X-Git-Url: http://git.subgeniuskitty.com/website_subgeniuskitty.com/.git/blobdiff_plain/562bd1873aecfa00d8be6ed9794df009bfbf96d9..adccee6a565076c4fd88e45331968b757b5641c0:/data/notes/mail_web_git_server.md diff --git a/data/notes/mail_web_git_server.md b/data/notes/mail_web_git_server.md index ac1dd91..aa297bb 100644 --- a/data/notes/mail_web_git_server.md +++ b/data/notes/mail_web_git_server.md @@ -27,8 +27,8 @@ Linux, offering the following services: - Anonymous read-only access to a subset of git repositories via: - - Customized [gitweb](http://git.subgeniuskitty.com/gitweb-sgk/.git) for - GUI git browsing with syntax highlighting, diffs, etc + - Customized [gitweb](http://git.subgeniuskitty.com/gitweb-sgk/.git) for + GUI git browsing with syntax highlighting, diffs, etc - Git-daemon for cloning repositories via the `git://` protocol @@ -41,29 +41,17 @@ etc in the examples. # TODO List # - - Set hostname to `sgk-main-2020` and ensure Apache recognizes it as the - ServerName (see: `systemctl status apache2`). - - - Setup SSL with automatic certificate renewal. - - - Find a reliable way to alert me when renewal fails. - - - Websites should auto-redirect to the SSL version of the site for newer - browsers only. All sites should still be accessible on pre-SSL vintage - computers. - - Take a snapshot on Linode's backup service once the basic services are operational. - - Delete old mail/web/git vservers after downloading a disk image. - - - Setup log rotation, or at least make sure everything ties into whatever is - pre-configured on Debian for log rotation. + - Migrate mail server. Delete old linode vserver after downloading a disk image. - Finish this documentation. - Improve CSS on gitweb, especially for displaying READMEs. + - Add some form of web logfile viewing. + # Basic Configuration # 
@@ -116,6 +104,9 @@ Install Apache2. apt-get install apache2 +If not already defined elsewhere, add a `ServerName 127.0.0.1` entry to the +bottom of `/etc/apache2/apache2.conf`, or whatever is appropriate. + Since we use `/srv` instead of `/var/www`, edit `/etc/apache2/apache2.conf` to comment out the `` entry for `/var/www` and replace it with this: 
@@ -145,21 +136,65 @@ status apache2`. ### SSL ### -TODO +Install certbot and generate a key for its use. -TODO + apt-get install certbot + openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048 -TODO +Create `/etc/apache2/conf-available/ssl-params.conf` with the following +contents. -TODO + SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 + SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + SSLHonorCipherOrder off + SSLSessionTickets off + + SSLUseStapling On + SSLStaplingCache "shmcb:logs/ssl_stapling(32768)" + + Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" + Header always set X-Frame-Options SAMEORIGIN + Header always set X-Content-Type-Options nosniff + + SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem" -TODO +Enable the new configuration and required mods, then restart Apache2. -TODO + a2enconf ssl-params + a2enmod ssl + a2enmod headers + systemctl restart apache2 -TODO +Retrieve an initial certificate with the following command, modified to match +the desired webroot and server names. -TODO + and : + + certbot certonly --agree-tos --email webmaster@subgeniuskitty.com --webroot -w /srv/apache_vhosts/subgeniuskitty.com/site/data/ -d subgeniuskitty.com -d www.subgeniuskitty.com + + and : + + certbot certonly --agree-tos --email webmaster@subgeniuskitty.com --webroot -w /srv/apache_vhosts/archive.subgeniuskitty.com/ -d archive.subgeniuskitty.com + +Edit `/etc/apache2/sites-available/subgeniuskitty.com`, adding the following +`VirtualHost` definition that mostly copies the non-SSL entry. + + + SSLEngine on + SSLCertificateFile /etc/letsencrypt/live/subgeniuskitty.com/fullchain.pem + SSLCertificateKeyFile /etc/letsencrypt/live/subgeniuskitty.com/privkey.pem + + ...copy of vhost definition for host *:80... 
+ + +Edit `/etc/cron.d/certbot` and append `--renew-hook "systemctl reload apache2"` +to the certbot invokation. + +Test with `certbot renew --dry-run`. + +Repeat the process for any other sites hosted on this server. + +Backup the `/etc/letsencrypt` folder off-server periodically. ## Basic Website ## @@ -275,9 +310,9 @@ On my workstation, generate an SSH key with `ssh-keygen -t rsa`. On the server, as user `ataylor`: mkdir ~/.ssh - chmod 700 ~/.ssh - touch ~/.ssh/authorized_keys - chmod 600 ~/.ssh/authorized_keys + chmod 700 ~/.ssh + touch ~/.ssh/authorized_keys + chmod 600 ~/.ssh/authorized_keys Then `cat` the public SSH key from the workstation to the server, appending it onto `~/.ssh/authorized_keys`. @@ -424,9 +459,13 @@ Remember to set that up. # HTML text to include as home page header. $home_text = "indextext.html"; - - # Add a toolbar option with the 'git clone url'. - $feature{'actions'}{'default'} = [('clone url', 'git://git.subgeniuskitty.com/%n', 'summary')]; + + # Add a toolbar option with the 'git clone url' and an + # option to display all tags. + $feature{'actions'}{'default'} = [ + ('clone url', 'git://git.subgeniuskitty.com/%n', 'summary'), + ('tags', 'https://git.subgeniuskitty.com/%n/tags', 'summary') + ]; # Category name is read from .git/category, in the same manner as .git/description. $projects_list_group_categories = 1;
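Review bot: the TODO hunk (`@@ -41,29 +41,17 @@`) removes `Find a reliable way to alert me when renewal fails.` and `Setup log rotation, or at least make sure everything ties into whatever is pre-configured on Debian for log rotation.`, but nothing else in this patch adds renewal-failure alerting or a log rotation check; the only related addition is `certbot renew --dry-run`, which is a one-time test rather than ongoing monitoring. Suggest keeping both items open, or adding a sentence to the new SSL section saying where each was addressed.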
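Review bot: in the Apache hunk (`@@ -116,6 +104,9 @@`), `ServerName 127.0.0.1` works against the intent of the TODO item this patch removes, `Set hostname to sgk-main-2020 and ensure Apache recognizes it as the ServerName`. A loopback address silences the startup warning seen in `systemctl status apache2`, but the global ServerName is also the name Apache uses when it has to build a self-referential URL, so the host's real name is the better value; suggest `ServerName sgk-main-2020` (or the public FQDN) and stating which was chosen instead of `or whatever is appropriate`.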
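Review bot: in the SSL hunk (`@@ -145,21 +136,65 @@`), `Install certbot and generate a key for its use.` misdescribes the second command: `openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048` produces Diffie-Hellman parameters, not a key, and they are consumed by Apache via `SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem"` further down, not by certbot; suggest "Install certbot, and generate DH parameters for Apache." Two smaller points in the same hunk: `--renew-hook` is the deprecated spelling (certbot's current name is `--deploy-hook`, and a script dropped into `/etc/letsencrypt/renewal-hooks/deploy/` avoids editing `/etc/cron.d/certbot`, which a package upgrade can overwrite; on a systemd-based Debian install it is also worth checking whether `certbot.timer` rather than the cron entry is what actually runs renewals), and "invokation" should read "invocation". Finally, `Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"` covers every subdomain and is effectively irreversible once the domain is submitted to the preload list, so it belongs only after archive., git. and any other subdomain are confirmed to serve HTTPS; until then drop `preload` and start with a short max-age.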
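Review bot: in the gitweb hunk (`@@ -424,9 +459,13 @@`), the new action `('tags', 'https://git.subgeniuskitty.com/%n/tags', 'summary')` uses gitweb's path-info URL form (`/<project>/tags`), which only resolves when the `pathinfo` feature is enabled in gitweb.conf; if this instance still serves `?p=%n;a=tags` style URLs the link will 404, so either confirm `$feature{'pathinfo'}{'default'} = [1]` is set or use the query form. It is also the only absolute `https://` URL in the config while the clone action stays `git://git.subgeniuskitty.com/%n`; a relative path (`/%n/tags`) would keep the tags link working for visitors who arrive over plain HTTP as well.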