|
|
| (15 intermediate revisions by 3 users not shown) |
| Line 1: |
Line 1: |
| ==Introduction== | | ==Introduction== |
|
| |
|
| There will be several Webservers in the '''[[Home Lab]]'''. Each will be on it's own '''[[Virtual Machines]]''' and will be on the production VLAN. The MySQL databases will be on a separate VM on the same network so no connectivity problems from that. The Proxy server will forward all web traffic to the appropriate webserver. | | There will be several Webservers in the '''[[Home Lab]]'''. Each will be on it's own '''[[Virtual Machines]]''' and will be on the production VLAN. The MySQL databases will be on a separate VM on the same network so no connectivity problems from that. The Proxy server will forward all web traffic to the appropriate webserver. There are a few helpful scripts that can help with '''[[Webserver Setup | Webserver Setup Scripts]]''' |
|
| |
|
| ==SSL Config== | | ==[[SSL Config]]== |
|
| |
|
| There will be two setups for SSL/TLS one for the seaoffate.local and one for seaoffate.net. | | There will be two setups for SSL/TLS one for the seaoffate.local and one for seaoffate.net. More details can be found '''[[SSL Config | here]]''' |
| | |
| ===Local DNS Names SSL Setup===
| |
| | |
| We will do the SSL/TLS for the .local access first mainly because because it is better to see it working on a local level and if we did the global first there is a good chance we would never get a around to doing the local, in which case some of the access will be completely without any cert. It is part of the learning curve to generate SSL certificates. While it would be fairly easier to do a self cert for the local access it is better to experience the whole process from start to finish to get a complete understanding of how it is done and the failures that inevitably appear.
| |
| | |
| ==== The Process Flow====
| |
| | |
| The process flow is to get the Certificates generated on the webserver host, get it signed by the Certificate Authority then apply it to the webserver, once that is done the SSL config needs to be applied to the host, after that it we would make a config to the reverse proxy. The reverse proxy will have it's own certificate to use for all of the hosts that it is forwarding to and once the cert is applied it will not need to have it applied again, we would just refer to it in the individual SSL config.
| |
| | |
| ====Generating SSL Certificates====
| |
| | |
| The first thing to do is to generate a private key, this is done on the webserver with the command
| |
| sudo openssl genrsa -out /etc/ssl/private/strawberry.seaoffate.local.key 2048
| |
| The out directive will specify where the private key will stored, in this case the default location is used. The .key does need to be stored privately as it is the key that will be used to encrypt or decrypt the internet traffic and is the core item in the security of the Internet. Once the private key has been generated access should be restricted to the root user only so we need to do the chmod/chown commanda s follows
| |
| sudo chmod 600 /etc/ssl/private/strawberry.seaoffate.local.key
| |
| sudo chown root:root /etc/ssl/private/strawberry.seaoffate.local.key
| |
| Now that we have the private key we can look at getting the public certificate. To get the certificate with any sort of trust it has to be signed by a Certificate Authority. We have a personal CA available on Alpine, it will only be trusted by us and not the rest of the world as it is a personal CA. To have a cert signed we must generate a Certificate Signing Request and present it to the CA the command to generate a CSR is
| |
| sudo openssl req -new -key /etc/ssl/private/strawberry.seaoffate.local.key -out /etc/ssl/certs/strawberry.seaoffate.local.csr
| |
| As this script executes it will ask a numer of questions.
| |
| * Country[]
| |
| | |
| Note that the command uses the private key that we just generated. The CSR is added to the certs directory it is not secret but it should not be modified so it still need to be stored in a form that has at least 744 on it. As this is a signing request we have to get is to the signing software, the CA, in a secure manner. generally SCP is the best option to transfer a file securely as it uses the same connection as SSH. An example is
| |
| scp /etc/ssl/certs/strawberry.seaoffate.local.csr user@alpine:~/easy-rsa/easyrsa3/pki/reqs/
| |
| If this doesn't work with the user that is available try copying to /tmp
| |
| scp /etc/ssl/certs/strawberry.seaoffate.local.csr user@alpine:/tmp
| |
| When the file is copied to Apline we must login to the Alpine host to do the signing. I the CSR file could not be added directly to the reqs directory it should be copied there now.
