I don’t want to manage another set of usernames & passwds, so I’d like apache2 to authenticate off the standard users on my system, via PAM.

To get this to work, you need to install and configure mod_auth_pam and mod_auth_shadow

aptitude install libapache2-mod-auth-pam libapache2-mod-auth-shadow

Ensure the www-data user is part of the shadow group, so apache2 can read the passwords

usermod -G shadow www-data

And set up the relevent virtual host:

                AuthPAM_Enabled On
                AuthShadow on
                AuthPAM_FallThrough Off
                AuthBasicAuthoritative Off
                AuthType Basic
                AuthName "Restricted to group: sysadmins"
                AuthUserFile /dev/null
                Require group sysadmins

Restart apache, and you’re done!

https://help.ubuntu.com/8.04/serverguide/C/certificates-and-security.html

Create a new virtual host (you can only have one SSL virtual host / IP)

sudo cp /etc/apache2/sites-available/default /etc/apache2/sites-available/ssl

Edit ssl sothat it looks like this:
NameVirtualHost *:443

SSLCertificateFile /etc/ssl/certs/server.crt
SSLCertificateKeyFile /etc/ssl/private/server.key


Finally, if you want to force redirect of all traffic to a certain folder via SSL (e.g, /phpmyadmin), add the following to /etc/apache2/sites-available/default

#Redirect traffic to /phpmyadmin through https
        RewriteEngine   on
        RewriteCond     %{SERVER_PORT} ^80$
        RewriteRule     ^/phpmyadmin(.*)$ https://%{SERVER_NAME}/phpmyadmin$1 [L,R]

Enable it:

sudo a2ensite ssl
sudo /etc/init.d/apache2 reload

A convienient way to access that remote storage is to configure rsync over sshfs:

sudo aptitude install sshfs
mkdir /mnt/sshfs
mkdir /mnt/sshfs/rsync.net
sshfs **username**@ch-s011.rsync.net: /mnt/rsync.net

First, unmount

fusermount -u /mnt/rsync.net

Then, install autofs, and edit the config file

sudo aptitude install autofs
sudo vi /etc/auto.master

Add the following line 

/mnt/sshfs /etc/auto.sshfs --timeout=30,--ghost

Then,  

sudo vi /etc/auto.sshfs

Add

rsync.net -fstype=fuse,rw,nodev,nonempty,noatime,allow_other,max_read=65536 :sshfs#**username**@ch-s011.rsync.net:

And finally restart autofs 

sudo /etc/init.d/autofs restart

Now, when you cd /mnt/sshfs/rsync.net, after a short delay you will automatically be connected to the remote filesystem over SSH.  After 30 seconds of inactivity, the connection will be closed.

For backups, I want to do weekly backups and daily incrementals of the data files, and sync these off to an external backup location.

Broadly, there are two parts to the backup, creating the backed up files, and then copying them offsite.

Creating the backups

I’m using backup-manager 0.7.6-debian1, which handles backing up sets of files and MySQL databases to tar.gz files.

sudo aptitude install backup-manager
sudo /usr/sbin/backup-manager --version

The comments in the config file make editing it quite straight forward.

sudo vi /etc/backup-manager.conf

One minor points:

• Separate multiple backup methods with a space, eg:

  export BM_ARCHIVE_METHOD="tarball-incremental mysql"

To test:

sudo /usr/sbin/backup-manager --verbose

The output folder you specified (/var/archives) should now contain some .tar.gz versions of your data. Hurrah!

Getting the files offsite

Originally I intended to use Amazon’s S3 as a backup store, following Michael Zehrer’s instructions on how to rsync with S3. However, I couldn’t get this to work reliably; so I opted instead for rsync.net which offers standard scp, ftp, WebDav and sshfs access to their geographic backup locations.

Backup-manager can rsync over ssh, which is a quick and efficient way to sync changes over to the remote host..

The first step is get your rsync.net account setup; and set up your ssh so you can access without typing in a password

Then, set the BM_UPLOAD_METHOD to rsync, and configure both the scp and the rsync settings in /etc/backup-manager.conf (pay attention not to prefix remote folders with / ).

Test with:

sudo /usr/sbin/backup-manager --verbose

Once its all working, set up a cron job to call backup-manager daily.

crontab -e

I run backup-manager once per day in the wee hours, and log output to /root/crontab/daily_backup-manager.logs

  0 3   *   *   *    /usr/sbin/backup-manager -v > /root/cronlogs/daily_backup-manager.log

Viola!

user1 can have myblog1.com mapping to their wordpress blog (myblog1.masterwpmu.com) and
user2 can have myblog2.com mapping to their wordpress blog (myblog2.masterwpmu.com)

We need to configure quite a few moving parts:

1. DNS for masterwpmu.com – this should be an A record, pointing to the IP of your server
2. DNS for myblog1.com & myblog2.com – these should be CNAME records, pointing to the A record in (1) – eg. masterwpmu.com
3. Apache2 – we need to alter the apache vhost conf created by Plesk to setup a wildcard alias
4. WordPressMU – we need to configure it to serve the right content when receiving a request for myblog2.com or myblog2.com

When someone makes a browser request for myblog2.com, the following sequence happens:

1. myblog2.com is resolved to masterwpmu.com, which is resolved to the IP of your server.
2. the browser makes a request to the IP, port 80, passing the host header of myblog2.com
3. Apache intercepts the request to point 80, checks through all its known vhost server aliases, and not finding a match redirects to the wildcard alias pointing to our WPMU install
4. WPMU gets the request, matches the host header to the correct blog content, and returns the relevant page.

So, how do we configure this?

1. Create a new Plesk site, with its own domain name (eg. masterwpmu.com) & install WPMU.  Ensure this works.
2. Create a new CNAME record myblog2.com which resolves to masterwpmu.com (Its also possible to setup an A record pointing to the same IP as masterwpmu.com; although this will break if the IP of masterwpmu.com ever changes).  Google has a nice set of instructions for doing this on most major DNS providers (obviously you’ll want to point to masterwpmu.com rather than ghs.google.com )
3. Edit the Apache2 vhost conf created by Plesk at: /var/www/vhosts/masterwpmu.com/conf/httpd.include, changing:
   ServerAlias *
   <Directory>
   AllowOverride FileInfo Options
4. restart Apache2 ( /etc/init.d/apache2 restart)
5. Log in to the WPMU install as admin, and create a new blog.  Edit the new blog, and change the Domain & FileUpload Url to myblog2.com and http://myblog2.com/files (all the other Urls are automatically updated when you save)
6. Browse to http://myblog2.com !

Gotchas:

• You can only have 1 wildcard Apache ServerAlias per IP

Hope that helps!