12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270
3704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978 |
- %
- % Software-daemons.tex
- %
- % Fork Sand IT Manual
- %
- % Copyright (C) 2018, Fork Sand, Inc.
- % Copyright (C) 2017, Jeff Moe
- % Copyright (C) 2014, 2015, 2016, 2017 Aleph Objects, Inc.
- %
- % This document is licensed under the Creative Commons Attribution 4.0
- % International Public License (CC BY-SA 4.0) by Fork Sand, Inc.
- %
- \section{Server Daemons}
- These are the server daemons used to drive the enterprise.
- \section{\href{http://sourceforge.net/projects/acpid2/}{ACPID}}
- Monitors ACPI events. Runs on nearly all servers and workstations.
- \section{\href{http://httpd.apache.org/}{Apache}}
- Web daemon, used on many servers.
- \section{\href{http://www.isc.org/}{BIND}}
- Nameserver used for caching.
- \section{\href{https://borgbackup.github.io/borgbackup/}{Borg}}
- Backup program.
- \section{\href{https://www.collaboraoffice.com/code/}{code}}
- Collabora Online Development Edition (CODE) is LibreOffice Online (LOOL)
- for Nextcloud.
- \section{\href{https://github.com/coturn/coturn}{coturn}}
- TURN and STUN server. Used for videoconferencing.
- \section{\href{http://ftp.isc.org/isc/cron/}{cron}}
- Scheduled triggering of applications (cf. at).
- \section{\href{http://dnsmasq.org/}{DHCP}}
- dnsmasq DHCP for 350+ hosts.
- \section{\href{https://www.discourse.org/}{Discourse}}
- Mailing list, discussion board, forum.
- \section{\href{https://dockerproject.org/}{Docker}}
- \begin{picture}(0,0)\put(-10000,0){
- \gls{docker}
- }\end{picture}
- System containers, virtual servers.
- \section{\href{http://dnsmasq.org/}{DNS}}
- dnsmasq DNS caching.
- \section{\href{http://dnsmasq.org/}{Dovecot}}
- IMAP mail services. Employees check their mail via the
- IMAP server, typically using Icedove or aomail (roundcube using IMAP).
- \section{\href{https://www.erlang.org/}{Erlang}}
- Virtual machine (ejabberd).
- \section{{iptables}{\Glspl{firewall}}}
- Linux's iptables.
- \section{\href{http://www.fail2ban.org/}{fail2ban}}
- Block out scripts, bots, crackers, and network noise on servers.
- \section{\href{http://www.debian.org/}{Init}}
- Init, woo!
- \section{\href{http://mariadb.org/}{MariaDB}}
- Used on many servers for a database. Replacing MySQL.
- \section{md RAID}
- Linux RAID, md, mdadm.
- \section{\href{http://www.memcached.org/}{memcached}}
- Used to speed up websites, such as Nextcloud.
- \section{\href{http://www.mysql.org/}{MySQL}}
- Used on many servers for a database.
- \section{\href{https://nextcloud.com/}{Nextcloud}}
- Shared calendars, files, collaborative document editing with
- LibreOffice Online, videoconferencing.
- Some of this is from owncloud era...
- \begin{minted}{sh}
- #Install debian jessie, ssh server, standard system utilities
- #install jebba ssh key
- #install sudo
- #disable password ssh
- #disable root ssh
- #==================================
- #
- #Set up DNS
- #Set up Server
- #Create new jessie server, and boot it up.
- #Copy over key:
- ssh-copy-id jebba@pwn.themoes.org
- #Log in to new machine:
- ssh jebba@pwn.themoes.org
- #Change jebba's password.
- passwd jebba
- #Set a root password:
- su -
- passwd root
- #Disable source repos:
- sed -i -e 's/deb-src/#deb-src/g' /etc/apt/sources.list
- #Set up `git` as kludge to track /etc
- apt-get -y install git
- cd /etc
- git init
- chmod og-rwx /etc/.git
- vi /etc/.gitignore
- \end{minted}
- Add these lines to /etc/.gitignore
- \begin{minted}{sh}
- prelink.cache
- *.swp
- ld.so.cache
- adjtime
- blkid.tab
- blkid.tab.old
- mtab
- resolv.conf
- asound.state
- mtab.fuselock
- aliases.db
- \end{minted}
- \subsection{Set up a git user:}
- vi ~/.gitconfig
- \begin{minted}{sh}
- [user]
- name = Jeff Moe
- [color]
- branch = auto
- diff = auto
- status = auto
- \end{minted}
- \subsection{Create and populate the git repo for /etc:}
- \begin{minted}{sh}
- git add .
