Install Debian 10 Buster and Froxlor 0.9 on a Hetzner EX52 server

After some incidents with bad performance, shitty network links and extremely outdated software (Debian 8 in 2019, wtf?) I finally landed at the renowned server provider Hetzner. Hooray!

A Hetzner EX52 server is a really nice machine. Two 8 terabyte harddrives (that I extended with two SSDs) and 64GB of DDR4 RAM are a lot of power under your fingertips.

But it was neccessary two get around two hurdles on this machine, that I’m going to talk about in the following passages:

  1. Debian 10 Buster will be released soon. Because of that, setting up Debian 9 it didn’t make any sense to me. As of this writing there are no official images from Hetzner for the new operation system and version 9 is too old for the network adapter inside the EX52 machine.
  2. Froxlor 0.9 does not support Debian 10 officially, yet. Support for this will be added in version 0.10 which is only available as a release candidate right now.

The initial installation

First of all I needed to install a Debian 9 by using the Hetzner Rescue-System and update it to version 10 in a chroot environment. During the installation I chose to format the two SSDs in the machine in RAID1 format. This will be automatically created and the Debian data files are available on the device /dev/md2 afterwards.

It was fairly easy to mount the Debian 9 installation on /mnt and use it as a root directory:

mount /dev/md2 /mnt
chroot /mnt

Until we can upgrade this to Debian 10, we need to make sure that /dev/, /proc/ und /boot/ are available outside of the chroot. Otherwise, the bootloader cannot be written correctly and the machine will not come back up anymore.

mount -o bind /dev /mnt/dev
mount -t proc none /mnt/proc
mount /dev/md/1 /mnt/boot

Inside of the chroot we can now upgrade to Debian 10 Buster with the following commands.

First of all, Debian 9 needs to be up-to-date:

apt-get update
apt-get -y upgrade
apt-get -y dist-upgrade

After that, we’ll change all references in the package list to the new version:

sed -i 's/stretch/buster/g' /etc/apt/sources.list

Finally, we’ll upgrade the package lists and do the actual upgrade:

apt-get update
apt-get -y upgrade
apt-get -y dist-upgrade

After a reboot we’ll be running the new OS and the machine can be reached from the outside thanks to having recent network drivers.

Configure and mount the harddrives

Storage space is expensive. The built-in SSDs don’t have a lot of it for all of our customers, so I’d like to use the two 8TB harddrives in RAID 1 for the actual website data.

I had an old RAID configuration on both drives from prior testing. To delete it, I nulled out the first 100 megabytes:

dd if=/dev/zero of=/dev/sda bs=100M count=1
dd if=/dev/zero of=/dev/sdb bs=100M count=1

After that I used the program cfdisk to create a GPT partition table (which is important if you have more than 2TB of space) and created the same partition on both drives:

The RAID can be created with the help of mdadm:

mdadm --create /dev/md/127 --level=1 --raid-devices=2 /dev/sda1 /dev/sda2

I need to have this RAID available permanently on the mount point /storage . The first thing I need to do for this is reading out the UUID (because device names can change after a reboot)

lsblk -o NAME,UUID

and insert this into the /etc/fstab:

UUID=8a4fcd51-d646-4aa9-8e3f-483d28822e12 /storage ext4 defaults,usrquota 0 0

The option “usrquota” is relevant to use the quota functionality of Froxlor later.

Install the Froxlor dependencies

The server is now running and all storage devices will be mounted correctly at boot. This is amazing – but we still need to set-up the web server, mail server, databases, SSL and Froxlor itself. I took the following steps to install it.

Create and SSL certificate

The server needs to be available on the address server4.example.com. Froxlor will be able to create SSL certificates later (without using any additional software), but for the first-time configuration I decided to use the lightweight LetsEncrypt client acme.sh and create a certificate with it:

apt install git socat
git clone https://github.com/Neilpang/acme.sh.git
cd acme.sh && ./acme.sh --install --home ~/myacme --cert-home /etc/acme
acme.sh --issue -d server4.example.com –standalone

Install the web server and MariaDB

As a web server we can simply choose Apache 2.4 from the official Debian repositories:

apt install apache2

I don’t like to use the database (MariaDB) packages from Debian itself, though. They get dusty very fast and I need a recent database server. We can get current versions on the official website of the project: https://downloads.mariadb.org/mariadb/repositories/

The configurator on this website will only display the release candidate 10.4 for Debian Buster, but that’s not a problem. The stable 10.3 is available by adjusting the sources.list entry, even if it’s not listed on the website.

MariaDB can be easily installed via apt. This will also create the root password (which should be noted and kept safe).

apt install mariadb-server

Get PHP 7.3 via sury.org

PHP starts to rot very fast inside the Debian project. I want to use versions that are state-of-the-art and the best solution for that is using the packages from Ondřej Sury. These are always kept up-to-date and give me the ability to test RC versions before they are released officially.

