fr:ogspy_server_configuration
fr:ogspy_server_configuration [2021/04/23 10:49] – [New VPS] darknoon | fr:ogspy_server_configuration [Date inconnue] (Version actuelle) – supprimée - modification externe (Date inconnue) 127.0.0.1 | ||
Ligne 1: | Ligne 1: | ||
- | < | ||
- | # Creating a VPS for OGSpy Multi | ||
- | From Ubuntu 20.04 LTS | ||
- | # Packages | ||
- | sudo apt update | ||
- | sudo apt upgrade | ||
- | # Create User | ||
- | sudo adduser darknoon | ||
- | |||
- | Add user to sudo group | ||
- | |||
- | sudo usermod -aG sudo darknoon | ||
- | # SSH Config | ||
- | |||
- | Warn : Each step need to be tested here as it could break the ssh connectivity | ||
- | |||
- | |||
- | ## Configure Default SSH port | ||
- | |||
- | |||
- | sudo vi / | ||
- | |||
- | uncomment Port line and set a new port : | ||
- | |||
- | Port 3421 | ||
- | |||
- | Reload | ||
- | |||
- | sudo service sshd reload | ||
- | |||
- | |||
- | ## Authorize Certificates | ||
- | |||
- | Connect with user | ||
- | |||
- | su - darknoon | ||
- | |||
- | Create folder .ssh | ||
- | |||
- | mkdir ~/.ssh | ||
- | |||
- | Create file Authorized keys | ||
- | |||
- | touch ./ | ||
- | |||
- | Add that line to the file | ||
- | |||
- | ssh-ed25519 AAAAfsdfdfsfsdfsdfklopzekoprejzifo5zefio7fio4zioyfiozvfiozf1 | ||
- | |||
- | |||
- | ## Remove Authentication with Password Default SSH port | ||
- | |||
- | |||
- | sudo vi / | ||
- | |||
- | Set passwordAuthentification to no | ||
- | |||
- | PasswordAuthentication no | ||
- | |||
- | Reload | ||
- | |||
- | sudo service sshd reload | ||
- | |||
- | Before closing the SSH window, try the connection using a new SSH client. If its not working revert PasswordAuthentification to yes and reload the service. | ||
- | |||
- | # Firewall Config | ||
- | ## Update OpenSSH Profile in UFW Apps with your custom port | ||
- | |||
- | |||
- | sudo vi / | ||
- | |||
- | Change line ports to : | ||
- | |||
- | |||
- | ports=3421/ | ||
- | |||
- | Enable Firewall with OpenSSH App | ||
- | |||
- | |||
- | sudo ufw enable | ||
- | sudo ufw allow ' | ||
- | sudo ufw status | ||
- | |||
- | Before closing the SSH window, try the connection using a new SSH client. | ||
- | If its not working : | ||
- | |||
- | |||
- | sudo ufw disable | ||
- | |||
- | |||
- | # Hostname | ||
- | |||
- | Set the server hostname according to your DNS pointed on that machine | ||
- | |||
- | sudo vi / | ||
- | # Web Stack | ||
- | ## Install LNMP Stack Packages | ||
- | |||
- | |||
- | sudo apt install nginx php php-fpm mariadb-server php-mysql php-json php-zip php-xml | ||
- | |||
- | |||
- | ## Open Firewall Ports | ||
- | sudo ufw allow 'Nginx Full' | ||
- | |||
- | |||
- | ## Set Web Server Working Folder | ||
- | |||
- | |||
- | mkdir / | ||
- | |||
- | Set Correct rights on that folder | ||
- | |||
- | |||
- | sudo chown ww-data: | ||
- | |||
- | sudo chmod -R | ||
- | |||
- | ## Configure Nginx for HTTP | ||
- | |||
- | Edit | ||
- | Configure a simple Http Server to get your first certificate (See well-known part) | ||
- | |||
- | Edit / | ||
- | |||
- | |||
- | # Default server configuration | ||
- | # | ||
- | server { | ||
- | listen 80 default_server; | ||
- | listen [::]:80 default_server; | ||
- | server_name ogspy.fr www.ogspy.fr pma-darkcity.ogspy.fr; | ||
- | |||
- | | ||
- | root / | ||