- EDITOR=vi git commit -a
- \end{minted}
- Intial setup of pwn.themoes.org jessie owncloud server
- \begin{minted}{sh}
- #Install some needed stuff:
- apt-get -y install sudo vim curl exuberant-ctags rsync ntp vim-scripts
- host strace telnet lsb-release unzip bzip2 && apt-get clean
- #Set up vim:
- echo :syntax on > ~/.vimrc
- #Add jebba to sudo group:
- adduser jebba sudo
- #Make sudoers passwordless:
- vim /etc/sudoers
- #Change:
- %sudo ALL=(ALL:ALL) ALL
- #To:
- %sudo ALL=(ALL) NOPASSWD: ALL
- #Edit /etc/ssh/sshd_config (dodgy way to do this):
- sed -i \
- -e 's/PermitRootLogin yes/PermitRootLogin no/g' \
- -e 's/\#PasswordAuthentication yes/PasswordAuthentication no/g' \
- -e 's/RSAAuthentication yes/RSAAuthentication no/g' \
- -e 's/Port 22/Port 43827/g'\
- -e 's/X11Forwarding yes/X11Forwarding no/g' \
- /etc/ssh/sshd_config
- #Disable unneeded services:
- for i in nfs-common rpcbind mountkernfs.sh rsync exim4 ; do echo $i ;
- sudo /usr/sbin/update-rc.d $i disable ; done
- \end{minted}
- Todo. Should these be dropped too? mountnfs-bootclean.sh mountnfs.sh
- Reboot
- \begin{minted}{sh}
- #Log in as jebba (from workstation):
- ssh -p 43827 -C jebba@pwn.themoes.org
- #VIM:
- echo :syntax on > ~/.vimrc
- \end{minted}
- \subsection{Setup}
- Update /etc/hosts:
- \begin{minted}{sh}
- 5.152.179.226 pwn pwn.themoes.org
- #Comment out:
- #127.0.1.1 pwn.themoes.org pwn
- #Update /etc/hostname:
- pwn
- #Commit everything so far to git
- sudo su -
- cd /etc
- git add .
- EDITOR=vi git commit -a
- # Additional base config for server.
- \end{minted}
- \subsection{Make IP Static}
- \begin{minted}{sh}
- vim /etc/network/interfaces
- \end{minted}
- Comment out:
- \begin{minted}{sh}
- #allow-hotplug eth0
- #iface eth0 inet dhcp
- \end{minted}
- Add:
- \begin{minted}{sh}
- auto eth0
- iface eth0 inet static
- address 5.152.179.226
- netmask 255.255.255.0
- gateway 5.152.179.1
- \end{minted}
- \subsection{Install Firewall}\label{ssec:nextcloudfirewall}
- \url{https://wiki.debian.org/iptables}
- \begin{minted}{sh}
- #Create /etc/iptables.up.rules and /etc/network/if-pre-up.d/iptables
- touch /etc/iptables.up.rules /etc/network/if-pre-up.d/iptables
- /etc/iptables.test.rules
- chmod 600 /etc/iptables.test.rules /etc/iptables.up.rules
- \end{minted}
- \begin{minted}{sh}
- vim /etc/iptables.test.rules
- \end{minted}
- *filter
- \begin{minted}{sh}
- # Allows all loopback (lo0) traffic and drop all traffic to 127/8 that
- doesn't use lo0
- -A INPUT -i lo -j ACCEPT
- #-A INPUT -i ! lo -d 127.0.0.0/8 -j REJECT
- # Accepts all established inbound connections
- -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
- # Allows all outbound traffic
- # You could modify this to only allow certain traffic
- -A OUTPUT -j ACCEPT
- # Allows HTTP and HTTPS connections from anywhere (the normal ports for
- websites)
- #-A INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT
- #-A INPUT -p tcp --dport 80 -j ACCEPT
- # Accept 443 from everywhere
- #-A INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT
- #-A INPUT -p tcp --dport 443 -j ACCEPT
- # SSH Access Port 43827
- -A INPUT -p tcp -s 67.54.153.124 --dport 43827 -j ACCEPT
- # Allow ssh from anywhere
- -A INPUT -p tcp --dport 43827 -j ACCEPT
- # Allow ping
- -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
- # Opsview access
- #-A INPUT -s 999.999.999.999/32 -p icmp -m icmp --icmp-type 8 -j ACCEPT
- #-A INPUT -s 999.999.999.999/32 -p tcp -m tcp -m multiport --dports
