Sea of Fate - User contributions [en]

Plum (Photo)

2025-03-16T12:49:22Z

192.168.100.9: /* Initial Setup */

==Introduction==

The host plum.seaoffate.net will be at an IP address of production.20. The purpose will be to show photos using Piwigo. The main premise is that plum will have a SSD hard drive for it's OS as normal but it will have a large hard drive from the ZFS Proxmox storage to store the photos and video. We can add the hd as soon as the VM is created but leave it to be formatted and mounted later.

==Initial Setup==

The first things we need to do is to install Apache and configure the webserver, as soon as that is done we should setup the reverse proxy on Raisin. The good news is that we have some scripts to do that as it is just boiler plate stuff all we need to say here is that the website will be called photo or more precisely photo.seaoffate.net. To use the wonderful scripts we must first copy them from Lemon so open a terminal on lemon and cd to ~/templates once that is done enter the command
scp create_apache_config.sh lamp_client_install.sh nigel@plum:~/
This will copy the files to the home dir of nigel (if SSH is not ready yet on plum look here). When the two are copied they will need to be made executable and make sure they are owned by the set user so login to plum and
sudo chown nigel:nigel create_apache_config.sh
sudo chown nigel:nigel lamp_client_install.sh
sudo chmod 755 lamp_client_install.sh
sudo chmod 755 create_apache_config.sh
Now that we have the first scripts we can execute them
./lamp_client_install.sh
and then setup the websites with the other script
./create_apache_config.sh photo
This script will create the configs for the hostname(plum) and the parameter in this case photo. We will get 6 configs both the http and https for plum.seaofffate.local and photo.seaoffate.local and photo.seaoffate.net. We will should check that the seaoffate.crt is in the /etc/ssl/certs dir
ls -l /etc/ssl/certs/
If it is missing then we should get the cert and key and mv it to the /etc/ssl/ dirs it should be called "seaoffate" (.crt & .key) to match the Apache configs that we just created. The next thing we need to do is get the piwigo zip file. Probably the best thing is to get it downloaded on to one of the desktop Linux VMs and scp it to this at the home dir. We will need to copy the zip to the public_html (best to cp rather than mv in case we need to redo the install and we would just delete everything in public_html). First we install zip, then cp the zip file then cd to where we want to extract to
sudo apt install zip
sudo cp piwigo-15.4.0.zip /var/www/plum.seaoffate.local
cd /var/www/plum.seaoffate.local
Then delete the existing public_html
sudo rm -rf /var/www/plum.seaoffate.local/public_html
and then unzip the file with
unzip piwigo-15.4.0.zip -d .
This will create a dir called piwigo and so we rename it to public_html
sudo mv piwigo /var/www/plum.seaoffate.local/public_html
so we now should have all of the files extracted in to the docroot of our website we now need to change the ownersip to the apache user
sudo chown -R www-data:www-data /var/www/plum.seaoffate.local/public_html/
Before we can proceed with the installation at a web browser we have to create a database and for piwigo to use so ssh to mandarin and start a MySQL session with
sudo mysql -u root -p
at the mysql> prompt we need to create the database
CREATE DATABASE piwigo_db;
and then the user with privileges to the database, we will restrict this user to the plum host only
CREATE USER 'piwigo_user'@'192.168.100.22' IDENTIFIED BY 'your_strong_password';
GRANT ALL PRIVILEGES ON piwigo_db.* TO 'piwigo_user'@'192.168.100.22';
FLUSH PRIVILEGES;
exit?
Armed with our newly created database and user we can now start the web installation so we need to go get a web browser to https://photo.seaoffate.local. if that takes us to the nginix holding page we will need to setup raisin to do the reverse proxy thing or we could continue from a client inside the Pfsense but if we do that we still have to do the raisin set up at some point. so we may as well do so now so SSH to raisin
cd /etc/nginx/sites-available
sudo cp wiki.conf photo.conf
sudo cp wiki.seaoffate.local.ssl.conf photo.seaoffate.local.ssl.conf
sudo cp wiki.seaoffate.net.conf photo.seaoffate.net.conf
Then modify them to replace the servernames and ip addresses. While it is not pretty it does work and the scripts that we had generated forwarding loops so we can't use them. It looks like the reverse proxy was redirecting as well as the origin so it was causing a problem for browsers, we should only have the origin browser do any redirect between 80 and 443. Once this is done proceed to the web browser part of the piwigi installation. Keep a record of passwords in a password manager. Most of the install is now done. we could use the application as is but we would run out of storage for photos before too long so we will add a big hard drive to the installation mounting it inside public_html.

Plum (Photo)

2025-03-16T12:42:56Z

192.168.100.9: /* Initial Setup */

Virtual Machines

2025-03-14T14:01:57Z

192.168.100.9: /* Installation Scripts */

==Introduction==

There will be a variety of Virtual Machines contained within the '''[[Home Lab]]'''. A Brief description will be provided here with a more complete set of notes on each individual VM on the links.

==Virtual Machine Installation & Configuration Notes==

===Qemu Agent Install===

All VMs should have the qemu guest installed even server installs, it will allow the guest VM to communicate with Proxmox and give better options from the Proxmox . For Debian / Ubuntu type.
sudo apt update && install qemu-guest-agent
For Windows VMs there is a cd that can be referenced when defining the VM. On the OS page as soon as the Guest OS "Microsoft Windows" is selected a tick box, with the title "Add additional drive for VirtIO Drivers" appears. When selected find an ISO image "Virtio-win.iso". If it is not available it can be added to the ISO library on Proxmox by downloading it from [https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/stable-virtio/virtio-win.iso https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/stable-virtio/virtio-win.iso] or [https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/stable-virtio/virtio-win.iso https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/stable-virtio/virtio-win.iso].

==Virtual Machines==
A fairly high description of each of the VMs in use in the [[Home Lab]].

===Firewall===

====[[Pfsense]]====

The firewall and gateway to the whole of the [[Home Lab]]. The Virgin router will forward all incoming traffic from the Internet to the WAN port of the firewall at 192.168.0.125. The Firewall has five other internal interfaces to link to the Home Lab environment. 192.168.99.10/24 is the MGT VLAN it should be severely restricted to maintain security it is the only VLAN to be able to access the WebGUI of Pfsense. The Production VLAN is where all of the file and web servers are, the gateway address is 192.168.100.1/24. The Infra VLAN gateway 192.168.110.10/24 is where any supporting services will be located, at present there is only a Nameserver. I have reserved a VLAN called VPNnet with a gateway address of 192.168.130.1/24 for a VPN server to provide a VPN tunnel from remote terminals, there will not be many concurrent connections so a /24 network will be more than sufficient. The last VLAN has a Pfsense interface of 192.168.111.1/24 for any Desktop VM terminals that I will use while i am out, I have called this terminals. Further details of the [[Pfsense]] firewall can be found [[Pfsense | here]].

===MGT VLAN===

====[[Management kiosk]]====

A desktop Linux used to configure other VMs including Pfsense. As it is so sensitive i have kept it isolated on the MGT VLAN. There I have setup passwordless ssh to various other VMs as well. The host is called Lemon and has an IP Address of MGT.20.

====[[CA Server]]====

I have setup a host specifically to issue SSL certificates. The host name is Alpine with an IP of 192.168.99.25/24.

===Infra Vlan===

====[[Nameserver]]====

There is only one nameserver at the moment called ns1 Infra.11. It is the only host on the Infra VLAN.

===VPNNet VLAN===

====[[VPNserver]]====

There will be a VPN server called vanilla at VPNnet.5. It will control VPN access to the rest of the network.

===Terminals===

====[[Remote Access Terminal]]====

There will be two VMs setup on teminals VLAN with a desktop that I will provide for remote access one of them will be Linux (Ubuntu), hostname Lychee and the other will be Windows 11 Pro with a hostname Wahoo.

===Prodution===

====[[Reverse Proxy]]====

The Reverse proxy Ngnix install is hosted on Raisin production.9. It should be setup to fetch SSL certs from Letsencrypt and copy the certs to the various webservers that need them. It's primary role, of course is to manage access to the webservers.

===[[Webservers]]===

There wil be at least three webservers, One hosting www.seaoffate.net, another hosting plum.seaoffate.net and another hosting wiki.seaoffate.net. These will also be servicing .local addresses. MySQL will be on a different host. There will be other hosts that have some sort of webserver on them but not as a primary role.

===[[File server]]===

There is a file server called fig at Production.11. It will also have a webserver installed and will answer to files.seaoffate.net & files.seaoffate.local. It should be configured to serve files using NFS,FTP and SMB locally but only SFTP externally.

===[[MySQL Server]]===

Manderin at Production.8 is hosting the MySQL Databases.I will probably install phpmyadmin at some point to make DB management a bit easier but I doubt if I will give it external access.

===[[UpLoad Server]]===

There is an server especially set for SFTP and SMB serving. It will be on Production.25. It will have a large HD that will be used to import and export all pictures from the network.

===[[Backup Server]]===

We will have a dedicated backup server, Strawberry, that will share files with other servers like the '''[[Plum (Photo)]]''' server by NFS. It will mostly do not too much except monitor the files for others. If it looks like NFS is creating too much of a bottleneck we can look at storing photos directly on Plum and grabbing them periodically to upload. i will be doin just that so this note will change when i have reconfigured the '''[[Plum (Photo)]]''' and this server Strawberry.

===Future VMs===

I may well setup a streaming server with some sort of NFS RO share from the file server.

==Installation Scripts==

We are creating several scripts to speed up the installation of the VMs. some are long and major time savers and some are not much more than one or two lines.

=====[[Webserver Setup]]=====

Some Apache and Gninx scrips to speed up creation and deployment of webservers.

=====[[Add a Hostname & IP Address to DNSmsaq]]=====

there is a script that can be run to add a dns record to dnsmasq currently frm the ~ off the user you should be able to do
./add_dns_record.sh
it will have two parameters one for hostname and the other for the IP Address of the host we would be dealing with.

#!/bin/bash

# Script to add or update a DNS record in dnsmasq

# Get hostname and IP address from command line
HOSTNAME="$1"
IP_ADDRESS="$2"

# Check if parameters are provided
if [ -z "$HOSTNAME" ] || [ -z "$IP_ADDRESS" ]; then
echo "Usage: sudo $0 <hostname> <ip_address>"
exit 1
fi

# Define filename
FILENAME="/etc/dnsmasq.d/$HOSTNAME.seaoffate.local"

# Create DNS and PTR records
DNS_RECORD="address=/$HOSTNAME.seaoffate.local/$IP_ADDRESS"

# Trim leading/trailing spaces from IP_ADDRESS
IP_ADDRESS="${IP_ADDRESS#"${IP_ADDRESS%%[![:space:]]*}"}" # Remove leading spaces
IP_ADDRESS="${IP_ADDRESS%"${IP_ADDRESS##*[![:space:]]}"}" # Remove trailing spaces

# Reverse IP for PTR Record.
REVERSE_IP=$(echo "$IP_ADDRESS" | awk -F. '{print $4"."$3"."$2"."$1}')

# Trim leading/trailing spaces from REVERSE_IP
REVERSE_IP="${REVERSE_IP#"${REVERSE_IP%%[![:space:]]*}"}" # Remove leading spaces
REVERSE_IP="${REVERSE_IP%"${REVERSE_IP##*[![:space:]]}"}" # Remove trailing spaces

PTR_RECORD="ptr-record=$REVERSE_IP.in-addr.arpa,$HOSTNAME.seaoffate.local"

# Write records to file, overwriting any existing content
echo "$DNS_RECORD" | sudo tee "$FILENAME"
echo "$PTR_RECORD" | sudo tee -a "$FILENAME"

# Restart dnsmasq
sudo systemctl restart dnsmasq

echo "DNS record added/updated for $HOSTNAME.seaoffate.local."
echo "IP address: $IP_ADDRESS"

# Set permissions on the file.
sudo chmod 644 "$FILENAME"

echo "Permissions set to 644 on $FILENAME"

# List the file with its permissions
echo "\nFile details:"
ls -l "$FILENAME"

# Restart dnsmasq again
sudo systemctl restart dnsmasq

echo "dnsmasq restarted again to ensure changes are applied."

Webserver Setup

2025-03-14T10:37:36Z

192.168.100.9: /* Revove Website from Proxy (Raisin) */

==Introduction==

Some scripts to help with the deployment of webservers.

==Apache Webservers==

====Install packages====

To help with installing the various packages for webservers we have a simple script to call apt to install them all. We have a copy in my Templates dir on lemon as we will need to copy it to the new webserver. After it is copied to the target webserver we call the script with
./lamp_client_install.sh
Although it is called lamp it only installs the MySQL client not the server(we will user the MySQL server on Mandarin) This what it does
#!/bin/bash
#
# Script to install a LAMP server (MySQL client only), PHP, ImageMagick, SFTP, and Exif reader
#
# Update package lists
sudo apt update -y
#
# Install Apache2
sudo apt install apache2 -y
#
# Install PHP and common extensions
sudo apt install php libapache2-mod-php php-cli php-mysql php-gd php-curl php-xml php-mbstring php-zip -y
#
# Install MySQL client
sudo apt install mysql-client -y
#
# Install ImageMagick
sudo apt install imagemagick -y
#
# Install OpenSSH server (SFTP)
sudo apt install openssh-server -y
#
# Enable SSH service
sudo systemctl enable ssh
#
# Install exiftool (Exif reader)
sudo apt install libimage-exiftool-perl -y
#
# Restart Apache2
sudo systemctl restart apache2
#
echo "LAMP server (MySQL client only), PHP, ImageMagick, SFTP, and Exif reader installation complete."
echo "Apache2 is running. SSH is enabled."

====Website Config====

Once Apache and it supporting packages are done we will need to create the config files. We will need 6 configs created.
* hostname.seaoffate.local as http
* hostname.seaoffate.local as https
* purpose.seaoffate.local as http
* purpose.seaoffate.local as https
* purpose.seaoffate.net as http
* purpose.seaoffate.net as https
The file will be stored in the Templates dir on nigel login on lemon Although there are six websites they all will serve from the same docroot. we will get one of the names from the hostname of the VM and the other will be the parameter in the call.
./apache_config.sh purpose
purpose will be what the reason for having the webserver eg wiki or photo. We do not need the .seaofffate.local or .net as that is assumed

