navody:uzivatele:stepan_schejbal [2015/04/08 06:52] – stepanschebal | navody:uzivatele:stepan_schejbal [Unknown date] (current) – removed - external edit (Unknown date) 127.0.0.1 | ||
Line 1: | Line 1: | ||
- | ====== vps====== | ||
- | |||
- | =====Info===== | ||
- | |||
- | Na serveru běží veřejné služby (web pro java aplikace) a privátní služby přes vpn (ssh, redmine, git, maven repozitář). Zabezpečení je postaveno na firewalu, který blokuje všechno kromě veřejných služeb a vpn. | ||
- | |||
- | Nainstalovaný systém je **debian 7 (wheezy)** . Původně jsem zkoušel debian 6, ale nefungoval v něm shorewall. Pak to běželo na arch linuxu, ale ten není od vpsfree moc podporovaný a navíc má rolling-updates, | ||
- | |||
- | |||
- | =====Základ===== | ||
- | |||
- | |||
- | ====Auktualizace systému==== | ||
- | |||
- | apt-get update | ||
- | apt-get upgrade | ||
- | |||
- | |||
- | |||
- | ====Základní balíky a nastavení==== | ||
- | |||
- | apt-get install rsyslog man bzip2 wget sudo htop cron-apt | ||
- | | ||
- | # Oracle Java: | ||
- | # je potreba java-package 0.50+ kuli podpore server-jre, tohle je lepsi nez povolovat backports repozitar | ||
- | wget http:// | ||
- | dpkg -i java-package_0.53~bpo70+1_all.deb | ||
- | wget --no-check-certificate --no-cookies - --header " | ||
- | http:// | ||
- | make-jpkg server-jre-7u55-linux-x64.tar.gz | ||
- | dpkg -i oracle-java7-jre_7u55_amd64.deb | ||
- | |||
- | |||
- | **/ | ||
- | |||
- | Zkopirovat klic na prihlaseni napr. ssh-copy-id root@example.com, | ||
- | |||
- | PasswordAuthentication no | ||
- | |||
- | |||
- | |||
- | |||
- | **/ | ||
- | |||
- | set mouse-=a | ||
- | colorscheme elflord | ||
- | syntax on | ||
- | |||
- | |||
- | |||
- | |||
- | **/ | ||
- | |||
- | MAILON=" | ||
- | MAILTO=" | ||
- | |||
- | |||
- | |||
- | |||
- | |||
- | ====Firewall==== | ||
- | |||
- | Nastavení firewallu se dělá pomocí balíku // | ||
- | |||
- | apt-get install shorewall | ||
- | cd / | ||
- | # adresar by mel byt prazdny, krome shorewall.conf | ||
- | |||
- | |||
- | **/ | ||
- | |||
- | Nastavení zón ($FW v ostatních souborech se automaticky nahrazuje " | ||
- | |||
- | #ZONE | ||
- | # | ||
- | fw firewall | ||
- | net ipv4 | ||
- | vpn ipv4 | ||
- | |||
- | |||
- | |||
- | |||
- | **/ | ||
- | |||
- | Tohle je nastaveni implicitních akcí (vyhodnocuje se v zadaném pořadí!). | ||
- | |||
- | # | ||
- | # | ||
- | | ||
- | # povol spojeni "ze serveru na internet" | ||
- | $FW | ||
- | | ||
- | # zahod vsechno "z internetu na server" | ||
- | net | ||
- | | ||
- | # odmitni vsechno "z vpn na internet" | ||
- | vpn | ||
- | | ||
- | # povol vsechno ostatni "z vpn" | ||
- | vpn | ||
- | | ||
- | # The FOLLOWING POLICY MUST BE LAST | ||
- | all | ||
- | |||
- | |||
- | |||
- | |||
- | **/ | ||
- | |||
- | FORMAT 2 | ||
- | ############################################################################### | ||
- | #ZONE | ||
- | net | ||
- | vpn tun0 | ||
- | |||
- | |||
- | |||
- | |||
- | **/ | ||
- | |||
- | # | ||
- | # | ||
- | #SECTION ALL | ||
- | #SECTION ESTABLISHED | ||
- | #SECTION RELATED | ||
- | SECTION NEW | ||
- | | ||