- 2222,37,4949,5666 -j ACCEPT
- # log iptables denied calls (access via 'dmesg' command)
- -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: "
- --log-level 7
- # Reject all other inbound - default deny unless explicitly allowed policy:
- -A INPUT -j REJECT
- -A FORWARD -j REJECT
- COMMIT
- \end{minted}
- \begin{minted}{sh}
- touch /etc/network/if-pre-up.d/iptables
- chmod 755 /etc/network/if-pre-up.d/iptables
- vim /etc/network/if-pre-up.d/iptables
- \end{minted}
- \begin{minted}{sh}
- #!/bin/bash
- /sbin/iptables-restore < /etc/iptables.up.rules
- \end{minted}
- Then run:
- \begin{minted}{sh}
- iptables-restore < /etc/iptables.test.rules
- iptables -L
- iptables-save > /etc/iptables.up.rules
- \end{minted}
- Disable IPv6
- \begin{minted}{sh}
- vim /etc/sysctl.conf
- \end{minted}
- Add:
- \begin{minted}{sh}
- # Disable IPv6
- net.ipv6.conf.all.disable_ipv6 = 1
- net.ipv6.conf.default.disable_ipv6 = 1
- net.ipv6.conf.lo.disable_ipv6 = 1
- net.ipv6.conf.eth0.disable_ipv6 = 1
- \end{minted}
- \begin{minted}{sh}
- sysctl -p
- \end{minted}
- Add this to kernel boot line /etc/default/grub:
- \begin{minted}{sh}
- GRUB_CMDLINE_LINUX="ipv6.disable=1"
- \end{minted}
- then run:
- \begin{minted}{sh}
- update-grub
- \end{minted}
- \begin{minted}{sh}
- # Also need to change anything in /etc/apache2/sites-enabled/* that has
- *:80 to 0.0.0.0, so no IPv6.
- # Comment out IPv6 stuff in /etc/hosts:
- #::1 localhost ip6-localhost ip6-loopback
- #ff02::1 ip6-allnodes
- #ff02::2 ip6-allrouters
- # Also need to change anything in /etc/apache2/sites-enabled/* that has
- *:80 to 0.0.0.0, so no IPv6.
- \end{minted}
- Blacklist the module, don't even load it:
- \begin{minted}{sh}
- echo blacklist ipv6 > /etc/modprobe.d/ipv6.conf
- \end{minted}
- Tell the module not to use IPv6 (hit it with the hammer over and over):
- \begin{minted}{sh}
- echo alias net-pf-10 off >> /etc/modprobe.d/aliases.conf
- echo alias ivp6 off >> /etc/modprobe.d/aliases.conf
- \end{minted}
- \begin{minted}{sh}
- reboot
- \end{minted}
- \subsection{Install nextcloud}
- Copied from Owncloud installation sequence. Todo: review difference to Nextcloud
- Add Debian Backports (eh?)
- \begin{minted}{sh}
- sh -c "echo 'deb http://mirrors.kernel.org/debian/ jessie-backports
- main' >> /etc/apt/sources.list.d/backports.list"
- apt-get update
- apt-get dist-upgrade -t jessie-backports
- apt-get clean
- sync
- reboot & exit
- \end{minted}
- Add owncloud repos (ToDo)
- \begin{minted}{sh}
- cd
- wget -nv \
- https://download.owncloud.org/download/repositories/stable/Debian_8.0/Release.key \
- -O Release.key
- apt-key add - < Release.key
- sh -c "echo 'deb
- http://download.owncloud.org/download/repositories/stable/Debian_8.0/ /'
- >> /etc/apt/sources.list.d/owncloud.list"
- apt-get update
- apt-get install -t jessie-backports php5-apcu php-apc php5-imagick \
- ffmpeg libreoffice php5-mysql php5-mcrypt php5-gmp php5-apcu \
- php5-memcache php5-memcached memcached php5-redis php5-imagick apache2 \
- libapache2-mod-php5 php5-gd php5-json php5-mysql php5-curl php5-intl \
- php5-mcrypt php5-imagick mysql-server
- apt-get clean
- \end{minted}
- Set up database
- \begin{minted}{sh}
- vim ~/.mysqlpw
- \end{minted}
- \begin{minted}{sh}
- # meh
- update-rc.d saned disable
- \end{minted}
- \begin{minted}{sh}
- # Configure Apache2 on a Debian Jessie Server
- # Setup default https configuration:
- cd /etc/apache2/sites-enabled
- ln -s ../sites-available/default-ssl .