#!/bin/bash
#
# Script to configure Apache for HTTP and HTTPS, create directories, and enable modules
#
# Get website purpose from command line
WEBSITE_PURPOSE="$1"
#
# Check if website purpose is provided
if [ -z "$WEBSITE_PURPOSE" ]; then
echo "Usage: sudo 0 <website\_purpose\>"
exit 1
fi
\# Define hostname
HOSTNAME\=(hostname)
#
# Define domain names
DOMAIN_HOST="$HOSTNAME.seaoffate.local"
DOMAIN_PURPOSE_LOCAL="$WEBSITE_PURPOSE.seaoffate.local"
DOMAIN_PURPOSE_NET="$WEBSITE_PURPOSE.seaoffate.net"
#
# Define document root
DOC_ROOT="/var/www/$WEBSITE_PURPOSE.seaoffate.local/public_html"
#
# Create document root directory
sudo mkdir -p "$DOC_ROOT"
sudo chown -R www-data:www-data "$DOC_ROOT"
#
# Create SSL directories
sudo mkdir -p /etc/apache2/ssl/
sudo chmod 700 /etc/apache2/ssl/
#
# Create HTTP configuration for hostname.local
echo "<VirtualHost *:80>" | sudo tee /etc/apache2/sites-available/$DOMAIN_HOST.conf
echo " ServerName $DOMAIN_HOST" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_HOST.conf
echo " DocumentRoot $DOC_ROOT" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_HOST\.conf
echo " ErrorLog \\{APACHE_LOG_DIR}/$DOMAIN_HOST-error.log" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_HOST\.conf
echo " CustomLog \\{APACHE_LOG_DIR}/$DOMAIN_HOST-access.log combined" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_HOST.conf
echo "</VirtualHost>" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_HOST.conf
#
# Create HTTPS configuration for hostname.local
echo "<VirtualHost *:443>" | sudo tee /etc/apache2/sites-available/$DOMAIN_HOST-ssl.conf
echo " ServerName $DOMAIN_HOST" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_HOST-ssl.conf
echo " DocumentRoot $DOC_ROOT" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_HOST\-ssl\.conf
echo " ErrorLog \\{APACHE_LOG_DIR}/$DOMAIN_HOST-ssl-error.log" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_HOST\-ssl\.conf
echo " CustomLog \\{APACHE_LOG_DIR}/$DOMAIN_HOST-ssl-access.log combined" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_HOST-ssl.conf
echo " SSLEngine on" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_HOST-ssl.conf
echo " SSLCertificateFile /etc/apache2/ssl/$DOMAIN_HOST.crt" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_HOST-ssl.conf
echo " SSLCertificateKeyFile /etc/apache2/ssl/$DOMAIN_HOST.key" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_HOST-ssl.conf
echo "</VirtualHost>" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_HOST-ssl.conf
#
# Create HTTP configuration for purpose.local
echo "<VirtualHost *:80>" | sudo tee /etc/apache2/sites-available/$DOMAIN_PURPOSE_LOCAL.conf
echo " ServerName $DOMAIN_PURPOSE_LOCAL" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_LOCAL.conf
echo " DocumentRoot $DOC_ROOT" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_PURPOSE\_LOCAL\.conf
echo " ErrorLog \\{APACHE_LOG_DIR}/$DOMAIN_PURPOSE_LOCAL-error.log" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_PURPOSE\_LOCAL\.conf
echo " CustomLog \\{APACHE_LOG_DIR}/$DOMAIN_PURPOSE_LOCAL-access.log combined" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_LOCAL.conf
echo "</VirtualHost>" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_LOCAL.conf
#
# Create HTTPS configuration for purpose.local
echo "<VirtualHost *:443>" | sudo tee /etc/apache2/sites-available/$DOMAIN_PURPOSE_LOCAL-ssl.conf
echo " ServerName $DOMAIN_PURPOSE_LOCAL" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_LOCAL-ssl.conf
echo " DocumentRoot $DOC_ROOT" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_PURPOSE\_LOCAL\-ssl\.conf
echo " ErrorLog \\{APACHE_LOG_DIR}/$DOMAIN_PURPOSE_LOCAL-ssl-error.log" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_PURPOSE\_LOCAL\-ssl\.conf
echo " CustomLog \\{APACHE_LOG_DIR}/$DOMAIN_PURPOSE_LOCAL-ssl-access.log combined" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_LOCAL-ssl.conf
echo " SSLEngine on" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_LOCAL-ssl.conf
echo " SSLCertificateFile /etc/apache2/ssl/$DOMAIN_PURPOSE_LOCAL.crt" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_LOCAL.ssl.conf
echo " SSLCertificateKeyFile /etc/apache2/ssl/$DOMAIN_PURPOSE_LOCAL.key" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_LOCAL-ssl.conf
echo "</VirtualHost>" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_LOCAL-ssl.conf
#
# Create HTTP configuration for purpose.net
echo "<VirtualHost *:80>" | sudo tee /etc/apache2/sites-available/$DOMAIN_PURPOSE_NET.conf
echo " ServerName $DOMAIN_PURPOSE_NET" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_NET.conf
echo " DocumentRoot $DOC_ROOT" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_PURPOSE\_NET\.conf
echo " ErrorLog \\{APACHE_LOG_DIR}/$DOMAIN_PURPOSE_NET-error.log" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_PURPOSE\_NET\.conf
echo " CustomLog \\{APACHE_LOG_DIR}/$DOMAIN_PURPOSE_NET-access.log combined" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_NET.conf
echo "</VirtualHost>" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_NET.conf
#
# Create HTTPS configuration for purpose.net
echo "<VirtualHost *:443>" | sudo tee /etc/apache2/sites-available/$DOMAIN_PURPOSE_NET-ssl.conf
echo " ServerName $DOMAIN_PURPOSE_NET" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_NET-ssl.conf
echo " DocumentRoot $DOC_ROOT" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_PURPOSE\_NET\-ssl\.conf
echo " ErrorLog \\{APACHE_LOG_DIR}/$DOMAIN_PURPOSE_NET-ssl-error.log" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_PURPOSE\_NET\-ssl\.conf
echo " CustomLog \\{APACHE_LOG_DIR}/$DOMAIN_PURPOSE_NET-ssl-access.log combined" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_NET-ssl.conf
echo " SSLEngine on" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_NET-ssl.conf
echo " SSLCertificateFile /etc/apache2/ssl/$DOMAIN_PURPOSE_NET.crt" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_NET-ssl.conf
echo " SSLCertificateKeyFile /etc/apache2/ssl/$DOMAIN_PURPOSE_NET.key" | sudo tee -a /etc

==Add site to Nginx==

This will take two parameters the first is the website name and the second is the IP address
website_fwd_config.sh websitename x.x.x.x
There is no need to add seaoffate.local or .net. this script will create four configs.
* sitename.seaoffate.local as http
* sitename.seaoffate.local as https
* sitename.seaoffate.net as http
* sitename.seaoffate.net as https
It should enable both of the http: versions (.local & .net) but it will not enable the https: so we have some time to get the certs done before ssl is deployed. note that the .local is sharing the same certificate amongst all of the .local websites that are being deployed here. The script is on Raisin on the root of nigel. '''Note we will have to do this for a hostname and the purpose''' as the hostname will not be known here eg run once for photo and once more for plum.

If it is lost it can be deployed again from this:

#!/bin/bash
#
# Script to configure Nginx as a reverse proxy
#
# Get website name, IP address from command line
WEBSITE_NAME="$1"
FORWARD_IP="$2"
#
# Check if parameters are provided
if [ -z "$WEBSITE_NAME" ] || [ -z "$FORWARD_IP" ]; then
echo "Usage: sudo $0 <website_name> <forward_ip>"
exit 1
fi
#
# Define domain names
DOMAIN_LOCAL="$WEBSITE_NAME.seaoffate.local"
DOMAIN_NET="$WEBSITE_NAME.seaoffate.net"
#
# Create Nginx configuration file for .local
echo "server {" | sudo tee /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " listen 80;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " server_name $DOMAIN_LOCAL;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " location / {" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_pass http://$FORWARD_IP/;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_set_header Host \$host;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_set_header X-Real-IP \$remote_addr;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_set_header X-Forwarded-Proto \$scheme;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " }" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo "}" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
#
# Create Nginx configuration file for .local (HTTPS, but not enabled)
echo "server {" | sudo tee /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " listen 443 ssl;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " server_name $DOMAIN_LOCAL;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " ssl_certificate /etc/ssl/certs/raisin.seaoffate.local.crt;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " ssl_certificate_key /etc/ssl/private/raisin.seaoffate.local.key;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " location / {" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_pass http://$FORWARD_IP/;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_set_header Host \$host;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_set_header X-Real-IP \$remote_addr;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_set_header X-Forwarded-Proto \$scheme;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " }" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo "}" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
#
# Create Nginx configuration file for .net
echo "server {" | sudo tee /etc/nginx/sites-available/$DOMAIN_NET
echo " listen 80;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " server_name $DOMAIN_NET;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " location / {" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_pass http://$FORWARD_IP/;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_set_header Host \$host;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_set_header X-Real-IP \$remote_addr;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_set_header X-Forwarded-Proto \$scheme;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " }" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo "}" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
#
# Create Nginx configuration file for .net (HTTPS, but not enabled)
echo "server {" | sudo tee /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " listen 443 ssl;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " server_name $DOMAIN_NET;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " ssl_certificate /etc/nginx/ssl/$DOMAIN_NET.crt;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " ssl_certificate_key /etc/nginx/ssl/$DOMAIN_NET.key;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " location / {" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_pass http://$FORWARD_IP/;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_set_header Host \$host;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_set_header X-Real-IP \$remote_addr;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_set_header X-Forwarded-Proto \$scheme;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " }" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo "}" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
#
# Create SSL directories (only for .net)
sudo mkdir -p /etc/nginx/ssl/
sudo chmod 700 /etc/nginx/ssl/
#
# Enable HTTP sites
sudo ln -s /etc/nginx/sites-available/$DOMAIN_LOCAL /etc/nginx/sites-enabled/
sudo ln -s /etc/nginx/sites-available/$DOMAIN_NET /etc/nginx/sites-enabled/
#
# Restart Nginx
sudo systemctl restart nginx
#
echo "Nginx configuration complete."
echo "HTTP sites enabled. SSL directories created."
echo "Add your Cloudflare SSL certificates to /etc/nginx/ssl/ for .net and enable HTTPS sites."
echo "Using existing certs for .seaoffate.local."

====Revove Website from Proxy (Raisin)====

We all make mistakes and we have to recover. This script will remove mistakes created by the website_fwd_config.sh above call it with
./remove_nginx_website.sh sitename
sitename is the site that needs to be removed, only the host potion needs to be supplied do not put in the .seaoffate.let or .seaoffate.local because it will remove all four configs(.local & .net and http ang https). All four website configs created above will be removed from /etc/nginx/sites-available & sites.enabled.

#!/bin/bash
#
# Script to remove an Nginx reverse proxy website configuration
#
# Get website name from command line
WEBSITE_NAME="$1"
#
# Check if website name is provided
if [ -z "$WEBSITE_NAME" ]; then
echo "Usage: sudo $0 <website_name>"
exit 1
fi
#
# Define domain names
DOMAIN_LOCAL="$WEBSITE_NAME.seaoffate.local"
DOMAIN_NET="$WEBSITE_NAME.seaoffate.net"
#
# Define configuration file paths
CONFIG_LOCAL="/etc/nginx/sites-available/$DOMAIN_LOCAL"
CONFIG_LOCAL_SSL="/etc/nginx/sites-available/$DOMAIN_LOCAL-ssl"
CONFIG_NET="/etc/nginx/sites-available/$DOMAIN_NET"
CONFIG_NET_SSL="/etc/nginx/sites-available/$DOMAIN_NET-ssl"
SYMLINK_LOCAL="/etc/nginx/sites-enabled/$DOMAIN_LOCAL"
SYMLINK_NET="/etc/nginx/sites-enabled/$DOMAIN_NET"
#
# Remove configuration files
sudo rm -f "$CONFIG_LOCAL" "$CONFIG_LOCAL_SSL" "$CONFIG_NET" "$CONFIG_NET_SSL"
#
# Remove symbolic links (disable sites)
sudo rm -f "$SYMLINK_LOCAL" "$SYMLINK_NET"
#
# Restart Nginx
sudo systemctl restart nginx
#
echo "Nginx website configuration removed."
echo "Website: $WEBSITE_NAME"
echo "Domains: $DOMAIN_LOCAL and $DOMAIN_NET"
#
# List sites-available directory
echo "\nContents of /etc/nginx/sites-available/: "
ls -l /etc/nginx/sites-available/

Webserver Setup

2025-03-14T10:36:54Z

192.168.100.9: /* Add site to Nginx */

==Introduction==

Some scripts to help with the deployment of webservers.

==Apache Webservers==

====Install packages====

To help with installing the various packages for webservers we have a simple script to call apt to install them all. We have a copy in my Templates dir on lemon as we will need to copy it to the new webserver. After it is copied to the target webserver we call the script with
./lamp_client_install.sh
Although it is called lamp it only installs the MySQL client not the server(we will user the MySQL server on Mandarin) This what it does
#!/bin/bash
#
# Script to install a LAMP server (MySQL client only), PHP, ImageMagick, SFTP, and Exif reader
#
# Update package lists
sudo apt update -y
#
# Install Apache2
sudo apt install apache2 -y
#
# Install PHP and common extensions
sudo apt install php libapache2-mod-php php-cli php-mysql php-gd php-curl php-xml php-mbstring php-zip -y
#
# Install MySQL client
sudo apt install mysql-client -y
#
# Install ImageMagick
sudo apt install imagemagick -y
#
# Install OpenSSH server (SFTP)
sudo apt install openssh-server -y
#
# Enable SSH service
sudo systemctl enable ssh
#
# Install exiftool (Exif reader)
sudo apt install libimage-exiftool-perl -y
#
# Restart Apache2
sudo systemctl restart apache2
#
echo "LAMP server (MySQL client only), PHP, ImageMagick, SFTP, and Exif reader installation complete."
echo "Apache2 is running. SSH is enabled."

====Website Config====

Once Apache and it supporting packages are done we will need to create the config files. We will need 6 configs created.
* hostname.seaoffate.local as http
* hostname.seaoffate.local as https
* purpose.seaoffate.local as http
* purpose.seaoffate.local as https
* purpose.seaoffate.net as http
* purpose.seaoffate.net as https
The file will be stored in the Templates dir on nigel login on lemon Although there are six websites they all will serve from the same docroot. we will get one of the names from the hostname of the VM and the other will be the parameter in the call.
./apache_config.sh purpose
purpose will be what the reason for having the webserver eg wiki or photo. We do not need the .seaofffate.local or .net as that is assumed

#!/bin/bash
#
# Script to configure Apache for HTTP and HTTPS, create directories, and enable modules
#
# Get website purpose from command line
WEBSITE_PURPOSE="$1"
#
# Check if website purpose is provided
if [ -z "$WEBSITE_PURPOSE" ]; then
echo "Usage: sudo 0 <website\_purpose\>"
exit 1
fi
\# Define hostname
HOSTNAME\=(hostname)
#
# Define domain names
DOMAIN_HOST="$HOSTNAME.seaoffate.local"
DOMAIN_PURPOSE_LOCAL="$WEBSITE_PURPOSE.seaoffate.local"
DOMAIN_PURPOSE_NET="$WEBSITE_PURPOSE.seaoffate.net"
#
# Define document root
DOC_ROOT="/var/www/$WEBSITE_PURPOSE.seaoffate.local/public_html"
#
# Create document root directory
sudo mkdir -p "$DOC_ROOT"
sudo chown -R www-data:www-data "$DOC_ROOT"
#
# Create SSL directories
sudo mkdir -p /etc/apache2/ssl/
sudo chmod 700 /etc/apache2/ssl/
#
# Create HTTP configuration for hostname.local
echo "<VirtualHost *:80>" | sudo tee /etc/apache2/sites-available/$DOMAIN_HOST.conf
echo " ServerName $DOMAIN_HOST" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_HOST.conf
echo " DocumentRoot $DOC_ROOT" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_HOST\.conf
echo " ErrorLog \\{APACHE_LOG_DIR}/$DOMAIN_HOST-error.log" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_HOST\.conf
echo " CustomLog \\{APACHE_LOG_DIR}/$DOMAIN_HOST-access.log combined" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_HOST.conf
echo "</VirtualHost>" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_HOST.conf
#
# Create HTTPS configuration for hostname.local
echo "<VirtualHost *:443>" | sudo tee /etc/apache2/sites-available/$DOMAIN_HOST-ssl.conf
echo " ServerName $DOMAIN_HOST" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_HOST-ssl.conf
echo " DocumentRoot $DOC_ROOT" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_HOST\-ssl\.conf
echo " ErrorLog \\{APACHE_LOG_DIR}/$DOMAIN_HOST-ssl-error.log" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_HOST\-ssl\.conf
echo " CustomLog \\{APACHE_LOG_DIR}/$DOMAIN_HOST-ssl-access.log combined" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_HOST-ssl.conf
echo " SSLEngine on" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_HOST-ssl.conf
echo " SSLCertificateFile /etc/apache2/ssl/$DOMAIN_HOST.crt" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_HOST-ssl.conf
echo " SSLCertificateKeyFile /etc/apache2/ssl/$DOMAIN_HOST.key" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_HOST-ssl.conf
echo "</VirtualHost>" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_HOST-ssl.conf
#
# Create HTTP configuration for purpose.local
echo "<VirtualHost *:80>" | sudo tee /etc/apache2/sites-available/$DOMAIN_PURPOSE_LOCAL.conf
echo " ServerName $DOMAIN_PURPOSE_LOCAL" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_LOCAL.conf
echo " DocumentRoot $DOC_ROOT" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_PURPOSE\_LOCAL\.conf
echo " ErrorLog \\{APACHE_LOG_DIR}/$DOMAIN_PURPOSE_LOCAL-error.log" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_PURPOSE\_LOCAL\.conf
echo " CustomLog \\{APACHE_LOG_DIR}/$DOMAIN_PURPOSE_LOCAL-access.log combined" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_LOCAL.conf
echo "</VirtualHost>" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_LOCAL.conf
#
# Create HTTPS configuration for purpose.local
echo "<VirtualHost *:443>" | sudo tee /etc/apache2/sites-available/$DOMAIN_PURPOSE_LOCAL-ssl.conf
echo " ServerName $DOMAIN_PURPOSE_LOCAL" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_LOCAL-ssl.conf
echo " DocumentRoot $DOC_ROOT" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_PURPOSE\_LOCAL\-ssl\.conf
echo " ErrorLog \\{APACHE_LOG_DIR}/$DOMAIN_PURPOSE_LOCAL-ssl-error.log" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_PURPOSE\_LOCAL\-ssl\.conf
echo " CustomLog \\{APACHE_LOG_DIR}/$DOMAIN_PURPOSE_LOCAL-ssl-access.log combined" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_LOCAL-ssl.conf
echo " SSLEngine on" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_LOCAL-ssl.conf
echo " SSLCertificateFile /etc/apache2/ssl/$DOMAIN_PURPOSE_LOCAL.crt" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_LOCAL.ssl.conf
echo " SSLCertificateKeyFile /etc/apache2/ssl/$DOMAIN_PURPOSE_LOCAL.key" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_LOCAL-ssl.conf
echo "</VirtualHost>" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_LOCAL-ssl.conf
#
# Create HTTP configuration for purpose.net
echo "<VirtualHost *:80>" | sudo tee /etc/apache2/sites-available/$DOMAIN_PURPOSE_NET.conf
echo " ServerName $DOMAIN_PURPOSE_NET" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_NET.conf
echo " DocumentRoot $DOC_ROOT" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_PURPOSE\_NET\.conf
echo " ErrorLog \\{APACHE_LOG_DIR}/$DOMAIN_PURPOSE_NET-error.log" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_PURPOSE\_NET\.conf
echo " CustomLog \\{APACHE_LOG_DIR}/$DOMAIN_PURPOSE_NET-access.log combined" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_NET.conf
echo "</VirtualHost>" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_NET.conf
#
# Create HTTPS configuration for purpose.net
echo "<VirtualHost *:443>" | sudo tee /etc/apache2/sites-available/$DOMAIN_PURPOSE_NET-ssl.conf
echo " ServerName $DOMAIN_PURPOSE_NET" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_NET-ssl.conf
echo " DocumentRoot $DOC_ROOT" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_PURPOSE\_NET\-ssl\.conf
echo " ErrorLog \\{APACHE_LOG_DIR}/$DOMAIN_PURPOSE_NET-ssl-error.log" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_PURPOSE\_NET\-ssl\.conf
echo " CustomLog \\{APACHE_LOG_DIR}/$DOMAIN_PURPOSE_NET-ssl-access.log combined" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_NET-ssl.conf
echo " SSLEngine on" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_NET-ssl.conf
echo " SSLCertificateFile /etc/apache2/ssl/$DOMAIN_PURPOSE_NET.crt" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_NET-ssl.conf
echo " SSLCertificateKeyFile /etc/apache2/ssl/$DOMAIN_PURPOSE_NET.key" | sudo tee -a /etc

==Add site to Nginx==

This will take two parameters the first is the website name and the second is the IP address
website_fwd_config.sh websitename x.x.x.x
There is no need to add seaoffate.local or .net. this script will create four configs.
* sitename.seaoffate.local as http
* sitename.seaoffate.local as https
* sitename.seaoffate.net as http
* sitename.seaoffate.net as https
It should enable both of the http: versions (.local & .net) but it will not enable the https: so we have some time to get the certs done before ssl is deployed. note that the .local is sharing the same certificate amongst all of the .local websites that are being deployed here. The script is on Raisin on the root of nigel. '''Note we will have to do this for a hostname and the purpose''' as the hostname will not be known here eg run once for photo and once more for plum.

