There’s a few ways that custom iptables rules can be re-loaded when your Ubuntu server reboots. I’ve chosen to reload mine using the /etc/network/interfaces file. Here’s what I’ve included in that file:

auto lo
iface lo inet loopback
pre-up iptables-restore < /etc/iptables.firewall.rules
auto eth0
iface eth0 inet dhcp

The key line here is the line starting with pre-up. This directs the iptables-restore to reload my rules from the /etc/iptables.firewall.rules file.

Another way of accomplishing the same thing is to create a script file in the /etc/network/if-pre-up.d/ directory and put the following in it:

#!/bin/sh
/sbin/iptables-restore < /etc/iptables.firewall.rules

Then set the permissions on the script file with:

sudo chmod +x /etc/network/if-pre-up.d/your-filename

A problem I have when setting up a website on a new server (or a new site on an existing server) is sorting out permissions for the Apache user (www-data) and an FTP user. I can never quite remember how to set things up so that I am not continually needing to log into a console to adjust permissions so I can FTP some files to the server. This post is the definitive reminder to myself showing how it should be done. This example applies to Ubuntu but I guess it is equally applicable to other flavours of Linux.

Add the FTP User to the www-data Group

First thing we want to do is add the FTP user (you have created an FTP user haven’t you?) to the www-data usergroup. www-data is the user/group used by Apache.

sudo adduser ftp-username www-data

Change Ownership of Files

The next step is to set the www-data group as the owner of all files and directories in the HTML source directory.

sudo chown -R www-data:www-data /var/www

Grant Group Permissions

Now we want to add write permission for the www-data group for all the files and directories in the HTML source directory.

sudo chmod -R g+w /var/www

Add umask for New Files

The final step is to make a change to an Apache configuration file so that the umask for new files created by Apache is such that the www-data group has write permissions on them. Open /etc/apache2/envvars in your text editor of choice and add this to the bottom of the file:

umask 007

The three octal digits for umask are for the Owner/Group/Others. The 0 leaves permissions unmasked (ie left at read/write/execute) and 7 gives no permissions at all. This would be equivalent to chmod 770. There’s a useful chart here showing the relationship between the binary rwx permissions and the octal numbers used by chmod and umask.

Credit for this must go to the top voted answer to this question on askubuntu.com.

I’ve followed this guide for installing Munin on my nodes at Linode a few times now. Munin is a remote server monitoring tool that allows you to monitor all sort of things about the health of your servers. Servers you want to monitor are “munin-nodes” and the server where you view all of the reports from is the “munin-master”. It all makes sense but the Linode installation guide fails horrifically if your apache webroot is not the default /var/www that Munin expects it to be. So as a reminder to myself, here’s how I got Munin working on a server where the web root was /srv/www.

First, follow the install guide exactly as instructed by the good folk at Linode. Then modify /etc/munin/apache.conf to remove references to /var/www and change them to your web root of choice. My file looks something like this:

Alias /munin /srv/www/munin
<Directory /srv/www/munin>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride all
                Order allow,deny
                allow from all
    <IfModule mod_expires.c>
        ExpiresActive On
        ExpiresDefault M310
    </IfModule>
</Directory>

Then I restarted Munin with:

sudo /etc/init.d/munin-node restart

I happen to use my munin-master as a dumb web host so the pretty Munin web pages are just in a folder off of the web root. You could be tricky and put them on their own sub-domain but I’ve chosen not to do that. So they live in a sub-folder and I can access them using this address:

http://www.your-site.com/munin/

And when I did I was seeing a 403 forbidden error. And when I took at look at the apache error log saw an entry like this:

[Mon Feb 03 04:09:23 2014] [error] [client 123.123.123.123] client denied by server configuration: /var/cache/munin/

Clearly Munin is still trying to access a folder outside of my webroot. So then it was a matter of adding this new section to my /etc/apache2/sites-available/default file:

        <Directory /var/cache/munin/www/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>

Then restarting apache with

sudo /etc/init.d/apache2  restart

Now if I visited the Munin pages using the same address as above I can see pretty graphs telling me all about my servers! w00t!

I use the PHP mycrypt extension to generate some encrypted URLs for one of my online applications. I had reason to test some of this functionality on my local development web server recently and the following error was thrown by PHP:

Call to undefined function mcrypt_create_iv()

Turns out that I didn’t actually have the MCRYPT extension installed on my little Ubuntu web server. Doing so was simply a matter of typing this at a command prompt:

sudo apt-get install php5-mcrypt

And that’s it. No need to re-start Apache or anything else. Groovy.

I knew you could use RSYNC to synchronize a local copy of a website with the files on your production server. In fact I’ve known it for long enough to have tried to get it working a few years ago but failed miserably. Well I’ve learned a bit since then (well I like to think so anyway) so I thought I’d give it another go this this morning. And, it was surprisingly easy. In this guide I refer to my local server (a teeny tiny Ubuntu server) as the LOCAL SERVER and the remote production server as the REMOTE SERVER.