The installation can be done with these commands:

echo "deb https://packages.sury.org/php/ buster main" > /etc/apt/sources.list.d/php.list
apt-key adv --recv-keys --keyserver keyserver.ubuntu.com 0xB188E2B695BD4743
apt install php7.3

Depending on the project different extensions for PHP will be needed. You need to decide which ones you need to install on your machine.

I prepare my machine to use FPM, because there are problems with Nextcloud and big files when php-fcgid is used. I also install the database extension for it:

apt install php7.3-fpm
a2enmod proxy_fcgi setenvif
a2enconf php7.3-fpm
a2dismod php7.3 mpm_prefork
a2enmod mpm_worker
apt install php-mysql

Install Froxlor

Now it’s time for the real deal. In this last step we will finally set-up Froxlor.

Prepare the directories

Since there’s no .deb package of Froxlor yet, I need to create the Apache VirtualHost myself and install Froxlor manually afterwards.

With the following command I create a new VHost:

mcedit /etc/apache2/sites-available/001-froxlor.conf

and insert this content:

<VirtualHost *:80>
        ServerName server4.example.com
        Redirect permanent / https://server4.example.com/
</VirtualHost>

<VirtualHost *:443>
  ServerName server4.example.com
  ServerAdmin webmaster@example.com
  Header always set Strict-Transport-Security "max-age=15768000; includeSubdomains;"
  Header always append X-Frame-Options SAMEORIGIN
  Header always append X-XSS-Protection "1; mode=block"
  Header always append X-Content-Type-Options nosniff
  Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure

  SSLEngine on
  SSLCertificateFile /etc/acme/server4.example.com/server4.example.com.cer
  SSLCertificateKeyFile /etc/acme/server4.example.com/server4.example.com.key
  SSLCertificateChainFile /etc/acme/server4.example.com/fullchain.cer

  DocumentRoot /var/www/froxlor/html

  <Directory /var/www/froxlor/html/>
      Options +ExecCGI
      AllowOverride All
      AddHandler fcgid-script .php
      FCGIWrapper /var/www/froxlor/php-starter .php
      Order allow,deny
      Allow from all
  </Directory>

  LogLevel debug
  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

This VHost is utilizing the certificate we’ve created with acme.sh before and makes Froxlor available on https://server4.example.com. The Froxlor data needs to be put in /var/www/froxlor/html for this to work.

We need a user that will run Froxlor:

useradd -s /bin/false -U froxlorlocal

After that, we’ll create a directory for Froxlor

mkdir –p /var/www/froxlor/html

and create a PHP starter that will be used in conjunction with fcgid to deliver the content:

mcedit /var/www/froxlor/php-starter
chmod +x php-starter

Content:

#!/bin/bash
export PHPRC="/etc/php/7.3/cgi"
exec /usr/bin/php-cgi7.3

After this, I extracted the Froxlor files into the html directory, changed the permissions of the files and activated fcgid (which will later be replaced with FPM):

cd /var/www/froxlor/html/
chown –R froxlorlocal:froxlorlocal *apt install libapache2-mod-fcgid php-cgi
a2ensite 001-froxlor && a2enmod headers ssl fcgid && service apache2 restart

The actual installation and post-treatment

Froxlor can now be installed via the webinstaller by just opening up the URL we’ve set in the config files before. It’s possible that some PHP extensions still need to be installed. The setup process will display an overview of all needed extensions.

After the successful installation Froxlor will indeed be reachable, but it’s still not set-up correctly:

  • First of all, the correct ip addresses and ports need to be set under “IPs and Ports”
  • PHP-FPM needs to be activated in the settings to prevent Froxlor from still using FCGI.
    • The command for restarting PHP-FPM is: service php7.3-fpm restart
    • The path to the php-fpm configurations is: /etc/php/7.3/fpm/pool.d/
    • The configuration process still needs to be done (on the menu option “Configuration”). It’s not a problem to use the instructions for Debian Stretch here, these will all work fine on Buster, too.

After all these settings have been made correctly, we can finally disable FCGI and the default FPM configuration as well as running the Froxlor cronjob afterwards to create all of the configurations automatically in the future. acme.sh can be removed afterwards, too.

a2disconf php7.3-fpm
apt remove libapache2-mod-fcgid php-cgi
a2dissite 001-froxlor
php /var/www/froxlor/html/scripts/froxlor_master_cronjob.php --force --debug

DONE! Froxlor is now completely running on Debian 10 Buster.

There’s only one thing I did afterwards: Setting a symlink to my harddrive to save my customers data on these instead of the SSDs:

mv /var/customers /storage/
ln -s /storage/customers /var/customers

Note: The default settings of Froxlor are very minimal. For example, there’s no spam filter and no TLS encryption used on the mail server.

This tutorial does not cover these topics. Please make sure you are able to adjust these settings before releasing your system into the wild.

This Post Has 2 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

Back To Top