If it is lost it can be deployed again from this:

#!/bin/bash
#
# Script to configure Nginx as a reverse proxy
#
# Get website name, IP address from command line
WEBSITE_NAME="$1"
FORWARD_IP="$2"
#
# Check if parameters are provided
if [ -z "$WEBSITE_NAME" ] || [ -z "$FORWARD_IP" ]; then
echo "Usage: sudo $0 <website_name> <forward_ip>"
exit 1
fi
#
# Define domain names
DOMAIN_LOCAL="$WEBSITE_NAME.seaoffate.local"
DOMAIN_NET="$WEBSITE_NAME.seaoffate.net"
#
# Create Nginx configuration file for .local
echo "server {" | sudo tee /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " listen 80;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " server_name $DOMAIN_LOCAL;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " location / {" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_pass http://$FORWARD_IP/;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_set_header Host \$host;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_set_header X-Real-IP \$remote_addr;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_set_header X-Forwarded-Proto \$scheme;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " }" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo "}" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
#
# Create Nginx configuration file for .local (HTTPS, but not enabled)
echo "server {" | sudo tee /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " listen 443 ssl;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " server_name $DOMAIN_LOCAL;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " ssl_certificate /etc/ssl/certs/raisin.seaoffate.local.crt;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " ssl_certificate_key /etc/ssl/private/raisin.seaoffate.local.key;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " location / {" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_pass http://$FORWARD_IP/;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_set_header Host \$host;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_set_header X-Real-IP \$remote_addr;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_set_header X-Forwarded-Proto \$scheme;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " }" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo "}" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
#
# Create Nginx configuration file for .net
echo "server {" | sudo tee /etc/nginx/sites-available/$DOMAIN_NET
echo " listen 80;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " server_name $DOMAIN_NET;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " location / {" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_pass http://$FORWARD_IP/;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_set_header Host \$host;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_set_header X-Real-IP \$remote_addr;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_set_header X-Forwarded-Proto \$scheme;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " }" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo "}" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
#
# Create Nginx configuration file for .net (HTTPS, but not enabled)
echo "server {" | sudo tee /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " listen 443 ssl;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " server_name $DOMAIN_NET;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " ssl_certificate /etc/nginx/ssl/$DOMAIN_NET.crt;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " ssl_certificate_key /etc/nginx/ssl/$DOMAIN_NET.key;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " location / {" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_pass http://$FORWARD_IP/;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_set_header Host \$host;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_set_header X-Real-IP \$remote_addr;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_set_header X-Forwarded-Proto \$scheme;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " }" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo "}" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
#
# Create SSL directories (only for .net)
sudo mkdir -p /etc/nginx/ssl/
sudo chmod 700 /etc/nginx/ssl/
#
# Enable HTTP sites
sudo ln -s /etc/nginx/sites-available/$DOMAIN_LOCAL /etc/nginx/sites-enabled/
sudo ln -s /etc/nginx/sites-available/$DOMAIN_NET /etc/nginx/sites-enabled/
#
# Restart Nginx
sudo systemctl restart nginx
#
echo "Nginx configuration complete."
echo "HTTP sites enabled. SSL directories created."
echo "Add your Cloudflare SSL certificates to /etc/nginx/ssl/ for .net and enable HTTPS sites."
echo "Using existing certs for .seaoffate.local."

====Revove Website from Proxy (Raisin)====

We all make mistakes and we have to recover. This script will remove mistakes created by the website_fwd_config.sh above call it with
./remove_nginx_website.sh sitename
sitename is the site that needs to be removed, only the host potion needs to be supplied do not put in the .seaoffate.let or .seaoffate.local because it will remove all four configs(.local & .net and http ang https). All four website configs created above will be removed from /etc/nginx/sites-available & sites.enabled.

#!/bin/bash

# Script to remove an Nginx reverse proxy website configuration

# Get website name from command line
WEBSITE_NAME="$1"

# Check if website name is provided
if [ -z "$WEBSITE_NAME" ]; then
echo "Usage: sudo $0 <website_name>"
exit 1
fi

# Define domain names
DOMAIN_LOCAL="$WEBSITE_NAME.seaoffate.local"
DOMAIN_NET="$WEBSITE_NAME.seaoffate.net"

# Define configuration file paths
CONFIG_LOCAL="/etc/nginx/sites-available/$DOMAIN_LOCAL"
CONFIG_LOCAL_SSL="/etc/nginx/sites-available/$DOMAIN_LOCAL-ssl"
CONFIG_NET="/etc/nginx/sites-available/$DOMAIN_NET"
CONFIG_NET_SSL="/etc/nginx/sites-available/$DOMAIN_NET-ssl"
SYMLINK_LOCAL="/etc/nginx/sites-enabled/$DOMAIN_LOCAL"
SYMLINK_NET="/etc/nginx/sites-enabled/$DOMAIN_NET"

# Remove configuration files
sudo rm -f "$CONFIG_LOCAL" "$CONFIG_LOCAL_SSL" "$CONFIG_NET" "$CONFIG_NET_SSL"

# Remove symbolic links (disable sites)
sudo rm -f "$SYMLINK_LOCAL" "$SYMLINK_NET"

# Restart Nginx
sudo systemctl restart nginx

echo "Nginx website configuration removed."
echo "Website: $WEBSITE_NAME"
echo "Domains: $DOMAIN_LOCAL and $DOMAIN_NET"

# List sites-available directory
echo "\nContents of /etc/nginx/sites-available/: "
ls -l /etc/nginx/sites-available/

Webserver Setup

2025-03-14T10:35:21Z

192.168.100.9: /* Website Config */

==Introduction==

Some scripts to help with the deployment of webservers.

==Apache Webservers==

====Install packages====

To help with installing the various packages for webservers we have a simple script to call apt to install them all. We have a copy in my Templates dir on lemon as we will need to copy it to the new webserver. After it is copied to the target webserver we call the script with
./lamp_client_install.sh
Although it is called lamp it only installs the MySQL client not the server(we will user the MySQL server on Mandarin) This what it does
#!/bin/bash
#
# Script to install a LAMP server (MySQL client only), PHP, ImageMagick, SFTP, and Exif reader
#
# Update package lists
sudo apt update -y
#
# Install Apache2
sudo apt install apache2 -y
#
# Install PHP and common extensions
sudo apt install php libapache2-mod-php php-cli php-mysql php-gd php-curl php-xml php-mbstring php-zip -y
#
# Install MySQL client
sudo apt install mysql-client -y
#
# Install ImageMagick
sudo apt install imagemagick -y
#
# Install OpenSSH server (SFTP)
sudo apt install openssh-server -y
#
# Enable SSH service
sudo systemctl enable ssh
#
# Install exiftool (Exif reader)
sudo apt install libimage-exiftool-perl -y
#
# Restart Apache2
sudo systemctl restart apache2
#
echo "LAMP server (MySQL client only), PHP, ImageMagick, SFTP, and Exif reader installation complete."
echo "Apache2 is running. SSH is enabled."

====Website Config====

Once Apache and it supporting packages are done we will need to create the config files. We will need 6 configs created.
* hostname.seaoffate.local as http
* hostname.seaoffate.local as https
* purpose.seaoffate.local as http
* purpose.seaoffate.local as https
* purpose.seaoffate.net as http
* purpose.seaoffate.net as https
The file will be stored in the Templates dir on nigel login on lemon Although there are six websites they all will serve from the same docroot. we will get one of the names from the hostname of the VM and the other will be the parameter in the call.
./apache_config.sh purpose
purpose will be what the reason for having the webserver eg wiki or photo. We do not need the .seaofffate.local or .net as that is assumed

#!/bin/bash
#
# Script to configure Apache for HTTP and HTTPS, create directories, and enable modules
#
# Get website purpose from command line
WEBSITE_PURPOSE="$1"
#
# Check if website purpose is provided
if [ -z "$WEBSITE_PURPOSE" ]; then
echo "Usage: sudo 0 <website\_purpose\>"
exit 1
fi
\# Define hostname
HOSTNAME\=(hostname)
#
# Define domain names
DOMAIN_HOST="$HOSTNAME.seaoffate.local"
DOMAIN_PURPOSE_LOCAL="$WEBSITE_PURPOSE.seaoffate.local"
DOMAIN_PURPOSE_NET="$WEBSITE_PURPOSE.seaoffate.net"
#
# Define document root
DOC_ROOT="/var/www/$WEBSITE_PURPOSE.seaoffate.local/public_html"
#
# Create document root directory
sudo mkdir -p "$DOC_ROOT"
sudo chown -R www-data:www-data "$DOC_ROOT"
#
# Create SSL directories
sudo mkdir -p /etc/apache2/ssl/
sudo chmod 700 /etc/apache2/ssl/
#
# Create HTTP configuration for hostname.local
echo "<VirtualHost *:80>" | sudo tee /etc/apache2/sites-available/$DOMAIN_HOST.conf
echo " ServerName $DOMAIN_HOST" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_HOST.conf
echo " DocumentRoot $DOC_ROOT" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_HOST\.conf
echo " ErrorLog \\{APACHE_LOG_DIR}/$DOMAIN_HOST-error.log" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_HOST\.conf
echo " CustomLog \\{APACHE_LOG_DIR}/$DOMAIN_HOST-access.log combined" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_HOST.conf
echo "</VirtualHost>" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_HOST.conf
#
# Create HTTPS configuration for hostname.local
echo "<VirtualHost *:443>" | sudo tee /etc/apache2/sites-available/$DOMAIN_HOST-ssl.conf
echo " ServerName $DOMAIN_HOST" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_HOST-ssl.conf
echo " DocumentRoot $DOC_ROOT" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_HOST\-ssl\.conf
echo " ErrorLog \\{APACHE_LOG_DIR}/$DOMAIN_HOST-ssl-error.log" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_HOST\-ssl\.conf
echo " CustomLog \\{APACHE_LOG_DIR}/$DOMAIN_HOST-ssl-access.log combined" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_HOST-ssl.conf
echo " SSLEngine on" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_HOST-ssl.conf
echo " SSLCertificateFile /etc/apache2/ssl/$DOMAIN_HOST.crt" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_HOST-ssl.conf
echo " SSLCertificateKeyFile /etc/apache2/ssl/$DOMAIN_HOST.key" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_HOST-ssl.conf
echo "</VirtualHost>" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_HOST-ssl.conf
#
# Create HTTP configuration for purpose.local
echo "<VirtualHost *:80>" | sudo tee /etc/apache2/sites-available/$DOMAIN_PURPOSE_LOCAL.conf
echo " ServerName $DOMAIN_PURPOSE_LOCAL" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_LOCAL.conf
echo " DocumentRoot $DOC_ROOT" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_PURPOSE\_LOCAL\.conf
echo " ErrorLog \\{APACHE_LOG_DIR}/$DOMAIN_PURPOSE_LOCAL-error.log" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_PURPOSE\_LOCAL\.conf
echo " CustomLog \\{APACHE_LOG_DIR}/$DOMAIN_PURPOSE_LOCAL-access.log combined" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_LOCAL.conf
echo "</VirtualHost>" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_LOCAL.conf
#
# Create HTTPS configuration for purpose.local
echo "<VirtualHost *:443>" | sudo tee /etc/apache2/sites-available/$DOMAIN_PURPOSE_LOCAL-ssl.conf
echo " ServerName $DOMAIN_PURPOSE_LOCAL" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_LOCAL-ssl.conf
echo " DocumentRoot $DOC_ROOT" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_PURPOSE\_LOCAL\-ssl\.conf
echo " ErrorLog \\{APACHE_LOG_DIR}/$DOMAIN_PURPOSE_LOCAL-ssl-error.log" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_PURPOSE\_LOCAL\-ssl\.conf
echo " CustomLog \\{APACHE_LOG_DIR}/$DOMAIN_PURPOSE_LOCAL-ssl-access.log combined" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_LOCAL-ssl.conf
echo " SSLEngine on" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_LOCAL-ssl.conf
echo " SSLCertificateFile /etc/apache2/ssl/$DOMAIN_PURPOSE_LOCAL.crt" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_LOCAL.ssl.conf
echo " SSLCertificateKeyFile /etc/apache2/ssl/$DOMAIN_PURPOSE_LOCAL.key" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_LOCAL-ssl.conf
echo "</VirtualHost>" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_LOCAL-ssl.conf
#
# Create HTTP configuration for purpose.net
echo "<VirtualHost *:80>" | sudo tee /etc/apache2/sites-available/$DOMAIN_PURPOSE_NET.conf
echo " ServerName $DOMAIN_PURPOSE_NET" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_NET.conf
echo " DocumentRoot $DOC_ROOT" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_PURPOSE\_NET\.conf
echo " ErrorLog \\{APACHE_LOG_DIR}/$DOMAIN_PURPOSE_NET-error.log" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_PURPOSE\_NET\.conf
echo " CustomLog \\{APACHE_LOG_DIR}/$DOMAIN_PURPOSE_NET-access.log combined" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_NET.conf
echo "</VirtualHost>" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_NET.conf
#
# Create HTTPS configuration for purpose.net
echo "<VirtualHost *:443>" | sudo tee /etc/apache2/sites-available/$DOMAIN_PURPOSE_NET-ssl.conf
echo " ServerName $DOMAIN_PURPOSE_NET" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_NET-ssl.conf
echo " DocumentRoot $DOC_ROOT" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_PURPOSE\_NET\-ssl\.conf
echo " ErrorLog \\{APACHE_LOG_DIR}/$DOMAIN_PURPOSE_NET-ssl-error.log" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_PURPOSE\_NET\-ssl\.conf
echo " CustomLog \\{APACHE_LOG_DIR}/$DOMAIN_PURPOSE_NET-ssl-access.log combined" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_NET-ssl.conf
echo " SSLEngine on" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_NET-ssl.conf
echo " SSLCertificateFile /etc/apache2/ssl/$DOMAIN_PURPOSE_NET.crt" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_NET-ssl.conf
echo " SSLCertificateKeyFile /etc/apache2/ssl/$DOMAIN_PURPOSE_NET.key" | sudo tee -a /etc

==Add site to Nginx==

This will take two parameters the first is the website name and the second is the IP address
website_fwd_config.sh websitename x.x.x.x
There is no need to add seaoffate.local or .net. this script will create four configs.
* sitename.seaoffate.local as http
* sitename.seaoffate.local as https
* sitename.seaoffate.net as http
* sitename.seaoffate.net as https
It should enable both of the http: versions (.local & .net) but it will not enable the https: so we have some time to get the certs done before ssl is deployed. note that the .local is sharing the same certificate amongst all of the .local websites that are being deployed here. The script is on Raisin on the root of nigel. '''Note we will have to do this for a hostname and the purpose''' as the hostname will not be known here eg run once for photo and once more for plum.