- # Enable SSL modules
- cd /etc/apache2/mods-enabled
- ln -s ../mods-available/*ssl* .
- ln -s ../mods-available/socache_shmcb.load .
- # XXX left this out:
- #vim /etc/apache2/sites-available/default-ssl.conf
- # make sure that each <Directory > has AllowOverride All
- # Generate SSL certificate
- cd /etc/ssl/private/
- openssl genrsa -out pwn.themoes.org.key 2048
- openssl req -new -key pwn.themoes.org.key -out pwn.themoes.org.csr
- #* After the last command answer the following:
- #** Country Name : US
- #** State or Province Name: Colorado
- #** Locality Name: Redstone Canyon
- #** Organization Name: Moe
- #** Organizational Unit Name: IT
- #** Common Name: pwn.themoes.org
- #** Email Address: pwn@themoes.org
- #** Leave Challenge password and An optional company name blank.
- # Sent csr to SSL registrar.
- \end{minted}
- Open up port 80 to do SSL registrar verification:
- \begin{minted}{sh}
- vim /etc/iptables.test.rules
- \end{minted}
- Enable the port 80 lines for registar, and port 443 lines for owncloud
- later at the file
- \begin{minted}{sh}
- iptables-restore < /etc/iptables.test.rules
- iptables -L
- iptables-save > /etc/iptables.up.rules
- \end{minted}
- Copy Gandi file for SSL authentication to /var/www/html/
- After Gandi verifies it, remove the file.
- Then disable port 80 in the \gls{firewall} again:
- \begin{minted}{sh}
- vim /etc/iptables.test.rules
- \end{minted}
- \begin{minted}{sh}
- iptables-restore < /etc/iptables.test.rules
- iptables -L
- iptables-save > /etc/iptables.up.rules
- \end{minted}
- Move the cert in place
- \begin{minted}{sh}
- mv /home/jebba/certificate-323281.crt /etc/ssl/private/pwn.themoes.org.crt
- chown root:root /etc/ssl/private/pwn.themoes.org.crt
- # Gandi intermediate certs XXX
- # http://crt.gandi.net/GandiStandardSSLCA2.crt OR
- # https://www.gandi.net/static/CAs/GandiStandardSSLCA2.pem
- # Gah, wtf, add this?
- # Comodo Cross-Signed Certificate
- # http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
- #* Generate certificate:
- # XXX gah, gandi root certs ?
- # WTF does this do.
- openssl x509 -req -in pwn.themoes.org.csr -CA AOrootCA.pem \
- -CAkey AOrootCA.key -CAserial AOrootCA.srl \
- -out pwn.themoes.org.crt -days 65000
- \end{minted}
- ToDo: consider adding rm pwn.themoes.org.csr
- Place the .crt and .key files on pwn.themoes.org in /etc/ssl/private
- directory.
- Make sure the they can't be read by the others.
- Configure SSL part of the Apache Server:
- \begin{minted}{sh}
- vim /etc/apache2/sites-available/default-ssl.conf
- \end{minted}
- change to:
- \begin{minted}{sh}
- ServerName pwn.themoes.org
- ServerAdmin pwn@themoes.org
- \end{minted}
- comment out snakeoil keys
- add
- \begin{minted}{sh}
- SSLProtocol all -SSLv2
- SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
- SSLCertificateFile /etc/ssl/private/pwn.themoes.org.crt
- SSLCertificateKeyFile /etc/ssl/private/pwn.themoes.org.key
- \end{minted}
- \subsection{Enable the SSL server}
- \begin{minted}{sh}
- cd /etc/apache2/sites-enabled
- ln -s ../sites-available/default-ssl.conf .
