Difference between revisions of "SAC:betawebsite"

From OSGeo
Revision as of 00:52, 18 November 2017

This is the setup of the cloud server osgeo.public.cloudvps.com.

It is a Debian 8 server (4 GB, 160 HDD).

Martin's changes to get LDAP working properly (per ticket 2010; I presume these supersede the ones I made)

   # Avoid error messages upon login
   root@osgeo:~# aptitude install locales-all
   # Have the preferred LDAP subsystem
   root@osgeo:~# aptitude install libpam-ldapd libnss-ldapd
   # Purge deprecated configs
   root@osgeo:~# dpkg -l | grep \^rc | awk '{print $2}' | cut -f 1 -d \: | xargs dpkg --purge
   # Purge local user
   root@osgeo:~# grep -v \^martin /etc/passwd > Hallo && cat Hallo > /etc/passwd
   root@osgeo:~# grep -v \^martin /etc/shadow > Hallo && cat Hallo > /etc/shadow
   root@osgeo:~# rm -vf Hallo
   # Purge cache and reload LDAP stuff
   root@osgeo:~# /etc/init.d/nscd stop; rm -vf /var/cache/nscd/*; /etc/init.d/nscd  start
   root@osgeo:~# /etc/init.d/nslcd  restart
   # Voila
   root@osgeo:~# getent passwd martin
   martin:x:10026:100:Martin Spott:/home/martin:/bin/tcsh
   # Have a homedir and proper login shell
   root@osgeo:~# cp -a /etc/skel /home/martin
   root@osgeo:~# chown -R martin:100 /home/martin
   root@osgeo:~# aptitude install tcsh
   # Reduce authentication error log
   root@osgeo:~# aptitude install fail2ban
   # Now test
   foehn: 17:06:08 ~> ssh osgeo.public.cloudvps.com
   martin@osgeo.public.cloudvps.com's password: 
   [...]
   osgeo:~>
   # Success 

These are the steps I did after it was created in an attempt to implement LDAP.

First I installed updates:

 apt-get update
 apt-get upgrade
 apt-get install libpam-ldap nscd
 apt-get install libnss-ldap #not sure if this one is needed 
 apt-get install locales-all
 apt-get install sudo

Then, to try LDAP:

https://wiki.debian.org/LDAP/PAM

1) Edit /etc/ldap/ldap.conf (copied from osgeo6):

   BASE    dc=osgeo, dc=org
   URI     ldaps://ldap.osgeo.org/
   #SIZELIMIT      12
   #TIMELIMIT      15
   #DEREF          never
   TLS_CHECKPEER yes
   TLS_REQCERT demand
   TLS_CACERT /etc/ssl/certs/STAR_osgeo_org.ca-bundle  #this file you need to copy from osgeo6 as well
   pam_groupdn cn=telascience,ou=Shell,dc=osgeo,dc=org  #note though telascience is defunct so not sure what that cn
   nss_base_passwd ou=People,dc=osgeo,dc=org
   nss_base_shadow ou=People,dc=osgeo,dc=org
   nss_base_group  ou=Group,dc=osgeo,dc=org
   ldap_version 3
   pam_password md5
   bind_policy soft


2) Copy the contents of /etc/nslcd.conf from osgeo6.


  nano /etc/ssh/sshd_config

(It will prompt for the services you want to use LDAP for.) The selections will be written to /etc/nsswitch.conf.

Afterwards the conf looked like this:

   # /etc/nsswitch.conf
   #
   # Example configuration of GNU Name Service Switch functionality.
   # If you have the `glibc-doc-reference' and `info' packages installed, try:
   # `info libc "Name Service Switch"' for information about this file.
   passwd:         compat ldap
   group:          compat ldap
   shadow:         compat
   gshadow:        files
   hosts:          files dns
   networks:       files
   protocols:      db files ldap
   services:       db files ldap
   ethers:         db files
   rpc:            db files
   netgroup:       nis
   aliases:        ldap


3) Run pam-auth-update and make sure both Unix and LDAP authentication are checked.

4) Restart the services:

 /etc/init.d/nscd restart
 /etc/init.d/nslcd restart
 /etc/init.d/ssh restart

This should output something like this:

 [ ok ] Restarting ssh (via systemctl): ssh.service.


5) Verify the server can do LDAP queries against OSGeo by running something like this:

    ldapsearch -x uid=robe
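Added example, not from this wiki page: a small Python check for an ldap.conf like the one in step 1. It flags a URI that is not ldaps://, a TLS_REQCERT weaker than demand, and inline '#' comments, which ldap.conf(5) does not support, so the comment text becomes part of the value (TLS_CACERT would then name a file that does not exist). The sample config is constructed from the page's file and the check reads only that text, not the live system.

```python
"""Lint a pam_ldap / ldap.conf style file for its transport security settings.
Added example, not from the wiki page. For the step 1 config it flags a URI that
is not ldaps:// (with no ssl start_tls), TLS_REQCERT weaker than demand, and
inline '#' comments, which ldap.conf(5) does not support: the comment text
becomes part of the value, so TLS_CACERT would name a file that does not exist.
The sample input is constructed from the page's /etc/ldap/ldap.conf.
"""

def parse_ldap_conf(text):
    # Parse like libldap: first token is the key (case-insensitive), the rest of
    # the line is the value; only whole-line '#' comments are dropped.
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ''
    return conf

def lint_ldap_conf(text):
    """Return a list of findings; an empty list means the checks passed."""
    conf = parse_ldap_conf(text)
    findings = [f'{key}: inline comment became part of the value: {value!r}'
                for key, value in conf.items() if '#' in value]
    if not conf.get('URI', '').startswith('ldaps://') and conf.get('SSL', '').lower() != 'start_tls':
        findings.append('URI is not ldaps:// and ssl start_tls is not set: binds go in cleartext')
    # libldap's default for TLS_REQCERT is demand, so only an explicit weaker value is flagged.
    if conf.get('TLS_REQCERT', 'demand').lower() not in ('demand', 'hard'):
        findings.append('TLS_REQCERT is not demand: the server certificate is not verified')
    return findings

# Constructed sample: the page's /etc/ldap/ldap.conf, inline comments shortened.
PAGE_CONF = """BASE    dc=osgeo, dc=org
URI     ldaps://ldap.osgeo.org/
TLS_CHECKPEER yes
TLS_REQCERT demand
TLS_CACERT /etc/ssl/certs/STAR_osgeo_org.ca-bundle  #this file you need to copy from osgeo6 as well
pam_groupdn cn=telascience,ou=Shell,dc=osgeo,dc=org  #note though telascience is defunct
nss_base_passwd ou=People,dc=osgeo,dc=org
ldap_version 3
"""

if __name__ == '__main__':
    for finding in lint_ldap_conf(PAGE_CONF):
        print(finding)
```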


Install LetsEncrypt SSL

First I logged in as myself (robe) and did sudo bash so I could install stuff.

1) Add jessie backports with:

 echo "deb http://ftp.debian.org/debian jessie-backports main" | tee -a /etc/apt/sources.list
 aptitude update

2) Now install:

 aptitude install certbot
 apt-get install python-certbot-apache -t jessie-backports

3) I then needed to edit /etc/apache2/sites-available/www.osgeo.org.conf to allow the .well-known folder to be accessed, by adding these lines:

   Alias /.well-known "/var/www/osgeo.org/httpdocs/.well-known"
   <Directory "/var/www/osgeo.org/httpdocs/.well-known/">
       AllowOverride None
       Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
       Require method GET POST OPTIONS
   </Directory>

After edit run:

 service apache2 reload

4) Get the cert. I had to do it this way since, for some reason, trying to do it normally gave the error: Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot certonly" to do so. You'

 certbot certonly -d staging.www.osgeo.org


Fill in the following at the prompts:

   Press 1 [enter] to confirm the selection (press 'c' to cancel): 1
   Input the webroot for staging.www.osgeo.org: (Enter 'c' to cancel):/var/www/osgeo.org/httpdocs
   Waiting for verification...
   Cleaning up challenges
   Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
   Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

5) I created two new files: /etc/apache2/sites-available/www.osgeo.org-le-ssl.conf and /etc/apache2/sites-available/www.osgeo.org-common.conf

The common one is pretty much a copy of all the stuff from the original www.osgeo.org.conf that doesn't specifically reference the host, and it is then included in the new ssl.conf, which is set to :443. So the file looks like this:

   <IfModule mod_ssl.c>
   <VirtualHost *:443>
   ServerAdmin support@osgeo.org
   ServerName www.osgeo.org
   ServerAlias staging.www.osgeo.org
   Include /etc/apache2/sites-available/www.osgeo.org-common.conf
   SSLCertificateFile /etc/letsencrypt/live/staging.www.osgeo.org/fullchain.pem
   SSLCertificateKeyFile /etc/letsencrypt/live/staging.www.osgeo.org/privkey.pem
   #Include /etc/letsencrypt/options-ssl-apache.conf
   </VirtualHost>
   </IfModule>

6) Now enable the SSL config:

  a2ensite www.osgeo.org-le-ssl
  service apache2 reload
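Added example, not part of the original page: a Python lint of the step 5 vhost. It checks that every ServerName/ServerAlias is covered by a certificate name (certbot certonly was run with only -d staging.www.osgeo.org, so www.osgeo.org would get a name mismatch) and that the commented-out options-ssl-apache.conf Include is compensated by SSLProtocol/SSLCipherSuite settings in the vhost. The certificate's SAN list is passed in as a constructed value rather than read from the PEM.

```python
"""Lint an Apache SSL vhost against the certificate names it is served with.
Added example, not from the wiki page. For the step 5 vhost it checks that every
ServerName/ServerAlias is covered by a certificate SAN (certbot certonly -d only
requested staging.www.osgeo.org) and that TLS hardening exists, via the
options-ssl-apache.conf Include or SSLProtocol/SSLCipherSuite in the vhost.
The SAN list is passed in (constructed here), not read from the live PEM.
"""

def parse_vhost(text):
    # Host names, whether options-ssl-apache.conf is included, directive names seen.
    names, includes_opts, directives = [], False, set()
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith('#'):  # Apache ignores '#' lines
            continue
        directives.add(parts[0])
        if parts[0] in ('ServerName', 'ServerAlias'):
            names.extend(parts[1:])
        elif parts[0] == 'Include' and len(parts) > 1 and parts[1].endswith('options-ssl-apache.conf'):
            includes_opts = True
    return names, includes_opts, directives

def san_covers(name, sans):
    # A wildcard SAN matches one label only: *.osgeo.org covers www.osgeo.org, not staging.www.osgeo.org.
    labels = name.lower().split('.')
    for san in (s.lower() for s in sans):
        if san.startswith('*.'):
            if len(labels) == san.count('.') + 1 and '.'.join(labels[1:]) == san[2:]:
                return True
        elif san == name.lower():
            return True
    return False

def lint_vhost(text, sans):
    """Return a list of findings; an empty list means the vhost is consistent."""
    names, includes_opts, directives = parse_vhost(text)
    findings = [f'{n} is not covered by certificate names {sorted(sans)}'
                for n in names if not san_covers(n, sans)]
    if not includes_opts and not {'SSLProtocol', 'SSLCipherSuite'} <= directives:
        findings.append('no TLS hardening: options-ssl-apache.conf is commented out '
                        'and SSLProtocol/SSLCipherSuite are not set')
    return findings

# Constructed sample: the relevant lines of the page's www.osgeo.org-le-ssl.conf.
PAGE_VHOST = """ServerName www.osgeo.org
ServerAlias staging.www.osgeo.org
Include /etc/apache2/sites-available/www.osgeo.org-common.conf
SSLCertificateFile /etc/letsencrypt/live/staging.www.osgeo.org/fullchain.pem
#Include /etc/letsencrypt/options-ssl-apache.conf
"""
```

Running `lint_vhost(PAGE_VHOST, ['staging.www.osgeo.org'])` reports both the www.osgeo.org name mismatch and the missing TLS hardening; uncommenting the Include and issuing the cert for both names clears it.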