If it is lost it can be deployed again from this:

#!/bin/bash

# Script to configure Nginx as a reverse proxy

# Get website name, IP address from command line
WEBSITE_NAME="$1"
FORWARD_IP="$2"

# Check if parameters are provided
if [ -z "$WEBSITE_NAME" ] || [ -z "$FORWARD_IP" ]; then
echo "Usage: sudo $0 <website_name> <forward_ip>"
exit 1
fi

# Define domain names
DOMAIN_LOCAL="$WEBSITE_NAME.seaoffate.local"
DOMAIN_NET="$WEBSITE_NAME.seaoffate.net"

# Create Nginx configuration file for .local
echo "server {" | sudo tee /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " listen 80;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " server_name $DOMAIN_LOCAL;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " location / {" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_pass http://$FORWARD_IP/;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_set_header Host \$host;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_set_header X-Real-IP \$remote_addr;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_set_header X-Forwarded-Proto \$scheme;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " }" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo "}" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL

# Create Nginx configuration file for .local (HTTPS, but not enabled)
echo "server {" | sudo tee /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " listen 443 ssl;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " server_name $DOMAIN_LOCAL;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " ssl_certificate /etc/ssl/certs/raisin.seaoffate.local.crt;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " ssl_certificate_key /etc/ssl/private/raisin.seaoffate.local.key;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " location / {" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_pass http://$FORWARD_IP/;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_set_header Host \$host;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_set_header X-Real-IP \$remote_addr;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_set_header X-Forwarded-Proto \$scheme;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " }" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo "}" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl

# Create Nginx configuration file for .net
echo "server {" | sudo tee /etc/nginx/sites-available/$DOMAIN_NET
echo " listen 80;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " server_name $DOMAIN_NET;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " location / {" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_pass http://$FORWARD_IP/;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_set_header Host \$host;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_set_header X-Real-IP \$remote_addr;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_set_header X-Forwarded-Proto \$scheme;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " }" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo "}" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET

# Create Nginx configuration file for .net (HTTPS, but not enabled)
echo "server {" | sudo tee /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " listen 443 ssl;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " server_name $DOMAIN_NET;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " ssl_certificate /etc/nginx/ssl/$DOMAIN_NET.crt;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " ssl_certificate_key /etc/nginx/ssl/$DOMAIN_NET.key;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " location / {" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_pass http://$FORWARD_IP/;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_set_header Host \$host;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_set_header X-Real-IP \$remote_addr;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_set_header X-Forwarded-Proto \$scheme;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " }" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo "}" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl

# Create SSL directories (only for .net)
sudo mkdir -p /etc/nginx/ssl/
sudo chmod 700 /etc/nginx/ssl/

# Enable HTTP sites
sudo ln -s /etc/nginx/sites-available/$DOMAIN_LOCAL /etc/nginx/sites-enabled/
sudo ln -s /etc/nginx/sites-available/$DOMAIN_NET /etc/nginx/sites-enabled/

# Restart Nginx
sudo systemctl restart nginx

echo "Nginx configuration complete."
echo "HTTP sites enabled. SSL directories created."
echo "Add your Cloudflare SSL certificates to /etc/nginx/ssl/ for .net and enable HTTPS sites."
echo "Using existing certs for .seaoffate.local."

====Revove Website from Proxy (Raisin)====

We all make mistakes and we have to recover. This script will remove mistakes created by the website_fwd_config.sh above call it with
./remove_nginx_website.sh sitename
sitename is the site that needs to be removed, only the host potion needs to be supplied do not put in the .seaoffate.let or .seaoffate.local because it will remove all four configs(.local & .net and http ang https). All four website configs created above will be removed from /etc/nginx/sites-available & sites.enabled.

#!/bin/bash

# Script to remove an Nginx reverse proxy website configuration

# Get website name from command line
WEBSITE_NAME="$1"

# Check if website name is provided
if [ -z "$WEBSITE_NAME" ]; then
echo "Usage: sudo $0 <website_name>"
exit 1
fi

# Define domain names
DOMAIN_LOCAL="$WEBSITE_NAME.seaoffate.local"
DOMAIN_NET="$WEBSITE_NAME.seaoffate.net"

# Define configuration file paths
CONFIG_LOCAL="/etc/nginx/sites-available/$DOMAIN_LOCAL"
CONFIG_LOCAL_SSL="/etc/nginx/sites-available/$DOMAIN_LOCAL-ssl"
CONFIG_NET="/etc/nginx/sites-available/$DOMAIN_NET"
CONFIG_NET_SSL="/etc/nginx/sites-available/$DOMAIN_NET-ssl"
SYMLINK_LOCAL="/etc/nginx/sites-enabled/$DOMAIN_LOCAL"
SYMLINK_NET="/etc/nginx/sites-enabled/$DOMAIN_NET"

# Remove configuration files
sudo rm -f "$CONFIG_LOCAL" "$CONFIG_LOCAL_SSL" "$CONFIG_NET" "$CONFIG_NET_SSL"

# Remove symbolic links (disable sites)
sudo rm -f "$SYMLINK_LOCAL" "$SYMLINK_NET"

# Restart Nginx
sudo systemctl restart nginx

echo "Nginx website configuration removed."
echo "Website: $WEBSITE_NAME"
echo "Domains: $DOMAIN_LOCAL and $DOMAIN_NET"

# List sites-available directory
echo "\nContents of /etc/nginx/sites-available/: "
ls -l /etc/nginx/sites-available/

Webserver Setup

2025-03-14T10:34:57Z

192.168.100.9: /* Apache Webservers */

==Introduction==

Some scripts to help with the deployment of webservers.

==Apache Webservers==

====Install packages====

To help with installing the various packages for webservers we have a simple script to call apt to install them all. We have a copy in my Templates dir on lemon as we will need to copy it to the new webserver. After it is copied to the target webserver we call the script with
./lamp_client_install.sh
Although it is called lamp it only installs the MySQL client not the server(we will user the MySQL server on Mandarin) This what it does
#!/bin/bash
#
# Script to install a LAMP server (MySQL client only), PHP, ImageMagick, SFTP, and Exif reader
#
# Update package lists
sudo apt update -y
#
# Install Apache2
sudo apt install apache2 -y
#
# Install PHP and common extensions
sudo apt install php libapache2-mod-php php-cli php-mysql php-gd php-curl php-xml php-mbstring php-zip -y
#
# Install MySQL client
sudo apt install mysql-client -y
#
# Install ImageMagick
sudo apt install imagemagick -y
#
# Install OpenSSH server (SFTP)
sudo apt install openssh-server -y
#
# Enable SSH service
sudo systemctl enable ssh
#
# Install exiftool (Exif reader)
sudo apt install libimage-exiftool-perl -y
#
# Restart Apache2
sudo systemctl restart apache2
#
echo "LAMP server (MySQL client only), PHP, ImageMagick, SFTP, and Exif reader installation complete."
echo "Apache2 is running. SSH is enabled."

====Website Config====

Once Apache and it supporting packages are done we will need to create the config files. We will need 6 configs created.
* hostname.seaoffate.local as http
* hostname.seaoffate.local as https
* purpose.seaoffate.local as http
* purpose.seaoffate.local as https
* purpose.seaoffate.net as http
* purpose.seaoffate.net as https
The file will be stored in the Templates dir on nigel login on lemon Although there are six websites they all will serve from the same docroot. we will get one of the names from the hostname of the VM and the other will be the parameter in the call.
./apache_config.sh purpose
purpose will be what the reason for having the webserver eg wiki or photo. We do not need the .seaofffate.local or .net as that is assumed

#!/bin/bash
#
# Script to configure Apache for HTTP and HTTPS, create directories, and enable modules
#
# Get website purpose from command line
WEBSITE_PURPOSE="$1"
#
# Check if website purpose is provided
if [ -z "$WEBSITE_PURPOSE" ]; then
echo "Usage: sudo 0 <website\_purpose\>"
exit 1
fi
\# Define hostname
HOSTNAME\=(hostname)
#
# Define domain names
DOMAIN_HOST="$HOSTNAME.seaoffate.local"
DOMAIN_PURPOSE_LOCAL="$WEBSITE_PURPOSE.seaoffate.local"
DOMAIN_PURPOSE_NET="$WEBSITE_PURPOSE.seaoffate.net"
#
# Define document root
DOC_ROOT="/var/www/$WEBSITE_PURPOSE.seaoffate.local/public_html"
#
# Create document root directory
sudo mkdir -p "$DOC_ROOT"
sudo chown -R www-data:www-data "$DOC_ROOT"
#
# Create SSL directories
sudo mkdir -p /etc/apache2/ssl/
sudo chmod 700 /etc/apache2/ssl/
#
# Create HTTP configuration for hostname.local
echo "<VirtualHost *:80>" | sudo tee /etc/apache2/sites-available/$DOMAIN_HOST.conf
echo " ServerName $DOMAIN_HOST" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_HOST.conf
echo " DocumentRoot $DOC_ROOT" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_HOST\.conf
echo " ErrorLog \\{APACHE_LOG_DIR}/$DOMAIN_HOST-error.log" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_HOST\.conf
echo " CustomLog \\{APACHE_LOG_DIR}/$DOMAIN_HOST-access.log combined" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_HOST.conf
echo "</VirtualHost>" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_HOST.conf
#
# Create HTTPS configuration for hostname.local
echo "<VirtualHost *:443>" | sudo tee /etc/apache2/sites-available/$DOMAIN_HOST-ssl.conf
echo " ServerName $DOMAIN_HOST" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_HOST-ssl.conf
echo " DocumentRoot $DOC_ROOT" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_HOST\-ssl\.conf
echo " ErrorLog \\{APACHE_LOG_DIR}/$DOMAIN_HOST-ssl-error.log" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_HOST\-ssl\.conf
echo " CustomLog \\{APACHE_LOG_DIR}/$DOMAIN_HOST-ssl-access.log combined" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_HOST-ssl.conf
echo " SSLEngine on" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_HOST-ssl.conf
echo " SSLCertificateFile /etc/apache2/ssl/$DOMAIN_HOST.crt" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_HOST-ssl.conf
echo " SSLCertificateKeyFile /etc/apache2/ssl/$DOMAIN_HOST.key" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_HOST-ssl.conf
echo "</VirtualHost>" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_HOST-ssl.conf
#
# Create HTTP configuration for purpose.local
echo "<VirtualHost *:80>" | sudo tee /etc/apache2/sites-available/$DOMAIN_PURPOSE_LOCAL.conf
echo " ServerName $DOMAIN_PURPOSE_LOCAL" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_LOCAL.conf
echo " DocumentRoot $DOC_ROOT" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_PURPOSE\_LOCAL\.conf
echo " ErrorLog \\{APACHE_LOG_DIR}/$DOMAIN_PURPOSE_LOCAL-error.log" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_PURPOSE\_LOCAL\.conf
echo " CustomLog \\{APACHE_LOG_DIR}/$DOMAIN_PURPOSE_LOCAL-access.log combined" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_LOCAL.conf
echo "</VirtualHost>" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_LOCAL.conf

# Create HTTPS configuration for purpose.local
echo "<VirtualHost *:443>" | sudo tee /etc/apache2/sites-available/$DOMAIN_PURPOSE_LOCAL-ssl.conf
echo " ServerName $DOMAIN_PURPOSE_LOCAL" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_LOCAL-ssl.conf
echo " DocumentRoot $DOC_ROOT" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_PURPOSE\_LOCAL\-ssl\.conf
echo " ErrorLog \\{APACHE_LOG_DIR}/$DOMAIN_PURPOSE_LOCAL-ssl-error.log" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_PURPOSE\_LOCAL\-ssl\.conf
echo " CustomLog \\{APACHE_LOG_DIR}/$DOMAIN_PURPOSE_LOCAL-ssl-access.log combined" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_LOCAL-ssl.conf
echo " SSLEngine on" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_LOCAL-ssl.conf
echo " SSLCertificateFile /etc/apache2/ssl/$DOMAIN_PURPOSE_LOCAL.crt" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_LOCAL.ssl.conf
echo " SSLCertificateKeyFile /etc/apache2/ssl/$DOMAIN_PURPOSE_LOCAL.key" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_LOCAL-ssl.conf
echo "</VirtualHost>" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_LOCAL-ssl.conf
#
# Create HTTP configuration for purpose.net
echo "<VirtualHost *:80>" | sudo tee /etc/apache2/sites-available/$DOMAIN_PURPOSE_NET.conf
echo " ServerName $DOMAIN_PURPOSE_NET" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_NET.conf
echo " DocumentRoot $DOC_ROOT" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_PURPOSE\_NET\.conf
echo " ErrorLog \\{APACHE_LOG_DIR}/$DOMAIN_PURPOSE_NET-error.log" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_PURPOSE\_NET\.conf
echo " CustomLog \\{APACHE_LOG_DIR}/$DOMAIN_PURPOSE_NET-access.log combined" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_NET.conf
echo "</VirtualHost>" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_NET.conf
#
# Create HTTPS configuration for purpose.net
echo "<VirtualHost *:443>" | sudo tee /etc/apache2/sites-available/$DOMAIN_PURPOSE_NET-ssl.conf
echo " ServerName $DOMAIN_PURPOSE_NET" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_NET-ssl.conf
echo " DocumentRoot $DOC_ROOT" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_PURPOSE\_NET\-ssl\.conf
echo " ErrorLog \\{APACHE_LOG_DIR}/$DOMAIN_PURPOSE_NET-ssl-error.log" | sudo tee -a /etc/apache2/sites-available/DOMAIN\_PURPOSE\_NET\-ssl\.conf
echo " CustomLog \\{APACHE_LOG_DIR}/$DOMAIN_PURPOSE_NET-ssl-access.log combined" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_NET-ssl.conf
echo " SSLEngine on" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_NET-ssl.conf
echo " SSLCertificateFile /etc/apache2/ssl/$DOMAIN_PURPOSE_NET.crt" | sudo tee -a /etc/apache2/sites-available/$DOMAIN_PURPOSE_NET-ssl.conf
echo " SSLCertificateKeyFile /etc/apache2/ssl/$DOMAIN_PURPOSE_NET.key" | sudo tee -a /etc

==Add site to Nginx==

This will take two parameters the first is the website name and the second is the IP address
website_fwd_config.sh websitename x.x.x.x
There is no need to add seaoffate.local or .net. this script will create four configs.
* sitename.seaoffate.local as http
* sitename.seaoffate.local as https
* sitename.seaoffate.net as http
* sitename.seaoffate.net as https
It should enable both of the http: versions (.local & .net) but it will not enable the https: so we have some time to get the certs done before ssl is deployed. note that the .local is sharing the same certificate amongst all of the .local websites that are being deployed here. The script is on Raisin on the root of nigel. '''Note we will have to do this for a hostname and the purpose''' as the hostname will not be known here eg run once for photo and once more for plum.

If it is lost it can be deployed again from this:

#!/bin/bash

# Script to configure Nginx as a reverse proxy

# Get website name, IP address from command line
WEBSITE_NAME="$1"
FORWARD_IP="$2"

# Check if parameters are provided
if [ -z "$WEBSITE_NAME" ] || [ -z "$FORWARD_IP" ]; then
echo "Usage: sudo $0 <website_name> <forward_ip>"
exit 1
fi

# Define domain names
DOMAIN_LOCAL="$WEBSITE_NAME.seaoffate.local"
DOMAIN_NET="$WEBSITE_NAME.seaoffate.net"

# Create Nginx configuration file for .local
echo "server {" | sudo tee /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " listen 80;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " server_name $DOMAIN_LOCAL;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " location / {" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_pass http://$FORWARD_IP/;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_set_header Host \$host;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_set_header X-Real-IP \$remote_addr;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_set_header X-Forwarded-Proto \$scheme;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " }" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo "}" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL

# Create Nginx configuration file for .local (HTTPS, but not enabled)
echo "server {" | sudo tee /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " listen 443 ssl;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " server_name $DOMAIN_LOCAL;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " ssl_certificate /etc/ssl/certs/raisin.seaoffate.local.crt;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " ssl_certificate_key /etc/ssl/private/raisin.seaoffate.local.key;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " location / {" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_pass http://$FORWARD_IP/;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_set_header Host \$host;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_set_header X-Real-IP \$remote_addr;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_set_header X-Forwarded-Proto \$scheme;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " }" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo "}" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl

# Create Nginx configuration file for .net
echo "server {" | sudo tee /etc/nginx/sites-available/$DOMAIN_NET
echo " listen 80;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " server_name $DOMAIN_NET;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " location / {" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_pass http://$FORWARD_IP/;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_set_header Host \$host;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_set_header X-Real-IP \$remote_addr;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_set_header X-Forwarded-Proto \$scheme;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " }" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo "}" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET

# Create Nginx configuration file for .net (HTTPS, but not enabled)
echo "server {" | sudo tee /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " listen 443 ssl;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " server_name $DOMAIN_NET;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " ssl_certificate /etc/nginx/ssl/$DOMAIN_NET.crt;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " ssl_certificate_key /etc/nginx/ssl/$DOMAIN_NET.key;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " location / {" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_pass http://$FORWARD_IP/;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_set_header Host \$host;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_set_header X-Real-IP \$remote_addr;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_set_header X-Forwarded-Proto \$scheme;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " }" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo "}" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl

# Create SSL directories (only for .net)
sudo mkdir -p /etc/nginx/ssl/
sudo chmod 700 /etc/nginx/ssl/

# Enable HTTP sites
sudo ln -s /etc/nginx/sites-available/$DOMAIN_LOCAL /etc/nginx/sites-enabled/
sudo ln -s /etc/nginx/sites-available/$DOMAIN_NET /etc/nginx/sites-enabled/

# Restart Nginx
sudo systemctl restart nginx

echo "Nginx configuration complete."
echo "HTTP sites enabled. SSL directories created."
echo "Add your Cloudflare SSL certificates to /etc/nginx/ssl/ for .net and enable HTTPS sites."
echo "Using existing certs for .seaoffate.local."

====Revove Website from Proxy (Raisin)====

We all make mistakes and we have to recover. This script will remove mistakes created by the website_fwd_config.sh above call it with
./remove_nginx_website.sh sitename
sitename is the site that needs to be removed, only the host potion needs to be supplied do not put in the .seaoffate.let or .seaoffate.local because it will remove all four configs(.local & .net and http ang https). All four website configs created above will be removed from /etc/nginx/sites-available & sites.enabled.

