Updated Comprehensive VPS Setup Documentation

Building a VPS requires lots of complex steps, and these steps change over time.

The time has come to create comprehensive, consolidated documentation for how I setup these machines. Many of these steps are optional.

  1. Deploy A New VPS With Digital Ocean
  2. FQDN DNS Setup With Godaddy
  3. Recommended Initial Installations
  4. Setup Email Server
  5. Create a VirtualHost
  6. Setup Free SSL With LetsEncrypt
  7. Automate Database Backups
  8. Install Webmin

And then you are golden!

VPS Setup: Automated Database Backups

This is a subpost of the larger post Updated Comprehensive VPS Setup Documentation.


Create a new directory for the backups;

mkdir /var/backups/mysql


I added the following line to /etc/crontab in order to facilitate automatic database backups (the password flag is -p with no space before the password; the percent signs must be escaped with backslashes because cron treats a bare % as a newline);
0 22 * * * root /usr/bin/mysqldump -uroot -p[MySQL Root Password] [MySQL Database Name] | gzip > /var/backups/mysql/mysql-backup-$( date +'\%Y-\%m-\%d_\%H-\%M-\%S' ).sql.gz

VPS Setup: Install Free SSL From LetsEncrypt

This is a subpost of the larger post Updated Comprehensive VPS Setup Documentation.


LetsEncrypt allows us to set up free SSL certificates for our virtualhosts.

First, make sure you are in root's home directory (~, i.e. /root) and then clone the LetsEncrypt git repository;

git clone https://github.com/letsencrypt/letsencrypt

Enter the directory cd letsencrypt

And run the automatic script ./letsencrypt-auto --apache

It will ask which virtual hosts you want to install certificates for, and then it does all the work for you!


When you need to renew these, check out my tutorial Renewing Free LetsEncrypt SSL Certificates.

VPS Setup: Create A Virtual Host

This is a subpost of the larger post Updated Comprehensive VPS Setup Documentation.


Once you have your FQDN forwarded to the VPS, create a directory for it with;

mkdir /var/www/[fqdn]/

Now we make a new virtualhost conf file with this command. Again, substitute your fqdn;

cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/[fqdn].conf

Then edit the file with nano /etc/apache2/sites-available/[fqdn].conf

It needs to contain the following;

	ServerName [fqdn]

	ServerAdmin your_email@website.com
	DocumentRoot /var/www/[fqdn]/

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

Activate the new virtualhost with a2ensite [fqdn] and if you haven’t already done this, deactivate the default virtualhost with a2dissite 000-default.conf

Restart apache with service apache2 restart so the changes take effect.


Automated Backups

If you want to setup automated backups, create a new directory for the backups;

mkdir /var/backups/[fqdn]


Add the following line to /etc/crontab in order to facilitate automatic daily backups (note the -z flag, without which tar writes an uncompressed archive despite the .gz name);
0 22 * * * root tar -czf /var/backups/[fqdn]/www-backup-$( date +'\%Y-\%m-\%d_\%H-\%M-\%S' ).tar.gz /var/www/[fqdn]


Or if you would prefer weekly backups every Sunday night, use this instead;

0 0 * * 0 root tar -czf /var/backups/[fqdn]/www-backup-$( date +'\%Y-\%m-\%d_\%H-\%M-\%S' ).tar.gz /var/www/[fqdn]
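The two cron one-liners above (the MySQL dump in the Automated Database Backups subpost and the web-root tar here) share the same weaknesses: the MySQL root password sits on the command line, where it is visible in ps and in the world-readable /etc/crontab, and nothing ever deletes old archives. The script below is an added example, not part of the original post, that covers both backups from one file called by cron. The MySQL password is read from a 0600 defaults file, tar is told to gzip, and archives older than a retention period are pruned. The database name appdb, the FQDN www.example.com, the defaults-file path /root/.mysql-backup.cnf and the 14-day retention are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example (not the post's own cron lines): one backup script for the
# MySQL dump and the web root, to be called from /etc/crontab as
#   0 22 * * * root /usr/local/sbin/vps-backup.sh run
# Assumed (hypothetical) values below; override via the environment.
BACKUP_ROOT=${BACKUP_ROOT:-/var/backups}
DB_NAME=${DB_NAME:-appdb}
FQDN=${FQDN:-www.example.com}
RETENTION_DAYS=${RETENTION_DAYS:-14}
MYSQL_DEFAULTS=${MYSQL_DEFAULTS:-/root/.mysql-backup.cnf}

# Timestamped file name, same layout as the post's cron lines. Inside a
# script the % signs need no backslash escaping.
backup_name() {
    # $1 = directory, $2 = prefix, $3 = extension
    printf '%s/%s-%s.%s\n' "$1" "$2" "$(date +%Y-%m-%d_%H-%M-%S)" "$3"
}

# Write a MySQL client defaults file readable by its owner only, so the
# password never appears on a command line or in /etc/crontab.
write_mysql_defaults() {
    # $1 = path, $2 = user, $3 = password
    ( umask 077; printf '[client]\nuser=%s\npassword=%s\n' "$2" "$3" > "$1" )
    chmod 600 "$1"
}

# Delete archives older than RETENTION_DAYS directly under $1 matching $2.
prune_old() {
    find "$1" -maxdepth 1 -type f -name "$2" -mtime +"$RETENTION_DAYS" -print -delete
}

backup_database() {
    dir="$BACKUP_ROOT/mysql"
    mkdir -p "$dir" && chmod 700 "$dir"
    out=$(backup_name "$dir" mysql-backup sql.gz)
    # --single-transaction gives a consistent InnoDB snapshot without locking.
    # sh has no pipefail, so check that the dump actually produced data.
    mysqldump --defaults-extra-file="$MYSQL_DEFAULTS" --single-transaction "$DB_NAME" | gzip > "$out"
    [ -s "$out" ] || { echo "database backup is empty: $out" >&2; return 1; }
    prune_old "$dir" 'mysql-backup-*.sql.gz'
}

backup_webroot() {
    dir="$BACKUP_ROOT/$FQDN"
    mkdir -p "$dir" && chmod 700 "$dir"
    out=$(backup_name "$dir" www-backup tar.gz)
    # -C /var/www keeps the archive paths relative instead of absolute.
    tar -czf "$out" -C /var/www "$FQDN"
    prune_old "$dir" 'www-backup-*.tar.gz'
}

# Only run the real backups when invoked with "run", so the functions can be
# sourced and exercised on their own.
if [ "${1:-}" = "run" ]; then
    backup_database
    backup_webroot
fi
```

Create the defaults file once with write_mysql_defaults /root/.mysql-backup.cnf root '[MySQL Root Password]' (or by hand), then point the single crontab line at the script; the timestamped names and the /var/backups layout stay the same as in the post, so nothing else changes.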

VPS Setup: Email Server

This is a subpost of the larger post Updated Comprehensive VPS Setup Documentation.


Many of my apps send lots of emails, so I usually need to setup a local outbound email server.

Secure the port with iptables -A INPUT -i eth0 -p tcp --dport 25 -j REJECT

Install postfix for the server apt-get -y install postfix && apt-get -y install mailutils

Now edit the config files and change the interface to loopback-only like so;

nano /etc/postfix/main.cf

Find this line;

inet_interfaces =

And change to;

inet_interfaces = 127.0.0.1

Now edit the email aliases;

nano /etc/aliases

At the end of the file, make sure there is a line that starts with root: and ends with your email (the aliases file needs the colon between the name and its target), like so;

root: email@domain.com

Save the file and exit. Then run newaliases to let Postfix apply the changes.

Restarting Postfix is not enough because we changed the interfaces line in the config file. We need to stop and start it like so;

postfix stop
postfix start
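Since the whole point of the two edits above is that nothing outside the machine can reach Postfix, it is worth checking that they took effect rather than assuming so. The functions below are an added example, not part of the original post: they read main.cf and the aliases file and report whether inet_interfaces is loopback-only and whether root mail is forwarded anywhere. The file paths are parameters so the checks can be tried on a constructed copy first; the "live" mode and the ss invocation at the end assume the standard Debian paths /etc/postfix/main.cf and /etc/aliases.

```shell
#!/bin/sh
# Added example, not from the original post: verify the Postfix edits above.

# Return 0 if main.cf ($1) binds Postfix to the loopback interface only.
# Postfix honours the last occurrence of a repeated parameter, so take the
# last uncommented inet_interfaces line, strip the key, drop all whitespace.
postfix_loopback_only() {
    value=$(grep -E '^[[:space:]]*inet_interfaces[[:space:]]*=' "$1" \
            | tail -n 1 | sed 's/^[^=]*=[[:space:]]*//' | tr -d '[:space:]')
    case "$value" in
        loopback-only|127.0.0.1|localhost|127.0.0.1,::1) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the target of the root alias in aliases file $1 (with or without the
# colon form), or return 1 if root is not forwarded anywhere.
aliases_root_target() {
    target=$(grep -E '^root[[:space:]]*:?[[:space:]]+' "$1" | tail -n 1 \
             | sed -E 's/^root[[:space:]]*:?[[:space:]]+//')
    [ -n "$target" ] || return 1
    printf '%s\n' "$target"
}

# Live check against the real files; run as: sh postfix-check.sh live
if [ "${1:-}" = "live" ]; then
    if postfix_loopback_only /etc/postfix/main.cf; then
        echo "inet_interfaces: loopback only"
    else
        echo "WARNING: Postfix is not restricted to loopback" >&2
    fi
    if t=$(aliases_root_target /etc/aliases); then
        echo "root mail goes to: $t"
    else
        echo "WARNING: no root alias in /etc/aliases" >&2
    fi
    # After postfix stop/start, port 25 should be listening on 127.0.0.1 only.
    ss -ltn 2>/dev/null | grep -E ':25[[:space:]]' || echo "nothing listening on port 25"
fi
```

Remember that aliases_root_target reads the text file only; the aliases database Postfix actually consults is the one produced by newaliases, so run that after every edit, as the post says.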

VPS Setup: Recommended Initial Installations

This is a subpost of the larger post Updated Comprehensive VPS Setup Documentation.


When initially setting up a VPS, I generally install the programs listed below. Before installing anything, it is important to first update and upgrade all packages already installed on the server with apt-get update && apt-get upgrade

  1. First, install Fail2Ban in order to prevent brute-forcing of SSH passwords
  2. Install Apache2
  3. Install MySQL Server
  4. Install PHP and its dependencies for MySQL and PHPMyAdmin
  5. Performance Tools
    1. Screenfetch lets you see system information
    2. Htop lets you see details about resource usage
    3. Nload lets you see details about network utilization
  6. NTP makes sure the time is kept up to date
  7. Git tracks changes in files and is required for LetsEncrypt

This command will do all of these things without prompting in between;

apt-get -y install fail2ban apache2 && apt-get -y install mysql-server && apt-get -y install php5 php-pear php5-mysql && apt-get -y install php5-mcrypt && php5enmod mcrypt && a2enmod rewrite && apt-get -y install php5-curl && service apache2 restart && mysql_secure_installation && apt-get -y install phpmyadmin && apt-get -y install screenfetch htop nload curl git ntp

You will be prompted to create a MySQL root password. PHPMyAdmin setup will ask you for this password, as will the MySQL Secure Installation tool.

VPS Setup: FQDN DNS Setup With GoDaddy

This is a subpost of the larger post Updated Comprehensive VPS Setup Documentation.


Once you have a VPS deployed and know its static IP, you can forward an FQDN to it by creating a new A Record. I use GoDaddy for my DNS registration because they are simple, reliable, and quick.

  1. In order to do this with GoDaddy, log into your account
  2. Next to “Domains” click on “Manage”
  3. Click on the domain you want to forward. If you want to forward a subdomain, click on the domain it will be a subdomain of
  4. Click over to the “DNS ZONE FILE” tab
  • If you are trying to forward a subdomain
    1. Click “Add Record”
    2. We want to create an “A Record”
    3. Use the subdomain as the hostname and then the static IP of the server as the “POINTS TO”
    4. Save changes
  • If you are trying to forward a domain
    1. Edit the record for the “@” host and point it to the static IP following the same directions as above.
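Before moving on to the virtual host and LetsEncrypt steps, it is worth confirming that the new A record is actually visible from the server, since LetsEncrypt's validation depends on it and DNS changes can take a while to propagate. The script below is an added example, not part of the original post: it resolves the name through the system resolver and compares the result with the droplet's IP, retrying for a while if the record has not propagated yet. The hostname and IP used in the usage line are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that the A record created
# at GoDaddy resolves to the droplet's static IP.
# Usage: sh check-dns.sh www.example.com 203.0.113.10   (hypothetical values)

# Resolve $1 to its IPv4 address(es) with the libc resolver. Kept as its own
# function so it can be replaced by a stub when exercising the logic offline.
resolve_a() {
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# Return 0 if every A record for $1 equals the expected IP $2.
verify_a_record() {
    addrs=$(resolve_a "$1")
    if [ -z "$addrs" ]; then
        echo "$1: no A record found (propagation may still be pending)" >&2
        return 1
    fi
    for a in $addrs; do
        if [ "$a" != "$2" ]; then
            echo "$1: resolves to $a, expected $2" >&2
            return 1
        fi
    done
    echo "$1 -> $2 OK"
}

# Retry until the record matches or the attempts run out.
# $3 = attempts (default 10), $4 = seconds between attempts (default 30).
wait_for_a_record() {
    attempts=${3:-10}
    delay=${4:-30}
    while [ "$attempts" -gt 0 ]; do
        if verify_a_record "$1" "$2" 2>/dev/null; then
            return 0
        fi
        attempts=$((attempts - 1))
        if [ "$attempts" -gt 0 ]; then
            sleep "$delay"
        fi
    done
    echo "$1 did not resolve to $2 in time" >&2
    return 1
}

if [ $# -eq 2 ]; then
    wait_for_a_record "$1" "$2"
fi
```

The check deliberately fails when the name returns several addresses and any of them differs from the expected IP: a leftover record from a previous server is exactly the situation that makes the later certificate step fail in confusing ways.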

VPS Setup: Deploying A New Virtual Private Server With Digital Ocean

This is a subpost of the larger post Updated Comprehensive VPS Setup Documentation.


I like Digital Ocean (Referral Link) for my VPS host.

The first step in creating a new VPS is to select a Linux distribution. I always use the most current version of Debian. At the time of this post, that is version 8.3 x64.

Decide on an FQDN and use it as the hostname and hit deploy!

It should take about a minute and then you will receive an email with the temporary root password. Use PuTTY to log in, and you will be prompted to change it.

Make sure to choose a root password with a high level of entropy.

Building a Jabber/XMPP Server With OpenFire and Debian

I wanted to create a new chat server for my company for two reasons. For one, we want any confidential information to stay as in-house as possible. And two, we wanted web access because lots of our employees move around between different offices and they don’t want to have to install chat programs every day.

We had previously been using OpenFire hosted on a local baremetal machine which did not have a CA signed cert. This meant we could not use OpenFire’s web access tool in order to access the chat tool because it did not support self-signed certs. Trillian could be talked into supporting self-signed certs, but a more elegant solution was called for.

I decided to create a new jabber/xmpp VPS with DigitalOcean (Referral Link) and install OpenFire and SparkWeb.

  1. Step one was creating a new VPS or “Droplet” with DigitalOcean (Referral Link) I chose Debian x64 for the OS and used my new FQDN for the hostname.
  2. I created a new DNS “A Record” with our hosting provider to forward my new FQDN to this new server’s IP.
  3. Install all the initial stuff. This should be self-explanatory: apt-get -y update && apt-get -y upgrade && apt-get -y install default-jre fail2ban apache2 && apt-get -y install mysql-server && apt-get -y install php5 php-pear php5-mysql && apt-get -y install php5-mcrypt && php5enmod mcrypt && a2enmod rewrite && apt-get -y install php5-curl phpmyadmin screenfetch htop nload curl git ntp && service apache2 restart && mysql_secure_installation
  4. Navigate to the downloads page http://www.igniterealtime.org/downloads/index.jsp and find the path to the Debian installer file of the current version
    1. Get the installer with wget -O openfire_installer.deb [LINK], replacing [LINK] with the link from the page in the previous step
    2. In my case, it was wget -O openfire_installer.deb http://www.igniterealtime.org/downloadServlet?filename=openfire/openfire_4.0.1_all.deb
  5. Install OpenFire with dpkg --install openfire_installer.deb
  6. Block insecure access to the OpenFire admin console with iptables -A INPUT -i eth0 -p tcp --dport 9090 -j REJECT
  7. Install LetsEncrypt for free SSL:
    1. Now that OpenFire is configured, navigate to the root user’s home directory and clone letsencrypt with git clone https://github.com/letsencrypt/letsencrypt
    2. Enter the directory cd letsencrypt
    3. And run the automatic script ./letsencrypt-auto --apache
    4. It will ask which virtual hosts you want to install certificates for, and then it does all the work for you!
  8. Navigate to https://[FQDN]:9091 and complete the configuration


UPDATE 2016-07-31

We have officially migrated to Slack as a company. This provides compliance with all the various requirements of our many managed services clients. At long last, this service has been outsourced to a competent partner, and it is one less thing we need to worry about!

Nevertheless, this guide will show you how to create a simple, free alternative with Jabber/XMPP.

Virtualizing An Application Server

Another department at Tech 2U performs diagnostics on lots of computers. They use a proprietary tool that they built which deploys diagnostic tools on customers’ computers during tech support services.

This tool was built years ago by someone who no longer works here. He used a baremetal Apache server to host the tools. This server crashed, crippling the tool and everyone who relied on it.

I decided to move the tools to a new cloud VPS.

I created a new Droplet on Digital Ocean (Referral Code) for $5/month.

I chose Debian 8 amd64 for the OS and set a hostname of the new fqdn.

Once I created the droplet, I pulled its IP and created a new DNS A-Record on our main domain account to forward that hostname to the new VPS.


Now the VPS was finished building so I ran apt-get -y update && apt-get -y upgrade to update any packages that have changed since Digital Ocean built their image for this type of server.

apt-get -y install fail2ban apache2 && a2enmod rewrite && service apache2 restart && apt-get -y install screenfetch htop nload curl git ntp

Now I make a new folder for the virtualhost with mkdir /var/www/[fqdn]

Now we make a new virtualhost conf file with this command. Again, substitute your fqdn;

cp /etc/apache2/sites-available/000-default.conf /etc/apache2/sites-available/[fqdn].conf

Then edit the file with nano /etc/apache2/sites-available/[fqdn].conf

It needs to contain the following;

	ServerName [fqdn]

	ServerAdmin your_email@website.com
	DocumentRoot /var/www/[fqdn]/

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

I also created another virtualhost to serve the /var/www directory. This virtualhost will be secured with a directory password and contain some diagnostic and performance monitoring tools.

Now I disable the default VirtualHost with a2dissite 000-default

Then enable my new virtualhosts with a2ensite [fqdn]

And restart Apache with service apache2 restart

BitTorrent Sync

If you’re not already familiar with BitTorrent Sync, it is a free, secure option for synchronizing directory structures in real time. I use it to synchronize the app between different web servers. Any changes are immediately propagated everywhere. This is also the vehicle for delivering updates to the server from the people who manage it.

This command will download the script to install version 1.4 of BitTorrent sync. Note that this is not the most recent version, as the new version is very limited in features and requires much more resources to run.
sh -c "$(curl -fsSL http://debian.yeasoft.net/add-btsync14-repository.sh)"

Then, run this command to install BitTorrent Sync
apt-get update && apt-get install btsync
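The sh -c "$(curl ...)" pattern above runs whatever the server returns, over plain HTTP, without anyone looking at it first. The script below is an added example, not part of the original post: it downloads the repository script to a file, checks it against a SHA-256 you recorded when you first reviewed it, and only then runs it, leaving the file in place for inspection on a mismatch. The URL is the one from the post; the hash is a placeholder that you must replace with the value you computed yourself after reading the script.

```shell
#!/bin/sh
# Added example, not from the original post: download, verify, then run.
REPO_SCRIPT_URL="http://debian.yeasoft.net/add-btsync14-repository.sh"
REPO_SCRIPT_SHA256="REPLACE_WITH_SHA256_YOU_RECORDED"   # placeholder, not a real hash

# Print the SHA-256 of file $1.
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# Return 0 if file $1 hashes to $2 (hex compared case-insensitively).
verify_sha256() {
    actual=$(sha256_of "$1")
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# Download $1 to $2: fail on HTTP errors, bounded time, no partial file left
# behind on failure.
fetch_script() {
    part="$2.part"
    if curl -fsSL --max-time 60 -o "$part" "$1"; then
        mv "$part" "$2"
    else
        rm -f "$part"
        return 1
    fi
}

# Download $1, verify against $2, and run with sh only if the hash matches.
fetch_verify_run() {
    url=$1
    expected=$2
    dest=${3:-./$(basename "$url")}
    if ! fetch_script "$url" "$dest"; then
        echo "download failed: $url" >&2
        return 1
    fi
    if verify_sha256 "$dest" "$expected"; then
        sh "$dest"
    else
        echo "hash mismatch for $dest: got $(sha256_of "$dest"), expected $expected" >&2
        echo "script left in place for review; not executed" >&2
        return 1
    fi
}

if [ "${1:-}" = "run" ]; then
    fetch_verify_run "$REPO_SCRIPT_URL" "$REPO_SCRIPT_SHA256"
fi
```

To record the hash the first time, fetch the script with fetch_script, read it, and store the output of sha256_of in REPO_SCRIPT_SHA256; from then on a changed script (whether updated upstream or altered in transit over HTTP) stops the install instead of silently running.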

Now we need to clean up any permissions and ownership issues with the following commands;

chmod 775 /var/www/ -R
chown www-data:www-data /var/www/ -R
chown www-data:btsync /var/www/f2.tech2u.com -R

Then we configure btsync to synchronize the app’s folder, and it does the work of importing the app.

Now I simply add the old BitTorrent key to the correct directory and then all the files copy over!


Eureka!

[Screenshot: screenfetch output on the new VPS]