SAC:betawebsite

This is the setup of the cloud server osgeo.public.cloudvps.com.

It is a Debian 8 server with 4GB RAM and a 160 HDD.

Martin's changes to get LDAP working properly (per ticket 2010; I presume these supersede the ones I made):
# Avoid error messages upon login

root@osgeo:~# aptitude install locales-all

# Have the preferred LDAP subsystem

root@osgeo:~# aptitude install libpam-ldapd libnss-ldapd

# Purge deprecated configs

root@osgeo:~# dpkg -l | grep \^rc | awk '{print $2}' | cut -f 1 -d \: | xargs dpkg --purge

# Purge local user

root@osgeo:~# grep -v \^martin /etc/passwd > Hallo && cat Hallo > /etc/passwd
root@osgeo:~# grep -v \^martin /etc/shadow > Hallo && cat Hallo > /etc/shadow
root@osgeo:~# rm -vf Hallo

# Purge cache and reload LDAP stuff

root@osgeo:~# /etc/init.d/nscd stop; rm -vf /var/cache/nscd/*; /etc/init.d/nscd start
root@osgeo:~# /etc/init.d/nslcd restart

# Voila

root@osgeo:~# getent passwd martin
martin:x:10026:100:Martin Spott:/home/martin:/bin/tcsh

# Have a homedir and proper login shell

root@osgeo:~# cp -a /etc/skel /home/martin
root@osgeo:~# chown -R martin:100 /home/martin
root@osgeo:~# aptitude install tcsh

# Reduce authentication error log

root@osgeo:~# aptitude install fail2ban

# Now test

foehn: 17:06:08 ~> ssh osgeo.public.cloudvps.com
martin@osgeo.public.cloudvps.com's password: [...]
osgeo:~>

# Success

Original Setup Steps
These are the steps I did after it was created, in an attempt to implement LDAP.

First I installed updates:

apt-get update
apt-get upgrade
apt-get install libpam-ldap nscd
apt-get install libnss-ldap #not sure if this one is needed
apt-get install locales-all
apt-get install sudo

Then to try LDAP, following the guide at

https://wiki.debian.org/LDAP/PAM

1) Edit /etc/ldap/ldap.conf (copied from osgeo6):

BASE    dc=osgeo, dc=org
URI     ldaps://ldap.osgeo.org/
#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never
TLS_CHECKPEER yes
TLS_REQCERT demand
TLS_CACERT /etc/ssl/certs/STAR_osgeo_org.ca-bundle  #this file you need to copy from osgeo6 as well
pam_groupdn cn=telascience,ou=Shell,dc=osgeo,dc=org  #note though telascience is defunct so not sure what that cn
nss_base_passwd ou=People,dc=osgeo,dc=org
nss_base_shadow ou=People,dc=osgeo,dc=org
nss_base_group  ou=Group,dc=osgeo,dc=org
ldap_version 3
pam_password md5
bind_policy soft

2) Copy contents of /etc/nslcd.conf from osgeo6

nano /etc/ssh/sshd_config

(It will prompt for the services you want to use LDAP for.) Selections will be written to /etc/nsswitch.conf.

Afterwards the conf looked like this:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         compat ldap
group:          compat ldap
shadow:         compat
gshadow:        files

hosts:          files dns
networks:       files

protocols:      db files ldap
services:       db files ldap
ethers:         db files
rpc:            db files

netgroup:       nis
aliases:        ldap

3) pam-auth-update

Make sure both Unix and LDAP authentication are checked.

4) Restart the services:

/etc/init.d/nscd restart
/etc/init.d/nslcd restart
/etc/init.d/ssh restart

Should output something like this:

[ ok ] Restarting ssh (via systemctl): ssh.service.

5) Verify the server can do LDAP queries against OSGeo by running something like this:

ldapsearch -x uid=robe
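Before trusting the ldap.conf above on a new host, it is worth checking the handful of keys that decide whether the directory connection is actually authenticated: a plain ldap:// URI, a relaxed TLS_REQCERT or a missing CA bundle would still let ldapsearch and getent "work". The following audit script is an added example, not part of the original page; the function names ldap_conf_get and audit_ldap_conf are my own, and it assumes a POSIX sh with awk and mktemp. The demo at the bottom runs it over a constructed copy of the page's own settings.

```shell
# Added example, not part of the original page: audit the TLS-related keys of
# an /etc/ldap/ldap.conf so that a plain ldap:// URI, a relaxed TLS_REQCERT or
# a missing CA bundle is caught before nslcd/pam_ldap ever use the file.

# Print the value of KEY (case-insensitive, first active occurrence) from FILE.
# Commented-out lines such as "#SIZELIMIT 12" are ignored; prints nothing when
# the key is absent.
ldap_conf_get() {
  awk -v key="$2" '
    /^[ \t]*#/ { next }                      # skip comment lines
    tolower($1) == tolower(key) { print $2; exit }
  ' "$1"
}

# Audit FILE: print one line per finding and return 0 only when every check
# passes, so it can gate a deployment step.
audit_ldap_conf() {
  f="$1"; rc=0
  uri=$(ldap_conf_get "$f" URI)
  case "$uri" in
    ldaps://*) ;;                            # TLS from the first byte
    *) echo "WEAK: URI '$uri' is not ldaps://"; rc=1 ;;
  esac
  reqcert=$(ldap_conf_get "$f" TLS_REQCERT | tr 'A-Z' 'a-z')
  case "$reqcert" in
    demand|hard) ;;                          # server cert must validate
    *) echo "WEAK: TLS_REQCERT is '${reqcert:-unset}', expected demand"; rc=1 ;;
  esac
  [ -n "$(ldap_conf_get "$f" TLS_CACERT)" ] ||
    { echo "WEAK: TLS_CACERT not set, no trust anchor for the server cert"; rc=1; }
  return "$rc"
}

# Stand-alone demo on a constructed copy of the page's own settings.
demo_ldap_audit() {
  tmp=$(mktemp)
  printf '%s\n' 'BASE    dc=osgeo, dc=org' 'URI     ldaps://ldap.osgeo.org/' \
    '#SIZELIMIT      12' 'TLS_CHECKPEER yes' 'TLS_REQCERT demand' \
    'TLS_CACERT /etc/ssl/certs/STAR_osgeo_org.ca-bundle  #copied from osgeo6' > "$tmp"
  audit_ldap_conf "$tmp" && echo "ldap.conf: OK"
  rm -f "$tmp"
}
demo_ldap_audit
```

Run it as `audit_ldap_conf /etc/ldap/ldap.conf` on the real file; a non-zero exit means at least one finding was printed.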

Install LetsEncrypt SSL
First I logged in as myself (robe) and did sudo bash so I could install stuff.

1) Add jessie backports with:

echo "deb http://ftp.debian.org/debian jessie-backports main" | tee -a /etc/apt/sources.list
aptitude update

2) Now install:

aptitude install certbot
aptitude install python-certbot-apache -t jessie-backports

3) I then needed to edit /etc/apache2/sites-available/www.osgeo.org.conf to allow the .well-known folder to be accessed, by adding these lines:

Alias /.well-known "/var/www/osgeo.org/httpdocs/.well-known"
AllowOverride None
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
Require method GET POST OPTIONS

After edit run: service apache2 reload

4) Get the cert. I had to do it this way since, for some reason, trying to do it the normal way gave this error:

Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'

certbot certonly -d staging.www.osgeo.org

Fill in the following for the prompts:

Press 1 [enter] to confirm the selection (press 'c' to cancel): 1
Input the webroot for staging.www.osgeo.org: (Enter 'c' to cancel):/var/www/osgeo.org/httpdocs
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

5) Created two new files: /etc/apache2/sites-available/www.osgeo.org-le-ssl.conf and /etc/apache2/sites-available/www.osgeo.org-common.conf.

The common one is pretty much a copy of everything from the original www.osgeo.org.conf that doesn't specifically reference the host; it is then included in the new ssl.conf, which is set to :443. So the file looks like this:

    ServerAdmin support@osgeo.org
    ServerName www.osgeo.org
    ServerAlias staging.www.osgeo.org

    Include /etc/apache2/sites-available/www.osgeo.org-common.conf

    SSLCertificateFile /etc/letsencrypt/live/staging.www.osgeo.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/staging.www.osgeo.org/privkey.pem
    #Include /etc/letsencrypt/options-ssl-apache.conf

6) Now to enable the SSL config:

a2ensite www.osgeo.org-le-ssl
service apache2 reload

7) Added to root's crontab to schedule a monthly renewal on the 15th day of each month:

30 1 15 * * certbot renew
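A hand-written Let's Encrypt vhost like the one in step 5 passes `apachectl configtest` even when it serves the wrong chain or leaves certbot's TLS settings unapplied (note the commented-out options-ssl-apache.conf Include above). The following check is an added example, not part of the original page or of certbot; the function names apache_get and audit_le_vhost are my own, and it assumes a POSIX sh with awk, grep and mktemp. The demo at the bottom runs it over a constructed copy of the page's vhost fragment.

```shell
# Added example, not part of the original page: audit a hand-written Apache
# TLS vhost fragment for Let's Encrypt-specific mistakes that are not Apache
# syntax errors: serving cert.pem instead of fullchain.pem, a key from a
# different live/ directory, and the options-ssl-apache.conf Include left
# commented out.

# Print the first argument of DIRECTIVE (first active occurrence) from FILE.
apache_get() {
  awk -v d="$2" '/^[ \t]*#/ { next } tolower($1) == tolower(d) { print $2; exit }' "$1"
}

# Audit FILE: one line per finding, return 0 only when clean.
audit_le_vhost() {
  f="$1"; rc=0
  cert=$(apache_get "$f" SSLCertificateFile)
  key=$(apache_get "$f" SSLCertificateKeyFile)
  case "$cert" in
    */fullchain.pem) ;;                       # leaf + intermediate chain
    *) echo "WARN: SSLCertificateFile '$cert' should be .../fullchain.pem"; rc=1 ;;
  esac
  # cert and key must come from the same /etc/letsencrypt/live/<name>/ dir
  if [ -z "$cert" ] || [ -z "$key" ] || [ "$(dirname "$cert")" != "$(dirname "$key")" ]; then
    echo "WARN: cert and key are not from the same live/ directory"; rc=1
  fi
  # an Include that is commented out applies nothing
  if ! grep -Eq '^[[:space:]]*Include[[:space:]]+.*options-ssl-apache\.conf' "$f"; then
    echo "WARN: options-ssl-apache.conf not included; certbot's SSLProtocol/SSLCipherSuite settings are not applied"; rc=1
  fi
  return "$rc"
}

# Stand-alone demo on a constructed copy of the page's vhost fragment.
demo_vhost_audit() {
  tmp=$(mktemp)
  printf '%s\n' 'ServerName www.osgeo.org' \
    'SSLCertificateFile /etc/letsencrypt/live/staging.www.osgeo.org/fullchain.pem' \
    'SSLCertificateKeyFile /etc/letsencrypt/live/staging.www.osgeo.org/privkey.pem' \
    '#Include /etc/letsencrypt/options-ssl-apache.conf' > "$tmp"
  audit_le_vhost "$tmp" || echo "vhost: needs attention"
  rm -f "$tmp"
}
demo_vhost_audit
```

On the page's own fragment the demo reports exactly one finding, the commented-out Include.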