#!/bin/bash

# Script to remove an Nginx reverse proxy website configuration

# Get website name from command line
WEBSITE_NAME="$1"

# Check if website name is provided
if [ -z "$WEBSITE_NAME" ]; then
echo "Usage: sudo $0 <website_name>"
exit 1
fi

# Define domain names
DOMAIN_LOCAL="$WEBSITE_NAME.seaoffate.local"
DOMAIN_NET="$WEBSITE_NAME.seaoffate.net"

# Define configuration file paths
CONFIG_LOCAL="/etc/nginx/sites-available/$DOMAIN_LOCAL"
CONFIG_LOCAL_SSL="/etc/nginx/sites-available/$DOMAIN_LOCAL-ssl"
CONFIG_NET="/etc/nginx/sites-available/$DOMAIN_NET"
CONFIG_NET_SSL="/etc/nginx/sites-available/$DOMAIN_NET-ssl"
SYMLINK_LOCAL="/etc/nginx/sites-enabled/$DOMAIN_LOCAL"
SYMLINK_NET="/etc/nginx/sites-enabled/$DOMAIN_NET"

# Remove configuration files
sudo rm -f "$CONFIG_LOCAL" "$CONFIG_LOCAL_SSL" "$CONFIG_NET" "$CONFIG_NET_SSL"

# Remove symbolic links (disable sites)
sudo rm -f "$SYMLINK_LOCAL" "$SYMLINK_NET"

# Restart Nginx
sudo systemctl restart nginx

echo "Nginx website configuration removed."
echo "Website: $WEBSITE_NAME"
echo "Domains: $DOMAIN_LOCAL and $DOMAIN_NET"

# List sites-available directory
echo "\nContents of /etc/nginx/sites-available/: "
ls -l /etc/nginx/sites-available/

Webserver Setup

2025-03-14T10:11:01Z

192.168.100.9: /* Apache Webservers */

==Introduction==

Some scripts to help with the deployment of webservers.

==Apache Webservers==

To help with installing the various packages for webservers we have a simple script to call apt to install them all. We have a copy in my Templates dir on lemon as we will need to copy it to the new webserver. After it is copied to the target webserver we call the script with
./lamp_client_install.sh
Although it is called lamp it only installs the MySQL client not the server(we will user the MySQL server on Mandarin) This what it does
#!/bin/bash
#
# Script to install a LAMP server (MySQL client only), PHP, ImageMagick, SFTP, and Exif reader
#
# Update package lists
sudo apt update -y
#
# Install Apache2
sudo apt install apache2 -y
#
# Install PHP and common extensions
sudo apt install php libapache2-mod-php php-cli php-mysql php-gd php-curl php-xml php-mbstring php-zip -y
#
# Install MySQL client
sudo apt install mysql-client -y
#
# Install ImageMagick
sudo apt install imagemagick -y
#
# Install OpenSSH server (SFTP)
sudo apt install openssh-server -y
#
# Enable SSH service
sudo systemctl enable ssh
#
# Install exiftool (Exif reader)
sudo apt install libimage-exiftool-perl -y
#
# Restart Apache2
sudo systemctl restart apache2
#
echo "LAMP server (MySQL client only), PHP, ImageMagick, SFTP, and Exif reader installation complete."
echo "Apache2 is running. SSH is enabled."

==Add site to Nginx==

This will take two parameters the first is the website name and the second is the IP address
website_fwd_config.sh websitename x.x.x.x
There is no need to add seaoffate.local or .net. this script will create four configs.
* sitename.seaoffate.local as http
* sitename.seaoffate.local as https
* sitename.seaoffate.net as http
* sitename.seaoffate.net as https
It should enable both of the http: versions (.local & .net) but it will not enable the https: so we have some time to get the certs done before ssl is deployed. note that the .local is sharing the same certificate amongst all of the .local websites that are being deployed here. The script is on Raisin on the root of nigel. '''Note we will have to do this for a hostname and the purpose''' as the hostname will not be known here eg run once for photo and once more for plum.

If it is lost it can be deployed again from this:

#!/bin/bash

# Script to configure Nginx as a reverse proxy

# Get website name, IP address from command line
WEBSITE_NAME="$1"
FORWARD_IP="$2"

# Check if parameters are provided
if [ -z "$WEBSITE_NAME" ] || [ -z "$FORWARD_IP" ]; then
echo "Usage: sudo $0 <website_name> <forward_ip>"
exit 1
fi

# Define domain names
DOMAIN_LOCAL="$WEBSITE_NAME.seaoffate.local"
DOMAIN_NET="$WEBSITE_NAME.seaoffate.net"

# Create Nginx configuration file for .local
echo "server {" | sudo tee /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " listen 80;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " server_name $DOMAIN_LOCAL;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " location / {" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_pass http://$FORWARD_IP/;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_set_header Host \$host;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_set_header X-Real-IP \$remote_addr;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_set_header X-Forwarded-Proto \$scheme;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " }" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo "}" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL

# Create Nginx configuration file for .local (HTTPS, but not enabled)
echo "server {" | sudo tee /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " listen 443 ssl;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " server_name $DOMAIN_LOCAL;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " ssl_certificate /etc/ssl/certs/raisin.seaoffate.local.crt;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " ssl_certificate_key /etc/ssl/private/raisin.seaoffate.local.key;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " location / {" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_pass http://$FORWARD_IP/;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_set_header Host \$host;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_set_header X-Real-IP \$remote_addr;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_set_header X-Forwarded-Proto \$scheme;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " }" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo "}" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl

# Create Nginx configuration file for .net
echo "server {" | sudo tee /etc/nginx/sites-available/$DOMAIN_NET
echo " listen 80;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " server_name $DOMAIN_NET;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " location / {" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_pass http://$FORWARD_IP/;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_set_header Host \$host;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_set_header X-Real-IP \$remote_addr;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_set_header X-Forwarded-Proto \$scheme;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " }" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo "}" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET

# Create Nginx configuration file for .net (HTTPS, but not enabled)
echo "server {" | sudo tee /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " listen 443 ssl;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " server_name $DOMAIN_NET;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " ssl_certificate /etc/nginx/ssl/$DOMAIN_NET.crt;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " ssl_certificate_key /etc/nginx/ssl/$DOMAIN_NET.key;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " location / {" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_pass http://$FORWARD_IP/;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_set_header Host \$host;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_set_header X-Real-IP \$remote_addr;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_set_header X-Forwarded-Proto \$scheme;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " }" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo "}" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl

# Create SSL directories (only for .net)
sudo mkdir -p /etc/nginx/ssl/
sudo chmod 700 /etc/nginx/ssl/

# Enable HTTP sites
sudo ln -s /etc/nginx/sites-available/$DOMAIN_LOCAL /etc/nginx/sites-enabled/
sudo ln -s /etc/nginx/sites-available/$DOMAIN_NET /etc/nginx/sites-enabled/

# Restart Nginx
sudo systemctl restart nginx

echo "Nginx configuration complete."
echo "HTTP sites enabled. SSL directories created."
echo "Add your Cloudflare SSL certificates to /etc/nginx/ssl/ for .net and enable HTTPS sites."
echo "Using existing certs for .seaoffate.local."

====Revove Website from Proxy (Raisin)====

We all make mistakes and we have to recover. This script will remove mistakes created by the website_fwd_config.sh above call it with
./remove_nginx_website.sh sitename
sitename is the site that needs to be removed, only the host potion needs to be supplied do not put in the .seaoffate.let or .seaoffate.local because it will remove all four configs(.local & .net and http ang https). All four website configs created above will be removed from /etc/nginx/sites-available & sites.enabled.

#!/bin/bash

# Script to remove an Nginx reverse proxy website configuration

# Get website name from command line
WEBSITE_NAME="$1"

# Check if website name is provided
if [ -z "$WEBSITE_NAME" ]; then
echo "Usage: sudo $0 <website_name>"
exit 1
fi

# Define domain names
DOMAIN_LOCAL="$WEBSITE_NAME.seaoffate.local"
DOMAIN_NET="$WEBSITE_NAME.seaoffate.net"

# Define configuration file paths
CONFIG_LOCAL="/etc/nginx/sites-available/$DOMAIN_LOCAL"
CONFIG_LOCAL_SSL="/etc/nginx/sites-available/$DOMAIN_LOCAL-ssl"
CONFIG_NET="/etc/nginx/sites-available/$DOMAIN_NET"
CONFIG_NET_SSL="/etc/nginx/sites-available/$DOMAIN_NET-ssl"
SYMLINK_LOCAL="/etc/nginx/sites-enabled/$DOMAIN_LOCAL"
SYMLINK_NET="/etc/nginx/sites-enabled/$DOMAIN_NET"

# Remove configuration files
sudo rm -f "$CONFIG_LOCAL" "$CONFIG_LOCAL_SSL" "$CONFIG_NET" "$CONFIG_NET_SSL"

# Remove symbolic links (disable sites)
sudo rm -f "$SYMLINK_LOCAL" "$SYMLINK_NET"

# Restart Nginx
sudo systemctl restart nginx

echo "Nginx website configuration removed."
echo "Website: $WEBSITE_NAME"
echo "Domains: $DOMAIN_LOCAL and $DOMAIN_NET"

# List sites-available directory
echo "\nContents of /etc/nginx/sites-available/: "
ls -l /etc/nginx/sites-available/

Webserver Setup

2025-03-14T10:08:31Z

192.168.100.9: /* Introduction */

==Introduction==

Some scripts to help with the deployment of webservers.

==Apache Webservers==

To help with installing the various packages for webservers we have a simple script to call apt to install them all. We have a copy in my Templates dir on lemon as we will need to copy it to the new webserver. After it is copied to the target webserver we call the script with
./lamp_client_install.sh
Although it is called lamp it only installs the MySQL client not the server(we will user the MySQL server on Mandarin) This what it does
#!/bin/bash

# Script to install a LAMP server (MySQL client only), PHP, ImageMagick, SFTP, and Exif reader

# Update package lists
sudo apt update -y

# Install Apache2
sudo apt install apache2 -y

# Install PHP and common extensions
sudo apt install php libapache2-mod-php php-cli php-mysql php-gd php-curl php-xml php-mbstring php-zip -y

# Install MySQL client
sudo apt install mysql-client -y

# Install ImageMagick
sudo apt install imagemagick -y

# Install OpenSSH server (SFTP)
sudo apt install openssh-server -y

# Enable SSH service
sudo systemctl enable ssh

# Install exiftool (Exif reader)
sudo apt install libimage-exiftool-perl -y

# Restart Apache2
sudo systemctl restart apache2

echo "LAMP server (MySQL client only), PHP, ImageMagick, SFTP, and Exif reader installation complete."
echo "Apache2 is running. SSH is enabled."

==Add site to Nginx==

This will take two parameters the first is the website name and the second is the IP address
website_fwd_config.sh websitename x.x.x.x
There is no need to add seaoffate.local or .net. this script will create four configs.
* sitename.seaoffate.local as http
* sitename.seaoffate.local as https
* sitename.seaoffate.net as http
* sitename.seaoffate.net as https
It should enable both of the http: versions (.local & .net) but it will not enable the https: so we have some time to get the certs done before ssl is deployed. note that the .local is sharing the same certificate amongst all of the .local websites that are being deployed here. The script is on Raisin on the root of nigel. '''Note we will have to do this for a hostname and the purpose''' as the hostname will not be known here eg run once for photo and once more for plum.

If it is lost it can be deployed again from this:

#!/bin/bash

# Script to configure Nginx as a reverse proxy

# Get website name, IP address from command line
WEBSITE_NAME="$1"
FORWARD_IP="$2"

# Check if parameters are provided
if [ -z "$WEBSITE_NAME" ] || [ -z "$FORWARD_IP" ]; then
echo "Usage: sudo $0 <website_name> <forward_ip>"
exit 1
fi

# Define domain names
DOMAIN_LOCAL="$WEBSITE_NAME.seaoffate.local"
DOMAIN_NET="$WEBSITE_NAME.seaoffate.net"

# Create Nginx configuration file for .local
echo "server {" | sudo tee /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " listen 80;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " server_name $DOMAIN_LOCAL;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " location / {" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_pass http://$FORWARD_IP/;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_set_header Host \$host;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_set_header X-Real-IP \$remote_addr;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_set_header X-Forwarded-Proto \$scheme;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " }" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo "}" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL

# Create Nginx configuration file for .local (HTTPS, but not enabled)
echo "server {" | sudo tee /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " listen 443 ssl;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " server_name $DOMAIN_LOCAL;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " ssl_certificate /etc/ssl/certs/raisin.seaoffate.local.crt;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " ssl_certificate_key /etc/ssl/private/raisin.seaoffate.local.key;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " location / {" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_pass http://$FORWARD_IP/;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_set_header Host \$host;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_set_header X-Real-IP \$remote_addr;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_set_header X-Forwarded-Proto \$scheme;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " }" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo "}" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl

# Create Nginx configuration file for .net
echo "server {" | sudo tee /etc/nginx/sites-available/$DOMAIN_NET
echo " listen 80;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " server_name $DOMAIN_NET;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " location / {" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_pass http://$FORWARD_IP/;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_set_header Host \$host;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_set_header X-Real-IP \$remote_addr;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_set_header X-Forwarded-Proto \$scheme;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " }" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo "}" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET

# Create Nginx configuration file for .net (HTTPS, but not enabled)
echo "server {" | sudo tee /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " listen 443 ssl;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " server_name $DOMAIN_NET;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " ssl_certificate /etc/nginx/ssl/$DOMAIN_NET.crt;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " ssl_certificate_key /etc/nginx/ssl/$DOMAIN_NET.key;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " location / {" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_pass http://$FORWARD_IP/;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_set_header Host \$host;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_set_header X-Real-IP \$remote_addr;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_set_header X-Forwarded-Proto \$scheme;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " }" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo "}" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl

# Create SSL directories (only for .net)
sudo mkdir -p /etc/nginx/ssl/
sudo chmod 700 /etc/nginx/ssl/

# Enable HTTP sites
sudo ln -s /etc/nginx/sites-available/$DOMAIN_LOCAL /etc/nginx/sites-enabled/
sudo ln -s /etc/nginx/sites-available/$DOMAIN_NET /etc/nginx/sites-enabled/

# Restart Nginx
sudo systemctl restart nginx

echo "Nginx configuration complete."
echo "HTTP sites enabled. SSL directories created."
echo "Add your Cloudflare SSL certificates to /etc/nginx/ssl/ for .net and enable HTTPS sites."
echo "Using existing certs for .seaoffate.local."

====Revove Website from Proxy (Raisin)====

We all make mistakes and we have to recover. This script will remove mistakes created by the website_fwd_config.sh above call it with
./remove_nginx_website.sh sitename
sitename is the site that needs to be removed, only the host potion needs to be supplied do not put in the .seaoffate.let or .seaoffate.local because it will remove all four configs(.local & .net and http ang https). All four website configs created above will be removed from /etc/nginx/sites-available & sites.enabled.

#!/bin/bash

# Script to remove an Nginx reverse proxy website configuration

# Get website name from command line
WEBSITE_NAME="$1"

# Check if website name is provided
if [ -z "$WEBSITE_NAME" ]; then
echo "Usage: sudo $0 <website_name>"
exit 1
fi

# Define domain names
DOMAIN_LOCAL="$WEBSITE_NAME.seaoffate.local"
DOMAIN_NET="$WEBSITE_NAME.seaoffate.net"

# Define configuration file paths
CONFIG_LOCAL="/etc/nginx/sites-available/$DOMAIN_LOCAL"
CONFIG_LOCAL_SSL="/etc/nginx/sites-available/$DOMAIN_LOCAL-ssl"
CONFIG_NET="/etc/nginx/sites-available/$DOMAIN_NET"
CONFIG_NET_SSL="/etc/nginx/sites-available/$DOMAIN_NET-ssl"
SYMLINK_LOCAL="/etc/nginx/sites-enabled/$DOMAIN_LOCAL"
SYMLINK_NET="/etc/nginx/sites-enabled/$DOMAIN_NET"

# Remove configuration files
sudo rm -f "$CONFIG_LOCAL" "$CONFIG_LOCAL_SSL" "$CONFIG_NET" "$CONFIG_NET_SSL"

# Remove symbolic links (disable sites)
sudo rm -f "$SYMLINK_LOCAL" "$SYMLINK_NET"

# Restart Nginx
sudo systemctl restart nginx

echo "Nginx website configuration removed."
echo "Website: $WEBSITE_NAME"
echo "Domains: $DOMAIN_LOCAL and $DOMAIN_NET"

# List sites-available directory
echo "\nContents of /etc/nginx/sites-available/: "
ls -l /etc/nginx/sites-available/

Webserver Setup

2025-03-14T09:56:13Z

192.168.100.9: /* Introduction */

==Introduction==

Some scripts to help with the deployment of webservers.

==Add site to Nginx==

This will take two parameters the first is the website name and the second is the IP address
website_fwd_config.sh websitename x.x.x.x
There is no need to add seaoffate.local or .net. this script will create four configs.
* sitename.seaoffate.local as http
* sitename.seaoffate.local as https
* sitename.seaoffate.net as http
* sitename.seaoffate.net as https
It should enable both of the http: versions (.local & .net) but it will not enable the https: so we have some time to get the certs done before ssl is deployed. note that the .local is sharing the same certificate amongst all of the .local websites that are being deployed here. The script is on Raisin on the root of nigel. '''Note we will have to do this for a hostname and the purpose''' as the hostname will not be known here eg run once for photo and once more for plum.