- | # povoleni SSH sluzby pro klienty z internetu (NEDELAT, v pripade nouze se lze pripojit k terminalu pres administraci VPS) | ||
- | # - pro vsechny | ||
- | # | ||
- | # - pro urcitou IP adresu | ||
- | # | ||
- | # - pro skupinu IP adres (subnet) | ||
- | # | ||
- | | ||
- | # OpenVPN | ||
- | ACCEPT | ||
- | ACCEPT | ||
- | | ||
- | # WEB | ||
- | ACCEPT | ||
- | ACCEPT | ||
- | |||
- | |||
- | |||
- | |||
- | **/ | ||
- | |||
- | STARTUP_ENABLED=Yes | ||
- | |||
- | |||
- | |||
- | |||
- | **/ | ||
- | |||
- | startup=1 | ||
- | |||
- | |||
- | |||
- | |||
- | Pár užitečných příkazů: | ||
- | |||
- | / | ||
- | shorewall status | ||
- | shorewall show | ||
- | shorevall safe-start | ||
- | shorewall safe-restart | ||
- | |||
- | |||
- | |||
- | ====OpenVPN==== | ||
- | |||
- | apt-get install openvpn | ||
- | cp -a / | ||
- | cd / | ||
- | |||
- | |||
- | **/ | ||
- | |||
- | export KEY_SIZE=2048 | ||
- | export KEY_COUNTRY=" | ||
- | export KEY_PROVINCE=" | ||
- | export KEY_CITY=" | ||
- | export KEY_ORG=" | ||
- | export KEY_EMAIL=" | ||
- | export KEY_OU="" | ||
- | |||
- | |||
- | |||
- | |||
- | source vars | ||
- | ./clean-all | ||
- | ./ | ||
- | ./ | ||
- | ./build-key tonda # nebo build-key-pass pro zaheslovani privatnich klicu | ||
- | ./build-key cenda | ||
- | ... | ||
- | ./build-dh | ||
- | cd keys | ||
- | openvpn --genkey --secret ta.key | ||
- | cp {ca.crt, | ||
- | chmod 600 / | ||
- | |||
- | |||
- | **/ | ||
- | |||
- | dev tun | ||
- | port 1194 | ||
- | ;proto tcp | ||
- | proto udp | ||
- | # VPN subnet - vybrat neco nahodnyho z http:// | ||
- | # urcite ne 10.0.0.0, 10.1.1.0, 192.168.0.0, | ||
- | server 10.134.75.0 255.255.255.0 | ||
- | ifconfig-pool-persist ipp.txt | ||
- | ca ca.crt | ||
- | crl-verify crl.pem | ||
- | cert inter.crt | ||
- | key inter.key | ||
- | dh dh2048.pem | ||
- | tls-auth ta.key 0 | ||
- | cipher AES-256-CBC | ||
- | comp-lzo yes | ||
- | |||
- | |||
- | |||
- | |||
- | **client.conf** | ||
- | |||
- | dev tun | ||
- | port 1194 | ||
- | proto udp | ||
- | client | ||
- | remote mujserver.example.com | ||
- | ca ca.crt | ||
- | cert tonda.crt | ||
- | key tonda.key | ||
- | tls-auth ta.key 1 | ||
- | remote-cert-tls server | ||
- | cipher AES-256-CBC | ||
- | comp-lzo yes | ||
- | |||
- | |||
- | |||
- | |||
- | Teď už je třeba jenom poslat každému klientovi '' | ||
- | |||
- | # predpoklada nastaveni sendmailu (dale v navodu) | ||
- | cd keys | ||
- | key=" | ||
- | zippwd=$(dd if=/ | ||
- | rm -v $key.7z; 7z a -p $zippwd ca.crt $key.{crt, | ||
- | echo "heslo na rozbaleni $key.7z: $zippwd" | ||
- | |||
- | |||
- | |||
- | ===Revokace certifikátů=== | ||
- | |||
- | cd / | ||
- | source vars | ||
- | ./ | ||
- | cp -v crl.pem / | ||
- | |||
- | |||
- | |||
- | ====sendmail interface pro SMTP server==== | ||
- | |||
- | Některé komponenty (např. redmine) potřebují posílat emaily přes sendmail interface (např. jejich SMTP klient z nějakého důvodu nefunguje se SMTP serverem). Proto se dá nainstalovat lepší SMTP klient, který podporuje sendmail interface. Detaily viz. [[http:// | http:// | ||
- | |||
- | apt-get purge exim4-config exim4 exim4-base exim4-daemon-light | ||
- | apt-get install msmtp-mta | ||
- | ls -l / | ||
