Immie.org: Difference between revisions
Mail
Line 183: | Line 183: | ||
</source> |
</source> |
||
=== SSL certificate === |
=== Certbot - SSL certificate === |
||
<source lang=bash> |
<source lang=bash> |
||
mkdir ca |
mkdir ca |
||
Line 242: | Line 242: | ||
;New - Using [https://letsencrypt.org/ Let's Encrypt] |
;New - Using [https://letsencrypt.org/ Let's Encrypt] |
||
* Follow [https://certbot.eff.org/#debianjessie-apache certbot] guide. |
* Follow [https://certbot.eff.org/#debianjessie-apache certbot] guide. |
||
* '''New''' — We install only version from jessie-backports: |
|||
<source lang=bash> |
|||
apt install python-certbot-apache=0.10.2-1~bpo8+1 |
|||
# sudo apt-get install python-certbot-apache -t jessie-backports |
|||
certbot --authenticator=webroot --installer=apache |
|||
</source> |
|||
* '''{{red|TODO}}''' — See IMPORTANT NOTES below: |
* '''{{red|TODO}}''' — See IMPORTANT NOTES below: |
||
<source lang=text> |
<source lang=text> |
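Review bot: the added `apt install python-certbot-apache=0.10.2-1~bpo8+1` pins one exact version, so later upgrade runs will not pull newer certbot builds from jessie-backports, fixes included; the commented-out `apt-get install python-certbot-apache -t jessie-backports` tracks the suite instead and is the form to keep if the aim is only to take the package from backports. The `certbot --authenticator=webroot --installer=apache` line carries no domain or webroot path, so that run is interactive; recording the answers given would make the step reproducible.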
Revision as of 11:29, 22 April 2018
Links
Status
- Registered and managed by gandi.net
- Pack: Mailpack
Domain Configuration (Gandi.net)
Managed via Gandi interface (https://www.gandi.net/).
- Mailboxes
- Email forwarding
- Gandi Mail Pack: Activated 2 GB
Web forwarding
Contacts
Owner, Technical, Administrative, Billing:
MP4410-GANDI Michael Peeters peeters-ml1@noekeon.org
Name servers
DNS1: a.dns.gandi.net DNS2: b.dns.gandi.net DNS3: c.dns.gandi.net
Zone
- zone file - version 6
- Currently in use - changed 28.06.2016, 18:12
- Removed CNAME entries for noekeon.org migration tests.
@ 10800 IN A 91.134.134.85
prime 10800 IN A 91.134.134.85
blog 10800 IN CNAME blogs.vip.gandi.net.
imap 10800 IN CNAME access.mail.gandi.net.
miki 10800 IN CNAME prime
mip 10800 IN CNAME prime
owncloud 10800 IN CNAME prime
pop 10800 IN CNAME access.mail.gandi.net.
smtp 10800 IN CNAME relay.mail.gandi.net.
webmail 10800 IN CNAME agent.mail.gandi.net.
www 10800 IN CNAME prime
@ 10800 IN MX 50 fb.mail.gandi.net.
@ 10800 IN MX 10 spool.mail.gandi.net.
noekeon 10800 IN MX 10 prime
prime 10800 IN MX 10 prime
- zone file - version 5
- Currently in use - changed 20.06.2016, 11:34
- Removed duplicate CNAME entries (immie) - was causing SERVFAIL in dig queries
; @ 10800 IN A 91.134.134.85 ; Not sure I need this so disabled
; Mail server for @immie.org addresses (Gandi.net mail package)
@ 10800 IN MX 50 fb.mail.gandi.net.
@ 10800 IN MX 10 spool.mail.gandi.net.
blog 10800 IN CNAME blogs.vip.gandi.net.
imap 10800 IN CNAME access.mail.gandi.net.
pop 10800 IN CNAME access.mail.gandi.net.
smtp 10800 IN CNAME relay.mail.gandi.net.
webmail 10800 IN CNAME agent.mail.gandi.net.
; Our server at ovh
prime 10800 IN A 91.134.134.85
; Mail server for @prime.immie.org addresses
prime 10800 IN MX 10 prime
; Some virtual hosts at immie.org
www 10800 IN CNAME prime ; host www.immie.org
miki 10800 IN CNAME prime ; host miki.immie.org
owncloud 10800 IN CNAME prime ; host owncloud.immie.org
; some aliases to prepare transition of domain noekeon.org
alongcil 10800 IN CNAME prime
gilles 10800 IN CNAME prime
gro 10800 IN CNAME prime
gva 10800 IN CNAME prime
heloise 10800 IN CNAME prime
jda 10800 IN CNAME prime
joan 10800 IN CNAME prime
keccak 10800 IN CNAME prime
ketje 10800 IN CNAME prime
keyak 10800 IN CNAME prime
kiwi 10800 IN CNAME prime
mip 10800 IN CNAME prime
radiogatun 10800 IN CNAME prime
sponge 10800 IN CNAME prime
; Mail for testing
noekeon 10800 IN MX 10 prime
- Default Gandi zone file - version 1
- Not used
@ 10800 IN A 217.70.184.38
blog 10800 IN CNAME blogs.vip.gandi.net.
imap 10800 IN CNAME access.mail.gandi.net.
pop 10800 IN CNAME access.mail.gandi.net.
smtp 10800 IN CNAME relay.mail.gandi.net.
webmail 10800 IN CNAME webmail.gandi.net.
www 10800 IN CNAME webredir.vip.gandi.net.
@ 10800 IN MX 50 fb.mail.gandi.net.
@ 10800 IN MX 10 spool.mail.gandi.net.
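The duplicate-CNAME SERVFAIL noted for zone version 5, and the rule that a CNAME owner may carry no other record, can be checked before a zone is uploaded. Added example (not from the wiki page and not Gandi's tooling): a small linter over the record syntax used above, run on a constructed sample zone that reuses the page's hosts plus deliberate mistakes.

```python
import re
from collections import defaultdict

# Constructed sample in the page's record syntax: real hosts from the zone plus
# a duplicate CNAME, a CNAME beside an MX, and a dangling in-zone target.
SAMPLE_ZONE = """
; Our server at ovh
prime   10800 IN A     91.134.134.85
@       10800 IN MX    10 spool.mail.gandi.net.
www     10800 IN CNAME prime ; host www.immie.org
smtp    10800 IN CNAME relay.mail.gandi.net.
immie   10800 IN CNAME prime
immie   10800 IN CNAME prime
noekeon 10800 IN CNAME prime
noekeon 10800 IN MX    10 prime
nowhere 10800 IN CNAME ghost
"""

RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*?)\s*$")

def parse_zone(text):
    """Return [(owner, ttl, type, rdata)]; ';' comments and blank lines are dropped."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        m = RECORD_RE.match(line)
        if not m:
            raise ValueError("unparsable record: %r" % line)
        records.append((m.group(1), int(m.group(2)), m.group(3).upper(), m.group(4)))
    return records

def lint_cnames(records):
    """Return (owner, problem) pairs for the CNAME rules a resolver enforces."""
    by_owner = defaultdict(list)
    for owner, _ttl, rtype, rdata in records:
        by_owner[owner].append((rtype, rdata))
    problems = []
    for owner, rrs in by_owner.items():
        targets = [rd for rt, rd in rrs if rt == "CNAME"]
        if len(targets) > 1:
            problems.append((owner, "duplicate CNAME records"))
        # RFC 1034 s3.6.2: a CNAME owner may carry no other record type.
        if targets and len(rrs) > len(targets):
            problems.append((owner, "CNAME coexists with other records"))
        # A relative target (no trailing dot) must be defined in this zone.
        for target in targets:
            if not target.endswith(".") and target not in by_owner:
                problems.append((owner, "CNAME target %s not in zone" % target))
    return problems
```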
VPS Configuration (OVH)
This is done via OVH Manager (https://www.ovh.com/manager/).
Service name
This is the name of the server.
Service name: prime.immie.org
Original name was vps282013.ovh.net.
Reverse DNS
In Advanced mode, click Modify the Reverse DNS.
IP: 91.134.134.85
Name: prime.immie.org
Original name was 85.ip-91-134-134.eu
Server Configuration
Guides
Guides I followed to install the server:
I added testing and unstable repositories.
/etc/apt/sources.list:
# Stable
deb http://ftp.debian.org/debian/ jessie main
deb http://security.debian.org/ jessie/updates main
# Testing
deb http://ftp.debian.org/debian/ testing main
deb http://security.debian.org/ testing/updates main
# Unstable / Sid
deb http://ftp.debian.org/debian/ sid main
# Backport
deb http://ftp.debian.org/debian jessie-backports main
/etc/apt/preferences:
# cat /etc/apt/preferences
Package: *
Pin: release a=stable
Pin-Priority: 500

Package: *
Pin: release a=jessie-backports
Pin-Priority: 475

Package: *
Pin: release a=testing
Pin-Priority: 450

Package: *
Pin: release a=unstable
Pin-Priority: 400
Upgraded some packages from testing/unstable: [1]
apt install debian-goodies=0.66 # Fix mysqld false positive in checkrestart
Certbot - SSL certificate
mkdir ca
cd ca
cp /usr/lib/ssl/misc/CA.pl .
sed -ri 's/365/3650/; s/1095/3650/' CA.pl
./CA.pl -newca
CA certificate filename (or enter to create)
Country Name (2 letter code) [AU]:BE
State or Province Name (full name) [Some-State]:BBW
Locality Name (eg, city) []:Brussels
Organization Name (eg, company) [Internet Widgits Pty Ltd]:immie.org
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:immie.org.
Email Address []:
[...]
Serial Number: 14779988171032814905 (0xcd1d10ef0ee2e539)
Certificate is to be certified until May 20 17:25:05 2026 GMT (3650 days)
/usr/lib/ssl/misc/c_info demoCA/cacert.pem
demoCA/cacert.pem
subject= /C=BE/ST=BBW/O=immie.org/CN=immie.org.
issuer= /C=BE/ST=BBW/O=immie.org/CN=immie.org.
notAfter=May 20 17:25:05 2026 GMT
openssl x509 -text -fingerprint -sha1 -in demoCA/cacert.pem -out demoCA/cacert-immie.org.crt
Certificate:
    Serial Number: 14779988171032814905 (0xcd1d10ef0ee2e539)
SHA1 Fingerprint=AD:5E:5C:8B:47:A6:E5:49:7B:E7:6F:F7:F2:E4:95:3B:EC:08:1C:06
./CA.pl -newreq-nodes
Country Name (2 letter code) [AU]:BE
State or Province Name (full name) [Some-State]:BBW
Locality Name (eg, city) []:Brussels
Organization Name (eg, company) [Internet Widgits Pty Ltd]:immie.org
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:www.immie.org
Email Address []:
./CA.pl -sign
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
- New - Using Let's Encrypt
- Follow certbot guide.
- New — We install only the version from jessie-backports:
apt install python-certbot-apache=0.10.2-1~bpo8+1
# sudo apt-get install python-certbot-apache -t jessie-backports
certbot --authenticator=webroot --installer=apache
- TODO — See IMPORTANT NOTES below:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/www.immie.org/fullchain.pem. Your cert will
expire on 2016-10-02. To obtain a new or tweaked version of this
certificate in the future, simply run certbot again with the
"certonly" option. To non-interactively renew *all* of your
certificates, run "certbot renew"
- If you lose your account credentials, you can recover through
e-mails sent to m-certbot@immie.org.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
- Now the certificate and its chain are stored in a single file. Same for the key:
SSLCertificateFile /etc/letsencrypt/live/www.immie.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.immie.org/privkey.pem
Apache
TBC
Administration
Use webmin control panel: https://www.immie.org:10000/ (see Webmin page for usage).
I don't use webmin anymore (never used in fact). All administration is done via SSH command line.
- Upgrade
- Using needrestart package to automatically tell when some services must be restarted.
MediaWiki Tuning
Following MediaWiki guide and Aaron's guide:
- Install php-mbstring
apt install php-mbstring
- Enable $wgCacheDirectory. In LocalSettings.php:
$wgCacheDirectory = "$IP/cache";
Create the directory:
cd /var/www/miki.immie.org/mediawiki
sudo -u www-data mkdir cache
chmod 700 cache
- Enable memcached (see MediaWiki memcached page)
Install memcached:
apt-get install memcached php5-memcached
systemctl restart apache2.service
Add to LocalSettings.php
$wgMainCacheType = CACHE_MEMCACHED;
$wgParserCacheType = CACHE_MEMCACHED; # optional
$wgMessageCacheType = CACHE_MEMCACHED; # optional
$wgMemCachedServers = array( "127.0.0.1:11211" );
$wgSessionsInObjectCache = true; # optional
$wgSessionCacheType = CACHE_MEMCACHED; # optional
- Enable Short URLs (URL like https://miki.immie.org/wiki/Main_Page). Follow this guide.
To Do
- Return error 403 - Forbidden when visiting https://miki.immie.org (server root).
- Change the immie password, because it can be brute-forced via the webmin interface, or disable login for immie.