If it is lost it can be deployed again from this:

#!/bin/bash

# Script to configure Nginx as a reverse proxy

# Get website name, IP address from command line
WEBSITE_NAME="$1"
FORWARD_IP="$2"

# Check if parameters are provided
if [ -z "$WEBSITE_NAME" ] || [ -z "$FORWARD_IP" ]; then
echo "Usage: sudo $0 <website_name> <forward_ip>"
exit 1
fi

# Define domain names
DOMAIN_LOCAL="$WEBSITE_NAME.seaoffate.local"
DOMAIN_NET="$WEBSITE_NAME.seaoffate.net"

# Create Nginx configuration file for .local
echo "server {" | sudo tee /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " listen 80;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " server_name $DOMAIN_LOCAL;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " location / {" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_pass http://$FORWARD_IP/;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_set_header Host \$host;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_set_header X-Real-IP \$remote_addr;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_set_header X-Forwarded-Proto \$scheme;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " }" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo "}" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL

# Create Nginx configuration file for .local (HTTPS, but not enabled)
echo "server {" | sudo tee /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " listen 443 ssl;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " server_name $DOMAIN_LOCAL;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " ssl_certificate /etc/ssl/certs/raisin.seaoffate.local.crt;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " ssl_certificate_key /etc/ssl/private/raisin.seaoffate.local.key;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " location / {" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_pass http://$FORWARD_IP/;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_set_header Host \$host;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_set_header X-Real-IP \$remote_addr;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_set_header X-Forwarded-Proto \$scheme;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " }" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo "}" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl

# Create Nginx configuration file for .net
echo "server {" | sudo tee /etc/nginx/sites-available/$DOMAIN_NET
echo " listen 80;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " server_name $DOMAIN_NET;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " location / {" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_pass http://$FORWARD_IP/;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_set_header Host \$host;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_set_header X-Real-IP \$remote_addr;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_set_header X-Forwarded-Proto \$scheme;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " }" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo "}" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET

# Create Nginx configuration file for .net (HTTPS, but not enabled)
echo "server {" | sudo tee /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " listen 443 ssl;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " server_name $DOMAIN_NET;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " ssl_certificate /etc/nginx/ssl/$DOMAIN_NET.crt;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " ssl_certificate_key /etc/nginx/ssl/$DOMAIN_NET.key;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " location / {" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_pass http://$FORWARD_IP/;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_set_header Host \$host;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_set_header X-Real-IP \$remote_addr;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_set_header X-Forwarded-Proto \$scheme;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " }" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo "}" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl

# Create SSL directories (only for .net)
sudo mkdir -p /etc/nginx/ssl/
sudo chmod 700 /etc/nginx/ssl/

# Enable HTTP sites
sudo ln -s /etc/nginx/sites-available/$DOMAIN_LOCAL /etc/nginx/sites-enabled/
sudo ln -s /etc/nginx/sites-available/$DOMAIN_NET /etc/nginx/sites-enabled/

# Restart Nginx
sudo systemctl restart nginx

echo "Nginx configuration complete."
echo "HTTP sites enabled. SSL directories created."
echo "Add your Cloudflare SSL certificates to /etc/nginx/ssl/ for .net and enable HTTPS sites."
echo "Using existing certs for .seaoffate.local."

====Revove Website from Proxy (Raisin)====

We all make mistakes and we have to recover. This script will remove mistakes created by the website_fwd_config.sh above call it with
./remove_nginx_website.sh sitename
sitename is the site that needs to be removed, only the host potion needs to be supplied do not put in the .seaoffate.let or .seaoffate.local because it will remove all four configs(.local & .net and http ang https). All four website configs created above will be removed from /etc/nginx/sites-available & sites.enabled.

#!/bin/bash

# Script to remove an Nginx reverse proxy website configuration

# Get website name from command line
WEBSITE_NAME="$1"

# Check if website name is provided
if [ -z "$WEBSITE_NAME" ]; then
echo "Usage: sudo $0 <website_name>"
exit 1
fi

# Define domain names
DOMAIN_LOCAL="$WEBSITE_NAME.seaoffate.local"
DOMAIN_NET="$WEBSITE_NAME.seaoffate.net"

# Define configuration file paths
CONFIG_LOCAL="/etc/nginx/sites-available/$DOMAIN_LOCAL"
CONFIG_LOCAL_SSL="/etc/nginx/sites-available/$DOMAIN_LOCAL-ssl"
CONFIG_NET="/etc/nginx/sites-available/$DOMAIN_NET"
CONFIG_NET_SSL="/etc/nginx/sites-available/$DOMAIN_NET-ssl"
SYMLINK_LOCAL="/etc/nginx/sites-enabled/$DOMAIN_LOCAL"
SYMLINK_NET="/etc/nginx/sites-enabled/$DOMAIN_NET"

# Remove configuration files
sudo rm -f "$CONFIG_LOCAL" "$CONFIG_LOCAL_SSL" "$CONFIG_NET" "$CONFIG_NET_SSL"

# Remove symbolic links (disable sites)
sudo rm -f "$SYMLINK_LOCAL" "$SYMLINK_NET"

# Restart Nginx
sudo systemctl restart nginx

echo "Nginx website configuration removed."
echo "Website: $WEBSITE_NAME"
echo "Domains: $DOMAIN_LOCAL and $DOMAIN_NET"

# List sites-available directory
echo "\nContents of /etc/nginx/sites-available/: "
ls -l /etc/nginx/sites-available/

Webserver Setup

2025-03-14T09:54:47Z

192.168.100.9: /* Add site to Nginx */

==Introduction==

Some scripts to help with the deployment of webservers.

====Add site to Nginx====

This will take two parameters the first is the website name and the second is the IP address
website_fwd_config.sh websitename x.x.x.x
There is no need to add seaoffate.local or .net. this script will create four configs.
* sitename.seaoffate.local as http
* sitename.seaoffate.local as https
* sitename.seaoffate.net as http
* sitename.seaoffate.net as https
It should enable both of the http: versions (.local & .net) but it will not enable the https: so we have some time to get the certs done before ssl is deployed. note that the .local is sharing the same certificate amongst all of the .local websites that are being deployed here. The script is on Raisin on the root of nigel. '''Note we will have to do this for a hostname and the purpose''' as the hostname will not be known here eg run once for photo and once more for plum.

If it is lost it can be deployed again from this:

#!/bin/bash

# Script to configure Nginx as a reverse proxy

# Get website name, IP address from command line
WEBSITE_NAME="$1"
FORWARD_IP="$2"

# Check if parameters are provided
if [ -z "$WEBSITE_NAME" ] || [ -z "$FORWARD_IP" ]; then
echo "Usage: sudo $0 <website_name> <forward_ip>"
exit 1
fi

# Define domain names
DOMAIN_LOCAL="$WEBSITE_NAME.seaoffate.local"
DOMAIN_NET="$WEBSITE_NAME.seaoffate.net"

# Create Nginx configuration file for .local
echo "server {" | sudo tee /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " listen 80;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " server_name $DOMAIN_LOCAL;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " location / {" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_pass http://$FORWARD_IP/;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_set_header Host \$host;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_set_header X-Real-IP \$remote_addr;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_set_header X-Forwarded-Proto \$scheme;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " }" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo "}" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL

# Create Nginx configuration file for .local (HTTPS, but not enabled)
echo "server {" | sudo tee /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " listen 443 ssl;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " server_name $DOMAIN_LOCAL;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " ssl_certificate /etc/ssl/certs/raisin.seaoffate.local.crt;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " ssl_certificate_key /etc/ssl/private/raisin.seaoffate.local.key;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " location / {" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_pass http://$FORWARD_IP/;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_set_header Host \$host;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_set_header X-Real-IP \$remote_addr;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_set_header X-Forwarded-Proto \$scheme;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " }" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo "}" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl

# Create Nginx configuration file for .net
echo "server {" | sudo tee /etc/nginx/sites-available/$DOMAIN_NET
echo " listen 80;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " server_name $DOMAIN_NET;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " location / {" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_pass http://$FORWARD_IP/;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_set_header Host \$host;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_set_header X-Real-IP \$remote_addr;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_set_header X-Forwarded-Proto \$scheme;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " }" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo "}" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET

# Create Nginx configuration file for .net (HTTPS, but not enabled)
echo "server {" | sudo tee /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " listen 443 ssl;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " server_name $DOMAIN_NET;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " ssl_certificate /etc/nginx/ssl/$DOMAIN_NET.crt;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " ssl_certificate_key /etc/nginx/ssl/$DOMAIN_NET.key;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " location / {" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_pass http://$FORWARD_IP/;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_set_header Host \$host;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_set_header X-Real-IP \$remote_addr;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_set_header X-Forwarded-Proto \$scheme;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " }" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo "}" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl

# Create SSL directories (only for .net)
sudo mkdir -p /etc/nginx/ssl/
sudo chmod 700 /etc/nginx/ssl/

# Enable HTTP sites
sudo ln -s /etc/nginx/sites-available/$DOMAIN_LOCAL /etc/nginx/sites-enabled/
sudo ln -s /etc/nginx/sites-available/$DOMAIN_NET /etc/nginx/sites-enabled/

# Restart Nginx
sudo systemctl restart nginx

echo "Nginx configuration complete."
echo "HTTP sites enabled. SSL directories created."
echo "Add your Cloudflare SSL certificates to /etc/nginx/ssl/ for .net and enable HTTPS sites."
echo "Using existing certs for .seaoffate.local."

====Revove Website from Proxy (Raisin)====

We all make mistakes and we have to recover. This script will remove mistakes created by the website_fwd_config.sh above call it with
./remove_nginx_website.sh sitename
sitename is the site that needs to be removed, only the host potion needs to be supplied do not put in the .seaoffate.let or .seaoffate.local because it will remove all four configs(.local & .net and http ang https). All four website configs created above will be removed from /etc/nginx/sites-available & sites.enabled.

#!/bin/bash

# Script to remove an Nginx reverse proxy website configuration

# Get website name from command line
WEBSITE_NAME="$1"

# Check if website name is provided
if [ -z "$WEBSITE_NAME" ]; then
echo "Usage: sudo $0 <website_name>"
exit 1
fi

# Define domain names
DOMAIN_LOCAL="$WEBSITE_NAME.seaoffate.local"
DOMAIN_NET="$WEBSITE_NAME.seaoffate.net"

# Define configuration file paths
CONFIG_LOCAL="/etc/nginx/sites-available/$DOMAIN_LOCAL"
CONFIG_LOCAL_SSL="/etc/nginx/sites-available/$DOMAIN_LOCAL-ssl"
CONFIG_NET="/etc/nginx/sites-available/$DOMAIN_NET"
CONFIG_NET_SSL="/etc/nginx/sites-available/$DOMAIN_NET-ssl"
SYMLINK_LOCAL="/etc/nginx/sites-enabled/$DOMAIN_LOCAL"
SYMLINK_NET="/etc/nginx/sites-enabled/$DOMAIN_NET"

# Remove configuration files
sudo rm -f "$CONFIG_LOCAL" "$CONFIG_LOCAL_SSL" "$CONFIG_NET" "$CONFIG_NET_SSL"

# Remove symbolic links (disable sites)
sudo rm -f "$SYMLINK_LOCAL" "$SYMLINK_NET"

# Restart Nginx
sudo systemctl restart nginx

echo "Nginx website configuration removed."
echo "Website: $WEBSITE_NAME"
echo "Domains: $DOMAIN_LOCAL and $DOMAIN_NET"

# List sites-available directory
echo "\nContents of /etc/nginx/sites-available/: "
ls -l /etc/nginx/sites-available/

Webserver Setup

2025-03-14T09:47:48Z

192.168.100.9: /* Add site to Nginx */

==Introduction==

Some scripts to help with the deployment of webservers.

====Add site to Nginx====

This will take two parameters the first is the website name and the second is the IP address there is no need to add seaoffate.local or .net. this script will create four configs.
* sitename.seaoffate.local as http
* sitename.seaoffate.local as https
* sitename.seaoffate.net as http
* sitename.seaoffate.net as https
It should enable both of the http: versions (.local & .net) but it will not enable the https: so we have some time to get the certs done before ssl is deployed. note that the .local is sharing the same certificate amongst all of the .local websites that are being deployed here. The script is on Raisin on the root of nigel. if it is lost it can be deployed again from this:

#!/bin/bash

# Script to configure Nginx as a reverse proxy

# Get website name, IP address from command line
WEBSITE_NAME="$1"
FORWARD_IP="$2"

# Check if parameters are provided
if [ -z "$WEBSITE_NAME" ] || [ -z "$FORWARD_IP" ]; then
echo "Usage: sudo $0 <website_name> <forward_ip>"
exit 1
fi

# Define domain names
DOMAIN_LOCAL="$WEBSITE_NAME.seaoffate.local"
DOMAIN_NET="$WEBSITE_NAME.seaoffate.net"

# Create Nginx configuration file for .local
echo "server {" | sudo tee /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " listen 80;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " server_name $DOMAIN_LOCAL;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " location / {" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_pass http://$FORWARD_IP/;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_set_header Host \$host;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_set_header X-Real-IP \$remote_addr;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_set_header X-Forwarded-Proto \$scheme;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " }" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo "}" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL

# Create Nginx configuration file for .local (HTTPS, but not enabled)
echo "server {" | sudo tee /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " listen 443 ssl;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " server_name $DOMAIN_LOCAL;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " ssl_certificate /etc/ssl/certs/raisin.seaoffate.local.crt;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " ssl_certificate_key /etc/ssl/private/raisin.seaoffate.local.key;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " location / {" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_pass http://$FORWARD_IP/;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_set_header Host \$host;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_set_header X-Real-IP \$remote_addr;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_set_header X-Forwarded-Proto \$scheme;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " }" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo "}" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl

# Create Nginx configuration file for .net
echo "server {" | sudo tee /etc/nginx/sites-available/$DOMAIN_NET
echo " listen 80;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " server_name $DOMAIN_NET;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " location / {" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_pass http://$FORWARD_IP/;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_set_header Host \$host;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_set_header X-Real-IP \$remote_addr;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_set_header X-Forwarded-Proto \$scheme;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " }" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo "}" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET

# Create Nginx configuration file for .net (HTTPS, but not enabled)
echo "server {" | sudo tee /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " listen 443 ssl;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " server_name $DOMAIN_NET;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " ssl_certificate /etc/nginx/ssl/$DOMAIN_NET.crt;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " ssl_certificate_key /etc/nginx/ssl/$DOMAIN_NET.key;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " location / {" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_pass http://$FORWARD_IP/;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_set_header Host \$host;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_set_header X-Real-IP \$remote_addr;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_set_header X-Forwarded-Proto \$scheme;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " }" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo "}" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl

# Create SSL directories (only for .net)
sudo mkdir -p /etc/nginx/ssl/
sudo chmod 700 /etc/nginx/ssl/

# Enable HTTP sites
sudo ln -s /etc/nginx/sites-available/$DOMAIN_LOCAL /etc/nginx/sites-enabled/
sudo ln -s /etc/nginx/sites-available/$DOMAIN_NET /etc/nginx/sites-enabled/

# Restart Nginx
sudo systemctl restart nginx

echo "Nginx configuration complete."
echo "HTTP sites enabled. SSL directories created."
echo "Add your Cloudflare SSL certificates to /etc/nginx/ssl/ for .net and enable HTTPS sites."
echo "Using existing certs for .seaoffate.local."

====Revove Website from Proxy (Raisin)====

We all make mistakes and we have to recover. This script will remove mistakes created by the website_fwd_config.sh above call it with
./remove_nginx_website.sh sitename
sitename is the site that needs to be removed, only the host potion needs to be supplied do not put in the .seaoffate.let or .seaoffate.local because it will remove all four configs(.local & .net and http ang https). All four website configs created above will be removed from /etc/nginx/sites-available & sites.enabled.

#!/bin/bash

# Script to remove an Nginx reverse proxy website configuration

# Get website name from command line
WEBSITE_NAME="$1"

# Check if website name is provided
if [ -z "$WEBSITE_NAME" ]; then
echo "Usage: sudo $0 <website_name>"
exit 1
fi

# Define domain names
DOMAIN_LOCAL="$WEBSITE_NAME.seaoffate.local"
DOMAIN_NET="$WEBSITE_NAME.seaoffate.net"

# Define configuration file paths
CONFIG_LOCAL="/etc/nginx/sites-available/$DOMAIN_LOCAL"
CONFIG_LOCAL_SSL="/etc/nginx/sites-available/$DOMAIN_LOCAL-ssl"
CONFIG_NET="/etc/nginx/sites-available/$DOMAIN_NET"
CONFIG_NET_SSL="/etc/nginx/sites-available/$DOMAIN_NET-ssl"
SYMLINK_LOCAL="/etc/nginx/sites-enabled/$DOMAIN_LOCAL"
SYMLINK_NET="/etc/nginx/sites-enabled/$DOMAIN_NET"

# Remove configuration files
sudo rm -f "$CONFIG_LOCAL" "$CONFIG_LOCAL_SSL" "$CONFIG_NET" "$CONFIG_NET_SSL"

# Remove symbolic links (disable sites)
sudo rm -f "$SYMLINK_LOCAL" "$SYMLINK_NET"

# Restart Nginx
sudo systemctl restart nginx

echo "Nginx website configuration removed."
echo "Website: $WEBSITE_NAME"
echo "Domains: $DOMAIN_LOCAL and $DOMAIN_NET"

# List sites-available directory
echo "\nContents of /etc/nginx/sites-available/: "
ls -l /etc/nginx/sites-available/

Webserver Setup

2025-03-14T09:33:27Z

192.168.100.9: Created page with "==Introduction== Some scripts to help with the deployment of webservers. ====Add site to Nginx==== This will take two parameters the first is the website name and the second is the IP address there is no need to add seaoffate.local or .net. this script will create four configs. * sitename.seaoffate.local as http * sitename.seaoffate.local as https * sitename.seaoffate.net as http * sitename.seaoffate.net as https It should enable both of the http: versions (.local &..."