- \end{minted}
- Restart Apache2
- \begin{minted}{sh}
- /etc/init.d/apache2 restart
- \end{minted}
- \begin{minted}{sh}
- echo pwn > /var/www/html/index.html
- \end{minted}
- Install owncloud
- \begin{minted}{sh}
- apt-get install -t jessie-backports owncloud
- \end{minted}
- set up mysql owncloud user
- \begin{minted}{sh}
- vim ~/.mysqlpw-own
- cat ~/.mysqlpw-own
- mysql -uroot -p`cat ~/.mysqlpw`
- CREATE USER 'owncloud'@'localhost' IDENTIFIED BY 'password';
- CREATE DATABASE IF NOT EXISTS owncloud;
- GRANT ALL PRIVILEGES ON owncloud.* TO 'owncloud'@'localhost' IDENTIFIED
- BY 'password';
- ##############
- # Migrate db to sql.themoes.org
- ##############
- # Set up mysql config with sql.themoes.org (NOT on traccar, but on db
- server)
- mysql> CREATE DATABASE owncloud;
- mysql> CREATE USER 'owncloud'@'192.168.22.2' IDENTIFIED BY 'XXX';
- mysql> GRANT ALL ON owncloud.* TO 'owncloud'@'192.168.22.2';
- mysql> FLUSH PRIVILEGES;
- \end{minted}
- \begin{minted}{sh}
- mkdir /srv/owncloud
- chown www-data:www-data /srv/owncloud
- chmod 770 /srv/owncloud
- \end{minted}
- \begin{minted}{sh}
- # Do web stuff
- # https://pwn.themoes.org/owncloud/
- # Create admin account
- # Data folder:
- # /srv/owncloud
- # MySQL:
- # User: owncloud
- # Password:
- # Database Name: owncloud
- \end{minted}
- set up crontab in web and here:
- \begin{minted}{sh}
- crontab -u www-data -e
- \end{minted}
- Add:
- \begin{minted}{sh}
- */15 * * * * php -f /var/www/owncloud/cron.php
- \end{minted}
- Check it:
- \begin{minted}{sh}
- crontab -u www-data -l
- \end{minted}
- \begin{minted}{sh}
- root@pwn:/etc/ssl/private# chmod o-r *
- root@pwn:/etc/ssl/private# rm ssl-cert-snakeoil.key
- wget https://www.gandi.net/static/CAs/GandiStandardSSLCA2.pem
- mv GandiStandardSSLCA2.pem /etc/ssl/certs/
- chown root:root /etc/ssl/certs/GandiStandardSSLCA2.pem
- \end{minted}
- Add this to
- Configure SSL part of the Apache Server:
- \begin{minted}{sh}
- vim /etc/apache2/sites-available/default-ssl.conf
- \end{minted}
- \begin{minted}{sh}
- SSLCertificateChainFile /etc/ssl/certs/GandiStandardSSLCA2.pem
- SSLVerifyClient None
- \end{minted}
- \subsection{Libreoffice}
- \begin{minted}{sh}
- vim /var/www/owncloud/config/config.php
- \end{minted}
- \begin{minted}{sh}
- 'preview_libreoffice_path' => '/usr/bin/libreoffice',
- \end{minted}
- POSTFIX XXX ...
- \begin{minted}{sh}
- apt-get remove exim4 exim4-base exim4-config exim4-daemon-light
- apt-get purge exim4 exim4-base exim4-config exim4-daemon-light
- apt-get install postfix
- #apt-get install bsd-mailx
- \end{minted}
- Use APCu and Redis for caching
- \begin{minted}{sh}
- vim /var/www/owncloud/config/config.php
- \end{minted}
- add
- \begin{minted}{sh}
- 'memcache.local' => '\OC\Memcache\APCu',
- 'redis' => array(
- 'host' => '/var/run/redis/redis.sock',
- 'port' => 0,
- ),
- 'memcache.locking' => '\OC\Memcache\Redis',
- \end{minted}
- \begin{minted}{sh}
- vim /etc/redis/redis.conf
- \end{minted}
- \begin{minted}{sh}
- unixsocket /var/run/redis/redis.sock
- unixsocketperm 770
- \end{minted}
- \begin{minted}{sh}
- adduser www-data redis
- \end{minted}
- Todo: consider reboot
- \begin{minted}{sh}
- # Secure https some moar
- #
- https://doc.owncloud.org/server/9.0/admin_manual/configuration_server/harden_server.html#enable-hsts-label
- cd /etc/apache2/mods-enabled
- ln -s ../mods-available/headers.load .
