Linux Server Project

last update Nov. 11, 2003

Introduction

This was originally just a simple document to help me keep track of the installation and setup of the linux server I was assembling. As such, it can be a little rough at times. It really is only on the 'net because I thought it would be useful for those trying to set up their own personal server at home.

The real purpose for setting up this server was to act as a sort of permanent file storage location (I download a lot of crap) and perform some server functions for my daughter, mostly for protection and SPAM filtering. Ultimately it had to perform these functions:

  1. Be cheap - in fact, I am trying very hard to build it entirely out of parts at hand that aren't being used. This isn't just cheap -- it's free. At least so far -- it helps to work at a software place with a lot of legacy systems. That also means everything has to be non-hardware dependent so I can upgrade piecemeal if needed.
  2. Be flexible for storage -- I want the system to work with my Windows boxes and my linux boxes. And anything else that might come up.
  3. Be able to run some extra services -- mostly an HTML proxy server to keep my daughter from accidentally hitting porn sites (she's still too young to do that on purpose), a mail proxy for spam filtering, and maybe some other things that will come up as I stumble across them. Basically, it needs to be the Internet gateway for a majority of my network. I have a firewall already in place for safety, but this is more to regulate what goes on inside the system -- like a firewall for a WAP, for instance.
All this means Linux. No question.

Hardware

The initial hardware list is:
  1. Zeos Pantera server case -- just lying around in my shed, it has 10 drive bays so it is perfect for this
  2. MB-8500TVG motherboard -- junked dell
  3. Pentium MMX-233 -- from junked Dell (not the same as the above MB)
  4. 64MB of Ram on SIMMs -- combined from both machines
  5. Diamond Stealth64 VGA card (no on-board video) -- in the Pantera
  6. Samsung SCR-3232 32x CD-ROM -- removed could not be detected.
  7. Sanyo CRD-820P 24x CD-ROM -- from my grandmother's compaq (really)
  8. Standard Microsystems Accton 10/100 EN5038 NIC -- from my old HP (my daughter's computer now -- no 'net connection yet) Removed -- apparently HP screws with the BIOS on these things and Linux can't even see it.
  9. Standard Microsystems Accton 10/100 EN5038 NIC -- from my officemates PC. Despite being identical to above, works like a charm.
  10. ST31220A IDE drive (1GB) -- from the Zeos, drive A
  11. Maxtor 90432D2 IDE drive (4.2GB) -- from Mom's computer, drive B
A real monster, eh?

I've got a 400Mhz Cyrix which I'm tempted to put underclocked on the 233Mhz board. It would eliminate some fan noise, but I'm not sure I can set the correct power.

Operating System

This is really a little more flexible than the hardware. I knew I would need a small OS to keep within the HD limitations, but it had to be fast, too, since it would be running on such a slow machine.

I asked around and was told Gentoo was a PITA to install. It's still a pretty good choice for a slow system, so I gave it a try. unfortunately, it ran out of space on the hard drive. I tried deleting X since I wouldn't be needing it, but I must have gone too far because it complained about missing packages. I hit my threshold on that and began trying other distributions.

Unfortunately, none of the graphic installers supported the Stealth64, so the major distros were out. I tried Debian, which installed without a hitch on the original hardware, but had no ext3 drivers. Rather than go to "unstable" I considered slackware.

Well, actually, I tried Vector Linux since the description kind of looked like just what I wanted -- a minimum of services enabled by default, and a text installation. Too bad it couldn't find the packages on the CD-ROM. A quick question on their support board turned up that the installer had a problem with some drives. I switched to a slower dive and installation went smoothly.

FTP

TBA

NFS

TBA

Samba

TBA

HTTP proxy + filtering

The basic idea here is to filter the web for my daughter. Yeah, I'm a fascist pig and should trust her judgment. But 3 year olds do not have any judgment. I plan to slowly phase this out as she gets older and learns responsibility. Right now she gets to visit playhouse Disney and other kid's sites and that's it.

The direct filtering will be at the firewall. Her computer (and the plan is for all wireless connections) will be blocked from Internet access. Instead, a proxy will be set up on the VL server that does have the right to access the Internet. Anyone can connect through it, and it will make sure that the proper filtering takes place.

Prehistory

I tried out privoxy and everything went perfectly. I highly recommend it, there was hardly any configuration necessary, and the make file installed everything beautifully. Unfortunately, it was no good for me.