==Introduction==

Some scripts to help with the deployment of webservers.

====Add site to Nginx====

This will take two parameters the first is the website name and the second is the IP address there is no need to add seaoffate.local or .net. this script will create four configs.
* sitename.seaoffate.local as http
* sitename.seaoffate.local as https
* sitename.seaoffate.net as http
* sitename.seaoffate.net as https
It should enable both of the http: versions (.local & .net) but it will not enable the https: so we have some time to get the certs done before ssl is deployed. note that the .local is sharing the same certificate amongst all of the .local websites that are being deployed here. The script is on Raisin on the root of nigel. if it is lost it can be deployed again from this:

#!/bin/bash

# Script to configure Nginx as a reverse proxy

# Get website name, IP address from command line
WEBSITE_NAME="$1"
FORWARD_IP="$2"

# Check if parameters are provided
if [ -z "$WEBSITE_NAME" ] || [ -z "$FORWARD_IP" ]; then
echo "Usage: sudo $0 <website_name> <forward_ip>"
exit 1
fi

# Define domain names
DOMAIN_LOCAL="$WEBSITE_NAME.seaoffate.local"
DOMAIN_NET="$WEBSITE_NAME.seaoffate.net"

# Create Nginx configuration file for .local
echo "server {" | sudo tee /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " listen 80;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " server_name $DOMAIN_LOCAL;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " location / {" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_pass http://$FORWARD_IP/;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_set_header Host \$host;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_set_header X-Real-IP \$remote_addr;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " proxy_set_header X-Forwarded-Proto \$scheme;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo " }" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL
echo "}" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL

# Create Nginx configuration file for .local (HTTPS, but not enabled)
echo "server {" | sudo tee /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " listen 443 ssl;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " server_name $DOMAIN_LOCAL;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " ssl_certificate /etc/ssl/certs/raisin.seaoffate.local.crt;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " ssl_certificate_key /etc/ssl/private/raisin.seaoffate.local.key;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " location / {" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_pass http://$FORWARD_IP/;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_set_header Host \$host;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_set_header X-Real-IP \$remote_addr;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " proxy_set_header X-Forwarded-Proto \$scheme;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo " }" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl
echo "}" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_LOCAL-ssl

# Create Nginx configuration file for .net
echo "server {" | sudo tee /etc/nginx/sites-available/$DOMAIN_NET
echo " listen 80;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " server_name $DOMAIN_NET;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " location / {" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_pass http://$FORWARD_IP/;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_set_header Host \$host;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_set_header X-Real-IP \$remote_addr;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " proxy_set_header X-Forwarded-Proto \$scheme;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo " }" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET
echo "}" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET

# Create Nginx configuration file for .net (HTTPS, but not enabled)
echo "server {" | sudo tee /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " listen 443 ssl;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " server_name $DOMAIN_NET;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " ssl_certificate /etc/nginx/ssl/$DOMAIN_NET.crt;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " ssl_certificate_key /etc/nginx/ssl/$DOMAIN_NET.key;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " location / {" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_pass http://$FORWARD_IP/;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_set_header Host \$host;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_set_header X-Real-IP \$remote_addr;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " proxy_set_header X-Forwarded-Proto \$scheme;" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo " }" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl
echo "}" | sudo tee -a /etc/nginx/sites-available/$DOMAIN_NET-ssl

# Create SSL directories (only for .net)
sudo mkdir -p /etc/nginx/ssl/
sudo chmod 700 /etc/nginx/ssl/

# Enable HTTP sites
sudo ln -s /etc/nginx/sites-available/$DOMAIN_LOCAL /etc/nginx/sites-enabled/
sudo ln -s /etc/nginx/sites-available/$DOMAIN_NET /etc/nginx/sites-enabled/

# Restart Nginx
sudo systemctl restart nginx

echo "Nginx configuration complete."
echo "HTTP sites enabled. SSL directories created."
echo "Add your Cloudflare SSL certificates to /etc/nginx/ssl/ for .net and enable HTTPS sites."
echo "Using existing certs for .seaoffate.local."

Virtual Machines

2025-03-14T09:12:37Z

192.168.100.9: /* Webserver Setup= */

Virtual Machines

2025-03-14T09:12:10Z

192.168.100.9: /* Future VMs */

==Introduction==

There will be a variety of Virtual Machines contained within the '''[[Home Lab]]'''. A Brief description will be provided here with a more complete set of notes on each individual VM on the links.

==Virtual Machine Installation & Configuration Notes==

===Qemu Agent Install===

All VMs should have the qemu guest installed even server installs, it will allow the guest VM to communicate with Proxmox and give better options from the Proxmox . For Debian / Ubuntu type.
sudo apt update && install qemu-guest-agent
For Windows VMs there is a cd that can be referenced when defining the VM. On the OS page as soon as the Guest OS "Microsoft Windows" is selected a tick box, with the title "Add additional drive for VirtIO Drivers" appears. When selected find an ISO image "Virtio-win.iso". If it is not available it can be added to the ISO library on Proxmox by downloading it from [https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/stable-virtio/virtio-win.iso https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/stable-virtio/virtio-win.iso] or [https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/stable-virtio/virtio-win.iso https://fedorapeople.org/groups/virt/virtio-win/direct-downloads/stable-virtio/virtio-win.iso].

==Virtual Machines==
A fairly high description of each of the VMs in use in the [[Home Lab]].

===Firewall===

====[[Pfsense]]====

The firewall and gateway to the whole of the [[Home Lab]]. The Virgin router will forward all incoming traffic from the Internet to the WAN port of the firewall at 192.168.0.125. The Firewall has five other internal interfaces to link to the Home Lab environment. 192.168.99.10/24 is the MGT VLAN it should be severely restricted to maintain security it is the only VLAN to be able to access the WebGUI of Pfsense. The Production VLAN is where all of the file and web servers are, the gateway address is 192.168.100.1/24. The Infra VLAN gateway 192.168.110.10/24 is where any supporting services will be located, at present there is only a Nameserver. I have reserved a VLAN called VPNnet with a gateway address of 192.168.130.1/24 for a VPN server to provide a VPN tunnel from remote terminals, there will not be many concurrent connections so a /24 network will be more than sufficient. The last VLAN has a Pfsense interface of 192.168.111.1/24 for any Desktop VM terminals that I will use while i am out, I have called this terminals. Further details of the [[Pfsense]] firewall can be found [[Pfsense | here]].

===MGT VLAN===

====[[Management kiosk]]====

A desktop Linux used to configure other VMs including Pfsense. As it is so sensitive i have kept it isolated on the MGT VLAN. There I have setup passwordless ssh to various other VMs as well. The host is called Lemon and has an IP Address of MGT.20.

====[[CA Server]]====

I have setup a host specifically to issue SSL certificates. The host name is Alpine with an IP of 192.168.99.25/24.

===Infra Vlan===

====[[Nameserver]]====

There is only one nameserver at the moment called ns1 Infra.11. It is the only host on the Infra VLAN.

===VPNNet VLAN===

====[[VPNserver]]====

There will be a VPN server called vanilla at VPNnet.5. It will control VPN access to the rest of the network.

===Terminals===

====[[Remote Access Terminal]]====

There will be two VMs setup on teminals VLAN with a desktop that I will provide for remote access one of them will be Linux (Ubuntu), hostname Lychee and the other will be Windows 11 Pro with a hostname Wahoo.

===Prodution===

====[[Reverse Proxy]]====

The Reverse proxy Ngnix install is hosted on Raisin production.9. It should be setup to fetch SSL certs from Letsencrypt and copy the certs to the various webservers that need them. It's primary role, of course is to manage access to the webservers.

===[[Webservers]]===

There wil be at least three webservers, One hosting www.seaoffate.net, another hosting plum.seaoffate.net and another hosting wiki.seaoffate.net. These will also be servicing .local addresses. MySQL will be on a different host. There will be other hosts that have some sort of webserver on them but not as a primary role.

===[[File server]]===

There is a file server called fig at Production.11. It will also have a webserver installed and will answer to files.seaoffate.net & files.seaoffate.local. It should be configured to serve files using NFS,FTP and SMB locally but only SFTP externally.

===[[MySQL Server]]===

Manderin at Production.8 is hosting the MySQL Databases.I will probably install phpmyadmin at some point to make DB management a bit easier but I doubt if I will give it external access.

===[[UpLoad Server]]===

There is an server especially set for SFTP and SMB serving. It will be on Production.25. It will have a large HD that will be used to import and export all pictures from the network.

===[[Backup Server]]===

We will have a dedicated backup server, Strawberry, that will share files with other servers like the '''[[Plum (Photo)]]''' server by NFS. It will mostly do not too much except monitor the files for others. If it looks like NFS is creating too much of a bottleneck we can look at storing photos directly on Plum and grabbing them periodically to upload. i will be doin just that so this note will change when i have reconfigured the '''[[Plum (Photo)]]''' and this server Strawberry.

===Future VMs===

I may well setup a streaming server with some sort of NFS RO share from the file server.

==Installation Scripts==

We are creating several scripts to speed up the installation of the VMs. some are long and major time savers and some are not much more than one or two lines.

=====[[Webserver Setup]]======

Some Apache and Gninx scrips to speed up creation and depllyment of webservers.

Webservers

2025-03-13T05:31:57Z

192.168.100.9: /* Raisin Nginx Reverse Proxy Configuration */

==Introduction==

There will be several Webservers in the '''[[Home Lab]]'''. Each will be on it's own '''[[Virtual Machines]]''' and will be on the production VLAN. The MySQL databases will be on a separate VM on the same network so no connectivity problems from that. The Proxy server will forward all web traffic to the appropriate webserver.

==SSL Config==

There will be two setups for SSL/TLS one for the seaoffate.local and one for seaoffate.net.

===Local DNS Names SSL Setup===

We will do the SSL/TLS for the .local access first mainly because because it is better to see it working on a local level and if we did the global first there is a good chance we would never get a around to doing the local, in which case some of the access will be completely without any cert. It is part of the learning curve to generate SSL certificates. While it would be fairly easier to do a self cert for the local access it is better to experience the whole process from start to finish to get a complete understanding of how it is done and the failures that inevitably appear.

==== The Process Flow====

The process flow is to get the Certificates generated on the webserver host, get it signed by the Certificate Authority then apply it to the webserver, once that is done the SSL config needs to be applied to the host, after that it we would make a config to the reverse proxy. The reverse proxy will have it's own certificate to use for all of the hosts that it is forwarding to and once the cert is applied it will not need to have it applied again, we would just refer to it in the individual SSL config.

====Generating SSL Certificates====

The first thing to do is to generate a private key, this is done on the webserver with the command
sudo openssl genrsa -out /etc/ssl/private/strawberry.seaoffate.local.key 2048
The out directive will specify where the private key will stored, in this case the default location is used. The .key does need to be stored privately as it is the key that will be used to encrypt or decrypt the internet traffic and is the core item in the security of the Internet. Once the private key has been generated access should be restricted to the root user only so we need to do the chmod/chown commanda s follows
sudo chmod 600 /etc/ssl/private/strawberry.seaoffate.local.key
sudo chown root:root /etc/ssl/private/strawberry.seaoffate.local.key
Now that we have the private key we can look at getting the public certificate. To get the certificate with any sort of trust it has to be signed by a Certificate Authority. We have a personal CA available on Alpine, it will only be trusted by us and not the rest of the world as it is a personal CA. To have a cert signed we must generate a Certificate Signing Request and present it to the CA the command to generate a CSR is
sudo openssl req -new -key /etc/ssl/private/strawberry.seaoffate.local.key -out /etc/ssl/certs/strawberry.seaoffate.local.csr
As this script executes it will ask a numer of questions.
* Country Name (2 letter code) [AU]:GB
* State or Province Name (full name) [Some-State]:Hampshire
* Locality Name (eg, city) []:Basingstoke
* Organization Name (eg, company) [Internet Widgits Pty Ltd]:Sea of Fate
* Organizational Unit Name (eg, section) []: (Your department or unit, if applicable, or leave blank)
* Common Name (e.g. server FQDN or YOUR name) []: strawberry.seaoffate.local (This is crucial, it must match the hostname)
* Email Address []:sailor@seaoffate.net
* A challenge password []: (Leave blank, or add a password, but it is not needed for webserver certificates)
* An optional company name []: (Leave blank, or add an optional company name)
'''Note that the Common Name is critical''' The other fields are not so important but should be accurate (don't lie someone may read them), the fields could be left blank (except common name). the challenge password is rarely used for webserver certs and can be left blank.

Note that the command uses the private key that we just generated. The CSR is added to the certs directory it is not secret but it should not be modified so it still need to be stored in a form that has at least 744 on it. As this is a signing request we have to get is to the signing software, the CA, in a secure manner. generally SCP is the best option to transfer a file securely as it uses the same connection as SSH. An example is
scp /etc/ssl/certs/strawberry.seaoffate.local.csr user@alpine:~/easy-rsa/easyrsa3/pki/reqs/
If this doesn't work with the user that is available try copying to /tmp
scp /etc/ssl/certs/strawberry.seaoffate.local.csr user@alpine:/tmp
When the file is copied to Apline we must login to the Alpine host to do the signing. I the CSR file could not be added directly to the reqs directory it should be copied there now.
cp /tmp/strawberry.seaoffate.local.csr ~/easy-rsa/easyrsa3/pki/reqs
Unfortunately, easyrsa need to see CSRs with the extension of .req but the openssl generates them as .csr the solution is to mv the .csr to .req
mv ~/easy-rsa/easyrsa3/pki/reqs/strawberry.seaoffate.local.csr ~/easy-rsa/easyrsa3/pki/reqs/strawberry.seaoffate.local.req
Assuming that the CSR is in the /reqs directory and it has the correct extension we can proceed with the signing. We should be in the ~/easy-rsa/easyrsa3/ directory to run the script
./easyrsa sign-req server strawberry.seaoffate.local
the script will ask to confirm the details that would have been submitted when creating the signing request on the web host and the first answer has to be "yes" or it will not continue. The next question is to supply the passphrase for the script to have access to the CA.key, if it can't be given the request fails. Once the CSR/REQ has been signed the certificate will be created and stored in the issued directory and is ready to be returned to the webserver again using SCP. We could copy the .CRT directly to the /ect/ssl/certs dir on the web host but since we are using Ubuntu we can't because the permissions fail. We should create a dir off of the user's home dir and call it signed we can then SCP
SCP ~/easy-rsa/easyrsa3/pki/issued/strawberry.seaoffate.local.crt user@strawberry.seaoffate.local:~/signed
When that is done swap back to the web host (strawberry) and mv the signed cert to the correct directory
sudo mv signed/strawberry.seaoffate.local.crt /etc/ssl/certs/
We should set the permissions on the cert to be read only and owned by root
sudo chmod 644 /etc/ssl/certs/strawberry.seaoffate.local.crt
sudo chown root:root /etc/ssl/certs/strawberry.seaoffate.local.crt
As a final job we can verify that the cert and key match each other
sudo openssl x509 -noout -modulus -in /etc/ssl/certs/strawberry.seaoffate.local.crt | sudo openssl sha256
sudo openssl rsa -noout -modulus -in /etc/ssl/private/strawberry.seaoffate.local.key | sudo openssl sha256
check to make sure that the two hashes are identical, if they are not SSL will not work on the website.

====Create Apache SSL Configuration====

Now that we have a signed certificate we can proceed to configure Apache to listen & serve SSL/TLS request on port 443. As we have used Strawberry as the example for the cert generation we will continue to use the same host for the configs. First we should cd to the site-available so that the config file we create matches the existing and we get the correct docroot. We should create a config file,
sudo nano /etc/apache2/sites-available/strawberry.seaoffate.local-ssl.conf
and enter the following

<VirtualHost *:443>
ServerName strawberry.seaoffate.local
DocumentRoot /var/www/strawberry/public_html

SSLEngine on
SSLCertificateFile /etc/ssl/certs/strawberry.seaoffate.local.crt
SSLCertificateKeyFile /etc/ssl/private/strawberry.seaoffate.local.key

<Directory /var/www/strawberry/public_html/>
AllowOverride All
Require all granted
</Directory>

# Security Headers (Recommended)
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"

# SSL Protocol and Cipher Configuration (Recommended)
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!MD5

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Save and exit. To enable the SSL site and enable the SSL modules.
sudo a2ensite strawberry.seaoffate.local-ssl.conf
sudo a2enmod ssl
sudo a2enmod headers
To restart Apache & check for errors
sudo systemctl restart apache2
sudo systemctl status apache2
To test with curl
curl -v https://strawberry.seaoffate.local
We should also look in a browser to be sure that the config works.

