Difference between revisions of "Operativa"

From Hackerspace.gr
Jump to: navigation, search
m
(Add nginx part)
Line 3: Line 3:
 
= Common =
 
= Common =
  
1. Install basic stuff
+
1. Install basic stuff.
  
 
  # yum install -y epel-release
 
  # yum install -y epel-release
  # yum install -y vim bash-completion wget certbot
+
  # yum install -y vim bash-completion wget
  
 
= LDAP =
 
= LDAP =
Line 16: Line 16:
 
== Service ==
 
== Service ==
  
1. Enable and start service
+
1. Enable and start service.
  
 
  # systemctl enable slapd.service
 
  # systemctl enable slapd.service
 
  # systemctl start slapd.service
 
  # systemctl start slapd.service
  
2. Check it actually works
+
2. Check it actually works.
  
 
  # systemctl status -l slapd.service
 
  # systemctl status -l slapd.service
Line 27: Line 27:
 
== Configuration ==
 
== Configuration ==
  
1. Copy default DB_CONFIG
+
1. Copy default DB_CONFIG.
  
 
  # cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
 
  # cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG
  
2. Create a new admin password
+
2. Create a new admin password.
  
 
  # slappasswd
 
  # slappasswd
  
3. Create an initial config in a file
+
3. Create an initial config in a file.
  
 
  dn: olcDatabase={1}monitor,cn=config
 
  dn: olcDatabase={1}monitor,cn=config
Line 54: Line 54:
 
  olcRootPW: {SSHA}3u4JMk96UgMheppVZpdr7HmMJFKHRpEd
 
  olcRootPW: {SSHA}3u4JMk96UgMheppVZpdr7HmMJFKHRpEd
  
4. And use it
+
4. And use it.
  
 
  ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f openldap_initial.ldif
 
  ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f openldap_initial.ldif
Line 60: Line 60:
 
== Schema ==
 
== Schema ==
  
1. Create an ldif file with the schema
+
1. Create an ldif file with the schema.
  
 
  # example.org
 
  # example.org
Line 74: Line 74:
 
  ou: People
 
  ou: People
  
2. And use it
+
2. And use it.
  
 
  # ldapmodify -x -W -D cn=admin,dc=example,dc=org -a -f schema.ldif
 
  # ldapmodify -x -W -D cn=admin,dc=example,dc=org -a -f schema.ldif
Line 80: Line 80:
 
== Users ==
 
== Users ==
  
1. Create a new user
+
1. Create a new user.
  
 
  dn: uid=test,ou=People,dc=example,dc=org
 
  dn: uid=test,ou=People,dc=example,dc=org
Line 100: Line 100:
 
== Status ==
 
== Status ==
  
1. Display entire config
+
1. Display entire config.
  
 
  # ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
 
  # ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"
 +
 +
= Nginx =
 +
 +
== Installation ==
 +
 +
# yum -y install nginx certbot
 +
 +
== Initial Configuration ==
 +
 +
1. Edit nginx.conf. Remove server block and turn access logs off.
 +
 +
access_log off;
 +
 +
2. Create ssl.conf under conf.d.
 +
 +
# https://wiki.mozilla.org/Security/Server_Side_TLS
 +
ssl_dhparam /etc/ssl/dhparam.pem;
 +
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 +
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK';
 +
ssl_session_timeout 5m;
 +
ssl_prefer_server_ciphers on;
 +
ssl_session_cache shared:SSL:50m;
 +
add_header Strict-Transport-Security "max-age=31536000";
 +
 +
3. Create dhparam.
 +
 +
openssl dhparam -out /etc/ssl/dhparam.pem 2048
 +
 +
4. Create a default.conf under conf.d with minimal settings, and include all desired subdomains.
 +
 +
server {
 +
    listen [::]:80;
 +
    listen 80;
 +
    server_name example.org www.example.org conf.example.org;
 +
   
