The website for craig.stewart.zone https://craig.stewart.zone/
<!DOCTYPE html>
<html lang="en">
<head>
<link href="/styles/default.css" rel="stylesheet" type="text/css" />
<title>
Installing a Webserver
</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
</head>
<body>
<div id="wrapper">
<div id="header">
<h1>
Installing a Webserver
</h1>
</div>
<div id="layout">
<div id="navigation">
<p class="link">
<a href="/index.html">
Home
</a>
</p>
<p class="link">
<a href="/about.html">
About Me
</a>
</p>
<p class="link">
<a href="/contact.html">
Contact Me
</a>
</p>
<!--<p class="link">
<a href="/cv.html">
My CV
</a>
</p>-->
<p class="link">
<a href="/guides/">
Guides
</a>
</p>
<p class="link">
<a href="https://www.craig-james-stewart.co.uk/blog/">
My Blog
</a>
</p>
</div>
<div id="content">
<p>In the previous section of this guide we were logged in as root, and were running commands as root. This is generally considered bad practice, for good reasons, and so from this point forward we shall be logging in as our unprivileged user ("user" if you've followed the guide without making any changes) and making use of sudo for all commands that need root privileges.</p>
<p>Before we install gitea we need to install and configure some services that our git server is going to need to function: a webserver that can handle SSL termination (to keep our users safe from snooping when they connect to our server), and a mail server to send out emails. The mail server is largely optional, but if you want to allow users to register we need some way to enable that without letting in bots and scammers, and it can also be useful for other purposes, like informing us when something goes wrong.</p>
<p>Before we go any further we need an FQDN (Fully Qualified Domain Name, a technical way of saying a domain name that points specifically at our server) for our server. Most hosting providers will give you one for your server, but it won't be pretty, and it will be a subdomain of their domain. You could use that, but if you already have a domain you could point a subdomain of that at the server and use that instead. For this guide we'll use the subdomain "git" of the domain "example.com", so our server will live at "git.example.com".</p>
<p>Now we are ready to install and configure our web server software. I am going to use <a href="https://httpd.apache.org/" title="The Apache HTTP Server Project">Apache HTTPD</a> as it is what I am most comfortable with, however it shouldn't be too difficult to adjust these instructions to use <a href="http://nginx.org/" title="nginx">nginx</a> or any other web server you wish to use. We're not doing anything too complicated. I'm also going to be using <a href="https://certbot.eff.org/" title="certbot">certbot</a> to get free SSL certificates from <a href="https://letsencrypt.org/" title="Let's Encrypt">Let's Encrypt</a>.</p>
<pre>sudo apt-get install apache2 certbot
sudo a2dissite 000-default.conf
# Quote the heredoc delimiter so $1 and ${APACHE_LOG_DIR} reach the file untouched instead of being expanded by the shell now
cat &lt;&lt; 'EOF' | sudo tee /etc/apache2/sites-available/git.example.com.conf &gt; /dev/null
&lt;VirtualHost *:80&gt;
ServerName git.example.com
AddDefaultCharset utf-8
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge [NC]
RewriteRule ^/(.*) https://git.example.com/$1 [R=301,QSA]
Alias "/.well-known/acme-challenge" "/var/www/acme-challenge"
&lt;Directory /var/www/acme-challenge/&gt;
Order allow,deny
allow from all
&lt;/Directory&gt;
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
&lt;/VirtualHost&gt;
&lt;IfModule ssl_module&gt;
&lt;VirtualHost *:443&gt;
ServerName git.example.com
SSLEngine on
SSLHonorCipherOrder On
SSLProtocol -ALL +TLSv1.2 +TLSv1.1 +TLSv1
SSLCipherSuite TLSv1.2:TLSv1.1:TLSv1:!ADH:!NULL:!MEDIUM:!LOW:!EXPORT:!AECDH:!RSA:!3DES
SSLCertificateFile /etc/letsencrypt/live/git.example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/git.example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/git.example.com/chain.pem
AddDefaultCharset utf-8
Header add Strict-Transport-Security "max-age=15768000;includeSubDomains"
ProxyPreserveHost On
ProxyRequests off
RemoteIPHeader X-Real-IP
ProxyPass / http://localhost:3000/
ProxyPassReverse / http://localhost:3000/
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
&lt;/VirtualHost&gt;
&lt;/IfModule&gt;
EOF
# mod_rewrite is not enabled by default on Debian/Ubuntu; without it the RewriteEngine line stops apache from starting
sudo a2enmod rewrite
sudo a2ensite git.example.com.conf
sudo apache2ctl restart</pre>
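As an added example (not part of the original guide), the following shell functions audit a vhost file like the one above for the settings it relies on: an SSLProtocol line that still admits TLS 1.0/1.1, a missing HSTS header, or a redirect that would swallow the ACME challenge path. directive, audit_vhost and write_conf are hypothetical helper names, and write_conf writes a constructed, abridged copy of the config for offline testing.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit a vhost file such as
# git.example.com.conf for the settings this page depends on. directive,
# audit_vhost and write_conf are hypothetical names; write_conf produces a
# constructed, abridged copy of the guide's config for testing.

# Print the value of the first occurrence of directive $2 in file $1.
directive() {
  awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Print one finding per line; return 1 if anything was found, else 0.
audit_vhost() {
  rc=0
  raw=$(directive "$1" SSLProtocol)
  proto=$(printf '%s' "$raw" | tr '[:upper:]' '[:lower:]')
  # "all"/"+all" or an explicit TLSv1/TLSv1.1 entry keeps the protocol
  # versions deprecated by RFC 8996 enabled.
  case " $proto " in
    *" all "*|*" +all "*|*" tlsv1 "*|*" +tlsv1 "*|*" tlsv1.1 "*|*" +tlsv1.1 "*)
      echo "SSLProtocol enables TLS 1.0/1.1: $raw"; rc=1 ;;
  esac
  grep -qi 'Strict-Transport-Security' "$1" ||
    { echo "no HSTS header on the HTTPS vhost"; rc=1; }
  # The HTTP->HTTPS redirect must leave the ACME path alone or renewal breaks.
  if grep -q 'RewriteRule.*https://' "$1" &&
     ! grep -q 'RewriteCond.*acme-challenge' "$1"; then
    echo "redirect does not exempt /.well-known/acme-challenge"; rc=1
  fi
  return "$rc"
}

# Write a constructed config to $1 with SSLProtocol set to $2. The heredoc
# delimiter is quoted so the $1 in RewriteRule stays literal.
write_conf() {
  sed "s|@PROTO@|$2|" > "$1" <<'EOF'
<VirtualHost *:80>
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge [NC]
RewriteRule ^/(.*) https://git.example.com/$1 [R=301,QSA]
</VirtualHost>
<VirtualHost *:443>
SSLProtocol @PROTO@
Header add Strict-Transport-Security "max-age=15768000;includeSubDomains"
</VirtualHost>
EOF
}
```

Run `audit_vhost /etc/apache2/sites-available/git.example.com.conf` against the real file; with the guide's SSLProtocol line it reports the TLS 1.0/1.1 finding, and `-ALL +TLSv1.2 +TLSv1.3` clears it.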
<p>This installs apache and certbot, disables the default site, which we do not need, and creates the one we do. Note that the redirect to the https version of the site will not work yet, and it will remain that way until we enable the ssl module. But we need the SSL certs first, and that is what certbot is for.</p>
<p>Before we get our free SSL cert we want to control how it validates that we own the domain we are requesting a certificate for, and then we want to request our certificate.</p>
<pre>sudo mkdir /root/certbot
# Quote 'EOF' so $CERTBOT_TOKEN and $CERTBOT_VALIDATION are written literally and expanded when certbot runs the hook, not now
cat &lt;&lt; 'EOF' | sudo tee /root/certbot/auth.sh &gt; /dev/null
#!/bin/bash
mkdir -p /var/www/acme-challenge
echo "$CERTBOT_VALIDATION" &gt; "/var/www/acme-challenge/$CERTBOT_TOKEN"
EOF
sudo chmod u+x /root/certbot/auth.sh
cat &lt;&lt; 'EOF' | sudo tee /root/certbot/clean.sh &gt; /dev/null
#!/bin/bash
rm -f "/var/www/acme-challenge/$CERTBOT_TOKEN"
EOF
sudo chmod u+x /root/certbot/clean.sh
cat &lt;&lt; 'EOF' | sudo tee /root/certbot/renew.sh &gt; /dev/null
#!/bin/bash
/usr/bin/service apache2 restart
EOF
sudo chmod u+x /root/certbot/renew.sh
# A space is needed before each trailing backslash, or the arguments run together into one word
sudo certbot --manual-auth-hook /root/certbot/auth.sh \
--manual-cleanup-hook /root/certbot/clean.sh \
--rsa-key-size 4096 -d git.example.com certonly --manual</pre>
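The hook scripts above build a file path from whatever CERTBOT_TOKEN contains. As an added example (not the guide's own scripts), here is the same auth/cleanup logic as shell functions that validate the token first; valid_token, acme_auth and acme_clean are hypothetical names, and the challenge directory is passed in so the functions can be tested outside /var/www.

```shell
#!/bin/sh
# Added example, not part of the original guide: the logic of the guide's
# auth.sh and clean.sh hooks as functions that validate the token before
# touching the filesystem. valid_token, acme_auth and acme_clean are
# hypothetical names; certbot itself only provides CERTBOT_TOKEN and
# CERTBOT_VALIDATION in the hook's environment.

# HTTP-01 tokens are base64url (RFC 8555, section 8.3). Anything else is
# refused, so the token can never name a path outside the challenge directory.
valid_token() {
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Write the key authorization where the port-80 vhost's Alias serves it.
# $1 = challenge directory, $2 = token, $3 = validation string
acme_auth() {
  valid_token "$2" || { echo "refusing token: $2" >&2; return 1; }
  mkdir -p "$1"
  # World-readable (Apache reads it as www-data), writable only by the owner;
  # no trailing newline so exactly the key authorization is served.
  (umask 022; printf '%s' "$3" > "$1/$2")
}

# Remove the token file once validation is done.
acme_clean() {
  valid_token "$2" || return 1
  rm -f "$1/$2"
}
```

Installed as /root/certbot/auth.sh the script would end with `acme_auth /var/www/acme-challenge "$CERTBOT_TOKEN" "$CERTBOT_VALIDATION"`, and clean.sh would call acme_clean with the same directory and token.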
<p>This last command will ask you for an email address, which will be used to send reminders if your certificate is about to expire (we will prevent that later on in the guide) or if there are urgent problems; I suggest using a valid email address for this reason. It will also ask you to agree to Let's Encrypt's terms, and whether you are OK with your IP address (the IP of your server, that is) being logged. Assuming that you agree and accept that your IP will be logged, you will get an SSL certificate. Now we need to enable some modules for apache and restart it so that our reverse proxy works.</p>
<pre>sudo a2enmod proxy proxy_http ssl headers remoteip
sudo apache2ctl restart</pre>
<p>Our webserver is now ready, and we can move onto setting up a mail server to send out emails.</p>
<p style="text-align:center;"><a href="/guides/building-a-git-repo/secure-start.html" title="Starting With a Secure Base">Starting With a Secure Base</a>|<a href="/guides/building-a-git-repo/" title="Building A git Repository Server">Main Page</a>|<a href="/guides/building-a-git-repo/installmail.html" title="Installing a Mail Server">Installing a Mail Server</a></p>
</div>
</div>
</div>
</body>
</html>