter your server IP in the fields at the bottom; the IPs do not need to be different no matter what it says.
-> Next is "Services" scroll down and check "Provide modules to /usr/bin/perl formerly provided by checkperlmodules" and save.
-> Click "Finish Setup Wizard"
-> Feature Showcase Crap. Disable all and "Save Settings".

Now before we go any farther let's do a basic securing of our server. First we will change the SSH port (scrubs' favorite attack vector). To do this:
nano /etc/ssh/sshd_config
Uncomment the line #Port 22 and change the port number. Something high up like 7676 should avoid any conflicts with other services, so it should now look like >> Port 7676. Save and exit and do >> service sshd restart. Now open a new instance of your SSH program (PuTTY for example) and make sure you can connect on the new port (important). If all is good, proceed to the next step.

Installing CSF (Config Server Firewall)

This absolutely beats dealing with iptables straight up. The ease of use and functionality kicks ass and it is an industry standard for security, so use it! To install do:
wget http://www.configserver.com/free/csf.tgz
tar -xzf csf.tgz
cd csf
sh install.sh


Now do:
perl /etc/csf/csftest.pl

That will test and make sure that all the CSF modules will work on your system. This will normally return all OK, with the rare exception of OpenVZ VPSes where a few (non-critical) tests will fail.

Now in your WHM panel, if you scroll down on the left you will see Config Server Firewall at the bottom. Open it, then click on Firewall Configuration. I will keep this to a bare minimum as to securing and functionality; if you want to go deeper then research what the rest of the settings mean :).

First, near the top check TCP_IN and make sure your new SSHD port from above is listed. If it is not, then add it.

Scroll down to Reporting Settings and enter a valid e-mail in the field "LF_Alert_To"; all alerts from the firewall will be sent here.
In the "LF_Alert_From" field enter something that lets you know exactly which server the alert comes from. Handy if you have multiple servers going :)

Next scroll down to Directory Watching And Integrity:

Set LF_DIRWATCH = 0

Now scroll down to Process Tracking:

PT_LIMIT = 0
PT_INTERVAL = 0
PT_USERMEM = 0
PT_USERTIME = 0

Housekeeping! >> rm ../csf.tgz (the tarball sits one level up from the csf directory you cd'd into)

Those settings mainly apply to a shared environment, which we are not doing. Disabling them saves you a ton of annoying alerts/e-mails. Scroll down to the bottom and hit "Change". Log out of WHM and SSH and log in again to make sure you still have access. If all is good, then again open the CSF Config through WHM, change TESTING = 1 to TESTING = 0, hit Change, then Restart CSF and LFD. Congrats, your server just got a whole bunch safer!

Now let's install Apache Booster, which will easily give us the added speed, security, and efficiency of Nginx and Varnish.
In SSH as root execute the following commands (if you're still in the csf directory, cd .. first):
wget http://prajith.in/downloads/apachebooster.tar.gz
tar -zxf apachebooster.tar.gz
cd apachebooster
sh install.sh


If by chance the Varnish install fails it is most likely because of a missing libedit-devel, so do >> yum install -y libedit-devel and then do "sh install.sh" again. After the install completes do service httpd restart and you should see Varnish and Nginx restart successfully.

Housekeeping! rm ../apachebooster.tar.gz (again, the tarball is one level up from the directory you cd'd into)

Once that finishes....KACHOW!! Your webserver just got a massive boost in many different ways!

Let's rebuild Apache / PHP with a more secure and hardened build:

-> Go to "Easy Apache" in the left hand column of WHM.
-> Click PHP Security (starts a basic PHP build with SuHosin)
--> Because you are pro hit the button that says "Start customizing based on profile"
-> Apache version the default is fine
-> PHP 5 default selection is fine

>> Short Options List <<

-> Uncheck Frontpage
-> Uncheck "Mod SuPHP" (we will be running FCGI with the APC opcode cacher for PHP and Mod SuPHP is not compatible)
-> Check Mod Security for the sake of paranoia :P

Now Click "Exhaustive Options"

-> Check "Mod FCGID"
-> Check "MemCache"
-> Check "GD"
-> Check "Mcrypt"
-> Check "Openssl"
-> Check "Mysql of the system"
-> Check Mysql "improved" extension

Now go ahead and hit the "Save and Build" button. It can take awhile to rebuild so grab a beer or something :P

PHP Variables

We will need to make some changes to our PHP variables as they are not quite right by default for our setup. In WHM go to Service Configuration >> PHP Configuration Editor >> Advanced Mode.