- | # musi ukazovat na /usr/msmtp | ||
- | |||
- | |||
- | **/ | ||
- | |||
- | # Accounts will inherit settings from this section | ||
- | defaults | ||
- | auth on | ||
- | tls on | ||
- | tls_certcheck | ||
- | # | ||
- | | ||
- | account | ||
- | host | ||
- | port 465 | ||
- | from | ||
- | user | ||
- | password | ||
- | tls_starttls | ||
- | | ||
- | account default : blackhole | ||
- | |||
- | |||
- | |||
- | |||
- | |||
- | =====web server===== | ||
- | |||
- | |||
- | ====Nginx==== | ||
- | |||
- | Nginx krom jiného umožňuje provozovat více různých web serverů na stejném portu (např. tomcat pro java web aplikace + apache pro php + passenger pro ruby aplikace). | ||
- | |||
- | Protoze potrebujem **passenger** pro **ruby** aplikace (napr. **redmine** ), neda se to instalovat z debianich balicku. | ||
- | |||
- | apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 561F9B9CAC40B2F7 | ||
- | apt-get install apt-transport-https ca-certificates | ||
- | echo "deb https:// | ||
- | chmod 600 / | ||
- | apt-get update | ||
- | apt-get install nginx-extras passenger | ||
- | |||
- | |||
- | Pokud se bude pouzivat SSL, tak je potreba vygenerovat certifikat: | ||
- | |||
- | openssl req -new -x509 -nodes -out / | ||
- | |||
- | |||
- | **/ | ||
- | |||
- | #user nobody; | ||
- | worker_processes | ||
- | | ||
- | error_log | ||
- | pid / | ||
- | | ||
- | # | ||
- | # | ||
- | | ||
- | #pid logs/ | ||
- | | ||
- | | ||
- | events { | ||
- | worker_connections | ||
- | } | ||
- | | ||
- | | ||
- | http { | ||
- | passenger_root / | ||
- | passenger_ruby / | ||
- | | ||
- | include | ||
- | default_type | ||
- | | ||
- | # | ||
- | # ' | ||
- | # '" | ||
- | | ||
- | # | ||
- | | ||
- | sendfile | ||
- | # | ||
- | | ||
- | # | ||
- | keepalive_timeout | ||
- | | ||
- | #gzip on; | ||
- | | ||
- | ssl_certificate server.crt; | ||
- | ssl_certificate_key server.key; | ||
- | | ||
- | proxy_set_header X-Real-IP $remote_addr; | ||
- | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
- | proxy_set_header Host $http_host; | ||
- | } | ||
- | |||
- | |||
- | |||
- | |||
- | |||
- | ====Tomcat==== | ||
- | |||
- | Web server je tomcat 7, protožev něm chceme provozovat jednoduchý javovský web aplikace (tzn. potřebujeme něco v javě, ale nepotřebujeme super-druper aplikační server). | ||
- | |||
- | apt-get install tomcat7 | ||
- | |||
- | |||
- | **conf/ | ||
- | |||
- | <Server port=" | ||
- | <Service name=" | ||
- | < | ||
- | connectionTimeout=" | ||
- | redirectPort=" | ||
- | minSpareThreads=" | ||
- | <Engine name=" | ||
- | <Host name=" | ||
- | unpackWARs=" | ||
- | <Valve className=" | ||
- | prefix=" | ||
- | pattern=" | ||
- | </ | ||
- | </ | ||
- | </ | ||
- | </ | ||
- | |||
- | |||
- | '' | ||
- | |||
- | |||
- | |||
- | **/ | ||
- | |||
- | JAVA_HOME=/ | ||
- | CATALINA_OPTS=-Djava.awt.headless=true -Xmx80m -XX: | ||
- | # povolit pro remote management (napr. jconsole nebo jvisualvm) | ||
- | # | ||
- | |||
- | |||
- | |||
- | |||
- | Nastavit nginx, aby pozadavky preposilal na tomcat: | ||
- | |||
- | **/ | ||
- | |||
- | server { | ||
- | # JAVA web server - treba Tomcat | ||
- | listen *:80 default_server; | ||
- | listen *:443 ssl; | ||
