Debian 10 server installation guide - ISPConfig
Complete Debian 10 server installation with ISPConfig, following the HowToForge guide
1. Provisioning and infrastructure
1.1 Server configuration
Dedibox configuration:
- System: Debian buster (10)
- Type: Pro-5-S-LE
- Name: sd-154040
- Partitions: remove /data and put everything on / (simpler for managing disk space)
1.2 External DNS configuration
DNS A: sd-154040.montaigu.io / 51.159.31.243
DNS AAAA: sd-154040.montaigu.io / 2001:0bc8:6005:001b:aa1e:84ff:fe96:92bc
Reverse DNS changes:
Old:
- IPv4 : 51-159-31-243.rev.poneytelecom.eu.
- IPv6 : 2001:0bc8:6005:001b:aa1e:84ff:fe96:92bc.rev.poneytelecom.eu.
New:
- IPv4 : sd-154040.montaigu.io.
- IPv6 : sd-154040.montaigu.io.
2. Base system configuration
2.1 Initial update
apt-get update
apt-get upgrade -y
# Reboot required after this step
2.2 Hostname and hosts configuration
nano /etc/hosts
127.0.0.1 localhost.localdomain localhost
51.159.31.243 sd-154040.montaigu.io sd-154040
# IPv6
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
2001:0bc8:6005:001b:aa1e:84ff:fe96:92bc sd-154040.montaigu.io
Check:
hostname -f
# sd-154040.montaigu.io
2.3 APT sources configuration
nano /etc/apt/sources.list
deb http://mirrors.online.net/debian buster main non-free contrib
deb-src http://mirrors.online.net/debian buster main non-free contrib
deb http://security.debian.org/debian-security buster/updates main contrib non-free
deb-src http://security.debian.org/debian-security buster/updates main contrib non-free
apt-get update
apt-get upgrade
2.4 Shell and time synchronisation configuration
# Change the default shell
dpkg-reconfigure dash
# Synchronise the system clock
apt-get -y install ntp
3. Basic hardening
3.1 SSH hardening
References:
- https://community.jaguar-network.com/securiser-son-serveur-ssh/
- https://community.jaguar-network.com/mettre-en-place-une-authentification-par-cle-ssh/
nano /etc/ssh/sshd_config
SSH configuration:
Port 22022
X11Forwarding no
MaxAuthTries 3
PermitRootLogin no
UsePAM yes
AllowUsers amontaigu
PubkeyAuthentication yes
PasswordAuthentication no
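Before restarting sshd on these settings, it is worth checking that the file really yields them: sshd honours the first occurrence of each keyword, so a leftover "PasswordAuthentication yes" higher up in the file silently wins over the hardened line. The script below is an added example, not part of the original guide; its function names and the constructed sample configuration are assumptions of the example, while the expected values are the ones listed above.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit an sshd_config against the
# values section 3.1 sets. sshd honours the FIRST occurrence of a keyword, so a
# hardened "PasswordAuthentication no" appended below an earlier "yes" is ignored;
# the parser below applies the same rule. On the live host, prefer auditing the
# effective configuration:  sshd -T > /tmp/sshd.effective && audit_sshd_config /tmp/sshd.effective

# Keyword/value pairs the guide expects, keywords lower-cased as sshd -T prints them.
expected_sshd() {
  cat <<'EOF'
port 22022
x11forwarding no
maxauthtries 3
permitrootlogin no
usepam yes
allowusers amontaigu
pubkeyauthentication yes
passwordauthentication no
EOF
}

# Print "keyword value" for the first effective occurrence of each keyword.
# Comments, blank lines and everything inside Match blocks are skipped.
effective_sshd() {
  awk '
    /^[[:space:]]*#/       { next }
    NF == 0                { next }
    tolower($1) == "match" { inmatch = 1; next }
    inmatch                { next }
    {
      key = tolower($1)
      sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")   # drop the keyword
      sub(/[[:space:]]+$/, "")                             # and trailing blanks
      if (!(key in seen)) { seen[key] = 1; print key, $0 }
    }' "$1"
}

# Return 0 when every expected directive is present with the expected value,
# 1 otherwise; each missing or differing directive is reported on stdout.
audit_sshd_config() {
  eff="${TMPDIR:-/tmp}/sshd_eff.$$"
  exp="${TMPDIR:-/tmp}/sshd_exp.$$"
  effective_sshd "$1" > "$eff"
  expected_sshd > "$exp"
  rc=0
  while read -r key want; do
    have=$(awk -v k="$key" '$1 == k { sub(/^[^ ]+ ?/, ""); print; exit }' "$eff")
    if [ -z "$have" ]; then
      echo "MISSING  $key: not set, sshd default applies (expected '$want')"; rc=1
    elif [ "$have" != "$want" ]; then
      echo "MISMATCH $key: '$have' (expected '$want')"; rc=1
    fi
  done < "$exp"
  rm -f "$eff" "$exp"
  return $rc
}

# Constructed sample config (not a real host's). With $2 = "stray" it carries an
# early "PasswordAuthentication yes" of the kind a provider image leaves behind.
write_sample_sshd_config() {
  {
    echo "# constructed sample sshd_config"
    [ "$2" = "stray" ] && echo "PasswordAuthentication yes"
    cat <<'EOF'
Port 22022
X11Forwarding no
MaxAuthTries 3
PermitRootLogin no
UsePAM yes
AllowUsers amontaigu
PubkeyAuthentication yes
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
  } > "$1"
}
```

The Match block in the sample is deliberately ignored by the audit, which is also how sshd -T prints the global values; audit Match-scoped settings separately if you use them.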
systemctl restart sshd
3.2 Fail2ban installation
apt-get install fail2ban
nano /etc/fail2ban/jail.local
[pure-ftpd]
enabled = true
port = ftp
filter = pure-ftpd
logpath = /var/log/syslog
maxretry = 3
[dovecot]
enabled = true
filter = dovecot
logpath = /var/log/mail.log
maxretry = 5
[postfix-sasl]
enabled = true
port = smtp
filter = postfix[mode=auth]
logpath = /var/log/mail.log
maxretry = 3
systemctl restart fail2ban
3.3 rkhunter and UFW installation
apt-get -y install rkhunter
apt-get install ufw
rkhunter configuration:
MIRRORS_MODE=1 → MIRRORS_MODE=0
UPDATE_MIRRORS=0 → UPDATE_MIRRORS=1
WEB_CMD="/bin/false" → WEB_CMD=""
4. Database installation
4.1 MariaDB installation
apt-get -y install mariadb-client mariadb-server
mysql_secure_installation
4.2 MariaDB configuration
nano /etc/mysql/mariadb.conf.d/50-server.cnf
Comment out:
#bind-address = 127.0.0.1
echo "update mysql.user set plugin = 'mysql_native_password' where user='root';" | mysql -u root
4.3 System limits configuration
nano /etc/mysql/debian.cnf
[client]
host = localhost
user = root
password = howtoforge
socket = /var/run/mysqld/mysqld.sock
[mysql_upgrade]
host = localhost
user = root
password = howtoforge
socket = /var/run/mysqld/mysqld.sock
basedir = /usr
nano /etc/security/limits.conf
mysql soft nofile 65535
mysql hard nofile 65535
mkdir -p /etc/systemd/system/mysql.service.d/
nano /etc/systemd/system/mysql.service.d/limits.conf
[Service]
LimitNOFILE=infinity
systemctl daemon-reload
systemctl restart mariadb
netstat -tap | grep mysql
5. Web server and PHP installation
5.1 Apache installation
apt install apache2 apache2-doc apache2-utils apache2-suexec-pristine
apt install libruby libapache2-mod-python mcrypt imagemagick memcached
apt install libapache2-mod-passenger libapache2-mod-fcgid
5.2 Base PHP installation
apt install libapache2-mod-php
apt install php8.3-fpm php8.3-common php8.3-gd php8.3-mysql php8.3-imap php8.3-cli php8.3-cgi php8.3-curl php8.3-intl php8.3-pspell php8.3-sqlite3 php8.3-tidy php8.3-xmlrpc php8.3-xsl php8.3-memcache php8.3-memcached php8.3-imagick php8.3-zip php8.3-mbstring php8.3-soap php8.3-fpm php8.3-opcache php8.3-apcu
apt install php-gettext php-pear
5.3 Enabling Apache modules
a2enmod suexec rewrite ssl actions include dav_fs dav auth_digest cgi headers actions proxy_fcgi alias
5.4 HTTPoxy configuration
nano /etc/apache2/conf-available/httpoxy.conf
<IfModule mod_headers.c>
RequestHeader unset Proxy early
</IfModule>
a2enconf httpoxy
systemctl restart apache2
5.5 Let's Encrypt installation
curl https://get.acme.sh | sh -s
6. Mail configuration
6.1 Mail components installation
apt-get -y install postfix postfix-mysql postfix-doc openssl getmail4
apt-get -y install dovecot-imapd dovecot-pop3d dovecot-mysql dovecot-sieve dovecot-lmtpd
apt-get -y install binutils sudo curl
6.2 Postfix configuration
nano /etc/postfix/master.cf
Submission and smtps configuration:
submission inet n - - - - smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=$mua_client_restrictions
smtps inet n - - - - smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
systemctl restart postfix
6.3 Anti-spam installation and configuration
apt-get install amavisd-new spamassassin clamav clamav-daemon unzip bzip2 arj nomarch lzop cabextract p7zip p7zip-full unrar lrzip apt-listchanges libnet-ldap-perl libauthen-sasl-perl clamav-docs daemon libio-string-perl libio-socket-ssl-perl libnet-ident-perl zip libnet-dns-perl libdbd-mysql-perl postgrey
systemctl stop spamassassin
systemctl disable spamassassin
6.4 Mailman installation
apt-get install mailman
newlist mailman
Alias configuration:
nano /etc/aliases
## mailman mailing list
mailman: "|/var/lib/mailman/mail/mailman post mailman"
mailman-admin: "|/var/lib/mailman/mail/mailman admin mailman"
mailman-bounces: "|/var/lib/mailman/mail/mailman bounces mailman"
mailman-confirm: "|/var/lib/mailman/mail/mailman confirm mailman"
mailman-join: "|/var/lib/mailman/mail/mailman join mailman"
mailman-leave: "|/var/lib/mailman/mail/mailman leave mailman"
mailman-owner: "|/var/lib/mailman/mail/mailman owner mailman"
mailman-request: "|/var/lib/mailman/mail/mailman request mailman"
mailman-subscribe: "|/var/lib/mailman/mail/mailman subscribe mailman"
mailman-unsubscribe: "|/var/lib/mailman/mail/mailman unsubscribe mailman"
newaliases
systemctl restart postfix
ln -s /etc/mailman/apache.conf /etc/apache2/conf-enabled/mailman.conf
systemctl restart apache2
systemctl restart mailman
6.5 PureFTPd and quota installation
apt-get install pure-ftpd-common pure-ftpd-mysql quota quotatool
openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 2048
PureFTPd configuration
nano /etc/default/pure-ftpd-common
STANDALONE_OR_INETD=standalone
VIRTUALCHROOT=true
FTP TLS configuration
echo 1 > /etc/pure-ftpd/conf/TLS
mkdir -p /etc/ssl/private/
openssl req -x509 -nodes -days 7300 -newkey rsa:2048 -keyout /etc/ssl/private/pure-ftpd.pem -out /etc/ssl/private/pure-ftpd.pem
Certificate:
- Country: FR, State: France, City: Paris
- Organization: Montaigu
- Common Name: sd-154040.montaigu.io
- Email: alban@montaigu.net
chmod 600 /etc/ssl/private/pure-ftpd.pem
systemctl restart pure-ftpd-mysql
Quota configuration
nano /etc/fstab
# Add usrjquota=quota.user,grpjquota=quota.group,jqfmt=vfsv0 to the mount options of /
mount -o remount /
quotacheck -avugm
quotaon -avug
6.6 BIND DNS installation
apt-get install bind9 dnsutils
apt-get install haveged
6.7 Statistics tools installation
apt-get install webalizer awstats geoip-database libclass-dbi-mysql-perl libtimedate-perl
AWStats configuration
nano /etc/cron.d/awstats
# Comment out the default cron jobs
GoAccess installation
echo "deb https://deb.goaccess.io/ $(lsb_release -cs) main" | sudo tee -a /etc/apt/sources.list.d/goaccess.list
wget -O - https://deb.goaccess.io/gnugpg.key | sudo apt-key --keyring /etc/apt/trusted.gpg.d/goaccess.gpg add -
apt-get update
apt-get install goaccess
7. ISPConfig installation
Main reference: https://www.howtoforge.com/perfect-server-debian-10-buster-apache-bind-dovecot-ispconfig-3-1/
7.1 Download and installation
cd /tmp
wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
tar xfz ISPConfig-3-stable.tar.gz
cd ispconfig3_install/install/
php -q install.php
Information for the ISPConfig SSL certificate:
- Country: FR
- State: France
- City: Paris
- Organization: Montaigu
- Common Name: sd-154040.montaigu.io
- Email: alban@montaigu.net
7.2 ISPConfig VirtualHost configuration
nano /etc/apache2/sites-enabled/000-ispconfig.vhost
Change it to use port 443 instead of 8080:
<VirtualHost *:443>
ServerName sd-154040.montaigu.io
ServerAlias www.sd-154040.montaigu.io
# ... rest of configuration
7.3 Apache 2FA configuration
References:
- https://www.sidorenko.io/post/2012/01/using-one-time-password-with-apache/
- https://github.com/archiecobbs/mod-authn-otp/wiki/Configuration
mkdir otp
chown www-data:www-data otp
chown www-data:www-data users.otp
VirtualHost configuration with 2FA:
<VirtualHost _default_:443>
ServerName sd-154040.montaigu.io
ServerAlias www.sd-154040.montaigu.io
ServerAdmin webmaster@localhost
Alias /mail /var/www/ispconfig/mail
RewriteEngine On
RewriteCond %{HTTP_HOST} "!^sd-154040\.montaigu\.io" [NC]
RewriteRule ^/(.*) https://alban.montaigu.io [L,NE,R=301]
<Location "/">
AuthType basic
AuthName "My Protected Area"
AuthBasicProvider OTP
OTPAuthUsersFile "/etc/apache2/users.otp"
OTPAuthMaxLinger 3600
Require valid-user
</Location>
</VirtualHost>
8. Advanced ISPConfig configuration
8.1 Multi-version PHP installation
Note: ISPConfig supports several PHP versions side by side.
Adding the SURY PHP repository
apt -y install lsb-release apt-transport-https ca-certificates
wget -O /etc/apt/trusted.gpg.d/php.gpg https://packages.sury.org/php/apt.gpg
echo "deb https://packages.sury.org/php/ $(lsb_release -sc) main" | tee /etc/apt/sources.list.d/php.list
apt update
PHP 7.4 installation
apt -y install php7.4
apt-get -y install php7.4-common php7.4-gd php7.4-mysql php7.4-imap php7.4-cli php7.4-cgi php7.4-curl php7.4-intl php7.4-pspell php7.4-sqlite3 php7.4-tidy php7.4-xmlrpc php7.4-xsl php7.4-zip php7.4-mbstring php7.4-soap php7.4-fpm php7.4-opcache
a2enmod proxy_fcgi setenvif
a2enconf php7.4-fpm
PHP 8.0 installation
apt -y install php8.0
apt-get -y install php8.0-common php8.0-gd php8.0-mysql php8.0-imap php8.0-cli php8.0-cgi php8.0-curl php8.0-intl php8.0-pspell php8.0-sqlite3 php8.0-tidy php8.0-xmlrpc php8.0-xsl php8.0-zip php8.0-mbstring php8.0-soap php8.0-fpm php8.0-opcache
PHP 8.1 and 8.3 installation
apt-get install php8.1-bcmath php8.1-gmp php8.1-imagick
apt-get install php8.3-bcmath php8.3-gmp php8.3-imagick
Additional PHP extensions
# Memcache
apt-get install php7.4-memcache php7.4-memcached php8.0-memcache php8.0-memcached php8.3-memcache
# APCu
apt-get install php7.4-apcu php7.4-apcu-bc php-apcu php-apcu-bc
# ImageMagick
apt-get install -y php7.4-imagick php8.0-imagick
# Redis
apt-get -y install php8.1-redis
PHP configuration
In every php.ini:
date.timezone = "Europe/Paris"
post_max_size = 50M
upload_max_filesize = 50M
memory_limit = 512M
APCu CLI configuration:
nano /etc/php/*/cli/conf.d/20-apcu.ini
# Add: apc.enable_cli = 1
Restarting the services
service php7.4-fpm restart
service php8.0-fpm restart
service php8.1-fpm restart
service php8.3-fpm restart
8.2 Configuring the PHP versions in ISPConfig
In ISPConfig: System > Additional PHP Versions
PHP 7.4:
- Path to PHP FastCGI binary: php-cgi7.4
- Path to php.ini directory: /etc/php/7.4/cgi/php.ini
- Path to PHP-FPM init script: php7.4-fpm
- Path to php.ini directory: /etc/php/7.4/fpm/php.ini
- Path to PHP-FPM pool directory: /etc/php/7.4/fpm/pool.d
PHP 8.0, 8.1, 8.3: same scheme with the corresponding version numbers.
8.3 Configuring clients and sites in ISPConfig
Additions in ISPConfig
- Add the client amontaigu
- Add the websites (montaigu.io, etc.)
- Add the database users
- Add the databases
- Add the FTP accounts
- Add the user shells
Default landing page
nano /var/www/html/index.html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>montaigu.io</title>
</head>
<body style="background-color: #303030;">
<div style="position: relative; height: 400px;">
<div style="margin: 0; position: absolute; top: 50%; left: 50%; -ms-transform: translate(-50%, -50%); transform: translate(-50%, -50%);">
<h1 style="color: #FFFFFF">montaigu.io</h1>
</div>
</div>
</body>
</html>
9. Additional system services
9.1 Composer and Node.js installation
Composer installation
apt install curl git unzip
cd ~
wget https://getcomposer.org/installer
mv installer composer-setup.php
php composer-setup.php --install-dir=/usr/local/bin --filename=composer
Node.js and npm installation
cd ~
curl -sL https://deb.nodesource.com/setup_14.x -o nodesource_setup.sh
bash nodesource_setup.sh   # run the setup script just downloaded; it adds the NodeSource repository used by the next step
apt-get install -y nodejs
apt install build-essential
node -v
npm -v
9.2 Redis installation (cache optimisation)
apt-get install redis-server
Redis configuration:
unixsocket /var/run/redis/redis-server.sock
unixsocketperm 777
9.3 DKIM and SPF configuration
apt-get install opendkim opendkim-tools postfix-policyd-spf-python postfix-pcre
adduser postfix opendkim
OpenDKIM configuration
mkdir /var/spool/postfix/opendkim/
chown opendkim:opendkim /var/spool/postfix/opendkim/
chmod u=rw,go=r /etc/opendkim.conf
mkdir /etc/opendkim
mkdir /etc/opendkim/keys
chown -R opendkim:opendkim /etc/opendkim
chmod go-rw /etc/opendkim/keys
DKIM tables
nano /etc/opendkim/signing.table
*@montaigu.io montaigu.io
nano /etc/opendkim/key.table
montaigu.io montaigu.io:202104:/etc/opendkim/keys/montaigu.io.private
nano /etc/opendkim/trusted.hosts
127.0.0.1
::1
localhost
sd-154040
sd-154040.montaigu.io
montaigu.io
DKIM key generation
opendkim-genkey -b 2048 -h rsa-sha256 -r -s 202104 -d montaigu.io -v
mv ./202104.private /etc/opendkim/keys/montaigu.io.private
mv ./202104.txt /etc/opendkim/keys/montaigu.io.txt
chown -R opendkim:opendkim /etc/opendkim
chmod -R go-rw /etc/opendkim/keys
systemctl restart opendkim
DKIM test
opendkim-testkey -d montaigu.io -s 202104
9.4 Backup system installation
Duplicity installation
apt update && apt upgrade
apt install -y python3-boto python3-pip haveged gettext librsync-dev
wget https://launchpad.net/duplicity/0.8-series/0.8.18/+download/duplicity-0.8.18.tar.gz
tar xaf duplicity-0.8.*.tar.gz
cd duplicity-0.8.*/
pip3 install -r requirements.txt
python3 setup.py install
apt-get install ncftp lftp
GPG key generation
gpg --full-generate-key
# Configuration: RSA 3072 bits, no expiry
# Real name: backups, Email: alban@montaigu.net, Comment: Backup on dedibackup
10. Web applications via ISPConfig
10.1 phpMyAdmin installation
Installation from source for 2FA support:
mkdir /usr/share/phpmyadmin
mkdir /etc/phpmyadmin
mkdir -p /var/lib/phpmyadmin/tmp
chown -R www-data:www-data /var/lib/phpmyadmin
touch /etc/phpmyadmin/htpasswd.setup
cd /tmp
wget https://files.phpmyadmin.net/phpMyAdmin/5.2.2/phpMyAdmin-5.2.2-all-languages.tar.gz
tar xfz phpMyAdmin-5.2.2-all-languages.tar.gz
mv phpMyAdmin-5.2.2-all-languages/* /usr/share/phpmyadmin/
phpMyAdmin configuration
cp /usr/share/phpmyadmin/config.sample.inc.php /usr/share/phpmyadmin/config.inc.php
nano /usr/share/phpmyadmin/config.inc.php
$cfg['blowfish_secret'] = 'XXXXX';
$cfg['TempDir'] = '/var/lib/phpmyadmin/tmp';
// Allow only root (protected with 2FA)
$cfg['Servers'][$i]['AllowDeny']['order'] = 'explicit';
$cfg['Servers'][$i]['AllowDeny']['rules'] = ['allow root from all'];
Dedicated site in ISPConfig
Create the site mysql.montaigu.io in ISPConfig with the Apache directives:
# phpmyadmin
Alias /phpmyadmin /usr/share/phpmyadmin
<Directory /usr/share/phpmyadmin>
Options FollowSymLinks
DirectoryIndex index.php
</Directory>
<Directory /usr/share/phpmyadmin/libraries>
Order Deny,Allow
Deny from All
</Directory>
10.2 RoundCube Webmail installation
echo "CREATE DATABASE roundcube;" | mysql --defaults-file=/etc/mysql/debian.cnf
apt-get install roundcube roundcube-core roundcube-mysql roundcube-plugins
Configuration:
nano /etc/roundcube/config.inc.php
$config['default_host'] = 'localhost';
$config['smtp_server'] = 'localhost';
$config['smtp_port'] = 25;
Add the aliases in ISPConfig:
Alias /roundcube /var/lib/roundcube
Alias /webmail /var/lib/roundcube
10.3 NextCloud site via ISPConfig
Create the site cloud.montaigu.io in ISPConfig.
PHP configuration for NextCloud
Custom PHP ini in ISPConfig:
opcache.enable=1
opcache.enable_cli=1
opcache.memory_consumption=128
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.revalidate_freq=1
opcache.save_comments=1
opcache.validate_timestamps = 0
opcache.interned_strings_buffer = 32
memory_limit = 512M
NextCloud Apache directives
Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
NextCloud configuration
'default_phone_region' => 'FR',
'mail_from_address' => 'noreply',
'mail_smtpmode' => 'smtp',
'mail_domain' => 'montaigu.io',
'mail_smtphost' => '127.0.0.1',
'mail_smtpport' => '25',
'maintenance_window_start' => 1,
'memcache.local' => '\OC\Memcache\Redis',
'filelocking.enabled' => 'true',
'memcache.distributed' => '\OC\Memcache\Redis',
'memcache.locking' => '\OC\Memcache\Redis',
'redis' => array(
'host' => '/var/run/redis/redis-server.sock',
'port' => 0,
'timeout' => 0.0,
),
10.4 Rundeck installation
echo "deb https://rundeck.bintray.com/rundeck-deb /" | sudo tee -a /etc/apt/sources.list.d/rundeck.list
curl 'https://bintray.com/user/downloadSubjectPublicKey?username=bintray' | sudo apt-key add -
sudo apt-get update
sudo apt-get install rundeck
Rundeck configuration
nano rundeck-config.properties
grails.serverURL=https://jobs.montaigu.io
Rundeck site in ISPConfig
Create the site jobs.montaigu.io with a reverse proxy:
ProxyPass "/" "http://127.0.0.1:4440/"
ProxyPassReverse "/" "http://127.0.0.1:4440/"
Enable the proxy modules:
a2enmod proxy
a2enmod proxy_http
a2enmod proxy_balancer
a2enmod lbmethod_byrequests
systemctl restart apache2
Sudo configuration for Rundeck
visudo
# Add: rundeck ALL=(ALL) NOPASSWD: ALL
nano /etc/rundeck/project.properties
# Add:
# sudo-command-enabled="true"
# sudo-command-pattern="^\[sudo\] password for .+: .*"
service rundeckd restart
10.5 Custom applications via ISPConfig
Site alban.montaigu.io
Create the site in ISPConfig with the Apache options:
<Directory /var/www/clients/client1/web1/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted
</Directory>
Site osteogestion2 (Laravel)
Create the site in ISPConfig with a custom DocumentRoot:
DocumentRoot "/var/www/clients/client1/web10/web/osteogestion2/public"
<Directory "/var/www/clients/client1/web10/web/osteogestion2/public">
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
Require all granted
</Directory>
User directory configuration:
# Allow directories to be added at the root of the home directory
chattr -i
mkdir .npm .cache .config .ssh .composer
chattr +i
Laravel deployment:
# As the dedicated user
su amontaiguosteo2
cd /var/www/clients/client1/web10/web/osteogestion2
git clone git@gitlab.com:amontaigu/osteogestion2.git
composer install --no-dev --optimize-autoloader
npm install
php artisan storage:link
php artisan view:clear
php artisan cache:clear
php artisan config:cache
php artisan migrate
Wallabag site
Create the site in ISPConfig with this specific configuration:
DocumentRoot /var/www/clients/client1/web2/web/wallabag/web
SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
<Directory /var/www/clients/client1/web2/web/wallabag/web>
AllowOverride None
Order Allow,Deny
Allow from All
<IfModule mod_rewrite.c>
Options +SymLinksIfOwnerMatch
Options -MultiViews
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ app.php [QSA,L]
</IfModule>
</Directory>
<Directory /var/www/clients/client1/web2/web/wallabag/web/bundles>
<IfModule mod_rewrite.c>
RewriteEngine Off
</IfModule>
</Directory>
FreshRSS site
Create the site in ISPConfig:
DocumentRoot /var/www/clients/client1/web3/web/p
11. Optimisation and monitoring
11.1 Advanced Apache hardening
apt install libapache2-mod-security2
apt install libapache2-mod-evasive
OWASP ModSecurity configuration:
SecAction \
"id:900200,\
phase:1,\
nolog,\
pass,\
t:none,\
setvar:'tx.allowed_methods=GET HEAD POST OPTIONS PUT PATCH DELETE CHECKOUT COPY LOCK MERGE MKACTIVITY MKCOL MOVE PROPFIND PROPPATCH UNLOCK'"
11.2 Exemptions for sensitive sites
NextCloud and critical application exemption:
# For NextCloud
<VirtualHost *:80>
ServerName cloud.montaigu.io
# Disable ModSecurity for NextCloud
<IfModule mod_security2.c>
SecRuleEngine Off
</IfModule>
# Disable mod_evasive for NextCloud
<IfModule mod_evasive24.c>
DOSEnabled off
</IfModule>
</VirtualHost>
# Generic configuration for the other domains, with the protections active
<VirtualHost *:80>
ServerName autre-domaine.com
<IfModule mod_evasive24.c>
DOSPageCount 3
DOSPageInterval 1
DOSSiteCount 50
DOSSiteInterval 1
DOSBlockingPeriod 600
</IfModule>
</VirtualHost>
11.3 Automated backup scripts
Duplicity backup script
# First manual backup
FTP_PASSWORD=secret duplicity /var/www ftp://sd-154040@dedibackup-dc3.online.net/
# Automated script via Rundeck
sudo FTP_PASSWORD=dddd PASSPHRASE=dddd duplicity /var/www ftp://sd-154040@dedibackup-dc3.online.net/
GPG key backup
# List the keys
gpg --list-secret-keys
# Export the private key
gpg --export-secret-keys KEYID > dedibackup.key
11.4 OVH DNS and records
DKIM TXT record in OVH:
v=DKIM1; h=sha256; k=rsa; s=email; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkSjrFTTc/7e95/SmRg4mY1+Z1FkobbPHJnZXFHSx8EMR/dc7Sgv8NFWpQ7grt/eIPw+8+Ci9xZ+SPHCvg0R0xo9mYWGj0B5sV4xhewXM58Zi8CLQ0YRK17tH9W20d5JsPtoeYIsLYVBJ90NCV3hEhjThA6KgTRAHoj+/GiG2B4AYZgciKWUZwHyJdTJnDNHGwsyp1XA9ZnkCilVszjc2BlIrGnwfyuoGdI1t2pSkWxyzRbZNU7DX8VTMCG8FL0NNRzxdFVNt9KMv2Yp1A0W5tLIv+ALsZU7WII7nVr6zYlhghuWhV7zQhvqz/F0672sp7bqmy0TRiqftDe6HWDnHHwIDAQAB
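The value above is the single-line form of the 202104.txt file that opendkim-genkey wrote in section 9.3, where the p= value is split over several quoted strings. As an added example that is not part of the original guide, the following rebuilds that line from the file and compares it with the record DNS actually serves, so a paste error in the zone editor shows up before mail starts failing DKIM checks; the function names, the constructed sample file and its CONSTRUCTED... placeholder key are assumptions of the example, while the file path, selector and domain are the guide's.

```shell
#!/bin/sh
# Added example, not part of the original guide. opendkim-genkey writes 202104.txt as a
# BIND record whose p= value is split over several quoted strings; a registrar zone
# editor such as OVH's wants the single-line value shown in section 11.4. The helpers
# below rebuild that value from the file and compare it with what DNS serves.

# Join the quoted strings of an opendkim-genkey .txt file into one TXT value.
dkim_txt_value() {   # $1 = path to the .txt written by opendkim-genkey
  tr -d '\n' < "$1" |
    sed -e 's/^[^(]*(//' -e 's/).*$//' |
    awk -F'"' '{ for (i = 2; i <= NF; i += 2) printf "%s", $i; print "" }'
}

# Drop quotes and whitespace so the split form that dig prints and the single-line
# form compare equal; whitespace is not significant in a DKIM tag list.
dkim_normalize() { tr -d '" \t\n'; }

# Return 0 when the record served for selector $2 of domain $3 equals key file $1.
# Needs dig (dnsutils, installed in section 6.6); not exercised by the test below.
dkim_matches_dns() {
  want=$(dkim_txt_value "$1" | dkim_normalize)
  have=$(dig +short TXT "$2._domainkey.$3" | dkim_normalize)
  [ -n "$have" ] && [ "$want" = "$have" ]
}

# Constructed stand-in for the file genkey writes; the p= value is NOT a real key.
write_sample_genkey_output() {
  cat > "$1" <<'EOF'
202104._domainkey  IN  TXT  ( "v=DKIM1; h=sha256; k=rsa; "
    "p=CONSTRUCTEDKEYPARTONE"
    "CONSTRUCTEDKEYPARTTWO" )  ; ----- DKIM key 202104 for montaigu.io
EOF
}

# Usage on the host:
#   dkim_txt_value /etc/opendkim/keys/montaigu.io.txt        # value to paste into OVH
#   dkim_matches_dns /etc/opendkim/keys/montaigu.io.txt 202104 montaigu.io && echo "DNS matches key file"
```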
12. Maintenance and troubleshooting
12.1 Maintenance scripts
Updating Python packages
pip3 list --outdated --format=freeze | grep -v '^\-e' | cut -d = -f 1 | xargs -n1 pip3 install -U
Restoring sites
cp -Rf source dest
chown -R webX:client1
12.2 Cleanup and uninstallation
Uninstalling old PHP versions
apt purge php8.1*
apt purge php8.1-fpm*
update-alternatives --config php
Uninstalling Wordfence
rm .user.ini
nano .htaccess # clean up the Wordfence rules
rm wordfence-waf.php
12.3 Known problems and solutions
Let's Encrypt ISPConfig
An ISPConfig update can break Let's Encrypt renewal for the admin interface.
Solution: https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/
Rundeck - hostname loss
After some updates the hostname can be "lost".
nano /etc/rundeck/rundeck-config.properties
# grails.serverURL=https://jobs.montaigu.io
nano /etc/rundeck/framework.properties
framework.server.name = sd-154040
framework.server.hostname = sd-154040
framework.server.port = 443
framework.server.url = https://jobs.montaigu.io
Redis permission problems
nano /etc/group
# Add redis:x:130:web13
# or use: unixsocketperm 777
systemctl restart php8.1-fpm
12.5 Specific technical items
Checking /proc/cpuinfo
To check the processor capabilities:
cat /proc/cpuinfo
Managing open_basedir in ISPConfig
In ISPConfig, configure open_basedir per site according to its security needs.
Known issues
- Let's Encrypt renewal: an ISPConfig update can break renewal
- Rundeck hostname: can be lost after an update
- NextCloud + ModSecurity: incompatibility that requires an exemption
- Redis permissions: problems with Unix sockets and web users
- PHP versions: watch the dependencies during Debian upgrades
Upgrade to Debian 12
Debian 10 has not been maintained since August 2024.
References for the migration:
- Dist-Upgrade Debian 10 Buster to Debian 12 Bookworm · GitHub
- Nettoyer sa Debian — Le Wiki du Forum-Debian.fr
- How To Install PHP (8.3, 8.2 or 7.4) on Debian 12 – TecAdmin
- How to install PHP 5.6 and 7.0 - 8.3 with PHP-FPM and FastCGI mode for ISPConfig 3.2
Conclusion
This installation follows the HowToForge methodology, with ISPConfig at the centre of the architecture. The installation order respects the dependencies:
- Infrastructure and base (server, system, security)
- Core services (database, web, mail)
- ISPConfig (central control panel)
- Extensions (multi-version PHP, applications)
- Optimisations (security, monitoring, backups)
ISPConfig then manages all websites, domains, email and databases through its web interface, secured with 2FA.
References and documentation
Main references
- HowToForge main guide: https://www.howtoforge.com/perfect-server-debian-10-buster-apache-bind-dovecot-ispconfig-3-1/
- https://community.jaguar-network.com/securiser-son-serveur-ssh/
- https://docs.nextcloud.com/server/latest/admin_manual/installation/source_installation.html
- https://docs.rundeck.com/docs/administration/install/linux-deb.html
Security
- https://kifarunix.com/install-modsecurity-with-apache-on-debian-12/
- https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/1677
- https://www.clearhat.org/post/configure-one-time-password-k-2fa-or-mfa-apache-using-mod-authn-otp-and-freeotp
Mail and DNS
- https://www.linode.com/docs/guides/configure-spf-and-dkim-in-postfix-on-debian-9/
- https://help.nextcloud.com/t/solved-cant-get-redis-to-work-in-socket-mode/122830
Development
- https://www.digitalocean.com/community/tutorials/how-to-install-and-use-composer-on-debian-10
- https://www.digitalocean.com/community/tutorials/how-to-install-node-js-on-debian-10