- vim /etc/apache2/sites-enabled/default-ssl.conf
- \end{minted}
- Add:
- \begin{minted}{sh}
- <IfModule mod_headers.c>
- Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
- </IfModule>
- \end{minted}
- Add stuff, and run:
- \begin{minted}{sh}
- vim /var/www/owncloud/config/config.php
- \end{minted}
- \begin{minted}{sh}
- 'defaultapp' => 'calendar',
- 'session_keepalive' => true,
- 'htaccess.RewriteBase' => '/owncloud',
- \end{minted}
- \begin{minted}{sh}
- sudo -u www-data /var/www/owncloud/occ maintenance:update:htaccess
- \end{minted}
- Drop /owncloud from the URL
- \begin{minted}{sh}
- vim /etc/apache2/conf-available/owncloud.conf
- \end{minted}
- \begin{minted}{sh}
- Alias / "/var/www/owncloud/"
- \end{minted}
- \begin{minted}{sh}
- vim /var/www/owncloud/config/config.php
- \end{minted}
- \begin{minted}{sh}
- 'overwrite.cli.url' => 'https://pwn.themoes.org',
- \end{minted}
- \subsection{Misc}
- \begin{minted}{sh}
- vim /var/www/owncloud/config/config.php
- \end{minted}
- \begin{minted}{sh}
- 'logtimezone' => 'MST',
- 'session_keepalive' => true,
- 'htaccess.RewriteBase' => '/',
- 'overwritewebroot' => '/',
- 'check_for_working_webdav' => true,
- 'check_for_working_wellknown_setup' => true,
- 'check_for_working_htaccess' => true,
- 'logfile' => '/var/log/owncloud.log',
- 'loglevel' => 2,
- 'enable_previews' => true,
- 'preview_max_x' => 2048,
- 'preview_max_y' => 2048,
- 'preview_max_scale_factor' => 10,
- 'preview_max_filesize_image' => 50,
- 'preview_office_cl_parameters' =>
- ' --headless --nologo --nofirststartwizard --invisible
- --norestore '.
- '-convert-to pdf -outdir ',
- 'enabledPreviewProviders' => array(
- 'OC\Preview\PNG',
- 'OC\Preview\JPEG',
- 'OC\Preview\GIF',
- 'OC\Preview\BMP',
- 'OC\Preview\XBitmap',
- 'OC\Preview\MP3',
- 'OC\Preview\TXT',
- 'OC\Preview\MarkDown',
- 'OC\Preview\PDF',
- 'OC\Preview\Postscript',
- 'OC\Preview\SVG',
- 'OC\Preview\Movie',
- 'OC\Preview\MSOfficeDoc',
- 'OC\Preview\MSOffice2003',
- 'OC\Preview\MSOffice2007',
- 'OC\Preview\OpenDocument',
- 'OC\Preview\StarOffice',
- ),
- 'maintenance' => false,
- 'singleuser' => false,
- 'asset-pipeline.enabled' => false,
- \end{minted}
- set up that temp dir:
- \begin{minted}{sh}
- mkdir /srv/owncloudtemp
- chown www-data:www-data /srv/owncloudtemp/
- chmod 770 /srv/owncloudtemp/
- vim /var/www/owncloud/config/config.php
- \end{minted}
- \begin{minted}{sh}
- 'tempdirectory' => '/srv/owncloudtemp',
- \end{minted}
- php.ini stuff
- \begin{minted}{sh}
- vim /etc/php5/apache2/php.ini
- \end{minted}
- \begin{minted}{sh}
- php_value upload_max_filesize = 5G
- php_value post_max_size = 5G
- php_value max_input_time 3600
- php_value max_execution_time 3600
- memory_limit = 512M
- \end{minted}
- for svg ?
- \begin{minted}{sh}
- apt-get install inkscape
- \end{minted}
- \begin{minted}{sh}
- \subsection{Solr / Nexant}
- \end{minted}
- \begin{minted}{sh}
- apt-get install php-solr solr-jetty
- \end{minted}
- \begin{minted}{sh}
- # enable nexant app in web interface
- # vim /etc/jetty9/jetty-http.xml
- # vim /etc/jetty9/jetty-https.xml
- # <Set name="host"><Property name="jetty.host" /></Set>
- # to
- # <Set name="host"><Property name="jetty.host" default="127.0.0.1" /></Set>
- \end{minted}
- \begin{minted}{sh}
- # nope
- #cd solr/
- #cp -fr configsets/basic_configs nextant
- # This:
- # https://github.com/nextcloud/nextant/wiki/Setup-your-local-standalone-Solr
- # see local git clone
- # Actually, do this install of solr...
- # https://github.com/nextcloud/nextant/wiki/Setup-your-local-Solr-as-a-Service
- # apt-get install tesseract-ocr tesseract-ocr-eng
- # apt-get install ocrmypdf # not needed, for other OCR thing
- \end{minted}
- \subsection{Spreed}
- \large{Spreed Nextcloud WebRTC}
- There is a Spreed.me module for Nextcloud, which points to a spreed
- webrtc server. If the spreed and nextcloud server use different
- hostnames (origins), screen-sharing won't be allowed due to browser
- restrictions. So spreed is getting installed straight onto the Nextcloud
- server, https://own.alephobjects.com .