| |
| cp /tmp/strawberry.seaoffate.local.csr ~/easy-rsa/easyrsa3/pki/reqs
| |
| Unfortunately, easyrsa need to see CSRs with the extension of .req but the openssl generates them as .csr the solution is to mv the .csr to .req
| |
| mv ~/easy-rsa/easyrsa3/pki/reqs/strawberry.seaoffate.local.csr ~/easy-rsa/easyrsa3/pki/reqs/strawberry.seaoffate.local.req
| |
| Assuming that the CSR is in the /reqs directory and it has the correct extension we can proceed with the signing. We should be in the ~/easy-rsa/easyrsa3/ directory to run the script
| |
| ./easyrsa sign-req server strawberry.seaoffate.local
| |
| the script will ask to confirm the details that would have been submitted when creating the signing request on the web host and the first answer has to be "yes" or it will not continue. The next question is to supply the passphrase for the script to have access to the CA.key, if it can't be given the request fails. Once the CSR/REQ has been signed the certificate will be created and stored in the issued directory and is ready to be returned to the webserver again using SCP. We could copy the .CRT directly to the /ect/ssl/certs dir on the web host but since we are using Ubuntu we can't because the permissions fail. We should create a dir off of the user's home dir and call it signed we can then SCP
| |
| SCP ~/easy-rsa/easyrsa3/pki/issued/strawberry.seaoffate.local.crt [email protected]:~/signed | |
| When that is done swap back to the web host (strawberry) and mv the signed cert to the correct directory
| |
| sudo mv signed/strawberry.seaoffate.local.crt /etc/ssl/certs/
| |
| We should set the permissions on the cert to be read only and owned by root
| |
| sudo chmod 644 /etc/ssl/certs/strawberry.seaoffate.local.crt
| |
| sudo chown root:root /etc/ssl/certs/strawberry.seaoffate.local.crt
| |
| As a final job we can verify that the cert and key match each other
| |
| sudo openssl x509 -noout -modulus -in /etc/ssl/certs/strawberry.seaoffate.local.crt | sudo openssl sha256
| |
| sudo openssl rsa -noout -modulus -in /etc/ssl/private/strawberry.seaoffate.local.key | sudo openssl sha256
| |
| check to make sure that the two hashes are identical, if they are not SSL will not work on the website.
| |
| | |
| ====Create Apache SSL Configuration====
| |
| | |
| Now that we have a signed certificate we can proceed to configure Apache to listen & serve SSL/TLS request on port 443. As we have used Strawberry as the example for the cert generation we will continue to use the same host for the configs. First we should cd to the site-available so that the config file we create matches the existing and we get the correct docroot. We should create a config file,
| |
| sudo nano /etc/apache2/sites-available/strawberry.seaoffate.local-ssl.conf
| |
| and enter the following
| |
| | |
| <VirtualHost *:443>
| |
| ServerName strawberry.seaoffate.local
| |
| DocumentRoot /var/www/strawberry/public_html
| |
| | |
| SSLEngine on
| |
| SSLCertificateFile /etc/ssl/certs/strawberry.seaoffate.local.crt
| |
| SSLCertificateKeyFile /etc/ssl/private/strawberry.seaoffate.local.key
| |
| | |
| <Directory /var/www/strawberry/public_html/>
| |
| AllowOverride All
| |
| Require all granted
| |
| </Directory>
| |
| | |
| # Security Headers (Recommended)
| |
| Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
| |
| Header always set X-Frame-Options "SAMEORIGIN"
| |
| Header always set X-Content-Type-Options "nosniff"
| |
| Header always set Referrer-Policy "strict-origin-when-cross-origin"
| |
| | |
| # SSL Protocol and Cipher Configuration (Recommended)
| |
| SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
| |
| SSLCipherSuite HIGH:!aNULL:!MD5
| |
| | |
| ErrorLog ${APACHE_LOG_DIR}/error.log
| |
| CustomLog ${APACHE_LOG_DIR}/access.log combined
| |
| </VirtualHost>
| |
| | |
| Save and exit. To enable the SSL site and enable the SSL modules.
| |
| sudo a2ensite strawberry.seaoffate.local-ssl.conf
| |
| sudo a2enmod ssl
| |
| sudo a2enmod headers
| |
| To restart Apache & check for errors
| |
| sudo systemctl restart apache2
| |
| sudo systemctl status apache2
| |
| To test with curl
| |
| curl -v https://strawberry.seaoffate.local
| |
| We should also look in a browser to be sure that the config works.
