Install and configure techdocs server

From techdocs
Revision as of 15:20, 20 Haziran 2022 by Plinich (talk | contribs)
Jump to navigation Jump to search

Credentials

For MariaDB, MediaWiki, SAMBA, etc.

See /root/CREDENTIALS.txt (and backups, of course).

Host OS installation

  1. Do minimal Debian Bullseye install
  2. Disable IPv6 in /etc/default grub
  3. Install updates and set hostname
  4. Ensure unattended-upgrades package is installed
  5. Allow root access via SSH key

Network security

The firewall rules (i.e., AWS security group) allow:

  1. Ping, SSH and HTTPs from 129.94.0.0/16 and 149.171.0.0/16
  2. HTTP from anywhere (to allow certbot to renew the Let's Encrypt SSL certificate
  3. Everything else is blocked

Initial web site setup

root@techdocs:~# apt-get install apache2 mariadb-server php php-mysql libapache2-mod-php php-xml php-mbstring php-apcu php-intl php-gd php-cli samba

Edit /etc/apache2/sites-enabled/000-default.conf and set server name to techdocs.cseunsw.tech 

root@techdocs:~# systemctl restart apache2

Install certbot and acquire SSL certificate

root@techdocs:~# apt-get install python3-certbot-apache

root@techdocs:~# systemctl restart apache2

root@techdocs:~# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): ss@cse.unsw.edu.au

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: techdocs.cseunsw.tech
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for techdocs.cseunsw.tech
Performing the following challenges:
http-01 challenge for techdocs.cseunsw.tech
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf
Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/sites-enabled/000-default.conf to ssl vhost in /etc/apache2/sites-available/000-default-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://techdocs.cseunsw.tech
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/techdocs.cseunsw.tech/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/techdocs.cseunsw.tech/privkey.pem
   Your certificate will expire on 2022-09-18. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again with the "certonly" option. To non-interactively
   renew *all* of your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

root@techdocs:~#

Note that installing certbot adds a cron file, /etc/cron.d/certbot, which regularly attempts certificate renewal

Secure MariaDB

root@techdocs:~# mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user. If you've just installed MariaDB, and
haven't set the root password yet, you should just press enter here.

Enter current password for root (enter for none): 
OK, successfully used password, moving on...

Setting the root password or using the unix_socket ensures that nobody
can log into the MariaDB root user without the proper authorisation.

You already have your root account protected, so you can safely answer 'n'.

Switch to unix_socket authentication [Y/n] 
Enabled successfully!
Reloading privilege tables..
 ... Success!


You already have your root account protected, so you can safely answer 'n'.

Change the root password? [Y/n] 
New password: 
Re-enter new password: 
Password updated successfully!
Reloading privilege tables..
 ... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] 
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] 
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] 
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] 
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!
root@techdocs:~#

Install mediawiki software

root@techdocs:~# cd /usr/local
root@techdocs:/usr/local# rmdir * (gives errors for lib, man and share not beubng empty)
root@techdocs:/usr/local# rm -fr share man

Get latest mediawiki tar file

root@techdocs:/usr/local# mkdir /root/downloads
root@techdocs:/usr/local# ( cd /root/downloads && wget https://releases.wikimedia.org/mediawiki/1.38/mediawiki-1.38.1.tar.gz )
root@techdocs:/usr/local# tar zxf /root/downloads/mediawiki-1.38.1.tar.gz
root@techdocs:/usr/local# ln -s mediawiki-1.38.1 mediawiki

Set up Apache hooks

Delete /etc/apache2/sites-enabled/*

Add following as /etc/apache2/sites/available/001-techdocs.conf and enable by linking to sites-available: 

<VirtualHost *:80>
	ServerName techdocs.cseunsw.tech

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	RewriteEngine on
	RewriteCond %{SERVER_NAME} =techdocs.cseunsw.tech
	RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
	ServerName techdocs.cseunsw.tech

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html

	Alias "/mediawiki/images/" "/usr/local/mediawiki_images/"
	Alias "/mediawiki/" "/usr/local/mediawiki/"

	<Directory /usr/local/mediawiki/>
		Options Indexes FollowSymLinks
		AllowOverride None
		Require all granted
	</Directory>

	<Directory /usr/local/mediawiki_images/>
		Options Indexes FollowSymLinks
		AllowOverride None
		Require all granted
	</Directory>

	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined

	SSLCertificateFile /etc/letsencrypt/live/techdocs.cseunsw.tech/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/techdocs.cseunsw.tech/privkey.pem
	Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

root@techdocs:~# systemctl restart apache2

And... then install MediaWiki as per the instructions at https://www.mediawiki.org/

Retrieved from ‘https://techdocs.cseunsw.tech/mediawiki/index.php?title=Install_and_configure_techdocs_server&oldid=100