For one thing, it allows the user to configure it from the web browser, but has no way to turn that feature off (or better yet, requiring some log-in). What good does this all do for me if my daughter can just visit http://p.p/ and turn it off?

So I kept looking and found DansGuardian. Wow, neat package that does real content filtering. That means I don't need to maintain a whitelist, I can use a blacklist for the worst offenders and trust the content filtering to get the rest. It looked real good, installed nicely, and failed utterly because it depends on squid. So let's start with that.

Squid-cache

Squid is a web caching program with some url filtering built in. Actually, it has a very powerful packet filter for maintaining black/white lists. I won't be using 99% of the functionality but it is neat to know it is there.

After downloading squid and putting it on the server I did the usual (this is very detailed since I was using the script command):

root@FileServe:/home/ftp# tar xzf squid-2.5.STABLE4.tar.gz
root@FileServe:/home/ftp# cd squid-2.5.STABLE4
root@FileServe:/home/ftp/squid-2.5.STABLE4# less README

Always read the README when you see one. It's good manners, and sometimes you find out you accidentally downloaded a beta version or worse. In this case it was mostly thank-yous and a comment about the GPL.

root@FileServe:/home/ftp/squid-2.5.STABLE4# ./configure
.......lots and lots of checks.....
root@FileServe:/home/ftp/squid-2.5.STABLE4# make

At this point go do something else. On my machine it took nearly an hour. Of course, it is a 266Mhz Pentium, so your mileage may vary.

root@FileServe:/home/ftp/squid-2.5.STABLE4# make install
root@FileServe:/home/ftp/squid-2.5.STABLE4# locate -u
root@FileServe:/home/ftp/squid-2.5.STABLE4# cd /usr/local/squid/bin
root@FileServe:/usr/local/squid/bin# ./RunAccel
Running: squid -a 80 -s > > /usr/local/squid/var/squid.out 2> &1
./RunAccel: line 36: 9768 Aborted squid -N $port -s $conf > >$lo gdir/squid.out 2> &1
Running: squid -a 80 -s > > /usr/local/squid/var/squid.out 2> &1
./RunAccel: line 36: 9774 Aborted squid -N $port -s $conf > >$lo gdir/squid.out 2> &1
Running: squid -a 80 -s > > /usr/local/squid/var/squid.out 2> &1
./RunAccel: line 36: 9780 Aborted squid -N $port -s $conf > >$lo gdir/squid.out 2> &1

Whoops. Still needed to set something up. Oh, and if you were wondering about the locate -u , I always do that right after an install. The locate command is indispensible when some manual tells you to edit the squid.conf file.

root@FileServe:/usr/local/squid/bin# cd ../var
root@FileServe:/usr/local/squid/var# less squid.out
WARNING: Cannot write log file: /usr/local/squid/var/logs/cache.log
/usr/local/squid/var/logs/cache.log: Permission denied
messages will be sent to 'stderr'.
2003/12/01 14:45:52| WARNING: Closing open FD 2
2003/12/01 14:45:52| Starting Squid Cache version 2.5.STABLE4 for i586-pc-linux- gnu...
2003/12/01 14:45:52| Process ID 9768
2003/12/01 14:45:52| With 1024 file descriptors available
2003/12/01 14:45:52| Performing DNS Tests...
2003/12/01 14:45:52| Successful DNS name lookup tests...
2003/12/01 14:45:52| DNS Socket created at 0.0.0.0, port 1027, FD 4
2003/12/01 14:45:52| Adding nameserver 38.8.82.2 from /etc/resolv.conf
FATAL: Cannot open '/usr/local/squid/var/logs/access.log' for writing.
The parent directory must be writable by the
user 'nobody', which is the cache_effective_user
set in squid.conf.
Squid Cache (Version 2.5.STABLE4): Terminated abnormally.

Aha! I should have read the manual. I need to create the cache directory with squid -z and I need to make the logs directory writable by nobody (that's a user named 'nobody'). Running squid again still caused problems. Erp, the files were not writable. I think this was because I wasn't running as 'nobody', but since nobody has no password, I can't log on under that name anyway.