==== Raisin Nginx Reverse Proxy Configuration====

Once we have tested the webserver SSL config we should do the same for Raisin, the Reverse Proxy, First of all ssh to raisin and cd to /etc/nginx/sites-available to check what the format is for the existing configs. Create anew config for strawberry
sudo nano strawberry.seaoffate.local.ssl.conf
fill in the following configuration
server {
listen 443 ssl;
server_name strawberry.seaoffate.local;

ssl_certificate /etc/nginx/ssl/raisin.crt; # Path to your SSL certificate on raisin
ssl_certificate_key /etc/nginx/ssl/raisin.key; # Path to your SSL key on raisin

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'HIGH:!aNULL:!MD5'; # !aNULL: This excludes ciphers that use anonymous Diffie-Hellman key exchange !MD5' excludes weak md5 hash

location / {
proxy_pass https://*.*.*.23; # IP of strawberry
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_ssl_verify off; # only needed if strawberry has a self signed cert.
}
}
Save and exit. If this is the first SSL website to be proxy, we will need to create the SSL directory for the certs.
sudo mkdir -p /etc/nginx/ssl
If keys and certs have not been created follow the instructions above. Assuming SSL dir creation is done we should make the site enabled
sudo ln -s /etc/nginx/sites-available/strawberry.seaoffate.local /etc/nginx/sites-enabled/
We can test the config with
sudo nginx -t
If all is well Restart Nginx to apply the changes
sudo systemctl restart nginx
sudo systemctl status nginx
We can run a test with curl
curl -v https://strawberry.seaoffate.local
We should also open a browser to see if it can open the website
https://strawberry.seaoffate.local

== webservers Purposes ==

four webservers with the primary job of serving websites have been defined.

===Logan (Wiki)===

logan has been setup as a webserver to have the wiki website. It' IP is prod.12 It can be accessed by logan.seaoffate.local, wiki.seaoffate.local or wiki.seaoffate.net

===Lime (default)===

The default website is hosted on lime. The IP is prod.10. It can be accessed by lime.seaoffate.local, www.seaoffate.local or www.seaoffate.local.

===Fig (files)===

not setup yet ip will is prod.11

===[[Plum (Photo)]]===

This one is to host the photo website, probably Piwigo. It can be accessed at plum.seaoffate.local, photo.seaoffate.local or plum.seaoffate.net. The Ip will be Prod.22. The setup here is to have a normal HD for the webserver and a large separate HD for the photos. We may VM called strawberry (IP prod.23).

== Website log files and locations ==

The Docroots are
/var/www/wiki.seaoffate.local/public_html
and
/var/www/seaoffate.local/public_html
and
/var/www/files.seaoffate.local/public_html

The access logs are seperate for each config

===www.seaoffate on Lime===

For the .net they are
/var/log/apache2/www.seaoffate.net-error.log
/var/log/apache2/www.seaoffate.net-access.log
and the local are
/var/log/apache2/lime.seaoffate.local-error.log
/var/log/apache2/lime.seaoffate.local-access.log

===wiki.seaoffate on Logan===

For the .net they are
/var/log/apache2/wiki.seaoffate.net-error.log
/var/log/apache2/wiki.seaoffate.net-access.log
and the .local are
/var/log/apache2/wiki.seaoffate.local-error.log
/var/log/apache2/wiki.seaoffate.local-access.log
/var/log/apache2/logan.seaoffate.local-error.log
/var/log/apache2/logan.seaoffate.local-access.log

===Nginx Log Files===

DocumentRoot /var/www/files.seaoffate.local/public_html
DocumentRoot /var/www/files.seaoffate.local/public_html
DocumentRoot /var/www/files.seaoffate.local/public_html

Webservers

2025-03-13T05:29:45Z

192.168.100.9: /* Plum (Photo) */

==Introduction==

There will be several Webservers in the '''[[Home Lab]]'''. Each will be on it's own '''[[Virtual Machines]]''' and will be on the production VLAN. The MySQL databases will be on a separate VM on the same network so no connectivity problems from that. The Proxy server will forward all web traffic to the appropriate webserver.

==SSL Config==

There will be two setups for SSL/TLS one for the seaoffate.local and one for seaoffate.net.

===Local DNS Names SSL Setup===

We will do the SSL/TLS for the .local access first mainly because because it is better to see it working on a local level and if we did the global first there is a good chance we would never get a around to doing the local, in which case some of the access will be completely without any cert. It is part of the learning curve to generate SSL certificates. While it would be fairly easier to do a self cert for the local access it is better to experience the whole process from start to finish to get a complete understanding of how it is done and the failures that inevitably appear.

==== The Process Flow====

The process flow is to get the Certificates generated on the webserver host, get it signed by the Certificate Authority then apply it to the webserver, once that is done the SSL config needs to be applied to the host, after that it we would make a config to the reverse proxy. The reverse proxy will have it's own certificate to use for all of the hosts that it is forwarding to and once the cert is applied it will not need to have it applied again, we would just refer to it in the individual SSL config.

====Generating SSL Certificates====

The first thing to do is to generate a private key, this is done on the webserver with the command
sudo openssl genrsa -out /etc/ssl/private/strawberry.seaoffate.local.key 2048
The out directive will specify where the private key will stored, in this case the default location is used. The .key does need to be stored privately as it is the key that will be used to encrypt or decrypt the internet traffic and is the core item in the security of the Internet. Once the private key has been generated access should be restricted to the root user only so we need to do the chmod/chown commanda s follows
sudo chmod 600 /etc/ssl/private/strawberry.seaoffate.local.key
sudo chown root:root /etc/ssl/private/strawberry.seaoffate.local.key
Now that we have the private key we can look at getting the public certificate. To get the certificate with any sort of trust it has to be signed by a Certificate Authority. We have a personal CA available on Alpine, it will only be trusted by us and not the rest of the world as it is a personal CA. To have a cert signed we must generate a Certificate Signing Request and present it to the CA the command to generate a CSR is
sudo openssl req -new -key /etc/ssl/private/strawberry.seaoffate.local.key -out /etc/ssl/certs/strawberry.seaoffate.local.csr
As this script executes it will ask a numer of questions.
* Country Name (2 letter code) [AU]:GB
* State or Province Name (full name) [Some-State]:Hampshire
* Locality Name (eg, city) []:Basingstoke
* Organization Name (eg, company) [Internet Widgits Pty Ltd]:Sea of Fate
* Organizational Unit Name (eg, section) []: (Your department or unit, if applicable, or leave blank)
* Common Name (e.g. server FQDN or YOUR name) []: strawberry.seaoffate.local (This is crucial, it must match the hostname)
* Email Address []:sailor@seaoffate.net
* A challenge password []: (Leave blank, or add a password, but it is not needed for webserver certificates)
* An optional company name []: (Leave blank, or add an optional company name)
'''Note that the Common Name is critical''' The other fields are not so important but should be accurate (don't lie someone may read them), the fields could be left blank (except common name). the challenge password is rarely used for webserver certs and can be left blank.

Note that the command uses the private key that we just generated. The CSR is added to the certs directory it is not secret but it should not be modified so it still need to be stored in a form that has at least 744 on it. As this is a signing request we have to get is to the signing software, the CA, in a secure manner. generally SCP is the best option to transfer a file securely as it uses the same connection as SSH. An example is
scp /etc/ssl/certs/strawberry.seaoffate.local.csr user@alpine:~/easy-rsa/easyrsa3/pki/reqs/
If this doesn't work with the user that is available try copying to /tmp
scp /etc/ssl/certs/strawberry.seaoffate.local.csr user@alpine:/tmp
When the file is copied to Apline we must login to the Alpine host to do the signing. I the CSR file could not be added directly to the reqs directory it should be copied there now.
cp /tmp/strawberry.seaoffate.local.csr ~/easy-rsa/easyrsa3/pki/reqs
Unfortunately, easyrsa need to see CSRs with the extension of .req but the openssl generates them as .csr the solution is to mv the .csr to .req
mv ~/easy-rsa/easyrsa3/pki/reqs/strawberry.seaoffate.local.csr ~/easy-rsa/easyrsa3/pki/reqs/strawberry.seaoffate.local.req
Assuming that the CSR is in the /reqs directory and it has the correct extension we can proceed with the signing. We should be in the ~/easy-rsa/easyrsa3/ directory to run the script
./easyrsa sign-req server strawberry.seaoffate.local
the script will ask to confirm the details that would have been submitted when creating the signing request on the web host and the first answer has to be "yes" or it will not continue. The next question is to supply the passphrase for the script to have access to the CA.key, if it can't be given the request fails. Once the CSR/REQ has been signed the certificate will be created and stored in the issued directory and is ready to be returned to the webserver again using SCP. We could copy the .CRT directly to the /ect/ssl/certs dir on the web host but since we are using Ubuntu we can't because the permissions fail. We should create a dir off of the user's home dir and call it signed we can then SCP
SCP ~/easy-rsa/easyrsa3/pki/issued/strawberry.seaoffate.local.crt user@strawberry.seaoffate.local:~/signed
When that is done swap back to the web host (strawberry) and mv the signed cert to the correct directory
sudo mv signed/strawberry.seaoffate.local.crt /etc/ssl/certs/
We should set the permissions on the cert to be read only and owned by root
sudo chmod 644 /etc/ssl/certs/strawberry.seaoffate.local.crt
sudo chown root:root /etc/ssl/certs/strawberry.seaoffate.local.crt
As a final job we can verify that the cert and key match each other
sudo openssl x509 -noout -modulus -in /etc/ssl/certs/strawberry.seaoffate.local.crt | sudo openssl sha256
sudo openssl rsa -noout -modulus -in /etc/ssl/private/strawberry.seaoffate.local.key | sudo openssl sha256
check to make sure that the two hashes are identical, if they are not SSL will not work on the website.

====Create Apache SSL Configuration====

Now that we have a signed certificate we can proceed to configure Apache to listen & serve SSL/TLS request on port 443. As we have used Strawberry as the example for the cert generation we will continue to use the same host for the configs. First we should cd to the site-available so that the config file we create matches the existing and we get the correct docroot. We should create a config file,
sudo nano /etc/apache2/sites-available/strawberry.seaoffate.local-ssl.conf
and enter the following

<VirtualHost *:443>
ServerName strawberry.seaoffate.local
DocumentRoot /var/www/strawberry/public_html

SSLEngine on
SSLCertificateFile /etc/ssl/certs/strawberry.seaoffate.local.crt
SSLCertificateKeyFile /etc/ssl/private/strawberry.seaoffate.local.key

<Directory /var/www/strawberry/public_html/>
AllowOverride All
Require all granted
</Directory>

# Security Headers (Recommended)
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"

# SSL Protocol and Cipher Configuration (Recommended)
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite HIGH:!aNULL:!MD5

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Save and exit. To enable the SSL site and enable the SSL modules.
sudo a2ensite strawberry.seaoffate.local-ssl.conf
sudo a2enmod ssl
sudo a2enmod headers
To restart Apache & check for errors
sudo systemctl restart apache2
sudo systemctl status apache2
To test with curl
curl -v https://strawberry.seaoffate.local
We should also look in a browser to be sure that the config works.

==== Raisin Nginx Reverse Proxy Configuration====

Once we have tested the webserver SSL config we should do the same for Raisin, the Reverse Proxy, First of all ssh to raisin and cd to /etc/nginx/sites-available to check what the format is for the existing configs. Create anew config for strawberry
sudo nano strawberry.seaoffate.local.ssl.conf
fill in the following configuration
server {
listen 443 ssl;
server_name strawberry.seaoffate.local;

ssl_certificate /etc/nginx/ssl/raisin.crt; # Path to your SSL certificate on raisin
ssl_certificate_key /etc/nginx/ssl/raisin.key; # Path to your SSL key on raisin

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'HIGH:!aNULL:!MD5'; # !aNULL: This excludes ciphers that use anonymous Diffie-Hellman key exchange !MD5' excludes weak md5 hash

location / {
proxy_pass https://192.168.100.21; # IP of strawberry
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_ssl_verify off; # only needed if strawberry has a self signed cert.
}
}
Save and exit. If this is the first SSL website to be proxy, we will need to create the SSL directory for the certs.
sudo mkdir -p /etc/nginx/ssl
If keys and certs have not been created follow the instructions above. Assuming SSL dir creation is done we should make the site enabled
sudo ln -s /etc/nginx/sites-available/strawberry.seaoffate.local /etc/nginx/sites-enabled/
We can test the config with
sudo nginx -t
If all is well Restart Nginx to apply the changes
sudo systemctl restart nginx
sudo systemctl status nginx
We can run a test with curl
curl -v https://strawberry.seaoffate.local
We should also open a browser to see if it can open the website
https://strawberry.seaoffate.local

== webservers Purposes ==

four webservers with the primary job of serving websites have been defined.

===Logan (Wiki)===

logan has been setup as a webserver to have the wiki website. It' IP is prod.12 It can be accessed by logan.seaoffate.local, wiki.seaoffate.local or wiki.seaoffate.net

===Lime (default)===

The default website is hosted on lime. The IP is prod.10. It can be accessed by lime.seaoffate.local, www.seaoffate.local or www.seaoffate.local.

===Fig (files)===

not setup yet ip will is prod.11

===[[Plum (Photo)]]===

This one is to host the photo website, probably Piwigo. It can be accessed at plum.seaoffate.local, photo.seaoffate.local or plum.seaoffate.net. The Ip will be Prod.22. The setup here is to have a normal HD for the webserver and a large separate HD for the photos. We may VM called strawberry (IP prod.23).

== Website log files and locations ==

The Docroots are
/var/www/wiki.seaoffate.local/public_html
and
/var/www/seaoffate.local/public_html
and
/var/www/files.seaoffate.local/public_html

The access logs are seperate for each config

===www.seaoffate on Lime===

For the .net they are
/var/log/apache2/www.seaoffate.net-error.log
/var/log/apache2/www.seaoffate.net-access.log
and the local are
/var/log/apache2/lime.seaoffate.local-error.log
/var/log/apache2/lime.seaoffate.local-access.log

===wiki.seaoffate on Logan===

For the .net they are
/var/log/apache2/wiki.seaoffate.net-error.log
/var/log/apache2/wiki.seaoffate.net-access.log
and the .local are
/var/log/apache2/wiki.seaoffate.local-error.log
/var/log/apache2/wiki.seaoffate.local-access.log
/var/log/apache2/logan.seaoffate.local-error.log
/var/log/apache2/logan.seaoffate.local-access.log

===Nginx Log Files===

DocumentRoot /var/www/files.seaoffate.local/public_html
DocumentRoot /var/www/files.seaoffate.local/public_html
DocumentRoot /var/www/files.seaoffate.local/public_html

External Access

2025-03-01T15:48:41Z

192.168.100.9: Created page with "==Introduction== I will want access to various hosts for file shares and configuration. This is where I will describe it. ==SSH Access== I will want access to the hosts inside the network not least the production hosts to continue the configuration while I am somewhere else. The problem is that Pfsense can only forward based on port so if I want to SSH to Lime from outside of the WAN port of Pfsense there is no way of the firewall from knowing that mean Lime and no..."

==Introduction==

I will want access to various hosts for file shares and configuration. This is where I will describe it.

==SSH Access==

I will want access to the hosts inside the network not least the production hosts to continue the configuration while I am somewhere else. The problem is that Pfsense can only forward based on port so if I want to SSH to Lime from outside of the WAN port of Pfsense there is no way of the firewall from knowing that mean Lime and not Lemon. I could setup a bastion host to forward on SSH to the various hosts and I may well set it up at a later date just so that I know how but it is a bit of overkill for such a small number hosts. I have instead chosen to have each host listen at a different port so all I need is to have a table showing which port to which host, it will still be secure as it will still be SSH but instead. I will still need a firewall port forward rule for each host internally i will only need one

Home Lab

2025-03-01T15:30:18Z

192.168.100.9:

==Introduction==

The purpose of the home lab will be to provide a safe store for all of my pictures and videos. Also there will be a website to document my adventures, It will be contained within the [[Proxmox Server]]

==[[Virtual Machines]]==

There will be a collection of Virtual Machines, mostly Linux hosts partly because they are free but now that i have found a really cheap license seller the cost is less of a concern. Reliability is the other reason for basing the systems around Linux. The general setup is to have a Pfsense firewall at the central gateway to my network all of the rest of the servers being linked by it. There is already a Nameserver, a reverse proxy to allow access to Webservers. there will be a VPNserver to allow remote access to some Desktop VMs. There is a CA server so I can issue my own certs to the various computers that I use. There is a management kiosk that I am using to do most of the configuration, as it is not going to be easily access from outside it will keep all of the configuration inside Proxmox. More details of the VMs can be found '''[[Virtual Machines | here]]'''.

==[[External Access]]==

I want to allow access to some of the network from remote sites initially by SSH but also other means at a later date.

Webservers

2025-03-01T15:18:25Z

192.168.100.9:

==Introduction==

== Website log files and locations ==

The Docroots are
/var/www/wiki.seaoffate.local/public_html
and
/var/www/seaoffate.local/public_html
and
/var/www/files.seaoffate.local/public_html

The access logs are seperate for each config

===www.seaoffate on Lime===

For the .net they are
/var/log/apache2/www.seaoffate.net-error.log
/var/log/apache2/www.seaoffate.net-access.log
and the local are
/var/log/apache2/lime.seaoffate.local-error.log
/var/log/apache2/lime.seaoffate.local-access.log

===wiki.seaoffate on Logan===

For the .net they are
/var/log/apache2/wiki.seaoffate.net-error.log
/var/log/apache2/wiki.seaoffate.net-access.log
and the .local are
/var/log/apache2/wiki.seaoffate.local-error.log
/var/log/apache2/wiki.seaoffate.local-access.log
/var/log/apache2/logan.seaoffate.local-error.log
/var/log/apache2/logan.seaoffate.local-access.log

===Nginx Log Files===

DocumentRoot /var/www/files.seaoffate.local/public_html
DocumentRoot /var/www/files.seaoffate.local/public_html
DocumentRoot /var/www/files.seaoffate.local/public_html

Webservers

2025-03-01T10:03:31Z

192.168.100.9: /* Website log files and locations */