This paper shows how to set up your own web server to host your web site. In addition, it tells you how to secure and manage the DNS record for mydomain.com, set up the DNS server that will tell browsers across the internet where your web site is located, and set up a firewall between your web server and the internet.
I remember when I was a little kid, you could host your own web site without having to worry about people hacking into your web server and using it as a source of attacks on other web servers, but now security should be a cause of great concern to you. This concern for security is reflected in the choice of operating systems for the computers that will run the firewall, Linux (Mandrake), and the Web/DNS server, FreeBSD.
To implement this setup, you will need to have:
- at least one public, static IP address from your ISP;
- two spare computers, with nothing of value on the hard drives. I am using an AMD 400 MHz CPU with 384 MB of RAM for the firewall, and for the Web/DNS server a P III 600 MHz CPU with 512 MB of RAM, but I am sure that, unless you expect a lot of traffic to your web site, a pair of computers with lower specifications will work just fine;
- a CD burner.
GENERAL LAYOUT OF THE SETUP
In broad terms, this is the general layout of the servers:
A firewall computer called ns.mydomain.com. The firewall software it will run is called IPTables (also known as Netfilter). The computer will have two Network Interface Cards (NICs): one NIC will be connected to the DSL line and configured with the public, static IP provided by your ISP (I will use 001.001.001.001 for this project); the other NIC will be configured with a private IP address (192.168.200.1) and connected to an ethernet switch, to which the Web/DNS server will also be connected.
A Web/DNS server computer called www.mydomain.com, whose NIC will be configured with another private IP address (192.168.200.2). This computer will run Apache as the web server and BIND as the DNS server. You can optionally connect other computers to the switch and set them up with private IPs in the 192.168.200.3-254 range to share the DSL connection.
                  |-----------------------------------|
                  |             Firewall              |
                  |          ns.mydomain.com          |
|--------|        |                                   |     |------|     |------------------|
|Internet|------->|INET NIC                    LAN NIC|---->|Switch|<----|    Web / DNS     |
|--------|        |001.001.001.001       192.168.200.1|     |------|     | www.mydomain.com |
                  |-----------------------------------|                  |  192.168.200.2   |
                                                                         |------------------|
STEP ONE: GETTING A DOMAIN NAME
First of all you have to register the domain name for your site. To do this you have to find an unused domain name and pay the registration fee. The reason you want to register your domain name before you set up your DNS server is to prevent somebody from taking it before you finish the setup of your server. For this project we will use the tools provided by Network Solutions to register the domain name.
To find an unregistered domain name, follow the 1-2-3 steps on the main page of Network Solutions. In the search box enter the domain name you would like to have. If nobody owns that domain name, whois will reply that the domain you entered is unregistered, at which point you can just click on the "Continue" button to complete the purchase and registration of your domain name. Otherwise, if the domain name is taken, whois will reply that the domain is already registered.
The next is a do-you-want-fries-with-that? kind of screen, where you are offered additional services from Network Solutions for purchase. You don’t need any of these services, so just click “Continue” on this page also.
At this point, if you had set up your DNS server already, you could click on the “Configure your DNS” hyperlink to provide your domain information, namely the names of the primary and secondary DNS servers for your domain. However, we have not set up the DNS server yet, so you should purchase your domain name now, and return to Network Solutions later, when the DNS server is operational, to modify your DNS information. On purchasing your domain name, Network Solutions will provide you with a password-protected administrative account for your domain so that only you can modify your domain information. When you finalize the purchase of your domain name you will receive an email from Network Associates with your account number and related information. Save this email, as you will need the information it contains every time you have to modify domain information, such as when you change DNS servers for your domain, or when your public, static IP changes because you changed your ISP.
STEP TWO: SETTING UP THE FIREWALL COMPUTER
In broad terms, to set up your firewall computer you need to install Linux and run the firewall script. The last time I performed this procedure, it took me about 2.5 hours from starting the fresh install of Linux to logging out of the computer. (This time includes installing the newest versions of the Linux kernel and the IPTables software.) The first time it is done it takes longer, because you also have to customize the firewall script for your network.
Installing Linux Mandrake
First, download the Mandrake Linux 8.1 ISO images. (There are three CDs for download, but for the purposes of this project you only need the first two.) You then have to use a CD burning program to make the CDs from the images. I used Adaptec Easy CD Creator 3.5.
Place the first CD in the CDROM drive of the firewall computer and power-cycle the computer. If the Linux Mandrake setup wizard did not start automatically during boot-up, you have to change the boot sequence order in the BIOS of the computer. You usually enter the BIOS by pressing “Del,” “F1,” or “F12,” depending on the manufacturer of the computer. Find the boot sequence order setting in the BIOS and select CDROM as first in order.
It is a good idea to read the extensive instructions for installing Mandrake before installing the operating system. The general areas of the installation process are a) disk partitioning and formatting, b) additional software selection, and c) basic host and network configuration.
During the hard drive partitioning and formatting stage, you should check “Use the entire disk contents” and allow the wizard to create the default disk partitions.
In the additional software selection area you should make sure you don’t install any server components, like file, web, DNS, or email servers. These services can create security holes in the firewall computer. Although firewall software can block the ports that are opened by these services, it is good security practice not to install unnecessary services. On this computer all we are going to run is the firewall software. Also, you have to select the IPTables software from the tools directory.
In the network configuration stage allow the wizard to probe the computer for the network cards. Configure the first one (eth0) with the IP and subnet you obtained from your ISP. Configure the second network card (eth1) with an IP from the private range, like 192.168.200.1, and 255.255.255.0 as the subnet mask. For the main gateway of the computer enter the information provided by your ISP. For the computer name select “ns” plus the name of the domain you purchased. For example, if you purchased the name “mydomain.com,” you should name the firewall computer “ns.mydomain.com.” (This is the name that you will enter later as the name of the primary DNS server for your domain, and the IP you will enter for this server is the one on eth0.)
Creating the Firewall Script
The firewall software, IPTables, works by matching incoming/outgoing packets against a set of rules that decide which packets are going to be allowed through the firewall into/from the internal network. The safest set of rules starts by denying all traffic to and from the network, and then adds rules that allow traffic for the services you need. For example, you start by denying all incoming requests for TCP/IP connections, but later you add rules that allow and route incoming TCP/IP port 80 connections to the web server in the internal network.
The firewall script consists of rules written in the syntax that the IPTables program can understand, and running the script loads the rules into the kernel, thereby activating them. For this project you can use this script by Oskar Andreasson as the starting point. The script assumes that a) the IP you received from your ISP is 001.001.001.001, b) you have an internal DNS and Web server at IP 192.168.200.2 in your internal network, and c) your iptables program is installed in /sbin/iptables. This last variable will be different if you decided to upgrade to the latest version of iptables, in which case it will be in /usr/local/sbin/iptables. You should make sure the following settings in the firewall script match your own network settings.
This script will also allow access to the internet to internal computers with IPs in the LAN_IP_RANGE.
When you finish editing the script, change the permissions of the file to executable, otherwise you are not going to be able to run the script. In Windows all you need to do is name the file *.bat to be able to run it from the command line, but in Unix you also have to change the permissions of the file to executable. Once you successfully run the firewall script you can log off, detach the monitor, keyboard, and mouse from the computer, and leave it running.
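As an added example, which is neither Oskar Andreasson's script nor part of the original article, here is a minimal default-deny IPTables script for the layout described above. It uses the article's placeholder addresses and interface names (001.001.001.001 on eth0, 192.168.200.1 on eth1, the Web/DNS server at 192.168.200.2); the function names and the IPTABLES dry-run variable are this example's own choices.

```shell
#!/bin/sh
# Added example, not the article's script: default-deny firewall for the
# ns.mydomain.com layout. All addresses below are the article's placeholders.
INET_IP="001.001.001.001"          # public, static IP from your ISP (placeholder)
INET_IFACE="eth0"                  # NIC on the DSL line
LAN_IFACE="eth1"                   # NIC on the switch
LAN_IP="192.168.200.1"
LAN_IP_RANGE="192.168.200.0/24"
DMZ_SERVER="192.168.200.2"         # the FreeBSD Web/DNS server
# /usr/local/sbin/iptables if you upgraded; IPTABLES=echo prints the rules instead.
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Start from an empty rule set so re-running the script never stacks rules.
fw_flush() {
    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -X
}

# Default policy: drop everything; later functions open only what is needed.
fw_policy() {
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT DROP
}

# Packets addressed to the firewall itself: loopback, replies to its own
# connections, and administration from the LAN side only. Anything else
# arriving from the internet is logged before the DROP policy eats it.
fw_input() {
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -j ACCEPT
    $IPTABLES -A INPUT -i "$INET_IFACE" -j LOG --log-prefix "fw-input-drop: "
}

# The firewall may originate traffic from its own two addresses (updates, DNS).
fw_output() {
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
    $IPTABLES -A OUTPUT -s "$INET_IP" -j ACCEPT
    $IPTABLES -A OUTPUT -s "$LAN_IP" -j ACCEPT
}

# Forwarded traffic: LAN hosts out to the internet, and internet clients in
# to the DMZ server on exactly the ports it serves (80 web, 53 DNS).
fw_forward() {
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$LAN_IFACE" -s "$LAN_IP_RANGE" -o "$INET_IFACE" -j ACCEPT
    $IPTABLES -A FORWARD -i "$INET_IFACE" -d "$DMZ_SERVER" -p tcp --dport 80 -j ACCEPT
    $IPTABLES -A FORWARD -i "$INET_IFACE" -d "$DMZ_SERVER" -p udp --dport 53 -j ACCEPT
    $IPTABLES -A FORWARD -i "$INET_IFACE" -d "$DMZ_SERVER" -p tcp --dport 53 -j ACCEPT
    $IPTABLES -A FORWARD -i "$INET_IFACE" -j LOG --log-prefix "fw-forward-drop: "
}

# NAT: publish the DMZ server's web and DNS ports on the public address, and
# hide the LAN behind the public address for outgoing connections.
fw_nat() {
    $IPTABLES -t nat -A PREROUTING -i "$INET_IFACE" -d "$INET_IP" -p tcp --dport 80 -j DNAT --to-destination "$DMZ_SERVER"
    $IPTABLES -t nat -A PREROUTING -i "$INET_IFACE" -d "$INET_IP" -p udp --dport 53 -j DNAT --to-destination "$DMZ_SERVER"
    $IPTABLES -t nat -A PREROUTING -i "$INET_IFACE" -d "$INET_IP" -p tcp --dport 53 -j DNAT --to-destination "$DMZ_SERVER"
    $IPTABLES -t nat -A POSTROUTING -o "$INET_IFACE" -j SNAT --to-source "$INET_IP"
}

fw_apply() {
    fw_flush
    fw_policy
    fw_input
    fw_output
    fw_forward
    fw_nat
}

# Usage: sh firewall.sh apply   (as root; IPTABLES=echo sh firewall.sh apply for a dry run)
if [ "${1:-}" = "apply" ]; then
    fw_apply
fi
```

Make the file executable with chmod +x, enable routing with `echo 1 > /proc/sys/net/ipv4/ip_forward`, and run `./firewall.sh apply` as root. Running `IPTABLES=echo ./firewall.sh apply` first prints the exact rule lines without loading them, which is the easiest way to review the rule set before you detach the monitor; once it is live, the two LOG rules put every packet the firewall rejects from the internet side into /var/log/messages, so you can see what is being knocked back.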
If you would like to upgrade to the latest versions of the Linux kernel and iptables software, you can follow this good, succinct set of instructions I found in the iptables mailing list archives.
STEP THREE: SETTING THE DNS/WEB SERVER
The general steps to follow in setting up the DNS/Web server are a) installation of the operating system, and b) configuring the DNS and web server.
Installing FreeBSD
The installation of the FreeBSD operating system follows similar steps to the installation of Linux. You also need to download the images, create the installation CDs, boot from the first CD, and go through the installation wizard.
As in Linux, the installation process follows the same general steps: a) disk partitioning and formatting, b) additional software selection, and c) basic host and network configuration. You should use the entire contents of the hard drive and allow FreeBSD to automatically partition the hard drive. In the software selection section, make sure to select Apache under WWW. BIND is installed by default. In the network setup stage you should assign the IP 192.168.200.2 to the only network card in this computer (“dc0”; network cards are referred to by different names in FreeBSD), the network mask should be 255.255.255.0, and the default gateway should be the IP address of eth1 on the firewall computer, 192.168.200.1.
The install process is very straightforward. It takes about half an hour on a PIII computer, and by the end of the process Apache is already operational.
Configuring the Web server
To publish your own web page, all you need to do is create an HTML document, call it “index.html,” and place it in the /usr/local/share/doc/apache folder along with the other supporting files.
Configuring the DNS server
To configure the name server you need to follow these steps:
a) Run the make-localhost script located in the /etc/namedb/ directory.
b) Create the file that contains your domain information. It is common practice to name this file after the domain; in this case you could name it “mydomain.com.” The contents of the file should be as follows:
$TTL 43200
@       IN      SOA     ns.mydomain.com. hostmaster.mydomain.com. (
                        2001100100      ; serial
                        3600            ; refresh
                        900             ; retry
                        1209600         ; expire
                        43200           ; default_ttl
                        )
ns      IN      A       001.001.001.001
@       IN      NS      ns.mydomain.com.
@       IN      NS      ns.secundary.com.
@       IN      A       001.001.001.001
www     IN      CNAME   ns
The IP address in lines 9 and 12 should be the public address you obtained from your ISP. This is the same address configured on eth0 of the firewall computer, and the same address you use to register the primary DNS server for your domain. You should substitute the server listed in the second NS record of the file, ns.secundary.com, with your own secondary name server.
In order to complete the registration of your domain you need to provide Network Solutions with the names and addresses of both the primary and secondary name servers for your domain. I use a name server from my ISP as the secondary name server for my domain. If you want to do the same, you need to contact the hostmaster for your ISP (tech support can tell you who that person is in their organization), tell him that you are setting up a name server for your own domain, and ask whether you could use one of their name servers as your secondary name server. You will need to give them the public IP address of the firewall computer, so that they can configure their name server to accept transfers of information about your domain from that IP address.
The last line in the file, “www IN CNAME ns,” adds an alias for your web site. This allows people on the internet to type www in front of your domain name (www.mydomain.com) to access your web site.
Lastly, you have to edit the named.conf file in the /etc/namedb/ directory. You need to add the following lines at the end of the file:
zone "mydomain.com" {                   // change to your domain name
        type master;
        file "mydomain.com";            // change to your domain name
        allow-transfer {
                002.002.002.002;        // should be the IP of your secondary name server;
        };                              // no other host may pull a copy of the zone
};
Once you have edited the named.conf file, you can start the name server by typing “ndc start” at the command prompt. To make the name server start automatically with the computer you need to add the following line to the /etc/rc.conf file:
named_enable="YES"
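As an added example, not taken from the article, the following POSIX shell functions generate the zone file and the named.conf stanza shown above from the domain, the public IP and the secondary server, using the date-based serial convention (YYYYMMDDnn) that the sample serial 2001100100 follows, and run a small sanity check over the result before the file is written. The function names are this example's own; 001.001.001.001, ns.secundary.com and 002.002.002.002 are the article's placeholders.

```shell
#!/bin/sh
# Added example, not from the article: build the zone file and the
# named.conf stanza for a domain from a few variables, then lint the zone.
# Placeholders (001.001.001.001, ns.secundary.com, 002.002.002.002) follow
# the article; function names are this example's own.

# zone_serial YYYYMMDD REV -> serial of the form YYYYMMDDnn.
# Bump REV for every edit made on the same day: secondaries only
# re-transfer the zone when the serial grows.
zone_serial() {
    printf '%s%02d\n' "$1" "$2"
}

# zone_file DOMAIN PUBLIC_IP SECONDARY_NS SERIAL -> zone text on stdout,
# one record per line so the lint below can parse it with awk.
zone_file() {
    cat <<EOF
\$TTL 43200
@       IN      SOA     ns.$1. hostmaster.$1. (
                        $4              ; serial
                        3600            ; refresh
                        900             ; retry
                        1209600         ; expire
                        43200           ; default_ttl
                        )
ns      IN      A       $2
@       IN      NS      ns.$1.
@       IN      NS      $3.
@       IN      A       $2
www     IN      CNAME   ns
EOF
}

# named_zone_stanza DOMAIN SECONDARY_IP -> named.conf stanza on stdout.
# allow-transfer restricts full-zone copies to the secondary alone.
named_zone_stanza() {
    cat <<EOF
zone "$1" {
        type master;
        file "$1";
        allow-transfer { $2; };
};
EOF
}

# zone_lint DOMAIN < zonefile -> prints each problem, exit status 1 if any.
# Catches the slips that break a fresh zone: a serial that is not
# YYYYMMDDnn, a CNAME at the apex, and an in-zone NS name with no A record
# (without that address nobody can reach your name server).
zone_lint() {
    awk -v dom="$1" '
        /; *serial/ && length($1) != 10 { bad++; print "serial is not YYYYMMDDnn: " $1 }
        $2 == "IN" && $3 == "A"         { has_a[$1] = 1 }
        $2 == "IN" && $3 == "NS"        { ns[$4] = 1 }
        $1 == "@"  && $3 == "CNAME"     { bad++; print "CNAME at the zone apex is not allowed" }
        END {
            for (n in ns) {
                host = n
                if (sub("\\." dom "\\.$", "", host) && !(host in has_a)) {
                    bad++; print "NS " n " has no A record in the zone"
                }
            }
            exit bad ? 1 : 0
        }'
}

# write_zone DIR DOMAIN PUBLIC_IP SECONDARY_NS REV -> writes DIR/DOMAIN
# (the "file" named in the stanza), but only if the zone passes the lint.
write_zone() {
    serial=$(zone_serial "$(date +%Y%m%d)" "$5")
    zone_file "$2" "$3" "$4" "$serial" | zone_lint "$2" || return 1
    zone_file "$2" "$3" "$4" "$serial" > "$1/$2"
}
```

On the FreeBSD box this would be called as `write_zone /etc/namedb mydomain.com 001.001.001.001 ns.secundary.com 0` followed by `named_zone_stanza mydomain.com 002.002.002.002 >> /etc/namedb/named.conf`; raise the last argument each time you edit the zone on the same day, and run `ndc reload` afterwards so the secondary sees the larger serial and pulls the new copy.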
To test the name server you should make sure that the DNS/Web server computer is configured to use localhost as the DNS server, and try to ping a different site. If at the command prompt you type “ping google.com,” and you get reply times, it means that your name server was able to resolve google.com and is working. Also, at the command prompt of a Windows computer in your private LAN type “nslookup” to start the DNS troubleshooting software. Then type “server 192.168.200.2” to query your new server. Then type “set q=any” to get all possible information about a domain. Lastly, type “mydomain.com” to see what information your name server has about your domain. If you get something like the following,
mydomain.com
        primary name server = ns.mydomain.com
        responsible mail addr = hostmaster.mydomain.com
        serial  = 2001120700
        refresh = 3600 (1 hour)
        retry   = 900 (15 mins)
        expire  = 1209600 (14 days)
        default TTL = 43200 (12 hours)
mydomain.com    internet address = 001.001.001.001
mydomain.com    nameserver = ns.mydomain.com
mydomain.com    nameserver = ns.mydomain.com
mydomain.com    nameserver = ns.secundary.com
ns.mydomain.com internet address = 001.001.001.001
ns.secundary.com        internet address = 002.002.002.002
it means that your name server is answering queries about your domain, and that you are ready to submit the DNS server information about your domain.
LAST STEP: UPDATING YOUR DOMAIN’S DNS INFORMATION WITH NETWORK SOLUTIONS
Once you have tested the DNS server, go back to the account management area of Network Solutions, provide your user account and password, select “update DNS information” and enter ns.mydomain.com as the primary server and ns.secundary.com as the secondary server for your domain.
It takes about 24-48 hours for the updated information about your domain to propagate among root servers around the world. When the propagation completes, people around the world will be able to visit your web site by typing mydomain.com or www.mydomain.com in their web browsers.
This completes the setup. Visit the following links
for further information.