authorSilvino Silva <silvino@bk.ru>2016-10-03 18:45:10 +0100
committerSilvino Silva <silvino@bk.ru>2016-10-03 18:45:10 +0100
commit44f7d00ad1d32bae79bca07ee5958a3da163c6e5 (patch)
tree0a7c605a23e80853af8985e838a7f4f7d98a3d8c /tools
parentdc2392c0420d3e25771a4bc1967ae97cba16194d (diff)
parentcd136e5c6bb718bbc5b3ba9e1edcf883d58bded7 (diff)
downloaddoc-44f7d00ad1d32bae79bca07ee5958a3da163c6e5.tar.gz
Merge branch 'f-certs' into r-0.2.3
Diffstat (limited to 'tools')
-rw-r--r--tools/nginx.html41
-rw-r--r--tools/postgresql.html95
-rw-r--r--tools/scripts/install-nginx.sh4
-rw-r--r--tools/scripts/install-php.sh2
4 files changed, 127 insertions, 15 deletions
diff --git a/tools/nginx.html b/tools/nginx.html
index 9fd38b9..3daf8d5 100644
--- a/tools/nginx.html
+++ b/tools/nginx.html
@@ -88,6 +88,25 @@
         $
         </pre>
 
+        <p>Having password is a good idea, but requires it every
+        time nginx is restarted. To remove;</p>
+
+        <pre>
+        $ sudo cp /etc/ssl/keys/nginx.key /etc/ssl/keys/nginx.key.pass
+        $ sudo openssl rsa -in /etc/ssl/keys/nginx.key.pass -out /etc/ssl/keys/nginx.key
+        </pre>
+
+        <pre>
+        Enter pass phrase for /etc/ssl/keys/nginx.key.pass:
+        writing RSA key
+        </pre>
+
+        <pre>
+        $ sudo chown nginx /etc/ssl/keys/nginx.key*
+        $ sudo chmod 0600 /etc/ssl/keys/nginx.key*
+	# chmod 644 /etc/ssl/certs/exim.cert
+        </pre>
+
         <p>Sign SSL cetificate;</p>
 
         <pre>
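Review bot: The permissions block added at the end of this hunk (`$ sudo chown nginx`, `$ sudo chmod 0600`, `# chmod 644 /etc/ssl/certs/exim.cert`) is added a second time, with different details (`chown nginx:nginx`, `/etc/ssl/certs/nginx.cert`), in the next hunk of this file, so the rendered page shows the step twice; this looks like a merge leftover and one copy should go. The file named here, `exim.cert`, does not appear anywhere else on this page — the certificate is written to `/etc/ssl/certs/nginx.crt` by the `-out` line a few lines below — and the root `#` prompt with a tab indent breaks the `$ sudo` convention of the surrounding lines. `$ sudo chmod 644 /etc/ssl/certs/nginx.crt` would match the rest; the same `.cert`/`.crt` mismatch also appears in the postgresql.html certificates hunk (`/etc/ssl/certs/pg.cert` versus `-out /etc/ssl/certs/pg.crt`).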
@@ -96,23 +115,17 @@
             -signkey /etc/ssl/keys/nginx.key \
             -out /etc/ssl/certs/nginx.crt
         </pre>
+
         Signature ok
         subject=/C=PT/ST=Some-State/O=Internet Widgits Pty Ltd/CN=core.privat-network.net
         Getting Private key
         Enter pass phrase for /etc/ssl/keys/nginx.key:
         </pre>
 
-        <p>Having password is a good idea, but requires it every
-        time nginx is restarted. To remove;</p>
-
-        <pre>
-        $ sudo cp /etc/ssl/keys/nginx.key /etc/ssl/keys/nginx.key.pass
-        $ sudo openssl rsa -in /etc/ssl/keys/nginx.key.pass -out /etc/ssl/keys/nginx.key
-        </pre>
-
         <pre>
-        Enter pass phrase for /etc/ssl/keys/nginx.key.org:
-        writing RSA key
+        $ sudo chown nginx:nginx /etc/ssl/keys/nginx.key*
+        $ sudo chmod 0600 /etc/ssl/keys/nginx.key*
+	$ sudo chmod 644 /etc/ssl/certs/nginx.cert
         </pre>
 
         <h2 id="nginxconf">3. Nginx Configuration</h2>
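Review bot: The blank line inserted right after `</pre>` sits in front of the signing transcript (`Signature ok` … `Enter pass phrase for /etc/ssl/keys/nginx.key:`), which is then closed by a second `</pre>` with no opening tag, so that transcript renders as running text; the inserted line should be `<pre>` rather than empty. The permissions block added at the end of this hunk duplicates the one added earlier in this file, and `/etc/ssl/certs/nginx.cert` does not match the `-out /etc/ssl/certs/nginx.crt` above it; see the note on the previous hunk.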
@@ -219,12 +232,18 @@
         <p>Check <a href="conf/etc/nginx/sites/">/etc/nginx/sites</a>
         for more examples.</p>
 
+        <p>To debug configurations check logs and;</p>
+
+        <pre>
+        
+        </pre>
+
         <h3>4.1. Setup PHP</h3>
 
         <p> Install php and setup php.ini as development mode;</p>
 
         <pre>
-        $ prt-get depinst php php-fpm php-gd
+        $ sudo prt-get depinst php php-fpm php-gd php-pdo-pgsql php-postgresql
         </pre>
 
         <p>Setup php ini in development mode;<p/>
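Review bot: The new paragraph `To debug configurations check logs and;` is followed by a `<pre>` whose only content is whitespace, so the page promises a command that is not there. Either fill it — nginx's own configuration check, `$ sudo nginx -t`, is the obvious candidate — or drop the paragraph and block until the content exists. The context line `<p>Setup php ini in development mode;<p/>` also has a malformed closing tag (`<p/>` should be `</p>`); it is pre-existing, but worth fixing while this section is being edited.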
diff --git a/tools/postgresql.html b/tools/postgresql.html
index b8790e2..ca31a4d 100644
--- a/tools/postgresql.html
+++ b/tools/postgresql.html
@@ -26,6 +26,10 @@
         # sudo -u postgres initdb -D /srv/pgsql/data
         </pre>
 
+        <h2 id="config">2. Configure Server</h2>
+
+        <h3>2.1. Init script</h3>
+
         <p>Change <a href="conf/etc/rc.d/postgresql">/etc/rc.d/postgresql</a>;</p>
 
         <pre>
@@ -47,7 +51,71 @@
         # End of file
         </pre>
 
-        <h2 id="config">2. Configure Server</h2>
+        <h3>2.2. Certificates</h3>
+
+        <pre>
+        $ sudo openssl genrsa -des3 -out /etc/ssl/keys/pg.key 2048
+        Password:
+        Generating RSA private key, 2048 bit long modulus
+        ..............................+++
+        ............+++
+        e is 65537 (0x10001)
+        Enter pass phrase for /etc/ssl/keys/pg.key:
+        Verifying - Enter pass phrase for /etc/ssl/keys/pg.key:
+        </pre>
+
+        <p>Create ceritificate signing request. For "Common Name"
+        provide domain name or ip address, leave challange password
+        and optional company name blank;</p>
+
+        <pre>
+        $ sudo openssl req -x509 -in server.req -text -key /etc/ssl/keys/pg.key -out /etc/ssl/certs/pg.crt
+
+        Enter pass phrase for /etc/ssl/keys/pg.key:
+        You are about to be asked to enter information that will be incorporated
+        into your certificate request.
+        What you are about to enter is what is called a Distinguished Name or a DN.
+        There are quite a few fields but you can leave some blank
+        For some fields there will be a default value,
+        If you enter '.', the field will be left blank.
+        -----
+        Country Name (2 letter code) [AU]:PT
+        State or Province Name (full name) [Some-State]:
+        Locality Name (eg, city) []:
+        Organization Name (eg, company) [Internet Widgits Pty Ltd]:
+        Organizational Unit Name (eg, section) []:
+        Common Name (e.g. server FQDN or YOUR name) []:core.privat-network.net
+        Email Address []:
+
+        Please enter the following 'extra' attributes
+        to be sent with your certificate request
+        A challenge password []:
+        An optional company name []:
+        $
+        </pre>
+
+        <p>Having password is a good idea, but requires it every
+        time pg is restarted. To remove;</p>
+
+        <pre>
+        $ sudo cp /etc/ssl/keys/pg.key /etc/ssl/keys/pg.key.pass
+        $ sudo openssl rsa \
+            -in /etc/ssl/keys/pg.key.pass \
+            -out /etc/ssl/keys/pg.key
+        </pre>
+
+        <pre>
+        Enter pass phrase for /etc/ssl/keys/pg.key.pass:
+        writing RSA key
+        </pre>
+
+        <pre>
+        $ sudo chown postgres:postgres /etc/ssl/keys/pg.key*
+        $ sudo chmod 0600 /etc/ssl/keys/pg.key*
+        $ sudo chmod 644 /etc/ssl/certs/pg.cert
+        </pre>
+
+        <h3>2.3. Super user password</h3>
 
         <p>Create password for super user;</p>
 
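Review bot: The command under "Create ceritificate signing request", `openssl req -x509 -in server.req -text -key /etc/ssl/keys/pg.key -out /etc/ssl/certs/pg.crt`, does not match the transcript below it: it reads an existing request file `server.req` that nothing on this page creates, and the Distinguished Name prompts shown only appear when a new request is generated, so a reader copying it will get a file-not-found error instead of those prompts. Given the transcript and the later `ssl_cert_file = '/etc/ssl/certs/pg.crt'`, the intent is presumably a self-signed certificate generated directly from the key, e.g. `$ sudo openssl req -new -x509 -key /etc/ssl/keys/pg.key -out /etc/ssl/certs/pg.crt`, with an explicit validity chosen the way the nginx script does with `-days 365`. The final `chmod 644 /etc/ssl/certs/pg.cert` then also has to say `pg.crt`, or the permission change lands on a non-existent file while `pg.crt` keeps whatever mode openssl gave it. The passphrase-removal step leaves the protected original behind as `pg.key.pass`; the `chmod 0600` glob does cover it, but a sentence saying it is only a backup (and may be deleted) would make that explicit.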
@@ -56,6 +124,28 @@
         $ psql -U postgres
         </pre>
 
+        <h3>2.4. Configure postgresql.conf</h3>
+
+        <p>Edit <a href="conf/srv/pgsql/data/postgresql.conf">/srv/pgsql/data/postgresql.conf</a>;</p>
+
+        <pre>
+        # - Security and Authentication -
+
+        #authentication_timeout = 1min          # 1s-600s
+        ssl = on                                # (change requires restart)
+        #ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
+                                                # (change requires restart)
+        #ssl_prefer_server_ciphers = on         # (change requires restart)
+        #ssl_ecdh_curve = 'prime256v1'          # (change requires restart)
+        ssl_cert_file = '/etc/ssl/certs/pg.crt' # (change requires restart)
+        ssl_key_file = '/etc/ssl/keys/pg.key'           # (change requires restart)
+        #ssl_ca_file = ''                       # (change requires restart)
+        #ssl_crl_file = ''                      # (change requires restart)
+        password_encryption = on
+        </pre>
+
+        <h3>2.5. Configure pg_hba.conf</h3>
+
         <p>Edit
         <a href="conf/srv/pgsql/data/pg_hba.conf">/srv/pgsql/data/pg_hba.conf</a>;
         </p>
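Review bot: `password_encryption = on` at the end of the new postgresql.conf excerpt selects the legacy md5 password hashing on the releases that accept `on`; newer PostgreSQL releases accept `scram-sha-256` for this setting, so the page should state which release it targets so readers know which value applies. With `#ssl_ca_file = ''` left commented the server presents its certificate but does not verify clients, which is consistent with the password-based `pg_hba.conf` setup that follows, but one sentence saying so would stop it being read as mutual TLS. The `ssl_key_file` line is also aligned differently from its neighbours (extra spaces before the comment), a small style point since the block is meant to be pasted.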
@@ -87,7 +177,7 @@
         postgres=# alter user postgres with password 'new_password';
         </pre>
 
-        <h3 id="syslog">2.1. Configure syslog-ng</h3>
+        <h3 id="syslog">2.6. Configure syslog-ng</h3>
 
         <p><a href="syslog-ng.html">Configure Syslog-ng</a>, check <a href="http://michael.otacoo.com/postgresql-2/postgres-settings-simple-syslog-configuration-with-syslog-ng/">Michael at otacoo</a> article. Example;</p>
 
@@ -98,7 +188,6 @@
         syslog_facility='LOCAL0'
         syslog_ident='postgres'
         log_connections = on
-        password_encryption=on
         </pre>
 
 
diff --git a/tools/scripts/install-nginx.sh b/tools/scripts/install-nginx.sh
index 7fee79b..decacc1 100644
--- a/tools/scripts/install-nginx.sh
+++ b/tools/scripts/install-nginx.sh
@@ -6,6 +6,9 @@ prt-get depinst nginx
 
 cp -R $CONF_DIR/etc/nginx/* /etc/nginx/
 
+mkdir /srv/www
+chown nginx:www /srv/www
+
 usermod -a -G www nginx
 usermod -m -d /srv/www nginx
 
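Review bot: `mkdir /srv/www` is not idempotent — a second run of the script fails as soon as the directory exists — and because it now runs before the existing `usermod -m -d /srv/www nginx`, that command is asked to move the home directory onto a path that already exists, which usermod generally refuses (verify against the shadow-utils version in use). `mkdir -p /srv/www` fixes the first point; for the second, either drop `-m` or create and chown the directory after the usermod lines. `chown nginx:www /srv/www` also assumes the `nginx` user and `www` group already exist, which nothing visible in this hunk creates or checks.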
@@ -18,3 +21,4 @@ openssl x509 -req -days 365 \
 
 cp /etc/ssl/keys/nginx.key /etc/ssl/keys/nginx.key.pass
 openssl rsa -in /etc/ssl/keys/nginx.key.pass -out /etc/ssl/keys/nginx.key
+
diff --git a/tools/scripts/install-php.sh b/tools/scripts/install-php.sh
index 9d47ada..4c28173 100644
--- a/tools/scripts/install-php.sh
+++ b/tools/scripts/install-php.sh
@@ -2,6 +2,6 @@
 
 . `dirname $0`/config-install.sh
 
-prt-get depinst php php-fpm php-gd php-pdo-pgsql
+prt-get depinst php php-fpm php-gd php-pdo-pgsql php-postgresql
 
 cp /etc/php/php.ini-development /etc/php/php.ini