Install SSH Key on Remote Server

Firstly I needed to install a SSH key on my REMOTE SERVER so my LOCAL SERVER could log into it without me needing to enter a password every time I wanted to synchronize the files. This is easy enough, on the LOCAL SERVER enter the following:

sudo ssh-keygen

Enter the default values as prompted and this will create a public key in ~/.ssh/ called id_rsa.pub. This file needs to be set to the remote server. This is done easily with:

scp ~/.ssh/id_rsa.pub user@remote_server.com:/home/user/uploaded_key.pub

Then this file needs to be appended to the authorized_keys file on the REMOTE SERVER with:

ssh user@remote_server.com "echo `cat ~/.ssh/uploaded_key.pub` >> ~/.ssh/authorized_keys"

Construct RSYNC Included and Excluded Files / Folders List

If you’re like me your development folders are littered with test files and directories that you don’t want on your production servers. So you’re going to need to create inclusion and exclusion lists for RSYNC to use so it knows what to upload and what not to upload. This is simply done using text files with file / folder specifications on separate lines. For example my include.txt looks something like this:

app
classes
create-scripts
cron-scripts
css
inc
js
images
tooltips
validation_scripts

While my exclude looks something like this:

/app/jscal
/css/img/Thumbs.db
/create-scripts/*.txt
app/test-first-day-of-week.htm
app/test-mcrypt.htm
app/images/Thumbs.db

These files can be written in nano and saved somewhere sensible (probably where you’re going to put your rsync bash script).

Write your BASH script

Next step is to write a very short bash script that includes your RSYNC command. My script looks like this:

#!/bin/bash
rsync  -v -u -r -a --rsh=ssh --stats --progress --files-from=include.txt --exclude-from exclude.txt /srv/windows-share/local-source-files/   user@remote-server:/srv/www/remote-source-files/

Don’t forget you need to make your script executable with something like:

sudo chmod 700 rsync_upload.bsh

Also you’re going to want to test the RSYNC command using the -n (or –dry-run) option to make sure everything works the way you expect it to. You’ll also need to specify the -r (recursive) option because the –files-from directive overrides the implied recursion you get from the -a (archive) option.

Run your Script

So now when you’re done developing and testing files on your development server it’s simply a matter of running your new script to sync the files on your production server. Something like the following will run your script:

sudo /path/to/script/rsync_upload.bsh

I manage a number of different websites and most of the development has been done offline on a Windows 7 machine. I use the LAMP stack for all my sites and have always found the easiest method of setting up an equivalent WAMP stack on a Windows 7 machine was using XAMPP by Apache Friends. This has always worked fine but was a bit clunky when I wanted to change which website I was working on. It meant killing the Apache processes (httpd.exe) in the Windows task manager, editing the Apache conf file to change which site I was working on and then re-starting Apache. And when crap programs like Skype keep grabbing port 80 restarting Apache is always a pain in the butt.

There had to be an easier way so this week I took an hour out of my day to work out what it was. I already had Apache installed on my mini file server that runs Ubuntu so it was just a matter of getting that to work properly to serve up different sites. And that was (surprisingly) simple.

Edit the Hosts File on the Server

First step was to edit the hosts file on the linux machine with

sudo nano /etc/hosts

And then add entries for the sites I wanted to be served up locally. So, my hosts file ended up looking something like this:

127.0.0.1       localhost
127.0.0.1       local-site-1
127.0.0.1       local-site-2

Create Sites Available Files

I then had to create files for each site to sit in Apache’s sites available directory (/etc/apache2/sites-available/)

These files are pretty simple and in my case looked like this:

<VirtualHost *:80>
    ServerName local-site-1
    DocumentRoot "/srv/path/to/local/site/1/html_root/"
</VirtualHost>

Just change the server name to your local site name and the DocumentRoot to the path where the files for the site reside. In my case DocumentRoot is a SAMBA directory that is accessible from my windows machines (so I can edit the files from my dev machines). Name each file sensibly (in my case I named them local-site-1 and local-site-2).

Enable Sites and Reload Apache

Enabling the new sites is simple, just use the following command:

sudo a2ensite /etc/apache2/sites-available/local-site-1

Then reload the apache configuration with:

sudo /etc/init.d/apache2 reload

Edit the Windows Hosts File

The final step is to edit the hosts file on the Windows machines you want to access the local sites. On Windows 7 this can be found in:

%systemroot%\system32\drivers\etc\

I opened this in Notepad and changed it to look like this:

127.0.0.1 localhost
192.168.2.3 local-site-1
192.168.2.3 local-site-2

Note that 192.168.2.3 is the IP address of my file server.

Now if I want to access one of these local sites in a browser I just need to type local-site-1 into the address bar and hey presto I see the local copy of the website served up by my file server. I love increased productivity!

Potential Improvement

One potential improvement to this process is to remove the need to edit Windows hosts files by installing a DNS server (like dmasq) that will resolve the local site URL’s into an IP address. Of course this would require changing the DNS settings on the Windows machines.