- | #Lets Encrypt | ||
- | location ~ / | ||
- | allow all; | ||
- | } | ||
- | location / { | ||
- | return 301 https:// | ||
- | } | ||
- | } | ||
- | |||
- | Start Server | ||
- | |||
- | sudo service nginx start | ||
- | |||
- | |||
- | ## Prerequisites HTTPS | ||
- | |||
- | Configure Lets Encrypt Certificate | ||
- | |||
- | |||
- | sudo apt install certbot | ||
- | |||
- | |||
- | certbot certonly --webroot -w / | ||
- | |||
- | Your certificate is now available in / | ||
- | |||
- | ## Configure Diffie Hellman Dhparam | ||
- | |||
- | https:// | ||
- | |||
- | |||
- | cd / | ||
- | sudo openssl dhparam -out dhparam.pem 4096 | ||
- | |||
- | |||
- | ## Configure SSL in NGINX | ||
- | |||
- | Nginx : Add this section to your default configuration (/ | ||
- | |||
- | |||
- | server { | ||
- | # SSL configuration | ||
- | # | ||
- | listen 443 ssl http2 default_server; | ||
- | listen [::]:443 ssl http2 default_server; | ||
- | # | ||
- | # Note: You should disable gzip for SSL traffic. | ||
- | # See: https:// | ||
- | # | ||
- | # Read up on ssl_ciphers to ensure a secure configuration. | ||
- | # See: https:// | ||
- | # | ||
- | # Self signed certs generated by the ssl-cert package | ||
- | # Don't use them in a production server! | ||
- | # | ||
- | include snippets/ | ||
- | include snippets/ | ||
- | | ||
- | root / | ||
- | | ||
- | # | ||
- | client_max_body_size 64M; | ||
- | | ||
- | | ||
- | # Add index.php to the list if you are using PHP | ||
- | index index.php index.html index.htm index.nginx-debian.html; | ||
- | | ||
- | server_name ogspy.fr www.ogspy.fr; | ||
- | | ||
- | location / { | ||
- | # First attempt to serve request as file, then | ||
- | # as directory, then fall back to displaying a 404. | ||
- | try_files $uri $uri/ =404; | ||
- | } | ||
- | | ||
- | # pass the PHP scripts to FastCGI server listening on 127.0.0.1: | ||
- | # | ||
- | location ~ \.php$ { | ||
- | include snippets/ | ||
- | | ||
- | # With php7.4-fpm: | ||
- | | ||
- | # fastcgi_pass unix:/ | ||
- | } | ||
- | # deny access to .htaccess files, if Apache' | ||
- | # concurs with nginx' | ||
- | # | ||
- | location ~ /\.ht { | ||
- | deny all; | ||
- | } | ||
- | #Lets Encrypt | ||
- | location ~ / | ||
- | allow all; | ||
- | } | ||
- | # Block xmlrpc.php access | ||
- | location = /xmlrpc.php { | ||
- | deny all; | ||
- | } | ||
- | } | ||
- | |||
- | We will now create mentioned files in the snippets folder : | ||
- | |||
- | Create the file / | ||
- | |||
- | |||
- | ssl_certificate / | ||
- | ssl_certificate_key / | ||
- | |||
- | Create the file / | ||
- | |||
- | |||
- | # from https:// | ||
- | # and https:// | ||
- | | ||
- | ssl_protocols TLSv1.2; | ||
- | ssl_prefer_server_ciphers on; | ||
- | ssl_ecdh_curve secp384r1; | ||
- | ssl_session_cache shared: | ||
- | ssl_session_tickets off; | ||
- | ssl_stapling on; | ||
- | ssl_stapling_verify on; | ||
- | resolver 8.8.8.8 8.8.4.4 valid=300s; | ||
- | resolver_timeout 5s; | ||
- | # disable HSTS header for now | ||
- | #add_header Strict-Transport-Security " | ||
- | add_header X-Frame-Options DENY; | ||
- | add_header X-Content-Type-Options nosniff; | ||
- | add_header Strict-Transport-Security " | ||
- | ssl_ciphers " | ||
- | # | ||
- | # | ||
- | | ||
- | ssl_dhparam / | ||
- | | ||
- | |||
- | |||
- | ## PHP-FPM | ||
- | |||
