New VPS
From Ubuntu 20.04 LTS
Packages
sudo apt update
sudo apt upgrade
Create User
sudo adduser darknoon
Add user to sudo group
sudo usermod -aG sudo darknoon
SSH Config
Warning: each step here needs to be tested, as it could break SSH connectivity.
Configure Default SSH port
sudo vi /etc/ssh/sshd_config
Uncomment the Port line and set a new port:
Port 3421
Reload Parameters for the service:
sudo service sshd reload
Authorize SSH Keys
Connect with user
su - darknoon
Create folder .ssh
mkdir ~/.ssh
Create the authorized_keys file
touch ~/.ssh/authorized_keys
chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys   # sshd (StrictModes) rejects keys reachable through group/world-writable paths
Add your public key as a line in the file (the key below is a placeholder):
ssh-ed25519 AAAAfsdfdfsfsdfsdfklopzekoprejzifo5zefio7fio4zioyfiozvfiozf1
Disable Password Authentication
sudo vi /etc/ssh/sshd_config
Set PasswordAuthentication to no:
PasswordAuthentication no
Reload Parameters for the service:
sudo service sshd reload
Before closing the SSH window, try the connection using a new SSH client. If it is not working, revert PasswordAuthentication to yes and reload the service.
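As an added example (not part of the original page), a small helper that reads the effective sshd settings the way sshd does (first occurrence wins, nothing below a Match block counts) and refuses the reload when the port or password setting is not what this page expects; it assumes port 3421 and "keyword value" lines in sshd_config:

```shell
#!/bin/bash
# Added example, not from the original page. Check sshd_config BEFORE "service sshd reload"
# so a typo cannot lock you out. Assumptions: port 3421 as on this page, "keyword value" lines.

# Print the effective value of keyword $2 in file $1: first non-comment match, as sshd does.
sshd_effective() {
    local key
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blank lines
        tolower($1) == "match" { exit }         # settings below a Match block are conditional
        tolower($1) == key { print $2; exit }   # first occurrence wins, exactly like sshd
    ' "$1"
}

# Return 0 when file $1 listens on port $2 (default 3421) and has password logins disabled.
sshd_check() {
    local file="$1" port="${2:-3421}" p pa
    p=$(sshd_effective "$file" Port)
    pa=$(sshd_effective "$file" PasswordAuthentication | tr 'A-Z' 'a-z')
    if [ "$p" != "$port" ]; then
        echo "Port is '${p:-22 (default)}', expected $port" >&2; return 1
    fi
    if [ "$pa" != "no" ]; then
        echo "PasswordAuthentication is '${pa:-yes (default)}', expected no" >&2; return 1
    fi
    # Let sshd validate the syntax too (needs root to read the host keys); skipped otherwise.
    if [ "$(id -u)" -eq 0 ] && command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$file" || return 1
    fi
    echo "sshd config OK: Port $p, PasswordAuthentication $pa"
}

# On the server: sudo bash -c '. ./sshd_check.sh; sshd_check /etc/ssh/sshd_config 3421 && service sshd reload'
```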
Firewall Config
Update the OpenSSH profile in the UFW application definitions with your custom port:
sudo vi /etc/ufw/applications.d/openssh-server
Change the ports line to:
ports=3421/tcp
Enable the firewall with the OpenSSH app allowed
sudo ufw allow 'OpenSSH'   # allow SSH first, so enabling the firewall cannot lock you out
sudo ufw enable
sudo ufw status
Before closing the SSH window, try the connection using a new SSH client. If it is not working:
sudo ufw disable
Hostname
Set the server hostname to match the DNS name that points at this machine:
sudo vi /etc/hostname
Web Stack
Install LNMP Stack Packages
sudo apt install nginx php php-fpm mariadb-server php-mysql php-json php-zip php-xml
Open Firewall Ports
sudo ufw allow 'Nginx Full'
Set Web Server Working Folder
sudo mkdir -p /srv/www/ogspy.fr   # -p also creates /srv/www, which does not exist yet
Set the correct ownership and permissions on that folder
sudo chown -R www-data:www-data /srv/www/ogspy.fr
sudo chmod -R u=rwX,go=rX /srv/www/ogspy.fr   # the mode was missing on the original page; this gives 755 directories and 644 files
Configure Nginx for HTTP
Configure a simple HTTP server to obtain your first certificate (see the .well-known location below).
Edit /etc/nginx/sites-available/default
# Default server configuration
#
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    server_name ogspy.fr www.ogspy.fr pma-darkcity.ogspy.fr;
    root /srv/www/ogspy.fr;   # Your root folder

    # Lets Encrypt
    location ~ /.well-known {
        allow all;
    }

    location / {
        return 301 https://$host$request_uri;   # Redirection HTTPS
    }
}
Start Server
sudo service nginx start
HTTPS Prerequisites
Configure the Let's Encrypt Certificate
sudo apt install certbot
sudo certbot certonly --webroot -w /srv/www/ogspy.fr -d ogspy.fr   # root is needed to write under /etc/letsencrypt
Your certificate is now available in /etc/letsencrypt/live/ogspy.fr
Configure Diffie-Hellman Parameters (dhparam)
https://wiki.openssl.org/index.php/Diffie_Hellman
cd /etc/ssl/certs
sudo openssl dhparam -out dhparam.pem 4096
Configure SSL in NGINX
Nginx: add this section to your default configuration (/etc/nginx/sites-available/default)
server {
    # SSL configuration
    #
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    #
    # Note: You should disable gzip for SSL traffic.
    # See: https://bugs.debian.org/773332
    #
    # Read up on ssl_ciphers to ensure a secure configuration.
    # See: https://bugs.debian.org/765782
    #
    # Self signed certs generated by the ssl-cert package
    # Don't use them in a production server!
    #
    include snippets/ssl-ogspy.fr.conf;   # Will be created just after
    include snippets/ssl-params.conf;     # Will be created just after

    root /srv/www/ogspy.fr;

    # Configurations
    client_max_body_size 64M;

    # Add index.php to the list if you are using PHP
    index index.php index.html index.htm index.nginx-debian.html;

    server_name ogspy.fr www.ogspy.fr;

    location / {
        # First attempt to serve request as file, then
        # as directory, then fall back to displaying a 404.
        try_files $uri $uri/ =404;
    }

    # pass the PHP scripts to the FastCGI server listening on 127.0.0.1:9001
    #
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        # With php7.4-fpm:
        fastcgi_pass 127.0.0.1:9001;
        # fastcgi_pass unix:/run/php/php7.0-fpm.sock;   # Socket option
    }

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    location ~ /\.ht {
        deny all;
    }

    # Lets Encrypt
    location ~ /.well-known {
        allow all;
    }

    # Block xmlrpc.php access
    location = /xmlrpc.php {
        deny all;
    }
}
We will now create the files mentioned above in the snippets folder:
Create the file /etc/nginx/snippets/ssl-ogspy.fr.conf that points at your certificate
ssl_certificate /etc/letsencrypt/live/ogspy.fr/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/ogspy.fr/privkey.pem;
Create the file /etc/nginx/snippets/ssl-params.conf for the SSL configuration:
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;

# disable HSTS header for now
#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:!DHE-RSA-AES128-GCM-SHA256:!DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:!ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:!ECDHE-RSA-AES256-SHA:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:!ECDHE-RSA-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!AES128-GCM-SHA256:!AES256-GCM-SHA384:!AES128-SHA256:!AES256-SHA256:!AES128-SHA:!AES256-SHA:!DES-CBC3-SHA:!DSS";

# ssl_session_timeout 24h;
# keepalive_timeout 300s;   # up from 75 secs default
ssl_dhparam /etc/ssl/certs/dhparam.pem;
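As an added example (not part of the original page), a lint for the ssl-params.conf snippet above that looks only at active directives, so the commented-out HSTS line is ignored and the live one is checked; it assumes the snippet path is passed as the first argument:

```shell
#!/bin/bash
# Added example, not from the original page. Lint the nginx ssl-params snippet before
# "service nginx reload". Assumption: path of the snippet is passed as $1.

# Print the active value of directive $2 in file $1 (one line per occurrence, trailing ';' removed).
ngx_directive() {
    sed 's/#.*$//' "$1" | awk -v d="$2" '
        $1 == d { sub(/;[ \t]*$/, ""); $1 = ""; sub(/^ +/, ""); print }'
}

# Return 0 when the snippet matches the baseline used on this page; print each finding otherwise.
ngx_ssl_lint() {
    local f="$1" findings=0 protos hsts
    protos=$(ngx_directive "$f" ssl_protocols)
    case " $protos " in
        *" SSLv3 "*|*" TLSv1 "*|*" TLSv1.1 "*)
            echo "legacy protocol enabled: $protos" >&2; findings=$((findings + 1)) ;;
    esac
    if [ -z "$protos" ]; then
        echo "ssl_protocols not set; older nginx defaults still include TLSv1 and TLSv1.1" >&2
        findings=$((findings + 1))
    fi
    if [ "$(ngx_directive "$f" ssl_session_tickets)" != "off" ]; then
        echo "ssl_session_tickets should be off (nginx does not rotate the ticket key until restart)" >&2
        findings=$((findings + 1))
    fi
    if [ "$(ngx_directive "$f" ssl_stapling)" != "on" ]; then
        echo "ssl_stapling should be on" >&2; findings=$((findings + 1))
    fi
    # Exactly one live HSTS header. Caveat: an add_header inside a location block replaces
    # ALL inherited add_header lines, so the header must be repeated in such locations.
    hsts=$(ngx_directive "$f" add_header | grep -c '^Strict-Transport-Security' || true)
    if [ "$hsts" -ne 1 ]; then
        echo "expected exactly one active Strict-Transport-Security header, found $hsts" >&2
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ] && echo "ssl-params.conf OK: protocols '$protos'"
    return "$findings"
}

# On the server: ngx_ssl_lint /etc/nginx/snippets/ssl-params.conf && sudo nginx -t && sudo service nginx reload
```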
PHP-FPM
Configure the default pool:
Open the pool file
sudo vi /etc/php/7.4/fpm/pool.d/www.conf
Change the listen socket to TCP port 9001
; The address on which to accept FastCGI requests.
; Valid syntaxes are:
;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific IPv4 address on
;                            a specific port;
;   '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
;                            a specific port;
;   'port'                 - to listen on a TCP socket to all addresses
;                            (IPv6 and IPv4-mapped) on a specific port;
;   '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
;listen = /run/php/php7.4-fpm.sock
; Configure here ('#' is not a comment character in pool files, so keep comments on their own ';' lines)
listen = 127.0.0.1:9001
You can now restart PHP-FPM and try your Nginx server 🙂
sudo service php7.4-fpm restart   # needed so the new listen address takes effect
sudo service nginx restart
MariaDB
Secure the installation (root access works through the unix socket)
sudo mysql_secure_installation
Connect to MariaDb console
sudo mysql -u root   # root authenticates via the unix socket, so run the client as root rather than with -p
Create User
-- Replace 'password' with a strong password. ALL PRIVILEGES ON *.* makes this a full administrative account.
CREATE USER 'darknoon'@localhost IDENTIFIED BY 'password';
GRANT ALL PRIVILEGES ON *.* TO 'darknoon'@localhost IDENTIFIED BY 'password';
FLUSH PRIVILEGES;
SHOW GRANTS FOR 'darknoon'@localhost;
You should now be able to connect to the SQL server, for example with HeidiSQL over an SSH tunnel.
Backup
Create a backup user to allow access from outside.
sudo adduser userbackup
Add the user to the backup group
sudo usermod -aG backup userbackup
Create an SSH key pair for it and put the public key in its home folder: .ssh/authorized_keys
Here is the backup script; it can live anywhere in the filesystem. I usually put it in root's home folder, but that is your choice 🙂
#!/bin/bash
####################################
#
# Backup Files
#
####################################

# What to backup.
backup_files="/home /etc /root /srv/www"

# Where to backup to.
dest="/var/archives"
mkdir -p "$dest"

# Create archive filename.
day=$(date +%F)
hostname=$(hostname -s)
archive_file="$hostname-$day.tgz"

# Print start status message.
echo "Backing up $backup_files to $dest/$archive_file"

if [ ! -f "$dest/$archive_file" ]; then
    # Backup the files using tar ($backup_files is left unquoted on purpose so it splits into paths).
    tar czf "$dest/$archive_file" $backup_files
else
    echo "Backup already generated today"
fi

####################################
#
# Backup SQL DB
#
####################################

# Print start status message.
echo "Backing up SQL DB"

# information_schema and performance_schema are virtual and cannot be dumped like normal databases.
for DB in $(mysql -e 'show databases' -s --skip-column-names | grep -Ev '^(information_schema|performance_schema)$'); do
    if [ ! -f "$dest/$hostname-$day-sql-$DB.gz" ]; then
        mysqldump "$DB" | gzip > "$dest/$hostname-$day-sql-$DB.gz"
    fi
done

#######################################
#
# Clean Up
#
#######################################

# Remove archives from previous days (only today's set is kept). "rm -i" would wait for a
# confirmation that never comes under cron, so -f is used instead.
find "$dest" -type f ! -name "$hostname-$day*" -execdir rm -f {} +
chown userbackup:backup "$dest"/*

# Print end status message.
echo
echo "Backup finished"
date

# Long listing of files in $dest to check file sizes.
ls -lh "$dest"
Set Backup Execution Time
sudo crontab -e
Select your favorite editor and add the line (the script must be executable, e.g. chmod +x /root/backup.sh):
0 02 * * * /root/backup.sh
It will run every day at 2 AM (https://www.adminschoice.com/crontab-quick-reference).
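As an added example (not part of the original page), a check that the backup set written by the script above is actually restorable: the tarball lists cleanly and every SQL dump decompresses and ends with mysqldump's "Dump completed" marker. It assumes the same destination folder and file naming as the script, with the database names given explicitly:

```shell
#!/bin/bash
# Added example, not from the original page. Verify today's backup set before trusting it.
# Assumptions: same naming as the backup script ($host-$day.tgz, $host-$day-sql-$DB.gz).

# verify_backup DEST HOST DAY DB...  -> 0 when the archive and every listed dump are intact.
verify_backup() {
    local dest="$1" host="$2" day="$3" rc=0 archive db dump
    shift 3
    archive="$dest/$host-$day.tgz"
    # The file archive must exist, be non-empty and list cleanly (catches truncated tarballs).
    if [ ! -s "$archive" ] || ! tar tzf "$archive" >/dev/null 2>&1; then
        echo "MISSING/CORRUPT: $archive" >&2; rc=1
    fi
    for db in "$@"; do
        dump="$dest/$host-$day-sql-$db.gz"
        # gzip -t checks the compressed stream; mysqldump writes "-- Dump completed" as its
        # last line, so a dump without it was interrupted.
        if [ ! -s "$dump" ] || ! gzip -t "$dump" 2>/dev/null \
           || ! gzip -dc "$dump" | grep -q '^-- Dump completed'; then
            echo "MISSING/CORRUPT: $dump" >&2; rc=1
        fi
    done
    if [ "$rc" -eq 0 ]; then echo "backup set for $host on $day verified"; fi
    return "$rc"
}

# On the server, e.g. from a second cron line a few minutes after the backup:
# verify_backup /var/archives "$(hostname -s)" "$(date +%F)" ogspy mysql
```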