From 6343ecacd941a133d01bf9354adf6b79a0a0cb3d Mon Sep 17 00:00:00 2001
From: Silvino Silva
Date: Thu, 29 Sep 2016 05:23:33 +0100
Subject: nginx and php revision
---
 tools/nginx.html | 2 +-
 tools/scripts/install-nginx.sh | 4 ++++
 tools/scripts/install-php.sh | 2 +-
 3 files changed, 6 insertions(+), 2 deletions(-)
(limited to 'tools')
diff --git a/tools/nginx.html b/tools/nginx.html
index 9fd38b9..765a13f 100644
--- a/tools/nginx.html
+++ b/tools/nginx.html
@@ -224,7 +224,7 @@

Install php and setup php.ini as development mode;

-        $ prt-get depinst php php-fpm php-gd
+        $ sudo prt-get depinst php php-fpm php-gd php-pdo-pgsql php-postgresql
         

Setup php ini in development mode;

diff --git a/tools/scripts/install-nginx.sh b/tools/scripts/install-nginx.sh
index 7fee79b..decacc1 100644
--- a/tools/scripts/install-nginx.sh
+++ b/tools/scripts/install-nginx.sh
@@ -6,6 +6,9 @@ prt-get depinst nginx
 cp -R $CONF_DIR/etc/nginx/* /etc/nginx/
+mkdir /srv/www
+chown nginx:www /srv/www
+
 usermod -a -G www nginx
 usermod -m -d /srv/www nginx
@@ -18,3 +21,4 @@ openssl x509 -req -days 365 \
 cp /etc/ssl/keys/nginx.key /etc/ssl/keys/nginx.key.pass
 openssl rsa -in /etc/ssl/keys/nginx.key.pass -out /etc/ssl/keys/nginx.key
+
diff --git a/tools/scripts/install-php.sh b/tools/scripts/install-php.sh
index 9d47ada..4c28173 100644
--- a/tools/scripts/install-php.sh
+++ b/tools/scripts/install-php.sh
@@ -2,6 +2,6 @@ . `dirname $0`/config-install.sh
-prt-get depinst php php-fpm php-gd php-pdo-pgsql
+prt-get depinst php php-fpm php-gd php-pdo-pgsql php-postgresql
 cp /etc/php/php.ini-development /etc/php/php.ini
--
cgit 1.4.1-2-gfad0
From cd136e5c6bb718bbc5b3ba9e1edcf883d58bded7 Mon Sep 17 00:00:00 2001
From: Silvino Silva
Date: Mon, 3 Oct 2016 18:35:05 +0100
Subject: review certificates for exim, nginx and postgresql
---
 core/exim.html | 2 +-
 tools/nginx.html | 39 +++++++++++++++------
 tools/postgresql.html | 95 +++++++++++++++++++++++++++++++++++++++++++++++++--
 3 files changed, 122 insertions(+), 14 deletions(-)
(limited to 'tools')
diff --git a/core/exim.html b/core/exim.html
index c2a5a63..c4b3c95 100644
--- a/core/exim.html
+++ b/core/exim.html
@@ -51,7 +51,7 @@
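Review bot: `mkdir /srv/www` now precedes the unchanged `usermod -m -d /srv/www nginx`, and the two conflict: with the target directory already present, shadow-utils' usermod -m typically refuses to move the home there and exits non-zero, and since the script has no `set -e` or status checks that failure goes unnoticed. As the directory is created explicitly, drop the move flag and tolerate re-runs: `mkdir -p /srv/www` and `usermod -d /srv/www nginx`. `chown nginx:www /srv/www` also hands the nginx worker ownership of its own document root; keeping the webroot owned by root (or a deploy account) with group `www` read access, and granting nginx write only to the subdirectories that need it, means a compromised worker cannot rewrite served content. The `www` group is assumed to exist already, presumably from config-install.sh, which is not visible here. Separately, the second hunk's context lines decrypt the key to `/etc/ssl/keys/nginx.key` without tightening its permissions, while the follow-up documentation commit adds `chown nginx:nginx` and `chmod 0600`; the script should match that.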
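Review bot: The new `prt-get depinst php php-fpm php-gd php-pdo-pgsql php-postgresql` line has no status check, so a failed install of any listed package (the newly added php-postgresql included) still lets the script go on to copy php.ini as if setup had succeeded; append `|| exit 1` to that line, or add `set -e` near the top of the script (outside this hunk). The following context line installs `php.ini-development`, whose defaults (display_errors and similar diagnostics) are meant for development hosts; if this script is also run on exposed servers, a comment such as `# development php.ini: verbose errors, use php.ini-production on public hosts` would record the trade-off. The unchanged dot-source of config-install.sh relies on unquoted backticks, `` . `dirname $0`/config-install.sh ``, which breaks on paths containing whitespace; `. "$(dirname -- "$0")/config-install.sh"` is the robust form.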

 	# chown mail:mail /etc/ssl/keys/exim.key
-	# chmod 644 /etc/ssl/keys/exim.key
+	# chmod 0600 /etc/ssl/keys/exim.key
 	# chmod 644 /etc/ssl/certs/exim.cert
 	
diff --git a/tools/nginx.html b/tools/nginx.html
index 765a13f..3daf8d5 100644
--- a/tools/nginx.html
+++ b/tools/nginx.html
@@ -88,6 +88,25 @@ $
+

Having password is a good idea, but requires it every + time nginx is restarted. To remove;

+ +
+        $ sudo cp /etc/ssl/keys/nginx.key /etc/ssl/keys/nginx.key.pass
+        $ sudo openssl rsa -in /etc/ssl/keys/nginx.key.pass -out /etc/ssl/keys/nginx.key
+        
+ +
+        Enter pass phrase for /etc/ssl/keys/nginx.key.pass:
+        writing RSA key
+        
+ +
+        $ sudo chown nginx /etc/ssl/keys/nginx.key*
+        $ sudo chmod 0600 /etc/ssl/keys/nginx.key*
+	# chmod 644 /etc/ssl/certs/exim.cert
+        
+

Sign SSL cetificate;

@@ -96,23 +115,17 @@
             -signkey /etc/ssl/keys/nginx.key \
             -out /etc/ssl/certs/nginx.crt
         
+ Signature ok subject=/C=PT/ST=Some-State/O=Internet Widgits Pty Ltd/CN=core.privat-network.net Getting Private key Enter pass phrase for /etc/ssl/keys/nginx.key: -

Having password is a good idea, but requires it every - time nginx is restarted. To remove;

- -
-        $ sudo cp /etc/ssl/keys/nginx.key /etc/ssl/keys/nginx.key.pass
-        $ sudo openssl rsa -in /etc/ssl/keys/nginx.key.pass -out /etc/ssl/keys/nginx.key
-        
-
-        Enter pass phrase for /etc/ssl/keys/nginx.key.org:
-        writing RSA key
+        $ sudo chown nginx:nginx /etc/ssl/keys/nginx.key*
+        $ sudo chmod 0600 /etc/ssl/keys/nginx.key*
+	$ sudo chmod 644 /etc/ssl/certs/nginx.cert
         

3. Nginx Configuration

@@ -219,6 +232,12 @@

Check /etc/nginx/sites for more examples.

+

To debug configurations check logs and;

+ +
+        
+        
+

4.1. Setup PHP

Install php and setup php.ini as development mode;

diff --git a/tools/postgresql.html b/tools/postgresql.html
index b8790e2..ca31a4d 100644
--- a/tools/postgresql.html
+++ b/tools/postgresql.html
@@ -26,6 +26,10 @@ # sudo -u postgres initdb -D /srv/pgsql/data
+

2. Configure Server

+ +

2.1. Init script

+

Change /etc/rc.d/postgresql;

@@ -47,7 +51,71 @@
         # End of file
         
-

2. Configure Server

+

2.2. Certificates

+ +
+        $ sudo openssl genrsa -des3 -out /etc/ssl/keys/pg.key 2048
+        Password:
+        Generating RSA private key, 2048 bit long modulus
+        ..............................+++
+        ............+++
+        e is 65537 (0x10001)
+        Enter pass phrase for /etc/ssl/keys/pg.key:
+        Verifying - Enter pass phrase for /etc/ssl/keys/pg.key:
+        
+ +

Create ceritificate signing request. For "Common Name" + provide domain name or ip address, leave challange password + and optional company name blank;

+ +
+        $ sudo openssl req -x509 -in server.req -text -key /etc/ssl/keys/pg.key -out /etc/ssl/certs/pg.crt
+
+        Enter pass phrase for /etc/ssl/keys/pg.key:
+        You are about to be asked to enter information that will be incorporated
+        into your certificate request.
+        What you are about to enter is what is called a Distinguished Name or a DN.
+        There are quite a few fields but you can leave some blank
+        For some fields there will be a default value,
+        If you enter '.', the field will be left blank.
+        -----
+        Country Name (2 letter code) [AU]:PT
+        State or Province Name (full name) [Some-State]:
+        Locality Name (eg, city) []:
+        Organization Name (eg, company) [Internet Widgits Pty Ltd]:
+        Organizational Unit Name (eg, section) []:
+        Common Name (e.g. server FQDN or YOUR name) []:core.privat-network.net
+        Email Address []:
+
+        Please enter the following 'extra' attributes
+        to be sent with your certificate request
+        A challenge password []:
+        An optional company name []:
+        $
+        
+ +

Having password is a good idea, but requires it every + time pg is restarted. To remove;

+ +
+        $ sudo cp /etc/ssl/keys/pg.key /etc/ssl/keys/pg.key.pass
+        $ sudo openssl rsa \
+            -in /etc/ssl/keys/pg.key.pass \
+            -out /etc/ssl/keys/pg.key
+        
+ +
+        Enter pass phrase for /etc/ssl/keys/pg.key.pass:
+        writing RSA key
+        
+ +
+        $ sudo chown postgres:postgres /etc/ssl/keys/pg.key*
+        $ sudo chmod 0600 /etc/ssl/keys/pg.key*
+        $ sudo chmod 644 /etc/ssl/certs/pg.cert
+        
+ +

2.3. Super user password

Create password for super user;

@@ -56,6 +124,28 @@ $ psql -U postgres
+

2.4. Configure postgresql.conf

+ +

Edit /srv/pgsql/data/postgresql.conf;

+ +
+        # - Security and Authentication -
+
+        #authentication_timeout = 1min          # 1s-600s
+        ssl = on                                # (change requires restart)
+        #ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
+                                                # (change requires restart)
+        #ssl_prefer_server_ciphers = on         # (change requires restart)
+        #ssl_ecdh_curve = 'prime256v1'          # (change requires restart)
+        ssl_cert_file = '/etc/ssl/certs/pg.crt' # (change requires restart)
+        ssl_key_file = '/etc/ssl/keys/pg.key'           # (change requires restart)
+        #ssl_ca_file = ''                       # (change requires restart)
+        #ssl_crl_file = ''                      # (change requires restart)
+        password_encryption = on
+        
+ +

2.5. Configure pg_hba.conf

+

Edit /srv/pgsql/data/pg_hba.conf;

@@ -87,7 +177,7 @@ postgres=# alter user postgres with password 'new_password';
-

2.1. Configure syslog-ng

+

2.6. Configure syslog-ng

Configure Syslog-ng, check Michael at otacoo article. Example;

@@ -98,7 +188,6 @@ syslog_facility='LOCAL0'
 syslog_ident='postgres'
 log_connections = on
- password_encryption=on
--
cgit 1.4.1-2-gfad0