Install and configure techdocs server: Difference between revisions

Credentials

For MariaDB, MediaWiki, SAMBA, etc.

See /root/CREDENTIALS.txt (and backups, of course).

Host OS installation

1. Do minimal Debian Bullseye install
2. Disable IPv6 in /etc/default grub
3. Install updates and set hostname
4. Ensure unattended-upgrades package is installed
5. Allow root access via SSH key

Network security

The firewall rules (i.e., AWS security group) allow:

1. Ping, SSH, SMB and HTTPs from 129.94.0.0/16 and 149.171.0.0/16
2. HTTP from anywhere (to allow certbot to renew the Let's Encrypt SSL certificate, see below)
3. Everything else is blocked

Initial web site setup

root@techdocs:~# apt-get install apache2 mariadb-server php php-mysql libapache2-mod-php php-xml php-mbstring php-apcu php-intl php-gd php-cli samba pandoc

Edit /etc/apache2/sites-enabled/000-default.conf and set server name to techdocs.cseunsw.tech

root@techdocs:~# systemctl restart apache2

Install certbot and acquire SSL certificate

root@techdocs:~# apt-get install python3-certbot-apache

root@techdocs:~# systemctl restart apache2

root@techdocs:~# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): ss@cse.unsw.edu.au

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: techdocs.cseunsw.tech
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for techdocs.cseunsw.tech
Performing the following challenges:
http-01 challenge for techdocs.cseunsw.tech
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf
Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/sites-enabled/000-default.conf to ssl vhost in /etc/apache2/sites-available/000-default-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://techdocs.cseunsw.tech
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/techdocs.cseunsw.tech/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/techdocs.cseunsw.tech/privkey.pem
   Your certificate will expire on 2022-09-18. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again with the "certonly" option. To non-interactively
   renew *all* of your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

root@techdocs:~#

Note that installing certbot adds a cron file, /etc/cron.d/certbot, which regularly attempts certificate renewal

Secure MariaDB

root@techdocs:~# mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
haven't set the root password yet, you should just press enter here.

Enter current password for root (enter for none): 
OK, successfully used password, moving on...

Setting the root password or using the unix_socket ensures that nobody
can log into the MariaDB root user without the proper authorisation.

You already have your root account protected, so you can safely answer 'n'.

Switch to unix_socket authentication [Y/n] 
Enabled successfully!
Reloading privilege tables..
 ... Success!


You already have your root account protected, so you can safely answer 'n'.

Change the root password? [Y/n] 
New password: 
Re-enter new password: 
Password updated successfully!
Reloading privilege tables..
 ... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] 
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] 
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] 
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] 
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!
root@techdocs:~#

Install mediawiki software

root@techdocs:~# cd /usr/local
root@techdocs:/usr/local# rmdir * (gives errors for lib, man and share not beubng empty)
root@techdocs:/usr/local# rm -fr share man

Get latest mediawiki tar file

root@techdocs:/usr/local# mkdir /root/downloads
root@techdocs:/usr/local# ( cd /root/downloads && wget https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.1.tar.gz )
root@techdocs:/usr/local# tar zxf /root/downloads/mediawiki-1.38.1.tar.gz
root@techdocs:/usr/local# ln -s mediawiki-1.38.1 mediawiki

Set up Apache hooks

Delete /etc/apache2/sites-enabled/*

Add following as /etc/apache2/sites/available/001-techdocs.conf and enable by linking to sites-available:

<VirtualHost *:80>
	ServerName techdocs.cseunsw.tech

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	RewriteEngine on
	RewriteCond %{SERVER_NAME} =techdocs.cseunsw.tech
	RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
	ServerName techdocs.cseunsw.tech

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	Alias "/mediawiki/images/" "/usr/local/mediawiki_images/"
	Alias "/mediawiki/" "/usr/local/mediawiki/"

	<Directory /usr/local/mediawiki/>
		Options Indexes FollowSymLinks
		AllowOverride None
		Require all granted
	</Directory>

	<Directory /usr/local/mediawiki_images/>
		Options Indexes FollowSymLinks
		AllowOverride None
		Require all granted
	</Directory>

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	SSLCertificateFile /etc/letsencrypt/live/techdocs.cseunsw.tech/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/techdocs.cseunsw.tech/privkey.pem
	Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

root@techdocs:~# systemctl restart apache2

The following notes are vague because, actually, we shouldn't be talking about a new install, but instead about a recovery from backup at this point.

And... then install MediaWiki as per the instructions at https://www.mediawiki.org/

The wiki configuration file, LocalSettings.php, is not installed in the same directory as the MediaWiki software, but is instead in a separate directory with a symlink pointing to it.

cd /usr/local/
ls -al
mkdir mediawiki_config
cd mediawiki-1.38.1/
ln -s ../mediawiki_config/LocalSettings.php .

Set up development account and SAMBA access

Create the account used for document development (images, scripts, etc.) and which is shared via SAMBA:

# useradd -m -p x -s /bin/bash techdocs

Create the following as /etc/samba/smb.conf:

[global]
workgroup = TECHDOCS
log file = /var/log/samba/log.%m
max log size = 1000
logging = file
server role = standalone server

[nwcse]
comment = Documentation work account
path = /home/techdocs
force user = techdocs
force group = techdocs
guest ok = no
read only = no

# systemctl restart samba

Use the smbpasswd command to administer the SAMBA password database (check the man page). Also corresponding entry, a possible dummy, must exist in /etc/passwd for this to work (see below). Note that this is separate to the user/password database used for MediaWiki. E.g.:

# useradd -s /usr/sbin/nologin plinich 

# smbpasswd -a plinich

You can then access the directory with this URI (keeping in mind the network security settings above):

smb://plinich@techdocs.cseunsw.tech/techdocs