Freedom, Community & Sustainability

2 - Installing additional services (FTP, mail, phpmyadmin, SSL)

October 25, 2014 -- William
Last modified on October 2016
Duration: +- 30 minutes

These "additional services" are probably the ones you know best. I've separated them from the installation because they are optional and you can skip one or all of them. My bet is that you will want to enable all of them.

Install FTP

To install your FTP server just type:

apt-get install vsftpd

Now you can access your server with an FTP client like FileZilla using the credentials root@[your IP address]. Since we haven't yet configured your server to be accessible from outside your local network, I'll assume that both your server and the computer you are using to access it via FTP are on the same network. To get the IP address of your server, type "hostname -I" on your server and note the address that is displayed. Note that to access your server from the Internet (outside your local network) the IP address will be different! We'll see this later on.

Install mail

Regarding mail, you can either run a fully capable mail server (exim, postfix) or just enable your site to send you mail notifications (sendmail). We will go for the latter since it's enough for our purpose and much simpler to deal with.

apt-get install sendmail

Warning: some ISPs block the standard mail port 25. In that case sendmail will not work. We will talk about ports when dealing with your router.

Install phpMyAdmin

phpMyAdmin provides a web interface for your database. It is a tool to view, search, modify, export... your databases. It's probably a good idea to install it in order to get familiar with databases; it will make your life easier. Once you are comfortable dealing with databases you can eventually do everything from the command line (but that goes beyond the scope of this tutorial, see GNU/Linux command-line tutorial). One thing to keep in mind is that phpMyAdmin could expose vulnerabilities if not configured correctly. Not installing it is the best way to prevent exploits. If you prefer, you can use it to configure your databases and then uninstall it once you have finished. One last thing: during installation you will be prompted to install a database. Don't let phpMyAdmin install a database; we have already done that.

apt-get install phpmyadmin

Securing phpMyAdmin

Since I'm telling you to install phpMyAdmin, I feel responsible for also explaining how to secure it. To prevent misuse of phpMyAdmin we are going to do two things: the first is to allow access only from certain IP addresses, the second is to force the use of encryption through https.

To restrict the access to phpMyAdmin we are going to create a custom configuration file that will apply only to the folder where phpmyadmin is located. So navigate to the folder where it is installed, create a file called .htaccess and enter the access rules as shown below:

cd /var/www/html/phpmyadmin
touch .htaccess
sudo nano .htaccess

# Deny everyone except the address listed below
order allow,deny
allow from [your IP address]

Then save and exit the text editor.

Now we are going to force the use of encrypted connections, because you will be typing your database credentials into phpMyAdmin and you don't want anyone to learn them. Open the configuration file, which should be located at /etc/phpmyadmin/config.inc.php. Under Server configuration add the following line:

$cfg['ForceSSL'] = true;

This is great: access to phpMyAdmin is now restricted and set to require https. The problem is that we haven't yet configured encryption on our server, so let's do it!

Create a "fake" certificate for encrypted connections (https)

When connecting securely using https, a certificate is required to prove the identity of the server. These certificates are quite expensive and technically useless. We will create our own self-signed certificate instead and use it for the time being. Your browser will complain when connecting to the server, saying that the connection is untrusted but hey, it's your server!

Warning: some ISPs block the standard ssl port 443. If this is the case you won't be able to access your server through https outside of your local network. We will talk about ways to circumvent this.

1 - Create a certificate and key

mkdir /etc/apache2/ssl

/usr/sbin/make-ssl-cert /usr/share/ssl-cert/ssleay.cnf /etc/apache2/ssl/apache.crt

cd /etc/apache2/ssl

cp apache.crt apache.pem

cp apache.crt apache.key

Now you have two files containing exactly the same information, apache.pem and apache.key. You need to remove the unnecessary information from each file. The apache.pem file should only contain the certificate (-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----). The apache.key file should only contain the key (-----BEGIN PRIVATE KEY----- ... -----END PRIVATE KEY-----).

To finish this up, protect your key by changing the permissions on the file:

chmod 600 /etc/apache2/ssl/apache.key
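
As an added example (not part of the original tutorial), the hand-editing of apache.pem and apache.key described above can be done by a small shell function that splits the combined file and creates the key with owner-only permissions from the start. The names split_pem and make_sample are hypothetical, and the sample file contents are constructed placeholders, not real key material.

```sh
#!/bin/sh
# split_pem COMBINED CERT_OUT KEY_OUT  (hypothetical helper, not from the tutorial)
# Splits a file holding both a certificate and a private key into a
# certificate-only file and a key-only file.
split_pem() {
    combined=$1; cert_out=$2; key_out=$3

    # Create the outputs with owner-only permissions from the start, so the
    # key is never readable by other users while waiting for a later chmod.
    old_umask=$(umask)
    umask 077

    # Keep only the lines between the certificate markers (inclusive).
    awk '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/' \
        "$combined" > "$cert_out"
    # Keep only the key block; some OpenSSL versions write "RSA PRIVATE KEY".
    awk '/^-----BEGIN [A-Z ]*PRIVATE KEY-----/,/^-----END [A-Z ]*PRIVATE KEY-----/' \
        "$combined" > "$key_out"

    umask "$old_umask"

    # Fail if either block was missing from the input.
    [ -s "$cert_out" ] && [ -s "$key_out" ] || return 1
    # The certificate is public information; only the key must stay at 600.
    chmod 644 "$cert_out"
}

# Constructed sample input: the bodies are placeholders, not real key material.
make_sample() {
    cat > "$1" <<'EOF'
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQtS0VZ
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtQ0VSVA==
-----END CERTIFICATE-----
EOF
}

# Demonstration in a scratch directory, using the tutorial's file names.
tmp=$(mktemp -d)
make_sample "$tmp/apache.crt"
split_pem "$tmp/apache.crt" "$tmp/apache.pem" "$tmp/apache.key" && ls -l "$tmp"
rm -rf "$tmp"
```

On the server the call would be split_pem apache.crt apache.pem apache.key inside /etc/apache2/ssl. The original apache.crt still contains the private key afterwards, so delete it or restrict its permissions as well.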

2 - Tell Apache you created a certificate

What we need now is to inform Apache that these files are our certificate. Open the file /etc/apache2/sites-enabled/default-ssl and replace or add the following lines:

SSLCertificateFile /etc/apache2/ssl/apache.pem
SSLCertificateKeyFile /etc/apache2/ssl/apache.key

3 - Activate Apache SSL configuration

The last thing is to enable the configuration we modified in step two and restart the server for it to take effect.

a2ensite default-ssl
service apache2 restart

Now you can access your sites using a secure connection through https. But wait, we don't have any sites yet! Let's do that now on the next page.
