Install and configure techdocs server

From techdocs
Revision as of 14:02, 20 June 2022 by Plinich (talk | contribs)

Host OS installation

  1. Do minimal Debian Bullseye install
  2. Disable IPv6 in /etc/default/grub
  3. Install updates and set hostname
  4. Ensure unattended-upgrades package is installed
  5. Allow root access via SSH key

Security

The firewall rules (i.e., AWS security group) allow:

  1. Ping, SSH and HTTPS from 129.94.0.0/16 and 149.171.0.0/16
  2. HTTP from anywhere (to allow certbot to renew the Let's Encrypt SSL certificate)
  3. Everything else is blocked

Initial web site setup

root@techdocs:~# apt-get install apache2 mariadb-server php php-mysql libapache2-mod-php php-xml php-mbstring php-apcu php-intl php-gd php-cli samba

Edit /etc/apache2/sites-enabled/000-default.conf and set server name to techdocs.cseunsw.tech

root@techdocs:~# systemctl restart apache2
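The host OS steps above (IPv6 off in GRUB, root over SSH by key only) and the ServerName edit are easy to get subtly wrong, so here is an added set of POSIX sh checks for them. This is example code written for this page, not part of the original wiki procedure; the helper names, the sample files and run_host_checks are assumptions of the example.

```shell
#!/bin/sh
# Added verification helpers, not part of the original wiki page. Each check
# takes a file path, so it runs against the constructed samples below or,
# on the real host, against the live config files (see run_host_checks).

# Step 2: IPv6 must be disabled on the kernel command line in /etc/default/grub.
check_grub_ipv6_disabled() {
    grep -E '^GRUB_CMDLINE_LINUX(_DEFAULT)?=.*ipv6\.disable=1' "$1" >/dev/null
}

# Step 5: root logs in over SSH with a key only. sshd honours the first
# uncommented PermitRootLogin directive; if none is present the OpenSSH
# default is prohibit-password, which is also acceptable. (Match blocks are
# not evaluated here.)
check_sshd_root_key_only() {
    val=$(grep -E '^[[:space:]]*PermitRootLogin[[:space:]]+' "$1" | head -n 1 | awk '{print tolower($2)}')
    case "${val:-prohibit-password}" in
        prohibit-password|without-password) return 0 ;;
        *) return 1 ;;
    esac
}

# Web setup: the default vhost must carry the exact ServerName that certbot
# later requests the certificate for.
check_apache_servername() {
    awk -v host="$2" '$1 == "ServerName" && $2 == host { found = 1 } END { exit !found }' "$1"
}

# On the real host, run all three checks against the live files.
run_host_checks() {
    check_grub_ipv6_disabled /etc/default/grub &&
    check_sshd_root_key_only /etc/ssh/sshd_config &&
    check_apache_servername /etc/apache2/sites-enabled/000-default.conf techdocs.cseunsw.tech
}

# Constructed sample files (not from any real host) so the checks can be
# exercised offline.
SAMPLE_DIR=$(mktemp -d)
printf 'GRUB_CMDLINE_LINUX_DEFAULT="quiet"\nGRUB_CMDLINE_LINUX="ipv6.disable=1"\n' >"$SAMPLE_DIR/grub.good"
printf 'GRUB_CMDLINE_LINUX=""\n' >"$SAMPLE_DIR/grub.bad"
printf '# PermitRootLogin yes\nPermitRootLogin prohibit-password\nPasswordAuthentication no\n' >"$SAMPLE_DIR/sshd.good"
printf 'PermitRootLogin yes\n' >"$SAMPLE_DIR/sshd.bad"
printf '<VirtualHost *:80>\n    ServerName techdocs.cseunsw.tech\n</VirtualHost>\n' >"$SAMPLE_DIR/site.conf"

check_grub_ipv6_disabled "$SAMPLE_DIR/grub.good" && echo "grub sample: ok"
check_sshd_root_key_only "$SAMPLE_DIR/sshd.good" && echo "sshd sample: ok"
check_apache_servername "$SAMPLE_DIR/site.conf" techdocs.cseunsw.tech && echo "apache sample: ok"
```

Running run_host_checks as root after the steps above exits non-zero on the first check that fails, which makes it usable as a post-install gate.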

Install certbot and acquire SSL certificate

root@techdocs:~# apt-get install python3-certbot-apache
root@techdocs:~# systemctl restart apache2
root@techdocs:~# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): ss@cse.unsw.edu.au

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N
Account registered.

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: techdocs.cseunsw.tech
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for techdocs.cseunsw.tech
Performing the following challenges:
http-01 challenge for techdocs.cseunsw.tech
Enabled Apache rewrite module
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/000-default-le-ssl.conf
Enabled Apache socache_shmcb module
Enabled Apache ssl module
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/000-default-le-ssl.conf
Enabled Apache rewrite module
Redirecting vhost in /etc/apache2/sites-enabled/000-default.conf to ssl vhost in /etc/apache2/sites-available/000-default-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://techdocs.cseunsw.tech
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/techdocs.cseunsw.tech/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/techdocs.cseunsw.tech/privkey.pem
   Your certificate will expire on 2022-09-18. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again with the "certonly" option. To non-interactively
   renew *all* of your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

root@techdocs:~#

Note that installing certbot adds a cron file, /etc/cron.d/certbot, which regularly attempts certificate renewal.