Immie.org

Revision as of 09:58, 10 July 2018 by Mip (→To Do)

Links

Status

  • Mailpack

Domain Configuration (Gandi.net)

Managed via Gandi interface (https://www.gandi.net/).

Mail

  • Mailboxes
  • Email forwarding
  • Gandi Mail Pack: Activated 2 GB

Web forwarding

Contacts

Owner, Technical, Administrative, Billing:

   MP4410-GANDI
   Michael Peeters
   peeters-ml1@noekeon.org

Name servers

   DNS1: a.dns.gandi.net
   DNS2: b.dns.gandi.net
   DNS3: c.dns.gandi.net

Zone

zone file - version 6
  • Currently in use - changed 28.06.2016, 18:12
  • Removed CNAME entries for noekeon.org migration tests.
@ 10800 IN A 91.134.134.85
prime 10800 IN A 91.134.134.85
blog 10800 IN CNAME blogs.vip.gandi.net.
imap 10800 IN CNAME access.mail.gandi.net.
miki 10800 IN CNAME prime
mip 10800 IN CNAME prime
owncloud 10800 IN CNAME prime
pop 10800 IN CNAME access.mail.gandi.net.
smtp 10800 IN CNAME relay.mail.gandi.net.
webmail 10800 IN CNAME agent.mail.gandi.net.
www 10800 IN CNAME prime
@ 10800 IN MX 50 fb.mail.gandi.net.
@ 10800 IN MX 10 spool.mail.gandi.net.
noekeon 10800 IN MX 10 prime
prime 10800 IN MX 10 prime
zone file - version 5
  • Currently in use - changed 20.06.2016, 11:34
  • Removed duplicate CNAME entries (immie) - was causing SERVFAIL in dig queries
; @          10800 IN A     91.134.134.85    ; Not sure I need this so disabled

; Mail server for @immie.org addresses (Gandi.net mail package)
@          10800 IN MX 50 fb.mail.gandi.net.
@          10800 IN MX 10 spool.mail.gandi.net.
blog       10800 IN CNAME blogs.vip.gandi.net.
imap       10800 IN CNAME access.mail.gandi.net.
pop        10800 IN CNAME access.mail.gandi.net.
smtp       10800 IN CNAME relay.mail.gandi.net.
webmail    10800 IN CNAME agent.mail.gandi.net.


; Our server at ovh
prime      10800 IN A     91.134.134.85
; Mail server for @prime.immie.org addresses
prime      10800 IN MX 10 prime

; Some virtual hosts at immie.org
www        10800 IN CNAME prime            ; host www.immie.org
miki       10800 IN CNAME prime            ; host miki.immie.org
owncloud   10800 IN CNAME prime            ; host owncloud.immie.org

; some aliases to prepare transition of domain noekeon.org
alongcil   10800 IN CNAME prime
gilles     10800 IN CNAME prime
gro        10800 IN CNAME prime
gva        10800 IN CNAME prime
heloise    10800 IN CNAME prime
jda        10800 IN CNAME prime
joan       10800 IN CNAME prime
keccak     10800 IN CNAME prime
ketje      10800 IN CNAME prime
keyak      10800 IN CNAME prime
kiwi       10800 IN CNAME prime
mip        10800 IN CNAME prime
radiogatun 10800 IN CNAME prime
sponge     10800 IN CNAME prime

; Mail for testing
noekeon    10800 IN MX 10 prime
Default Gandi zone file - version 1
Not used
@        10800  IN  A          217.70.184.38
blog     10800  IN  CNAME      blogs.vip.gandi.net.
imap     10800  IN  CNAME      access.mail.gandi.net.
pop      10800  IN  CNAME      access.mail.gandi.net.
smtp     10800  IN  CNAME      relay.mail.gandi.net.
webmail  10800  IN  CNAME      webmail.gandi.net.
www      10800  IN  CNAME      webredir.vip.gandi.net.
@        10800  IN  MX     50  fb.mail.gandi.net.
@        10800  IN  MX     10  spool.mail.gandi.net.
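Added example, not part of the wiki page: a small lint over a constructed zone modelled on the version-5 file above. It flags the duplicated CNAME that the version-5 note says caused SERVFAIL, and the related rules from RFC 1034 section 3.6.2 and RFC 2181 section 10 (a CNAME owner may carry no other data, so no second CNAME and no CNAME at the apex, and an MX target must be a host, not an alias). The sample records and the `noekeon` MX pointing at `www` are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the page's version-5 zone: it repeats
# the duplicated CNAME that caused SERVFAIL and adds an MX to an alias.
SAMPLE_ZONE = """\
@          10800 IN MX 10 spool.mail.gandi.net.
prime      10800 IN A     91.134.134.85
prime      10800 IN MX 10 prime
www        10800 IN CNAME prime            ; host www.immie.org
immie      10800 IN CNAME prime
immie      10800 IN CNAME prime            ; duplicate entry
noekeon    10800 IN MX 10 www              ; MX target is an alias
"""

RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\w+)\s+(.*)$")

def parse_zone(text):
    """Return [(owner, type, rdata fields)] for each record line."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = RECORD.match(line)
        if not m:
            raise ValueError("unparsable record: " + line)
        owner, _ttl, rtype, rdata = m.groups()
        records.append((owner, rtype.upper(), rdata.split()))
    return records

def lint_zone(text):
    """Return sorted problems (RFC 1034 3.6.2 / RFC 2181 s10 rules)."""
    by_owner = defaultdict(list)
    for owner, rtype, rdata in parse_zone(text):
        by_owner[owner].append((rtype, rdata))
    aliases = {o for o, rrs in by_owner.items() if any(t == "CNAME" for t, _ in rrs)}
    problems = []
    for owner, rrs in by_owner.items():
        n_cname = sum(1 for t, _ in rrs if t == "CNAME")
        if n_cname > 1:
            problems.append(f"{owner}: {n_cname} CNAME records (only one allowed)")
        if n_cname and len(rrs) > n_cname:
            problems.append(f"{owner}: CNAME coexists with other record types")
        if n_cname and owner == "@":
            problems.append("@: CNAME at the zone apex is not allowed")
        for t, r in rrs:
            if t == "MX" and r[1] in aliases:  # r = [preference, exchange]
                problems.append(f"{owner}: MX target {r[1]} is a CNAME, not a host")
    return sorted(problems)
```

Run `lint_zone(open("zone.txt").read())` against an exported zone before uploading it; an empty list means none of these checks fired.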

VPS Configuration (OVH)

This is done via OVH Manager (https://www.ovh.com/manager/).

Service name

This is the name of the server.

Service name prime.immie.org

Original name was vps282013.ovh.net.

Reverse DNS

In Advanced mode, click Modify the Reverse DNS.

IP 91.134.134.85
Name prime.immie.org

Original name was 85.ip-91-134-134.eu

Server Configuration

Guides

Guides I followed to install the server:

I added testing and unstable repositories.

/etc/apt/sources.list:

# Stable
deb http://ftp.debian.org/debian/ jessie main
deb http://security.debian.org/ jessie/updates main

# Testing
deb http://ftp.debian.org/debian/ testing main
deb http://security.debian.org/ testing/updates main

# Unstable / Sid
deb http://ftp.debian.org/debian/ sid main

# Backport
deb http://ftp.debian.org/debian jessie-backports main

/etc/apt/preferences:

# cat /etc/apt/preferences 
Package: *
Pin: release a=stable
Pin-Priority: 500

Package: *
Pin: release a=jessie-backports
Pin-Priority: 475

Package: *
Pin: release a=testing
Pin-Priority: 450

Package: *
Pin: release a=unstable
Pin-Priority: 400

Upgraded some packages from testing/unstable: [1]

apt install debian-goodies=0.66                    # Fix mysqld false positive in checkrestart

Certbot - SSL certificate

mkdir ca
cd ca
cp /usr/lib/ssl/misc/CA.pl .
sed -ri 's/365/3650/; s/1095/3650/' CA.pl
./CA.pl -newca
CA certificate filename (or enter to create)
Country Name (2 letter code) [AU]:BE
State or Province Name (full name) [Some-State]:BBW
Locality Name (eg, city) []:Brussels
Organization Name (eg, company) [Internet Widgits Pty Ltd]:immie.org
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:immie.org.
Email Address []:

[...]
Serial Number: 14779988171032814905 (0xcd1d10ef0ee2e539)
Certificate is to be certified until May 20 17:25:05 2026 GMT (3650 days)
/usr/lib/ssl/misc/c_info demoCA/cacert.pem
demoCA/cacert.pem
subject= /C=BE/ST=BBW/O=immie.org/CN=immie.org.
issuer= /C=BE/ST=BBW/O=immie.org/CN=immie.org.
notAfter=May 20 17:25:05 2026 GMT
openssl x509 -text -fingerprint -sha1 -in demoCA/cacert.pem -out demoCA/cacert-immie.org.crt
Certificate:
 Serial Number: 14779988171032814905 (0xcd1d10ef0ee2e539)
 SHA1 Fingerprint=AD:5E:5C:8B:47:A6:E5:49:7B:E7:6F:F7:F2:E4:95:3B:EC:08:1C:06
./CA.pl -newreq-nodes
Country Name (2 letter code) [AU]:BE
State or Province Name (full name) [Some-State]:BBW
Locality Name (eg, city) []:Brussels
Organization Name (eg, company) [Internet Widgits Pty Ltd]:immie.org
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:www.immie.org
Email Address []:
./CA.pl -sign
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
New - Using Let's Encrypt
  • Follow certbot guide.
  • New — We install only the version from jessie-backports:
apt install python-certbot-apache=0.10.2-1~bpo8+1
# sudo apt-get install python-certbot-apache -t jessie-backports
certbot --authenticator=webroot --installer=apache
  • TODO — See IMPORTANT NOTES below:
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/www.immie.org/fullchain.pem. Your cert will
   expire on 2016-10-02. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot again with the
   "certonly" option. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you lose your account credentials, you can recover through
   e-mails sent to m-certbot@immie.org.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
  • Now all certificates are stored in a single file. Same for the key:
SSLCertificateFile      /etc/letsencrypt/live/www.immie.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.immie.org/privkey.pem
Update - Some issues with certbot
Jun 12 00:38:12 prime certbot[9567]: File:
Jun 12 00:38:12 prime certbot[9567]: - Could not be found to be deleted /var/lib/letsencrypt/icJA1m-EoE3Gsf6HJlITR4GCBb_9wvlyYV4faqJ_aVk.pem - LE probably shut down unexpectedly
Jun 12 00:38:12 prime certbot[9567]: File:
Jun 12 00:38:12 prime certbot[9567]: - Could not be found to be deleted /var/lib/letsencrypt/icJA1m-EoE3Gsf6HJlITR4GCBb_9wvlyYV4faqJ_aVk.crt - LE probably shut down unexpectedly
Jun 12 00:38:13 prime certbot[9567]: Attempting to renew cert from /etc/letsencrypt/renewal/www.immie.org.conf produced an unexpected error: 'module' object has no attribute 'rand'. Skipping.
  • Uninstalled certbot completely and removed all of its files (/etc/letsencrypt, /var/...).
  • Reinstalled with the standalone authenticator (did not retry webroot as used before; maybe that would work) [2].
certbot --authenticator standalone --installer apache --pre-hook "systemctl stop apache2" --post-hook "systemctl start apache2"

Apache

TBC

Administration

I don't use webmin anymore (never used it, in fact). All administration is done via the SSH command line.

Upgrade
  • Using the needrestart package to be told automatically when services must be restarted.

MediaWiki Tuning

Following MediaWiki guide and Aaron's guide:

  • Install php-mbstring
apt install php-mbstring
  • Enable $wgCacheDirectory. In LocalSettings.php:
$wgCacheDirectory = "$IP/cache";

Create the directory:

cd /var/www/miki.immie.org/mediawiki
sudo -u www-data mkdir cache
chmod 700 cache

Install memcached:

apt-get install memcached php5-memcached
systemctl restart apache2.service

Add to LocalSettings.php

$wgMainCacheType = CACHE_MEMCACHED;
$wgParserCacheType = CACHE_MEMCACHED; # optional
$wgMessageCacheType = CACHE_MEMCACHED; # optional
$wgMemCachedServers = array( "127.0.0.1:11211" );

$wgSessionsInObjectCache = true; # optional
$wgSessionCacheType = CACHE_MEMCACHED; # optional

To Do

  • Return error 403 - Forbidden when visiting https://miki.immie.org (server root).
  • Change the immie password, because it can be brute-forced via the webmin interface, or forbid immie.

Firewall

We use iptables. Rules are defined in the file /etc/iptables.up.rules.