Server Software
Server software configuration and installation procedures, for example for Apache and Postfix.
- Apache Option FollowSymLinks not allowed here Error
- Migrating Self-Signed SSL Certificate to LetsEncrypt Certificate
- LAMP Stack Upgrade Issues
- Standard Installation Procedures for LAMP Stack on CentOS 7
- Slow Loading on ownCloud 8
- Postfix and Dovecot Configuration
- Install RethinkDB on CentOS 7
- Turtl API Server and Client Installation CentOS 7
Apache Option FollowSymLinks not allowed here Error
Apache logs "Option FollowSymLinks not allowed here" (and answers 500) when an .htaccess file sets Options FollowSymLinks but the directory's AllowOverride does not permit that option. Hosts that lock AllowOverride down usually still allow SymLinksIfOwnerMatch, the safer variant: Apache follows a link only when the link and its target belong to the same owner, so one account cannot expose another account's files through a symlink. Replace the directive in every .htaccess under /home with:
find /home -name ".htaccess" -type f -exec sed -i 's/FollowSymLinks/SymLinksIfOwnerMatch/g' {} ";"
The sed expression needs the leading s; without it sed aborts with an "unknown command" error and no file is changed.
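As an added example (not code from the original page), the same sweep as a small script that keeps a backup of every file it rewrites and reports the files it changed, so the replacement can be reviewed and undone; the root directory is a parameter rather than the fixed /home:

```shell
#!/bin/sh
# Added example, not code from the original page: the find/sed sweep from
# above with a backup of each rewritten file and a printed list of the files
# that actually changed. The root directory is an argument; nothing is
# hard-coded to /home.

# harden_htaccess ROOT
# Rewrites FollowSymLinks to SymLinksIfOwnerMatch in every .htaccess below
# ROOT and prints the path of each file it changed. Files that do not contain
# the directive are left untouched, and no backup is created for them.
harden_htaccess() {
    root=$1
    find "$root" -name .htaccess -type f | while IFS= read -r f; do
        # skip files that do not mention the directive at all
        grep -q 'FollowSymLinks' "$f" || continue
        # -i.bak keeps the original next to the rewritten file; /g also
        # handles lines such as "Options +FollowSymLinks -FollowSymLinks"
        sed -i.bak 's/FollowSymLinks/SymLinksIfOwnerMatch/g' "$f"
        printf '%s\n' "$f"
    done
}

# Usage: sh harden_htaccess.sh /home
if [ "$#" -eq 1 ]; then
    harden_htaccess "$1"
fi
```

Running it a second time prints nothing, because SymLinksIfOwnerMatch does not contain the search string; the .bak files can be removed once Apache has been restarted and the sites checked.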
Migrating Self-Signed SSL Certificate to LetsEncrypt Certificate
Download Let's Encrypt Client
sudo -s
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
The letsencrypt-auto wrapper used below has since been renamed certbot (the repository now redirects to certbot/certbot). On a current CentOS 7 host install the certbot package from EPEL instead and substitute certbot for /opt/letsencrypt/letsencrypt-auto in the commands that follow; the options are the same.
Update Apache Configuration
The Apache plugin does not handle several virtual hosts defined in one file, so if you have multiple virtual hosts in a single file, split them into one file each and keep only the SSL (port 443) definitions. Plain-text traffic is then redirected to SSL by one shared port 80 virtual host.
Create a new virtual host in /etc/httpd/conf.d/redirect_ssl.conf to redirect plain-text traffic to SSL, replacing every <domain> with your domain, such as example.com:
<VirtualHost *:80>
    ServerName <domain>
    ServerAlias *.<domain>
    RewriteEngine on
    RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R=301,L]
</VirtualHost>
The redirect target is built from %{HTTP_HOST}, the Host header the client sent. That is fine while this virtual host only receives requests for <domain> and its subdomains, but if it is also the first *:80 virtual host loaded it is Apache's default for every other Host value too, and the rule then redirects those clients to whatever name they supplied. Use %{SERVER_NAME} or a fixed hostname in the rule if you do not want that.
Setup SSL Certificates
cd /opt/letsencrypt
./letsencrypt-auto --apache -d <domain> -d www.<domain> -d <subdomain>.<domain>
Replace <domain> with your domain; each further subdomain is added with another -d option. Every name passed with -d must already resolve to this server, because Let's Encrypt validates each one over HTTP before it issues the certificate. If the same certificate is to serve the mail setup below, include -d mail.<domain> here.
Restart Apache and Test
systemctl restart httpd
Then confirm that the server now presents the Let's Encrypt chain rather than the old self-signed certificate:
openssl s_client -connect <domain>:443 -servername <domain> </dev/null 2>/dev/null | openssl x509 -noout -issuer -subject -dates
The issuer should be Let's Encrypt and notAfter about 90 days out.
(Optional) Renewing SSL Certificates
Let's Encrypt issues certificates that are valid for 90 days; you can renew earlier if something went wrong with the current one.
To renew the certificates, use the following command:
/opt/letsencrypt/letsencrypt-auto renew
The renew command is safe to run as often as you like: it requests a new certificate for a domain only when the current one has less than 30 days of validity left and does nothing otherwise, so you can run it from a cronjob every day, week or month and it will pick up the renewal when the time comes.
To set up a cronjob that renews automatically, run crontab -e and add the following line:
0 3 * * 1 /opt/letsencrypt/letsencrypt-auto renew >> /var/log/le-renew.log 2>&1
The cronjob above runs every Monday at 3 A.M. and appends all output of /opt/letsencrypt/letsencrypt-auto, errors included thanks to 2>&1, to /var/log/le-renew.log. A weekly run leaves about four attempts inside the 30-day window if one of them fails. Apache only loads certificates at start or reload, so after a renewal actually happens run systemctl reload httpd, otherwise the old certificate keeps being served until it expires.
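The renew command does not reload Apache, and a blind weekly reload is wasted work on the many runs where nothing was renewed. The wrapper below, added here as an example and not part of the Let's Encrypt client, fingerprints the certificate file before and after the renew command and reloads only when the file changed. The script name and the paths in the usage comment are assumptions for the illustration.

```shell
#!/bin/sh
# Added example, not code from the original page or the Let's Encrypt client:
# run the renew command, then reload the web server only if the certificate
# file really changed. Certificate path and both commands are arguments.

# fingerprint FILE -> POSIX cksum (CRC and size) of the file content. Reading
# through /etc/letsencrypt/live/<domain>/fullchain.pem follows the symlink,
# so a renewal that swaps the link to a new archive file is detected.
fingerprint() {
    cksum < "$1"
}

# renew_and_reload CERT RENEW_CMD RELOAD_CMD
# exit status: 0 = certificate changed and RELOAD_CMD was run
#              1 = renew ran but nothing changed (not yet within 30 days)
#              2 = RENEW_CMD itself failed; nothing reloaded
renew_and_reload() {
    cert=$1
    renew=$2
    reload=$3
    before=$(fingerprint "$cert")
    if ! sh -c "$renew"; then
        echo "renewal failed, keeping the current certificate" >&2
        return 2
    fi
    after=$(fingerprint "$cert")
    if [ "$before" = "$after" ]; then
        return 1
    fi
    sh -c "$reload"
}

# Example cron entry (script location and domain assumed):
# 0 3 * * 1 /usr/local/sbin/le-renew.sh /etc/letsencrypt/live/example.com/fullchain.pem \
#   "/opt/letsencrypt/letsencrypt-auto renew" "systemctl reload httpd" >> /var/log/le-renew.log 2>&1
if [ "$#" -eq 3 ]; then
    renew_and_reload "$1" "$2" "$3"
fi
```

The exit status distinguishes "renewed and reloaded" from "nothing to do" from "renewal broke", which is what you want to see in /var/log/le-renew.log when the 30-day window is running out.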
LAMP Stack Upgrade Issues
"Table doesn't exist" After MySQL/MariaDB Upgrade
The error means the table definitions were carried over but the InnoDB system files were not: ibdata1 holds the InnoDB data dictionary (and, without file-per-table, the table data itself), so without it the server cannot find tables it knows by name. Stop MySQL, copy the old data directory including ibdata1, ib_logfile0 and ib_logfile1 over the upgraded one (in lampp that is /opt/lampp/var/mysql), fix the ownership and start it again:
sudo /opt/lampp/lampp stopmysql
sudo cp -a /opt/lampp_backup/var/mysql/. /opt/lampp/var/mysql/
sudo chown -R mysql:mysql /opt/lampp/var/mysql
sudo /opt/lampp/lampp startmysql
cp needs -a (or -r) to copy a directory at all, and the chown target is the data directory itself, /opt/lampp/var/mysql. After the server is up, run the bundled mysql_upgrade (in /opt/lampp/bin) so that the system tables match the new server version.
Standard Installation Procedures for LAMP Stack on CentOS 7
1. System Upgrade
yum -y update
2. Install Required Software
yum -y install git policycoreutils-python httpd mod_ssl mariadb mariadb-server php php-mysql php-gd php-ldap php-odbc php-pear php-xml php-xmlrpc php-mbstring php-snmp php-soap curl curl-devel
mod_ssl provides the https listener that step 5 opens, php is the Apache PHP module that the php-* extensions plug into, and policycoreutils-python provides the semanage command used in step 6.
3. Start and Enable All Services
systemctl enable httpd mariadb
systemctl start httpd mariadb
4. Setup MySQL Server
mysql_secure_installation
mysql_secure_installation connects to the running server, so MariaDB has to be started first. Set a root password and answer yes to removing the anonymous users, disallowing remote root login and dropping the test database.
5. Open Firewall Ports
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --permanent --zone=public --add-port=<ssh_port>/tcp
firewall-cmd --reload
6. Change SSH Port
The new port must be open in the firewall (step 5) and registered with SELinux before sshd is restarted; otherwise sshd cannot bind it and you lock yourself out. Keep the current session open until a second login on the new port has succeeded.
vim /etc/ssh/sshd_config #and append 'Port <ssh_port>'
semanage port -a -t ssh_port_t -p tcp <ssh_port>
systemctl restart sshd
ss -tlnp | grep sshd #confirm the new port is listening before closing this session
Once the new port works, remove the default from the firewall with firewall-cmd --permanent --remove-service=ssh && firewall-cmd --reload.
7. Enable Shutdown Button
Edit /etc/systemd/logind.conf and uncomment the following 2 lines:
PowerKeyIgnoreInhibited=no
HandlePowerKey=poweroff
8. Reboot System
reboot
(HP MicroServer Only)
Edit /etc/default/grub and append clocksource=hpet nolapic to the end of the GRUB_CMDLINE_LINUX variable, then regenerate the boot configuration with grub2-mkconfig -o /boot/grub2/grub.cfg before rebooting; editing /etc/default/grub alone changes nothing until that is done.
Slow Loading on ownCloud 8
In /var/www/html/owncloud/config/config.php set the database host to 127.0.0.1 instead of localhost:
'dbhost' => '127.0.0.1',
Using the address skips name resolution for every database connection ownCloud opens; when localhost resolves slowly, each page load pays for it.
Postfix and Dovecot Configuration
Installation
hostnamectl set-hostname mail.<domain>.<tld>
yum -y install postfix dovecot
The hostname set here is what Postfix announces in HELO and what the A and PTR records in the DNS section below must match.
Postfix Configuration
- Append the following to /etc/postfix/main.cf:
myhostname = mail.<domain>.<tld>
mydomain = <domain>.<tld>
myorigin = $mydomain
home_mailbox = mail/
mynetworks = 127.0.0.0/8 <domain IP>
inet_interfaces = all
mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth
smtpd_sasl_local_domain =
smtpd_sasl_security_options = noanonymous
broken_sasl_auth_clients = yes
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
smtpd_recipient_restrictions = permit_sasl_authenticated,permit_mynetworks,reject_unauth_destination
smtp_tls_security_level = may
smtpd_tls_security_level = may
smtp_tls_note_starttls_offer = yes
smtpd_tls_loglevel = 1
smtpd_tls_key_file = /etc/letsencrypt/live/<domain>.<tld>/privkey.pem
smtpd_tls_cert_file = /etc/letsencrypt/live/<domain>.<tld>/fullchain.pem
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls=yes
tls_random_source = dev:/dev/urandom
virtual_alias_domains = <domain>.<tld>
virtual_alias_maps = hash:/etc/postfix/virtual
What these settings mean for relaying and for passwords: mynetworks lists the addresses that may relay without logging in, so keep it to loopback and the server's own <domain IP>, not the whole subnet. smtpd_recipient_restrictions has to contain reject_unauth_destination, the rule that refuses mail for foreign domains from anyone who is neither authenticated nor in mynetworks; without it the server is an open relay. smtpd_tls_security_level = may keeps STARTTLS optional on port 25 so that other mail servers can still deliver to you, and smtpd_tls_auth_only = yes (added here as hardening; it is not in the original list) stops Postfix from advertising AUTH until STARTTLS has completed, so the PLAIN and LOGIN mechanisms enabled in Dovecot below never carry a password in clear. The certificate is the Let's Encrypt one from above, so mail.<domain>.<tld> must be among the names it was issued for; Postfix reads the private key while still running as root, so the root-only permissions under /etc/letsencrypt do not need to be loosened. smtpd_use_tls = yes is the pre-2.3 spelling of the TLS security level and can be dropped on the Postfix 2.10 that CentOS 7 ships.
- Comment out (or delete) the stock defaults earlier in /etc/postfix/main.cf so that they do not clash with the values appended above; Postfix uses the last assignment it sees and logs a warning about the earlier one:
#inet_interfaces = localhost
#mydestination = $myhostname, localhost.$mydomain, localhost
- Append the following lines to /etc/postfix/master.cf (the -o lines must be indented: the leading whitespace is what attaches them to the service entry above them):
submission inet n       -       n       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
  -o milter_macro_daemon_name=ORIGINATING
smtps     inet  n       -       n       -       -       smtpd
  -o syslog_name=postfix/smtps
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_recipient_restrictions=permit_sasl_authenticated,reject_unauth_destination
  -o milter_macro_daemon_name=ORIGINATING
Port 587 (submission) uses STARTTLS, and smtpd_tls_security_level=encrypt makes TLS mandatory there, so a client cannot even send AUTH without it. Port 465 (smtps) requires smtpd_tls_wrappermode=yes, which starts TLS immediately on connect; without that option the port talks plain SMTP and every mail client configured for SSL/TLS on 465 fails to connect. Both entries leave out permit_mynetworks, so on these two ports everyone has to log in. Run postfix check after editing to catch syntax mistakes before restarting.
- Make sure that the following is present in /etc/postfix/main.cf:
alias_maps = hash:/etc/aliases
- Edit /etc/postfix/virtual and add the desired addresses, one per line, each mapped to the local user that should receive its mail, such as:
info@<domain>.<tld> admin
webmaster@<domain>.<tld> admin
- Create the map database (Postfix reads the generated .db file, not the text file, so repeat this after every edit; likewise run newaliases after editing /etc/aliases):
postmap /etc/postfix/virtual
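To see whether a main.cf has the two properties that matter most in this setup (no relaying for strangers, no password over a plaintext connection), the following audit script, added here as an example and not part of Postfix, pulls parameters out of the file the way Postfix resolves them (comments ignored, last assignment wins) and reports each finding. On a live host postconf -n is the authoritative view of the effective configuration; this is for reviewing a main.cf before it is deployed, and the sample configurations it was checked against are constructed.

```shell
#!/bin/sh
# Added example, not part of the original page or of Postfix: audit a main.cf
# for the settings that turn this setup into an open relay or a password leak.
# It only reads the file given as its argument; nothing is modified.

# postconf_get FILE PARAM
# Prints the value of PARAM as Postfix would take it: comment lines are
# ignored and the last assignment wins. Continuation lines (leading
# whitespace) are not handled, which is enough for the single-line values
# used in this setup.
postconf_get() {
    awk -v p="$2" '
        /^[ \t]*#/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (index(line, p) == 1) {
                rest = substr(line, length(p) + 1)
                if (rest ~ /^[ \t]*=/) {
                    sub(/^[ \t]*=[ \t]*/, "", rest)
                    v = rest
                }
            }
        }
        END { print v }' "$1"
}

# relay_restricted FILE -> 0 when unauthenticated relaying is rejected.
# Postfix 2.10+ consults smtpd_relay_restrictions first; when the file does
# not set it, fall back to smtpd_recipient_restrictions as older releases do.
relay_restricted() {
    r=$(postconf_get "$1" smtpd_relay_restrictions)
    if [ -z "$r" ]; then
        r=$(postconf_get "$1" smtpd_recipient_restrictions)
    fi
    case "$r" in
        *reject_unauth_destination*|*defer_unauth_destination*) return 0 ;;
    esac
    return 1
}

# audit_maincf FILE -> prints one finding per line, exit status = finding count
audit_maincf() {
    f=$1
    n=0
    if ! relay_restricted "$f"; then
        echo "OPEN RELAY: no reject_unauth_destination in relay/recipient restrictions"
        n=$((n + 1))
    fi
    case "$(postconf_get "$f" mynetworks)" in
        *0.0.0.0/0*|*"/0 "*|*"/0")
            echo "OPEN RELAY: mynetworks trusts every address"
            n=$((n + 1)) ;;
    esac
    # AUTH offered before STARTTLS means PLAIN/LOGIN passwords can cross the wire in clear
    if [ "$(postconf_get "$f" smtpd_sasl_auth_enable)" = "yes" ] \
        && [ "$(postconf_get "$f" smtpd_tls_auth_only)" != "yes" ] \
        && [ "$(postconf_get "$f" smtpd_tls_security_level)" != "encrypt" ]; then
        echo "PLAINTEXT AUTH: SASL is offered before STARTTLS; set smtpd_tls_auth_only = yes"
        n=$((n + 1))
    fi
    return "$n"
}

# Usage: sh audit_maincf.sh /etc/postfix/main.cf
if [ "$#" -eq 1 ]; then
    audit_maincf "$1"
fi
```

The relay check deliberately accepts defer_unauth_destination as well as reject_unauth_destination, since either keeps strangers from relaying; the mynetworks check looks for a /0 prefix, which is the usual way an "open relay" is configured by accident.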
Dovecot Configuration
- Find and modify the following lines in /etc/dovecot/conf.d/10-master.conf, so that Postfix can reach Dovecot's SASL socket inside its own queue directory (this is the private/auth path named in main.cf):
# Postfix smtp-auth
unix_listener /var/spool/postfix/private/auth {
  mode = 0660
  user = postfix
  group = postfix
}
- Find and modify the following line in /etc/dovecot/conf.d/10-auth.conf:
auth_mechanisms = plain login
Leave disable_plaintext_auth = yes (the default) in the same file: it makes Dovecot refuse PLAIN and LOGIN until the connection is TLS-protected, which is what keeps these two mechanisms safe to offer.
- Find and modify the following line in /etc/dovecot/conf.d/10-mail.conf (it must match home_mailbox = mail/ in main.cf so that both daemons use the same Maildir):
mail_location = maildir:~/mail
- Find and modify the following line in /etc/dovecot/conf.d/20-pop3.conf:
pop3_uidl_format = %08Xu%08Xv
- Find and modify the following lines in /etc/dovecot/conf.d/10-ssl.conf (the leading < tells Dovecot to read the value from the file; Dovecot opens the key as root before dropping privileges, so the root-only permissions Let's Encrypt keeps on /etc/letsencrypt/archive need not be loosened):
ssl = required
ssl_cert = </etc/letsencrypt/live/<domain>.<tld>/fullchain.pem
ssl_key = </etc/letsencrypt/live/<domain>.<tld>/privkey.pem
ssl = required rejects any session on 110 and 143 that does not upgrade with STARTTLS first; the stock value is ssl = yes, which merely makes TLS available.
Restart and Enable Services
systemctl restart postfix
systemctl enable postfix
systemctl restart dovecot
systemctl enable dovecot
Open Firewall Ports
firewall-cmd --permanent --add-service=smtp
firewall-cmd --permanent --add-port=587/tcp
firewall-cmd --permanent --add-port=465/tcp
firewall-cmd --permanent --add-port=110/tcp
firewall-cmd --permanent --add-service=pop3s
firewall-cmd --permanent --add-port=143/tcp
firewall-cmd --permanent --add-service=imaps
firewall-cmd --reload
Ports 110 and 143 are the STARTTLS variants of POP3 and IMAP; with ssl = required and disable_plaintext_auth = yes in Dovecot they never accept a password in clear, so opening them alongside pop3s (995) and imaps (993) is safe. If every client will use the implicit-TLS ports, leave 110 and 143 closed.
Configure DNS
- Add an A record for the mail server:
name = mail.<domain>.<tld>
IP = <mail server IP>
- Add an MX record:
Hostname = mail.<domain>.<tld>
Priority = 5
- Add the following TXT records:
Name = @
Text = "v=spf1 ip4:<domain IP> ~all"
Name = _dmarc.<domain>.<tld>
Text = "v=DMARC1; p=none"
p=none only asks receivers to report; once SPF passes reliably, move to p=quarantine or p=reject so that forged mail from your domain is actually acted on.
- Have the owner of the IP's reverse zone (usually the hosting provider) add a PTR record for <mail server IP> that resolves to mail.<domain>.<tld>; receiving servers check that the forward and reverse names agree with the HELO hostname.
- Finally, test your email at https://www.mail-tester.com/. It also scores DKIM, which this page does not set up, so do not expect a perfect score from these steps alone.
Notes on Using Let's Encrypt for SSL
When configuring mail clients, pick the encryption setting that matches the port: STARTTLS for 587 (SMTP), 143 (IMAP) and 110 (POP3); SSL/TLS for 465, 993 and 995. The server name in the client must be mail.<domain>.<tld>, the name the certificate covers (include -d mail.<domain>.<tld> when issuing it), otherwise the client warns about a name mismatch.
Install RethinkDB on CentOS 7
Installing RethinkDB
sudo wget http://download.rethinkdb.com/centos/7/`uname -m`/rethinkdb.repo -O /etc/yum.repos.d/rethinkdb.repo
sudo yum install rethinkdb
The repo file arrives over plain HTTP, so open it before installing and confirm it sets gpgcheck=1 with a gpgkey entry; yum then verifies the package signature regardless of how the repo definition was fetched.
Create Service File
Create the service file, /usr/lib/systemd/system/rethinkdb@.service
with the following content:
[Unit]
Description=RethinkDB database server for instance '%i'
[Service]
User=rethinkdb
Group=rethinkdb
ExecStart=/usr/bin/rethinkdb serve --config-file /etc/rethinkdb/instances.d/%i.conf
KillMode=process
PrivateTmp=true
[Install]
WantedBy=multi-user.target
Make sure that it has a permission of 644: chmod 644 /usr/lib/systemd/system/rethinkdb@.service, then run systemctl daemon-reload so that systemd picks up the new unit.
Creating a RethinkDB Instance
- Create the RethinkDB data directory:
rethinkdb create -d /path/to/your/rethinkdb/directory
- Set the ownership to the RethinkDB user:
sudo chown -R rethinkdb:rethinkdb /path/to/your/rethinkdb/directory
- Copy the RethinkDB sample config file:
sudo cp /etc/rethinkdb/default.conf.sample /etc/rethinkdb/instances.d/instance1.conf
- Edit /etc/rethinkdb/instances.d/instance1.conf: the line with directory= must be changed to point to your RethinkDB data directory. Leave bind= at its default (localhost only; the Turtl API below runs on the same host) unless you have a reason to expose the driver port, and keep in mind that the web administration interface has no authentication of its own, so it must never be bound to a public address.
Start RethinkDB Instance
Enable and start the instance1 unit (the part after @ selects the matching config file in instances.d):
sudo systemctl enable rethinkdb@instance1
sudo systemctl start rethinkdb@instance1
Turtl API Server and Client Installation CentOS 7
Turtl API
Clone and Configure Turtl API
- Create a user for the Turtl API:
sudo useradd turtl
- Install libuv (as root, before switching users; the turtl account has no sudo rights):
sudo yum install libuv
- Install Clozure CL
- Install RethinkDB and create an instance for the Turtl API (see the RethinkDB section above)
- Switch to the turtl user:
sudo su turtl
- Change directory to turtl's home:
cd ~
- Clone the Turtl API repo and enter it:
git clone https://github.com/turtl/api.git
cd api
- Copy the Turtl API config:
cp config/config.default.lisp config/config.lisp
- Edit config/config.lisp and make sure to update the following parameters (the upload directory must be writable by the turtl user, and the URL is where the reverse proxy below serves it from):
(defvar *local-upload* "<local upload directory>")
(defvar *local-upload-url* "<upload url>")
Set Up Service
Create a service file at /usr/lib/systemd/system/turtl.service with the following content:
[Unit]
Description=Turtl API Server
[Service]
User=turtl
Group=turtl
ExecStart=/usr/local/bin/ccl64 --load /home/turtl/api/start.lisp
KillMode=process
[Install]
WantedBy=multi-user.target
Start and enable the service:
sudo systemctl start turtl
sudo systemctl enable turtl
(OPTIONAL) Configure Reverse Proxy in Apache
Create the httpd virtual host configuration /etc/httpd/conf.d/turtl.conf with the following content, replacing <turtl domain> with your own domain name and <turtl api host> with the host the API listens on (the original configuration proxied to the author's own host on port 8181). Turtl clients send login credentials and auth tokens through this virtual host, so once the Let's Encrypt certificate from above is in place it belongs in the port 443 configuration, with port 80 only redirecting.
<VirtualHost *:80>
    #Server name configuration
    ServerName <turtl domain>
    ServerAdmin webmaster@<turtl domain>
    #Proxy configuration
    ProxyPreserveHost on
    ProxyRequests off
    SSLProxyEngine on
    ProxyPass / https://<turtl api host>:8181/
    ProxyPassReverse / https://<turtl api host>:8181/
    #Logging configuration
    ErrorLog /var/log/httpd/turtl.err
    LogLevel warn
</VirtualHost>
ProxyRequests off is what keeps this from being an open forward proxy: only the ProxyPass path is forwarded. SSLProxyEngine on is required whenever the ProxyPass target is https://; if the API instead listens unencrypted on this machine, use http://127.0.0.1:8181/ in both ProxyPass lines and drop the SSLProxyEngine line.
(OPTIONAL) Restrict User Registration
Guarding the registration endpoint (/users) with HTTP basic authentication turns sign-up into an invite-only step. Add the following lines to your Turtl API virtual host configuration:
#Restrict Registration
<LocationMatch "^/users[/]?$">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /home/turtl/.htpasswd
    Require valid-user
</LocationMatch>
Then generate the .htpasswd password file at the path named in AuthUserFile (-B stores the password with bcrypt instead of the weak MD5 default):
sudo htpasswd -B -c /home/turtl/.htpasswd <whatever username>
Make sure that it has the right permissions and owner, so that only the turtl user and the httpd process can read it:
sudo chmod 640 /home/turtl/.htpasswd && sudo chown turtl:apache /home/turtl/.htpasswd
Two caveats: basic authentication sends the password base64-encoded, not encrypted, so this only makes sense inside the port 443 virtual host; and on a SELinux-enforcing CentOS 7 host httpd may not read files under /home by default, so either enable the boolean (setsebool -P httpd_read_user_content on) or keep the file under /etc/httpd and adjust AuthUserFile accordingly.
Installing JS Client
- Clone the turtl/js repo into the webserver webroot:
sudo mkdir /var/www/turtl && cd /var/www/turtl && sudo git clone https://github.com/turtl/js.git .
- Install the NodeJS dependencies:
sudo npm install
- Copy the default config:
sudo cp config/config.js.default config/config.js
- Edit config/config.js so that the client talks to the API address served by the reverse proxy above
- Update owner and group:
sudo chown -R apache:apache .
httpd only needs read access to serve these static files; if nothing writes into this tree at runtime, leaving it root-owned and world-readable is the safer choice, because a webroot writable by the httpd process lets a compromised web server modify the client JavaScript served to every user.
- Generate assets:
sudo make