- | Configure the default Pool : | ||
- | |||
- | Open file / | ||
- | |||
- | |||
- | sudo vi / | ||
- | |||
- | Change socket to port 9001 | ||
- | |||
- | ; The address on which to accept FastCGI requests. | ||
- | ; Valid syntaxes are: | ||
- | ; ' | ||
- | ; a specific port; | ||
- | ; ' | ||
- | ; a specific port; | ||
- | ; ' | ||
- | ; (IPv6 and IPv4-mapped) on a specific port; | ||
- | ; '/ | ||
- | ; Note: This value is mandatory. | ||
- | ;listen = / | ||
- | listen = 127.0.0.1: | ||
- | | ||
- | |||
- | |||
- | You can now try to start your Nginx Server 🙂 | ||
- | |||
- | sudo service nginx start | ||
- | |||
- | |||
- | ## MariaDB | ||
- | |||
- | Configure Root Access | ||
- | (Root access is accessible by unix socket) | ||
- | |||
- | |||
- | sudo mysql_secure_installation | ||
- | |||
- | Connect to MariaDb console | ||
- | |||
- | |||
- | mysql -u root -p | ||
- | |||
- | Create User | ||
- | |||
- | CREATE USER ' | ||
- | GRANT ALL PRIVILEGES ON *.* TO ' | ||
- | FLUSH PRIVILEGES; | ||
- | SHOW GRANTS FOR ' | ||
- | |||
- | You should now be able to connect to the SQL Server using HeidiSQL for example. Connection using SSH. | ||
- | |||
- | |||
- | ## Backup | ||
- | |||
- | Create a backup user to allow access from outside. | ||
- | |||
- | |||
- | sudo adduser userbackup | ||
- | |||
- | Add user to sudo group | ||
- | |||
- | sudo usermod -aG backup userbackup | ||
- | |||
- | Create for a SSH Keys that you will define in its home folder : .ssh/ | ||
- | |||
- | Here is the backup script, we can set it anywhere in the filesystem. I use to put it in the root folder but its your choice 🙂 | ||
- | |||
- | |||
- | #!/bin/bash | ||
- | #################################### | ||
- | # | ||
- | # Backup Files | ||
- | # | ||
- | #################################### | ||
- | | ||
- | # What to backup. | ||
- | backup_files="/ | ||
- | | ||
- | # Where to backup to. | ||
- | dest="/ | ||
- | | ||
- | # Create archive filename. | ||
- | day=$(date +%F) | ||
- | hostname=$(hostname -s) | ||
- | archive_file=" | ||
- | | ||
- | # Print start status message. | ||
- | echo " | ||
- | | ||
- | if [ ! -f " | ||
- | then | ||
- | | ||
- | # Backup the files using tar. | ||
- | tar czf $dest/ | ||
- | else | ||
- | echo " | ||
- | fi | ||
- | | ||
- | #################################### | ||
- | # | ||
- | # Backup SQL DB | ||
- | # | ||
- | #################################### | ||
- | | ||
- | # Print start status message. | ||
- | echo " | ||
- | | ||
- | for DB in $(mysql -e 'show databases' | ||
- | if [ ! -f " | ||
- | then | ||
- | mysqldump $DB | gzip > " | ||
- | fi | ||
- | done | ||
- | | ||
- | ####################################### | ||
- | # | ||
- | # Clean Up | ||
- | # | ||
- | ####################################### | ||
- | | ||
- | find $dest/. -type f ! -name " | ||
- | chown userbackup: | ||
- | | ||
- | # Print end status message. | ||
- | echo | ||
- | echo " | ||
- | date | ||
- | | ||
- | # Long listing of files in $dest to check file sizes. | ||
- | ls -lh $dest | ||
- | |||
- | |||
- | ## Set Backup Execution Time | ||
- | |||
- | |||
- | sudo crontab -e | ||
- | |||
- | Select your favorite Editor and add the line : | ||
- | |||
- | |||
- | 0 02 * * * / | ||
- | |||
- | Will run every Day at 2AM. (https:// | ||
- | |||
- | |||
- | |||
- | </ | ||
- | n> |