- \subsection{Links}
- \begin{minted}{sh}
- * https://github.com/strukturag/spreed-webrtc
- * https://github.com/strukturag/nextcloud-spreedme
- * https://github.com/strukturag/nextcloud-spreedme#installation--setup-of-a-spreed-webrtc-server
- * https://hub.docker.com/r/spreed/webrtc/
- * https://docs.docker.com/engine/installation/linux/debian/
- \end{minted}
- We're going to use a \gls{docker} install... own.alephobjects.com is
- currently running Debian Stretch (testing, version 9). Unfortunately,
- \gls{docker}.io (as it is named in Debian) is available for jessie-backports
- and sid, but not for stretch... We'll use \gls{docker}'s apt repos to get
- \gls{docker} ....
- \subsection{Install Docker}
- \begin{minted}{sh}
- * https://docs.docker.com/engine/installation/linux/debian/
- \end{minted}
- \begin{minted}{sh}
- apt update
- apt install apt-transport-https ca-certificates gnupg2
- apt-key adv \
- --keyserver hkp://ha.pool.sks-keyservers.net:80 \
- --recv-keys 58118E89F3A912897C070ADBF76221572C52609D
- vim /etc/apt/sources.list.d/docker.list
- \end{minted}
- Add:
- \begin{minted}{sh}
- deb https://apt.dockerproject.org/repo debian-stretch main
- \end{minted}
- \begin{picture}(0,0)\put(-10000,0){
- \gls{docker}
- }\end{picture}
- \begin{minted}{sh}
- cd /etc ; git add . ; git commit -a -m 'Add docker repo to apt'
- \end{minted}
- save
- \begin{minted}{sh}
- apt update
- apt install -y docker-engine
- cd /etc ; git add . ; git commit -a -m 'Install docker'
- service docker start
- \end{minted}
- \subsection{Test docker}
- \begin{picture}(0,0)\put(-10000,0){
- \gls{docker}
- }\end{picture}
- \begin{minted}{sh}
- docker run hello-world
- \end{minted}
- \subsection{Set up spreed docker}
- \begin{minted}{sh}
- mkdir -p /srv/spreed/extra.d
- vim /etc/spreed-webrtc-nextcloud.conf
- \end{minted}
- make config like this:
- \begin{minted}{sh}
- [http]
- basePath = /webrtc/
- [app]
- authorizeRoomJoin = true
- extra.d = /srv/spreed/extra.d
- [users]
- enabled = true
- mode = sharedsecret
- \end{minted}
- \subsection{Run Spreed Docker}
- \begin{picture}(0,0)\put(-10000,0){
- \gls{docker}
- }\end{picture}
- \begin{minted}{sh}
- cd /srv/spreed
- docker run --name ao-spreed-webrtc -p 8080:8080 -p 8443:8443 \
- -v /srv/spreed -i -t spreed/webrtc -c /etc/spreed-webrtc-nextcloud.conf
- \end{minted}
- On first launch, it may hang forever because it doesn't have any
- entropy. So it will hang at "Creating new server secrets ..."
- Here is a workaround to generate entropy:
- \begin{minted}{sh}
- apt install -y rng-tools
- rngd -f -r /dev/urandom
- \end{minted}
- Run it thusly:
- \begin{picture}(0,0)\put(-10000,0){
- \gls{docker}
- }\end{picture}
- \begin{minted}{sh}
- docker run -d --name my-spreed-webrtc -p 8080:8080 -p 8443:8443 -v \
- /etc/spreed:/etc/spreed -v /var/log/spreed:/var/log/spreed -v \
- /var/www/owncloud/apps/spreedme/extra:/var/www/owncloud/apps/spreedme/extra \
- -i -t spreed/webrtc -c /etc/spreed/server.conf
- \end{minted}
- \large{Configure Apache}
- install needed apache modules:
- \begin{minted}{sh}
- a2enmod proxy proxy_http proxy_wstunnel headers
- vim /etc/apache2/sites-enabled/01-own.alephobjects.com.conf
- \end{minted}
- Add this inside the VirtualHost section:
- \begin{minted}{sh}
- # Spreed WebRTC
- ProxyPass http://127.0.0.1:8080/webrtc
- ProxyPassReverse /webrtc
- ProxyPass ws://127.0.0.1:8080/webrtc/ws
- ProxyVia On
- ProxyPreserveHost On
- RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
- \end{minted}
- \subsection{Spreed Configuration}
- \begin{picture}(0,0)\put(-10000,0){
- \gls{docker}
- }\end{picture}
- \begin{minted}{sh}
- Get the config in own.alephobjects.com --> admin --> Additional
- Settings(?) --> Spreed.me
- # Generate that config, put it in /etc/spreed/spreed.conf
- # Restart docker.
