Install and configure techdocs server: Difference between revisions
Jump to navigation
Jump to search
(Created page with "== Host OS installation == # Do minimal Debian Bullseye install # Disable IPv6 in /etc/default grub * Install updates and set hostname # Ensure unattended-upgrades package is installed # Allow root access via SSH key == Security == The firewall rules (i.e., AWS security group) allow: # Ping, SSH and HTTPs from 129.94.0.0/16 and 149.171.0.0/16 # HTTP from anywhere (to allow certbot to renew the Let's Encrypt SSL certificate # Everything else is blocked == Initial web...") |
No edit summary |
||
| Line 3: | Line 3: | ||
# Do minimal Debian Bullseye install | # Do minimal Debian Bullseye install | ||
# Disable IPv6 in /etc/default grub | # Disable IPv6 in /etc/default grub | ||
# Install updates and set hostname | |||
# Ensure unattended-upgrades package is installed | # Ensure unattended-upgrades package is installed | ||
# Allow root access via SSH key | # Allow root access via SSH key | ||
Revision as of 14:02, 20 Haziran 2022
Host OS installation
- Do minimal Debian Bullseye install
- Disable IPv6 in /etc/default grub
- Install updates and set hostname
- Ensure unattended-upgrades package is installed
- Allow root access via SSH key
Security
The firewall rules (i.e., AWS security group) allow:
- Ping, SSH and HTTPs from 129.94.0.0/16 and 149.171.0.0/16
- HTTP from anywhere (to allow certbot to renew the Let's Encrypt SSL certificate
- Everything else is blocked
Initial web site setup
root@techdocs:~# apt-get install apache2 mariadb-server php php-mysql libapache2-mod-php php-xml php-mbstring php-apcu php-intl php-gd php-cli samba
Edit /etc/apache2/sites-enabled/000-default.conf and set server name to techdocs.cseunsw.tech
root@techdocs:~# systemctl restart apache2
Install certbot and acquire SSL certificate
root@techdocs:~# apt-get install python3-certbot-apache
root@techdocs:~# systemctl restart apache2
root@techdocs:~# certbot --apache Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator apache, Installer apache Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): ss@cse.unsw.edu.au - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server. Do you agree? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: Y - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Would you be willing, once your first certificate is successfully issued, to share your email address with the Electronic Frontier Foundation, a founding partner of the Let's Encrypt project and the non-profit organization that develops Certbot? We'd like to send you email about our work encrypting the web, EFF news, campaigns, and ways to support digital freedom. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - (Y)es/(N)o: N Account registered. Which names would you like to activate HTTPS for? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 1: techdocs.cseunsw.tech - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel): 1 Requesting a certificate for techdocs.cseunsw.tech Performing the following challenges: http-01 challenge for techdocs.cseunsw.tech Enabled Apache rewrite module Waiting for verification... Cleaning up challenges Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf Enabled Apache socache_shmcb module Enabled Apache ssl module Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf Enabled Apache rewrite module Redirecting vhost in /etc/apache2/sites-enabled/000-default.conf to ssl vhost in /etc/apache2/sites-available/000-default-le-ssl.conf - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Congratulations! You have successfully enabled https://techdocs.cseunsw.tech - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/techdocs.cseunsw.tech/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/techdocs.cseunsw.tech/privkey.pem Your certificate will expire on 2022-09-18. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew" - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le root@techdocs:~#
Note that installing certbot adds a cron file, /etc/cron.d/certbot, which regularly attempts certificate renewal