From: Aaron Taylor Date: Sun, 8 Nov 2020 12:27:59 +0000 (-0800) Subject: Added SSL notes to mail/git/web server build log. X-Git-Url: http://git.subgeniuskitty.com/website_subgeniuskitty.com/.git/commitdiff_plain/6bce4d40664885fb9a215c7cfcb8c49470d50677 Added SSL notes to mail/git/web server build log. --- diff --git a/data/notes/mail_web_git_server.md b/data/notes/mail_web_git_server.md index 95dce33..faa352d 100644 --- a/data/notes/mail_web_git_server.md +++ b/data/notes/mail_web_git_server.md @@ -27,8 +27,8 @@ Linux, offering the following services: - Anonymous read-only access to a subset of git repositories via: - - Customized [gitweb](http://git.subgeniuskitty.com/gitweb-sgk/.git) for - GUI git browsing with syntax highlighting, diffs, etc + - Customized [gitweb](http://git.subgeniuskitty.com/gitweb-sgk/.git) for + GUI git browsing with syntax highlighting, diffs, etc - Git-daemon for cloning repositories via the `git://` protocol @@ -41,14 +41,6 @@ etc in the examples. # TODO List # - - Setup SSL with automatic certificate renewal. - - - Find a reliable way to alert me when renewal fails. - - - Websites should auto-redirect to the SSL version of the site for newer - browsers only. All sites should still be accessible on pre-SSL vintage - computers. - - Take a snapshot on Linode's backup service once the basic services are operational. @@ -58,6 +50,8 @@ etc in the examples. - Improve CSS on gitweb, especially for displaying READMEs. + - Add some form of web logfile viewing. + # Basic Configuration # 
@@ -142,21 +136,65 @@ status apache2`. ### SSL ### -TODO +Install certbot and generate a key for its use. -TODO + apt-get install certbot + openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048 -TODO +Create `/etc/apache2/conf-available/ssl-params.conf` with the following +contents. -TODO + SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 + SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384 + SSLHonorCipherOrder off + SSLSessionTickets off + + SSLUseStapling On + SSLStaplingCache "shmcb:logs/ssl_stapling(32768)" + + Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" + Header always set X-Frame-Options SAMEORIGIN + Header always set X-Content-Type-Options nosniff + + SSLOpenSSLConfCmd DHParameters "/etc/ssl/certs/dhparam.pem" -TODO +Enable the new configuration and required mods, then restart Apache2. -TODO + a2enconf ssl-params + a2enmod ssl + a2enmod headers + systemctl restart apache2 -TODO +Retrieve an initial certificate with the following command, modified to match +the desired webroot and server names. -TODO + and : + + certbot certonly --agree-tos --email webmaster@subgeniuskitty.com --webroot -w /srv/apache_vhosts/subgeniuskitty.com/site/data/ -d subgeniuskitty.com -d www.subgeniuskitty.com + + and : + + certbot certonly --agree-tos --email webmaster@subgeniuskitty.com --webroot -w /srv/apache_vhosts/archive.subgeniuskitty.com/ -d archive.subgeniuskitty.com + +Edit `/etc/apache2/sites-available/subgeniuskitty.com`, adding the following +`VirtualHost` definition that mostly copies the non-SSL entry. + + + SSLEngine on + SSLCertificateFile /etc/letsencrypt/live/subgeniuskitty.com/fullchain.pem + SSLCertificateKeyFile /etc/letsencrypt/live/subgeniuskitty.com/privkey.pem + + ...copy of vhost definition for host *:80... 
+ + +Edit `/etc/cron.d/certbot` and append `--renew-hook "systemctl reload apache2"` +to the certbot invokation. + +Test with `certbot renew --dry-run`. + +Repeat the process for any other sites hosted on this server. + +Backup the `/etc/letsencrypt` folder off-server periodically. ## Basic Website ## @@ -272,9 +310,9 @@ On my workstation, generate an SSH key with `ssh-keygen -t rsa`. On the server, as user `ataylor`: mkdir ~/.ssh - chmod 700 ~/.ssh - touch ~/.ssh/authorized_keys - chmod 600 ~/.ssh/authorized_keys + chmod 700 ~/.ssh + touch ~/.ssh/authorized_keys + chmod 600 ~/.ssh/authorized_keys Then `cat` the public SSH key from the workstation to the server, appending it onto `~/.ssh/authorized_keys`.
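Review bot: the gitweb list-item hunk (@@ -27,8) and the `~/.ssh` hunk (@@ -272,9) are indentation-only changes that the commit message "Added SSL notes" does not mention; either split them into a separate whitespace commit or call them out in the message so the diff is easier to audit.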
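Review bot: the TODO hunk (@@ -41,14) drops "Find a reliable way to alert me when renewal fails" and "Websites should auto-redirect to the SSL version of the site", but the SSL section added later in this patch covers neither: the new `VirtualHost` carries no `Redirect` or `RewriteRule` from the port-80 site, and the only renewal check is a one-off `certbot renew --dry-run`. Keep those two items in the TODO list until the procedure actually addresses them.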
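Review bot: in the SSL hunk (@@ -142,21) the lead-in "generate a key for its use" misdescribes `openssl dhparam`: that command produces Diffie-Hellman parameters consumed by Apache via `SSLOpenSSLConfCmd DHParameters`, not a key for certbot, whose keys are created under `/etc/letsencrypt`; suggest "Install certbot and generate Diffie-Hellman parameters for Apache." Two follow-ups in the same hunk: `--renew-hook` is a deprecated alias for `--deploy-hook`, and on Debian/Ubuntu systems running systemd the packaged `/etc/cron.d/certbot` entry defers to `certbot.timer`, so an edit to that cron file may never execute; dropping a reload script into `/etc/letsencrypt/renewal-hooks/deploy/` is honored by both paths. The lines that read " and :" before each `certbot certonly` command and before `SSLEngine on` appear to have lost their angle-bracket openers in rendering (the text itself refers to a `VirtualHost` definition), so confirm the file still carries them. Finally, "Backup the `/etc/letsencrypt` folder off-server" copies the private keys along with the certificates, so the off-server copy should be encrypted, and the HSTS header's `includeSubDomains; preload` with a two-year `max-age` commits every subdomain (including `archive.subgeniuskitty.com`) to HTTPS-only in compliant browsers, which is hard to walk back once submitted to the preload list. Minor: "invokation" should be "invocation".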