-> memory_limit = 128M
-> post_max_size = 100M
-> upload_max_filesize = 100M
-> max_execution_time = 0
-> max_input_time = -1

Install Memcached Server

This is normally a very easy install, but given that we are using Cpanel things get a little more in depth :P

wget https://github.com/downloads/libevent/libevent/libevent-2.0.21-stable.tar.gz --no-check-certificate
tar -xvf libevent-2.0.21-stable.tar.gz
cd libevent-2.0.21-stable
./configure
make && make install
cd ~
wget http://memcached.googlecode.com/files/memcached-1.4.15.tar.gz
tar -xzf memcached-1.4.15.tar.gz
cd memcached-1.4.15
./configure
make && make install


Now create the following file (for 32 bit systems)
echo "/usr/local/lib/" > /etc/ld.so.conf.d/libevent-i386.conf

Or this file for 64 bit systems
echo "/usr/local/lib/" > /etc/ld.so.conf.d/libevent-x86_64.conf

Now do:

Note: "1024" is the amount of RAM (in MB) given to Memcached and you can adjust this as you want. Explaining Memcached and how it works is beyond the scope of this guide. 11211 is the port that Memcached will listen on, and -l 127.0.0.1 makes it listen on localhost only (without -l it would listen on every interface).
ldconfig
memcached -d -u nobody -m 1024 -l 127.0.0.1 -p 11211


Memcached will now be running.

Now let's install libmemcached by doing:

cd ~
wget https://launchpad.net/libmemcached/1.0/1.0.16/+download/libmemcached-1.0.16.tar.gz
tar -zxvf libmemcached-1.0.16.tar.gz
cd libmemcached-1.0.16
./configure
make && make install
pecl install memcached


To check whether memcached.so is enabled in /usr/local/lib/php.ini, and add it if it is not, do:

grep -q "memcached.so" /usr/local/lib/php.ini || echo 'extension=memcached.so' >> /usr/local/lib/php.ini

Now, because of that fantastic feature in Cpanel called Easy Apache updates, we have to add a little something extra that preserves memcached.so and restores it after Easy Apache rebuilds. So do:

# Copy the compiled extension somewhere an Easy Apache rebuild will not wipe
EXTDIR=$(grep ^extension_dir /usr/local/lib/php.ini | awk '{print $3}' | cut -d\" -f2)
cp "$EXTDIR/memcached.so" /root/
# Cpanel runs this hook after every Easy Apache build: put the .so back and re-enable it
cat > /usr/local/cpanel/scripts/posteasyapache <<EOF
#!/bin/bash
cp /root/memcached.so "$EXTDIR"
grep -q 'memcached.so' /usr/local/lib/php.ini || echo 'extension=memcached.so' >> /usr/local/lib/php.ini
/etc/init.d/httpd restart
EOF
chmod +x /usr/local/cpanel/scripts/posteasyapache


Now through WHM restart both Apache and Apache Booster and do:

php -i | grep -i memcached

If all is well it should return something similar to this:

memcached
memcached support => enabled
libmemcached version => 1.0.4
memcached.compression_factor => 1.3 => 1.3
memcached.compression_threshold => 2000 => 2000
memcached.compression_type => fastlz => fastlz
memcached.serializer => php => php
memcached.sess_binary => 0 => 0
memcached.sess_lock_wait => 150000 => 150000
memcached.sess_locking => 1 => 1
memcached.sess_prefix => memc.sess.key. => memc.sess.key.
Registered save handlers => files user memcached memcache


Of course we want automation, so after this we can pretty much let it take care of itself. For this we need to create a few files and add memcached as an autostart daemon.

First let's create a config file so Memcached knows which params to startup with:

nano /etc/memcached.conf

add this to the new file:

# Memory
-m 1024
# default port
-p 11211
# user to run daemon nobody/apache/www-data
-u nobody
# only listen locally
-l 127.0.0.1


Now we will create the startup files:

nano /etc/init.d/memcached

Paste the following shell script into it:

#!/bin/bash
#
# memcached    This shell script takes care of starting and stopping
#              standalone memcached.
#
# chkconfig: - 80 12
# description: memcached is a high-performance, distributed memory
#              object caching system, generic in nature, but
#              intended for use in speeding up dynamic web
#              applications by alleviating database load.
# processname: memcached
# config: /etc/memcached.conf
# Source function library.
. /etc/rc.d/init.d/functions
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DAEMON=/usr/local/bin/memcached
DAEMONBOOTSTRAP=/usr/local/bin/start-memcached
DAEMONCONF=/etc/memcached.conf
NAME=memcached
DESC=memcached
PIDFILE=/var/run/$NAME.pid
[ -x $DAEMON ] || exit 0
[ -x $DAEMONBOOTSTRAP ] || exit 0
RETVAL=0
start() {
echo -n $"Starting $DESC: "
daemon $DAEMONBOOTSTRAP $DAEMONCONF
RETVAL=$?
[ $RETVAL -eq 0 ] && touch $PIDFILE
echo
return $RETVAL
}
stop() {
echo -n $"Shutting down $DESC: "
killproc $NAME
RETVAL=$?
echo
[ $RETVAL -eq 0 ] && rm -f $PIDFILE
return $RETVAL
}
# See how we were called.
case "$1" in
start)
  start
  ;;
stop)
  stop
  ;;
restart|reload)
  stop
  start
  RETVAL=$?
  ;;
status)
  status $NAME
  RETVAL=$?
  ;;
*)
  echo $"Usage: $0 {start|stop|restart|status}"
  exit 1
esac
exit $RETVAL


