RHEL6 apache httpd virtual host the proper way

My recipe for name-based virtual hosts in separate directories on RHEL:

We place all the virtual hosts under a new directory tree /var/www/vhosts:

# yum install httpd
# mkdir /var/www/vhosts
# semanage fcontext -a -t httpd_sys_content_t /var/www/vhosts
# restorecon -Rv /var/www/vhosts
# mkdir -p /var/www/vhosts/{site1,site2,site3}/{logs,htdocs}
# chown -R apache:apache /var/www/vhosts

I recommend using the FQDN of each site instead of the words “site1”, “site2”, in these examples.

Create the file /etc/httpd/conf.d/vhosts.conf with appropriate content such as:

NameVirtualHost *:80

<VirtualHost *:80>
  ServerName site1
  DocumentRoot /var/www/vhosts/site1/htdocs
  CustomLog "/var/www/vhosts/site1/logs/access.log" common
  ErrorLog "/var/www/vhosts/site1/logs/error.log"

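  <Directory "/var/www/vhosts/site1/htdocs">
     Options None
     AllowOverride All
     # Order Deny,Allow permits anything that matches no Deny line,
     # so the explicit Deny is what makes the Allow line restrictive
     Order Deny,Allow
     Deny from all
     Allow from 127.0.0.1
  </Directory>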
</VirtualHost>

<VirtualHost *:80>
  ServerName site2
  DocumentRoot /var/www/vhosts/site2/htdocs
  CustomLog "/var/www/vhosts/site2/logs/access.log" common
  ErrorLog "/var/www/vhosts/site2/logs/error.log"

  <Directory "/var/www/vhosts/site2/htdocs">
     Options None
     AllowOverride All
     # Deny first, then allow only the listed addresses
     Order Deny,Allow
     Deny from all
     Allow from 127.0.0.1
  </Directory>
</VirtualHost>

and so on

(Don’t forget to set the Directory permissions properly. Above is just an example!)
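Under Apache 2.2, `Order Deny,Allow` permits any request that matches no Deny line, so an `Allow from` line restricts nothing unless the block also has a `Deny from`. The check below is an added example, not part of the original recipe; it reads a config on stdin and flags such `<Directory>` blocks (the function names and the sample config are constructed for illustration).

```sh
#!/bin/sh
# Added example, not from the original post.
# audit_order_allow: reads an httpd 2.2 config on stdin and prints
# "OPEN <path>" for every <Directory> block that has "Allow from" lines
# but no "Deny from" while Order is Deny,Allow (also the 2.2 default).
# Exit status: 1 if any such block was found, 0 otherwise.
audit_order_allow() {
    awk '
    { line = tolower($0); sub(/^[ \t]+/, "", line) }
    line ~ /^<directory[ \t]/ {
        dir = $0
        sub(/^[ \t]*<[^ \t]+[ \t]+/, "", dir)   # drop "<Directory "
        sub(/>[ \t]*$/, "", dir)                # drop the closing ">"
        gsub(/"/, "", dir)
        order = "deny,allow"; allow = 0; deny = 0; inblk = 1
        next
    }
    inblk && line ~ /^order[ \t]/ {
        order = line; sub(/^order[ \t]+/, "", order); gsub(/[ \t]/, "", order)
    }
    inblk && line ~ /^allow[ \t]+from[ \t]/ { allow++ }
    inblk && line ~ /^deny[ \t]+from[ \t]/  { deny++ }
    inblk && line ~ /^<\/directory>/ {
        if (order == "deny,allow" && allow > 0 && deny == 0) {
            print "OPEN " dir
            bad = 1
        }
        inblk = 0
    }
    END { exit bad + 0 }
    '
}

# Constructed sample config: site1 has Allow without Deny, site2 has both.
sample_conf() {
    cat <<'EOF'
<Directory "/var/www/vhosts/site1/htdocs">
   Order Deny,Allow
   Allow from 127.0.0.1
</Directory>
<Directory "/var/www/vhosts/site2/htdocs">
   Order Deny,Allow
   Deny from all
   Allow from 127.0.0.1
</Directory>
EOF
}
sample_conf | audit_order_allow || true  # prints: OPEN /var/www/vhosts/site1/htdocs
```

Against a live file, run it as `audit_order_allow < /etc/httpd/conf.d/vhosts.conf` before restarting httpd.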

Then activate the goodness:

# apachectl restart

Why is this method good?

1. Creating the vhosts.conf in conf.d doesn’t modify any vendor-supplied files, which means that we won’t lose them if we reinstall the package.

2. Keeping each virtual host and its logs under its own directory tree makes maintenance a breeze and permissions can be separated to give developers access to specific vhosts only.

officially best way to get up to date LAMP on RHEL6

Q: How do I update php, mysql, and apache on RHEL6 without breaking stuff?

A: Use the great packages from IUS!

1. set up the IUS repo

$ wget http://dl.iuscommunity.org/pub/ius/stable/Redhat/6/x86_64/ius-release-1.0-11.ius.el6.noarch.rpm
$ wget http://dl.iuscommunity.org/pub/ius/stable/Redhat/6/x86_64/epel-release-6-5.noarch.rpm
$ sudo rpm -Uvh ius-release*.rpm epel-release*.rpm

2. make sure you have an up to date ca-certificates bundle installed.

3. See what php packages are available: yum list | grep -w ius | grep ^php

4. The “downside” (a minor inconvenience) of the greatness of the IUS is that the packages they build provide the same things as the original outdated redhat packages, but don’t obsolete them. This is intentional, and what makes me think it is the best way to obtain a current LAMP on RHEL or CentOS. What this boils down to is that the IUS packages have different names but cannot be installed at the same time as the RedHat/CentOS packages.
This means that we must uninstall the original packages (if they are installed) before we can install the more recent IUS packages.

IUS provides a neat yum plugin called “replace”, that can be used to do this en masse for a whole bunch of packages based on a certain name. If you have the stock packages “php”, “php-devel”, “php-common” and “php-cli” installed, you can “upgrade” them to the IUS php54 equivalents with a pretty one-liner like “yum replace php --replace-with php54”! (If you want to use the plugin, first install it with: “sudo yum install yum-plugin-replace”).

5. install the IUS packages the usual way if not using the replace plugin.

In case of RHEL6, postfix (terribly outdated 2.6.6) requires mysql-libs, so you cannot install mysql55 straight away. What I did was two steps:

# yum erase postfix
# yum install postfix php54 mysql55-server

This means that I uninstalled postfix which was dependent on mysql-libs, and then reinstalled it at the same time as php54 and mysql55. Then it uses mysql55-libs instead.

================================================================================
 Package          Arch      Version               Repository               Size
================================================================================
Installing:
 mysql55          x86_64    5.5.31-1.ius.el6      ius                     9.1 M
 mysql55-server   x86_64    5.5.31-1.ius.el6      ius                     9.6 M
 php54            x86_64    5.4.16-1.ius.el6      ius                     2.7 M
 postfix          x86_64    2:2.6.6-2.2.el6_1     rhel-x86_64-server-6    2.0 M
Installing for dependencies:
 apr              x86_64    1.3.9-5.el6_2         rhel-x86_64-server-6    123 k
 apr-util         x86_64    1.3.9-3.el6_0.1       rhel-x86_64-server-6     87 k
 apr-util-ldap    x86_64    1.3.9-3.el6_0.1       rhel-x86_64-server-6     15 k
 httpd            x86_64    2.2.15-28.el6_4       rhel-x86_64-server-6    821 k
 httpd-tools      x86_64    2.2.15-28.el6_4       rhel-x86_64-server-6     73 k
 mailcap          noarch    2.1.31-2.el6          rhel-x86_64-server-6     27 k
 mysql55-libs     x86_64    5.5.31-1.ius.el6      ius                     783 k
 mysqlclient16    x86_64    5.1.61-1.ius.el6      ius                     3.8 M
 perl-DBD-MySQL   x86_64    4.013-3.el6           rhel-x86_64-server-6    134 k
 perl-DBI         x86_64    1.609-4.el6           rhel-x86_64-server-6    707 k
 php54-cli        x86_64    5.4.16-1.ius.el6      ius                     2.6 M
 php54-common     x86_64    5.4.16-1.ius.el6      ius                     894 k

Transaction Summary
================================================================================
Install      15 Package(s)

That’s all, folks!

Error: Cannot retrieve repository metadata (repomd.xml) for repository: epel. Please verify its path and try again


I tried installing EPEL on a fresh install of RHEL6, and after adding the repo, yum fails with the above error. I have RHEL6.1 (Santiago) and get the above error.

This happens because the RHEL/CentOS installation doesn’t trust the HTTPS certificate used by mirrors.fedoraproject.org, that is issued by “GeoTrust SSL CA”.

In my case the package ca-certificates was not installed and the /etc/pki/tls/certs/ folder didn’t contain any ca-bundle.crt or ca-bundle.trust.crt !

Solution: yum install ca-certificates

(I had to temporarily rpm --erase epel-release first, to get yum working again)

I once got the same error message even though ca-certificates was installed and up to date. Then it was a firewall blocking https (port 443) traffic.

I worked around that by changing from https to http in /etc/yum.repos.d/epel.repo

Howto install perl modules

I often find myself trying to install (binary) packages that have dependencies on perl modules.

Because I work on varying platforms, sometimes RHEL/RedHat, CentOS, sometimes Debian based, like Ubuntu, and sometimes, less often now, but maybe I will go back again, to Gentoo. In many ways my ideal platform.

However, Perl is wicked, and the concept of perl modules in a package manager is even more crazy.

What are we going to do when we need a new version of a software (say, amavisd-new) that is not available in the distro’s package library?

I’m thinking, build from source and you can’t go wrong, right?

In the case of amavisd-new, these are the listed prerequisites:

Archive::Zip   (Archive-Zip-x.xx) (1.14 or later, currently 1.23)
Compress::Zlib (Compress-Zlib-x.xx) (1.35 or later, currently 2.008)
Compress::Raw::Zlib (Compress-Raw-Zlib) (2.017 or later)
Convert::TNEF  (Convert-TNEF-x.xx)
Convert::UUlib (Convert-UUlib-x.xxx) (1.08 or later, stick to new versions!)
MIME::Base64   (MIME-Base64-x.xx)
MIME::Parser   (MIME-Tools-x.xxxx) (latest version from CPAN - currently 5.425)
Mail::Internet (MailTools-1.58 or later have workarounds for Perl 5.8.0 bugs)
Net::Server    (Net-Server-x.xx) (version 0.88 finally does setuid right)
Digest::MD5    (Digest-MD5-x.xx) (2.22 or later)
IO::Stringy    (IO-stringy-x.xxx)
Time::HiRes    (Time-HiRes-x.xx) (use 1.49 or later, older can cause problems)
Unix::Syslog   (Unix-Syslog-x.xxx)
BerkeleyDB     with bdb library (preferably 4.4.20 or later)
Mail::DKIM     (Mail-DKIM-0.31 or later)

So, if I’m going to install amavisd-new, from source, on a RHEL6 server, what do I need to do? Well, I’ll show what I did. Not necessarily what is the best thing to do… OK?

yum install cpan
perl -MCPAN -e shell

(going with the defaults, automatic is nice)

When I attempted to install the first module (Archive::Zip), I discovered that I did not have web access from my server, so I had to download the CPAN modules by hand. I did this by using the powerful http://search.cpan.org/ search tool, and just pasting the package name (Archive::Zip) in the search box and then downloading the tar.gz packages one at a time.

Manual installation of 1 CPAN package:

tar zxf Archive-Zip-1.31_04.tar.gz
cd Archive-Zip-1.31_04
perl Makefile.PL
make
make test
sudo make install

Had I had internet connection available:

perl -MCPAN -e 'install Archive::Zip'

The beauty of CPAN installation is that it resolves dependencies automatically.

authorized_keys SELinux pubkey authentication on RHEL / CentOS

So, you have correct permissions on your home directory and all the way up to /, with no other-writable directories in the path, as well as correct permissions on the .ssh directory in $HOME, and it still doesn’t work? You probably have SELinux, and need to put the newly created files in the correct security context. Do it with restorecon like this:

chmod 700 ~/.ssh
cd ~/.ssh
chmod 600 ~/.ssh/*
chmod 644 ~/.ssh/authorized_keys
chmod 644 ~/.ssh/known_hosts
chmod 644 ~/.ssh/config
restorecon -R -v ~/.ssh
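
To rule out the permission side before turning to SELinux labels, this added example (not from the original post) walks from authorized_keys up the directory chain and reports any group- or other-writable component. `check_ssh_path`, its optional stop directory and the demo tree are constructed for illustration; it assumes GNU `stat` and `readlink`.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes GNU stat and readlink.
# check_ssh_path FILE [STOP_DIR]
# Walks from FILE up to STOP_DIR (default /) and prints
# "INSECURE <octal-mode> <path>" for each component that is group- or
# other-writable. Returns 0 if none, 1 if any, 2 if FILE does not exist.
check_ssh_path() {
    csp_path=$(readlink -f -- "$1") && [ -e "$csp_path" ] || return 2
    csp_stop=$(readlink -f -- "${2:-/}") || return 2
    csp_rc=0
    while :; do
        csp_mode=$(stat -c '%a' -- "$csp_path")   # e.g. 700, 644, 1777
        # 022 = group-write | other-write; the leading 0 makes it octal
        if [ $(( 0$csp_mode & 022 )) -ne 0 ]; then
            echo "INSECURE $csp_mode $csp_path"
            csp_rc=1
        fi
        case $csp_path in "$csp_stop"|/) break ;; esac
        csp_path=$(dirname -- "$csp_path")
    done
    return "$csp_rc"
}

# Constructed demo tree standing in for a home directory.
demo() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/home/.ssh"
    chmod 755 "$d/home"; chmod 700 "$d" "$d/home/.ssh"
    : > "$d/home/.ssh/authorized_keys"
    chmod 644 "$d/home/.ssh/authorized_keys"
    check_ssh_path "$d/home/.ssh/authorized_keys" "$d" && echo "chain OK"
    chmod 775 "$d/home"                 # group-writable home directory
    check_ssh_path "$d/home/.ssh/authorized_keys" "$d" || echo "fix modes first"
    rm -rf "$d"
}
demo
```

On a real account, run `check_ssh_path ~/.ssh/authorized_keys`; a clean result with logins still failing points at the SELinux context, which the restorecon command above resets.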

 

uuencode package name

Sometimes you have a tiny file you wish to include in a block of plain text, perhaps an email. When I was young(er), -in the era of UUCP and modems, before the world wide web and HTML were invented, when RFC-821 was still new, -there were no MIME attachments to email.

If you wanted to send a file by mail, you had to encode it in a way that could be included in plain text without breaking. That meant 7-bit ASCII only, max 72 chars on each line, and a lot of other limitations.

Bandwidth and storage were limited, so uuencode was invented to “efficiently” encode 3 bytes of binary data into 4 printable characters. Pretty clever.

I recently had a need for uuencode, and it was not installed on my CentOS/RedHat system by default. The package containing uuencode is called “sharutils”. The name comes from the “shar” utility to encode binaries into a shell script, shell archive (shar file).

“yum install sharutils” – and voila, I have uuencode and uudecode available.

Sigh. Linux is simply better than Windows… (?)

I gave up developing for android with titanium on a windows7 virtual machine in virtualbox on CentOS5.

Decided to go with a native linux development environment. (of course!). How could I have been so stupid to even consider Windows in the first place? I have no idea. Temporary confusion, perhaps. Anyhow…

As much as I hate binary distributions and Debian’s geeky I-know-whats-best-for-you-but-I-pretend-I-give-you-total-control-and-freedom philosophy which often does more harm than good; I still do my Android development on a Binary Linux Distribution: Ubuntu 11.04 Natty Narwhal.

Why?

Well, when using third-party linux binaries in a binary distribution, you are pretty much dancing by their command. If they ship a binary that was linked against a very new glibc and libstdc++, which they often are, and were in the case of Titanium Developer (is a piece of junk, I hate it more and more each day), you have to have a binary distribution that matches that version. In case of Titanium Developer, CentOS5.6 is too old. You have to use a recent Fedora or Ubuntu to get the libraries you need. CentOS and all other RPM-based binary distributions will simply break (of course) if you try to force in a libc from another distro, or even build your own, as no utilities are linked against it.

I’m still “new” to ubuntu. Still preferring Gentoo, but I’m at work, and I can’t have too much downtime on my workstation, so I left CentOS for Ubuntu, simply because I need something that just works. (I have Windows on my Laptop, for Outlook and Excel).

Sigh. I miss Gentoo, but Ubuntu will do, I’m sure.