BSD – AKLWEB HOST LLC Support Center (https://support.aklwebhost.com), feed generated Thu, 21 Mar 2024 06:49:37 +0000

How to Install Vanilla Forum on FreeBSD 12
https://support.aklwebhost.com/knowledgebase/how-to-install-vanilla-forum-on-freebsd-12/
Published Thu, 21 Mar 2024 06:49:36 +0000

Vanilla is a simple discussion forum written in PHP. Its source code is publicly hosted on GitHub. This guide walks you through installing Vanilla on a fresh FreeBSD 12 AKLWEB HOST server instance using PHP, MariaDB as the database, and Nginx as the web server.

Requirements

Vanilla Forum recommended software stack:

  • PHP version 7.2 or greater with the following extensions:
      • mbstring
      • curl
      • gd
      • PDO
      • mysqli
      • openssl
  • MySQL version 5.7 or greater, or MariaDB equivalent. This guide will use MariaDB.
  • Web server software such as Nginx or Apache. This guide will use Nginx.
  • SSL encryption is optional but recommended.

Before you begin

Check the FreeBSD version.

uname -ro
# FreeBSD 12.0-RELEASE

Ensure that your FreeBSD system is up to date.

freebsd-update fetch install
pkg update && pkg upgrade -y

Install some basic system administration packages if they are not present on your system.

pkg install -y sudo vim unzip wget curl bash socat git unzip

Create a new user account with your preferred username (we will use johndoe).

adduser

# Username: johndoe
# Full name: John Doe
# Uid (Leave empty for default): <Enter>
# Login group [johndoe]: <Enter>
# Login group is johndoe. Invite johndoe into other groups? []: wheel
# Login class [default]: <Enter>
# Shell (sh csh tcsh nologin) [sh]: bash
# Home directory [/home/johndoe]: <Enter>
# Home directory permissions (Leave empty for default): <Enter>
# Use password-based authentication? [yes]: <Enter>
# Use an empty password? (yes/no) [no]: <Enter>
# Use a random password? (yes/no) [no]: <Enter>
# Enter password: your_secure_password
# Enter password again: your_secure_password
# Lock out the account after creation? [no]: <Enter>
# OK? (yes/no): yes
# Add another user? (yes/no): no
# Goodbye!

Run the visudo command and uncomment the %wheel ALL=(ALL) ALL line to allow members of the wheel group to execute any command.

visudo

# Uncomment by removing hash (#) sign
# %wheel ALL=(ALL) ALL

Now, switch to your newly created user with su command.

su - johndoe

NOTE: Replace johndoe with your username.

Set up the timezone.

sudo tzsetup

Install PHP

Install PHP and PHP extensions.

sudo pkg install -y php72 php72-mbstring php72-curl php72-gd php72-pdo php72-mysqli php72-pdo_mysql php72-json php72-openssl php72-ctype php72-dom php72-hash php72-iconv php72-tokenizer php72-calendar php72-fileinfo php72-session php72-simplexml php72-xml php72-filter

Check the version.

php --version
# PHP 7.2.14 (cli) (built: Jan 15 2019 01:14:39) ( NTS )
# Copyright (c) 1997-2018 The PHP Group
# Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies

Soft-link php.ini-production to php.ini.

sudo ln -s /usr/local/etc/php.ini-production /usr/local/etc/php.ini

Check installed PHP extensions.

php -m
# mbstring
# curl
# gd
# PDO
# mysqli
# openssl
# . . .

Enable and start PHP-FPM.

sudo sysrc php_fpm_enable=yes
sudo service php-fpm start

Install MariaDB

Install MariaDB.

sudo pkg install -y mariadb102-client mariadb102-server

Check the version.

mysql --version
# mysql  Ver 15.1 Distrib 10.2.19-MariaDB, for FreeBSD12.0 (amd64) using readline 5.1

Start and enable MariaDB.

sudo sysrc mysql_enable="yes" 
sudo service mysql-server start

Run the mysql_secure_installation script to improve the security of your installation.

sudo mysql_secure_installation

Log into MariaDB as the root user.

mysql -u root -p
# Enter password:

Create a new database and user. Remember the credentials for this new user.

CREATE DATABASE dbname;
GRANT ALL ON dbname.* TO 'username' IDENTIFIED BY 'password';
FLUSH PRIVILEGES;
exit;

Install Nginx

Install Nginx.

sudo pkg install -y nginx

Check the version.

nginx -v
# nginx version: nginx/1.14.2

Enable and start Nginx.

sudo sysrc nginx_enable=yes
sudo service nginx start

Configure Nginx for use with Vanilla forum.

sudo vim /usr/local/etc/nginx/vanilla.conf

Populate the file with the following.

server {

  listen 80;
  server_name example.com;
  root /usr/local/www/vanilla;
  index index.php;

  location ~* /\.git { deny all; return 403; }
  location /build/ { deny all; return 403; }
  location /cache/ { deny all; return 403; }
  location /cgi-bin/ { deny all; return 403; }
  location /uploads/import/ { deny all; return 403; }
  location /conf/ { deny all; return 403; }
  location /tests/ { deny all; return 403; }
  location /vendor/ { deny all; return 403; }

  location ~* ^/index\.php(/|$) {
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    try_files $fastcgi_script_name =404;
    set $path_info $fastcgi_path_info;
    fastcgi_param PATH_INFO $path_info;
    fastcgi_index index.php;
    include fastcgi_params;
    fastcgi_param SCRIPT_NAME /index.php;
    fastcgi_param SCRIPT_FILENAME $realpath_root/index.php;
    fastcgi_param X_REWRITE 1;
    fastcgi_pass 127.0.0.1:9000;
  }

  location ~* \.php(/|$) {
    rewrite ^ /index.php$uri last;
  }
  
  location / {
    try_files $uri $uri/ @vanilla;
  }

  location @vanilla {
    rewrite ^ /index.php$uri last;
  }

}

Save the file and exit with :wq.

Now we need to include the vanilla.conf file in the main nginx.conf file.

Run sudo vim /usr/local/etc/nginx/nginx.conf and add the following line to the http {} block.

include vanilla.conf;

Test the configuration.

sudo nginx -t

Reload Nginx.

sudo service nginx reload

Install Vanilla forum

Create a document root directory.

sudo mkdir -p /usr/local/www/vanilla

Change ownership of the /usr/local/www/vanilla directory to johndoe.

sudo chown -R johndoe:johndoe /usr/local/www/vanilla

Navigate to the document root directory.

cd /usr/local/www/vanilla

Download the latest Vanilla forum.

wget https://open.vanillaforums.com/get/vanilla-core-2.6.4.zip

Unzip it and remove the zip archive.

unzip vanilla-core-2.6.4.zip
rm vanilla-core-2.6.4.zip

Change ownership of the /usr/local/www/vanilla directory to www.

sudo chown -R www:www /usr/local/www/vanilla

Restart PHP-FPM.

sudo service php-fpm restart

Navigate to the folder where you uploaded Vanilla in your web browser and follow the instructions on the screen to complete the setup.
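A post-install check for the deny rules in vanilla.conf above, added here as an example and not part of the original guide or of Vanilla: it asks the server for each path the configuration denies and reports any that are still served. The base URL and the file names appended under the denied directories are assumptions; the fetch function is injectable so the check can also be exercised offline.

```python
"""Post-install check for the vanilla.conf server block above.

Added example, not part of the original guide or of Vanilla itself. It
requests every path that the configuration denies and reports any that
the server still serves. The fetch function is injectable so the check
can be exercised offline; by default it uses urllib against the base URL.
"""
import sys
import urllib.error
import urllib.request

# Directories that vanilla.conf blocks with "deny all; return 403;". The
# file names appended to some of them are constructed examples.
PROTECTED_PATHS = [
    "/.git/HEAD",
    "/build/",
    "/cache/",
    "/cgi-bin/",
    "/uploads/import/",
    "/conf/config.php",
    "/tests/",
    "/vendor/autoload.php",
]


def http_status(url, timeout=5):
    """Return the HTTP status code of a HEAD request to url."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        # urllib raises on 4xx/5xx; the code itself is the answer we want.
        return exc.code


def check_protected_paths(base_url, fetch=http_status):
    """Return {path: status} for every protected path the server serves.

    Any status below 400 counts as served (a 2xx body or a redirect);
    403 from the deny rule and 404 from the application both count as
    blocked. An empty dict means nothing sensitive is reachable.
    """
    exposed = {}
    base = base_url.rstrip("/")
    for path in PROTECTED_PATHS:
        status = fetch(base + path)
        if status < 400:
            exposed[path] = status
    return exposed


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "http://example.com"
    leaks = check_protected_paths(base)
    for path, status in leaks.items():
        print(f"SERVED  {path} -> HTTP {status}")
    print("ok: no protected path is served" if not leaks
          else f"{len(leaks)} protected path(s) served")
```

Nginx gives regular-expression locations priority over plain prefix locations, so a request such as /conf/config.php matches the \.php location and is rewritten through index.php instead of being answered by the /conf/ deny rule; that is why the check treats any non-served status, not only 403, as blocked.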

Radio Streaming on FreeBSD 10 with IceCast and Ices
https://support.aklwebhost.com/knowledgebase/radio-streaming-on-freebsd-10-with-icecast-and-ices/
Published Thu, 09 Jan 2020 19:22:11 +0000

The following tutorial explains how to set up an IceCast radio streaming server and play audio files (music or podcasts) on the FreeBSD platform. This tutorial assumes that you are running FreeBSD 10.0 or higher and that you are logged in as the root user. It is also assumed that you have a text editor to edit configuration files.

Before we begin, it is important to understand the three parts of an audio streaming server. First, we have the server software itself, IceCast. IceCast acts like a central hub where audio streams come in and get sent out. The IceCast service takes in audio streams from source clients. Source clients are programs which read audio files or other sources of audio, such as microphones. In our example, the source client is Ices and it supplies an audio stream to the IceCast server. The third component is a listening client. Audio streams travel from the IceCast server to listeners who then hear the audio. Typically a listening client is a desktop application, such as a web browser, the VLC multimedia player, or WinAMP. Visually, the arrangement looks like this:

 Source client (Ices) --> IceCast server --> Listening client (browser)

To set up an IceCast streaming server on FreeBSD, we first install the server software itself. This can be done by running the following command.

 pkg install icecast2

We then open the /etc/rc.conf file and enable the IceCast background service. This is done by appending the following text to the bottom of the /etc/rc.conf file.

 icecast_enable="YES"

Our next step is to configure the IceCast service. The IceCast package ships with a sample configuration file that we can modify. This sample file is located in the /usr/local/etc directory. We will make a copy of this sample file before editing it.

 cd /usr/local/etc
 cp icecast.xml.sample icecast.xml

We now want to edit a few key fields of the icecast.xml file. Most of the file can be left with the default settings, but we should change the login information. We can do this by visiting the authentication section (at about line 30) and changing source-password and relay-password to something appropriate. These passwords allow a source client to stream data to the IceCast server. We should also change the admin-user and admin-password variables to something unique to our system. These two credentials guard the IceCast server’s web-based interface. Then, down around line 150, we should change the variables mount-name, username, and password. These three variables protect the IceCast server’s mount point. Finally, at the bottom of the icecast.xml file we should see a security section that has been commented out. We should remove the opening <!-- and closing --> comment markers from around the security paragraph. Once the icecast.xml file has been changed, save the file.

Once the configuration file has been edited, we want to enable logging. To do this, run the following commands.

 mkdir /var/log/icecast
 chown nobody:nogroup /var/log/icecast

Finally, we start the IceCast server. This causes the server to listen for input and incoming client connections.

 service icecast2 start

The IceCast server is up and running, so now we need to provide it with something to play. Our next step is to install the Ices source client. FreeBSD currently does not offer a binary package for Ices, so we need to build it from ports. This can be done by running the following commands.

 portsnap fetch
 portsnap extract
 cd /usr/ports/audio/ices
 make install
 make clean

The Ices source client will need a user account and logging. To create a user for the Ices software and set a password on the account, run these commands.

 pw groupadd ice
 pw useradd ices -g ice -m
 passwd ices

With the user created, we can now enable logging for Ices.

 mkdir /var/log/ices
 chown ices:ice /var/log/ices

From here on, we should no longer need root user access and can operate as the ices user. Next, we need to create two directories. One directory, music, will contain the audio files that we are going to stream. The second directory, conf, will contain our configuration files.

 su ices
 cd /home/ices
 mkdir music conf
 cp /usr/local/share/ices/ices-playlist.xml conf/configuration.xml

We now have a sample configuration file in place. It is time to edit the conf/configuration.xml file to suit our environment. The only parts of the file that we need to change are down around line 60. Here we need to provide the password and mount location we set in the icecast.xml file. For example, if we set our mount name in the icecast.xml file to be /radio.ogg, then we should change our configuration.xml file’s mount parameter to also be /radio.ogg. Our password field in configuration.xml should match the source-password we created in the icecast.xml file. Once our configuration.xml file has been edited, we will need to save our changes.
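The icecast.xml edits described earlier and the matching configuration.xml edit just described can be audited before the daemons are started; the script below is an added example, not part of the tutorial or of Icecast/Ices. Element names follow the stock sample files (an assumption), and the two XML documents embedded in it are constructed samples, not real site configuration.

```python
"""Audit of the icecast.xml and Ices configuration.xml edits described above.

Added example, not part of the tutorial or of Icecast/Ices. Element names
follow the stock sample files (an assumption); ICECAST_XML and ICES_XML
below are constructed samples, not real site configuration.
"""
import xml.etree.ElementTree as ET

# Placeholder credentials as shipped in the sample files (assumption: the
# stock samples use "hackme"/"hackme1"); add any other site defaults here.
PLACEHOLDERS = {"", "hackme", "hackme1", "admin", "password"}

ICECAST_XML = """<icecast>
  <authentication>
    <source-password>hackme</source-password>
    <relay-password>hackme</relay-password>
    <admin-user>admin</admin-user>
    <admin-password>hackme</admin-password>
  </authentication>
  <mount>
    <mount-name>/radio.ogg</mount-name>
    <username>radio</username>
    <password>hackme1</password>
  </mount>
  <!--
  <security>
    <chroot>0</chroot>
  </security>
  -->
</icecast>"""

ICES_XML = """<ices>
  <stream>
    <instance>
      <hostname>localhost</hostname>
      <port>8000</port>
      <password>hackme</password>
      <mount>/radio.ogg</mount>
    </instance>
  </stream>
</ices>"""


def _text(node, path):
    """Stripped text of the first element at path, or "" when absent."""
    return (node.findtext(path) or "").strip()


def audit_icecast(xml_text):
    """Return a list of findings for an icecast.xml document ([] = clean)."""
    root = ET.fromstring(xml_text)
    auth = root.find("authentication")
    if auth is None:
        return ["no <authentication> section"]
    findings = []
    for tag in ("source-password", "relay-password", "admin-password"):
        if _text(auth, tag) in PLACEHOLDERS:
            findings.append(f"authentication/{tag} still has a placeholder value")
    if _text(auth, "admin-user") in PLACEHOLDERS:
        findings.append("authentication/admin-user is still the default name")
    for mount in root.findall("mount"):
        if _text(mount, "password") in PLACEHOLDERS:
            findings.append(f"mount {_text(mount, 'mount-name')} has a placeholder password")
    # A commented-out <security> block is invisible to the parser, so its
    # absence means the tutorial's last edit (uncommenting it) was not made.
    if root.find("security") is None:
        findings.append("<security> section missing or still commented out")
    return findings


def audit_ices_against_icecast(ices_xml, icecast_xml):
    """Cross-check every Ices <instance> against the Icecast server config."""
    ices = ET.fromstring(ices_xml)
    icecast = ET.fromstring(icecast_xml)
    source_pw = _text(icecast, "authentication/source-password")
    mounts = {_text(m, "mount-name"): _text(m, "password")
              for m in icecast.findall("mount")}
    findings = []
    for inst in ices.iter("instance"):
        mount, password = _text(inst, "mount"), _text(inst, "password")
        if mounts and mount not in mounts:
            findings.append(f"ices mount {mount} is not a mount-name in icecast.xml")
        # The source may authenticate with the global source-password or,
        # for a protected mount, with that mount's own password.
        if password not in {source_pw, mounts.get(mount)}:
            findings.append(f"ices password for {mount} matches neither "
                            "source-password nor the mount password")
    return findings


def hardened_icecast():
    """Constructed copy of ICECAST_XML after the edits the tutorial asks for."""
    text = ICECAST_XML.replace("<!--", "").replace("-->", "")
    text = text.replace("hackme1", "mountS3cret").replace("hackme", "srcS3cret")
    return text.replace("<admin-user>admin<", "<admin-user>opsadmin<")
```

Run audit_icecast() on the real /usr/local/etc/icecast.xml and audit_ices_against_icecast() on it together with /home/ices/conf/configuration.xml; an empty list from both means the edits described above were all made.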

With the configuration file in place, the next step should be to copy audio files that we wish to stream into the music directory. The audio files should all be in .ogg format as IceCast will not handle .mp3 files with its default settings. Once all of the audio files that we wish to stream are in the music directory, we need to create a playlist. A playlist is a plain text file with a list of the music that we want to stream. We can easily create a playlist with the following commands.

 cd /home/ices/conf
 ls -d ../music/*.ogg > playlist.txt

The audio files will be played in the order they appear in the playlist.txt file. The file can be edited in any text editor to adjust the order of the streaming audio.

All that we need to do to begin streaming our audio files is to run this command.

 ices configuration.xml

Side note: Often we may want to run the Ices source client and then log out and go do something else. In that case, I like to run Ices from within a screen session. Here is an example of how to run ices with screen.

 screen
 cd /home/ices/conf
 ices configuration.xml

Then press Ctrl + A and tap the D key. That will detach the screen session and allow us to log out while Ices plays audio in the background. Later, we can halt Ices by logging in and running:

 screen -r
 killall ices
 exit

We can now connect to our server on port 8000 in a web browser to listen to our audio stream. The URL will look like http://myservername:8000. This address can be made publicly available if you want to let others listen to the stream.

Earlier, I mentioned that IceCast plays .ogg files and not .mp3. This is fairly easy to overcome on FreeBSD. As the root user, we can install a conversion tool, called sox, which will convert our .mp3 files to .ogg files. Assuming all our .mp3 files are in the /home/ices/music directory, we can install sox and perform a conversion as follows:

 pkg install sox
 cd /home/ices/music
 for i in *.mp3; do sox ./"$i" ./"$i".ogg; done

We can then refresh our playlist using:

 cd ../conf
 ls -d ../music/*.ogg > playlist.txt

Please keep in mind that audio streaming can be bandwidth intensive. One or two clients listening to our radio station will not require much bandwidth, but 50 or more clients could push a server over its allotted monthly bandwidth. It is a good idea to enable bandwidth capping on the streaming server to avoid unexpected financial costs.

Nginx, PHP-FPM and MySQL setup on OpenBSD 5.6
https://support.aklwebhost.com/knowledgebase/nginx-php-fpm-and-mysql-setup-on-openbsd-5-6/
Published Fri, 27 Dec 2019 07:12:33 +0000

OpenBSD is mostly used in firewall implementations; however, many people around the world, including programmers and sysadmins, use OpenBSD as a web server. We assume a working knowledge of OpenBSD, Nginx, and Unix in general.

Nginx (engine x) is an HTTP and reverse proxy server, as well as a mail proxy server, written by Igor Sysoev. For a long time, it has been running on many heavily loaded Russian sites. (from their website)

PHP-FPM (FastCGI Process Manager) is an alternative PHP FastCGI implementation with some additional features useful for sites of any size, especially busier sites. (from their website)

Requirements:

  • OpenBSD 5.6 installed on your aklwebhost.com VPS.
  • The following PKG_PATH set:
    export PKG_PATH=ftp://ftp.openbsd.org/pub/OpenBSD/5.6/packages/`arch -s`
  • Super user access.

Install Nginx

$ sudo pkg_add -v nginx
Ambiguous: choose package for nginx
a     0: <None>
      1: nginx-1.4.7p0
      2: nginx-1.4.7p0-lua
      3: nginx-1.4.7p0-naxsi
      4: nginx-1.4.7p0-passenger
      5: nginx-1.5.7p3
      6: nginx-1.5.7p3-lua
      7: nginx-1.5.7p3-naxsi
      8: nginx-1.5.7p3-passenger
  Your choice:

For the purposes of this document, we install the “5” option.

Install PHP-FPM

$ sudo pkg_add -v php-fpm-5.5.14.tgz

/etc/rc.conf.local must contain the following:

nginx_flags=""

And /etc/rc.conf must contain the following for these services to start automatically after each reboot.

# rc.d(8) packages scripts
# started in the specified order and stopped in reverse order
pkg_scripts=nginx

Edit nginx.conf

Basic requirements for /etc/nginx/nginx.conf in the server section.

location ~ \.php$ {
    try_files $uri =404;
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
}

Edit php-fpm.conf

Update the following in /etc/php-fpm.conf:

; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's 
; group will be used.
user = www
group = www


; The address on which to accept FastCGI requests.
; Valid syntaxes are:
; 'ip.add.re.ss:port'    - to listen on a TCP socket to a specific address on
;                            a specific port;
;   'port'                 - to listen on a TCP socket to all addresses on a
;                            specific port;
;   '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.

listen = 127.0.0.1:9000

Install MySQL

$ sudo pkg_add -v mysql-server-5.1.73p0v0.tgz

Update candidates: quirks-2.9 -> quirks-2.9 (ok)
quirks-2.9 signed on 2014-07-31T22:37:55Z
mysql-server-5.1.73p0v0:p5-Net-Daemon-0.48: ok
mysql-server-5.1.73p0v0:p5-PlRPC-0.2018p1: ok
mysql-server-5.1.73p0v0:p5-Clone-0.36p0: ok
mysql-server-5.1.73p0v0:p5-Params-Util-1.07p0: ok
mysql-server-5.1.73p0v0:p5-SQL-Statement-1.405: ok
mysql-server-5.1.73p0v0:p5-FreezeThaw-0.5001: ok
mysql-server-5.1.73p0v0:p5-MLDBM-2.05: ok
mysql-server-5.1.73p0v0:p5-DBI-1.631p0: ok
mysql-server-5.1.73p0v0:mysql-client-5.1.73v0: ok
mysql-server-5.1.73p0v0:p5-DBD-mysql-4.027: ok
mysql-server-5.1.73p0v0: ok
The following new rcscripts were installed: /etc/rc.d/mysqld
See rc.d(8) for details.
Look in /usr/local/share/doc/pkg-readmes for extra documentation.
Extracted 39040357 from 39044890

Initial setup

Create the initial database:

$ sudo /usr/local/bin/mysql_install_db

You can run the /usr/local/bin/mysql_secure_installation script to harden your MySQL installation. Otherwise, set the root password directly.

$ sudo /usr/local/bin/mysqladmin -u root password 'password'

To access MySQL for administrative tasks, such as creating databases and users, use the following command:

$ mysql -u root -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 47
Server version: 5.1.73-log OpenBSD port: mysql-server-5.1.73p0v0

Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

Add MySQL support for PHP

$ sudo pkg_add -v php-pdo_mysql-5.5.14.tgz

Start Daemons

$ sudo /etc/rc.d/nginx start
$ sudo /etc/rc.d/php-fpm start
$ sudo /etc/rc.d/mysqld start

Test your installation by writing a basic info.php file into a document root, /var/www/htdocs/example.com.

<?php
    phpinfo();
?>

Upon success, you will be able to view the PHP information web page.

Logs

Basic log files are found in the /var/log/nginx directory.

Enjoy.

Setup httpd in OpenBSD
https://support.aklwebhost.com/knowledgebase/setup-httpd-in-openbsd/
Published Fri, 27 Dec 2019 07:05:51 +0000

Introduction

OpenBSD 5.6 introduced a new daemon called httpd, which supports CGI (via FastCGI) and TLS. No additional work is needed to install the new httpd daemon because it is included in the base system. This article explains how to setup a basic web server using it.

Configuration

We will be editing the following files.

  • /etc/rc.conf.local
  • /etc/httpd.conf

Simply add httpd_flags="" into /etc/rc.conf.local.

Open /etc/rc.conf.local in your favorite text editor and add:

pkg_scripts="httpd"

Update /etc/httpd.conf. Use the example below as a template, and make changes as noted below in the comments. Replace “example” accordingly.

ext_ip="10.0.0.1" # Change this value to your aklweb host IP

server "default" {
        listen on $ext_ip port 80 
} 
types { 
        text/css css ; 
        text/html htm html ; 
        text/txt txt ; 
        image/gif gif ; 
        image/jpeg jpg jpeg ; 
        image/png png ; 
        application/javascript js ; 
        application/xml xml ; 
} 
server "www.example.net" { 
        listen on $ext_ip port 80 
        root "/htdocs/example.net" 
} 
server "www.example.com" { 
        listen on $ext_ip port 80 
        root "/htdocs/example.com" 
}

Alternatively, you can include all the Mime Types as follows:

types { 
       include "/usr/share/misc/mime.types"
} 

Next, upload your web content and put it into /var/www/htdocs/example.com.

Start the server

Your new httpd daemon is configured for use. Now, you just need to start the server:

$ doas /etc/rc.d/httpd start
How to Configure DJBDNS on FreeBSD
https://support.aklwebhost.com/knowledgebase/how-to-configure-djbdns-on-freebsd/
Published Fri, 27 Dec 2019 06:52:32 +0000

This tutorial will show you how to configure a DNS service that is easy to maintain, easy to configure, and generally more secure than the classic BIND service. This article assumes that you are running a VPS with FreeBSD installed.

To begin, open your terminal and install this package:

<ceph>[~]# pkg install djbdns                                              
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
The following 3 packages will be affected (of 0 checked):

New packages to be INSTALLED:
djbdns: 1.05_20,1
ucspi-tcp: 0.88_2
daemontools: 0.76_17

The process will require 1 MB more space.
251 KB to be downloaded.

Proceed with this action? [y/N]: y
Fetching djbdns-1.05_20,1.txz: 100%  139 KB 142.4k/s    00:01    
Fetching ucspi-tcp-0.88_2.txz: 100%   62 KB  63.1k/s    00:01    
Fetching daemontools-0.76_17.txz: 100%   51 KB  51.7k/s    00:01    
Checking integrity... done (0 conflicting)
[1/3] Installing ucspi-tcp-0.88_2...
[1/3] Extracting ucspi-tcp-0.88_2: 100%
[2/3] Installing daemontools-0.76_17...
[2/3] Extracting daemontools-0.76_17: 100%
[3/3] Installing djbdns-1.05_20,1...
[3/3] Extracting djbdns-1.05_20,1: 100%

The installation automatically pulls in two additional packages, daemontools and ucspi-tcp.

Create two users, gtinydns and gdnslog. Start with the first user:

<ceph>[~]# adduser         
Username: gtinydns
Full name: gtinydns
Uid (Leave empty for default): 
Login group [gtinydns]: 
Login group is gtinydns. Invite gtinydns into other groups? []: 
Login class [default]: 
Shell (sh csh tcsh zsh rzsh nologin) [sh]: nologin
Home directory [/home/gtinydns]: 
Home directory permissions (Leave empty for default): 
Use password-based authentication? [yes]: 
Use an empty password? (yes/no) [no]: 
Use a random password? (yes/no) [no]: yes
Lock out the account after creation? [no]: 
Username   : gtinydns
Password   : <random>
Full Name  : gtinydns
Uid        : 1002
Class      : 
Groups     : gtinydns 
Home       : /home/gtinydns
Home Mode  : 
Shell      : /usr/sbin/nologin
Locked     : no
OK? (yes/no): yes
adduser: INFO: Successfully added (gtinydns) to the user database.
adduser: INFO: Password for (gtinydns) is: rTsada2131sa1Mg
Add another user? (yes/no): no
Goodbye!

Now, add the second user:

<ceph>[~]# adduser
Username: gdnslog
Full name: gdnslog
Uid (Leave empty for default):  
Login group [gdnslog]: 
Login group is gdnslog. Invite gdnslog into other groups? []: 
Login class [default]: 
Shell (sh csh tcsh zsh rzsh nologin) [sh]: nologin
Home directory [/home/gdnslog]: 
Home directory permissions (Leave empty for default): 
Use password-based authentication? [yes]: 
Use an empty password? (yes/no) [no]: 
Use a random password? (yes/no) [no]: yes
Lock out the account after creation? [no]: 
Username   : gdnslog
Password   : <random>
Full Name  : gdnslog
Uid        : 1003
Class      : 
Groups     : gdnslog 
Home       : /home/gdnslog
Home Mode  : 
Shell      : /usr/sbin/nologin
Locked     : no
OK? (yes/no): yes
adduser: INFO: Successfully added (gdnslog) to the user database.
adduser: INFO: Password for (gdnslog) is: jWsdad33aasdaFa0
Add another user? (yes/no): no
Goodbye!

Run the following command. Replace the IP address with the address of your AKLWEB Host server.

<ceph>[~]# tinydns-conf gtinydns gdnslog /usr/local/etc/tinydns 108.61.100.100

This command will create directories, files, and other sub directories in /usr/local/etc/tinydns. It will also put the IP address of the VPS in /usr/local/etc/tinydns/env/IP.

Create the directory /service.

<ceph>[~]# mkdir /service

Edit your /etc/rc.conf file:

<ceph>[~]# ee /etc/rc.conf

… and add these lines:

svscan_enable="YES"
svscan_servicedir="/service"

Save the configuration and start the svscan service:

<ceph>[~]# /usr/local/etc/rc.d/svscan start
Starting svscan.

Next, go to this directory:

<ceph>[~]# cd /usr/local/etc/tinydns/root

Edit the data file:

<ceph>[root]# ee data

… and add some DNS data:

# domain1.com
Zdomain1.com:dns1.domain1.com.:ns.domain1.com.:2013101203:604800:86400:2419200:604800:3600
&domain1.com::dns1.domain1.com.:3600
&domain1.com::dns2.domain1.com.:3600

# MX
@domain1.com::mail1.domain1.com.:10:3600
@domain1.com::mail2.domain1.com.:30:3600

# IP's (A records)
=dns1.domain1.com:108.61.210.99:3600
=dns2.domain1.com:89.201.163.42:3600
=mail1.domain1.com:89.201.163.42:3600
=mail2.domain1.com:85.114.41.8:3600
=www.domain1.com:108.61.178.194:3600
=test1.domain1.com:193.198.184.100:3600
=test2.domain1.com:108.61.178.215:3600

# Aliases
+domain1.com:108.61.178.194:3600
+smtp.domain1.com:89.201.163.42:3600
+imap.domain1.com:89.201.163.42:3600

Save the file and exit.

Run ls:

<ceph>[root]# ls
Makefile  add-alias  add-childns  add-host  add-mx  add-ns  data

Convert your text data to the database format:

<ceph>[root]# make
/usr/local/bin/tinydns-data

Run ls again:

<ceph>[root]# ls
Makefile  add-alias  add-childns  add-host  add-mx  add-ns  data  data.cdb

Notice the data.cdb file. You have created it with the make command.

And one more thing, create a symbolic link:

<ceph>[root]# ln -s /usr/local/etc/tinydns /service

Now test your new DNS server. Replace 108.61.178.110 with the IP address of your server.

<ceph>[root]# host www.domain1.com 108.61.178.110 
Using domain server:
Name: 108.61.178.110
Address: 108.61.178.110#53
Aliases: 

www.domain1.com has address 108.61.178.194

Nameserver lookup:

<ceph>[root]# host -t ns domain1.com 108.61.178.110 
Using domain server:
Name: 108.61.178.110
Address: 108.61.178.110#53
Aliases: 

domain1.com name server dns1.domain1.com.
domain1.com name server dns2.domain1.com.

Mailserver MX lookup:

<ceph>[root]# host -t mx domain1.com 108.61.178.110 
Using domain server:
Name: 108.61.178.110
Address: 108.61.178.110#53
Aliases: 

domain1.com mail is handled by 10 mail1.domain1.com.
domain1.com mail is handled by 30 mail2.domain1.com.

One more time to be sure:

<ceph>[root]# host mail1.domain1.com 108.61.178.110 
Using domain server:
Name: 108.61.178.110
Address: 108.61.178.110#53
Aliases: 

mail1.domain1.com has address 89.201.163.42

Congratulations! You have a working DNS server. Replace domain1.com with your domain. After every change, run the make command to build a new data.cdb file.

Explanation of the data file:

“A” records begin with an = sign. Aliases or CNAME records with a + sign. Mail servers begin with the @ sign. Nameservers with the & sign.

Example 1:

=test1.domain1.com:193.198.184.100:3600

= stands for an “A” record. test1.domain1.com is the DNS name, 193.198.184.100 is the IP address to which test1.domain1.com resolves, and 3600 is the TTL (time to live).

Example 2:

# MX
@domain1.com::mail1.domain1.com.:10:3600
@domain1.com::mail2.domain1.com.:30:3600

In this example, mail1 and mail2 are the mail servers for domain1.com. mail1 has priority 10 and mail2 has priority 30. That means that sending mail servers will first try to deliver mail to mail1; if mail1 fails, they will try mail2.

The following line marks the beginning of the zone info. It is required.

Zdomain1.com:dns1.domain1.com.:ns.domain1.com.:2013101203:604800:86400:2419200:604800:3600

The 2013101203 number (the zone serial) is used when you have a secondary DNS server at some other provider. When you change the number to 2013101204, the secondary DNS knows that the zone has changed and picks up the changes. This is just for informative purposes (you would need the AXFR zone transfer service for that). Alternatively, you can copy your DNS changes between two DJBDNS servers with the rsync program.
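A small parser for the data file format explained above, added as an example and not part of the article or of djbdns: it reads the five record types the article uses, answers the same lookups as the host commands above, and bumps the serial the way the article describes (2013101203 to 2013101204). SAMPLE_DATA is the article's own data file; the TTL used when the field is left empty is a simplification.

```python
"""Parser for the tinydns data file format explained above.

Added example, not part of the article or of djbdns. SAMPLE_DATA is the
article's own data file. TTL defaults for an empty field are simplified
here (tinydns-data's real defaults vary per record type).
"""
import datetime

SAMPLE_DATA = """\
# domain1.com
Zdomain1.com:dns1.domain1.com.:ns.domain1.com.:2013101203:604800:86400:2419200:604800:3600
&domain1.com::dns1.domain1.com.:3600
&domain1.com::dns2.domain1.com.:3600
# MX
@domain1.com::mail1.domain1.com.:10:3600
@domain1.com::mail2.domain1.com.:30:3600
# IP's (A records)
=dns1.domain1.com:108.61.210.99:3600
=dns2.domain1.com:89.201.163.42:3600
=mail1.domain1.com:89.201.163.42:3600
=mail2.domain1.com:85.114.41.8:3600
=www.domain1.com:108.61.178.194:3600
=test1.domain1.com:193.198.184.100:3600
=test2.domain1.com:108.61.178.215:3600
# Aliases
+domain1.com:108.61.178.194:3600
+smtp.domain1.com:89.201.163.42:3600
+imap.domain1.com:89.201.163.42:3600
"""


def _int(fields, idx, default):
    """Field idx as int, or default when the field is absent or empty."""
    return int(fields[idx]) if len(fields) > idx and fields[idx] else default


def parse_tinydns(text):
    """Return a list of record dicts; an unknown leading character is an error."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, f = line[0], line[1:].split(":")
        name = f[0].lower()
        if kind == "Z":        # Zfqdn:mname:rname:ser:ref:ret:exp:min:ttl
            rec = {"type": "SOA", "mname": f[1].rstrip("."), "rname": f[2].rstrip("."),
                   "serial": _int(f, 3, 0), "ttl": _int(f, 8, 86400)}
        elif kind == "&":      # &fqdn:ip:x:ttl  (x is the nameserver name)
            rec = {"type": "NS", "target": f[2].rstrip("."), "ttl": _int(f, 3, 86400)}
        elif kind == "@":      # @fqdn:ip:x:dist:ttl  (x is the mail exchanger)
            rec = {"type": "MX", "target": f[2].rstrip("."),
                   "distance": _int(f, 3, 0), "ttl": _int(f, 4, 86400)}
        elif kind in "=+":     # =fqdn:ip:ttl adds A+PTR, +fqdn:ip:ttl adds A only
            rec = {"type": "A", "address": f[1], "ptr": kind == "=",
                   "ttl": _int(f, 2, 86400)}
        else:
            raise ValueError(f"line {lineno}: unknown record type {kind!r}")
        rec["name"] = name
        records.append(rec)
    return records


def lookup(records, name, rtype):
    """Records of one type for a name; MX answers are ordered by distance."""
    hits = [r for r in records if r["name"] == name.lower() and r["type"] == rtype]
    if rtype == "MX":
        hits.sort(key=lambda r: r["distance"])
    return hits


def bump_serial(serial, today=None):
    """Next YYYYMMDDnn serial, as in changing 2013101203 to 2013101204.

    Same day: nn + 1. A later day: that date followed by 01. A serial that is
    already ahead of today's date is simply incremented so it never goes back.
    """
    today = int(today or datetime.date.today().strftime("%Y%m%d"))
    if serial // 100 == today and serial % 100 < 99:
        return serial + 1
    candidate = today * 100 + 1
    return candidate if candidate > serial else serial + 1


def with_new_serial(text, new_serial):
    """Return the data file text with the Z line's serial field replaced."""
    out = []
    for raw in text.splitlines():
        if raw.startswith("Z"):
            f = raw[1:].split(":")
            f[3] = str(new_serial)
            raw = "Z" + ":".join(f)
        out.append(raw)
    return "\n".join(out) + "\n"
```

After rewriting the data file with with_new_serial(), the make step above still has to be run to regenerate data.cdb.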

If you have PF Firewall on your FreeBSD server, add this line to allow DNS queries:

pass quick proto {tcp, udp} from any to $me port 53 flags S/SA keep state 
How to Secure FreeBSD with PF Firewall
https://support.aklwebhost.com/knowledgebase/how-to-secure-freebsd-with-pf-firewall/
Published Fri, 27 Dec 2019 06:48:05 +0000

This tutorial will show you how to protect your FreeBSD server using the OpenBSD PF firewall. We will assume that you have a clean FreeBSD installation deployed by AKLWEB Host with no users added. Besides the firewall configuration, we will do some other things that also harden the security of our FreeBSD server. Before configuring the firewall, we will install a few packages to make our work easier, since the default FreeBSD installation comes with a minimal set of tools and packages (which is correct).

The default shell in FreeBSD is /bin/sh. This is a basic shell with no auto-complete functions. We will use something better. We will install zsh.

First, install these packages:

# pkg install zsh gnuls
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/freebsd:10:x86:64/latest, please wait...
...

gnuls is GNU ls, the ls program used on Linux. We just want to have the same ls command on Linux and FreeBSD.

Add a normal user to the system (replace john with your username, and don’t forget to add the user to the wheel group):

# adduser
Username: john
Full name: John Doe
Uid (Leave empty for default): 
Login group [john]: 
Login group is john. Invite john into other groups? []: wheel
Login class [default]: 
Shell (sh csh tcsh zsh rzsh nologin) [sh]: zsh
Home directory [/home/john]: 
Home directory permissions (Leave empty for default): 
Use password-based authentication? [yes]: 
Use an empty password? (yes/no) [no]: 
Use a random password? (yes/no) [no]: 
Enter password: 
Enter password again: 
Lock out the account after creation? [no]: 
Username   : john
Password   : *****
Full Name  : John Doe
Uid        : 1001
Class      : 
Groups     : john wheel
Home       : /home/john
Home Mode  : 
Shell      : /usr/local/bin/zsh
Locked     : no
OK? (yes/no): yes
adduser: INFO: Successfully added (john) to the user database.
Add another user? (yes/no): no
Goodbye!

Create zsh config file:

# ee /home/your-username/.zshrc

Copy this to your .zshrc file:

# Prompt: <host>[dir]$ for a normal user, <host>[dir]# for root
PS1="<%U%m%u>[%B%1~%b]%(#.#.$) "

bindkey -e
alias su='su -m'
alias du='du -h -d0'
alias df='df -h'
alias l=less
alias ll='gnuls --color=always -l'
alias ls='gnuls --color=always'
# List packages with a newer version available and save the list to ./upgrade
alias pkg_ver='pkg version -v -l "<" > upgrade'

export EDITOR=ee

autoload -U colors && colors
autoload -U promptinit && promptinit
autoload -U compinit && compinit

# History settings
SAVEHIST=1000
HISTSIZE=1000
HISTFILE=~/.history
setopt histignoredups appendhistory

Run this command: (replace john with your username)

chown john:john /home/john/.zshrc

Now, login to the FreeBSD server with your username and change the default root password:

<aklwebhost>[~]$ su
Password:
<aklwebhost>[~]# passwd 
Changing local password for root
New Password:
Retype New Password:
<aklwebhost>[~]# 

We don’t need sendmail. Stop and disable this service:

<aklwebhost>[~]# /etc/rc.d/sendmail stop
Stopping sendmail.
Waiting for PIDS: 7843.
sendmail_submit not running? (check /var/run/sendmail.pid).
Stopping sendmail_msp_queue.
Waiting for PIDS: 7846.

Next, we will tidy up our rc.conf file:

# ee /etc/rc.conf

Change it to look like this:

#----------- NETWORKING ------------------------------------------------#
hostname="ceph.domain1.com" # replace ceph.domain1.com with your domain
ifconfig_vtnet0="dhcp"
static_routes=linklocal
route_linklocal="-net 169.254.0.0/16 -interface vtnet0"

#--------- SERVICES BSD LOCAL ----------------------------------------#
sshd_enable="YES"
ntpd_enable="YES"

#pf_enable="YES"
#pf_rules="/etc/firewall"
#pf_flags=""
#pflog_enable="YES"              
#pflog_logfile="/var/log/pflog"  
#pflog_flags=""    

sendmail_enable="NONE"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

Edit /etc/hosts file:

# ee /etc/hosts

Add your IP address and hostname:

::1                     localhost localhost.ceph ceph
127.0.0.1               localhost localhost.ceph ceph
108.61.178.110          ceph.domain1.com       ceph

Set timezone:

# bsdconfig

Whenever you can, disable remote access for the root user. Most attacks on SSH will try to access through the root user account. Always connect with your username and then su to root. Only users from the wheel group can su to root. That’s why we added our user to the wheel group.

Disable root login:

# ee /etc/ssh/sshd_config

Uncomment this line:

PermitRootLogin no

Reboot:

# reboot

After the reboot finishes, you will see a message like this in the AKLWEB Host console:

time correction of 3600 seconds exceeds sanity limit (1000); set clock manually to
correct UTC time.

That’s why we need to correct the clock manually. Follow these commands, first su to root:

$ su
Password:
# ntpdate 0.europe.pool.ntp.org

Now, we are going to configure the firewall. OpenBSD PF is included in the FreeBSD kernel, so you don’t have to install any packages.

With ee editor, create file /etc/firewall:

# ee /etc/firewall

Insert this: (replace any IP addresses with yours)

#######################################################################
me="vtnet0"                
table <bruteforcers> persist    
table <trusted> persist file "/etc/trusted"
icmp_types = "echoreq"          
junk_ports="{ 135,137,138,139,445,68,67,3222 }"
junk_ip="224.0.0.0/4"           

set loginterface vtnet0           
scrub on vtnet0 reassemble tcp no-df random-id

# ---- First rule obligatory "Pass all on loopback"
pass quick on lo0 all           

# ---- Block junk logs
block quick proto { tcp, udp } from any to $junk_ip 
block quick proto { tcp, udp } from any to any port $junk_ports

# ---- Second rule "Block all in and pass all out"
block in log all                
pass out all keep state         

############### FIREWALL ###############################################
# ---- Allow all traffic from my Home
pass quick proto {tcp, udp} from 1.2.3.4 to $me keep state

# ---- block SMTP out 
block quick proto tcp from $me to any port 25

# ---- Allow incoming Web traffic
pass quick proto tcp from any to $me port { 80, 443 } flags S/SA keep state

# ---- Allow my team member SSH access 
pass quick proto tcp from 1.2.3.5 to $me port ssh flags S/SA keep state

# ---- Block bruteforcers
block log quick from <bruteforcers>

# ---- Allow SSH from trusted sources, but block bruteforcers
pass quick proto tcp from <trusted> to $me port ssh \
flags S/SA keep state \
(max-src-conn 10, max-src-conn-rate 20/60, \
overload <bruteforcers> flush global)

# ---- Allow ICMP 
pass in inet proto icmp all icmp-type $icmp_types keep state
pass out inet proto icmp all icmp-type $icmp_types keep state

Create /etc/trusted file. In this file, we will put IPs that we “trust”.

# ee /etc/trusted

Add some IPs:

# Hosting
1.2.0.0/16

# My friends
1.2.4.0/24

Now some explanation. Junk ports and junk IPs are just some ports/IPs that we don’t want to see in logs. We have done this with this rule:

# ---- Block junk logs
block quick proto { tcp, udp } from any to $junk_ip 
block quick proto { tcp, udp } from any to any port $junk_ports

These are just defaults and you don’t have to worry about them:

icmp_types = "echoreq"                                            
set loginterface vtnet0           
scrub on vtnet0 reassemble tcp no-df random-id
pass quick on lo0 all
block in log all                
pass out all keep state

This rule blocks outgoing SMTP traffic from your server (which is the default on AKLWEB Host).

# ---- block SMTP out 
block quick proto tcp from $me to any port 25

Apart from the bruteforcers rule, the rest is pretty straightforward.

# ---- Allow SSH from trusted sources, but block bruteforcers
pass quick proto tcp from <trusted> to $me port ssh \
flags S/SA keep state \
(max-src-conn 10, max-src-conn-rate 20/60, \
overload <bruteforcers> flush global)

The bruteforcers rule says: allow connections from <trusted> IPs to port 22, but only 10 concurrent connections may be open from one source IP. If a source exceeds 10, block that IP and put it in the bruteforcers table. The same goes for the 20/60 rule: it means a maximum of 20 new connections in 60 seconds from one source.

Enable firewall:

# ee /etc/rc.conf

Uncomment these lines:

pf_enable="YES"
pf_rules="/etc/firewall"
pf_flags=""
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""

Reboot:

# reboot 

If you have done everything right, then you will be able to log in and the firewall will be enabled. You don’t have to reboot every time you change the /etc/firewall file. Just do:

# /etc/rc.d/pf reload

See who is trying to connect to your server in real-time:

# tcpdump -n -e -ttt -i pflog0

Show history:

# tcpdump -n -e -ttt -r /var/log/pflog

See if you have someone in bruteforcers table:

# pfctl -t bruteforcers -T show
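As an added example (not from the article), a small POSIX shell script that summarises the blocked inbound SSH attempts per source IP from the tcpdump pflog output above, so you can see who is hammering port 22 before deciding what to do about them. The log lines embedded in it are constructed to resemble tcpdump's output with the -n -e -ttt flags used above; check the field layout against your own log.

```shell
#!/bin/sh
# Added example, not part of the original article: summarise blocked inbound
# SSH attempts per source IP from "tcpdump -n -e -ttt -r /var/log/pflog".
# The sample lines below are constructed (documentation IP ranges) to resemble
# that output; the "rule N/0(match): block in on IF:" prefix comes from -e.

sample_pflog() {
    cat <<'EOF'
00:00:00.000000 rule 5/0(match): block in on vtnet0: 203.0.113.7.51234 > 192.0.2.10.22: Flags [S], seq 1, win 65535, length 0
00:00:01.200000 rule 5/0(match): block in on vtnet0: 203.0.113.7.51235 > 192.0.2.10.22: Flags [S], seq 1, win 65535, length 0
00:00:00.300000 rule 5/0(match): block in on vtnet0: 198.51.100.4.40001 > 192.0.2.10.22: Flags [S], seq 1, win 65535, length 0
00:00:02.000000 rule 5/0(match): block in on vtnet0: 203.0.113.7.51236 > 192.0.2.10.22: Flags [S], seq 1, win 65535, length 0
00:00:00.100000 rule 5/0(match): block in on vtnet0: 203.0.113.7.51237 > 192.0.2.10.8080: Flags [S], seq 1, win 65535, length 0
00:00:00.500000 rule 5/0(match): block in on vtnet0: 198.51.100.4.40002 > 192.0.2.10.22: Flags [S], seq 1, win 65535, length 0
EOF
}

# Read pflog text on stdin; print "<count> <source-ip>" for every source that
# had an inbound packet to the given port (default 22) blocked, busiest first.
# Every logged packet counts, so retransmitted SYNs inflate the numbers a bit.
blocked_by_source() {
    port=${1:-22}
    awk -v port="$port" '
        /block in on/ {
            # locate the "src.port > dst.port:" triple whatever its column
            for (i = 2; i < NF; i++) {
                if ($i == ">") {
                    src = $(i - 1); dst = $(i + 1)
                    sub(/:$/, "", dst)
                    if (match(dst, /\.[0-9]+$/) && substr(dst, RSTART + 1) == port) {
                        sub(/\.[0-9]+$/, "", src)      # drop the source port
                        count[src]++
                    }
                    break
                }
            }
        }
        END { for (ip in count) printf "%d %s\n", count[ip], ip }
    ' | sort -rn
}

# Sources at or above a threshold: the ones to inspect, or to add by hand
# to the <bruteforcers> table with "pfctl -t bruteforcers -T add <ip>".
noisy_sources() {
    threshold=${1:-3}
    blocked_by_source 22 | awk -v t="$threshold" '$1 + 0 >= t + 0 { print $2 }'
}

sample_pflog | blocked_by_source 22
```

To run it on the real log, replace sample_pflog with tcpdump -n -e -ttt -r /var/log/pflog.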

And that’s it. You have successfully set up the PF firewall on your FreeBSD server!

Nginx Reverse Proxy and Golang Setup on FreeBSD
https://support.aklwebhost.com/knowledgebase/nginx-reverse-proxy-and-golang-setup-on-freebsd/
Fri, 27 Dec 2019 06:43:45 +0000

Requirements
  • Basic knowledge of UNIX.
  • FreeBSD x64 with Nginx installed.

Install Tools

You will need several programs that are not shipped with FreeBSD. Run the following command to install them:

pkg install nano wget git mercurial bzr

Download and Install Golang

Download golang by running the following set of commands:

cd /tmp
wget https://storage.googleapis.com/golang/go1.3.3.freebsd-amd64.tar.gz
tar -C /usr/local -xzf go1.3.3.freebsd-amd64.tar.gz

Setup Environment Variables

Create a variable called GOPATH (which will be the location for installed packages) and add it to your path:

mkdir ~/.gopkg
setenv GOPATH /root/.gopkg
set path = ($path /usr/local/go/bin /root/.gopkg/bin)

If you want to have the path set at login, run the following commands to add it to your .cshrc (the single quotes keep $path from being expanded now, so it is expanded each time .cshrc is read):

echo "setenv GOPATH /root/.gopkg" >> ~/.cshrc
echo 'set path = ($path /usr/local/go/bin /root/.gopkg/bin)' >> ~/.cshrc

Verify Installation

Run go in your terminal. If you are presented with a list of options, then the installation was successful. Run the following command to install a web framework called Martini:

go get github.com/go-martini/martini

If you don’t see any errors, then you may proceed to the next step.

Setup Martini

Create a file called server.go and populate it with the following lines of code:

package main

import "github.com/go-martini/martini"

func main() {
  m := martini.Classic()
  m.Get("/", func() string {
    return "Hello from AKLWEB Host VPS :)!"
  })
  m.Run()
}

When done, save and run go run server.go. Provided that you do not see any errors on your terminal, then you can proceed to the next step.

Setup Nginx Reverse Proxy

Configure Nginx to reverse proxy to the Martini server. In /usr/local/etc/nginx/nginx.conf look for location and replace its content within the curly brackets with the following:

expires 8d;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_read_timeout 5m;
proxy_connect_timeout 5m;

proxy_cache_key sfs$request_uri$scheme;
proxy_pass http://127.0.0.1:3000;
proxy_redirect off;

Once you have added that, save and run service nginx restart (or service nginx onerestart), then run go run server.go. In your browser, enter http://0.0.0.0 (change the IP accordingly) and you will see a page that says:

Hello from AKLWEB Host VPS :)!

Congratulations, you have successfully set up an Nginx reverse proxy in front of Golang + Martini.

Setup OpenBSD
https://support.aklwebhost.com/knowledgebase/setup-openbsd/
Sat, 14 Dec 2019 19:26:39 +0000

Installing OpenBSD on an AKLWEB HOST instance is fairly straightforward, with a couple of minor caveats. These instructions were tested with OpenBSD 5.5 and 5.6, and should work with other versions.

For the most part, we will simply follow the OpenBSD installation guide at the official OpenBSD website.

The only issue you’re likely to encounter is the static route required if you choose to use AKLWEB HOST’s nameservers, or if you use DHCP. I recommend against using DHCP on custom OSes in AKLWEB HOST’s environment, simply because it requires extra configuration steps, which defeats the purpose of DHCP in my opinion.

You’ll need a browser that can run AKLWEB HOST’s noVNC console.

The steps required for OpenBSD are similar to the instructions for FreeBSD at the above link. We’ll cover the differences below.

  1. On AKLWEB HOST’s Deploy screen, choose a 64-bit AKLWEB HOST plan that meets your needs. A 64-bit plan is required for a custom OS at the time of this writing. You are free to install i386 arch OpenBSD on your 64-bit instance if you want to make more efficient use of RAM. Select “Custom” for your OS.
  2. Find the URL of the OpenBSD installation media of your choice from the mirrors listed in the official OpenBSD installation guide. Try to pick a mirror close to your datacenter. The URL should end in installXX.iso or cdXX.iso, where XX is the OpenBSD version of your choice. Use this URL in AKLWEB HOST’s Upload/Manage ISO feature, which appears when you select “Custom” OS.
  3. Spin up your VM with the “Place Order” button. Don’t worry about providing an SSH key; this is not supported for a custom OS. Select “My Servers->Manage->IPv4” and make a note of your IP address, subnet mask, and gateway. Then select “View Console”, where you should see the OpenBSD installer booting.
  4. When the installer is booted, hit Ctrl-Z or Ctrl-C to get a shell prompt. In the shell, add your static route. OpenBSD differs from FreeBSD in that you’ll use your IP address instead of the interface name. This allows you to use the AKLWEB HOST nameserver, 169.254.169.254.
    # route add -net 169.254.0.0/16 -iface <your IP address>
    
  5. Foreground the OpenBSD installer and hit Enter, or run install (or upgrade if you are upgrading an existing installation). Refer to the official OpenBSD install documentation for the rest of the installation.
  6. After the install, you will get a shell prompt. Now you will want to configure your network interface to set up the static route on boot. Edit /mnt/etc/hostname.vio0, and add the following line at the end. If you forget this step, you can edit /etc/hostname.vio0 after booting into the new system.
    !route add -net 169.254.0.0/16 -iface <your IP address>
    
  7. Reboot and enjoy.

Keep in mind that, as a security-focused project, the OpenBSD developers do not encourage virtualization. Do not allow the fact that you’re running OpenBSD to lull you into a false sense of security. That being said, an inexpensive KVM instance can be a good platform to get some experience with OpenBSD and have fun in the process. I have yet to run into problems related to virtualization in AKLWEB HOST’s environment.

Setup iRedMail on FreeBSD 10
https://support.aklwebhost.com/knowledgebase/setup-iredmail-on-freebsd-10/
Sat, 14 Dec 2019 19:07:23 +0000

This tutorial will show you how to install the groupware iRedMail on a fresh installation of FreeBSD 10.

You should use a server with at least one gigabyte of memory, preferably even two. While the software doesn’t use many resources when idling, its usage peaks very fast when under load, for example during virus scans.

Important: Please do not try to install iRedMail on a system that’s already in production. It’s designed to be installed on a fresh installation and will override other MTAs when it finds them. Please be cautious and always have backups at hand.

For the course of this tutorial, we will assume that you are working as the administrative user. If you want to use sudo instead, then you will have to append it where necessary.

First, make sure that a fully qualified domain name is set by opening /etc/rc.conf with your favorite text editor and replacing the value there with a FQDN:

hostname="mail.example.com"

Next, make sure that FQDN is the first value listed in /etc/hosts:

127.0.0.1   mail.example.com mail localhost localhost.localdomain

Verify that everything worked by issuing hostname -f. The output should be:

mail.example.com

The only dependency of iRedMail is bash-static (and wget to fetch it) which can be found in the official pkg-repositories:

pkg
pkg update -f
pkg install bash-static

Since the installation script builds everything from FreeBSD’s ports tree, you need to fetch it:

portsnap fetch extract

Due to some complications with the Apache versioning from FreeBSD 10 upwards, you need to add the following to /etc/make.conf to ensure that the installation script works:

DEFAULT_VERSIONS=apache=2.2

Download and unpack the latest version from the official homepage:

wget https://bitbucket.org/zhb/iredmail/downloads/iRedMail-0.8.7.tar.bz2
tar -xf iRedMail-0.8.7.tar.bz2

Change the permissions of the script, and run the installer:

cd iRedMail-0.8.7/
chmod 700 iRedMail.sh
./iRedMail.sh

The installation script will ask you some questions:

  • Location for the mailboxes; /var/vmail is the default and perfectly fine.
  • Backend used to store the accounts; there is no default. For a small number of users, MySQL is a good fit. If you want to integrate with, for example, an Active Directory user base, then you should choose OpenLDAP.
  • A password for the administrative MySQL user; be careful not to use special characters, as this will cause problems.
  • First virtual domain name; example.com for this tutorial.
  • A password for the administrative mail user; you should also avoid special characters here.
  • Optional components; you should at least choose iRedAdmin, phpMyAdmin and Roundcubemail for this question.

The installer will now warn you about a file with sensitive information in it, /root/iRedMail-0.8.7/config. Make sure to restrict the file permissions when the installation is finished:

chmod 600 /root/iRedMail-0.8.7/config

The installation script installs a lot of packages, and it may take some time to complete since everything is building from source.

Now you’ll be prompted with all the necessary information to use iRedMail – after a reboot:

reboot

(Don’t worry, the prompted information can be found in /root/iRedMail-0.8.7/iRedMail.tip after the reboot.)

The webmail interface can now be accessed with your web browser at:

https://mail.example.com/mail

However, since iRedMail uses a certificate that is not issued by a trusted certificate authority (CA), you will most likely get a security warning from your browser. If you would like to remove the security warning, then you will need to obtain a certificate from a trusted CA. Installing a different certificate requires both the certificate and the private key. Once uploaded to your server, these files can be copied to the proper location with the following commands:

cp /path/to/your/cert /etc/ssl/certs/iRedMail_CA.pem
cp /path/to/your/key /etc/ssl/private/iRedMail.key

Then, restart everything that uses the cert/key:

service postfix restart
service dovecot restart
service apache22 restart

And now you have an all-in-one mail solution. Happy mailing!


How to Use Sudo on Debian, CentOS, and FreeBSD
https://support.aklwebhost.com/knowledgebase/how-to-use-sudo-on-debian-centos-and-freebsd/
Sat, 14 Dec 2019 19:05:11 +0000

Using a sudo user to access a server and execute commands at root level is a very common practice among Linux and Unix systems administrators. The use of a sudo user is often coupled with disabling direct root access to the server in an effort to prevent unauthorized access.

In this tutorial, we will be covering the basic steps for disabling direct root access, creating a sudo user, and setting up the sudo group on CentOS, Debian, and FreeBSD.

Prerequisites

  • A newly installed Linux server with your preferred distribution.
  • A text editor installed on the server, whether it’s nano, vi, vim, or emacs.

Step 1: Installing sudo

Debian

apt-get install sudo -y

CentOS

yum install sudo -y

FreeBSD

cd /usr/ports/security/sudo/ && make install clean

or

pkg install sudo

Step 2: Adding the sudo user

A sudo user is a normal user account on a Linux or Unix machine.

Debian

adduser mynewusername

CentOS

adduser mynewusername

FreeBSD

adduser mynewusername

Step 3: Adding the new user to the wheel group (optional)

The wheel group is a user group which limits the number of people who are able to su to root. Adding your sudo user to the wheel group is entirely optional, but it is advisable.

Note: In Debian, the sudo group is often found instead of wheel. You can however manually add the wheel group using the groupadd command. For the purpose of this tutorial, we will use the sudo group for Debian.

The difference between wheel and sudo.

In CentOS and Debian, a user belonging to the wheel group can execute su and directly ascend to root. Meanwhile, a sudo user would have to use sudo su first. Essentially, there is no real difference except for the syntax used to become root, and users belonging to both groups can use the sudo command.

Debian

usermod -aG sudo mynewusername

CentOS

usermod -aG wheel mynewusername

FreeBSD

pw group mod wheel -m mynewusername

Step 4: Making sure your sudoers file is set up properly

It is important to ensure that the sudoers file, /etc/sudoers, is set up properly in order to allow sudo users to effectively use the sudo command. To accomplish that, we will view the contents of /etc/sudoers and edit them where applicable.

Debian

vim /etc/sudoers

or

visudo

CentOS

vim /etc/sudoers

or

visudo

FreeBSD

vim /etc/sudoers

or

visudo

Note: The visudo command will open /etc/sudoers using the system’s preferred text editor (usually vi or vim).

Start reviewing and editing below this line:

# Allow members of group sudo to execute any command

This section of /etc/sudoers often looks like this:

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

On some systems, you may find %wheel instead of %sudo; in which case, that is the line under which you would start modifying.

If the line starting with %sudo in Debian or %wheel in CentOS and FreeBSD is not commented out (that is, not prefixed by #), sudo is already set up and enabled. You can then move to the next step.

Step 5: Allowing a user that belongs to neither the wheel nor the sudo group to execute the sudo command

It is possible to allow a user that is in neither group to execute the sudo command by simply adding them to /etc/sudoers as follows:

anotherusername ALL=(ALL) ALL

Step 6: Restarting the SSHD Server

In order to apply the changes you made to /etc/sudoers, you need to restart the SSHD server as follows:

Debian

/etc/init.d/ssh restart

CentOS 6

/etc/init.d/sshd restart

CentOS 7

systemctl restart sshd.service

FreeBSD

/etc/rc.d/sshd restart

Step 7: Testing

After you have restarted the SSH server, log out and then log back in as your sudo user, then attempt to execute some testing commands as follows:

sudo uptime
sudo whoami

Any of the below commands will allow the sudo user to become root.

sudo su -
sudo -i
sudo -s

Notes:

  • The whoami command will return root when coupled with sudo.
  • You will be prompted to enter your user’s password when executing the sudo command unless you explicitly instruct the system not to prompt sudo users for their passwords. Please note that this is not a recommended practice.

Optional: allowing sudo without entering the user’s password

As previously explained, this is not a recommended practice and is included in this tutorial for demonstration purposes only.

In order to allow your sudo user to execute the sudo command without being prompted for their password, add the NOPASSWD: tag to the access line in /etc/sudoers, so that it reads as follows:

%sudo   ALL=(ALL:ALL) NOPASSWD: ALL

Note: You need to restart your SSHD server in order to apply the changes.

Step 8: Disable direct root access

Now that you have confirmed that you can use your sudo user without issues, it is time for the eighth and final step, disabling direct root access.

First, open /etc/ssh/sshd_config using your favorite text editor and find the line containing the following string. It may be prefixed with a # character.

PermitRootLogin

Regardless of the prefix or the value of the option in /etc/ssh/sshd_config, you need to change that line to the following:

PermitRootLogin no

Finally, restart your SSHD server.

Note: Do not forget to test your changes by attempting to SSH into your server as root. If you are unable to do so, this means that you have successfully completed all the necessary steps.

This concludes our tutorial.