| |
|
| |
|
| == webservers Purposes == | | == webservers Purposes == |
| Line 99: |
Line 13: |
| ===Logan (Wiki)=== | | ===Logan (Wiki)=== |
|
| |
|
| logan has been setup as a webserver to have the wiki website. It' IP is prod.12 It can be accessed by logan.seaoffate.local, wiki.seaoffate.local or wiki.seaoffate.net | | logan has been setup as a webserver to have the wiki website. It's IP is 192.168.100.12 It can be accessed by logan.seaoffate.local, wiki.seaoffate.local or wiki.seaoffate.net. '''Lodan has now been retired and wikimedia has moved to Plum''' |
|
| |
|
| ===Lime (default)=== | | ===[[Lime]] Default or www=== |
|
| |
|
| The default website is hosted on lime. The IP is prod.10. It can be accessed by lime.seaoffate.local, www.seaoffate.local or www.seaoffate.local. | | The default website is hosted on lime. The IP is 192.168.100.10. It can be accessed by lime.seaoffate.local, www.seaoffate.local, seaoffate.net or www.seaoffate.net. The application that is running the main website is Joomla. |
|
| |
|
| ===Fig (files)=== | | ===Fig (files)=== |
|
| |
|
| not setup yet ip will is prod.11
| | There is a change of plan and Fig is now hosting a Nextcloud server on prod.11. Not much to say really the install was simply a matter of downloading the installer, create a Database and start the installer going. The prompts were quite self explanatory. The only thing that is notable is that there is now a 1.7 TB hard drive added to store any and all files uploaded here. |
| | |
| | ===[[Bookstack]]=== |
| | |
| | Bookstack has been installed on Plum as an alternative note book to Wikimedia. The DNS name for bookstack is https://notes.seaoffate.net |
|
| |
|
| ===[[Plum (Photo)]]=== | | ===[[Plum (Photo)]]=== |
|
| |
|
| This one is to host the photo website, probably Piwigo. It can be accessed at plum.seaoffate.local, photo.seaoffate.local or plum.seaoffate.net. The Ip will be Prod.20. The setup here is to have a normal HD for the webserver but a NFS share for the base photos with only RO access. The actual directory where the photos are shared from will be another VM called strawberry (IP prod.21). | | This one is to host the photo website, probably Piwigo. It can be accessed at plum.seaoffate.local, photo.seaoffate.local or plum.seaoffate.net. The Ip will be 192.168.100.22. The setup here is to have a normal HD for the webserver and a large separate HD for the photos. We may VM called strawberry (IP prod.23). |
| | |
|
| |
|
| == Website log files and locations == | | == Website log files and locations == |
| Line 147: |
Line 64: |
| ===Nginx Log Files=== | | ===Nginx Log Files=== |
|
| |
|
| DocumentRoot /var/www/files.seaoffate.local/public_html | | DocumentRoot /var/www/files.seaoffate.local/public_html |
| DocumentRoot /var/www/files.seaoffate.local/public_html | | DocumentRoot /var/www/files.seaoffate.local/public_html |
| DocumentRoot /var/www/files.seaoffate.local/public_html | | DocumentRoot /var/www/files.seaoffate.local/public_html |
Introduction
There will be several Webservers in the Home Lab. Each will be on it's own Virtual Machines and will be on the production VLAN. The MySQL databases will be on a separate VM on the same network so no connectivity problems from that. The Proxy server will forward all web traffic to the appropriate webserver. There are a few helpful scripts that can help with Webserver Setup Scripts
There will be two setups for SSL/TLS one for the seaoffate.local and one for seaoffate.net. More details can be found here
webservers Purposes
four webservers with the primary job of serving websites have been defined.
Logan (Wiki)
logan has been setup as a webserver to have the wiki website. It's IP is 192.168.100.12 It can be accessed by logan.seaoffate.local, wiki.seaoffate.local or wiki.seaoffate.net. Lodan has now been retired and wikimedia has moved to Plum
Lime Default or www
The default website is hosted on lime. The IP is 192.168.100.10. It can be accessed by lime.seaoffate.local, www.seaoffate.local, seaoffate.net or www.seaoffate.net. The application that is running the main website is Joomla.
Fig (files)
There is a change of plan and Fig is now hosting a Nextcloud server on prod.11. Not much to say really the install was simply a matter of downloading the installer, create a Database and start the installer going. The prompts were quite self explanatory. The only thing that is notable is that there is now a 1.7 TB hard drive added to store any and all files uploaded here.
Bookstack has been installed on Plum as an alternative note book to Wikimedia. The DNS name for bookstack is https://notes.seaoffate.net
This one is to host the photo website, probably Piwigo. It can be accessed at plum.seaoffate.local, photo.seaoffate.local or plum.seaoffate.net. The Ip will be 192.168.100.22. The setup here is to have a normal HD for the webserver and a large separate HD for the photos. We may VM called strawberry (IP prod.23).
Website log files and locations
The Docroots are
/var/www/wiki.seaoffate.local/public_html
and
/var/www/seaoffate.local/public_html
and
/var/www/files.seaoffate.local/public_html
The access logs are seperate for each config
www.seaoffate on Lime
For the .net they are
/var/log/apache2/www.seaoffate.net-error.log
/var/log/apache2/www.seaoffate.net-access.log
and the local are
/var/log/apache2/lime.seaoffate.local-error.log
/var/log/apache2/lime.seaoffate.local-access.log
wiki.seaoffate on Logan
For the .net they are
/var/log/apache2/wiki.seaoffate.net-error.log
/var/log/apache2/wiki.seaoffate.net-access.log
and the .local are
/var/log/apache2/wiki.seaoffate.local-error.log
/var/log/apache2/wiki.seaoffate.local-access.log
/var/log/apache2/logan.seaoffate.local-error.log
/var/log/apache2/logan.seaoffate.local-access.log
Nginx Log Files
DocumentRoot /var/www/files.seaoffate.local/public_html
DocumentRoot /var/www/files.seaoffate.local/public_html
DocumentRoot /var/www/files.seaoffate.local/public_html