 +
    root /var/www/default/;
 +
    index index.html;
 +
}
 +
 +
== Service ==
 +
 +
1. Test the configuration.
 +
 +
# nginx -t
 +
 +
2. Enable and start service.
 +
 +
# systemctl enable nginx.service
 +
# systemctl start nginx.service
 +
 +
== Certificates ==
 +
 +
1. Create certificates, including all subdomains
 +
 +
certbot --agree-tos --email ping@example.org -a webroot -w /var/www/default/ -d example.org -d www.example.org -d conf.example.org certonly
 +
 +
== Final configuration ==
 +
 +
1. Edit default.conf to make it https-only.
 +
 +
server {
 +
    listen [::]:80;
 +
    listen 80;
 +
    server_name example.org www.example.org;
 +
    return 301 https://$server_name$request_uri;
 +
}
 +
 +
server {
 +
    listen [::]:443 ssl;
 +
    listen 443 ssl;
 +
    server_name www.example.org;
 +
    return 301 https://$server_name$request_uri;
 +
 +
    ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
 +
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
 +
}
 +
 +
server {
 +
    listen [::]:443 ssl;
 +
    listen 443 ssl;
 +
    server_name example.org;
 +
 +
    root /var/www/default/;
 +
    index index.html;
 +
 +
    ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
 +
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
 +
}
 +
 +
2. Test the configuration.
 +
 +
# nginx -t
 +
 +
3. Reload nginx.
 +
 +
# nginx -s reload
  
 
= Jabber =
 
= Jabber =

Revision as of 18:37, 25 November 2016

Notes on building Hackerspace public and member services.

Common

1. Install basic stuff.

# yum install -y epel-release
# yum install -y vim bash-completion wget

LDAP

Installation

# yum install -y openldap openldap-clients openldap-servers

Service

1. Enable and start service.

# systemctl enable slapd.service
# systemctl start slapd.service

2. Check it actually works.

# systemctl status -l slapd.service

Configuration

1. Copy default DB_CONFIG.

# cp /usr/share/openldap-servers/DB_CONFIG.example /var/lib/ldap/DB_CONFIG

2. Create a new admin password.

# slappasswd

3. Create an initial config in a file.

dn: olcDatabase={1}monitor,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" 
  read by dn.base="cn=admin,dc=example,dc=org" read by * none

dn: olcDatabase={2}bdb,cn=config
changetype: modify
replace: olcSuffix
olcSuffix: dc=example,dc=org
-
replace: olcRootDN
olcRootDN: cn=admin,dc=example,dc=org
-
add: olcRootPW
olcRootPW: {SSHA}3u4JMk96UgMheppVZpdr7HmMJFKHRpEd

4. And use it.

ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f openldap_initial.ldif

Schema

1. Create an ldif file with the schema.

# example.org
dn: dc=example,dc=org
dc: example
objectClass: dcObject
objectClass: organizationalUnit
ou: example.org

# People
dn: ou=People,dc=example,dc=org
objectClass: organizationalUnit
ou: People

2. And use it.

# ldapmodify -x -W -D cn=admin,dc=example,dc=org -a -f schema.ldif

Users

1. Create a new user.

dn: uid=test,ou=People,dc=example,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
mail: username@example.gr
cn: username example
sn: example
givenName: username
uid: test
uidNumber: 99
gidNumber: 12
homeDirectory: /Maildir/test
userPassword: test

Status

1. Display entire config.

# ldapsearch -Y EXTERNAL -H ldapi:/// -b "cn=config"

Nginx

Installation

# yum -y install nginx certbot

Initial Configuration

1. Edit nginx.conf. Remove server block and turn access logs off.

access_log off;

2. Create ssl.conf under conf.d.

# https://wiki.mozilla.org/Security/Server_Side_TLS
ssl_dhparam /etc/ssl/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK';
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:50m;
add_header Strict-Transport-Security "max-age=31536000";

3. Create dhparam.

openssl dhparam -out /etc/ssl/dhparam.pem 2048

4. Create a default.conf under conf.d with minimal settings, and include all desired subdomains.

server {
    listen [::]:80;
    listen 80;
    server_name example.org www.example.org conf.example.org;
    
    root /var/www/default/;
    index index.html;
}

Service

1. Test the configuration.

# nginx -t

2. Enable and start service.

# systemctl enable nginx.service
# systemctl start nginx.service

Certificates

1. Create certificates, including all subdomains

certbot --agree-tos --email ping@example.org -a webroot -w /var/www/default/ -d example.org -d www.example.org -d conf.example.org certonly

Final configuration

1. Edit default.conf to make it https-only.

server {
    listen [::]:80;
    listen 80;
    server_name example.org www.example.org;
    return 301 https://$server_name$request_uri;
}

server {
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name www.example.org;
    return 301 https://$server_name$request_uri;

    ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
}

server {
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name example.org;

    root /var/www/default/;
    index index.html;

    ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
}

2. Test the configuration.

# nginx -t

3. Reload nginx.

# nginx -s reload

Jabber

Installation

# yum -y install prosody

Configuration