There has to be a way around this, but for now just using chmod works.
root@FileServe:/usr/local/squid/var# chmod a+w logs
root@FileServe:/usr/local/squid/var# cd logs
root@FileServe:/usr/local/squid/var/logs# chmod a+w *
root@FileServe:/usr/local/squid/var/logs# cd ../../sbin
root@FileServe:/usr/local/squid/sbin# ./squid -z
2003/12/01 14:53:54| Creating Swap Directories
FATAL: Failed to make swap directory /usr/local/squid/var/cache: (13) Permission denied
Squid Cache (Version 2.5.STABLE4): Terminated abnormally.
root@FileServe:/usr/local/squid/sbin# chmod a+w ../var
root@FileServe:/usr/local/squid/sbin# ./squid -z
2003/12/01 15:02:54| Creating Swap Directories
root@FileServe:/usr/local/squid/sbin# ./squid -NCd1

It ran without error, so now it was time to point my browser at it. Port 3180 is the default and . . . dang, access denied.

Oops, need to change the squid.conf file. You remembered to update the locate database, right? Just in case, it's in the etc directory off the squid root.

The offending line is quite a way down in the file. Basically I just needed to change the line

http_access deny all

to http_access allow all

Which, I suppose, isn't the safest setting in the world, but it's good for testing. And test's proved good. The browser now updated with only a tiny delay.

Now to turn of caching, I don't need it and it just wastes disk space. I'm using this as a domain filter, not a real proxy. To do this, back to the config file and add

no_cache deny all

Don't forget to delete the files already cached. They add up fast.

DansGuardian

DansGuardian was easy to download and install. I did it before the above, so no script log of my efforts. Aside from the surprise of needing squid, it was completely uneventful. The details I followed are at he top of this. Since VectorLinux is slackware based I couldn't install the binaries, but that didn't hurt any.

I pointed the browser at port 8080 and everything worked perfectly. I even tried visiting the playboy website and it was blocked.

Of course, there was nothing preventing me from just pointing my browser right back at squid and bypassing DansGuardian that way. So I had to block all requests that didn't come from DansGuardian which, fortunately, was easy.

http_access deny !localhost

The localhost acl is even already defined, so that's all there is to it.

Start on boot - Stupidity reigns

This is where I did something stupid. The squid page recommends setting up a squid.sh and calling it from inittab. I tried that out, but it was giving me problems. But first, the squid.sh I used:

#!/bin/sh
C=/usr/local/squid
PATH=/usr/bin:$C/sbin
TZ=PST8PDT
export PATH TZ

# User to notify on restarts
notify="root"

# Squid command line options
opts=""

cd $C
umask 022
#sleep 10
while [ -f /var/run/nosquid ]; do
sleep 1
done
#/usr/bin/tail -20 $C/logs/cache.log \
# | Mail -s "Squid restart on 'hostname' at 'date'" $notify
exec sbin/squid -N $opts

The inittab would restart the process every time it halted. Kind of nice, but DansGuardian would fail to start because it needed squid running. So I switched to the alternative, the startup scripts in rc2.d. I made a symbolic link in the directory to the two scripts

root@FileServe:/etc/rc.d/rc2.d# ln -s /usr/local/squid/sbin/squid.sh S50squid
root@FileServe:/etc/rc.d/rc2.d# ln -s ../init.d/dansguardian S55dansguardian
root@FileServe:/etc/rc.d/rc2.d# ln -s ../init.d/dansguardian K55dansguardian

and rebooted. We don't need a kill script for squid since it shuts down on its own and we aren't caching anything anyway.

Do you see the mistake?

Well, the web services started working again and I thought everything was hunky-dory until I ssh'd into the machine. Crash.

I had to hook up a monitor to see what had happened. The boot process locked up halfway through. I restarted and the same thing happened. So I sat down to think of what I did last and realized the problem. The shell script calls squid -N

which halts the process.

For inittab, this is correct since it ensures the process will keep rebooting whenever squid crashes. Easy to fix, if I could just get the computer to actually boot. Actually, I still don't know how I did this, it just happened while I was searching the web for an answer. Maybe it timed out, or maybe one of the keypresses that seemed to have no effect actually just had a delayed one. Either way, a quick session with vi and everything worked.

Copyright 2004, Warren K. vonRoeschlaub.
Non-commercial distribution under similar license allowed. Click on the Creative Commons button for details.
Creative Commons License
This page is licensed under a Creative Commons License.