home:webserver

Link to create a sitemap for Dokuwiki: https://www.dokuwiki.org/sitemap (enable the sitemap option in config and submit http://nhergert.homenet.org/doku.php?do=sitemap).

Github

Use Github for hosting with Octopress or similar?

Free hosting, linked via CDN, easy HTTPS, etc. https://www.toptal.com/github/unlimited-scale-web-hosting-github-pages-cloudflare

Dynamic DNS

For Namecheap.

crontab -e
# Append for every 1 minute check
* * * * * /home/nhergert/update_ip.sh > /home/nhergert/update_ip.log

# Run cron on boot
update-rc.d cron defaults
update_ip.sh
#!/bin/sh
# Only writes to server if ip address changes
# Keeps log of old ip to below txt file
old_ip_file="update_ip.txt"


myip="$(dig +short myip.opendns.com @resolver1.opendns.com)"
# Stop if the lookup returned nothing, so an empty value is never saved or sent
if [ -z "${myip}" ]; then
	echo "Could not determine public IP" >&2
	exit 1
fi

# Create file if it doesn't exist
if [ ! -e "$old_ip_file" ]; then
	echo "${myip}" > "$old_ip_file"
fi

# Read in file
oldip="$(cat "$old_ip_file")"
echo "$oldip"
# Use "=" rather than "==": cron runs the script with sh, not the interactive bash
# https://serverfault.com/questions/734202/bash-if-statment-unexpected-behavior-in-crontab-job
if [ "${myip}" = "${oldip}" ]
then
	echo "They match!"
	exit
fi

# New value found
echo "${myip}" > "${old_ip_file}"

echo "Updating WAN/Public IP address from ${oldip} to ${myip}"

# The password travels in the query string: HTTPS protects it in transit,
# but it is visible in the process list while wget runs
wget -q -O - "https://dynamicdns.park-your-domain.com/update?host=nhergert&domain=ozeo.org&password=<dynamic dns password here, diff than normal password>&ip=${myip}"
wget -q -O - "https://dynamicdns.park-your-domain.com/update?host=@&domain=ozeo.org&password=<dynamic dns password here, diff than normal password>&ip=${myip}"
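An added example, not part of the original notes: when the resolver is unreachable, `dig +short` can print an error line on standard output instead of an address, which an emptiness test alone would not catch. The hypothetical helper `is_public_ipv4` below accepts only a single, well-formed, publicly routable IPv4 address before anything is saved or submitted.

```shell
#!/bin/sh
# Added example (not from the original page). is_public_ipv4 is a hypothetical
# helper: succeeds only for a single, well-formed, publicly routable IPv4 address.

is_public_ipv4() {
	ip="$1"
	# Reject empty input, multi-line output and error text such as
	# ";; connection timed out" (anything that is not digits and dots).
	case "$ip" in
		""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
	esac

	# Split on dots into $1..$4, then restore the previous IFS.
	old_ifs="$IFS"; IFS=.
	set -- $ip
	IFS="$old_ifs"
	[ "$#" -eq 4 ] || return 1

	for octet in "$@"; do
		case "$octet" in
			0?*|????*) return 1 ;;   # leading zero or more than 3 digits
		esac
		[ "$octet" -le 255 ] || return 1
	done

	a="$1"; b="$2"
	# Ranges that can never be this host's WAN address.
	if [ "$a" -eq 0 ] || [ "$a" -eq 10 ] || [ "$a" -eq 127 ] || [ "$a" -ge 224 ]; then
		return 1    # "this network", RFC 1918, loopback, multicast/reserved
	fi
	if [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; then return 1; fi   # RFC 1918
	if [ "$a" -eq 192 ] && [ "$b" -eq 168 ]; then return 1; fi                     # RFC 1918
	if [ "$a" -eq 169 ] && [ "$b" -eq 254 ]; then return 1; fi                     # link-local
	if [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ]; then return 1; fi  # CGNAT
	return 0
}

# Usage in update_ip.sh, right after the dig lookup:
#   is_public_ipv4 "${myip}" || { echo "Bad lookup result: ${myip}" >&2; exit 1; }
```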

https

Can use Let's Encrypt for a free certificate. Cool.

Super easy to do, requires no account: https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-16-04

Hardening

Probably more frustrating than useful both for me and attacker, but here's something. https://www.raspberrypi.org/documentation/configuration/security.md, https://www.pluralsight.com/blog/it-ops/linux-hardening-secure-server-checklist.

Like I like to tell people, “if you have enough money to attack with, anything is possible. However, if their target doesn't have money, it's probably not a big deal”

Also, using a container might give some peace of mind, but hardening and not being stupid is generally good enough. https://security.stackexchange.com/questions/100389/can-i-make-my-online-server-more-secure-using-docker

Domain stuff

Probably want to use “A record”. However, it's not working for some reason…

https://www.namecheap.com/support/knowledgebase/article.aspx?type=article&contentid=434&categoryid=&articletitle=how-do-i-set-up-host-records-for-a-domain

Need to contact their support for main domain and potential subdomains.

Hardware

  • Raspberry pi 1, unsupported SD card socket breaks sd cards, tried clothespin and gluing a support on top, now it's not booting on top of it.
  • Android smartphone. Works quite well with Palapa web server for intentionally obsoleted phones (Android 4). However, I couldn't figure out how to get adb working. After 2-3 hours, it was worth it to run a full server.
  • Running on a used Macbook for $20 now, should be low power as the fan doesn't spin up.
    • Don't need to make image backup, you have a Snow Leopard disc still. Make a copy of the iso that's on Dad's OS X though, store it in Dropbox_archive.
    • Maybe older versions of apache/php are secure enough? Dokuwiki bombs on XAMPP PHP 7.1. Trying to get dokuwiki files to share to VM. It will be more clear later. Back to Windows, just want to do other stuff.
  • EC2 is another option for $8/month
    • Apache log locations at … /etc/httpd/logs2

Power

Macbook is 15 W idle ($1.50 per month). Chromebook (Intel celeron) is 2.5 watts idle ($.25 per month).

Maybe I want to migrate to the chromebook??? Interesting.

Chromebook Lid

Unfortunately, this is not done through the power options in the menu.

sudo vim /etc/systemd/logind.conf

find line "#HandleLidSwitch=suspend"
Replace line with "HandleLidSwitch=ignore" (no hash in front)

Finally, restart the service:
sudo systemctl restart systemd-logind.service

Setup Linux

  • Send daily updates of backups to email? Screenshot of Dropbox “recents” page by controlling Chrome through Python: https://sites.google.com/a/chromium.org/chromedriver/getting-started
  • sudo apt-get install apache2 php libapache2-mod-php php-common php-xml php-mbstring
    • Uhhh, do I really need libapache2-mod-php7.2? Bummer…
    • php-common or php7.0-xml needed for utf8_encode in one page (virtual reality). Apparently mainlined in php 7.2?
    • gnome-session-flashback for low graphics gnome
  • Currently is returning “500” on 1st load. fix here?
  • Add PHP operation caching for fast loading (php5-xcache / php5-apc above) or OpCache is built in with PHP 5.5 (but not currently in Ubuntu repo)
  • sudo service apache2 restart
  • Use Curl script for FreeDNS updating and run it once every 5 minutes or on reboot too. @reboot in crontab
  • Not inadyn, as it takes too long and is confusing.
# Done :-)
# The update hash in the URL is a credential, so certificate verification stays on (no -k)
curl "https://freedns.afraid.org/dynamic/update.php?<YOUR HASH HERE>"
  • Not using gitolite as I don't have a bunch of users and repos right now, but might be useful in future.

Creating a Web Server

  • Apache files are located at /etc/apache2/sites-enabled
<VirtualHost *:80>
	# The ServerName directive sets the request scheme, hostname and port that
	# the server uses to identify itself. This is used when creating
	# redirection URLs. In the context of virtual hosts, the ServerName
	# specifies what hostname must appear in the request's Host: header to
	# match this virtual host. For the default virtual host (this file) this
	# value is not decisive as it is used as a last resort host regardless.
	# However, you must set it for any further virtual host explicitly.
	#ServerName www.example.com
 
	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html
 
	DirectoryIndex index.php index.html
 
        <Directory /var/www/html>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride none
                Order allow,deny
                allow from all
        </Directory>
 
 
	<LocationMatch "/(data|conf|bin|inc)/">
	    Order allow,deny
	    Deny from all
	    Satisfy All
	</LocationMatch>
 
 
	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn
 
	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined
 
	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf
</VirtualHost>
 
# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
  • php.ini is located at /etc/php5/apache2/php.ini
    • To adjust upload size, change upload_max_filesize = 2M and post_max_size = 8M to whatever you want, then restart apache using sudo /etc/init.d/apache2 restart
  • Permissions:
# Not very secure, but given a sandbox computer it's probably okay.
# sudo vi /etc/apache2/envvars
# Edit APACHE_RUN_USER/GROUP from www-data to your username
# Then restart apache
# Done!
 
 
# Make user www-data in charge of /var/www
sudo chown -R www-data:www-data /var/www
# Allow user and group read/write/execute permissions on /var/www
sudo chmod -R 770 /var/www
# Add to group www-data user nhergert
#sudo usermod -a -G www-data nhergert
# Tsk tsk, but maybe needed for Dropbox?
sudo usermod -a -G nhergert www-data
# List groups of nhergert
id nhergert
# List users of www-data
getent group www-data
# Remove user from www-data
#gpasswd -d <user> www-data
 
# For some reason apache doesn't want to follow symlinks even with setting?
# So need to move files from Dropbox to /var/www/html and then make a symlink in Dropbox directory
#mv ~/Dropbox/dokuwiki2/* /var/www/html
#rmdir ~/Dropbox/dokuwiki2
#ln -s /var/www/html ~/Dropbox/dokuwiki2
 
# Then restart computer (but maybe just log off) to apply changes
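An added example, not the author's setup: a narrower alternative to `chmod -R 770 /var/www`, assuming the tree is owned by the admin user with group www-data and that DokuWiki only needs to write under data/ and conf/. `harden_webroot` and `group_writable_outside` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the original page): tighter modes for a DokuWiki web root.
# Assumes ownership was set first, e.g.: sudo chown -R nhergert:www-data /var/www/html
# so "owner" is the admin user and "group" is the web server.

harden_webroot() {
	root="$1"
	[ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }

	# Default: owner read/write, group (web server) read-only, others nothing.
	find "$root" -type d -exec chmod 750 {} +
	find "$root" -type f -exec chmod 640 {} +

	# Assumption: the wiki only has to write below data/ and conf/.
	for sub in data conf; do
		[ -d "$root/$sub" ] || continue
		find "$root/$sub" -type d -exec chmod 770 {} +
		find "$root/$sub" -type f -exec chmod 660 {} +
	done
}

# List everything the group can write outside data/ and conf/.
# Empty output means the web server cannot modify the PHP code it executes.
group_writable_outside() {
	root="$1"
	find "$root" \( -path "$root/data" -o -path "$root/conf" \) -prune \
		-o -perm -020 ! -type l -print
}
```

Run `group_writable_outside /var/www/html` before and after `harden_webroot /var/www/html` to see which paths lose group write access.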

SSH

//Client
ssh-keygen -t rsa
ssh-copy-id user@my.host
//Host
sudo apt-get install fail2ban

Nginx

Not using right now

  • Follow this tutorial to install LEMP in Ubuntu
  • Some important directories:
    • /var/log/nginx/error.log (for some reason nginx is silent on the command line and you have to check here for errors)
    • /etc/nginx/nginx.conf
    • /etc/nginx/sites-available, virtual sites you set up. sites-enabled is linked to this folder

nginx

10/18

9/29

Older

Dokuwiki Permissions

  • Need to allow .htaccess files and turn off directory listing in httpd.conf
//In httpd.conf
Options (Indexes FollowSymLinks MultiViews) -> (FollowSymLinks MultiViews)
AllowOverride None -> All

Use Rsync Effectively

rsync --verbose --progress --stats --compress --recursive --times  --links --delete -az -e "ssh -i ~/.ssh/id_rsa" /Users/Nolan/DropboxArchive nolanher@nolanhergert.com:~/public_html/dropbox/
home/webserver.txt · Last modified: 2020/05/21 21:41 by admin