- | | ||
- | proxy_set_header X-Real-IP $remote_addr; | ||
- | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
- | proxy_set_header Host $http_host; | ||
- | | ||
- | location / { | ||
- | proxy_pass | ||
- | } | ||
- | } | ||
- | |||
- | |||
- | |||
- | |||
- | |||
- | ====Apache + PHP==== | ||
- | |||
- | Pro PHP experimenty: | ||
- | |||
- | **/ | ||
- | |||
- | server { | ||
- | # PHP + phpmyadmin | ||
- | listen *:80; | ||
- | listen *:443 ssl; | ||
- | server_name php.example.com; | ||
- | | ||
- | proxy_set_header X-Real-IP $remote_addr; | ||
- | proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | ||
- | proxy_set_header Host $http_host; | ||
- | | ||
- | location / { | ||
- | proxy_pass | ||
- | } | ||
- | | ||
- | # PHPmyadmin jenom pres SSL | ||
- | location /phpmyadmin { | ||
- | if ($scheme = " | ||
- | rewrite ^ https:// | ||
- | } | ||
- | if ($scheme = " | ||
- | proxy_pass | ||
- | } | ||
- | } | ||
- | } | ||
- | |||
- | |||
- | |||
- | |||
- | |||
- | =====Git===== | ||
- | |||
- | Přístup k repozitářům gitu řídí **gitolite** . | ||
- | |||
- | # zkopirovat id_rsa.pub spravce gitu do / | ||
- | apt-get install gitolite | ||
- | dpkg-reconfigure gitolite | ||
- | # zmenit user na git | ||
- | |||
- | |||
- | **/ | ||
- | |||
- | $REPO_UMASK = 0027; # nastavi soubory g+rx, aby k tomu mel pristup napr. redmine | ||
- | |||
- | |||
- | |||
- | |||
- | **/ | ||
- | |||
- | Zakáže se autentikace heslem (všechno běží pouze přes certifikáty): | ||
- | |||
- | Match User git | ||
- | PasswordAuthentication no | ||
- | |||
- | |||
- | |||
- | |||
- | |||
- | =====Mysql===== | ||
- | |||
- | Mysql je potřeba např. pro redmine (viz. níže). Více na [[http:// | https:// | ||
- | |||
- | apt-get install mysql-server | ||
- | mysql_secure_installation | ||
- | |||
- | |||
- | |||
- | =====Redmine===== | ||
- | |||
- | Podrobnosti viz. [[http:// | http:// | ||
- | |||
- | apt-get install ruby ruby-dev make imagemagick libmagickcore-dev libmagickwand-dev libmysqlclient-dev | ||
- | cd | ||
- | VER=2.5.1 | ||
- | wget http:// | ||
- | tar xzf redmine-$VER.tar.gz -C /opt | ||
- | chown -R root:root / | ||
- | |||
- | |||
- | mysql -p # zepta se na heslo (viz. instalace mysql) | ||
- | create database redmine character set utf8; | ||
- | create user ' | ||
- | grant all privileges on redmine.* to ' | ||
- | |||
- | |||
- | **config/ | ||
- | |||
- | production: | ||
- | adapter: mysql2 | ||
- | database: redmine | ||
- | host: localhost | ||
- | username: redmine | ||
- | password: my_password | ||
- | encoding: utf8 | ||
- | |||
- | |||
- | |||
- | |||
- | **config/ | ||
- | |||
- | production: | ||
- | email_delivery: | ||
- | delivery_method: | ||
- | |||
- | |||
- | |||
- | |||
- | Tohle je potreba udelat az po '' | ||
- | |||
- | cd / | ||
- | gem install --no-user-install bundler | ||
- | bundle install --system --without development test postgresql sqlite | ||
- | rake generate_secret_token | ||
- | useradd -m --home-dir / | ||
- | usermod -a -G git redmine | ||
- | mkdir -p / | ||
- | tar c files log tmp public/ | ||
- | for i in files log tmp public/ | ||
- | chown -R redmine: | ||
- | chmod -R ugo+r / | ||
- | |||
