Ubilling на Debian Jessie

Имеем 2 сетевых интерфейса
eth1 100.1.1.1 — интернет
eth0 192.168.10.1 — локальная сеть

Добавляем репозиторий
vim /etc/apt/sources.list:

deb http://ftp.ua.debian.org/debian/ jessie main

aptitude update
aptitude install apache2 bandwidthd expat libapache2-mod-php5 mysql-server libexpat1 libmysqlclient-dev libxmlrpc-c++8 libxmlrpc-c++8-dev php5-cli php5-mysql isc-dhcp-server softflowd sudo wget build-essential openssl iptables-persistent
# NOTE(review): these two .deb files are downloaded over plain HTTP and installed
# with dpkg -i, which does not perform the repository signature check that
# apt/aptitude applies. Compare their SHA256 sums with the mirror's signed
# Packages index before installing.
wget http://ftp.ua.debian.org/debian/pool/main/x/xmlrpc-c/{libxmlrpc-core-c3_1.33.14-0.2_amd64.deb,libxmlrpc-core-c3-dev_1.33.14-0.2_amd64.deb}
dpkg -i libxmlrpc-core-c3_1.33.14-0.2_amd64.deb libxmlrpc-core-c3-dev_1.33.14-0.2_amd64.deb

vim /etc/default/isc-dhcp-server:

INTERFACES="eth0"

service isc-dhcp-server start

vim /etc/bandwidthd/bandwidthd.conf:

htdocs_dir "/var/lib/bandwidthd/htdocs"

vim /etc/apache2/conf-enabled/bandwidthd.conf

Alias /bwd /var/lib/bandwidthd/htdocs/

chown -R www-data:www-data /var/lib/bandwidthd/htdocs/
service bandwidthd restart

visudo

# NOTE(review): this lets www-data (the account the web server and its PHP code
# run as) execute any command as root without a password, so a code-execution
# bug in any web application on this host becomes root. Prefer a Cmnd_Alias that
# lists only the commands the billing really calls — TODO confirm the required
# set against billing.ini.
User_Alias BILLING = www-data
BILLING ALL = NOPASSWD: ALL

Устанавливаем шейпер
# NOTE(review): the script is fetched over plain HTTP and saved straight into
# /etc/init.d, where it is executed as root. Read the downloaded file (and
# compare it with a checksum obtained over a trusted channel, if one is
# available) before making it executable.
wget http://sourceforge.net/projects/htbinit/files/HTB.init/0.8.5/htb.init-v0.8.5 -O /etc/init.d/htb
chmod +x /etc/init.d/htb
mkdir /etc/htb
vim /etc/init.d/htb:

#!/bin/bash
### BEGIN INIT INFO
# Provides:          htb init script
# Required-Start:    $remote_fs
# Required-Stop:     $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: start htb
# Description:       enable traffic control
### END INIT INFO
HTB_PATH=${HTB_PATH:-/etc/htb}

Добавляем htb в автозапуск
systemctl enable htb.service

vim /etc/htb/eth0:

DEFAULT=0
R2Q=100

vim /etc/htb/eth1:

DEFAULT=0
R2Q=100

vim /etc/htb/eth0-2.root:

RATE=100Mbit
CEIL=100Mbit

vim /etc/htb/eth1-2.root:

RATE=100Mbit
CEIL=100Mbit

service htb compile
service htb start

vim /etc/default/softflowd:

INTERFACE="eth0"
OPTIONS="-n 192.168.10.1:42111"

service softflowd restart

Устанавливаем stargazer
Добавляем заголовочный файл из исходников iptables — без него stargazer не скомпилируется (https://git.netfilter.org/iptables/tree/include/linux/netfilter_ipv4/ip_queue.h)
vim /usr/include/linux/netfilter_ipv4/ip_queue.h:

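/*
 * This is a module which is used for queueing IPv4 packets and
 * communicating with userspace via netlink.
 *
 * (C) 2000 James Morris, this code is GPL.
 */
#ifndef _IP_QUEUE_H
#define _IP_QUEUE_H

#ifdef __KERNEL__
#ifdef DEBUG_IPQ
#define QDEBUG(x...) printk(KERN_DEBUG ## x)
#else
#define QDEBUG(x...)
#endif  /* DEBUG_IPQ */
#else
/*
 * The header name was lost from this listing (a bare "#include" does not
 * compile). IFNAMSIZ, used below, is provided by <net/if.h>; compare with the
 * upstream ip_queue.h before installing the file.
 */
#include <net/if.h>
#endif	/* ! __KERNEL__ */

/* Messages sent from kernel */
typedef struct ipq_packet_msg {
	unsigned long packet_id;	/* ID of queued packet */
	unsigned long mark;		/* Netfilter mark value */
	long timestamp_sec;		/* Packet arrival time (seconds) */
	long timestamp_usec;		/* Packet arrival time (+useconds) */
	unsigned int hook;		/* Netfilter hook we rode in on */
	char indev_name[IFNAMSIZ];	/* Name of incoming interface */
	char outdev_name[IFNAMSIZ];	/* Name of outgoing interface */
	__be16 hw_protocol;		/* Hardware protocol (network order) */
	unsigned short hw_type;		/* Hardware type */
	unsigned char hw_addrlen;	/* Hardware address length */
	unsigned char hw_addr[8];	/* Hardware address */
	size_t data_len;		/* Length of packet data */
	unsigned char payload[0];	/* Optional packet data */
} ipq_packet_msg_t;

/* Messages sent from userspace */
typedef struct ipq_mode_msg {
	unsigned char value;		/* Requested mode */
	size_t range;			/* Optional range of packet requested */
} ipq_mode_msg_t;

typedef struct ipq_verdict_msg {
	unsigned int value;		/* Verdict to hand to netfilter */
	unsigned long id;		/* Packet ID for this verdict */
	size_t data_len;		/* Length of replacement data */
	unsigned char payload[0];	/* Optional replacement packet */
} ipq_verdict_msg_t;

typedef struct ipq_peer_msg {
	union {
		ipq_verdict_msg_t verdict;
		ipq_mode_msg_t mode;
	} msg;
} ipq_peer_msg_t;

/* Packet delivery modes */
enum {
	IPQ_COPY_NONE,		/* Initial mode, packets are dropped */
	IPQ_COPY_META,		/* Copy metadata */
	IPQ_COPY_PACKET		/* Copy metadata + packet (range) */
};
#define IPQ_COPY_MAX IPQ_COPY_PACKET

/* Types of messages */
#define IPQM_BASE	0x10	/* standard netlink messages below this */
#define IPQM_MODE	(IPQM_BASE + 1)		/* Mode request from peer */
#define IPQM_VERDICT	(IPQM_BASE + 2)		/* Verdict from peer */
#define IPQM_PACKET	(IPQM_BASE + 3)		/* Packet from kernel */
#define IPQM_MAX	(IPQM_BASE + 4)

#endif /*_IP_QUEUE_H*/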

cd /usr/src/
wget http://stargazer.net.ua/download/server/2.408/stg-2.408.tar.gz
tar xzf stg-2.408.tar.gz
cd stg-2.408/projects/stargazer
./build
make install
cd ../sgconf
./build
make
make install
cd ../sgconf_xml/
./build
make
make install
cd ../stargazer/plugins/configuration/rpcconfig/
make
make install

Создаем скрипт запуска для stargazer
vim /etc/init.d/stg:

#!/bin/bash
### BEGIN INIT INFO
# Provides:          startgazer init script
# Required-Start:    $remote_fs
# Required-Stop:     $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: start startgazer
# Description:       enable startgazer daemon on start system
### END INIT INFO

# Human-readable service name printed in the status messages.
NAME='startgazer daemon'
# Name of the daemon binary that pgrep searches for.
BINARYNAME='stargazer'
# File in which start() records the PID(s) found for the daemon.
PIDFILE='/var/run/startgazer.pid'

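# Report whether the daemon is currently running.
# Globals:   BINARYNAME (read)
# Returns:   0 if a process named exactly $BINARYNAME exists, 1 otherwise
running() {
    # -x matches the process name exactly. "pgrep -f" matched the whole command
    # line, so an editor or "tail" opened on a path containing the name was
    # also counted as the daemon.
    if pgrep -x "$BINARYNAME" > /dev/null 2>&1; then
        return 0
    fi
    return 1
}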

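# Start the daemon unless it is already running, then record its PID.
# Globals:   NAME, BINARYNAME, PIDFILE (read)
# Outputs:   progress messages on stdout
start() {
    if ! running; then
        echo -n "Starting the $NAME ... "
        start-stop-daemon --start --exec /usr/sbin/stargazer
        # Record only processes named exactly $BINARYNAME. With "pgrep -f" the
        # PID file could also list unrelated processes whose command line
        # merely mentions the name.
        pgrep -x "$BINARYNAME" > "$PIDFILE"
        if [ -s "$PIDFILE" ]; then
            echo "Done"
        else
            echo "Failed"
            # -f: do not complain if the redirection above could not create it
            rm -f "$PIDFILE"
        fi
    else
        echo "The $NAME is already started."
    fi
}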

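# Stop the daemon if it is running and remove the PID file.
# Globals:   NAME, BINARYNAME, PIDFILE (read)
# Outputs:   progress messages on stdout
# Returns:   1 if the daemon is still running after the wait limit
stop() {
    local pids
    local waited=0
    local max_wait=30
    if running; then
        echo -n "Stopping the $NAME ... "
        # Signal only processes named exactly $BINARYNAME instead of every PID
        # listed in $PIDFILE: the file may be missing or stale, and start()
        # fills it from a pgrep match rather than from the daemon itself, so
        # this script (run as root) could otherwise signal unrelated processes
        # or call kill with no arguments.
        pids=$(pgrep -x "$BINARYNAME")
        if [ -n "$pids" ]; then
            # Unquoted on purpose: one PID per word.
            kill $pids
        fi
        # Bounded wait, so a daemon that ignores the signal cannot hang
        # shutdown forever.
        while running; do
            if [ "$waited" -ge "$max_wait" ]; then
                echo "Failed"
                return 1
            fi
            sleep 1
            waited=$((waited + 1))
        done
        rm -f "$PIDFILE"
        echo "Done"
    else
        echo "The $NAME is already stopped."
    fi
}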

# Command dispatch: the first argument selects the action.
if [ "$1" = "start" ]; then
    start
elif [ "$1" = "stop" ]; then
    stop
elif [ "$1" = "restart" ]; then
    # restart is stop followed by start
    stop
    start
elif [ "$1" = "status" ]; then
    if running; then
        echo "The $NAME is started."
    else
        echo "The $NAME is stopped."
    fi
else
    # Anything else, including no argument at all, prints the usage line.
    echo "Usage: $0 (start|stop|restart|status)"
    exit 1
fi
exit 0

Добавляем в автозапуск stargazer
insserv -d stg

cp /etc/stargazer/conf-available.d/{store_mysql.conf,mod_rpc.conf,mod_cap_nf.conf,mod_remote_script.conf} /etc/stargazer/conf-enabled.d/
vim /etc/stargazer/stargazer.conf:

LogFile = /var/log/stargazer/stargazer.log
# Store module
# Configure the module that works with the database server

# Warning: Only one store module could be used at the same time!

<IncludeFile "conf-enabled.d/store_mysql.conf">
</IncludeFile>


################################################################################
# Other modules

<Modules>

    <IncludeFile "conf-enabled.d/mod_*.conf">
    </IncludeFile>

    <IncludeFile "conf-enabled.d/mod_ia.conf">
    </IncludeFile>
   <IncludeFile "conf-enabled.d/mod_sg.conf">
    </IncludeFile>

    <IncludeFile "conf-enabled.d/mod_cap_nf.conf">
    </IncludeFile>

    <IncludeFile "conf-enabled.d/mod_rpc.conf">
    </IncludeFile>

    <IncludeFile "conf-enabled.d/mod_remote_script.conf">
    </IncludeFile>

</Modules>

mkdir /var/log/stargazer

vim /etc/stargazer/conf-enabled.d/store_mysql.conf:

Database = stargazer
User = stargazer
Password = stargazerpasswd

vim /etc/stargazer/conf-enabled.d/mod_cap_nf.conf:

TCPPort = 42111
UDPPort = 42111

vim /etc/stargazer/conf-enabled.d/mod_rpc.conf:

Port = 8081
vim /etc/stargazer/conf-enabled.d/mod_remote_script.conf:
SubnetFile = /etc/stargazer/subnets

vim /etc/stargazer/subnets:

192.168.10.0/24 100.1.1.1

# NOTE(review): mode 777 makes this file writable by every local account, and it
# is the SubnetFile that mod_remote_script is pointed at above. Restrict write
# access to the account that actually maintains it — TODO confirm which one.
chmod 777 /etc/stargazer/subnets

vim /etc/stargazer/rules:

ALL     0.0.0.0/0       DIR0

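Делаем базу данных для stargazer (stargazerpasswd здесь и в конфигурационных файлах — пример пароля; задайте собственный и используйте его везде одинаково)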
mysql -u root -p
CREATE DATABASE stargazer;
GRANT ALL PRIVILEGES ON stargazer.* TO stargazer@localhost IDENTIFIED BY 'stargazerpasswd';
quit

Запускаем stargazer, чтобы он создал свои таблицы в базе данных
/etc/init.d/stg start
Проверяем таблицы
mysql -u stargazer -p stargazer -e "SHOW TABLES"

+---------------------+
| Tables_in_stargazer |
+---------------------+
| admins              |
| messages            |
| stat                |
| tariffs             |
| users               |
+---------------------+

/etc/init.d/stg stop

Устанавливаем ubilling
mkdir /var/www/ubilling
wget http://ubilling.net.ua/ub.tgz
tar fxz ub.tgz -C /var/www/ubilling
chown -R www-data:www-data /var/www/ubilling

Создаем таблицы для ubilling
mysql -u stargazer -p stargazer < /var/www/ubilling/docs/test_dump.sql

vim /var/www/ubilling/config/mysql.ini:

username = "stargazer"
password = "stargazerpasswd"
db = "stargazer"

vim /var/www/ubilling/config/billing.ini

STG_LOGIN=admin
STG_PASSWD=adminpasswd
SUDO=/usr/bin/sudo
RC_DHCPD=/etc/init.d/isc-dhcp-server
GREP=/bin/grep
PING=/bin/ping
LANG = ru
TASKBAR_ICON_SIZE = 64
REGRANDOM_MAC=0

ln -fs /etc/dhcp/ /var/www/ubilling/multinet

vim /var/www/ubilling/config/dhcp/global.template:

option domain-name "example.com";
option domain-name-servers 192.168.10.1;

vim /var/www/ubilling/config/dhcp/subnets.template:

option domain-name "example.com";
option routers 192.168.10.1;
include "/etc/dhcp/{HOSTS}";

cp /var/www/ubilling/docs/presets/Linux/etc/* /etc/stargazer/
chmod +x /etc/stargazer/*

vim /etc/stargazer/config:

username = stargazer
password = stargazerpasswd
database = stargazer

vim /etc/stargazer/OnConnect:

IFUP="eth1"
IFDOWN="eth0"
echo "$cur_date $cur_time CONNECT: ID-$ID;LOGIN-$LOGIN;IP-$IP;CASH-$CASH;SPEED-$SPEED;UPSPEED-$UPSPEED,MAC-$MAC" >> /var/log/stargazer/allconnect.log

vim /etc/stargazer/OnDisconnect:

IFUP="eth1"
IFDOWN="eth0"
echo "$cur_date $cur_time DISCONNECT: ID-$ID;LOGIN-$LOGIN;IP-$IP;CASH-$CASH;SPEED-$SPEED;UPSPEED-$UPSPEED,MAC-$MAC" >> /var/log/stargazer/allconnect.log

vim /etc/stargazer/GetMac:

#!/usr/bin/php

vim /etc/stargazer/GetSpeed:

#!/usr/bin/php

vim /etc/stargazer/GetUpSpeed:

#!/usr/bin/php

Даем ubilling права на папку dhcp, чтобы он смог сгенерировать конфигурационный файл для dhcp-сервера
chown -R www-data:www-data /etc/dhcp

Включаем пересылку сетевых пакетов
vim /etc/sysctl.conf:

net.ipv4.ip_forward=1

sysctl -p
vim /etc/rc.local:

sysctl -p

vim /etc/stargazer/conf-enabled.d/mod_remote_script.conf:

SubnetFile = /var/www/ubilling/remote_nas.conf

Запускаем stargazer
/etc/init.d/stg start

Генерируем самоподписанные сертификаты для SSL
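cd /etc/ssl/private
# Generate a passphrase-protected key, then write a passphrase-free copy for
# Apache. The first command has to write the file the second one reads; it
# used to write example.com.key while the second read a server.key that no
# earlier step created.
openssl genrsa -des3 -out server.key 2048
openssl rsa -in server.key -out example.com.key
# -days on a certificate request is ignored; the validity period comes from
# the x509 step below.
openssl req -new -days 36500 -key example.com.key -out example.com.csr
openssl x509 -in example.com.csr -out example.com.crt -req -signkey example.com.key -days 3650
# example.com.key carries no passphrase so that Apache can start unattended;
# file permissions are its only protection.
chmod 400 server.key example.com.*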

Включаем поддержку SSL на нашем сайте
vim /etc/apache2/sites-available/default-ssl.conf:

SSLEngine on
SSLCertificateFile /etc/ssl/private/example.com.crt
SSLCertificateKeyFile /etc/ssl/private/example.com.key

a2ensite default-ssl

Создаем конфигурационный файл для apache
vim /etc/apache2/conf-enabled/ubilling.conf:

Alias /ubil /var/www/ubilling/
<Directory /var/www/ubilling/>
  DirectoryIndex index.php
  Require all granted
</Directory>

service apache2 reload

Включаем NAT и открываем порты
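# SNAT is only valid in the nat table; without "-t nat" iptables looks for a
# POSTROUTING chain in the filter table and the command fails.
iptables -t nat -I POSTROUTING 1 -s 192.168.10.0/24 -o eth1 -j SNAT --to-source 100.1.1.1
# NOTE(review): the ACCEPT rules below restrict nothing unless the INPUT policy
# (or a final rule) drops the remaining traffic. No such rule is shown in this
# guide, so check the policy with "iptables -S INPUT".
iptables -I INPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I INPUT 2 -s 192.168.10.0/24 -d 192.168.10.1 -i eth0 -p tcp -m state --state NEW -m multiport --dports 80,443,5555,8081,9999,42111 -j ACCEPT
iptables -I INPUT 3 -s 192.168.10.0/24 -d 192.168.10.1 -i eth0 -p udp -m multiport --dports 67,5555,42111 -j ACCEPT
service netfilter-persistent save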

Заходим в биллинг https://example.com/ubil
По умолчанию логин admin, пароль demo
Сразу после первого входа заходим в "Права администраторов" (внизу в левом углу) и изменяем пароль по умолчанию

Asterisk с веб интерфейсом FreePBX на Debian Jessie

Добавляем репозиторий
vim /etc/apt/sources.list:

deb http://ftp.ua.debian.org/debian/ jessie main

aptitude update
aptitude install asterisk asterisk-dahdi asterisk-mp3 asterisk-core-sounds-ru asterisk-moh-opsound-wav libpri1.4 apache2 mysql-server bind9 bison flex php5 php5-curl php5-cli php5-mysql php-pear php-db php5-gd curl sox libncurses5-dev libssl-dev libmysqlclient-dev mpg123 libxml2-dev libnewt-dev sqlite3 libsqlite3-dev libasound2-dev libogg-dev libvorbis-dev libcurl4-openssl-dev libical-dev libneon27-dev libsrtp0-dev libspandsp-dev libiksemel3 iptables-persistent

Исправляем конфигурационный файл asterisk для logrotate, иначе будет писать ошибку

error: skipping "/var/log/asterisk/..." because parent directory has insecure permissions

vim /etc/logrotate.d/asterisk:

/var/log/asterisk/debug /var/log/asterisk/messages /var/log/asterisk/full /var/log/asterisk/*_log {
        su asterisk asterisk
        size 40M
        missingok
        rotate 20
        compress
        sharedscripts
        create 0640 asterisk asterisk
        postrotate
                /usr/sbin/invoke-rc.d asterisk logger-reload > /dev/null 2> /dev/null
        endscript
}

Запускаем apache от пользователя asterisk
vim /etc/apache2/apache2.conf:

User asterisk
Group asterisk

vim /etc/apache2/envvars:

export APACHE_RUN_USER=asterisk
export APACHE_RUN_GROUP=asterisk

Делаем базу данных для FreePBX
mysql -u root -p
create database asterisk;
create database asteriskcdrdb;
GRANT ALL PRIVILEGES ON asterisk.* TO asterisk@localhost IDENTIFIED BY 'asteriskpasswd';
GRANT ALL PRIVILEGES ON asteriskcdrdb.* TO asterisk@localhost IDENTIFIED BY 'asteriskpasswd';
quit

wget http://mirror.freepbx.org/freepbx-12.0.43.tgz
tar xzf freepbx-12.0.43.tgz
cd freepbx
./start_asterisk restart
./install_amp --installdb --username=asterisk --password=asteriskpasswd --webroot=/var/www/freepbx/
amportal chown
amportal a ma installall
amportal a reload
amportal a ma refreshsignatures
amportal chown

Добавляем в автозапуск FreePBX
vim /etc/rc.local

amportal start

Генерируем самоподписанные сертификаты для SSL
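cd /etc/ssl/private
# Generate a passphrase-protected key, then write a passphrase-free copy for
# Apache. The first command has to write the file the second one reads; it
# used to write example.com.key while the second read a server.key that no
# earlier step created.
openssl genrsa -des3 -out server.key 2048
openssl rsa -in server.key -out example.com.key
# -days on a certificate request is ignored; the validity period comes from
# the x509 step below.
openssl req -new -days 36500 -key example.com.key -out example.com.csr
openssl x509 -in example.com.csr -out example.com.crt -req -signkey example.com.key -days 3650
# example.com.key carries no passphrase so that Apache can start unattended;
# file permissions are its only protection.
chmod 400 server.key example.com.*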

Настраиваем FreePBX на виртуальный хост
vim /etc/apache2/sites-available/freepbx.conf:

<VirtualHost *:443>
    ServerName fpbx.example.com
    ServerAdmin admin@example.com
    ErrorLog /var/log/apache2/freepbx-error.log
    CustomLog /var/log/apache2/freepbx-access.log combined
    DocumentRoot /var/www/freepbx
    <Directory /var/www/freepbx>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>
    <Directory /var/www/freepbx/admin>
        Require all granted
    </Directory>
    SSLEngine on
    SSLCertificateFile /etc/ssl/private/example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/example.com.key
</VirtualHost>

a2ensite freepbx
invoke-rc.d apache2 restart

Включаем русский язык в FreePBX
vim /usr/share/locale/locale.alias:

#russian         ru_RU.KOI8-R
russian ru
ru ru_RU
ru_RU ru_RU.UTF-8

locale-gen ru_RU.UTF-8

Настраиваем DNS сервер в chroot режиме
vim /etc/default/bind9:

OPTIONS="-u bind -t /var/bind9/chroot -4"

mkdir -p /var/bind9/chroot/{etc,dev,var/cache/bind,var/run/named}
mknod /var/bind9/chroot/dev/null c 1 3
mknod /var/bind9/chroot/dev/random c 1 8
chmod 660 /var/bind9/chroot/dev/{null,random}
mv /etc/bind /var/bind9/chroot/etc
ln -s /var/bind9/chroot/etc/bind /etc/bind
chown -R bind:bind /etc/bind/*
chmod 775 /var/bind9/chroot/var/{cache/bind,run/named}
chgrp bind /var/bind9/chroot/var/{cache/bind,run/named}

vim /etc/init.d/bind9:

PIDFILE=/var/bind9/chroot/var/run/named/named.pid

vim /var/bind9/chroot/etc/bind/named.conf.options:

options {
        directory "/var/cache/bind";
        dnssec-validation auto;
        auth-nxdomain no;
        listen-on-v6 { none; };
        listen-on { 127.0.0.1; 192.168.40.1; };
        allow-query { any; };
        recursion yes;
        allow-recursion { 127.0.0.1;192.168.40.0/24; };
        version "my dns server";
};

vim /etc/rsyslog.d/bind-chroot.conf:

$AddUnixListenSocket /var/bind9/chroot/dev/log

invoke-rc.d rsyslog restart

vim /var/bind9/chroot/etc/bind/named.conf.local:

zone "example.com" IN {
        type master;
        file "/etc/bind/example.com";
        allow-update { none; };
};
include "/etc/bind/zones.rfc1918";

vim /var/bind9/chroot/etc/bind/example.com:

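; Zone data for example.com; every name below points at 192.168.40.1.
$TTL 3600       ; 1 hour
@               IN      SOA     ns.example.com.      admin.example.com. (
                                2013090608 ; serial
                                3600       ; refresh (1 hour)
                                900        ; retry (15 minutes)
                                360000     ; expire (4 days 4 hours)
                                3600       ; minimum (1 hour)
)
                IN                      NS      ns.example.com.
                IN                      A       192.168.40.1
ns                   IN      A       192.168.40.1
example.com.         IN      A       192.168.40.1
; The label must match the Apache ServerName fpbx.example.com; it was
; misspelled "fbpx", which left the virtual host name unresolvable.
fpbx                 IN      A       192.168.40.1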

invoke-rc.d bind9 restart

Переключаемся на свой DNS сервер
vim /etc/resolv.conf:

nameserver 127.0.0.1

FreePBX будет доступен на https://fpbx.example.com

Увеличиваем допустимый размер загружаемых музыкальных файлов для asterisk
vim /etc/php5/apache2/php.ini:

upload_max_filesize = 40M

Убираем asterisk из автозапуска, так как его запускает FreePBX
insserv -r asterisk

Открываем порты
iptables -I INPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I INPUT 2 -s 192.168.40.0/24 -d 192.168.40.1 -i eth0 -p tcp -m state --state NEW -m multiport --dports 443,2000,5038 -j ACCEPT
iptables -I INPUT 3 -s 192.168.40.0/24 -d 192.168.40.1 -i eth0 -p udp -m multiport --dports 53,2727,4520,4569,5000,5036,5060,10000:20000 -j ACCEPT
invoke-rc.d netfilter-persistent save

Webvirtmgr на Debian Jessie. Веб интерфейс для Linux KVM

Добавляем репозиторий
vim /etc/apt/sources.list:

deb http://ftp.ua.debian.org/debian/ jessie main

aptitude update
aptitude install git python-pip python-libvirt python-libxml2 novnc supervisor qemu-kvm libvirt-bin virtinst sasl2-bin apache2 libapache2-mod-wsgi bridge-utils iptables-persistent

Настраиваем KVM
vim /etc/default/libvirtd:

libvirtd_opts="-d -l"

vim /etc/libvirt/libvirtd.conf:

# NOTE(review): TLS is disabled and the plain TCP listener is enabled, so no
# certificates protect remote connections to libvirtd. Protection then rests on
# the SASL setup for libvirt (auth_tcp — TODO confirm it is not set to "none")
# and on the firewall rule that opens port 16509 at the end of this guide; keep
# that port limited to the management network.
listen_tls = 0
listen_tcp = 1

invoke-rc.d libvirtd restart

Делаем сетевой мост для KVM
vim /etc/network/interfaces:

auto br0
allow-hotplug br0
iface br0 inet static
        address 192.168.10.1
        gateway 192.168.10.1
        bridge_ports eth0
        bridge_stp off
        bridge_maxwait 0

invoke-rc.d networking stop && invoke-rc.d networking start

Настраиваем webvirtmgr
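cd /var/www
# Clone over HTTPS: the git:// protocol is unauthenticated and unencrypted, and
# GitHub no longer serves it.
git clone https://github.com/retspen/webvirtmgr.git
cd webvirtmgr
pip install -r requirements.txt
./manage.py syncdb
./manage.py collectstatic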
vim conf/gunicorn.conf.py:

# NOTE(review): 0.0.0.0 makes gunicorn listen on every interface over plain
# HTTP. The Apache virtual host later in this guide is also declared on *:8000,
# so confirm which of the two is meant to own the port; if gunicorn stays in
# use, binding it to 127.0.0.1 behind a TLS-terminating proxy is safer.
bind = '0.0.0.0:8000'

chown -R www-data:www-data /var/www/webvirtmgr

Добавляем пользователя, который получит доступ к веб интерфейсу
/var/www/webvirtmgr/manage.py createsuperuser
Потом для того же пользователя
saslpasswd2 -a libvirt user
Статус пользователей
sasldblistusers2 -f /etc/libvirt/passwd.db

vim /etc/supervisor/conf.d/webvirtmgr.conf:

[program:webvirtmgr]
command=/usr/bin/python /var/www/webvirtmgr/manage.py run_gunicorn -c /var/www/webvirtmgr/conf/gunicorn.conf.py
directory=/var/www/webvirtmgr
autostart=true
autorestart=true
stdout_logfile=/var/log/supervisor/webvirtmgr.log
redirect_stderr=true
user=www-data

[program:webvirtmgr-console]
command=/usr/bin/python /var/www/webvirtmgr/console/webvirtmgr-console
directory=/var/www/webvirtmgr
autostart=true
autorestart=true
stdout_logfile=/var/log/supervisor/webvirtmgr-console.log
redirect_stderr=true
user=www-data

invoke-rc.d supervisor restart
invoke-rc.d supervisor restart

invoke-rc.d novnc stop
insserv -r novnc
vim /etc/insserv/overrides/novnc:

#!/bin/sh
### BEGIN INIT INFO
# Provides:          nova-novncproxy
# Required-Start:    $network $local_fs $remote_fs $syslog
# Required-Stop:     $remote_fs
# Default-Start:
# Default-Stop:
# Short-Description: Nova NoVNC proxy
# Description:       Nova NoVNC proxy
### END INIT INFO

Делаем виртуальный хост для webvirtmgr
vim /etc/apache2/sites-available/webvirtmgr.conf:

WSGISocketPrefix /var/run/apache2/wsgi
<VirtualHost *:8000>
    ServerAdmin admin@example.com
    ServerName example.com

    WSGIDaemonProcess webvirtmgr display-name=%{GROUP} python-path=/var/www/webvirtmgr
    WSGIProcessGroup webvirtmgr
    WSGIScriptAlias / /var/www/webvirtmgr/webvirtmgr/wsgi.py

    Alias /static /var/www/webvirtmgr/webvirtmgr/static/
    Alias /media /var/www/webvirtmgr/webvirtmgr/media/

    <Directory /var/www/webvirtmgr/webvirtmgr>
        <Files wsgi.py>
        Require all granted
        </Files>
    </Directory>

    CustomLog ${APACHE_LOG_DIR}/webvirtmgr-access.log common
    ErrorLog ${APACHE_LOG_DIR}/webvirtmgr-error.log
</VirtualHost>

a2ensite webvirtmgr
invoke-rc.d apache2 reload

Открываем порты
iptables -I INPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I INPUT 2 -s 192.168.10.0/24 -d 192.168.10.1 -i eth0 -p tcp -m state --state NEW -m multiport --dports 80,6080,8000,16509 -j ACCEPT
invoke-rc.d netfilter-persistent save

Веб интерфейс будет доступен по адресу http://example.com:8000