Tuesday, November 20, 2012

Setting up a LEMP Virtual Server part 2

Introduction

This is the second part of my LEMP virtual server setup. This portion involves configuring various virtual machine settings. I'll also go over the basic setup for SSH and SAMBA access.

Host network setup

Hopefully at this point you have an Ubuntu Server installed. The next step is to set up the network configuration. Go ahead and power down and close your virtual machine so we can set up the host network.

Virtual Box/Host machine configurations

The first thing we need to do is set up a VirtualBox host-only network. Host-only networks can be shared between virtual machines and the host machine. The IETF (one of the bodies that sets internet standards) published RFC 1918 so we know which addresses are safe to use for private networks. Unfortunately, there is no guarantee about which of the 3 available private address spaces a given network will use. The only rough rule of thumb is that the vast majority of commercial and home networking equipment uses the 192.168.0.0/24 space exclusively. This leaves the 172.16.0.0/12 and 10.0.0.0/8 spaces. If you know how (and have the permissions), you can manually limit the DHCP address space assigned by a router. The network equipment I'm working with does appear to only assign from the 192.168.0.0/24 space, so I decided to use the 10.0.0.0/8 space for my static IP addresses. This is not guaranteed to work every time.

Figure 1. Setting up a virtual box host-only network. You can have as many as you want.
Figure 2. Host network static IP configurations. The IPv4 address is the IP address of the host machine.
Figure 3. Ensure the host-only network DHCP server is off.
Figure 4. Connecting a virtual machine to the host-only network (MAC Address removed).

Start up your virtual machine and log in to configure the client side.

Virtual Machine configurations

The first step is to set up our network settings. In the terminal, type in the following commands:

cd /etc/network/
sudo vi interfaces

This opens the network configuration file. I'm using the vim editor as the super user; if you're more familiar with another editor, feel free to use it. Here's what I modified the network configuration file to:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet dhcp
# This is an autoconfigured IPv6 interface
iface eth0 inet6 auto
# Host direct connection
auto eth1
iface eth1 inet static
 address 10.0.0.2
 netmask 255.255.255.0
 network 10.0.0.0
 broadcast 10.0.0.255

This sets up a static IP for the client. The client's IP address is 10.0.0.2.

Limiting SSH access

At this point we should be able to SSH into our server. You can verify this by starting up PuTTY and trying to connect to your server. You're still required to log in with a valid username and password, and communication is encrypted. For added security, if you feel so inclined, you can further limit which computers can SSH into your virtual machine.

To do this, modify the /etc/hosts.allow file. For example, here's a configuration which only allows the host machine and the virtual machine itself to SSH into the virtual machine. Rules are checked top to bottom and the first match wins, so the two allow lines must come before the final deny line.

# /etc/hosts.allow: list of hosts that are allowed to access the system.
#                   See the manual pages hosts_access(5) and hosts_options(5).
#
# Example:    ALL: LOCAL @some_netgroup
#             ALL: .foobar.edu EXCEPT terminalserver.foobar.edu
#
# If you're going to protect the portmapper use the name "portmap" for the
# daemon name. Remember that you can only use the keyword "ALL" and IP
# addresses (NOT host or domain names) for the portmapper, as well as for
# rpc.mountd (the NFS mount daemon). See portmap(8) and rpc.mountd(8)
# for further information.
#
sshd : localhost : allow
sshd : 10.0.0.1 : allow
sshd : ALL : deny
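To see how tcpd evaluates the three rules above, here is an added example (not code from the post) that models the first-match logic of hosts.allow for the client patterns used here: ALL, localhost, a single IPv4 address, and a network/mask. It assumes an empty hosts.deny and that sshd was built with TCP wrappers support.

```python
import ipaddress

# Constructed copy of the /etc/hosts.allow rules above (not code from the post).
HOSTS_ALLOW = """
sshd : localhost : allow
sshd : 10.0.0.1 : allow
sshd : ALL : deny
"""

def parse_rules(text):
    """daemon_list : client_list [: option]; '#' comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]   # IPv4 only; IPv6 literals contain ':'
        option = fields[2] if len(fields) > 2 else "allow"  # a bare hosts.allow line means allow
        rules.append((fields[0].split(), fields[1].split(), option))
    return rules

def client_matches(pattern, ip):
    """The client patterns used above: ALL, localhost, a single IPv4 address, or net/mask."""
    if pattern == "ALL":
        return True
    if pattern == "localhost":          # tcpd matches by host name; loopback is the equivalent here
        return ip.is_loopback
    if "/" in pattern:                  # e.g. 10.0.0.0/255.255.255.0
        return ip in ipaddress.ip_network(pattern, strict=False)
    return ip == ipaddress.ip_address(pattern)

def ssh_allowed(rules, client_ip, daemon="sshd"):
    """First matching rule wins, as tcpd evaluates hosts.allow; an unmatched
    client would then be checked against hosts.deny, assumed empty here."""
    ip = ipaddress.ip_address(client_ip)
    for daemons, clients, option in rules:
        if (daemon in daemons or "ALL" in daemons) and any(client_matches(p, ip) for p in clients):
            return option.lower() == "allow"
    return True
```

Swapping the deny line to the top denies everyone, including 10.0.0.1, which is why the order on the page matters.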

SAMBA Filesystem Setup

Up to this point all the management we've been able to do in our virtual server has been in the terminal. However, for easier file management we can install a SAMBA file server. This allows us to connect a network drive to our system. I'm not sure this is necessary if your host machine runs a Unix-type operating system; this portion is primarily for those who use the Windows operating system. If you haven't installed SAMBA yet, the first step is to do so. In the console, type in the following command:

sudo apt-get install samba

Now that we have SAMBA installed we need to configure it. The configuration file is /etc/samba/smb.conf. The file is organized into a few different sections. The main global section defines settings inherited by all other sections. This section is further organized into sub-sections:

  • Browsing/Identification
  • Networking
  • Debugging/Accounting
  • Authentication
  • Domains
  • Printing
  • Misc

The first step I'm going to take is to create a share which exposes the virtual machine's filesystem. Add the following section to the end of the file.

[share]
 comment = LEMP Server Share
 path = /
 delete readonly = yes
 writable = yes
 force directory mode = 777
 force create mode = 777
 hide dot files = no
 create mode = 777
 directory mode = 777

The above configuration allows all users on any machine access to the share. This is NOT what I want. There are a few different things we can do to limit access to the server filesystem. The first is to limit access to the host machine only. This is possible because of the host-only network I have set up. The second method is to use user-restricted access. This allows a user to sign in from any other computer so long as they can be authenticated. You can also use a combination of the two.

Restricting machine access

To ensure that only my host machine can access the filesystem I changed the Networking section.

#### Networking ####

# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
# eth1 is the virtual machine's host-only interface (10.0.0.2 in the interfaces
# file above); the host machine itself (10.0.0.1) is limited via hosts allow below
interfaces = 127.0.0.1 eth1

# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself.  However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
bind interfaces only = yes
hosts allow = 127.0.0.1, 10.0.0.1
hosts deny = 0.0.0.0/0

Restricting User access

Restricting user access is also fairly simple. The first step is to enable user authentication in the Authentication section. Uncomment the line so security is set to user.

####### Authentication #######

# "security = user" is always a good idea. This will require a Unix account
# in this server for every user accessing the server. See
# /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html
# in the samba-doc package for details.
   security = user

Then in each share section you can list which users and groups may access it.

[share]
 comment = LEMP Server Share
 path = /
 delete readonly = yes
 writable = yes
 force directory mode = 777
 force create mode = 777
 hide dot files = no
 create mode = 777
 directory mode = 777
 # allow the user helloworld922 access, as well as any user in the group helloworld922
 valid users = helloworld922 @helloworld922

The @ symbol is used to denote a group. You can include multiple users/groups, and there are also shared and domain-level access settings. Check out the SAMBA documentation for more information.
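As an added example (not code from the post or from Samba), the following audit reads an smb.conf and flags the weak settings discussed above and in the share section: a share rooted at /, world-writable create/directory modes, a writable share with no valid users, and a global section missing security = user or a hosts allow list. The config text is a constructed copy of the post's [share] section, first without and then with the valid users line.

```python
# Added example, not code from the post: a minimal smb.conf reader plus an audit
# of the settings discussed above. The config text is constructed for this example.
WEAK_SMB_CONF = """
[global]
   security = user
   hosts allow = 127.0.0.1, 10.0.0.1
[share]
   path = /
   writable = yes
   create mode = 777
   directory mode = 777
"""
RESTRICTED_SMB_CONF = WEAK_SMB_CONF + "   valid users = helloworld922 @helloworld922\n"

def parse_smb_conf(text):
    """[section] headers and 'key = value' lines; '#'/';' comment lines are skipped.
    Like Samba, leading whitespace is ignored and keys are case-insensitive."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections

MODE_KEYS = ("create mode", "directory mode", "force create mode", "force directory mode")

def audit_smb_conf(text):
    """Return (section, finding) pairs for the weak settings the post warns about."""
    conf, findings = parse_smb_conf(text), []
    g = conf.get("global", {})
    if g.get("security", "").lower() != "user":
        findings.append(("global", "security = user is not set"))
    if "hosts allow" not in g:
        findings.append(("global", "no 'hosts allow' list, so any host may connect"))
    for name, opts in conf.items():
        if name == "global":
            continue
        if opts.get("path") == "/":
            findings.append((name, "exports the whole root filesystem"))
        for key in MODE_KEYS:  # octal modes with the world-write bit (o+w) set
            if key in opts and int(opts[key], 8) & 0o002:
                findings.append((name, f"{key} = {opts[key]} permits world-writable files"))
        if opts.get("writable", "no").lower() == "yes" and "valid users" not in opts:
            findings.append((name, "writable share with no 'valid users' restriction"))
    return findings
```

Adding the valid users line clears only the last finding; path = / and the 777 modes are still reported, which is the point to keep in mind before exposing a share like this one.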

Connecting to an Ubuntu virtual filesystem from Windows

Now that we have SAMBA configured we're ready to create a network drive from Windows. First things first, ensure SAMBA is enabled. This command will try to start the SAMBA service if it's not running already.

sudo service smbd start

We can now map a network drive. The network folder is \\hostname\folder. You can use either the client IP address or the client name. If you're using the configuration I used above, the folder is share.

Figure 5. Mapping the network drive.
Figure 6. Entering user credentials. With my current setup I don't think the domain matters (tried with a random domain name and it works).

Conclusion

Stay tuned for part 3, in which we install the Nginx web server, MySQL, and PHP-FPM.