- | |||
- | Zkopírují se data ze starého serveru: | ||
- | |||
- | # nejak dostat data z files do / | ||
- | mysql -u redmine -p redmine < dump_redmine_default_2012-05-28.sql | tee restore.log | ||
- | RAILS_ENV=production rake db:migrate | ||
- | |||
- | |||
- | |||
- | |||
- | : | ||
- | |||
- | | ||
- | |||
- | RAILS_ENV=production rake db:migrate | ||
- | RAILS_ENV=production rake redmine: | ||
- | |||
- | |||
- | : | ||
- | |||
- | Instalaci lze otestovat spuštěním jednoduchého web serveru (podívat se na projekty a jestli funguje integrace s gitem a posílání emailů): | ||
- | |||
- | su - -s /bin/bash redmine | ||
- | ruby script/ | ||
- | |||
- | |||
- | |||
- | ====Passenger v nginx==== | ||
- | |||
- | Detaily viz. [[http:// | http:// | ||
- | |||
- | apt-get install ruby-passenger | ||
- | |||
- | |||
- | **/ | ||
- | |||
- | http { | ||
- | # POZOR: musi byt zapnuty passenger (viz. instalace nginx) | ||
- | | ||
- | server { | ||
- | listen 8080 default_server; | ||
- | root / | ||
- | passenger_enabled on; | ||
- | # implicitne se pouzije aktualni owner/group souboru config/ | ||
- | passenger_user redmine; | ||
- | passenger_group redmine; | ||
- | client_max_body_size 100M; # nektere uploady do redmine budou vetsi nez default limit | ||
- | } | ||
- | } | ||
- | |||
- | |||
- | |||
- | |||
- | |||
- | ====Thin v nginx (primitivni alternativa k passengeru)==== | ||
- | |||
- | gem install --no-user-install thin | ||
- | thin install | ||
- | |||
- | |||
- | Pridat nasledujici: | ||
- | |||
- | **/ | ||
- | |||
- | gem ' | ||
- | |||
- | |||
- | |||
- | |||
- | **/ | ||
- | |||
- | # comment | ||
- | --- | ||
- | chdir: / | ||
- | environment: | ||
- | timeout: 30 | ||
- | log: / | ||
- | pid: / | ||
- | max_conns: 1024 | ||
- | max_persistent_conns: | ||
- | require: [] | ||
- | wait: 30 | ||
- | socket: / | ||
- | daemonize: true | ||
- | user: redmine | ||
- | group: redmine | ||
- | servers: 1 | ||
- | |||
- | |||
- | |||
- | |||
- | A nakonec v ''/ | ||
- | |||
- | **/ | ||
- | |||
- | upstream redmine { | ||
- | server unix:/ | ||
- | } | ||
- | | ||
- | server { | ||
- | listen *:8080 default_server; | ||
- | client_max_body_size 100M; | ||
- | | ||
- | location / { | ||
- | proxy_pass http:// | ||
- | } | ||
- | } | ||
- | |||
- | |||
- | |||
- | |||
- | |||
- | =====nexus (maven repository)===== | ||
- | |||
- | |||
- | |||
- | : | ||
- | |||
- | | ||
- | |||
- | : | ||
- | |||
- | useradd --system --shell /bin/bash --home-dir / | ||
- | wget http:// | ||
- | tar xzf nexus-latest-bundle.tar.gz -C /opt | ||
- | ln -nfsv / | ||
- | mkdir / | ||
- | chown nexus:nexus / | ||
- | mkdir / | ||
- | chown nexus:nexus / | ||
- | rm -rfv / | ||
- | ln -fsv / | ||
- | ln -fsv / | ||
- | cp / | ||
- | chmod ugo+x / | ||
- | update-rc.d nexus defaults | ||
- | |||
- | |||
- | **/ | ||
- | |||
- | NEXUS_HOME="/ | ||
- | # | ||
- | RUN_AS_USER=" | ||
- | PIDDIR="/ | ||
- | |||
- | |||
- | |||
- | |||
- | **/ | ||
- | |||
- | application-port=8083 | ||
- | nexus-work=/ | ||
- | |||
- | |||
- | |||
- | |||
- | **/ | ||
- | |||
- | wrapper.java.maxmemory=80 | ||
- | |||
- | |||
- | |||
- | |||
- | Zbytek viz. [[http:// | http:// | ||