Save exit and chmod it:

chmod +x /etc/init.d/memcached

Next file to make:

nano /usr/local/bin/start-memcached

Paste in:

#!/usr/bin/perl -w
# start-memcached
# 2003/2004 - Jay Bonci <jaybonci@debian.org>
# This script handles the parsing of the /etc/memcached.conf file
# and was originally created for the Debian distribution.
# Anyone may use this little script under the same terms as
# memcached itself.
use strict;
if ($> != 0 and $< != 0) {
print STDERR "Only root wants to run start-memcached.\n";
exit;
}
my $etcfile = shift || "/etc/memcached.conf";
my $params = [];
my $etchandle;
# This script assumes that memcached is located at /usr/bin/memcached, and
# that the pidfile is writable at /var/run/memcached.pid
my $memcached = "/usr/local/bin/memcached";
my $pidfile = "/var/run/memcached.pid";
# If we don't get a valid logfile parameter in the /etc/memcached.conf file,
# we'll just throw away all of our in-daemon output. We need to re-tie it so
# that non-bash shells will not hang on logout. Thanks to Michael Renner for
# the tip
my $fd_reopened = "/dev/null";
sub handle_logfile {
my ($logfile) = @_;
$fd_reopened = $logfile;
}
sub reopen_logfile {
my ($logfile) = @_;
open *STDERR, ">>$logfile";
open *STDOUT, ">>$logfile";
open *STDIN, ">>/dev/null";
$fd_reopened = $logfile;
}
# This is set up in place here to support other non -[a-z] directives
my $conf_directives = {
"logfile" => \&handle_logfile
};
if (open $etchandle, $etcfile) {
foreach my $line (<$etchandle>) {
  $line =~ s/\#.*//go;
  $line = join ' ', split ' ', $line;
  next unless $line;
  next if $line =~ /^\-[dh]/o;
  if ($line =~ /^[^\-]/o) {
   my ($directive, $arg) = $line =~ /^(.*?)\s+(.*)/;
   $conf_directives->{$directive}->($arg);
   next;
  }
  push @$params, $line;
}
}
unshift @$params, "-u root" unless (grep $_ eq '-u', @$params);
$params = join " ", @$params;
if (-e $pidfile) {
open PIDHANDLE, "$pidfile";
my $localpid = <PIDHANDLE>;
close PIDHANDLE;
chomp $localpid;
if (-d "/proc/$localpid") {
  print STDERR "memcached is already running.\n";
  exit;
} else {
  unlink $pidfile;   # stale pidfile: the process is gone, so remove the file (not the pid)
}
}
my $pid = fork();
if ($pid == 0) {
reopen_logfile($fd_reopened);
exec "$memcached $params";
exit(0);
} elsif (open PIDHANDLE,">$pidfile") {
print PIDHANDLE $pid;
close PIDHANDLE;
} else {
print STDERR "Can't write pidfile to $pidfile.\n";
}


Save, exit and then chmod it:

chmod +x  /usr/local/bin/start-memcached

Now we test and make sure the scripts are working properly:

/etc/init.d/memcached restart

Should return:

Install APC Opcode Cacher

APC will make a large difference to your PHP performance as well as give you detailed information and graphs (with GD installed, which we did). Very simple to do. You can install it through WHM's Module Installer but it almost always has an issue with APC, so it is better to do it from the command line. Log in with SSH as root and do:
yum install pcre-devel
then:
pecl install apc

Now add a package and Cpanel account in WHM. This is extremely well documented so I am not going to cover it here. If you have a problem at this step post here and I'll give you a cookie of a naked Santa Claus! (Oh, I will mention: when making the account give it Shell Access permissions.) This will cover a future Sphinx Search install and give you added flexibility if needed. It is only a NONO in shared environments, which this is not.

Once you have the account made, log in to your newly made Cpanel account >> https://serverip/~accountname:2083 or, if you are ahead of the game and already have a domain pointed, https://yourdomain:2083 (always https, don't be a nab!). Now upload the files however you choose, whether through FTP or the File Manager within Cpanel, and extract them.

Get the latest U-232 Ver 3 Here >> https://github.com/Bigjoos/U-232-V3

Navigate to http://yourdomain/install/index.php and you should be greeted with the installer, which will already have run a directory check and be showing all green arrows. For the next step you will need to create a database, a database user, and assign that user to the database with all permissions. This is also well documented so I will not include it here. I will mention that when creating database_name and user_name, use random chars and numbers in upper and lower case for added security. Once done you can go ahead and fill out the fields in the installer something like:


This guide is currently in progress