- #cd /etc ; git add . ; git commit -a -m 'Configure'
- ##### HMM
- docker run --name ao-spreed-webrtc -p 8080:8080 -p 8443:8443 -v \
- /srv/spreed -i -t spreed/webrtc -c /etc/spreed/server.conf
- rngd -f -r /dev/urandom
- # 585 docker run --name my-spreed-webrtc -p 8080:8080 -p 8443:8443 -v \
- /etc/spreed:/etc/spreed -i -t spreed/webrtc -c /etc/spreed/server.conf
- # 587 docker run -d --name my-spreed-webrtc -p 8080:8080 -p 8443:8443 \
- -v /etc/spreed:/etc/spreed -v /var/log/spreed:/var/log/spreed -v \
- /var/www/owncloud/apps/spreedme/extra:/var/www/owncloud/apps/spreedme/extra \
- -i -t spreed/webrtc -c /etc/spreed/server.conf
- docker run -d --name my-spreed-webrtc -p 8080:8080 -p 8443:8443 -v \
- /etc/spreed:/etc/spreed -v /var/log/spreed:/var/log/spreed -v \
- /var/www/owncloud/apps/spreedme/extra:/var/www/owncloud/apps/spreedme/extra \
- -i -t spreed/webrtc -c /etc/spreed/server.conf
- # These two:
- rngd -f -r /dev/urandom
- docker run -d --restart unless-stopped --name my-spreed-webrtc -p \
- 8080:8080 -p 8443:8443 -v /etc/spreed:/etc/spreed -v \
- /var/log/spreed:/var/log/spreed -v \
- /var/www/owncloud/apps/spreedme/extra:/var/www/owncloud/apps/spreedme/extra \
- -i -t spreed/webrtc -c /etc/spreed/server.conf \
- \end{minted}
- \subsection{apache2}
- Install needed apache modules:
- \begin{minted}{sh}
- a2enmod proxy proxy_http proxy_wstunnel headers
- vim /etc/apache2/sites-enabled/pwn.themoes.org.conf
- \end{minted}
- Add this inside the VirtualHost section:
- \begin{minted}{sh}
- # Spreed WebRTC
- <Location /webrtc>
- ProxyPass http://127.0.0.1:8080/webrtc
- ProxyPassReverse /webrtc
- </Location>
- <Location /webrtc/ws>
- ProxyPass ws://127.0.0.1:8080/webrtc/ws
- </Location>
- ProxyVia On
- ProxyPreserveHost On
- RequestHeader set X-Forwarded-Proto 'https' env=HTTPS
- \end{minted}
- \section{\href{http://support.ntp.org/}{NTP}}
- Syncs time on every server and workstation.
- \section{\href{http://www.opendkim.org/}{OpenDKIM}}
- DKIM (Domain Keys Identified Mail) sender authentication system.
- \section{\href{http://www.openssh.com/}{OpenSSH}}
- Used to control every server, create encrypted tunnels (autossh),
- mount filesystems (sshfs), and remote file transfer (sftp).
- \section{\href{http://openvpn.net/}{OpenVPN}}
- Connects external resources, such as employee mobiles and laptops, to the internal network.
- \section{\href{https://www.piwiki.org/}{Piwik}}
- Application to analyze web site traffic.
- \href{http://www.mrunix.net/webalizer/}{Webalizer} is used occassionally.
- \section{\href{http://www.postfix.org/}{Postfix}}
- Main SMTP outgoing mail server.
- \section{\href{http://www.postgresql.org/}{Postgres}}
- Database server.
- \section{\href{http://www.qemu.org/}{QEMU}}
- Computer emulator, runs virtual servers. Uses \gls{kvm}.
- \section{\href{http://rsync.samba.org/}{rsync}}
- File server.
- \section{\href{http://www.rsyslog.com/}{rsyslog}}
- Logging on every server and workstation.
- \section{\href{http://www.spamassassin.org/}{spamassassin}}
- Spam filtering of email.
- \section{\href{http://fuse.sourceforge.net/sshfs.html}{sshfs}}
- Main internal fileserver.
- \section{\href{http://www.freedesktop.org/wiki/Software/systemd}{systemd}}
- System bootup and process manager.
- \section{\href{http://dnsmasq.org/}{TFTP}}
- Network install server.
- \section{\href{http://www.xinetd.org}{xinetd}}
- xinetd on Debian systems. inetd on OpenBSD. Misc network utils.
- \section{\href{http://www.ejabberd.im/}{XMPP/jabber}}
- ejabberd, Erlang XMPP (jabber) server.